Switch to in-memory key store in tomcat 8.5.23 fails application to load
Context --- Exact tomcat version, Operating Systems, other configurations- Current Tomcat version - 8.5.15 Operating Systems - Windows/ Linux Upgrading to tomcat version - 8.5.23 Application - Java Application. I have an application with tomcat, say fooapp. I also have a custom keystore type, say DKS (Java by default has the JKS keystore). During start of my application, it loads the DKS keystore to get the certificate for the application. This is done using the following changes in server.xml throws unimplmented method I am setting the provider type properly in java.security which is also used while loading the application. Has anybody faced similar problem? Thanks, Emil
Cannot get a connection, pool error Timeout waiting for ideal object
Hi All, Need urgent help. We are using apache tomcat version -7.0.67 and sporadically facing issue that application become unresponsive and below error message encountered in Catalina.out log: ExceptionCannot get a connection, pool error Timeout waiting for idle object Exception in detailorg.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot get a connection, pool error Timeout waiting for idle object within doFilter of Session Filter url :/SPECTRA/login Chain.doFilter().. Inside Login Method. We had to restart tomcat service every time and issue gets resolved for the time being and again reappears sporadically. Could you please advise if we need to change any tomcat setting to mitigate this issue from happening in future. Please let us know if you need anything else from my side in this regards. Thank you in advance. Thanks and Regards, Arpan Arpan Halder Tata Consultancy Services providing services to: Global Data and Analytics Application Support / ITAS Route 22 West▪NJ 08876 ▪ USA Mobile: +1 (908) 392 2947 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Dynamic session cookie domain... possible?
Hello, I'm migrating from Tomcat 8.0.X to Tomcat 9.0.5 and I have a issue I've been dragging for too long that I wise to correct. I have been searching for a workaround and so far, I've found nothing so far that work out of the box. Here is the situation: We have a single webapp that can handle multiple domains, some of which are sub-domains. Example: www.example1.com, images.example1.com, assets.example1.com, www.example2.com As far as I know Tomcat only allows us to set define a domain through a sessionCookieDomain in the context. But this domain is fixed. If I set sessionCookieDomain=".example1.com", this will break www.example2.com and vice-versa. If I leave sessionCookieDomain empty, I don't get sub-domain support as no domain is set and the browser fallback to the current domain serviced. All the manipulation of the session cookie are managed in the org.apache.catalina.connector.Response class and is not customizable. So far, when we were using Tomcat 8, we were able to do a workaround by overriding the method addSessionCookieInternal inside the Response class through a facade, but this is a dirty hack and I would rather not alter any of Tomcat's inner classes... And a proxy is out of the question, Response not being an interface. The other workaround I can think of is splitting *.example1.com & example2.com into 2 separate tomcat instance or webapps, but that would only duplicate the resources required (ram + disk space) for as many different domains we decide to support. Is there therefor a better way to handle manipulating session cookies, or is it frozen and out of reach for multiple subdomain? A "SessionCookieProcessor", which would take the context & the cookie, would be most welcome for such a case Thanks -- *Philippe Busque* , rue St-Charles Ouest, Tour Est, bureau 255 Longueuil (Québec) Canada J4K 5G4 Tél. : 450-449-0102 ext. 3017 Télec. : 450-449-8725 Ce message et les fichiers d’accompagnement transmis avec celui-ci s’adressent expressément au(x) destinataire(s) et peuvent contenir des renseignements confidentiels et privilégiés. Si vous recevez ce message par erreur, veuillez en aviser immédiatement l’expéditeur par courrier électronique. Veuillez également ne pas en prendre connaissance et en supprimer toutes les copies immédiatement. Technologies Interactives Mediagrif Inc. et ses filiales n’acceptent aucune responsabilité à l’égard des opinions exprimées dans le message ou des conséquences de tout virus informatique qui pourrait être transmis avec ce message. Ce message fait également l’objet d’un copyright. Il est interdit d’en reproduire, adapter ou transmettre quelque partie que ce soit sans le consentement écrit du détenteur du copyright. This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Mediagrif Interactive Technologies Inc. and its subsidiaries do not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using default cacerts AND custom keystore
