Apache Web Server access results in "You don't have permission to access this resource"
Article ID: 420404
Updated On:
Products
Issue/Introduction
While setting up an Apache Web Server setup of Service Desk, the url http://[SDM-SERVER]:80/CAisd/pdmweb.exe returns a message:
Forbidden:
You don't have permission to access this resource
Apache Tomcat does not present with any problems and is accessible.
Examining the /var/log/httpd/access_log and /var/log/httpd/error_log in the Apache Web Server install may show messages such as:
Access Log:
[IP ADDRESS] - - [22/Oct/XXXX:16:14:23 +0200] "GET /CAisd/pdmweb.exe HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Edg/141.0.0.0"
Error log:
[XXX Oct 22 16:14:23.194747 XXXX] [authz_core:error] [pid XXXX:tid XXXX] [client [IP ADDRESS]:53403] AH01630: client denied by server configuration: /opt/CAisd/bopcfg/www/wwwroot/pdmweb.exe
Environment
Release: All SDM Releases running Apache Web Server on Linux
Cause
Apache Web Server has not been configured to execute CGI content correctly. Telltale sign is the "403" code in the access log, which denotes a permissions issue
Resolution
There are two files to be examined: /etc/httpd/conf/httpd.conf and the SDM install directory's bopcfg/www/CAisd_apache.conf
File: httpd.conf
- Locate and backup the /etc/httpd/conf/httpd.conf file in Apache.
- Edit the httpd.conf file and locate this block of text.
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf - Modify the block to include the "LoadModule cgi_module modules/mod_cgi.so" line. Change is highlighted below.
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule cgi_module modules/mod_cgi.so
Include conf.modules.d/*.conf
File: CAisd_apache.conf
- Locate and backup the CAisd_apache.conf file in Apache.
- Edit the CAisd_apache.conf file and locate this block of text:
<Directory /opt/CAisd/bopcfg/www/wwwroot>
ExpiresActive On
ExpiresDefault "access plus 1 day"
Options +ExecCGI
</Directory>
<Directory /opt/CAisd/site/mods/www/wwwroot>
ExpiresActive On
ExpiresDefault "access plus 1 day"
</Directory> - Modify the blocks to include permissions to access the given directories. Change is highlighted below.
<Directory /opt/CAisd/bopcfg/www/wwwroot>
ExpiresActive On
ExpiresDefault "access plus 1 day"
Options +ExecCGI
Require all granted
</Directory>
<Directory /opt/CAisd/site/mods/www/wwwroot>
ExpiresActive On
ExpiresDefault "access plus 1 day"
Require all granted
</Directory> - Recycle Apache Web Services (sudo systemctl restart httpd) and test SDM web access.
Additional Information
The above changes apply specifically to Apache Web Server (httpd) and not Apache Tomcat. These are two distinct implementations of the web server technology developed by Apache, each with their own configuration requirements and settings. Apache Web Server is an optional web component that Service Desk supports on non-Windows implementations, most commonly Linux. Windows would use IIS in its place.
For additional Apache Web Server settings, please see also AHD4409 pdmweb is unable to connect with the webengine error from Apache Web Server Access attempt
Feedback
