No third option, then. But as I said in my first reply, there are still more possibilities to consider.
First, those were indeed the “3” I meant. You simply regarded them as two options. OK. And we will trust that you did enter those 3 (all at once) on the right (ajp) connector line, and restarted Tomcat, and yet still got the 403. In that case, let’s move on to other possibilities.
Second, I wonder if this might be related to a similar problem presented a couple of years ago, here, where someone had similar 403’s that were not being resolved by the above, and though it was a surprise to some, they found they had a ModCFML_SharedKey in their apache conf, and they commented it out (and restarted Apache), and that stopped the problem.
I pressed at the end with some follow-up, but there was never a response. Let us know if you can at least confirm you don’t have one…and not just in your httd.conf (or whatever is your main Apache conf), but consider also that may be being included either explicitly (by named file) or implicitly (all in a named include folder).
Third, if you remain stuck, you may want to at least consider the info in the docs page on setting up Lucee and Apache, particularly its section, “Manually Connecting with mod_proxy_ajp”. While you may not care to use EXACTLY the apache conf lines offered, you could at least see if what’s offered works, and then winnow it down to what you do not want but find you may still need.
Looking forward to the conclusion here.