Re: AJP protocol with Apache Tomcat Version 7.0.52
Hi Dan, We are using apache web server provided along with RHEL.So I believe we are getting back port fixes. In the threaddump we are seeing the below long running threads many times.As mentioned, we are using AJP(with BIO) and tomacat 7.0.52. I wanted to know if this will cause any issues like system hung over a period of time. Also we are thinking of NIO protocol instead of BIO for AJP ajp-bio-10.181.42.51-9011-exec-112 daemon prio=10 tid=0x161aa000 nid=0x776c runnable [0x2b23c3c64000] java.lang.Thread.State: RUNNABLE at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:152) at java.net.SocketInputStream.read(SocketInputStream.java:122) at org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:309) at org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:364) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:121) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313) - locked 0x0007b25a5b58 (a org.apache.tomcat.util.net.SocketWrapper) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) Locked ownable synchronizers: - 0x0007b25e7618 (a java.util.concurrent.ThreadPoolExecutor$Worker) Regards, Ravi -- View this message in context: http://tomcat.10.x6.nabble.com/AJP-protocol-with-Apache-Tomcat-Version-7-0-52-tp5017650p5017727.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 7 cannot get ciphers with SHA256 or SHA384
I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for TLSv1.2. I then configured a list of strong ciphers only, that I wanted to use. Connector port=8443 protocol=org.apache.coyote.http11.Http11NioProtocol maxThreads=150 clientAuth=false SSLEnabled=true scheme=https secure=true sslProtocol=TLSv1.2 sslEnabledProtocols=TLSv1.2 keyAlias=tomcat keystoreFile=/usr/share/tomcat/.keystore keystorePass=** keystoreType=JKS ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 / I have tried running Tomcat with Java 7 and Java 8. Both of these should support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384. I have downloaded the Java cryptographic extensions policy files for both Java 7 and Java 8. The only way I get a connection is when I add the following ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA According to the specification all these ciphers are correct names: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites According to the implementation in JSSE provider they are implemented as well to work with TLSv1.2 http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later. Also how come SSLLabs SSLTest tells me I do not have forward secrecy and are using RC4 ciphers. Thought when I set a limited list of ciphers only those can be used. I tried to edit /usr/sbin/tomcat-sysd (which is started by service tomcat) to enable SSL debugging, but nothing shows up in the log files exec ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \ -classpath $CLASSPATH \ -Dcatalina.base=$CATALINA_BASE \ -Dcatalina.home=$CATALINA_HOME \ -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \ -Djava.io.tmpdir=$CATALINA_TMPDIR ${DSECURITY_MANAGER} \ -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \ -Djavax.net.debug=ssl \ org.apache.catalina.startup.Bootstrap start
tomcat6 context path attribute
Hello, I have a war app-0.0.1 with a context.xml in META-INF : ?xml version=1.0? !DOCTYPE Context Context path=/app /Context When I deploy it, in CATALINA_BASE\conf\Catalina\localhost a file app-0.0.1.xml is created. When I call localhost:8080/app I got 404 localhost:8080/app-0.0.1 I got 200 I have try ?xml version=1.0? !DOCTYPE Context Context path=/app docBase=../webapps/app-0.0.1.war /Context with the same result Did i miss nothing? I using tomcat 6.0.39 Regards
Re: tomcat6 context path attribute
2014-05-21 15:05 GMT+04:00 philippe rouxel prouxel.pa...@gmail.com: Hello, I have a war app-0.0.1 with a context.xml in META-INF : ?xml version=1.0? !DOCTYPE Context Context path=/app /Context When I deploy it, in CATALINA_BASE\conf\Catalina\localhost a file app-0.0.1.xml is created. When I call localhost:8080/app I got 404 localhost:8080/app-0.0.1 I got 200 I have try ?xml version=1.0? !DOCTYPE Context Context path=/app docBase=../webapps/app-0.0.1.war /Context with the same result Did i miss nothing? I using tomcat 6.0.39 Read Configuration Reference Guide. The path attribute is described there. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Why is my Tomcat connection getting terminated/closed?!!
