Tomcat 7 SSL Session ID
Hey, I'm doing some research about SSL session tracking / SSL session IDs. Now I'm having some problems when requests are sent to the server in quick succession. I notice the problem is fixed, or at least occurs less, when the keepAlive server setting is set to 0. When the keepAliveTimeout is not set to 0 I can see in the SSL debug logs that the SSL session gets invalidated after some requests with a Broken Pipe exception. Is this because there are too many open connections during the keepAliveTimeout? It also only happens when processing the requests takes some time (e.g. storing items in a database) or when I put the thread to sleep for testing purposes. When inspecting the traffic I see some TCP RST packets (problem is here?) from previous connections while the current one is being processed.

My question is why these SSL sessions get invalidated after a lot of quick requests to the server, since this gives a problem with my SSL session tracking because the ID changes then. I can provide a sample JSP project where the invalidation occurs if wanted.

PS. I'm running Tomcat 7 on a Mac OS X Lion 10.7.4.

server.xml settings:

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           keepAliveTimeout="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSLv3" SSLEngine="on"
           SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
           SSLCipherSuite="TTLS_RSA_WITH_AES_256_CBC_SHA"
           SSLHonorCipherOrder="true" keystoreFile="***" keystorePass="***" />

Thanks in advance,
Vincent Goelen
Re: tomcat6 with crl doesn't load
On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>> I have a self-signed server certificate - and the user certs have no association/connection to the server cert.
>>>
>>> I apologize, but I'm not exactly sure what you are trying to configure with the certs and the crl file. Can you take a step back from the problem and give us some higher level details on what you are trying to achieve with this configuration?
>>>
>>> Dan
>>
>> OK, I am emulating the production environment for the application my development team works on. The production environment is on government facilities and equipment. Users authenticate with a Common Access Card (CAC) PIN. Our current environment has a locally developed PIN check, which is insufficient going forward. Rather than developing code to do all of the work, it seems most appropriate to simply utilize the abilities built into Tomcat to do that before our application even gets accessed.
>>
>> The development server I stood up is a virtual server, running CentOS 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to generate a self-signed certificate, rather than getting an actual SSL cert from an outside source since this is a closed development system.
>>
>> With that in mind, we are working to implement Certificate Authentication Validation within Tomcat. I've got the environment configured to prompt for the certificate and through the browser/client environment the PIN prompt is triggered without issue as long as the crlFile parameter isn't set in the connector. That was easy.
>>
>> My problem comes when I attempt to implement Certificate Revocation List checking. The Government has a root certificate and about 20-30 different intermediate certificate authorities that could have issued the user certificate. I have loaded the root and intermediate government certificate into my local truststore and am loading it properly (based on the fact that the user certificates are recognized and accepted). I have downloaded all the root certificate CRL data and each individual CA's CRL data. Through the openssl commands, I converted them to PEM and then copied them all into one massive CRL file. I have also, for testing, created a file with the root CRL data and the CRL data for the CA which issued my certificate.
>>
>> When I run the complete CRL, I run out of memory (271 MB CRL). When I run just the root and my CA, it doesn't run out of memory, but it also doesn't trigger the PIN prompt (I assume the crl check happens before the PIN is checked?), and just displays "Page cannot be displayed". I know my certificate is OK - when I use it to access other sites that require that certificate, it works fine.
>>
>> Does that give you a clear(er) picture? :)
>
> Definitely. A couple suggestions...
>
> 1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for crlFile and you can see how this is being configured and utilized.
>
> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> 2.) Maybe try using Tomcat native and the APR connector. This would offload SSL to openssl which may handle things more efficiently.
>
> Dan

OK - I enabled Tomcat native and the APR, but now it doesn't prompt me for the Client Certificate. The log file has:

Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'true' did not find a matching property.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat6 with crl doesn't load
On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>> [...]
>> 2.) Maybe try using Tomcat native and the APR connector. This would offload SSL to openssl which may handle things more efficiently.
>>
>> Dan
>
> OK - I enabled Tomcat native and the APR, but now it doesn't prompt me for the Client Certificate. The log file has:
>
> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'true' did not find a matching property.

clientAuth only works for the BIO / NIO connectors. I think you want SSLVerifyClient with the APR connector.

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

Dan
Re: tomcat6 with crl doesn't load
On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa <dmik...@vmware.com> wrote:
> On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
>> [...]
>> OK - I enabled Tomcat native and the APR, but now it doesn't prompt me for the Client Certificate. The log file has:
>>
>> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'true' did not find a matching property.
>
> clientAuth only works for the BIO / NIO connectors. I think you want SSLVerifyClient with the APR connector.
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> Dan

OK... thanks. That was purely me and literacy this morning. I looked RIGHT at that line and decided, nope... must not apply to me. I changed everything ELSE.
Invocation condition of ErrorReportValve
Hi,

why does the ErrorReportValve trigger the report on this condition only?

if ((statusCode < 400) || (response.getContentCount() > 0))
    return;

So, even if I do a response.setStatus(404), this valve is executed. According to the Javadoc, if setStatus is invoked [1], the response should be left untouched, in contrast to the sendError method. Especially this sentence makes it clear: "If this method is used to set an error code, then the container's error page mechanism will not be triggered."

Shouldn't that include a response.isError() check?

[1] http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setStatus%28int%29

Thanks,
Mike
Re: Nagios plugin script for use with JMXProxy
On Tue, Nov 27, 2012 at 05:37:18PM -0500, Christopher Schultz wrote:
> I have developed a Perl script that can be used with Nagios to check on a Tomcat instance via the manager's JMXProxyServlet. Someone asked me to publish it, which I'm happy to do. I'm just wondering what the best thing to do is.

Allow me to add my thanks!

> I see several options:
>
> 1. Submit a patch to the Tomcat source
> 2. Drop the file into the Tomcat wiki
> 3. Stick the file on Apache's related-projects stash -- I have forgotten the address at this point :(
> 4. Host it on my own website

Maybe Nagios has a third-party plugins corral?

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
I don't do doorbusters.
Re: Nagios plugin script for use with JMXProxy
On 28/11/12 17:19, Mark H. Wood wrote:
> On Tue, Nov 27, 2012 at 05:37:18PM -0500, Christopher Schultz wrote:
>> I have developed a Perl script that can be used with Nagios to check on a Tomcat instance via the manager's JMXProxyServlet. Someone asked me to publish it, which I'm happy to do. I'm just wondering what the best thing to do is.
>
> Allow me to add my thanks!
>
>> I see several options:
>>
>> 1. Submit a patch to the Tomcat source
>> 2. Drop the file into the Tomcat wiki
>> 3. Stick the file on Apache's related-projects stash -- I have forgotten the address at this point :(
>> 4. Host it on my own website
>
> Maybe Nagios has a third-party plugins corral?

Many thanks from me as well.

Indeed Nagios has a third-party plugins corral; you can reach it at http://exchange.nagios.org/directory/Plugins

There you can also find instructions on how to submit your own project.
Re: tomcat6 with crl doesn't load
On Wed, Nov 28, 2012 at 9:03 AM, Will Nordmeyer <quark...@gmail.com> wrote:
> On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa <dmik...@vmware.com> wrote:
>> [...]
>> clientAuth only works for the BIO / NIO connectors. I think you want SSLVerifyClient with the APR connector.
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>
>> Dan
>
> OK... thanks. That was purely me and literacy this morning. I looked RIGHT at that line and decided, nope... must not apply to me. I changed everything ELSE.

I've got the tomcat-native APR configured, but when I add the SSL Certificate Revocation options, it prompts me for my cert and then gives a "page cannot be displayed".

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https"
           maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100"
           disableUploadTimeout="true" compression="on"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
           connectionTimeout="2" secure="true"
           SSLCertificateFile="/etc/ssl/certs/mycert01.crt"
           SSLCertificateKeyFile="/etc/ssl/certs/mykey01.pem"
           SSLPassword="dmapsdev"
           SSLCACertificateFile="/etc/ssl/certs/root-certs.pem"
           SSLVerifyClient="require"
           SSLCARevocationFile="/etc/ssl/certs/CRL-bundle.crl"
           sslProtocol="TLS" />

Without the SSLCARevocationFile, it prompts for my certificate, gets the PIN and goes to the app.

How can I test/trace the Revocation File issues? The CRL-bundle.crl file has 39 different X509 formatted CRLs, totaling 271 MB of data.
Re: Invocation condition of ErrorReportValve
Michael-O <1983-01...@gmx.net> wrote:
> Hi,
>
> why does the ErrorReportValve trigger the report on this condition only?
>
> if ((statusCode < 400) || (response.getContentCount() > 0))
>     return;
>
> So, even if I do a response.setStatus(404), this valve is executed. According to the Javadoc, if setStatus is invoked [1], the response should be left untouched, in contrast to the sendError method. Especially this sentence makes it clear: "If this method is used to set an error code, then the container's error page mechanism will not be triggered."
>
> Shouldn't that include a response.isError() check?
>
> [1] http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setStatus%28int%29

Yep. This sort of thing drives me nuts with the Servlet spec. The document is meant to be definitive but isn't. Half the requirements are in the Javadoc and the Javadoc is no longer included in the specification (for no good reason) and the spec lead refuses to add it back in. You used to be able to search one doc for a phrase, method, class, whatever and find all the references. Now it is a right pain to figure out what the expected behaviour is.

Raise a bugzilla entry for this one and it'll get looked at and (assuming there is a problem, as there does appear to be from the fragment you quoted) it will get fixed.

Mark
Re: tomcat6 with crl doesn't load
On Nov 28, 2012, at 11:56 AM, Will Nordmeyer wrote:
> [...]
> I've got the tomcat-native APR configured, but when I add the SSL Certificate Revocation options, it prompts me for my cert and then gives a "page cannot be displayed".

You might want to try and capture some traces with Wireshark. This could give you some more insight into what is happening as the request is made.

> [Connector configuration quoted above]
>
> Without the SSLCARevocationFile, it prompts for my certificate, gets the PIN and goes to the app.
>
> How can I test/trace the Revocation File issues? The CRL-bundle.crl file has 39 different X509 formatted CRLs, totaling 271 MB of data.

Couple thoughts...

1.) Check that your certificates and CRL file are all valid and functioning properly. I'm not an expert with openssl, but I think openssl verify can be used to test this from the command line.

2.) Perhaps start with a smaller CRL file or create a set of testing certs that you can use to verify behavior.

Dan
Re: tomcat6 with crl doesn't load
Daniel Mikusa wrote:
> On Nov 28, 2012, at 11:56 AM, Will Nordmeyer wrote:
>> [...]
>> I've got the tomcat-native APR configured, but when I add the SSL Certificate Revocation options, it prompts me for my cert and then gives a "page cannot be displayed".
>
> You might want to try and capture some traces with Wireshark. This could give you some more insight into what is happening as the request is made.

You may also try with Firefox as a browser, with the HttpFox plugin. I just ran a quick test with a HTTPS website, and it seems to show a good portion of the SSL exchanges. It will not be as telling, but is a lot easier to use than Wireshark.

One problem with IE is the "friendly error messages" option, which hides the real server responses and displays some built-in page instead, which tells you nothing really about the problem.

>> [Connector configuration quoted above]
>>
>> Without the SSLCARevocationFile, it prompts for my certificate, gets the PIN and goes to the app.
>>
>> How can I test/trace the Revocation File issues? The CRL-bundle.crl file has 39 different X509 formatted CRLs, totaling 271 MB of data.
>
> Couple thoughts...
>
> 1.) Check that your certificates and CRL file are all valid and functioning properly. I'm not an expert with openssl, but I think openssl verify can be used to test this from the command line.
>
> 2.) Perhaps start with a smaller CRL file or create a set of testing certs that you can use to verify behavior.
>
> Dan
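The openssl verify check Dan suggests only helps once the bundle itself loads, and a 271 MB concatenation of 39 CRLs is exactly the kind of file where one mis-converted or oversized entry is easy to miss. The following is an added example, not code from this thread and not Tomcat or OpenSSL code: a small Python inspector that splits a PEM bundle into its blocks, checks that each one is an X509 CRL block whose base64 payload decodes to a DER SEQUENCE of the claimed length, and reports per-block sizes so the entry that dominates the file, or a certificate that was pasted in by mistake, stands out. The sample bundle, the inspector's function names and the minimal DER payloads (valid SEQUENCEs, not real CRLs) are all constructed for the example; only the path /etc/ssl/certs/CRL-bundle.crl comes from the connector above.

```python
"""PEM CRL bundle inspector. Added example, not code from the thread or Tomcat.

Splits a concatenated PEM file into blocks, checks that each is an X509 CRL
whose payload is well-formed outer DER, and reports per-block sizes.
The DER payloads in the constructed sample are minimal SEQUENCEs, not real
CRLs; the checks are the same ones a real bundle has to pass.
"""
import base64
import binascii
import re
import sys

# One PEM block; the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(der: bytes):
    """Total encoded length the outer DER SEQUENCE header claims, or None
    if the first tag is not SEQUENCE (0x30) or the header is truncated."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:        # 0x80 (indefinite) is not DER
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_bundle(text: str):
    """Return one dict per PEM block: index, label, decoded size, status."""
    results = []
    for i, m in enumerate(PEM_BLOCK.finditer(text)):
        label, body = m.group(1), m.group(2)
        entry = {"index": i, "label": label, "size": 0, "status": "ok"}
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            entry["status"] = "bad base64"          # truncated or corrupted block
            results.append(entry)
            continue
        entry["size"] = len(der)
        claimed = der_outer_length(der)
        if label != "X509 CRL":
            entry["status"] = "not a CRL"           # e.g. a certificate pasted in
        elif claimed is None:
            entry["status"] = "not a DER SEQUENCE"
        elif claimed != len(der):
            entry["status"] = "DER length mismatch"  # payload cut short or run together
        results.append(entry)
    return results


def summarize(results):
    """Usable blocks, the bytes they carry, the largest one, and every problem."""
    ok = [r for r in results if r["status"] == "ok"]
    return {
        "blocks": len(results),
        "usable": len(ok),
        "bytes": sum(r["size"] for r in ok),
        "largest": max(ok, key=lambda r: r["size"])["index"] if ok else None,
        "problems": [(r["index"], r["label"], r["status"])
                     for r in results if r["status"] != "ok"],
    }


def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample bundle (not real CRL data); each entry exercises one check.
SMALL_CRL = b"\x30\x03\x02\x01\x05"                             # SEQUENCE { INTEGER 5 }
BIG_CRL = b"\x30\x82\x01\x2c\x04\x82\x01\x28" + b"\x00" * 296    # 304-byte SEQUENCE, long-form length
BAD_LEN = b"\x30\x05\x02\x01\x05"                               # header claims 7 bytes, only 5 present
SAMPLE_BUNDLE = (
    pem_block("X509 CRL", SMALL_CRL)
    + pem_block("X509 CRL", BIG_CRL)
    + pem_block("CERTIFICATE", SMALL_CRL)                        # a cert that ended up in the CRL file
    + pem_block("X509 CRL", BAD_LEN)
    + "-----BEGIN X509 CRL-----\nMAMCAQ\n-----END X509 CRL-----\n"  # truncated base64
)

if __name__ == "__main__":
    # Usage: python crl_inspect.py /etc/ssl/certs/CRL-bundle.crl (no path: runs on the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    res = inspect_bundle(data)
    for r in res:
        print(f"#{r['index']:3d} {r['label']:<12} {r['size']:>10d} bytes  {r['status']}")
    print(summarize(res))
```

Once every block passes, the per-CA check Dan has in mind can be run on one CRL at a time with openssl verify, using its -crl_check and -CRLfile options together with -CAfile and the user certificate; checking one issuer's CRL against a certificate from that issuer isolates a single bad CRL far faster than loading the whole bundle into the connector.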
Tomcat8 Cartridge for OpenShift PaaS
Hi all,

Development has begun on supporting Tomcat8 on Red Hat's OpenShift PaaS (https://openshift.redhat.com). OpenShift supports various development frameworks via cartridges. There are currently cartridges for Tomcat6 (via JBossEWS1.0) and soon will be a cartridge for Tomcat7 (via JBossEWS2.0).

The new Tomcat8 community cartridge will be developed here: https://github.com/openshift/origin-community-cartridges

The community project for OpenShift Origin is here: https://github.com/openshift

Looking forward to working with the TC8 community.

Thanks
-Bill

--
Bill DeCoste
Principal Software Engineer, Red Hat
978-204-0920
wdeco...@redhat.com
Re: Invocation condition of ErrorReportValve
On 2012-11-28 18:26, Mark Thomas wrote:
> Michael-O <1983-01...@gmx.net> wrote:
>> [...]
>> Shouldn't that include a response.isError() check?
>>
>> [1] http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setStatus%28int%29
>
> Yep. This sort of thing drives me nuts with the Servlet spec. [...]
>
> Raise a bugzilla entry for this one and it'll get looked at and (assuming there is a problem, as there does appear to be from the fragment you quoted) it will get fixed.

Mark, issue has been created: https://issues.apache.org/bugzilla/show_bug.cgi?id=54220

I have depicted a new possible condition based on the Javadocs and the spec. Please have a look.

Mike
Writing to response and issuing sendError
Hi,

I am having again trouble with the response.sendError method. The docs say that an IllegalStateException is thrown if the response has already been committed. So this should cause an exception:

protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    PrintWriter out = response.getWriter();
    out.println("ERROR");
    out.flush();
    response.sendError(404);
}

The exception is thrown out to the console but the response is still written. If I leave out the flush (which commits the response), the error page comes up. Is this undefined behavior or some missing code path to transform the ISE to a HTTP 500 error response?

I am on Tomcat 6.0.35

Thanks,
Mike
Re: Writing to response and issuing sendError
On 28/11/2012 20:34, Michael-O wrote:
> Hi,
>
> I am having again trouble with the response.sendError method. The docs say that an IllegalStateException is thrown if the response has already been committed. So this should cause an exception:
>
> protected void doGet(HttpServletRequest request, HttpServletResponse response)
>         throws ServletException, IOException {
>     PrintWriter out = response.getWriter();
>     out.println("ERROR");
>     out.flush();
>     response.sendError(404);
> }
>
> The exception is thrown out to the console but the response is still written. If I leave out the flush (which commits the response), the error page comes up. Is this undefined behavior or some missing code path to transform the ISE to a HTTP 500 error response?

Nope. Think about it. Once the response has been committed the response status line and the headers have been written to the client as well as at least some if not all of the response body. Tomcat can't take back the data it has already sent.

Mark
RE: Writing to response and issuing sendError
> From: Michael-O [mailto:1983-01...@gmx.net]
> Subject: Writing to response and issuing sendError
>
> The exception is thrown out to the console but the response is still written.

As it should be - it's already committed, and may well have been delivered.

> If I leave out the flush (which commits the response), the error page comes up.

Also as it should be.

> Is this undefined behavior

No, it's operating as required by the spec.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Writing to response and issuing sendError
On 2012-11-28 21:39, Mark Thomas wrote:
> On 28/11/2012 20:34, Michael-O wrote:
>> Is this undefined behavior or some missing code path to transform the ISE to an HTTP 500 error response?
>
> Nope. Think about it. Once the response has been committed, the response status line and the headers have been written to the client, as well as at least some if not all of the response body. Tomcat can't take back the data it has already sent.

Sigh, I forgot that the body has already been sent over the wire. Your explanation makes perfect sense then. sendError is coming too late.

I'd prefer that this ISE would have a message. The source contains a commented exception message.

Thanks,
Mike
Re: Writing to response and issuing sendError
On 2012-11-28 21:41, Caldarale, Charles R wrote:
>> From: Michael-O [mailto:1983-01...@gmx.net]
>> Subject: Writing to response and issuing sendError
>>
>> The exception is thrown out to the console but the response is still written.
>
> As it should be - it's already committed, and may well have been delivered.
>
>> If I leave out the flush (which commits the response), the error page comes up.
>
> Also as it should be.
>
>> Is this undefined behavior
>
> No, it's operating as required by the spec.

Yes, thanks!
Re: tomcat6 with crl doesn't load
On Wed, Nov 28, 2012 at 1:39 PM, André Warnier a...@ice-sa.com wrote:
Daniel Mikusa wrote:
On Nov 28, 2012, at 11:56 AM, Will Nordmeyer wrote:
On Wed, Nov 28, 2012 at 9:03 AM, Will Nordmeyer quark...@gmail.com wrote:
On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa dmik...@vmware.com wrote:
On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa dmik...@vmware.com wrote:
On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa dmik...@vmware.com wrote:
On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:

Does that give you a clear(er) picture? :)

Definitely. A couple of suggestions...

1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for crlFile and you can see how this is being configured and utilized.
https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2.) Maybe try using Tomcat Native and the APR connector. This would offload SSL to OpenSSL, which may handle things more efficiently.

Dan

OK - I enabled Tomcat Native / the APR, but now it doesn't prompt me for the client certificate. The log file has:

Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'true' did not find a matching property.

clientAuth only works for the BIO / NIO connectors. I think you want SSLVerifyClient with the APR connector.
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

Dan

OK... thanks. That was purely me and literacy this morning. I looked RIGHT at that line and decided, nope... must not apply to me. I changed everything ELSE.

I've got the tomcat-native APR configured, but when I add the SSL Certificate Revocation options, it prompts me for my cert and then gives a "page cannot be displayed".

You might want to try and capture some traces with Wireshark. This could give you some more insight into what is happening as the request is made.

You may also try with Firefox as a browser, with the HttpFox plugin. I just ran a quick test with an HTTPS website, and it seems to show a good portion of the SSL exchanges. It will not be as telling, but is a lot easier to use than Wireshark. One problem with IE is the "friendly error messages" option, which hides the real server responses and displays some built-in page instead, which tells you nothing really about the problem.

I ran with Firefox HttpFox - it just gets an NS_ERROR_NET_RESET. The catalina.out file shows nothing; I don't see any indication that the server is doing anything with the revocation list when it gets my certificate.
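For readers following this thread, here is what the APR/native connector side of the setup being discussed looks like once clientAuth is replaced by SSLVerifyClient and the revocation options are added. This is an added example, not the poster's server.xml or a configuration from the Tomcat project; every file path is a placeholder, and the attribute names are the ones documented for the Tomcat 6/7 APR connector (linked above).

```xml
<!-- Added example, not the poster's configuration. Assumes the Tomcat Native
     (APR) library is loaded; all file paths are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true"
           SSLProtocol="TLSv1"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           <!-- PEM bundle: the root CA plus every intermediate CA that may
                have issued a user certificate, concatenated into one file -->
           SSLCACertificateFile="/path/to/ca-bundle.pem"
           <!-- APR equivalent of clientAuth="true" on the BIO/NIO connectors -->
           SSLVerifyClient="require"
           <!-- must be at least the chain length root -> intermediate -> user -->
           SSLVerifyDepth="3"
           <!-- PEM bundle of CRLs, one for each CA in the bundle above -->
           SSLCARevocationFile="/path/to/crl-bundle.pem" />
```

Two caveats a practitioner would want when the browser reports a reset right after presenting the certificate, as described above. First, to my knowledge the native connector enables CRL checking for the whole chain once SSLCARevocationFile is set, so OpenSSL rejects the handshake when a CRL for any issuer in the chain (including each intermediate) is missing from the bundle or has expired; with two or three dozen intermediates that is the most common way to end up with exactly this symptom, and the CRL file is only read when the connector starts, so it needs refreshing before the CRLs' nextUpdate passes. Second, the failure happens inside the TLS handshake, before any servlet runs, which is why catalina.out stays silent; `openssl s_client -connect host:8443 -cert user.pem -key user.key -CAfile ca-bundle.pem` prints the TLS alert the server sends, which is far more informative than the browser's generic error page.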
Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4
On 27-11-2012 23:56, Christopher Schultz wrote:

Harm-Jan,

On 11/27/12 3:32 PM, Zorro wrote:
On 27-11-2012 20:00, Christopher Schultz wrote:

Harm-Jan,

On 11/26/12 3:16 PM, Zorro wrote:

I have now this in my server.xml:

For IPv4:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" address="0.0.0.0" />

For IPv6:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" address="::0" />

With this setup I can connect to port 80 over IPv4 and IPv6 to my Linux box.

So, a recap:
* NIO/BIO connector binds to both IPv4 and IPv6 when no address is specified
* APR connector binds only to the IPv6 interface if IPv6 is available, otherwise only IPv4
* Linux vs. Windows is not relevant

Do I have that all right? Or does Linux work as expected (bind to both interfaces) and Windows does not?

Ideally, this should work everywhere:
<Connector port="80" protocol="HTTP/1.1" />
... and listen on both 0.0.0.0:80 and :::80

The only configuration shown by Zorro has two connectors and says that works on Windows.

On a Windows Vista PC I have also installed Tomcat 7.0.32, and the Windows installation set downloaded from tomcat.apache.org uses the Native Library by default. I have not changed anything in the configuration yet, and on that PC a telnet 127.0.0.1 80 is ok while an IPv6 telnet ::1 80 fails.

You mean using the above configuration? So, you have 2 connectors on Windows and one of them doesn't work at all?

Please stop Tomcat, delete all log files, confirm your (2-connector) configuration, start Tomcat, then re-post your Connector configuration and the complete catalina.out log file, plus versions of everything, all at once. Better yet, if you could provide a matrix of configurations that *do* work versus *don't* work, that would be great, too. I'm specifically interested in knowing if this is a generic APR problem, or only APR-on-Windows.

Jeffrey Janner has had problems on Windows (which may be a win32 TCP/IP stack problem), but if it doesn't work on Linux, either, then perhaps it really is a bug with APR or tcnative.

Maybe it's worth it to include it in the documentation of the native library.

Maybe it's worth filing a bug report. If I can get you to cough up full details, it will make it much easier.

-chris

Chris,

This is what I observed.

Tomcat 7.0.32

1. Linux (Fedora 14, gcc 4.5.1, OpenJDK IcedTea6 1.9.10, java version 1.6.0_20)
One connector for port 80 defined without the address attribute:
* NIO/BIO connector binds to both IPv4 and IPv6 when no address is specified
* APR connector binds only to the IPv6 interface if IPv6 is available, otherwise only IPv4

2. Windows Vista (java version 1.7.0_09)
One connector for port 80 defined without the address attribute:
* NIO/BIO connector binds to both IPv4 and IPv6 when no address is specified
* APR connector binds only to the IPv4 interface (not to IPv6).

What about when specifying two connectors, one for IPv4 and one for IPv6?

Chris, André,

Specifying 2 Connectors in the server.xml:

For IPv4:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" address="0.0.0.0" />

For IPv6:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" address="::0" />

1. Linux
* APR connector binds for IPv6 to the IPv6 Connector and for IPv4 to the IPv4 Connector
* NIO/BIO connector binds to the IPv4 Connector

For NIO/BIO the catalina.log shows exceptions:
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-0:0:0:0:0:0:0:0-80]
java.net.BindException: Address already in use /0:0:0:0:0:0:0:0:80
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:406)
    ...

2. Windows Vista
* APR connector binds for IPv6 to the IPv6 Connector and for IPv4 to the IPv4 Connector
* NIO/BIO connector binds to the IPv4 Connector

For NIO/BIO the catalina.log shows exceptions:
28-nov-2012 21:45:55 org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-0:0:0:0:0:0:0:0-80]
java.net.BindException: Address already in use: JVM_Bind /0:0:0:0:0:0:0:0:80
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:406)
    ...

Regards,
Harm-Jan
Re: Using the Tomcat Native Library can only connect over ipv6 But not over ipv4
Zorro wrote:
> [Harm-Jan's message of 28 November, reproduced above, quoted in full]

Maybe I am interpreting this wrong, but in my view this confirms what I was trying to explain before (and again, I am no expert, but I go by what I found by Googling). It goes a bit along these lines (and sorry if I'm mixing up things a bit, I have a cold, I'm tired and want to go to bed; but I'm sure you can correct).

- On an O.S. which has a dual-capable IP stack (meaning basically: an IP stack which is basically IPv6, but can handle IPv4 also):
  - java connectors, when not specifying an address, will bind to both ::0 (IPv6) and 0.0.0.0 (IPv4) (there is no magic there, it's the IP stack that does it).
  - java connectors, when
Re: Tomcat with multiple domains
Hi!

Thanks for your quick and detailed answers. Actually I think I did all the things you mentioned, but it still does not work. So here are the changes I made:

1. I checked that the following entries are in the engine tag:

<Server port="8005" shutdown="SHUTDOWN">
  ...
  <Service name="Catalina">
    ...
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
      <Host name="www.my2nddomain.com" appBase="/opt/apache-tomcat-7.0.32/my2nddomain" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>

2. In the hosts file I altered the entries to

88.84.140.85 www.my2nddomain.com
88.84.140.85 www.my1rstdomain.com

3. I actually did not really understand what you meant by

> Also, since you are using the /etc/hosts file instead of the DNS system, the client (browser) also has those entries in its hosts file. And, as Konstantin pointed out, you don't put the port number in the /etc/hosts file. If you are using DNS for the clients, make sure that it has entries for both hosts, pointing to the same IP address.

I'm not sure if I understand the meaning of DNS in this case correctly. Do you mean a DNS on my local machine or do you mean the DNS on a remote machine? I've got a pure domain hoster and I set an A record entry such that the domain is forwarded to my server / IP address 88.84.140.85. Both domains are actually pointing to this IP address since both are hosted by the same domain hoster. I do not explicitly use DNS on my local machine, at least I did not configure it. And how can the client (browser) have entries in a hosts file?

The current status is that calling www.my1rstdomain.com:8080 points to the webapp installed for www.my2nddomain.com:8080.

2012/11/27 Jeffrey Janner jeffrey.jan...@polydyne.com:
> -Original Message-
> From: Paul van Hoven [mailto:paul.van.ho...@googlemail.com]
> Sent: Tuesday, November 27, 2012 2:13 PM
> To: Tomcat Users List
> Subject: Re: Tomcat with multiple domains
>
>> Thanks for the answer. I followed the tutorial you propose ( http://wiki.apache.org/tomcat/TomcatDevelopmentVirtualHosts ). But it is still not working. Here is my new configuration
>>
>> server.xml
>>
>> <Host name="2nddomain.com" appBase="/opt/apache-tomcat-7.0.32/2nddomain.com" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>>   <Alias>2nddomain.com</Alias>
>>   <Alias>www.2nddomain.com</Alias>
>> </Host>
>>
>> The directory /opt/apache-tomcat-7.0.32/2nddomain.com contains a ROOT.war file.
>>
>> I edited the /etc/hosts file and added the following entries:
>>
>> 88.84.140.88 www.2nddomain.com:8080
>> 88.84.140.88 www.1rstdomain.com:8080
>>
>> Then I restarted the system and the tomcat server. Entering www.2nddomain.com:8080 sends me to 1rstdomain.com. I noticed that the file /opt/apache-tomcat-7.0.32/2nddomain.com/ROOT.war remains untouched by tomcat, at least nothing is extracted from the war file. So what else am I missing here?
>
> Make sure that the new <Host></Host> definition is nested inside the <Engine></Engine> tags. You also do not need the first Alias line. The name= parameter takes care of that mapping for you.
>
> In general, the nesting works this way:
>
> <Server ...>
>   <Service ...>
>     <Connector ... />
>     <Connector ... />
>     <Engine ...>
>       <Host name="host1.com" ...>
>         <Alias>www.host1.com</Alias>
>       </Host>
>       <Host name="www.host2.com" ...>
>         <Alias>host2.com</Alias>
>       </Host>
>       <Host name="www.myhost.com" ... />
>     </Engine>
>   </Service>
> </Server>
>
> There are a myriad other tag sets that could be included in there, and it's very important that they be nested properly to work properly.
>
> Also, since you are using the /etc/hosts file instead of the DNS system, the client (browser) also has those entries in its hosts file. And, as Konstantin pointed out, you don't put the port number in the /etc/hosts file.
>
> If you are using DNS for the clients, make sure that it has entries for both hosts, pointing to the same IP address.