Re: High cpu on Tomcat 8
On 03/05/2015 11:25, Greg Huber wrote: Hello, After an upgrade to Tomcat 8.0.21 and (Oracle jdk1.8.0_40) I seem to be having an erratic high cpu issue, often when the server gets busy. The application was OK tomcat 7 and has not been modified since the upgrade. Use ps to get the thread ID of the thread that is using the CPU. Take a thread dump and find what that thread is doing (you'll need to convert the thread ID from decimal to hex). It is the stack trace of that thread that will be interesting. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
startStopThreads=2 lets Tomcat kill my threads
Hello, I have an application deployed to a Tomcat 8.0.5 which uses the ServletContextListener to do something when Tomcat stops. This task takes about 45 seconds. This wasn't a problem until I learned that I could speed up the Tomcat 8 startup time by parallel instantiation of my webapps by adding the startStopThreads attribute to the Host tag in the server.xml. Now, when Tomcat stops, it seems to interrupt or stop my Thread, because it doesn't print out anything anymore (even a System.out.println isn't shown in the log so I don't think it is because just log4j is stopped). Why does Tomcat wait nicely with startStopThreads removed, and why can't he wait when I use startStopThreads? The behavior of killing webapps the hard way when using startStopThreads isn't documented also. Regards, Daniel Migowski IKOffice UNTERNEHMENSSOFTWARE IKOffice GmbH Daniel Migowski Mail: dmigow...@ikoffice.demailto:dmigow...@ikoffice.de Marie-Curie-Straße 1 Tel.: +49 (0)441 21 98 89 52 26129 Oldenburg Fax.: +49 (0)441 21 98 89 55 http://www.ikoffice.dehttp://www.ikoffice.de/ Mob.: +49 (0)176 22 31 20 76 Geschäftsführer: Ingo Kuhlmann, Daniel Migowski Amtsgericht Oldenburg: HRB 201467 Steuernummer: 64/211/01864
Re: High cpu on Tomcat 8
Thanks, I am going to up the memory. The profiler I used only highlighted the ajp-apr-8009-Poller as active. Terminating the thread stopped the high cpu. Cheers Greg On 4 May 2015 at 10:18, Mark Thomas ma...@apache.org wrote: On 03/05/2015 11:25, Greg Huber wrote: Hello, After an upgrade to Tomcat 8.0.21 and (Oracle jdk1.8.0_40) I seem to be having an erratic high cpu issue, often when the server gets busy. The application was OK tomcat 7 and has not been modified since the upgrade. Use ps to get the thread ID of the thread that is using the CPU. Take a thread dump and find what that thread is doing (you'll need to convert the thread ID from decimal to hex). It is the stack trace of that thread that will be interesting. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while Configuring SSL in tomcat6
On Sun, May 3, 2015 at 7:48 PM, jairaj kamal jairaj.ka...@gmail.com wrote: Hello, I created a keystore via Keytool, CSR file and received below root and intermediate certificates. I have got both TestRoot.cer TestCA.cer certificates imported in keystore via keytool but still in browser it shows in red and looks issue with certificate is not resolved yet. Do i need to convert dot extension of above certs to PKCS12 format, how to resolve it ? There's a lot that could be going on here. You need to try and narrow down the problem. 1.) Include the Connector / tag from `conf/server.xml` so we can see how you've configured Tomcat. 2.) Include the exact version of Tomcat you're using. 3.) Are you connecting directly to Tomcat or is there an HTTPD or some other server acting as a reverse proxy in between? 4.) Look at the certificate as displayed by your browser. In Chrome, click the lock in the tool bar, other browsers are similar. Look at the details on the certificate and see what certificate you're being presented. Is it the once that you purchased? or perhaps an older self-signed on? That should get you started. Dan *Jairaj Kamal*
Re: High cpu on Tomcat 8
