How to integrate IIS and the FootPrints Service Core 12.XX - 20.XX Tomcat server

Knowledge Article

How to integrate IIS and the FootPrints Service Core 12.XX - 20.XX Tomcat server
How to integrate IIS and the FootPrints Service Core 12.XX - 20.XX Tomcat server
FootPrints
FootPrints
FootPrints 12.XX - 20.XX
This article describes how to enable IIS integration with Tomcat. This will allow users of FootPrints Service Core 12.XX - 20.XX to browse to the IIS server instead of browsing directly to the FootPrints Service Core Tomcat server. The IIS integration will forward all FootPrints Service Core requests to the Tomcat server.

Additionally, integrating the Web Server and Tomcat, is a required step prior to enabling Web Server Authentication in FootPrints Service Core 12, if that is a desired Authentication method.

NOTE 1: These instructions apply to integrating IIS with Tomcat in a Windows environment where IIS and Tomcat is on the same server

NOTE 2: If after having integrated IIS and Tomcat, and enabling Web Server Authentication in FootPrints, if HTTP Error 403.14 - Forbidden - The Web Server is configured to not list the contents of this directory errors are seen when attempting to access FootPrints in a browser, select the Application Pool in IIS which will be used, and select the Advanced Settings for the pool. Change the setting "Enable 32-Bit Applications" to "False", and restart IIS. The error should no longer be seen and Footprints should be accessible via Web Server authentication.
1.  Once logged into your server, open IIS Manager.  You can do this by clicking your Windows Start button and entering "inetmgr" into the search box.  Then press enter.
2.  On the Connections pane, expand the server node and click "Application Pools."
3.  Right click on your application pool and select "Advanced Settings..."
4.  Change "Enable 32-bit Application to False."

***Additionally, these steps must be performed with full Administrator privileges.***

Note 3: Please make sure that application pool identity is set to Local System to avoid any permission related errors

Note 4 : After upgrading tomcat to latest version The following error can be seen in the Apache Tomcat catalina log file

"The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "  To fix the issue you need to 
  • Edit the C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml file and add the secretRequired="false" option to the AJP/1.3 connector.
For example:
 
 <Connector port="8009" protocol="AJP/1.3" secretRequired="false" packetSize="65536" tomcatAuthentication="false" URIEncoding="UTF-8"/>
  • Save the file and then restart the Apache Tomcat Service.
 
Note 5: After upgrading tomcat to latest version ,Tomcat may throw 403 error. To fix the issue 
 
  • Edit the C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml file and add the allowedRequestAttributesPattern=".*" option to the AJP/1.3 connector.
For example:
 
 <Connector port="8009" protocol="AJP/1.3" secretRequired="false" packetSize="65536" tomcatAuthentication="false" URIEncoding="UTF-8" allowedRequestAttributesPattern=".*"/>
  • Save the file and then restart the Apache Tomcat Service.
How to integrate IIS and the FootPrints Service Core 12 Tomcat server
  1. Install the Web Server Role (If it is not already installed). The Web Server role must be installed on the FootPrints Service Core server. In addition to the Web Server role, the following sub-components of the Web Server role must also be installed:
    • CGI
    • ISAPI Extensions
    • ISAPI Filters
    • Windows Authentication
NOTE: If the intention of integrating IIS with Tomcat is to be able to use Web Server Authentication in FootPrints, the WebDAV extension must not be installed as it is known to cause Server Error: Method Not Allowed errors when saving tickets and other items.
  1. Download the IIS Tomcat connector (isapi_redirect.dll) from here. Make sure to download the most current and correct version for your operating system. For example, if you are installing on a 64-bit Windows system, download the 64-bit connector dll (tomcat-connectors-1.2.40-windows-x86_64-iis.zip or version newer than 1.2.40 if available).
  2. Create a folder on the application server and named isapi. For example:
C:\isapi
  1. Copy the isapi_redirect.dll file to the isapi folder.
NOTE: When creating the text files below, be sure the files are named exactly as specified below (WITHOUT the ".txt" extension). Additionally, it is recommended to disable "Hide File Extensions for known file types", for the folders in the event that when the file is named incorrectly, the file will be immediately seen and the filename corrected.
  1. Create a text file in the isapi folder named:(change the text file to PROPERTIES file type)
workers.properties

