Tomcat Manager App and Federation

2023-04-14 Thread Robert Hicks
Does the manager app support something like Apache CXF to authenticate
people to the manager application or is the manager application only
accessible through username/password?

Robert


Re: Logging "location" header from the HTTP response

2022-05-26 Thread Robert Hicks
On Thu, May 26, 2022 at 11:37 AM Konstantin Kolinko wrote:

> Thu, 26 May 2022 at 18:19, Robert Hicks :
> >
> > We would like to start logging the response location in Tomcat. I am not
> > sure where to look something like that up.
>
> You are not mentioning the version number, but from other threads I
> assume that it is 9.0.x.
>
> Here:
> https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Log_Valve
>
> Look for "%{xxx}o"
>
> Best regards,
> Konstantin Kolinko
>

Thanks! I see how to do it now.

Bob


Logging "location" header from the HTTP response

2022-05-26 Thread Robert Hicks
We would like to start logging the response location in Tomcat. I am not
sure where to look something like that up.

Thanks,

Bob


9.0.60 fix question

2022-04-07 Thread Robert Hicks
   - Fix: Fix potential thread-safety issue that could cause
   HTTP/1.1 request processing to wait, and potentially timeout, waiting for
   additional data when the full request has been received. (markt)


What would that actually look like? Tomcat spinning its gears and not
serving anything?

Thanks,

Bob


Re: Possibly Silly Question

2022-03-25 Thread Robert Hicks
Just looking, the history page says:

*Apache Tomcat 3.0.x*. Initial Apache Tomcat release.

Wikipedia also mentions:
2.0 1998 Tomcat started off in November 1998[16] as a servlet reference
implementation by James Duncan Davidson, a software architect at Sun
Microsystems.
So that probably means it was "internal" only.

On Fri, Mar 25, 2022 at 11:45 AM wrote:

> Good morning,
>
> Doing some history research, but was there EVER a released version 1x or
> 2x of Tomcat? IF so, what version numbers had been out there, once upon a
> time ago?
>
> Thank you,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
>


Re: Tomcat 9.0.58 and OpenJDK 1.8.0_322

2022-02-17 Thread Robert Hicks
We think our java.security file is borked somehow. So going down that road
at the moment.

--
Bob

On Thu, Feb 17, 2022 at 12:49 PM Thad Humphries wrote:

> What is your use for SHA-1? Are you using it in your own code, like
> `MessageDigest.getInstance("SHA-1")` or do you have signed JARs? Or maybe
> certificates that use SHA-1? (though I don't think those have been a thing
> for quite some time)
>
> java.security.MessageDigest for Java 8 is supposed to support MD5, SHA-1, and
> SHA-256 (see
> https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html
> ).
> I see references that SHA-1 has been disabled for signed JARs (ex.,
> https://bugs-stage.openjdk.java.net/browse/JDK-8270610 and more
> https://adoptium.net/release_notes.html). However I do not see that SHA-1
> has been dropped from MessageDigest.
>
> Asking for a friend...
>
> On Wed, Feb 16, 2022 at 4:03 PM Noelette Stout wrote:
>
> > Based on those errors, it sounds like SHA-1 has been desupported in the
> > newer OpenJDK version.
> >
> > On Wed, Feb 16, 2022 at 1:55 PM Robert Hicks wrote:
> >
> > > We are currently running Tomcat 9.0.40 and OpenJDK (Red Hat) 1.8.0_292
> > and
> > > have no issues.
> > >
> > > We upgrade to the ones in the subject line and Tomcat throws "SHA1PRNG
> > > SecureRandom not available" and "SHA MessageDigest not available" and
> > > "SHA-1 not available" and others.
> > >
> > > We downgrade to .40 and _292 and all is well again.
> > >
> > > Was there a change that could possibly cause that?
> > >
> > > Has anyone else seen this behavior?
> > >
> > > We are currently troubleshooting to see if we missed something on our
> end
> > > and can supply logs when that happens.
> > >
> > > Thanks!
> > >
> > > --
> > > Bob
> > >
> >
> >
> > --
> > Noelette Stout
> > ITS Enterprise Applications - Senior Application Administrator
> > Idaho State University
> > E-mail: stounoel "at" isu "dot" edu
> > Desk: 208-282-2554
> >
>
>
> --
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> are is hell, And where hell is, there must we ever be" --Christopher
> Marlowe, *Doctor Faustus* (v. 111-13)
>


Tomcat 9.0.58 and OpenJDK 1.8.0_322

2022-02-16 Thread Robert Hicks
We are currently running Tomcat 9.0.40 and OpenJDK (Red Hat) 1.8.0_292 and
have no issues.

We upgrade to the ones in the subject line and Tomcat throws "SHA1PRNG
SecureRandom not available" and "SHA MessageDigest not available" and
"SHA-1 not available" and others.

We downgrade to .40 and _292 and all is well again.

Was there a change that could possibly cause that?

Has anyone else seen this behavior?

We are currently troubleshooting to see if we missed something on our end
and can supply logs when that happens.

Thanks!

--
Bob


Re: Interesting log capability request

2021-10-07 Thread Robert Hicks
The catalina.out log should capture that information already, right?

This is what I see when I shutdown my barebones Tomcat:

07-Oct-2021 15:19:03.276 INFO [main]
org.apache.catalina.core.StandardServer.await A valid shutdown command was
received via the shutdown port. Stopping the Server instance.
07-Oct-2021 15:19:03.277 INFO [main]
org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler
["http-nio-8080"]
07-Oct-2021 15:19:03.546 INFO [main]
org.apache.catalina.core.StandardService.stopInternal Stopping service
[Catalina]
07-Oct-2021 15:19:03.599 INFO [main]
org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler
["http-nio-8080"]
07-Oct-2021 15:19:03.647 INFO [main]
org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler
["http-nio-8080"]

If you have webapps going it should take a little longer of course.

--
Bob

On Thu, Oct 7, 2021 at 3:05 PM wrote:

> I have an app team that wants to know if it's possible to capture how long
> the Tomcat Shutdown takes? I don't think there is without modifying
> something in the Catalina.sh under the Stop section, but wondering if there
> is something already built in.
>
> Thanks,
>
>
>
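
Jon's question (how long does the shutdown take?) can be answered from exactly the catalina.out lines Bob pasted: every phase is timestamped, so the elapsed time is the difference between the "valid shutdown command was received" line and the last "Destroying ProtocolHandler" line. The script below is an added example, not code from the thread or from the Tomcat project; it assumes the default JULI timestamp format (dd-MMM-yyyy HH:mm:ss.SSS) and treats a log that never reaches the final destroy line as a shutdown that did not complete (hung on a webapp, or the JVM was killed first).

```python
import re
from datetime import datetime

# The five catalina.out lines from the shutdown above, re-joined (the mail
# wrapped them). Tomcat's default JULI format is dd-MMM-yyyy HH:mm:ss.SSS.
SAMPLE_LOG = """\
07-Oct-2021 15:19:03.276 INFO [main] org.apache.catalina.core.StandardServer.await A valid shutdown command was received via the shutdown port. Stopping the Server instance.
07-Oct-2021 15:19:03.277 INFO [main] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-nio-8080"]
07-Oct-2021 15:19:03.546 INFO [main] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
07-Oct-2021 15:19:03.599 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8080"]
07-Oct-2021 15:19:03.647 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8080"]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] (?P<source>\S+) (?P<msg>.*)$"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"

# Log sources that bracket a shutdown: the command being accepted, and the
# last connector being torn down.
START_MARK = "StandardServer.await"
END_MARK = "AbstractProtocol.destroy"


def parse_line(line):
    """Fields of one catalina.out line, or None for continuation lines (stack traces)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def shutdown_timeline(log_text):
    """[(source, ms since the shutdown command), ...] for the most recent shutdown
    in the log, or [] if no shutdown command was ever logged."""
    timeline, start = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if START_MARK in rec["source"]:
            start, timeline = rec["ts"], []  # a later shutdown restarts the clock
        if start is not None:
            delta_ms = round((rec["ts"] - start).total_seconds() * 1000)
            timeline.append((rec["source"], delta_ms))
    return timeline


def shutdown_duration_ms(log_text):
    """Milliseconds from the shutdown command to the final ProtocolHandler destroy.
    None means the log never got there: shutdown still running, hung on a webapp,
    or the JVM was killed before it finished."""
    ends = [ms for src, ms in shutdown_timeline(log_text) if END_MARK in src]
    return ends[-1] if ends else None


if __name__ == "__main__":
    for source, ms in shutdown_timeline(SAMPLE_LOG):
        print(f"{ms:6d} ms  {source}")
    print("total:", shutdown_duration_ms(SAMPLE_LOG), "ms")
```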


Re: [ANN] Apache Tomcat 9.0.50 available

2021-07-06 Thread Robert Hicks
Yeah, weird. Downloaded it again and it's fine.

I am using that Java version on purpose, thanks.

On Tue, Jul 6, 2021 at 10:17 AM Konstantin Kolinko wrote:

> Logs from my smoke-testing of Windows installer
> (apache-tomcat-9.0.50.exe) a week ago:
>
> 28-Jun-2021 16:26:48.587 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server version
> name:   Apache Tomcat/9.0.50
> 28-Jun-2021 16:26:48.607 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server built:
>   Jun 28 2021 08:46:44 UTC
> 28-Jun-2021 16:26:48.607 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server version
> number: 9.0.50.0
>
> The same logs are if I unpack and start apache-tomcat-9.0.50.zip
>
> SHA 512 of that file is
>
> 10515ccee311282386bb0549808d646c3c60b584f4c20f4ad577ac6068f0e4eb09ae93abc11df29c1328e2632df2c1c449d4002becdd6464c79766ade506c058
> *apache-tomcat-9.0.50.zip
>
> So all is OK. Please check your files.
>
> BTW, the current version of Java 8 is 8u292.
>
> Tue, 6 Jul 2021 at 17:10, Robert Hicks :
> >
> > I did a version and there seems to be a mismatch?
> >
> > PS C:\apache-tomcat-9.0.50> cd bin
> > PS C:\apache-tomcat-9.0.50\bin> .\version.bat
> > Using CATALINA_BASE:   "C:\apache-tomcat-9.0.50"
> > Using CATALINA_HOME:   "C:\apache-tomcat-9.0.50"
> > Using CATALINA_TMPDIR: "C:\apache-tomcat-9.0.50\temp"
> > Using JRE_HOME:"C:\jdk8u282\jre"
> > Using CLASSPATH:
> >
> "C:\apache-tomcat-9.0.50\bin\bootstrap.jar;C:\apache-tomcat-9.0.50\bin\tomcat-juli.jar"
> > Using CATALINA_OPTS:   "-server -Xmx1024m -XX:MetaspaceSize=256m
> > -XX:MaxMetaspaceSize=256m
> > -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
> > -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
> > -Dorg.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES=true
> > -D.org.apache.catalina.connector.ALLOW_BACKSLASH=false
> >
> -Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true"
> > Server version: *Apache Tomcat/9.0.48*
> > Server built:   *Jun 10 2021 09:22:01 UTC*
> > Server number:  *9.0.48.0*
> > OS Name:Windows 10
> > OS Version: 10.0
> > Architecture:   amd64
> > JVM Version:1.8.0_282-b08
> > JVM Vendor: AdoptOpenJDK
> > PS C:\apache-tomcat-9.0.50\bin>
> >
> > On Mon, Jul 5, 2021 at 4:02 AM Rémy Maucherat  wrote:
> >
> > > The Apache Tomcat team announces the immediate availability of Apache
> > > Tomcat 9.0.50.
> > >
> > > Apache Tomcat 9 is an open source software implementation of the Java
> > > Servlet, JavaServer Pages, Java Unified Expression Language, Java
> > > WebSocket and JASPIC technologies.
> > >
> > > Apache Tomcat 9.0.50 is a bugfix and feature release. The notable
> > > changes compared to 9.0.48 include:
> > >
> > > - Re-work the HTTP/2 overhead protection to reduce the likelihood of
> > >false positives. Note that the default overheadCountFactor has
> changed
> > >from 1 to 10 and that the useful range is now 0 to ~20.
> > >
> > > - Update to Eclipse JDT compiler 4.20.
> > >
> > > - Fix regressions in JSP compilation in the previous release.
> > >
> > > Along with lots of other bug fixes and improvements.
> > >
> > > Please refer to the change log for the complete list of changes:
> > > http://tomcat.apache.org/tomcat-9.0-doc/changelog.html
> > >
> > >
> > > Downloads:
> > > http://tomcat.apache.org/download-90.cgi
> > >
> > > Migration guides from Apache Tomcat 7.x and 8.x:
> > > http://tomcat.apache.org/migration.html
> > >
> > > Enjoy!
> > >
> > > - The Apache Tomcat team
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
>
>
>


Re: [ANN] Apache Tomcat 9.0.50 available

2021-07-06 Thread Robert Hicks
I did a version and there seems to be a mismatch?

PS C:\apache-tomcat-9.0.50> cd bin
PS C:\apache-tomcat-9.0.50\bin> .\version.bat
Using CATALINA_BASE:   "C:\apache-tomcat-9.0.50"
Using CATALINA_HOME:   "C:\apache-tomcat-9.0.50"
Using CATALINA_TMPDIR: "C:\apache-tomcat-9.0.50\temp"
Using JRE_HOME:"C:\jdk8u282\jre"
Using CLASSPATH:
"C:\apache-tomcat-9.0.50\bin\bootstrap.jar;C:\apache-tomcat-9.0.50\bin\tomcat-juli.jar"
Using CATALINA_OPTS:   "-server -Xmx1024m -XX:MetaspaceSize=256m
-XX:MaxMetaspaceSize=256m
-Dorg.apache.catalina.connector.RECYCLE_FACADES=true
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
-Dorg.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES=true
-D.org.apache.catalina.connector.ALLOW_BACKSLASH=false
-Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true"
Server version: *Apache Tomcat/9.0.48*
Server built:   *Jun 10 2021 09:22:01 UTC*
Server number:  *9.0.48.0*
OS Name:Windows 10
OS Version: 10.0
Architecture:   amd64
JVM Version:1.8.0_282-b08
JVM Vendor: AdoptOpenJDK
PS C:\apache-tomcat-9.0.50\bin>

On Mon, Jul 5, 2021 at 4:02 AM Rémy Maucherat  wrote:

> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.50.
>
> Apache Tomcat 9 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and JASPIC technologies.
>
> Apache Tomcat 9.0.50 is a bugfix and feature release. The notable
> changes compared to 9.0.48 include:
>
> - Re-work the HTTP/2 overhead protection to reduce the likelihood of
>false positives. Note that the default overheadCountFactor has changed
>from 1 to 10 and that the useful range is now 0 to ~20.
>
> - Update to Eclipse JDT compiler 4.20.
>
> - Fix regressions in JSP compilation in the previous release.
>
> Along with lots of other bug fixes and improvements.
>
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/tomcat-9.0-doc/changelog.html
>
>
> Downloads:
> http://tomcat.apache.org/download-90.cgi
>
> Migration guides from Apache Tomcat 7.x and 8.x:
> http://tomcat.apache.org/migration.html
>
> Enjoy!
>
> - The Apache Tomcat team
>
>
>


Re: Tomcat 9 and FIP-140 mode

2021-05-24 Thread Robert Hicks
Follow on question as we are in the weeds on this now.

OpenSSL is in FIPS mode. The JDK is in FIPS mode. I think Tomcat is as the
Listener has SSLEngine="on" and FIPSMODE="on" but I am still getting the
following errors:

failed to set property [FIPSMODE] to [on]

In reading around, does the connector for the Http11AprProtocol need to be
configured as well? It is currently commented out but the section on
"configure the server.xml" here leads me to believe it needs to be:

https://stackoverflow.com/questions/34022646/how-to-make-tomcat-fips-mode-enabling

--
Bob


On Mon, Aug 24, 2020 at 2:49 PM Robert Hicks  wrote:

>
>
> On Mon, Aug 24, 2020 at 12:48 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>>
>> Robert,
>>
>> On 8/24/20 11:04, Robert Hicks wrote:
>> > Maybe it's just better to straight up ask. I've found a couple of
>> > Google searches but nothing for Tomcat 9 and the information seems
>> > sporadic, incomplete, or contradictory.
>> >
>> > How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?
>>
>> The Sun/Oracle-provided crypto providers should already be FIPS-140
>> certified, as long as you use them in the proper configuration.
>>
>> There is nothing Tomcat-specific about enabling FIPS for the SunJCE
>> provider because it needs to be done at the JRE-level.
>>
>> This document is WebLogic-centric, but it shows how to enable FIPS-140
>> mode for the whole JVM and therefore isn't WebLogic-specific, either:
>>
>> https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm
>>
>> Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
>> that module is in use, but we don't do anything about the built-in
>> providers. Given the information in that document above, it looks like
>> it's possible to trigger a test to determine whether FIPS is indeed
>> active; perhaps Tomcat could initiate such a test as a sanity-check if
>> FIPS-mode is "required" (through some as-yet-determined configuration
>> option).
>>
>> - -chris
>>
>
> Thanks Chris!
>
> Bob
>


JEP 411: Deprecate the Security Manager for Removal

2021-05-19 Thread Robert Hicks
Is that the "same" security manager we flip on for Tomcat or just an
unfortunate naming coincidence?

-- 
Bob


Tomcat (catalina.jar) Security Question

2021-05-06 Thread Robert Hicks
We are getting evaluated and one of the items that I need to do is change
the "ServerInfo.properties" in the catalina.jar to set "server.info" and
"server.version" to nonsense (really).

I have the following Valve setup as well:



At what point would the "ServerInfo.properties" actually show a version and
server name to an end user?

I am just wondering if mucking with the jar every release is a worthwhile
thing and what security implications (if any) are involved.

Thanks,

Bob


Tomcat Manager

2021-02-24 Thread Robert Hicks
Is there a way (my google-fu is failing) to use the command line version of
the manager but not have the front end UI available at all?

Thanks,

Bob


Re: Virtual event focussed on Tomcat Security

2020-10-16 Thread Robert Hicks
On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas  wrote:

> On 29/09/2020 12:25, Mark Thomas wrote:
> > Hi all,
> >
> > We (the Tomcat community) have some funding from Google to help us
> > improve Tomcat security. Our original plan was to use the funding to
> > support an in-person security focussed hackathon. As you would expect,
> > those plans are on hold for now. We would, therefore, like to explore
> > the possibility of doing something virtually.
> >
> > The purpose of this email is to gather input from the community about
> > what such an event should look like. With that input we can put together
> > a plan for the event. So, over to you. What would your ideal virtual
> > event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
>  - SSO / SAML / OpenIDConnect
>
> The first two are more application security focussed and would not have
> to be Tomcat specific.
>
> The third is more likely to Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.
>
> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
>   features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
>   results and fix (with committer support) those that need fixing.
>   Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
>
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.
>
>
Has a "when" been decided yet?

Thanks,

Bob


Re: Tomcat 9 and FIP-140 mode

2020-08-24 Thread Robert Hicks
On Mon, Aug 24, 2020 at 12:48 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Robert,
>
> On 8/24/20 11:04, Robert Hicks wrote:
> > Maybe it's just better to straight up ask. I've found a couple of
> > Google searches but nothing for Tomcat 9 and the information seems
> > sporadic, incomplete, or contradictory.
> >
> > How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?
>
> The Sun/Oracle-provided crypto providers should already be FIPS-140
> certified, as long as you use them in the proper configuration.
>
> There is nothing Tomcat-specific about enabling FIPS for the SunJCE
> provider because it needs to be done at the JRE-level.
>
> This document is WebLogic-centric, but it shows how to enable FIPS-140
> mode for the whole JVM and therefore isn't WebLogic-specific, either:
>
> https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm
>
> Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
> that module is in use, but we don't do anything about the built-in
> providers. Given the information in that document above, it looks like
> it's possible to trigger a test to determine whether FIPS is indeed
> active; perhaps Tomcat could initiate such a test as a sanity-check if
> FIPS-mode is "required" (through some as-yet-determined configuration
> option).
>
> - -chris
>

Thanks Chris!

Bob


Tomcat 9 and FIP-140 mode

2020-08-24 Thread Robert Hicks
Maybe it's just better to straight up ask. I've found a couple of Google
searches but nothing for Tomcat 9 and the information seems sporadic,
incomplete, or contradictory.

How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?

Thanks in advance.

-- 
Bob


Re: Tomcat 9 and FIPS-140

2020-08-19 Thread Robert Hicks
Oops...here's the article.

https://docs.bmc.com/docs/sso81/configuring-an-external-tomcat-instance-for-fips-140-231147871.html

This is not for BMC just straight Tomcat 9 on JDK8.

On Tue, Aug 18, 2020 at 6:56 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Robert,
>
> On 8/18/20 16:19, Robert Hicks wrote:
> > Is this article good for enabling FIPS-140 for Tomcat 9?
>
> [citation needed]
>
> - -chris
>
>
>


Tomcat 9 and FIPS-140

2020-08-18 Thread Robert Hicks
Is this article good for enabling FIPS-140 for Tomcat 9?

Thanks,

Bob


Tomcat shutdown password complexity

2020-05-08 Thread Robert Hicks
I am trying to find what the password complexity can be. I've looked at
several hardening guides and they are all "WordsLikeThis". Does the
shutdown password take symbols and numbers or at least hyphenated words?

Thanks,

Bob


Re: Tomcat 9 : relaxedQueryChars

2020-03-05 Thread Robert Hicks
On Wed, Mar 4, 2020 at 4:46 PM Mark Thomas  wrote:

> On 04/03/2020 20:20, Robert Hicks wrote:
> > We are getting the following over and over in our catalina.out file:
> >
> > java.lang.IllegalArgumentException: Invalid character found in the
> request
> > target. The valid characters are defined in RFC 7230 and RFC 3986
>
> Do you know what URIs are triggering those?
>
> We recently improved the HTTP header logging to report invalid
> characters in %nn form. We could add that to this exception message so
> you have some chance of figuring out what the issue is.
>
> > Our server.xml has the following copied from an online search I think:
> >
> > relaxedQueryChars="[]|{}^"
>
> That is all of the allowed characters.
>
> It is an attribute value so you'll need to encode at least " and <. What
> you have above is fine.
>
> > I found something else that said the following might also help in
> > catalina.properties:
> >
> > org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
>
> I'd be very careful using that.
>
>
> Mark
>
>
>
Thanks Mark, we are going to figure out when we can up the logging level to
capture it and move from there.

--
Bob


Tomcat 9 : relaxedQueryChars

2020-03-04 Thread Robert Hicks
We are getting the following over and over in our catalina.out file:

java.lang.IllegalArgumentException: Invalid character found in the request
target. The valid characters are defined in RFC 7230 and RFC 3986

Our server.xml has the following copied from an online search I think:

relaxedQueryChars="[]|{}^"


However, the docs say that only the following are valid and others are
ignored:


" < > [ \ ] ^ ` { | }


Do the characters have to be exactly like that instead of encoding them?
For example:


relaxedQueryChars= " < > [ \ ] ^ ` { | }


I found something else that said the following might also help in
catalina.properties:


org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true


Thanks for any help.


--

Bob


Re: Tomcat 9 relaxedQueryChars format

2019-11-29 Thread Robert Hicks
Yeah, I read that and I will talk to my co-admin about it.

Thanks!

On Fri, Nov 29, 2019 at 10:43 AM M. Manna  wrote:

> To clarify (along with my last reply) - what you are trying to do is not
> correct. The tomcat documentation confirms that only the following are
> allowed
>
> The HTTP/1.1 specification <https://tools.ietf.org/rfc/rfc7230.txt>
> requires
> > that certain characters are %nn encoded when used in URI query strings.
> > Unfortunately, many user agents including all the major browsers are not
> > compliant with this specification and use these characters in unencoded
> > form. To prevent Tomcat rejecting such requests, this attribute may be
> used
> > to specify the additional characters to allow. If not specified, no
> > additional characters will be allowed. The value may be any combination
> of
> > the following characters: " < > [ \ ] ^ ` { | } . Any other characters
> > present in the value will be ignored.
>
>
> On Fri, 29 Nov 2019 at 15:39, M. Manna  wrote:
>
> > Robert,
> >
> > On Fri, 29 Nov 2019 at 15:28, Robert Hicks wrote:
> >
> >> What is the correct format?
> >>
> >> I see the following used when I do a search:
> >>
> >> relaxedQueryChars="[,],{,}.|"
> >>
> >> relaxedQueryChars="[ ] { } |"
> >>
> >> relaxedQueryChars="[]|{}^"
> >>
> >> We use that last one. I am running down this error:
> >>
> >> java.lang.IllegalArgumentException: Invalid character found in the
> >> request target. The valid characters are defined in RFC 7230 and RFC
> >> 3986
> >>
> >> Thanks!
> >>
> >> --
> >>
> >>
> > This is a working version in Http11AprProtocol
> >
> > relaxedQueryChars="{[,:]|}"
> >
> >
> >
> >
> >> Bob
> >>
> >
>
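
The three relaxedQueryChars threads above make three points worth seeing in code: the attribute value is filtered down to the eleven documented characters (so "[,],{,}.|" and "[ ] { } |" enable the same set, the commas, period and spaces being ignored), " and < must be XML-encoded inside server.xml, and Mark's suggestion that the IllegalArgumentException report the offending characters in %nn form. The script below is an added model of that behaviour, not Tomcat's own HttpParser code; the base allowed set is my assumption derived from RFC 3986 (unreserved, sub-delims, ":@/?" and "%"), the relaxed set is applied to the query only (relaxedPathChars is not modelled), and percent-encoding validity is not checked.

```python
# Characters that relaxedQueryChars may enable, per the Tomcat docs quoted above.
# Anything else in the attribute value is ignored.
RELAXABLE = frozenset('"<>[\\]^`{|}')

# What RFC 3986 allows in a path segment or query. This is an assumption about
# Tomcat's check, derived from the RFC rather than from Tomcat's own tables:
# unreserved, sub-delims, ":" "@" "/" "?" and "%" for percent-encoding.
UNRESERVED = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = frozenset("!$&'()*+,;=")
BASE_ALLOWED = UNRESERVED | SUB_DELIMS | frozenset(":@/?%")


def effective_relaxed_chars(attr_value):
    """The set a given relaxedQueryChars value actually enables.
    '[,],{,}.|' and '[ ] { } |' both collapse to { [ ] { } | }: the commas,
    period and spaces are silently dropped."""
    return frozenset(c for c in attr_value if c in RELAXABLE)


def percent_form(c):
    """%NN form of a character, one escape per UTF-8 byte."""
    return "".join(f"%{b:02X}" for b in c.encode("utf-8"))


def invalid_request_target_chars(target, relaxed_query=frozenset()):
    """Every character Tomcat would reject in a request target, as
    (offset, char, '%NN'). The relaxed set applies to the query string only;
    the path is governed by relaxedPathChars, which is not modelled here."""
    path, sep, query = target.partition("?")
    rejected = []
    for i, c in enumerate(path):
        if c not in BASE_ALLOWED:
            rejected.append((i, c, percent_form(c)))
    if sep:
        query_start = len(path) + 1  # skip the '?' itself
        for i, c in enumerate(query):
            if c not in BASE_ALLOWED and c not in relaxed_query:
                rejected.append((query_start + i, c, percent_form(c)))
    return rejected


def xml_attribute(value):
    """Escape a relaxedQueryChars value for use inside server.xml quotes.
    At least '"' and '<' must be encoded; '&' and '>' are escaped too."""
    return (value.replace("&", "&amp;")
                 .replace('"', "&quot;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;"))


if __name__ == "__main__":
    # Constructed request target: a JSON object passed unencoded in the query,
    # the kind of client behaviour that produces the exception in the thread.
    target = '/app/search?q={"a":1}'
    for attr in ('[,],{,}.|', '[]|{}^', '"{}'):
        relaxed = effective_relaxed_chars(attr)
        bad = invalid_request_target_chars(target, relaxed)
        print(f'relaxedQueryChars="{xml_attribute(attr)}" -> still rejected: {bad}')
```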


Tomcat 9 relaxedQueryChars format

2019-11-29 Thread Robert Hicks
What is the correct format?

I see the following used when I do a search:

relaxedQueryChars="[,],{,}.|"

relaxedQueryChars="[ ] { } |"

relaxedQueryChars="[]|{}^"

We use that last one. I am running down this error:

java.lang.IllegalArgumentException: Invalid character found in the
request target. The valid characters are defined in RFC 7230 and RFC
3986

Thanks!

-- 

Bob


Re: EOL for Tomcat 9.X ?

2019-10-18 Thread Robert Hicks
Thanks!

--
Bob

On Fri, Oct 18, 2019 at 11:41 AM Olaf Kock  wrote:

>
> On 18.10.19 17:25, Robert Hicks wrote:
> > Management is asking me if there is an end of life for Tomcat 9
> reported. I
> > don't see anything on the tomcat web site.
>
> Mark recently answered this to the same question for Tomcat 8.5:
>
>
> There is no official date.
>
> The Tomcat project maintains 3 major versions in parallel. Currently
> these are:
> - 9.0.x
> - 8.5.x
> - 7.0.x
>
> We always provide at least 12 months notice of EOL.
>
> Major releases are aligned with releases of the Servlet specification.
> The current timetable for the next Servlet spec is TBD.
>
> We haven't even announced EOL for 7.0.x yet so you have:
> - x years until Tomcat 10 / Servlet 4.next is released
> - 1 year for 7.0.x EOL
> - y years until Tomcat 11 / Servlet 4.next+1 is released
> - 1 year for 8.5.x EOL
>
> Taking low estimates for x and y of 1 and 2 respectively, you have at
> least 5 years before 8.5.x is EOL.
>
> Take that figure as an "Engineering Estimate". Also known as a "wild
> guess".
>
>
>
>


EOL for Tomcat 9.X ?

2019-10-18 Thread Robert Hicks
Management is asking me if there is an end of life for Tomcat 9 reported. I
don't see anything on the tomcat web site.

Thanks,

--
Bob


Tomcat 9.0.20 : send email on errors

2019-07-22 Thread Robert Hicks
Using the default logging (java.util.logging) is it possible to have Tomcat
itself (not a jsp or servlet) send an email if it is unable to log or there
are errors in its log files?

The scenario I am thinking of would be if the logging file system is full
or unavailable due to other issues.

Thanks,

Bob