Re: Trouble using SSL with Tomcat 9

2017-09-27 Thread Don Flinn
Thanks Chuck,

As is obvious, I'm not an experienced admin, but a developer.  I picked
another unused port, 447, and tried again.  I'm not running Tomcat as
root.  I want to get the self signed cert working before purchasing an SSL
certificate.

This WORKED.  Thanks for all the help.  Note that I just picked an unused
port at random, not knowing any better.  I'm sure that there is a more
sophisticated way to pick a port to use.  I'm guessing that if I have
Tomcat grab that port it will keep it while it is running.  But for now I'm
over-joyed,

Don

On Wed, Sep 27, 2017 at 1:24 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:

> > From: Don Flinn [mailto:fl...@alum.mit.edu]
> > Subject: Re: Trouble using SSL with Tomcat 9
>
> > I installed a new download of tomcat 9, established one application with
> > php/java bridge (need php and java access). Set the SSL port to an unused
> > port, 443, and ran my app whose only output is an H1 message.  This time I
> > get the expected error from Chrome with the red warning about bad
> > certificate.  However, the redirect went to https://localhost/Financial/
> > index.php - i.e. NO port number and of course drilling down couldn't find
> > my app which is at port 443, I believe.
>
> Port 443 is the standard HTTPS port, so it won't show up in the https: URL
> since it's the default.
>
> Unless you're running Tomcat as root (a very, very bad idea), you'll need
> to
> use iptables or equivalent to let Tomcat listen on port 443.
> https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>


RE: Trouble using SSL with Tomcat 9

2017-09-27 Thread Caldarale, Charles R
> From: Don Flinn [mailto:fl...@alum.mit.edu] 
> Subject: Re: Trouble using SSL with Tomcat 9

> I installed a new download of tomcat 9, established one application with
> php/java bridge (need php and java access). Set the SSL port to an unused
> port, 443, and ran my app whose only output is an H1 message.  This time I
> get the expected error from Chrome with the red warning about bad
> certificate.  However, the redirect went to https://localhost/Financial/
> index.php - i.e. NO port number and of course drilling down couldn't find
> my app which is at port 443, I believe.

Port 443 is the standard HTTPS port, so it won't show up in the https: URL
since it's the default.

Unless you're running Tomcat as root (a very, very bad idea), you'll need to
use iptables or equivalent to let Tomcat listen on port 443.
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

 - Chuck







Re: Trouble using SSL with Tomcat 9

2017-09-27 Thread Don Flinn
Hi Andre

I installed a new download of tomcat 9, established one application with
php/java bridge (need php and java access). Set the SSL port to an unused
port, 443, and ran my app whose only output is an H1 message.  This time I
get the expected error from Chrome with the red warning about bad
certificate.  However, the redirect went to https://localhost/Financial/
index.php - i.e. NO port number and of course drilling down couldn't find
my app which is at port 443, I believe.

Progress, but still no cigar.

The tomcat logs only showed a 302 -

0:0:0:0:0:0:0:1 - - [27/Sep/2017:05:08:12 -0400] "GET /Financials/index.php?XDEBUG_SESSION_START=netbeans-xdebug HTTP/1.1" 302 -

Don't know what my next step should be - any suggestions?  Your help to
this point has been great.  I greatly appreciate the help you are giving me.

Also, I'm sure you have seen, another user, John Ellis, is having somewhat
similar problems.


Don

On Mon, Sep 25, 2017 at 10:26 AM, André Warnier (tomcat) wrote:

> On 25.09.2017 15:57, Don Flinn wrote:
>
>> Andre,
>>
>> I've attached the output from netstat -a.  I see 8080 listening, but not
>> 8443.  I've also
>> attached the screen shot of the result of running my "protected"
>> application in Tomcat.
>>
>
> This list removes most attachments, so we did not get the screenshot.
> You have to post it to dropbox or so, for us to have a look.
>
> But you should definitely look in the tomcat logfiles (in the subdirectory
> inventively named "logs"), to see why it did not open port 8443 when
> supposedly told to do so.
>
>> As I mentioned, I have Norton Security and it shuts down Windows
>> firewall and runs
>> its own firewall.
>>
>
> Yes, but if port 8443 is not open and listening, that's a secondary
> consideration now. The first is why tomcat does not open that port.
>
> P.S. There are additional options to netstat, which will also print the
> name of the process which "owns" that port. Makes it easier to scan the
> list, because it will say
> "tomcat" next to the ones opened by tomcat.
>
>
>> Don

Re: Trouble using SSL with Tomcat 9

2017-09-25 Thread Don Flinn
I've put the log files, the jpg of the chrome page and the netstat -a -b in
Google Drive and sent you a link.

My application is somewhat complex and hopefully not the cause of the
problem.  It is composed of a large number of php and javascript files in
the Financials application, which includes the php/java bridge, which calls
into a java application called JFin in a number of places, which also has a
large number of java files.  The JFin jar is placed in the
webapps/Financials/WEB-INFO/lib directory along with a large number of
other jars, which are included in the java files.  All this runs fine under
Tomcat on port 8080.  The log files etc. that I sent are when I run
localhost:8080/Financials.  The log files capture the restart of Tomcat and
the run of the Financials application. I also have run it under debug in
NetBeans 8.2 and it never gets to the first line in Financials/index.php.

The logs capture Tomcat startup, then run as
localhost:8080/Financials.index.php
in chrome and then at 12:49 I ran it in netbeans debug.  The logs look ok
in the first two cases, but when run under netbeans the tomcat stderr gave
an error -

25-Sep-2017 12:56:18.251 INFO [http-nio-8080-exec-1] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:406)

I don't know what this means.  Is it a clue or is it an artifact of
NetBeans debug?  It didn't show up in the run directly from chrome.  I ran
it again at about 1:30pm directly from chrome and the error again didn't
show up.



So the

On Mon, Sep 25, 2017 at 10:26 AM, André Warnier (tomcat) wrote:

> On 25.09.2017 15:57, Don Flinn wrote:
>
>> Andre,
>>
>> I've attached the output from netstat -a.  I see 8080 listening, but not
>> 8443.  I've also
>> attached the screen shot of the result of running my "protected"
>> application in Tomcat.
>>
>
> This list removes most attachments, so we did not get the screenshot.
> You have to post it to dropbox or so, for us to have a look.
>
> But you should definitely look in the tomcat logfiles (in the subdirectory
> inventively named "logs"), to see why it did not open port 8443 when
> supposedly told to do so.
>
>> As I mentioned, I have Norton Security and it shuts down Windows
>> firewall and runs
>> its own firewall.
>>
>
> Yes, but if port 8443 is not open and listening, that's a secondary
> consideration now. The first is why tomcat does not open that port.
>
> P.S. There are additional options to netstat, which will also print the
> name of the process which "owns" that port. Makes it easier to scan the
> list, because it will say
> "tomcat" next to the ones opened by tomcat.
>
>
>> Don

Re: Trouble using SSL with Tomcat 9

2017-09-25 Thread tomcat

On 25.09.2017 15:57, Don Flinn wrote:

Andre,

I've attached the output from netstat -a.  I see 8080 listening, but not 8443.  I've also
attached the screen shot of the result of running my "protected" application in Tomcat.


This list removes most attachments, so we did not get the screenshot.
You have to post it to dropbox or so, for us to have a look.

But you should definitely look in the tomcat logfiles (in the subdirectory inventively 
named "logs"), to see why it did not open port 8443 when supposedly told to do so.



As I mentioned, I have Norton Security and it shuts down Windows firewall and runs
its own firewall.


Yes, but if port 8443 is not open and listening, that's a secondary consideration now. The 
first is why tomcat does not open that port.


P.S. There are additional options to netstat, which will also print the name of the
process which "owns" that port. Makes it easier to scan the list, because it will say
"tomcat" next to the ones opened by tomcat.



Don


Re: Trouble using SSL with Tomcat 9

2017-09-25 Thread Don Flinn
Andre,

I've attached the output from netstat -a.  I see 8080 listening, but not
8443.  I've also attached the screen shot of the result of running my
"protected" application in Tomcat.  As I mentioned, I have Norton
Security and it shuts down Windows firewall and runs its own firewall.

Don

On Sun, Sep 24, 2017 at 5:52 PM, André Warnier (tomcat) wrote:

> On 24.09.2017 16:08, Don Flinn wrote:
>
>> Andre,
>>
>> I apologize for not giving all my information. As you perceived, I'm
>> running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
>> suggested, using netstat and telnet I found that port 8443 is not open.
>> Looking further Windows firewall is controlled by Norton security.  I am
>> now trying to find out how to open ports in Norton security using the
>> Norton blog.
>>
>> Thank you for your help.  As is obvious, I'm a newbie in low level admin
>> work.  I'm hoping that when I get port 8443 open things will work.  I'll
>> let you know.
>>
> Maybe wait just a second more, before you go digging in the firewall.
> You say that you found out that "the port is not open".
> That is not the same thing as
> - the port /is/ open
> - but it cannot be connected to
> If netstat shows the port open and listening, but you cannot connect to it
> with telnet, it is probably a firewall issue.
> But if the port is not open, then it is a tomcat issue.
> Provided that you configured tomcat properly, the port should be open,
> firewall or no firewall. (A firewall can only block access by a client, to
> a server port that is open. It cannot prevent a server process to open that
> port for listening.)
> If it isn't open, the tomcat logs should tell you why.

Re: Trouble using SSL with Tomcat 9

2017-09-24 Thread tomcat

On 24.09.2017 16:08, Don Flinn wrote:

Andre,

I apologize for not giving all my information. As you perceived, I'm
running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
suggested, using netstat and telnet I found that port 8443 is not open.
Looking further Windows firewall is controlled by Norton security.  I am
now trying to find out how to open ports in Norton security using the
Norton blog.

Thank you for your help.  As is obvious, I'm a newbie in low level admin
work.  I'm hoping that when I get port 8443 open things will work.  I'll
let you know.


Maybe wait just a second more, before you go digging in the firewall.
You say that you found out that "the port is not open".
That is not the same thing as
- the port /is/ open
- but it cannot be connected to
If netstat shows the port open and listening, but you cannot connect to it with telnet, it 
is probably a firewall issue.

But if the port is not open, then it is a tomcat issue.
Provided that you configured tomcat properly, the port should be open, firewall or no 
firewall. (A firewall can only block access by a client, to a server port that is open. It 
cannot prevent a server process to open that port for listening.)

If it isn't open, the tomcat logs should tell you why.
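A scripted version of the two-step check laid out above (a TCP connection first; a TLS handshake only once that works), added here as an illustration and not code from the thread. The function names and the two constructed local listeners it tests itself against are this example's own; point classify_port at a real host and port to get the same verdicts for a Tomcat connector.

```python
"""Port probe that scripts the reasoning in the thread: first a plain TCP
connection, and only if that works, a TLS handshake. Added illustration;
verdict names are this example's own, not Tomcat's or the list's.

  refused      nothing listens on the port: Tomcat never opened it (case a)
  timeout      no reply to the connection attempt, the usual sign of a
               firewall dropping packets (case b)
  unreachable  some other socket error (no route, bad address, ...)
  tls          a TLS handshake completed: the HTTPS connector is up
  not-tls      something answered, but not with TLS (e.g. a plain HTTP
               connector), or it rejected the handshake
  silent       TCP connected, but nothing answered the ClientHello in time
"""
import socket
import ssl
import threading


def tcp_connect(host, port, timeout=3.0):
    """Step 1: a TCP connection must exist before any SSL dialog can start.
    Returns ('ok', connected socket) or (verdict, None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "ok", sock
    except ConnectionRefusedError:
        verdict = "refused"
    except socket.timeout:
        verdict = "timeout"
    except OSError:
        verdict = "unreachable"
    sock.close()
    return verdict, None


def classify_port(host, port, timeout=3.0):
    """Step 2: if TCP works, does the listener speak TLS? Certificate checks
    are disabled on purpose: a self-signed certificate is expected here and
    must not make an 'is anything listening' test fail."""
    verdict, sock = tcp_connect(host, port, timeout)
    if verdict != "ok":
        return verdict
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except socket.timeout:
        return "silent"
    except OSError:
        # A clear-text reply such as "HTTP/1.1 400 ..." is not a TLS record;
        # OpenSSL then raises ssl.SSLError (typically WRONG_VERSION_NUMBER).
        return "not-tls"


def _answer_in_clear_text(srv):
    """Constructed stand-in for a plain HTTP connector: accepts one connection,
    reads whatever arrives (here the probe's ClientHello) and replies in text."""
    conn, _ = srv.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
                     b"Connection: close\r\n\r\n")
    srv.close()


def demo():
    """Exercise the probe against two constructed local listeners (no Tomcat
    needed): a port nobody listens on, and a port that answers in clear text."""
    # Pick a free port and release it again, so nothing listens there.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    # A listener that talks plain HTTP, like Tomcat's 8080 connector.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    plain_port = srv.getsockname()[1]
    threading.Thread(target=_answer_in_clear_text, args=(srv,), daemon=True).start()
    return {
        "closed": classify_port("127.0.0.1", closed_port),
        "plain": classify_port("127.0.0.1", plain_port),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```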

Re: Trouble using SSL with Tomcat 9

2017-09-24 Thread Don Flinn
Andre,

I apologize for not giving all my information. As you perceived, I'm
running Windows. Other info, Windows 10, Tomcat 9, java 1.8.0_144.  As you
suggested, using netstat and telnet I found that port 8443 is not open.
Looking further Windows firewall is controlled by Norton security.  I am
now trying to find out how to open ports in Norton security using the
Norton blog.

Thank you for your help.  As is obvious, I'm a newbie in low level admin
work.  I'm hoping that when I get port 8443 open things will work.  I'll
let you know.

Don



On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) wrote:

> On 24.09.2017 02:36, Don Flinn wrote:
>
>> I'm trying to use a self signed certificate generated in keytool.  When I
>> run the application Chrome, Firefox and internet Explorer using
>> localhost:8080/ all the browsers do a redirect to localhost:8443
>> and
>> then return "This site can’t be reached. *localhost* refused to connect."
>> There is no red lined out protocol in any of the browsers.  All the Tomcat
>> logs show no errors or warnings.  I can access applications that are not
>> protected and tomcat itself.
>>
>
> I would suggest that you first re-read what you wrote above, line by line,
> and reflect quietly on what each line is telling you.
>
> 1) you say "localhost". That means that you are using a browser as client,
> on the same machine as the one which is running the server.
> 2) you also say that one of the browsers is IE.
> 3) (1) and (2) together imply that the host is a Windows server (and the
> client also of course).
> 4) you are not saying which version of Tomcat you are using, neither which
> version of Java, neither which version of Windows.  That makes helping you
> more complicated and time-consuming, and delays any help, because now we
> have to ask you, and you have to respond.
> 5) "refused to connect" : before any kind of SSL dialog can even take
> place, the browser must be able to establish a TCP connection to the
> host:port in question.
> "refused to connect" seems to indicate that this is not the case.
> 6) the logs do not show anything : that would seem to corroborate (5) :
> tomcat does not even see this connection. iow, there is no connection.
>
> There are several possible reasons for this.
> a) Tomcat never opens the port 8443 for listening on it.
> That can be checked, with tomcat running, with the "netstat" utility
> program, included in Windows. With the proper arguments (which I will leave
> to you as an exercise)(but "netstat -h" will help), netstat will show you
> on which ports tomcat is listening locally.  If this does not include a
> ":8443" port, then it is not listening on that port, and certainly the logs
> of tomcat will tell you why.
> b) tomcat does listen on port 8443, but something else is blocking access
> to that port.
> Then you probably have to check your local firewall settings (or whatever
> else in whatever version of Windows may be blocking connections to a port).
>
> Another quick way to check if tomcat (or anything) is listening on port
> 8443 (and/or something is blocking it) would be, in a command window, to
> run the following command :
> telnet localhost 8443
> (also with tomcat running)
> If it also tells you "no connection", then (a) or (b) above would be
> confirmed.
> If it connects, then you may get another message, due to the fact that it
> expects an SSL connection. (If it did not expect an SSL connection, you'd
> just get a blank page until you type something else).
> Obviously, access to tomcat's port 8080 is fine, so you can compare the
> responses above with what happens when you substitute 8080 for 8443.
>
> Once the above is really cleared up, then it may be worth looking at the
> rest of the information which you sent below.
>
>> If I set CONFIDENTIAL to NONE everything works with
>> localhost:8080.
>>
>> My SSL files in tomcat -
>>
>> *server.xml -*
>>
>> <Connector
>> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>> SSLEnabled="true" acceptCount="100" clientAuth="false"
>> disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>> port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>> secure="true" sslProtocol="TLS" clientAuth="false" />
>>
>> *web.xml -*
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Financials</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> *the output from my keystore  list -*
>>
>> C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
>> -list  -v -keystore c:/temp/mkeystore2.jks
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> Alias name: tomcat
>> Creation date: Sep 23, 2017
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>> Issuer: 

Re: Trouble using SSL with Tomcat 9

2017-09-24 Thread tomcat

On 24.09.2017 02:36, Don Flinn wrote:

I'm trying to use a self signed certificate generated in keytool.  When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/ all the browsers do a redirect to localhost:8443 and
then return "This site can't be reached. *Localhost* refused to connect."
There is no red lined out protocol in any of the browsers.  All the Tomcat
logs show no errors or warnings.  I can access applications that are not
protected and tomcat itself.


I would suggest that you first re-read what you wrote above, line by line, and reflect 
quietly on what each line is telling you.


1) you say "localhost". That means that you are using a browser as client, on the same 
machine as the one which is running the server.

2) you also say that one of the browsers is IE.
3) (1) and (2) together imply that the host is a Windows server (and the client also of 
course).
4) you are not saying which version of Tomcat you are using, neither which version of 
Java, neither which version of Windows.  That makes helping you more complicated and 
time-consuming, and delays any help, because now we have to ask you, and you have to respond.
5) "refused to connect" : before any kind of SSL dialog can even take place, the browser 
must be able to establish a TCP connection to the host:port in question.

"refused to connect" seems to indicate that this is not the case.
6) the logs do not show anything : that would seem to corroborate (5) : tomcat does not 
even see this connection. iow, there is no connection.


There are several possible reasons for this.
a) Tomcat never opens the port 8443 for listening on it.
That can be checked, with tomcat running, with the "netstat" utility program, included in 
Windows. With the proper arguments (which I will leave to you as an exercise)(but "netstat 
-h" will help), netstat will show you on which ports tomcat is listening locally.  If this 
does not include a ":8443" port, then it is not listening on that port, and certainly the 
logs of tomcat will tell you why.

b) tomcat does listen on port 8443, but something else is blocking access to 
that port.
Then you probably have to check your local firewall settings (or whatever else in whatever 
version of Windows may be blocking connections to a port).


Another quick way to check if tomcat (or anything) is listening on port 8443 (and/or 
something is blocking it) would be, in a command window, to run the following command :

telnet localhost 8443
(also with tomcat running)
If it also tells you "no connection", then (a) or (b) above would be confirmed.
If it connects, then you may get another message, due to the fact that it expects an SSL 
connection. (If it did not expect an SSL connection, you'd just get a blank page until you 
type something else).
Obviously, access to tomcat's port 8080 is fine, so you can compare the responses above 
with what happens when you substitute 8080 for 8443.


Once the above is really cleared up, then it may be worth looking at the rest of the 
information which you sent below.


 If I set 

CONFIDENTIAL to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />

*web.xml -*

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Financials</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

*the output from my keystore  list -*

C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
-list  -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
Certificate fingerprints:
  MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
  SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
  SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
  Signature algorithm name: SHA256withRSA
  Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n.
0010: BE 6F 4A 49.oJI
]
]

What am I doing wrong?  I want to get a self-signed keystore working before
I purchase a commercial 
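
The netstat/telnet check from the reply above, as one script. This is an added example, not code from the thread or the Tomcat project; it uses only the Python standard library, and its demo constructs its own local stand-ins (a port nothing listens on, a plain-text listener) so it runs offline. The real check is `diagnose("localhost", 8443)` with Tomcat running.

```python
"""Probe a host:port the way the reply suggests with netstat/telnet, in one script.

Verdicts map onto the diagnosis above: a refused TCP connect means nothing is
listening on the port or something blocks it (cases a/b); a TCP connect that is
answered in plain text means the port is not the TLS connector (how 8080 would
behave); a TLS handshake that fails only on certificate verification means the
connector is up and serving an untrusted certificate (the browser's red warning).
"""
import socket
import ssl
import threading


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def probe_tls(host, port, timeout=2.0):
    """Classify what an open port speaks, keeping certificate verification on.

    'tls-trusted'   handshake completed against the default trust store
    'tls-untrusted' the peer spoke TLS but its certificate did not verify
    'not-tls'       the peer answered in plain text or dropped the connection
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-trusted"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"
    except (ssl.SSLError, OSError):
        return "not-tls"


def diagnose(host, port):
    """TCP probe first; only an open port is worth a TLS probe."""
    verdict = probe_tcp(host, port)
    return verdict if verdict != "open" else probe_tls(host, port)


def _plain_text_listener(connections):
    """Constructed stand-in for a plain-HTTP port (what 8080 looks like).

    Answers each of `connections` clients with a plain-text HTTP status line,
    then exits. Returns the ephemeral loopback port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.recv(4096)  # a TLS ClientHello, or EOF from the TCP probe
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Probe two constructed local cases and return their verdicts by name."""
    # A port nothing listens on: reserve an ephemeral port, release it, probe it.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    plain_port = _plain_text_listener(connections=2)
    return {
        "closed_port": diagnose("127.0.0.1", closed_port),
        "plain_text_port": diagnose("127.0.0.1", plain_port),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    # The actual check from the thread, to be run with Tomcat started:
    print("localhost:8443:", diagnose("localhost", 8443))
```

A self-signed connector that is actually up reports `tls-untrusted`, which is the browser's certificate warning and a different problem from `refused`.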

Trouble using SSL with Tomcat 9

2017-09-23 Thread Don Flinn
I'm trying to use a self signed certificate generated in keytool.  When I
run the application Chrome, Firefox and internet Explorer using
localhost:8080/ all the browsers do a redirect to localhost:8443 and
then return "This site can't be reached. *Localhost* refused to connect."
There is no red lined out protocol in any of the browsers.  All the Tomcat
logs show no errors or warnings.  I can access applications that are not
protected and tomcat itself. If I set 
CONFIDENTIAL to NONE everything works with
localhost:8080.

My SSL files in tomcat -

*server.xml -*

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
secure="true" sslProtocol="TLS" clientAuth="false" />

*web.xml -*

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Financials</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

*the output from my keystore  list -*

C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe"
-list  -v -keystore c:/temp/mkeystore2.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 23, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 6b5fe428
Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
Certificate fingerprints:
 MD5:  11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
 SHA1: 63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
 SHA256:
4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
 Signature algorithm name: SHA256withRSA
 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 46 C9 48 D4 54 2A 54 CE   24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n.
0010: BE 6F 4A 49.oJI
]
]

What am I doing wrong?  I want to get a self-signed keystore working before
I purchase a commercial certificate.

Don


Re: Using SSL with Tomcat

2014-06-30 Thread Daniel Mikusa
On Fri, Jun 27, 2014 at 4:52 PM, Jerome A. Wendell jawend...@suddenlink.net
 wrote:

 From: Jerome A. Wendell [mailto:jawend...@suddenlink.net]
 Sent: Friday, June 27, 2014 4:48 PM
 To: 'Tomcat Users List'
 Subject: RE: Using SSL with Tomcat



 From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
 Sent: Friday, June 27, 2014 2:49 PM
 To: Tomcat Users List; jawend...@suddenlink.net
 Subject: Re: Using SSL with Tomcat



 On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell
 jawend...@suddenlink.net wrote:

  I am new to Tomcat, and just recently installed it as a container to
  run GeoServer.  Everything is running fine, but now I have been asked
  to setup GeoServer to run using SSL.  An EV Certificate is already
  installed on the server.

 Where does this exist?  What format is it in?  Keep in mind that when
 using Tomcat and the BIO (default) or NIO connectors, you'll need a
 keystore in either Java Keystore or PKCS12 format.

 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

  Based on the documentation the default port for running Tomcat
  using SSL is 8443.  I have configured the firewall to use port 8443,
  and edited the server.xml by removing the commenting from the
  following section:

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />

  I restarted Tomcat, but it is still not listening on port 8443.  Is
  there something else that I need to do to get Tomcat working on port
  8443?

 Did you check the logs?  It's possible that something failed with your SSL
 setup and so it's not listening on port 8443.  From your configuration, I'd
 guess that it's not able to find your keystore.  See the keystore*
 attributes here, specifically keystoreFile.

 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

 Dan

  I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

  Any suggestions are appreciated.

  Thanks,

  Jerome Wendell


 Daniel,

 In reviewing the documentation, since I am just using Tomcat as a
 container it seems that I should not have to implement SSL as shown below:

 Is there any additional configuration in Tomcat to operate as described
 above, or is all of the setup in Microsoft IIS?


If you want to have IIS (or another server like HTTP or Nginx) sit in front
of Tomcat then all of your SSL configuration would typically be done in
IIS.  This results in a request flow that looks like this...

   Client Browser -> HTTPS -> IIS -> HTTP or AJP -> Tomcat

I know nothing about IIS, so I can't comment on its setup (although I'm
sure others on the list can and certainly will help if needed).  Best I can
do is point you to the IIS docs for the Tomcat connector.  This shows how
to setup IIS so that it takes requests and forwards them via AJP to your
Tomcat server.

  http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Dan




 SSL and Tomcat

 It is important to note that configuring Tomcat to take advantage of
 secure sockets is usually only necessary when running it as a stand-alone
 web server. When running Tomcat primarily as a Servlet/JSP container behind
 another web server, such as Apache or Microsoft IIS, it is usually
 necessary to configure the primary web server to handle the SSL connections
 from users. Typically, this server will negotiate all SSL-related
 functionality, then pass on any requests destined for the Tomcat container
 only after decrypting those requests. Likewise, Tomcat will return
 cleartext responses, that will be encrypted before being returned to the
 user's browser. In this environment, Tomcat knows that communications
 between the primary web server and the client are taking place over a
 secure connection (because your application needs to be able to ask about
 this), but it does not participate in the encryption or decryption itself.

 Thanks,



 Jerome Wendell






RE: Using SSL with Tomcat

2014-06-30 Thread Jerome A. Wendell

-Original Message-
From: Daniel Mikusa [mailto:dmik...@gopivotal.com] 
Sent: Monday, June 30, 2014 8:37 AM
To: Tomcat Users List
Subject: Re: Using SSL with Tomcat

On Fri, Jun 27, 2014 at 4:52 PM, Jerome A. Wendell jawend...@suddenlink.net
 wrote:

 From: Jerome A. Wendell [mailto:jawend...@suddenlink.net]
 Sent: Friday, June 27, 2014 4:48 PM
 To: 'Tomcat Users List'
 Subject: RE: Using SSL with Tomcat



 From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
 Sent: Friday, June 27, 2014 2:49 PM
 To: Tomcat Users List; jawend...@suddenlink.net
 Subject: Re: Using SSL with Tomcat



 On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell
 jawend...@suddenlink.net wrote:

  I am new to Tomcat, and just recently installed it as a container to
  run GeoServer.  Everything is running fine, but now I have been asked
  to setup GeoServer to run using SSL.  An EV Certificate is already
  installed on the server.

 Where does this exist?  What format is it in?  Keep in mind that when
 using Tomcat and the BIO (default) or NIO connectors, you'll need a
 keystore in either Java Keystore or PKCS12 format.

 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

  Based on the documentation the default port for running Tomcat
  using SSL is 8443.  I have configured the firewall to use port 8443,
  and edited the server.xml by removing the commenting from the
  following section:

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />

  I restarted Tomcat, but it is still not listening on port 8443.  Is
  there something else that I need to do to get Tomcat working on port
  8443?

 Did you check the logs?  It's possible that something failed with your SSL
 setup and so it's not listening on port 8443.  From your configuration, I'd
 guess that it's not able to find your keystore.  See the keystore*
 attributes here, specifically keystoreFile.

 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

 Dan

  I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

  Any suggestions are appreciated.

  Thanks,

  Jerome Wendell




 Daniel,

 In reviewing the documentation, since I am just using Tomcat as a 
 container it seems that I should not have to implement SSL as shown below:

 Is there any additional configuration in Tomcat to operate as 
 described above, or is all of the setup in Microsoft IIS?


If you want to have IIS (or another server like HTTP or Nginx) sit in front of 
Tomcat then all of your SSL configuration would typically be done in IIS.  This 
results in a request flow that looks like this...

   Client Browser -> HTTPS -> IIS -> HTTP or AJP -> Tomcat

I know nothing about IIS, so I can't comment on its setup (although I'm sure 
others on the list can and certainly will help if needed).  Best I can do is 
point you to the IIS docs for the Tomcat connector.  This shows how to setup 
IIS so that it takes requests and forwards them via AJP to your Tomcat server.

  http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Dan

Dan,

Thank you very much for your reply and the information provided.  I will review 
the documentation and see what I need to do.

Thanks,

Jerome



 SSL and Tomcat

 It is important to note that configuring Tomcat to take advantage of 
 secure sockets is usually only necessary when running it as a 
 stand-alone web server. When running Tomcat primarily as a Servlet/JSP 
 container behind another web server, such as Apache or Microsoft IIS, 
 it is usually necessary to configure the primary web server to handle 
 the SSL connections from users. Typically, this server will negotiate 
 all SSL-related functionality, then pass on any requests destined for 
 the Tomcat container only after decrypting those requests. Likewise, 
 Tomcat will return cleartext responses, that will be encrypted before 
 being returned to the user's browser. In this environment, Tomcat 
 knows that communications between the primary web server and the 
 client are taking place over a secure connection (because your 
 application needs to be able to ask about this), but it does not participate 
 in the encryption or decryption itself.

 Thanks,



 Jerome Wendell






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Using SSL with Tomcat

2014-06-27 Thread Jerome A. Wendell
I am new to Tomcat, and just recently installed it as a container to run
GeoServer.  Everything is running fine, but now I have been asked to setup
GeoServer to run using SSL.  An EV Certificate is already installed on the
server.  Based on the documentation the default port for running Tomcat
using SSL is 8443.  I have configured the firewall to use port 8443, and
edited the server.xml by removing the commenting from the following section:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

I restarted Tomcat, but it is still not listening on port 8443.  Is there
something else that I need to do to get Tomcat working on port 8443?

I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

Any suggestions are appreciated.

Thanks,

Jerome Wendell


Re: Using SSL with Tomcat

2014-06-27 Thread Daniel Mikusa
On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell 
jawend...@suddenlink.net wrote:

 I am new to Tomcat, and just recently installed it as a container to run
 GeoServer.  Everything is running fine, but now I have been asked to setup
 GeoServer to run using SSL.  An EV Certificate is already installed on the
 server.


Where does this exist?  What format is it in?  Keep in mind that when using
Tomcat and the BIO (default) or NIO connectors, you'll need a keystore in
either Java Keystore or PKCS12 format.


http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

 Based on the documentation the default port for running Tomcat
 using SSL is 8443.  I have configured the firewall to use port 8443, and
 edited the server.xml by removing the commenting from the following
 section:

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" />

 I restarted Tomcat, but it is still not listening on port 8443.  Is there
 something else that I need to do to get Tomcat working on port 8443?


Did you check the logs?  It's possible that something failed with your SSL
setup and so it's not listening on port 8443.  From your configuration, I'd
guess that it's not able to find your keystore.  See the keystore*
attributes here, specifically keystoreFile.


http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

Dan

 I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

 Any suggestions are appreciated.

 Thanks,

 Jerome Wendell
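
A static pre-flight for the two things Dan asks about, as an added example that is not code from the thread or the Tomcat project: does each SSLEnabled Connector name a keystore that exists (`keystoreFile` on the Tomcat 7/8 BIO and NIO connectors, or `SSLHostConfig`/`Certificate` `certificateKeystoreFile` on later versions), and does every `redirectPort` point at an SSLEnabled connector, which is the shape of the "refused to connect" redirect in the Tomcat 9 thread above. The server.xml fragment is constructed; the keystore path and password in it are placeholders.

```python
"""Pre-flight check of Tomcat SSL connectors in server.xml.

Added example, not code from the thread or the Tomcat project. It does what the
reply above asks the poster to do by hand: confirm that every SSLEnabled
connector names a keystore Tomcat can find, and that every redirectPort points
at an SSLEnabled connector. Without keystoreFile (or an SSLHostConfig
Certificate) Tomcat falls back to ".keystore" in the home directory of the
user running it, which normally does not exist, and the connector never starts.
"""
import os
import xml.etree.ElementTree as ET

# Constructed server.xml fragment. The 8443 connector is the stock commented-out
# block from server.xml as posted, with no keystore attribute at all; the 8444
# connector names a keystore path that does not exist on this machine; the AJP
# connector redirects to a port no connector serves. Password is a placeholder.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="c:/temp/PLACEHOLDER-keystore.jks"
               keystorePass="PLACEHOLDER" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8446" />
  </Service>
</Server>
"""


def is_ssl_enabled(connector):
    """True when the Connector element carries SSLEnabled="true"."""
    return connector.get("SSLEnabled", "false").lower() == "true"


def keystore_paths(connector):
    """Every keystore file the connector refers to, in either Tomcat style."""
    paths = []
    if connector.get("keystoreFile"):
        paths.append(connector.get("keystoreFile"))
    for cert in connector.iter("Certificate"):  # Tomcat 8.5+/9 SSLHostConfig style
        if cert.get("certificateKeystoreFile"):
            paths.append(cert.get("certificateKeystoreFile"))
    return paths


def check_ssl_connectors(server_xml, catalina_base="."):
    """Map each SSLEnabled connector's port to a status string.

    'no-keystore-configured'  no keystoreFile and no SSLHostConfig/Certificate
    'keystore-missing'        a keystore is named but the file is not there
    'ok'                      every named keystore file exists
    """
    statuses = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ssl_enabled(conn):
            continue
        paths = keystore_paths(conn)
        if not paths:
            statuses[conn.get("port")] = "no-keystore-configured"
            continue
        # Relative paths resolve against $CATALINA_BASE, as Tomcat resolves them.
        resolved = [p if os.path.isabs(p) else os.path.join(catalina_base, p)
                    for p in paths]
        missing = [p for p in resolved if not os.path.isfile(p)]
        statuses[conn.get("port")] = "keystore-missing" if missing else "ok"
    return statuses


def dangling_redirects(server_xml):
    """(port, redirectPort) pairs whose redirectPort no SSLEnabled connector serves.

    A CONFIDENTIAL transport-guarantee sends the browser from the plain port to
    redirectPort; if nothing is configured there the browser can only report
    "refused to connect".
    """
    root = ET.fromstring(server_xml)
    ssl_ports = {c.get("port") for c in root.iter("Connector") if is_ssl_enabled(c)}
    return [(c.get("port"), c.get("redirectPort")) for c in root.iter("Connector")
            if c.get("redirectPort") and c.get("redirectPort") not in ssl_ports]


if __name__ == "__main__":
    for port, status in check_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(f"SSL connector on {port}: {status}")
    for port, target in dangling_redirects(SAMPLE_SERVER_XML):
        print(f"connector {port} redirects to {target}, which no SSL connector serves")
```

Run it against a real `conf/server.xml` with `catalina_base` set to the Tomcat install directory; a connector reported as `no-keystore-configured` or `keystore-missing` is the one whose startup error to look for in catalina.log.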






RE: Using SSL with Tomcat

2014-06-27 Thread Jerome A. Wendell

From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
Sent: Friday, June 27, 2014 2:49 PM
To: Tomcat Users List; jawend...@suddenlink.net
Subject: Re: Using SSL with Tomcat

On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell jawend...@suddenlink.net
wrote:

 I am new to Tomcat, and just recently installed it as a container to run
 GeoServer.  Everything is running fine, but now I have been asked to setup
 GeoServer to run using SSL.  An EV Certificate is already installed on the
 server.

Where does this exist?  What format is it in?  Keep in mind that when using
Tomcat and the BIO (default) or NIO connectors, you'll need a keystore in
either Java Keystore or PKCS12 format.

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

 Based on the documentation the default port for running Tomcat
 using SSL is 8443.  I have configured the firewall to use port 8443, and
 edited the server.xml by removing the commenting from the following section:

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" />

 I restarted Tomcat, but it is still not listening on port 8443.  Is there
 something else that I need to do to get Tomcat working on port 8443?

Did you check the logs?  It's possible that something failed with your SSL
setup and so it's not listening on port 8443.  From your configuration, I'd
guess that it's not able to find your keystore.  See the keystore* attributes
here, specifically keystoreFile.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

Dan

 I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

 Any suggestions are appreciated.

 Thanks,

 Jerome Wendell

Daniel,

Thank you very much for your reply.  I will check the logs and see if they show
anything.  I am not sure about the format, so I will have to look into that
also.

Thanks,

Jerome Wendell



RE: Using SSL with Tomcat

2014-06-27 Thread Jerome A. Wendell
From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
Sent: Friday, June 27, 2014 2:49 PM
To: Tomcat Users List; jawend...@suddenlink.net
Subject: Re: Using SSL with Tomcat

On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell jawend...@suddenlink.net
wrote:

 I am new to Tomcat, and just recently installed it as a container to
 run GeoServer.  Everything is running fine, but now I have been asked
 to setup GeoServer to run using SSL.  An EV Certificate is already
 installed on the server.

Where does this exist?  What format is it in?  Keep in mind that when using
Tomcat and the BIO (default) or NIO connectors, you'll need a keystore in
either Java Keystore or PKCS12 format.

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

 Based on the documentation the default port for running Tomcat
 using SSL is 8443.  I have configured the firewall to use port 8443,
 and edited the server.xml by removing the commenting from the
 following section:

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" />

 I restarted Tomcat, but it is still not listening on port 8443.  Is
 there something else that I need to do to get Tomcat working on port 8443?

Did you check the logs?  It's possible that something failed with your SSL
setup and so it's not listening on port 8443.  From your configuration, I'd
guess that it's not able to find your keystore.  See the keystore*
attributes here, specifically keystoreFile.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

Dan

 I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

 Any suggestions are appreciated.

 Thanks,

 Jerome Wendell

Daniel,

In reviewing the documentation, since I am just using Tomcat as a container it
seems that I should not have to implement SSL as shown below:

Is there any additional configuration in Tomcat to operate as described above,
or is all of the setup in Microsoft IIS?

Thanks,

Jerome Wendell


RE: Using SSL with Tomcat

2014-06-27 Thread Jerome A. Wendell
From: Jerome A. Wendell [mailto:jawend...@suddenlink.net]
Sent: Friday, June 27, 2014 4:48 PM
To: 'Tomcat Users List'
Subject: RE: Using SSL with Tomcat

From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
Sent: Friday, June 27, 2014 2:49 PM
To: Tomcat Users List; jawend...@suddenlink.net
Subject: Re: Using SSL with Tomcat

On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell jawend...@suddenlink.net
wrote:

 I am new to Tomcat, and just recently installed it as a container to
 run GeoServer.  Everything is running fine, but now I have been asked
 to setup GeoServer to run using SSL.  An EV Certificate is already
 installed on the server.

Where does this exist?  What format is it in?  Keep in mind that when using
Tomcat and the BIO (default) or NIO connectors, you'll need a keystore in
either Java Keystore or PKCS12 format.

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

 Based on the documentation the default port for running Tomcat
 using SSL is 8443.  I have configured the firewall to use port 8443,
 and edited the server.xml by removing the commenting from the
 following section:

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" />

 I restarted Tomcat, but it is still not listening on port 8443.  Is
 there something else that I need to do to get Tomcat working on port 8443?

Did you check the logs?  It's possible that something failed with your SSL
setup and so it's not listening on port 8443.  From your configuration, I'd
guess that it's not able to find your keystore.  See the keystore*
attributes here, specifically keystoreFile.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

Dan

 I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

 Any suggestions are appreciated.

 Thanks,

 Jerome Wendell

Daniel,

In reviewing the documentation, since I am just using Tomcat as a container it
seems that I should not have to implement SSL as shown below:

Is there any additional configuration in Tomcat to operate as described above,
or is all of the setup in Microsoft IIS?

Thanks,

Jerome Wendell

Sorry, I did not realize the image would not come through.  The section of the
documentation that I was referring to is below:

SSL and Tomcat

It is important to note that configuring Tomcat to take advantage of secure
sockets is usually only necessary when running it as a stand-alone web server.
When running Tomcat primarily as a Servlet/JSP container behind another web
server, such as Apache or Microsoft IIS, it is usually necessary to configure
the primary web server to handle the SSL connections from users. Typically,
this server will negotiate all SSL-related functionality, then pass on any
requests destined for the Tomcat container only after decrypting those
requests. Likewise, Tomcat will return cleartext responses, that will be
encrypted before being returned to the user's browser. In this environment,
Tomcat knows that communications between the primary web server and the client
are taking place over a secure connection (because your application needs to be
able to ask about this), but it does not participate in the encryption or
decryption itself.

Thanks,

Jerome Wendell



RE: Memory leak in using SSL with Tomcat 6.0.18 - Solved

2010-08-05 Thread B. Balakrishna Rao
The problem with memory leak using Tomcat 6.0.18 with SSL+JSSE is solved.
I have implemented native SSL(using Apache APR) instead of JSSE SSL and the 
problem went away.
Thanks for your help on this.

Please note that the memory leak with SSL+JSSE still exists on Tomcat 
version 6.0.29.

Thanks,
Bala.

-Original Message-
From: B. Balakrishna Rao 
Sent: Thursday, August 05, 2010 10:17 AM
To: Tomcat Users List
Subject: RE: Memory leak in using SSL with Tomcat 6.0.18

Hi Chris,

Attached is the image for incoming references for 
com.sun.net.ssl.internal.ssl.SSLSocketImpl objects.
Please let me know if you want any further details.

Thanks,


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, August 04, 2010 10:14 PM
To: Tomcat Users List
Subject: Re: Memory leak in using SSL with Tomcat 6.0.18


B.,

On 8/4/2010 10:19 AM, B. Balakrishna Rao wrote:
 Please note that, the 2,996 count is on production environment.
 The counts 7 and 10 are on my local environment.

Ok.

 Below is the procedure I am following on my local environment to test this:
 
 Log in - do some operations - log out.
 I am calling session.invalidate() method upon log out.

Whether you log out or not shouldn't have anything to do with these objects 
staying around.

 After that, I am taking the heap dump. Eclipse Memory Analyzer tool 
 will do a full GC before it produce the results. Hence, 
 com.sun.net.ssl.internal.ssl.SSLSocketImpl should be GCed??

Most likely.

Since you're using a profiler, can you show us what the stack trace is of the 
code that created the SSLSocketImpl objects?

- -chris


DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Ltd. does not accept any liability for virus infected mails.


RE: Memory leak in using SSL with Tomcat 6.0.18 - Solved

2010-08-05 Thread Sarath Babu Polavarapu
Good Work Bala.

-Original Message-
From: B. Balakrishna Rao [mailto:balakrishna_...@persistent.co.in] 
Sent: Thursday, August 05, 2010 5:29 PM
To: Tomcat Users List
Subject: RE: Memory leak in using SSL with Tomcat 6.0.18 - Solved

The problem with memory leak using Tomcat 6.0.18 with SSL+JSSE is solved.
I have implemented native SSL(using Apache APR) instead of JSSE SSL and the 
problem went away.
Thanks for your help on this.

Please note that the memory leak with SSL+JSSE still exists on Tomcat 
version 6.0.29.

Thanks,
Bala.

-Original Message-
From: B. Balakrishna Rao 
Sent: Thursday, August 05, 2010 10:17 AM
To: Tomcat Users List
Subject: RE: Memory leak in using SSL with Tomcat 6.0.18

Hi Chris,

Attached is the image for incoming references for 
com.sun.net.ssl.internal.ssl.SSLSocketImpl objects.
Please let me know if you want any further details.

Thanks,


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, August 04, 2010 10:14 PM
To: Tomcat Users List
Subject: Re: Memory leak in using SSL with Tomcat 6.0.18


B.,

On 8/4/2010 10:19 AM, B. Balakrishna Rao wrote:
 Please note that, the 2,996 count is on production environment.
 The counts 7 and 10 are on my local environment.

Ok.

 Below is the procedure I am following on my local environment to test this:
 
 Log in - do some operations - log out.
 I am calling session.invalidate() method upon log out.

Whether you log out or not shouldn't have anything to do with these objects 
staying around.

 After that, I am taking the heap dump. Eclipse Memory Analyzer tool 
 will do a full GC before it produce the results. Hence, 
 com.sun.net.ssl.internal.ssl.SSLSocketImpl should be GCed??

Most likely.

Since you're using a profiler, can you show us what the stack trace is of the 
code that created the SSLSocketImpl objects?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxZmNEACgkQ9CaO5/Lv0PA3DwCdEpwgPIclWBmmlfM+wD5VX0w4
YPIAn2P5+aVG9u8UswVYPEd5ctXh2jO1
=kV3t
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Ltd. does not accept any liability for virus infected mails.



Re: Memory leak in using SSL with Tomcat 6.0.18

2010-08-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

B.,

On 8/5/2010 12:46 AM, B. Balakrishna Rao wrote:
 Attached is the image for incoming references for
 com.sun.net.ssl.internal.ssl.SSLSocketImpl objects. Please let me
 know if you want any further details.

This list strips attachments.

Glad that you've solved your issue, though it's troubling that your use
of the JSSE resulted in an apparent leak of SSLSocketImpl classes.

Next time you run across an issue, please try to provide a few shreds of
information so we can actually help you.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxa3BkACgkQ9CaO5/Lv0PBlbgCdHsIMMWQAMZv3JrQ/Lt+ojwrB
KQ0AoIj9qRRCCCeaWVRI3nINdmvRVb2y
=yQLn
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread Mark Thomas
On 04/08/2010 10:49, B. Balakrishna Rao wrote:
 Hi,
 
 We are using Tomcat 6.0.18 on a Linux environment (Red Hat Linux) for our 
 production.
 We have enabled SSL by deploying SSL certificates. We observed that, over a 
 period of time, the memory consumption is increasing and we are facing 
 serious performance issues.
 I have taken a heap dump and analyzed it using Eclipse Memory Analyzer. 
 What I found was that com.sun.net.ssl.internal.ssl.SSLSocketImpl 
 objects are never garbage collected.
 The leak report by Memory Analyzer is as follows:
 2,996 instances of com.sun.net.ssl.internal.ssl.SSLSocketImpl, loaded by 
 system class loader occupy 219,843,760 (62.76%) bytes
 Upon drilling down, these objects are being held by the finalizer.
 I have found the following similar link:
 http://forums.sun.com/thread.jspa?threadID=5266266
 
 Can anybody tell me if there are any known memory leak issues with Tomcat 
 6.0.18? I read somewhere that the memory leak issue with SSL was fixed in 
 6.0.20.

Have you tried reading the changelog?

Mark






Re: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread Mark Thomas
On 04/08/2010 11:54, B. Balakrishna Rao wrote:
 Hi Mark,
 
 Thanks for your reply.
 I tried reading the change log. It appears that in Tomcat 6.0.20 there is a 
 fix related to a memory leak using SSL.
 What I am wondering is whether this is an issue with Tomcat 6.0.18 or an 
 issue with my application. 
 Can you confirm whether a memory leak issue similar to my problem exists in 
 using SSL with Tomcat 6.0.18 on Linux? It would help me focus on upgrading 
 Tomcat in my production.
 Please let me know if you need any further details about my environment.

I'm pretty sure the fix you are referring to was fixed in 6.0.21, not
6.0.20.

I suggest you read the bug report and compare the details there to what
you are seeing to determine if they are the same.

Mark






RE: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread B. Balakrishna Rao
Hi Mark,

I am trying to apply the patch that is available for the fix below:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47744#c2

However, after giving the below command, putty simply hangs.

patch sslsession-memory-fix.patch

I am using Red hat Linux with Apache Tomcat 6.0.18.
Another issue: Do I need to update the tomcat-coyote.jar along with this patch?
Please refer to the text below from the above link:
 "If you apply the patch, update tomcat-coyote.jar."

Can you help me on this please?

Thanks,
Bala.






Re: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread Mark Thomas
On 04/08/2010 13:40, B. Balakrishna Rao wrote:
 Hi Mark,
 
 I am trying to apply the patch that is available for the fix below:
 https://issues.apache.org/bugzilla/show_bug.cgi?id=47744#c2

Why? What makes you think that is the problem you are seeing?

 However, after giving the below command, putty simply hangs.
 
 patch sslsession-memory-fix.patch

Impossible to comment given the lack of context information provided.

 I am using Red hat Linux with Apache Tomcat 6.0.18. 
 Another issue: Do I need to update the tomcat-coyote.jar along with this 
 patch?
 Please refer to the text below from the above link:
  "If you apply the patch, update tomcat-coyote.jar."
 
 Can you help me on this please?

Given your difficulties in applying patch, I suspect you will have
difficulties building the source too. Assuming this patch fixes the
issue you are seeing (and I have yet to see any evidence that it will)
why not just use a binary that already includes the fix?

Mark






RE: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread B. Balakrishna Rao
Hi Mark,

I have implemented your suggestion. I have deployed my application in Tomcat 
6.0.29 under the same environment as Tomcat 6.0.18 (test environment).

After performing similar operations on both Tomcat versions one after 
another, I have taken heap dumps from both versions.
What I observed is: the number of com.sun.net.ssl.internal.ssl.SSLSocketImpl 
objects is 10 in Tomcat 6.0.18 and 7 in Tomcat 6.0.29.
I can't say that the issue is fixed :(

Well, I am attaching my original mail on this issue for your reference.

We are using Tomcat 6.0.18 on a Linux environment (Red Hat Linux) for our 
production.
We have enabled SSL by deploying SSL certificates. We observed that, over a 
period of time, the memory consumption is increasing and we are facing serious 
performance issues.
I have taken a heap dump and analyzed it using Eclipse Memory Analyzer. What I 
found was that com.sun.net.ssl.internal.ssl.SSLSocketImpl objects are never 
garbage collected.
The leak report by Memory Analyzer is as follows:
2,996 instances of com.sun.net.ssl.internal.ssl.SSLSocketImpl, loaded by 
system class loader occupy 219,843,760 (62.76%) bytes
Upon drilling down, these objects are being held by the finalizer.
I have found the following similar link:
http://forums.sun.com/thread.jspa?threadID=5266266

Can anybody tell me if there are any known memory leak issues with Tomcat 
6.0.18? I read somewhere that the memory leak issue with SSL was fixed in 
6.0.20.

Balakrishna Rao | Senior Software Engineer | Persistent Systems
balakrishna_...@persistent.co.in  | Cell: +91 9704373579 | Tel: +91 (40) 
30875030
Innovation in software product design, development and delivery- 
www.persistentsys.com




Re: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 8/4/2010 10:06 AM, B. Balakrishna Rao wrote:
 I have implemented your suggestion. I have deployed my application 
 in Tomcat 6.0.29 under the same environment as Tomcat
 6.0.18 (test environment).
 
 After performing similar operations on both Tomcat versions one 
 after another, I have taken heap dumps from both versions. What I
 observed is: the number of com.sun.net.ssl.internal.ssl.SSLSocketImpl
 objects is 10 in Tomcat 6.0.18 and 7 in Tomcat 6.0.29.

 I can't say that the issue is fixed :(

Neither of these object counts seem unreasonable. Both are much better
than the original report of nearly 3000 object instances.

What is maxThreads set to? I would imagine that there would be a number
SSLSocketImpl objects around for each current connection, plus some that
hadn't yet been GC'd.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxZdVUACgkQ9CaO5/Lv0PAPVgCgljnlorFrcO3FYLY6otoUErxh
M+0Anjo11qs18M5XLOOzQTQlJ5RF/xwY
=iAZ5
-END PGP SIGNATURE-

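To make the count-versus-maxThreads reasoning in the reply above concrete, here is an added example that is not code from the thread or from Tomcat: a POSIX shell script that reads the output of `jmap -histo:live <pid>` (the `:live` option forces a full GC first, so only reachable objects are counted, much like the MAT report in the thread), looks up a per-connection class, and compares its live count with the connector's maxThreads. The histogram files it writes are constructed from the numbers quoted in the thread; the maxThreads value of 150 and the "at most one live SSLSocketImpl per worker thread after a full GC" rule of thumb are assumptions made for the example, not a Tomcat guarantee.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the output of
#   jmap -histo:live <pid>
# (":live" forces a full GC first, so only reachable objects are counted, like
# the MAT report in the thread) and checks a per-connection class against the
# connector's maxThreads. Sample histograms below are constructed from the
# counts quoted in the thread; maxThreads=150 is an assumed value.

# jmap -histo columns: "num: #instances #bytes class-name".
# Print "<instances> <bytes>" for the class named exactly $2 (empty if absent).
histo_count() {
    file=$1 class=$2
    awk -v cls="$class" '$1 ~ /^[0-9]+:$/ && $4 == cls { print $2, $3; exit }' "$file"
}

# Rule of thumb used here (an assumption, not a Tomcat guarantee): after a
# full GC, a blocking connector should hold at most about one SSLSocketImpl per
# worker thread. More live instances than maxThreads means something is
# retaining sockets after the request finished.
leak_verdict() {
    file=$1 class=$2 maxthreads=$3
    set -- $(histo_count "$file" "$class")
    instances=${1:-0}
    if [ "$instances" -gt "$maxthreads" ]; then
        echo SUSPECT
    else
        echo OK
    fi
}

# Growth of one class between two histograms taken from the same JVM
# (e.g. before and after a soak test); a steadily positive delta is the leak
# signature, a flat one is just pool steady state.
histo_delta() {
    before=$1 after=$2 class=$3
    set -- $(histo_count "$before" "$class")
    b=${1:-0}
    set -- $(histo_count "$after" "$class")
    a=${1:-0}
    echo $((a - b))
}

# Constructed sample input in jmap -histo format (numbers from the thread).
write_samples() {
    dir=$1
    cat >"$dir/prod.histo" <<'EOF'
 num     #instances         #bytes  class name
----------------------------------------------
   1:          2996      219843760  com.sun.net.ssl.internal.ssl.SSLSocketImpl
   2:         18345        2201400  java.lang.String
EOF
    cat >"$dir/local.histo" <<'EOF'
 num     #instances         #bytes  class name
----------------------------------------------
   1:         18345        2201400  java.lang.String
   2:            10          733790  com.sun.net.ssl.internal.ssl.SSLSocketImpl
EOF
}

# Stand-alone run: sh histo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    cls=com.sun.net.ssl.internal.ssl.SSLSocketImpl
    echo "production: $(histo_count "$d/prod.histo" $cls) -> $(leak_verdict "$d/prod.histo" $cls 150)"
    echo "local:      $(histo_count "$d/local.histo" $cls) -> $(leak_verdict "$d/local.histo" $cls 150)"
    rm -rf "$d"
fi
```

Against a real server, replace the constructed files with two `jmap -histo:live` captures taken some hours apart under load: a count that sits near or below maxThreads and does not grow is the steady state the reply describes, while a count that climbs past the thread pool after every full GC is what the 2,996-instance report looked like.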



RE: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread B. Balakrishna Rao
Hi Chris,

Please note that the 2,996 count is on the production environment.
The counts 7 and 10 are on my local environment.

Below is the procedure I am following on my local environment to test this:

Log in - do some operations - log out.
I am calling the session.invalidate() method upon log out. After that, I am taking 
the heap dump. The Eclipse Memory Analyzer tool will do a full GC before it produces 
the results. Hence, com.sun.net.ssl.internal.ssl.SSLSocketImpl should be GCed??


Thanks,
Bala.




Re: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

B.,

On 8/4/2010 10:19 AM, B. Balakrishna Rao wrote:
 Please note that the 2,996 count is on the production environment.
 The counts 7 and 10 are on my local environment.

Ok.

 Below is the procedure I am following on my local environment to test this:
 
 Log in - do some operations - log out.
 I am calling the session.invalidate() method upon log out.

Whether you log out or not shouldn't have anything to do with these
objects staying around.

 After that, I am taking the heap dump. The Eclipse Memory Analyzer tool
 will do a full GC before it produces the results. Hence, 
 com.sun.net.ssl.internal.ssl.SSLSocketImpl should be GCed??

Most likely.

Since you're using a profiler, can you show us what the stack trace is
of the code that created the SSLSocketImpl objects?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxZmNEACgkQ9CaO5/Lv0PA3DwCdEpwgPIclWBmmlfM+wD5VX0w4
YPIAn2P5+aVG9u8UswVYPEd5ctXh2jO1
=kV3t
-END PGP SIGNATURE-




RE: Memory leak in using SSL with Tomcat 6.0.18

2010-08-04 Thread B. Balakrishna Rao
Hi Chris,

Attached is the image for incoming references for 
com.sun.net.ssl.internal.ssl.SSLSocketImpl objects.
Please let me know if you want any further details.

Thanks,



using SSL in tomcat

2010-02-16 Thread syskarthik

I need to use the existing Private Key & Certificate generated for a wildcard
sub-domain like *.maindomain.com in Tomcat. May I know the steps to import
the key & certificate into the keystore so that Tomcat can use it for secure
mode operation.





Re: using SSL in tomcat

2010-02-16 Thread Mark Thomas
On 16/02/2010 11:30, syskarthik wrote:
 
 I need to use the existing Private Key & Certificate generated for a wildcard
 sub-domain like *.maindomain.com in Tomcat. May I know the steps to import
 the key & certificate into the keystore so that Tomcat can use it for secure
 mode operation.

Tomcat version?
Java version?
key format?
certificate format?
keystore type?
Tomcat connector (BIO/NIO/APR)?

http://catb.org/~esr/faqs/smart-questions.html






help using SSL with Tomcat error no server.pem?

2006-04-14 Thread Jana Nguyen
Hi there,

I posted some days ago about not being able to connect to Tomcat with SSL
on port 8443, but did not get any response.

I am running Tomcat 5.5 on RH Linux as user 'tomcat', I'm trying to
get tomcat to run on a secure port 8443 instead of 8080.  I
uncommented the SSL HTTP/1.1 Connector entry in
$CATALINA_HOME/conf/server.xml and generated a host certificate as
user 'tomcat' :

%keytool -genkey -alias tomcat -keyalg RSA

The .keystore file got generated in the tomcat home
dir at /export/home/tomcat.  After that I restarted the Tomcat
container and pointed my browser to:

https://hostname:8443

I get the error "unable to connect to server".

In catalina.out file, error:

Apr 14, 2006 2:49:36 PM
org.apache.tomcat.util.net.puretls.PureTLSSocketFactory init
INFO: Error initializing SocketFactory
java.io.FileNotFoundException: server.pem (No such file or directory)

This is what the SSL section of my server.xml file looks like:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Any help would be appreciated!




Re: help using SSL with Tomcat error no server.pem?

2006-04-14 Thread Bill Barker
You are using the PureTLS flavor of the SSL Connector.  This one expects 
something closer to an OpenSSL style keystore (which defaults to 
'server.pem' if not specified) with the private key and cert PEM encoded in 
the same text file.  In particular, it doesn't use a JKS keystore.

Assuming that you meant to use PureTLS, you should consult the PureTLS docs 
for more information on what it needs.  It seems that the PureTLS examples 
got left out of the TC 5 docs.  There is some documentation at 
http://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html#s6, that while 
it's for Tomcat 3, the configuration attributes are the same as for TC 5 
(since TC 5 PureTLS support is a port of the TC 3 version :).  In 
particular, it's 'clientauth' not 'clientAuth'.

If you meant to use JSSE, then either remove the PureTLS jar from the 
classpath, or (e.g. if it's an installed extension needed for other apps) add 
the attribute to your <Connector /> tag:
   sSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
which will override Tomcat's preference for PureTLS if found.  Even so, you 
need to go back and read 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html since from below you 
haven't finished setting up your keystore.

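Neither the wildcard-certificate question nor the PureTLS/server.pem thread above got past the question stage, so here is an added example that is not code from either poster or from Tomcat. It is a POSIX shell script that turns an existing PEM private key and certificate for a name such as *.maindomain.com into a PKCS#12 keystore (with an optional JKS conversion) for the JSSE connector, reads the certificate subject back so you can confirm what was imported before deploying it, and prints a JSSE Connector element carrying the keystoreFile, keystorePass and keystoreType attributes the PureTLS-flavoured connector above never had, plus the sSLImplementation attribute named in the reply. Having openssl and the JDK's keytool on PATH, the alias "tomcat", the file names and the passwords are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from either thread. Puts an existing PEM private key
# and certificate (the wildcard-cert question) into a keystore Tomcat's JSSE
# connector can read, verifies it, and prints the connector element with the
# keystore attributes the PureTLS thread's connector was missing.
# Assumptions: openssl and the JDK's keytool are on PATH; file names, the
# alias "tomcat" and the passwords are illustrative.

set -eu

# PEM key + cert (+ optional CA chain file) -> PKCS#12 keystore.
# The alias (-name) is what keytool and Tomcat see as the key entry name.
pem_to_pkcs12() {
    key=$1 cert=$2 out=$3 pass=$4 chain=${5:-}
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -out "$out" -passout "pass:$pass"
    fi
}

# PKCS#12 -> JKS, for Tomcat/JDK combinations that only read JKS. Needs keytool.
pkcs12_to_jks() {
    p12=$1 jks=$2 pass=$3
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$pass" -noprompt
}

# Subject of the end-entity certificate inside the PKCS#12 file, so the caller
# can confirm the wildcard name (e.g. *.maindomain.com) before deploying.
pkcs12_subject() {
    p12=$1 pass=$2
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# JSSE connector for server.xml. Without keystoreFile/keystorePass Tomcat 5.5
# looks for ~/.keystore with password "changeit"; sSLImplementation is the
# attribute named in the reply above for forcing JSSE over PureTLS.
connector_xml() {
    ks=$1 pass=$2 type=$3
    cat <<EOF
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           keystoreFile="$ks" keystorePass="$pass" keystoreType="$type" />
EOF
}

# Stand-alone run: sh keystore.sh key.pem cert.pem [chain.pem]
if [ $# -ge 2 ]; then
    pem_to_pkcs12 "$1" "$2" tomcat.p12 changeit "${3:-}"
    echo "keystore holds: $(pkcs12_subject tomcat.p12 changeit)"
    connector_xml "${CATALINA_HOME:-/opt/tomcat}/conf/tomcat.p12" changeit PKCS12
fi
```

Keep the keystore readable only by the account Tomcat runs as, and treat keystorePass in server.xml as a secret: it is only as protected as the file permissions on conf/server.xml.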