On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomaswrote: > On 14/02/18 17:17, Chris Cheshire wrote: >> I am trying to set up my webapp to connect to an external database via >> ssl. The database uses a self-signed certificate. I have created a >> keystore with the self-signed CA and the client key & cert. This >> keystore is configured via JAVA_OPTS in setenv.sh >> >> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \ >> -Djavax.net.ssl.keyStorePassword=password \ >> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \ >> -Djavax.net.ssl.trustStorePassword=password" >> >> This allows me to connect to the database without a problem. However >> now I cannot connect to any external web service because their certs >> will no longer validate. >> >> How do I configure tomcat such that the default cacerts is used in >> addition to my self-signed certificates without importing those into >> the default keystore (which is a Bad Idea™)? > > This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS > connections. > > The short answer is rather than using system properties, you should set > the keystore and truststore programmatically so they apply just to the > database connections rather than globally. > So after a bit of digging [1,2] I found that this is achieved by adding the following parameters to the mysql jdbc url in the resource definition: clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks clientCertificateKeyStorePassword=password trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks trustCertificateKeyStorePassword=changeit Note that [2] has a couple of errors. A) it specifies clientCertificateKeyStore[Url|Password] in lieu of trustStore system property, that should be trustCertificateKeyStore[Url|Password] B) it specifies specifies the urls in the form file:path_to_truststore_file, that is also incorrect it should be file://path_to_truststore_file (which will give a triple slash if an absolute path is used) [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html Hope this helps someone else that happens to read the archives. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using default cacerts AND custom keystore
On 14/02/18 17:17, Chris Cheshire wrote: > I am trying to set up my webapp to connect to an external database via > ssl. The database uses a self-signed certificate. I have created a > keystore with the self-signed CA and the client key & cert. This > keystore is configured via JAVA_OPTS in setenv.sh > > JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \ > -Djavax.net.ssl.keyStorePassword=password \ > -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \ > -Djavax.net.ssl.trustStorePassword=password" > > This allows me to connect to the database without a problem. However > now I cannot connect to any external web service because their certs > will no longer validate. > > How do I configure tomcat such that the default cacerts is used in > addition to my self-signed certificates without importing those into > the default keystore (which is a Bad Idea™)? This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS connections. The short answer is rather than using system properties, you should set the keystore and truststore programmatically so they apply just to the database connections rather than globally. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
using default cacerts AND custom keystore
I am trying to set up my webapp to connect to an external database via ssl. The database uses a self-signed certificate. I have created a keystore with the self-signed CA and the client key & cert. This keystore is configured via JAVA_OPTS in setenv.sh JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \ -Djavax.net.ssl.keyStorePassword=password \ -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \ -Djavax.net.ssl.trustStorePassword=password" This allows me to connect to the database without a problem. However now I cannot connect to any external web service because their certs will no longer validate. How do I configure tomcat such that the default cacerts is used in addition to my self-signed certificates without importing those into the default keystore (which is a Bad Idea™)? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[ANN] Apache Tomcat 7.0.85 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.85. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. This release contains a number of bug fixes and improvements compared to version 7.0.84. Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html Apache Tomcat website: http://tomcat.apache.org Downloads: http://tomcat.apache.org/download-70.cgi Migration guides from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html Enjoy The Apache Tomcat team
[ANN] Apache Tomcat 8.0.50 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.50. Please note that Apache Tomcat 8.x users should normally be using 8.5.x releases in preference to 8.0.x releases. The Apache Tomcat team announced that support for Apache Tomcat 8.0.x will end on 30 June 2018. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies. Apache Tomcat 8.0.50 includes fixes for issues identified in 8.0.49 as well as other enhancements and changes. Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html Apache Tomcat website: http://tomcat.apache.org Downloads: http://tomcat.apache.org/download-80.cgi Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x: http://tomcat.apache.org/migration.html Enjoy The Apache Tomcat team