On Tue, May 20, 2014 at 5:28 PM, Daniel Mikusa dmik...@gopivotal.comwrote: On May 20, 2014, at 7:47 AM, Aniket Bhoi aniket.b...@gmail.com wrote: It has been working perfectly fine thus far.As far as i have analysed there have been no changes to the firewall or database settings.I will however try and implement your suggestion to setup a validation query. 1.) Don’t top post. Reply inline, like this, or at the bottom. This is the convention we follow on this list. 2.) The fact that you have not recently changed your firewall or database settings doesn’t really mean much. The problem may have not happened before because it just didn’t get triggered. From the db / firewall side, what commonly causes this is a timeout. The connection is open and idle for too long and either the DB server or firewall disconnects it. Perhaps the connections just haven’t idled long enough until now. 3.) It’s generally good practice to have a validation query / testOnBorrow (or one of the other tests) enabled. If you didn’t have this before, you should consider adding it regardless of the problem. It can help with other things too. Dan I checked the code and the server settings,and We already have validation query and testOnBorrow in place.We found out from our data management team,that there have been many sleeping connections from the tomcat servers to the database. Sleeping threads = http://dinesql.blogspot.in/2010/07/sql-server-sleeping-status-and.html We got those connection threads killed just to make sure there the connection pool limit isnt breached.However even after cleaning up those connection threads to the DB ,we still gett the same exception. Aniket On Tue, May 20, 2014 at 5:12 PM, Daniel Mikusa dmik...@gopivotal.com wrote: On May 20, 2014, at 7:35 AM, Aniket Bhoi aniket.b...@gmail.com wrote: I have Apache Solr,hosted on my apache Tomcat Server Details: Tomcat version: Apache Tomcat/6.0.18 This is really, really old. You should upgrade. OS details SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 1 While running indexing on this server,It failed. Log excerpt: SEVERE: Can not close connection java.sql.SQLException: Already closed. Hard to say why this is happening (database server setting, firewall, bad code, etc.) but something is closing the connection and not telling the pool. You can work around this by setting a validation query on your connection pool and enabling “testOnBorrow”. That will instruct the pool to check connections before they are given out. Bad connections will be closed and replaced, if needed. Dan at org.apache.tomcat.dbcp.dbcp.PoolableConnection.close(PoolableConnection.java:84) at org.apache.tomcat.dbcp.dbcp.PoolingDataSource$PoolGuardConnectionWrapper.close(PoolingDataSource.java:189) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.closeResources(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.hasnext(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.access$500(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator$1.hasNext(Unknown Source) at org.apache.solr.handler.dataimport.EntityProcessorBase.getNext(Unknown Source) at org.apache.solr.handler.dataimport.SqlEntityProcessor.nextRow(Unknown Source) at org.apache.solr.handler.dataimport.ThreadedEntityProcessorWrapper.nextRow(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner.runAThread(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner.access$000(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner$1.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) I suspect this to be an issue with the tomcat connection thread to the database being terminated/timed out. Need help as to why this is happening!. Regards Aniket - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Why is my Tomcat connection getting terminated/closed?!!
2014-05-21 13:28 GMT+02:00 Aniket Bhoi aniket.b...@gmail.com: On Tue, May 20, 2014 at 5:28 PM, Daniel Mikusa dmik...@gopivotal.comwrote: On May 20, 2014, at 7:47 AM, Aniket Bhoi aniket.b...@gmail.com wrote: It has been working perfectly fine thus far.As far as i have analysed there have been no changes to the firewall or database settings.I will however try and implement your suggestion to setup a validation query. 1.) Don’t top post. Reply inline, like this, or at the bottom. This is the convention we follow on this list. 2.) The fact that you have not recently changed your firewall or database settings doesn’t really mean much. The problem may have not happened before because it just didn’t get triggered. From the db / firewall side, what commonly causes this is a timeout. The connection is open and idle for too long and either the DB server or firewall disconnects it. Perhaps the connections just haven’t idled long enough until now. 3.) It’s generally good practice to have a validation query / testOnBorrow (or one of the other tests) enabled. If you didn’t have this before, you should consider adding it regardless of the problem. It can help with other things too. Dan I checked the code and the server settings,and We already have validation query and testOnBorrow in place.We found out from our data management team,that there have been many sleeping connections from the tomcat servers to the database. Sleeping threads = http://dinesql.blogspot.in/2010/07/sql-server-sleeping-status-and.html We got those connection threads killed just to make sure there the connection pool limit isnt breached.However even after cleaning up those connection threads to the DB ,we still gett the same exception. Aniket Another option is to set testOnReturn=true. As your problem is closing connections already closed ,test them before returning them to pool. Maybe it works. On Tue, May 20, 2014 at 5:12 PM, Daniel Mikusa dmik...@gopivotal.com wrote: On May 20, 2014, at 7:35 AM, Aniket Bhoi aniket.b...@gmail.com wrote: I have Apache Solr,hosted on my apache Tomcat Server Details: Tomcat version: Apache Tomcat/6.0.18 This is really, really old. You should upgrade. OS details SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 1 While running indexing on this server,It failed. Log excerpt: SEVERE: Can not close connection java.sql.SQLException: Already closed. Hard to say why this is happening (database server setting, firewall, bad code, etc.) but something is closing the connection and not telling the pool. You can work around this by setting a validation query on your connection pool and enabling “testOnBorrow”. That will instruct the pool to check connections before they are given out. Bad connections will be closed and replaced, if needed. Dan at org.apache.tomcat.dbcp.dbcp.PoolableConnection.close(PoolableConnection.java:84) at org.apache.tomcat.dbcp.dbcp.PoolingDataSource$PoolGuardConnectionWrapper.close(PoolingDataSource.java:189) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.closeResources(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.hasnext(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.access$500(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator$1.hasNext(Unknown Source) at org.apache.solr.handler.dataimport.EntityProcessorBase.getNext(Unknown Source) at org.apache.solr.handler.dataimport.SqlEntityProcessor.nextRow(Unknown Source) at org.apache.solr.handler.dataimport.ThreadedEntityProcessorWrapper.nextRow(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner.runAThread(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner.access$000(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner$1.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) I suspect this to be an issue with the tomcat connection thread to the database being terminated/timed out. Need help as to why this is happening!. Regards Aniket - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Why is my Tomcat connection getting terminated/closed?!!
