Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
James,

On 11/18/16 2:39 PM, Christopher Schultz wrote:
> James,
>
> On 11/18/16 2:06 PM, James H. H. Lampert wrote:
>> On 11/18/16, 9:08 AM, Caldarale, Charles R wrote:
>>> No, 8009 is the default port for communication between httpd
>>> and Tomcat. 8005 is the default shutdown port.
>
>>> Correct. If you're not using it, remove (or comment out) the
>>> declaration.
>
>> Fascinating.
>
>> Can somebody point me to the right docs, so I can learn more
>> about this?
>
> There are a couple of resources.
>
> The first would be to have a look at the stock server.xml that
> comes with Tomcat, since you can find the AJP Connector on port
> 8009 defined in there. I'm not sure there is any documentation on
> the web that says what the default configuration is... because it's
> just so easy to look.
>
> The second would be the configuration guide's coverage of the AJP
> connector[1], which will largely be irrelevant to you.
>
> If you aren't using AJP for anything, you should probably just
> disable it by commenting-out the element, or deleting
> it entirely.
>
> AJP is only useful if you have a reverse-proxy out in front of
> Tomcat and you'd like to use AJP as the communication protocol
> between that proxy and Tomcat. No proxy = no AJP, unless you are
> running some weird kind of web browser that for some reason
> understands AJP.

Oh, one more thing: if someone is probing your network, you might want to find out who it is. It might be a basic security scan by a blue team, or it could be malware scanning the network to see if anything interesting is available.
-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
James,

On 11/18/16 2:06 PM, James H. H. Lampert wrote:
> On 11/18/16, 9:08 AM, Caldarale, Charles R wrote:
>> No, 8009 is the default port for communication between httpd and
>> Tomcat. 8005 is the default shutdown port.
>
>> Correct. If you're not using it, remove (or comment out) the
>> declaration.
>
> Fascinating.
>
> Can somebody point me to the right docs, so I can learn more about
> this?

There are a couple of resources.

The first would be to have a look at the stock server.xml that comes with Tomcat, since you can find the AJP Connector on port 8009 defined in there. I'm not sure there is any documentation on the web that says what the default configuration is... because it's just so easy to look.

The second would be the configuration guide's coverage of the AJP connector[1], which will largely be irrelevant to you.

If you aren't using AJP for anything, you should probably just disable it by commenting-out the element, or deleting it entirely.

AJP is only useful if you have a reverse-proxy out in front of Tomcat and you'd like to use AJP as the communication protocol between that proxy and Tomcat. No proxy = no AJP, unless you are running some weird kind of web browser that for some reason understands AJP.
-chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
RE: Getting "Invalid message received with signature xxxxx" messages in catalina.out
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com]
> Subject: Re: Getting "Invalid message received with signature x" messages in catalina.out

> > No, 8009 is the default port for communication between httpd and Tomcat. 8005 is
> > the default shutdown port.
> > If you're not using it, remove (or comment out) the declaration.

> Can somebody point me to the right docs, so I can learn more about this?

Start with the FAQ:
https://wiki.apache.org/tomcat/FAQ/Connectors

Then the official places:
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
Chuck,

On 11/18/16 12:08 PM, Caldarale, Charles R wrote:
>> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com]
>> Subject: Re: Getting "Invalid message received with signature
>> x" messages in catalina.out
>
>> This is interesting:
> redirectPort="8443" />
>
>> Isn't 8009 some sort of backchannel control port, perhaps the one
>> used for controlled shutdown of Tomcat?
>
> No, 8009 is the default port for communication between httpd and
> Tomcat. 8005 is the default shutdown port.
>
>> It seems to be defined as an AJP port "straight out of the box,"
>> is also so-defined on our own Tomcat server, and is presumably
>> so-defined at all our other customer installations.
>
> Correct. If you're not using it, remove (or comment out) the
> declaration.
>
>> And yet this is the first time I've ever seen these error
>> messages.
>
> Something with access to your network is probing that port.

+1

And they aren't speaking AJP, which is why you are getting that error.
-chris
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
On 11/18/16, 9:08 AM, Caldarale, Charles R wrote:
> No, 8009 is the default port for communication between httpd and
> Tomcat. 8005 is the default shutdown port.

> Correct. If you're not using it, remove (or comment out) the
> declaration.

Fascinating.

Can somebody point me to the right docs, so I can learn more about this?

--
JHHL
RE: Getting "Invalid message received with signature xxxxx" messages in catalina.out
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com]
> Subject: Re: Getting "Invalid message received with signature x" messages in catalina.out

> This is interesting:
>
> Isn't 8009 some sort of backchannel control port, perhaps the one used
> for controlled shutdown of Tomcat?

No, 8009 is the default port for communication between httpd and Tomcat. 8005 is the default shutdown port.

> It seems to be defined as an AJP port "straight out of the box," is also
> so-defined on our own Tomcat server, and is presumably so-defined at all
> our other customer installations.

Correct. If you're not using it, remove (or comment out) the declaration.

> And yet this is the first time I've ever seen these error messages.

Something with access to your network is probing that port.

 - Chuck
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
On 18.11.2016 17:56, James H. H. Lampert wrote:
> On 11/17/16, 9:00 PM, Christopher Schultz wrote:
>> There must be another connector. This one uses HTTP, and the error
>> messages you posted are using AJP.
>>
>> Do you have a connector in conf/server.xml that you thought was
>> disabled, but isn't?
>
> Dear Mr. Schultz:
>
> This is interesting:
>
> Isn't 8009 some sort of backchannel control port, perhaps the one used
> for controlled shutdown of Tomcat?
>
> It seems to be defined as an AJP port "straight out of the box," is also
> so-defined on our own Tomcat server, and is presumably so-defined at all
> our other customer installations.
>
> And yet this is the first time I've ever seen these error messages.
>
> Now, I'm more puzzled than ever about this.

My own guess: at the date at which these messages started to happen, some additional (monitoring?) program was started in your network, which sends HTTP messages to any server port it finds listening. Only in this case, it sends HTTP messages to a port which does not understand HTTP, so it complains.
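The two signature values reported at the start of this thread can be decoded to test the guess above. Tomcat logs the first two bytes of the packet as a 16-bit integer, and a genuine AJP13 request from the web server starts with 0x1234. The sketch below is an added example, not part of the original thread or Tomcat's code; the log sample and the prefix table are constructed for illustration.

```python
import re
from collections import Counter

AJP_MAGIC = 0x1234  # first two bytes of an AJP13 packet sent by the web server

# Constructed sample in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Nov 17, 2016 3:39:44 AM org.apache.coyote.ajp.AjpMessage processHeader
SEVERE: Invalid message received with signature 18245
Nov 17, 2016 3:40:02 AM org.apache.coyote.ajp.AjpMessage processHeader
SEVERE: Invalid message received with signature 18245
Nov 17, 2016 3:41:06 AM org.apache.coyote.ajp.AjpMessage processHeader
SEVERE: Invalid message received with signature 18501
"""

SIG_RE = re.compile(r"Invalid message received with signature (\d+)")

# Two-byte prefixes of common non-AJP traffic. This lookup table is an
# assumption made for the example; extend it for your own environment.
KNOWN_PREFIXES = {
    b"GE": "HTTP GET",
    b"HE": "HTTP HEAD",
    b"PO": "HTTP POST",
    b"OP": "HTTP OPTIONS",
    b"\x16\x03": "TLS handshake record",
    b"SS": "SSH banner",
}


def decode_signature(sig):
    """Return (raw bytes, guess) for the 16-bit value Tomcat logged."""
    if not 0 <= sig <= 0xFFFF:
        return b"", "out of range"
    raw = sig.to_bytes(2, "big")
    if sig == AJP_MAGIC:
        return raw, "valid AJP13"
    return raw, KNOWN_PREFIXES.get(raw, "unknown")


def summarize(log_text):
    """Count each logged signature and label the protocol it resembles."""
    counts = Counter(int(m.group(1)) for m in SIG_RE.finditer(log_text))
    return {sig: (n, *decode_signature(sig)) for sig, n in counts.items()}


if __name__ == "__main__":
    for sig, (n, raw, guess) in summarize(SAMPLE_LOG).items():
        print(f"{sig} = 0x{sig:04x} = {raw!r}: {guess} ({n}x)")
```

Both values from the thread decode to the first two letters of an HTTP method, so the log alone shows that a client was sending plain HTTP to the AJP port.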
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
On 11/17/16, 9:00 PM, Christopher Schultz wrote:
> There must be another connector. This one uses HTTP, and the error
> messages you posted are using AJP.
>
> Do you have a connector in conf/server.xml that you thought was
> disabled, but isn't?

Dear Mr. Schultz:

This is interesting:

Isn't 8009 some sort of backchannel control port, perhaps the one used for controlled shutdown of Tomcat?

It seems to be defined as an AJP port "straight out of the box," is also so-defined on our own Tomcat server, and is presumably so-defined at all our other customer installations.

And yet this is the first time I've ever seen these error messages.

Now, I'm more puzzled than ever about this.

--
JHHL
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
James,

On 11/17/16 12:52 PM, James H. H. Lampert wrote:
> On 11/17/16, 9:34 AM, Christopher Schultz wrote:
>
>> Presumably, you have httpd out in front of your Tomcat
>> instances?
>
> I wouldn't know. Tomcat is running by itself, rather than under
> Apache (or anything else), using JSSE, rather than OpenSSL.
> Connector tag is:
>
>> > keystoreFile=[REDACTED} alias=[REDACTED] maxThreads="150"
>> scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
>> />
>>

There must be another connector. This one uses HTTP, and the error messages you posted are using AJP.

Do you have a connector in conf/server.xml that you thought was disabled, but isn't?

> Two other details (the first of which I hadn't known at the time of
> the initial query): 1. This particular Tomcat server has been
> running nonstop since June 5th.

Yay, uptime! Probably needs some OS patches, though :)

> 2. Our webapp uses BIRT reports, and the customer has been having
> response time issues and error messages, particularly in connection
> with the BIRT reports.

It's not clear whether BIRT is related, here. Probably not, but good to know.
-chris
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
On 11/17/16, 9:34 AM, Christopher Schultz wrote:
> Presumably, you have httpd out in front of your Tomcat instances?

I wouldn't know. Tomcat is running by itself, rather than under Apache (or anything else), using JSSE, rather than OpenSSL. Connector tag is:

Two other details (the first of which I hadn't known at the time of the initial query):

1. This particular Tomcat server has been running nonstop since June 5th.

2. Our webapp uses BIRT reports, and the customer has been having response time issues and error messages, particularly in connection with the BIRT reports.

--
JHHL
Re: Getting "Invalid message received with signature xxxxx" messages in catalina.out
James,

On 11/17/16 11:54 AM, James H. H. Lampert wrote:
> Ladies and Gentlemen:
>
> Got a customer box, Tomcat 7.0.47 running on an AS/400, and I'm
> getting a lot of
>> Nov 17, 2016 3:39:44 AM org.apache.coyote.ajp.AjpMessage
>> processHeader SEVERE: Invalid message received with signature
>> 18245
>
> with occasional
>> Nov 17, 2016 3:41:06 AM org.apache.coyote.ajp.AjpMessage
>> processHeader SEVERE: Invalid message received with signature
>> 18501
> mixed in.
>
> They're coming in clusters, about 3-4 within a minute or two,
> separated by anywhere from a few minutes to a few hours.
>
> I'm also seeing occasional clusters of
>> java.io.IOException: The requested resource is busy.
>
> The only contexts running are two instances of our own CRM
> front-end, along with manager and host-manager.
>
> I've never seen this before, and a Google search on the message
> seems to mainly return answers for a different Apache product.
>
> Can anybody tell me what it is I'm looking at?

Presumably, you have httpd out in front of your Tomcat instances?
Please check to see that these two configuration settings match each other:

httpd/mod_jk:
worker.name.max_packet_size=[some value]

(or for mod_proxy_ajp:
ProxyIOBufferSize [some value]
)

Tomcat: