Re: [OT] tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread Christopher Schultz

Mark,

On 2/12/19 13:27, Mark Thomas wrote:
> Try again. Prompted for certificate. Select valid cert. Connection 
> refused. Ah. the trust store again. Switch back to the OpenSSL
> config.

This is a real point of confusion for users... the difference between
configuring for OpenSSL versus JSSE (especially when using OpenSSL via
JSSE).

Is there any technical reason why we can't accept either type of
certificate for either type of connector? I can't think of a reason
why we couldn't convert from one to the other if necessary.

Sure, it's a bunch of plumbing code that we have to babysit, but the
configuration will be *so* much nicer, regardless of the user's
preference (e.g. PEM-encoded DER files, just like $deity intended, or
the hellspawn that is certificate keystores).

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat configuration on proxy_ajp.conf

2019-02-12 Thread Propes, Barry L
Ok, thanks, Stephane. I'll work on configuring it similarly to what I had on my 
old one.

-Original Message-
From: [External] Stephane Passignat  
Sent: Tuesday, February 12, 2019 4:00 PM
To: Tomcat Users List 
Subject: Re: Tomcat configuration on proxy_ajp.conf

Hello,

Just load the ajp module at least once. It doesn't matter if it appears in several files;
Apache raised some warnings. I didn't see any side effect on Tomcat or Apache if
it's loaded several times. Be sure to set it up only once per vhost.

My experience is that my Apache servers mostly have the standard conf set up by package
installers, and then every vhost loads its additional modules (again)
(php, amp, proxy, ldap...). These configurations are stored in a central
versioning system and installed at deployment time. Then I can deploy apps
regardless of the initial Apache setup and operating system (this also works on
Windows).


Regards
Stephane

Sent from BlueMail
On 12 Feb. 2019, at 22:28, "Propes, Barry L"
<mailto:barry.l.pro...@citi.com.invalid> wrote:

Hi folks,

First I apologize if this seems more like an Apache question rather than a 
Tomcat question. I just got an upgraded Red Hat Linux build from 6 to 7, and 
Apache went from 2.2.15 to 2.4.6.
In my older Red Hat 6 build, I've got a tomcat.conf file that handles ProxyPass 
and ProxyPassReverse attributes.

I see something similar in the conf.d directory on the Red Hat 7 Apache build, 
with a file called "proxy_ajp.conf."

It comes with some ProxyPass lines commented out by default. I was just 
wondering if I still need a tomcat.conf file in the new build or if this 
handles this? I looked for some similar messages and threads but couldn't 
discern.
Again, apologies if this was not the right forum. If this is correct, 
affirmation of such would be great!

Thank you!


Barry Propes
Citimortgage



Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread John Palmer
You're (both) quite right, my apologies.
(this is embarrassing)

In my defense, I've been bouncing back and forth between my personal
desktop machine (windows 10)
where I was having this issue...
and a development server, where this was working just fine.

While at lunch, it occurred to me to wonder if I had the same Tomcat and
TC-Native bits on each... confirmed after lunch that these were different.
(tc-native 1.2.21 on the desktop, 1.2.19 on the server)
Changed those on my desktop to match those of the server, same issue...
compared the server.xml files and found that on the desktop, where I had
put back the older (7.x) format Connector stuff and - (the mistake) - left
the clientAuth setting at "want" rather than "true".
corrected that, working as expected.

Went back to the OpenSSL Connector format and saw new errors...
(useServerCipherSuitesOrder="true" in the Connector section caused a
_default_hostConfig (something like that) error... PROBABLY because I had
moved the SSLProtocols to the SSLHostConfig section; moved the
useServerCipherSuitesOrder attribute to the SSLHostConfig section and
renamed it to honorCipherOrder to fix that).
Also found I had to add the truststoreType and truststorePassword
attributes to the SSLHostConfig element (docs seem to say that's ONLY
for JSSE syntax - but I may be misunderstanding that),

long story short, I now have a Connector element that works correctly:

retested with tc-native 1.2.21 on the desktop...  and it's working as
expected.
(Still not sure what was going on previously).

thanks, again.


On Tue, Feb 12, 2019 at 12:27 PM Mark Thomas  wrote:

> On 12/02/2019 17:21, John Palmer wrote:
> > using the old Connector/clientAuth="true" or the new
> > Connector/SSLHostConfig/  certificateVerification="REQUIRED"
> (tried
> > lowercase and without the D) format... doesn't seem to work properly.
> >
> > no matter what value I use or which format... the behavior seems to be
> that
> > the client cert is prompted for, but is optional (the web pages are
> > shown whether a cert is selected or Cancel is selected on the prompt.
> > (in the latter case, a JSP scriptlet that shows X509 certificate content
> > throws an error, confirming that the client certificate was not sent).
> >
> > (Openssl s_client cmd confirms that the "Acceptable client certificate CA
> > names"
> > from the trustStore specified ARE being sent).
> >
> > I don't doubt that I'm missing (mistyping or misunderstanding) something
> > (again), but I'm gonna ask for help a little sooner this time  rather
> than
> > continuing to beat a dead horse   :) ...
>
> Maybe. Or you might have hit a Tomcat bug.
>
> So, starting with a clean build of the latest 8.5.x source...
>
> Enable TLS (uncomment the second of the commented-out TLS connectors in
> the default server.xml), switch it to NIO2 from APR/native and copy the
> key, cert, etc. into the correct locations.
>
> Starts with TLS enabled with NIO2 (JSSE) on 8443. Can connect with Chrome.
>
> Add certificateVerification="required" to the SSLHostConfig and restart.
>
> Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
> rejected. Ah. No trust store configured on the connector.
>
> Add caCertificateFile="conf/ca-rsa-cert.pem" to SSLHostConfig and restart.
>
> Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
> rejected. Realised I tried to use OpenSSL config and I'm using JSSE.
> Removed caCertificateFile="conf/ca-rsa-cert.pem" and added
> truststoreFile="conf/ca-rsa.jks" to SSLHostConfig.
>
> Starts with TLS enabled with NIO2 on 8443. Connection from Chrome
> prompts for client cert. Click cancel - connection rejected. As
> expected. Try again, this time selecting a certificate - connection
> allowed.
>
> All working as expected.
>
> Add Tomcat Native (so OpenSSL is used for TLS).
>
> Tomcat starts with NIO2 (OpenSSL) on port 8443.
>
> Prompted for user certificate. Click cancel. Connection refused.
>
> Try again. Prompted for certificate. Select valid cert. Connection
> refused. Ah. the trust store again. Switch back to the OpenSSL config.
>
> Tomcat starts with NIO2 (OpenSSL) on port 8443.
>
> Prompted for user certificate. Click cancel. Connection refused.
>
> Try again. Prompted for certificate. Select valid cert. Connection allowed.
>
> All seems to be working as expected here.
>
> Mark
>
>
>


Re: Tomcat configuration on proxy_ajp.conf

2019-02-12 Thread Stephane Passignat
Hello,

Just load the ajp module at least once. It doesn't matter if it appears in several files;
Apache raised some warnings. I didn't see any side effect on Tomcat or Apache if
it's loaded several times. Be sure to set it up only once per vhost.

My experience is that my Apache servers mostly have the standard conf set up by package
installers, and then every vhost loads its additional modules (again)
(php, amp, proxy, ldap...). These configurations are stored in a central
versioning system and installed at deployment time. Then I can deploy apps
regardless of the initial Apache setup and operating system (this also works on
Windows).


Regards
Stephane

Sent from BlueMail
On 12 Feb. 2019, at 22:28, "Propes, Barry L"
<mailto:barry.l.pro...@citi.com.invalid> wrote:

Hi folks,

First I apologize if this seems more like an Apache question rather than a 
Tomcat question. I just got an upgraded Red Hat Linux build from 6 to 7, and 
Apache went from 2.2.15 to 2.4.6.
In my older Red Hat 6 build, I've got a tomcat.conf file that handles ProxyPass 
and ProxyPassReverse attributes.

I see something similar in the conf.d directory on the Red Hat 7 Apache build, 
with a file called "proxy_ajp.conf."

It comes with some ProxyPass lines commented out by default. I was just 
wondering if I still need a tomcat.conf file in the new build or if this 
handles this? I looked for some similar messages and threads but couldn't 
discern.
Again, apologies if this was not the right forum. If this is correct, 
affirmation of such would be great!

Thank you!


Barry Propes
Citimortgage



Tomcat configuration on proxy_ajp.conf

2019-02-12 Thread Propes, Barry L
Hi folks,

First I apologize if this seems more like an Apache question rather than a 
Tomcat question. I just got an upgraded Red Hat Linux build from 6 to 7, and 
Apache went from 2.2.15 to 2.4.6.
In my older Red Hat 6 build, I've got a tomcat.conf file that handles ProxyPass 
and ProxyPassReverse attributes.

I see something similar in the conf.d directory on the Red Hat 7 Apache build, 
with a file called "proxy_ajp.conf."

It comes with some ProxyPass lines commented out by default. I was just 
wondering if I still need a tomcat.conf file in the new build or if this 
handles this? I looked for some similar messages and threads but couldn't 
discern.
Again, apologies if this was not the right forum. If this is correct, 
affirmation of such would be great!

Thank you!


Barry Propes
Citimortgage



Re: Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Herb Burnswell
On Tue, Feb 12, 2019 at 11:37 AM Herb Burnswell 
wrote:

>
>
> On Tue, Feb 12, 2019 at 11:26 AM Mark Thomas  wrote:
>
>> On 12/02/2019 19:21, Herb Burnswell wrote:
>> > All,
>> >
>> > Tomcat: 8.5.23
>> > OS: RHEL 7.5
>> >
>> > I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
>> > starts successfully but I receive a timeout when trying to access
>> > either of the defined server names.
>>
>> 
>>
>> > As mentioned, Tomcat starts successfully, but the sites time out.  There
>> is
>> > nothing in the logs that indicate a request is even made.
>> >
>> > Am I missing something in this configuration?  Any guidance is greatly
>> > appreciated.
>>
>> What do the logs say when Tomcat starts with the non-working
>> configuration?
>>
>> Mark
>>
>>
>>
>
> Thanks for the reply Mark.  Unfortunately there is no extra information in
> the logs from the non-working configuration.  It appears that everything
> starts successfully with working and non-working configuration.
>
> As mentioned, the timeout attempting to connect to the SNI domains does
> not register in the logs either.
>
> HB
>


Damn, my bad.  I figured it out.

Embarrassingly, I had an incorrect password for one of the keystores.  I
was focusing so much on the configuration parameters I overlooked the
simple part.

Thanks,

HB


Re: Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Herb Burnswell
On Tue, Feb 12, 2019 at 11:26 AM Mark Thomas  wrote:

> On 12/02/2019 19:21, Herb Burnswell wrote:
> > All,
> >
> > Tomcat: 8.5.23
> > OS: RHEL 7.5
> >
> > I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
> > starts successfully but I receive a timeout when trying to access
> > either of the defined server names.
>
> 
>
> > As mentioned, Tomcat starts successfully, but the sites time out.  There
> is
> > nothing in the logs that indicate a request is even made.
> >
> > Am I missing something in this configuration?  Any guidance is greatly
> > appreciated.
>
> What do the logs say when Tomcat starts with the non-working configuration?
>
> Mark
>
>
>

Thanks for the reply Mark.  Unfortunately there is no extra information in the
logs from the non-working configuration.  It appears that everything starts
successfully with working and non-working configuration.

As mentioned, the timeout attempting to connect to the SNI domains does not
register in the logs either.

HB


Re: Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Mark Thomas
On 12/02/2019 19:21, Herb Burnswell wrote:
> All,
> 
> Tomcat: 8.5.23
> OS: RHEL 7.5
> 
> I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
> starts successfully but I receive a timeout when trying to access
> either of the defined server names.



> As mentioned, Tomcat starts successfully, but the sites time out.  There is
> nothing in the logs that indicate a request is even made.
> 
> Am I missing something in this configuration?  Any guidance is greatly
> appreciated.

What do the logs say when Tomcat starts with the non-working configuration?

Mark




Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Herb Burnswell
All,

Tomcat: 8.5.23
OS: RHEL 7.5

I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
starts successfully but I receive a timeout when trying to access
either of the defined server names.

Here is a single server name configuration that works successfully:

Here is the SNI configuration that I'm trying:

As mentioned, Tomcat starts successfully, but the sites time out.  There is
nothing in the logs that indicate a request is even made.

Am I missing something in this configuration?  Any guidance is greatly
appreciated.

Best,

HB


Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread Mark Thomas
On 12/02/2019 17:21, John Palmer wrote:
> using the old Connector/clientAuth="true" or the new
> Connector/SSLHostConfig/  certificateVerification="REQUIRED" (tried
> lowercase and without the D) format... doesn't seem to work properly.
> 
> no matter what value I use or which format... the behavior seems to be that
> the client cert is prompted for, but is optional (the web pages are
> shown whether a cert is selected or Cancel is selected on the prompt.
> (in the latter case, a JSP scriptlet that shows X509 certificate content
> throws an error, confirming that the client certificate was not sent).
> 
> (Openssl s_client cmd confirms that the "Acceptable client certificate CA
> names"
> from the trustStore specified ARE being sent).
> 
> I don't doubt that I'm missing (mistyping or misunderstanding) something
> (again), but I'm gonna ask for help a little sooner this time  rather than
> continuing to beat a dead horse   :) ...

Maybe. Or you might have hit a Tomcat bug.

So, starting with a clean build of the latest 8.5.x source...

Enable TLS (uncomment the second of the commented-out TLS connectors in
the default server.xml), switch it to NIO2 from APR/native and copy the
key, cert, etc. into the correct locations.

Starts with TLS enabled with NIO2 (JSSE) on 8443. Can connect with Chrome.

Add certificateVerification="required" to the SSLHostConfig and restart.

Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
rejected. Ah. No trust store configured on the connector.

Add caCertificateFile="conf/ca-rsa-cert.pem" to SSLHostConfig and restart.

Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
rejected. Realised I tried to use OpenSSL config and I'm using JSSE.
Removed caCertificateFile="conf/ca-rsa-cert.pem" and added
truststoreFile="conf/ca-rsa.jks" to SSLHostConfig.

Starts with TLS enabled with NIO2 on 8443. Connection from Chrome
prompts for client cert. Click cancel - connection rejected. As
expected. Try again, this time selecting a certificate - connection allowed.

All working as expected.

Add Tomcat Native (so OpenSSL is used for TLS).

Tomcat starts with NIO2 (OpenSSL) on port 8443.

Prompted for user certificate. Click cancel. Connection refused.

Try again. Prompted for certificate. Select valid cert. Connection
refused. Ah. the trust store again. Switch back to the OpenSSL config.

Tomcat starts with NIO2 (OpenSSL) on port 8443.

Prompted for user certificate. Click cancel. Connection refused.

Try again. Prompted for certificate. Select valid cert. Connection allowed.

All seems to be working as expected here.

Mark

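Mark's walkthrough above and Herb's two-keystore SNI question earlier on the page both come down to server.xml attributes that Tomcat accepts without complaint but that only work with one TLS implementation or one hostName layout. As an added example (not code from the thread or from Tomcat), here is a small Python lint that reads a server.xml and reports: a certificateVerification/clientAuth value that only requests a certificate (the "want" mistake John describes), a required verification with no trust anchor in the form the active implementation reads (truststoreFile for JSSE, caCertificateFile/caCertificatePath for OpenSSL, following Mark's test), and an SNI layout where no SSLHostConfig hostName matches the connector's defaultSSLHostConfigName. The alias list for verification values, the case-insensitive hostName match and the sample server.xml fragments (placeholder paths and passwords) are this example's assumptions. Whether OpenSSL is in use is passed in as a flag, because Tomcat Native on the library path moves an NIO2 connector onto OpenSSL without any change to the XML.

```python
import xml.etree.ElementTree as ET

# Spellings accepted for certificateVerification (and legacy clientAuth), mapped
# to the documented modes. The alias list is this example's assumption.
VERIFICATION_ALIASES = {
    "true": "required", "yes": "required", "required": "required", "require": "required",
    "optional": "optional", "want": "optional", "optionalnoca": "optionalNoCA",
    "false": "none", "no": "none", "none": "none",
}
CERT_KEYS = ("certificateKeystoreFile", "certificateFile", "certificateKeyFile")


def normalise_verification(value):
    """Map a raw attribute value to a mode name; None means unrecognised."""
    return "none" if value is None else VERIFICATION_ALIASES.get(value.strip().lower())


def host_configs(conn):
    """Yield (hostName, attributes) per SSLHostConfig. A 7.x-style Connector that
    carries the TLS attributes itself is reported as one default host config."""
    configs = conn.findall("SSLHostConfig")
    if not configs:
        yield "_default_", {
            "certificateVerification": conn.get("clientAuth"),
            "truststoreFile": conn.get("truststoreFile"),
            "caCertificateFile": conn.get("SSLCACertificateFile"),
            "certificateKeystoreFile": conn.get("keystoreFile"),
            "certificateFile": conn.get("SSLCertificateFile"),
        }
        return
    for cfg in configs:
        attrs = dict(cfg.attrib)
        for cert in cfg.findall("Certificate"):  # nested <Certificate> form
            for key in CERT_KEYS:
                if key in cert.attrib:
                    attrs.setdefault(key, cert.attrib[key])
        yield attrs.get("hostName") or "_default_", attrs


def lint_server_xml(xml_text, openssl_loaded):
    """Return [(severity, port, message), ...] for every TLS-enabled Connector.
    openssl_loaded: True when Tomcat Native is on the library path; that alone
    moves NIO/NIO2 onto OpenSSL for TLS with no change to server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        use_openssl = openssl_loaded or "openssl" in conn.get("sslImplementationName", "").lower()
        seen = set()
        for name, attrs in host_configs(conn):
            key = name.lower()  # assumed: Tomcat matches hostName case-insensitively
            if key in seen:
                findings.append(("error", port, f"duplicate SSLHostConfig hostName {name!r}"))
            seen.add(key)
            if not any(attrs.get(k) for k in CERT_KEYS):
                findings.append(("error", port, f"{name!r}: no server certificate configured"))
            mode = normalise_verification(attrs.get("certificateVerification"))
            if mode is None:
                findings.append(("error", port, f"{name!r}: unrecognised certificateVerification "
                                 f"{attrs['certificateVerification']!r}"))
                continue
            if mode == "optional":  # the clientAuth="want" mistake from the thread
                findings.append(("info", port, f"{name!r}: client certificate is requested but "
                                 "not required; use \"required\" to reject clients that send none"))
            if mode in ("required", "optional"):
                has_jsse = bool(attrs.get("truststoreFile"))
                has_ossl = bool(attrs.get("caCertificateFile") or attrs.get("caCertificatePath"))
                if use_openssl and not has_ossl:
                    findings.append(("warn", port, f"{name!r}: OpenSSL handles TLS but no "
                                     "caCertificateFile/caCertificatePath is set"
                                     + (" (truststoreFile is the JSSE form)" if has_jsse else "")))
                elif not use_openssl and not has_jsse:
                    findings.append(("error", port, f"{name!r}: JSSE handles TLS but no truststoreFile "
                                     "is set" + (" (caCertificateFile is the OpenSSL form)" if has_ossl else "")))
        default_name = conn.get("defaultSSLHostConfigName", "_default_").lower()
        if default_name not in seen:
            findings.append(("error", port, f"no SSLHostConfig hostName matches defaultSSLHostConfigName "
                             f"{default_name!r}; Tomcat will not start the connector"))
    return findings


# Constructed server.xml fragments (not from the thread; paths and passwords are placeholders).
JSSE_REQUIRED = """<Server><Service><Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol">
  <SSLHostConfig certificateVerification="required" truststoreFile="conf/ca-rsa.jks" truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig></Connector></Service></Server>"""
LEGACY_WANT = """<Server><Service><Connector port="8443" SSLEnabled="true" sslProtocol="TLS"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol" clientAuth="want"
    keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit"
    truststoreFile="conf/ca-rsa.jks" truststorePass="changeit"/></Service></Server>"""
SNI_NO_DEFAULT = """<Server><Service><Connector port="8443" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol">
  <SSLHostConfig hostName="app1.example.test">
    <Certificate certificateKeystoreFile="conf/app1.jks" certificateKeystorePassword="changeit"/></SSLHostConfig>
  <SSLHostConfig hostName="app2.example.test">
    <Certificate certificateKeystoreFile="conf/app2.jks" certificateKeystorePassword="changeit"/></SSLHostConfig>
</Connector></Service></Server>"""

if __name__ == "__main__":
    for label, xml, ossl in (("JSSE", JSSE_REQUIRED, False), ("JSSE + tcnative", JSSE_REQUIRED, True),
                             ("clientAuth=want", LEGACY_WANT, False), ("SNI, no default", SNI_NO_DEFAULT, False)):
        print(label, lint_server_xml(xml, ossl))
```

Treat the OpenSSL trust-store finding as a warning to confirm with the handshake test Mark describes (cancel the certificate prompt, then present a valid certificate): John's final working configuration kept a JKS truststore on the SSLHostConfig with OpenSSL, so the engine can consume one in some setups. The lint cannot catch Herb's actual cause, a wrong keystore password, since that only surfaces when the keystore is opened.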



Re: Documentation difference between Apache Tomcat 8.0 and 8.5

2019-02-12 Thread Konstantin Kolinko
Tue, 12 Feb 2019 at 17:28, Christopher Schultz:
>
> Maybe so you can use syslog to aggregate all your logs? AFAIK, there
> is not a good way to send JULI logging to syslog, but log4j supports it.

Certainly, there exists a way. I have not used it yet though.

https://stackoverflow.com/questions/2311697/is-there-a-robust-java-util-logging-handler-implementation-of-syslog
http://rusv.github.io/agafua-syslog/

Best regards,
Konstantin Kolinko




Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread Christopher Schultz

John,

On 2/12/19 12:21, John Palmer wrote:
> using the old Connector/clientAuth="true" or the new 
> Connector/SSLHostConfig/
> certificateVerification="REQUIRED" (tried lowercase and without the
> D) format... doesn't seem to work properly.
> 
> no matter what value I use or which format... the behavior seems to
> be that the client cert is prompted for, but is optional (the
> web pages are shown whether a cert is selected or Cancel is
> selected on the prompt. (in the latter case, a JSP scriptlet that
> shows X509 certificate content throws an error, confirming that the
> client certificate was not sent).
> 
> (Openssl s_client cmd confirms that the "Acceptable client
> certificate CA names" from the trustStore specified ARE being
> sent).
> 
> I don't doubt that I'm missing (mistyping or misunderstanding)
> something (again), but I'm gonna ask for help a little sooner this
> time  rather than continuing to beat a dead horse   :) ...

Can you copy/paste your actual configuration?

- -chris




tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread John Palmer
using the old Connector/clientAuth="true" or the new
Connector/SSLHostConfig/  certificateVerification="REQUIRED" (tried
lowercase and without the D) format... doesn't seem to work properly.

no matter what value I use or which format... the behavior seems to be that
the client cert is prompted for, but is optional (the web pages are
shown whether a cert is selected or Cancel is selected on the prompt.
(in the latter case, a JSP scriptlet that shows X509 certificate content
throws an error, confirming that the client certificate was not sent).

(Openssl s_client cmd confirms that the "Acceptable client certificate CA
names"
from the trustStore specified ARE being sent).

I don't doubt that I'm missing (mistyping or misunderstanding) something
(again), but I'm gonna ask for help a little sooner this time  rather than
continuing to beat a dead horse   :) ...

thanks again..
John


Re: Documentation difference between Apache Tomcat 8.0 and 8.5

2019-02-12 Thread Christopher Schultz

Mark,

On 2/12/19 05:51, Mark Thomas wrote:
> On 12/02/2019 09:24, Sashidharan Ramamurthy wrote:
>> Hi Tomcat User group,
>> 
>> In the "Logging In Tomcat" page, in 8.0 version, there is a link
>> and section detailing how to use Apache log4j instead of
>> "java.util.logging"
>> 
>> But the same content is not visible in 8.5 version.
>> 
>> My query is whether from 8.5 or above, is the capability of using
>> apache log4j disabled and we have to use only JULI? Also, there
>> is no tomcat-juli-adapters library in extras of apache 8.5
>> version.
>> 
>> We are using tomcat 8.5.33 in our machines.
>> 
>> Kindly answer this please!! Have removed the links where
>> documentation sites are mentioned..
> 
> Apache log4j 1.x is no longer supported so the adapters and
> associated documentation have been removed from 8.5.x onwards.
> 
> If you wish to use Apache log4j 2.x then you should be able to use
> the log4j / java.util.logging bridge although that does beg the
> question why?
> 
> Applications (as they always have been) are free to configure any 
> logging mechanism they wish. Why do you want to change the
> framework Tomcat uses for its internal logging?

Maybe so you can use syslog to aggregate all your logs? AFAIK, there
is not a good way to send JULI logging to syslog, but log4j supports it.

- -chris




Re: StaticMembers within Multiple Clusters

2019-02-12 Thread Tim K
On Tue, Feb 12, 2019, 3:17 AM Keiichi Fujino  wrote:

>
> Are you using SSO(org.apache.catalina.authenticator.SingleSignOn)?
> DeltaManager/BackupManager replicate sessions. They do not replicate SSO
> entries.
>
> If you want to replicate SSO Entry in cluster, you can use
> ClusterSingleSignOn.
>
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-valve.html#org.apache.catalina.ha.authenticator.ClusterSingleSignOn
>
>
>
> --
> Keiichi.Fujino
>

Yes.  I tried adding a Valve element for ClusterSingleSignOn to my Cluster
(removed the JvmBinderValue I had) and upon login, I'm noticing that
subsequent calls to my app are removing my SSO cookie, but I don't
understand why.  It successfully gets created but a subsequent call
immediately removes it.

>


OCSP Stapling with Tomcat 8.5

2019-02-12 Thread logo
Hi all,

I’m wondering why I get 

OCSP Must Staple        Supported, OCSP response not stapled
Revocation information  OCSP
OCSP: http://ocsp.int-x3.letsencrypt.org

with the SSLlabs check on both the JSSE and the APR connector. The same cert is 
working on Apache or Nginx.

My version info is: 
Server version: Apache Tomcat/8.5.38
Server built:   Feb 5 2019 11:42:42 UTC
Server number:  8.5.38.0
OS Name:Linux
OS Version: 4.9.93-boot2docker
Architecture:   amd64
JVM Version:11.0.2+9-Debian-3
JVM Vendor: Oracle Corporation

My understanding is that tomcat should use OCSP stapling out of the box since 
Java9 with -Djdk.tls.server.enableStatusRequestExtension=true set or APR with 
an OCSP enabled (Let’sEncrypt) certificate.

The documentation on 
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
 is not quite clear. I don’t have any client certs to validate. So neither 
option for the certificateVerification attribute makes sense to me.

openssl s_client -connect :443  -servername  -tlsextdebug  
-status  gives me "OCSP response: no response sent“. I have checked that the 
docker container can reach let’s encrypt’s responder.
(BTW 443 is natted to 8443/8843 internally)

Could you please lead me into the right direction? What am I missing?

Thank you.

Peter

Re: Documentation difference between Apache Tomcat 8.0 and 8.5

2019-02-12 Thread Mark Thomas
On 12/02/2019 09:24, Sashidharan Ramamurthy wrote:
> Hi Tomcat User group,
> 
> In the "Logging In Tomcat" page, in 8.0 version, there is a link and section 
> detailing how to use Apache log4j instead of "java.util.logging"
> 
> But the same content is not visible in 8.5 version.
> 
> My query is whether from 8.5 or above, is the capability of using apache 
> log4j disabled and we have to use only JULI? Also, there is no 
> tomcat-juli-adapters library in extras of apache 8.5 version.
> 
> We are using tomcat 8.5.33 in our machines.
> 
> Kindly answer this please!! Have removed the links where documentation sites 
> are mentioned..

Apache log4j 1.x is no longer supported so the adapters and associated
documentation have been removed from 8.5.x onwards.

If you wish to use Apache log4j 2.x then you should be able to use the
log4j / java.util.logging bridge although that does beg the question why?

Applications (as they always have been) are free to configure any
logging mechanism they wish. Why do you want to change the framework
Tomcat uses for its internal logging?

Mark




Documentation difference between Apache Tomcat 8.0 and 8.5

2019-02-12 Thread Sashidharan Ramamurthy
Hi Tomcat User group,

In the "Logging In Tomcat" page, in 8.0 version, there is a link and section 
detailing how to use Apache log4j instead of "java.util.logging"

But the same content is not visible in 8.5 version.

My query is whether from 8.5 or above, is the capability of using apache log4j 
disabled and we have to use only JULI? Also, there is no tomcat-juli-adapters 
library in extras of apache 8.5 version.

We are using tomcat 8.5.33 in our machines.

Kindly answer this please!! Have removed the links where documentation sites 
are mentioned..

Thanks and Regards,
Sashi


Documentation difference between Apache Tomcat 8.0 and 8.5

2019-02-12 Thread Sashidharan Ramamurthy
Hi Tomcat User group,

In the "Logging In Tomcat" page, in 8.0 version, there is a link and section 
detailing how to use Apache log4j instead of "java.util.logging"

But the same content is not visible in 8.5 version.

Please note both pages reference below.

https://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_Log4j
https://tomcat.apache.org/tomcat-8.5-doc/logging.html

My query is whether from 8.5 or above, is the capability of using apache log4j 
disabled and we have to use only JULI? Also, there is no tomcat-juli-adapters 
library in extras of apache 8.5 version.

We are using tomcat 8.5.33 in our machines.

Kindly answer this please!!

Thanks and Regards,
Sashi


Re: StaticMembers within Multiple Clusters

2019-02-12 Thread Keiichi Fujino
Tue, 12 Feb 2019 at 1:28, Tim K:

> On Fri, Jan 18, 2019, 12:44 PM Tim K  wrote:
>
> > On Fri, Jan 18, 2019 at 11:05 AM Christopher Schultz
> >  wrote:
> > >
> > > Tim,
> > >
> > > On 1/18/19 06:38, Tim K wrote:
> > > > Thanks for this.  The video helps explain it a bit better than the
> > > > documentation.  So I set it up with a backup manager instead of the
> > > > delta manager, changing the channelSendOptions to 6 for the
> > > > cluster.
> > >
> > > If you think you can help clarify the documentation, patches are of
> > > course always welcome.
> > >
> > > > From a maintenance standpoint, what is the best way to stop/start
> > > > the nodes without losing sessions; one at a time, letting it fully
> > > > come up before moving on to the next one (like a ripple restart)?
> > > > I presume you don't want too many nodes to be down at a single
> > > > time.
> > >
> > > I definitely wouldn't bring two down simultaneously if you can avoid
> > > it. The cluster needs time to re-stabilize after the loss of a member,
> > > meaning that new backup nodes must be selected for each session and
> > > then the sessions must be transmitted to those backups nodes. If you
> > > have small amounts of data in the sessions, this will probably be
> > > fairly fast. If you have lots of data or a very busy network, it will
> > > take longer.
> > >
> > > I would recommend setting-up a scenario (even in production) where you
> > > intentionally disable a node in the cluster and watch to see how long
> > > the cluster takes to re-stabilize. I think you'll learn a lot from
> > > that exercise and it will help you plan for scheduled maintenance and
> > > downtime.
> > >
> > > - -chris
> >
> > Is there a way to tell which server was assigned as the primary and
> > backup roles?
> >
> > When I stop a member, is it this line which would tell me how long it
> > took to sync up the sessions?
> > Relocation of map entries was complete in [X] ms.
> >
> > Another question, I'm using the StaticMembershipService; do I need to
> > define a LocalMember for each of my nodes or is that optional/assumed?
> >
> > Also, I recall reading something about the uniqueId might not really
> > be used?  Do I need to set that for each member?
> >
>
>
> I'm noticing my SSO cookie is being removed when I force myself to another
> node.  Is this a bug?
>
>
>
Are you using SSO(org.apache.catalina.authenticator.SingleSignOn)?
DeltaManager/BackupManager replicate sessions. They do not replicate SSO
entries.

If you want to replicate SSO Entry in cluster, you can use
ClusterSingleSignOn.

http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-valve.html#org.apache.catalina.ha.authenticator.ClusterSingleSignOn



-- 
Keiichi.Fujino