Hi Mark, We tried below 2 suggestions but still receiving errors. Can we get into quick teams call where I can share screen to resolve this.
Regards, Pratik -----Original Message----- From: Mark Eggers <its_toas...@yahoo.com.INVALID> Sent: 25 April 2023 11:08 To: users@tomcat.apache.org Subject: Re: Tomcat VAPT Closure Pratik, On 4/24/2023 10:20 PM, PRATIK HUMNABADKAR wrote: > Hi, > > Server.xml > > <?xml version="1.0" encoding="UTF-8"?> > <!-- > Licensed to the Apache Software Foundation (ASF) under one or more > contributor license agreements. See the NOTICE file distributed with > this work for additional information regarding copyright ownership. > The ASF licenses this file to You under the Apache License, Version 2.0 > (the "License"); you may not use this file except in compliance with > the License. You may obtain a copy of the License at > > > http://www.a/ > pache.org%2Flicenses%2FLICENSE-2.0&data=05%7C01%7Cpratikh%40bflaf.com% > 7C72834e4844514ce335e508db454f5bdf%7Cbb5475280a7d4ced9f34216a9b7c815d% > 7C0%7C0%7C638179979396683652%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM > DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat > a=d0Ccw%2Fbj5piCgdYIS8WB5lCnL3iN%2Buwz90JSRyz9zTA%3D&reserved=0 > > Unless required by applicable law or agreed to in writing, software > distributed under the License is distributed on an "AS IS" BASIS, > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > See the License for the specific language governing permissions and > limitations under the License. > --> > <!-- Note: A "Server" is not itself a "Container", so you may not > define subcomponents such as "Valves" at this level. > Documentation at /docs/config/server.html > --> > <Server port="8006" shutdown="SHUTDOWN"> > <Listener className="org.apache.catalina.startup.VersionLoggerListener" /> > <!-- Security listener. Documentation at /docs/config/listeners.html > <Listener className="org.apache.catalina.security.SecurityListener" /> > --> > <!-- APR library loader. Documentation at /docs/apr.html --> > <Listener className="org.apache.catalina.core.AprLifecycleListener" > SSLEngine="on" /> > <!-- Prevent memory leaks due to use of particular java/javax APIs--> > <Listener > className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> > <Listener > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> > <Listener > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" > /> > > <!-- Global JNDI resources > Documentation at /docs/jndi-resources-howto.html > --> > <GlobalNamingResources> > <!-- Editable user database that can also be used by > UserDatabaseRealm to authenticate users > --> > <Resource name="UserDatabase" auth="Container" > type="org.apache.catalina.UserDatabase" > description="User database that can be updated and saved" > factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > pathname="conf/tomcat-users.xml" /> > </GlobalNamingResources> > > <!-- A "Service" is a collection of one or more "Connectors" that share > a single "Container" Note: A "Service" is not itself a "Container", > so you may not define subcomponents such as "Valves" at this level. > Documentation at /docs/config/service.html > --> > <Service name="Catalina"> > > <!--The connectors can use a shared executor, you can define one or more > named thread pools--> > <!-- > <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" > maxThreads="150" minSpareThreads="4"/> > --> > > > <!-- A "Connector" represents an endpoint by which requests are received > and responses are returned. Documentation at : > Java HTTP Connector: /docs/config/http.html > Java AJP Connector: /docs/config/ajp.html > APR (HTTP/AJP) Connector: /docs/apr.html > Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 > --> > <Connector port="9099" protocol="HTTP/1.1" > connectionTimeout="20000" > redirectPort="8443" /> > <!-- A "Connector" using the shared thread pool--> > <!-- > <Connector executor="tomcatThreadPool" > port="8080" protocol="HTTP/1.1" > connectionTimeout="20000" > redirectPort="8443" /> > --> > <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 > This connector uses the NIO implementation. The default > SSLImplementation will depend on the presence of the APR/native > library and the useOpenSSL attribute of the AprLifecycleListener. > Either JSSE or OpenSSL style configuration may be used regardless of > the SSLImplementation selected. JSSE style configuration is used > below. > --> > <!-- > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11NioProtocol" > maxThreads="150" SSLEnabled="true"> > <SSLHostConfig> > <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" > type="RSA" /> > </SSLHostConfig> > </Connector> > --> > <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 > This connector uses the APR/native implementation which always uses > OpenSSL for TLS. > Either JSSE or OpenSSL style configuration may be used. OpenSSL > style > configuration is used below. > --> > <!-- > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11AprProtocol" > maxThreads="150" SSLEnabled="true" > > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> > <SSLHostConfig> > <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" > certificateFile="conf/localhost-rsa-cert.pem" > certificateChainFile="conf/localhost-rsa-chain.pem" > type="RSA" /> > </SSLHostConfig> > </Connector> > --> > > <Connector port="9090" scheme="https" secure="true" SSLEnabled="true" > SSLProtocol="TLSv1.2" protocol="org.apache.coyote.http11.Http11AprProtocol" > > <SSLHostConfig> > <Certificate > > certificateFile="/root/visualrules/bajaj_af_cert/ServerCertificate.crt" > > certificateKeyFile="/root/visualrules/bajaj_af_cert/bflaf.key" > SSLPassword="123456789" > certificateChainFile="/root/visualrules/bajaj_af_cert/Root.crt" /> > </SSLHostConfig> > </Connector> > > > > <!-- Define an AJP 1.3 Connector on port 8009 --> > <!-- > <Connector protocol="AJP/1.3" > address="::1" > port="8009" > redirectPort="8443" /> > --> > > <!