On May 21, 2014, at 7:28 AM, Aniket Bhoi aniket.b...@gmail.com wrote: On Tue, May 20, 2014 at 5:28 PM, Daniel Mikusa dmik...@gopivotal.comwrote: On May 20, 2014, at 7:47 AM, Aniket Bhoi aniket.b...@gmail.com wrote: It has been working perfectly fine thus far.As far as i have analysed there have been no changes to the firewall or database settings.I will however try and implement your suggestion to setup a validation query. 1.) Don’t top post. Reply inline, like this, or at the bottom. This is the convention we follow on this list. 2.) The fact that you have not recently changed your firewall or database settings doesn’t really mean much. The problem may have not happened before because it just didn’t get triggered. From the db / firewall side, what commonly causes this is a timeout. The connection is open and idle for too long and either the DB server or firewall disconnects it. Perhaps the connections just haven’t idled long enough until now. 3.) It’s generally good practice to have a validation query / testOnBorrow (or one of the other tests) enabled. If you didn’t have this before, you should consider adding it regardless of the problem. It can help with other things too. Dan I checked the code and the server settings,and We already have validation query and testOnBorrow in place. I suspect that there’s more to it than this. Perhaps you could share your configuration? We found out from our data management team,that there have been many sleeping connections from the tomcat servers to the database. This sounds normal to me. A connection pool will maintain idle connections that do nothing. It sounds like you’re not expecting to see this? Sleeping threads = http://dinesql.blogspot.in/2010/07/sql-server-sleeping-status-and.html We got those connection threads killed just to make sure there the connection pool limit isnt breached. Do you not trust the connection pool? If you set a limit in the pool, it won’t go past that. However even after cleaning up those connection threads to the DB ,we still gett the same exception. Dropping connections from the server side will very likely cause the exception that you’re reporting. Since you’re dropping the connection outside of the pool, the pool has no idea that the connection has been closed. Thus you get the exception you’re reporting. Dan Aniket On Tue, May 20, 2014 at 5:12 PM, Daniel Mikusa dmik...@gopivotal.com wrote: On May 20, 2014, at 7:35 AM, Aniket Bhoi aniket.b...@gmail.com wrote: I have Apache Solr,hosted on my apache Tomcat Server Details: Tomcat version: Apache Tomcat/6.0.18 This is really, really old. You should upgrade. OS details SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 1 While running indexing on this server,It failed. Log excerpt: SEVERE: Can not close connection java.sql.SQLException: Already closed. Hard to say why this is happening (database server setting, firewall, bad code, etc.) but something is closing the connection and not telling the pool. You can work around this by setting a validation query on your connection pool and enabling “testOnBorrow”. That will instruct the pool to check connections before they are given out. Bad connections will be closed and replaced, if needed. Dan at org.apache.tomcat.dbcp.dbcp.PoolableConnection.close(PoolableConnection.java:84) at org.apache.tomcat.dbcp.dbcp.PoolingDataSource$PoolGuardConnectionWrapper.close(PoolingDataSource.java:189) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.closeResources(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.hasnext(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator.access$500(Unknown Source) at org.apache.solr.handler.dataimport.JdbcDataSource$ResultSetIterator$1.hasNext(Unknown Source) at org.apache.solr.handler.dataimport.EntityProcessorBase.getNext(Unknown Source) at org.apache.solr.handler.dataimport.SqlEntityProcessor.nextRow(Unknown Source) at org.apache.solr.handler.dataimport.ThreadedEntityProcessorWrapper.nextRow(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner.runAThread(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner.access$000(Unknown Source) at org.apache.solr.handler.dataimport.DocBuilder$EntityRunner$1.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) I suspect this to be an issue with the tomcat connection thread to the database being terminated/timed out. Need help as to why this is happening!. Regards Aniket
Re: AJP protocol with Apache Tomcat Version 7.0.52
On May 21, 2014, at 2:28 AM, ravishankar_d ravishanka...@infosys.com wrote: Hi Dan, We are using apache web server provided along with RHEL.So I believe we are getting back port fixes. In the threaddump we are seeing the below long running threads many times. At a quick glance it doesn’t seem like it would be problematic, just reading data. As mentioned, we are using AJP(with BIO) and tomacat 7.0.52. I wanted to know if this will cause any issues like system hung over a period of time. Both mod_jk and mod_proxy will keep connections open to Tomcat (i.e. pool them). If not tuned correctly, they can cause you to run out of threads in Tomcat (which could look like Tomcat has hung). One way to test this is to disable the pooling (i.e. disablereuse=Off or JkOptions +DisableReuse). If you disable it and you don’t see any more of these threads then you’ve found the culprit. From there you can either tune the connection pooling or just run with it disabled. Also we are thinking of NIO protocol instead of BIO for AJP A good idea. If you’re trying to troubleshoot this problem, I’d stick with BIO though. NIO may very well just mask the problem. Dan ajp-bio-10.181.42.51-9011-exec-112 daemon prio=10 tid=0x161aa000 nid=0x776c runnable [0x2b23c3c64000] java.lang.Thread.State: RUNNABLE at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:152) at java.net.SocketInputStream.read(SocketInputStream.java:122) at org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:309) at org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:364) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:121) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313) - locked 0x0007b25a5b58 (a org.apache.tomcat.util.net.SocketWrapper) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) Locked ownable synchronizers: - 0x0007b25e7618 (a java.util.concurrent.ThreadPoolExecutor$Worker) Regards, Ravi -- View this message in context: http://tomcat.10.x6.nabble.com/AJP-protocol-with-Apache-Tomcat-Version-7-0-52-tp5017650p5017727.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to monitor performance of tomcat
