Switch to in-memory key store in Tomcat 8.5.23 causes application to fail to load

2018-02-14 Thread Emil John
Context
---

Exact Tomcat version, operating systems, other configurations:

Current Tomcat version - 8.5.15
Operating Systems - Windows/ Linux
Upgrading to tomcat version - 8.5.23
Application - Java Application.

I have an application with Tomcat, say fooapp. I also have a custom
keystore type, say DKS (Java by default has the JKS keystore). During startup
of my application, it loads the DKS keystore to get the certificate for the
application. This is done using the following changes in server.xml


throws unimplemented method

I am setting the provider type properly in java.security which is also used
while loading the application.

Has anybody faced a similar problem?

Thanks,
Emil


Cannot get a connection, pool error Timeout waiting for idle object

2018-02-14 Thread Halder, Arpan [ITSUS Non J]
Hi All,

Need urgent help. We are using Apache Tomcat version 7.0.67 and sporadically
face an issue where the application becomes unresponsive and the error message
below is encountered in the catalina.out log:

ExceptionCannot get a connection, pool error Timeout waiting for idle object
Exception in detailorg.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot get a 
connection, pool error Timeout waiting for idle object
within doFilter of Session Filter
url :/SPECTRA/login
Chain.doFilter()..
Inside Login Method.

We have to restart the Tomcat service every time; the issue is resolved for the
time being and then reappears sporadically. Could you please advise whether we
need to change any Tomcat setting to prevent this issue from happening in future.

Please let us know if you need anything else from my side in this regard.
Thank you in advance.

Thanks and Regards,
Arpan

Arpan Halder 
Tata Consultancy Services providing services to:
Global Data and Analytics
Application Support / ITAS
Route 22 West▪NJ 08876 ▪ USA
Mobile: +1 (908) 392 2947 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Dynamic session cookie domain... possible?

2018-02-14 Thread Philippe Busque

Hello,

I'm migrating from Tomcat 8.0.X to Tomcat 9.0.5 and I have an issue I've been
dragging along for too long that I wish to correct.
I have been searching for a workaround and so far I've found nothing that
works out of the box.

Here is the situation:

We have a single webapp that can handle multiple domains, some of which are
sub-domains.
Example: www.example1.com, images.example1.com, assets.example1.com,
www.example2.com

As far as I know Tomcat only allows us to define a domain through
sessionCookieDomain in the context. But this domain is fixed.
If I set sessionCookieDomain=".example1.com", this will break www.example2.com
and vice versa.

If I leave sessionCookieDomain empty, I don't get sub-domain support as no
domain is set and the browser falls back to the domain currently being served.

All manipulation of the session cookie is managed in the
org.apache.catalina.connector.Response class and is not customizable.

So far, when we were using Tomcat 8, we were able to work around this by
overriding the method addSessionCookieInternal inside the Response class
through a facade, but this is a dirty hack and I would rather not alter any of
Tomcat's inner classes... And a proxy is out of the question, Response not
being an interface.

The other workaround I can think of is splitting *.example1.com and
example2.com into 2 separate Tomcat instances or webapps, but that would only
duplicate the resources required (RAM + disk space) for as many different domains
as we decide to support.


Is there therefore a better way to handle manipulating session cookies, or is it
frozen and out of reach for multiple subdomains?

A "SessionCookieProcessor", which would take the context and the cookie, would be
most welcome for such a case.

Thanks
--

*Philippe Busque*
, rue St-Charles Ouest,
Tour Est, bureau 255
Longueuil (Québec) Canada J4K 5G4
Tel.: 450-449-0102 ext. 3017
Fax: 450-449-8725





Re: using default cacerts AND custom keystore

2018-02-14 Thread Chris Cheshire
On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas  wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in setenv.sh
>>
>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.keyStorePassword=password \
>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.trustStorePassword=password"
>>
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>>
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
>
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> connections.
>
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.
>

So after a bit of digging [1,2] I found that this is achieved by
adding the following parameters to the mysql jdbc url in the resource
definition:

clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
clientCertificateKeyStorePassword=password
trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
trustCertificateKeyStorePassword=changeit

Note that [2] has a couple of errors.
A) it specifies clientCertificateKeyStore[Url|Password] in lieu of the
trustStore system property; that should be
trustCertificateKeyStore[Url|Password]
B) it specifies the URLs in the form
file:path_to_truststore_file, which is also incorrect; it should be
file://path_to_truststore_file (which will give a triple slash if an
absolute path is used)


[1] 
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
[2] 
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

Hope this helps someone else that happens to read the archives.

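The resource definition Chris describes, written out as a Tomcat context.xml fragment (an added example, not code from the thread). The JNDI name, database host and name, user and the password placeholders are assumed; the keystore path and the property names are the ones from the thread and the Connector/J 5.1 documentation it cites.

```xml
<!-- Added example: per-resource TLS material for the MySQL pool, placed in the
     webapp's META-INF/context.xml (or conf/Catalina/localhost/fooapp.xml).
     Nothing is passed via -Djavax.net.ssl.* in setenv.sh, so the JVM's default
     cacerts remains the trust store for every other outbound HTTPS connection. -->
<Context>

  <!--
    Driver properties (Connector/J 5.1 names), ';'-separated as Tomcat's
    connectionProperties attribute expects:
      useSSL / requireSSL          - never fall back to a plaintext connection
      verifyServerCertificate=true - not enabled by default in 5.1; without it the
                                     trust store below is never consulted
      clientCertificateKeyStore*   - client key and certificate for the database
                                     (the thread's conf/mysql.jks)
      trustCertificateKeyStore*    - the self-signed CA, scoped to this pool only
    ${catalina.base} is expanded by Tomcat when the context file is parsed.
  -->
  <Resource name="jdbc/mysql"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://db.example.internal:3306/fooapp"
            username="fooapp"
            password="DB_PASSWORD_PLACEHOLDER"
            connectionProperties="useSSL=true;requireSSL=true;verifyServerCertificate=true;clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks;clientCertificateKeyStorePassword=KEYSTORE_PASSWORD_PLACEHOLDER;trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks;trustCertificateKeyStorePassword=TRUSTSTORE_PASSWORD_PLACEHOLDER"/>

</Context>
```

The same four keystore properties can instead be appended to the url attribute as query parameters, as in Chris's message, but each `&` then has to be written as `&amp;` inside the XML attribute.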



Re: using default cacerts AND custom keystore

2018-02-14 Thread Mark Thomas
On 14/02/18 17:17, Chris Cheshire wrote:
> I am trying to set up my webapp to connect to an external database via
> ssl. The database uses a self-signed certificate. I have created a
> keystore with the self-signed CA and the client key & cert. This
> keystore is configured via JAVA_OPTS in setenv.sh
> 
> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
> -Djavax.net.ssl.keyStorePassword=password \
> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
> -Djavax.net.ssl.trustStorePassword=password"
> 
> This allows me to connect to the database without a problem. However
> now I cannot connect to any external web service because their certs
> will no longer validate.
> 
> How do I configure tomcat such that the default cacerts is used in
> addition to my self-signed certificates without importing those into
> the default keystore (which is a Bad Idea™)?

This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
connections.

The short answer is rather than using system properties, you should set
the keystore and truststore programmatically so they apply just to the
database connections rather than globally.

Mark




using default cacerts AND custom keystore

2018-02-14 Thread Chris Cheshire
I am trying to set up my webapp to connect to an external database via
ssl. The database uses a self-signed certificate. I have created a
keystore with the self-signed CA and the client key & cert. This
keystore is configured via JAVA_OPTS in setenv.sh

JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
-Djavax.net.ssl.trustStorePassword=password"

This allows me to connect to the database without a problem. However
now I cannot connect to any external web service because their certs
will no longer validate.

How do I configure tomcat such that the default cacerts is used in
addition to my self-signed certificates without importing those into
the default keystore (which is a Bad Idea™)?




[ANN] Apache Tomcat 7.0.85 released

2018-02-14 Thread Violeta Georgieva
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.85.

Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Expression Language and Java
WebSocket technologies.

This release contains a number of bug fixes and improvements compared to
version 7.0.84.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Apache Tomcat website:
http://tomcat.apache.org

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guides from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Enjoy

The Apache Tomcat team


[ANN] Apache Tomcat 8.0.50 released

2018-02-14 Thread Violeta Georgieva
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.50.

Please note that Apache Tomcat 8.x users should normally be using 8.5.x
releases in preference to 8.0.x releases. The Apache Tomcat team
announced that support for Apache Tomcat 8.0.x will end on
30 June 2018.

Apache Tomcat 8.0 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.

Apache Tomcat 8.0.50 includes fixes for issues identified in 8.0.49 as
well as other enhancements and changes.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Apache Tomcat website:
http://tomcat.apache.org

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
http://tomcat.apache.org/migration.html

Enjoy

The Apache Tomcat team