Re: AW: Outbound SSL?

2019-05-31 Thread James Lampert
This just keeps getting weirder and weirder.

I extracted the actual request
> https://maps.googleapis.com/maps/api/geocode/json?key==
from where it had been logged to catalina.out, and built a simple
program to feed it to Scott Klement's HTTPAPI, an open-source HTTP
interface for OS/400-native programs. It has a rather rich debugging
capability.

Once I got it working on our box, I sent it over to the "problem" box.
And it worked perfectly: it got what appears to be the expected
response.

Of course, it's doing all of this natively, rather than through Java.

We also know that Tomcat is running under a 64-bit Java 7 JVM on that
box. And we also know that we've got this product running in Java 6,
7, and 8, on IBM Midrange boxes, WinDoze boxes, and Linux boxes,
without the problem occurring.

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread James Lampert
Running Tomcat on various AS/400s (V6R1 or later OS), we've found that 
shutdown.sh doesn't reliably shut down the server, and we frequently 
have to shut it down forcibly (i.e., finding CATALINA on a WRKACTJOB, 
and giving it a 4 with OPTION(*IMMED)).


Port 8009 does appear to be open before we call shutdown.sh, and it does 
appear to be closed after we call it.


Any idea what the problem could be? Or where I should look for 
indications of what it could be?


--
JHHL




Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread James Lampert

Konstantin Kolinko wrote:


> 2. Shutdown command is sent to port 8005. (8009 is a port used by AJP
> protocol connector).


Thanks. That at least clears up a misconception on my part. Researching 
it cleared up another misconception on my part: that the Catalina job 
directly owns the ports. Actually, the ports are owned by a QP0ZSPWT job 
(that is itself probably owned by the Catalina job.)


Once I know how to get a thread dump on an AS/400 (the link didn't cover 
that; I've got a question out to the Java-400 list at Midrange.com about 
that), I'll try another shutdown/restart on our box, and see what 
happens to port 8005 and the QP0ZSPWT job.


--
JHHL




Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)

2012-11-27 Thread James Lampert

Christopher Schultz wrote:


> Maybe use DMPJVM? Sorry for the through-Google link [PDF]:


THANKS! Never heard of such a thing until you brought it to my 
attention, and it's enough of an eye-opener that I would have gladly 
forgiven even a through-LMGTFY link.


DMPJVM looks like it may be just the thing. I don't want to risk 
unnecessarily disrupting anybody right now, but later this afternoon, 
I'm going to run some test shutdowns.


Among the responses I got on java40...@midrange.com, one fellow user 
remarked that he'd been seeing the same phenomenon, and another had this 
comment:

> Tomcat won't shut down while there are non-daemon threads running.


Still another turned me on to WRKJVMJOB (yet another command I'd never 
heard of). Applying option 11 of that (Display Threads) to the 
QP0ZSPWT job (the only active QP0ZSPWT in the system, evidently slaved 
to the CATALINA job), I get:

 Thread  Name              Status
 515F    main              TIMW
 5162    JIT Compilatio    THDW
 5164    JVMTI event re    THDW
 5165    Signal Dispatc    THDW
 5167    Gc Slave Thread   THDW
 5168    i5/OS informat    JVAW
 516A    MemoryPoolMXBe    THDW
 516B    Attach API wai    SEMW
 516C    GC Daemon         THDW
 516D    Finalizer thread  THDW
 5172    ContainerBackg    THDW
 5173    http-bio-8080-    TIMW
 5174    http-bio-8080-    THDW
 5175    http-bio-443-A    TIMW
 5176    http-bio-443-A    THDW
 5177    ajp-bio-8009-A    TIMW
 5178    ajp-bio-8009-A    THDW
 51BB    http-bio-443-e    THDW
 51BC    http-bio-443-e    THDW
 51BD    http-bio-443-e    THDW
 51BE    http-bio-443-e    THDW
 51BF    http-bio-8080-    THDW
 51C0    http-bio-8080-    THDW
 51C1    http-bio-8080-    THDW
 51C4    http-bio-443-e    THDW
 51DD    http-bio-443-e    THDW
 51DE    http-bio-443-e    THDW
 51DF    http-bio-443-e    THDW
 51E0    http-bio-443-e    THDW
 51E1    http-bio-443-e    THDW
 51E8    Java2D Disposer   THDW
 51F6    http-bio-8080-    THDW
 51F7    http-bio-8080-    THDW
 51F8    http-bio-8080-    THDW
 51F9    http-bio-8080-    THDW
 51FA    http-bio-8080-    THDW
 51FC    http-bio-8080-    THDW
 520B    http-bio-8080-    THDW

(funny, a few seconds ago, it didn't have nearly that many threads; 
evidently it is indeed currently in use). I note that option 12 appears 
to be plumbed into DMPJVM.


--
JHHL




Re: SSL Certificate Help

2012-11-07 Thread James Lampert

Alissa Schneider wrote:


> Still, when I visit https://localhost:8443, the browser throws a
> certificate warning. When I click on the certificate warning and view
> certificate, it displays information on my self-signed certificate
> (that I've deleted). I think if I could figure out how to make Tomcat
> point to the CA certificate instead of the old one, this would work
> for me. However, I'm not sure how to clear the Tomcat cache so to
> speak.



Did you restart Tomcat?

--
JHHL




Restricting certain ports to certain contexts?

2012-10-16 Thread James Lampert

We have a situation:

A Tomcat server with a number of contexts.

One of those contexts should be available unsecured on port 8080.

The others should only be available secured, on port 443.

Is there a way we can restrict 8080 to the one unsecured context?

--
JHHL




Re: Restricting certain ports to certain contexts?

2012-10-16 Thread James Lampert

Caldarale, Charles R wrote:


> Read the servlet spec, chapter 13 (the 3.0 version is, unfortunately, harder to
> comprehend than the earlier versions).  Put the following in the
> WEB-INF/web.xml of the webapps you wish to restrict to HTTPS:
>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>
> It might be possible to add the above to just the global conf/web.xml file and then
> override the global setting for the one unsecured webapp by setting its
> transport-guarantee to NONE, but I haven't tried it.


Thanks.

--
JHHL
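
A check for the setup discussed in this exchange, as an added example that is not part of the thread: it reads each webapp's WEB-INF/web.xml and reports whether a transport-guarantee other than NONE covers every URL and every HTTP method. The webapp names and descriptors are constructed samples, and the three verdict labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors (bytes, as read from WEB-INF/web.xml). Names are hypothetical.
SECURED = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Same constraint, but limited to two HTTP methods: other methods are not covered.
METHOD_LIMITED = SECURED.replace(
    b"<url-pattern>/*</url-pattern>",
    b"<url-pattern>/*</url-pattern>\n      <http-method>GET</http-method>"
    b"\n      <http-method>POST</http-method>",
)

# No security-constraint at all: nothing forces HTTPS.
OPEN = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>public</display-name>
</web-app>
"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def text(elem):
    return (elem.text or "").strip()


def transport_constraints(web_xml):
    """One dict per <security-constraint>: url patterns, method filters, guarantee."""
    found = []
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        patterns, method_filters = [], []
        for wrc in children(sc, "web-resource-collection"):
            patterns += [text(p) for p in children(wrc, "url-pattern")]
            method_filters += [text(m) for m in children(wrc, "http-method")]
            method_filters += [text(m) for m in children(wrc, "http-method-omission")]
        guarantee = "NONE"  # no <user-data-constraint> means no transport requirement
        for udc in children(sc, "user-data-constraint"):
            for tg in children(udc, "transport-guarantee"):
                guarantee = text(tg).upper()
        found.append({"patterns": patterns, "method_filters": method_filters,
                      "guarantee": guarantee})
    return found


def classify(web_xml):
    """Return 'https-only', 'partial' or 'unrestricted' for one descriptor."""
    guarded = [c for c in transport_constraints(web_xml) if c["guarantee"] != "NONE"]
    if not guarded:
        return "unrestricted"
    for c in guarded:
        # A method list (or omission list) leaves the remaining methods uncovered.
        if "/*" in c["patterns"] and not c["method_filters"]:
            return "https-only"
    return "partial"


def audit(descriptors):
    return {name: classify(xml) for name, xml in descriptors.items()}


def violations(descriptors, plain_http_allowed):
    """Webapps that should be HTTPS-only but are not fully constrained."""
    return sorted(name for name, verdict in audit(descriptors).items()
                  if verdict != "https-only" and name not in plain_http_allowed)


WEBAPPS = {"public": OPEN, "orders": SECURED, "reports": METHOD_LIMITED, "admin": OPEN}

if __name__ == "__main__":
    for name, verdict in sorted(audit(WEBAPPS).items()):
        print(f"{name:10s} {verdict}")
    print("not restricted to HTTPS:", violations(WEBAPPS, {"public"}))
```

A CONFIDENTIAL constraint does not stop the connector on port 8080 from accepting the request; Tomcat answers it with a redirect to that connector's redirectPort.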




Re: Exceptions in Catalina.log and Catalina.yyyy-mm-dd.log files on AS/400

2012-10-12 Thread James Lampert

Christopher Schultz wrote:


> This is what I get from my own web.xml:
>
> 0000000  3c  3f  78  6d  6c  20  76  65  72  73  69  6f  6e  3d  22  31
>           <   ?   x   m   l  sp   v   e   r   s   i   o   n   =   "   1
> 0000020  2e  30  22  20  65  6e  63  6f  64  69  6e  67  3d  22  49  53
>           .   0   "  sp   e   n   c   o   d   i   n   g   =   "   I   S
> 0000040  4f  2d  38  38  35  39  2d  31  22  3f  3e  0a
>           O   -   8   8   5   9   -   1   "   ?   >  nl
> 0000054


Well THAT's weird:

Aside from the file's pathname having one directory level you didn't 
mention (WEB-INF), . . .


The CCSID on the file says 819 (ISO 8859-1: Latin Alphabet Number 1).
If I do a head on the file, without piping it into od, I get the
expected text.


If I download it to a WinDoze box via FTP, in binary mode, and open it 
in Hex Editor, everything matches.


But if I pipe a head into an od as you described, the hex values 
come up as if the file were EBCDIC.


And what's even weirder is that Tomcat, and the webapp, come up just 
fine, after the exceptions are logged.


--
JHHL




Re: Exceptions in Catalina.log and Catalina.yyyy-mm-dd.log files on AS/400

2012-10-12 Thread James Lampert

Reversing the flow to
 od -t x1a web.xml | head -n 5

shows the correct hex values. But then it shows the character values as 
if interpreting them in EBCDIC.


This suggests that there's a good reason why head and od aren't in 
the manuals for QSHELL (the unix-like interface that was added to 
OS/400 when Java support was added).


At any rate, the weirdest part of all is that everything does come up 
properly, even after the exceptions are thrown.


--
JHHL
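
To take a tool's character rendering out of the picture, the leading bytes can be classified directly. The following is an added example, not part of the thread: it applies the byte signatures from Appendix F of the XML 1.0 specification to the bytes shown in the od output quoted above and to a constructed EBCDIC copy of them. Code page 037 is an assumption standing in for the system's EBCDIC CCSID.

```python
import codecs
import re

# Leading bytes of "<?xm" in each family (XML 1.0, Appendix F).
ASCII_SIG = "<?xm".encode("iso-8859-1")   # 3c 3f 78 6d
EBCDIC_SIG = "<?xm".encode("cp037")       # 4c 6f a7 94 (cp037 is an assumed code page)

# The 44 bytes from the od output quoted in this thread.
PAGE_BYTES = bytes.fromhex(
    "3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 "
    "2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 49 53 "
    "4f 2d 38 38 35 39 2d 31 22 3f 3e 0a"
)
# Constructed: the same declaration as it would look if the file were stored in EBCDIC.
EBCDIC_COPY = PAGE_BYTES.decode("iso-8859-1").encode("cp037")

_DECL = re.compile(r"""encoding\s*=\s*["']([A-Za-z][A-Za-z0-9._-]*)["']""")


def family_of_bytes(head):
    """Classify the start of an XML file by its raw bytes alone."""
    if head.startswith(b"\xef\xbb\xbf"):      # UTF-8 byte order mark
        head = head[3:]
    if head.startswith(ASCII_SIG):
        return "ascii-compatible"
    if head.startswith(EBCDIC_SIG):
        return "ebcdic"
    return "unknown"


def declared_encoding(head):
    """Return the name in encoding="..." of the XML declaration, or None."""
    family = family_of_bytes(head)
    if family == "unknown":
        return None
    # Both codecs map every byte value, so decoding cannot fail.
    text = head[:200].decode("cp037" if family == "ebcdic" else "iso-8859-1")
    end = text.find("?>")
    match = _DECL.search(text if end < 0 else text[:end])
    return match.group(1) if match else None


def family_of_codec(name):
    """Family that a named encoding would produce for the bytes of '<?xm'."""
    try:
        codecs.lookup(name)
        return family_of_bytes("<?xm".encode(name))
    except (LookupError, UnicodeError):
        return "unknown"


def check(head):
    """Return (byte family, declared encoding, whether the two agree)."""
    family = family_of_bytes(head)
    declared = declared_encoding(head)
    agrees = declared is not None and family_of_codec(declared) == family
    return family, declared, agrees


if __name__ == "__main__":
    for label, data in (("bytes from the thread", PAGE_BYTES),
                        ("constructed EBCDIC copy", EBCDIC_COPY)):
        print(label, data[:4].hex(" "), check(data))
```

A file whose declaration says ISO-8859-1 while its first four bytes are 4c 6f a7 94 has been stored or transferred in the wrong encoding, whatever the display tool shows.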




Re: Exceptions in Catalina.log and Catalina.yyyy-mm-dd.log files on AS/400

2012-10-11 Thread James Lampert

Pid * wrote:


> Examine the first few bytes of the input. I seem to remember a
> character encoding issue causing this error.


Of what input in particular? At least some of these exceptions appear to 
be getting thrown in the process of bringing up Tomcat, so I'm guessing 
we're not talking about a request.


--
JHHL




Re: Not sure what to make of this, Re: bringing up HTTPS on Tomcat

2012-10-05 Thread James Lampert

Mark H. Wood wrote:

> I have no idea what DCM is or does.  Maybe it works with PKCS #12
> files, which can carry both parts in a single container.


That part isn't really relevant here (I hope), but to clarify:

DCM = Digital Certificate Manager. It's part of the IBM Midrange 
operating system (i.e., OS/400, i5OS, or whatever they're calling it
this week). It uses an entirely different keystore format from that used 
by Java and Keytool (and, by extension, Tomcat), and so far as I (and 
the real IBM Midrange gurus on the various Midrange.com lists) can 
determine, there's nothing currently available to convert a keystore 
between the IBM-proprietary format and the Java format.


We've had more than one customer who screwed themselves out of a 
certificate signing fee by failing to appreciate the distinction, even 
though we do our best to warn them about it.


--
JHHL




Not sure what to make of this, Re: bringing up HTTPS on Tomcat

2012-10-04 Thread James Lampert
We have a customer (who shall remain nameless), who had previously 
ignored our instructions and used IBM DCM instead of Keytool to produce 
a keystore, and had it signed, all the while blissfully ignorant of the 
fact that none of it would be the least bit compatible with Tomcat.


I just got an email from that customer, with this puzzling phrase:


> Had to split it up into a .key and .crt file. This is the output.


which was followed by the output from a keytool -printcert on the .crt file.

The -printcert output looks sensible, with 9 ObjectID items in it. But 
what do I make of their comment about having to split it up?


--
JHHL




Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-30 Thread James Lampert
I have just wiped the Tomcat installation on the V5R4 box in question, 
and done a clean install of 7.0.25.


No change in its behavior.

I tried a modified version of our standard Tomcat-launch CL program, 
that adds a CATALINA_OPTS environment variable, with a value of 
-verbose:class (excerpt from CL program below):


ADDENVVAR  ENVVAR(CATALINA_HOME) + 
 VALUE('/wintouch/tomcat') REPLACE(*YES)   
ADDENVVAR  ENVVAR(CATALINA_OPTS) + 
 VALUE('-verbose:class') REPLACE(*YES) 
ADDENVVAR  ENVVAR(JAVA_OPTS) + 
 VALUE('-Dos400.awt.native=true +  
 -Djava.awt.headless=true +
 -Djava.version=1.6 -Xms256m -Xmx512m') +  
 REPLACE(*YES) 
   
SBMJOB CMD(QSH +   
 CMD('/wintouch/tomcat/bin/startup.sh')) + 
 JOB(CATALINA) JOBD(WINTOUCH/WTSRVC) + 
 INLLIBL(QGPL QTEMP) CPYENVVAR(*YES) + 
 ALWMLTTHD(*YES)   


(ADDENVVAR being the CL command to set an environment variable, SBMJOB 
to submit a batch job, and QSH to launch QShell, and the CPYENVVAR 
parameter telling SBMJOB to pass the environment variables from the 
submitting job to the submitted job. Placing the environment variables 
in the CL program that launches Tomcat, rather than in catalina.sh or 
setenv.sh, allows us to avoid having to either roll our own version of 
the Tomcat ZIP file, or manually install the environment variables, 
every time we install (or update) Tomcat.)


The STDOUT spool file:

 /wintouch/tomcat/bin/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory.
 Using CATALINA_BASE:   /wintouch/tomcat
 Using CATALINA_HOME:   /wintouch/tomcat
 Using CATALINA_TMPDIR: /wintouch/tomcat/temp
 Using JRE_HOME:        /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit
 Using CLASSPATH:       /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar

tells me that it's at least getting to the point in catalina.sh where it 
spits out selected environment variables, and that it's getting the 
environment variables we set in the CL program.


--
JHHL




Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-26 Thread James Lampert

Tim Watts wrote:


> I made some suggestions to this effect the other day:
>
> http://tomcat.10.n6.nabble.com/Tomcat-7-0-25-on-an-AS-400-V5R4-Another-try-Help-td4984199.html#a4984215
>
> Maybe you already tried them or didn't get the email.


Thanks for the link. I'm guessing that the email probably got lost in 
the perpetual torrential flood of email, because I'm sure it must have 
arrived, but I never saw it.


--
JHHL




Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-26 Thread James Lampert

Tim Watts wrote:


> http://tomcat.10.n6.nabble.com/Tomcat-7-0-25-on-an-AS-400-V5R4-Another-try-Help-td4984199.html#a4984215
>
> - Add these lines to the end of conf/logging.properties:
>
> org.apache.catalina.startup.Bootstrap.level = ALL
> org.apache.catalina.startup.ClassLoaderFactory.level = ALL


No effect whatsoever. The catalina.out log and the spool file produced 
by STDOUT are exactly the same as before.


--
JHHL




Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-26 Thread James Lampert

Tim Watts wrote:


> import java.io.File;
> import java.net.URL;
> import java.net.URLClassLoader;
>
> public class FindClass {
>     public static void main(String[] args) {
>         try {
>             // Try to load the class named in args[0] directly from catalina.jar.
>             URLClassLoader loader = new URLClassLoader(
>                 new URL[] {new File("/wintouch/tomcat/lib/catalina.jar").toURI().toURL()});
>             loader.loadClass(args[0]);
>             System.out.println("URLClassLoader found class '" + args[0] + "'");
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }


I tried it. I'm surprised I was able to get it to compile and run on 
only the second try (the first try, I had left the stream file editor in 
the default EBCDIC codepage when I pasted in your source, which JAVAC, 
not surprisingly, didn't like at all).


At any rate, I get:

java FindClass org.apache.catalina.startup.Catalina  
URLClassLoader found class 'org.apache.catalina.startup.Catalina'



And so far as I can determine without doing a clean install of Tomcat, 
nothing is customized at all, at this point, other than maybe setting 
port numbers (which it isn't even getting to, yet), and adding your 
diagnostic lines in logging.properties.


Paul Holm, on the Midrange.com Java list, suggested turning on verbose 
mode on Java; I'm not entirely sure how I would even do that for Tomcat.


What would be the next step?

--
JHHL




Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-24 Thread James Lampert
To recap, I've got a situation where Tomcat is crashing on takeoff, on a 
V5R4 AS/400, with what appears to be the same setup that works fine on a 
V6 box, and showing correct environment variables in the STDOUT spool 
file, and leaving this in Catalina.out.

java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
  at java.net.URLClassLoader.findClass(URLClassLoader.java:432)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:642)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:608)
  at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)



to which Rainer Jung replied:
. . .
> All this works by default in an untampered Tomcat installation. It can
> break:
>
> - if catalina.jar is not in /wintouch/tomcat/lib or it is not readable
>
> - if catalina.properties is not in /wintouch/tomcat/conf, or it is not
> readable, or the entries for the server.loader or common.loader are broken
>
> - the start scripts do not set -Dcatalina.base=/wintouch/tomcat/ and
> -Dcatalina.home=/wintouch/tomcat/ when starting the JVM
>
> - you are changing the place of the used properties file by giving a
> non-default value in the system property -Dcatalina.config during startup.


I can find, so far, no evidence to indicate any of these possibilities. 
But is there some diagnostic I could enable, that would allow me to find 
out more detail about the problem? Or maybe something I could try from a 
QShell command line in a terminal session?


--
James H. H. Lampert
Touchtone Corporation




Re: [OT] Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-20 Thread James Lampert

Christopher Schultz wrote:

>> export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Xms256m -Xmx512m"
>>
>> In my catalina.sh script.
>
> FYI it is recommended to customize catalina.sh by creating a setenv.sh
> script and using that. That way, you don't have to play games with
> updating catalina.sh when a new release comes out.


We're doing the equivalent with ADDENVVAR statements (and 
CPYENVVAR(*YES) on the SBMJOB statement) in the CL program that launches 
the script (that way, we don't even have to bother with a setenv.sh).


And I agree, Tomcat won't run at all on an AS/400 without those 
environment variables being set *somewhere* for the CATALINA job.


--
JHHL




Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-19 Thread James Lampert
Theoretically, I've ironed out the bugs concerning which JVMs Tomcat 
will run under, but it still isn't coming up.


The STDOUT from attempting to start Tomcat is as follows:


/wintouch/tomcat/bin/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory.
Using CATALINA_BASE:   /wintouch/tomcat
Using CATALINA_HOME:   /wintouch/tomcat
Using CATALINA_TMPDIR: /wintouch/tomcat/temp
Using JRE_HOME:        /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit
Using CLASSPATH:       /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar



Which is to say, /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre is a JVM 
that, so far as I'm aware, doesn't have any problems with Tomcat. 
Everything above is exactly the same as in a successful launch on our 
V6R1 box.


And Catalina.out is mercifully short this time:


java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
at java.net.URLClassLoader.findClass(URLClassLoader.java:432)
at java.lang.ClassLoader.loadClass(ClassLoader.java:642) 
at java.lang.ClassLoader.loadClass(ClassLoader.java:608) 
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)



It's obviously trying to tell me SOMETHING, but I can't determine WHAT 
it's trying to tell me.


Any ideas? I don't see the class it's complaining about in either of the 
two JARs listed on the classpath dumped to STDOUT, but if that were the 
problem, it wouldn't work here, either.


--
JHHL




Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?

2012-07-19 Thread James Lampert

Tim:

> This is normally in TC_HOME/lib/catalina.jar.
>  A. Does it exist there?
>  B. Does the user the process is running as have permission to read
> that file and directory?
>  C. If yes to A & B, is the file corrupt?


/wintouch/tomcat/lib/catalina.jar exists. I had to FTP it elsewhere to 
check its validity, but it seems valid. And the authorities for it look 
exactly the same as those for /wintouch/tomcat/bin/bootstrap.jar.


Rainer:


> - if catalina.jar is not in /wintouch/tomcat/lib or it is not readable
>
> - if catalina.properties is not in /wintouch/tomcat/conf, or it is not
> readable, or the entries for the server.loader or common.loader are broken
>
> - the start scripts do not set -Dcatalina.base=/wintouch/tomcat/ and
> -Dcatalina.home=/wintouch/tomcat/ when starting the JVM
>
> - you are changing the place of the used properties file by giving a
> non-default value in the system property -Dcatalina.config during startup.


Everything looks like it's in the right place, undamaged, and without 
authority issues.


--
JHHL




Re: default context

2012-06-28 Thread James Lampert

David kerber wrote:
> If I'm not mistaken (which is definitely possible), if you name it
> ROOT.war, it will also become the default context.


Quite true. Even a neophyte like me is aware of that. ;-p

(And there's a lot more about Tomcat that I *don't* know, than there is 
that I *do* -- it was just this month that I learned, for example, that 
on an AS/400, you not only need Java 6 for Tomcat 7, you need a specific 
Java 6, and also that you can set up the environment variables from the 
CL program that launches Tomcat, rather than having to mess with 
startup.sh or catalina.sh, or create a setenv.sh.)


--
JHHL




High CPU usage in Tomcat 7

2012-06-20 Thread James Lampert
We just had a report of extremely high CPU usage from the Tomcat job on 
one of our customer installations. A WRKACTJOB screen shot from before 
we forcibly shut Tomcat down and restarted it shows:


Subsystem/Job   Type   CPU %   Function          Status
  CATALINA      BCH       .0   CMD-QSH           TIMW
  QP0ZSPWT      BCI    112.2   JVM-org.apache    TIMW

(QP0ZSPWT being the system-generated job that's doing the actual work 
for the CATALINA job.)


Of particular interest is that, at least at the moment the screen shot 
was taken, the QP0ZSPWT job was taking up what appears to be more than 
an entire processor, even though it's in a time-wait state.


Based on a Google search on "tomcat 7 high cpu usage", I'm suspecting a
previously unknown tight loop in our application (which was what I
suspected even before I did the Google search). The pages I looked at
also said something about profiling and thread dumps, to find the 
offending thread, but since the job has been terminated and restarted, 
and is not currently malfunctioning, I wouldn't be able to do so even if 
I knew how (which at present I don't).


I've passed on the log files generated by our application itself to 
someone better equipped to deal with them than I, and I've asked the 
Java-400 List at Midrange.com about AS/400-specific steps to track down 
the offending thread if the problem is observed again, but I would also 
value any insights this list might offer.


--
JHHL




shutdown.sh troubleshooting on AS/400

2012-06-19 Thread James Lampert
In my experience, shutdown.sh has never worked reliably on AS/400, and 
I don't know why, or even understand enough about how it works (or 
enough about shell scripts) to troubleshoot it.


Can somebody shed some light on it?

--
JHHL




Tomcat shutdown.sh troubleshooting on AS/400

2012-06-19 Thread James Lampert
In my experience, Tomcat's shutdown.sh has never worked reliably on 
AS/400, and I don't know why, or even understand enough about how it 
works (or enough about shell scripts) to troubleshoot it.


Here's the script. I can tell that it eventually transfers control to 
catalina.sh (which is also what launches Tomcat), but that's about all I 
can make out without help.


#!/bin/sh

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# -----------------------------------------------------------------------------
# Stop script for the CATALINA Server
#
# $Id: shutdown.sh 1202062 2011-11-15 06:50:02Z mturk $
# -----------------------------------------------------------------------------

# Better OS/400 detection: see Bugzilla 31132
os400=false
case "`uname`" in
OS400*) os400=true;;
esac

# resolve links - $0 may be a softlink
PRG="$0"

while [ -h "$PRG" ] ; do
  ls=`ls -ld "$PRG"`
  link=`expr "$ls" : '.*-> \(.*\)$'`
  if expr "$link" : '/.*' > /dev/null; then
    PRG="$link"
  else
    PRG=`dirname "$PRG"`/"$link"
  fi
done

PRGDIR=`dirname "$PRG"`
EXECUTABLE=catalina.sh

# Check that target executable exists
if $os400; then
  # -x will Only work on the os400 if the files are:
  # 1. owned by the user
  # 2. owned by the PRIMARY group of the user
  # this will not work if the user belongs in secondary groups
  eval
else
  if [ ! -x "$PRGDIR"/"$EXECUTABLE" ]; then
    echo "Cannot find $PRGDIR/$EXECUTABLE"
    echo "The file is absent or does not have execute permission"
    echo "This file is needed to run this program"
    exit 1
  fi
fi

exec "$PRGDIR"/"$EXECUTABLE" stop "$@"



Can somebody shed some light on it?

--
JHHL





Re: Tomcat shutdown.sh troubleshooting on AS/400

2012-06-19 Thread James Lampert
. . . and when I looked back at the box I was testing, Tomcat *had* 
finally shut down. And when I ran both the start and stop scripts this 
time, the stop script worked perfectly (and promptly).


Weird. Why would the shutdown take so long as to give the impression it 
had failed entirely, then eventually work, then later work promptly?


--
JHHL




Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?

2012-06-18 Thread James Lampert
We're attempting to bring up apache-tomcat-7.0.25.zip on a customer's 
AS/400, the same as we've done on several other AS/400s (including our 
own), and it's not working.


In catalina.out, I'm seeing this:

Jun 18, 2012 11:36:23 AM org.apache.catalina.core.AprLifecycleListener init 
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /QSYS.LIB/QSHELL.LIB:/QSYS.LIB/LTL38.LIB:/QSYS.LIB/ERBLIB.LIB:/QSYS.LIB/ERBQGPL.LIB:/QSYS.LIB/SEQUEL.LIB:/QSYS.LIB/SEQUELWI.LIB:/QSYS.LIB/SEQUELEX.LIB:/QSYS.LIB/ESEND.LIB:/QSYS.LIB/QTEMP.LIB:/QSYS.LIB/QGPL.LIB:/QSYS.LIB/QRPG.LIB:/QSYS.LIB/QIDU.LIB:/QSYS.LIB/TAATOOL.LIB:/QSYS.LIB/ALKWIN.LIB:/QSYS.LIB/OMNISITE.LIB:/QSYS.LIB/OMNIFIXES.LIB:/QSYS.LIB/OMNITRACS.LIB:/QSYS.LIB/OMNIDATA.LIB:/QSYS.LIB/OMNINATL.LIB:/QSYS.LIB/LIBEXPAT.LIB:/QSYS.LIB/LIBFTP.LIB:/QSYS.LIB/ACCLIB.LIB
Jun 18, 2012 11:36:26 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-bio-1093]
Jun 18, 2012 11:36:26 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-bio-8009] 
Jun 18, 2012 11:36:26 AM org.apache.catalina.startup.Catalina load  
INFO: Initialization processed in 3280 ms   
Jun 18, 2012 11:36:26 AM org.apache.catalina.core.StandardService startInternal 
INFO: Starting service Catalina 
Jun 18, 2012 11:36:26 AM org.apache.catalina.core.StandardEngine startInternal  
INFO: Starting Servlet Engine: Apache Tomcat/7.0.25 
Jun 18, 2012 11:36:26 AM org.apache.catalina.startup.HostConfig deployDirectory 
INFO: Deploying web application directory /wintouch/tomcat/webapps/ROOT 
Jun 18, 2012 11:36:27 AM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start:  
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[]]
at java.lang.Throwable.<init>(Throwable.java:218)
at java.lang.Throwable.<init>(Throwable.java:218)
at java.lang.Exception.<init>(Exception.java:59)
at org.apache.catalina.LifecycleException.<init>(LifecycleException.java:74)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)   
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:897)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)  
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1095)   
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1617)   
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) 
at java.util.concurrent.FutureTask.run(FutureTask.java:138)   
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)  
Caused by: java.lang.ArrayStoreException   
at java.lang.Throwable.<init>(Throwable.java:181)
at java.lang.Exception.<init>(Exception.java:29)
at java.lang.RuntimeException.<init>(RuntimeException.java:32)
at java.lang.ArrayStoreException.<init>(ArrayStoreException.java:29)
at java.util.Arrays.copyOf(Arrays.java:2883)   
at java.lang.StringCoding.encode(StringCoding.java:277)

Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?

2012-06-18 Thread James Lampert

/QSYS.LIB/QSHELL.LIB:/QSYS.LIB/LTL38.LIB:/QSYS.LIB/ERBLIB.LIB:/QSYS.LIB/ERBQGPL.LIB:/QSYS.LIB/SEQUEL.LIB:/QSYS.LIB/SEQUELWI.LIB:/QSYS.LIB/SEQUELEX.LIB:/QSYS.LIB/ESEND.LIB:/QSYS.LIB/QTEMP.LIB:/QSYS.LIB/QGPL.LIB:/QSYS.LIB/QRPG.LIB:/QSYS.LIB/QIDU.LIB:/QSYS.LIB/TAATOOL.LIB:/QSYS.LIB/ALKWIN.LIB:/QSYS.LIB/OMNISITE.LIB:/QSYS.LIB/OMNIFIXES.LIB:/QSYS.LIB/OMNITRACS.LIB:/QSYS.LIB/OMNIDATA.LIB:/QSYS.LIB/OMNINATL.LIB:/QSYS.LIB/LIBEXPAT.LIB:/QSYS.LIB/LIBFTP.LIB:/QSYS.LIB/ACCLIB.LIB


Konstantin Kolinko wrote:

> Just guessing at straws: you may try to simplify your environment (do
> you need all that libraries as mentioned in  java.library.path?  what
> is your default charset?)


Hmm. This is interesting. The value shown for java.library.path seems to 
be the product and user portions of the job's library list (an 
AS/400-specific concept analogous to the path in DOS, WinDoze, or 
Linux, or to a Java classpath) at the time the job was launched.


Comparing the same message on our own AS/400, I see

QSYS.LIB:/QSYS.LIB/QSYS2.LIB:/QSYS.LIB/QHLPSYS.LIB:/QSYS.LIB/QUSRSYS.LIB:/QSYS.LIB/QSHELL.LIB:/QSYS.LIB/WTI1###.LIB:/QSYS.LIB/WINTOUCH.LIB:/QSYS.LIB/QGPL.LIB:/QSYS.LIB/QTEMP.LIB:/QSYS.LIB/AQUESTVIEW.LIB:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/ppc:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/ppc/classic:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/ppc/default


which is the system, product, and user portions of the job's 
library list, followed by three Java-related directories in the 
integrated file system.


I just tried shutting down Tomcat, removing most of the contents of the 
library list, and restarting it. No change, and I did a bit of digging: 
it seems that a system setting on the problem box appears to be causing 
jobs to be submitted with the default user portion of the library 
list, rather than that of the submitting job. Interesting. This calls 
for further study.


--
JHHL




Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?

2012-06-18 Thread James Lampert

Found the problem:

The lines
# Java 6 settings if needed
export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
export -s CATALINA_HOME=/wintouch/tomcat
export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"
(which have been necessary in every AS/400 Tomcat installation I've 
participated in) were missing.


I've been told that there is a more elegant place to put them than in 
catalina.sh, but I can't remember *where* I was told to put them, and if 
just sticking them in catalina.sh is considered a bad practice, I'd like 
very much to switch to the preferred place for these lines.


--
JHHL




Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?

2012-06-18 Thread James Lampert

Mark Thomas wrote:

> On 18/06/2012 22:02, James Lampert wrote:
>
>> Found the problem:
>>
>> The lines
>>
>> # Java 6 settings if needed
>> export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
>> export -s CATALINA_HOME=/wintouch/tomcat
>> export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"
>>
>> (which have been necessary in every AS/400 Tomcat installation I've
>> participated in) were missing.
>>
>> I've been told that there is a more elegant place to put them than in
>> catalina.sh, but I can't remember *where* I was told to put them, and if
>> just sticking them in catalina.sh is considered a bad practice, I'd like
>> very much to switch to the preferred place for these lines.
>
> Create setenv.sh and put them in there.


Thanks. I'll try it shortly.

--
JHHL




Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?

2012-06-18 Thread James Lampert

# Java 6 settings if needed
export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
export -s CATALINA_HOME=/wintouch/tomcat
export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"


I just tried moving them out of bin/catalina.sh and into bin/setenv.sh 
on our production AS/400, and restarted Tomcat, and everything continues 
to work just fine.


Thanks to both who gave me the answer, and especially thanks for not 
screaming at me for mucking about in catalina.sh without knowing what 
I'm doing.


--
JHHL




Problem with deployment of a WAR file from Manager

2012-04-17 Thread James Lampert
We are having a very frustrating error on one customer box, with a 
Tomcat version and a WAR file that are working perfectly elsewhere.


That same WAR file runs perfectly on this same box, if expanded from the 
command line.


Can anybody here shed any light on this?

--
James H. H. Lampert
Touchtone Corporation

SEVERE: Error deploying web application archive /wintouch/tomcat/webapps/ROOT.war
Throwable occurred: java.lang.IllegalArgumentException: The archive [jar:file:/wintouch/tomcat/webapps/ROOT.war!/] is malformed and will be ignored: an entry contains an illegal path [META-INF/MANIFEST.MF] which was not expanded to [/WINTOUCH/TOMCAT/webapps/ROOT//META-INF/MANIFEST.MF] since that is outside of the defined docBase [/wintouch/tomcat/webapps/ROOT/]
   at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:122)
   at org.apache.catalina.startup.ContextConfig.fixDocBase(ContextConfig.java:667)
   at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:790)
   at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:318)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
   at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
   at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:401)
   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:897)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:958)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:536)
   at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1467)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
   at java.lang.reflect.Method.invoke(Method.java:611)
   at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:301)
   at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:848)
   at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:773)
   at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1436)
   at org.apache.catalina.manager.HTMLManagerServlet.upload(HTMLManagerServlet.java:334)
   at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:211)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:187)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
   at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:897)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919)
   at 

Re: Problem with deployment of a WAR file from Manager

2012-04-17 Thread James Lampert

Konstantin Kolinko wrote:
. . .

In essence it checks that File.getCanonicalPath() of (webapp root
directory + archive entry) is as expected.


  at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:122)


My colleague at the next desk found this:

https://issues.apache.org/bugzilla/show_bug.cgi?id=50737

which is more-or-less as you say.

The funny thing is that the customer is on a more recent iOS (or 
whatever IBM is calling it this week; to me, OS/400 is OS/400) than we 
(and most of the other customers) are (V7R1 vs V6R1).


And where the example at the above link is failing on one lousy 
character being of mismatched case, we have this in the CL program:

 SBMJOB CMD(QSH +
 CMD('/WINTOUCH/TOMCAT/BIN/STARTUP.SH')) +
 JOB(CATALINA) JOBD(WINTOUCH/WTSRVC) +
 CPYENVVAR(*YES) ALWMLTTHD(*YES)

but the actual path in the file system is:
 /wintouch/tomcat/bin/startup.sh

with every single letter being of mismatched case.

--
JHHL
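
Added example, not part of the thread and not Tomcat's code: a Python model of the containment check described above (resolve webapp root + archive entry, require the result to sit under docBase), run against the two spellings from the log. The function names, the two sample entries and the case-folding canonicalizer are assumptions made for illustration.

```python
import posixpath

# Spellings taken from the thread: the docBase as stored on disk, and the
# same directory as inherited from the upper-case path in the CL program.
DOC_BASE = "/wintouch/tomcat/webapps/ROOT/"
ROOT_AS_LAUNCHED = "/WINTOUCH/TOMCAT/webapps/ROOT/"

# Constructed archive listing: one ordinary entry and one traversal entry.
ENTRIES = ["META-INF/MANIFEST.MF", "../../conf/server.xml"]


class IllegalEntry(ValueError):
    """An archive entry would be written outside docBase."""


def lexical(path):
    """Collapse '.', '..' and '//' but keep the spelling exactly as given."""
    return posixpath.normpath(path)


def case_folding(path):
    """Assumption: stand-in for canonicalization on a file system that
    ignores case. Only sound where the file system really behaves that way;
    on a case-sensitive one it would merge distinct directories."""
    return posixpath.normpath(path).lower()


def expand_target(doc_base, webapp_root, entry, canon=lexical):
    """Return where `entry` would be written, or raise IllegalEntry."""
    base = canon(doc_base).rstrip("/") + "/"
    target = canon(posixpath.join(webapp_root, entry))
    if not target.startswith(base):
        raise IllegalEntry(
            "[%s] resolves to [%s], outside docBase [%s]" % (entry, target, base)
        )
    return target


def audit(webapp_root, canon=lexical):
    """Map every entry in ENTRIES to 'expanded' or 'rejected'."""
    verdicts = {}
    for entry in ENTRIES:
        try:
            expand_target(DOC_BASE, webapp_root, entry, canon)
            verdicts[entry] = "expanded"
        except IllegalEntry:
            verdicts[entry] = "rejected"
    return verdicts


if __name__ == "__main__":
    runs = [
        ("launched with on-disk spelling", DOC_BASE, lexical),
        ("launched with upper-case spelling", ROOT_AS_LAUNCHED, lexical),
        ("upper-case spelling, both sides canonicalized", ROOT_AS_LAUNCHED, case_folding),
    ]
    for label, root, canon in runs:
        print(label, audit(root, canon))
```

The traversal entry is rejected in all three runs; the ordinary MANIFEST.MF entry is rejected only when the two sides of the comparison are spelled differently, which is the false positive in the log.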




Re: Generating a Keystore

2012-04-17 Thread James Lampert

Victoria Johnson - Kio wrote:
  The text on Apache is really confusing me about setting up SSL on 
Tomcat,

what do I do with this command

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA


Well, first you need to be sure you're NOT running this on an AS/400. 
For some reason, Keytool is broken under OS/400.


At any rate, you need to find out where Java is on the computer you're 
using, and put it into your executable path.


Then you call the Keytool command:

keytool -genkey -keystore <whatever you want to call your keystore> -alias <whatever alias you wish to use> -keyalg RSA [-keysize <keylength>]


or for a more concrete example,

keytool -genkey -keystore foo.ks -alias bar -keyalg RSA -keysize 2048

You will be prompted for a password; the default for Tomcat is 
"changeit"; you should probably give it this password unless you have a 
reason to do otherwise.


You will be prompted for a first and last name. DON'T give it that. 
Give it the URL of your website, e.g., www.foobar.com, so that people 
don't get "certificate is for the wrong domain" warnings in their browsers.


You will be prompted for the particulars of who you are and where you 
are. These are important if you plan on having it signed by a CA, so 
that people don't get "self-signed certificate" warnings in their browsers.


Once you have a keystore, you can hook it to your Tomcat server by 
editing the server.xml file.


--
JHHL




New Tomcat install on a customer box: Tomcat 7.0.25 starts, then throws an exception and shuts down, and I don't know why.

2012-03-20 Thread James Lampert

Anybody know what to make of this?

Here's the scenario: Tomcat 7.0.25 freshly installed on an AS/400 
running V6R1. The box has no port restrictions set up in it. The only 
ports in use, in the 8000-8099 range are 8000, 8001, 8005, and 8035.


I launch Tomcat, and 8080 and 8009 both open up. Then something connects 
to them via loopback. Then the CATALINA job ends (reporting a normal 
end), and 8080 and 8009 both close, with connections from Loopback 
sitting on the ports until they time out.


Hmmm. Looks like Tomcat is trying to open 8005 itself, and 
finding it taken by something entirely different. What does Tomcat use 
8005 for, anyway, and can it be reassigned?


catalina.out shows:

Mar 20, 2012 2:17:31 PM org.apache.catalina.core.AprLifecycleListener init 
INFO: The APR based Apache Tomcat Native library which allows optimal performan . . .
Mar 20, 2012 2:17:34 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-bio-8080]   
Mar 20, 2012 2:17:34 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-bio-8009]
Mar 20, 2012 2:17:34 PM org.apache.catalina.startup.Catalina load  
INFO: Initialization processed in 5880 ms  
Mar 20, 2012 2:17:34 PM org.apache.catalina.core.StandardService startInternal 
INFO: Starting service Catalina
Mar 20, 2012 2:17:34 PM org.apache.catalina.core.StandardEngine startInternal  
INFO: Starting Servlet Engine: Apache Tomcat/7.0.25
Mar 20, 2012 2:17:34 PM org.apache.catalina.startup.HostConfig deployDirectory 
INFO: Deploying web application directory /wintouch/tomcat/webapps/ROOT
Mar 20, 2012 2:17:36 PM org.apache.catalina.startup.HostConfig deployDirectory 
INFO: Deploying web application directory /wintouch/tomcat/webapps/docs
Mar 20, 2012 2:17:36 PM org.apache.catalina.startup.HostConfig deployDirectory 
INFO: Deploying web application directory /wintouch/tomcat/webapps/examples
Mar 20, 2012 2:17:37 PM org.apache.catalina.startup.HostConfig deployDirectory 
INFO: Deploying web application directory /wintouch/tomcat/webapps/host-manager
Mar 20, 2012 2:17:38 PM org.apache.catalina.startup.HostConfig deployDirectory 
INFO: Deploying web application directory /wintouch/tomcat/webapps/manager 
Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol start   
INFO: Starting ProtocolHandler [http-bio-8080]   
Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol start   
INFO: Starting ProtocolHandler [ajp-bio-8009]
Mar 20, 2012 2:17:38 PM org.apache.catalina.startup.Catalina start 
INFO: Server startup in 4480 ms
Mar 20, 2012 2:17:38 PM org.apache.catalina.core.StandardServer await  
SEVERE: StandardServer.await: create[localhost:8005]:  
Throwable occurred: java.net.BindException: The socket name is already in use. 
at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:395)
at java.net.ServerSocket.bind(ServerSocket.java:330)  
at java.net.ServerSocket.<init>(ServerSocket.java:196)
at org.apache.catalina.core.StandardServer.await(StandardServer.java:422) 
at org.apache.catalina.startup.Catalina.await(Catalina.java:728)  
at org.apache.catalina.startup.Catalina.start(Catalina.java:674) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)   
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) 
at java.lang.reflect.Method.invoke(Method.java:611)  
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)   
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol pause  
INFO: Pausing ProtocolHandler [http-bio-8080]   
Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol pause  
INFO: Pausing ProtocolHandler [ajp-bio-8009]
Mar 20, 2012 2:17:39 PM org.apache.catalina.core.StandardService stopInternal 
INFO: Stopping service Catalina   
Mar 20, 2012 2:17:39 PM org.apache.coyote.AbstractProtocol stop   
INFO: Stopping ProtocolHandler [http-bio-8080]  
Mar 20, 2012 2:17:39 PM 

Question about certificate durations

2012-01-24 Thread James Lampert
I notice that the self-signed certificates I've been generating have the 
default 90-day validity period.


Does this have any bearing on the validity period once I get the 
keystore signed by a CA?


--
JHHL

P.S.: I haven't heard from anybody, here or on the Java400-L list, since 
I posted the environment variables on my crash-on-takeoff problem.





Tomcat 7 in Java 6 on V5R4 (. . . 3 . . . 2 . . . 1 . . . crash-on-takeoff)

2012-01-23 Thread James Lampert
We're now trying to bring up Tomcat 7 on a V5R4 AS/400, after 
successfully doing so on V6 and V7 boxes. They have Java 6 installed, 
and I'm told that they installed some PTFs over the weekend, but it's 
still crashing on takeoff.


In catalina.sh, we have:
# Java 6 settings if needed
export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
export -s CATALINA_HOME=/wintouch/tomcat
export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"

# OS specific support.  $var _must_ be set to either true or false. 
cygwin=false
darwin=false
os400=true  
case `uname` in   
CYGWIN*) cygwin=true;;  
Darwin*) darwin=true;;  
OS400*) os400=true;;
esac


and there is definitely a java in the
/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/bin directory, and so far
as I'm aware, all the JARs are present in the right subdirectories of
/wintouch/tomcat, but in catalina.out, I get:
Attaching Java program to /QIBM/ProdData/Java400/jdk6/lib/charsets.jar.  
Attaching Java program to /QIBM/ProdData/Java400/jdk6/lib/resources.jar. 
Attaching Java program to /QIBM/ProdData/Java400/jdk6/lib/rt.jar.
eval: 001-0014 Command /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/bin/java not found.
java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina   
at java.net.URLClassLoader.findClass(URLClassLoader.java:432)   
at java.lang.ClassLoader.loadClass(ClassLoader.java:642)
at java.lang.ClassLoader.loadClass(ClassLoader.java:608)
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)   
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)   


When I delete catalina.out and try again, I get the same, only starting
from the ClassNotFoundException.

--
JHHL




Re: Problem bringing up SSL with a CA certificate

2012-01-23 Thread James Lampert

Christopher Schultz wrote:

Did you also put your server's key into the keystore?


It seems that when the customer rep jumped the gun and submitted a CSR 
to Thawte before we even had Tomcat running on a self-signed 
certificate, he did so using IBM DCM, whose keystores are incompatible 
with Keytool, and presumably also with Tomcat.


Fortunately, there's still a few days left to get a revocation and 
refund, and start from scratch the right way.


Don't you just love it when end-users jump the gun, and pay good money 
to a third party for things before you have the specs to give them?


--
JHHL




Re: Tomcat 7 in Java 6 on V5R4 (. . . 3 . . . 2 . . . 1 . . . crash-on-takeoff)

2012-01-23 Thread James Lampert

Caldarale, Charles R wrote:

One thing you didn't tell us was exactly how you start Tomcat.  Have
you tried starting Tomcat from a command prompt so you can see the
display of the derived variables, such as CLASSPATH?


We start it from a variation of the OS/400 CL program given in this blog 
entry by BetterThanZero: 
http://as400samplecode.blogspot.com/2011/06/install-tomcat-on-iseries-as400-tomcat.html


His CL program is:

PGM  
ADDENVVAR  ENVVAR(JAVA_HOME) +   
 VALUE('/QIBM/ProdData/Java400/jdk15')   
MONMSG MSGID(CPF)
SBMJOB CMD(QSH +  
 CMD('/apache/apache-tomcat-6.0.32/bin/start+
 up.sh')) JOB(CATALINA) JOBQ($jobqName) +
 CPYENVVAR(*YES) ALWMLTTHD(*YES)  


ours is adjusted to where we put Tomcat in the file system.

And up until a few minutes ago (hours after I first looked at your 
post), how to launch from a command line had not occurred to me (the 
answer, of course, would be to type the value of the CMD parameter on 
the adjusted version of the SBM job above). (Sometimes, even after 
almost eighteen years of working with the AS/400 platform, I surprise 
myself with how dense I can be!)


At any rate,


qsh CMD('/WINTOUCH/TOMCAT/BIN/STARTUP.SH')


produces:

/WINTOUCH/TOMCAT/BIN/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory.
Using CATALINA_BASE:   /wintouch/tomcat
Using CATALINA_HOME:   /wintouch/tomcat
Using CATALINA_TMPDIR: /wintouch/tomcat/temp
Using JRE_HOME:        /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
Using CLASSPATH:       /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar


at which point it sits there for under 2 seconds before terminating, 
leaving this in catalina.out:


java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina 
at java.net.URLClassLoader.findClass(URLClassLoader.java:432) 
at java.lang.ClassLoader.loadClass(ClassLoader.java:642)  
at java.lang.ClassLoader.loadClass(ClassLoader.java:608)  
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236) 
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425) 


By contrast, if I enter the same command on a command line on our V6 
box, I got the same, except for the initial no such path or directory 
exception, and then it sat there until I signed on from another terminal 
session and (after first verifying that the port had opened) terminating 
Tomcat.


--
JHHL




Re: More, Re: Problem bringing up SSL with a CA certificate

2012-01-19 Thread James Lampert

Ognjen Blagojevic wrote:

You must find keystore with earlier generated key pair (the one you also 
used to generate CSR for CA), and import all three certificates into 
that keystore.


Dear Ognjen:

Thanks. That does sound vaguely like something we went through ourselves 
some years ago, when we first got our jar-signing certificate working.


I've put in a request for the person responsible for the CSR to find it 
and get it to me.


--
JHHL




New development, Re: More, Re: Problem bringing up SSL with a CA certificate

2012-01-19 Thread James Lampert

Ognjen Blagojevic wrote:

You must find keystore with earlier generated key pair (the one you also 
used to generate CSR for CA), and import all three certificates into 
that keystore.


Dear Ognjen:

At this point, I still don't have the keystore used to generate the CSR, 
but I *do* now have the CSR itself. Does that help?


--
JHHL





Problem bringing up SSL with a CA certificate

2012-01-18 Thread James Lampert
So far, I've had complete success using self-signed certificates, both 
here and on the customer box, once I found out that the CN needs to 
match the domain name.


But now, we're trying to get the customer box up on a CA-signed 
certificate, and Tomcat doesn't like it. (Given that we haven't done it 
on our own box, it's kind of a case of the blind leading the blind.) We 
had our contact with the customer follow the procedure given on


http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate

and I put the resulting keystore into service, started Tomcat, and got 
this in logs/catalina.out:


SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-443]  
Throwable occurred: java.io.IOException: Alias name tomcat does not identify a key entry 
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:567) 
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505) 
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)   
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)   
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)  
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)   
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:937) 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)  
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)  
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) 
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)   
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) 
at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)   
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)   
at java.lang.reflect.Method.invoke(Method.java:611)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)  
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)  
Jan 18, 2012 12:15:16 PM org.apache.catalina.core.StandardService initInternal  
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) 
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) 
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)   
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) 
at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)   
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)   
at java.lang.reflect.Method.invoke(Method.java:611)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)  
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)  
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed   
at 

More, Re: Problem bringing up SSL with a CA certificate

2012-01-18 Thread James Lampert
I've now got the CA certificates the customer representative is trying 
to use here, and I'm attempting to test them on our box.


I followed these instructions:

https://search.thawte.com/support/ssl-digital-certificates/index?page=contentactp=CROSSLINKid=SO15518

rather than the ones here:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate

which appear to be somewhat out of date, as Thawte calls for both 
primary and secondary x.509 certificates to be loaded into the keystore.


With no explicit alias reference, and the three certificates placed in 
the keystore, in the order specified by Thawte, I get:


SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]   
Throwable occurred: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:822)  
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:470) 
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158) 
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)  
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369) 
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)  
at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)  
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)   
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.startup.Catalina.load(Catalina.java:573)  
at org.apache.catalina.startup.Catalina.load(Catalina.java:598)  
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)   
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) 
at java.lang.reflect.Method.invoke(Method.java:611)  
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.ibm.jsse2.rc.a(rc.java:53)
at com.ibm.jsse2.rc.accept(rc.java:13)   
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:818) 
... 20 more 
Jan 18, 2012 2:21:43 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)  
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)  
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)  
at 

Re: More, Re: Problem bringing up SSL with a CA certificate

2012-01-18 Thread James Lampert

Dear Igor (et al):

Thanks for getting back to me. To answer the questions (and pose a few 
more):


Igor Cicimov wrote:


Are you sure you have downloaded the correct intermediate certs?


I didn't download them myself; neither did I place the order. But I'll 
pass this on to the fellow who did.



 *Note:* When executing the command to import the SSL certificate, you must
specify the actual *Alias* used when you initially created the keystore. If


The results are exactly the same whether I specify the alias (and yes, 
it's the correct one; this I did set myself) or not.


One thing I noticed: the Thawte instructions call for importing first 
the primary, then the secondary, then the purchased certificate. Yet 
when I do a keytool -list on the keystore, it comes up in a different 
sequence:

secondary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
wintouch, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
primary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A


Would this be a reason to suspect that the person who got the certs 
either (a) got the wrong secondary for the certificate purchased, (b) 
purchased the wrong kind of certificate for HTTPS, or (c) both?


--
JHHL
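
In the `keytool -list` output quoted above, all three aliases, including `wintouch`, are `trustedCertEntry`, so no entry carries a private key; a keystore in that state is a common cause of the "No available certificate or key corresponds to the SSL cipher suites which are enabled" exception. An added example (not from the thread; the function names are made up here) that checks a listing for this before Tomcat is restarted:

```shell
#!/bin/sh
# Added example (not from the thread): find out which keystore entries can
# actually serve TLS. Function names are made up for this illustration.

# Print "alias<TAB>entry-type" for each entry of `keytool -list` output on stdin.
list_entries() {
    awk '/Entry,? *$/ {
        sub(/,? *$/, "")               # drop trailing comma and blanks
        n = split($0, f, /, */)        # the date itself contains a comma
        print f[1] "\t" f[n]           # first field = alias, last = type
    }'
}

# Succeed only if ALIAS is a key entry ("PrivateKeyEntry" in Java 6 and later,
# "keyEntry" in older keytool versions).
has_private_key() {
    list_entries | awk -F'\t' -v a="$1" '
        $1 == a && ($2 == "PrivateKeyEntry" || $2 == "keyEntry") { ok = 1 }
        END { exit !ok }'
}

# usage: keytool -list -keystore FILE -storepass PW | check_tls_keystore ALIAS
check_tls_keystore() {
    listing=$(cat)
    if printf '%s\n' "$listing" | has_private_key "$1"; then
        echo "OK: $1 is a key entry"
    else
        echo "FAIL: $1 has no private key; entries present:"
        printf '%s\n' "$listing" | list_entries
        return 1
    fi
}

# Listing quoted in the message above: every alias is a trustedCertEntry.
PAGE_LISTING='secondary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
wintouch, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
primary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A'

# Constructed listing: the reply was imported over the alias that holds the key.
GOOD_LISTING='secondary, Jan 18, 2012, trustedCertEntry,
wintouch, Jan 18, 2012, PrivateKeyEntry,
primary, Jan 18, 2012, trustedCertEntry,'

printf '%s\n' "$PAGE_LISTING" | check_tls_keystore wintouch || true
printf '%s\n' "$GOOD_LISTING" | check_tls_keystore wintouch
```

When the CA reply is imported under the alias that generated the CSR, in the same keystore file, keytool attaches the chain to the existing key and the alias stays a key entry.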




Re: About certificates in Tomcat SSL support

2012-01-13 Thread James Lampert

Mark H. Wood wrote:

> As already pointed out, there's your problem.  To identify a networked
> service, the value of CN should be the FQDN of the host providing the
> service.  (This is why people suddenly became interested in securing
> DNS:  we are relying on it to validate certificate bindings to services!)
>
> Yes, the prompts are confusing.  A recent release of OpenSSL, for
> example, just updated the CN prompt from "Common Name (eg, YOUR name)"
> to "Common Name (e.g. server FQDN or YOUR name)".


Thanks for the additional detail.

We now have the customer set up with a less-frightening self-signed 
certificate, specific to their domain, pending installation of a 
CA-signed certificate (which I sincerely hope is domain-specific).


--
JHHL




About certificates in Tomcat SSL support

2012-01-12 Thread James Lampert

Scenario:

I created a self-signed certificate for the box I was testing:
CN = James Lampert
OU = Development Lab
O = Touchtone Corporation
L = Costa Mesa
ST = California
C = US

I then installed it into the Tomcat server on that box. Connecting to 
the site with Firefox, I was told that the certificate was not trusted, 
and asked whether to trust it. After I said to trust it, Firefox now 
lets me in without further question.


Then, I temporarily installed the certificate on a customer's Tomcat 
server, just to verify that SSL support was working there. When I 
connected to it with Firefox, the initial message questioning the 
validity of the certificate said something about it being for a 
different server (so far as I'm aware, it isn't for *any* particular 
server).


Looking at the two Tomcat servers in Microsloth Imploder, even after 
telling it to trust the certificate, I consistently get a message, "The 
security certificate presented by this website was issued for a 
different website's address."


Looking at the two Tomcat servers in a different version of Firefox, on 
a different WinDoze box, both Tomcat servers give me the message, that 
it is not trusted because it is self-signed, and that it is only valid 
for James Lampert.


What exactly do I need to do, for a certificate to be recognized as the 
correct one for a given server?


Also: we have a CA-signed certificate that we use to sign JARs. Is that 
the same sort of certificate used for Tomcat?


--
JHHL





Re: About certificates in Tomcat SSL support

2012-01-12 Thread James Lampert

I created a self-signed certificate for the box I was testing:
CN = James Lampert


Pid * wrote:

> The Common Name must match the domain name of the server as seen by the client.


Hmm. So where Keytool asks

What is your first and last name?


you answer not with what it's asking for, but with the intended domain 
name. Makes perfect sense.


Thanks.

--
JHHL
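
Why "CN = James Lampert" is rejected for every host, as an added example (not from the thread; the function names and the example.com host names are assumptions): the client compares the name it connected to against the name in the certificate, which is the check Pid and Mark H. Wood describe. Current browsers make this comparison against subjectAltName DNS entries rather than the CN.

```shell
#!/bin/sh
# Added example (not from the thread): the name comparison a TLS client makes.
# Function names and example.com hosts are made up for this illustration.

# Print the CN of a distinguished name, with padding blanks trimmed.
dn_common_name() {
    printf '%s\n' "$1" | awk -F', *' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^CN=/) { v = $i; sub(/^CN=/, "", v); sub(/ +$/, "", v); print v; exit }
    }'
}

# Succeed if NAME (a CN, or a subjectAltName DNS entry) covers HOST.
# Case-insensitive; "*" counts only as the whole left-most label and
# stands for exactly one label.
name_matches_host() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $name in
        \*.*)
            suffix=${name#\*}                 # "*.example.com" -> ".example.com"
            label=${host%"$suffix"}           # what the "*" would have to cover
            case $label in
                "$host"|""|*.*) return 1 ;;   # suffix absent, nothing left, or 2+ labels
                *) return 0 ;;
            esac ;;
        *)  [ "$name" = "$host" ] ;;
    esac
}

# usage: cert_covers_host "CN=..., OU=..." hostname-the-client-typed
cert_covers_host() {
    cn=$(dn_common_name "$1")
    if name_matches_host "$cn" "$2"; then
        echo "match: CN=$cn covers $2"
    else
        echo "mismatch: CN=$cn does not cover $2"
        return 1
    fi
}

# DN from the thread, then a constructed DN with the host name as CN.
cert_covers_host "CN=James Lampert, OU=Development Lab, O=Touchtone Corporation, L=Costa Mesa, ST=California, C=US" tomcat.example.com || true
cert_covers_host "CN=tomcat.example.com, OU=Development Lab, O=Touchtone Corporation, L=Costa Mesa, ST=California, C=US" tomcat.example.com
```

With keytool, the CN is whatever is typed at the "What is your first and last name?" prompt, or the `CN=` component of a `-dname` argument.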




Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-10 Thread James Lampert

Tim Watts wrote:

> That's a possibility if it's padding the passwords as well.   I'm not an
> AS/400 expert by any means.  Is /foo a preallocated file and if so could
> the problem be with the way it was allocated?


The Java-400 list over at Midrange.com is also in on this (albeit not 
this specific message).


I tried putting the password, and some of the values, in single quotes, 
and others in double quotes. No change in behavior: the confirmation 
message fields were padded, and the quote marks were shown in them.


Hmm. THIS is INTERESTING!

If I FTP a keystore created on my WinDoze box onto the 400, then KEYTOOL 
there can read it. FASCINATING.


--
JHHL




Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-10 Thread James Lampert
Well, using a keystore created on my WinDoze box, and FTP'd to the 400 
definitely works: Port 8443 came right up.


But that still leaves open the question of why on earth keytool fails to 
create valid keystores on the 400, whether run from QShell or QP2Term.


Inquiring minds want to know.

BTW: Like any other developer distributing Java products, we have a 
keystore with the CA-signed certificate we use to sign JARs. Would that 
KS and certificate also work for SSL support on Tomcat? Or is it limited 
to JAR-signing? (Not that we would ever want to let that keystore, and 
its passwords, out of our hands!)


--
JHHL




Tomcat 7 SSL activation on AS/400?

2012-01-09 Thread James Lampert

I'm attempting to bring up SSL support in Tomcat 7, on an AS/400 (V6R1).

Tomcat itself runs nicely, but following the instructions on
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
I am consistently getting:
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] 
Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)   
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)   
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.startup.Catalina.load(Catalina.java:573)  
at org.apache.catalina.startup.Catalina.load(Catalina.java:598)  
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)   
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) 
at java.lang.reflect.Method.invoke(Method.java:611)  
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed 
at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)  
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
... 12 more  
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect 
at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)   
at java.security.KeyStore.load(KeyStore.java:414)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306) 
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)  
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)  
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369) 
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)   
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) 
at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)  
... 13 more  
Caused by: java.security.UnrecoverableKeyException: Password verification failed  
... 26 more  


I've tried it with the default keystore name, location, and passwords; 
I've tried it with an explicit name, location, and both key and keystore 
passwords. The above exceptions are thrown consistently, except for one 
occasion when the keystore simply didn't exist where expected.


--
James H. H. Lampert




Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-09 Thread James Lampert

Tim Watts (from the Tomcat Users List) wrote:

> Can you successfully run this command:
>
> keytool -list -keystore {path/to/your/keystore/file} -storepass {passwd-in-server.xml}


It gives the same error message. And yes, EBCDIC is the default encoding 
for AS/400s. The attributes on /foo show that it has a CCSID of 819, 
though, which (if my memory and the IBM docs are correct) is ASCII.


Here's a QShell transcript from a test I ran specifically so that I 
could post everything without betraying any passwords:



keytool -genkey -alias foo -keyalg RSA -keystore /foo
  Enter keystore password: 
bar  
  What is your first and last name?
[Unknown]: 
James Lampert
  What is the name of your organizational unit?
[Unknown]: 
Development Lab  
  What is the name of your organization?   
[Unknown]: 
Touchtone Corporation
  What is the name of your City or Locality?   
[Unknown]: 
Costa Mesa   
  What is the name of your State or Province?  
[Unknown]: 
California  
  What is the two-letter country code for this unit?  
[Unknown]:
US  
  Is CN=James Lampert
  
  
  
  , OU=Development Lab  
  
  
  
  , O=Touchtone Corporation 
, L=Costa Mesa 
 
 
 
   , ST=California 
 
 
 
   , C=US  
 
 
 
   correct? (type yes or no)

[no]:
yes   

  Enter key password for foo: 
  (RETURN if same as keystore password):
bar   
  $   
keytool -list  -keystore /foo -storepass bar
  keytool error (likely untranslated): java.io.IOException: Keystore was tampered with, or password was incorrect 
  $   


Another thought occurred to me: Could the trailing blanks shown in the 
confirmation message have anything to do with the problem?


--
JHHL