Hi, There is a correction as JAVA_OPTS variable is defined in catalina.sh under $CATALINA_HOME/bin and we use $CATALINA_HOME/bin/startup.sh to start tomcat. $CATALINA_HOME/bin/startup.sh has the code like below , -- PRGDIR=`dirname $PRG` EXECUTABLE=catalina.sh # Check that target executable exists if $os400; then # -x will Only work on the os400 if the files are: # 1. owned by the user # 2. owned by the PRIMARY group of the user # this will not work if the user belongs in secondary groups eval else if [ ! -x $PRGDIR/$EXECUTABLE ]; then echo Cannot find $PRGDIR/$EXECUTABLE echo The file is absent or does not have execute permission echo This file is needed to run this program exit 1 fi fi -- I had changed catalina.sh in our development environment like a week back and want to implement it in the production environment but I got this doubt. I feel catalina.sh is invoked by startup.sh but am not sure. I have already taken downtime for production tomorrow but I got this doubt whether changing the JAVA_OPTS=$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 to JAVA_OPTS=$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 in catalina.sh would have the affect of increasing the heap Permgen memory in Tomcat. I hope my query is clear as am quite anxious as I have a downtime scheduled tomorrow. Requesting a reply on priority. randhir.si...@sterlite.com wrote: Thanks a lot for your detailed reply. The JAVA_OPTS variable in $CATALINA_HOME/bin/startup.sh has the value as: JAVA_OPTS=$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 I checked for free space on the VM instance with Red Hat Linux as the OS on which the Tomcat is hosted with a total memory of 19 GB, I found that there is around 8 GB of free space in the server. As per your inputs, I am planning to increase the memory allocation for Heap size and PermGen size to almost double as below: JAVA_OPTS=$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 I hope, this should avoid the hang-up issues where Tomcat does not seem to respond. I plan to implement this in the UAT environment at first and see how it goes. Regards -Original Message- From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] Sent: Monday, April 28, 2014 7:39 PM To: 'Randhir Singh' Subject: RE: How to monitor performance of tomcat -Original Message- From: Randhir Singh [mailto:randhir.si...@sterlite.com] Sent: Monday, April 28, 2014 5:47 AM To: Jeffrey Janner; Tomcat Users List Subject: RE: How to monitor performance of tomcat Thanks for your valuable inputs. I am a bit of a novice to this. When this problem happens, it is quite a loss of face in front of the users who are widely spread geographically. I checked the catalina.out logs on the 2 days that the problem happened on 23rd 25th April, the findings are as below: 23rd April '14: The catalina.out log showed the message like, -- - -- - - Caused by: org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://hostname of our machine:4173/?invokerDestructionDelay=5000timeout=30]; nested exception is: java.net.SocketTimeoutException: Read timed out -- - -- - - 3 times among other exceptions in a span of around 2 minutes. 25th April '14: The errors captured in the logs were like, -- - -- - - java.lang.OutOfMemoryError: GC overhead limit exceeded This error specifically means that the JVM is basically spending all of its time doing garbage collection and not really getting any significant amount of memory back for its efforts. The end user experiences this usually as a hung system. It might eventually come back or it might end up with a different, more severe, OOM error. There are lots of various causes for this: too small memory allocation; too much load; an activity generating a lot of objects, most of which persist for a long time; memory leaks; or a combination of the above. How to
Re: How to monitor performance of tomcat
Hi, There is a correction as JAVA_OPTS variable is defined in catalina.sh under $CATALINA_HOME/bin and we use $CATALINA_HOME/bin/startup.sh to start tomcat. $CATALINA_HOME/bin/startup.sh has the code like below , -- PRGDIR=`dirname $PRG` EXECUTABLE=catalina.sh # Check that target executable exists if $os400; then # -x will Only work on the os400 if the files are: # 1. owned by the user # 2. owned by the PRIMARY group of the user # this will not work if the user belongs in secondary groups eval else if [ ! -x $PRGDIR/$EXECUTABLE ]; then echo Cannot find $PRGDIR/$EXECUTABLE echo The file is absent or does not have execute permission echo This file is needed to run this program exit 1 fi fi -- I had changed catalina.sh in our development environment like a week back and want to implement it in the production environment but I got this doubt. I feel catalina.sh is invoked by startup.sh but am not sure. I have already taken downtime for production tomorrow but I got this doubt whether changing the JAVA_OPTS=$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 to JAVA_OPTS=$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 in catalina.sh would have the affect of increasing the heap Permgen memory in Tomcat. I hope my query is clear as am quite anxious as I have a downtime scheduled tomorrow. Requesting a reply on priority. On Mon, May 5, 2014 at 3:37 PM, Randhir Singh randhir.si...