Re: Tomcat on Windows : new keystore possibilities

2024-04-08 Thread david w
I understand, but am not looking for troubleshooting but trying to raise 
awareness of the new SunMSCAPI capabilities.
I'm testing using the private key in the Windows machine store to simplify TLS 
implementation.
For this it requires local admin rights, but I am also looking at how to not need 
this...

David Wooffindin

From: Bill Stewart 
Sent: Monday, April 8, 2024 5:36:47 PM
To: Tomcat Users List 
Subject: Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 8:27 AM david w wrote:

> If you can share a way for this to not be necessary, I'm all ears...

I can read computer certificates from non-privileged accounts on Windows.
(How would a user application such as a browser work otherwise?)

I'm not sure what's different on your system or why you think a privileged
account is required.

In any case, this would not be a Tomcat-specific issue but rather some kind
of configuration issue. (What I am saying is that troubleshooting this
issue on your machine is really outside the scope of this specific mailing
list.)

I would repeat my recommendation not to run a web server of any kind
(Tomcat or otherwise) using a privileged account.

Bill


Re: Tomcat on Windows : new keystore possibilities

2024-04-08 Thread Bill Stewart
On Mon, Apr 8, 2024 at 8:27 AM david w wrote:

> If you can share a way for this to not be necessary, I'm all ears...

I can read computer certificates from non-privileged accounts on Windows.
(How would a user application such as a browser work otherwise?)

I'm not sure what's different on your system or why you think a privileged
account is required.

In any case, this would not be a Tomcat-specific issue but rather some kind
of configuration issue. (What I am saying is that troubleshooting this
issue on your machine is really outside the scope of this specific mailing
list.)

I would repeat my recommendation not to run a web server of any kind
(Tomcat or otherwise) using a privileged account.

Bill


Re: Tomcat on Windows : new keystore possibilities

2024-04-08 Thread david w
If you can share a way for this to not be necessary, I'm all ears...

David Wooffindin

From: Bill Stewart 
Sent: Monday, April 8, 2024 4:22:37 PM
To: Tomcat Users List 
Subject: Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 3:49 AM david w wrote:

> The account running the Tomcat Windows Service needs local Administrator
> rights to be able to reference these certificate stores.

Fortunately, this statement is not correct.

I would definitely not recommend running the Tomcat service using a
privileged account.

Bill


Re: Tomcat on Windows : new keystore possibilities

2024-04-08 Thread Bill Stewart
On Mon, Apr 8, 2024 at 3:49 AM david w wrote:

> The account running the Tomcat Windows Service needs local Administrator
> rights to be able to reference these certificate stores.

Fortunately, this statement is not correct.

I would definitely not recommend running the Tomcat service using a
privileged account.

Bill


Re: Tomcat in a Windows environment : new keystore possibilities

2024-04-08 Thread Christopher Schultz

David,

On 4/8/24 05:35, David Wooffindin wrote:

> Referring to the documentation on Apache Tomcat 9 Configuration Reference
> (9.0.87) - The HTTP Connector keystore types, I wanted to get it mentioned
> that a new set of possibilities is available with newer Java builds, when
> using Tomcat in a Windows environment.
>
> As mentioned on the OpenJDK bug tracker:
> https://bugs.openjdk.org/browse/JDK-8286790
>
> The Windows KeyStore support in the SunMSCAPI provider has been expanded to
> include access to the local machine location. The new keystore types are:
>
> Windows-MY-LOCALMACHINE
> Windows-ROOT-LOCALMACHINE
>
> The following keystore types were also added, allowing developers to make it
> clear they map to the current user:
>
> Windows-MY-CURRENTUSER (same as "Windows-MY")
> Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")
>
> Alongside other configurations possible on the server side, web certificates
> can be automatically published, renewed and managed with a company's internal
> Active Directory CA. The account running the Tomcat Windows Service needs local
> Administrator rights to be able to reference these certificate stores.
>
> With this enabled, and setting the server.xml Connector like shown below can
> make certificate management a lot easier.
>
> the use of a predefined Environment Variable for the system name, possible when
> using also this setting in catalina.properties:
> #GPO Managed restricted file: TESTING
> #allow_System ENVVar Usage
> org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource
>
> makes it easier to maintain a common server.xml file through tools like GPO.
>
> Could it be useful to somehow document this, as it does make our Windows admin
> life easier!!


Hmm.

While this seems really useful, I personally think that encouraging 
Windows admins to run the Tomcat server under a local Administrator 
account would be malfeasance on our part.


Perhaps if there were a native component that could be used as a service 
to request access to the keystore, it would be a more secure setup. In 
the absence of such a component, I think we'll leave the documentation 
alone for the time being.


Feel free to publish your findings and setup yourself, but I think we'll 
leave our documentation alone.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat & Http 103 Early Hint

2024-04-08 Thread Mark Thomas

8 Apr 2024 10:26:23 xulin y :


> Hi,
> I would like to ask about whether Tomcat has support for http 103 early
> hint response status?

Not at the moment.

> I have checked the latest
> doc that
> https://tomcat.apache.org/tomcat-11.0-doc/servletapi/jakarta/servlet/http/HttpServletResponse.html
> does not have 103 response status.
>
> If not, do we have any plan to implement it?

It is expected to be part of Servlet.next / Tomcat 12. If possible, there 
is a good chance it will be back-ported to earlier Tomcat versions.

Mark

> By Xulin Yang
> Kind Regards





Re: Intermittent error 404

2024-04-08 Thread Mark Thomas

8 Apr 2024 11:20:09 andreas.moro...@wobi.bz.it:


> Hello
> we use Apache Tomcat/8.5.99.

Tomcat 8.5.x is no longer supported by the Tomcat community. You should 
upgrade to at least 9.0.x or consider purchasing 8.5.x support from one 
of the commercial vendors that offer it.

It sounds like an issue with JSP compilation. I'd suggest stopping 
Tomcat, cleaning out the work directory and then starting Tomcat.

Mark

> Last week I changed the user of the Tomcat services.
>
> When I refresh the page then every second time the page appears
> correctly and the other 50% I get the error
>
> Now I get intermittent error 404
>
> The origin server did not find a current representation for the target
> resource or is not willing to disclose that one exists.
>
> on the index.jsp
>
> The user has the rights to read the index.jsp
>
> The fact that sometimes it works and the next time it doesn't confuses
> me. If it were due to the rights, it should probably never work.
>
> Can someone kindly help me?
>
> Greetings
> Andreas
>
> Institut für den sozialen Wohnbau des Landes Südtirol
> Istituto per l’edilizia sociale della Provincia autonoma di Bolzano
> 39100 Bozen Horazstraße 14 / 39100 Bolzano via Orazio, 14
> wobi.bz.it [https://www.wobi.bz.it/de/default.asp]   ipes.bz.it [https://www.ipes.bz.it/it/default.asp]








Tomcat on Windows : new keystore possibilities

2024-04-08 Thread david w
Hello
Referring to the documentation on Apache Tomcat 9 Configuration Reference 
(9.0.87) - The HTTP Connector keystore types, I wanted to get it mentioned 
that a new set of possibilities is available with newer Java builds, when 
using Tomcat in a Windows environment.


As mentioned on the OpenJDK bug tracker: 
https://bugs.openjdk.org/browse/JDK-8286790


The Windows KeyStore support in the SunMSCAPI provider has been expanded to 
include access to the local machine location. The new keystore types are:



Windows-MY-LOCALMACHINE

Windows-ROOT-LOCALMACHINE



The following keystore types were also added, allowing developers to make it 
clear they map to the current user:

 Windows-MY-CURRENTUSER (same as "Windows-MY")

Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")


Alongside other configurations possible on the server side, web certificates 
can be automatically published, renewed and managed with a company's internal 
Active Directory CA. The account running the Tomcat Windows Service needs local 
Administrator rights to be able to reference these certificate stores.

With this enabled, and setting the server.xml Connector like shown below can 
make certificate management a lot easier.



the use of a predefined Environment Variable for the system name, possible when 
using also this setting  in catalina.properties:
#GPO Managed restricted file: TESTING
#allow_System ENVVar Usage
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource

 makes it easier to maintain a common server.xml file through tools like GPO.

Could it be useful to somehow document this, as it does make our Windows admin 
life easier!!
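
An added example, not part of the original message or of Tomcat: a small probe to run under the Tomcat service account to see which of the keystore types listed above it can open, and for how many entries it can actually use the private key. It assumes a JDK that includes JDK-8286790; the class name `WindowsStoreProbe` and the test message are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Collections;
import java.util.List;

public class WindowsStoreProbe {
    // Keystore types named in the thread (added by JDK-8286790).
    static final List<String> TYPES = List.of(
            "Windows-MY-LOCALMACHINE", "Windows-ROOT-LOCALMACHINE",
            "Windows-MY-CURRENTUSER", "Windows-ROOT-CURRENTUSER");

    public static void main(String[] args) {
        System.out.println("Account: " + System.getProperty("user.name"));
        for (String type : TYPES) {
            System.out.println(type + ": " + probe(type));
        }
    }

    static String probe(String type) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null); // no file and no password: the OS store is used
            int entries = 0, usableKeys = 0;
            for (String alias : Collections.list(ks.aliases())) {
                entries++;
                if (ks.isKeyEntry(alias) && canSign(ks, alias)) usableKeys++;
            }
            return entries + " entries, " + usableKeys + " private keys usable by this account";
        } catch (KeyStoreException e) {
            return "type not available (non-Windows JVM or JDK without JDK-8286790)";
        } catch (Exception e) {
            return "store could not be opened: " + e;
        }
    }

    // Checks that the key handle really works by signing a constructed test message.
    static boolean canSign(KeyStore ks, String alias) {
        try {
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
            Signature sig = Signature.getInstance(alg);
            sig.initSign(key);
            sig.update("probe".getBytes(StandardCharsets.UTF_8));
            return sig.sign().length > 0;
        } catch (Exception e) {
            return false; // key missing, access denied, or operation unsupported
        }
    }
}
```

Comparing the output from an administrator account with the output from the intended low-privilege service account shows whether the difference lies in opening the store or in access to a specific private key.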


Tomcat in a Windows environment : new keystore possibilities

2024-04-08 Thread David Wooffindin
Referring to the documentation on Apache Tomcat 9 Configuration Reference 
(9.0.87) - The HTTP Connector keystore types, I wanted to get it mentioned 
that a new set of possibilities is available with newer Java builds, when 
using Tomcat in a Windows environment.


As mentioned on the OpenJDK bug tracker: 
https://bugs.openjdk.org/browse/JDK-8286790


The Windows KeyStore support in the SunMSCAPI provider has been expanded to 
include access to the local machine location. The new keystore types are:



Windows-MY-LOCALMACHINE

Windows-ROOT-LOCALMACHINE



The following keystore types were also added, allowing developers to make it 
clear they map to the current user:

 Windows-MY-CURRENTUSER (same as "Windows-MY")

Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")


Alongside other configurations possible on the server side, web certificates 
can be automatically published, renewed and managed with a company's internal 
Active Directory CA. The account running the Tomcat Windows Service needs local 
Administrator rights to be able to reference these certificate stores.

With this enabled, and setting the server.xml Connector like shown below can 
make certificate management a lot easier.



the use of a predefined Environment Variable for the system name, possible when 
using also this setting  in catalina.properties:
#GPO Managed restricted file: TESTING
#allow_System ENVVar Usage
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource

 makes it easier to maintain a common server.xml file through tools like GPO.

Could it be useful to somehow document this, as it does make our Windows admin 
life easier!!



Intermittent error 404

2024-04-08 Thread Andreas . Moroder
Hello 
we use Apache Tomcat/8.5.99.
Last week I changed the user of the Tomcat services.


When I refresh the page then every second time the page appears correctly 
and the other 50% I get the error

Now I get intermittent error 404 

The origin server did not find a current representation for the target 
resource or is not willing to disclose that one exists.

on the index.jsp

The user has the rights to read the index.jsp

The fact that sometimes it works and the next time it doesn't confuses me. 
If it were due to the rights, it should probably never work. 
Can someone kindly help me?

Greetings
Andreas

Institut für den sozialen Wohnbau des Landes Südtirol
Istituto per l’edilizia sociale della Provincia autonoma di Bolzano
39100 Bozen Horazstraße 14 / 39100 Bolzano via Orazio, 14
wobi.bz.it   ipes.bz.it 








Tomcat & Http 103 Early Hint

2024-04-08 Thread xulin y
Hi,
I would like to ask about whether Tomcat has support for http 103 early
hint response status?

I have checked the latest
doc that
https://tomcat.apache.org/tomcat-11.0-doc/servletapi/jakarta/servlet/http/HttpServletResponse.html
does not have 103 response status.

If not, do we have any plan to implement it?

By Xulin Yang
Kind Regards