Apache 2.4.23 x64 Tomcat7(x2) loadbalancing with mod_proxy_ajp SSO

Hi Experts,

Since our Apache and Tomcat config has been updated to the x64 versions, we would like to load-balance our web client traffic across two Tomcat servers. Here's the exact scenario:

SM93server running on AIX,

webserver1 : someweb03 with Apache and Tomcat,

webserver2: someweb04 with Tomcat

The authentication would be done with mod_authz_sspi (the old mod_auth_sspi isn't existent in "new" apache anymore).

Here's the trick: As you'll see in the httpd.conf snippet I didn't bother setting up the SSL communication between user browser and webtier but apache does authenticate and SSL is given between webtier and webserver.

Current situation: If I run the config with only one leg:

<Proxy balancer://smcluster>
    # route= must equal the jvmRoute attribute of that Tomcat's <Engine> in server.xml
    BalancerMember "ajp://someweb03.somecorp.sys.corp:8009" route=tomcat1
    #BalancerMember "ajp://someweb04.somecorp.sys.corp:8009" route=tomcat2
    Require all granted
    ProxySet lbmethod=bybusyness
    #Require valid user
</Proxy>

then the system works: I can log in using the SOMEM9SSO webapp.

If I switch the second leg on then it seems to be working until the SM main screen (not login, past that), with todo, but it immediately says "Session timeout", log in again...

httpd.conf part:

<VirtualHost some:80>
    ServerName someweb03.somecorp.sys.corp
    ServerAlias someweb03.somecorp.sys.corp someweb03
    DocumentRoot "C:/Program Files/Apache Software Foundation/Apache24/htdocs/"
    ErrorLog "logs/sm-error.log"

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^itselfservice$ [OR]
    RewriteCond %{HTTP_HOST} ^websm9$
    RewriteRule ^(/)$ someweb03/.../ess\.do [R=301,L]

    <Location /SOME9SSO>
        # AllowOverride is only valid in <Directory>; httpd rejects it inside <Location>
        #AllowOverride None
        Options None
        #Options FollowSymLinks
        #Require all granted
        # 2.2-style access control, served by mod_access_compat in 2.4
        Order allow,deny
        Allow from all

        # Integrated Windows authentication through the third-party mod_authz_sspi
        AuthType SSPI
        SSPIDomain somedom.sys.corp
        SSPIAuthoritative On
        SSPIOfferBasic Off
        SSPIPerRequestAuth On
        require valid-user

        ProxyPass balancer://somecluster/SOME9SSO stickysession=JSESSIONID|jsessionid nofailover=On timeout=180
    </Location>
</VirtualHost>

Any idea why that's happening?

Your help is hugely appreciated!

PS: why in the world can't I attach my log normally as log/txt??? Why only pic formats?

BR, Dávid

  • I just thought the whole thing through: it must be some stickysession problem. Think of it, SM is panicking because the session is wrong... the log shows the same: after a few trials the access granted starts to transform into access denied.

    Is there someone out there who could advise me on a proper stickysession setup?

  • Try adding this to your httpd.conf:

    KeepAlive On
    KeepAliveTimeout 900
  • Just as suspected... stickysession hasn't been forced...

    This part was missing from the proxy section:

    ProxySet stickysession=JSESSIONID

    Funny part is that Apache does NOT include the stickysession=xy part when using JSESSIONID but only when ROUTEID is used.

    long story short:

    SM9.3x Apache 2.4.23 x64 authentication with mod_authz_sspi (3rd-party) to mod_proxy_ajp load-balanced Tomcat7 x64 webtiers using SSL only between webtier and SM server is POSSIBLE. I'm a hero.
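To make the "Session timeout" in the original question and the stickysession fix in the last reply concrete, here is an added Python model of how mod_proxy_balancer chooses a BalancerMember. It is illustration written for this page, not Apache code and not anything from the thread: it assumes the documented rule that Tomcat appends ".<jvmRoute>" to the session id and the balancer matches that suffix against each member's route= value, and it picks the least-busy member (lbmethod=bybusyness) whenever no route applies. Member URLs, the session id and the busy counters are constructed values.

```python
from http.cookies import SimpleCookie


class ServiceUnavailable(Exception):
    """Stands in for the HTTP 503 the balancer returns when no member can serve."""


class BalancerMember:
    """One BalancerMember line: URL, route= name, up/down state, in-flight requests."""

    def __init__(self, url, route, up=True, busy=0):
        self.url = url
        self.route = route
        self.up = up
        self.busy = busy  # what lbmethod=bybusyness compares (constructed here)


class Balancer:
    """Toy <Proxy balancer://...> with lbmethod=bybusyness and optional stickysession."""

    def __init__(self, members, stickysession=None, nofailover=False):
        self.members = members
        self.nofailover = nofailover
        if stickysession:
            # "JSESSIONID|jsessionid": cookie name, then URL path-parameter name
            cookie, _, param = stickysession.partition("|")
            self.cookie_name, self.param_name = cookie, (param or cookie)
        else:
            self.cookie_name = self.param_name = None

    def session_id(self, path, cookie_header=None):
        """Find the session id in the Cookie header or as a ;jsessionid= path parameter."""
        if self.cookie_name is None:
            return None  # no stickysession configured: routing never looks at the session
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if self.cookie_name in jar:
                return jar[self.cookie_name].value
        for segment in path.split("/"):
            for param in segment.split(";")[1:]:
                name, _, value = param.partition("=")
                if name == self.param_name:
                    return value
        return None

    @staticmethod
    def route_of(session_id):
        """Tomcat appends '.<jvmRoute>' to the id; the balancer keys on that suffix."""
        if session_id and "." in session_id:
            return session_id.rsplit(".", 1)[1]
        return None

    def pick(self, path, cookie_header=None):
        """Return the member that should receive this request."""
        route = self.route_of(self.session_id(path, cookie_header))
        if route is not None:
            for m in self.members:
                if m.route == route:
                    if m.up:
                        return m  # sticky: same Tomcat that created the session
                    if self.nofailover:
                        # nofailover=On: a sticky request for a dead member gets 503
                        raise ServiceUnavailable(f"route {route} is down")
        candidates = [m for m in self.members if m.up]
        if not candidates:
            raise ServiceUnavailable("no members up")
        return min(candidates, key=lambda m: m.busy)  # bybusyness, ties to the first


def simulate(sticky):
    """Log in on one Tomcat, then send a second request carrying the JSESSIONID cookie.

    Returns "ok" if the second request reaches the Tomcat that holds the session,
    otherwise "session timeout", which is what the application reports to the user.
    """
    members = [BalancerMember("ajp://someweb03:8009", "tomcat1"),
               BalancerMember("ajp://someweb04:8009", "tomcat2")]
    lb = Balancer(members, stickysession="JSESSIONID|jsessionid" if sticky else None)
    sessions = {m.route: set() for m in members}  # sessions each Tomcat knows about

    first = lb.pick("/SOME9SSO/login")      # no cookie yet: least busy member wins
    sid = "A1B2C3." + first.route           # constructed id with Tomcat's jvmRoute suffix
    sessions[first.route].add(sid)
    first.busy = 1                          # still serving another request (constructed)

    second = lb.pick("/SOME9SSO/ess.do", f"JSESSIONID={sid}")
    return "ok" if sid in sessions[second.route] else "session timeout"


if __name__ == "__main__":
    print("without stickysession:", simulate(sticky=False))
    print("with stickysession:   ", simulate(sticky=True))
```

Without stickysession the second request is handed to whichever Tomcat is least busy, which has never seen that session id, so the application treats the user as logged out; with stickysession the ".tomcat1" suffix pins the request to the node that created the session. Two checks follow from this when applying the thread's fix to a real config: each Tomcat's server.xml must set jvmRoute on its <Engine> to exactly the route= name of its BalancerMember, and nofailover=On means a sticky request for a node that is down is answered with 503 rather than silently re-authenticated on the other node, which is the safer failure for an SSO front end.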