@sterlite.comwrote: Thanks Chris for your answer. I researched a lot and want to try out an option for OOME: The JAVA_OPTS variable in $CATALINA_HOME/bin/startup.sh has the value as: JAVA_OPTS=$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 I checked for free space on the VM instance with Red Hat Linux as the OS on which the Tomcat is hosted with a total memory of 19 GB, I found that there is around 8 GB of free space in the server. I am planning to increase the memory allocation for Heap size and PermGen size to almost double as below: JAVA_OPTS=$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399 I hope, this should avoid the hang-up issues where Tomcat does not seem to respond. I plan to implement this in the UAT environment at first and see how it goes. There is another thing I wanted to try. We have RHEL 5.8 Beta (Tikanga) version and lot of updates from Red Hat are pending which can update the version to RHEL 5.10 (Tikanga). Would this patching help as lot of updates are pending? Regards -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Monday, April 28, 2014 6:46 PM To: Tomcat Users List Subject: Re: How to monitor performance of tomcat -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Randir, On 4/28/14, 6:46 AM, Randhir Singh wrote: Thanks for your valuable inputs. I am a bit of a novice to this. When this problem happens, it is quite a loss of face in front of the users who are widely spread geographically. I checked the catalina.out logs on the 2 days that the problem happened on 23rd 25th April, the findings are as below: 23rd April '14: The catalina.out log showed the message like, -- -- --- Caused by: org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://hostname of our machine:4173/?invokerDestructionDelay=5000timeout=30]; nested exception is: java.net.SocketTimeoutException: Read timed out -- -- --- 3 times among other exceptions in a span of around 2 minutes. 25th April '14: The errors captured in the logs were like, -- -- --- java.lang.OutOfMemoryError: GC overhead limit exceeded -- -- --- 4 times among other exceptions in a span of around 2 minutes. Requesting a reply on this. It sounds like you have all kinds of problems: 1. Bad performance under unspecified conditions 2. Application hang
Re: Tomcat 7 Cluster with load balancing only needs to run a service periodically
Thanks for your response. No. I am not allowed to use cron :-) One thing I have been asked to look at is nodes co-ordinating by sending events to each other. But again I am wondering how coordination would take place in case one node goes down. In that case, when it is started again and becomes a part of the cluster, it would try to start services that shoukd run periodically. But its intervals woukd be out of sync wit rest of the clusters. Regards, Suhaas On May 20, 2014 9:11 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Suhaas, On 5/19/14, 11:40 AM, Suhaas Lang wrote: The Tomcat cluster is configured as load balancer only. There is no session replication. So in case a Tomcat node on which the user session is running, dies in that case the session is lost. We do need to run a service on that cluster periodically. Obviously it cannot run on both servers, but at the same time one has to ensure it has to be run on at least one server after certain interval. What is an elegant solution in this case? Use cron with a non-web-based tool? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTe/0ZAAoJEBzwKT+lPKRY7ogQAIBomKhx/ii5MvMs2ip3n08H RLCPHSMg1ZN9TvbWbYfiGY+fxTCf+r/KN+v3YIJ38gbLNgZ++UcZ8cqMZD3tXWk+ bF7eo9BzisSzKLfXqrQ8+KjOpygpMXorMduEGB8dUG9ySx6ntZjD0254EdqaFC5h 6+Z0D59KJ9JS70pbLkkVGRSoWTKGRQPMwuoO/bwtrLcUm2QmbFqAxj/sbFVN3Qas 63c5KcEY1crnxLkr0DkujKuaImJa+qEYntZxXwnbk2I4mBVGNVmsBoRRUYA0Le/M 1JdvEl12alHIbyTQHeEcyCq0KpNqFbeVfXAnYwMg/Sx6Y8JMkv4jzpooCbRvzkJO mZMlOgZKZQ2c94Lqx6Q7u9ZCCOGk1jvcv7R2BzK36rpd/Xv6x6EFLyEHcp86oY4s 2348RtUb0chF4he5UCeeQEHppdJt4zImMCw/Ar5CD0m8mQZBAUjFcjbF1w3RqUmt KPP6VWDMebyZHRS1f18SHDzcArY7+b155rbgXB9HQx262UmA0hPweyNmxRkKxzLR KmZDIVjfpk/+gOdB5HQIp9AgRj6zJhSmt0lUpWCqERlJlCASeOP7MBVaHERzUvJP JCudcBNplxxexXQ+qV3UUmqDZzsbK8PqX1kzCuIVEKkyY6e1F6n6NqGgxHOP5Pbm 3u1Aw2Vm1Vqf/+2N2oiE =jTiU -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: tomcat6 thread locked
-Original Message- From: devoss ind [mailto:devoss@gmail.com] Sent: Tuesday, May 20, 2014 8:29 PM To: Tomcat Users List Subject: Re: tomcat6 thread locked Hi Christopher, Can you suggest stable tomcat and jvm versions. Regards, Devoss. I can: Java 7u55 (1.7.0_55) and Tomcat 7.0.53 Just so happens these are the latest versions of both product. Jeff
Re: where find documentation