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Greg, On 5/4/15 7:13 AM, Greg Huber wrote: Thanks, I am going to up the memory. The profiler I used only highlighted the ajp-apr-8009-Poller as active. Terminating the thread stopped the high cpu. ... and probably killed your ability to process requests, unless you configured more than one Poller thread. Have you set a pollerThreadCount? If so, what is it? If not, you might want to consider setting it to 2, but probably not any higher, and see if it improves things. The Poller thread is responsible for handling all blocking-style I/O both into and out of your servlets. When your site gets busy, this thread will be doing a lot of work. When the CPU usage goes high, does the server actually slow down? - -chris On 4 May 2015 at 10:18, Mark Thomas ma...@apache.org wrote: On 03/05/2015 11:25, Greg Huber wrote: Hello, After an upgrade to Tomcat 8.0.21 and (Oracle jdk1.8.0_40) I seem to be having an erratic high cpu issue, often when the server gets busy. The application was OK tomcat 7 and has not been modified since the upgrade. Use ps to get the thread ID of the thread that is using the CPU. Take a thread dump and find what that thread is doing (you'll need to convert the thread ID from decimal to hex). It is the stack trace of that thread that will be interesting. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVR35yAAoJEBzwKT+lPKRYamAQAIYQMdBZLRueevXz71rqJxpA Ij1lEpK4FlXrY1hukAKEX0k/yyiLc2UkXeI0DZtstKNiDDyEo+KmsykvjlTjUmAt mvyhicQ3zhvlNaLIFYBwUIHNqzx+dBmgF/w75pkxKrDOj7MMx7gIFxPGXlTj2+XH 1tt8uWgvHhElKnROjG+jU2bG3/wqZyXfSnT+SsfNhQQE6r0W3MRqJh/0X808GgWO bSJdfk2Dz03/OksrEzK9cVV5/f4zB2Ggce/Uw+4qtZ0jj0jhRd9JXdaJlRFpPfbM EdjDeOVmsJz6oqP+IvSEvtJjQY9RR6iJB8SkyWph64stxRQeeOBFzUsBIDWLTK+d kB4/9HgGpnld8LaDEr3hrY2uXmtjEVwgkVzs1TKVpFipaACePuHG/3aa81/j0mMC wP1iLSzt3SrjI2Z0dXlOszcB5DlQIiInqFG3PpTD8Wfr63hjX7m43zEdepamTX7d eIjyu+TGX1Z+8yZabQzt+IPqGlk2uozafFiJOyxvwAbfBFqmF+rTKxOnYLMS67U7 nFx50rXx/Xq1TCCsWbX4L1s0Y7Gh1G3DAtVTCLFKI+O3oW5aSUTed0trwUcE+oEP VXYkRvSqDTcxJp+fXszz/yJGJxo3Yy46wfgX4WgGf9FZBdJ8XNchzOTPZp/qlqNa WrehBe11KsKgy21Hc+Lz =Hooe -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: startStopThreads=2 lets Tomcat kill my threads
2015-05-04 13:58 GMT+03:00 Daniel Migowski dmigow...@ikoffice.de: Hello, I have an application deployed to a Tomcat 8.0.5 which uses the ServletContextListener to do something when Tomcat stops. This task takes about 45 seconds. This wasn't a problem until I learned that I could speed up the Tomcat 8 startup time by parallel instantiation of my webapps by adding the startStopThreads attribute to the Host tag in the server.xml. Now, when Tomcat stops, it seems to interrupt or stop my Thread, because it doesn't print out anything anymore (even a System.out.println isn't shown in the log so I don't think it is because just log4j is stopped). Why does Tomcat wait nicely with startStopThreads removed, and why can't he wait when I use startStopThreads? The behavior of killing webapps the hard way when using startStopThreads isn't documented also. There is no such feature as killing an app that has ServletContextListener that is running. If ServletContextListener has spawned additional threads and does not wait for them, they may die naturally when web application classloader stops (as they cannot load any more classes beyond that point). Memory leak prevention code may kill threads, but only if you explicitly configure it to do so. But default it just prints diagnostic messages about those. There exist configurable 'unloadDelay' property on Context. The current version of Tomcat 8 is 8.0.21. Whatever your several-years-old 8.0.5 does -- hardly anyone remembers now. You may read the mailing list archives from several years ago. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: High cpu on Tomcat 8
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Greg, On 5/3/15 2:30 PM, Greg Huber wrote: Thanks for the reply, I will up the memory on the heap space and have another go with the profiler if happens again. When I was looking at the thread dumps there were no other active threads other than the ajp-apr-8009-Poller so maybe it is only a memory issue. No, the Poller thread can be quite active, but you will only see it in a few configurations because it mostly blocks on select(), and then notifies other threads that their I/O work is done. Car analogy: it's the distributor cap of all the bytes flying around the container. - -chris On 3 May 2015 at 17:35, Felix Schumacher felix.schumac...@internetallee.de wrote: Am 3. Mai 2015 12:25:53 MESZ, schrieb Greg Huber gregh3...