Re: Tomcat FREAK Issue

[uzair rashid]

Hello Christopher,

Did you or anyone have a gauge on how we might fix this?

Thank you!

On Thu, Jul 14, 2016 at 8:04 PM, uzair rashid <uzairrashi...@gmail.com>
wrote:

> Hello Chris,
>
> We are using Tomcat version: 6.0.36.0
>
> JRE 1.6.0
>
> Do you think I need to change the settings to the following:
>
> 
>
> 
> maxThreads="150"
>
> SSLEnabled="true"
>
> minSpareThreads="25"
>
> enableLookups="false"
>
> disableUploadTimeout="true"
>
> acceptCount="100"
>
> scheme="https"
>
> secure="true"
>
> clientAuth="false"
>
> SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
>
>
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>
> keystorePass="password"
>
> keystoreFile="/otex/tomcat/.keystore"/>
>
>
>
> 
>
> 
> maxThreads="150"
>
> SSLEnabled="true"
>
> minSpareThreads="25"
>
> enableLookups="false"
>
> disableUploadTimeout="true"
>
> acceptCount="100"
>
> scheme="https"
>
> secure="true"
>
> clientAuth="false"
>
> SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
>
>
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>
> keystorePass="password"
>
>   keystoreFile="/otex/tomcat/.keystore"/>
>
>
>
> Really look forward to your expertise on this.
>
>
> Thank you
>
>
>
>
>
> On Thu, Jul 14, 2016 at 7:07 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Uzair,
>>
>> On 7/14/16 10:12 AM, uzair rashid wrote:
>> > Running Tomcat 6.x
>>
>> Which one exactly?
>>
>> > and every week during vulnerability scans we are having the
>> > following results:
>> >
>> > Vulnerability References:
>> >
>> > SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
>> >
>> > Impact: Exploitation allows an attacker to bypass security
>> > restrictions on the targeted host. Solution: Disable RSA_EXPORT
>> > cipher suites. Do not use temporary RSA key multiple times
>> > Result: #table cols=2 Public key source key size Public key in
>> > certificate 2048(bits) Temporary RSA key 512(bits)
>> >
>> > [snip]
>> >
>> > 
>> > > > SSLEnabled="true" minSpareThreads="25" enableLookups="false"
>> > disableUploadTimeout="true" acceptCount="100" scheme="https"
>> > secure="true" clientAuth="false" sslProtocol="TLS"
>> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>> > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_
>> 128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES
>> _256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SH
>> A,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>> >
>> >
>> SSLCipherSuite="!EXPORT"
>>
>> Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
>> SSLCipherSuite is for tcnative+APR+OpenSSL. Either case you should be
>> good.
>>
>> What version of Java are you using?
>>
>> - -chris
>> -BEGIN PGP SIGNATURE-
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iEYEARECAAYFAleIRXsACgkQ9CaO5/Lv0PDuxwCgnlmNaVSkDH4bEHXFEsWcwVxL
>> jsYAoLPDf4y6FI0Np/DVPDxL6ijVkhgY
>> =X5B9
>> -END PGP SIGNATURE-
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>

Re: Tomcat FREAK Issue

[uzair rashid]

Hello Chris,

We are using Tomcat version: 6.0.36.0

JRE 1.6.0

Do you think I need to change the settings to the following:













Really look forward to your expertise on this.


Thank you





On Thu, Jul 14, 2016 at 7:07 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Uzair,
>
> On 7/14/16 10:12 AM, uzair rashid wrote:
> > Running Tomcat 6.x
>
> Which one exactly?
>
> > and every week during vulnerability scans we are having the
> > following results:
> >
> > Vulnerability References:
> >
> > SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> >
> > Impact: Exploitation allows an attacker to bypass security
> > restrictions on the targeted host. Solution: Disable RSA_EXPORT
> > cipher suites. Do not use temporary RSA key multiple times
> > Result: #table cols=2 Public key source key size Public key in
> > certificate 2048(bits) Temporary RSA key 512(bits)
> >
> > [snip]
> >
> > 
> >  > SSLEnabled="true" minSpareThreads="25" enableLookups="false"
> > disableUploadTimeout="true" acceptCount="100" scheme="https"
> > secure="true" clientAuth="false" sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_
> 128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES
> _256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SH
> A,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> >
> >
> SSLCipherSuite="!EXPORT"
>
> Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
> SSLCipherSuite is for tcnative+APR+OpenSSL. Either case you should be
> good.
>
> What version of Java are you using?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAleIRXsACgkQ9CaO5/Lv0PDuxwCgnlmNaVSkDH4bEHXFEsWcwVxL
> jsYAoLPDf4y6FI0Np/DVPDxL6ijVkhgY
> =X5B9
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: SSL/TLS and ciphers vulnerability

