Re: SSLHostConfig configuration

2019-09-10 Thread Herb Burnswell
On Tue, Sep 10, 2019 at 5:38 AM Mark Thomas  wrote:

> On 10/09/2019 13:14, Herb Burnswell wrote:
>
> 
>
> > My apologies for my ignorance here, when you say 'configured on the
> > SSLHostConfig' are you saying it should NOT be in this block:
> >
> >  
> >
> > 
> >
> > certificateKeystoreFile="/app/config/keystore.p12"
> > certificateKeyAlias="example_wildcard"
> > certificateKeystorePassword="maskedpasswd"
> > truststoreFile="/app/config/truststore.p12"
> > truststorePassword="maskedpasswd"
> > type="RSA"/>
> >
> > 
> >
> > 
> >
> > This is how I tried to configure it and we still receive the
> > "trustAnchors parameter must be non-empty" error.  Can you clarify where
> > you mean the truststore directives should be defined?
>
> > You need to move the trust store config from the Certificate to the
> > SSLHostConfig like this:
>
> > <SSLHostConfig
> >     hostName="*.example1.com"
> >     truststoreFile="/app/config/truststore.p12"
> >     truststorePassword="maskedpasswd"
> >     >
> >   <Certificate
> >       certificateKeystoreType="PKCS12"
> >       certificateKeystoreFile="/app/config/keystore.p12"
> >       certificateKeyAlias="example_wildcard"
> >       certificateKeystorePassword="maskedpasswd"
> >       type="RSA"
> >       />
> > </SSLHostConfig>
>
> > Mark
>

Thank you Mark, that appears to have done the trick.  Greatly appreciated..

HB

>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
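
Added example (not part of the thread and not Tomcat project code): a small Python check for the fix Mark describes above, flagging truststore attributes left on a Certificate element and moving them to the parent SSLHostConfig. The sample server.xml is constructed; the *.example2.com host and keystore2.p12 path are hypothetical, and the attribute list goes beyond truststoreFile/truststorePassword to cover SSLHostConfig's other truststore settings.

```python
import xml.etree.ElementTree as ET

# Trust store attributes that belong on <SSLHostConfig>, not on <Certificate>.
TRUSTSTORE_ATTRS = ("truststoreFile", "truststorePassword", "truststoreType",
                    "truststoreProvider", "truststoreAlgorithm")

# Constructed sample modelled on the configuration quoted in the thread.
# The second host (*.example2.com, keystore2.p12) is hypothetical.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig hostName="*.example1.com">
        <Certificate certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example_wildcard"
                     certificateKeystorePassword="maskedpasswd"
                     truststoreFile="/app/config/truststore.p12"
                     truststorePassword="maskedpasswd"
                     type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="*.example2.com"
                     truststoreFile="/app/config/truststore.p12"
                     truststorePassword="maskedpasswd">
        <Certificate certificateKeystoreFile="/app/config/keystore2.p12"
                     certificateKeystorePassword="maskedpasswd"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def find_misplaced_truststore(server_xml):
    """Return (hostName, attribute) pairs for truststore attributes on <Certificate>."""
    root = ET.fromstring(server_xml)
    findings = []
    for host in root.iter("SSLHostConfig"):
        # Tomcat uses "_default_" when hostName is not set.
        host_name = host.get("hostName", "_default_")
        for cert in host.findall("Certificate"):
            for attr in TRUSTSTORE_ATTRS:
                if attr in cert.attrib:
                    findings.append((host_name, attr))
    return findings


def relocate_truststore(server_xml):
    """Move misplaced truststore attributes up to the parent <SSLHostConfig>."""
    root = ET.fromstring(server_xml)
    for host in root.iter("SSLHostConfig"):
        for cert in host.findall("Certificate"):
            for attr in TRUSTSTORE_ATTRS:
                if attr in cert.attrib:
                    value = cert.attrib.pop(attr)
                    # Keep an explicit host-level value if one is already set.
                    host.attrib.setdefault(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Report attribute names only; password values are never printed.
    for host_name, attr in find_misplaced_truststore(SAMPLE_SERVER_XML):
        print(f"{host_name}: move {attr} from <Certificate> to <SSLHostConfig>")
    fixed = relocate_truststore(SAMPLE_SERVER_XML)
    print("remaining findings:", find_misplaced_truststore(fixed))
```
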


Re: SSLHostConfig configuration

2019-09-10 Thread Herb Burnswell
On Tue, Sep 10, 2019 at 3:46 AM Mark Thomas  wrote

>
> 
>
> >> Questions:
> >>
> >> 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly
> >> now requires truststore information in this connector configuration?
>
> > There have been several changes aimed at making it easier to switch
> > between JSSE and OpenSSL based TLS implementations. Tomcat tries to
> > store all provided keys and certs in an in-memory Java keystore and then
> > provides the connectors with the keys and certs in the format they
> > require. With the wide range of keystores and key formats there have
> > been a few edge cases where the translation process broke. This looks
> > like one of them.
>
> > There are additional fixes in later 8.5.x releases so you may wish to
> > try one of those.
>
Thank you for the information.  As far as using a newer version of Tomcat
with fixes, we want to go with the 8.5.40 version that is packaged with the
application for support reasons.


> >> 2. What needs to be done to allow this to work in the 8.5.40 Tomcat
> >> version?
>
> > truststoreFile and truststorePassword should be configured on the
> > SSLHostConfig not on the Certificate element.
>

My apologies for my ignorance here, when you say 'configured on the
SSLHostConfig' are you saying it should NOT be in this block:

 









This is how I tried to configure it and we still receive the "trustAnchors
parameter must be non-empty" error.  Can you clarify where you mean the
truststore directives should be defined?

Thanks again,

HB


> Mark
>
>
>


SSLHostConfig configuration

2019-09-09 Thread Herb Burnswell
All,

We have a Tomcat application (that ships/includes Tomcat with it) that
requires we use multiple domains and therefore set up SSLHostConfig
settings in our server.xml file to accommodate each domain.  We have been
using this configuration and it works well:

Tomcat 8.5.32





















   


This works fine in 8.5.32.  However, we are rolling out an updated version
of the application and it ships with Tomcat 8.5.40.  If we try to run with
the same configuration above in the 8.5.40 version of Tomcat, the
application fails to start with the following SEVERE error:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.software.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 18 more
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter
must be non-empty
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 19 more
Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
at
java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
at
java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
at
org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:483)
at
org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:414)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 26 more

As you can see it complains about "trustAnchors parameter must be
non-empty".  However if I try to add trust entry lines into the connector
config:





I still receive the same SEVERE error.

Questions:

1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly now
requires truststore information in this connector configuration?

2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?

Thanks in advance, any guidance is greatly appreciated.

HB


Re: Tomcat session management with Redisson

2019-02-24 Thread Herb Burnswell
On Mon, Feb 18, 2019 at 11:13 AM Harpreet Sandhu  wrote:

> If you want to go with redis in HA environment. You should opt for redis
> sentinel over master-slave architecture.
>

Thanks Harpreet.  I did switch to using the sentinel configuration as I
have:

sentinel 1  -- sentinel 2  sentinel 3

redis master --- redis slave

However, the application says it cannot connect to the sentinel servers:

INFO   | jvm 1| main| 2019/02/18 15:23:11.722 |
[localhost-startStop-1] WARN
org.redisson.connection.SentinelConnectionManager - Can't connect to
sentinel server. Unable to connect to: node1:26379
INFO   | jvm 1| main| 2019/02/18 15:23:11.722 |
[localhost-startStop-1] WARN
org.redisson.connection.SentinelConnectionManager - Can't connect to
sentinel server. Unable to connect to: node2:26379
INFO   | jvm 1| main| 2019/02/18 15:23:11.722 |
[localhost-startStop-1] WARN
org.redisson.connection.SentinelConnectionManager - Can't connect to
sentinel server. Unable to connect to: node3:26379

I posted a question on the redis-db google group as I thought it may not be
appropriate for this Tomcat User Group:

https://groups.google.com/forum/#!topic/redis-db/-mTTnahSgZo

If you have experience with the Tomcat --> Sentinel connectivity, I'd be
grateful for any guidance..

thanks,

HB



> On Tue 19 Feb, 2019, 12:29 AM Herb Burnswell  wrote:
>
> > On Fri, Feb 15, 2019 at 12:21 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > >
> > > Herb,
> > >
> > > On 2/14/19 12:41, Herb Burnswell wrote:
> > > > Tomcat 8.5.23 RHEL   7.5
> > > >
> > > > We are looking to set up session management via Redisson to offload
> > > > the CPU consumption of using Tomcat's built in clustering session
> > > > management.  We have CPU licensing limits and need to conserve as
> > > > much CPU as possible.
> > >
> > > Dumb question: aren't you just going to move the CPU cycles to another
> > > system?
> > >
> >
> > Thanks for the reply.  Short answer, yes.  But that is the idea.  We can
> > only use 2 CPU's per application node (3 nodes) with our licensing
> > structure so we do not want to take cycles away from the application to
> > manage sessions.
> >
> >
> > > Another dumb question: do you actually need clustering?
> > >
> >
> > If I'm using the term correctly, yes.  The idea would be for HA
> > functionality; If users were connected to node 3 and the node failed for
> > some reason, their session would be picked up by node 1 or 2
> > uninterrupted.  Sorry if I confused the intent.
> >
> >
> > >
> > > > I have never set up a configuration this way, however I have Redis
> > > > set up and running as 1 Master, 1 Slave.  I seemingly just need to
> > > > point our application to it.  I have read this doc on how to:
> > > >
> > > > https://github.com/redisson/redisson/tree/master/redisson-tomcat
> > > >
> > > > It seems pretty straight forward except for the redisson.conf
> > > > configuration:
> > > >
> > > > Add RedissonSessionManager into tomcat/conf/context.xml
> > > >
> > > > <Manager className="org.redisson.tomcat.RedissonSessionManager"
> > > > configPath="${catalina.base}/redisson.conf" readMode="REDIS"
> > > > updateMode="DEFAULT"/>
> > >
> > > I would do this in the application's context.xml file instead of the
> > > global/default one. That means modifying the application's
> > > META-INF/context.xml file, or, if you deploy via files from outside
> > > your WAR/dir application, then conf/[engine]/[hostname]/[appname].xml.
> > >
> >
> > Yes, this requires editing an application-specific XML file.
> >
> >
> > >
> > > > I am more familiar with YAML so plan on configuring the
> > > > redisson.conf as such.  I have read the referenced configuration
> > > > wiki page:
> > > >
> > > > https://github.com/redisson/redisson/wiki/2.-Configuration
> > > >
> > > > However, it has a great deal of options and I'm not sure what is
> > > > and is not needed.
> > > >
> > > > I am reaching out here on the Tomcat user group to see if anyone
> > > > else is using Redisson for session management and if maybe I can
> > > > get some guidance on a basic redisson.conf configuration.  I'd also
> > > > be interested in c

Re: Tomcat session management with Redisson

2019-02-24 Thread Herb Burnswell
On Mon, Feb 18, 2019 at 12:27 PM John Dale  wrote:

> Regarding clustering and state recovery, I opted some time ago to
> store session information in the database - I prefer full control over
> session state for security/obscurity reasons.
>
> Load balancing is straightforward this way.
>
> I'm not sure I would ever need more than 2 nodes for my purposes,
> though, since Java can address such a huge memory space.  It's an
> amazing computing environment now compared to what we had 20 years
> ago.


>

Thanks John, this is my motivation.  I really want the insight and load
balancing capability.

Do you use Redis for the DB or other?

HB





>
> On 2/18/19, Christopher Schultz  wrote:
> >
> > Herb,
> >
> > On 2/18/19 13:59, Herb Burnswell wrote:
> >> On Fri, Feb 15, 2019 at 12:21 PM Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >> Herb,
> >>
> >> On 2/14/19 12:41, Herb Burnswell wrote:
> >>>>> Tomcat 8.5.23 RHEL   7.5
> >>>>>
> >>>>> We are looking to set up session management via Redisson to
> >>>>> offload the CPU consumption of using Tomcat's built in
> >>>>> clustering session management.  We have CPU licensing limits
> >>>>> and need to conserve as much CPU as possible.
> >>
> >> Dumb question: aren't you just going to move the CPU cycles to
> >> another system?
> >>
> >>
> >>> Thanks for the reply.  Short answer, yes.  But that is the idea.
> >>> We can only use 2 CPU's per application node (3 nodes) with our
> >>> licensing structure so we do not want to take cycles away from
> >>> the application to manage sessions.
> >
> > Okay, so if you move the session-management to another machine, you
> > don't have to pay app-license fees for the session-management server?
> > Fair enough.
> >
> > Just remember that you still need code "managing" sessions from your
> > Tomcat node to your Redisson server. I can't imagine that the
> > Tomcat->Redisson code would be any less complicated than the Tomcat ->
> > Tomcat code. You might want to validate that assumption before
> > committing any resources toward solving a problem by adding complexity
> > to your deployments.
> >
> >> Another dumb question: do you actually need clustering?
> >>
> >>
> >>> If I'm using the term correctly, yes.  The idea would be for HA
> >>> functionality; If users were connected to node 3 and the node
> >>> failed for some reason, their session would be picked up by node
> >>> 1 or 2 uninterrupted.  Sorry if I confused the intent.
> >
> > That's exactly what you will get.
> >
> > If you do NOT use clustering, a failed node will require the users who
> > were on the failed node to re-login to a surviving node. Only you can
> > determine whether that is an acceptable consequence of a failed node
> > for your users and application. I, as well as many others, have
> > decided that fail-over is such a rare event and logins such a
> > non-issue that introducing the complexity of clustering is not justified.
> >
> >>>>> I have never set up a configuration this way, however I have
> >>>>> Redis set up and running as 1 Master, 1 Slave.  I seemingly
> >>>>> just need to point our application to it.  I have read this
> >>>>> doc on how to:
> >>>>>
> >>>>> https://github.com/redisson/redisson/tree/master/redisson-tomcat
> >>>>>
> >>>>>
> >>>>> It seems pretty straight forward except for the redisson.conf
> >>>>> configuration:
> >>>>>
> >>>>> Add RedissonSessionManager into tomcat/conf/context.xml
> >>>>>
> >>>>> <Manager
> >>>>> className="org.redisson.tomcat.RedissonSessionManager"
> >>>>> configPath="${catalina.base}/redisson.conf" readMode="REDIS"
> >>>>> updateMode="DEFAULT"/>
> >>
> >> I would do this in the application's context.xml file instead of
> >> the global/default one. That means modifying the application's
> >> META-INF/context.xml file, or, if you deploy via files from
> >> outside your WAR/dir application, then
> >> conf/[engine]/[hostname]/[appname].xml.
> >>
> >>
> >>

Re: Tomcat session management with Redisson

2019-02-18 Thread Herb Burnswell
On Fri, Feb 15, 2019 at 12:21 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Herb,
>
> On 2/14/19 12:41, Herb Burnswell wrote:
> > Tomcat 8.5.23 RHEL   7.5
> >
> > We are looking to set up session management via Redisson to offload
> > the CPU consumption of using Tomcat's built in clustering session
> > management.  We have CPU licensing limits and need to conserve as
> > much CPU as possible.
>
> Dumb question: aren't you just going to move the CPU cycles to another
> system?
>

Thanks for the reply.  Short answer, yes.  But that is the idea.  We can
only use 2 CPU's per application node (3 nodes) with our licensing
structure so we do not want to take cycles away from the application to
manage sessions.


> Another dumb question: do you actually need clustering?
>

If I'm using the term correctly, yes.  The idea would be for HA
functionality; If users were connected to node 3 and the node failed for
some reason, their session would be picked up by node 1 or 2
uninterrupted.  Sorry if I confused the intent.


>
> > I have never set up a configuration this way, however I have Redis
> > set up and running as 1 Master, 1 Slave.  I seemingly just need to
> > point our application to it.  I have read this doc on how to:
> >
> > https://github.com/redisson/redisson/tree/master/redisson-tomcat
> >
> > It seems pretty straight forward except for the redisson.conf
> > configuration:
> >
> > Add RedissonSessionManager into tomcat/conf/context.xml
> >
> > <Manager className="org.redisson.tomcat.RedissonSessionManager"
> > configPath="${catalina.base}/redisson.conf" readMode="REDIS"
> > updateMode="DEFAULT"/>
>
> I would do this in the application's context.xml file instead of the
> global/default one. That means modifying the application's
> META-INF/context.xml file, or, if you deploy via files from outside
> your WAR/dir application, then conf/[engine]/[hostname]/[appname].xml.
>

Yes, this requires editing an application-specific XML file.


>
> > I am more familiar with YAML so plan on configuring the
> > redisson.conf as such.  I have read the referenced configuration
> > wiki page:
> >
> > https://github.com/redisson/redisson/wiki/2.-Configuration
> >
> > However, it has a great deal of options and I'm not sure what is
> > and is not needed.
> >
> > I am reaching out here on the Tomcat user group to see if anyone
> > else is using Redisson for session management and if maybe I can
> > get some guidance on a basic redisson.conf configuration.  I'd also
> > be interested in comments on if there are better options or things
> > to watch out for.
>
> I don't have any experience with either Redis or Redisson, but what is
> wrong with the default/sample configuration you have provided above?
>

I have through much trial and error been using this config:

{
   "masterSlaveServersConfig":{
  "idleConnectionTimeout":1,
  "connectTimeout":1,
  "timeout":3000,
  "retryAttempts":3,
  "retryInterval":1500,
  "failedSlaveReconnectionInterval":3000,
  "failedSlaveCheckInterval":6,
  "password":"",
  "subscriptionsPerConnection":5,
  "clientName":true,
  "subscriptionConnectionMinimumIdleSize":1,
  "subscriptionConnectionPoolSize":50,
  "slaveConnectionMinimumIdleSize":32,
  "slaveConnectionPoolSize":64,
  "masterConnectionMinimumIdleSize":32,
  "masterConnectionPoolSize":64,
  "readMode":"SLAVE",
  "subscriptionMode":"SLAVE",
  "slaveAddresses":[
 ":6379",
  "database":0
   },
   "threads":0,
   "nettyThreads":0,
   "transportMode":"NIO"
}

However, I am getting a couple exceptions and am not sure what might be the
issue:

INFO   | jvm 1| main| 2019/02/18 10:09:33.068 | Feb 18, 2019
10:09:33 AM org.apache.catalina.core.StandardContext startInternal
INFO   | jvm 1| main| 2019/02/18 10:09:33.068 | SEVERE: The session
manager failed to start
INFO   | jvm 1| main| 2019/02/18 10:09:33.068 |
org.apache.catalina.LifecycleException: Failed to start component
[org.redisson.tomcat.RedissonSessionManager[]]
INFO   | jvm 1| main| 2019/02/18 10:09:33.068 | at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
INFO   | jvm 1| main| 2019/02/18 10:09:33.068 | at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5224)
INFO 

Tomcat session management with Redisson

2019-02-14 Thread Herb Burnswell
All,

Tomcat 8.5.23
RHEL   7.5

We are looking to set up session management via Redisson to offload the CPU
consumption of using Tomcat's built in clustering session management.  We
have CPU licensing limits and need to conserve as much CPU as possible.

I have never set up a configuration this way, however I have Redis set up
and running as 1 Master, 1 Slave.  I seemingly just need to point our
application to it.  I have read this doc on how to:


https://github.com/redisson/redisson/tree/master/redisson-tomcat


It seems pretty straight forward except for the redisson.conf configuration:


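Add RedissonSessionManager into tomcat/conf/context.xml

<Manager className="org.redisson.tomcat.RedissonSessionManager"
configPath="${catalina.base}/redisson.conf" readMode="REDIS"
updateMode="DEFAULT"/>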


I am more familiar with YAML so plan on configuring the redisson.conf as
such.  I have read the referenced configuration wiki page:


https://github.com/redisson/redisson/wiki/2.-Configuration


However, it has a great deal of options and I'm not sure what is and is not
needed.

I am reaching out here on the Tomcat user group to see if anyone else is
using Redisson for session management and if maybe I can get some guidance
on a basic redisson.conf configuration.  I'd also be interested in comments
on if there are better options or things to watch out for.

Thanks in advance,

HB


Re: Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Herb Burnswell
On Tue, Feb 12, 2019 at 11:37 AM Herb Burnswell 
wrote:

>
>
> On Tue, Feb 12, 2019 at 11:26 AM Mark Thomas  wrote:
>
>> On 12/02/2019 19:21, Herb Burnswell wrote:
>> > All,
>> >
>> > Tomcat: 8.5.23
>> > OS: RHEL 7.5
>> >
>> > I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
>> > starts successfully but I receive a timeout when trying to access
>> > either of the defined server names.
>>
>> 
>>
>> > As mentioned, Tomcat starts successfully, but the sites time out.  There
>> > is nothing in the logs that indicates a request is even made.
>> >
>> > Am I missing something in this configuration?  Any guidance is greatly
>> > appreciated.
>>
>> What do the logs say when Tomcat starts with the non-working
>> configuration?
>>
>> Mark
>>
>>
>>
>
> Thanks for the reply Mark.  Unfortunately there is no extra information in
> the logs from the non-working configuration.  It appears that everything
> starts successfully with working and non-working configuration.
>
> As mentioned, the timeout attempting to connect to the SNI domains does
> not register in the logs either.
>
> HB
>


Damn, my bad.  I figured it out.

Embarrassingly, I had an incorrect password for one of the keystores.  I
was focusing so much on the configuration parameters I overlooked the
simple part.

Thanks,

HB


Re: Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Herb Burnswell
On Tue, Feb 12, 2019 at 11:26 AM Mark Thomas  wrote:

> On 12/02/2019 19:21, Herb Burnswell wrote:
> > All,
> >
> > Tomcat: 8.5.23
> > OS: RHEL 7.5
> >
> > I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
> > starts successfully but I receive a timeout when trying to access
> > either of the defined server names.
>
> 
>
> > As mentioned, Tomcat starts successfully, but the sites time out.  There
> > is nothing in the logs that indicates a request is even made.
> >
> > Am I missing something in this configuration?  Any guidance is greatly
> > appreciated.
>
> What do the logs say when Tomcat starts with the non-working configuration?
>
> Mark
>
>
>

Thanks for the reply Mark.  Unfortunately there is no extra information in the
logs from the non-working configuration.  It appears that everything starts
successfully with working and non-working configuration.

As mentioned, the timeout attempting to connect to the SNI domains does not
register in the logs either.

HB


Server Name Identification (SNI) configuration Tomcat 8.5.23

2019-02-12 Thread Herb Burnswell
All,

Tomcat: 8.5.23
OS: RHEL 7.5

I am attempting to set up Tomcat to use two keystores with SNI.  Tomcat
starts successfully but I receive a timeout when trying to access
either of the defined server names.

Here is a single server name configuration that works successfully:



Here is the SNI configuration that I'm trying:






























As mentioned, Tomcat starts successfully, but the sites time out.  There is
nothing in the logs that indicates a request is even made.

Am I missing something in this configuration?  Any guidance is greatly
appreciated.

Best,

HB