@gmail.com: Hello, After an upgrade to Tomcat 8.0.21 and (Oracle jdk1.8.0_40) I seem to be having an erratic high cpu issue, often when the server gets busy. The application was OK tomcat 7 and has not been modified since the upgrade. I use mod_jk / apache # # workers.properties # # Define 1 real worker using ajp13 worker.list=worker1 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=localhost worker.worker1.port=8009 worker.worker1.lbfactor=50 worker.worker1.socket_keepalive=1 Here are my startup options: Tomcat 7 JAVA_OPTS=-Xms128M -Xmx512m -XX:MaxPermSize=256m Tomcat 8 (java 8 does not support MaxPermSize) JAVA_OPTS=-Xms128M -Xmx512m I believe java 8 combines the permgen into the heap space, so it is possible, that you run out of space now that you use java 8. Use jstat, jvisualvm or jconsole to look at your gc cycles. They can consume a lot of cpu. If I trace the thread it seems to be related to ajp-apr-8009-Poller ajp-apr-8009-Poller #26 daemon prio=5 os_prio=0 tid=0x7ffe300bd000 nid=0xc82 runnable [0x7ffdd1fd1000] java.lang.Thread.State: RUNNABLE at sun.misc.Unsafe.unpark(Native Method) This thread does nothing. at java.util.concurrent.locks.LockSupport.unpark(LockSupport.java:141) at java.util.concurrent.locks.AbstractQueuedSynchronizer.unparkSuccesso r(AbstractQueuedSynchronizer.java:662) at java.util.concurrent.locks.AbstractQueuedSynchronizer.release(Abstra ctQueuedSynchronizer.java:1264) at java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:4 57) at java.util.concurrent.LinkedBlockingQueue.signalNotEmpty(LinkedBlocki ngQueue.java:176) at java.util.concurrent.LinkedBlockingQueue.offer(LinkedBlockingQueue.j ava:430) at org.apache.tomcat.util.threads.TaskQueue.offer(TaskQueue.java:74) at org.apache.tomcat.util.threads.TaskQueue.offer(TaskQueue.java:31) at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.j ava:1361) at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(ThreadPool Executor.java:161) at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(ThreadPool Executor.java:141) at org.apache.tomcat.util.net.AprEndpoint.processSocket(AprEndpoint.jav a:896) at org.apache.tomcat.util.net.AprEndpoint$Poller.null (Redefined) at java.lang.Thread.run(Redefined) ajp-apr-8009-Poller #26 daemon prio=5 os_prio=0 tid=0x7ffe300bd000 nid=0xc82 runnable [0x7ffdd1fd1000] java.lang.Thread.State: WAITING (parking) at sun.misc.Unsafe.park(Native Method) This thread does nothing, either. - parking to wait for 0xe4a05160 (a java.util.concurrent.locks.ReentrantLock$NonfairSync) at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175) at java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckIn terrupt(AbstractQueuedSynchronizer.java:836) at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireQueued( AbstractQueuedSynchronizer.java:870) at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquire(Abstra ctQueuedSynchronizer.java:1199) at java.util.concurrent.locks.ReentrantLock$NonfairSync.lock(ReentrantL ock.java:209) at java.util.concurrent.locks.ReentrantLock.lock(ReentrantLock.java:285 ) at java.util.concurrent.LinkedBlockingQueue.signalNotEmpty(LinkedBlocki ngQueue.java:172) at java.util.concurrent.LinkedBlockingQueue.offer(LinkedBlockingQueue.j ava:430) at org.apache.tomcat.util.threads.TaskQueue.offer(TaskQueue.java:74) at org.apache.tomcat.util.threads.TaskQueue.offer(TaskQueue.java:31) at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.j ava:1361) at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(ThreadPool Executor.java:161) at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(ThreadPool Executor.java:141) at org.apache.tomcat.util.net.AprEndpoint.processSocket(AprEndpoint.jav a:896) at org.apache.tomcat.util.net.AprEndpoint$Poller.null (Redefined) at java.lang.Thread.run(Redefined) Killing the thread stops the cpu, but then
RE: High cpu on Tomcat 8
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: High cpu on Tomcat 8 Car analogy: it's the distributor cap of all the bytes flying around the container. You're dating yourself :-) Haven't seen a distributor on a car in many years. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while Configuring SSL in tomcat6