-- An Engine represents the entry point (within Catalina) that > processes > every request. The Engine implementation for Tomcat stand alone > analyzes the HTTP headers included with the request, and passes them > on to the appropriate Host (virtual host). > Documentation at /docs/config/engine.html --> > > <!-- You should set jvmRoute to support load-balancing via AJP ie : > <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> > --> > <Engine name="Catalina" defaultHost="localhost"> > > <!--For clustering, please take a look at documentation at: > /docs/cluster-howto.html (simple how to) > /docs/config/cluster.html (reference documentation) --> > <!-- > <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> > --> > > <!-- Use the LockOutRealm to prevent attempts to guess user passwords > via a brute-force attack --> > <Realm className="org.apache.catalina.realm.LockOutRealm"> > <!-- This Realm uses the UserDatabase configured in the global JNDI > resources under the key "UserDatabase". Any edits > that are performed against this UserDatabase are immediately > available for use by the Realm. --> > <Realm className="org.apache.catalina.realm.UserDatabaseRealm" > resourceName="UserDatabase"/> > </Realm> > > <Host name="localhost" appBase="webapps" > unpackWARs="true" autoDeploy="true"> > > <!-- SingleSignOn valve, share authentication between web > applications > Documentation at: /docs/config/valve.html --> > <!-- > <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> > --> > > <!-- Access log processes all example. > Documentation at: /docs/config/valve.html > Note: The pattern used is equivalent to using pattern="common" > --> > <Valve className="org.apache.catalina.valves.AccessLogValve" > directory="logs" > prefix="localhost_access_log" suffix=".txt" > pattern="%h %l %u %t "%r" %s %b" /> > > </Host> > </Engine> > </Service> > </Server> > > > > > Error Log Tomcat: > > 21-Apr-2023 16:29:45.545 SEVERE [main] > org.apache.catalina.startup.Catalina.start Cannot start server, server > instance is not configured > 21-Apr-2023 16:37:07.450 WARNING [main] > org.apache.tomcat.util.digester.SetPropertiesRule.begin Match > [Server/Service/Connector/SSLHostConfig/Certificate] failed to set > property [SSLPassword] to [123456789] > 21-Apr-2023 16:37:07.454 SEVERE [main] > org.apache.tomcat.util.digester.Digester.endElement End event threw exception > java.lang.reflect.InvocationTargetException > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:469) > at > org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:143) > at > org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1046) > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1782) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2967) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505) > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842) > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771) > at > com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) > at > com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643) > at > org.apache.tomcat.util.digester.Digester.parse(Digester.java:1535) > at > org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617) > at > org.apache.catalina.startup.Catalina.load(Catalina.java:709) > at > org.apache.catalina.startup.Catalina.load(Catalina.java:746) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) > Caused by: java.lang.IllegalArgumentException: Multiple > SSLHostConfig elements were provided for the host name [_default_]. Host > names must be unique. > at > org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:294) > at > org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:250) > at > org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:691) > at > org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:878) > ... 27 more > 21-Apr-2023 16:37:07.456 WARNING [main] > org.apache.catalina.startup.Catalina.parseServerXml Unable to load server > configuration from > [/home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62/conf/server.xml] > org.xml.sax.SAXParseException; systemId: > file:/home/ajayv/Actico/Actico-Rules/6.8.3/dev-server/apache-tomcat-9.0.62/conf/server.xml; > lineNumber: 120; columnNumber: 18; Error at line [120] column [18]: > [Multiple SSLHostConfig elements were provided for the host name [_default_]. > Host names must be unique.] > at > org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1966) > at > org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1998) > at > org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1049) > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1782) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2967) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602) > at > com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505) > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842) > at > com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771) > at > com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) > at > com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) > at > com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643) > at > org.apache.tomcat.util.digester.Digester.parse(Digester.java:1535) > at > org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617) > at > org.apache.catalina.startup.Catalina.load(Catalina.java:709) > at > org.apache.catalina.startup.Catalina.load(Catalina.java:746) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) > Caused by: java.lang.IllegalArgumentException: Multiple > SSLHostConfig elements were provided for the host name [_default_]. Host > names must be unique. > at > org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:294) > at > org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:250) > at > org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:691) > at > org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:878) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:469) > at > org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:143) > at > org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1046) > ... 