Re: org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed

2018-01-04 Thread Rémy Maucherat
On Fri, Jan 5, 2018 at 12:25 AM, Michael Peng <michael.p...@entrustdatacard.com> wrote:

> Do the changes make sense, and what would be the side effect ? In our
> case, the "netInBuffer" could be full, i.e., position = limit for large
> data. Maybe the "netInBuffer" should not be cleared since "compact" would
> reset the "netInBuffer", should it?
>

The buffer is flipped after that and the NIO code is the same anyway, so
the change doesn't make sense indeed as is.

Rémy


org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed

2018-01-04 Thread Michael Peng
Hi there,

We use Http11Nio2Protocol and configure TLSv1.2 for our services, and we
encounter handshake failures intermittently when posting a big chunk of data
from HttpClient via HTTP POST, with the following exception:

https-jsse-nio2-15443-exec-9, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unsupported record version Unknown-152.152
%% Invalidated:  [Session-5, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
https-jsse-nio2-15443-exec-9, SEND TLSv1.2 ALERT:  fatal, description = internal_error
Padded plaintext before ENCRYPTION:  len = 80
: 0E B4 29 73 84 93 21 64   30 2D 90 D4 99 E4 67 2E  ..)s..!d0-g.
0010: 02 50 50 C3 E0 45 C2 70   5D 09 E7 EC 1D 03 1F CE  .PP..E.p]...
0020: CC 25 05 97 23 88 AA 17   FC D3 41 B6 1B 53 68 A6  .%..#.A..Sh.
0030: 1F BF 53 4D 78 F3 D2 24   D4 09 E1 D4 42 B8 3F 34  ..SMx..$B.?4
0040: 2C BD 0D 0D 0D 0D 0D 0D   0D 0D 0D 0D 0D 0D 0D 0D  ,...
https-jsse-nio2-15443-exec-9, WRITE: TLSv1.2 Alert, length = 80
03-Jan-2018 16:45:36.987 FINE [https-jsse-nio2-15443-exec-9] org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed
javax.net.ssl.SSLException: Unsupported record version Unknown-152.152
    at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshakeUnwrap(SecureNio2Channel.java:495)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:289)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:204)
    at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1675)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:946)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:98)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:91)
    at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
    at sun.nio.ch.Invoker$2.run(Invoker.java:218)
    at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

If we switched to Http11NioProtocol, it worked OK.

And if we modify SecureNio2Channel.handshakeUnwrap() by commenting out
the following lines,

protected SSLEngineResult handshakeUnwrap() throws IOException {
    //if (netInBuffer.position() == netInBuffer.limit()) {
    //    //clear the buffer if we have emptied it out on data
    //    netInBuffer.clear();
    //}
    SSLEngineResult result;

We tried both HttpClient POST and browser POST with the changes, and it seemed to
work.
It looks like our HTTP client tried to close the socket every time, judging from
the log message (not sure though).
Do the changes make sense, and what would be the side effect? In our case, the
"netInBuffer" could be full, i.e., position = limit for large data. Maybe the
"netInBuffer" should not be cleared since "compact" would reset the
"netInBuffer", should it?

Please advise.

Thanks,

Michael
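The "Unsupported record version Unknown-152.152" in the trace above is JSSE's way of saying that the five bytes at the head of the network buffer did not form a TLS record header: the two version bytes it read were 0x98 0x98 (152.152), so the engine was handed bytes from somewhere inside a record rather than at a record boundary. The Python below is an added example, not Tomcat code and not from this thread; it parses a constructed record stream (SAMPLE_STREAM, MISALIGNED_OFFSET and the function names are mine) and shows how resuming a read at the wrong offset, which is what discarding still-pending bytes from a read buffer amounts to, produces exactly that class of error.

```python
import struct

# TLS record header (RFC 5246 section 6.2.1): type(1) major(1) minor(1) length(2)
HEADER_LEN = 5
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048  # upper bound on TLSCiphertext.length (RFC 5246 6.2.3)


class RecordError(ValueError):
    """Raised when the bytes at the read position do not form a valid record header."""


def parse_records(buf, offset=0):
    """Split buf[offset:] into (content_type, version, payload) tuples.

    Performs the same sanity checks an SSLEngine makes before unwrapping: if the
    version bytes are not a known major.minor pair the input is rejected with a
    message of the same shape as JSSE's "Unsupported record version Unknown-x.y".
    """
    records = []
    pos = offset
    while pos < len(buf):
        if len(buf) - pos < HEADER_LEN:
            raise RecordError("incomplete record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", buf[pos:pos + HEADER_LEN])
        if (major, minor) not in RECORD_VERSIONS:
            raise RecordError("Unsupported record version Unknown-%d.%d" % (major, minor))
        if ctype not in CONTENT_TYPES:
            raise RecordError("Unrecognized record type %d" % ctype)
        if length > MAX_CIPHERTEXT_LEN:
            raise RecordError("record length %d exceeds maximum" % length)
        body_start = pos + HEADER_LEN
        if body_start + length > len(buf):
            raise RecordError("incomplete record body at offset %d" % pos)
        records.append((CONTENT_TYPES[ctype], RECORD_VERSIONS[(major, minor)],
                        buf[body_start:body_start + length]))
        pos = body_start + length
    return records


def check_alignment(buf, offset):
    """Return "ok" if parsing from offset succeeds, else the error text a peer would log."""
    try:
        parse_records(buf, offset)
        return "ok"
    except RecordError as exc:
        return str(exc)


def make_record(ctype, payload, version=(3, 3)):
    """Build one TLS record around an (assumed already encrypted) payload."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample stream (not captured traffic): a 4-byte handshake record
# followed by a 6-byte application_data record whose body happens to start with
# 0x17 0x98 0x98, i.e. the bytes that, read as a header, give "Unknown-152.152".
SAMPLE_STREAM = (make_record(22, b"\x01\x02\x03\x04")
                 + make_record(23, b"\x17\x98\x98\x00\x01\x02"))

# Offset of the second record's body: where a reader lands if it throws away the
# header bytes it already had (e.g. by clearing a buffer that still held the start
# of the next record) and then resumes reading in mid-record.
MISALIGNED_OFFSET = 2 * HEADER_LEN + 4

if __name__ == "__main__":
    for ctype, version, body in parse_records(SAMPLE_STREAM):
        print(ctype, version, body.hex())
    print(check_alignment(SAMPLE_STREAM, MISALIGNED_OFFSET))
```

Running the block prints the two parsed records and then the error string for the misaligned offset. The same check can be pointed at bytes pulled from a capture to tell whether a peer's complaint is about the data on the wire or about how the receiving side buffered it.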





RE: GC allocation failure

2018-01-04 Thread Sanka, Ambica
Thank you. I will make initial and max heap to be same value.

Ambica Sanka
Sr J2EE IV Developer
office  703.661.7928

atpco.net
linkedIn  /  twitter @atpconews

45005 Aviation Drive
Dulles, VA 20166




-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, January 04, 2018 12:20 PM
To: users@tomcat.apache.org
Subject: Re: GC allocation failure

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ambica,

On 1/4/18 11:17 AM, Sanka, Ambica wrote:
> I am seeing below highlighted errors in native_err logs in all my 
> tomcat applications. I also increased memory for the VM from 4GB to 
> 8GB. Still seeing those. When do we get those errors? I am reading 
> online that when program asks for memory and java cannot give, that's 
> when we see them. Please suggest. Java HotSpot(TM) 64-Bit Server VM 
> (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 
> 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat
> 4.3.0-8) Memory: 4k page, physical 8061572k(2564740k free), swap 
> 4063228k(4063228k free)
> 
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError 
> -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/
> -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC 
> -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers 
> -XX:+UseCompressedOops -XX:+UseParallelGC

Others have commented on those messages you received, but nobody mentioned your 
heap configuration. In the above command-line arguments, you have specified 
both the minimum and maximum heap memory. You have expressed those values in 
bytes which makes it somewhat hard to read what they actually are, but this is 
what you have in readable units:

-XX:InitialHeapSize=128M -XX:MaxHeapSize=256M

So you aren't using an 8GiB heap. You aren't even using a 4GiB heap.
You are using a 256 *megabyte* heap. If you really want an 8GiB heap, you'll 
need to set it properly in your command-line arguments.

Note that setting the initial heap size to anything other than the maximum heap 
size just makes the JVM take longer to get the heap generations sized 
appropriately. For a long-running server process, I think it never makes any 
sense to set initial < max heap size. Always set them to the same value so that 
the heap itself does not have to be expanded/resized during heap allocations.

Hope that helps,
-chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlpOYkMdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFjKfBAAikZ9mfKhO5VcEGyd
spKC8m4Ot1N+qtkR02ftBf7Sh0CQRjMBFsQUzd2Y+F2w7lPT8bpCnxThKfrkjrkk
ySrF7mVF82aVUM72Abh65tK+E4HJhbZWzGAx7NtSx5XDS5ga9nFvJ42Ea/+pzqUf
ZQmnRIXhj4gWf+q8mk1bIeR0siSc9J7e575CxMkJWji4gIgLgVMMJTZ1Euwya83W
ohTe1Bi355kKiiX3ikRutFgv91fX5kSdNkf+u4huvEBccyDJRaK2MapJ+KOMVUbJ
OodFqlO4eFkeL/KxyclWr8OnAgPj4VaNfaq7jNzZyI5MpZymKhuy8uKnUN10XN8r
tZO/ZFroeEmLDpM6imPIj1eHcgq/emFg1gT9QW8G08WfWFkSF7fm60Xi3U+4/8si
uB3zCFXq9g5EjQ5p2MdpNyQPsHXm5E/J4iS5XyBKkjcuNkVfYneEMP+alOMHIIGI
SxS1Hb54VgV+//etPHgycVVoomw5JFW3erRkiMd6edQL5K9m/j+xHJhbr5nbcYKe
Nj3lPFPQ5hP02qySf+flZQYayX3HNgCXqhFfDDCANKejU7I4ZC2bSySrWrPkuTfc
Dgk+TXlvLRvZ5xWzyM8F1NlsJ/OV+mk23WIyGX7Riyqw9lPghzO+i1mHtyZzg2g8
8zBZXehds+nzTCCBP6MUNqH+I50=
=DPai
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: GC allocation failure

2018-01-04 Thread Rainer Jung

On 04.01.2018 at 18:20, Christopher Schultz wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Ambica,
>
> On 1/4/18 11:17 AM, Sanka, Ambica wrote:
>
>> I am seeing below highlighted errors in native_err logs in all my
>> tomcat applications. I also increased memory for the VM from 4GB to
>> 8GB. Still seeing those. When do we get those errors? I am reading
>> online that when program asks for memory and java cannot give,
>> that's when we see them. Please suggest. Java HotSpot(TM) 64-Bit
>> Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on
>> Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat
>> 4.3.0-8) Memory: 4k page, physical 8061572k(2564740k free), swap
>> 4063228k(4063228k free)
>>
>> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError
>> -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/
>> -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456
>> -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers
>> -XX:+UseCompressedOops -XX:+UseParallelGC
>
> Others have commented on those messages you received, but nobody
> mentioned your heap configuration. In the above command-line
> arguments, you have specified both the minimum and maximum heap
> memory. You have expressed those values in bytes which makes it
> somewhat hard to read what they actually are, but this is what you

I *think* the JVM top line in GC output always shows bytes, even if you 
were using other units in the original switches.

> have in readable units:
>
> -XX:InitialHeapSize=128M -XX:MaxHeapSize=256M

but yes, that is a valid point!

> So you aren't using an 8GiB heap. You aren't even using a 4GiB heap.
> You are using a 256 *megabyte* heap. If you really want an 8GiB heap,
> you'll need to set it properly in your command-line arguments.
>
> Note that setting the initial heap size to anything other than the
> maximum heap size just makes the JVM take longer to get the heap
> generations sized appropriately. For a long-running server process, I
> think it never makes any sense to set initial < max heap size. Always
> set them to the same value so that the heap itself does not have to be
> expanded/resized during heap allocations.


Regards,

Rainer





Re: GC allocation failure

2018-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ambica,

On 1/4/18 11:17 AM, Sanka, Ambica wrote:
> I am seeing below highlighted errors in native_err logs in all my
> tomcat applications. I also increased memory for the VM from 4GB to
> 8GB. Still seeing those. When do we get those errors? I am reading
> online that when program asks for memory and java cannot give,
> that's when we see them. Please suggest. Java HotSpot(TM) 64-Bit
> Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on
> Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat
> 4.3.0-8) Memory: 4k page, physical 8061572k(2564740k free), swap
> 4063228k(4063228k free)
> 
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/
> -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456
> -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers
> -XX:+UseCompressedOops -XX:+UseParallelGC

Others have commented on those messages you received, but nobody
mentioned your heap configuration. In the above command-line
arguments, you have specified both the minimum and maximum heap
memory. You have expressed those values in bytes which makes it
somewhat hard to read what they actually are, but this is what you
have in readable units:

-XX:InitialHeapSize=128M -XX:MaxHeapSize=256M

So you aren't using an 8GiB heap. You aren't even using a 4GiB heap.
You are using a 256 *megabyte* heap. If you really want an 8GiB heap,
you'll need to set it properly in your command-line arguments.

Note that setting the initial heap size to anything other than the
maximum heap size just makes the JVM take longer to get the heap
generations sized appropriately. For a long-running server process, I
think it never makes any sense to set initial < max heap size. Always
set them to the same value so that the heap itself does not have to be
expanded/resized during heap allocations.

Hope that helps,
-chris




Re: GC allocation failure

2018-01-04 Thread Rainer Jung

Hi Ambica,

On 04.01.2018 at 17:17, Sanka, Ambica wrote:

> I am seeing below highlighted errors in native_err logs in all my tomcat 
> applications. I also increased memory for the VM from 4GB to 8GB. Still seeing 
> those. When do we get those errors?
> I am reading online that when program asks for memory and java cannot give, 
> that's when we see them. Please suggest.
> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built 
> on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError 
> -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ 
> -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC 
> -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops 
> -XX:+UseParallelGC
> 3.203: [GC (Allocation Failure)  31744K->6311K(121856K), 0.0097261 secs]
> 3.578: [GC (Allocation Failure)  38055K->12368K(121856K), 0.0089875 secs]
> 3.756: [GC (Allocation Failure)  44112K->19589K(121856K), 0.0100339 secs]
> 3.897: [GC (Allocation Failure)  51333K->25872K(153600K), 0.0092326 secs]
> 4.172: [GC (Allocation Failure)  89360K->38878K(153600K), 0.0152940 secs]
> 4.417: [GC (Allocation Failure)  102366K->50311K(148480K), 0.0148816 secs]
> 4.594: [GC (Allocation Failure)  95367K->49903K(151040K), 0.0197327 secs]
> 4.765: [GC (Allocation Failure)  94959K->50213K(148992K), 0.0149008 secs]
> 4.946: [GC (Allocation Failure)  96293K->52257K(150528K), 0.0172634 secs]
> 5.129: [GC (Allocation Failure)  98337K->53118K(151040K), 0.0139426 secs]
> 5.313: [GC (Allocation Failure)  102270K->53234K(152064K), 0.0122307 secs]
> 5.498: [GC (Allocation Failure)  102386K->53579K(153088K), 0.0166336 secs]
> 5.655: [GC (Allocation Failure)  104779K->54486K(153600K), 0.0161735 secs]
> 6.885: [GC (Allocation Failure)  105686K->51523K(153600K), 0.0123126 secs]


These messages are normal; as long as there are no other problems or 
errors, they are nothing to worry about.


Java manages memory in regions of different sizes and meaning. 
Allocation for new objects is done in the so-called eden space. This 
memory region is managed in a very simple way. The JVM allocates from it 
until it is full (not enough free space left for the current 
allocation). Then it interrupts the application and runs a Garbage 
Collection (GC) for this memory region, copying any objects which are 
still alive from this region into another one (typically into one of the 
two survivor spaces). At the end of the GC run, eden will be fully 
cleared and the application can continue, again allocating from eden.


The above message is shown whenever a GC run for eden happens. The 
reason for the GC run is shown, here "(Allocation Failure)". The GC for 
eden in your case takes about 10-20 milliseconds and runs about 4-5 
times per second. The string "Failure" is somewhat misleading: the 
failed allocation will be retried and typically succeeds once the GC 
finishes.


Although you can adjust eden size with specific JVM flags, you probably 
have only set the heap size, which is the combined size of several JVM 
memory regions. In that case the JVM will try to auto-tune eden size. If 
you want to set eden size explicitly, you might need to do more 
measurements to deduce good settings from those. That would be a 
somewhat more difficult and not Tomcat specific topic.


Unrelated: note that your JVM 8 patch level 20 is very old.

Regards,

Rainer
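To make the two points in this thread concrete (Chris's, that the "CommandLine flags" line states the heap in bytes and that initial < max only delays heap sizing; and Rainer's, that the "(Allocation Failure)" lines are routine eden collections whose frequency and pause time are what actually matter), here is an added Python script, not from the thread and not a Tomcat tool, that parses the log Ambica posted. SAMPLE_GC_LOG repeats the lines from her message; the function names and the output wording are mine. The -Xms/-Xmx pair it suggests are the standard HotSpot options for the initial and maximum heap size.

```python
import re

# One line per young-generation collection, as printed by -XX:+PrintGC -XX:+PrintGCTimeStamps:
#   <uptime>: [GC (<cause>)  <used before>K-><used after>K(<committed>K), <pause> secs]
GC_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+): \[GC \((?P<cause>[^)]*)\)\s+"
    r"(?P<before>\d+)K->(?P<after>\d+)K\((?P<committed>\d+)K\), (?P<secs>[\d.]+) secs\]")
# The "CommandLine flags:" header reports heap sizes in bytes however they were given.
HEAP_FLAG = re.compile(r"-XX:(InitialHeapSize|MaxHeapSize)=(\d+)")

# The flag header and GC lines from Ambica's message, joined into one block.
SAMPLE_GC_LOG = """\
CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC
3.203: [GC (Allocation Failure)  31744K->6311K(121856K), 0.0097261 secs]
3.578: [GC (Allocation Failure)  38055K->12368K(121856K), 0.0089875 secs]
3.756: [GC (Allocation Failure)  44112K->19589K(121856K), 0.0100339 secs]
3.897: [GC (Allocation Failure)  51333K->25872K(153600K), 0.0092326 secs]
4.172: [GC (Allocation Failure)  89360K->38878K(153600K), 0.0152940 secs]
4.417: [GC (Allocation Failure)  102366K->50311K(148480K), 0.0148816 secs]
4.594: [GC (Allocation Failure)  95367K->49903K(151040K), 0.0197327 secs]
4.765: [GC (Allocation Failure)  94959K->50213K(148992K), 0.0149008 secs]
4.946: [GC (Allocation Failure)  96293K->52257K(150528K), 0.0172634 secs]
5.129: [GC (Allocation Failure)  98337K->53118K(151040K), 0.0139426 secs]
5.313: [GC (Allocation Failure)  102270K->53234K(152064K), 0.0122307 secs]
5.498: [GC (Allocation Failure)  102386K->53579K(153088K), 0.0166336 secs]
5.655: [GC (Allocation Failure)  104779K->54486K(153600K), 0.0161735 secs]
6.885: [GC (Allocation Failure)  105686K->51523K(153600K), 0.0123126 secs]
"""


def to_mib(n_bytes):
    """Convert a byte count to MiB, the unit -Xms/-Xmx take with the 'm' suffix."""
    return n_bytes / (1024 * 1024)


def analyze(log_text):
    """Return heap-flag values and young-GC statistics for a PrintGC log."""
    flags = {name: int(value) for name, value in HEAP_FLAG.findall(log_text)}
    events = [m.groupdict() for m in map(GC_LINE.match, log_text.splitlines()) if m]
    pauses = [float(e["secs"]) for e in events]
    summary = {
        "initial_bytes": flags.get("InitialHeapSize"),
        "max_bytes": flags.get("MaxHeapSize"),
        "initial_equals_max": flags.get("InitialHeapSize") == flags.get("MaxHeapSize"),
        "gc_count": len(events),
        "total_pause_s": sum(pauses),
        "max_pause_s": max(pauses, default=0.0),
        "max_committed_kib": max((int(e["committed"]) for e in events), default=0),
        "gc_per_s": None,
        "pct_time_in_gc": None,
    }
    if len(events) >= 2:
        span = float(events[-1]["ts"]) - float(events[0]["ts"])  # seconds of uptime covered
        summary["gc_per_s"] = len(events) / span
        summary["pct_time_in_gc"] = 100.0 * sum(pauses) / span
    return summary


def suggest_flags(max_bytes):
    """Equivalent -Xms/-Xmx pair that pins the heap at its maximum from startup."""
    mib = int(round(to_mib(max_bytes)))
    return "-Xms%dm -Xmx%dm" % (mib, mib)


def findings(summary):
    """Human-readable observations in the spirit of the replies in this thread."""
    out = []
    if summary["max_bytes"] is not None:
        out.append("MaxHeapSize is %.0f MiB (%d bytes)"
                   % (to_mib(summary["max_bytes"]), summary["max_bytes"]))
    if summary["initial_bytes"] is not None and summary["max_bytes"] is not None \
            and not summary["initial_equals_max"]:
        out.append("InitialHeapSize (%.0f MiB) differs from MaxHeapSize; consider %s so the "
                   "heap is not resized while the server runs"
                   % (to_mib(summary["initial_bytes"]), suggest_flags(summary["max_bytes"])))
    if summary["gc_per_s"] is not None:
        out.append("%d young collections, max pause %.1f ms, %.1f%% of elapsed time in GC "
                   "(%.1f per second); routine unless the pauses grow"
                   % (summary["gc_count"], 1000 * summary["max_pause_s"],
                      summary["pct_time_in_gc"], summary["gc_per_s"]))
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_GC_LOG)):
        print(line)
```

Feed it a longer log from a real run and the last finding is the one to watch: a rising maximum pause or a growing share of time in GC is the signal that the heap (or eden) needs attention, while the count of "Allocation Failure" lines by itself is not.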




Re: GC allocation failure

2018-01-04 Thread Suvendu Sekhar Mondal
Ambica,

On Jan 4, 2018 9:47 PM, "Sanka, Ambica"  wrote:

> I am seeing below highlighted errors in native_err logs in all my tomcat
> applications. I also increased memory for the VM from 4GB to 8GB. Still
> seeing those. When do we get those errors?

It is not an error. It is a very normal phenomenon for all Java based
applications.

> I am reading online that when program asks for memory and java cannot give,
> that's when we see them. Please suggest.

That's true. Imagine this scenario: you have a warehouse where you keep
different types of stuff. Say you keep adding new stuff daily. One day
you'll eventually run out of space. On that day you have two options:
1. get rid of some old stuff which is not needed and make room for the
new stuff
2. extend your old warehouse

Same thing happens when you run Java programs. What you are seeing in the
log is called Garbage Collection (GC) and is similar to option #1. What you did
by increasing memory is like option #2.

Again, GC activity is normal unless that operation takes a long time and
affects your application response time. I suggest that you read
about Garbage Collection in Java. Google is your friend.

Thanks!
Suvendu

> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE
> (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0
> 20080428 (Red Hat 4.3.0-8)
> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k
> free)
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError
> -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/
> -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC
> -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers
> -XX:+UseCompressedOops -XX:+UseParallelGC
> 3.203: [GC (Allocation Failure)  31744K->6311K(121856K), 0.0097261 secs]
> 3.578: [GC (Allocation Failure)  38055K->12368K(121856K), 0.0089875 secs]
> 3.756: [GC (Allocation Failure)  44112K->19589K(121856K), 0.0100339 secs]
> 3.897: [GC (Allocation Failure)  51333K->25872K(153600K), 0.0092326 secs]
> 4.172: [GC (Allocation Failure)  89360K->38878K(153600K), 0.0152940 secs]
> 4.417: [GC (Allocation Failure)  102366K->50311K(148480K), 0.0148816 secs]
> 4.594: [GC (Allocation Failure)  95367K->49903K(151040K), 0.0197327 secs]
> 4.765: [GC (Allocation Failure)  94959K->50213K(148992K), 0.0149008 secs]
> 4.946: [GC (Allocation Failure)  96293K->52257K(150528K), 0.0172634 secs]
> 5.129: [GC (Allocation Failure)  98337K->53118K(151040K), 0.0139426 secs]
> 5.313: [GC (Allocation Failure)  102270K->53234K(152064K), 0.0122307 secs]
> 5.498: [GC (Allocation Failure)  102386K->53579K(153088K), 0.0166336 secs]
> 5.655: [GC (Allocation Failure)  104779K->54486K(153600K), 0.0161735 secs]
> 6.885: [GC (Allocation Failure)  105686K->51523K(153600K), 0.0123126 secs]
>
> Thanks
> Ambica.


GC allocation failure

2018-01-04 Thread Sanka, Ambica
I am seeing below highlighted errors in native_err logs in all my tomcat 
applications. I also increased memory for the VM from 4GB to 8GB. Still seeing 
those. When do we get those errors?
I am reading online that when program asks for memory and java cannot give, 
that's when we see them. Please suggest.
Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE 
(1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 
20080428 (Red Hat 4.3.0-8)
Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError 
-XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ 
-XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC 
-XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops 
-XX:+UseParallelGC
3.203: [GC (Allocation Failure)  31744K->6311K(121856K), 0.0097261 secs]
3.578: [GC (Allocation Failure)  38055K->12368K(121856K), 0.0089875 secs]
3.756: [GC (Allocation Failure)  44112K->19589K(121856K), 0.0100339 secs]
3.897: [GC (Allocation Failure)  51333K->25872K(153600K), 0.0092326 secs]
4.172: [GC (Allocation Failure)  89360K->38878K(153600K), 0.0152940 secs]
4.417: [GC (Allocation Failure)  102366K->50311K(148480K), 0.0148816 secs]
4.594: [GC (Allocation Failure)  95367K->49903K(151040K), 0.0197327 secs]
4.765: [GC (Allocation Failure)  94959K->50213K(148992K), 0.0149008 secs]
4.946: [GC (Allocation Failure)  96293K->52257K(150528K), 0.0172634 secs]
5.129: [GC (Allocation Failure)  98337K->53118K(151040K), 0.0139426 secs]
5.313: [GC (Allocation Failure)  102270K->53234K(152064K), 0.0122307 secs]
5.498: [GC (Allocation Failure)  102386K->53579K(153088K), 0.0166336 secs]
5.655: [GC (Allocation Failure)  104779K->54486K(153600K), 0.0161735 secs]
6.885: [GC (Allocation Failure)  105686K->51523K(153600K), 0.0123126 secs]

Thanks
Ambica.


Re: Using existing LetsEncrypt certs with tomcat

2018-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Paul,

On 1/4/18 12:50 AM, Paul Beard wrote:
> 
> 
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz
>>  wrote:
>> 
>> In there, I detail how to put everything together. There is a
>> script that builds a Java keystore that Tomcat can use. That
>> script demonstrates how to take an existing
>> key+certificate+chain, convert it into a Java keystore and then
>> make it active. The script actually requests a renewal of the
>> certificate from Let's Encrypt (which may say "no renewal
>> required") and then only re-builds the keystore if the key/cert
>> have actually changed.
> 
> This looks great but I suspect my problems are more basic, like
> getting *any* cert to be honored, even a self-signed one.

Were you able to get Let's Encrypt to generate a key and LE-signed
certificate? If not, that's obviously the first step. You don't need
TLS working in order to get an LE-signed certificate. Slide #20 has
the command you need to run in order to get an initial certificate.
Slides 16-19 cover the iptables routing required to allow LE to
connect over port 80/443 when Tomcat is binding to port 8080/8443.

> This step —  ... /> — eludes me. I added that to an existing Connector stanza
> but I am seeing these errors which suggests (?) I did that wrong:
> 
> SEVERE: Failed to initialize end point associated with
> ProtocolHandler ["http-bio-8443"] java.io.IOException: Keystore was
> tampered with, or password was incorrect

Slides 21 - 24 cover my investigation for how to replace Tomcat's
keystore while it's running in a safe-ish way. The presentation was a
bit of an explanation for how I was able to ultimately build the final
script. You don't have to perform every step in the presentation.

What you really want to do is look at slide #28 which has the overview
of the process *after* you have the first cert from LE. So, assuming
you have it, you can basically use my script directly.

>  protocol="org.apache.coyote.http11.Http11Protocol" 
> keystoreFile="conf/keystore.jks"  keystorePass="qwerty" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
> clientAuth="false" sslProtocol="TLS" />

I'd recommend that you use NIO. I'd also recommend that you upgrade
from Tomcat 7.0.x to Tomcat 8.5.x if possible. It already handles
dynamic reloading of TLS configuration, so you won't need any (albeit
short) unavailability of your Tomcat instance.

> But that seems outside the scope of what I was asking. I'll take
> another look tomorrow…took entirely too long to get the symlink
> step to work as expected. Had to change to the conf directory for
> it to work. Too late in the day for this to make any sense.

:)

> Thanks for the presentation. I’m sure it will make sense to me
> eventually.

Mark pointed to the Tomcat "presentations" page where you can find a
link to this LE/Tomcat presentation as well as the audio of my
presentation of these slides at ApacheCon in Miami last year. Perhaps
the audio will give you more information than is actually contained in
the slides.

Hope that helps,
-chris




Re: ALv2 Tomcat Training material

2018-01-04 Thread Coty Sutherland
On Thu, Jan 4, 2018 at 8:01 AM, Mark Thomas  wrote:
> On 04/01/18 11:31, Marek Czernek wrote:
>> Hi Mark,
>>
>> I think this is a great idea. Before doing any brainstorming though, I
>> wonder about the following:
>>
>> 1. Who'd be the target audience? And what skill level would you want to
>>target? Any pre-requisites?

People that ask questions on freenode :)

> The short version is whatever the Tomcat community (i.e. the members of
> this list) would find most useful. Possible examples that come to mind are:
> - an introductory course for an experienced sysadmin that knows nothing
> about Tomcat
> - in depth trouble-shooting
>
> But rather than just my random ideas, I'd love to hear what the
> community wants.

I can try and compile a list of questions from my IRC scrollback to
add as ideas. I also started a quickstarts repo on github but that's
mostly focused on tomcat embedded since there isn't much in the way of
examples around. I also considered working on interactive courses and
putting them on https://katacoda.com/.

>
>> 2. Should it be purely Tomcat, or do you want to talk about various
>>frameworks that integrate with Tomcat in some manner? (Hibernate
>>comes to mind, for example)
>
> This is is easy. Purely Tomcat.
>
>> 3. What goals would you like to achieve? I.e., would you want to create
>>a course for a community and potential future contributors, or would
>>your goal be a course for experts to get things done asap? Imho
>>those two goals require different approaches. If the answer is
>>'both', that could be sub-optimal (though understandable). Or do you
>>imagine completely different goal(s)?
>
> My original thinking was training for end users of any/all levels.
> However, if there was interest we could add some modules on how to
> become a contributor, committer, PMC member etc.

+1, I sometimes get questions about how to contribute, become a
committer, etc and share my experience (and the CONTRIBUTING guide on
github), but having a more formal document on what to do for our
project would be nice.

>
>> My main question is 'WHY'. What is the hole we're trying to fill in. Do
>> you want people to have quick yet quite deep understanding of basic
>> concepts and fundamentals? Do you want people to be more excited about
>> Tomcat? Do you want to shed light on an obscure integration pattern that
>> is highly useful? Do you want to create a certification that would be
>> beneficial for job interviews? Some of the answers might be
>> complimentary, but a lot of them are almost opposite to each other, imho.
>
> Why? Because I think that there is a community demand for this. I once
> ran a Tomcat training course at ApacheCon for which I did ZERO marketing
> (the only marketing was that it was listed as an option when registering
> - and an expensive option at that) and ~15 people signed up.
>
> I want to help people understand how to use Tomcat. Hopefully, a
> side-effect will be that even more great people show up here.
>
> I'm not interested in creating a certification or anything similar.
>
> HTH explain my thinking.
>
> Mark
>
>
>>
>>
>> On 01/04/2018 11:16 AM, Mark Thomas wrote:
>>> Hi,
>>>
>>> One of the things on my TODO list is to put together some Tomcat
>>> training material licensed under the Apache License (version 2). i.e.
>>> material that would be made freely available for folks to use.
>>>
>>> I'd also like to make the training material available on YouTube as well
>>> as run some training courses (for a small fee) to deliver the material
>>> face to face.
>>>
>>> The structure I have in mind is a series of modules (say 30 mins in
>>> length) that can be organised in different ways to suit different needs.
>>> e.g. put the introductory modules for each area together to provide an
>>> 'Introduction to Tomcat course', put all the TLS modules together to
>>> provide an in depth 'Tomcat and TLS' course etc.
>>>
>>> I think a lot of the raw content is already available. We have the
>>> various Tomcat presentations that have been given over the years and my
>>> employer has agreed to let me make use of the material from our (now
>>> possibly a little dated) Tomcat training courses.
>>>
>>> I can't do this alone. Not in any reasonable time frame anyway. So I am
>>> reaching out to the community for help.
>>>
>>> The first step is to come with:
>>> - a list of modules
>>> - potential courses formed from combinations of modules
>>>
>>> I am asking for your ideas for modules, courses and combinations of
>>> modules that could make up those courses.
>>>
>>> We have a blank wiki page to host this:
>>> https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course
>>>
>>> Feel free to ask for edit access to that page (you'll need to create an
>>> account and let us know the user name) so you can add ideas directly or
>>> add ideas to this thread and I'll add them to the wiki page.
>>>
>>> The second step is to start populating the 

authentication via IIS front-end proxy

2018-01-04 Thread Agrawal, Suraj (CORP)
Hi Team,

We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache 
to host javacontainer for REST calls for our Siebel application. The 
javacontainer is listening on port 9001 as below:

 

We are trying to set up Windows Authentication in Apache by using a reverse proxy 
with IIS, and have followed the steps below as per the Apache documentation.

Steps followed:
There are three steps to configuring IIS to provide Windows authentication. 
They are:
1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
   This is done and working as expected.

2. Configure IIS to use Windows authentication.
   This is done and working as expected.

3. Configure Tomcat to use the authentication user information from IIS by 
setting the tomcatAuthentication attribute on the AJP connector to false. 
Alternatively, set the tomcatAuthorization attribute to true to allow IIS to 
authenticate, while Tomcat performs the authorization.

Q1: We were able to configure the reverse proxy with the Anon user, but 
Windows authentication is failing at the Apache level with the error below:
Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error 
while login : The username cannot be empty. Please select a username.

Q2: Our configuration is using the "HTTP" protocol. Do we need to change the 
server.xml entry for 9001 to use the AJP protocol and then add the entry 
"tomcatAuthentication=False"?

Q3: Do we need to install the AJP connector on top of Tomcat, or is it installed 
by default, or do we not need it for Windows Authentication?


Thanks & Regards,
Suraj Agrawal
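One property of the configuration in step 3 is worth checking before it goes live: with tomcatAuthentication="false" the AJP connector accepts the user name the proxy forwards without any check of its own, so any client that can open a connection to that port can present whatever REMOTE_USER it likes. The Python below is an added example (not Tomcat code and not from the thread): it reads a constructed server.xml (SAMPLE_SERVER_XML and the function names are mine; the attribute names are Tomcat's) and flags an AJP connector that trusts the proxy while listening on every interface, as well as the HTTP-connector case from Q2, where tomcatAuthentication is not an attribute the connector understands.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml for this example (hypothetical; not the poster's file).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- the HTTP connector from the question, with the attribute from Q2 bolted on -->
    <Connector port="9001" protocol="HTTP/1.1" tomcatAuthentication="false"/>
    <!-- AJP connector that trusts the proxy's user and is bound to every interface -->
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false"/>
    <!-- AJP connector that trusts the proxy but is reachable only on loopback -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false"/>
    <!-- the alternative from step 3: Tomcat still authenticates, IIS only authorises -->
    <Connector port="8011" protocol="AJP/1.3" tomcatAuthorization="true"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def is_loopback(address):
    """True if the connector's address attribute restricts it to the local host."""
    if address is None:
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_connectors(xml_text):
    """Return one finding per connector whose authentication hand-off needs attention."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        is_ajp = "ajp" in protocol.lower()
        # tomcatAuthentication defaults to true: Tomcat does its own authentication.
        trusts_proxy_user = conn.get("tomcatAuthentication", "true").lower() == "false"
        if trusts_proxy_user and not is_ajp:
            findings.append(
                "port %s: tomcatAuthentication is an AJP connector attribute; on a %s "
                "connector it has no effect, so the user IIS authenticated never reaches "
                "the webapp" % (port, protocol))
        elif trusts_proxy_user and not is_loopback(conn.get("address")):
            findings.append(
                "port %s: AJP connector accepts the proxy-supplied user without checking "
                "it and is not bound to loopback; set address=\"127.0.0.1\" (or otherwise "
                "restrict who can reach this port) so only the IIS proxy can speak to it"
                % port)
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

The loopback check is the minimum; on a host where IIS and Tomcat are on different machines the equivalent is binding the AJP connector to an address that only the proxy can reach and filtering the port at the network level.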


Re: ALv2 Tomcat Training material

2018-01-04 Thread tomcat

On 04.01.2018 14:01, Mark Thomas wrote:

On 04/01/18 11:31, Marek Czernek wrote:

Hi Mark,

I think this is a great idea. Before doing any brainstorming though, I
wonder about the following:

1. Who'd be the target audience? And what skill level would you want to
target? Any pre-requisites?


The short version is whatever the Tomcat community (i.e. the members of
this list) would find most useful. Possible examples that come to mind are:
- an introductory course for an experienced sysadmin that knows nothing
about Tomcat


Suggestion : explain to an experienced sysadmin who knows nothing about Tomcat or Java 
(but a lot about system utilities etc) how to set up a coherent and easy-to-manage logging 
system for tomcat (and applications therein), including (safe) log rotation, archiving, 
cleanup etc.



- in depth trouble-shooting

But rather than just my random ideas, I'd love to hear what the
community wants.


2. Should it be purely Tomcat, or do you want to talk about various
frameworks that integrate with Tomcat in some manner? (Hibernate
comes to mind, for example)


This is easy. Purely Tomcat.


3. What goals would you like to achieve? I.e., would you want to create
a course for a community and potential future contributors, or would
your goal be a course for experts to get things done asap? Imho
those two goals require different approaches. If the answer is
'both', that could be sub-optimal (though understandable). Or do you
imagine completely different goal(s)?


My original thinking was training for end users of any/all levels.
However, if there was interest we could add some modules on how to
become a contributor, committer, PMC member etc.


My main question is 'WHY'. What is the hole we're trying to fill in. Do
you want people to have quick yet quite deep understanding of basic
concepts and fundamentals? Do you want people to be more excited about
Tomcat? Do you want to shed light on an obscure integration pattern that
is highly useful? Do you want to create a certification that would be
beneficial for job interviews? Some of the answers might be
complementary, but a lot of them are almost opposite to each other, imho.


Why? Because I think that there is a community demand for this. I once
ran a Tomcat training course at ApacheCon for which I did ZERO marketing
(the only marketing was that it was listed as an option when registering
- and an expensive option at that) and ~15 people signed up.

I want to help people understand how to use Tomcat. Hopefully, a
side-effect will be that even more great people show up here.

I'm not interested in creating a certification or anything similar.

HTH explain my thinking.

Mark





On 01/04/2018 11:16 AM, Mark Thomas wrote:

Hi,

One of the things on my TODO list is to put together some Tomcat
training material licensed under the Apache License (version 2). i.e.
material that would be made freely available for folks to use.

I'd also like to make the training material available on YouTube as well
as run some training courses (for a small fee) to deliver the material
face to face.

The structure I have in mind is a series of modules (say 30 mins in
length) that can be organised in different ways to suit different needs.
e.g. put the introductory modules for each area together to provide an
'Introduction to Tomcat course', put all the TLS modules together to
provide an in depth 'Tomcat and TLS' course etc.

I think a lot of the raw content is already available. We have the
various Tomcat presentations that have been given over the years and my
employer has agreed to let me make use of the material from our (now
possibly a little dated) Tomcat training courses.

I can't do this alone. Not in any reasonable time frame anyway. So I am
reaching out to the community for help.

The first step is to come with:
- a list of modules
- potential courses formed from combinations of modules

I am asking for your ideas for modules, courses and combinations of
modules that could make up those courses.

We have a blank wiki page to host this:
https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course

Feel free to ask for edit access to that page (you'll need to create an
account and let us know the user name) so you can add ideas directly or
add ideas to this thread and I'll add them to the wiki page.

The second step is to start populating the modules with actual content.
As a motivator to get this done, I'd like to run a public Tomcat
training course in late March / early April using this material. My
current thinking is that the course would cost ~£100 plus food per
person for the full day. Possible locations for this course are:
- Cardiff
- Birmingham
- Manchester
- Glasgow
(all in the UK - if successful we can expand to mainland Europe and
beyond)

My second request is for feedback on which location(s) are preferable
and what content would you like to see in the training course. I'll take
this feedback, put 

Re: WELCOME to users@tomcat.apache.org

2018-01-04 Thread tomcat
Additional suggestion : the next time, use a meaningful subject for your emails to the 
list, indicating the kind of issue you are stuck with.


That will help people here to see quickly if they can respond usefully to your questions, 
without having to read the whole message.


bad : hit "reply" on a previous unrelated message
bad : !! URGENT HELP NEEDED !!
bad : Problem with Tomcat !!!

good : authentication via IIS front-end proxy
good : hit "reply list" on the previous *related* message


On 04.01.2018 15:07, André Warnier (tomcat) wrote:

Hi.

On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:

Hi Team,

We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache 
to host javacontainer for Rest calls for our Siebel application. The javacontainer is 
listening to Port 9001 as below-



We are trying to set up Windows Authentication in Apache by using Reverse Proxy 
with IIS, and have followed the below steps as per the Apache documentation.

---Steps followed :
There are three steps to configuring IIS to provide Windows authentication. 
They are:
1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
 This is done and working as expected


There is a bit of confusing information in the page
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it 
mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat 
containers".  In fact, "mod_jk" and "ISAPI redirector" are functionally the same thing (and 
probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under 
Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver front-end 
(Windows only)

But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is 
AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the 
HTTP Connector.

The AJP protocol is somewhat different from HTTP :
- both essentially carry the same information (requests and responses)
but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the front-end 
to the back-end, is the authenticated user-id on the front-end, if any.
(HTTP does not normally do this in any standard way).

At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false) 
serves to tell Tomcat to either "believe" (false) the user-id that it receives from the 
front-end through AJP, or to ignore it (true) and do its own authentication anyway.

At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP 
Connector (and protocol).
See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
(tomcatAuthentication AND tomcatAuthorization)

while here : 
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).



2. Configure IIS to use Windows authentication
 This is done and working as expected

3. Configure Tomcat to use the authentication user information from IIS by 
setting the tomcatAuthentication attribute on the AJP connector to false. 
Alternatively, set the tomcatAuthorization attribute to true to allow IIS to 
authenticate, while Tomcat performs the authorization.



Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)


Q1   We were able to configure the reverse proxy with Anon user but the 
Windows authentication is failing at Apache level with below error :-
Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error 
while login : The username cannot be empty. Please select a username.



Your problem may be there, with this "anonymous" authentication at the IIS level.  Maybe 
the isapi_redirector interprets this as "no user", and transmits an empty user-id to 
Tomcat.  Have you tried with a real Windows-level user-id ?



Q2   Our configuration is using "HTTP" protocol, do we need to change the 
server.xml entry for 9001 to use AJP protocol and then add entry " 
tomcatAuthentication=False"



Yes, probably.


Q3  Do we need to install AJP connector on top of Tomcat or it's installed by 
default, or we do not need it for Windows Authentication.



You do need it.
It is provided by default, but you may need to uncomment the corresponding lines in the 
server.xml file.
Considering your previous statements above, make sure that the HTTP Connector (if any) and 
the AJP Connector (if any) use different ports.
And on the IIS/ISAPI redirector side, make sure that the settings specify the correct 
(AJP) port.

This is all quite logical, but a bit convoluted, due to the many ways 

Re: WELCOME to users@tomcat.apache.org

2018-01-04 Thread tomcat

Hi.

On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:

Hi Team,

We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache 
to host javacontainer for Rest calls for our Siebel application. The javacontainer is 
listening to Port 9001 as below-



We are trying to set up Windows Authentication in Apache by using Reverse Proxy 
with IIS, and have followed the below steps as per the Apache documentation.

---Steps followed :
There are three steps to configuring IIS to provide Windows authentication. 
They are:
1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
 This is done and working as expected


There is a bit of confusing information in the page
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it 
mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat 
containers".  In fact, "mod_jk" and "ISAPI redirector" are functionally the same thing (and 
probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under 
Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver front-end 
(Windows only)


But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is 
AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the 
HTTP Connector.


The AJP protocol is somewhat different from HTTP :
- both essentially carry the same information (requests and responses)
but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the front-end 
to the back-end, is the authenticated user-id on the front-end, if any.

(HTTP does not normally do this in any standard way).

At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false) 
serves to tell Tomcat to either "believe" (false) the user-id that it receives from the 
front-end through AJP, or to ignore it (true) and do its own authentication anyway.


At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP 
Connector (and protocol).

See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
(tomcatAuthentication AND tomcatAuthorization)

while here : 
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).



2. Configure IIS to use Windows authentication
 This is done and working as expected

3. Configure Tomcat to use the authentication user information from IIS by 
setting the tomcatAuthentication attribute on the AJP connector to false. 
Alternatively, set the tomcatAuthorization attribute to true to allow IIS to 
authenticate, while Tomcat performs the authorization.



Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)


Q1   We were able to configure the reverse proxy with Anon user but the 
Windows authentication is failing at Apache level with below error :-
Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error 
while login : The username cannot be empty. Please select a username.



Your problem may be there, with this "anonymous" authentication at the IIS level.  Maybe 
the isapi_redirector interprets this as "no user", and transmits an empty user-id to 
Tomcat.  Have you tried with a real Windows-level user-id ?




Q2   Our configuration is using "HTTP" protocol, do we need to change the server.xml 
entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"



Yes, probably.


Q3  Do we need to install AJP connector on top of Tomcat or it's installed 
by default, or we do not need it for Windows Authentication.



You do need it.
It is provided by default, but you may need to uncomment the corresponding lines in the 
server.xml file.
Considering your previous statements above, make sure that the HTTP Connector (if any) and 
the AJP Connector (if any) use different ports.
And on the IIS/ISAPI redirector side, make sure that the settings specify the correct 
(AJP) port.


This is all quite logical, but a bit convoluted, due to the many ways in which you can use 
a front-end with Tomcat, and the many ways in which one can do 
authentication/authorization in the WWW.


I have found that it often helps to draw a schema in advance, such as

browser <--(1)--> front-end (2)        <-(4)---> tomcat (5)
                  + proxy module (3)             + Connector (6)

where :
(1) is the protocol used between the browser and the front-end http server 
(HTTP or HTTPS)
(2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its 
own authentication/authorization 
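As an added illustration (not code from the thread or from the Tomcat project), here is a server.xml connector fragment for the setup André describes in both replies above: an HTTP connector and an AJP connector on different ports, with tomcatAuthentication="false" placed on the AJP connector only, since the HTTP connector ignores it. The port numbers, the internal bind address and the host names are assumptions chosen for the example.

```xml
<!-- Added example, not from the thread: server.xml connector fragment for the
     IIS (isapi_redirector) -> AJP -> Tomcat setup discussed above.
     Ports, the bind address and host names are assumptions for illustration. -->
<Service name="Catalina">

  <!-- HTTP connector for clients that talk to Tomcat directly.
       tomcatAuthentication is not an attribute of this connector; if it is
       set here it is silently ignored, as the reply above notes. -->
  <Connector port="9001"
             protocol="HTTP/1.1"
             connectionTimeout="20000" />

  <!-- AJP connector that the isapi_redirector on the IIS front-end talks to.
       It must use a different port from the HTTP connector above, and the
       same port must appear in the redirector's worker settings.
       tomcatAuthentication="false" makes Tomcat believe the user-id that IIS
       has authenticated and passed over AJP, so only the IIS host should be
       able to reach this port: bind it to an internal interface (assumed
       address below) and block it from everything else at the firewall. -->
  <Connector port="8009"
             protocol="AJP/1.3"
             address="10.0.0.5"
             tomcatAuthentication="false" />

  <!-- Alternative given in the steps quoted above: IIS authenticates and
       Tomcat performs the authorization. -->
  <!--
  <Connector port="8009"
             protocol="AJP/1.3"
             address="10.0.0.5"
             tomcatAuthorization="true" />
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

On the IIS side the redirector's workers.properties must point its worker (worker.<name>.port) at the AJP port, 8009 here, not at the HTTP port 9001. Because an AJP connector with tomcatAuthentication="false" accepts whatever user-id arrives in the request, anything that can open a connection to that port can claim any user, which is why the bind address and firewall rule are part of the configuration and not an afterthought.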

Re: ALv2 Tomcat Training material

2018-01-04 Thread Mark Thomas
On 04/01/18 11:31, Marek Czernek wrote:
> Hi Mark,
> 
> I think this is a great idea. Before doing any brainstorming though, I
> wonder about the following:
> 
> 1. Who'd be the target audience? And what skill level would you want to
>    target? Any pre-requisites?

The short version is whatever the Tomcat community (i.e. the members of
this list) would find most useful. Possible examples that come to mind are:
- an introductory course for an experienced sysadmin that knows nothing
about Tomcat
- in depth trouble-shooting

But rather than just my random ideas, I'd love to hear what the
community wants.

> 2. Should it be purely Tomcat, or do you want to talk about various
>    frameworks that integrate with Tomcat in some manner? (Hibernate
>    comes to mind, for example)

This is easy. Purely Tomcat.

> 3. What goals would you like to achieve? I.e., would you want to create
>    a course for a community and potential future contributors, or would
>    your goal be a course for experts to get things done asap? Imho
>    those two goals require different approaches. If the answer is
>    'both', that could be sub-optimal (though understandable). Or do you
>    imagine completely different goal(s)?

My original thinking was training for end users of any/all levels.
However, if there was interest we could add some modules on how to
become a contributor, committer, PMC member etc.

> My main question is 'WHY'. What is the hole we're trying to fill in. Do
> you want people to have quick yet quite deep understanding of basic
> concepts and fundamentals? Do you want people to be more excited about
> Tomcat? Do you want to shed light on an obscure integration pattern that
> is highly useful? Do you want to create a certification that would be
> beneficial for job interviews? Some of the answers might be
> complementary, but a lot of them are almost opposite to each other, imho.

Why? Because I think that there is a community demand for this. I once
ran a Tomcat training course at ApacheCon for which I did ZERO marketing
(the only marketing was that it was listed as an option when registering
- and an expensive option at that) and ~15 people signed up.

I want to help people understand how to use Tomcat. Hopefully, a
side-effect will be that even more great people show up here.

I'm not interested in creating a certification or anything similar.

HTH explain my thinking.

Mark


> 
> 
> On 01/04/2018 11:16 AM, Mark Thomas wrote:
>> Hi,
>>
>> One of the things on my TODO list is to put together some Tomcat
>> training material licensed under the Apache License (version 2). i.e.
>> material that would be made freely available for folks to use.
>>
>> I'd also like to make the training material available on YouTube as well
>> as run some training courses (for a small fee) to deliver the material
>> face to face.
>>
>> The structure I have in mind is a series of modules (say 30 mins in
>> length) that can be organised in different ways to suit different needs.
>> e.g. put the introductory modules for each area together to provide an
>> 'Introduction to Tomcat course', put all the TLS modules together to
>> provide an in depth 'Tomcat and TLS' course etc.
>>
>> I think a lot of the raw content is already available. We have the
>> various Tomcat presentations that have been given over the years and my
>> employer has agreed to let me make use of the material from our (now
>> possibly a little dated) Tomcat training courses.
>>
>> I can't do this alone. Not in any reasonable time frame anyway. So I am
>> reaching out to the community for help.
>>
>> The first step is to come with:
>> - a list of modules
>> - potential courses formed from combinations of modules
>>
>> I am asking for your ideas for modules, courses and combinations of
>> modules that could make up those courses.
>>
>> We have a blank wiki page to host this:
>> https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course
>>
>> Feel free to ask for edit access to that page (you'll need to create an
>> account and let us know the user name) so you can add ideas directly or
>> add ideas to this thread and I'll add them to the wiki page.
>>
>> The second step is to start populating the modules with actual content.
>> As a motivator to get this done, I'd like to run a public Tomcat
>> training course in late March / early April using this material. My
>> current thinking is that the course would cost ~£100 plus food per
>> person for the full day. Possible locations for this course are:
>> - Cardiff
>> - Birmingham
>> - Manchester
>> - Glasgow
>> (all in the UK - if successful we can expand to mainland Europe and
>> beyond)
>>
>> My second request is for feedback on which location(s) are preferable
>> and what content would you like to see in the training course. I'll take
>> this feedback, put together a course and then make it available to book.
>>
>> I look forward to all your ideas.
>>
>> Mark
>>
>> 

Re: ALv2 Tomcat Training material

2018-01-04 Thread Marek Czernek

Hi Mark,

I think this is a great idea. Before doing any brainstorming though, I 
wonder about the following:


1. Who'd be the target audience? And what skill level would you want to
   target? Any pre-requisites?
2. Should it be purely Tomcat, or do you want to talk about various
   frameworks that integrate with Tomcat in some manner? (Hibernate
   comes to mind, for example)
3. What goals would you like to achieve? I.e., would you want to create
   a course for a community and potential future contributors, or would
   your goal be a course for experts to get things done asap? Imho
   those two goals require different approaches. If the answer is
   'both', that could be sub-optimal (though understandable). Or do you
   imagine completely different goal(s)?

My main question is 'WHY'. What is the hole we're trying to fill in. Do 
you want people to have quick yet quite deep understanding of basic 
concepts and fundamentals? Do you want people to be more excited about 
Tomcat? Do you want to shed light on an obscure integration pattern that 
is highly useful? Do you want to create a certification that would be 
beneficial for job interviews? Some of the answers might be 
complementary, but a lot of them are almost opposite to each other, imho.



On 01/04/2018 11:16 AM, Mark Thomas wrote:

Hi,

One of the things on my TODO list is to put together some Tomcat
training material licensed under the Apache License (version 2). i.e.
material that would be made freely available for folks to use.

I'd also like to make the training material available on YouTube as well
as run some training courses (for a small fee) to deliver the material
face to face.

The structure I have in mind is a series of modules (say 30 mins in
length) that can be organised in different ways to suit different needs.
e.g. put the introductory modules for each area together to provide an
'Introduction to Tomcat course', put all the TLS modules together to
provide an in depth 'Tomcat and TLS' course etc.

I think a lot of the raw content is already available. We have the
various Tomcat presentations that have been given over the years and my
employer has agreed to let me make use of the material from our (now
possibly a little dated) Tomcat training courses.

I can't do this alone. Not in any reasonable time frame anyway. So I am
reaching out to the community for help.

The first step is to come with:
- a list of modules
- potential courses formed from combinations of modules

I am asking for your ideas for modules, courses and combinations of
modules that could make up those courses.

We have a blank wiki page to host this:
https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course

Feel free to ask for edit access to that page (you'll need to create an
account and let us know the user name) so you can add ideas directly or
add ideas to this thread and I'll add them to the wiki page.

The second step is to start populating the modules with actual content.
As a motivator to get this done, I'd like to run a public Tomcat
training course in late March / early April using this material. My
current thinking is that the course would cost ~£100 plus food per
person for the full day. Possible locations for this course are:
- Cardiff
- Birmingham
- Manchester
- Glasgow
(all in the UK - if successful we can expand to mainland Europe and beyond)

My second request is for feedback on which location(s) are preferable
and what content would you like to see in the training course. I'll take
this feedback, put together a course and then make it available to book.

I look forward to all your ideas.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--

Marek Czernek

Associate Quality Engineer



ALv2 Tomcat Training material

2018-01-04 Thread Mark Thomas
Hi,

One of the things on my TODO list is to put together some Tomcat
training material licensed under the Apache License (version 2). i.e.
material that would be made freely available for folks to use.

I'd also like to make the training material available on YouTube as well
as run some training courses (for a small fee) to deliver the material
face to face.

The structure I have in mind is a series of modules (say 30 mins in
length) that can be organised in different ways to suit different needs.
e.g. put the introductory modules for each area together to provide an
'Introduction to Tomcat course', put all the TLS modules together to
provide an in depth 'Tomcat and TLS' course etc.

I think a lot of the raw content is already available. We have the
various Tomcat presentations that have been given over the years and my
employer has agreed to let me make use of the material from our (now
possibly a little dated) Tomcat training courses.

I can't do this alone. Not in any reasonable time frame anyway. So I am
reaching out to the community for help.

The first step is to come with:
- a list of modules
- potential courses formed from combinations of modules

I am asking for your ideas for modules, courses and combinations of
modules that could make up those courses.

We have a blank wiki page to host this:
https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course

Feel free to ask for edit access to that page (you'll need to create an
account and let us know the user name) so you can add ideas directly or
add ideas to this thread and I'll add them to the wiki page.

The second step is to start populating the modules with actual content.
As a motivator to get this done, I'd like to run a public Tomcat
training course in late March / early April using this material. My
current thinking is that the course would cost ~£100 plus food per
person for the full day. Possible locations for this course are:
- Cardiff
- Birmingham
- Manchester
- Glasgow
(all in the UK - if successful we can expand to mainland Europe and beyond)

My second request is for feedback on which location(s) are preferable
and what content would you like to see in the training course. I'll take
this feedback, put together a course and then make it available to book.

I look forward to all your ideas.

Mark




Re: Using existing LetsEncrypt certs with tomcat

2018-01-04 Thread Mark Thomas
On 04/01/18 05:50, Paul Beard wrote:
> 
> 
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz 
>>  wrote:
>>
>> In there, I detail how to put everything together. There is a script
>> that builds a Java keystore that Tomcat can use. That script
>> demonstrates how to take an existing key+certificate+chain, convert it
>> into a Java keystore and then make it active. The script actually
>> requests a renewal of the certificate from Let's Encrypt (which may
>> say "no renewal required") and then only re-builds the keystore if the
>> key/cert have actually changed.
> 
> This looks great but I suspect my problems are more basic, like getting *any* 
> cert to be honored, even a self-signed one.
> 
> This step —  — 
> eludes me. I added that to an existing Connector stanza but I am seeing these 
> errors which suggests (?) I did that wrong:
> 
> SEVERE: Failed to initialize end point associated with ProtocolHandler 
> ["http-bio-8443"]
> java.io.IOException: Keystore was tampered with, or password was incorrect
> 
> 
>  keystoreFile="conf/keystore.jks"  keystorePass="qwerty"
>maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS" />
> 
> But that seems outside the scope of what I was asking. I’ll take another look 
> tomorrow…took entirely too long to get the symlink step to work as expected. 
> Had to change to the conf directory for it to work. Too late in the day for 
> this to make any sense.
> 
> Thanks for the presentation. I’m sure it will make sense to me eventually.

This might help.

https://www.youtube.com/watch?v=I6TbMqH9WFg

The complete list of webinars, presentations etc. (many with audio or
video) is available here:
http://tomcat.apache.org/presentations.html

Mark