Hi, Please find my response inline as below. Also *this is for Tomcat version 6* 1.) Include the Connector / tag from `conf/server.xml` so we can see how you've configured Tomcat - Below is what I added Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true keystoreFile=C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore keystorePass=report2web clientAuth=false sslProtocol=TLS / 2.) Include the exact version of Tomcat you're using - Tomcat version 6 3.) Are you connecting directly to Tomcat or is there an HTTPD or some other server acting as a reverse proxy in between? - *not by HTTPD but Connecting via url https://hostname:8443/r2wpublisher/ https://hostname:8443/r2wpublisher/* 4.) Look at the certificate as displayed by your browser. In Chrome, click the lock in the tool bar, other browsers are similar. Look at the details on the certificate and see what certificate you're being presented. Is it the once that you purchased? or perhaps an older self-signed on? - *Yes this is what I purchased but its displays error as This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.* *Earlier I used below commands to configure SSL* #Keystore creation keytool -genkey -alias report2web -keyalg RSA -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore #CSR generation keytool -certreq -keyalg RSA -alias report2web -file C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.csr -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore #Root Certificate Import keytool -import -alias root -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer #SSL Certificate Import keytool -import -alias nedr2wqajob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\TestCA.cer *Jairaj Kamal* On Mon, May 4, 2015 at 6:39 AM, Daniel Mikusa dmik...@pivotal.io wrote: On Sun, May 3, 2015 at 7:48 PM, jairaj kamal jairaj.ka...@gmail.com wrote: Hello, I created a keystore via Keytool, CSR file and received below root and intermediate certificates. I have got both TestRoot.cer TestCA.cer certificates imported in keystore via keytool but still in browser it shows in red and looks issue with certificate is not resolved yet. Do i need to convert dot extension of above certs to PKCS12 format, how to resolve it ? There's a lot that could be going on here. You need to try and narrow down the problem. 1.) Include the Connector / tag from `conf/server.xml` so we can see how you've configured Tomcat. 2.) Include the exact version of Tomcat you're using. 3.) Are you connecting directly to Tomcat or is there an HTTPD or some other server acting as a reverse proxy in between? 4.) Look at the certificate as displayed by your browser. In Chrome, click the lock in the tool bar, other browsers are similar. Look at the details on the certificate and see what certificate you're being presented. Is it the once that you purchased? or perhaps an older self-signed on? That should get you started. Dan *Jairaj Kamal*
Re: High cpu on Tomcat 8
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chuck, On 5/4/15 10:23 AM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: High cpu on Tomcat 8 Car analogy: it's the distributor cap of all the bytes flying around the container. You're dating yourself :-) Haven't seen a distributor on a car in many years. The analogy is still reasonably accurate :) Wait 'till I explain which part of Tomcat is the Leiden Jar. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVR4WkAAoJEBzwKT+lPKRYZDwP/2e99U6sxIRWsI+HdXp09yMz uNrvoBeH31KpbZcn5SfIbXcxppBSU0rKrDWyqbDLezVVso4c3b+4FnS0VRVtMzwU 0+jID3BBpi/iIy//x3JkUjewTIuFisj4AI+LBD3Z6D3W9kMITmgWKeUSJ2ZcEVpY GiIIf78hfhz8uMLGO82LGbnWCjyRzuDMpMxUl5iIBtJd/GWUhaJ0p8t1dfT11LhG 44enEDqiZYoYzw2Cv8qY7T/a0EMLcBktjOBkzwK0y1CICiBIgefqsCc+oEYfRV5f A6Xa6BTIf3MG9s77tndO3vQNNKjIv+tsgQemk9rigH6eraPP8nZ4wvP1eILTgfS3 hr8Zi9xQBhI2QWsj65t/qtU1d461VicUdywwAK/enQXxd9G57cjM7gI/Eei8zv3Z Hbk4fUWpBurMSNmFWMrc7KYFg58CiL5IMOERoDuOYA2+wjjglrZODGNVLpdBillQ FI17Hl/XRQJ9Xpk8oq5TykEQ6SPOdPrYJc3jqqo1j0Gzw8NjAYVaBLm+r+jRYew1 5Uiv9UmI9QhNUiDGJu8EbmkTTykKj0Preh/F97lEIg9B8clOepNnOnEHE6hmQ5rU gKwF3h1CZ6Y5lBcenAcTzDpib3wSZ4fSZNbC9T+1f/iPMCAS1k/wc4gk3442xB2M ValgdrHXYwAS+iUnPjts =mVFU -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while Configuring SSL in tomcat6
