Tomcat Silent Installation Options

2010-01-19 Thread Kranti™ K K Parisa
Hi All,

I am trying to install Tomcat thru command line ( need this to include the
tomcat installation file thru our product installer).

I am able to use up to this

command prompt> tomcat5525.exe /S /D=d:\MyTomcat

but I want to know more options available for this like specifying the JAVA
HOME, Port numbers, components to be installed, etc.

I was browsing all over but didn't get a clear documentation on this.

Can anyone help me on this.

Thanks in advance.

Best Regards,
Kranti K K Parisa


Increase in rss and thread usage.

2010-01-19 Thread Kent.Andersson
Hi,

We are using Tomcat 6.0.20. We have monitored it and can see that the rss and
thread usage increases all the time.
Has anyone else also experienced this?



Re: Increase in rss and thread usage.

2010-01-19 Thread Peter Crowther
2010/1/19 kent.anders...@tieto.com

> We are using Tomcat 6.0.20. We have monitored it and can see that the rss and
> thread usage increases all the time.
> Has anyone else also experienced this?

Almost always, if your resource usage increases over time, your application
has a resource leak.  In this case, I suspect your application is starting
threads.  It is far more likely to be your application than Tomcat causing
the problem.

Take two thread dumps some time apart and see what has changed.

- Peter


Re: Tomcat Silent Installation Options

2010-01-19 Thread LiuYan 刘研

The document is here:
http://tomcat.apache.org/tomcat-6.0-doc/windows-service-howto.html



-- 
View this message in context: 
http://old.nabble.com/Tomcat-Silent-Installation-Options-tp27222513p27223662.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat Silent Installation Options

2010-01-19 Thread Konstantin Kolinko
2010/1/19 Kranti™ K K Parisa kranti.par...@gmail.com:
> Hi All,
>
> I am trying to install Tomcat thru command line ( need this to include the
> tomcat installation file thru our product installer).
>
> I am able to use up to this
>
> command prompt> tomcat5525.exe /S /D=d:\MyTomcat

Why 5.5.25 ?? That is an old release.


> but I want to know more options available for this

I am afraid that that is not possible.

The NSIS installer does not provide built-in support for an answer
file, and we have not coded such support by ourselves.   (The patches
are always welcome, and the file in question is res/tomcat.nsi  or
build/tomcat.nsi in TC 5.5).

Also, what the installer installs is a good start for a developer, or
for a system administrator that will tune it for production,  but
there was no intention to provide direct control of all the available
configuration options.  I will mention some of them below.

You had better start with a zip archive.

Note, that
- in 5.5.28 there is a single zip, containing versions of tomcat5.exe
for different CPU architectures.

- in 6.6.x that is expected to be released very soon (that will be
6.0.24, I suppose),
there will be
 *-windows-x86.zip
with binaries for 32-bit CPUs, and separate
 *-windows-x64.zip and  *-windows-i64.zip
for AMD/Intel x64_86 and Intel Itanium CPUs respectively.

You may look at the dev@ list for the release candidate links.


> like specifying the JAVA HOME,

When using Service launcher, the value of JVM dll to be used is stored
in the registry. The environment variables are not used.

The service launcher, tomcat5.exe, can configure itself if you call it
with relevant command-line options -- see service.bat for an example.
The values are usually passed as environment variables. See the daemon
project in commons.apache.org for documentation:

http://commons.apache.org/daemon/procrun.html


Note that the registry path depends on the name of the exe file.
That is, rename tomcat5.exe and tomcat5w.exe to something else to have
a different instance of the Service.

tomcat5.exe and tomcat6.exe in Tomcat 5.5 and in Tomcat 6 are actually
the same file, but with different names.

Be sure to install tomcat(5|6).exe for the right CPU architecture.
The installer determines the architecture by reading some environment
variables provided by the system (see the *.nsi file).

> Port numbers, components to be installed..etc


Be sure to specify shutdown port that is unique. I saw one product
that changed the AJP port, but still used 8005 for shutdown.

Tip: You can use properties substitution (${propname}) in the
server.xml file and define the necessary properties in
catalina.properties file.

Also, when running as a service the shutdown port is not needed
and you should be able to set it to -1 -- see configuration reference
for details.


If you do not need manager/host-manager, remove their *.xml context
files from conf/Catalina/localhost/ and their code from
server/webapps/. Other unnecessary applications are in the webapps/
folder.

In TC 6 all of them are in webapps/.


You can also remove unneeded user names/roles from conf/tomcat-users.xml,
and either remove the UserDatabase resource (that references
tomcat-users.xml) from server.xml, or add readonly="true" attribute to
it so that the file will not be overwritten on startup.

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/users/MemoryUserDatabase.html
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/users/MemoryUserDatabase.html


You may also want to tune conf/logging.properties so that it does not
generate unnecessary logs.


> I was browsing all over but didn't get a clear documentation on this.
>
> Can anyone help me on this.
>
> Thanks in advance.
>
> Best Regards,
> Kranti K K Parisa


If you have any questions, please ask.

Best regards,
Konstantin Kolinko
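
[Added example, not part of the thread and not code from the Tomcat project.] The server.xml points made in the message above (a unique or disabled shutdown port, ${propname} substitution from catalina.properties, a read-only UserDatabase) can be checked mechanically before a bundled Tomcat ships. The sample files, the function names and the finding codes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real installation). They mirror the
# case described above: the AJP port was changed, the shutdown port was not.
SAMPLE_PROPERTIES = """\
# catalina.properties (fragment)
shutdown.port=8005
ajp.port=8019
"""

SAMPLE_SERVER_XML = """\
<Server port="${shutdown.port}" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="${ajp.port}" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def load_properties(text):
    """Parse simple key=value lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand(value, props):
    """Expand ${name} references; unknown names are left in place."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def audit(server_xml, properties_text="", running_as_service=False):
    """Return a list of (code, message) findings for one server.xml."""
    props = load_properties(properties_text)
    root = ET.fromstring(server_xml)
    findings = []

    shutdown = expand(root.get("port", ""), props)
    connector_ports = [expand(c.get("port", ""), props)
                       for c in root.iter("Connector")]

    # A ${...} that survives expansion means catalina.properties lacks it.
    for value in [shutdown] + connector_ports:
        if "${" in value:
            findings.append(("UNRESOLVED_PROPERTY",
                             value + " is not defined in catalina.properties"))

    if shutdown == "-1":
        pass  # shutdown port disabled
    elif shutdown in connector_ports:
        findings.append(("SHUTDOWN_COLLISION",
                         "shutdown port %s is also a Connector port" % shutdown))
    elif shutdown == "8005":
        findings.append(("SHUTDOWN_STOCK",
                         "shutdown port is still 8005 and will clash with "
                         "another Tomcat on the same host"))
    if running_as_service and shutdown != "-1":
        findings.append(("SHUTDOWN_UNNEEDED",
                         "running as a service: the shutdown port can be -1"))

    for res in root.iter("Resource"):
        if (res.get("type") == "org.apache.catalina.UserDatabase"
                and res.get("readonly", "").lower() != "true"):
            findings.append(("USERDB_WRITABLE",
                             "UserDatabase %s lacks readonly=\"true\""
                             % res.get("pathname", "?")))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_SERVER_XML, SAMPLE_PROPERTIES,
                               running_as_service=True):
        print(code, "-", message)
```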




Logout mechanism on Digest Authentication

2010-01-19 Thread vpapado

Hello,

I have a problem in logout mechanism for my web app. For logging in I use
Digest Authentication. Here is how things go:

1. On the same web app I first used Form Authentication and on each jsp page
I created I used, on logout, the code below:
session.invalidate();
response.sendRedirect("samepage.jsp");

2. Next, again on the same web app, I only changed the login-config tag in
web.xml, in order to achieve Digest Authentication, as below:
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>Authentication Area</realm-name>
</login-config>
Then, the login procedure worked OK, but on log out, I still could access the
secured jsp pages (as defined in web.xml)

Is there a problem in logout mechanism for Digest Authentication? Is logout
not supported for digest authentication? How could I manage to logout?
I use Tomcat6.

Thanks in Advance for your answer.




Re: Logout mechanism on Digest Authentication

2010-01-19 Thread André Warnier

vpapado wrote:

> Hello,
>
> I have a problem in logout mechanism for my web app. For logging in I use
> Digest Authentication. Here is how things go:
>
> ...
>
> Is there a problem in logout mechanism for Digest Authentication? Is logout
> not supported for digest authentication? How could I manage to logout?
> I use Tomcat6.

In HTTP neither Basic nor Digest authentication provide a logout 
mechanism.  That is not an issue specific to Tomcat, it is a generic 
characteristic of the protocol.
The browser memorises the authentication entered by the user for a 
combination of host/realm, and will automatically re-submit the needed 
authentication headers whenever the server requests an authentication 
for the same realm, without user intervention.
In other words, the only way to logout is to close the browser and 
re-open it.






Re: Logout mechanism on Digest Authentication

2010-01-19 Thread vpapado

Thank you.





Re: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Mark Thomas
On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to switch connectors, or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed (coming soon).

You can replace JDK with JRE in what I previously. Switching from BIO to
NIO is a simple change to server.xml, if you are interested.

Mark






Re: Logout mechanism on Digest Authentication

2010-01-19 Thread Christopher Schultz

André,

On 1/19/2010 6:32 AM, André Warnier wrote:
> vpapado wrote:
>> Hello,
>>
>> I have a problem in logout mechanism for my web app. For logging in I use
>> Digest Authentication. Here is how things go:
>>
>> ...
>>
>> Is there a problem in logout mechanism for Digest Authentication? Is logout
>> not supported for digest authentication? How could I manage to logout?
>> I use Tomcat6.
>
> In HTTP neither Basic nor Digest authentication provide a logout
> mechanism.  That is not an issue specific to Tomcat, it is a generic
> characteristic of the protocol.
> The browser memorises the authentication entered by the user for a
> combination of host/realm, and will automatically re-submit the needed
> authentication headers whenever the server requests an authentication
> for the same realm, without user intervention.
> In other words, the only way to logout is to close the browser and
> re-open it.

Not necessarily. In your webapp, if you send another WWW-Authenticate
header to the browser, it will generally forget the credentials it had
been using. There is no guarantee of this, however it usually works.

- -chris
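
[Added example, not part of the thread and not Tomcat's DigestAuthenticator.] The server-side view of the two replies above: Digest credentials travel in every request, so invalidating the session changes nothing, and a logout has to answer with a new WWW-Authenticate challenge. The user table, the nonce bookkeeping and all function names are assumptions made for this sketch; what a browser does with the new challenge is, as stated above, not guaranteed.

```python
import hashlib
import hmac
import os
import re

REALM = "Authentication Area"     # realm-name from the web.xml in the question
USERS = {"alice": "s3cret"}       # constructed account for the example


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response value for qop=auth."""
    ha1 = md5_hex("%s:%s:%s" % (user, REALM, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))


def parse_authorization(header):
    """Split a 'Digest k="v", k=v' header into a dict (empty if not Digest)."""
    if not header or not header.startswith("Digest "):
        return {}
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header[len("Digest "):])
    return {key: value.strip('"') for key, value in pairs}


class DigestGate:
    """Checks each request on its own; there is no session to invalidate."""

    def __init__(self):
        # Nonces this server issued and still accepts. A production server
        # would also expire them and track the nc counter; omitted here.
        self.live_nonces = set()

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.live_nonces.add(nonce)
        return 401, 'Digest realm="%s", qop="auth", nonce="%s"' % (REALM, nonce)

    def check(self, method, authorization):
        """Return (200, user) or (401, new WWW-Authenticate value)."""
        f = parse_authorization(authorization)
        password = USERS.get(f.get("username", ""))
        if password is None or f.get("nonce") not in self.live_nonces:
            return self.challenge()
        expected = digest_response(f["username"], password, method,
                                   f.get("uri", ""), f["nonce"],
                                   f.get("nc", ""), f.get("cnonce", ""))
        if hmac.compare_digest(expected.encode(), f.get("response", "").encode()):
            return 200, f["username"]
        return self.challenge()

    def logout(self, authorization):
        """Stop accepting the caller's nonce and send a new challenge."""
        self.live_nonces.discard(parse_authorization(authorization).get("nonce"))
        return self.challenge()


def browser_header(user, password, method, uri, challenge,
                   nc="00000001", cnonce="0a4f113b"):
    """What a browser re-sends on each request once the user has typed
    the password (cnonce and nc are constructed values)."""
    nonce = re.search(r'nonce="([^"]+)"', challenge).group(1)
    response = digest_response(user, password, method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (user, REALM, nonce, uri, nc, cnonce, response))


if __name__ == "__main__":
    gate = DigestGate()
    _, www_authenticate = gate.challenge()
    header = browser_header("alice", "s3cret", "GET", "/secure/page.jsp",
                            www_authenticate)
    print(gate.check("GET", header))     # accepted on the header alone
    print(gate.logout(header)[0])        # 401 with a new challenge
    print(gate.check("GET", header)[0])  # the remembered header is refused
```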



Re: Comet Connection Writeable?

2010-01-19 Thread Filip Hanik - Dev Lists

Hi Steffen,
At http://svn.apache.org/viewvc/tomcat/sandbox/gdev6x/
I implemented the feature you are looking for.

Where you would do

CometEvent.interestOps(CometEvent.CometOperation.OP_WRITE);

and you will receive a

CometEvent.EventType.WRITE

When I tried to write sample applications against this, it turned out to
be very complex programming.
You can check out that branch and build it and see if it's something we
should still pursue.


Filip

On 01/18/2010 09:06 AM, Steffen Heil wrote:

> Hi
>
> I am using comet connections for some time now in a server push manner:
> Whenever the server needs to inform the client about some event, it sends a
> packet to the client and waits for a reply in the same connection.
> As soon, as a READ event is triggered, that reply is read and the next
> message can be sent.
>
> Now, this requires a round-trip-time between the client and the server and
> is inappropriate for larger amounts of data especially on high latency
> connections.
>
> I am seeking for a way to determine (from a comet servlets point of view) if
> a connection is writeable - this is, if output buffers are empty and I can
> send additional data.
>
> Note, that sending a huge amount of data at once is not an option, I need to
> send distinct parts...
>
>
> So here are my questions:
>
> - How can I detect if a connection is writeable?
> - That is, how can I detect if the output buffers are empty?
> - Is there a way to use comet connection for something like a selector?
>
> Regards,
>    Steffen

   






Re: The code of method _jspService(...) is exceeding the 65535 byteslimit

2010-01-19 Thread Christopher Schultz

Konstantin,

On 1/18/2010 7:08 PM, Konstantin Kolinko wrote:
> 2010/1/18 iainmac iain_macau...@hotmail.com:
>>
>> Hi,
>>
>> I am moving from Tomcat 5 to 6, and jsp's that worked fine in 5 now give me
>> this length error.
>>
>> I also have moved from java j2sdk1.4.1_02 to jdk1.6.0_18.
>>
>> I know I can rewrite the code, and over time I probably will, but is there a
>> way of configuring Tomcat 6 to enable me to compile these jsp's?
>>
>
> If you add the following option
>
> <init-param>
>     <param-name>mappedfile</param-name>
>     <param-value>false</param-value>
> </init-param>
>
> to the JspServlet declaration in conf/web.xml, the JSP engine will not
> generate separate write() command for each line of your JSP.

I didn't know you could do that (though it's right there in conf/web.xml
if I had cared to read it). Thanks for the tip.

-chris



TCNative installation failed

2010-01-19 Thread Nikolay Diulgerov
Hello there,

I'm trying to do this setup:

1.   OS debian 5.03 (AMD_64)

2.   Tomcat 5.5.28 (downloaded from the official site)

3.   Sun Java jdk-6u16-linux-x64

 

I followed this instruction (http://tomcat.apache.org/native-doc/),
installed all the required packages for the compilation of TCNative
(1.1.19),



./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/appsrv/jdk1.6.0_16/ --with-ssl=yes --prefix=$CATALINA_HOME
make
make install

 

The configuration, compilation and installation went OK.

Now in my $CATALINA_HOME/lib folder I have

drwxr-xr-x  3 niki niki    4096 2010-01-19 09:05 .
drwxr-xr-x 13 niki niki    4096 2010-01-19 08:43 ..
-rw-r--r--  1 niki niki 1574152 2010-01-19 09:05 libtcnative-1.a
-rwxr-xr-x  1 niki niki     911 2010-01-19 09:05 libtcnative-1.la
lrwxrwxrwx  1 niki niki      23 2010-01-19 09:05 libtcnative-1.so -> libtcnative-1.so.0.1.19
lrwxrwxrwx  1 niki niki      23 2010-01-19 09:05 libtcnative-1.so.0 -> libtcnative-1.so.0.1.19
-rwxr-xr-x  1 niki niki  889278 2010-01-19 09:05 libtcnative-1.so.0.1.19
drwxr-xr-x  2 niki niki    4096 2010-01-19 09:05 pkgconfig

 

According to the instructions, I created setenv.sh which contains:

JAVA_OPTS="-server -Xms128m -Xmx256m -XX:PermSize=128m -XX:MaxPermSize=128m"
#CATALINA_OPTS=
JAVA_HOME=/appsrv/jdk1.6.0_16
JRE_HOME=/appsrv/jdk1.6.0_16/jre
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
export LD_LIBRARY_PATH

 

Till now everything seems OK,

But when I start tomcat, it seems tcnative library cannot be found (so
not loaded).

Here is my catalina.out:

Jan 19, 2010 9:54:13 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent

INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /appsrv/jdk1.6.0_16/jre/lib/amd64/server:/appsrv/jdk1.6.0_16/jre/lib/amd64:/appsrv/jdk1.6.0_16/jre/../lib/amd64::/appsrv/tomcat/lib:/usr/java/packages/lib/amd64:/lib:/usr/lib

Jan 19, 2010 9:54:13 AM org.apache.coyote.http11.Http11AprProtocol init

INFO: Initializing Coyote HTTP/1.1 on http-8080

Jan 19, 2010 9:54:13 AM org.apache.coyote.ajp.AjpAprProtocol init

INFO: Initializing Coyote AJP/1.3 on ajp-8009

Jan 19, 2010 9:54:13 AM org.apache.catalina.startup.Catalina load

INFO: Initialization processed in 1046 ms

Jan 19, 2010 9:54:13 AM org.apache.catalina.core.StandardService start

INFO: Starting service Catalina

Jan 19, 2010 9:54:13 AM org.apache.catalina.core.StandardEngine start

INFO: Starting Servlet Engine: Apache Tomcat/5.5.28

Jan 19, 2010 9:54:13 AM org.apache.catalina.core.StandardHost start

INFO: XML validation disabled

Jan 19, 2010 9:54:15 AM org.apache.coyote.http11.Http11AprProtocol start

INFO: Starting Coyote HTTP/1.1 on http-8080

Jan 19, 2010 9:54:15 AM org.apache.coyote.ajp.AjpAprProtocol start

INFO: Starting Coyote AJP/1.3 on ajp-8009

Jan 19, 2010 9:54:15 AM org.apache.catalina.storeconfig.StoreLoader load

INFO: Find registry server-registry.xml at classpath resource

Jan 19, 2010 9:54:15 AM org.apache.catalina.startup.Catalina start

INFO: Server startup in 1461 ms

 

 

Any help would be appreciated.

Greetings.



Re: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Steve G. Johnson
Mark,
Our JRE is 1.6.0_17.
Below are server.xml entries for connectors minus security tag values.
Please suggest changes. Is that all I have to do before Security runs
another HP scan?
Thanks
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
    keystorePass="xxx" keystoreType="PKCS12" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443"
    protocol="AJP/1.3" />
<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" acceptCount="100" connectionTimeout="2"
    proxyPort="80" disableUploadTimeout="true" />
-->



Steve Johnson (619) 237-8315 P Please consider the environment before
printing this e-mail.





   



RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Jeffrey Janner
Mark -
For Steve to switch to the APR/native connectors, all he needs to do in this 
config is download the native libraries and restart, correct?  Oh and make sure 
the following line is in the server.xml file to start the APR lifecycle 
listener.
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />

Steve, you can download the latest APR lib from the Tomcat website.  Follow the 
Tomcat Native link and get the one for your environment.
Jeff




***  NOTICE  *
This message is intended for the use of the individual or entity to which 
it is addressed and may contain information that is privileged, 
confidential, and exempt from disclosure under applicable law.  If the 
reader of this message is not the intended recipient or the employee or 
agent responsible for delivering this message to the intended recipient, 
you are hereby notified that any dissemination, distribution, or copying 
of this communication is strictly prohibited.  If you have received this 
communication in error, please notify us immediately by reply or by 
telephone (call us collect at 512-343-9100) and immediately delete this 
message and all its attachments.



RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> For Steve to switch to the APR/native connectors, all he needs to do in
> this config is download the native libraries and restart, correct?

No, the SSL config is completely different.  Easier to use the NIO Connector, 
as Mark suggested.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>     minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>     disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
>     keystorePass="xxx" keystoreType="PKCS12" />

Add the following attribute to the above:

protocol="org.apache.coyote.http11.Http11NioProtocol"

Leave the AJP Connector alone.

 - Chuck
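
[Added example, not part of the thread and not code from the Tomcat project.] The change described above, applied programmatically: only Connectors that carry SSL settings get the NIO protocol, the AJP Connector is left alone, and commented-out Connectors are preserved untouched. The Connector attributes are the ones posted in the thread; the Server/Service wrapper, the shortened commented-out Connector and the function names are constructed, and the Tomcat 6 gate reflects the statement elsewhere in this thread that NIO is a workaround when using Tomcat 6.

```python
import xml.etree.ElementTree as ET

NIO = "org.apache.coyote.http11.Http11NioProtocol"

# Connector attributes as posted in the thread; the wrapper elements are
# constructed so that the fragment parses on its own.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
               minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
    <!--
    <Connector port="8082" maxThreads="150" proxyPort="80" />
    -->
  </Service>
</Server>
"""


def parse_keeping_comments(xml_text):
    """Parse server.xml without dropping its comments (Python 3.8+)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def connector_kind(conn):
    """Classify a live <Connector> element as 'ajp', 'ssl' or 'http'."""
    protocol = conn.get("protocol", "HTTP/1.1")
    if protocol.startswith("AJP") or "Ajp" in protocol:
        return "ajp"
    if conn.get("sslProtocol") or conn.get("keystoreFile"):
        return "ssl"
    return "http"


def describe_connectors(xml_text):
    """Return (port, kind, protocol) for every Connector that is not
    commented out."""
    root = parse_keeping_comments(xml_text)
    return [(c.get("port"), connector_kind(c), c.get("protocol", "HTTP/1.1"))
            for c in root.iter("Connector")]


def switch_ssl_connectors_to_nio(xml_text, tomcat_major=6):
    """Set protocol=NIO on SSL Connectors only.

    Returns (new_xml, ports_changed). Running it twice changes nothing
    the second time.
    """
    if tomcat_major < 6:
        raise ValueError("Http11NioProtocol needs Tomcat 6; "
                         "upgrade before applying this change")
    root = parse_keeping_comments(xml_text)
    changed = []
    for conn in root.iter("Connector"):
        if connector_kind(conn) != "ssl":
            continue              # AJP and plain HTTP stay as they are
        if conn.get("protocol") != NIO:
            conn.set("protocol", NIO)
            changed.append(conn.get("port"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    new_xml, changed = switch_ssl_connectors_to_nio(SAMPLE_SERVER_XML)
    print("changed ports:", changed)
    for row in describe_connectors(new_xml):
        print(row)
```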





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Jeffrey Janner
You're right.  I'd completely forgotten the SSL.  Odd, since I do
nothing but SSL here. 
As I recall, it's re-issue your certificate in OpenSSL format (or
convert it) and change the SSL specific parameters as follows:
 Drop the sslProtocol and keystore* attributes and replace with
  SSLEngine="on"
  SSLCertificateFile="path"
  SSLCertificateKeyFile="path"
  SSLPassword="password"
Yes, re-issuing the cert or converting it will be a hassle, but is well
documented on the website, as are the above attributes/parameters.

I addressed this as an answer to Mark's original suggestion, and I
quote:
  Right now, the quickest way to fix this is to switch to the
APR/native connector and use 1.1.19

In particular, he stated that switching to the NIO connector at this
point wouldn't address it (from my reading of his post), as the fix will
require a JDK/JRE fix from the vendor and a workaround isn't available
yet.  But the 1.1.19 APR has the workaround available now.

Jeff




RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> In particular, he stated that switching to the NIO connector at this
> point wouldn't address it (from my reading of his post), as the fix
> will require a JDK/JRE fix from the vendor and a workaround isn't
> available yet.

You ignored Filip's post:

NIO doesn't allow handshakes and is not vulnerable. Instead it will time out 
the request. So if using Tomcat 6, then NIO is a work around.

http://marc.info/?l=tomcat-user&m=126384310705143&w=2

 - Chuck





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Steve G. Johnson
Hi Charles,
FYI: This is in my listener list:
<Listener className="org.apache.catalina.core.AprLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

Added the protocol entry and now trying to start Tomcat manager results
in page cannot be displayed. Removing entry it starts.
Added as follows:
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />

Steve



Steve Johnson (619) 237-8315 P Please consider the environment before
printing this e-mail.





   



RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> FYI: This is in my listener list:
> <Listener className="org.apache.catalina.core.AprLifecycleListener" />

If the tcnative library isn't found, the above listener will simply display a 
message stating so in the logs, so it doesn't hurt to have it in there.  But do 
check the logs to make sure that message is being displayed.

> Added the protocol entry and now trying to start Tomcat manager
> results in page cannot be displayed.

You need to move up to 6.0.20, as mentioned earlier.

 - Chuck





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Jeffrey Janner
Ah, didn't exactly ignore it, just forgot about it.  I'd already removed
it from the thread.
Good point.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Tuesday, January 19, 2010 9:56 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability

> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> In particular, he stated that switching to the NIO connector at this
> point wouldn't address it (from my reading of his post), as the fix
> will require a JDK/JRE fix from the vendor and a workaround isn't
> available yet.

You ignored Filip's post:

"NIO doesn't allow handshakes and is not vulnerable. Instead it will
time out the request. So if using Tomcat 6, then NIO is a work around."

http://marc.info/?l=tomcat-user&m=126384310705143&w=2

 - Chuck





RE: SSLv3/TLS man-in-middle vulnerability

2010-01-19 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> If you have to stay with 5.5.23, you'll need to go with the APR SSL
> connector.
>
> (slap me if I'm still wrong Charles, but I checked the doc and there
> doesn't appear to be support for NIO in 5.5.x)

That is correct; NIO was introduced with Tomcat 6.0.  There are noticeable 
performance and security improvements in 6.0.x, so that would be the preferred 
approach, even if APR is used.

Migration to 6.0.x is pretty much painless:
http://tomcat.apache.org/migration.html

 - Chuck
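
The connector advice in this thread (add the NIO protocol on Tomcat 6; NIO does not exist in 5.5.x) can be checked against a server.xml before restarting. The sketch below is an added example, not code from the thread or from Tomcat; the sample server.xml, its extra ports and the verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample: the 8443 connector as first posted, a copy on 9443 with
# the protocol attribute added, plus plain HTTP and AJP connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="9443" scheme="https" secure="true" sslProtocol="TLS"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>"""


def is_https(conn):
    # A connector behind a TLS-terminating proxy may also set scheme="https".
    return conn.get("scheme") == "https" or conn.get("SSLEnabled") == "true"


def audit_connectors(server_xml, tomcat_version):
    """Return (port, verdict) for each HTTPS connector; AJP and plain HTTP are skipped."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol.startswith("AJP") or not is_https(conn):
            continue  # "Leave the AJP Connector alone."
        if protocol == NIO:
            # NIO was introduced with Tomcat 6.0; on 5.5.x the class is missing.
            verdict = "nio" if tomcat_version >= (6, 0) else "nio-unsupported"
        elif protocol == APR:
            verdict = "apr"
        else:
            # Default HTTP/1.1 picks APR only if tcnative loaded, else blocking Java.
            verdict = "blocking-or-default"
        findings.append((conn.get("port"), verdict))
    return findings


if __name__ == "__main__":
    for version in ((5, 5), (6, 0)):
        print(version, audit_connectors(SAMPLE_SERVER_XML, version))
```

A "blocking-or-default" verdict means the log has to be checked for the AprLifecycleListener message to know which implementation is actually serving TLS.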





Re: TCNative installation failed

2010-01-19 Thread Christopher Schultz
Nikolay,

On 1/19/2010 9:59 AM, Nikolay Diulgerov wrote:
> I followed this instruction (http://tomcat.apache.org/native-doc/),
> installed all the required packages for the compilation of TCNative
> (1.1.19),
>
> The configuration, compilation and installation went OK.

Great!

> Now in my $CATALINA_HOME/lib folder I have

Where does CATALINA_HOME point?

> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
> export LD_LIBRARY_PATH

That looks good.

> But when I start tomcat, it seems tcnative library cannot be found (so
> not loaded).
>
> Jan 19, 2010 9:54:13 AM org.apache.catalina.core.AprLifecycleListener
> lifecycleEvent
>
> INFO: The Apache Tomcat Native library which allows optimal performance
> in production environments was not found on the java.library.path:
> /appsrv/jdk1.6.0_16/jre/lib/amd64/server:/appsrv/jdk1.6.0_16/jre/lib/amd64:/appsrv/jdk1.6.0_16/jre/../lib/amd64::/appsrv/tomcat/lib:/usr/java/packages/lib/amd64:/lib:/usr/lib

Is CATALINA_HOME set to /appsrv/tomcat? If so, then your
LD_LIBRARY_PATH appears to be set correctly, which is good.

> Now in my $CATALINA_HOME/lib folder I have
>
> drwxr-xr-x  3 niki niki    4096 2010-01-19 09:05 .
> drwxr-xr-x 13 niki niki    4096 2010-01-19 08:43 ..
> -rw-r--r--  1 niki niki 1574152 2010-01-19 09:05 libtcnative-1.a
> -rwxr-xr-x  1 niki niki     911 2010-01-19 09:05 libtcnative-1.la
> lrwxrwxrwx  1 niki niki      23 2010-01-19 09:05 libtcnative-1.so -> libtcnative-1.so.0.1.19
> lrwxrwxrwx  1 niki niki      23 2010-01-19 09:05 libtcnative-1.so.0 -> libtcnative-1.so.0.1.19
> -rwxr-xr-x  1 niki niki  889278 2010-01-19 09:05 libtcnative-1.so.0.1.19
> drwxr-xr-x  2 niki niki    4096 2010-01-19 09:05 pkgconfig

The file libtcnative-1.so should be all you need (well, plus the file to
which it points). Everything you have done looks correct. I have a few
possibilities I can think of:

1. Your tcnative library doesn't match the architecture of the JVM
   (i.e. JVM is 64-bit while library is 32-bit). You can find out what
   type the library is by doing:

   $ file $CATALINA_HOME/lib/libtcnative-1.so.0.1.19

2. You are running under a SecurityManager which does not permit you to
   load that native library from that location. Are you using a
   SecurityManager?

3. Your file paths are incorrect. You didn't say explicitly what
   CATALINA_HOME was, but I suspect everything is in order.

Hope that helps,
-chris
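
The first and third possibilities in the reply above (architecture mismatch, wrong paths) can be checked from the logged java.library.path and the first bytes of the library file. This is an added example, not part of the original message; it assumes CATALINA_HOME is /appsrv/tomcat (the poster did not confirm this), uses constructed ELF header bytes in place of the real libtcnative-1.so.0.1.19, and infers the JVM word size from the path with a heuristic.

```python
# java.library.path exactly as logged in the message above (mail line wraps rejoined).
LOGGED_PATH = (
    "/appsrv/jdk1.6.0_16/jre/lib/amd64/server:/appsrv/jdk1.6.0_16/jre/lib/amd64:"
    "/appsrv/jdk1.6.0_16/jre/../lib/amd64::/appsrv/tomcat/lib:"
    "/usr/java/packages/lib/amd64:/lib:/usr/lib"
)


def constructed_ident(bits):
    """Constructed 16-byte ELF e_ident (little-endian) standing in for a real .so."""
    return b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + bytes(9)


def elf_bits(ident):
    """Word size from EI_CLASS (byte 4), the field `file` prints as 32-bit/64-bit."""
    if len(ident) < 16 or ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] not in (1, 2):
        raise ValueError("unknown EI_CLASS %d" % ident[4])
    return 32 if ident[4] == 1 else 64


def jvm_bits(library_path):
    """Heuristic (assumption): a Sun JDK on Linux lists its own lib/amd64 or lib/i386."""
    dirs = library_path.split(":")
    if any(d.endswith("/lib/amd64") for d in dirs):
        return 64
    if any(d.endswith("/lib/i386") for d in dirs):
        return 32
    return None


def diagnose(library_path, lib_dir, ident):
    """List the reasons, among those named in the reply, that would block loading."""
    problems = []
    on_path = [d.rstrip("/") for d in library_path.split(":") if d]
    if lib_dir.rstrip("/") not in on_path:
        problems.append("library directory not on java.library.path")
    want, have = jvm_bits(library_path), elf_bits(ident)
    if want is not None and want != have:
        problems.append("JVM is %d-bit but library is %d-bit" % (want, have))
    return problems


if __name__ == "__main__":
    # For a real library, read the header with: open(path, "rb").read(16)
    print(diagnose(LOGGED_PATH, "/appsrv/tomcat/lib", constructed_ident(32)))
```

An empty result leaves the SecurityManager question from the reply as the remaining candidate.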



multiple URI

2010-01-19 Thread Vadym Chepkov
Greetings,

I want a servlet to serve two different urls: http://server/A and 
http://server/B, but I don't want to install this servlet as a ROOT servlet. Is 
this possible in tomcat 6?

Thank you.
Sincerely yours,
  Vadym Chepkov




RE: multiple URI

2010-01-19 Thread Caldarale, Charles R
> From: Vadym Chepkov [mailto:chep...@yahoo.com]
> Subject: multiple URI
>
> I want a servlet to serve two different urls: http://server/A and
> http://server/B, but I don't want to install this servlet as a ROOT
> servlet. Is this possible in tomcat 6?

Do you mean you want the same webapp to be accessed by multiple URLs?  If it's 
ok to have more than one instance of the webapp, just deploy it multiple times, 
once for each URL.  If you want aliases for a single webapp, the easiest thing 
is to forward or redirect requests to the aliases using the tuckey rewrite 
filter:

http://tuckey.org/urlrewrite/

 - Chuck





Modifying value or format of HTTPServletRequest.getRemoteUser()

2010-01-19 Thread Christopher Nebergall
I have a JAAS plugin where I'm using basic auth.  It authenticates the user
successfully, and in the JAAS plugin I make it so
request.getUserPrincipal().getName() returns the format of the username I
want shown to the app.  But HttpServletRequest.getRemoteUser always returns
the value of the username in the HTTP AUTHORIZATION header.  How do I modify
what getRemoteUser returns to always match the
request.getUserPrincipal().getName()?

Thanks,
Christopher


Different apps clustering on the same Tomcat?

2010-01-19 Thread John Tangney
Is it possible to get two apps in the same Tomcat instance to exchange session 
info, in a cluster? If so, how?

Thanks!
--johnt





RE: Different apps clustering on the same Tomcat?

2010-01-19 Thread Caldarale, Charles R
> From: John Tangney [mailto:jo...@jdtangney.com]
> Subject: Different apps clustering on the same Tomcat?
>
> Is it possible to get two apps in the same Tomcat instance to exchange
> session info, in a cluster? If so, how?

Not sure what you're asking.  If there's only one Tomcat instance, there's no 
cluster.  Multiple apps in one Tomcat cannot share a session, since that's 
prohibited by the servlet spec.  You can create a bean from a class in a shared 
library to hold data needed by both apps.

If you really do have a cluster of multiple Tomcat instances, you can choose to 
replicate session information across them by any of several means.  Consult the 
documentation for details:
http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html

 - Chuck





Tomcat Realm

2010-01-19 Thread Aihong Yin

Hi,

I'm using Tomcat 5.5. My question is: is it possible to implement a realm
to identify valid users of a web application, where the username and password
come from a central LDAP directory server and the role of the user comes
from a local file such as tomcat-user.xml instead?


Thanks,
Aihong Yin.




Tomcat Cluster 6.0.18 White sites

2010-01-19 Thread Alexander Diedler
Hi everybody,
We have some issues with a Tomcat Cluster. Sometimes (after a few hours without
a restart of services), the webserver doesn't deliver the complete content to
the browser. That is, in the browser there appear the header and some parts of
the website, but then only a blank and white website. In the source code in HTML
view it is the same leak. Only after a restart of the services will the content
be completely delivered.
It is a Win 2003 Server with JDK 1.6, the Server jvm.dll is called from Tomcat.
It is a 2 node cluster with Apache 2.2.14 and Tomcat 6.0.20 and mod_jk 1.2.28.
In front of this cluster there is a hardware load balancer BigIP from F5.
Does somebody have any idea why the cluster stops delivering content after a
period of hours?

Greetings
Alexander




RE: multiple URI

2010-01-19 Thread Travis Beech
Modify your servlet mapping in your web.xml so that you have more than one
mapping to that servlet.

Take the following xml snippet as an example, each of the three servlet
mappings will map to a single servlet. This would allow someone to use three
different URLs to access the same servlet.

<servlet>
  <servlet-name>RequestFactory</servlet-name>
  <servlet-class>com.foo.web.servlet.RequestFactory</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>RequestFactory</servlet-name>
  <url-pattern>/RequestFactory</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>RequestFactory</servlet-name>
  <url-pattern>/Request</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>RequestFactory</servlet-name>
  <url-pattern>/SomeOtherUrl</url-pattern>
</servlet-mapping>

-----Original Message-----
From: Vadym Chepkov [mailto:chep...@yahoo.com] 
Sent: Tuesday, January 19, 2010 12:17 PM
To: users@tomcat.apache.org
Subject: multiple URI

Greetings,

I want a servlet to serve two different urls: http://server/A and
http://server/B, but I don't want to install this servlet as a ROOT servlet.
Is this possible in tomcat 6?

Thank you.
Sincerely yours,
  Vadym Chepkov




Tomcat Cluster 6.0.20 White sites

2010-01-19 Thread Alexander Diedler
Hi everybody,
We have some issues with a Tomcat Cluster. Sometimes (after a few hours without
a restart of services), the webserver doesn't deliver the complete content to
the browser. That is, in the browser there appear the header and some parts of
the website, but then only a blank and white website. In the source code in HTML
view it is the same leak. Only after a restart of the services will the content
be completely delivered.
It is a Win 2003 Server with JDK 1.6 32-Bit, the Server jvm.dll is called from
Tomcat. It is a 2 node cluster with Apache 2.2.14 and Tomcat 6.0.20 and mod_jk
1.2.28. In front of this cluster there is a hardware load balancer BigIP from
F5.
Does somebody have any idea why the cluster stops delivering content after a
period of hours?

Greetings
Alexander