[uzair rashid]

Jeffrey,

Working for a corporation that has strict ssl and security requirements..
There is no way to use the tools you suggested, since the tomcat URLs are
not exposed.

On Thu, Jul 14, 2016 at 8:41 AM, Jeffrey Janner  wrote:

> Hi folks,
>
> I've been off the list for a bit, getting ducks in a row here and
> everything.
> I noticed a number of posts about SSL & TLS security settings lately and I
> wanted to point out that maintaining your SSL configurations is an on-going
> processes.
> New exploits are discovered and released quite often, and often the fault
> lies with a cipher and not necessarily an overall SSL/TLS protocol.
> So using a cipher list like "all except RC4" is probably not sufficient
> anymore.
> And what is secure may depend completely on the SSL/TLS software you use,
> be it OpenSSL or Java's built in SSL libraries.
> For example, with OpenSSL, you should be using 1.0.1t or higher, and even
> then only TLS1.2 with a handful of ciphers.
> I'm not sure what the recommended options for java's libraries are at the
> moment.
> A really good, free tool is Qualys' SSL Labs server test tool located at:
> https://www.ssllabs.com/ssltest/
> Run that against your implementation and follow its recommendations.
>
> Of course, at the end of the day, it will be up to you and your firm to
> decide what risks you are willing to take with your SSL communications and
> whether or not you need to support insecure browsers, i.e. browsers that
> cannot negotiate up to the most secure protocol and ciphers.
>
> Jeffrey Janner
> p.s. Qualys also has a test suite for the browsers that you use.
>
>

Tomcat FREAK Issue

[uzair rashid]

Hello Experts:

Running Tomcat 6.x and every week during vulnerability scans we are having
the following results:



Vulnerability References:

SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability

Impact: Exploitation allows an attacker to bypass security restrictions
on the targeted host. Solution: Disable RSA_EXPORT cipher suites.
Do not use temporary RSA key multiple times Result: #table cols=2
Public key source key size Public key in certificate 2048(bits) Temporary
RSA key 512(bits)



Could someone please help?

Server.xml:



  
  
  
  
  
  
  
  
  

  
  


  

  
  



















  
  

  
  

  
  

  
  







  

  

clustered environment

[uzair rashid]

Hello Experts

Background,: windows boxes, cms servers,  bobj,   tomcat servers 7.057.
Distributed landscape. (Clustered)

Ive configured the server xml for clustering and distributable to true in
the web xml.

In the cms, we have a Java null pointer exception. At login it first says
page is expired and then once in it gives an
jasperexception.java.lang.nullpointer exception: while trying to invoke the
method cpm.businessobjects.bip.core.web.appcontext.appweb session context.
Get productlocale () of an object returned .

The peculiar thing is,  in our production environment,  there is absolutely
no issue.

Things, I've tried:

1. Matched conf directory to production
2. Deleted tomcat work directory
3. Restarted tomcat

Stderr below:

2016-02-29 18:00:56 Commons Daemon procrun stderr initialized

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Server version:Apache Tomcat/7.0.57

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Server built:  Nov 3 2014 08:39:16 UTC

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Server number: 7.0.57.0

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: OS Name:   Windows Server 2008 R2

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: OS Version:6.1

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Architecture:  amd64

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: JAVA_HOME: d:\SAP BusinessObjects\SAP BusinessObjects
Enterprise XI 4.0\win64_x64\sapjvm\jre

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: JVM Version:   6.1.044

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: JVM Vendor:SAP AG

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: CATALINA_BASE: d:\SAP BusinessObjects\tomcat\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: CATALINA_HOME: d:\SAP BusinessObjects\tomcat\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Djava.library.path=C:\Windows\SysWOW64\;d:\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: Enterprise