See the NOTE immediately above step 5.
  1. Add the following text to the workers.properties file:
worker.list=servicecore
worker.servicecore.host=localhost
worker.servicecore.port=8009
worker.servicecore.type=ajp13
worker.servicecore.max_packet_size=65536

 

  1. Save and close the workers.properties file.
  2. Create a text file in the isapi folder named:(change the text file to PROPERTIES file type)
See the NOTE immediately above step 5.

uriworkermap.properties
  1. Add the following text to the uriworkermap.properties file:
Note: If you had configured Tomcat to serve Footprints on a site other than the default /footprints/servicedesk/ directory, please adjust the value below. 
/footprints/servicedesk/*=servicecore
  1. Save and close the uriworkermap.properties file.
  2. Create a text file in the isapi folder named: (change the text file to PROPERTIES file type)
See the NOTE immediately above step 5.

isapi_redirect.properties
  1. Add the following text to the isapi_redirect.properties file:
Note: If you had configured Tomcat to serve Footprints on a site other than the default /footprints/servicedesk/ directory, please adjust the extension_uri value below. 
extension_uri=/footprints/servicedesk/isapi_redirect.dll
log_file=$(JKISAPI_PATH)\..\logs\$(JKISAPI_NAME).log
log_level=info
worker_file=C:\isapi\workers.properties
worker_mount_file=C:\isapi\uriworkermap.properties

 
  1. Save and close the isapi_redirect.properties file.
  2. Start the Internet Information Services (IIS) Manager.
  3. Select the Server node (The root node which represents the web server).
  4. Open the "ISAPI and CGI Restrictions" feature.
  5. Add a new Restriction.
  6. In the "ISAPI or CGI path" field, browse to and select the isapi_redirect.dll file from the isapi folder.
  7. Enter "Service Core" in the "Description" field.
  8. Check the "Allow extension path to execute" box.
  9. Save and close the "Add ISAPI of CGI Restriction" dialog.
  10. Select the "Default Web Site" (or the web site you want to use for FootPrints Service Core).
  11. Open the "ISAPI Filters" feature.
  12. Add a new ISAPI Filter.
  13. In the "Filter name" field enter "Service Core".
  14. In the "Executable" field, browse to and select the isapi_redirect.dll from the isapi folder.
  15. Save and close the "Add ISAPI Filter" dialog.
  16. Select the "Default Web Site" (or the web site you want to use for FootPrints Service Core).
  17. Open the "Handler Mappings" feature.
  18. Click the "Edit Feature Permissions" link in the "Actions" panel.
  19. Check the "Read", "Script" and "Execute" boxes.
  20. Save and close the "Edit Feature Permissions" dialog.
  21. Create the IIS virtual directory. NOTE:: The IIS virtual directory path must match the path of FootPrints Service Core on the Tomcat server. These instructions assume the default paths were used (footprints/servicedesk). If a different path was used, create the virtual directories to match the path on the Tomcat server. Failure to use the same path may results in IIS error "403 Forbidden".
    1. Right click the "Default Web Site" and select "Add Virtual Directory?".
    2. Enter "footprints" in the "Alias" field.
    3. In the "Physical Path" field, browse to and select the isapi folder.
    4. Save and close the "Add Virtual Directory" dialog.
    5. Select the newly created virtual directory named "footprints".
    6. Right click the "footprints" virtual directory and select "Add Virtual Directory".
    7. Enter "servicedesk" in the "Alias" field.
    8. In the "Physical Path" field, browse to and select the isapi folder.
    9. Save and close the "Add Virtual Directory" dialog.
  22. Select the "servicedesk" virtual directory.
  23. Open the "Handler Mappings" feature.
  24. Click the "Edit Feature Permissions" link in the "Actions" panel.
  25. Check the "Read", "Script" and "Execute" boxes.
  26. Save and close the "Edit Feature Permissions" dialog.
  27. Select the "servicedesk" virtual directory.
  28. Open the "Default Document" feature.
  29. Click the "Enable" link in the "Actions" panel. NOTE: If there is only a "Disable" link, the feature is already enabled. Your Tomcat/IIS integration is now complete. If Tomcat and IIS have been integrated for the purpose of using Web Server Authentication, advance to the NEXT step. If not using Web Server Authentication, then skip ahead to step 48 (restart Tomcat).
  30. Select the "servicedesk" virtual directory.
  31. Open the "Authentication" feature.
  32. Select "Anonymous Authentication" and click the "Disable" link in the "Actions" panel.
  33. Select "Windows Authentication" and click the "Enable" link in the "Actions" panel.
  34. Select the "Default Web Site".
  35. Open the "Request Filtering" module from feature panel.
  36. Click on "Edit Feature Settings…" link in the Actions panel to the right.
  37. Change the value of “Maximum URL length” and “Maximum query string” to be "65536" and click OK.
  38. Open server.xml in your Tomcat installation folder. For example: C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml, or C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml
  39. Replace the following lines: 
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    with: 
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    
 <Connector port="8009" protocol="AJP/1.3" secretRequired="false" packetSize="65536" tomcatAuthentication="false" URIEncoding="UTF-8" allowedRequestAttributesPattern=".*"/>
    WARNING! Please copy the line exactly as it is shown. The new attribute (tomcatAuthentication) is case sensitive so it is important that it matches exactly or it will not work.
  40. Restart Tomcat.
  41. Restart IIS:
    1. Right click the Server node (The root node which represents the web server)
    2. Select "Stop".
    3. Right click the Server node (The root node which represents the web server).
    4. Select "Start"
  42. IIS is now configured to forward all FootPrints Service Core requests to the Tomcat server. You can test this by browsing to http://localhost/footprints/servicedesk (or http://FPservername/footprints/servicedesk if accessing from a client computer) on the FootPrints Service Core application server.

