AJP connector fails to start in Jira Server due to secretRequired misconfiguration
Problem
When Jira is configured to use the AJP protocol with Apache Tomcat 8.5.51 or higher (bundled with Jira 8.11 and newer), the connector may fail to start and the following exception is thrown in the server logs (found in the $Jira_INSTALL/logs folder):
16-Aug-2020 23:56:00.578 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-9165]]
org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1102)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1100)
... 12 more
If you are unsure about the Tomcat version bundled with your Jira please check this page.
Cause
This error happens because Apache Tomcat 8.5.51 and newer have the secretRequired parameter set to true by default. When secretRequired is true, the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String.
Resolution
A secret must be set on the AJP connector in server.xml, and it must match the existing AJP configuration at the proxy level. For reference on this configuration, please visit the official mod_proxy_ajp documentation. Keep in mind that this secret also needs to be defined on the reverse proxy (e.g. on ProxyPass), and that this option is available in Apache HTTPD since version 2.5. Another potential solution is to disable this requirement by specifying secretRequired="false" in server.xml; however, this is not recommended due to security concerns.
To be clear:
Options such as the secret option of Tomcat... can just be added as a separate parameter at the end of ProxyPass or BalancerMember. This parameter is available in Apache HTTP Server 2.4.42 and later.
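The following check is an added example, not part of the original article or of any Atlassian tooling. It reads a server.xml and an Apache HTTPD configuration, flags AJP connectors that would hit the startup error described above, and verifies that the secret on ProxyPass or BalancerMember matches the connector. The sample configurations, ports, paths and the CHANGE_ME secret are constructed placeholders, and the default of secretRequired="true" assumes Tomcat 8.5.51 or newer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (placeholder secret, hypothetical ports and paths).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8"/>
  <Connector port="8010" protocol="AJP/1.3" secretRequired="false"/>
  <Connector port="8011" protocol="AJP/1.3" secret="CHANGE_ME"/>
</Service></Server>"""
HTTPD_CONF = """
ProxyPass /jira ajp://localhost:8011/jira secret=CHANGE_ME
ProxyPass /old ajp://localhost:8009/old
"""

def proxy_secrets(httpd_conf):
    """Map AJP backend port -> secret= value (None if absent) per proxy line."""
    found = {}
    for line in httpd_conf.splitlines():
        m = re.match(r"\s*(?:ProxyPass|BalancerMember)\b.*?ajp://[^\s:/]+:(\d+)", line)
        if m:
            s = re.search(r"\bsecret=(\S+)", line)
            found[m.group(1)] = s.group(1) if s else None
    return found

def audit(server_xml, httpd_conf):
    """Return {port: finding} for every AJP connector in server.xml."""
    proxies = proxy_secrets(httpd_conf)
    report = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in c.get("protocol", "").lower():
            continue  # HTTP connectors are not affected
        port = c.get("port")
        secret = c.get("secret") or ""
        # Assumption: Tomcat 8.5.51+ where secretRequired defaults to true.
        required = c.get("secretRequired", "true").lower() == "true"
        if required and not secret:
            report[port] = "FAIL_TO_START: secretRequired is true but secret is empty"
        elif not secret:
            report[port] = "NOT_RECOMMENDED: secretRequired=false and no secret"
        elif proxies.get(port) != secret:
            report[port] = "MISMATCH: proxy secret differs or is missing"
        else:
            report[port] = "OK"
    return report

if __name__ == "__main__":
    for port, finding in audit(SERVER_XML, HTTPD_CONF).items():
        print(port, finding)
```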