26.8 Changes Required in server.xml for Apache Tomcat 8.5.51 after Upgrading to Access Manager 4.5 Service Pack 2

Access Manager 4.5 Service Pack 2 (4.5.2) adds support for Apache Tomcat 8.5.51. Starting with this Tomcat version, the Apache JServ Protocol (AJP) Connector has a secretRequired attribute that defaults to true, so every AJP Connector must also carry a non-empty secret attribute. Fresh Access Manager installations already ship server.xml with secret="namnetiq" on each AJP Connector, so no change to server.xml is needed in that case.

However, if you upgrade an existing Access Manager setup to 4.5.2 and Tomcat to version 8.5.51, the existing server.xml still has no secret attribute on its AJP Connectors and the Tomcat service fails to start. The following error appears in the Tomcat catalina.log file:

SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
    org.apache.catalina.LifecycleException: Protocol handler start failed
            Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

To work around this issue after upgrading Tomcat to version 8.5.51, perform the following steps:

  1. Modify the Access Gateway server.xml file.

    For information about how to add a file or folder using the Configuration File page, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.

  2. Add the secret attribute to every AJP Connector and set it to a non-empty string. Tomcat 8.5.51 treats secretRequired as true unless it is explicitly set to false, so a connector whose secret is missing or empty fails to start with the error shown above. Do not set secretRequired="false" to silence the error; that disables the check entirely.

    NOTE: The value of the secret attribute must be the same in the server.xml file of every component, and it must match the secret= parameter on the corresponding Apache ProxyPass directives (see the vhost.d snippets later in this section). The secret is a credential shared between Apache and Tomcat: if you change it from the documented default, change it on every component and on every ProxyPass line at the same time.

    For example:

    Embedded Service Provider configuration:

    <Connector port="9009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" address="127.0.0.1" minSpareThreads="25" maxThreads="600" backlog="0" connectionTimeout="20000" packetSize="65536" maxPostSize="65536" secret="namnetiq" />

    Administration Console:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secret="namnetiq" />

    Identity Server:

    <Connector URIEncoding="utf-8" port="8009" protocol="AJP/1.3" redirectPort="8443" secret="namnetiq" useBodyEncodingURI="false"/>
    <Connector address="127.0.0.1" backlog="0" connectionTimeout="20000" enableLookups="false" maxPostSize="2097152" maxThreads="600" minSpareThreads="25" port="9019" protocol="AJP/1.3" scheme="https" secure="true" secret="namnetiq" />

The following are example Apache vhost.d/* snippets that pass the same secret from the mod_proxy_ajp side:

Embedded Service Provider configuration:

ProxyPass /AGLogout ajp://127.0.0.1:9009/nesp/app/plogout secret=namnetiq 
ProxyPass /nesp ajp://127.0.0.1:9009/nesp secret=namnetiq
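The following script is added here as an example; it is not part of the NetIQ Access Manager documentation or product. It checks a server.xml for the exact condition behind the catalina.log error above (an AJP Connector with no non-empty secret while secretRequired is true), flags connectors that have switched the check off with secretRequired="false", adds the secret to connectors that lack it without disturbing the rest of the file, and cross-checks the value against the secret= parameter on the Apache ProxyPass lines. The sample server.xml and vhost text embedded in it are constructed for illustration, and the file paths in the command-line usage are assumptions.

```python
"""Audit and fix AJP Connector secrets in Tomcat server.xml files.

Added example; not part of the NetIQ Access Manager documentation or product.
The sample XML and vhost text below are constructed for illustration.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed: an upgraded server.xml whose AJP Connectors carry no usable
# secret. Under Tomcat 8.5.51 (secretRequired defaults to true) both AJP
# connectors below fail with "secret attribute is either null or ''".
BROKEN_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector address="127.0.0.1" port="9019" protocol="AJP/1.3"
               scheme="https" secure="true" secret=""/>
  </Service>
</Server>"""

# Constructed: the Apache side, mirroring the vhost.d snippets in this section.
VHOST_SNIPPET = """ProxyPass /AGLogout ajp://127.0.0.1:9009/nesp/app/plogout secret=namnetiq
ProxyPass /nesp ajp://127.0.0.1:9009/nesp secret=namnetiq"""

CONNECTOR_TAG_RE = re.compile(r"<Connector\b[^>]*?/?>")
SECRET_ATTR_RE = re.compile(r'\bsecret="([^"]*)"')
PROXYPASS_RE = re.compile(
    r"^\s*ProxyPass\s+(\S+)\s+(ajp://\S+)((?:\s+\w+=\S+)*)", re.MULTILINE)


def ajp_connectors(server_xml):
    """All <Connector> elements speaking AJP, found with a real XML parse."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP/")]


def check_ajp_secrets(server_xml):
    """One finding per AJP Connector that Tomcat 8.5.51 would refuse to
    start, or that has switched the secret check off entirely."""
    findings = []
    for c in ajp_connectors(server_xml):
        port = c.get("port", "?")
        required = c.get("secretRequired", "true").lower() != "false"
        if required and not c.get("secret"):
            findings.append(f"port {port}: secretRequired is true but secret "
                            "is missing or empty; Tomcat will not start")
        elif not required:
            findings.append(f'port {port}: secretRequired="false" disables '
                            'the AJP secret check; not recommended')
    return findings


def add_ajp_secret(server_xml, secret):
    """Return server_xml with secret set on every AJP Connector that lacks a
    non-empty one. The tag text is edited directly (not re-serialised) so
    comments, attribute order and formatting elsewhere stay intact."""
    if not secret or any(ch in secret for ch in '"&<'):
        raise ValueError('secret must be a non-empty string without ", & or <')

    def patch(match):
        tag = match.group(0)
        if 'protocol="AJP/' not in tag:   # assumes double-quoted attributes
            return tag
        found = SECRET_ATTR_RE.search(tag)
        if found and found.group(1):
            return tag                        # already configured, leave it
        if found:                             # secret="" is the failing case
            return tag[:found.start()] + f'secret="{secret}"' + tag[found.end():]
        end = "/>" if tag.endswith("/>") else ">"
        return tag[:-len(end)].rstrip() + f' secret="{secret}"' + end

    return CONNECTOR_TAG_RE.sub(patch, server_xml)


def proxypass_secrets(vhost_text):
    """Map each ajp:// ProxyPass path to the secret it sends (None if absent)."""
    result = {}
    for m in PROXYPASS_RE.finditer(vhost_text):
        params = dict(p.split("=", 1) for p in m.group(3).split())
        result[m.group(1)] = params.get("secret")
    return result


def secrets_consistent(server_xml, vhost_text):
    """True only when every AJP Connector and every ajp:// ProxyPass carry the
    same non-empty secret; anything else is rejected by Tomcat per request."""
    tomcat = {c.get("secret") for c in ajp_connectors(server_xml)}
    apache = set(proxypass_secrets(vhost_text).values())
    combined = tomcat | apache
    return bool(tomcat) and bool(apache) and len(combined) == 1 and all(combined)


if __name__ == "__main__":
    # Assumed usage: python ajp_secret_check.py server.xml [vhost.conf]
    xml_text = Path(sys.argv[1]).read_text(encoding="utf-8")
    for line in check_ajp_secrets(xml_text) or ["no AJP secret findings"]:
        print(line)
    if len(sys.argv) > 2:
        vhost = Path(sys.argv[2]).read_text(encoding="utf-8")
        print("secret consistent with ProxyPass:", secrets_consistent(xml_text, vhost))
```

Run it against each component's server.xml before restarting Tomcat; a non-empty findings list means the start will fail or the check has been disabled. The secrets_consistent() call catches the quieter failure mode, where Tomcat starts but every proxied request from Apache is rejected because the ProxyPass secret= does not match.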