If it is desired to enable Web Server Authentication, see the article for enabling Web Server Authentication in FootPrints Service Core 12.


Troubleshooting:

When using IIS Redirect to support Footprints Web Server Authentication and using HTTPS/SSL in IIS, you can get an error using Footprints Scheduled reports.  Please see this article:
Footprints 12 Auto-Run Report Errors

If you miss the steps to update the Apache Tomcat server.xml file, you can get the error described in this article.
FPSC 12 - Message: Header message of length [65,532] received but the packetSize is only [8,192]

If there are problems uploading files larger then 30MB, you will have to follow the directions below to change the settings in IIS 7 or IIS 8.
"Invalid response - Unable to decode server's response to JSON" error occurs when attempting to upload attachment larger than 30MB

Did you install FootPrints 12.XX - 20.XX using a different url then /footprints/servicedesk?
Change all of the instructions to use the different URL in creating the ISAPI redirect and IIS configuration, per the note instructions.

Upgrade tomcat from 7 to 8.5:
https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000164588

to add to the tomcat upgrade process, please note below point if you using IIS integration :
In order to process passthrough authentication, the NTFS file permissions on isapi_redirect.dll must allow the groups "IIS_IUSRS" and and "Authenticated Users" Read/Execute permissions.  Because Tomcat 7.0 and Tomcat 8.5 install to different directory paths, the permissions will not be inherited from the previous installation.

NOTE:
Performance may be slower when integrating IIS as additional "hops" have to be performed via the third party application IIS.

NOTE:
These are the instructions to configure IIS integration with FootPrints. 
Any changes in IIS that deviates from these has a possibility of breaking the integration.




 
FootPrints
FootPrints
FootPrints 12.XX - 20.XX
FootPrints
FootPrints
FootPrints 12.XX - 20.XX
Attachment(s):