RE: Re: FW: tomcat 8080 thread not reduced

2017-01-17 Thread smith
Thanks, Philippe

But we never saw the Tomcat busy thread count go high (we monitor at one-minute 
intervals through Nagios using the Tomcat manager result, and it was never higher 
than 10). This is strange.

-Original Message-
From: Philippe Busque [mailto:pbus...@mediagrif.com] 
Sent: Monday, January 16, 2017 8:09 PM
To: users@tomcat.apache.org
Subject: Re: Re: FW: tomcat 8080 thread not reduced

We're having a similar issue with our numerous Tomcat instances.

Our connector config looks like this.

 


Sometimes, the number of active connections would jump very high (up to 190), due 
to some external issues (database lock, etc.) and threads would accumulate.

Even though a connectionTimeout is set, and keepAliveTimeout is therefore set to 
the same value, threads are never released once the problem is resolved until 
Tomcat is restarted. We would end up with maybe 5-10 busy workers, but 190 
idle workers/threads.

I think the issue is related to how the StandardThreadExecutor is implemented. 
The StandardThreadExecutor is a front for the default Java ThreadPoolExecutor.  
If I'm not mistaken, ThreadPoolExecutor is distributing work in round robin 
fashion among all defined workers, rather than sticking to the core threads.


As a result, should a website have any constant traffic (Apache AJP ping, load 
balancer monitoring, normal traffic, etc.), all threads will be hit at least once 
within the configured keepAliveTimeout, resetting it. So unless the 
keepAliveTimeout is set to a very low value, which defeats the purpose, threads 
will never be released.


This is what I've come to suspect from looking at the StandardThreadExecutor, 
but I never really had the opportunity to do deeper tests with load.
But from Tomcat 6 to Tomcat 8, we were never able to decrease the number of 
'idle' workers back from the highest value it had reached.


On 2017-01-16 at 05:24, André Warnier (tomcat) wrote:
> On 16.01.2017 11:10, smith wrote:
>> We have the same problem on the dev env, where there is no traffic to the service,
>
> Ah. That is /new/ information, which may change the suggestions below.
> It looks like you should really find out what these threads are doing, 
> probably by doing a few thread dumps.
> See here e.g. :
> http://stackoverflow.com/questions/18573411/tomcat-thread-dump
>
> Again : we do not know your application, so we can only make guesses 
> based on the information that you provide.
>
>> will try on dev first
>>
>> -Original Message-
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Monday, January 16, 2017 10:08 AM
>> To: users@tomcat.apache.org
>> Subject: Re: FW: tomcat 8080 thread not reduced
>>
>> On 16.01.2017 09:50, smith wrote:
>>> Busy one is process customer request, do not know what non-busy one 
>>> is doing, always keep 120 for many days. I don't think 20s timeout 
>>> will not cause so long connection
>>>
>>> -smith
>>
>> And did you actually try it ?
>>
>> We do not know your website or your application, so we cannot tell 
>> how many clients there are, what these clients are really requesting, 
>> how many requests each client is sending before going away, etc.
>>
>> KeepAlive means that when a client has sent its /last/ request and 
>> received the response, one thread is going to remain "not free" (but 
>> doing nothing) for the duration of the KeepAlive timeout. This thread 
>> will keep waiting, for KeepAliveTimeout seconds, just in case the 
>> client would still send another request (which it may never do, 
>> depending on the application).
>>
>> Imagine that your application is so that the average client
>> - connects to your site
>> - sends a single HTTP request, which gets processed in 0.1 s
>> - receives the response
>> - and then goes away
>> and that the above sequence happens once every second, from different 
>> clients.
>> After one second, there will be one thread waiting for another 19 
>> seconds before becoming free (and potentially destroyed or re-used).
>> After 2 seconds, there will be 2 such threads. After 3 seconds, 3 
>> threads. And so on. After 20 seconds, the first thread will be freed, 
>> but there will be 19 other threads still waiting, and one new thread 
>> just created.
>> If everything stays perfectly regular like that, you will have 
>> /permanently/ 20 threads in existence, even if the minimum is 10.
>> If you change the above so that there is a new client every 0.5 s, 
>> you will have permanently 40 threads (of which only 2 maximum are 
>> really doing something).
>>
>> The point is : KeepAlive is not "bad", and in some cases having a 
>> relatively long KeepAliveTimeout is the right thing to do. Also, 
>> having a high number of threads sitting idle is not necessarily a 
>> problem.
>> Your own scenario is probably not like the perfectly regular 
>> and unrealistic one above. But there may be a perfectly logical 
>> reason why you have so many threads on average, and I am just trying 
>> to give you ideas for finding out the reason.
>>
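
The behaviour Philippe suspects above can be checked on paper with a small model. The following is an added example, not Tomcat or JDK code and not from any poster: it replays a steady request stream against 190 idle workers under two hand-off orders. The class and method names, the 60-second idle timeout, the minimum of 10 workers and the request intervals are all assumptions made for the illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Deterministic model of idle-worker reclamation in a thread pool (added example). */
public class IdleWorkerModel {

    /** Which idle worker receives the next request. */
    enum HandOff { OLDEST_IDLE_FIRST, MOST_RECENT_FIRST }

    /**
     * Replays a steady request stream against a pool of idle workers and
     * returns how many workers exist at the end. Times are in milliseconds;
     * every request is assumed to complete instantly.
     */
    static int simulate(HandOff policy, int workers, int core,
                        long idleTimeoutMs, long intervalMs, long durationMs) {
        // "Last used" timestamps, oldest at the head. Both policies keep the
        // deque sorted because the worker that was just used goes to the tail.
        Deque<Long> lastUsed = new ArrayDeque<>();
        for (int i = 0; i < workers; i++) {
            lastUsed.addLast(0L);
        }
        for (long now = intervalMs; now <= durationMs; now += intervalMs) {
            // Retire workers whose idle timer expired, never going below core.
            while (lastUsed.size() > core
                    && lastUsed.peekFirst() + idleTimeoutMs <= now) {
                lastUsed.removeFirst();
            }
            // Hand the request to one idle worker; that resets its idle timer.
            if (!lastUsed.isEmpty()) {
                if (policy == HandOff.OLDEST_IDLE_FIRST) {
                    lastUsed.removeFirst();
                } else {
                    lastUsed.removeLast();
                }
            }
            lastUsed.addLast(now);
        }
        return lastUsed.size();
    }

    public static void main(String[] args) {
        int workers = 190;            // peak reported in the thread
        int core = 10;                // assumed minimum pool size
        long idleTimeoutMs = 60_000;  // assumed idle timeout
        long durationMs = 600_000;    // ten minutes of steady traffic

        // Assumed traffic levels: one request every 100 ms and every 1000 ms.
        for (long intervalMs : new long[] {100, 1_000}) {
            for (HandOff policy : HandOff.values()) {
                int left = simulate(policy, workers, core,
                        idleTimeoutMs, intervalMs, durationMs);
                System.out.printf("interval=%d ms, %s: %d workers remain%n",
                        intervalMs, policy, left);
            }
        }
    }
}
```

With oldest-idle-first hand-off, a worker is retired only when the number of workers times the request interval exceeds the idle timeout, which is the condition described in the post above; with most-recent-first hand-off the pool falls back to its minimum.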

RE: FW: tomcat 8080 thread not reduced

2017-01-17 Thread smith
Thanks chris

So the Tomcat default executor will not reduce the thread count until it reaches 
the max configuration? Will it reduce when it reaches max?
And why does the default not reduce the threads?

-Smith

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, January 17, 2017 7:18 PM
To: Tomcat Users List
Subject: Re: FW: tomcat 8080 thread not reduced


Smith,

On 1/16/17 8:22 PM, smith wrote:
> Yes, I think thread count should be reduced when those threads are 
> idle
> 
> Is this right? Or will it not be reduced?

If you want Tomcat to reduce the number of idle threads, you'll need to 
explicitly configure an <Executor> and use that with your <Connector>.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, January 16, 2017 2:20 PM
> To: Tomcat Users List
> Subject: Re: FW: tomcat 8080 thread not reduced
> 
> Smith,
> 
> These are your only active <Connector>s:
> 
> On 1/14/17 1:30 AM, smith wrote:
>> > connectionTimeout="2" redirectPort="8443" />
> 
>> [snip]
> 
>> 
> 
> You have not changed any settings from the default. What makes you 
> think that your thread count should be reduced when those threads are 
> idle?
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



Re: [OT] Ability to set cipher suites for websocket connections

2017-01-17 Thread Christopher Schultz

Mark,

On 1/17/17 2:53 PM, Mark Thomas wrote:
> On 17/01/2017 19:32, Christopher Schultz wrote:
>> Mark,
>> 
>> On 1/17/17 8:39 AM, Mark Thomas wrote:
>>> On 17/01/2017 11:23, Michael Orr wrote:
>>>> Hi,
>>>> 
>>>> There is a user property 
>>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use
>>>> to provide the list of permitted SSL protocols when
>>>> connecting to a websocket with WsWebSocketContainer.  I was
>>>> expecting that there would be a similar property to allow you
>>>> to set the list of permitted SSL cipher suites as well.
>>>> 
>>>> I've checked the code (for version 7.0.73, and also
>>>> 9.0.0.M15) and there doesn't seem to be any mention of such
>>>> an option.  I can see it calling
>>>> SSLEngine.setEnabledProtocols() but not 
>>>> SSLEngine.setEnabledCipherSuites().
>>>> 
>>>> Is there a particular reason why there is no 
>>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or
>>>> is it simply an oversight?
>> 
>>> No reason I can think of. Patches welcome :)
>> 
>> I'm curious: since the existing <Connector> (possibly) contains a
>> TLS configuration, why does Websocket specifically require a
>> separate configuration?
> 
> This is for the WebSocket client, not the server.

Hah... of course. *duh*

-chris



Re: TomcatCon @ ApacheCon

2017-01-17 Thread Mark Thomas
On 09/01/2017 11:57, Mark Thomas wrote:



> I look forward to hearing your topic ideas.

Thanks for all the great ideas so far. I've tried to pull them all
together here:
https://cwiki.apache.org/confluence/display/TOMCAT/TomcatCon+NA+2017

I'm waiting to hear back from the ApacheCon folks as to how this would
work. I'll update this thread with info as I get it.

Mark





Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with openssl-1.0.2j-fips-x86_64

2017-01-17 Thread marcus presley
Chris,


Yes, I must use FIPS.  The customer wants FIPS enabled with Tomcat.


I believe it's statically linked.



Here are the commands I used to build the files.

=


openssl make command

nmake -f ms\nt.mak


tcnative.dll make command

nmake -f NMAKEMakefile WITH_APR=C:\deps-x64\apr-%APR_VER% WITH_OPENSSL=C:\deps-x64\openssl-%OPENSSL_VER% APR_DECLARE_STATIC=1

=

Marcus

From: Christopher Schultz 
Sent: Tuesday, January 17, 2017 2:17 PM
To: Tomcat Users List
Subject: Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with 
openssl-1.0.2j-fips-x86_64


Marcus,

On 1/15/17 10:27 PM, marcus presley wrote:
> I'm able to compile and generate the tcnative.dll, but now I
> receive the following error when starting Tomcat.
>
>
> 15-Jan-2017 19:21:20.624 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed
> to initialize the SSLEngine. java.lang.Exception:
> error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match
> at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)


Did you statically-link OpenSSL with tcnative.dll, or are you using a
shared-library for OpenSSL?

For OpenSSL-FIPS to work properly, it needs to be able to checksum
itself. Static-linking interferes with that.

Are you sure you need FIPS?

-chris

> From: David Oswell
> Sent: Sunday, January 15, 2017 12:46 PM
> To: Tomcat Users List
> Subject: Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with openssl-1.0.2j-fips-x86_64
>
> I was able to get it to work with VS2008 & Win DDK7 (7600.16385.1),
> although for cmsc I had to add (was only working on x64 build);
> %XCOPYD% "%WINDDK%\lib\win7\amd64" lib\amd64\ as some of the
> headers weren't the full variants from the other directories, while
> win7 was. I don't recall that error when I was trying to get
> openssl to build, only encountered missing symbol/files issues.
>
> On Sat, Jan 14, 2017 at 3:11 AM, Mark Thomas 
> wrote:
>
>> On 13 January 2017 20:55:15 GMT+00:00, marcus presley <
>> marcus_pres...@hotmail.com> wrote:
>>> Hi Mark,
>>>
>>>
>>> I was able to work through the cmsc failed error.  I rebuilt
>>> my environment with Visual Studio 2010 and this resolved the
>>> issue.
>>>
>>>
>>> I'm experiencing another issue below, when I'm compiling the
>>> openssl source.
>>>
>>>
>>> error LNK2005: getenv already defined in MSVCRT.lib
>>>
>>>
>>> and
>>>
>>>
>>> warning LNK4098: defaultlib 'MSVCRT' conflicts with use of
>>> other libs; use /NODEFAULTLIB: library
>>
>> I'm not 100% sure of my ground here so keep that in mind when you
>> read this reply.
>>
>> The primary driver for the build environment described in the
>> wiki is to produce DLLs that depend only on msvcrt.dll and not on
>> any of the later versions. This simplifies distribution.
>>
>> The only version of Visual Studio I managed to do this with was
>> VS6. And that was many years ago when I was trying to build
>> something to test with locally.
>>
>> Later versions of visual studio always seemed to introduce a
>> dependency on a later version of msvcrt.dll
>>
>> I can only recommend that you use the exact build environment set
>> out in the wiki. Once you step outside of that I'm on unfamiliar
>> ground. If you want something that you can use locally then I
>> can suggest enabling the option in that warning and see what
>> happens.
>>
>> Mark
>>
>>>
>>>
>>>
>>> Marcus
>>>
>>>
>>>
>>>
>>> From: Mark Thomas
>>> Sent: Thursday, January 12, 2017 6:42 PM
>>> To: Tomcat Users List
>>> Subject: Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with openssl-1.0.2j-fips-x86_64
>>>
>>> On 12/01/2017 22:48, marcus presley wrote:
>>>> Mark,
>>>>
>>>> I am building the environment but the bat file is failing at
>>>> the following line:
>>>>
>>>> set VSBaseDir=C:\cmsc-master\msvc popd if not exist
>>>> "%VSBaseDir%\bin\i386\lib.exe" goto Failed
>>>>
>>>> I explicitly copied lib.exe the directory
>>>> "%VSBaseDir%\bin\i386", but I still receive the error.
>>>
>>> I've never seen that error. Is VSBaseDir set correctly?
>>>
>>> Mark
>>>
>>>


>>>> Marcus
>>>>
>>>> From: marcus presley
>>>> Sent: Thursday, January 12, 2017 3:39 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with openssl-1.0.2j-fips-x86_64
>>>>
>>>> Hi Mark,
>>>>
>>>> Thanks for the guide.  Can I use Visual Studio 2015 or should
>>>> I use the versions you have outlined in guide?
>>>>
>>>> Marcus
>>>>
>>>> From: Mark Thomas
>>>> Sent: Thursday, January 12, 2017 2:47 PM
>>>> To: Tomcat Users List
>>>> Subject: Re: 

Re: After upgrade to Tomcat 7.0.72+, JSF Error: FacesContext already released in JSF tools with

2017-01-17 Thread Mark Thomas
On 15/01/2017 19:52, Hadas Toronchik wrote:
> We have a JSF based application, and we upgraded Tomcat to 7.0.72.
> Since then, several hours after Tomcat starts we receive JSF exceptions 
> when just trying to open JSF based pages that worked fine before.
> If we clean all Generated Servlet pages it goes away again for a couple of 
> hours.

Possibly related to the tag reuse changes. 7.0.74 should be available in
a few days that contains the necessary fixes.

Mark


> Another company reported a similar issue: 
> https://jira.sakaiproject.org/browse/SAK-31912 - they say that after 
> downgrading to 7.0.70 the problem disappears...
> 
> Here is the Exception:
> 2017-01-10 13:49:37,490 ERROR [http-nio-0.0.0.0-8080-exec-24] [UID:, MSG_ID:] [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[jsp]]
> java.lang.IllegalStateException: FacesContext already released
>     at org.apache.myfaces.context.servlet.ServletFacesContextImpl.getResponseWriter(ServletFacesContextImpl.java:241) ~[myfaces-impl-1.1.5.jar:1.1.5]
>     at javax.faces.webapp.UIComponentTag.setupResponseWriter(UIComponentTag.java:933) ~[myfaces-api-1.1.5.jar:1.1.5]
>     at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:313) ~[myfaces-api-1.1.5.jar:1.1.5]
>     at org.apache.jsp.app.layout.include2.search_jsp._jspService(search_jsp.java:239) ~[na:na]
>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jasper.jar:7.0.73]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) [servlet-api.jar:na]
>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439) [jasper.jar:7.0.73]
>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395) [jasper.jar:7.0.73]
>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339) [jasper.jar:7.0.73]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) [servlet-api.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [catalina.jar:7.0.73]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.73]
>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:747) [catalina.jar:7.0.73]
>     at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:603) [catalina.jar:7.0.73]
>     at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:542) [catalina.jar:7.0.73]
>     at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:897) [jasper.jar:7.0.73]
>     at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:656) [jasper.jar:7.0.73]
>     at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:137) [panaya-struts-1.1.jar:1.1]
>     at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:177) [panaya-struts-1.1.jar:1.1]
>     at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:756) [panaya-struts-1.1.jar:1.1]
>     at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:881) [panaya-struts-1.1.jar:1.1]
>     at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:473) [panaya-struts-1.1.jar:1.1]
>     at org.apache.jsp.app.layout.mainLayout2_jsp._jspx_meth_t_005finsert_005f2(mainLayout2_jsp.java:2062) [_/:na]
>     at org.apache.jsp.app.layout.mainLayout2_jsp._jspx_meth_f_005fview_005f0(mainLayout2_jsp.java:408) [_/:na]
>     at org.apache.jsp.app.layout.mainLayout2_jsp._jspService(mainLayout2_jsp.java:310) [_/:na]
>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jasper.jar:7.0.73]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) [servlet-api.jar:na]
>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439) [jasper.jar:7.0.73]
>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395) [jasper.jar:7.0.73]
>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339) [jasper.jar:7.0.73]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) [servlet-api.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [catalina.jar:7.0.73]
>at 
> 

Re: Tomcat embedded context: Unable to find [java:]

2017-01-17 Thread Mark Thomas
On 16/01/2017 09:13, Tom Eugelink wrote:
> Trying to launch Tomcat 8.0.39 embedded with a datasource configured, I
> get this error:
> 
> /Failed to log into the database: Name [java:/comp/env/myDsName] is not
> bound in this Context. Unable to find [java:]./
> 
> I'm configuring the default Tomcat ContextFactory. This is the relevant
> source:
> 
> System.setProperty("java.naming.factory.initial",
> "org.apache.naming.java.javaURLContextFactory");

Try replacing the above line with:
tomcat.enableNaming();

Mark


> 
> StandardContext standardContext =
> (StandardContext)tomcat.addWebapp("/mywebapp", "/path/to/web/resources");
> standardContext.getNamingResources().addResource(createJdbcResource());
> 
> org.apache.catalina.webresources.StandardRoot standardRoot = new
> org.apache.catalina.webresources.StandardRoot(standardContext);
> standardContext.setResources(standardRoot);
> 
> private static org.apache.tomcat.util.descriptor.web.ContextResource
> createJdbcResource() {
> org.apache.tomcat.util.descriptor.web.ContextResource resource =
> new org.apache.tomcat.util.descriptor.web.ContextResource();
> resource.setAuth("Container");
> resource.setName("jdbc/myDsName");
> resource.setType("javax.sql.DataSource");
> resource.setProperty("driverClassName",
> "nl.pinkroccade.jdbc.RollbackOnlyDriver");
> resource.setProperty("url", "...");
> resource.setProperty("username", "...");
> resource.setProperty("password", "...");
> return resource;
> }
> 
> 





Re: [OT] Ability to set cipher suites for websocket connections

2017-01-17 Thread Mark Thomas
On 17/01/2017 19:32, Christopher Schultz wrote:
> Mark,
> 
> On 1/17/17 8:39 AM, Mark Thomas wrote:
>> On 17/01/2017 11:23, Michael Orr wrote:
>>> Hi,
>>>
>>> There is a user property
>>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use to
>>> provide the list of permitted SSL protocols when connecting to a
>>> websocket with WsWebSocketContainer.  I was expecting that there
>>> would be a similar property to allow you to set the list of 
>>> permitted SSL cipher suites as well.
>>>
>>> I've checked the code (for version 7.0.73, and also 9.0.0.M15)
>>> and there doesn't seem to be any mention of such an option.  I
>>> can see it calling SSLEngine.setEnabledProtocols() but not 
>>> SSLEngine.setEnabledCipherSuites().
>>>
>>> Is there a particular reason why there is no 
>>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is
>>> it simply an oversight?
> 
>> No reason I can think of. Patches welcome :)
> 
> I'm curious: since the existing <Connector> (possibly) contains a TLS
> configuration, why does Websocket specifically require a separate
> configuration?

This is for the WebSocket client, not the server.

Mark
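
Until a cipher-suite property exists for the WebSocket client discussed above, the restriction can be applied in JSSE itself. The following is an added example, not Tomcat code and not from any poster: it wraps an `SSLContext` so that every `SSLEngine` it creates has had both `setEnabledProtocols()` and `setEnabledCipherSuites()` applied. The class names, the two allow-listed suites and the placeholder host are assumptions; it also relies on the fact, not stated in the thread, that Tomcat's WebSocket client accepts a caller-supplied context through the `org.apache.tomcat.websocket.SSL_CONTEXT` user property.

```java
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLContextSpi;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

/** Added example: an SSLContext whose engines only offer allow-listed suites. */
public class RestrictedClientTls {

    /** Delegating SPI: every SSLEngine it hands out is narrowed before use. */
    static final class RestrictingSpi extends SSLContextSpi {
        private final SSLContext delegate;
        private final String[] protocols;
        private final List<String> allowedSuites;

        RestrictingSpi(SSLContext delegate, String[] protocols, String[] allowedSuites) {
            this.delegate = delegate;
            this.protocols = protocols.clone();
            this.allowedSuites = Arrays.asList(allowedSuites.clone());
        }

        private SSLEngine restrict(SSLEngine engine) {
            List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
            List<String> enabled = new ArrayList<>();
            for (String suite : allowedSuites) {
                if (supported.contains(suite)) {
                    enabled.add(suite);
                }
            }
            // Fail closed: never fall back to the JRE's default suite list.
            if (enabled.isEmpty()) {
                throw new IllegalStateException(
                        "No allow-listed cipher suite is supported by this JRE");
            }
            engine.setEnabledProtocols(protocols);
            engine.setEnabledCipherSuites(enabled.toArray(new String[0]));
            return engine;
        }

        @Override protected SSLEngine engineCreateSSLEngine() {
            return restrict(delegate.createSSLEngine());
        }
        @Override protected SSLEngine engineCreateSSLEngine(String host, int port) {
            return restrict(delegate.createSSLEngine(host, port));
        }
        @Override protected void engineInit(KeyManager[] km, TrustManager[] tm,
                SecureRandom sr) throws KeyManagementException {
            delegate.init(km, tm, sr);
        }
        // Socket factories would bypass restrict(), so they are refused outright.
        @Override protected SSLSocketFactory engineGetSocketFactory() {
            throw new UnsupportedOperationException("engine-only context");
        }
        @Override protected SSLServerSocketFactory engineGetServerSocketFactory() {
            throw new UnsupportedOperationException("engine-only context");
        }
        @Override protected SSLSessionContext engineGetServerSessionContext() {
            return delegate.getServerSessionContext();
        }
        @Override protected SSLSessionContext engineGetClientSessionContext() {
            return delegate.getClientSessionContext();
        }
    }

    /** SSLContext's constructor is protected, so a small subclass exposes it. */
    static final class RestrictedContext extends SSLContext {
        RestrictedContext(SSLContext delegate, String[] protocols, String[] suites) {
            super(new RestrictingSpi(delegate, protocols, suites),
                    delegate.getProvider(), delegate.getProtocol());
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext base = SSLContext.getInstance("TLSv1.2");
        base.init(null, null, null); // JRE default key and trust managers

        // Assumed policy for the illustration: TLS 1.2 with two AEAD suites.
        SSLContext restricted = new RestrictedContext(base,
                new String[] {"TLSv1.2"},
                new String[] {
                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});

        // Placeholder host name; no connection is opened here.
        SSLEngine engine = restricted.createSSLEngine("ws.example.invalid", 443);
        engine.setUseClientMode(true);
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

To use it with the WebSocket client, the `restricted` context would be placed in the `ClientEndpointConfig` user properties under `org.apache.tomcat.websocket.SSL_CONTEXT` before connecting.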




Re: [OT] Ability to set cipher suites for websocket connections

2017-01-17 Thread Christopher Schultz

Mark,

On 1/17/17 8:39 AM, Mark Thomas wrote:
> On 17/01/2017 11:23, Michael Orr wrote:
>> Hi,
>> 
>> There is a user property
>> "org.apache.tomcat.websocket.SSL_PROTOCOLS" that you can use to
>> provide the list of permitted SSL protocols when connecting to a
>> websocket with WsWebSocketContainer.  I was expecting that there
>> would be a similar property to allow you to set the list of 
>> permitted SSL cipher suites as well.
>> 
>> I've checked the code (for version 7.0.73, and also 9.0.0.M15)
>> and there doesn't seem to be any mention of such an option.  I
>> can see it calling SSLEngine.setEnabledProtocols() but not 
>> SSLEngine.setEnabledCipherSuites().
>> 
>> Is there a particular reason why there is no 
>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is
>> it simply an oversight?
> 
> No reason I can think of. Patches welcome :)

I'm curious: since the existing <Connector> (possibly) contains a TLS
configuration, why does Websocket specifically require a separate
configuration?

-chris



Re: TomcatCon @ ApacheCon

2017-01-17 Thread Christopher Schultz

Mark,

On 1/9/17 6:57 AM, Mark Thomas wrote:
> All,
> 
> There is the opportunity (if we can pull it together as a
> community) to run a dedicated Tomcat conference alongside ApacheCon
> NA 2017. The dates are May 16 to 18.
> 
> The call for papers closes on Feb 11 so we have around a month to
> get organised. We'll also need to convince the conference
> organisers that a) there is a demand for this and b) we have a
> plan.
> 
> Getting the right content is going to be critical to success. I've
> been thinking about this for a while and I think we can identify
> the right content if as many folks as possible on this list answer
> the following question:
> 
> "What topic(s) need to be covered in a Tomcat conference to make it
> as easy as possible to get your employer to pay for you to
> attend?"
> 
> We have up to three days and potentially multiple tracks so even if
> you think you have a niche requirement, please speak up. We
> typically have a number of Tomcat committers speaking at ApacheCon
> so finding someone to cover a particular topic shouldn't be too
> tricky. Equally, if you have a topic you could present on that you
> think others would find useful, speak up.
> 
> Do feel free to add your +1 if someone else mentions a topic you
> are interested in first. Having an idea of how popular the topics are
> would also be helpful.
> 
> Also, we don't have to stick to the standard "Sit and listen to
> someone present for 40 mins" format. Discussions, workshops,
> hackathons are all possible.
> 
> Some topic ideas to get the ball rolling.
> 
> Hands-on workshop: Configuring TLS with Apache Tomcat
> Reverse Proxying to Apache Tomcat
> Load-balancing with Apache Tomcat
> Clustering with Apache Tomcat
> Tomcat Clinic (like the users list but with everyone in the same room)
> 
> I look forward to hearing your topic ideas.

This isn't really Tomcat-specific, but it might require a bit of
configuration change from the default.

I don't know a thing about Websocket other than vaguely how it works
from an HTTP-upgrade-to-wide-open-byte-transfer-channel point of view.
I know some of the use-cases it covers, but I'm not sure how I would
get started. I'd love for someone to give a tour of some simple
application to dissect it and describe what's going on. It could even
be a "tour of the snake example" for all I care.

I think some people think that presentations at e.g. ApacheCon need to
be highly technical or complex, or presented by people whose names
they recognize.

I disagree.

If someone will come and give a presentation on Websocket, I'll waive
their registration fee[1].

-chris

[1] Note that all speakers get their registration fees waived. :)



Re: TomcatCon @ ApacheCon

2017-01-17 Thread Christopher Schultz

André,

On 1/17/17 6:29 AM, André Warnier (tomcat) wrote:
> "How to get the most performance / lowest resource usage out of
> your Tomcat"
> 
> Admittedly, this is a vast and tortuous subject. But it seems to me
> that considering - java's reputation in general for being a
> computing resource hog - the multitude of parameters available in
> terms of settings for the Connectors, Executors, database
> connections pools, GC etc.

What about Jean-Frederic's and my previous presentations on connector
performance? It doesn't cover GC and DB, of course.

> To provide some kind of (admittedly narrow) real-world link to the 
> above, see the current thread on the user's list, entitled
> originally "tomcat 8080 thread not reduced". Clearly it shows that,
> for example, the way in which Tomcat allocates/deallocates
> request-processing threads is not very clear from the available
> documentation, nor whether it has really an impact on tomcat's
> resource usage or performance.

The confusion is about the default default defaults. I believe that
(a) documentation update is in order and (b) an implementation change
might be in order as well. There is no reason why a <Connector> with
e.g. minSpareThreads should not create an <Executor> that behaves as
if it had been configured with separate <Connector>/<Executor>s.

> To provide a wider context : most of the experts who are answering 
> questions on this tomcat user's list are tomcat code committers,
> for whom java in general, and the tomcat code in particular, hold
> no mysteries.  For such people, some highly technical presentation
> subject would probably seem most appealing.  But the purpose of
> Mark's appeal seems to be to gather a wider potential audience, so
> it may be sensible to choose some subjects with could potentially
> appeal to people who would not normally go to such highly-focused
> presentations.

+1

I just got off the phone with a customer who was struggling to
understand why his TLS certificate wouldn't load. He replaced the old
cert with the new one and restarted the service. TLS wouldn't come up.
Anyone with experience would know that the key and cert need to match,
but he didn't understand that: he was just following the "SSL guide"
from his CA -- which was awful, by the way.

I kind of scoffed at markt's suggestion that we have a "Configuring
TLS with Apache Tomcat" workshop, but I think that 90% of the
attendees to an ApacheCon could use a tutorial on what TLS is, what a
certificate is, and why there are so many moving parts.

> In any case, if you want to convince your boss to send you there,
> there has to be a presentation title which your boss can understand
> and relate to. Without of course making it so appealing that he
> will decide to attend himself.

So what is your boss interested in? I think I still owe you a few beers.

-chris

> On 16.01.2017 15:10, Berneburg, Cris J. - US wrote:
>> Mark
>> 
>>> "What topic(s) need to be covered in a Tomcat conference to
>>> make it as easy as possible to get your employer to pay for you
>>> to attend?"
>> 
>> OK, you asked for it.  :-)
>> 
>> - The best and worst moments in Tomcat history. Specific
>> examples.  Memorable events.  Could be just for the year so the
>> same topic with different content could be presented next year, 
>> like an episode.
>> 
>> - Tomcat vision roadmap. History and plans for the future.
>> Respond to RFC and bug reports. Other things?
>> 
>> - A day in the life of a Tomcat developer/contributor. Typical vs
>> ideal vs worst.  Humor.  Specific examples.  Multiple 
>> presenters.
>> 
>> -- Cris Berneburg CACI Lead Software Engineer
>> 
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Monday, January 09, 2017 6:58 AM
>> To: users@tomcat.apache.org
>> Subject: TomcatCon @ ApacheCon
>> 
>> All,
>> 
>> There is the opportunity (if we can pull it together as a
>> community) to run a dedicated Tomcat conference alongside
>> ApacheCon NA 2017. The dates are May 16 to 18.
>> 
>> The call for papers closes on Feb 11 so we have around a month to
>> get organised. We'll also need to convince the conference
>> organisers that a) there is a demand for this and b) we have a
>> plan.
>> 
>> Getting the right content is going to be critical to success.
>> I've been thinking about this for a while and I think we can
>> identify the right content if as many folks as possible on this
>> list answer the following question:
>> 
>> 
>> We have up to three days and potentially multiple tracks so even
>> if you think you have a niche requirement, please speak up. We
>> typically have a number of Tomcat committers speaking at
>> ApacheCon so finding someone to cover a particular topic
>> shouldn't be too tricky. Equally, if you have a topic you could
>> present on that you think others would find useful, speak up.
>> 
>> Do feel free to add your +1 if someone else mentions a topic you
>> are interested in first. Having an idea of how popular the 

Re: FW: tomcat 8080 thread not reduced

2017-01-17 Thread Christopher Schultz

Smith,

On 1/16/17 8:22 PM, smith wrote:
> Yes, I think thread count should be reduced when those threads are
> idle
> 
> Is this right? Or it will not reduced?

If you want Tomcat to reduce the number of idle threads, you'll need
to explicitly configure an  and use that with your 
.

-chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: Monday, January 16,
> 2017 2:20 PM To: Tomcat Users List Subject: Re: FW: tomcat 8080
> thread not reduced
> 
> Smith,
> 
> There are your only active s:
> 
> On 1/14/17 1:30 AM, smith wrote:
>> > connectionTimeout="2" redirectPort="8443" />
> 
>> [snip]
> 
>> 
> 
> You have not changed any settings from the default. What makes you
> think that your thread count should be reduced when those threads
> are idle?
> 
> -chris
> 



Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with openssl-1.0.2j-fips-x86_64

2017-01-17 Thread Christopher Schultz

Marcus,

On 1/15/17 10:27 PM, marcus presley wrote:
> I'm able to compile and generate the tcnative.dll, but now I
> receive the following error when starting Tomcat.
> 
> 
> 15-Jan-2017 19:21:20.624 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed
> to initialize the SSLEngine. java.lang.Exception:
> error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match 
> at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)


Did you statically-link OpenSSL with tcnative.dll, or are you using a
shared-library for OpenSSL?

For OpenSSL-FIPS to work properly, it needs to be able to checksum
itself. Static-linking interferes with that.

Are you sure you need FIPS?

-chris

>  From: David Oswell
>  Sent: Sunday, January 15, 2017 12:46 PM To:
> Tomcat Users List Subject: Re: Tcnative.dll apr-1.5.2-win32-src -
> unable to compile with openssl-1.0.2j-fips-x86_64
> 
> I was able to get it to work with VS2008 & Win DDK7 (7600.16385.1)
> , although for cmsc I had to add (was only working on x64 build); 
> %XCOPYD% "%WINDDK%\lib\win7\amd64" lib\amd64\ as some of the
> headers weren't the full variants from the other directories, while
> win7 was. I don't recall that error when I was trying to get
> openssl to build, only encountered missing symbol/files issues.
> 
> On Sat, Jan 14, 2017 at 3:11 AM, Mark Thomas 
> wrote:
> 
>> On 13 January 2017 20:55:15 GMT+00:00, marcus presley < 
>> marcus_pres...@hotmail.com> wrote:
>>> Hi Mark,
>>> 
>>> 
>>> I was able to work through the cmsc failed error.  I rebuilt
>>> my environment with Visual Studio 2010 and this resolved the
>>> issue.
>>> 
>>> 
>>> I'm experiencing another issue below, when I'm compiling the
>>> openssl source.
>>> 
>>> 
>>> error LNK2005: getenv already defined in MSVCRT.lib
>>> 
>>> 
>>> and
>>> 
>>> 
>>> warning LNK4098: defaultlib 'MSVCRT' conflicts with use of
>>> other libs; use /NODEFAULTLIB: library
>> 
>> I'm not 100% sure of my ground here so keep that in mind when you
>> read this reply.
>> 
>> The primary driver for the build environment described in the
>> wiki is to produce DLLs that depend only on msvcrt.dll and not on
>> any of the later versions. This simplifies distribution.
>> 
>> The only version of Visual Studio I managed to do this with was
>> VS6. And that was many years ago when I was trying to build
>> something to test with locally.
>> 
>> Later versions of visual studio always seemed to introduce a
>> dependency on a later version of msvcrt.dll
>> 
>> I can only recommend that you use the exact build environment set
>> out in the wiki. Once you step outside of that I'm on unfamiliar
>> ground. If you want something that you can use locally then I
>> can suggest enabling the option in that warning and see what
>> happens.
>> 
>> Mark
>> 
>>> 
>>> 
>>> 
>>> Marcus
>>> 
>>> 
>>> 
>>> 
>>>  From: Mark Thomas
>>>  Sent: Thursday, January 12, 2017 6:42 PM To:
>>> Tomcat Users List Subject: Re: Tcnative.dll apr-1.5.2-win32-src
>>> - unable to compile with openssl-1.0.2j-fips-x86_64
>>> 
>>> On 12/01/2017 22:48, marcus presley wrote:
>>>> Mark,
>>>>
>>>>
>>>> I am building the environment but the bat file is failing at
>>>> the
>>> following line:
>>>>
>>>>
>>>> set VSBaseDir=C:\cmsc-master\msvc popd if not exist
>>>> "%VSBaseDir%\bin\i386\lib.exe" goto Failed
>>>>
>>>>
>>>> I explicitly copied lib.exe the directory
>>>> "%VSBaseDir%\bin\i386", but
>>> I still receive the error.
>>> 
>>> I've never seen that error. Is VSBaseDir set correctly?
>>> 
>>> Mark
>>> 
>>> 
>>>>
>>>>
>>>> Marcus
>>>>
>>>>
>>>>
>>>> From: marcus presley
>>>> Sent: Thursday, January 12, 2017
>>>> 3:39 PM To: Tomcat Users List Subject: Re: Tcnative.dll
>>>> apr-1.5.2-win32-src - unable to compile
>>> with openssl-1.0.2j-fips-x86_64
>>>>
>>>> Hi Mark,
>>>>
>>>>
>>>> Thanks for the guide.  Can I use Visual Studio 2015 or should
>>>> I use
>>> the versions you have outlined in guide?
>>>>
>>>>
>>>> Marcus
>>>>
>>>>
>>>> From: Mark Thomas
>>>> Sent: Thursday, January 12, 2017 2:47 PM
>>>> To: Tomcat Users List Subject: Re: Tcnative.dll
>>>> apr-1.5.2-win32-src - unable to compile
>>> with openssl-1.0.2j-fips-x86_64
>>>>
>>>> On 12/01/2017 18:56, marcus presley wrote:
>>>>> Forum,
>>>>>
>>>>>
>>>>> I have been unsuccessful, trying to compile 'tcnative.dll'
>>>>> with
>>> Visual Studio 2015.
>>>>
>>>>
>>> https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows
>>>
>>> Building the Tomcat Native Connector binaries for Windows
>>> 

Re: Ability to set cipher suites for websocket connections

2017-01-17 Thread Michael Orr
On 17 January 2017 at 13:39, Mark Thomas  wrote:
> On 17/01/2017 11:23, Michael Orr wrote:
>> Hi,
>>
>> There is a user property "org.apache.tomcat.websocket.SSL_PROTOCOLS"
>> that you can use to provide the list of permitted SSL protocols when
>> connecting to a websocket with WsWebSocketContainer.  I was expecting
>> that there would be a similar property to allow you to set the list of
>> permitted SSL cipher suites as well.
>>
>> I've checked the code (for version 7.0.73, and also 9.0.0.M15) and
>> there doesn't seem to be any mention of such an option.  I can see it
>> calling SSLEngine.setEnabledProtocols() but not
>> SSLEngine.setEnabledCipherSuites().
>>
>> Is there a particular reason why there is no
>> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is it
>> simply an oversight?
>
> No reason I can think of. Patches welcome :)
>
> Mark
>
>>
>> Thanks, and keep up the great work!
>>
>> Michael
>>

I'll see what I can do!

Thanks for your fast response.

Michael




Re: Ability to set cipher suites for websocket connections

2017-01-17 Thread Mark Thomas
On 17/01/2017 11:23, Michael Orr wrote:
> Hi,
> 
> There is a user property "org.apache.tomcat.websocket.SSL_PROTOCOLS"
> that you can use to provide the list of permitted SSL protocols when
> connecting to a websocket with WsWebSocketContainer.  I was expecting
> that there would be a similar property to allow you to set the list of
> permitted SSL cipher suites as well.
> 
> I've checked the code (for version 7.0.73, and also 9.0.0.M15) and
> there doesn't seem to be any mention of such an option.  I can see it
> calling SSLEngine.setEnabledProtocols() but not
> SSLEngine.setEnabledCipherSuites().
> 
> Is there a particular reason why there is no
> "org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is it
> simply an oversight?

No reason I can think of. Patches welcome :)

Mark

> 
> Thanks, and keep up the great work!
> 
> Michael
> 



Re: TomcatCon @ ApacheCon

2017-01-17 Thread tomcat

Hi.
Sorry for top-posting, but it seems to be the practice so far in this thread.

Although I will be unable to attend anyway, I have a suggestion for a topic :

"How to get the most performance / lowest resource usage out of your Tomcat"

Admittedly, this is a vast and tortuous subject. But it seems to me that 
considering
- java's reputation in general for being a computing resource hog
- the multitude of parameters available in terms of settings for the Connectors, 
Executors, database connections pools, GC etc.
*and* the fact that many (a majority of ?) "tomcat users" (in the sense of this list) are 
not fundamentally java web applications developers, but rather sysadmins tasked with 
setting up and running tomcat systems,
some kind of "top-down" presentation, starting with some basic principles, and providing 
some guidelines as what to do in some real-world scenarios, should be susceptible of 
interesting a vaster potential public.


And the fact that the potential benefit of attending, may help some in reducing the 
overall computing resources that have to be dedicated to run their applications (or 
conversely increase the bandwidth of their existing infrastructure investment), may also 
provide an argument for one's boss to send one there.


To provide some kind of (admittedly narrow) real-world link to the above, see the current 
thread on the user's list, entitled originally "tomcat 8080 thread not reduced".
Clearly it shows that, for example, the way in which Tomcat allocates/deallocates 
request-processing threads is not very clear from the available documentation, nor whether 
it has really an impact on tomcat's resource usage or performance.


To provide a wider context : most of the experts who are answering questions on this 
tomcat user's list are tomcat code committers, for whom java in general, and the tomcat 
code in particular, hold no mysteries.  For such people, some highly technical 
presentation subject would probably seem most appealing.  But the purpose of Mark's appeal 
seems to be to gather a wider potential audience, so it may be sensible to choose some 
subjects which could potentially appeal to people who would not normally go to such 
highly-focused presentations.  I am not really advocating a "tomcat for dummies" 
presentation, but maybe something more akin to a tomcat marketing approach would be nice.
In any case, if you want to convince your boss to send you there, there has to be a 
presentation title which your boss can understand and relate to. Without of course making 
it so appealing that he will decide to attend himself.




On 16.01.2017 15:10, Berneburg, Cris J. - US wrote:

Mark


"What topic(s) need to be covered in a Tomcat conference to make it
as easy as possible to get your employer to pay for you to attend?"


OK, you asked for it.  :-)

- The best and worst moments in Tomcat history.
Specific examples.  Memorable events.  Could be just for the year so the same 
topic with different content could be presented next year, like an episode.

- Tomcat vision roadmap.
History and plans for the future.  Respond to RFC and bug reports.  Other 
things?

- A day in the life of a Tomcat developer/contributor.
Typical vs ideal vs worst.  Humor.  Specific examples.  Multiple presenters.

--
Cris Berneburg
CACI Lead Software Engineer

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, January 09, 2017 6:58 AM
To: users@tomcat.apache.org
Subject: TomcatCon @ ApacheCon

All,

There is the opportunity (if we can pull it together as a community) to run a 
dedicated Tomcat conference alongside ApacheCon NA 2017. The dates are May 16 
to 18.

The call for papers closes on Feb 11 so we have around a month to get 
organised. We'll also need to convince the conference organisers that a) there 
is a demand for this and b) we have a plan.

Getting the right content is going to be critical to success. I've been 
thinking about this for a while and I think we can identify the right content 
if as many folks as possible on this list answer the following
question:


We have up to three days and potentially multiple tracks so even if you think 
you have a niche requirement, please speak up. We typically have a number of 
Tomcat committers speaking at ApacheCon so finding someone to cover a 
particular topic shouldn't be too tricky. Equally, if you have a topic you 
could present on that you think others would find useful, speak up.

Do feel free to add your +1 if someone else mentions a topic you are 
interested first. Having an idea of how popular the topics are would also be 
helpful.

Also, we don't have to stick to the standard "Sit and listen to someone present for 
40 mins" format. Discussions, workshops, hackathons are all possible.

Some topic ideas to get the ball rolling.

Hands-on workshop: Configuring TLS with Apache Tomcat
Reverse Proxying to Apache Tomcat
Load-balancing with Apache Tomcat
Clustering with Apache Tomcat
Tomcat Clinic

Ability to set cipher suites for websocket connections

2017-01-17 Thread Michael Orr
Hi,

There is a user property "org.apache.tomcat.websocket.SSL_PROTOCOLS"
that you can use to provide the list of permitted SSL protocols when
connecting to a websocket with WsWebSocketContainer.  I was expecting
that there would be a similar property to allow you to set the list of
permitted SSL cipher suites as well.

I've checked the code (for version 7.0.73, and also 9.0.0.M15) and
there doesn't seem to be any mention of such an option.  I can see it
calling SSLEngine.setEnabledProtocols() but not
SSLEngine.setEnabledCipherSuites().

Is there a particular reason why there is no
"org.apache.tomcat.websocket.SSL_CIPHER_SUITES" property, or is it
simply an oversight?

Thanks, and keep up the great work!

Michael
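
What the option asked about above would amount to at the JSSE level, as an added example (not Tomcat's code and not part of the original post): a cipher-suite allow-list applied to a client SSLEngine next to the protocol list. The class name, the allow-list contents and the host name are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class RestrictClientSuites {

    // Constructed allow-list for illustration; the last entry is deliberately bogus.
    static final List<String> ALLOWED_SUITES = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_EXAMPLE_NOT_A_REAL_SUITE");

    /** Returns the allow-listed names the engine supports, in allow-list order. */
    static String[] intersect(List<String> wanted, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> usable = new ArrayList<>();
        for (String name : wanted) {
            if (available.contains(name)) {
                usable.add(name);
            }
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Host name is a placeholder; no connection is made.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("example.invalid", 443);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});

        try {
            // JSSE rejects the whole array if any single name is unsupported.
            engine.setEnabledCipherSuites(ALLOWED_SUITES.toArray(new String[0]));
        } catch (IllegalArgumentException e) {
            System.out.println("unfiltered list rejected: " + e.getMessage());
        }

        String[] suites = intersect(ALLOWED_SUITES, engine.getSupportedCipherSuites());
        if (suites.length == 0) {
            // Fail closed rather than fall back to the provider defaults.
            throw new IllegalStateException("no allow-listed cipher suite is supported");
        }
        engine.setEnabledCipherSuites(suites);
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Filtering against getSupportedCipherSuites() first matters because a single unknown name makes setEnabledCipherSuites() throw, which would otherwise turn a policy typo into a failed connection setup.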