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: XI

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: 4.0\win64_x64\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Dcatalina.base=d:\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects\tomcat\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Dcatalina.home=d:\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects\tomcat\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Djava.endorsed.dirs=d:\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects\tomcat\common\endorsed\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Dbobj.enterprise.home=d:\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects\SAP

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: BusinessObjects

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: Enterprise

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: XI

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: 4.0\

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Xrs

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -XX:MaxPermSize=384M

Feb 29, 2016 6:01:03 PM org.apache.catalina.startup.VersionLoggerListener
log

INFO: Command line argument: -Djava.awt.headless=true

Feb 29, 2016 6:01:03 PM 

Tomcat 5.0.xx migration

[uzair rashid]

Hello Experts:



Most of our business is running Tomcat 7.x.xx or later. But, we have a
business function of ours that is using Tomcat 5.0.xx. Unfortunately, this
is causing a lot of issues in terms of vulnerability remediation.



Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting
Vulnerability

Apache Tomcat Information Disclosure Vulnerability

Apache Tomcat Accept-Language Cross-Site Scripting Vulnerability

Apache Tomcat JavaDoc Spoofing Vulnerability

Apache Tomcat 4, 5 and 6 Examples Web Application Multiple Cross-Site
Scripting Vulnerabilities

Apache Tomcat 4 and 5 Cross-Site Scripting Vulnerability in Calender
Application in JSP Examples

Apache Tomcat 5 Cross-Site Scripting in implicit-objects.jsp of "Examples"
Application

Apache Tomcat Multiple Content Length Headers Information Disclosure
Vulnerability

Apache Tomcat Multiple Cross-Site Scripting Vulnerabilities in Manager and
Host Manager Web Applications

Apache Tomcat 4 and 5 Multiple Cross-Site Scripting Vulnerabilities





The above is what were are experiencing and we are running Crystal Report
as well.



Could someone please guide me in the most efficient way to upgrade?



My thought process is 5.0.xx to 5.5 then migration to 6 or 7? We are
running windows 2003. I’m not even sure if it will support it? I am unable
to find any process documents or guidance on how to go about the upgrade
process and which version could help us in vulnerability remediation. Could
someone please help me? This is extremely time sensitive to our business
needs.



Cheers!

SSL FREAK vulnerability issue

[uzair rashid]

I am having an issue with tomcat version: Apache Tomcat 7.0.57 . Windows
Server 2008 R2 Enterprise.

I am using mssql and BOBJ as well. The issue is our servers are noticing a
FREAK vulnerability issue during scan.. Could someone please help me
address how to fix FREAK vulnerability in Tomcat. I am copying server.xml
and web.xml

Here is our server.xml:


?xml version=1.0 encoding=UTF-8?!--

Licensed to the Apache Software Foundation (ASF) under one or more

contributor license agreements. See the NOTICE file distributed with

this work for additional information regarding copyright ownership.

The ASF licenses this file to You under the Apache License, Version 2.0

(the License); you may not use this file except in compliance with

the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an AS IS BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

--!-- Note: A Server is not itself a Container, so you may not

define subcomponents such as Valves at this level.

Documentation at /docs/config/server.html

--Server port=8005 shutdown=SHUTDOWN

Listener className=org.apache.catalina.startup.VersionLoggerListener/

!-- Security listener. Documentation at /docs/config/listeners.html

Listener className=org.apache.catalina.security.SecurityListener /

--

!--Initialize Jasper prior to webapps are loaded. Documentation at
/docs/jasper-howto.html --

Listener className=org.apache.catalina.core.JasperListener/

!-- Prevent memory leaks due to use of particular java/javax APIs--

Listener
className=org.apache.catalina.core.JreMemoryLeakPreventionListener/

Listener
className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener/

Listener
className=org.apache.catalina.core.ThreadLocalLeakPreventionListener/

!-- Global JNDI resources

Documentation at /docs/jndi-resources-howto.html

--

GlobalNamingResources

!-- Editable user database that can also be used by

UserDatabaseRealm to authenticate users

--

Resource name=UserDatabase auth=Container
type=org.apache.catalina.UserDatabase description=User database that can
be updated and saved
factory=org.apache.catalina.users.MemoryUserDatabaseFactory
pathname=conf/tomcat-users.xml/

/GlobalNamingResources

!-- A Service is a collection of one or more Connectors that share

a single Container Note: A Service is not itself a Container,

so you may not define subcomponents such as Valves at this level.

