Re: AW: Outbound SSL?
This just keeps getting weirder and weirder. I extracted the actual request > https://maps.googleapis.com/maps/api/geocode/json?key== from where it had been logged to catalina.out, and built a simple program to feed it to Scott Klement's HTTPAPI, an open-source HTTP interface for OS/400-native programs. It has a rather rich debugging capability. Once I got it working on our box, I sent it over to the "problem" box. And it worked perfectly: it got what appears to be the expected response. Of course, it's doing all of this natively, rather than through Java. We also know that Tomcat is running under a 64-bit Java 7 JVM on that box. And we also know that we've got this product running in Java 6, 7, and 8, on IBM Midrange boxes, WinDoze boxes, and Linux boxes, without the problem occurring. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Shutdown.sh doesn't. At least not reliably. (7.0.25)
Running Tomcat on various AS/400s (V6R1 or later OS), we've found that shutdown.sh doesn't reliably shut down the server, and we frequently have to shut it down forcibly (i.e., finding CATALINA on a WRKACTJOB, and giving it a 4 with OPTION(*IMMED)). Port 8009 does appear to be open before we call shutdown.sh, and it does appear to be closed after we call it. Any idea what the problem could be? Or where I should look for indications of what it could be?
-- JHHL
Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)
Konstantin Kolinko wrote:

2. Shutdown command is sent to port 8005. (8009 is a port used by AJP protocol connector).

Thanks. That at least clears up a misconception on my part. Researching it cleared up another misconception on my part: that the Catalina job directly owns the ports. Actually, the ports are owned by a QP0ZSPWT job (that is itself probably owned by the Catalina job.) Once I know how to get a thread dump on an AS/400 (the link didn't cover that; I've got a question out to the Java-400 list at Midrange.com about that), I'll try another shutdown/restart on our box, and see what happens to port 8005 and the QP0ZSPWT job.

-- JHHL
Re: Shutdown.sh doesn't. At least not reliably. (7.0.25)
Christopher Schultz wrote:

Maybe use DMPJVM? Sorry for the through-Google link [PDF]:

THANKS! Never heard of such a thing until you brought it to my attention, and it's enough of an eye-opener that I would have gladly forgiven even a through-LMGTFY link. DMPJVM looks like it may be just the thing. I don't want to risk unnecessarily disrupting anybody right now, but later this afternoon, I'm going to run some test shutdowns.

Among the responses I got on java40...@midrange.com, one fellow user remarked that he'd been seeing the same phenomenon, and another had this comment:

Tomcat won't shut down while there are non-daemon threads running.

Still another turned me on to WRKJVMJOB (yet another command I'd never heard of). Applying option 11 of that (Display Threads) to the QP0ZSPWT job (the only active QP0ZSPWT in the system, evidently slaved to the CATALINA job), I get:

    Thread  Name              Status
    515F    main              TIMW
    5162    JIT Compilatio    THDW
    5164    JVMTI event re    THDW
    5165    Signal Dispatc    THDW
    5167    Gc Slave Thread   THDW
    5168    i5/OS informat    JVAW
    516A    MemoryPoolMXBe    THDW
    516B    Attach API wai    SEMW
    516C    GC Daemon         THDW
    516D    Finalizer thread  THDW
    5172    ContainerBackg    THDW
    5173    http-bio-8080-    TIMW
    5174    http-bio-8080-    THDW
    5175    http-bio-443-A    TIMW
    5176    http-bio-443-A    THDW
    5177    ajp-bio-8009-A    TIMW
    5178    ajp-bio-8009-A    THDW
    51BB    http-bio-443-e    THDW
    51BC    http-bio-443-e    THDW
    51BD    http-bio-443-e    THDW
    51BE    http-bio-443-e    THDW
    51BF    http-bio-8080-    THDW
    51C0    http-bio-8080-    THDW
    51C1    http-bio-8080-    THDW
    51C4    http-bio-443-e    THDW
    51DD    http-bio-443-e    THDW
    51DE    http-bio-443-e    THDW
    51DF    http-bio-443-e    THDW
    51E0    http-bio-443-e    THDW
    51E1    http-bio-443-e    THDW
    51E8    Java2D Disposer   THDW
    51F6    http-bio-8080-    THDW
    51F7    http-bio-8080-    THDW
    51F8    http-bio-8080-    THDW
    51F9    http-bio-8080-    THDW
    51FA    http-bio-8080-    THDW
    51FC    http-bio-8080-    THDW
    520B    http-bio-8080-    THDW

(funny, a few seconds ago, it didn't have nearly that many threads; evidently it is indeed currently in use). I note that option 12 appears to be plumbed into DMPJVM.

-- JHHL
Re: SSL Certificate Help
Alissa Schneider wrote:

Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Did you restart Tomcat?

-- JHHL
Restricting certain ports to certain contexts?
We have a situation: A Tomcat server with a number of contexts. One of those contexts should be available unsecured on port 8080. The others should only be available secured, on port 443. Is there a way we can restrict 8080 to the one unsecured context?
-- JHHL
Re: Restricting certain ports to certain contexts?
Caldarale, Charles R wrote:

Read the servlet spec, chapter 13 (the 3.0 version is, unfortunately, harder to comprehend than the earlier versions). Put the following in the WEB-INF/web.xml of the webapps you wish to restrict to HTTPS:

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

It might be possible to add the above to just the global conf/web.xml file and then override the global setting for the one unsecured webapp by setting its transport-guarantee to NONE, but I haven't tried it.

Thanks.

-- JHHL
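An added example, not part of the thread and not Tomcat's own code: a small Python audit that reads each webapp's WEB-INF/web.xml and lists the contexts that are not restricted to HTTPS by the transport-guarantee setting quoted above. The web.xml documents are constructed samples, and the context paths and function names are hypothetical.

```python
"""Audit web.xml descriptors for contexts that still accept plain HTTP."""
import xml.etree.ElementTree as ET

# Constructed sample: the whole webapp (/*) requires a confidential transport.
SECURED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed variants of the sample above.
LEGACY = SECURED.replace("CONFIDENTIAL", "NONE")  # explicitly unsecured
GET_ONLY = SECURED.replace(                       # constraint limited to GET
    "</url-pattern>", "</url-pattern>\n      <http-method>GET</http-method>")
PUBLIC = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>'

# Hypothetical context paths mapped to their WEB-INF/web.xml text.
CONTEXTS = {"/orders": SECURED, "/legacy": LEGACY,
            "/reports": GET_ONLY, "/public": PUBLIC}


def local(tag):
    """Drop the '{namespace}' prefix so 2.x and 3.0 descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct child elements of elem whose local name is name."""
    return [c for c in elem if local(c.tag) == name]


def transport_findings(web_xml_text):
    """Return (url_pattern, guarantee, all_methods) for each constrained pattern."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in children(root, "security-constraint"):
        guarantee = "NONE"  # no user-data-constraint: no transport requirement
        for udc in children(sc, "user-data-constraint"):
            for tg in children(udc, "transport-guarantee"):
                guarantee = (tg.text or "").strip().upper()
        for wrc in children(sc, "web-resource-collection"):
            # Listing http-method (or http-method-omission) leaves the other
            # methods outside the constraint, so the pattern is partly covered.
            all_methods = not (children(wrc, "http-method")
                               or children(wrc, "http-method-omission"))
            for up in children(wrc, "url-pattern"):
                findings.append(((up.text or "").strip(), guarantee, all_methods))
    return findings


def https_only(web_xml_text):
    """True only if a constraint on /* demands CONFIDENTIAL for every method."""
    return any(pattern == "/*" and guarantee == "CONFIDENTIAL" and all_methods
               for pattern, guarantee, all_methods
               in transport_findings(web_xml_text))


def audit(contexts, allowed_plain):
    """Contexts reachable over plain HTTP that are not on the allowed list."""
    return sorted(name for name, text in contexts.items()
                  if name not in allowed_plain and not https_only(text))


if __name__ == "__main__":
    for name in audit(CONTEXTS, allowed_plain={"/public"}):
        print("not restricted to HTTPS:", name)
```

With CONFIDENTIAL in place, Tomcat answers a plain-HTTP request for the constrained path by redirecting it to the port named in the HTTP connector's redirectPort attribute.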
Re: Exceptions in Catalina.log and Catalina.yyyy-mm-dd.log files on AS/400
Christopher Schultz wrote:

This is what I get from my own web.xml:

    0000000  3c  3f  78  6d  6c  20  76  65  72  73  69  6f  6e  3d  22  31
              <   ?   x   m   l  sp   v   e   r   s   i   o   n   =   "   1
    0000020  2e  30  22  20  65  6e  63  6f  64  69  6e  67  3d  22  49  53
              .   0   "  sp   e   n   c   o   d   i   n   g   =   "   I   S
    0000040  4f  2d  38  38  35  39  2d  31  22  3f  3e  0a
              O   -   8   8   5   9   -   1   "   ?   >  nl
    0000054

Well THAT's weird: Aside from the file's pathname having one directory level you didn't mention (WEB-INF), . . . The CCSID on the file says 819 (ISO 8859-1: Latin Alphabet Number 1). If I do a head on the file, without piping it into od, I get the expected text. If I download it to a WinDoze box via FTP, in binary mode, and open it in Hex Editor, everything matches. But if I pipe a head into an od as you described, the hex values come up as if the file were EBCDIC. And what's even weirder is that Tomcat, and the webapp, come up just fine, after the exceptions are logged.

-- JHHL
Re: Exceptions in Catalina.log and Catalina.yyyy-mm-dd.log files on AS/400
Reversing the flow to od -t x1a web.xml | head -n 5 shows the correct hex values. But then it shows the character values as if interpreting them in EBCDIC. This suggests that there's a good reason why head and od aren't in the manuals for QSHELL (the unix-like interface that was added to OS/400 when Java support was added). At any rate, the weirdest part of all is that everything does come up properly, even after the exceptions are thrown.
-- JHHL
Re: Exceptions in Catalina.log and Catalina.yyyy-mm-dd.log files on AS/400
Pid * wrote:

Examine the first few bytes of the input. I seem to remember a character encoding issue causing this error.

Of what input in particular? At least some of these exceptions appear to be getting thrown in the process of bringing up Tomcat, so I'm guessing we're not talking about a request.

-- JHHL
Re: Not sure what to make of this, Re: bringing up HTTPS on Tomcat
Mark H. Wood wrote:

I have no idea what DCM is or does. Maybe it works with PKCS #12 files, which can carry both parts in a single container.

That part isn't really relevant here (I hope), but to clarify: DCM = Digital Certificate Manager. It's part of the IBM Midrange operating system (i.e., OS/400, i5OS, or whatever they're calling it this week). It uses an entirely different keystore format from that used by Java and Keytool (and, by extension, Tomcat), and so far as I (and the real IBM Midrange gurus on the various Midrange.com lists) can determine, there's nothing currently available to convert a keystore between the IBM-proprietary format and the Java format. We've had more than one customer who screwed themselves out of a certificate signing fee by failing to appreciate the distinction, even though we do our best to warn them about it.

-- JHHL
Not sure what to make of this, Re: bringing up HTTPS on Tomcat
We have a customer (who shall remain nameless), who had previously ignored our instructions and used IBM DCM instead of Keytool to produce a keystore, and had it signed, all the while blissfully ignorant of the fact that none of it would be the least bit compatible with Tomcat. I just got an email from that customer, with this puzzling phrase:

    Had to split it up into a .key and .crt file. This is the output.

which was followed by the output from a keytool -printcert on the .crt file. The -printcert output looks sensible, with 9 ObjectID items in it. But what do I make of their comment about having to split it up?

-- JHHL
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
I have just wiped the Tomcat installation on the V5R4 box in question, and done a clean install of 7.0.25. No change in its behavior. I tried a modified version of our standard Tomcat-launch CL program, that adds a CATALINA_OPTS environment variable, with a value of -verbose:class (excerpt from CL program below):

    ADDENVVAR  ENVVAR(CATALINA_HOME) +
                 VALUE('/wintouch/tomcat') REPLACE(*YES)
    ADDENVVAR  ENVVAR(CATALINA_OPTS) +
                 VALUE('-verbose:class') REPLACE(*YES)
    ADDENVVAR  ENVVAR(JAVA_OPTS) +
                 VALUE('-Dos400.awt.native=true +
                 -Djava.awt.headless=true +
                 -Djava.version=1.6 -Xms256m -Xmx512m') +
                 REPLACE(*YES)
    SBMJOB     CMD(QSH +
                 CMD('/wintouch/tomcat/bin/startup.sh')) +
                 JOB(CATALINA) JOBD(WINTOUCH/WTSRVC) +
                 INLLIBL(QGPL QTEMP) CPYENVVAR(*YES) +
                 ALWMLTTHD(*YES)

(ADDENVVAR being the CL command to set an environment variable, SBMJOB to submit a batch job, and QSH to launch QShell, and the CPYENVVAR parameter telling SBMJOB to pass the environment variables from the submitting job to the submitted job. Placing the environment variables in the CL program that launches Tomcat, rather than in catalina.sh or setenv.sh, allows us to avoid having to either roll our own version of the Tomcat ZIP file, or manually install the environment variables, every time we install (or update) Tomcat.)

The STDOUT spool file:

    /wintouch/tomcat/bin/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory.
    Using CATALINA_BASE:   /wintouch/tomcat
    Using CATALINA_HOME:   /wintouch/tomcat
    Using CATALINA_TMPDIR: /wintouch/tomcat/temp
    Using JRE_HOME:        /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit
    Using CLASSPATH:       /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar

tells me that it's at least getting to the point in catalina.sh where it spits out selected environment variables, and that it's getting the environment variables we set in the CL program.

-- JHHL
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
Tim Watts wrote:

I made some suggestions to this effect the other day: http://tomcat.10.n6.nabble.com/Tomcat-7-0-25-on-an-AS-400-V5R4-Another-try-Help-td4984199.html#a4984215 Maybe you already tried them or didn't get the email.

Thanks for the link. I'm guessing that the email probably got lost in the perpetual torrential flood of email, because I'm sure it must have arrived, but I never saw it.

-- JHHL
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
Tim Watts wrote:

http://tomcat.10.n6.nabble.com/Tomcat-7-0-25-on-an-AS-400-V5R4-Another-try-Help-td4984199.html#a4984215

- Add these lines to the end of conf/logging.properties:

    org.apache.catalina.startup.Bootstrap.level = ALL
    org.apache.catalina.startup.ClassLoaderFactory.level = ALL

No effect whatsoever. The catalina.out log and the spool file produced by STDOUT are exactly the same as before.

-- JHHL
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
Tim Watts wrote:

    import java.io.File;
    import java.net.URL;
    import java.net.URLClassLoader;

    public class FindClass {
        public static void main(String[] args) {
            try {
                // Load the named class straight from catalina.jar, bypassing Tomcat's own loaders
                URLClassLoader loader = new URLClassLoader(
                    new URL[] {new File("/wintouch/tomcat/lib/catalina.jar").toURI().toURL()});
                loader.loadClass(args[0]);
                System.out.println("URLClassLoader found class '" + args[0] + "'");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

I tried it. I'm surprised I was able to get it to compile and run on only the second try (the first try, I had left the stream file editor in the default EBCDIC codepage when I pasted in your source, which JAVAC, not surprisingly, didn't like at all). At any rate, I get:

    java FindClass org.apache.catalina.startup.Catalina
    URLClassLoader found class 'org.apache.catalina.startup.Catalina'

And so far as I can determine without doing a clean install of Tomcat, nothing is customized at all, at this point, other than maybe setting port numbers (which it isn't even getting to, yet), and adding your diagnostic lines in logging.properties. Paul Holm, on the Midrange.com Java list, suggested turning on verbose mode on Java; I'm not entirely sure how I would even do that for Tomcat. What would be the next step?

-- JHHL
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
To recap, I've got a situation where Tomcat is crashing on takeoff, on a V5R4 AS/400, with what appears to be the same setup that works fine on a V6 box, and showing correct environment variables in the STDOUT spool file, and leaving this in Catalina.out.

    java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
        at java.net.URLClassLoader.findClass(URLClassLoader.java:432)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:642)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:608)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)

to which Rainer Jung replied:

. . . All this works by default in an untampered Tomcat installation. It can break:
- if catalina.jar is not in /wintouch/tomcat/lib or it is not readable
- if catalina.properties is not in /wintouch/tomcat/conf, or it is not readable, or the entries for the server.loader or common.loader are broken
- the start scripts do not set -Dcatalina.base=/wintouch/tomcat/ and -Dcatalina.home=/wintouch/tomcat/ when starting the JVM
- you are changing the place of the used properties file by giving a non-default value in the system property -Dcatalina.config during startup.

I can find, so far, no evidence to indicate any of these possibilities. But is there some diagnostic I could enable, that would allow me to find out more detail about the problem? Or maybe something I could try from a QShell command line in a terminal session?

-- James H. H. Lampert
Touchtone Corporation
Re: [OT] Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
Christopher Schultz wrote:

    export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Xms256m -Xmx512m"

In my catalina.sh script.

FYI it is recommended to customize catalina.sh by creating a setenv.sh script and using that. That way, you don't have to play games with updating catalina.sh when a new release comes out.

We're doing the equivalent with ADDENVVAR statements (and CPYENVVAR(*YES) on the SBMJOB statement) in the CL program that launches the script (that way, we don't even have to bother with a setenv.sh). And I agree, Tomcat won't run at all on an AS/400 without those environment variables being set *somewhere* for the CATALINA job.

-- JHHL
Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
Theoretically, I've ironed out the bugs concerning which JVMs Tomcat will run under, but it still isn't coming up. The STDOUT from attempting to start Tomcat is as follows:

    /wintouch/tomcat/bin/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory.
    Using CATALINA_BASE:   /wintouch/tomcat
    Using CATALINA_HOME:   /wintouch/tomcat
    Using CATALINA_TMPDIR: /wintouch/tomcat/temp
    Using JRE_HOME:        /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit
    Using CLASSPATH:       /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar

Which is to say, /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre is a JVM that, so far as I'm aware, doesn't have any problems with Tomcat. Everything above is exactly the same as in a successful launch on our V6R1 box. And Catalina.out is mercifully short this time:

    java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
        at java.net.URLClassLoader.findClass(URLClassLoader.java:432)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:642)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:608)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)

It's obviously trying to tell me SOMETHING, but I can't determine WHAT it's trying to tell me. Any ideas? I don't see the class it's complaining about in either of the two JARs listed on the classpath dumped to STDOUT, but if that were the problem, it wouldn't work here, either.

-- JHHL
Re: Tomcat 7.0.25 on an AS/400, V5R4, Another try. Help?
Tim:

This is normally in TC_HOME/lib/catalina.jar.
A. Does it exist there?
B. Does the user the process is running as have permission to read that file and directory?
C. If yes to A & B, is the file corrupt?

/wintouch/tomcat/lib/catalina.jar exists. I had to FTP it elsewhere to check its validity, but it seems valid. And the authorities for it look exactly the same as those for /wintouch/tomcat/bin/bootstrap.jar.

Rainer:

- if catalina.jar is not in /wintouch/tomcat/lib or it is not readable
- if catalina.properties is not in /wintouch/tomcat/conf, or it is not readable, or the entries for the server.loader or common.loader are broken
- the start scripts do not set -Dcatalina.base=/wintouch/tomcat/ and -Dcatalina.home=/wintouch/tomcat/ when starting the JVM
- you are changing the place of the used properties file by giving a non-default value in the system property -Dcatalina.config during startup.

Everything looks like it's in the right place, undamaged, and without authority issues.

-- JHHL
Re: default context
David kerber wrote:

If I'm not mistaken (which is definitely possible), if you name it ROOT.war, it will also become the default context.

Quite true. Even a neophyte like me is aware of that. ;-p (And there's a lot more about Tomcat that I *don't* know, than there is that I *do* -- it was just this month that I learned, for example, that on an AS/400, you not only need Java 6 for Tomcat 7, you need a specific Java 6, and also that you can set up the environment variables from the CL program that launches Tomcat, rather than having to mess with startup.sh or catalina.sh, or create a setenv.sh.)

-- JHHL
High CPU usage in Tomcat 7
We just had a report of extremely high CPU usage from the Tomcat job on one of our customer installations. A WRKACTJOB screen shot from before we forcibly shut Tomcat down and restarted it shows:

    Subsystem/Job  Type  CPU %  Function        Status
    CATALINA       BCH      .0  CMD-QSH         TIMW
    QP0ZSPWT       BCI   112.2  JVM-org.apache  TIMW

(QP0ZSPWT being the system-generated job that's doing the actual work for the CATALINA job.)

Of particular interest is that, at least at the moment the screen shot was taken, the QP0ZSPWT job was taking up what appears to be more than an entire processor, even though it's in a time-wait state. Based on a Google search on tomcat 7 high cpu usage, I'm suspecting a previously unknown tight loop in our application (which was what I suspected even before I did the Google search). The pages I looked at also said something about profiling and thread dumps, to find the offending thread, but since the job has been terminated and restarted, and is not currently malfunctioning, I wouldn't be able to do so even if I knew how (which at present I don't).

I've passed on the log files generated by our application itself to someone better equipped to deal with them than I, and I've asked the Java-400 List at Midrange.com about AS/400-specific steps to track down the offending thread if the problem is observed again, but I would also value any insights this list might offer.

-- JHHL
shutdown.sh troubleshooting on AS/400
In my experience, shutdown.sh has never worked reliably on AS/400, and I don't know why, or even understand enough about how it works (or enough about shell scripts) to troubleshoot it. Can somebody shed some light on it?
-- JHHL
Tomcat shutdown.sh troubleshooting on AS/400
In my experience, Tomcat's shutdown.sh has never worked reliably on AS/400, and I don't know why, or even understand enough about how it works (or enough about shell scripts) to troubleshoot it. Here's the script. I can tell that it eventually transfers control to catalina.sh (which is also what launches Tomcat), but that's about all I can make out without help.

    #!/bin/sh

    # Licensed to the Apache Software Foundation (ASF) under one or more
    # contributor license agreements.  See the NOTICE file distributed with
    # this work for additional information regarding copyright ownership.
    # The ASF licenses this file to You under the Apache License, Version 2.0
    # (the "License"); you may not use this file except in compliance with
    # the License.  You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.

    # -----------------------------------------------------------------------------
    # Stop script for the CATALINA Server
    #
    # $Id: shutdown.sh 1202062 2011-11-15 06:50:02Z mturk $
    # -----------------------------------------------------------------------------

    # Better OS/400 detection: see Bugzilla 31132
    os400=false
    case "`uname`" in
    OS400*) os400=true;;
    esac

    # resolve links - $0 may be a softlink
    PRG="$0"

    while [ -h "$PRG" ] ; do
      ls=`ls -ld "$PRG"`
      link=`expr "$ls" : '.*-> \(.*\)$'`
      if expr "$link" : '/.*' > /dev/null; then
        PRG="$link"
      else
        PRG=`dirname "$PRG"`/"$link"
      fi
    done

    PRGDIR=`dirname "$PRG"`
    EXECUTABLE=catalina.sh

    # Check that target executable exists
    if $os400; then
      # -x will Only work on the os400 if the files are:
      # 1. owned by the user
      # 2. owned by the PRIMARY group of the user
      # this will not work if the user belongs in secondary groups
      eval
    else
      if [ ! -x "$PRGDIR"/"$EXECUTABLE" ]; then
        echo "Cannot find $PRGDIR/$EXECUTABLE"
        echo "The file is absent or does not have execute permission"
        echo "This file is needed to run this program"
        exit 1
      fi
    fi

    exec "$PRGDIR"/"$EXECUTABLE" stop "$@"

Can somebody shed some light on it?

-- JHHL
Re: Tomcat shutdown.sh troubleshooting on AS/400
. . . and when I looked back at the box I was testing, Tomcat *had* finally shut down. And when I ran both the start and stop scripts this time, the stop script worked perfectly (and promptly). Weird. Why would the shutdown take so long as to give the impression it had failed entirely, then eventually work, then later work promptly?
-- JHHL
Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?
We're attempting to bring up apache-tomcat-7.0.25.zip on a customer's AS/400, the same as we've done on several other AS/400s (including our own), and it's not working. In catalina.out, I'm seeing this:

    Jun 18, 2012 11:36:23 AM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /QSYS.LIB/QSHELL.LIB:/QSYS.LIB/LTL38.LIB:/QSYS.LIB/ERBLIB.LIB:/QSYS.LIB/ERBQGPL.LIB:/QSYS.LIB/SEQUEL.LIB:/QSYS.LIB/SEQUELWI.LIB:/QSYS.LIB/SEQUELEX.LIB:/QSYS.LIB/ESEND.LIB:/QSYS.LIB/QTEMP.LIB:/QSYS.LIB/QGPL.LIB:/QSYS.LIB/QRPG.LIB:/QSYS.LIB/QIDU.LIB:/QSYS.LIB/TAATOOL.LIB:/QSYS.LIB/ALKWIN.LIB:/QSYS.LIB/OMNISITE.LIB:/QSYS.LIB/OMNIFIXES.LIB:/QSYS.LIB/OMNITRACS.LIB:/QSYS.LIB/OMNIDATA.LIB:/QSYS.LIB/OMNINATL.LIB:/QSYS.LIB/LIBEXPAT.LIB:/QSYS.LIB/LIBFTP.LIB:/QSYS.LIB/ACCLIB.LIB
    Jun 18, 2012 11:36:26 AM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler [http-bio-1093]
    Jun 18, 2012 11:36:26 AM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler [ajp-bio-8009]
    Jun 18, 2012 11:36:26 AM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 3280 ms
    Jun 18, 2012 11:36:26 AM org.apache.catalina.core.StandardService startInternal
    INFO: Starting service Catalina
    Jun 18, 2012 11:36:26 AM org.apache.catalina.core.StandardEngine startInternal
    INFO: Starting Servlet Engine: Apache Tomcat/7.0.25
    Jun 18, 2012 11:36:26 AM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /wintouch/tomcat/webapps/ROOT
    Jun 18, 2012 11:36:27 AM org.apache.catalina.core.ContainerBase addChildInternal
    SEVERE: ContainerBase.addChild: start:
    org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[]]
        at java.lang.Throwable.<init>(Throwable.java:218)
        at java.lang.Throwable.<init>(Throwable.java:218)
        at java.lang.Exception.<init>(Exception.java:59)
        at org.apache.catalina.LifecycleException.<init>(LifecycleException.java:74)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:897)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1095)
        at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1617)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
        at java.util.concurrent.FutureTask.run(FutureTask.java:138)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.ArrayStoreException
        at java.lang.Throwable.<init>(Throwable.java:181)
        at java.lang.Exception.<init>(Exception.java:29)
        at java.lang.RuntimeException.<init>(RuntimeException.java:32)
        at java.lang.ArrayStoreException.<init>(ArrayStoreException.java:29)
        at java.util.Arrays.copyOf(Arrays.java:2883)
        at java.lang.StringCoding.encode(StringCoding.java:277)
Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?
    /QSYS.LIB/QSHELL.LIB:/QSYS.LIB/LTL38.LIB:/QSYS.LIB/ERBLIB.LIB:/QSYS.LIB/ERBQGPL.LIB:/QSYS.LIB/SEQUEL.LIB:/QSYS.LIB/SEQUELWI.LIB:/QSYS.LIB/SEQUELEX.LIB:/QSYS.LIB/ESEND.LIB:/QSYS.LIB/QTEMP.LIB:/QSYS.LIB/QGPL.LIB:/QSYS.LIB/QRPG.LIB:/QSYS.LIB/QIDU.LIB:/QSYS.LIB/TAATOOL.LIB:/QSYS.LIB/ALKWIN.LIB:/QSYS.LIB/OMNISITE.LIB:/QSYS.LIB/OMNIFIXES.LIB:/QSYS.LIB/OMNITRACS.LIB:/QSYS.LIB/OMNIDATA.LIB:/QSYS.LIB/OMNINATL.LIB:/QSYS.LIB/LIBEXPAT.LIB:/QSYS.LIB/LIBFTP.LIB:/QSYS.LIB/ACCLIB.LIB

Konstantin Kolinko wrote:

Just guessing at straws: you may try to simplify your environment (do you need all that libraries as mentioned in java.library.path? what is your default charset?)

Hmm. This is interesting. The value shown for java.library.path seems to be the product and user portions of the job's library list (an AS/400-specific concept analogous to the path in DOS, WinDoze, or Linux, or to a Java classpath) at the time the job was launched. Comparing the same message on our own AS/400, I see

    QSYS.LIB:/QSYS.LIB/QSYS2.LIB:/QSYS.LIB/QHLPSYS.LIB:/QSYS.LIB/QUSRSYS.LIB:/QSYS.LIB/QSHELL.LIB:/QSYS.LIB/WTI1###.LIB:/QSYS.LIB/WINTOUCH.LIB:/QSYS.LIB/QGPL.LIB:/QSYS.LIB/QTEMP.LIB:/QSYS.LIB/AQUESTVIEW.LIB:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/ppc:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/ppc/classic:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/lib/ppc/default

which is the system, product, and user portions of the job's library list, followed by three Java-related directories in the integrated file system. I just tried shutting down Tomcat, removing most of the contents of the library list, and restarting it. No change, and I did a bit of digging: it seems that a system setting on the problem box appears to be causing jobs to be submitted with the default user portion of the library list, rather than that of the submitting job. Interesting. This calls for further study.

-- JHHL
Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?
Found the problem: The lines

    # Java 6 settings if needed
    export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
    export -s CATALINA_HOME=/wintouch/tomcat
    export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"

(which have been necessary in every AS/400 Tomcat installation I've participated in) were missing. I've been told that there is a more elegant place to put them than in catalina.sh, but I can't remember *where* I was told to put them, and if just sticking them in catalina.sh is considered a bad practice, I'd like very much to switch to the preferred place for these lines.

-- JHHL
Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?
Mark Thomas wrote:
On 18/06/2012 22:02, James Lampert wrote:
Found the problem: The lines

    # Java 6 settings if needed
    export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
    export -s CATALINA_HOME=/wintouch/tomcat
    export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"

(which have been necessary in every AS/400 Tomcat installation I've participated in) were missing. I've been told that there is a more elegant place to put them than in catalina.sh, but I can't remember *where* I was told to put them, and if just sticking them in catalina.sh is considered a bad practice, I'd like very much to switch to the preferred place for these lines.

Create setenv.sh and put them in there.

Thanks. I'll try it shortly.

-- JHHL
Re: Tomcat not starting properly on a customer's AS/400, and I have no idea why. Help?
    # Java 6 settings if needed
    export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
    export -s CATALINA_HOME=/wintouch/tomcat
    export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"

I just tried moving them out of bin/catalina.sh and into bin/setenv.sh on our production AS/400, and restarted Tomcat, and everything continues to work just fine.

Thanks to both who gave me the answer, and especially thanks for not screaming at me for mucking about in catalina.sh without knowing what I'm doing.

-- JHHL
Problem with deployment of a WAR file from Manager
We are having a very frustrating error on one customer box, with a Tomcat version and a WAR file that are working perfectly elsewhere. That same WAR file runs perfectly on this same box, if expanded from the command line. Can anybody here shed any light on this? -- James H. H. Lampert Touchtone Corporation SEVERE: Error deploying web application archive /wintouch/tomcat/webapps/ROOT.war Throwable occurred: java.lang.IllegalArgumentException: The archive [jar:file:/wintouch/tomcat/webapps/ROOT.war!/] is malformed and will be ignored: an entry contains an illegal path [META-INF/MANIFEST.MF] which was not expanded to [/WINTOUCH/TOMCAT/webapps/ROOT//META-INF/MANIFEST.MF] since that is outside of the defined docBase [/wintouch/tomcat/webapps/ROOT/] at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:122) at org.apache.catalina.startup.ContextConfig.fixDocBase(ContextConfig.java:667) at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:790) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:318) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:401) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:897) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615) at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:958) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:536) at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1467) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:611) at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:301) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:848) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:773) at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1436) at org.apache.catalina.manager.HTMLManagerServlet.upload(HTMLManagerServlet.java:334) at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:211) at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:187) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:897) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919) at
Re: Problem with deployment of a WAR file from Manager
Konstantin Kolinko wrote:
. . . In essence it checks that File.getCanonicalPath() of (webapp root directory + archive entry) is as expected.
at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:122)

My colleague at the next desk found this: https://issues.apache.org/bugzilla/show_bug.cgi?id=50737 which is more-or-less as you say.

The funny thing is that the customer is on a more recent iOS (or whatever IBM is calling it this week; to me, OS/400 is OS/400) than we (and most of the other customers) are (V7R1 vs V6R1).

And where the example at the above link is failing on one lousy character being of mismatched case, we have this in the CL program:

    SBMJOB CMD(QSH +
    CMD('/WINTOUCH/TOMCAT/BIN/STARTUP.SH')) +
    JOB(CATALINA) JOBD(WINTOUCH/WTSRVC) +
    CPYENVVAR(*YES) ALWMLTTHD(*YES)

but the actual path in the file system is:

    /wintouch/tomcat/bin/startup.sh

with every single letter being of mismatched case.

-- JHHL
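The containment check described in the message above, and how a launch path of mismatched case can trip it, as an added example (not Tomcat's code and not part of the original messages). The case-insensitive file system is simulated with a constructed list of on-disk names, and `canonicalize`, `is_inside` and `check_entry` are hypothetical names.

```python
import posixpath

# Constructed stand-in for a case-insensitive, case-preserving file system:
# the spellings that exist on disk, taken from the paths quoted in the thread.
ON_DISK = ("wintouch", "tomcat", "bin", "webapps", "ROOT", "META-INF", "MANIFEST.MF")


def canonicalize(path, on_disk=ON_DISK):
    """Collapse '.', '..' and repeated '/' and restore each component's
    on-disk spelling: a model (an assumption of this example) of what
    File.getCanonicalPath() returns on a file system that ignores case."""
    spelling = {name.lower(): name for name in on_disk}
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    return "/" + "/".join(spelling.get(p.lower(), p) for p in parts)


def is_inside(doc_base, candidate):
    """True when candidate is doc_base or lies beneath it. Appending the
    separator keeps a sibling such as .../ROOT2 from passing as .../ROOT."""
    base = doc_base.rstrip("/")
    return candidate == base or candidate.startswith(base + "/")


def check_entry(doc_base_as_started, entry_name, canonicalize_target=True):
    """Decide whether an archive entry may be expanded under the docBase.

    doc_base_as_started is the docBase spelled the way the server was
    launched. With canonicalize_target=False the target keeps that spelling
    while the docBase is canonical, which is the mismatch visible in the
    error message quoted in the thread."""
    doc_base = canonicalize(doc_base_as_started)
    target = posixpath.join(doc_base_as_started, entry_name)
    if canonicalize_target:
        target = canonicalize(target)
    return is_inside(doc_base, target)


def demo():
    started_as = "/WINTOUCH/TOMCAT/webapps/ROOT/"  # spelling used by the CL program
    return {
        "benign entry, mixed forms": check_entry(started_as, "META-INF/MANIFEST.MF", False),
        "benign entry, both canonical": check_entry(started_as, "META-INF/MANIFEST.MF"),
        "entry climbing out (constructed)": check_entry(started_as, "../outside.txt"),
        "sibling prefix (constructed)": check_entry(started_as, "../ROOT2/index.html"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:34} -> {'expand' if allowed else 'reject'}")
```

Comparing two canonical forms accepts the legitimate entry regardless of how the launch path was spelled, while still rejecting entries that resolve outside the docBase.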
Re: Generating a Keystore
Victoria Johnson - Kio wrote:
The text on Apache is really confusing me about setting up SSL on Tomcat, what do I do with this command

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

Well, first you need to be sure you're NOT running this on an AS/400. For some reason, Keytool is broken under OS/400.

At any rate, you need to find out where Java is on the computer you're using, and put it into your executable path. Then you call the Keytool command:

    keytool -genkey -keystore <whatever you want to call your keystore> -alias <whatever alias you wish to use> -keyalg RSA [-keysize <keylength>]

or for a more concrete example,

    keytool -genkey -keystore foo.ks -alias bar -keyalg RSA -keysize 2048

You will be prompted for a password; the default for Tomcat is "changeit"; you should probably give it this password unless you have a reason to do otherwise.

You will be prompted for a first and last name. DON'T give it that. Give it the URL of your website, e.g., www.foobar.com so that people don't get "certificate is for the wrong domain" warnings in their browsers.

You will be prompted for the particulars of who you are and where you are. These are important if you plan on having it signed by a CA, so that people don't get "self-signed certificate" warnings in their browsers.

Once you have a keystore, you can hook it to your Tomcat server by editing the server.xml file.

-- JHHL
New Tomcat install on a customer box: Tomcat 7.0.25 starts, then throws an exception and shuts down, and I don't know why.
Anybody know what to make of this? Here's the scenario: Tomcat 7.0.25 freshly installed on an AS/400 running V6R1. The box has no port restrictions set up in it. The only ports in use, in the 8000-8099 range are 8000, 8001, 8005, and 8035. I launch Tomcat, and 8080 and 8009 both open up. Then something connects to them via loopback. Then the CATALINA job ends (reporting a normal end), and 8080 and 8009 both close, with connections from Loopback sitting on the ports until they time out. HMmmm. Looks like Tomcat is trying to open 8005 itself, and finding it taken by something entirely different. What does Tomcat use 8005 for, anyway, and can it be reassigned? catalina.out shows: Mar 20, 2012 2:17:31 PM org.apache.catalina.core.AprLifecycleListener init INFO: The APR based Apache Tomcat Native library which allows optimal performan . . . Mar 20, 2012 2:17:34 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [http-bio-8080] Mar 20, 2012 2:17:34 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [ajp-bio-8009] Mar 20, 2012 2:17:34 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 5880 ms Mar 20, 2012 2:17:34 PM org.apache.catalina.core.StandardService startInternal INFO: Starting service Catalina Mar 20, 2012 2:17:34 PM org.apache.catalina.core.StandardEngine startInternal INFO: Starting Servlet Engine: Apache Tomcat/7.0.25 Mar 20, 2012 2:17:34 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory /wintouch/tomcat/webapps/ROOT Mar 20, 2012 2:17:36 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory /wintouch/tomcat/webapps/docs Mar 20, 2012 2:17:36 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory /wintouch/tomcat/webapps/examples Mar 20, 2012 2:17:37 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application 
directory /wintouch/tomcat/webapps/host-manager Mar 20, 2012 2:17:38 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory /wintouch/tomcat/webapps/manager Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol start INFO: Starting ProtocolHandler [http-bio-8080] Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol start INFO: Starting ProtocolHandler [ajp-bio-8009] Mar 20, 2012 2:17:38 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 4480 ms Mar 20, 2012 2:17:38 PM org.apache.catalina.core.StandardServer await SEVERE: StandardServer.await: create[localhost:8005]: Throwable occurred: java.net.BindException: The socket name is already in use. at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:395) at java.net.ServerSocket.bind(ServerSocket.java:330) at java.net.ServerSocket.init(ServerSocket.java:196) at org.apache.catalina.core.StandardServer.await(StandardServer.java:422) at org.apache.catalina.startup.Catalina.await(Catalina.java:728) at org.apache.catalina.startup.Catalina.start(Catalina.java:674) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:611) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450) Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol pause INFO: Pausing ProtocolHandler [http-bio-8080] Mar 20, 2012 2:17:38 PM org.apache.coyote.AbstractProtocol pause INFO: Pausing ProtocolHandler [ajp-bio-8009] Mar 20, 2012 2:17:39 PM org.apache.catalina.core.StandardService stopInternal INFO: Stopping service Catalina Mar 20, 2012 2:17:39 PM org.apache.coyote.AbstractProtocol stop INFO: Stopping ProtocolHandler [http-bio-8080] Mar 20, 2012 2:17:39 PM
Question about certificate durations
I notice that the self-signed certificates I've been generating have the default 90-day validity period. Does this have any bearing on the validity period once I get the keystore signed by a CA?

-- JHHL

P.S.: I haven't heard from anybody, here or on the Java400-L list, since I posted the environment variables on my crash-on-takeoff problem.
Tomcat 7 in Java 6 on V5R4 (. . . 3 . . . 2 . . . 1 . . . crash-on-takeoff)
We're now trying to bring up Tomcat 7 on a V5R4 AS/400, after successfully doing so on V6 and V7 boxes. They have Java 6 installed, and I'm told that they installed some PTFs over the weekend, but it's still crashing on takeoff.

In catalina.sh, we have:

    # Java 6 settings if needed
    export -s JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
    export -s CATALINA_HOME=/wintouch/tomcat
    export -s JAVA_OPTS="-Dos400.awt.native=true -Djava.awt.headless=true -Djava.version=1.6 -Xms256m -Xmx512m"
    # OS specific support. $var _must_ be set to either true or false.
    cygwin=false
    darwin=false
    os400=true
    case `uname` in
    CYGWIN*) cygwin=true;;
    Darwin*) darwin=true;;
    OS400*) os400=true;;
    esac

and there is definitely a java in the /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/bin directory, and so far as I'm aware, all the JARs are present in the right subdirectories of /wintouch/tomcat, but in catalina.out, I get:

    Attaching Java program to /QIBM/ProdData/Java400/jdk6/lib/charsets.jar.
    Attaching Java program to /QIBM/ProdData/Java400/jdk6/lib/resources.jar.
    Attaching Java program to /QIBM/ProdData/Java400/jdk6/lib/rt.jar.
    eval: 001-0014 Command /QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre/bin/java not found.
    java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
    at java.net.URLClassLoader.findClass(URLClassLoader.java:432)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:642)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:608)
    at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)

When I delete catalina.out and try again, I get the same, only starting from the ClassNotFoundException.

-- JHHL
Re: Problem bringing up SSL with a CA certificate
Christopher Schultz wrote:
Did you also put your server's key into the keystore?

It seems that when the customer rep jumped the gun and submitted a CSR to Thawte before we even had Tomcat running on a self-signed certificate, he did so using IBM DCM, whose keystores are incompatible with Keytool, and presumably also with Tomcat.

Fortunately, there's still a few days left to get a revocation and refund, and start from scratch the right way.

Don't you just love it when end-users jump the gun, and pay good money to a third party for things before you have the specs to give them?

-- JHHL
Re: Tomcat 7 in Java 6 on V5R4 (. . . 3 . . . 2 . . . 1 . . . crash-on-takeoff)
Caldarale, Charles R wrote:
One thing you didn't tell us was exactly how you start Tomcat. Have you tried starting Tomcat from a command prompt so you can see the display of the derived variables, such as CLASSPATH?

We start it from a variation of the OS/400 CL program given in this blog entry by BetterThanZero: http://as400samplecode.blogspot.com/2011/06/install-tomcat-on-iseries-as400-tomcat.html

His CL program is:

    PGM
    ADDENVVAR ENVVAR(JAVA_HOME) +
    VALUE('/QIBM/ProdData/Java400/jdk15')
    MONMSG MSGID(CPF)
    SBMJOB CMD(QSH +
    CMD('/apache/apache-tomcat-6.0.32/bin/start+
    up.sh')) JOB(CATALINA) JOBQ($jobqName) +
    CPYENVVAR(*YES) ALWMLTTHD(*YES)

ours is adjusted to where we put Tomcat in the file system.

And up until a few minutes ago (hours after I first looked at your post), how to launch from a command line had not occurred to me (the answer, of course, would be to type the value of the CMD parameter on the adjusted version of the SBM job above). (Sometimes, even after almost eighteen years of working with the AS/400 platform, I surprise myself with how dense I can be!)

At any rate,

    qsh CMD('/WINTOUCH/TOMCAT/BIN/STARTUP.SH')

produces:

    /WINTOUCH/TOMCAT/BIN/catalina.sh: 001-0019 Error found searching for command tty. No such path or directory.
    Using CATALINA_BASE: /wintouch/tomcat
    Using CATALINA_HOME: /wintouch/tomcat
    Using CATALINA_TMPDIR: /wintouch/tomcat/temp
    Using JRE_HOME:/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit/jre
    Using CLASSPATH: /wintouch/tomcat/bin/bootstrap.jar:/wintouch/tomcat/bin/tomcat-juli.jar

at which point it sits there for under 2 seconds before terminating, leaving this in catalina.out:

    java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
    at java.net.URLClassLoader.findClass(URLClassLoader.java:432)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:642)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:608)
    at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:236)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)

By contrast, if I enter the same command on a command line on our V6 box, I got the same, except for the initial "no such path or directory" exception, and then it sat there until I signed on from another terminal session and (after first verifying that the port had opened) terminated Tomcat.

-- JHHL
Re: More, Re: Problem bringing up SSL with a CA certificate
Ognjen Blagojevic wrote:
You must find keystore with earlier generated key pair (the one you also used to generate CSR for CA), and import all three certificates into that keystore.

Dear Ognjen:

Thanks. That does sound vaguely like something we went through ourselves some years ago, when we first got our jar-signing certificate working. I've put in a request for the person responsible for the CSR to find it and get it to me.

-- JHHL
New development, Re: More, Re: Problem bringing up SSL with a CA certificate
Ognjen Blagojevic wrote:
You must find keystore with earlier generated key pair (the one you also used to generate CSR for CA), and import all three certificates into that keystore.

Dear Ognjen:

At this point, I still don't have the keystore used to generate the CSR, but I *do* now have the CSR itself. Does that help?

-- JHHL
Problem bringing up SSL with a CA certificate
So far, I've had complete success using self-signed certificates, both here and on the customer box, once I found out that the CN needs to match the domain name. But now, we're trying to get the customer box up on a CA-signed certificate, and Tomcat doesn't like it. (Given that we haven't done it on our own box, it's kind of a case of the blind leading the blind.) We had our contact with the customer follow the procedure given on http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate and I put the resulting keystore into service, started Tomcat, and got this in logs/catalina.out: SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-443] Throwable occurred: java.io.IOException: Alias name tomcat does not identify a key entry at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:567) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369) at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) at org.apache.catalina.connector.Connector.initInternal(Connector.java:937) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at 
org.apache.catalina.startup.Catalina.load(Catalina.java:598) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:611) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) Jan 18, 2012 12:15:16 PM org.apache.catalina.core.StandardService initInternal SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]] Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]] at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at org.apache.catalina.startup.Catalina.load(Catalina.java:598) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:611) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed at
More, Re: Problem bringing up SSL with a CA certificate
I've now got the CA certificates the customer representative is trying to use here, and I'm attempting to test them on our box. I followed these instructions: https://search.thawte.com/support/ssl-digital-certificates/index?page=contentactp=CROSSLINKid=SO15518 rather than the ones here: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate which appear to be somewhat out of date, as Thawte calls for both primary and secondary x.509 certificates to be loaded into the keystore. With no explicit alias reference, and the three certificates placed in the keystore, in the order specified by Thawte, I get: SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443] Throwable occurred: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled. at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:822) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:470) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369) at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) at org.apache.catalina.connector.Connector.initInternal(Connector.java:937) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at 
org.apache.catalina.startup.Catalina.load(Catalina.java:598) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) at java.lang.reflect.Method.invoke(Method.java:611) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled. at com.ibm.jsse2.rc.a(rc.java:53) at com.ibm.jsse2.rc.accept(rc.java:13) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:818) ... 20 more Jan 18, 2012 2:21:43 PM org.apache.catalina.core.StandardService initInternal SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at
Re: More, Re: Problem bringing up SSL with a CA certificate
Dear Igor (et al):

Thanks for getting back to me. To answer the questions (and pose a few more):

Igor Cicimov wrote:
Are you sure you have downloaded the correct intermediate certs?

I didn't download them myself; neither did I place the order. But I'll pass this on to the fellow who did.

*Note:* When executing the command to import the SSL certificate, you must specify the actual *Alias* used when you initially created the keystore. If

The results are exactly the same whether I specify the alias (and yes, it's the correct one; this I did set myself) or not.

One thing I noticed: the Thawte instructions call for importing first the primary, then the secondary, then the purchased certificate. Yet when I do a keytool -list on the keystore, it comes up in a different sequence:

    secondary, Jan 18, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
    wintouch, Jan 18, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
    primary, Jan 18, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A

Would this be a reason to suspect that the person who got the certs either (a) got the wrong secondary for the certificate purchased, (b) purchased the wrong kind of certificate for HTTPS, or (c) both?

-- JHHL
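The listing in the message above shows every alias as a `trustedCertEntry`. As an added example (not part of the original messages), this reads `keytool -list` output and reports whether the configured alias, or any alias, still holds a private key; the second listing is constructed, and `parse_listing` and `diagnose` are hypothetical names.

```python
# Entry types keytool prints after each alias. "keyEntry" is the label used
# by older JDKs, "PrivateKeyEntry" by Java 6 and later.
KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}
KNOWN_TYPES = KEY_TYPES | {"trustedCertEntry", "SecretKeyEntry"}

# keytool -list output quoted in the message above (values from the page).
LISTING_FROM_POST = """\
secondary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
wintouch, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 55:D7:4D:D4:83:01:D6:E0:EB:A4:F3:9A:06:BD:87:38
primary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
"""

# Constructed listing: the same aliases when the CA reply was imported into
# the keystore that generated the CSR, so "wintouch" keeps its private key.
LISTING_CONSTRUCTED = """\
Keystore type: jks
Your keystore contains 3 entries

secondary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): (constructed, omitted)
wintouch, Jan 18, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): (constructed, omitted)
primary, Jan 18, 2012, trustedCertEntry,
Certificate fingerprint (MD5): (constructed, omitted)
"""


def parse_listing(text):
    """Map alias -> entry type. An entry line is comma separated with the
    alias first and the entry type last; the date in between may itself
    contain a comma, so only the first and last fields are used."""
    entries = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",") if f.strip()]
        if len(fields) >= 2 and fields[-1] in KNOWN_TYPES:
            entries[fields[0].lower()] = fields[-1]
    return entries


def diagnose(text, key_alias=None):
    """Return (usable, reason) for serving TLS from this keystore.

    With key_alias set, that alias must be a private-key entry, which is the
    condition named by the 'does not identify a key entry' error quoted in
    the thread. Without it, at least one private-key entry must exist."""
    entries = parse_listing(text)
    key_aliases = sorted(a for a, t in entries.items() if t in KEY_TYPES)
    if key_alias is not None:
        kind = entries.get(key_alias.lower())
        if kind is None:
            return False, f"alias '{key_alias}' is not in the keystore"
        if kind not in KEY_TYPES:
            return False, (f"alias '{key_alias}' is a {kind}: a certificate "
                           "stored without its private key")
        return True, f"alias '{key_alias}' holds a private key ({kind})"
    if not key_aliases:
        return False, ("no private-key entry: the certificates were imported "
                       "into a keystore other than the one that made the CSR")
    return True, "private-key entries: " + ", ".join(key_aliases)


if __name__ == "__main__":
    for name, listing in (("from post", LISTING_FROM_POST),
                          ("constructed", LISTING_CONSTRUCTED)):
        print(name, diagnose(listing, "wintouch"))
```

The order in which `keytool -list` prints the aliases does not enter into the result; only the entry type of each alias does.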
Re: About certificates in Tomcat SSL support
Mark H. Wood wrote:
As already pointed out, there's your problem. To identify a networked service, the value of CN should be the FQDN of the host providing the service. (This is why people suddenly became interested in securing DNS: we are relying on it to validate certificate bindings to services!) Yes, the prompts are confusing. A recent release of OpenSSL, for example, just updated the CN prompt from "Common Name (eg, YOUR name)" to "Common Name (e.g. server FQDN or YOUR name)".

Thanks for the additional detail. We now have the customer set up with a less-frightening self-signed certificate, specific to their domain, pending installation of a CA-signed certificate (which I sincerely hope is domain-specific).

-- JHHL
About certificates in Tomcat SSL support
Scenario: I created a self-signed certificate for the box I was testing:

    CN = James Lampert
    OU = Development Lab
    O = Touchtone Corporation
    L = Costa Mesa
    ST = California
    C = US

I then installed it into the Tomcat server on that box. Connecting to the site with Firefox, I was told that the certificate was not trusted, and asked whether to trust it. After I said to trust it, Firefox now lets me in without further question.

Then, I temporarily installed the certificate on a customer's Tomcat server, just to verify that SSL support was working there. When I connected to it with Firefox, the initial message questioning the validity of the certificate said something about it being for a different server (so far as I'm aware, it isn't for *any* particular server).

Looking at the two Tomcat servers in Microsloth Imploder, even after telling it to trust the certificate, I consistently get a message, "The security certificate presented by this website was issued for a different website's address."

Looking at the two Tomcat servers in a different version of Firefox, on a different WinDoze box, both Tomcat servers give me the message that it is not trusted because it is self-signed, and that it is only valid for James Lampert.

What exactly do I need to do, for a certificate to be recognized as the correct one for a given server?

Also: we have a CA-signed certificate that we use to sign JARs. Is that the same sort of certificate used for Tomcat?

-- JHHL
Re: About certificates in Tomcat SSL support
I created a self-signed certificate for the box I was testing: CN = James Lampert

Pid * wrote:
The Common Name must match the domain name of the server as seen by the client.

Hmm. So where Keytool asks "What is your first and last name?" you answer not with what it's asking for, but with the intended domain name. Makes perfect sense. Thanks.

-- JHHL
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
Tim Watts wrote:
That's a possibility if it's padding the passwords as well. I'm not an AS/400 expert by any means. Is /foo a preallocated file and if so could the problem be with the way it was allocated?

The Java-400 list over at Midrange.com is also in on this (albeit not this specific message).

I tried putting the password, and some of the values, in single quotes, and others in double quotes. No change in behavior: the confirmation message fields were padded, and the quote marks were shown in them.

Hmm. THIS is INTERESTING! If I FTP a keystore created on my WinDoze box onto the 400, then KEYTOOL there can read it. FASCINATING.

-- JHHL
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
Well, using a keystore created on my WinDoze box, and FTP'd to the 400 definitely works: Port 8443 came right up.

But that still leaves open the question of why on earth keytool fails to create valid keystores on the 400, whether run from QShell or QP2Term. Inquiring minds want to know.

BTW: Like any other developer distributing Java products, we have a keystore with the CA-signed certificate we use to sign JARs. Would that KS and certificate also work for SSL support on Tomcat? Or is it limited to JAR-signing? (Not that we would ever want to let that keystore, and its passwords, out of our hands!)

-- JHHL
Tomcat 7 SSL activation on AS/400?
I'm attempting to bring up SSL support in Tomcat 7, on an AS/400 (V6R1). Tomcat itself runs nicely, but following the instructions on http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html I am consistently getting:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
    at java.lang.reflect.Method.invoke(Method.java:611)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(KeyStore.java:414)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
    ... 13 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    ... 26 more

I've tried it with the default keystore name, location, and passwords; I've tried it with an explicit name, location, and both key and keystore passwords. The above exceptions are thrown consistently, except for one occasion when the keystore simply didn't exist where expected.

-- James H. H. Lampert
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
Tim Watts (from the Tomcat Users List) wrote: Can you successfully run this command:

keytool -list -keystore {path/to/your/keystore/file} -storepass {passwd-in-server.xml}

It gives the same error message. And yes, EBCDIC is the default encoding for AS/400s. The attributes on /foo show that it has a CCSID of 819, though, which (if my memory and the IBM docs are correct) is ASCII.

Here's a QShell transcript from a test I ran specifically so that I could post everything without betraying any passwords:

keytool -genkey -alias foo -keyalg RSA -keystore /foo
Enter keystore password: bar
What is your first and last name?
  [Unknown]: James Lampert
What is the name of your organizational unit?
  [Unknown]: Development Lab
What is the name of your organization?
  [Unknown]: Touchtone Corporation
What is the name of your City or Locality?
  [Unknown]: Costa Mesa
What is the name of your State or Province?
  [Unknown]: California
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=James Lampert , OU=Development Lab , O=Touchtone Corporation , L=Costa Mesa , ST=California , C=US correct? (type yes or no)
  [no]: yes
Enter key password for foo: (RETURN if same as keystore password): bar
$ keytool -list -keystore /foo -storepass bar
keytool error (likely untranslated): java.io.IOException: Keystore was tampered with, or password was incorrect
$

Another thought occurred to me: Could the trailing blanks shown in the confirmation message have anything to do with the problem?

-- JHHL
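An added example, not part of the original thread and not keytool's or IBM's code, showing how the JKS format's load-time check behaves if a keystore is written with a blank-padded password and then opened with the password as typed. It assumes the standard JKS layout (header, entries, then a SHA-1 over the UTF-16BE password, the fixed string "Mighty Aphrodite" and the store body); the amount of padding is constructed, and the thread does not establish that padding was the actual cause on this system.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"   # fixed string mixed into the integrity digest


def _digest(password, body):
    # The digest is keyed with the password encoded as UTF-16BE, then the salt.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def build_empty_jks(password):
    """Serialise a constructed JKS store that holds zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)   # magic, version, entry count
    return body + _digest(password, body)


def check_store_password(store, password):
    """Recompute the trailing digest the way a loader does and compare."""
    body, stored = store[:-20], store[-20:]
    magic, version, _count = struct.unpack(">III", body[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    return hmac.compare_digest(_digest(password, body), stored)


def demo():
    padded = "bar".ljust(10)      # constructed: "bar" plus 7 trailing blanks
    store = build_empty_jks(padded)
    # Flip one bit in the entry count to simulate a modified file.
    tampered = store[:11] + bytes([store[11] ^ 1]) + store[12:]
    return {
        "typed password": check_store_password(store, "bar"),
        "padded password": check_store_password(store, padded),
        "tampered store, padded password": check_store_password(tampered, padded),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'loads' if ok else 'digest mismatch'}")
```

A wrong password and a modified file both surface as the same digest mismatch, which is why the exception text names both possibilities.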