
Apache 2.4.23 x64 Tomcat7(x2) loadbalancing with mod_proxy_ajp +SSO

Hi Experts,

Since our Apache and Tomcat config has been updated to x64 versions, we would like to load-balance our webclient traffic with two Tomcat servers. Here's the exact scenario:

SM93server running on AIX,

webserver1 : someweb03 with Apache and Tomcat,

webserver2: someweb04 with Tomcat

The authentication would be done with mod_authz_sspi (the old mod_auth_sspi doesn't exist in the "new" Apache anymore).

Here's the trick: as you'll see in the httpd.conf snippet, I didn't bother setting up the SSL communication between user browser and webtier, but Apache does authenticate and SSL is given between webtier and webserver.

Current situation: If I run the config with only one leg:

<Proxy balancer://smcluster>
BalancerMember "ajp://someweb03.somecorp.sys.corp:8009" route=tomcat1
#BalancerMember "ajp://someweb04.somecorp.sys.corp:8009" route=tomcat2
Require all granted
ProxySet lbmethod=bybusyness
#Require valid user
</Proxy>

then the system works: I can login using the SOMEM9SSO webapp:

If I switch the second leg on then it seems to be working until the SM main screen (not login, past that), with todo, but immediately says "Session timeout", login again...

httpd.conf part:

<VirtualHost some:80>
ServerName someweb03.somecorp.sys.corp
ServerAlias someweb03.somecorp.sys.corp someweb03
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache24/htdocs/"
ErrorLog "logs/sm-error.log"
RewriteEngine On
RewriteCond %{HTTP_HOST} ^itselfservice$ [OR]
RewriteCond %{HTTP_HOST} ^websm9$
RewriteRule ^(/)$ http://someweb03/SOME9SSO/ess\.do?lang=en [R=301,L]
<Location /SOME9SSO>
AllowOverride None
Options None
#Options FollowSymLinks
#Require all granted
Order allow,deny
Allow from all

AuthType SSPI
SSPIAuth On
SSPIDomain somedom.sys.corp
SSPIAuthoritative On
SSPIOfferBasic Off
SSPIPerRequestAuth On
require valid-user

ProxyPass balancer://somecluster/SOME9SSO stickysession=JSESSIONID|jsessionid nofailover=On timeout=180
</Location>
</VirtualHost>

Any idea why that's happening?

Your help is hugely appreciated!

ps. why in the world can't I attach my log normally as log/txt??? why only pic formats?

BR, Dávid


Re: Apache 2.4.23 x64 Tomcat7(x2) loadbalancing with mod_proxy_ajp +SSO

I just thought the whole thing through: it must be some stickysession problem. Think of it, SM is panicking because the session is wrong... the log shows the same: after a few trials the access granted starts to transform into access denied.

Is there someone out there who could advise me on a proper stickysession setup?


Re: Apache 2.4.23 x64 Tomcat7(x2) loadbalancing with mod_proxy_ajp +SSO

Try adding this to your httpd.conf:

KeepAlive On
KeepAliveTimeout 900

Re: Apache 2.4.23 x64 Tomcat7(x2) loadbalancing with mod_proxy_ajp +SSO

Just as suspected... stickysession hasn't been forced...

This part was missing from the proxy section:

ProxySet stickysession=JSESSIONID

Funny part is that Apache does NOT include the stickysession=xy part when using JSESSIONID but only when ROUTEID is used.

Long story short:

SM9.3x Apache 2.4.23 x64 authentication with mod_authz_sspi (3rd-party) to mod_proxy_ajp load-balanced Tomcat7 x64 webtiers using SSL only between webtier and smserver is POSSIBLE. I'm a hero.
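
To confirm that requests really stay on one Tomcat once both balancer members are enabled, the following added example (not code from the thread) audits access-log lines for sessions served by a member other than the one named in the JSESSIONID route suffix. It assumes each Tomcat sets jvmRoute to its balancer route (tomcat1/tomcat2) and that a LogFormat writing %{JSESSIONID}C and %{BALANCER_WORKER_ROUTE}e has been added; the log lines are constructed.

```python
import re

# Constructed sample lines. Assumed LogFormat (an assumption, not from the thread):
#   "%t sid=%{JSESSIONID}C route=%{BALANCER_WORKER_ROUTE}e"
SAMPLE_LOG = """\
[10:00:01] sid=A1B2C3D4E5F6.tomcat1 route=tomcat1
[10:00:02] sid=A1B2C3D4E5F6.tomcat1 route=tomcat2
[10:00:03] sid=0F9E8D7C6B5A.tomcat2 route=tomcat2
[10:00:04] sid=77AA88BB99CC route=tomcat1
[10:00:05] sid=- route=tomcat2
"""

LINE_RE = re.compile(r"sid=(?P<sid>\S+) route=(?P<route>\S+)")


def cookie_route(sid):
    """Return the route suffix Tomcat appends to the session ID when
    jvmRoute is set (the text after the first '.'), or None if absent."""
    _, dot, route = sid.partition(".")
    return route if dot else None


def audit(log_text):
    """Return (line number, truncated session ID, finding) tuples."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m or m["sid"] == "-":
            continue  # no session cookie yet: any member may serve the request
        sid, served = m["sid"], m["route"]
        wanted = cookie_route(sid)
        short = sid[:6]  # never echo a full session ID into a report
        if wanted is None:
            # Tomcat issued an ID without a route: the balancer cannot pin it
            findings.append((lineno, short, "no-route-suffix"))
        elif wanted != served:
            # The cookie names one member but another one handled the request
            findings.append((lineno, short, f"bounced:{wanted}->{served}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A "no-route-suffix" finding points at a missing jvmRoute on the Tomcat side, while "bounced" points at the balancer not honouring the sticky session. An access log that records session cookies should be protected like any other store of session identifiers.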