Thanks 2014-05-16 22:27 GMT+02:00 Christopher Schultz ch...@christopherschultz.net : -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Francesco, On 5/16/14, 10:01 AM, Арсений Зинченко wrote: I used this one: http://wiki.metawerx.net/wiki/Web.xml 2014-05-15 16:05 GMT+03:00 Francesco Viscomi fvisc...@gmail.com: Hi all, i'm try to find a documentation that describe every tag inside the web.xml file, but i wasn't able to find anything about that on http://tomcat.apache.org/tomcat-5.5-doc/config/context.html someone can help me? thanks in advance; Francesco Italy There's always the servlet specification itself. There is a reference at the end that covers most -- but not all - of the elements. There is also a significant amount of documentation in the XML schemas. You should check those out, too. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTdnSmAAoJEBzwKT+lPKRY0koP/142leN00V+960gu7HMIb0ke tX1hnY7WK0CGdjRi+YC9LvEqmyxn9EThb3MpTn/0eQOIMEOqBYSWJd3mXbEvdZ9P U9Zy/FlWsdUYoJ3oJ9VdrI5OyvYrvl0JwqcToTBXlhFk1ukLkBOjANmqr+/egNYA rjvuuWpoe10OvH1rGfWch7khGnLFCRYgiVy+eBvYojmglcla/2/Jfs8Nyy0At1jk pVOi7K4qwBm6FCZqCcyWJmcVj7p8+j1P6HFRLi7i8B5IM4Rd7aluEyoGISnmwLy4 dGLWkoxlbw2ONAM9tLFPNBSmE3qXu613/rwlVlxadDJcWjUFBb2tERKQyrxN66VJ AEjle3BIjS4YY0Xs4QxVq+8ec/givdDHVwHyGUDrNbBMHH6oJIVSR9IXRTMtDroj I/Xk6ft1sIVYxOGIQpbmcsevYYvupdS1A9n4Q8WOm+tSonrj4YJPfD4JUXUo7S0Y nCShmCqfFCqBZF2bk7k4iMr+b31tdUDutEKI92Ol6r16nLuNFxNIhjMSLopvjXlj 9S9RCkXMmpUxs7WhkmYitJqz3nQ4/cCKLQH5ofXXh3zu9vba0Cdjsd6EFrsdzMTF yuZbzExW0zcnLziWpRfl/tpaqC4Y+3wUljJ4vBqcRfz9O/fkd4YVObkYzFqO4045 QssBF1LlFn9vTTcu+wEk =P0L2 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Ing. Viscomi Francesco
Re: tomcat6 thread locked
On 5/20/2014 8:28 PM, devoss ind wrote: Hi Christopher, Can you suggest stable tomcat and jvm versions. Regards, Devoss. On 20 May 2014 21:32, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Devoss, On 5/19/14, 2:43 AM, devoss ind wrote: Exact Tomcat version is 6.0.16 This version of Tomcat is profoundly old: more than 6 years. There are documented and well-understood vulnerabilities in that (and later) versions of Tomcat 6.0.x that will allow unauthenticated remote attackers to subvert certain authentication mechanisms, mount XSS and CSRF attacks, and trivially launch non-distributed denial-of-service attacks against your server(s). Continued use of it is reckless to be polite. You absolutely positively need to upgrade immediately. OS Version is RHEL Server release 5.3(Tikanga) Java version is 1.6.0_10 All that stuff is fairly old as well. Upgrade Tomcat and your JVM and re-test, please. - -chris On Fri, May 16, 2014 at 9:15 PM, Christopher Schultz ch...@christopherschultz.net wrote: devoss, Exact Tomcat version? OS and version? Java version? On 5/15/14, 12:00 PM, devoss ind wrote: On 7 May 2014 17:37, devoss ind devoss@gmail.com wrote: Hi, Am using tomcat 6, java6 in production environment to run our web application. We found that recently, cpu in top is showing 100% nearly. Then we dig into each thread cpu usage by -H option in top. We found only one thread is taking 100%usage and identified the thread using thread dump. The thread dump for that particular thread which is using 100% usage is as follows... http-8080-exec-3687 daemon prio=10 tid=0x7336f400 nid=0x41a1 runnable [0x619ad000..0x619ade30] java.lang.Thread.State: RUNNABLE at org.apache.coyote.http11.InternalNioOutputBuffer.addToBB(InternalNioOutputBuffer.java:616) - - locked 0x967b22f0 (a org.apache.coyote.http11.InternalNioOutputBuffer) at org.apache.coyote.http11.InternalNioOutputBuffer.commit(InternalNioOutputBuffer.java:608) at org.apache.coyote.http11.Http11NioProcessor.action(Http11NioProcessor.java:1024) at org.apache.coyote.Response.action(Response.java:183) at org.apache.coyote.Response.sendHeaders(Response.java:379) at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:305) at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:288) at org.apache.catalina.connector.Response.flushBuffer(Response.java:548) at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:345) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:144) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:879) at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:719) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:2080) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:619) We can see that above thread is locked due to some problem in NIO. We have verified in tomcat manager also for such thread. We found that a particular thread is taking 14140517ms time and the request in that line is of POST request which is not related to our application. That particular thread is not releasing till we restart tomcat. This is happening frequently. Please help me to find out the root cause of this problem. How to avoid restarts. Our server.xml connector configuration is as follows... Connector port=${http.port} protocol=org.apache.coyote.http11.Http11NioProtocol connectionTimeout=5000 acceptCount=1500 maxThreads=1 redirectPort=8443 / Please help in this thread locking problem. http://tomcat.apache.org/whichversion.html Also, the convention on the Tomcat users list is to respond below the previous message. Please see 6. in: http://tomcat.apache.org/lists.html#tomcat-users -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
Setting only these ciphers in the JSSE connector: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 I wrote a small Java program that makes a HttpsConnection. With it I have no problem making a connection and getting these ciphers. So how come it doesn't work in any browser? As far as I could see Chromium should have support for AES256-GCM. main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 *** Finished verify_data: { 167, 191, 12, 139, 75, 162, 8, 69, 1, 129, 65, 129 } *** main, WRITE: TLSv1.2 Handshake, length = 96 main, READ: TLSv1.2 Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 96 *** Finished verify_data: { 4, 236, 148, 186, 214, 130, 187, 88, 249, 51, 183, 102 } *** %% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] main, WRITE: TLSv1.2 Application Data, length = 224 main, READ: TLSv1.2 Application Data, length = 11472 If I also add the following ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Then my little Java program uses only these and not the GCM ciphers. 