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jairaj, On 5/4/15 10:38 AM, jairaj kamal wrote: Hi, Please find my response inline as below. Also *this is for Tomcat version 6* 1.) Include the Connector / tag from `conf/server.xml` so we can see how you've configured Tomcat - Below is what I added Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true keystoreFile=C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.key store keystorePass=report2web clientAuth=false sslProtocol=TLS / 2.) Include the exact version of Tomcat you're using - Tomcat version 6 There have been 43 versions of Tomcat 6 released. Which one? Are you using the APR-enabled connector or the JSSE one? Since you are using a Java Keystore, I'm assuming JSSE, but it's worth asking; the setup is completely different for the two. 3.) Are you connecting directly to Tomcat or is there an HTTPD or some other server acting as a reverse proxy in between? - *not by HTTPD but Connecting via url https://hostname:8443/r2wpublisher/ https://hostname:8443/r2wpublisher/* 4.) Look at the certificate as displayed by your browser. In Chrome, click the lock in the tool bar, other browsers are similar. Look at the details on the certificate and see what certificate you're being presented. Is it the once that you purchased? or perhaps an older self-signed on? - *Yes this is what I purchased but its displays error as This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.* What is the certificate chain that Chrome shows you? Start with your own certificate and go up toward the root CA. Does it show every certificate that you put into your keystore? Perhaps you are missing one or more intermediate certificates. *Earlier I used below commands to configure SSL* #Keystore creation keytool -genkey -alias report2web -keyalg RSA -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore #CSR generation keytool -certreq -keyalg RSA -alias report2web -file C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.csr -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore #Root Certificate Import keytool -import -alias root -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer #SSL Certificate Import keytool -import -alias nedr2wqajob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\TestCA.cer At some point, you need to re-import your own certificate. Which certificate is the one you got signed? TestCA.cer or TestRoot.cer? Also, nearly every certificate authority requires that you install an intermediate certificate between your cert and the CA's root cert. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVR4bUAAoJEBzwKT+lPKRYXbYQAIHG5Xs1/NJixM6nPwhPOgWm hnVdHXykk11+/fBIjs/ooS4iyNTkUqtACGFT8VCPQVA4/P/90aOnoSuVzaKLFZ3a nJkqdV0xDiLFuqzdb2I2alNvwMAYvNMApgG1yjuBiusq/fbjQFNUIP+8FVce4sP2 za4O5ZNw42GkWLaIvOXQuY4jaOS7Gg/CJnI+igU4QkEGN5At40s5Rgf2IuVUo0Dk R65ywzn9yTYsNjNzy2w/QtxZkY7qn9h0gfenKL6XUFR35t2ppSDO8uNKxvotKuj6 5ahVHcfSnSxsFB2LISFbNH4H67hGpYgNaUL1Ox758zTD9jZ5jFXG2RBfb+gfav4W FocCZXG38lWfCcaDcMZhi+s/shTACWOvXmf14gJNeCqYRz92rVm3+y0moMj5by+S VWwvbaL3ga3pvxqx8ALtFXBffCDiiFBy2QnxYNOBqefoK9jyFnOMnPuf+nyBsqfZ XXvU640p/LXIEfTn0vtPuVF4C1k0nzFOQiHRIxCCbh26mxd1PwiS55Xhfto6QiXn 9LwBQnJuSVypGs9A4us+6z6kPlSQXq+i03CO8h7A91gCVnqoaQ2GPK1tJQ/IA5RX t49PtHq688UFOUrf/7GQMiJy5uE0ESxCruPlRndcPgh67gXw30aNKy3Wf7nzFfwy VE7gxva/v8YJqGhMP25L =nzQT -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Does the securePort for Cluster/Channel/Receiver work yet?
Hi List This was all done with tomcat-7.0.27 (sorry for being behind) I just tried with 8.0.21 with the same result. I would even appreciate a don't bother trying response from someone with better insight into the code. I'm also not complaining about a missing feature, the only bug may be in the documentation :-) Cheers Pascal
Re: High cpu on Tomcat 8
Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: High cpu on Tomcat 8 Car analogy: it's the distributor cap of all the bytes flying around the container. You're dating yourself :-) Haven't seen a distributor on a car in many years. Hey, my car has one. Which probably dates me too, and my car.. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while Configuring SSL in tomcat6
