AJP (Apache JServ Protocol) is the binary protocol that a front-end web server such as Apache HTTPD (via mod_jk or mod_proxy_ajp) uses to forward requests to Tomcat. Tomcat treats anything arriving on the AJP connector as already trusted, which is why the Ghostcat vulnerability (CVE-2020-1938) is serious: an attacker who can reach the AJP port directly can read any file inside a deployed web application, including WEB-INF/web.xml, and, if the application also lets users upload files, execute code. Fixes shipped in Tomcat 7.0.100, 8.5.51 and 9.0.31; those releases also bind AJP to localhost by default and require a shared secret on the connector. Installing the latest version of Tomcat is highly recommended. To further mitigate attacks, QSI also advises that AJP be bound to localhost, so that only the HTTPD instance on the same machine can reach it. Here is how to do so:
- Stop TEAMS-RDS Services
  - Windows: Start -> Programs -> TEAMS-RDS -> Stop TEAMS-RDS Services
  - Linux: Stop the Tomcat service, e.g. systemctl stop tomcat
- Open the Tomcat server configuration file
  - Windows: %RDS_BASE%\jakarta-tomcat\conf\server.xml
  - Linux: $TOMCAT_HOME/conf/server.xml
- Bind AJP to localhost
  - Windows: Update the line
    <Connector port="8319" protocol="AJP/1.3" URIEncoding="UTF-8"/>
    to
    <Connector port="8319" address="127.0.0.1" protocol="AJP/1.3" URIEncoding="UTF-8"/>
  - Linux: Add the attribute address with the value 127.0.0.1 to the <Connector> element whose protocol attribute is AJP/1.3
  - Note: a connector with no address attribute listens on every interface. If Apache HTTPD runs on a different host than Tomcat, binding to 127.0.0.1 will break the proxy; in that case bind to the internal interface only, firewall the port, and set a secret attribute on the connector (required by default in the fixed Tomcat releases).
- Start TEAMS-RDS Services
  - Windows: Start -> Programs -> TEAMS-RDS -> Start TEAMS-RDS Services
  - Linux: Start the Tomcat service, e.g. systemctl start tomcat
- Verify that the connector now listens only on loopback
  - Windows: netstat -ano | findstr 8319 should show 127.0.0.1:8319, not 0.0.0.0:8319
  - Linux: ss -ltn | grep 8319 should show 127.0.0.1:8319, not 0.0.0.0:8319
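The following script is an added example, not part of the QSI advisory or the TEAMS-RDS product. It checks a server.xml for the exposure described above, produces the hardened connector the steps call for, and parses ss -ltn output to confirm the post-restart state. The server.xml fragment and the ss output are constructed to mirror the advisory's connector on port 8319; the function names and the finding codes are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a server.xml with the AJP connector as the advisory
# shows it before the fix: no address attribute, so it listens on 0.0.0.0.
UNBOUND_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8319" protocol="AJP/1.3" URIEncoding="UTF-8"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _is_ajp(connector):
    # Tomcat's default protocol is HTTP/1.1; AJP connectors say "AJP/1.3"
    # or the explicit class name org.apache.coyote.ajp.AjpNioProtocol.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.upper().startswith("AJP") or ".ajp." in proto


def audit_ajp_connectors(server_xml):
    """Return (port, code) findings for every AJP connector in server.xml.

    UNBOUND       no address attribute, so the connector listens on all interfaces
    NON_LOOPBACK  address set, but to something other than loopback
    NO_SECRET     no shared secret; fixed Tomcat releases refuse to start such a
                  connector unless secretRequired="false" is set explicitly
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not _is_ajp(conn):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append((port, "UNBOUND"))
        elif address not in LOOPBACK:
            findings.append((port, "NON_LOOPBACK"))
        if conn.get("secret") is None:
            findings.append((port, "NO_SECRET"))
    return findings


def bind_ajp_to_localhost(server_xml, address="127.0.0.1"):
    """Return (new_xml, number_of_connectors_changed) with address=... added
    to every AJP connector that lacks it. ElementTree drops XML comments on
    output, so use this to see what the hand edit should produce rather than
    to overwrite a commented production server.xml."""
    root = ET.fromstring(server_xml)
    changed = 0
    for conn in root.iter("Connector"):
        if _is_ajp(conn) and conn.get("address") is None:
            conn.set("address", address)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed `ss -ltn` output before and after the restart (Linux side of
# the verify step in the advisory).
SS_OUTPUT_BEFORE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100          0.0.0.0:8319       0.0.0.0:*
LISTEN 0      100          0.0.0.0:8080       0.0.0.0:*
"""
SS_OUTPUT_AFTER = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100        127.0.0.1:8319       0.0.0.0:*
LISTEN 0      100          0.0.0.0:8080       0.0.0.0:*
"""


def listeners_on_port(ss_output, port="8319"):
    """Return the local addresses bound to `port` in `ss -ltn` output.
    rpartition on ':' keeps IPv6 forms such as [::]:8319 intact."""
    addrs = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        host, _, p = fields[3].rpartition(":")
        if p == port:
            addrs.append(host)
    return addrs


if __name__ == "__main__":
    print("before:", audit_ajp_connectors(UNBOUND_SERVER_XML))
    fixed_xml, n = bind_ajp_to_localhost(UNBOUND_SERVER_XML)
    print(f"changed {n} connector(s); after:", audit_ajp_connectors(fixed_xml))
    print("listening on 8319:", listeners_on_port(SS_OUTPUT_AFTER))
```

The audit still reports NO_SECRET after the address is added; that is intentional, since binding to loopback stops remote Ghostcat but does nothing against a local process that can open the port, and the shared secret is what the patched Tomcat releases expect in any case.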