Documentation at /docs/config/service.html

--

Service name=Catalina

!--The connectors can use a shared executor, you can define one or more
named thread pools--

!--

Executor name=tomcatThreadPool namePrefix=catalina-exec-

maxThreads=150 minSpareThreads=4/

--

!-- A Connector represents an endpoint by which requests are received

and responses are returned. Documentation at :

Java HTTP Connector: /docs/config/http.html (blocking  non-blocking)

Java AJP Connector: /docs/config/ajp.html

APR (HTTP/AJP) Connector: /docs/apr.html

Define a non-SSL HTTP/1.1 Connector on port 8080

--

Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2
redirectPort=8443 compression=on URIEncoding=UTF-8
compressionMinSize=2048 noCompressionUserAgents=gozilla, traviata
compressableMimeType=text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json/

!-- A Connector using the shared thread pool--

!--

Connector executor=tomcatThreadPool

port=8080 protocol=HTTP/1.1

connectionTimeout=2

redirectPort=8443 /

--

!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --

Connector port=8443 protocol=org.apache.coyote.http11.Http11NioProtocol

maxThreads=150 SSLEnabled=true minSpareThreads=25

enableLookups=false disableUploadTimeout=true

acceptCount=100 scheme=https secure=true sslProtocol=TLS

clientAuth=false ciphers=SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,

TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,

SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

keystorePass=PRIVATE keystoreFile=*/

!-- Define a HTTP/1.1 Connector on port 8443, JSSE BIO implementation --

Connector/Connectorprotocol=org.apache.coyote.http11.Http11Protocol
port=8443 .../

!-- An Engine represents the entry point (within Catalina) that processes

every request. The Engine implementation for Tomcat stand alone

analyzes the HTTP headers included with the request, and passes them

on to the appropriate Host (virtual host).

Documentation at /docs/config/engine.html --

!-- You should set jvmRoute to support load-balancing via AJP ie :

Engine name=Catalina defaultHost=localhost jvmRoute=jvm1

--

Engine name=Catalina defaultHost=localhost

!--For clustering, please take a 

Re: Parse and SSL issue

[uzair rashid]

(SAXParserImpl.java:522)
 at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1580)
 at
org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:432)
 at
org.apache.catalina.users.MemoryUserDatabaseFactory.getObjectInstance(MemoryUserDatabaseFactory.java:102)
 at
org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFactory.java:141)
 at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
On Sat, Jul 18, 2015 at 1:34 AM, Konstantin Kolinko knst.koli...@gmail.com
wrote:

 .2015-07-17 21:19 GMT+03:00 uzair rashid uzairrashi...@gmail.com:
  Hello:
 
  I am having an issue with tomcat version: Apache Tomcat 7.0.57 . Windows
  Server 2008 R2 Enterprise.
 
  I am using mssql and bobj as well.
 
  I am having a few issues one seems to be related to ssl/apr... maybe my
  sslcipher should just be ciphers? and second issue i'm having is a
 saxparse
  issue. Here is my stderr.log:
 
  2015-07-17 09:56:43 Commons Daemon procrun stderr initialized
  Jul 17, 2015 9:56:48 AM org.apache.catalina.startup.SetAllPropertiesRule
  begin
  WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
 property
  'maxSpareThreads' to '75' did not find a matching property.
  Jul 17, 2015 9:56:48 AM org.apache.catalina.startup.SetAllPropertiesRule
  begin
  WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
 property
  'debug' to '0' did not find a matching property.

 Note the above warnings.  There are no such configuration options in
 your version of Tomcat.

 If you used some obsolete documentation, throw it away.