Hello, when I checked with below command I find my keystore created type as JKS and we are using tool Keytool. Initially we received 2 certificates TestRoot.cer Test.cer, when found things not working, we are now trying to import certs of PKCS#12 format (.pfk) via Keytool *#Testing Keystore type* *D:\Program Files (x86)\Java\jdk1.6.0_27\binkeytool -list -v -keystore C:\Users\* *svcr2wadmin\nedr2wqajob1\Test.keystore* *Enter keystore password:* *Keystore type: JKS* *Keystore provider: SUN* *#Earlier tried steps:* keytool -genkey -alias report2web -keyalg RSA -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore keytool -certreq -keyalg RSA -alias report2web -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.csr -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore keytool -import -alias root -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer keytool -import -alias *nedr2wqajob1 *-keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.cer Then also did below keytool -import -alias nedr2wjob1_non_prod_p7b -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx # But Below is the error coming while importing the latest .pfx certificated shared D:\Program Files (x86)\Java\jdk1.6.0_27\binkeytool -import -alias nedr2wjob1QAJob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\*Test.pfx* Enter keystore password: *keytool error: java.lang.Exception: Input not an X.509 certificate* #Certificate status as observed in the browser 1. nedr2wqajob1 is the alias name of certificate Test.cer - It shows for non Root certificate as Your connection to *nedr2wqajob1 *is encrypted with obsolete cryptography, The connections uses TLS 1.0. The connection uses AES_128_CBC with SHA1 for message authentication and DHE_RSA as the key exchange mechanism. 2. Error message showing in chrome browser as below “This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.” Let me know what to do to resolve this ? *Jairaj Kamal* On Mon, May 4, 2015 at 6:51 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jairaj, On 5/4/15 5:35 PM, jairaj kamal wrote: Attached find the error coming in browser,looks to be issue with Root certificate. This list strips attachments. Please copy/paste any messages into the text of your post. Also we tried PKCS#12 format certs but getting below Error The keystore format won't change what gets sent to the client. D:\Program Files (x86)\Java\jdk1.6.0_27\binkeytool -import -alias nedr2wjob1_no n_prod_p7b -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keysto re -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b Enter keystore password: *keytool error: java.lang.Exception: Input not an X.509 certificate* If you really have a PKCS12 keystore, they you'll need to specify the keystore type on the command-line. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVSAYcAAoJEBzwKT+lPKRYLREQAMPD6shOiwK7On4wTmMbsuJR ifabn95GXN4ia+L80IlvqyY17Mjfe1VzMYsVhLgpJRiEQmSMoy3ChxbeD+2h3Pzc 38GXZWg8anBHaHqceQDhaiHW2HYNW1HV7IzG22gYDlfi0zwv8JYbpxqQXr7Kf+9q CtO8sUt4hTxWW9zYl5mTa2xB7vXr7jl5k0UTTCF7nNuraXGhFBWifebYZ1AxFJEp aP6n80rglMC9/K4SVCGRaGjGbHKcN7fiJX1InswWNnGzfWgIvt4HxlZeQwNFrQaa N35MGu9pINQ/iofrW/7M5Vp1oqQNMWRSRpU6t9QK3FO6crfNpIuNxmwf46oeEiQh 7HKF+sBmWlWC4QTdpdMiHNg1Ux2XhZrOzpo657QdrLKPKKLHAqtqcmrlJDTCs6Bs lI7NvQXMpMyc466Q0EvemQPkjoyeYr2uRJo8pcscATrvPPqD+chqEstgc6UjHDsZ NQqgDIPxPjKrZf1RUj3oEM693ezMCcvTICAMWbcjzTXrrDBFRPFgrM7gSrGjd/ib 17XsI5+cO3Rc4Ai3d6ss+uMf2HI7/DRQwYEs1h4dUu4Ug1WmRTOEEXV4nFkDUGBS AkoQqx77phGcy3XiASB0Dc96CrkbkVXCtmPYf2RH5OXivzkIztn78WSexWv4q01L sP/r1a2F394bEExnUXIX =7onF -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while Configuring SSL in tomcat6
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jairaj, On 5/4/15 5:35 PM, jairaj kamal wrote: Attached find the error coming in browser,looks to be issue with Root certificate. This list strips attachments. Please copy/paste any messages into the text of your post. Also we tried PKCS#12 format certs but getting below Error The keystore format won't change what gets sent to the client. D:\Program Files (x86)\Java\jdk1.6.0_27\binkeytool -import -alias nedr2wjob1_no n_prod_p7b -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keysto re -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b Enter keystore password: *keytool error: java.lang.Exception: Input not an X.509 certificate* If you really have a PKCS12 keystore, they you'll need to specify the keystore type on the command-line. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVSAYcAAoJEBzwKT+lPKRYLREQAMPD6shOiwK7On4wTmMbsuJR ifabn95GXN4ia+L80IlvqyY17Mjfe1VzMYsVhLgpJRiEQmSMoy3ChxbeD+2h3Pzc 38GXZWg8anBHaHqceQDhaiHW2HYNW1HV7IzG22gYDlfi0zwv8JYbpxqQXr7Kf+9q CtO8sUt4hTxWW9zYl5mTa2xB7vXr7jl5k0UTTCF7nNuraXGhFBWifebYZ1AxFJEp aP6n80rglMC9/K4SVCGRaGjGbHKcN7fiJX1InswWNnGzfWgIvt4HxlZeQwNFrQaa N35MGu9pINQ/iofrW/7M5Vp1oqQNMWRSRpU6t9QK3FO6crfNpIuNxmwf46oeEiQh 7HKF+sBmWlWC4QTdpdMiHNg1Ux2XhZrOzpo657QdrLKPKKLHAqtqcmrlJDTCs6Bs lI7NvQXMpMyc466Q0EvemQPkjoyeYr2uRJo8pcscATrvPPqD+chqEstgc6UjHDsZ NQqgDIPxPjKrZf1RUj3oEM693ezMCcvTICAMWbcjzTXrrDBFRPFgrM7gSrGjd/ib 17XsI5+cO3Rc4Ai3d6ss+uMf2HI7/DRQwYEs1h4dUu4Ug1WmRTOEEXV4nFkDUGBS AkoQqx77phGcy3XiASB0Dc96CrkbkVXCtmPYf2RH5OXivzkIztn78WSexWv4q01L sP/r1a2F394bEExnUXIX =7onF -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Does the securePort for Cluster/Channel/Receiver work yet?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Pascal, On 5/4/15 10:56 AM, pascal wrote: This was all done with tomcat-7.0.27 (sorry for being behind) I just tried with 8.0.21 with the same result. I would even appreciate a don't bother trying response from someone with better insight into the code. I'm also not complaining about a missing feature, the only bug may be in the documentation :-) If possible, please repeat your tests with 7.0.latest. Tons of fixes have been made to the clustering components within Tomcat. That being said, I don't believe there are any supported options for secure communications for clustering. If you are using static membership, you could use stunnel or OpenVPN or something similar to encrypt your traffic. I'm not sure if OpenVPN can tunnel multicast, but if you have a network interface (and therefore IP address) that is exclusively for accessing OpenVPN, then you should be able to encrypt the traffic regardless of the type (TCP, UDP, ICMP, unicast, multicast, etc.). (I could be wrong about everything, here. I've never set up clustering with Tomcat and am by no means an expert.) Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVR9LcAAoJEBzwKT+lPKRY61QP/2DaZA3lEUaSWtJV69q4T+mC tt0fO7UYUpNL5yJDugJGQ9hq7d+a/v5xsrc1A0zOtKrF9oalE/5vtjKbIGp/1hdg Q0PVqvWOBLlQKJ2G0iXxoLYVm5MhIMdxl2/CmXEfNz5sGph4UQFFmNlGRX41dzEE rPJpMuJi+ehCExbBu/huLk8EtAbBqz2FFzvmLnukCx6WmBEw+Fnw7oXP9ngcgS1M 8nScWrn1IawbtHE2FLU+2KzPoSaZW1rrOQTJ5oY9tgc0hEDxM69+qvVuIVRvXrU2 gLA2R8DMa40tJi4ue9RlChNj+7J8lxw+LfC488DM6AUqrGy0TbhWz6tOv/9rqUNB qnrCoxLmoZfdDxZ18FIoRllBrgbARzqN6gmzkZ74+VkXr/7jWMjkgs0R7rAeFCY3 f/zAPkWZSDmD6hJpYSgncv3qF09O//XSNZKu5EW/6pPjeQ86SZLMjpz4A1cqoG/h nz/Iziv3y87qRAWz84vncJErRs/mk2LyLZCsbuoRkH4EJFUtvDqa4XKnp2cJuDpB xyqwMNj3lKb814566B8At9usijlWBZrk1KhQkOKSLjq98kF1E0Ff3o9wXAO9no9v yYt20R3pzUdHIFsgrom0ROXJ1S36bv/Fdxpkg5LsEyYz+Ev98yWunRZQMRvlzDXi b89xEZpJyGnFcg2C8XEf =Ezsh -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while Configuring SSL in tomcat6
Hi, Attached find the error coming in browser,looks to be issue with Root certificate. Also we tried PKCS#12 format certs but getting below Error D:\Program Files (x86)\Java\jdk1.6.0_27\binkeytool -import -alias nedr2wjob1_no n_prod_p7b -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keysto re -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b Enter keystore password: *keytool error: java.lang.Exception: Input not an X.509 certificate* *Jairaj Kamal* On Mon, May 4, 2015 at 9:48 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jairaj, On 5/4/15 10:38 AM, jairaj kamal wrote: Hi, Please find my response inline as below. Also *this is for Tomcat version 6* 1.) Include the Connector / tag from `conf/server.xml` so we can see how you've configured Tomcat - Below is what I added Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true maxThreads=150 scheme=https secure=true keystoreFile=C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.key store keystorePass=report2web clientAuth=false sslProtocol=TLS / 2.) Include the exact version of Tomcat you're using - Tomcat version 6 There have been 43 versions of Tomcat 6 released. Which one? Are you using the APR-enabled connector or the JSSE one? Since you are using a Java Keystore, I'm assuming JSSE, but it's worth asking; the setup is completely different for the two. 3.) Are you connecting directly to Tomcat or is there an HTTPD or some other server acting as a reverse proxy in between? - *not by HTTPD but Connecting via url https://hostname:8443/r2wpublisher/ https://hostname:8443/r2wpublisher/* 4.) Look at the certificate as displayed by your browser. In Chrome, click the lock in the tool bar, other browsers are similar. Look at the details on the certificate and see what certificate you're being presented. Is it the once that you purchased? or perhaps an older self-signed on? - *Yes this is what I purchased but its displays error as This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.