2014-05-21 12:21 GMT+02:00 Sverre Moe sverre@gmail.com: I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for TLSv1.2. I then configured a list of strong ciphers only, that I wanted to use. Connector port=8443 protocol=org.apache.coyote.http11.Http11NioProtocol maxThreads=150 clientAuth=false SSLEnabled=true scheme=https secure=true sslProtocol=TLSv1.2 sslEnabledProtocols=TLSv1.2 keyAlias=tomcat keystoreFile=/usr/share/tomcat/.keystore keystorePass=** keystoreType=JKS ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 / I have tried running Tomcat with Java 7 and Java 8. Both of these should support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384. I have downloaded the Java cryptographic extensions policy files for both Java 7 and Java 8. The only way I get a connection is when I add the following ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA According to the specification all these ciphers are correct names: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites According to the implementation in JSSE provider they are implemented as well to work with TLSv1.2 http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later. Also how come SSLLabs SSLTest tells me I do not have forward secrecy and are using RC4 ciphers. Thought when I set a limited list of ciphers only those can be used. I tried to edit /usr/sbin/tomcat-sysd (which is started by service tomcat) to enable SSL debugging, but nothing shows up in the log files exec ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \ -classpath $CLASSPATH \ -Dcatalina.base=$CATALINA_BASE \ -Dcatalina.home=$CATALINA_HOME \ -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \ -Djava.io.tmpdir=$CATALINA_TMPDIR ${DSECURITY_MANAGER} \ -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \ -Djavax.net.debug=ssl \ org.apache.catalina.startup.Bootstrap start
Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384
It looks to me that Chromium does not support the strongest ciphers. The strongest/highest cipher available is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 No support for SHA384 and no AES_256_GCM https://www.ssllabs.com/ssltest/viewMyClient.html Cipher Suites (in order of preference)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy128TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy128TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy128TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy128TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy256TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Forward Secrecy128TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Forward Secrecy128TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy128TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy*128TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy256TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112TLS_RSA_WITH_RC4_128_SHA (0x5)128TLS_RSA_WITH_RC4_128_MD5 (0x4)128(*) Cannot be used for Forward Secrecy because they require DSS keys, which are effectively limited to 1024 bits. 2014-05-21 21:24 GMT+02:00 Sverre Moe sverre@gmail.com: Setting only these ciphers in the JSSE connector: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 I wrote a small Java program that makes a HttpsConnection. With it I have no problem making a connection and getting these ciphers. So how come it doesn't work in any browser? As far as I could see Chromium should have support for AES256-GCM. main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 *** Finished verify_data: { 167, 191, 12, 139, 75, 162, 8, 69, 1, 129, 65, 129 } *** main, WRITE: TLSv1.2 Handshake, length = 96 main, READ: TLSv1.2 Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 96 *** Finished verify_data: { 4, 236, 148, 186, 214, 130, 187, 88, 249, 51, 183, 102 } *** %% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] main, WRITE: TLSv1.2 Application Data, length = 224 main, READ: TLSv1.2 Application Data, length = 11472 If I also add the following ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Then my little Java program uses only these and not the GCM ciphers. 2014-05-21 12:21 GMT+02:00 Sverre Moe sverre@gmail.com: I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for TLSv1.2. I then configured a list of strong ciphers only, that I wanted to use. Connector port=8443 protocol=org.apache.coyote.http11.Http11NioProtocol maxThreads=150 clientAuth=false SSLEnabled=true scheme=https secure=true sslProtocol=TLSv1.2 sslEnabledProtocols=TLSv1.2 keyAlias=tomcat keystoreFile=/usr/share/tomcat/.keystore keystorePass=** keystoreType=JKS ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 / I have tried running Tomcat with Java 7 and Java 8. Both of these should support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384. I have downloaded the Java cryptographic extensions policy files for both Java 7 and Java 8. The only way I get a connection is when I add the following ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA According to the specification all these ciphers are correct names: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites According to the implementation in JSSE provider they are implemented as well to work with TLSv1.2 http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later. Also how come SSLLabs SSLTest tells me I do not have forward secrecy and are using RC4 ciphers. Thought when I set a limited list of ciphers only those can be used. I tried to edit /usr/sbin/tomcat-sysd (which is started by service tomcat) to enable SSL debugging, but nothing shows up in the log files exec ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \ -classpath $CLASSPATH \ -Dcatalina.base=$CATALINA_BASE \ -Dcatalina.home=$CATALINA_HOME \ -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \ -Djava.io.tmpdir=$CATALINA_TMPDIR ${DSECURITY_MANAGER} \ -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties \ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \ -Djavax.net.debug=ssl \ org.apache.catalina.startup.Bootstrap start
