Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
Christopher Schultz wrote:
> André,
>
> On 3/23/15 11:26 AM, André Warnier wrote:
>> Christopher Schultz wrote:
>>> Chuck,
>>>
>>> On 3/23/15 10:33 AM, Caldarale, Charles R wrote:
>>>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>>>> Subject: Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
>>>>>
>>>>> Really? The Tomcat ROOT web application is taking up 3 times as much heap space in Tomcat 6 as Tomcat 7?
>>>>
>>>> Just remember that the numbers out of top are at best approximations, and, as Rainer pointed out, not taking measurements immediately after a GC is a guarantee of an apples versus oranges comparison. The appropriate tools (e.g., VisualVM) must be used for any rational analysis.
>>>
>>> +1
>>>
>>> The output of top and ps are completely irrelevant. The very minimum would be the output of jmap -heap, and only after a full GC were to have been run.
>>
>> The appropriate java-specific tools must certainly be used to find out /what/ is using this memory inside the JVM. But qualifying the output of top or ps as irrelevant is probably a bit over the top. After all, they do indicate how much the JVM is (approximately) using from an OS perspective, and that is probably not totally irrelevant here.
>
> With no heap size hints, you will get the JVM's default for that environment. Tomcat's memory usage profile may have changed between versions, and the JVM is under no contract to do things exactly the same way every time when it comes to GC activity. Just because the process is taking 512MiB of virtual memory doesn't mean that Tomcat is using all of that heap. If you look, you may find that the heap is 90% empty. In that case, the output of top/ps is irrelevant. If you want to make sure that the JVM doesn't take more than a certain amount of memory, you have to tell it that.
>
>> I wanted to see the respective startup commands to check if there wasn't some change in the default startup script switches (like -Xms/-Xmx) which would explain the difference. But apparently not. Even if a GC would make the two look less different, the question would remain as to why one Tomcat would need a GC for that, and the other not.
>
> It depends upon how many minor GCs happen and when: some relatively short-lived objects may be promoted to the old generation more quickly in Tomcat 7. One particular thing I can think of that changed was the way annotation and SCI scanning is done: that produces a TON of garbage on startup.

I understand all that. But the basic view, from a sysadmin's point of view is this :

Tomcat 6 (6.0.28)
Virtual Memory: 6772 MB
Resident Memory: 81 MB

Tomcat 7 (7.0.54)
Virtual Memory: 6778 MB
Resident Memory: 148 MB

Presumably, the above numbers are taken some time (minutes ?) after the respective Tomcat starts, with only the basic standard ROOT application.
So whatever it is due to in Java, as a sysadmin one could legitimately wonder why Tomcat 7 seems to need some 70 MB more resident memory than Tomcat 6, no ?
And it is the same platform and the same Java JVM, so the startup defaults of the JVM themselves should be the same. And there are no heap size hints in one case or the other.
I mean, we are talking about 70 million bytes per instance here, not just some little bit of garbage left and right.
Does figuring this out really require going through the heap dump taking/analysis scenario ?
In my naive view, I would have imagined that if there was such a jump between one version and the other (neither of them really young), it would have been obvious already to someone else, and the explanation would have been known already.
I guess maybe the fundamental question here is : is the above normal and expected, or is there some as-yet mysterious reason for which this happens on the OP's system and nowhere else ?
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
> Hello,
>
> I'm trying to get SPNEGO authentication working with Tomcat 8.
>
> I've followed the guidelines on the website.
>
> jaas.conf
>
> com.sun.security.jgss.krb5.initiate {...};
>
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal=HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
>     useKeyTab=true
>     keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab
>     storeKey=true;
> };
>
> krb5.ini
>
> [libdefaults]
> default_realm = KERBTEST.LOCAL
> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> KERBTEST.LOCAL = {
>     kdc = Server2012dc.kerbtest.local:88
> }
>
> [domain_realm]
> kerbtest.local= KERBTEST.LOCAL
> .kerbtest.local= KERBTEST.LOCAL
>
> I want to use the tomcat manager app to test SPNEGO with Active Directory, Tomcat is currently installed on the domain controller.

And that may well be the problem.

> It seems like authentication is never completed as in the browser

(which is where ? also on the same host ? what browser are you using ?)
(if it is IE : does it have enable Windows Integrated Authentication checked ? and is the tomcat server recognised as being part of the Intranet zone ?)

Also let us know what kind of platforms are involved at
- the browser level
- the tomcat level
- the KDC level (yes, I know, currently the same as tomcat; but maybe not in future)

Recently I was having some problems also with Kerberos authentication, and while digging the web for information, I remember reading somewhere that it would not work if the browser was on the same host as the server (I do not remember if this counted also for the Tomcat webserver, and I do not remember if this was platform-specific).
But maybe your problem is a variation of the same issue ?
So basically, what I am telling you is to search in Google more specifically for things such as Kerberos and localhost or similar..
Also, get an appropriate browser plugin to be able to really trace what kind of HTTP headers are passed back and forth between the browser and the Tomcat server.

> I get prompted for credentials over and over.

That is where the browser plugin (Fiddler, HttpFox, LiveHttpHeaders, etc..) is invaluable. It will tell you if the browser is even /trying/ to perform Kerberos authentication e.g.

> So there appear two issues :-
> 1. Authentication is not succeeding
> 2. SPNEGO accept header is not currently sent
>
> I have created the tc01 and test users in active directory, and the keytab as instructed.
>
> I run tomcat as tc01 user :-
> runas /env /user:tc01@kerbtest.local startup.bat
>
> Output from running tomcat :-
>
> Server startup in 3443 ms
> 24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html -- false
> 24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html -- false
> 24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html -- false
> 24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html -- true
> 24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html -- false
> 24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html -- false
> 24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html -- false
> 24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html -- true
> 24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> KeyTabInputStream, readName(): kerbtest.local
> KeyTabInputStream, readName(): HTTP
> KeyTabInputStream, readName(): tc01.kerbtest.local
> KeyTab: load() entry length: 74; type: 23
> Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Java config name: C:\Program Files\Apache Software
SPNEGO test configuration with Manager webapp
Hello,

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've followed the guidelines on the website.

jaas.conf

com.sun.security.jgss.krb5.initiate {...};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local= KERBTEST.LOCAL
.kerbtest.local= KERBTEST.LOCAL

I want to use the tomcat manager app to test SPNEGO with Active Directory, Tomcat is currently installed on the domain controller.

It seems like authentication is never completed as in the browser I get prompted for credentials over and over.

So there appear two issues :-
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent

I have created the tc01 and test users in active directory, and the keytab as instructed.

I run tomcat as tc01 user :-
runas /env /user:tc01@kerbtest.local startup.bat

Output from running tomcat :-

Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html -- false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html -- false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html -- false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html -- true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html -- false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html -- false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html -- false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html -- true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): tc01.kerbtest.local
KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=160
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
Pre-Authentication Data:
    PA-DATA type = 16
Pre-Authentication Data:
    PA-DATA type = 15
KdcAccessibility: remove Server2012dc.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
    sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
    suSec is 627351
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
Pre-Authentication Data:
    PA-DATA type = 11
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
Some numbers from a test here on RHEL 6, using Java 1.7.0_76 and TC 6.0.43, 7.0.59 and 8.0.20.

Measurement is taken directly after start (a) plus once after one request to a non-existing page and two full GCs (b). Only manager was deployed, not example webapps or docs. GC was run using

  jcmd PID GC.run

Numbers from ps

        RSSa   RSSb   SZa     SZb     VSZa     VSZb
tc6    62372  68336  272952  273532  1091808  1094128
tc7    63608  70456  271710  271978  1086840  1087912
tc8    72576  79140  272257  272525  1089028  1090100

Differences between TC6 and 7 marginal, differences between tc7 and 8 only noticeable in RSS, around 9MB.

Numbers from jstat -gc.

First Capacity: Semi Spaces start with 512KB and grow to 768.0KB (TC6), 896.0KB (tc7) and 1024.0 (tc8). Those indicate increasing allocations, but are not relevant for total memory use.

        Edena   Edenb   Olda     Oldb     Perma    Permb
tc6    4288.0  6656.0  10688.0  16320.0  21248.0  21248.0
tc7    4288.0  7168.0  10688.0  17904.0  21248.0  21248.0
tc8    6144.0  8640.0  15316.0  21316.0  21248.0  21248.0

Again this is capacity so including garbage and unused. We see that Perm is unchanged. For all versions Eden grows by 2.4-2.9 MB due to allocation activity. Numbers for tc6 and 7 are again very similar, tc8 numbers are slightly higher already after startup. Old (Tenured) grows by about 6-7MB, again very similar for tc 6 and tc 7 and slightly higher for TC 8.

Now for the used numbers after GC, which are more relevant (allocation rates are another topic):

        Edena   Edenb  Olda     Oldb     Perma    Permb
tc6    2910.8  69.3   7231.7   7984.1   13923.0  14429.1
tc7    2326.1  73.8   8504.4   9661.2   13910.1  15340.1
tc8    203.7   60.9   10577.6  12599.7  16183.3  17653.8

So the live objects are Edenb+Oldb:

       Edenb+Oldb
tc6    8053.4
tc7    9735.0
tc8    12660.6

And here we see some increase but the total amount of about 2MB between tc 6 and 7 and about another 3 MB between 7 and 8 seems to be not really problematic. The same holds true for perm, there's an increase of about 1MB between 6 and 7 and 2 MB between 7 and 8.

Finally: where does the difference between RSS, Sz and the sum of heap and eden come from?

Example for TC 8 case b:

RSS: 79140
SZ: 272525

Sum of RSS due to smaps: 79088 so roughly consistent.

S0+S1+E+O+P capacity: 53252, but Rss 40872, so a delta of 38MB to RSS.

smaps entries that can be identified:

Type        Size   Rss
Perm        21248  17656
Old         21316  15040
Eden+S0+S1  10688  8176
libjvm.so   11732  7712 (read-only)

Then about 21 thread stack reservations, total Size 21676, total Rss 2804.

So the delta goes down to 38 - 7.7 - 2.8 = 28MB.

Some more segments, that I can't fully interpret are:

Size   Rss   from-to                    Perm  File
8852   7648  7f281800-7f28188a5000      rw-p
8940   6496  7f281400-7f28148bb000      rw-p
51116  4064  7f283527-7f283845b000      rw-p
2496   2048  7f283500-7f283527          rwxp
1788   1732  7f283d443000-7f283d602000  r--s  .../lib/rt.jar
3304   1444  7f282c00-7f282c33a000      rw-p
784    784   7f283f1d9000-7f283f29d000  rw-p  .../lib/amd64/server/libjvm.so
1564   648   3f6d20-3f6d387000          r-xp  /lib64/libc-2.12.so
536    524   7f283000-7f2830086000      rw-p
272    208   7f283f29d000-7f283f2e1000  rw-p

and those nearly make up the missing 28MB Rss (whatever they are).

Regards,

Rainer
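Rainer's measurement procedure (force a full GC with jcmd, read the spaces from jstat -gc, then attribute the remaining RSS with /proc/PID/smaps) can be scripted so the same numbers come out of every Tomcat version you compare. The script below is an added example, not Rainer's own tooling or anything shipped with Tomcat; it assumes a HotSpot JVM on Linux with jcmd and jstat on the PATH, and the embedded jstat/smaps samples are constructed (the heap figures reuse Rainer's tc8 case b numbers) so the parsing part runs offline.

```python
"""Break a JVM's memory down the way the thread does: force a full GC, read the
heap spaces from jstat -gc, and attribute the process RSS with /proc/PID/smaps.
Added example; assumes HotSpot on Linux with jcmd/jstat available."""
import re
import subprocess
import sys
from collections import defaultdict

# jstat -gc columns: PC/PU are PermGen on Java 7, MC/MU Metaspace on Java 8+.
CAPACITY_COLS = ("S0C", "S1C", "EC", "OC", "PC", "MC")
USED_COLS = ("S0U", "S1U", "EU", "OU")
MAP_HEADER = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Constructed sample of `jstat -gc PID` (heap figures follow Rainer's tc8 case b numbers).
JSTAT_SAMPLE = """\
 S0C    S1C    S0U    S1U      EC       EU        OC         OU       PC     PU    YGC     YGCT    FGC    FGCT     GCT
1024.0 1024.0  0.0    0.0    8640.0    60.9    21316.0   12599.7  21248.0 17653.8      6    0.031   2      0.110    0.141
"""

# Constructed smaps excerpt: one anonymous region plus two file-backed mappings.
SMAPS_SAMPLE = """\
7f2818000000-7f28188a5000 rw-p 00000000 00:00 0
Size:               8852 kB
Rss:                7648 kB
Pss:                7648 kB
7f283d443000-7f283d602000 r--s 00000000 fd:00 1234                       /usr/lib/jvm/jre/lib/rt.jar
Size:               1788 kB
Rss:                1732 kB
7f283f1d9000-7f283f29d000 rw-p 00d3a000 fd:00 5678                       /usr/lib/jvm/jre/lib/amd64/server/libjvm.so
Size:                784 kB
Rss:                 784 kB
"""


def parse_jstat_gc(output):
    """Map the header of `jstat -gc` onto its last sample line: {column: KB}."""
    rows = [line.split() for line in output.strip().splitlines() if line.strip()]
    return dict(zip(rows[0], map(float, rows[-1])))


def heap_capacity_kb(cols):
    """S0+S1+Eden+Old+Perm (or Metaspace) capacity: what the thread sets against RSS."""
    return sum(cols.get(c, 0.0) for c in CAPACITY_COLS)


def heap_used_kb(cols):
    """Occupied heap; right after a full GC this is the live set (Edenb+Oldb above)."""
    return sum(cols.get(c, 0.0) for c in USED_COLS)


def parse_smaps(text):
    """One dict per mapping: address range, permissions, backing path, Size and Rss (KB)."""
    regions, current = [], None
    for line in text.splitlines():
        header = MAP_HEADER.match(line)
        if header:
            current = {"start": int(header.group(1), 16), "end": int(header.group(2), 16),
                       "perms": header.group(3), "path": header.group(4).strip() or "[anon]",
                       "Size": 0, "Rss": 0}
            regions.append(current)
        elif current is not None:
            key, _, value = line.partition(":")
            if key in ("Size", "Rss"):
                current[key] = int(value.split()[0])
    return regions


def rss_by_path(regions):
    """Total (Size, Rss) per backing file; anonymous mappings (heap, stacks) pool under [anon]."""
    totals = defaultdict(lambda: [0, 0])
    for region in regions:
        totals[region["path"]][0] += region["Size"]
        totals[region["path"]][1] += region["Rss"]
    return {path: tuple(v) for path, v in totals.items()}


def total_rss_kb(regions):
    return sum(region["Rss"] for region in regions)


def report(pid):
    """Force a full GC first (as the thread insists), then print the breakdown."""
    subprocess.run(["jcmd", str(pid), "GC.run"], check=True, capture_output=True)
    jstat = subprocess.run(["jstat", "-gc", str(pid)], check=True,
                           capture_output=True, text=True).stdout
    cols = parse_jstat_gc(jstat)
    with open(f"/proc/{pid}/smaps") as smaps:
        regions = parse_smaps(smaps.read())
    capacity, rss = heap_capacity_kb(cols), total_rss_kb(regions)
    print(f"heap capacity {capacity:.0f} KB, used after full GC {heap_used_kb(cols):.1f} KB")
    # Heap RSS can never exceed heap capacity, so this is a floor for non-heap RSS.
    print(f"process RSS {rss} KB, of which at least {rss - capacity:.0f} KB is outside the heap")
    for path, (size, resident) in sorted(rss_by_path(regions).items(),
                                         key=lambda item: -item[1][1])[:15]:
        print(f"{size:>9} {resident:>9}  {path}")


if __name__ == "__main__":
    report(int(sys.argv[1]))
```

Run it as `python3 jvm_mem.py <tomcat pid>` on each Tomcat version after startup; the per-path table is the part Rainer had to assemble by hand from smaps.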
Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 20:47, David Marsh wrote:
> Hi Felix,
>
> Thanks for your help!
>
> I have enabled krb5 and gss debug.
> I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool.
> I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ?
>
> I do not think authentication completes, certainly authorization does not as I cant see the site and get 401 http status.
>
> I have not configured a tomcat realm but I have put the test user a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out at me is spaces in the some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark

> David
>
>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>> From: felix.schumac...@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> On 24.03.2015 at 21:25, David Marsh wrote:
>>> Everything is as described and still not working, except the jaas.conf is :-
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     doNotPrompt=true
>>>     principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>     useKeyTab=true
>>>     keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
>>>     storeKey=true;
>>> };
>>>
>>> com.sun.security.jgss.krb5.accept {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     doNotPrompt=true
>>>     principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>     useKeyTab=true
>>>     keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
>>>     storeKey=true;
>>> };
>>
>> In other words the principal is the tomcat server as it should be.
>>
>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>> From: felix.schumac...@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>> Sorry thats :-
>>>>> principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>
>>>> Is it working with this configuration, or just to point out, that you copied the wrong jaas.conf for the mail?
>>>>
>>>> Felix
>>>>
>>>>>> From: dmars...@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +
>>>>>>
>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>
>>>>>> I've created three Windows VMs :-
>>>>>>
>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>
>>>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>
>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>
>>>>>> jaas.conf
>>>>>>
>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>     doNotPrompt=true
>>>>>>     principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>     useKeyTab=true
>>>>>>     keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
>>>>>>     storeKey=true;
>>>>>> };
>>>>>>
>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>     doNotPrompt=true
>>>>>>     principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>     useKeyTab=true
>>>>>>     keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
>>>>>>     storeKey=true;
>>>>>> };
>>>>>>
>>>>>> krb5.ini
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = KERBTEST.LOCAL
>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>> forwardable=true
>>>>>>
>>>>>> [realms]
>>>>>> KERBTEST.LOCAL = {
>>>>>>     kdc = win-dc01.kerbtest.local:88
>>>>>> }
>>>>>>
>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>
>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>
>>>>>> Users were created as instructed.
>>>>>>
>>>>>> Spn was created as instructed
>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>
>>>>>> keytab was created as instructed
>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>
>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE.
>>>>>>
>>>>>> In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>
>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>
>>>>>> Visiting URL from the Test Client VM :-
>>>>>> http://win-tc01.kerbtest.local
>>>>>> in firefox results in 401 three times.
>>>>>>
>>>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>>> The next has an
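The details this thread trips over (an accept principal that names the domain controller instead of the Tomcat host, the SPN passed to setspn, the /princ passed to ktpass, unquoted paths with spaces, and the realm/KDC in krb5.ini) can be cross-checked before Tomcat is even started. The checker below is an added example, not from the thread or from the Tomcat project; it takes the config files as strings, and the embedded jaas.conf and krb5.ini samples are constructed after the configuration posted above, with the setspn and ktpass values assumed to be the ones quoted there.

```python
"""Cross-check a Tomcat SPNEGO setup: the krb5.accept principal in jaas.conf against
the SPN given to setspn, the principal given to ktpass, and krb5.ini's realm and KDC."""
import re

ACCEPT_BLOCK = re.compile(r"com\.sun\.security\.jgss\.krb5\.accept\s*\{(.*?)\}\s*;", re.S)
# A JAAS option value is either "quoted" or runs to the next key=, the ';' or the end.
OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|.+?)(?=\s+\w+\s*=|\s*;|\s*$)', re.S)
PRINCIPAL = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)$")
REALM_BLOCK = re.compile(r"(\S+)\s*=\s*\{([^}]*)\}")

# Constructed after the thread's first posting: the accept principal names the DC
# (win-dc01) although setspn/ktpass were run for win-tc01, and keyTab has unquoted spaces.
JAAS_AS_POSTED = """\
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
"""
JAAS_FIXED = JAAS_AS_POSTED.replace("win-dc01", "win-tc01").replace(
    "keyTab=C:/", 'keyTab="C:/').replace("tomcat.keytab\n", 'tomcat.keytab"\n')
KRB5_INI = r"""
[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab

[realms]
KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
}
"""
SPN = "HTTP/win-tc01.kerbtest.local"                                # setspn -A <SPN> tc01
KTPASS_PRINCIPAL = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"    # ktpass /princ <...>


def parse_accept_options(jaas_text):
    """{option: (value, was_quoted)} for the krb5.accept login module, or None."""
    block = ACCEPT_BLOCK.search(jaas_text)
    if not block:
        return None
    options = {}
    for name, raw in OPTION.findall(block.group(1)):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        options[name] = (raw.strip('"').strip(), quoted)
    return options


def parse_krb5(krb5_text):
    """Minimal krb5.ini reader: [libdefaults] keys plus {realm: {kdc: ...}} from [realms]."""
    sections, current = {}, None
    for line in krb5_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].lower()
            sections[current] = []
        elif stripped and current:
            sections[current].append(stripped)
    libdefaults = {}
    for entry in sections.get("libdefaults", []):
        key, _, value = entry.partition("=")
        libdefaults[key.strip()] = value.strip()
    realms = {name: dict(re.findall(r"(\w+)\s*=\s*(\S+)", body))
              for name, body in REALM_BLOCK.findall("\n".join(sections.get("realms", [])))}
    return libdefaults, realms


def check_spnego(jaas_text, krb5_text, spn, ktpass_principal):
    """Return a list of findings; an empty list means the pieces agree."""
    options = parse_accept_options(jaas_text)
    if options is None:
        return ["jaas.conf: no com.sun.security.jgss.krb5.accept entry"]
    libdefaults, realms = parse_krb5(krb5_text)
    findings = []
    principal = options.get("principal", ("", False))[0]
    parts = PRINCIPAL.match(principal)
    if not parts:
        findings.append(f"jaas.conf: principal {principal!r} is not service/host@REALM")
    else:
        service, host, realm = parts.group("service", "host", "realm")
        if service != "HTTP":
            findings.append(f"jaas.conf: browsers negotiate HTTP/<host>, not {service}/<host>")
        if realm != realm.upper() or libdefaults.get("default_realm", realm) != realm:
            findings.append(f"realm {realm} must be upper case and equal krb5.ini default_realm")
        if "kdc" not in realms.get(realm, {}):
            findings.append(f"krb5.ini: no kdc entry for realm {realm} in [realms]")
        if spn.lower() != f"{service}/{host}".lower():
            findings.append(f"setspn registered {spn} but jaas.conf accepts {service}/{host}")
        if ktpass_principal.lower() != principal.lower():
            findings.append(f"ktpass wrote keys for {ktpass_principal} but jaas.conf names {principal}")
    for name in ("useKeyTab", "storeKey", "doNotPrompt"):
        if options.get(name, ("", False))[0].lower() != "true":
            findings.append(f"jaas.conf: {name}=true expected in the accept entry")
    keytab, quoted = options.get("keyTab", ("", False))
    if any(ch.isspace() for ch in keytab) and not quoted:
        findings.append(f"jaas.conf: keyTab {keytab!r} has spaces but is not quoted (Mark's point)")
    return findings
```

A keytab that loads fine in the Java debug output can still belong to the wrong principal, which is exactly the mismatch the first check reports.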
Re: SPNEGO test configuration with Manager webapp
Hi.
Just nitpicking, but with Kerberos everything has to be just right :

Is the keytab file used by Tomcat owned by the user under which Tomcat runs ? (This may or may not matter under Windows, but it is absolutely mandatory under Linux, so you may want to check).

Also verify that your SPNs are really in the form required by Windows AD/Kerberos. I seem to remember that there was something special there for the form of the services/hostnames, as compared to a Linux-style environment.

tip : (maybe you already did that in a previous post) : there exists a Kerberos command-line utility which allows to check, from the client side, that this client (at the Windows level) can login to the Kerberos DC. Unfortunately, I do not remember its exact name, nor if it is available under Windows. (kinit ?)
(You may need to install the MIT Kerberos binaries for Windows : http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html)

tip : in an environment supposed to do SSO, you are right in thinking that if you see a login dialog from the browser, it is already a sign that something in the settings is not right. That browser login dialog is kind of a browser's last resort if something else before did not work.

Related tip : under Linux, there is a Kerberos config file at the webserver level, and inside it there is a parameter :
KrbMethodK5Passwd on/off
If off, you should never see a browser login dialog (*). If on, you may see one (but see previous tip).
I do not know if the same config file or parameter type is also used under windows/Tomcat/Kerberos.

(*) you may instead just see a blank browser page

This is one of the most complete articles I've seen so far, about what settings are exactly needed at browser level (and what happens otherwise) :
https://ping.force.com/Support/PingIdentityArticle?id=kA340008RiECAU
(make sure that you *really* follow every detail; Kerberos stuff is *really* picky)

More useful pages :
http://web.mit.edu/kerberos/
http://web.mit.edu/kerberos/krb5-1.13/doc/index.html
http://web.mit.edu/kerberos/krb5-latest/doc/user/tkt_mgmt.html#obtaining-tickets-with-kinit
(and display them with klist)

And finally, here is a hodgepodge of pages which I found relevant during a recent bout of fighting with Kerberos auth (that was with Apache httpd, not Tomcat, but the underlying stuff is the same). A lot of information is repeated over these pages, and some of it is contradictory, but it might save you some hours of browsing anyway :
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
https://www.drupal.org/node/2123615
http://stackoverflow.com/questions/19842318/apache-kerberos-authentication-client-didnt-delegate-us-their-credential
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
https://msdn.microsoft.com/library/aa480609.aspx#wss_ch7_kerbtechsupp_topic5
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu
http://seriousbirder.com/blogs/apache-with-kerberos-active-directory-authentication/
http://fluxcoil.net/doku.php/software/kerberos/kerberized_apache
http://serverfault.com/questions/641974/apache-kerberos-authentication-to-active-directory-not-happening-is-krb5kdc-er
http://www.websense.com/content/support/library/shared/v76/auth_service_config/test_ie8.aspx
http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html
http://windowsitpro.com/security/kerberos-active-directory
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
Rainer Jung wrote: Some numbers from a test here on RHEL 6, using Java 1.7.0_76 and TC 6.0.43, 7.0.59 and 8.0.20. Measurement is taken directly after start (a) plus once after one request to a non-existing page and two full GCs (b). Only manager was deployed, not example webapps or docs. GC was run using jcmd PID GC.run Numbers from ps RSSa RSSb SZaSZbVSZaVSZb tc6 62372 68336 272952 273532 1091808 1094128 tc7 63608 70456 271710 271978 1086840 1087912 tc8 72576 79140 272257 272525 1089028 1090100 Differences between TC6 and 7 marginal, differences between tc7 and 8 only noticable in RSS, around 9MB. Numbers from jstat -gc. First Capacity: Semi Spaces start with 512KB and grow to 768.0KB (TC6), 896.0KB (tc7) and 1024.0 (tc8). Those indicate increasing allocations, but are not relevant for total memory use. Edena EdenbOldaOldb Perma Permb tc6 4288.0 6656.0 10688.0 16320.0 21248.0 21248.0 tc7 4288.0 7168.0 10688.0 17904.0 21248.0 21248.0 tc8 6144.0 8640.0 15316.0 21316.0 21248.0 21248.0 Again this is capacity so including garbage and unused. We see that Perm is unchanged. For all versions Eden grows by 2.4-2.9 MB due to allocation activity. Numbers for tc6 and 7 are again very similar, tc8 numbers are slightly higher already after startup. Old (Tenured) grows by about 6-7MB, again very similar for tc 6 and tc 7 and slightly higher for TC 8. Now for the used numbers after GC, which are more relevant (allocation rates are another topic): Edena EdenbOldaOldb Perma Permb tc6 2910.8 69.3 7231.7 7984.1 13923.0 14429.1 tc7 2326.1 73.8 8504.4 9661.2 13910.1 15340.1 tc8 203.7 60.9 10577.6 12599.7 16183.3 17653.8 So the live objects are Edenb+Oldb: Edenb+Oldb tc6 8053.4 tc7 9735.0 tc8 12660.6 And here we see some increase but the total amount of about 2MB between tc 6 and 7 and about another 3 MB between 7 and 8 seems to be not really problematic. The same holds true for perm, there's an increase of about 1MB between 6 and 7 and 2 MB between 7 and 8. 
Finally: where does the difference between RSS, Sz and the sum of heap and eden come from? Example for TC 8 case b:

RSS: 79140
SZ: 272525
Sum of RSS due to smaps: 79088, so roughly consistent.
S0+S1+E+O+P capacity: 53252, but Rss 40872, so a delta of 38MB to RSS.

smaps entries that can be identified:

Type          Size    Rss
Perm         21248  17656
Old          21316  15040
Eden+S0+S1   10688   8176
libjvm.so    11732   7712  (read-only)

Then about 21 thread stack reservations, total Size 21676, total Rss 2804. So the delta goes down to 38 - 7.7 - 2.8 = 28MB.

Some more segments, that I can't fully interpret are:

 Size   Rss  from-to                     Perm  File
 8852  7648  7f281800-7f28188a5000       rw-p
 8940  6496  7f281400-7f28148bb000       rw-p
51116  4064  7f283527-7f283845b000       rw-p
 2496  2048  7f283500-7f283527           rwxp
 1788  1732  7f283d443000-7f283d602000   r--s  .../lib/rt.jar
 3304  1444  7f282c00-7f282c33a000       rw-p
  784   784  7f283f1d9000-7f283f29d000   rw-p  .../lib/amd64/server/libjvm.so
 1564   648  3f6d20-3f6d387000           r-xp  /lib64/libc-2.12.so
  536   524  7f283000-7f2830086000       rw-p
  272   208  7f283f29d000-7f283f2e1000   rw-p

and those nearly make up the missing 28MB Rss (whatever they are).

I don't know how to describe the above, nor the dedication that went into gathering that (and at this late European hour at that). Brilliant? In any case, thank you.

But now, for the mere humans among us, what does it mean in terms of the OP and his original question: why does Tomcat 7 seem to be using 70 MB more memory at startup than Tomcat 6?

Is it:

- it doesn't matter. The numbers shown are wrong, and if you run 10 instances of Tomcat 7 at the same time, you will see that they are not really using 700 MB more than before.

or

- it is normal and expected. Tomcat 7 - because of the new Servlet Spec - needs to borogrove the watchamecalits, and this is using 70 MB more heap than before. In return, you get a 25% performance improvement later..

or

- we have no clue. It does not happen on other machines, so there must be something special on your machine, and to find out what we need heap dumps.

or

- obviously some cleverer and definitive answer derived from Rainer's exhaustive analysis above, and which is?

From the above analysis, I get the impression that there is only really a couple of MB additional memory used as one goes from Tomcat 6 to Tomcat 7 and then to Tomcat 8. And that this can easily be explained by additional things/functionality which each version does, compared to the previous one.

But then, what could explain the 70 MB difference as shown by top? Is it really just illusory?

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
socket not released after error starting Connector
Hello,

I'm using JMX to stop and start the 8443 connector, but it seems that if an error is encountered during the start operation the socket is not being released and subsequent stop operations have no effect, i.e. tomcat continues to hold the socket. This prevents the connector from being restarted as it then gets address already in use errors. (Motivation for doing this is to allow certificates to be updated in keystore and have them take effect without restarting tomcat.)

For example, if the .keystore file is configured with incorrect permissions then the start operation fails with Permission denied.

24-Mar-2015 09:20:50.145 INFO [RMI TCP Connection(3)-127.0.0.1] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [http-nio-8443]
24-Mar-2015 09:20:50.149 SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore Failed to load keystore type JKS with path /Users/gi120958/.keystore due to /Users/gi120958/.keystore (Permission denied)
 java.io.FileNotFoundException: /Users/gi120958/.keystore (Permission denied)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:430)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:336)
    ...

After correcting permissions on .keystore, stop the connector and then attempt to start the connector - but it fails with Address already in use.
24-Mar-2015 09:21:17.162 INFO [RMI TCP Connection(8)-127.0.0.1] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler [http-nio-8443]
24-Mar-2015 09:21:23.494 INFO [RMI TCP Connection(4)-127.0.0.1] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [http-nio-8443]
24-Mar-2015 09:21:23.494 SEVERE [RMI TCP Connection(4)-127.0.0.1] org.apache.coyote.AbstractProtocol.start Failed to start end point associated with ProtocolHandler [http-nio-8443]
 java.net.BindException: Address already in use
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Net.java:444)
    at sun.nio.ch.Net.bind(Net.java:436)
    at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:214)
    at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:343)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:739)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:472)
    at org.apache.coyote.http11.Http11NioProtocol.start(Http11NioProtocol.java:81)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:300)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
    at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1487)
    at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:97)
    at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1328)
    at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1420)
    at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:848)
    at sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:322)
    at sun.rmi.transport.Transport$1.run(Transport.java:177)
    at sun.rmi.transport.Transport$1.run(Transport.java:174)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:556)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:811)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:670)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
24-Mar-2015 09:21:23.494 SEVERE [RMI TCP Connection(4)-127.0.0.1] org.apache.tomcat.util.modeler.BaseModelMBean.invoke Exception invoking method start
 org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
    at
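The failure mode reported above (a start that binds the port, then fails on the keystore, and leaves the socket held so the next start gets "Address already in use") can be reproduced and contrasted with the defensive variant in a few lines. This is an added illustration, not Tomcat's code: the connector is modelled by a plain listening socket plus a file read standing in for the keystore load, the keystore path is constructed in a temporary directory, and a missing file is used in place of the "Permission denied" case so it behaves the same when run as root.

```python
import errno
import os
import socket
import tempfile


def start_connector(port, keystore_path, release_on_failure):
    """Model of a TLS connector start: bind and listen on the port first, then
    load the keystore. Returns (listening_socket_or_None, error_or_None).
    With release_on_failure=False a failed keystore load leaves the socket
    bound, which is the behaviour reported in the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", port))
        srv.listen(5)
        # Stand-in for the keystore load: any OSError here (Permission denied,
        # missing file) aborts the start after the port is already bound.
        with open(keystore_path, "rb") as ks:
            ks.read()
        return srv, None
    except OSError as exc:
        if release_on_failure:
            srv.close()      # hardened: undo the bind before reporting the error
            return None, exc
        return srv, exc      # leaky: the bound socket outlives the failed start


def free_loopback_port():
    """Ask the OS for a currently unused loopback port (for the demo only)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def restart_after_keystore_fix(release_on_failure):
    """Replay the operator's sequence: start fails because the keystore is
    unreadable, the keystore is fixed, the connector is stopped and started
    again. Returns "restart ok" or "restart failed: <errno name>"."""
    port = free_loopback_port()
    with tempfile.TemporaryDirectory() as tmp:
        keystore = os.path.join(tmp, "keystore.jks")  # constructed path
        # 1. First start: keystore unreadable (missing here, "Permission
        #    denied" in the report). The port is already bound at this point.
        first, err = start_connector(port, keystore, release_on_failure)
        if not isinstance(err, FileNotFoundError):
            raise RuntimeError("expected the first start to fail on the keystore")
        # 2. Operator fixes the keystore.
        with open(keystore, "wb") as ks:
            ks.write(b"constructed keystore bytes")
        # 3. "Stop": the failed start never produced a running connector, so a
        #    stop has nothing to close and the leaked socket stays bound.
        # 4. Second start on the same port.
        second, err = start_connector(port, keystore, release_on_failure)
        for s in (first, second):
            if s is not None:
                s.close()
        if err is None:
            return "restart ok"
        return "restart failed: " + errno.errorcode.get(err.errno, str(err.errno))


if __name__ == "__main__":
    print("socket kept on failure  :", restart_after_keystore_fix(False))
    print("socket closed on failure:", restart_after_keystore_fix(True))
```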
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
I understand all that. But the basic view, from a sysadmin's point of view is this:

Tomcat 6 (6.0.28)
Virtual Memory: 6772 MB
Resident Memory: 81 MB

Tomcat 7 (7.0.54)
Virtual Memory: 6778 MB
Resident Memory: 148 MB

What does that Resident exactly mean here? I guess the total heap the java vm has taken after startup? Because that could be quite logical, maybe tomcat 7 needs a lot more data because of that annotation scanning. Doesn't it load in way more classes? All that processing and then also maybe loading in up front way more classes than before will mean that the heap (and non-heap in this scenario) is already way more loaded.

johan
RE: SPNEGO test configuration with Manager webapp
I was using Internet explorer and had added the ip address of the domain controller/tomcat server to the trusted sites list in the Intranet zone. I was not using https. I was using a Windows 8 client VM to talk to a Windows Server 2012 VM.

I have now tried Firefox with SPNEGO and can confirm with this set up I get similar logs and http header WWW-Authenticate: Negotiate is sent. In this test I do not get popup prompt but I still get 401 Http status.

almBase.hasUserDataPermission User data constraint has no restrictions
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=160
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KdcAccessibility: remove Server2012dc.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Tue Mar 24 15:06:51 GMT 2015 1427209611000
  suSec is 507817
  error code is 25
  error Message is Additional pre-authentication required
  sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
  eData provided.
  msgType is 30
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=243
KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=243
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=243
KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3,Attempt =1, #bytes=243
DEBUG: TCPClient reading 1467 bytes
KrbKdcReq send: #bytes read=1467
KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015
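As an added example (not from the thread, and not Tomcat's or the JDK's code), here is a small reader for Java krb5 debug output of the kind quoted above. It walks the AS exchange and reports its outcome: a KRBError with error code 25 (KDC_ERR_PREAUTH_REQUIRED) followed by a re-sent AS-REQ and a KrbAsRep is the normal pre-authentication round trip, not a failure, whereas code 24 or a missing AS-REP is. It also records the encryption types offered by the client, hinted by the KDC and finally used, and flags etype 23 (RC4-HMAC, the ArcFourHmacEType in the log) as weak. The sample log is a constructed excerpt modelled on the output above with one message per line; the etype and KDC error tables come from RFC 4120 and RFC 4757.

```python
import re

# KDC error codes from RFC 4120 section 7.5.9 (subset common in SPNEGO setups).
KDC_ERROR_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                   24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
                   37: "KRB_AP_ERR_SKEW", 68: "KDC_ERR_WRONG_REALM"}
# Encryption type numbers as printed in the debug output; 23 (RC4-HMAC) is deprecated (RFC 8429).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {23}
# Java crypto class named on the "EType:" line, mapped to the etype number it implements.
JAVA_ETYPE_CLASSES = {"ArcFourHmacEType": 23, "Aes128CtsHmacSha1EType": 17,
                      "Aes256CtsHmacSha1EType": 18}

# Constructed excerpt modelled on the Java krb5 debug output quoted in the thread,
# one message per line; it is not the poster's verbatim log.
SAMPLE_LOG = """\
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
KRBError:
 error code is 25
 error Message is Additional pre-authentication required
 sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=243
KrbKdcReq send: #bytes read=1467
KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015
"""


def analyze_krb5_debug(text):
    """Walk the AS exchange in a Java krb5 debug log and report whether the
    service principal obtained its TGT, which KDC errors occurred and which
    encryption types the client offered, the KDC hinted at, and were used."""
    r = {"as_req_count": 0, "error_codes": [], "as_rep_received": False,
         "offered_etypes": [], "kdc_etype_hints": [], "negotiated_etype": None,
         "weak_etypes": [], "tgt_expiry": None, "verdict": ""}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("KrbAsReq creating message"):
            r["as_req_count"] += 1                        # one AS-REQ built
        elif (m := re.match(r"error code is (\d+)$", line)):
            r["error_codes"].append(int(m.group(1)))      # KRB-ERROR from the KDC
        elif line.startswith("KrbAsRep cons in KrbAsReq.getReply"):
            r["as_rep_received"] = True                   # AS-REP decrypted: TGT in hand
        elif (m := re.match(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", line)):
            r["offered_etypes"] = [int(x) for x in m.group(1).split()]
        elif (m := re.match(r"PA-ETYPE-INFO2? etype = (\d+)", line)):
            r["kdc_etype_hints"].append(int(m.group(1)))  # key type the KDC holds
        elif line.startswith("EType: "):
            r["negotiated_etype"] = JAVA_ETYPE_CLASSES.get(line.rsplit(".", 1)[-1])
        elif (m := re.search(r" expiring on (.+)$", line)):
            r["tgt_expiry"] = m.group(1)

    seen = set(r["offered_etypes"]) | set(r["kdc_etype_hints"])
    if r["negotiated_etype"] is not None:
        seen.add(r["negotiated_etype"])
    r["weak_etypes"] = sorted(e for e in seen if e in WEAK_ETYPES)

    unexpected = [c for c in r["error_codes"] if c != 25]
    if r["as_rep_received"]:
        r["verdict"] = "TGT obtained: keytab login for the service principal succeeded"
        if r["error_codes"] == [25]:
            r["verdict"] += " (error code 25 was only the KDC asking for pre-authentication)"
    elif unexpected:
        r["verdict"] = "AS exchange failed: " + ", ".join(
            f"{c} {KDC_ERROR_NAMES.get(c, 'unknown')}" for c in unexpected)
    elif r["as_req_count"]:
        r["verdict"] = "AS exchange incomplete: AS-REQ sent but no AS-REP or terminal error logged"
    else:
        r["verdict"] = "no AS exchange found in log"
    return r


if __name__ == "__main__":
    summary = analyze_krb5_debug(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key:16}: {value}")
    for e in summary["weak_etypes"]:
        print(f"note: weak encryption type in use: {e} ({ETYPE_NAMES[e]})")
```

Run against the constructed log it reports a successful TGT acquisition, so the 401 seen in the browser has to be looked for after this point (the SPNEGO token exchange or the realm/role mapping), and it points out that the service account is keyed with RC4-HMAC only.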
RE: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
Some of the observations during the GC call monitoring / heap dump from JMAP:

Tomcat Version  Stages                      Java Heap Usage  Java Heap Capacity  Virtual memory (by top)  Resident Memory (by top)
Tomcat 6        After tomcat startup        17.18 MB         367.8 MB            6712 MB                  175 MB
                After functional operation  18.77 MB         367.8 MB            6745 MB                  207 MB
                After Operation             45.51 MB         331.0 MB            6745 MB                  235 MB
Tomcat 7        After tomcat startup        57.90 MB         655.8 MB            6795 MB                  423 MB
                After functional operation  97.64 MB         655.8 MB            6828 MB                  558 MB
                After Operation             142.58 MB        1864.0 MB           6828 MB                  1000 MB

Observation:
• Top's reported virtual memory is approximately the same.
• Resident memory correlates with Java heap capacity. Refer to next slide for details.

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, March 24, 2015 9:00 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)

Johan Compagner wrote:
I understand all that. But the basic view, from a sysadmin's point of view is this:

Tomcat 6 (6.0.28)
Virtual Memory: 6772 MB
Resident Memory: 81 MB

Tomcat 7 (7.0.54)
Virtual Memory: 6778 MB
Resident Memory: 148 MB

What does that Resident exactly mean here? I guess the total heap the java vm has taken after startup? Because that could be quite logical, maybe tomcat 7 needs a lot more data because of that annotation scanning. Doesn't it load in way more classes? All that processing and then also maybe loading in up front way more classes than before will mean that the heap (and non-heap in this scenario) is already way more loaded.

That's the kind of thing that I mean. The OP is asking: assuming the same host, the same JVM, the same startup parameters, the same default ROOT application, why does Tomcat 7 seem to be using 70 MB more RAM at startup than Tomcat 6?

The answer can be:

- it doesn't matter. The numbers shown are wrong, and if you run 10 instances of Tomcat 7 at the same time, you will see that they are not really using 700 MB more than before.

or

- it is normal and expected. Tomcat 7 - because of the new Servlet Spec - needs to borogrove the watchamecalits, and this is using 70 MB more heap than before. In return, you get a 25% performance improvement later..

or

- we have no clue. It does not happen on other machines, so there must be something special on your machine, and to find out what we need heap dumps.

or ???

The OP just wants to know which, but instead we are just telling him that he should take heap dumps or examine cryptic memory allocation displays etc.. He may not be averse to that in the end, but some basic preliminary guidance may be helpful.

DISCLAIMER: The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. It shall not attach any liability on the originator or NEC or its affiliates. Any views or opinions presented in this email are solely those of the author and may not necessarily reflect the opinions of NEC or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately.
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
On 24/03/2015 15:04, Johan Compagner wrote:
I understand all that. But the basic view, from a sysadmin's point of view is this:

Tomcat 6 (6.0.28)
Virtual Memory: 6772 MB
Resident Memory: 81 MB

Tomcat 7 (7.0.54)
Virtual Memory: 6778 MB
Resident Memory: 148 MB

What does that Resident exactly mean here? I guess the total heap the java vm has taken after startup? Because that could be quite logical, maybe tomcat 7 needs a lot more data because of that annotation scanning. Doesn't it load in way more classes?

No. It uses byte code scanning to analyse all the classes and then only loads the few that it needs to. This will, as Chris pointed out, generate a huge amount of garbage.

All that processing and then also maybe loading in up front way more classes than before will mean that the heap (and non-heap in this scenario) is already way more loaded.

I would expect Tomcat 7 to load more classes since it has more features (annotation scanning, 2 WebSocket implementations etc.)

Mark
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
On 3/24/2015 10:24 AM, André Warnier wrote:
Christopher Schultz wrote:
André,
On 3/23/15 11:26 AM, André Warnier wrote:
Christopher Schultz wrote:
Chuck,
On 3/23/15 10:33 AM, Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)

Really? The Tomcat ROOT web application is taking up 3 times as much heap space in Tomcat 6 as Tomcat 7?

Just remember that the numbers out of top are at best approximations, and, as Rainer pointed out, not taking measurements immediately after a GC is a guarantee of an apples versus oranges comparison. The appropriate tools (e.g., VisualVM) must be used for any rational analysis.

+1

The output of top and ps are completely irrelevant. The very minimum would be the output of jmap -heap, and only after a full GC were to have been run.

The appropriate java-specific tools must certainly be used to find out /what/ is using this memory inside the JVM. But qualifying the output of top or ps as irrelevant is probably a bit over the top. After all, they do indicate how much the JVM is (approximately) using from an OS perspective, and that is probably not totally irrelevant here.

With no heap size hints, you will get the JVM's default for that environment. Tomcat's memory usage profile may have changed between versions, and the JVM is under no contract to do things exactly the same way every time when it comes to GC activity. Just because the process is taking 512MiB of virtual memory doesn't mean that Tomcat is using all of that heap. If you look, you may find that the heap is 90% empty. In that case, the output of top/ps is irrelevant. If you want to make sure that the JVM doesn't take more than a certain amount of memory, you have to tell it that.

I wanted to see the respective startup commands to check if there wasn't some change in the default startup script switches (like -Xms/-Xmx) which would explain the difference. But apparently not.

Even if a GC would make the two look less different, the question would remain as to why one Tomcat would need a GC for that, and the other not.

It depends upon how many minor GCs happen and when: some relatively short-lived objects may be promoted to the old generation more quickly in Tomcat 7. One particular thing I can think of that changed was the way annotation and SCI scanning is done: that produces a TON of garbage on startup.

I understand all that. But the basic view, from a sysadmin's point of view is this:

Tomcat 6 (6.0.28)
Virtual Memory: 6772 MB
Resident Memory: 81 MB

Tomcat 7 (7.0.54)
Virtual Memory: 6778 MB
Resident Memory: 148 MB

Presumably, the above numbers are taken some time (minutes?) after the respective Tomcat starts, with only the basic standard ROOT application. So whatever it is due to in Java, as a sysadmin one could legitimately wonder why Tomcat 7 seems to need some 70 MB more resident memory than Tomcat 6, no?

And it is the same platform and the same Java JVM, so the startup defaults of the JVM themselves should be the same. And there are no heap size hints in one case or the other.

I mean, we are talking about 70 million bytes per instance here, not

But is this really the usage on a per instance basis, or is it maybe just on the *first* instance, and later instances might be less due to sharing? I don't know, just throwing suggestions against the fan to see what sticks... My gut tells me that it's related to the jar scanning that TC does on start up in v.7 and later, but I haven't done any verification on that, nor do I have the spare cycles to do so.

just some little bit of garbage left and right. Does figuring this out really require going through the heap dump taking/analysis scenario?

In my naive view, I would have imagined that if there was such a jump between one version and the other (neither of them really young), it would have been obvious already to someone else, and the explanation would have been known already.

I guess maybe the fundamental question here is: is the above normal and expected, or is there some as-yet mysterious reason for which this happens on the OP's system and nowhere else?
Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 15:17, David Marsh wrote:
<snip/>

SPNEGO is fickle. Sometimes the smallest change can cause problems.

Set up a test environment as close to the How-To as possible. You should definitely be using three separate machines (or VMs). Get this working. If your test environment doesn't work, figure out what you did wrong. Suggest clarifications to the docs if required. (I know the How-To describes a working system - I wrote the how-to and still have the VMs which I use for testing.)

Once you have that test environment working, start changing it to reflect what you really want one thing at a time. Make sure to log on/off the machine where Tomcat is running (and ideally reboot at least the Tomcat server between each change). I got caught out with this before thinking something was working only for it all to stop working after a reboot.

At some point, you'll get stuck on a change that always breaks things. That would be the point to come back and ask for help telling:
- what config works
- what change you make
- how it stops working

Hopefully, we'll be able to suggest a way forward.

Mark
Re: SPNEGO test configuration with Manager webapp
Mark Thomas wrote:
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,

Thanks for your help!

I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service?

I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status.

I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark

Considering your Kerberos logs, you may want to have a look at this:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
(gotten to by Googling for kerberos preauthentication, as this term seemed to appear in the logs).

To me, your logs (assuming that they are the Tomcat Kerberos logs) would seem to indicate that it is Tomcat who is trying to pre-authenticate to the KDC, and failing to do so (for whatever reason I don't really know).

I am not really a specialist of Kerberos, but from what I understand of it, the first action of a Kerberos client - when it logs in, which in this case could be construed as when Tomcat starts up - is to contact a Kerberos ticket granting server (usually the same as the KDC), and obtain a ticket-granting ticket from it. Then later, when the client wants to access a service, it re-contacts the KDC, passes it this ticket-granting ticket, and requests another ticket to access the desired service. Then it sends this service ticket to the host hosting the desired service, for authentication.

For whatever reason, it looks as if Tomcat is at least trying to get such an initial ticket-granting ticket for itself at start, and failing. Maybe such a ticket is a necessary pre-condition for Tomcat's Kerberos stack, to be able to authenticate tomcat service tickets presented to it later by a browser client?

In terms of debugging what happens, I think that for the time being you should forget the browser clients for a moment, and concentrate on Tomcat and this Kerberos log of his, and find out why these seemingly error-messages appear in the log at start. I would assume that, if everything went as expected, one would see at least some message indicating success, which is not in evidence here for now.

Maybe the SPNs don't match, between the KDC and the Tomcat server? ktlist may be a good tool on both, to list what's there and compare.

David

Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:25, David Marsh wrote:
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:
Sorry that's :-
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
under jaas.conf, it is set to the tomcat server DNS.

Is it working with this configuration, or just to point out, that you copied the wrong jaas.conf for the mail?

Felix

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
Rahul,

On 3/24/15 11:56 AM, Rahul Kumar Singh wrote:
Some of the observations during the GC call monitoring / heap dump from JMAP:
Tomcat Version Stages Java Heap Usage Java Heap Capacity Virtual memory (by top) Resident Memory (by top)

Well, that was a fun game re-formatting that into a spreadsheet. :(

Observation:
* Top's reported virtual memory is approximately the same.
* Resident memory correlates with Java heap capacity. Refer to next slide for details.

What, no next slide?

Anyhow, you can see how top's view is a bit skewed:

Tomcat Version  Java Heap  Resident Memory
Tomcat 6        17.18 MB   175 MB
                18.77 MB   207 MB
                45.51 MB   235 MB
Tomcat 7        57.90 MB   423 MB
                97.64 MB   558 MB
                142.58 MB  1000 MB

In the Tomcat 6 case, there is only 45MiB heap usage and top reports 235MiB. For Tomcat 7, it's 142/1000, so 'top' is off by more than a factor of 5.

If the question is "what is taking up all that space", then the answer is hook-up a memory profiler and look.

If the question is "how do I limit the amount of memory Tomcat's JVM process will take", then the answer is use -Xmx to set the maximum heap size.

If the question really is "what has changed between Tomcat 6.0.whatever and Tomcat 7.0.whatever that could account for every byte of difference in heap usage between the two", I would say that Tomcat's source repository is open to the public including a complete version history, and anyone wishing to answer that question with any degree of certainty is welcome to dig around in there.
-chris
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 3/24/15 10:24 AM, André Warnier wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 3/23/15 11:26 AM, André Warnier wrote: Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chuck, On 3/23/15 10:33 AM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat 7 (7.0.54) memory consuption is very high(3 times) than Tomcat 6 (6.0.28) Really? The Tomcat ROOT web application is taking up 3 times as much heap space in Tomcat 6 as Tomcat 7? Just remember that the numbers out of top are at best approximations, and, as Rainer pointed out, not taking measurements immediately after a GC is a guarantee of an apples versus oranges comparison. The appropriate tools (e.g., VisualVM) must be used for any rational analysis. +1 The output of top and ps are completely irrelevant. The very minimum would be the output of jmap -heap, and only after a full GC were to have been run. The appropriate java-specific tools must certainly be used to find out /what/ is using this memory inside the JVM. But qualifying the output of top or ps as irrelevant is probably a bit over the top. After all, they do indicate how much the JVM is (approximately) using from an OS perspective, and that is probably not totally irrelevant here. With no heap size hints, you will get the JVM's default for that environment. Tomcat's memory usage profile may have changed between versions, and the JVM is under no contract to do things exactly the same way every time when it comes to GC activity. Just because the process is taking 512MiB of virtual memory doesn't mean that Tomcat is using all of that heap. If you look, you may find that the heap is 90% empty. In that case, the output of top/ps is irrelevant. If you want to make sure that the JVM doesn't take more than a certain amount of memory, you have to tell it that. 
I wanted to see the respective startup commands to check if there wasn't some change in the default startup script switches (like -Xms/-Xmx) which would explain the difference. But apparently not.

Even if a GC would make the two look less different, the question would remain as to why one Tomcat would need a GC for that, and the other not.

It depends upon how many minor GCs happen and when: some relatively short-lived objects may be promoted to the old generation more quickly in Tomcat 7. One particular thing I can think of that changed was the way annotation and SCI scanning is done: that produces a TON of garbage on startup.

I understand all that. But the basic view, from a sysadmin's point of view, is this:

Tomcat 6 (6.0.28)
  Virtual Memory: 6772 MB
  Resident Memory: 81 MB

Tomcat 7 (7.0.54)
  Virtual Memory: 6778 MB
  Resident Memory: 148 MB

Presumably, the above numbers are taken some time (minutes?) after the respective Tomcat starts, with only the basic standard ROOT application. So whatever it is due to in Java, as a sysadmin one could legitimately wonder why Tomcat 7 seems to need some 70 MB more resident memory than Tomcat 6, no?

It's a reasonable question but the answer is complicated. As far as the OS is concerned, the Java process has used all that memory. As far as Java is concerned, however, the heap may be (nearly) entirely empty. If Tomcat 7 generates a lot more garbage on startup than Tomcat 6 and the JVM feels like it's got plenty of room to expand the heap (say, there is a whole gig out there untouched, but which it's allowed to grab), then the heap will continue to expand. If a full GC doesn't occur, then long-lived objects that are only necessary during startup will still use up heap space, etc. For most JVMs, even a full GC won't actually shrink the total size of the heap: once the memory has been requested from the OS, it's there forever.

I believe newer JVMs have options to allow that memory to be returned to the OS, but I haven't done very much investigation into those features. Re-sizing the heap is an expensive operation, which is why most of us recommend that -Xmx == -Xms: if you're going to allow the JVM to take that much memory eventually, you may as well do yourself a favor and allocate it all at once on JVM launch.

And it is the same platform and the same Java JVM, so the startup defaults of the JVM themselves should be the same. And there are no heap size hints in one case or the other.

Correct. I suspect that the OP has no idea that the heap will be allowed to grow to whatever its default max size is. Without capping the heap size, it's no wonder the memory seems to climb without bound. I think this is a fundamental ignorance about the way a JVM claims and manages memory.

I mean, we are talking about 70 million bytes per instance here, not just some little bit of garbage left and right. Does figuring this out
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
Johan Compagner wrote:

I understand all that. But the basic view, from a sysadmin's point of view, is this:

Tomcat 6 (6.0.28)
  Virtual Memory: 6772 MB
  Resident Memory: 81 MB

Tomcat 7 (7.0.54)
  Virtual Memory: 6778 MB
  Resident Memory: 148 MB

What does that Resident exactly mean here? I guess the total heap the Java VM has taken after startup? Because that could be quite logical; maybe Tomcat 7 needs a lot more data because of that annotation scanning. Doesn't it load in way more classes? All that processing, and then also maybe loading in up front way more classes than before, will mean that the heap (and non-heap in this scenario) is already way more loaded.

That's the kind of thing that I mean. The OP is asking: assuming the same host, the same JVM, the same startup parameters, the same default ROOT application, why does Tomcat 7 seem to be using 70 MB more RAM at startup than Tomcat 6?

The answer can be:

- it doesn't matter. The numbers shown are wrong, and if you run 10 instances of Tomcat 7 at the same time, you will see that they are not really using 700 MB more than before.

or

- it is normal and expected. Tomcat 7 - because of the new Servlet Spec - needs to borogrove the whatchamacallits, and this is using 70 MB more heap than before. In return, you get a 25% performance improvement later.

or

- we have no clue. It does not happen on other machines, so there must be something special on your machine, and to find out what we need heap dumps.

or ???

The OP just wants to know which, but instead we are just telling him that he should take heap dumps or examine cryptic memory allocation displays etc. He may not be averse to that in the end, but some basic preliminary guidance may be helpful.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
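A way to see the distinction Christopher draws between what the OS reports and what the JVM has actually filled, as an added example (not code from the thread): the script parses the Heap Usage section of `jmap -heap` output, sums committed capacity and used bytes over the generations, and sets them against a resident-set size. The jmap text is a constructed sample in the Java 7/8 HotSpot layout, sized to mimic a mostly-empty committed heap; the 148 MB it is compared with is the Tomcat 7 resident figure quoted in the thread, not a fresh measurement; the function names are mine.

```python
import re

# Constructed sample of `jmap -heap <pid>` output in the Java 7/8 HotSpot
# layout. NOT a measurement from the thread: the sizes are chosen to mimic
# the situation described there (a committed heap that is mostly empty).
SAMPLE_JMAP_HEAP = """\
Heap Configuration:
   MinHeapFreeRatio         = 40
   MaxHeapFreeRatio         = 70
   MaxHeapSize              = 1073741824 (1024.0MB)
   NewSize                  = 1310720 (1.25MB)

Heap Usage:
PS Young Generation
Eden Space:
   capacity = 50331648 (48.0MB)
   used     = 4194304 (4.0MB)
   free     = 46137344 (44.0MB)
   8.333333333333334% used
From Space:
   capacity = 8388608 (8.0MB)
   used     = 0 (0.0MB)
   free     = 8388608 (8.0MB)
   0.0% used
To Space:
   capacity = 8388608 (8.0MB)
   used     = 0 (0.0MB)
   free     = 8388608 (8.0MB)
   0.0% used
PS Old Generation
   capacity = 67108864 (64.0MB)
   used     = 6291456 (6.0MB)
   free     = 60817408 (58.0MB)
   9.375% used
"""

MIB = 2 ** 20
SPACE_RE = re.compile(r"^\s*(capacity|used)\s*=\s*(\d+)\s*\(", re.MULTILINE)
MAX_HEAP_RE = re.compile(r"^\s*MaxHeapSize\s*=\s*(\d+)", re.MULTILINE)


def parse_jmap_heap(text):
    """Return (max_heap, committed, used) in bytes from `jmap -heap` text.

    Every "capacity" line is memory the JVM has already committed for that
    space; "used" is what objects (live or not yet collected) occupy. The
    survivor "To Space" is always empty between GCs, so part of the committed
    heap is empty by design.
    """
    m = MAX_HEAP_RE.search(text)
    max_heap = int(m.group(1)) if m else None
    committed = used = 0
    for key, value in SPACE_RE.findall(text):
        if key == "capacity":
            committed += int(value)
        else:
            used += int(value)
    return max_heap, committed, used


def heap_vs_rss(text, rss_bytes):
    """Set an OS resident-set size against the JVM's own heap accounting."""
    max_heap, committed, used = parse_jmap_heap(text)
    return {
        "max_heap_mb": max_heap / MIB if max_heap else None,
        "committed_mb": committed / MIB,
        "used_mb": used / MIB,
        "heap_pct_used": 100.0 * used / committed if committed else 0.0,
        # Everything -Xmx does not govern: metaspace/permgen, code cache,
        # thread stacks, direct buffers, the JVM itself. Only an estimate:
        # committed heap pages that were never touched are not resident, so
        # this can come out negative when the heap is mostly untouched.
        "non_heap_rss_mb": (rss_bytes - committed) / MIB,
    }


if __name__ == "__main__":
    # 148 MB is the resident figure quoted for Tomcat 7 in the thread; the
    # jmap text it is compared with is the constructed sample above.
    for key, value in heap_vs_rss(SAMPLE_JMAP_HEAP, 148 * MIB).items():
        print(f"{key:>16}: {value}")
```

On a live instance the inputs come from `jcmd <pid> GC.run` followed by `jmap -heap <pid>` (so that "used" reflects only objects that survived a full collection) and `ps -o rss= -p <pid>` (KiB on Linux). A committed heap that is 8% used says the difference between the two Tomcats is mostly room the JVM took because it was allowed to, which is what an explicit `-Xms`/`-Xmx` pair in CATALINA_OPTS pins down.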
Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:25, David Marsh wrote:

Everything is as described and still not working, except the jaas.conf is:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

From: dmars...@outlook.com To: users@tomcat.apache.org Subject: SPNEGO test configuration with Manager webapp Date: Tue, 24 Mar 2015 20:02:04 +
[...]
Visiting URL from the Test Client VM: http://win-tc01.kerbtest.local in Firefox results in 401 three times. Looking at the Network tab in developer tools in Firefox shows a 401 response with a WWW-Authenticate: Negotiate response http header. The next has an Authorization request http header with a long encrypted string.

That means that Tomcat believes it can use Kerberos/SPNEGO, and Firefox is able to get a service ticket for the server and sends it back. That far it is looking promising. But I assume the authentication does not complete, right?

IE still prompts for credentials with a popup, not sure why, as does Chrome. The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites. It seems like authentication is never completed? There are no errors in tomcat logs. Any ideas what is happening and what I can do to troubleshoot?

You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should print out a lot of debug information, which should end up in catalina.out.

Felix
RE: SPNEGO test configuration with Manager webapp
Hi Felix,

Thanks for your help! I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service?

I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status. I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.

David

Date: Tue, 24 Mar 2015 21:39:38 +0100 From: felix.schumac...@internetallee.de To: users@tomcat.apache.org Subject: Re: SPNEGO test configuration with Manager webapp
[...]
RE: SPNEGO test configuration with Manager webapp
Using startup.bat to launch tomcat:

runas /env /user:tc01@kerbtest.local startup.bat

Here are the logs with the kerberos debug:

Server startup in 509 ms
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=164
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=164
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
Pre-Authentication Data:
    PA-DATA type = 16
Pre-Authentication Data:
    PA-DATA type = 15
KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
    sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
    suSec is 441380
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
Pre-Authentication Data:
    PA-DATA type = 16
Pre-Authentication Data:
    PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=247
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt =1, #bytes=247
DEBUG: TCPClient reading 1483 bytes
KrbKdcReq send: #bytes read=1483
KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=164
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=164
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
Pre-Authentication Data:
    PA-DATA type = 16
Pre-Authentication Data:
    PA-DATA type = 15
KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
    sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
    suSec is
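The krb5 debug output Felix suggested is verbose, and the lines that matter are easy to miss in it. The script below is an added example (mine, not from the thread): it reduces `-Dsun.security.krb5.debug=true` output to the keytab entries loaded (encryption type and kvno), the principals looked up, the KDCs contacted, the KRBError codes returned and the tickets obtained, then flags what a practitioner would want to know. The sample lines are constructed after the shapes in David's log, not a copy of it; the function names and finding texts are mine. Encryption-type and error numbers are the RFC 3961/4757/4120 values: 23 is rc4-hmac (keyed from the account's NT hash), 17/18 are AES, and error 25 (KDC_ERR_PREAUTH_REQUIRED) on the first AS-REQ is the normal prompt that makes the JDK retry with PA-ENC-TIMESTAMP.

```python
import re
from collections import Counter

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ETYPES = {1, 3, 23}

# KDC/AP error codes from RFC 4120 that show up most in SPNEGO debugging.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP", 18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED", 24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED",
}
# Error 25 on the first AS-REQ is normal: the KDC demands pre-auth and the
# JDK retries with PA-ENC-TIMESTAMP ("PREAUTH FAILED/REQ, re-send AS-REQ").
EXPECTED_ERRORS = {25}

# Constructed sample, shaped like the sun.security.krb5.debug lines in the
# thread (one record per line, as the JDK prints them). Not David's log.
SAMPLE_LOG = """\
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
KRBError:
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
""".splitlines()

KEYTAB_RE = re.compile(r"KeyTab: load\(\) entry length: \d+; type: (\d+)")
ADDED_KEY_RE = re.compile(r"Added key: (\d+)version: (\d+)")
LOOKING_RE = re.compile(r"Looking for keys for: (\S+)")
KDC_RE = re.compile(r"KrbKdcReq send: kdc=(\S+) (UDP|TCP):(\d+)")
ERR_RE = re.compile(r"error code is (\d+)")
TICKET_RE = re.compile(r"Found ticket for (\S+) to go to (\S+) expiring on (.+)$")


def triage_krb5_debug(lines):
    """Summarise sun.security.krb5.debug output into the facts that matter."""
    summary = {
        "keytab_etypes": Counter(),   # etype -> number of keytab entries loaded
        "key_versions": set(),        # kvno values on the keys that were added
        "principals": set(),          # service principals keys were looked up for
        "kdcs": set(),                # (host, transport, port) actually contacted
        "errors": Counter(),          # KRBError code -> occurrences
        "tickets": [],                # (client, server, expiry) for tickets obtained
        "findings": [],
    }
    for line in lines:
        line = line.strip()
        if m := KEYTAB_RE.match(line):
            summary["keytab_etypes"][int(m.group(1))] += 1
        elif m := ADDED_KEY_RE.match(line):
            summary["key_versions"].add(int(m.group(2)))
        elif m := LOOKING_RE.match(line):
            summary["principals"].add(m.group(1))
        elif m := KDC_RE.match(line):
            summary["kdcs"].add((m.group(1), m.group(2), int(m.group(3))))
        elif m := ERR_RE.match(line):
            summary["errors"][int(m.group(1))] += 1
        elif m := TICKET_RE.match(line):
            summary["tickets"].append(m.groups())

    weak = [ETYPES.get(e, str(e)) for e in summary["keytab_etypes"] if e in WEAK_ETYPES]
    if weak and not any(e in (17, 18) for e in summary["keytab_etypes"]):
        summary["findings"].append(
            "keytab holds only weak etype(s) %s; regenerate with ktpass /crypto AES256-SHA1 "
            "once AES is enabled on the account" % ", ".join(weak))
    if 0 in summary["key_versions"]:
        summary["findings"].append(
            "keys carry kvno 0 (ktpass /kvno 0); confirm it matches the account's key version")
    for code, count in summary["errors"].items():
        if code not in EXPECTED_ERRORS:
            summary["findings"].append(
                f"KDC returned {KRB_ERRORS.get(code, 'unknown')} ({code}) {count}x")
    if not summary["tickets"]:
        summary["findings"].append("no TGT obtained for the service principal: keytab or KDC problem")
    return summary
```

Run on the per-line log as the JDK prints it (David's posted text has the same records), the triage reports a one-entry RC4-only keytab with kvno 0, one expected error 25 per AS-REQ round, and a TGT obtained for HTTP/win-tc01.kerbtest.local, i.e. the service side can authenticate itself to the KDC. What it cannot tell is whether the browser's AP-REQ is accepted, because the posted excerpt ends before any ticket from a client is processed; that is the part of a full log to read next.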
Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:02, David Marsh wrote:

I'm trying to get SPNEGO authentication working with Tomcat 8.
[...]
jaas.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL

The documentation refers to HTTP/win-*tc01*... not *dc01*. This is important. It has to be the alias for the tomcat server!

Regards
Felix
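Felix's point generalises: the SPN registered with setspn, the /princ baked into the keytab by ktpass, the principal in both jaas.conf entries, the account the Windows service runs as, and the host in the URL the browser hits all have to agree, because the browser asks the KDC for a ticket to HTTP/<URL host> and Tomcat can only decrypt that ticket with the key for the same principal. The checker below is an added example (my code, not the project's): it extracts each of those names from the configuration text as posted in the thread and reports disagreements. Run on the first jaas.conf it flags the dc01 principal in both entries; on the corrected tc01 file it reports nothing. Function names and the SERVICE_ACCOUNT constant are mine.

```python
import re
from urllib.parse import urlsplit

# jaas.conf as first posted in the thread: both login entries name the DC.
JAAS_CONF_DC01 = """\
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
"""
# The corrected file from the follow-up: the principal is the Tomcat host.
JAAS_CONF_TC01 = JAAS_CONF_DC01.replace("win-dc01", "win-tc01")

# Commands, service account and URL as given in the thread.
SETSPN_CMD = "setspn -A HTTP/win-tc01.kerbtest.local tc01"
KTPASS_CMD = ("ktpass /out c:\\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL "
              "/princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0")
SERVICE_ACCOUNT = "tc01@kerbtest.local"   # account the Windows service runs as
TEST_URL = "http://win-tc01.kerbtest.local"

ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.DOTALL)
PRINCIPAL_RE = re.compile(r"\bprincipal\s*=\s*\"?([^\s\";]+)")


def jaas_principals(text):
    """Map each JAAS login-entry name to the principal= value inside it."""
    found = {}
    for name, body in ENTRY_RE.findall(text):
        m = PRINCIPAL_RE.search(body)
        if m:
            found[name] = m.group(1)
    return found


def spn_host(spn):
    """'HTTP/host.example@REALM' -> 'host.example' (case-folded)."""
    return spn.split("/", 1)[1].split("@", 1)[0].lower()


def check_spnego_config(jaas_text, setspn_cmd, ktpass_cmd, service_account, url):
    """Return a list of mismatches; an empty list means the names agree."""
    problems = []
    url_host = urlsplit(url).hostname.lower()
    setspn_spn = re.search(r"\s(HTTP/\S+)", setspn_cmd).group(1)
    setspn_user = setspn_cmd.split()[-1].lower()
    ktpass_princ = re.search(r"/princ\s+(\S+)", ktpass_cmd).group(1)
    ktpass_user = re.search(r"/mapuser\s+(\S+)", ktpass_cmd).group(1)

    # The SPN the browser asks the KDC for is HTTP/<host in the URL>.
    if spn_host(setspn_spn) != url_host:
        problems.append(f"setspn registers {setspn_spn} but the URL host is {url_host}")
    if spn_host(ktpass_princ) != url_host:
        problems.append(f"ktpass /princ {ktpass_princ} does not match URL host {url_host}")
    # Keytab key, SPN and running service must all belong to one account.
    if ktpass_user.split("@")[0].lower() != setspn_user:
        problems.append(f"ktpass /mapuser {ktpass_user} is not the setspn account {setspn_user}")
    if service_account.split("@")[0].lower() != setspn_user:
        problems.append(f"service runs as {service_account} but the SPN is on {setspn_user}")
    # Both JAAS entries must log in as that same service principal.
    principals = jaas_principals(jaas_text)
    for entry in ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept"):
        principal = principals.get(entry)
        if principal is None:
            problems.append(f"{entry}: no principal= found")
        elif spn_host(principal) != url_host:
            problems.append(f"{entry}: principal {principal} names the wrong host for {url_host}")
    return problems
```

Name agreement is necessary, not sufficient: the checker cannot see whether the keytab's key and kvno still match the account's password, or whether the SPN is actually present on the account in the directory. `setspn -L tc01` on a domain member and `klist` on the test client (to confirm a ticket for HTTP/win-tc01.kerbtest.local was issued) close those two gaps.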
RE: SPNEGO test configuration with Manager webapp
Everything is as described and still not working, except the jaas.conf is:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

Date: Tue, 24 Mar 2015 21:17:59 +0100 From: felix.schumac...@internetallee.de To: users@tomcat.apache.org Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:
Sorry that's:
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
under jaas.conf, it is set to the tomcat server DNS.

Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?

Felix
[...]
SPNEGO test configuration with Manager webapp
I'm trying to get SPNEGO authentication working with Tomcat 8. I've created three Windows VMs:

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM. I've followed the guidelines on the Apache Tomcat website.

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory. I have tried to keep the setup as basic and vanilla to the instructions as possible. Users were created as instructed.

SPN was created as instructed:

setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed:

ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with Firefox, Chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris. Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM: http://win-tc01.kerbtest.local in Firefox results in 401 three times. Looking at the Network tab in developer tools in Firefox shows a 401 response with a WWW-Authenticate: Negotiate response http header. The next has an Authorization request http header with a long encrypted string.

IE still prompts for credentials with a popup, not sure why, as does Chrome. The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites. It seems like authentication is never completed? There are no errors in tomcat logs. Any ideas what is happening and what I can do to troubleshoot?

I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.

many thanks
David
RE: SPNEGO test configuration with Manager webapp
Sorry that's:

principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

under jaas.conf, it is set to the tomcat server DNS.

From: dmars...@outlook.com To: users@tomcat.apache.org Subject: SPNEGO test configuration with Manager webapp Date: Tue, 24 Mar 2015 20:02:04 +
[...]
Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:05, David Marsh wrote:

Sorry, that's :-

principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

under jaas.conf, it is set to the Tomcat server DNS.

Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?

Felix
RE: SPNEGO test configuration with Manager webapp
I copied the old config file to the mail, yes.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:

Sorry, that's :-

principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

under jaas.conf, it is set to the Tomcat server DNS.

Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?

Felix
Re: Tomcat 7 (7.0.54) memory consumption is very high (3 times) than Tomcat 6 (6.0.28)
On 3/23/2015 11:28 PM, Rahul Kumar Singh wrote:

Also interesting is cat /proc/PID/maps but here one would need to calculate sizes per line from the two hex addresses given at the start of each line. Something like:

cat /proc/PID/maps | perl -n -e '($a,$b)=split(/[- ]/);print hex($b)-hex($a), " ", $_;' | sort -n

(replace PID by the current Tomcat java process id).

Command:

cat /proc/19487/maps | perl -n -e '($a,$b)=split(/[- ]/);print hex($b)-hex($a), " ", $_;' | sort -n > abc.txt

OUTPUT

0d4b8000-0e736000 rw-p 0d4b8000 00:00 0 [heap]
ff60-ffe0 ---p 00:00 0 [vsyscall]
2aaab000-2aab3000 r--s 00061000 09:01 2519920 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/ext/gnome-java-bridge.jar
2aab3000-2aab5000 r--s 6000 09:01 1834753 /opt/tomcat/bin/bootstrap.jar
2aab5000-2aab6000 r--s 5000 09:01 1834758 /opt/tomcat/bin/commons-daemon.jar
2aab6000-2aab8000 r--s 8000 09:01 1834770 /opt/tomcat/bin/tomcat-juli.jar
2aab8000-2aac5000 r-xp 09:01 2519898 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libverify.so
2aac5000-2acc4000 ---p d000 09:01 2519898 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libverify.so
2acc4000-2acc6000 rw-p c000 09:01 2519898 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libverify.so
2acc6000-2acef000 r-xp 09:01 2519877 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libjava.so
2acef000-2aeee000 ---p 00029000 09:01 2519877 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libjava.so
2aeee000-2aef rw-p 00028000 09:01 2519877 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libjava.so
2aef-2aef1000 r--p 2aef 00:00 0
2aef1000-2aef2000 rw-p 2aef1000 00:00 0
2aef2000-2aefa000 rw-s 09:01 2056360 /tmp/hsperfdata_app/19487
2aefe000-2af08000 r-xp 09:01 261147 /lib64/libnss_files-2.5.so
2af08000-2b107000 ---p a000 09:01 261147 /lib64/libnss_files-2.5.so
2b107000-2b108000 r--p 9000 09:01 261147 /lib64/libnss_files-2.5.so
2b108000-2b109000 rw-p a000 09:01 261147 /lib64/libnss_files-2.5.so
2b109000-2b111000 r-xp 09:01 2519899 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libzip.so
2b111000-2b31 ---p 8000 09:01 2519899 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libzip.so
2b31-2b311000 rw-p 7000 09:01 2519899 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libzip.so
2b311000-2b771000 rwxp 2b311000 00:00 0
2b771000-2e311000 rw-p 2b771000 00:00 0
2e311000-2e323000 rw-p 2e311000 00:00 0
2e323000-2e3d1000 rw-p 2e323000 00:00 0
2e3d1000-2e3e rw-p 2e3d1000 00:00 0
2e3e-2e424000 rw-p 2e3e 00:00 0
2e424000-2e51f000 rw-p 2e424000 00:00 0
2e51f000-2f3cd000 rw-p 2e51f000 00:00 0
2f3cd000-2f60c000 rw-p 2f3cd000 00:00 0
2f60c000-2f6ec000 ---p 2f60c000 00:00 0
2f6ec000-2fba2000 rw-p 2f6ec000 00:00 0
2fba2000-2fc9e000 rw-p 2fba2000 00:00 0
2fc9e000-2aaab0b4d000 rw-p 2fc9e000 00:00 0
2aaab0b4d000-2aaab0b5c000 rw-p 2aaab0b4d000 00:00 0
2aaab0b5c000-2aaab0ba rw-p 2aaab0b5c000 00:00 0
2aaab0ba-2aaace81c000 rw-p 2aaab0ba 00:00 0
2aaace81c000-2aaace9d7000 r--s 01c8f000 09:01 2519963 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/rt.jar
2aaace9d7000-2aaad0cd4000 rw-p 2aaace9d7000 00:00 0
2aaad0cd4000-2aaad42a3000 r--p 09:01 2227921 /usr/lib/locale/locale-archive
2aaad42a3000-2aaad42b3000 r-xp 09:01 2519890 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libnio.so
2aaad42b3000-2aaad44b3000 ---p 0001 09:01 2519890 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libnio.so
2aaad44b3000-2aaad44b4000 rw-p 0001 09:01 2519890 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libnio.so
2aaad44b4000-2aaad44c9000 r-xp 09:01 2519889 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libnet.so
2aaad44c9000-2aaad46c9000 ---p 00015000 09:01 2519889 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/amd64/libnet.so
2aaad46c9000-2aaad46ca000 rw-p 00015000 09:01 2519889
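Added example, not from the thread: the perl one-liner above prints one size per mapping, which leaves the reader to add up hundreds of lines by eye. The script below does the same end-minus-start computation and aggregates by kind of mapping, so the share of the JVM's virtual size that is Java heap and other anonymous memory, shared libraries, memory-mapped jars and the C heap is visible at a glance. It assumes the kernel's standard maps line layout (start-end perms offset dev inode path); the function names are mine, and the sample listing is constructed, modelled on the addresses in the output above with the fields the mail archive dropped filled in.

```python
"""Summarize a /proc/PID/maps listing by kind of mapping.

Added example: the same size-per-line computation as the perl one-liner in
the thread (end address minus start address), aggregated per mapping kind.
"""
import re
from collections import defaultdict

# Kernel maps line layout: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Yield (size_bytes, perms, path) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            continue
        yield int(m["end"], 16) - int(m["start"], 16), m["perms"], m["path"].strip()


def classify_mapping(perms, path):
    """Bucket a mapping by what it most likely is, from the JVM's point of view."""
    if path == "[heap]":
        return "c heap (brk)"           # the malloc arena, not the Java heap
    if path.startswith("["):
        return "kernel/special"         # [stack], [vdso], [vsyscall]
    if not path:
        # The JVM mmap()s its Java heap, code cache, metaspace/permgen and
        # thread stacks anonymously; ---p regions are reserved address space
        # that is not committed (e.g. the part of -Xmx the heap has not used).
        return "anonymous rw" if "w" in perms else "anonymous reserved"
    if path.endswith(".jar"):
        return "jar (mmap)"
    if ".so" in path:
        return "shared library"
    return "other file"


def summarize(text):
    """Return {kind: total_bytes} for a maps listing."""
    totals = defaultdict(int)
    for size, perms, path in parse_maps(text):
        totals[classify_mapping(perms, path)] += size
    return dict(totals)


# Constructed listing in the full kernel format (modelled on the addresses in
# the thread's output; the fields the archive dropped are filled in here).
SAMPLE_MAPS = """\
0d4b8000-0e736000 rw-p 00000000 00:00 0                          [heap]
2aab3000-2aab5000 r--s 00006000 09:01 1834753                    /opt/tomcat/bin/bootstrap.jar
2aab8000-2aac5000 r-xp 00000000 09:01 2519898                    /usr/lib/jvm/jre/lib/amd64/libverify.so
2b771000-2e311000 rw-p 00000000 00:00 0
2f60c000-2f6ec000 ---p 00000000 00:00 0
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0          [vsyscall]
"""

if __name__ == "__main__":
    # Run against a live process with: python3 this.py < /proc/PID/maps
    import sys
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAPS
    for kind, size in sorted(summarize(listing).items(), key=lambda kv: -kv[1]):
        print(f"{size / 1024 / 1024:8.2f} MiB  {kind}")
```

The totals are virtual sizes, which is what the perl pipeline measures too; they explain the 6.7 GB virtual figure in the thread but not the resident difference. For resident memory per mapping read /proc/PID/smaps instead, whose Rss: lines give the actually touched pages of each region.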