Jenkins WAR on external Tomcat returns 404 after upgrade (Tomcat 9→10, Jenkins 2.528.3, Java 21)

Hi all,
I run Jenkins as a WAR deployed on external Tomcat (not the standalone Jenkins service). After an OS upgrade + Jenkins upgrade attempt, Jenkins UI started returning HTTP 404.

Environment

• OS: RHEL8
• Java: OpenJDK/Java 21 (java -version shows 21.x)
• Jenkins WAR tested:
  • 2.462.3 (previous)
  • 2.528.3 (current LTS WAR)
• Tomcat:
  • 9.0.37 (original)
  • 10.1.24 (installed for testing)
• Jenkins deployed as ROOT webapp:
  • /apps/instances/jenkins/webapps/ROOT.war

Symptoms

Jenkins endpoints return 404:

curl -kI https://127.0.0.1:8443/login
HTTP/1.1 404

WAR exists and is expanded:

ls -ltr /apps/instances/jenkins/webapps
ROOT.war
ROOT/

Tomcat logs

AJP connector error:

Failed to start component [Connector[AJP/1.3-8901]]
IllegalArgumentException: AJP secretRequired="true" but secret is null/empty

Jenkins context fails:

SEVERE: One or more listeners failed to start
SEVERE: Context [] startup failed due to previous errors

I also saw this servlet API mismatch at one point:

NoClassDefFoundError: jakarta/servlet/http/HttpSessionListener
ClassNotFoundException: jakarta.servlet.http.HttpSessionListener

Tomcat 10 server.xml has both connectors:

Connector port="8080"
Connector port="8443"

Questions

1. What is the supported combo for Jenkins 2.528.x + Tomcat 9 vs Tomcat 10?
2. For WAR deployments, what is the correct way to avoid 404 (ROOT context + JENKINS_HOME)?
3. Should AJP be disabled, or configured with a secret for Jenkins WAR deployments?

Thanks!

Tomcat 9 doesn’t work with Jenkins 2.528.3 as that Jenkins version requires EE9 which is not supported by Tomcat 9.
Jenkins on Tomcat is not tested by the Jenkins project.
I would try without the AJP but I don’t know if that works. I switched long time ago away from Tomcat to the built-in Jetty.

Thank you mawinter69