Re: AJP protocol with Apache Tomcat Version 7.0.52
At a quick glance it doesn’t seem like it would be problematic, just reading data. The issue is there are 300 such threads waiting One way to test this is to disable the pooling (i.e. disablereuse=Off or JkOptions +DisableReuse). If you disable it and you don’t see any more of these threads then you’ve found the culprit. From there you can either tune the connection pooling or just run with it disabled. Do you have any example configuration which you can refer here? -- View this message in context: http://tomcat.10.x6.nabble.com/AJP-protocol-with-Apache-Tomcat-Version-7-0-52-tp5017650p5017788.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP protocol with Apache Tomcat Version 7.0.52
On May 21, 2014, at 4:03 PM, pradeepgm pradeep...@infosys.com wrote: At a quick glance it doesn’t seem like it would be problematic, just reading data. The issue is there are 300 such threads waiting One way to test this is to disable the pooling (i.e. disablereuse=Off or JkOptions +DisableReuse). If you disable it and you don’t see any more of these threads then you’ve found the culprit. From there you can either tune the connection pooling or just run with it disabled. Do you have any example configuration which you can refer here? How do you have your reverse proxy setup? mod_jk or mod_proxy? Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: AJP protocol with Apache Tomcat Version 7.0.52
We are using mod_jk CAUTION - Disclaimer * This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS End of Disclaimer INFOSYS*** - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to monitor performance of tomcat
Randhir, On 21.5.2014 14:31, Randhir Singh wrote: I had changed catalina.sh in our development environment like a week back and want to implement it in the production environment but I got this doubt. I feel catalina.sh is invoked by startup.sh but am not sure. I have already taken downtime for production tomorrow but I got this doubt whether changing the 1. Don't post the same message twice. It makes volunteers on the list waste their time. 2. Don't top post. Bottom posting is the standard on this list. 3. Don't request/ People are volunteering here. 4. In default Tomcat instalation, catalina.sh is called from startup.sh. 5. Regardless of do you call startup.sh or catalina.sh, environment variables have the same meaning: JAVA_OPTS is used on Tomcat startup and Tomcat shutdown, while CATALINA_OPTS is only used on Tomcat startup. If you place -Xms2048m in JAVA_OPTS it will reserve 2 GB on Tomcat startup, and another 2 GB when you invoke Tomcat shutdown. That is waste of memory. Use CATALINA_OPTS instead. 6. It is not recommended to modify startup.sh or catalina.sh ever. All environment variables should be set in the file bin/setenv.sh. 7. (5.) and (6.) were already pointed out by Chris. Please read answers on the list carefully to show that you respect resources volunteers are allocating for you for free. 8. You may invoke ps -fHA | grep Bootstrap after you start Tomcat, to see if your CATALINA_OPTS reached JVM call. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to monitor performance of tomcat
Thanks Ognjen for your reply. My reply was intended to 2 different people hence it repeated but anyway I would try to take care on this. So now it is clear from your answer that catalina.sh is called from startup.sh in a default installation. Regards On Thu, May 22, 2014 at 3:59 AM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote: Randhir, On 21.5.2014 14:31, Randhir Singh wrote: I had changed catalina.sh in our development environment like a week back and want to implement it in the production environment but I got this doubt. I feel catalina.sh is invoked by startup.sh but am not sure. I have already taken downtime for production tomorrow but I got this doubt whether changing the 1. Don't post the same message twice. It makes volunteers on the list waste their time. 2. Don't top post. Bottom posting is the standard on this list. 3. Don't request/ People are volunteering here. 4. In default Tomcat instalation, catalina.sh is called from startup.sh. 5. Regardless of do you call startup.sh or catalina.sh, environment variables have the same meaning: JAVA_OPTS is used on Tomcat startup and Tomcat shutdown, while CATALINA_OPTS is only used on Tomcat startup. If you place -Xms2048m in JAVA_OPTS it will reserve 2 GB on Tomcat startup, and another 2 GB when you invoke Tomcat shutdown. That is waste of memory. Use CATALINA_OPTS instead. 6. It is not recommended to modify startup.sh or catalina.sh ever. All environment variables should be set in the file bin/setenv.sh. 7. (5.) and (6.) were already pointed out by Chris. Please read answers on the list carefully to show that you respect resources volunteers are allocating for you for free. 8. You may invoke ps -fHA | grep Bootstrap after you start Tomcat, to see if your CATALINA_OPTS reached JVM call. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- *STL Disclaimer:* The content of this message may be legally privileged and confidential and are for the use of the intended recipient(s) only. It should not be read, copied and used by anyone other than the intended recipient(s). If you have received this message in error, please immediately notify the sender, preserve its confidentiality and delete it. Before opening any attachments please check them for viruses and defects. No employee or agent is authorised to conclude any binding agreement on behalf of Sterlite Technologies Limited with another party by email without express written confirmation by authorised person. Visit us at www.sterlitetechnologies.com Please consider environment before printing this email !