Re: Tomcat 7 SSL Session ID

2012-12-17 Thread Vincent Goelen
Hey,

http://users.telenet.be/goelenv/SSLTomcat.zip

in this link you can find a netbeans project that will generate the fault..
The index.html page will send requests to the index.jsp page, the thread
sleep is just to emulate a long process of a request (like database things,
etc)

Kind regards,
Vincent

2012/12/10 Christopher Schultz ch...@christopherschultz.net


 Martin,

 On 12/10/12 10:22 AM, Martin Gainty wrote:
  we need to get your architect into this discussion
 
  Why is your code implementing 2 different Connections to
  accomplish this functionality when one Connection at a time will
  suffice?

 You have no idea what you are talking about. There is only one
 connection. There is only one connector. The OP is reporting that his
 SSL session id expires long before he is expecting it to expire.

 This has nothing to do with webapps and connectors except he happens
 to have a connector and a webapp.

 -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: JMX with Listener

2012-12-17 Thread Cédric Couralet
2012/12/11 André Warnier a...@ice-sa.com:
 Cédric Couralet wrote:
 ...


 One question, though, in the tomcat doc (for 6.0.x) for the
 JMXRemoteListener, the configuration is :


 -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password

 -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

 while mine is
 -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
 (notice the {} ).

 is it my mistake?



 No, it is not a mistake.  The above are lines extracted from a shell script,
 I presume.
 In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
 The {} form helps to clarify things for the shell when the character which
 *follows* the name of the variable, could be considered by the shell as part
 of the variable name.
 For example in :

 echo something  $my_file_conf

 it is not clear whether the name of the variable is my or my_file or
 my_file_conf.
 (or anything in-between), and by default the shell will use the longer
 possibility.

 Writing this as

 echo something  ${my_file}_conf

 leaves only one possible interpretation.

 In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity
 (because / cannot be part of a variable name), but the form
 ${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone
 to oversights.
 (But it is slightly more work to type, and as programmers are a notoriously
 lazy and hubristic bunch, they rarely go through the trouble).

 I suppose that - just to kid Christopher - I could go on like this, talking
 about interpolation and stuff, but I'll leave it at that because it's
 already late here.


I finally had some time to do some testing.
First, even with useLocalPorts=true, the JmxConnectorServer listens on
all interfaces but won't accept connections from remote hosts. From the
tomcat code, only the rmi client socket is forced to localhost, at
least on tomcat 6.0.x. An RMI server socket could be created to force
listening on a specified interface, but I am not sure of any side
effects.

Second, for my password problem, there was a problem with my
configuration. In the tomcat service for JavaOptions, I had
-Dcom.sun.management.jmxremote.authenticate=true (with a space after
true), so when parsing the system properties in the Listener, the
lines (in the init() method):
   String authenticateValue = System.getProperty(
           "com.sun.management.jmxremote.authenticate", "true");
   authenticate = Boolean.parseBoolean(authenticateValue);
returned false.

This is only a problem with tomcat as a service (on windows); on the
command line I'm guessing the double space won't be taken into account
by the shell.


And now, another problem with this is that I can't reference
catalina.base in those options. I tried:
%CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of these values
is expanded.
Is it possible at all?
It is not so much of a problem, I can write the path by hand, but it
would be nice to have.

Cédric




RE: Tomcat 7 SSL Session ID

2012-12-17 Thread Martin Gainty

Session.SessionTrackingModelListener.java contains
context.setSessionTrackingModes(modes); with no exception handling

/**
 * @param sessionTrackingModes
 * @throws IllegalArgumentException
 *     If sessionTrackingModes specifies
 *     {@link SessionTrackingMode#SSL} in combination with any other
 *     {@link SessionTrackingMode}
 * @throws IllegalStateException
 *     If the context has already been initialised
 * @throws UnsupportedOperationException
 * @since Servlet 3.0 TODO SERVLET3 - Add comments
 */
public void setSessionTrackingModes(Set<SessionTrackingMode>
sessionTrackingModes) throws IllegalStateException, IllegalArgumentException;

Moral of the story... always catch declared Exceptions
Where is the jsp you test with?
Martin
__ Please do not alter or otherwise 
disrupt this communication..thank you
  Date: Mon, 17 Dec 2012 09:47:09 +0100
 Subject: Re: Tomcat 7 SSL Session ID
 From: goel...@gmail.com
 To: users@tomcat.apache.org
 
 Hey,
 
 http://users.telenet.be/goelenv/SSLTomcat.zip
 
 in this link you can find a netbeans project that will generate the fault..
 The index.html page will send requests to the index.jsp page, the thread
 sleep is just to emulate a long process of a request (like database things,
 etc)
 
 Kind regards,
 Vincent
 
 2012/12/10 Christopher Schultz ch...@christopherschultz.net
 
 
  Martin,
 
  On 12/10/12 10:22 AM, Martin Gainty wrote:
   we need to get your architect into this discussion
  
   Why is your code implementing 2 different Connections to
   accomplish this functionality when one Connection at a time will
   suffice?
 
  You have no idea what you are talking about. There is only one
  connection. There is only one connector. The OP is reporting that his
  SSL session id expires long before he is expecting it to expire.
 
  This has nothing to do with webapps and connectors except he happens
  to have a connector and a webapp.
 
  -chris
 
 
  

Re: JMX with Listener

2012-12-17 Thread André Warnier

Cédric Couralet wrote:

2012/12/11 André Warnier a...@ice-sa.com:

Cédric Couralet wrote:
...


One question, though, in the tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is :


-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password

-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

while mine is
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ).

is it my mistake?



No, it is not a mistake.  The above are lines extracted from a shell script,
I presume.
In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
The {} form helps to clarify things for the shell when the character which
*follows* the name of the variable, could be considered by the shell as part
of the variable name.
For example in :

echo something  $my_file_conf

it is not clear whether the name of the variable is my or my_file or
my_file_conf.
(or anything in-between), and by default the shell will use the longer
possibility.

Writing this as

echo something  ${my_file}_conf

leaves only one possible interpretation.

In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity
(because / cannot be part of a variable name), but the form
${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone
to oversights.
(But it is slightly more work to type, and as programmers are a notoriously
lazy and hubristic bunch, they rarely go through the trouble).

I suppose that - just to kid Christopher - I could go on like this, talking
about interpolation and stuff, but I'll leave it at that because it's
already late here.



I finally had some time to do some testing.
First, even with useLocalPorts=true, the JmxConnectorServer listens on
all interfaces but won't accept connections from remote hosts. From the
tomcat code, only the rmi client socket is forced to localhost, at
least on tomcat 6.0.x. An RMI server socket could be created to force
listening on a specified interface, but I am not sure of any side
effects.

Second, for my password problem, there was a problem with my
configuration. In the tomcat service for JavaOptions, I had
-Dcom.sun.management.jmxremote.authenticate=true (with a space after
true), so when parsing the system properties in the Listener, the
lines (in the init() method):
   String authenticateValue = System.getProperty(
           "com.sun.management.jmxremote.authenticate", "true");
   authenticate = Boolean.parseBoolean(authenticateValue);
returned false.

This is only a problem with tomcat as a service (on windows); on the
command line I'm guessing the double space won't be taken into account
by the shell.


And now, another problem with this is that I can't reference
catalina.base in those options. I tried:
%CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of these values
is expanded.
Is it possible at all?
It is not so much of a problem, I can write the path by hand, but it
would be nice to have.



Where do you /set/ CATALINA_BASE ?





Re: tomcat7-maven-plugin

2012-12-17 Thread Josh Gooding
As far as this goes, there is definitely something strange going on, and I
think it points to the SSL self signed cert.  Can someone verify that the
tomcat7 maven plugin works with self signed SSL?

I have setup another TC7 server on a remote BSD VM with the absolute basic
configuration.  Since the first server has the manager application running
on a self signed SSL certificate (not sure if I mentioned that before), I
decided NOT to set it [SSL] up on the new machine, and it works as expected
and can be reproduced on demand.  I notice that when I script the command
using curl, I have to pass it the -k option to get it to work.

I am wondering if that might be the problem that I am seeing, just masked
by the 401 error.  I'm looking in the tomcat logs and I'm not seeing
anything out of the ordinary though.  Maybe that error is only returned by
maven.

Anyone?


On Thu, Dec 13, 2012 at 9:48 AM, Josh Gooding josh.good...@gmail.com wrote:



 On Thu, Dec 13, 2012 at 9:36 AM, Olivier Lamy ol...@apache.org wrote:

 2012/12/13 Josh Gooding josh.good...@gmail.com:
  On Wed, Dec 12, 2012 at 6:05 PM, Olivier Lamy ol...@apache.org wrote:
 
  Good detailed description :-).
 
 
  Hey even I get it right once in a while... ;)
 
 
  I just wonder about the cli you are using ?
 
 
   cli as in command line interface?  - Win 7, CentOS, and Ubuntu terminals,
  and yes I get my fair share of flack for not letting Eclipse just do it.
  Of course I'm a control freak when it comes to my code...
 :-)

 I mean mvn tomcat7:deploy or something else ?
 or you bind deploy to a lifecycle phase ?


 Oh I gotcha.  tomcat7:deploy  I didn't bind the deploy to the life-cycle
 phase yet.  I want to get it working first.


So let me form possibly some better questions here:

1 - Where does the plug in




  
 
  2012/12/12 Josh Gooding josh.good...@gmail.com:
   I didn't want to come here to ask as I always hate to bother anyone, but
   maybe I should have come here first.  I'm coming up short on answers and
   ideas.  I'm having an issue with using maven and the tomcat7 plugin.
  
   Maven version -3.0.4
   Tomcat version - 7.0.29
   .jdk version - 1.6
   tomcat7-maven-plugin version - 2.0
  
   Hey group,  I am having an issue here with using the tomcat7-maven-plugin
   in conjunction with the tomcat 7 manager.  here's what I have so far.
  
   tomcat-users.xml -
  
   <tomcat-users>
     <role rolename="manager-gui"/>
     <role rolename="manager-script"/>
     <role rolename="admin"/>
     <user username="localTomcatAdmin" password="password"
           roles="manager-gui,manager-script,admin"/>
   </tomcat-users>
  
   in my M2_HOME/conf/settings.xml: (note not in my .m2/ directory)
   (I'll get to this definition in a minute)
   <pluginGroups>
     <pluginGroup>org.apache.tomcat.maven</pluginGroup>
   </pluginGroups>
  
   <servers>
     <server>
       <id>LocalTomcatServer</id>
       <username>localTomcatAdmin</username>
       <password>password</password>
     </server>
   </servers>
  
   now for the last piece, in my pom-deploy.xml (parent) I have this:
  
   <plugin>
     <groupId>org.apache.tomcat.maven</groupId>
     <artifactId>tomcat7-maven-plugin</artifactId>
     <version>2.0</version>
     <configuration>
       <server>LocalTomcatServer</server>
       <path>/TripTixRX</path>
       <port>8080</port>
     </configuration>
   </plugin>
  
   I have verified that the manager works with the applied credentials, I can
   login and supply the credentials to my local /manager/html.
  
   The problem is that when I deploy through maven as mvn tomcat7:deploy and
   returns me the dreaded 401 - Unauthorized page with the same credentials.
   It's almost like maven is not parsing the configuration for the plugin
   maybe?
  
   At this point I don't know what to do.  I've turned on verbose output in
   maven and it shows what appears that the plugin is attempting to upload the
   war file twice and returns the 401 page.
  
  
   I also have a question as to getting this to work initially.  I added the
   <pluginGroup>org.apache.tomcat.maven</pluginGroup> to my conf/settings.xml
   to get the tomcat7 plugin to download and work, is this normal or should I
   not have to define it here?  I mean having to change and version maven
   settings.xml files seems a bit counter intuitive for preserving maximum
   portability right, or am I looking at this from the wrong angle?
  
   Any information anyone can provide as to where to look or what could be
   causing this issue, I would be greatly appreciated.
  
   Warmest regards,
  
   - Josh
 
 
 
  --
  Olivier Lamy
  Talend: http://coders.talend.com
  http://twitter.com/olamy | http://linkedin.com/in/olamy
 
 
 



 --
 Olivier Lamy
 Talend: http://coders.talend.com
 http://twitter.com/olamy | 

Re: JMX with Listener

2012-12-17 Thread Cédric Couralet

 Where do you /set/ CATALINA_BASE?

Hum nowhere. Ok my mistake but I set catalina.base as a jvm option and I
would like to reference it in another.  As I say it, I don't think java can
do it so I may be out of luck.


Re: Odd behavior observed on Eclipse's tomcat: added webapp silently ignored...

2012-12-17 Thread Daniel Mikusa
On Dec 16, 2012, at 5:03 PM, Julien Martin wrote:

 Hello,
 
 After adding a webapp (war) to my Eclipse's Tomcat (7.0.34), I
 unfortunately noticed that tomcat does add it to the server but doesn't
 attempt to deploy it!!

Hard to say what's going on here, with the given info.  Couple suggestions...

1.) Try generating a WAR file and deploying it outside of Eclipse?  If this 
works, then you know the problem is with your Eclipse setup.
2.) Try creating a simple test WAR with a Hello World servlet and deploy 
that.  Does it work?

 
 The only suspicious log was the following one:
 
 *ATTENTION: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting
 property 'source' to 'org.eclipse.jst.jee.server:kadjoukor' did not find a
 matching property*

I don't think this will prevent your application from starting.  It's simply 
saying that you have a Context element that has an attribute source, however 
source is not a valid attribute for the Context element.  To correct this, 
locate the Context element that has this attribute and remove it.

For a list of valid properties, see the docs here.

  https://tomcat.apache.org/tomcat-7.0-doc/config/context.html

 *
 *
 FYI, this started occurring after I added the latest tomcat server (7.0.34)
 to eclipse. Also my app is called *kadkjoukor*.

It's likely that the previous version you were using did not check for invalid 
attributes.  Older versions of Tomcat just ignored invalid attributes.

Dan



 
 Can anyone please help?
 
 Regards,
 
 Julien.
 *
 *





Re: Tomcat common and webapp classloader

2012-12-17 Thread Olivier Lamy
Any sample project you could share ? Attach it in a new jira issue.
That will help for debugging your use case.
Thanks

2012/12/16 Antonio Manuel Muñiz Martín amu...@klicap.es:
 Hello.

 I'm giving a try to tomcat6-maven-plugin. Good work guys, it's great!

 I'm getting some strange behavior with classloaders, I think that
 tomcat common classloader is interfering in webapp classloader. I have
 Spring 2.5.5 artifacts at tomcat level (tomcat lib) and Spring 3.1.1
 at webapp level (WEB-INF/lib), and I'm getting errors because 2.5.5 is
 loaded before in the webapp.

 I tried to use delegate = false in the plugin config in order to get
 first the webapp artifacts, but the behavior is the same.

 My plugin config:
 <plugin>
   <groupId>org.apache.tomcat.maven</groupId>
   <artifactId>tomcat6-maven-plugin</artifactId>
   <version>2.0</version>
   <configuration>
     <port>8080</port>
     <path>/app</path>
     <serverXml>src/main/config/server.xml</serverXml>
     <additionalConfigFilesDir>src/main/config/tomcat-conf</additionalConfigFilesDir>
     <systemProperties>
       <JAVA_OPTS>-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf</JAVA_OPTS>
     </systemProperties>
     <delegate>false</delegate>
   </configuration>
   <dependencies>
     <dependency>
       <groupId>es.klicap.clinker</groupId>
       <artifactId>josso-tomcat60-agent</artifactId>
       <version>1.3.0</version>
     </dependency>
   </dependencies>
 </plugin>

 Note that josso-tomcat60-agent is the dependency that I want at tomcat
 level and it gets Spring 2.5.5 transitively.

 Am I using delegate correctly?

 Thanks!

 --
 Antonio Manuel Muñiz Martín
 Software Developer at klicap - ingeniería del puzle

 work phone + 34 954 894 322
 www.klicap.es | blog.klicap.es





-- 
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy




Re: JMX with Listener

2012-12-17 Thread André Warnier

Cédric Couralet wrote:

Where do you /set/ CATALINA_BASE?


Hum nowhere. Ok my mistake but i set catalina.base as a jvm options and I
would like to reference it in another.  As I say it, I don't think java can
do it so i may be out of luck.



When you run Tomcat 7 as a Service, you run in fact the program tomcat7.exe.
This program is a service wrapper.  It contains the necessary plumbing to behave like a 
Service for Windows, and itself then runs the Java VM which runs Tomcat.
When it starts the Java VM, it also provides it with run parameters, which it takes from 
the Windows Registry.
Tomcat7.exe is a renamed copy of the Apache prunsrv program, of which more info here : 
http://commons.apache.org/daemon/procrun.html


That's one part of it.

The second part is the tomcat7w.exe program. That is also a renamed version of the 
prunmgr program of the same Apache procrun project.
This program is a GUI Registry editor, which /sets/ the parameters in the Registry, that 
tomcat7.exe will later read and interpret to run the JVM.


More info here : 
http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

To remove/install the Tomcat7 service, you can run the service.bat command-file in 
(tomcat_dir)/bin.  Now /this/ command-file is a Windows command-file, and it looks in the 
Windows environment of the process in which you run it, for a value %CATALINA_BASE%.
And then it uses that value to set the appropriate parameters to run the tomcat7.exe 
program in install service mode (which initially sets the Registry parameters).


So if you open a command window, set the CATALINA_BASE variable, and then run the 
service.bat script to create the service, that would probably do what you want.


Later if you want to change it, you can probably do this by running tomcat7.exe with the 
//US (update service) switch (see the doc).






Re: JMX with Listener

2012-12-17 Thread Cédric Couralet
2012/12/17 André Warnier a...@ice-sa.com:
 Cédric Couralet wrote:

 Where do you /set/ CATALINA_BASE?


 Hum nowhere. Ok my mistake but i set catalina.base as a jvm options and I
 would like to reference it in another.  As I say it, I don't think java
 can
 do it so i may be out of luck.


[snip great explanation on tomcat as a windows service]

 Later if you want to change it, you can probably do this by running
 tomcat7.exe with the //US (update service) switch (see the doc).


Thank you for all this :)
I know I can probably do it by updating (or uninstall/install) the
service, but I was wondering if one could set a jvm option like
-Dtest=true and then reference it in another Java option like
-Dtest2=${test}, but it is far from being a question on topic.

My initial problem is resolved:
 - JMXRemoteLifecycleListener listens on all interfaces - seems normal,
as any connection from remote hosts seems to be rejected.
 - the authenticate=true was not taken into account by tomcat - it
was due to a space after the true in the java_options for the
service. That space causes the line
authenticate=Boolean.parseBoolean(authenticateValue) to return false.
It can't happen when running on the command line, as the spaces will be
considered as one by the shell.

Thanks everyone for the big help.

Cédric
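
The fail-open behaviour described in this thread, as an added example (not code from the original posts or from Tomcat): Boolean.parseBoolean returns false for anything other than a case-insensitive "true", so a trailing space in the service's Java options silently turns JMX authentication off. The class name and the parseStrict and findPaddedJmxProperties helpers are hypothetical, and the property values are constructed samples.

```java
// Added example; JmxAuthFlagDemo, parseStrict and findPaddedJmxProperties are
// hypothetical names, not part of Tomcat's JmxRemoteLifecycleListener.
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;

public class JmxAuthFlagDemo {

    static final String PROP = "com.sun.management.jmxremote.authenticate";

    // Lenient parsing as quoted in the thread: any value that is not exactly
    // "true" (ignoring case) becomes false, so authentication fails open.
    static boolean parseLenient(String raw) {
        return Boolean.parseBoolean(raw);
    }

    // Strict parsing: trim surrounding whitespace, accept only true/false,
    // and throw on anything else so a typo cannot disable authentication.
    static boolean parseStrict(String name, String raw) {
        if (raw == null) {
            return true; // same default as the quoted code: authenticate
        }
        String v = raw.trim().toLowerCase(Locale.ROOT);
        switch (v) {
            case "true":
                return true;
            case "false":
                return false;
            default:
                throw new IllegalArgumentException(
                        "Invalid boolean for " + name + ": '" + raw + "'");
        }
    }

    // Startup check: list every JMX remote property whose value carries
    // leading or trailing whitespace, the condition that caused the problem.
    static List<String> findPaddedJmxProperties(Properties props) {
        List<String> padded = new ArrayList<>();
        for (String name : props.stringPropertyNames()) {
            String value = props.getProperty(name);
            if (name.startsWith("com.sun.management.jmxremote.")
                    && !value.equals(value.trim())) {
                padded.add(name);
            }
        }
        return padded;
    }

    public static void main(String[] args) {
        // Constructed sample values, standing in for what a service wrapper
        // hands to the JVM when an option line has stray whitespace or a typo.
        String[] samples = { "true", "true ", " TRUE", "false", "ture" };
        for (String raw : samples) {
            String strict;
            try {
                strict = String.valueOf(parseStrict(PROP, raw));
            } catch (IllegalArgumentException e) {
                strict = "rejected";
            }
            System.out.printf("%-9s lenient=%-5s strict=%s%n",
                    "'" + raw + "'", parseLenient(raw), strict);
        }

        // Constructed property set for the startup check.
        Properties props = new Properties();
        props.setProperty(PROP, "true ");
        props.setProperty("com.sun.management.jmxremote.ssl", "false");
        props.setProperty("catalina.base", "C:\\tomcat ");
        System.out.println("Padded JMX properties: "
                + findPaddedJmxProperties(props));
    }
}
```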




Re: Tomcat 7 SSL Session ID

2012-12-17 Thread Vincent Goelen
If you run the test.jsp page.. When you send a request and interrupt it
while it's processing.. For example by pressing the stop loading button
immediately after sending the request or by pressing the refresh button fast
enough..

When you look what happens then: the SSL connection sends close notifies
which should make sure no more data is sent over the connection..
This does happen, the client has sent its TCP close packet and after that
it receives application data from the server while it shouldn't do that
according to the ssl specs.. When the client receives this application data
after the connection is already closed, it sends a TCP rst packet causing
an invalidate of the server...

This problem has nothing to do with not using the exception handling but
seems to me more a problem of Tomcat's priority of TCP specs in front of
SSL specs

2012/12/17 Martin Gainty mgai...@hotmail.com


 Session.SessionTrackingModelListener.java contains
 context.setSessionTrackingModes(modes); with no exception handling

 /**
  * @param sessionTrackingModes
  * @throws IllegalArgumentException
  *     If sessionTrackingModes specifies
  *     {@link SessionTrackingMode#SSL} in combination with any other
  *     {@link SessionTrackingMode}
  * @throws IllegalStateException
  *     If the context has already been initialised
  * @throws UnsupportedOperationException
  * @since Servlet 3.0 TODO SERVLET3 - Add comments
  */
 public void setSessionTrackingModes(Set<SessionTrackingMode>
 sessionTrackingModes) throws IllegalStateException,
 IllegalArgumentException;

 Moral of the story... always catch declared Exceptions
 Where is the jsp you test with?
 Martin
   Date: Mon, 17 Dec 2012 09:47:09 +0100
  Subject: Re: Tomcat 7 SSL Session ID
  From: goel...@gmail.com
  To: users@tomcat.apache.org
 
  Hey,
 
  http://users.telenet.be/goelenv/SSLTomcat.zip
 
  in this link you can find a netbeans project that will generate the
 fault..
  The index.html page will send requests to the index.jsp page, the thread
  sleep is just to emulate a long process of a request (like database
 things,
  etc)
 
  Kind regards,
  Vincent
 
  2012/12/10 Christopher Schultz ch...@christopherschultz.net
 
  
   Martin,
  
   On 12/10/12 10:22 AM, Martin Gainty wrote:
we need to get your architect into this discussion
   
Why is your code implementing 2 different Connections to
accomplish this functionality when one Connection at a time will
suffice?
  
   You have no idea what you are talking about. There is only one
   connection. There is only one connector. The OP is reporting that his
   SSL session id expires long before he is expecting it to expire.
  
   This has nothing to do with webapps and connectors except he happens
   to have a connector and a webapp.
  
   -chris
  
  




Re: Odd behavior observed on Eclipse's tomcat: added webapp silently ignored...

2012-12-17 Thread Pid *
On 16 Dec 2012, at 22:03, Julien Martin bal...@gmail.com wrote:

 Hello,

 After adding a webapp (war) to my Eclipse's Tomcat (7.0.34), I
 unfortunately noticed that tomcat does add it to the server but doesn't
 attempt to deploy it!!

 The only suspicious log was the following one:

 *ATTENTION: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting
 property 'source' to 'org.eclipse.jst.jee.server:kadjoukor' did not find a
 matching property*

It is not a problem, it's just a warning.

Eclipse adds this property to Context elements for its own purposes.


p



 *
 *
 FYI, this started occurring after I added the latest tomcat server (7.0.34)
 to eclipse. Also my app is called *kadkjoukor*.

 Can anyone please help?

 Regards,

 Julien.
 *
 *




Re: Tomcat common and webapp classloader

2012-12-17 Thread Antonio Manuel Muñiz Martín
Hi Olivier,

My fault, I found the problem, I had two spring versions in my dependencies.
However I have another question, could I use dependencies from
non-central repository in the plugin dependencies? It seems like the
plugin only search for dependencies at central.

Thanks,
Antonio.

2012/12/17 Olivier Lamy ol...@apache.org:
 Any sample project you could share ? Attach it in a new jira issue.
 That will help for debugging your use case.
 Thanks

 2012/12/16 Antonio Manuel Muñiz Martín amu...@klicap.es:
 Hello.

 I'm giving a try to tomcat6-maven-plugin. Good work guys, it's great!

 I'm getting some strange behavior with classloaders, I think that
 tomcat common classloader is interfering in webapp classloader. I have
 Spring 2.5.5 artifacts at tomcat level (tomcat lib) and Spring 3.1.1
 at webapp level (WEB-INF/lib), and I'm getting errors because 2.5.5 is
 loaded before in the webapp.

 I tried to use delegate = false in the plugin config in order to get
 first the webapp artifacts, but the behavior is the same.

 My plugin config:
 <plugin>
   <groupId>org.apache.tomcat.maven</groupId>
   <artifactId>tomcat6-maven-plugin</artifactId>
   <version>2.0</version>
   <configuration>
     <port>8080</port>
     <path>/app</path>
     <serverXml>src/main/config/server.xml</serverXml>
     <additionalConfigFilesDir>src/main/config/tomcat-conf</additionalConfigFilesDir>
     <systemProperties>
       <JAVA_OPTS>-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf</JAVA_OPTS>
     </systemProperties>
     <delegate>false</delegate>
   </configuration>
   <dependencies>
     <dependency>
       <groupId>es.klicap.clinker</groupId>
       <artifactId>josso-tomcat60-agent</artifactId>
       <version>1.3.0</version>
     </dependency>
   </dependencies>
 </plugin>

 Note that josso-tomcat60-agent is the dependency that I want at tomcat
 level and it gets Spring 2.5.5 transitively.

 Am I using delegate correctly?

 Thanks!

 --
 Antonio Manuel Muñiz Martín
 Software Developer at klicap - ingeniería del puzle

 work phone + 34 954 894 322
 www.klicap.es | blog.klicap.es





 --
 Olivier Lamy
 Talend: http://coders.talend.com
 http://twitter.com/olamy | http://linkedin.com/in/olamy





-- 
Antonio Manuel Muñiz Martín
Software Developer at klicap - ingeniería del puzle

work phone + 34 954 894 322
www.klicap.es | blog.klicap.es




Re: Tomcat 6.0 - http client

2012-12-17 Thread Christopher Schultz

Vicky,

On 12/14/12 2:12 PM, vicky wrote:
 Thanks guys for responding, from network side there are no issues 
 in fact as confirmed by our Network team

Of /course/ the network team says that the network is fine ;)

 I am accessing my application over http port, i seek your advice
 on tuning my http client with respect to my tomcat

Again, it's likely that your application needs to be tuned, not
Tomcat. If you want to blame Tomcat for overhead, then create a
trivial webapp (or use something from the 'examples' webapp) and run
your load test against that. Then, you'll be tuning Tomcat and not
just randomly changing things and hoping they work.

 1We're using MultiThreadedHttpConnectionManager, In this do you 
 guys have any recommendation/best practices for setting up the 
 parameters like maxHostConnections, maxTotalConnections,connection 
 timeout w.r.t tomcat

Are you using Apache JMeter? Are you running it locally, or over a
network? Please describe your load-test scenario.

 To narrow down response time issue , i took couple of thread dumps 
 ,related to it i have following concerns I am getting hard time in 
 making sense out of thread dumps , please  shed some light on my 
 below queries , Any weblink will be a great help :-

It would help if you were to post one of those.

 2 There were many http threads were in waiting state, is it bad
 ??

That depends upon what waiting means in your thread dump. Different
JVMs and different tools use different words for different things. Sad
but true. Also, RUNNABLE doesn't always mean runnable, which is
frustrating.

 3 In thread dumps there are many types of thread like http 
 ,TP,scheduler etc

 a) when request is received by tomcat which type of thread will
 handle the request.

The names of the threads are affected by a number of different
configuration parameters. Posting the thread dump will help. It would
also help to know if you have an Executor defined.

 b) does there is a different thread type in case we're forwarding a
 request from apache to Tomcat over AJP port

That depends upon your configuration. Please post your Connector
configuration(s).

 c) In case of slow response from an application , what
 ideally we should look in thread dumps

Look at methods that often show up on the top of the call stack.

 Does we should focus on the no. of  HTTP idle threads or scheduler
 threads or something else.

Idle threads should not be a problem. If you have idle threads, then
you either

a) are not providing enough load to your webapp and you can pile more on

or

b) have more threads allocated than requests you are willing to accept
   (e.g. your thread pool is too big)

- -chris



Re: Does maxPostSize has an effect on file upload?

2012-12-17 Thread Christopher Schultz

Nick,

On 12/14/12 4:28 PM, Williams, Nick wrote:
 If it was using the global Content-length header, it would count 
 not only the encoded data bytes, but also the parts separators, 
 headers etc..
 
 So that's nice. It counts only the net data bytes, which is
 easier to compare to the size on disk of a file that you would
 upload.
 
 Indeed. A great explanation for why this would be done, and a much 
 more logical way to do it than just using Content-Length (the
 easy way out).

Also, Tomcat has to fully drain the input stream, anyway, so bombing
earlier by checking the Content-Length doesn't actually improve
anything.

- -chris



Re: [OT] Does maxPostSize has an effect on file upload?

2012-12-17 Thread Christopher Schultz

Nick,

On 12/14/12 5:36 PM, Williams, Nick wrote:
 The way Tomcat is apparently doing it now is much more sensible,
 in my humble opinion, because it does allow a direct and easy 
 comparison with the files being uploaded. And since as per above
 it needs to be kept in some cases anyway, my vote - if I had one
 - would be to not change it.
 
 I must agree with André. The process of base64 encoding a file 
 increases the number of bytes it takes to transmit it. But since
 that is not the actual size of the file, the extra length should
 not be counted towards the post size. The process by which the part
 lengths are added up DECODED is a much more accurate way to do it,
 in my opinion.

Right.

It also protects against uploading a file using gzip encoding where
the actual file is larger than the upload limit.

It also means that uploading a zip bomb[1] can be detected and prevented.

Reasonable people can argue about the appropriateness of the first
point above (is the admin trying to cap the number of bytes uploaded
or the number of bytes effectively placed on the filesystem?) but the
second one is very important to the stability of a server.

 How confusing would it be to a user who uploads a file that is
 1,989,956 bytes to get notified that the file exceeded the 2 MB 
 limit? The user certainly wouldn't understand that his file base64 
 encoded was larger than 2 MB. He would think the site was broken.

Files are rarely uploaded using base64 over HTTP -- that kind of thing
is much more common when using binary-intolerant systems like SMTP.
I'm not sure any normal user-agents can upload using base64, anyway. I
think you basically have identity, compress, gzip, and deflate
content-encodings. Anything done with base64 would have to have a
custom client and the webapp would have to handle the decoding.

- -chris

[1] http://en.wikipedia.org/wiki/Zip_bomb

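The point made in this thread, that a limit applied to decoded bytes catches what a Content-Length check cannot, can be shown with a counting stream wrapper. This is an added example, not Tomcat's code and not part of the original messages; the class names and the 2 MB cap are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class DecodedSizeLimit {

    /** Hypothetical exception: raised as soon as the decoded byte count passes the cap. */
    static class SizeLimitExceededException extends IOException {
        SizeLimitExceededException(long limit) {
            super("decoded upload exceeds " + limit + " bytes");
        }
    }

    /** Counts bytes as they leave the wrapped (already decoding) stream. */
    static class LimitedInputStream extends FilterInputStream {
        private final long limit;
        private long count;

        LimitedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }

        private void account(long n) throws IOException {
            if (n > 0) {
                count += n;
                if (count > limit) {
                    throw new SizeLimitExceededException(limit);
                }
            }
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b >= 0) {
                account(1);
            }
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            account(n);
            return n;
        }

        @Override
        public long skip(long n) throws IOException {
            long skipped = super.skip(n);
            account(skipped);
            return skipped;
        }
    }

    /** Decodes a gzip body; decoding stops within one buffer of the cap. */
    static byte[] readDecoded(InputStream wire, long maxDecoded) throws IOException {
        try (InputStream in = new LimitedInputStream(new GZIPInputStream(wire), maxDecoded)) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** Helper used only to construct the sample request bodies below. */
    static byte[] gzip(byte[] raw) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(raw);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        long limit = 2L * 1024 * 1024; // assumed 2 MB cap

        // Constructed sample bodies: one under the cap once decoded, one far over it.
        byte[] small = gzip(new byte[1_989_956]);
        byte[] oversized = gzip(new byte[32 * 1024 * 1024]);

        byte[] decoded = readDecoded(new ByteArrayInputStream(small), limit);
        System.out.println("small: wire=" + small.length + " decoded=" + decoded.length);

        // The oversized body is only a few tens of kilobytes on the wire, so a
        // check on the transmitted length alone would have accepted it.
        System.out.println("oversized: wire=" + oversized.length);
        try {
            readDecoded(new ByteArrayInputStream(oversized), limit);
            System.out.println("accepted (unexpected)");
        } catch (SizeLimitExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```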



Re: Tomcat 6.0.35, PersistentManager with FileStore - Session file size increases endlessly

2012-12-17 Thread Christopher Schultz



On 12/17/12 1:28 PM, Nico Peters wrote:
 Hi Chris,
 
 the context.xml looks like this:
 
 <?xml version='1.0' encoding='utf-8'?>
 
 <Context>
 
 <!-- Default set of monitored resources -->
 <WatchedResource>WEB-INF/web.xml</WatchedResource>
 
 <Manager className="org.apache.catalina.session.PersistentManager"
 saveOnRestart="true" minIdleSwap="0"

So you want sessions to be purged from memory (and put on the disk)
ASAP? That seems aggressive. I don't think you want to use HttpSession
at all if that's the case.

 maxIdleSwap="60"

Force swap-to-disk after 60 seconds.

 maxIdleBackup="0">

So you want to copy sessions to disk as soon as possible?

 <Store className="org.apache.catalina.session.FileStore" />
 </Manager> </Context>
 
 Unfortunately, I didn't have any more detailed information. I
 haven't thought about dumping the thread, because I had to solve
 the problem fast.
 
 I hope someone has some more information for that incident.

It's tough to tell what might have happened without much information.
Have you performed a read/write test on the disk? Hardware test on the
server?

- -chris



Re: Tomcat common and webapp classloader

2012-12-17 Thread Olivier Lamy
2012/12/17 Antonio Manuel Muñiz Martín amu...@klicap.es:
 Hi Olivier,

 My fault, I found the problem, I had two spring versions in my dependencies.
 However I have another question, could I use dependencies from
 non-central repository in the plugin dependencies? It seems like the
 plugin only search for dependencies at central.

Must work if you declare your repository in pluginRepositories section.

 Thanks,
 Antonio.

 2012/12/17 Olivier Lamy ol...@apache.org:
 Any sample project you could share ? Attach it in a new jira issue.
 That will help for debugging your use case.
 Thanks

 2012/12/16 Antonio Manuel Muñiz Martín amu...@klicap.es:
 Hello.

 I'm giving a try to tomcat6-maven-plugin. Good work guys, it's great!

 I'm getting some strange behavior with classloaders, I think that
 tomcat common classloader is interfering in webapp classloader. I have
 Spring 2.5.5 artifacts at tomcat level (tomcat lib) and Spring 3.1.1
 at webapp level (WEB-INF/lib), and I'm getting errors because 2.5.5 is
 loaded before in the webapp.

 I tried to use delegate = false in the plugin config in order to get
 first the webapp artifacts, but the behavior is the same.

 My plugin config:
 <plugin>
   <groupId>org.apache.tomcat.maven</groupId>
   <artifactId>tomcat6-maven-plugin</artifactId>
   <version>2.0</version>
   <configuration>
     <port>8080</port>
     <path>/app</path>
     <serverXml>src/main/config/server.xml</serverXml>
     <additionalConfigFilesDir>src/main/config/tomcat-conf</additionalConfigFilesDir>
     <systemProperties>
       <JAVA_OPTS>-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf</JAVA_OPTS>
     </systemProperties>
     <delegate>false</delegate>
   </configuration>
   <dependencies>
     <dependency>
       <groupId>es.klicap.clinker</groupId>
       <artifactId>josso-tomcat60-agent</artifactId>
       <version>1.3.0</version>
     </dependency>
   </dependencies>
 </plugin>

 Note that josso-tomcat60-agent is the dependency that I want at tomcat
 level and it gets Spring 2.5.5 transitively.

 Am I using delegate correctly?

 Thanks!

 --
 Antonio Manuel Muñiz Martín
 Software Developer at klicap - ingeniería del puzle

 work phone + 34 954 894 322
 www.klicap.es | blog.klicap.es





 --
 Olivier Lamy
 Talend: http://coders.talend.com
 http://twitter.com/olamy | http://linkedin.com/in/olamy





 --
 Antonio Manuel Muñiz Martín
 Software Developer at klicap - ingeniería del puzle

 work phone + 34 954 894 322
 www.klicap.es | blog.klicap.es





--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy




Re: Tomcat 7.33 update on Windows

2012-12-17 Thread Ed Ludvig
good post

On Wed, Dec 12, 2012 at 8:51 AM, Justin Larose justin.lar...@nexweb.org wrote:

 Konstantin Kolinko knst.koli...@gmail.com wrote on 12/11/2012 09:12:16
 AM:

  From: Konstantin Kolinko knst.koli...@gmail.com
  To: Tomcat Users List users@tomcat.apache.org
  Date: 12/11/2012 09:12 AM
  Subject: Re: Tomcat 7.33 update on Windows
 
  2012/12/11 Justin Larose justin.lar...@nexweb.org:
   I just updated Tomcat 7 from version 7.11 to 7.33 on my windows server but
   when I go to the URL I am seeing 500 error, Cannot load JDBC driver class
   'com.microsoft.sqlserver.jdbc.SQLServerDriver'
   Not sure why. I made a copy of all config directories prior to install and
   copied them all to the new Tomcat home. Below is the full stack.
  
   (...)
  
   root cause
  
   java.lang.ClassNotFoundException:
   com.microsoft.sqlserver.jdbc.SQLServerDriver
  

  What jar contains the above class and whether it is present in your
  installation? I guess you forgot to copy it.

  (It should be placed into Tomcat's lib/ directory).

 Thanks for your help Konstantin.
 It was missing a sql file in the lib directory. It wasn't there when I
 copied the old Tomcat directory so I had to copy it from another server.





Re: Tomcat common and webapp classloader

2012-12-17 Thread Kris Maker
yea should work

On Mon, Dec 17, 2012 at 3:28 PM, Olivier Lamy ol...@apache.org wrote:




RE: Tomcat 7 SSL Session ID

2012-12-17 Thread Esmond Pitt
The peer can't receive the SSL close_notify or the TCP FIN until it has
received all the pending data from the sender. Conversely, if there is any
TCP data in flight back to the sender when the peer receives the
close_notify and FIN it will not be discarded. The response close_notify and
FIN can only be sent after any pending data.

EJP 

-Original Message-
From: Vincent Goelen [mailto:goel...@gmail.com] 
Sent: Tuesday, 18 December 2012 3:52 AM
To: Tomcat Users List
Subject: Re: Tomcat 7 SSL Session ID

If you run the test.jsp page.. When you send a request and interrupt it
while it's processing.. For example by pressing the stop loading button
immediately after sending the request or by pressing the refresh button fast
enough..

When you look what happens then: the SSL connection sends close notifies
which should make sure no more data is sent over the connection..
This does happen, the client has sent its TCP close packet and after that
it receives application data from the server while it shouldn't do that
according to the ssl specs.. When the client receives this application data
after the connection is already closed, it sends a TCP rst packet causing an
invalidate of the server...

This problem has nothing to do with not using the exception handling but
seems to me more a problem of Tomcat's priority of TCP specs in front of SSL
specs

2012/12/17 Martin Gainty mgai...@hotmail.com


 Session.SessionTrackingModelListener.java contains
 context.setSessionTrackingModes(modes); with no exception handling

     /**
      * @param sessionTrackingModes
      * @throws IllegalArgumentException
      *             If sessionTrackingModes specifies
      *             {@link SessionTrackingMode#SSL} in combination with any other
      *             {@link SessionTrackingMode}
      * @throws IllegalStateException
      *             If the context has already been initialised
      * @throws UnsupportedOperationException
      * @since Servlet 3.0 TODO SERVLET3 - Add comments
      */
     public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes)
             throws IllegalStateException, IllegalArgumentException;

 Moral of the story..always catch declared Exceptions
 where is the jsp you test with?
 Martin



How to Enable SSL on Tomcat 7 on Linux Test using curl?

2012-12-17 Thread James Dekker
Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.

I need help setting up SSL on my local tomcat instance.

After looking at the instructions on the official tomcat 7 website:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

I followed the directions like this:

(1) cd $CATALINA_HOME/conf

(2) Create a certificate and store it in a new key store.

keytool -genkey -alias tomcat -keyalg RSA -keystore .jks

(3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
specifying your key store file and password.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="./conf/keystore.jks"
   keystorePass="mypassword"
/>

(4) Export the certificate from the key store.

keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks

When I tried to (which would have been Step # 5) import the certificate
into the trust store.

keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
$JAVA_HOME/jre/lib/security/cacerts

I get the following prompt for my password (after which I entered in
mypassword):

Enter keystore password:

keytool error: java.io.IOException: Keystore was tampered with, or password
was incorrect

(I disregarded this step by the way because I found it on Google but not on
the official Tomcat7-SSL-Howto documentation - please let me know if it's
necessary).

Tomcat's server output:

INFO: Initializing ProtocolHandler [http-bio-8080]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-bio-8443]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-bio-8009]
Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-bio-8080]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-bio-8443]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
INFO: Server startup in 9611 ms

When I go to my bash shell and type this in:

curl -X GET https://localhost:8443

I get the following error output:

curl: (60) Peer certificate cannot be authenticated with known CA
certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a bundle
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Am I missing a step here?

I just want to enable SSL on Tomcat 7 and test it using curl.

Would appreciate it if someone could point me in the right direction.

If you wish to see this posting with better syntax coloring or my full
server.xml, please check out these identical (but with more detail) forum
posts:

http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl

http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux

Happy programming,

James


Re: How to Enable SSL on Tomcat 7 on Linux Test using curl?

2012-12-17 Thread Johanes Soetanto
On 18 December 2012 13:03, James Dekker james.dek...@gmail.com wrote:

 Am I missing a step here?

 I just want to enable SSL on Tomcat 7 and test it using curl.

When I was investigating APR and SSL, i found the link
http://code.google.com/p/jianwikis/wiki/TomcatSSLWithAPR . There is
section almost at the end giving and example of using CURL. Maybe that
will help

Johanes




Re: How to Enable SSL on Tomcat 7 on Linux Test using curl?

2012-12-17 Thread Han Ming Low
I'm not sure about the curl part but I think there is a couple of things
you would want to change.

1) when you use the genkey with -keystore .jks, you should expect a file
named ".jks" (without quotes) to be generated in the /conf directory if you
have CD in as in the step 1. So, the keystoreFile in step 3 should be
keystoreFile=".jks" instead.

If you have configured this correctly, then you should be able to use a
browser and access https://localhost:8443/
Make sure this is working first before proceeding.
If this is working, then any other problem should be with curl instead.

2) when you hit the "Keystore was tampered ..." error, it is because the
password is wrong.
Since you are trying to import the cert in the JVM default cacerts, then
the password should be "changeit" (without quotes)
However, I would think this is unlikely to be of any use because if you are
testing with curl, you need to specify to curl where is the trusted cert
found.
If you are using a java client, then you can define the location of trusted
keystore by specifying the property
-Djavax.net.ssl.trustStore=/path/to/jre/lib/security/cacerts

I believe the error you hit shows that your tomcat is correct but the
parameter defined for curl is not.

Hope this helps.




On Tue, Dec 18, 2012 at 10:03 AM, James Dekker james.dek...@gmail.com wrote:




Re: How to Enable SSL on Tomcat 7 on Linux Test using curl?

2012-12-17 Thread James Dekker
Thanks Mr. Han Ming Low,

But that 2nd line number was a typo, it's supposed to state:

(2) Create a certificate and store it in a new key store.

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Thanks for responding to my inquiry,

James

On Dec 17, 2012, at 6:51 PM, Han Ming Low hanmin...@gmail.com wrote:

 I'm not sure about the curl part but I think there is a couple of things
 you would want to change.
 
 1) when you use the genkey with -keystore .jks, you should expect a file
 name .jks (without quotes) to be generated in the /conf directory if you
 have CD in as in the step 1. So, the keystoreFile in step 3 should be
 keystoreFile=.jks instead.
 
 If you have configure this correctly, then you should be able to use a
 browser and access https://localhost:8443/
 Make sure this is working first before proceeding.
 If this is working, then any other problem should be with curl instead.
 
 2) when you hit the Keystore was tampered ... error, it is because the
 password is wrong.
 Since you are trying to import the cert in the JVM default cacerts, then
 the password should be changeit (without quotes)
 However, I would think this is unlikely to be of any use because if you are
 testing with curl, you need to specify to curl where is the trusted cert
 found.
 If you are using a java client, then you can define the location of trusted
 keystore by specifying the property
 -Djavax.net.ssl.trustStore=/path/to/jre/lib/security/cacerts
 
 I believe the error you hit shows that your tomcat is correct but the
 parameter defined for curl is not.
 
 Hope this helps.
 
 
 
 
 On Tue, Dec 18, 2012 at 10:03 AM, James Dekker james.dek...@gmail.com wrote:
 
 Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.
 
 I need help setting up SSL on my local tomcat instance.
 
 After looking at the instructions on the official tomcat 7 website:
 
 
 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
 
 I followed the directions like this:
 
 (1) cd $CATALINA_HOME/conf
 
 (2) Create a certificate and store it in a new key store.
 
 keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
 
 (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
 specifying your key store file and password.
 
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="./conf/keystore.jks"
   keystorePass="mypassword"
 />
 
 (4) Export the certificate from the key store.
 
 keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
 
 When I tried to (which would have been Step # 5) import the certificate
 into the trust store.
 
 keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
 $JAVA_HOME/jre/lib/security/cacerts
 
 I get the following prompt for my password (after which I entered in
 mypassword):
 
 Enter keystore password:
 
 keytool error: java.io.IOException: Keystore was tampered with, or password
 was incorrect
 
 (I disregarded this step by the way because I found it on Google but not on
 the official Tomcat7-SSL-Howto documentation - please let me know if it's
 necessary).
 
 Tomcat's server output:
 
INFO: Initializing ProtocolHandler [http-bio-8080]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-bio-8443]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-bio-8009]
Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-bio-8080]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-bio-8443]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
INFO: Server startup in 9611 ms
 
 When I go to my bash shell and type this in:
 
curl -X GET https://localhost:8443
 
 I get the following error output:
 
 curl: (60) Peer certificate cannot be authenticated with known CA
 certificates
 More details here: http://curl.haxx.se/docs/sslcerts.html
 
 curl performs SSL certificate verification by default, using a bundle
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
 If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
 If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
 
 Am I missing a step here?
 
 I just want to enable SSL on Tomcat 7 and test it using curl.
 
 Would appreciate it if someone could point me in the right direction.
 
 If you