* What is the certificate chain that Chrome shows you? Start with your own certificate and go up toward the root CA. Does it show every certificate that you put into your keystore? Perhaps you are missing one or more intermediate certificates. *Earlier I used below commands to configure SSL* #Keystore creation keytool -genkey -alias report2web -keyalg RSA -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore #CSR generation keytool -certreq -keyalg RSA -alias report2web -file C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.csr -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore #Root Certificate Import keytool -import -alias root -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer #SSL Certificate Import keytool -import -alias nedr2wqajob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\TestCA.cer At some point, you need to re-import your own certificate. Which certificate is the one you got signed? TestCA.cer or TestRoot.cer? Also, nearly every certificate authority requires that you install an intermediate certificate between your cert and the CA's root cert. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVR4bUAAoJEBzwKT+lPKRYXbYQAIHG5Xs1/NJixM6nPwhPOgWm hnVdHXykk11+/fBIjs/ooS4iyNTkUqtACGFT8VCPQVA4/P/90aOnoSuVzaKLFZ3a nJkqdV0xDiLFuqzdb2I2alNvwMAYvNMApgG1yjuBiusq/fbjQFNUIP+8FVce4sP2 za4O5ZNw42GkWLaIvOXQuY4jaOS7Gg/CJnI+igU4QkEGN5At40s5Rgf2IuVUo0Dk R65ywzn9yTYsNjNzy2w/QtxZkY7qn9h0gfenKL6XUFR35t2ppSDO8uNKxvotKuj6 5ahVHcfSnSxsFB2LISFbNH4H67hGpYgNaUL1Ox758zTD9jZ5jFXG2RBfb+gfav4W FocCZXG38lWfCcaDcMZhi+s/shTACWOvXmf14gJNeCqYRz92rVm3+y0moMj5by+S VWwvbaL3ga3pvxqx8ALtFXBffCDiiFBy2QnxYNOBqefoK9jyFnOMnPuf+nyBsqfZ XXvU640p/LXIEfTn0vtPuVF4C1k0nzFOQiHRIxCCbh26mxd1PwiS55Xhfto6QiXn 9LwBQnJuSVypGs9A4us+6z6kPlSQXq+i03CO8h7A91gCVnqoaQ2GPK1tJQ/IA5RX t49PtHq688UFOUrf/7GQMiJy5uE0ESxCruPlRndcPgh67gXw30aNKy3Wf7nzFfwy VE7gxva/v8YJqGhMP25L =nzQT -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Exception in Tomcat7 when closing stream, server crashes
On 4/30/15, 10:17 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Osman, On 4/30/15 10:07 AM, Osman Ullah | Ntrepid Corp wrote: Just an update. We have been doing some testing and we might not be seeing Tomcat actually go down with 7.0.61. The errors are still occurring but it is possible it may not be crashing. We were seeing the crash with 7.0.56. I¹ll post an update once have done some more thorough testing. Lots of little things are being cleaned-up in and around the connectors as well as tcnative lately. Using the latest Tomcat will improve the stability of tcnative, because if the Java code has been mis-tracking the state of the connection, the native code can sometimes fall-over. I've tried to prevent actual crashes as much as possible, but the result in those cases is that the connection is totally trashed. I'm not sure if Tomcat is recycling those trashed connections, but every release improves the situation. It would be even better if you could move up to Tomcat 8. Lots more refactoring of the connectors has taken place there and so all connectors are more stable. I'm excited about the upcoming Tomcat 9 because the connector code has been nearly unified. This ought to make all of the connectors rock-solid . - -chris Chris, We were able to replicate the crash with the versions I mentioned earlier. Do you have any suggestions as to what else we can do? One thing I was going to try was that if I get a ClientAbortException when trying to flush the output stream, I will not close the stream. I just don¹t know if this is safe or it will cause some kind of long term issues. Thanks, Osman smime.p7s Description: S/MIME cryptographic signature