  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Server version:Apache Tomcat/7.0.57
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Server built:  Nov 3 2014 08:39:16 UTC
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Server number: 7.0.57.0
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: OS Name:   Windows Server 2008 R2
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: OS Version:6.1
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Architecture:  amd64
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: JAVA_HOME: d:\SAP BusinessObjects\SAP BusinessObjects
  Enterprise XI 4.0\win64_x64\sapjvm\jre
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: JVM Version:   6.1.044
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: JVM Vendor:SAP AG
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: CATALINA_BASE: d:\SAP BusinessObjects\tomcat\
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: CATALINA_HOME: d:\SAP BusinessObjects\tomcat\
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument:
 -Djava.library.path=C:\Windows\SysWOW64\;d:\SAP
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: BusinessObjects\SAP
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: BusinessObjects
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: Enterprise
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: XI
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: 4.0\win64_x64\
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: -Dcatalina.base=d:\SAP
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: BusinessObjects\tomcat\
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: -Dcatalina.home=d:\SAP
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: BusinessObjects\tomcat\
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: -Djava.endorsed.dirs=d:\SAP
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: BusinessObjects\tomcat\common\endorsed\
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: -Dbobj.enterprise.home=d:\SAP
  Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
  log
  INFO: Command line argument: BusinessObjects\SAP

Re: Please help

[uzair rashid]

Hello Chuck:

Thank you!

INFO: Command line argument: -Xss1024k
Jul 16, 2015 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.32 using APR
version 1.5.1.
Jul 16, 2015 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jul 16, 2015 5:09:51 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
Jul 16, 2015 5:09:51 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jul 16, 2015 5:09:52 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jul 16, 2015 5:09:52 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler
[http-apr-8443]
java.lang.Exception: Connector attribute SSLCertificateFile must be defined
when using SSL with APR
 at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:490)
 at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:646)
 at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
 at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)

I missed that point of the error as well!

Could you please give your input
On Thu, Jul 16, 2015 at 8:25 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: uzair rashid [mailto:uzairrashi...@gmail.com]
  Subject: Please help

 Please help as a subject line is not terribly useful, is it?

  I am using Apache Tomcat 7.0.57..

 Good to know; many people forget to mention the version they're using.

  I have configured my server.xml as follows:

  Realm className=org.apache.catalina.realm.UserDatabaseRealm
  resourceName=UserDatabase/
 
/Realm

  SEVERE: Parse Fatal Error at line 36 column 4: XML document structures
 must
  start and end within the same entity.

 You have both an end tag and an empty element - pick one or the other.
 Any decent XML editor will highlight the syntax error.

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.


 -Original Message-
 From: uzair rashid [mailto:uzairrashi...@gmail.com]
 Sent: 2015 July 16, Thursday 19:33
 To: users@tomcat.apache.org
 Subject: Please help

 Hello:



 I am using Apache Tomcat 7.0.57..



 I have configured my server.xml as follows:

 ?xml version=1.0 encoding=UTF-8?!--

   Licensed to the Apache Software Foundation (ASF) under one or more

   contributor license agreements.  See the NOTICE file distributed with

   this work for additional information regarding copyright ownership.

   The ASF licenses this file to You under the Apache License, Version 2.0

   (the License); you may not use this file except in compliance with

   the License.  You may obtain a copy of the License at



   http://www.apache.org/licenses/LICENSE-2.0



   Unless required by applicable law or agreed to in writing, software

   distributed under the License is distributed on an AS IS BASIS,

   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

   See the License for the specific language governing permissions and

   limitations under the License.

 --!-- Note:  A Server is not itself a Container, so you may not

  define subcomponents such as Valves at this level.

  Documentation at /docs/config/server.html

  --Server port=8005 shutdown=SHUTDOWN

   Listener className=org.apache.catalina.startup.VersionLoggerListener/

   !-- Security listener. Documentation at /docs/config/listeners.html

   Listener className=org.apache.catalina.security.SecurityListener /

   --

   !--APR library loader. Documentation at /docs/apr.html --

   Listener className=org.apache.catalina.core.AprLifecycleListener
 SSLEngine=on/

   !--Initialize Jasper prior to webapps are loaded. Documentation

Please help

[uzair rashid]

)

at
org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:432)

at
org.apache.catalina.users.MemoryUserDatabaseFactory.getObjectInstance(MemoryUserDatabaseFactory.java:102)

at
org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFactory.java:141)

at
javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)

at
org.apache.naming.NamingContext.lookup(NamingContext.java:842)

at
org.apache.naming.NamingContext.lookup(NamingContext.java:167)

at
org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:253)

at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)

at
org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:201)

at
org.apache.catalina.realm.LockOutRealm.startInternal(LockOutRealm.java:120)

at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)

at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)





Can you please guide me in the right direction



Regards



Uzair Rashid