20 more > 21-Apr-2023 16:37:07.456 SEVERE [main] > org.apache.catalina.startup.Catalina.start Cannot start server, server > instance is not configured > > > Regards, > Pratik > > -----Original Message----- > From: Mark Eggers <its_toas...@yahoo.com.INVALID> > Sent: 25 April 2023 10:45 > To: users@tomcat.apache.org > Subject: Re: Tomcat VAPT Closure > > Pratik, > > On 4/24/2023 10:09 PM, PRATIK HUMNABADKAR wrote: >> Hi, >> >> We need Tomcat support assistance for closure of our VAPT points for >> disabling SSL TLS 1.0 and 1.1 >> >> Please guide us by arranging concerned technician with us for closure. >> >> Tomcat version: 9.0.62 >> Operating system: Linux >> >> We tried disabling in below way. >> >> Changes done in server.xml >> [cid:image001.png@01D9775F.7B492550] >> >> Error received on Tomcat restart: >> [cid:image002.png@01D9775F.7B492550] >> >> Regards, >> Pratik >> >> >> DISCLAIMER: This message, including any attachments may contain proprietary, >> confidential and privileged information for the sole use of the intended >> recipient(s), and is protected by law. If you are not the intended >> recipient, please notify the sender immediately and destroy all copies of >> the original message and attachments, if any. Any unauthorized review, use, >> disclosure, dissemination, forwarding, printing or copying of this email or >> any action taken in reliance on this e-mail is strictly prohibited and may >> be unlawful. Bajaj Finance Ltd. and / or its group companies reserve the >> right to record, monitor, and inspect all email communications through its >> internal and external networks. Your messages can be subject to such lawful >> supervision as Bajaj Finance Ltd. and / or its group companies deem >> necessary in order to protect their information, interests and reputation. >> Bajaj Finance Ltd. and / or its group companies prohibit and may take steps >> to prevent their information systems from being used to view, store or >> forward offensive or discriminatory material. If this message contains such >> material, please report it to ab...@bflaf.com<mailto:ab...@bflaf.com> . >> Please ensure you have adequate virus protection before you open or detach >> any documents from this transmission. Bajaj Finance Ltd. and / or its group >> companies do not accept any liability for viruses. >> > > The list strips attachments. Please inline your server.xml and your log file, > removing all sensitive information. > > Also, this list consists of volunteers. We'll do what we can to help you if > you are willing to work with us and provide the required information. > > . . . just my two cent > /mde/ > > DISCLAIMER: This message, including any attachments may contain proprietary, > confidential and privileged information for the sole use of the intended > recipient(s), and is protected by law. If you are not the intended recipient, > please notify the sender immediately and destroy all copies of the original > message and attachments, if any. Any unauthorized review, use, disclosure, > dissemination, forwarding, printing or copying of this email or any action > taken in reliance on this e-mail is strictly prohibited and may be unlawful. > Bajaj Finance Ltd. and / or its group companies reserve the right to record, > monitor, and inspect all email communications through its internal and > external networks. Your messages can be subject to such lawful supervision as > Bajaj Finance Ltd. and / or its group companies deem necessary in order to > protect their information, interests and reputation. Bajaj Finance Ltd. and / > or its group companies prohibit and may take steps to prevent their > information systems from being used to view, store or forward offensive or > discriminatory material. If this message contains such material, please > report it to ab...@bflaf.com<mailto:ab...@bflaf.com> . Please ensure you have > adequate virus protection before you open or detach any documents from this > transmission. Bajaj Finance Ltd. and / or its group companies do not accept > any liability for viruses. There appear to be at least two issues: 1. You have multiple SSL connectors configured for the same hostName (default host in this case). As the log files state, you cannot do that. 2. You have not specified the protocols in SSLHostConfig. See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html. Pay particular attention to the protocols attribute and the hostName attribue. . . . just my two cents /mde/ DISCLAIMER: This message, including any attachments may contain proprietary, confidential and privileged information for the sole use of the intended recipient(s), and is protected by law. If you are not the intended recipient, please notify the sender immediately and destroy all copies of the original message and attachments, if any. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. Bajaj Finance Ltd. and / or its group companies reserve the right to record, monitor, and inspect all email communications through its internal and external networks. Your messages can be subject to such lawful supervision as Bajaj Finance Ltd. and / or its group companies deem necessary in order to protect their information, interests and reputation. Bajaj Finance Ltd. and / or its group companies prohibit and may take steps to prevent their information systems from being used to view, store or forward offensive or discriminatory material. If this message contains such material, please report it to ab...@bflaf.com<mailto:ab...@bflaf.com> . Please ensure you have adequate virus protection before you open or detach any documents from this transmission. Bajaj Finance Ltd. and / or its group companies do not accept any liability for viruses. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
