Yeah, I'm still *not* running Tomcat as root. I ran it as root once to see
if I could tease out any useful error messages, and I probably caused
errors by doing so.

In any case I'll read the docs, and thanks.


On Fri, May 6, 2016 at 12:24 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Matthew,
>
> On 5/5/16 9:09 PM, Matthew Herzog wrote:
> > You said, "the http-bio-8443 endpoint is an HTTP connector, not an
> > AJP13 connector."
> >
> > This is confusing to me because all the tutorials I have read don't
> > say anything about commenting out the line in server.xml that
> > reads:
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> Usually tutorials are written to get you started quickly, and don't
> want to explain what's really going on.
>
> Read the documentation for "redirectPort" on this page:
> https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html
> (or this page)
> https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>
> The redirectPort has meaning, but it's not the meaning you were
> thinking. The real port being used above is 8009. You can set the
> redirect port to 12345 and you will still use port 8009 to connect to
> your AJP connector.
>
> In your case, it appears you are not even using your AJP connector, so
> its configuration is essentially meaningless.
>
> > I had assumed port 8443 was analogous to port 443. Bad assumption
> > on my part.
>
> 8443 is traditionally the port used by non-privileged processes to
> listen for HTTPS requests. That's why you'll likely see a <Connector
> port="8443" SSLEngine="on" secure="true" ... /> somewhere in your
> configuration. In order to use TLS (the modern name for what used to
> be called SSL), you definitely need to have a keystore.
>
> (I suppose you could use NULL authentication and/or key exchange and
> yes, I guess you could use a pre-shared key, but I don't believe
> Tomcat currently supports such setups, and obviously using NULL
> authentication and/or key exchange pretty much means that you aren't
> using encryption, so there's no point in using HTTPS at that point.)
>
> But, really: don't run Tomcat as root. If there's a reason you think
> you should be (or need to be) running Tomcat as root, let us know and
> we'll tell you how to fix that so you don't need to run as root anymore.
>
> Hope that helps,
> - -chris
>
> > On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Matthew,
> >
> > On 5/5/16 5:05 PM, Matthew Herzog wrote:
> >>>> when I run the startup script
> >>>>
> >>>> /usr/bin/java -Djava.security.egd=file:/dev/./urandom
> >>>> -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
> >>>> -XX:+UseConcMarkSweepGC -classpath
> >>>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> >>>> -Dcatalina.base=/usr/share/tomcat
> >>>> -Dcatalina.home=/usr/share/tomcat
> >>>> -Djava.endorsed.dirs=
> >>>> -Djava.io.tmpdir=/var/cache/tomcat/temp
> >>>> -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
> >>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >>>> org.apache.catalina.startup.Bootstrap start
> >>>>
> >>>> I see the following error.
> >>>>
> >>>> SEVERE: Failed to initialize end point associated with
> >>>> ProtocolHandler ["http-bio-8443"]
> >>>>
> >>>> java.io.FileNotFoundException: /root/.keystore (No such file
> >>>> or directory)
> >>>>
> >>>> So if I change my AJP config from
> >>>>
> >>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> >>>>
> >>>> to
> >>>>
> >>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="80" />
> >>>>
> >>>> will I be able to avoid the keystore work? I'm doing a proof
> >>>> of concept so my cluster will never be exposed to the
> >>>> Internet.
> >
> > You are confused about a few things:
> >
> > 1. It's never good to run as root. Stop doing that.
> >
> > 2. The "redirectPort" attribute doesn't have any effect on what
> > ports Tomcat binds to.
> >
> > 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
> > connector.
> >
> > 4. If you want to enable TLS, then yes, you will need a keystore.
> >
> > So, if you don't need HTTPS, then disable whatever connector you
> > have that looks kind of like this:
> >
> > <Connector port="443" secure="true" ... />
> >
> > -chris
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >


-- 
"I am no Einstein."
-- Albert Einstein
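As an added illustration of the three points Chris makes above (redirectPort does not bind anything, only the HTTPS connector needs a keystore, and the keystore path follows the user Tomcat runs as), here is a server.xml connector fragment in Tomcat 8.0 syntax. It is example configuration written for this page, not anything posted in the thread. The keystore path, the password "changeit", and the assumption that Tomcat runs as an unprivileged "tomcat" user with catalina.base at /usr/share/tomcat are all illustrative choices.

```xml
<!-- Added example server.xml fragment (Tomcat 8.0 connector syntax); not from the thread.
     Assumptions: Tomcat runs as the unprivileged "tomcat" user, catalina.base is
     /usr/share/tomcat, and the keystore password is "changeit". -->

<!-- Plain HTTP on an unprivileged port. redirectPort only tells Tomcat where to send a
     client when a request hits a web.xml <security-constraint> that requires
     CONFIDENTIAL transport; it does not make this connector bind or open port 8443. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- AJP/1.3 for a fronting httpd (mod_jk / mod_proxy_ajp). Port 8009 is the port that
     is actually bound; redirectPort is again only a hint for security-constraint
     redirects. If nothing talks AJP to this Tomcat, comment the whole element out:
     an AJP listener nobody uses is just unnecessary attack surface. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- HTTPS. This is the only connector that needs a keystore. When keystoreFile is
     omitted, Tomcat looks for ${user.home}/.keystore, which becomes /root/.keystore
     when Tomcat is started as root; that is where the FileNotFoundException in the
     thread came from. Give it an absolute path that the "tomcat" user can read and
     keep the file outside the webapps tree.
     Create the keystore first (assumed path and password):
       keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
         -keystore /usr/share/tomcat/conf/localhost-rsa.jks -storepass changeit
     If the proof of concept does not need HTTPS at all, comment out this element
     instead; with no TLS connector configured, no keystore is ever opened. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/localhost-rsa.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
```

Two checks worth doing after editing: `ss -ltnp | grep java` (or `netstat`) shows which ports Tomcat actually bound, which should be 8080, 8009 and, only if the HTTPS connector is enabled, 8443, regardless of what any redirectPort says; and `ls -l` on the keystore confirms it is owned by, or at least readable by, the account Tomcat runs as, since a keystore created while logged in as root will often not be.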
