RE: problem in starting tomcat

2018-06-26 Thread Prateek
Here is the hs_err_pid file


From: Coty Sutherland
Sent: Tuesday, June 26, 2018 10:22 PM
To: Tomcat Users List
Subject: Re: problem in starting tomcat

On Tue, Jun 26, 2018 at 12:27 PM, Prateek Yadav 
wrote:

> Thanks for reply
>  I already tested it for more than one machine so hardware problem can not
> be a case.
>

What happens if you don't specify that OnError call? Can you attach a
fuller stack trace if not the entire hs_err_pid log (make sure there isn't
anything sensitive in there)? If the JVM is crashing you should still get
an hs_err_pid log, but given that the crash is in libc and we don't know
what isegencore.sh is, removing it and getting a clearer stack trace would
be nice.


>
> On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Prateek,
> >
> > On 6/25/18 11:20 PM, Prateek wrote:
> > > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> > > jdk-11(Early-Access)
> > >
> > > When I am trying to start my server I got following error as: A
> > > fatal error has been detected by the Java Runtime Environment: # #
> > > SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> > > version:  (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> > > Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> > > oops, g1 gc, linux-amd64) # Problematic frame: # C
> > > [libc.so.6+0x8128a]  strlen+0x2a
> >
> > Are you running any custom native code (including libtcnative)? If
> > not, either the JVM or your hardware is to blame.
> >
> > First, I'd re-try with a release-quality JVM build instead of the
> > "early access" build, which may have some bugs in it. If that doesn't
> > help, it's time to look at your hardware.
> >
> > Run several rounds of memtest86+ on your hardware to see whether it
> > finds any errors. If you find errors, you have a hardware failure in
> > your CPU, motherboard, or memory, and you'll need to replace one or
> > more components.
> >
> > - -chris
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412
#
# JRE version:  (11.0+18) (build )
# Java VM: Java HotSpot(TM) 64-Bit Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libc.so.6+0x8128a]  strlen+0x2a
#
# Core dump will be written. Default location: /localdisk/corefiles/core.%h.%e.%p
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#

---  S U M M A R Y 


Host: Intel(R) Xeon(R) CPU   X5650  @ 2.67GHz, 2 cores, 7G, Red Hat Enterprise Linux Server release 7.5 (Maipo)
Time: Tue Jun 26 03:09:07 2018 UTC elapsed time: 0 seconds (0d 0h 0m 0s)

---  T H R E A D  ---

Current thread (0x01491c70):  JavaThread "Unknown thread" [_thread_in_vm, id=2412, stack(0x7fffbaa16000,0x7fffbab14000)]

Stack: [0x7fffbaa16000,0x7fffbab14000],  sp=0x7fffbab109b8,  free space=1002k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [libc.so.6+0x8128a]  strlen+0x2a
V  [libjvm.so+0x6030f1]  ClassLoader::setup_bootstrap_search_path()+0x111
V  [libjvm.so+0x60377a]  classLoader_init1()+0x4a
V  [libjvm.so+0x882549]  init_globals()+0x39
V  [libjvm.so+0xde4247]  Threads::create_vm(JavaVMInitArgs*, bool*)+0x327
V  [libjvm.so+0x93f652]  JNI_CreateJavaVM+0x52


siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x

Registers:
RAX=0x, RBX=0x, RCX=0x, 

Re: Production Tomcat 8.5.5 suddenly started to give ClassNotFoundError

2018-06-26 Thread Mladen Adamović
It turned out this problem was caused by a class constructor which started
to give RuntimeException (it has some calculations based on DB data). That
somehow caused ClassNotFoundException. I've solved the cause and had to
reinstall tomcat (as after deleting "work" directory  tomcat did not work
properly).



On Mon, Jun 18, 2018 at 7:46 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Mladen,
>
> On 6/16/18 5:37 AM, Mladen Adamović wrote:
> > Hi all,
> >
> > I have a production Tomcat server and this morning it started to
> > give strange ClassNotFoundError for stuff which was working for
> > years without a problem.
> >
> > I did redeploy app (by copying into the dir and deleting their
> > ROOT), but it didn't solve the issue, same ClassNotFoundException.
> >
> > On the development machine I built a new release, checked that it
> > worked in my localhost (it worked, no ClassNotFoundException), and
> > stopped Tomcat on the production server, moved files from work to
> > work_1 directory (that's specified as deleting the cache), copied
> > the new WAR files into the destination and deleted the previous
> > files.
> >
> > It didn't still solve the issue, now I got even bigger problem JSPs
> > which were working fine previously now they don't work?
> >
> > What could cause this problem? How to fix it (without setting again
> > new production tomcat from scratch)?
>
> It sounds to me like a botched upgrade from a lower version (e.g. 7.0,
> 8.0) to 8.5 if JSPs are no longer working.
>
> Compare the following files in your environment to what Tomcat ships
> with out of the box:
>
>  conf/context.xml
>  conf/web.xml
>
> There should be no changes between what you have on your disk and what
> comes with Tomcat.
>
> If there are no changes, then look at your own application's
> WEB-INF/web.xml to see if you have somehow overridden the *.jsp
> mapping. Finally, look in your application's META-INF/context.xml to
> see if there is anything JSP-related in there. (There probably
> shouldn't be anything in there, but it's better to check).
>
> - -chris
>
>


RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
Ok, I worked it out. I had to extract all the intermediate certificates from 
the root/intermediate certificate, and import them separately. 

Thanks for all your help, I have it up and running now!

-Original Message-
From: Cybulski, Adam M  
Sent: Tuesday, June 26, 2018 2:25 PM
To: Tomcat Users List 
Subject: RE: Alias name does not identify a key entry

I got the same error, 

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias 
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply




-Original Message-
From: Cybulski, Adam M 
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List 
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you 
>might have to get your CA >to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd 
>like a replacement". They >should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. 
We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz 
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the 
>> first step. That will update the self-signed >certificate with the 
>> CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there 
> wouldn't be any garbage data in it, I followed all the same steps as 
> before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed to 
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you 
might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd 
like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>> Java-specific ones are being deprecated and >(not quickly enough) 
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following are 
> just from whatever I've found online. Most of the articles seem pretty 
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. 
Otherwise, the default is the JKS "Java KeyStore" keystore type.

- -chris

RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
I got the same error, 

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias 
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply




-Original Message-
From: Cybulski, Adam M  
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List 
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you 
>might have to get your CA >to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd 
>like a replacement". They >should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. 
We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz 
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the 
>> first step. That will update the self-signed >certificate with the 
>> CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there 
> wouldn't be any garbage data in it, I followed all the same steps as 
> before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed to 
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you 
might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd 
like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>> Java-specific ones are being deprecated and >(not quickly enough) 
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following are 
> just from whatever I've found online. Most of the articles seem pretty 
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. 
Otherwise, the default is the JKS "Java KeyStore" keystore type.

- -chris



Re: Any one using Tomcat Server Side Include (SSI) support?

2018-06-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 6/26/18 1:48 PM, Mark Thomas wrote:
> Hi,
> 
> I'm currently working on an old bug to improve the SSI support in
> Tomcat [1]. Note that the original bug dates back to 2010.
> 
> I'm going to fix [1] if I can. SSI support is part of the current 
> release and the functionality is missing.
> 
> However, I got to wondering just how many folks are actually using
> SSI. Does it make sense to deprecate SSI support in 9.0.x and
> remove it in 10.0.x? It isn't a big deal to maintain support if it
> is required but neither do I think we should continue to maintain
> something no-one needs.
> 
> So, is anyone using SSI in Tomcat?

+1 to deprecate-and-remove

SSI is:

1. little used
2. easy to configure insecurely
3. more conveniently-configured using another component (e.g. httpd)
4. better-implemented as a servlet/JSP/whatever

I think the Internet moved-on from SSIs around 2001. It's time Tomcat
did as well. I wouldn't object to a Tomcat sub-project for SSIs or
even a non-Apache GitHub project to implement SSIs as a set of
container-agnostic Filter/Servlet implementations or whatever.

But I don't think it belongs in the container code anymore.

- -chris



RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
>Did you re-create your private key? I hope you kept a backup otherwise you 
>might have to get your CA >to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd 
>like a replacement". They >should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. 
We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the 
>> first step. That will update the self-signed >certificate with the 
>> CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there 
> wouldn't be any garbage data in it, I followed all the same steps as 
> before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed to 
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you 
might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd 
like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>> Java-specific ones are being deprecated and >(not quickly enough) 
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following are 
> just from whatever I've found online. Most of the articles seem pretty 
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. 
Otherwise, the default is the JKS "Java KeyStore" keystore type.

- -chris



Re: Alias name does not identify a key entry

2018-06-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
>>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as
>> the first step. That will update the self-signed >certificate
>> with the CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there
> wouldn't be any garbage data in it, I followed all the same steps
> as before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed
> to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise
you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised
and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those
>> Java-specific ones are being deprecated and >(not quickly enough)
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following
> are just from whatever I've found online. Most of the articles seem
> pretty dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you
execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.

- -chris



Any one using Tomcat Server Side Include (SSI) support?

2018-06-26 Thread Mark Thomas
Hi,

I'm currently working on an old bug to improve the SSI support in Tomcat
[1]. Note that the original bug dates back to 2010.

I'm going to fix [1] if I can. SSI support is part of the current
release and the functionality is missing.

However, I got to wondering just how many folks are actually using SSI.
Does it make sense to deprecate SSI support in 9.0.x and remove it in
10.0.x? It isn't a big deal to maintain support if it is required but
neither do I think we should continue to maintain something no-one needs.

So, is anyone using SSI in Tomcat?

Mark



[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=53387




Re: Alias name does not identify a key entry

2018-06-26 Thread Mark Thomas
On 26/06/18 18:32, Cybulski, Adam M wrote:

> Can you aim me at a guide to this? The steps I've been following are just 
> from whatever I've found online. Most of the articles seem pretty dated.

http://tomcat.apache.org/presentations.html

Look for the TLS generation presentation from the 2016 webinar series.

Mark




RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
Hi Chris, Thanks for the help, 

>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>That last step should have been to import using the same alias as the first 
>step. That will update the self-signed >certificate with the CA-signed 
>certificate.

I deleted the keystore and the certs and started over so there wouldn't be any 
garbage data in it, I followed all the same steps as before, but when I get to 
this one I used the command:

keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
"C:\Tomcat8\meg_library_albany_edu_cert.cer"

It returned the error: keytool error: java.lang.Exception: Failed to establish 
chain from reply

>> Any help you can give me in resolving this error is greatly 
>> appreciated.

>You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>Java-specific ones are being deprecated and >(not quickly enough) dropped from 
>Java.

Can you aim me at a guide to this? The steps I've been following are just from 
whatever I've found online. Most of the articles seem pretty dated. 

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, June 26, 2018 12:14 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
> 
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm 
> unable to start the SSL connector.
> 
> My connector syntax is as follows:
> 
>  connectionTimeout="2" redirectPort="8443" />   port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
> secure="true" SSLEnabled="true" 
> keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
>  keyAlias="meg" />
> 
> To which I receive this error in Catalina.log:
> 
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to 
> initialize end point associated with ProtocolHandler 
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
> 
> However, meg is in my keystore:
> 
> 
> 
> Keystore type: JKS Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B: 
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate 
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted certificate", 
not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70: 
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
> 
> keytool -genkey -alias tomcat -keyalg RSA -keystore 
> c:\Tomcat8\meg.keystore
> 
> keytool -certreq -keyalg RSA -alias tomcat -file 
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> 
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509 
> intermediates/root certificates.
> 
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore 
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> 
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the first 
step. That will update the self-signed certificate with the CA-signed 
certificate.

> Any help you can give me in resolving this error is greatly 
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific 
ones are being deprecated and (not quickly enough) dropped from Java.

Hope that helps.
- -chris
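
Added example (not part of the thread, and not Tomcat's own code): a Python check that reads `keytool -list` output and a Connector element and reports whether the configured key alias is a PrivateKeyEntry, the condition behind "Alias name meg does not identify a key entry". The keystore listing and Connector are constructed samples modelled on the ones quoted above, with placeholder fingerprints and password; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the `keytool -list` output quoted in the
# thread. Fingerprints are placeholders, not real values.
KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
"""

# Constructed Connector using the attribute names from the thread; the
# password is a placeholder.
CONNECTOR_XML = r'''<Connector port="8443" protocol="HTTP/1.1" scheme="https"
    secure="true" SSLEnabled="true"
    keystoreFile="c:\tomcat8\meg.keystore" keystorePass="placeholder"
    keyAlias="meg" />'''

# "<alias>, <date>, <entry type>," ; the date format depends on the locale,
# so it is skipped rather than parsed. Works whether or not the fingerprint
# has been flowed onto the same line.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .+?, (?P<type>\w+Entry),")


def parse_keytool_list(text):
    """Return {alias: entry type} from non-verbose `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # JKS stores aliases in lower case, so compare case-insensitively.
            entries[m.group("alias").lower()] = m.group("type")
    return entries


def connector_key_alias(connector_xml):
    """Return the key alias a Connector asks for, or None if it names none."""
    conn = ET.fromstring(connector_xml)
    alias = conn.get("keyAlias")
    if alias is None:
        # Tomcat 8.5+ nested form: <SSLHostConfig><Certificate .../>
        cert = conn.find("./SSLHostConfig/Certificate")
        if cert is not None:
            alias = cert.get("certificateKeyAlias")
    return alias


def check_key_alias(connector_xml, keytool_output):
    """Return (status, aliases).

    On "ok", aliases holds the configured alias. Otherwise it lists the
    aliases that do hold a private key and could be used instead.
    """
    entries = parse_keytool_list(keytool_output)
    key_aliases = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    alias = connector_key_alias(connector_xml)
    if alias is None:
        return ("no-alias-configured", key_aliases)
    kind = entries.get(alias.lower())
    if kind is None:
        return ("alias-missing", key_aliases)
    if kind != "PrivateKeyEntry":
        # A trustedCertEntry holds only a certificate: nothing for the TLS
        # endpoint to sign with, so the connector fails to initialise.
        return ("not-a-key-entry", key_aliases)
    return ("ok", [alias.lower()])


if __name__ == "__main__":
    status, aliases = check_key_alias(CONNECTOR_XML, KEYTOOL_LIST)
    print(status, aliases)
```
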



Re: problem in starting tomcat

2018-06-26 Thread Coty Sutherland
On Tue, Jun 26, 2018 at 12:27 PM, Prateek Yadav 
wrote:

> Thanks for reply
>  I already tested it for more than one machine so hardware problem can not
> be a case.
>

What happens if you don't specify that OnError call? Can you attach a
fuller stack trace if not the entire hs_err_pid log (make sure there isn't
anything sensitive in there)? If the JVM is crashing you should still get
an hs_err_pid log, but given that the crash is in libc and we don't know
what isegencore.sh is, removing it and getting a clearer stack trace would
be nice.


>
> On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Prateek,
> >
> > On 6/25/18 11:20 PM, Prateek wrote:
> > > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> > > jdk-11(Early-Access)
> > >
> > > When I am trying to start my server I got following error as: A
> > > fatal error has been detected by the Java Runtime Environment: # #
> > > SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> > > version:  (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> > > Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> > > oops, g1 gc, linux-amd64) # Problematic frame: # C
> > > [libc.so.6+0x8128a]  strlen+0x2a
> >
> > Are you running any custom native code (including libtcnative)? If
> > not, either the JVM or your hardware is to blame.
> >
> > First, I'd re-try with a release-quality JVM build instead of the
> > "early access" build, which may have some bugs in it. If that doesn't
> > help, it's time to look at your hardware.
> >
> > Run several rounds of memtest86+ on your hardware to see whether it
> > finds any errors. If you find errors, you have a hardware failure in
> > your CPU, motherboard, or memory, and you'll need to replace one or
> > more components.
> >
> > - -chris
> >
> >
>


Re: problem in starting tomcat

2018-06-26 Thread Igal Sapir

Prateek,

On 6/26/2018 9:27 AM, Prateek Yadav wrote:

> Thanks for reply
> I already tested it for more than one machine so hardware problem can not
> be a case.
>
> On 6/25/2018 8:20 PM, Prateek wrote:
>
> > My configuration:
> > OS:REDHAT 7.5 (64 bit)
> > Tomcat: 8.5.31
> > Jdk- jdk-11(Early-Access)
> >
> > When I am trying to start my server I got following error as:
> > A fatal error has been detected by the Java Runtime Environment:
> > #
> > #  SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412
> > #
> > # JRE version:  (11.0+18) (build )
> > #
> > Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option PermSize; support was removed in 8.0
> > Java HotSpot(TM) 64-Bit Server VM warning: Ignoring option MaxPermSize; support was removed in 8.0


You are running Java 11EA but your config settings seem to be circa Java 
7 (per PermSize warnings).


I second Chris' suggestion to use a well tested "release version" of the 
JVM, but at the very least you should try to remove all of the 
unnecessary config settings.



Igal





Re: problem in starting tomcat

2018-06-26 Thread Prateek Yadav
Thanks for reply
 I already tested it for more than one machine so hardware problem can not
be a case.

On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Prateek,
>
> On 6/25/18 11:20 PM, Prateek wrote:
> > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> > jdk-11(Early-Access)
> >
> > When I am trying to start my server I got following error as: A
> > fatal error has been detected by the Java Runtime Environment: # #
> > SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> > version:  (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> > Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> > oops, g1 gc, linux-amd64) # Problematic frame: # C
> > [libc.so.6+0x8128a]  strlen+0x2a
>
> Are you running any custom native code (including libtcnative)? If
> not, either the JVM or your hardware is to blame.
>
> First, I'd re-try with a release-quality JVM build instead of the
> "early access" build, which may have some bugs in it. If that doesn't
> help, it's time to look at your hardware.
>
> Run several rounds of memtest86+ on your hardware to see whether it
> finds any errors. If you find errors, you have a hardware failure in
> your CPU, motherboard, or memory, and you'll need to replace one or
> more components.
>
> -chris


Re: Programmatically unlocking an account?

2018-06-26 Thread Christopher Schultz

Alex,

On 6/25/18 8:49 PM, Alex O'Ree wrote:
> Actually I figured it out. It is possible via the mx bean. I'd like
> to request that the method isLocked be changed to public in a
> future version.

In spite of my affinity for JMX, I completely forgot about it in this
case! Sorry for the confusion.

Presumably, you want both isLocked(String) and unlock(String) to be
made public?

Looks like Mark did exactly that with his latest commit.

-chris



Re: Alias name does not identify a key entry

2018-06-26 Thread Christopher Schultz

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
> 
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm
> unable to start the SSL connector.
> 
> My connector syntax is as follows:
> 
>  connectionTimeout="2" redirectPort="8443" />   port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https" 
> secure="true" SSLEnabled="true" 
> keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
>  keyAlias="meg" />
> 
> To which I receive this error in Catalina.log:
> 
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
> 
> However, meg is in my keystore:
> 
> 
> 
> Keystore type: JKS Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B: 
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted
certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70: 
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
> 
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
> 
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> 
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
> 
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> 
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the
first step. That will update the self-signed certificate with the
CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough)
dropped from Java.

Hope that helps.
-chris
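
The check described in the reply above, as an added example (not part of the thread or of Tomcat): a pre-flight script that parses `keytool -list` output and confirms that the connector's `keyAlias` names a `PrivateKeyEntry` before Tomcat is started. The function names are hypothetical; the listing is the one quoted in the thread.

```python
import re

# Constructed sample: the `keytool -list` output from the thread, wrapping kept.
LISTING = """\
Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
84:C8:16:82
"""

ENTRY = re.compile(r"^(?P<alias>.+?), .+?, (?P<type>\w+Entry),?[ \t]*$")
HEX = re.compile(r"(?:[0-9A-F]{2}:)*[0-9A-F]{2}:?")

def parse_keytool_list(text):
    """Hypothetical helper: {alias: {"type", "fingerprint"}} from `keytool -list`."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            current = entries.setdefault(m["alias"], {"type": m["type"], "fingerprint": ""})
        elif current is not None:
            # Fingerprints may wrap onto a second line; keep only the hex part.
            tail = line.split("):", 1)[-1].strip()
            if HEX.fullmatch(tail):
                current["fingerprint"] += tail
    return entries

def check_key_alias(entries, key_alias):
    """Hypothetical helper: does keyAlias name an entry that holds a private key?"""
    usable = sorted(a for a, e in entries.items() if e["type"] == "PrivateKeyEntry")
    entry = entries.get(key_alias)
    if entry is None:
        return False, f"alias {key_alias!r} not in keystore; private-key aliases: {usable}"
    if entry["type"] != "PrivateKeyEntry":
        return False, f"alias {key_alias!r} is a {entry['type']}; private-key aliases: {usable}"
    return True, f"alias {key_alias!r} is a PrivateKeyEntry"

if __name__ == "__main__":
    for alias in ("meg", "tomcat"):  # the keyAlias from the post, then the suggested one
        print(check_key_alias(parse_keytool_list(LISTING), alias))
```
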



Re: problem in starting tomcat

2018-06-26 Thread Christopher Schultz

Prateek,

On 6/25/18 11:20 PM, Prateek wrote:
> Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> jdk-11(Early-Access)
> 
> When I am trying to start my server I got following error as: A
> fatal error has been detected by the Java Runtime Environment: # #
> SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> version:  (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> oops, g1 gc, linux-amd64) # Problematic frame: # C
> [libc.so.6+0x8128a]  strlen+0x2a

Are you running any custom native code (including libtcnative)? If
not, either the JVM or your hardware is to blame.

First, I'd re-try with a release-quality JVM build instead of the
"early access" build, which may have some bugs in it. If that doesn't
help, it's time to look at your hardware.

Run several rounds of memtest86+ on your hardware to see whether it
finds any errors. If you find errors, you have a hardware failure in
your CPU, motherboard, or memory, and you'll need to replace one or
more components.

-chris



Re: Alias name does not identify a key entry

2018-06-26 Thread Jose María Zaragoza
On Tue, 26 Jun 2018 at 17:03, Cybulski, Adam M wrote:
>
>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm unable to 
> start the SSL connector.
>
> My connector syntax is as follows:
>
>   connectionTimeout="2"
>redirectPort="8443" />
>
>protocol="HTTP/1.1"
>maxThreads="150"
>scheme="https"
>secure="true"
>SSLEnabled="true"
>keystoreFile="c:\tomcat8\meg.keystore"
>keystorePass="keystorepass"
>keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize 
> end point associated with ProtocolHandler ["https-openssl-nio-8443"]
>  java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does 
> not identify a key entry
>
> However, meg is in my keystore:
>
>
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 
> 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
> 6F:24:D1:59
> tomcat, Jun 25, 2018, PrivateKeyEntry,
> Certificate fingerprint (SHA1): 
> AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82
>
> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr 
> -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts 
> -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> Any help you can give me in resolving this error is greatly appreciated.

Hi

I guess that meg entry should be a PrivateKeyEntry (public
certificate + private key), not a trustedCertEntry.
I think that meg_library_albany_edu_cert.cer only contains a public certificate.

Honestly, I use openssl to create .p12 key stores
Something like

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out
KEYSTORE.p12 -name "meg" -CAfile MY-CA-CERT.crt -caname myCA -chain

Regards




Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M


Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm unable to 
start the SSL connector. 

My connector syntax is as follows:

  
   
   

To which I receive this error in Catalina.log: 

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end 
point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does 
not identify a key entry

However, meg is in my keystore: 



Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
84:C8:16:82

I used these steps to manage the certs: 

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore

keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr 
-keystore c:\Tomcat8\meg.keystore

Sent CSR to InCommon CA, downloaded x509 certificate, and x509
intermediates/root certificates.

keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts 
-file "C:\Tomcat8\meg_library_albany_edu_interm.cer"

keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
"C:\Tomcat8\meg_library_albany_edu_cert.cer"

Any help you can give me in resolving this error is greatly appreciated. 




Re: Programmatically unlocking an account?

2018-06-26 Thread Mark Thomas
On 26/06/18 01:49, Alex O'Ree wrote:
> Actually I figured it out. It is possible via the mx bean. I'd like to
> request that the method isLocked be changed to public in a future version.

Done in 9.0.x for 9.0.11 onwards.

Mark


> 
> The use case is not a typical one but I'd like admins to know if a service
> account is locked out for some reason and to be able to reset it if
> necessary. The timeout is 15 minutes but the account is frequently used by
> service processes which causes the timeout to continually get reset (unless
> I am misunderstanding the code)
> 
> On Mon, Jun 25, 2018, 7:13 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Alex,
> 
> On 6/25/18 3:24 PM, Alex O'Ree wrote:
> > Is it possible to programmatically unlock an account that's been
> > locked via the lockoutrealm and the simple xml user store?
> 
> Regardless of the user-storage mechanism, the answer is no.
> 
> > If so, how?
> 
> Sorry.
> 
> What's the use-case, here? Support gets a call saying "please unlock
> this account"? What's the lock-timeout in your environment?
> 
> -chris

