Re: very basic question about apache and tomcat
On 19.09.2012 23:31, Mead, Jen L wrote:

Hi Everybody,

Now I will show my real ignorance about what I know after NOT working with Apache or Tomcat for several years now. I have been working on a project that allows our CGI web pages to authenticate users from their windows desktop against Windows AD and not requiring any kind of unix account. I am slowly getting the information I need to move forward but information is just not out there to get. I am just chipping away at it.

My basic question is: do I need to install apache as well as tomcat to have an httpd.conf file? I have tomcat running on several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed. I was doing a simple search to find the httpd.conf file when I realized none of my servers have it installed. When I try to find out which app creates it I get the answer apache (from google searches). So I guess that tomcat is a subset of apache? A virtual java app I suppose? See I told you the questions were basic. Yikes it is hard to understand as a newbie, especially when I can load tomcat and get web pages working in a few minutes. LOL

Any help is appreciated in regard to helping me wrap my brain around this. ARGH

Regards, Jen

Jen L Mead | Sys Admin | ICC Operations | Con-way | Office 503-450-8641
SAFETY | LEADERSHIP | INTEGRITY | COMMITMENT | EXCELLENCE | Driven by Integrity

Hi Jen,

basic answer: Apache HTTPD and Apache Tomcat have generally nothing in common. They are totally different. The httpd.conf is the main configuration file for the Apache HTTPD Webserver. It comes with the installation of an Apache HTTPD Webserver and is located in apache_home/conf/httpd.conf. Tomcat neither generates nor reads this file.

Bye
Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Updating Tomcat-Server from Version 6.0.16 to 7.0.30
Pid wrote:

Try the latest 6.0.x first, then if your app is fine, try 7.0.x. Things changed in 6 that sometimes catch people out.

Okay, thank you! My problem is: I don't know anything about the behaviour of the applications/webservices which the tomcat 6.0.16 is running at the moment. So I am not able to determine whether everything works fine or not after a change to tomcat 7. At least till some users start complaining :D.

But my own Web-Project doesn't run under 6.0.16. Therefore I had to upgrade to version 7.0.x. I did it this morning and till now everything went well. I hope this lasts.

Best regards
Andi
Re: exploiting tomcat vulnerability with example
On 09/19/2012 07:55 PM, Pid * wrote:

On 19 Sep 2012, at 13:20, Daniel Mikusa dmik...@vmware.com wrote:

On Sep 19, 2012, at 5:02 AM, Ragini wrote:

Hi all,

For my research work I want to have different attacking scenarios which exploit vulnerabilities of JAVA based applications. These java applications can be just any web-application, desktop application or any other. For this, I was thinking to exploit vulnerabilities of tomcat itself (because it is in java). I went through different vulnerabilities of different versions of tomcat on apache tomcat's official site. They have provided information about what the vulnerability is and what its consequences are. But I am looking for some real time example by which I can exhibit the exploitation of tomcat’s vulnerability. The version of the tomcat can be just any. I would like to try vulnerabilities like authentication bypass, information disclosure or some other which really compromises the security.

Try looking at Metasploit.

+1

p

Dan

Could anybody please suggest some source where I can get step by step information about exploiting tomcat’s vulnerability with example? It would be nice if the example web application used for exploitation is also in java. I would really appreciate any kind of help regarding this.

Thanks.
Richa.

Thanks Dan..Metasploit sounds really good...
Setting JVM Parameters in Windows Service for Tomcat7
Hi,

I want to set JVM Parameters in a Windows Service (Windows7) for Tomcat7 (7.0.30).

The documentation says that this could be done by calling tomcat7 //US//Tomcat7 ... This method works, but it is not practicable for our production environment, because these settings are stored in the registry.

Is it possible to specify these parameters in setenv.bat or somewhere else? When I start tomcat with catalina.bat run the setenv.bat is read. But when I start tomcat as a windows service the setenv.bat is ignored.

Matthias
Re: Setting JVM Parameters in Windows Service for Tomcat7
On 20.09.2012 11:41, Matthias Müller wrote:

The documentation says that this could be done by calling tomcat7 //US//Tomcat7 ... This method works, but it is not practicable for our production environment, because these settings are stored in the registry.

Is it possible to specify these parameters in setenv.bat or somewhere else? When I start tomcat with catalina.bat run the setenv.bat is read. But when I start tomcat as a windows service the setenv.bat is ignored.

There's a helper application (tomcat.exe or tomcatw.exe, I always forget which one is which) located in the bin folder. You can specify service properties there.

--
Mikolaj Rydzewski m...@ceti.pl
Re: Best practices for upgrading Tomcat on Windows?
On 19 September 2012 23:58, Christopher Schultz ch...@christopherschultz.net wrote:

David,

On 9/19/12 4:32 PM, David A. Rush wrote:

Is there a set of best practices documented anywhere for upgrading Tomcat on Windows? I run Tomcat as a Windows service on several machines. I can, and have many times, completely removed Tomcat and reinstalled a new version, but there's probably a better way, particularly for minor version updates (such as 7.0.x to 7.0.x+n).

I've developed a standard way of setting up Tomcat that's used across multiple machines, but it doesn't lend itself well to upgrades. I don't use the Windows installer, but rather make bulk copies of the Tomcat code and use the service installer script, somewhat modified for our peculiarities.

For minor version updates, should I be able to stop the Tomcat windows service, copy any customized files such as server.xml and catalina.properties and setenv.bat, copy new code over old code, copy the customized files back, and start the service again?

There are no hard-and-fast rules for what will and won't change with a Tomcat release, even at the minor-revision level. Tomcat itself doesn't offer any upgrade options -- just separate installs. Honestly, I think that works out quite well, since it encourages you to install multiple versions side-by-side which makes roll-backs quite easy: if the latest version has some bug that scuttles your project, you can just uninstall the upgrade and go back to business as usual.

IMO, the best way to upgrade Tomcat is to use a catalina.base which is distinct from catalina.home. Read the README.txt file that comes with Tomcat to see how that's done.

Once you are comfortable with that, upgrading to a new version of Tomcat is as simple as doing a diff between your customized server.xml (and catalina.properties, if you end up customizing that for whatever reason) and the new stock server.xml from the latest Tomcat and merging-in whatever is new, switching the catalina.base parameter to your service and restarting Tomcat. Switching back is the opposite procedure.

I would recommend this technique to anyone using Tomcat, whether they are running on Microsoft Windows or not.

+1

In addition if you want to be ultra cautious or you replicate the install repeatedly: Store the bin/setenv.(bat|sh) and conf/ directories in some form of version control (limit to what is appropriate for your environment).

e.g. I have a 'production base config' which:

(a) Configures Tomcat for logging using logback (including access logs)
(b) Configures Tomcat server.xml to use a specific set of connectors and specifies the ports via properties in catalina.properties.
(c) Configures Tomcat web.xml for production usage (settings as per Tomcat JSP documentation optimised for production).
(d) Configures the Manager and host applications (via a custom context.xml) with IP valve and user id's as specified.
(e) Configures JMX so the JMX listener is on a specific set of ports (specified in catalina.properties).
(f) Could potentially configure clustering here in the same way.

A lot of this is likely specific to my environments but it goes a long way to automating a base setup that is production ready - yet can still be remotely debugged (with caveats) if absolutely necessary

-chris

--
Best Regards,
Brett Delle Grazie
Re: Setting JVM Parameters in Windows Service for Tomcat7
Hi Matthias,

Mikolaj is right, you can set the tomcat and java properties by running tomcatw.exe (%CATALINA_HOME%\bin).

Hope this helps
Jean-Louis

-Matthias Müller mm4...@googlemail.com wrote: -
To: users@tomcat.apache.org
From: Matthias Müller mm4...@googlemail.com
Date: 20/09/2012 11:57
Subject: Setting JVM Parameters in Windows Service for Tomcat7

Hi,

I want to set JVM Parameters in a Windows Service (Windows7) for Tomcat7 (7.0.30).

The documentation says that this could be done by calling tomcat7 //US//Tomcat7 ... This method works, but it is not practicable for our production environment, because these settings are stored in the registry.

Is it possible to specify these parameters in setenv.bat or somewhere else? When I start tomcat with catalina.bat run the setenv.bat is read. But when I start tomcat as a windows service the setenv.bat is ignored.

Matthias
Re: Setting JVM Parameters in Windows Service for Tomcat7
The documentation says that this could be done by calling tomcat7 //US//Tomcat7 ... This method works, but it is not practicable for our production environment, because these settings are stored in the registry.

Matthias - can you please elaborate on exactly what "it is not practicable for our production environment" means?

Thanks
Chris
Re: ajp_ilink_receive error - please advise
On Sep 19, 2012, at 5:38 PM, Django Radonich-Camp wrote:

hello.

we are running an application on tomcat and experiencing intermittent periods where the application is non-responsive and thus non-functional. the general set up is apache and tomcat, with mod_proxy_ajp as the connector (specific details and configs below).

during these events, the primary apache error log shows the following:

1. (104)Connection reset by peer: ajp_ilink_receive() can't receive header
2. (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header

it looks like error #1 repeats for a while and then error #2 repeats for a while.

at the same time in the application specific apache error log (as specified in the vhost set up for app) we see the following errors repeated (though in mixed order from below):

3. [error] ajp_read_header: ajp_ilink_receive failed
4. [error] (120006)APR does not understand this error code: proxy: read response failed from (null) (localhost)
5. [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:8009 (localhost)
6. [error] [client X.X.X.X] proxy: error processing end

and occasionally:

7. [error] proxy: read zero bytes, expecting 464 bytes

the catalina.out log registers nothing during the time period the application is unresponsive.

a couple of other things to note:

- these events are coming under light to no load as far as i can tell.
- these events last from about 5 to 30 minutes and then everything works again as expected with no manual intervention.
- the time of day for the events is not consistent.
- these events initially occurred rarely, but over the last month have ramped up to daily.

any suggestions on how to fix or further troubleshoot this problem? and thanks in advance for the help.

Here are a couple additional troubleshooting steps you can take on your Tomcat instances...

1.) Enable garbage collection logging. Look for any full GC's.
2.) Take some thread dumps during an incident. Look for blocking.

Dan

below please find more information on versions and configs... let me know if more info is needed.

    OS Name:        Linux (ubuntu 10.04.4)
    OS Version:     2.6.32-31-server
    Architecture:   amd64
    JVM Version:    1.6.0_32-b05
    JVM Vendor:     Sun Microsystems Inc.
    Server version: Apache Tomcat/6.0.24
    apache:         Apache/2.2.14

MPM configs START--

    <IfModule mpm_prefork_module>
        StartServers 5
        MinSpareServers 5
        MaxSpareServers 10
        MaxClients 26
        MaxRequestsPerChild 1000
    </IfModule>

END

balancer conf START--

    <Proxy balancer://mysite_balancer*>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPassMatch ^/(.+.cf[cm])(.*)?$ balancer://mysite_balancer/irised/client stickysession=JSESSIONID|jsessionid
    ProxyPassReverseCookiePath /irised /
    <Proxy balancer://mysite_balancer>
        BalancerMember ajp://localhost:8009 route=www1 retry=5
    </Proxy>

END

connector xml START--

    <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" connectionTimeout="2" redirectPort="8443" />

END
Re: Setting JVM Parameters in Windows Service for Tomcat7
Hi Matthias,

I sent a question out a few days ago that I could *not* get the JVM Parameters set via the command-line using //US//. Can you give me an example of the syntax that worked for you? I'm just looking to set the min/max heap sizes.

Thanks
Pat

On Sep 20, 2012, at 5:41 AM, Matthias Müller wrote:

Hi,

I want to set JVM Parameters in a Windows Service (Windows7) for Tomcat7 (7.0.30).

The documentation says that this could be done by calling tomcat7 //US//Tomcat7 ... This method works, but it is not practicable for our production environment, because these settings are stored in the registry.

Is it possible to specify these parameters in setenv.bat or somewhere else? When I start tomcat with catalina.bat run the setenv.bat is read. But when I start tomcat as a windows service the setenv.bat is ignored.

Matthias
Re: Setting JVM Parameters in Windows Service for Tomcat7
On 20.09.2012 14:49, Patrick Flaherty wrote:

I sent a question out a few days ago that I could *not* get the JVM Parameters set via the command-line using //US//. Can you give me an example of the syntax that worked for you ? I'm just looking to set the min/max heap sizes.

http://commons.apache.org/daemon/procrun.html

Syntax is not so easy to use. The easiest way is to use tomcatw.exe - unless you have to use CLI.

--
Mikolaj Rydzewski m...@ceti.pl
Re: Setting JVM Parameters in Windows Service for Tomcat7
On 20 September 2012 13:53, Mikolaj Rydzewski m...@ceti.pl wrote:

On 20.09.2012 14:49, Patrick Flaherty wrote:

I sent a question out a few days ago that I could *not* get the JVM Parameters set via the command-line using //US//. Can you give me an example of the syntax that worked for you ? I'm just looking to set the min/max heap sizes.

http://commons.apache.org/daemon/procrun.html

Syntax is not so easy to use. The easiest way is to use tomcatw.exe - unless you have to use CLI.

http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

The default service name is 'Tomcat7' so presuming %CATALINA_HOME% represents the tomcat home directory:

Note that for updating the service via command line you need to use tomcat7.exe not tomcat7w.exe, so to increase your default heap size from 256 to 512 Mb you would use:

    %CATALINA_HOME%/bin/tomcat7.exe //US//Tomcat7 --JvmMx=512

--
Mikolaj Rydzewski m...@ceti.pl

--
Best Regards,
Brett Delle Grazie
Re: Setting JVM Parameters in Windows Service for Tomcat7
On Sep 20, 2012, at 9:25 AM, Brett Delle Grazie wrote:

On 20 September 2012 13:53, Mikolaj Rydzewski m...@ceti.pl wrote:

On 20.09.2012 14:49, Patrick Flaherty wrote:

I sent a question out a few days ago that I could *not* get the JVM Parameters set via the command-line using //US//. Can you give me an example of the syntax that worked for you ? I'm just looking to set the min/max heap sizes.

http://commons.apache.org/daemon/procrun.html

Syntax is not so easy to use. The easiest way is to use tomcatw.exe - unless you have to use CLI.

http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

The default service name is 'Tomcat7' so presuming %CATALINA_HOME% represents the tomcat home directory:

Note that for updating the service via command line you need to use tomcat7.exe not tomcat7w.exe, so to increase your default heap size from 256 to 512 Mb you would use:

    %CATALINA_HOME%/bin/tomcat7.exe //US//Tomcat7 --JvmMx=512

Hi Mikolaj,

Have you tried this and gotten it to work ? My check to see if it took has been to open tomcatw.exe and check the values there. No matter what I've tried I cannot get it to take.

Thanks
Pat

--
Mikolaj Rydzewski m...@ceti.pl

--
Best Regards,
Brett Delle Grazie
Installer info
We have an application to install that involves deployment of wars to /webapps/. Before installation, I need to verify some things about the version of tomcat installed.

Is there a method or command I can call to get the tomcat major version and minor version? Is there any additional info that I can query that may be helpful that an installer would need to know?

thanks
J.V.
Re: Installer info
On Sep 20, 2012, at 10:05 AM, J.V. wrote:

We have an application to install that involves deployment of wars to /webapps/. Before installation, I need to verify some things about the version of tomcat installed.

Would bin/version.sh|bat work?

    $ ./bin/version.sh
    Using CATALINA_BASE:   /Users/danielmikusa/Development/servers/apache-tomcat-7.0.29
    Using CATALINA_HOME:   /Users/danielmikusa/Development/servers/apache-tomcat-7.0.29
    Using CATALINA_TMPDIR: /Users/danielmikusa/Development/servers/apache-tomcat-7.0.29/temp
    Using JRE_HOME:        /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
    Using CLASSPATH:       /Users/danielmikusa/Development/servers/apache-tomcat-7.0.29/bin/bootstrap.jar:/Users/danielmikusa/Development/servers/apache-tomcat-7.0.29/bin/tomcat-juli.jar
    Server version: Apache Tomcat/7.0.29
    Server built:   Jul 3 2012 11:31:52
    Server number:  7.0.29.0
    OS Name:        Mac OS X
    OS Version:     10.7.4
    Architecture:   x86_64
    JVM Version:    1.6.0_35-b10-428-11M3811
    JVM Vendor:     Apple Inc.

Dan

is there a method or command I can call to get the tomcat major version and minor version? Is there any additional info that I can query that may be helpful that an installer would need to know?

thanks
J.V.
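
An installer-side check built on the version.sh output shown in the reply above, added here as an illustration and not taken from the thread: it extracts the "Server number" line and compares it component by component against a minimum version. The class name and the 7.0.30 minimum are assumptions; the sample text is copied from the output quoted above.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TomcatVersionCheck {

    // Matches e.g. "Server number:  7.0.29.0" on its own line of version.sh output.
    private static final Pattern SERVER_NUMBER =
            Pattern.compile("^Server number:[ \\t]*(\\d+(?:\\.\\d+)*)[ \\t]*$", Pattern.MULTILINE);

    /** Returns the numeric components of the "Server number" line, major first. */
    static int[] parseServerNumber(String versionOutput) {
        Matcher m = SERVER_NUMBER.matcher(versionOutput);
        if (!m.find()) {
            throw new IllegalArgumentException("no 'Server number:' line in version output");
        }
        String[] parts = m.group(1).split("\\.");
        int[] version = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            version[i] = Integer.parseInt(parts[i]);
        }
        return version;
    }

    /**
     * Numeric comparison, padding the shorter version with zeros.
     * Comparing the strings instead would rank "7.0.9" above "7.0.30".
     */
    static boolean atLeast(int[] actual, int[] minimum) {
        int n = Math.max(actual.length, minimum.length);
        for (int i = 0; i < n; i++) {
            int a = i < actual.length ? actual[i] : 0;
            int b = i < minimum.length ? minimum[i] : 0;
            if (a != b) {
                return a > b;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Sample input: lines from the version.sh output quoted in the reply above.
        String sample =
                "Server version: Apache Tomcat/7.0.29\n"
              + "Server built:   Jul 3 2012 11:31:52\n"
              + "Server number:  7.0.29.0\n"
              + "OS Name:        Mac OS X\n"
              + "JVM Version:    1.6.0_35-b10-428-11M3811\n";

        int[] found = parseServerNumber(sample);
        int[] required = {7, 0, 30};   // assumed minimum, chosen only for the example

        System.out.println("major=" + found[0] + " minor=" + found[1]);
        if (!atLeast(found, required)) {
            System.out.println("installed Tomcat is older than the required minimum; refusing to deploy");
        }
    }
}
```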
Re: Setting JVM Parameters in Windows Service for Tomcat7
On 20.09.2012 15:59, Patrick Flaherty wrote:

Have you tried this and gotten it to work ? My check to see if it took has been to open tomcatw.exe and check the values there. No matter what I've tried I cannot get it to take.

Yes, it works for me in both ways (either via CLI or GUI). In fact I use an ant script to modify service parameters (please forgive broken lines):

    <target name="update-tomcat-service">
        <exec executable="${root}\\bin\\tomcat6.exe" dir="${root}\\bin">
            <arg line="//US//Tomcat6 --Startup=auto --JvmMs ${tomcat.memory.size} --JvmMx ${tomcat.memory.size} --StartPath &quot;${root}&quot; --JvmOptions -Dcom.sun.management.jmxremote;-verbose:gc;-XX:-DisableExplicitGC;-XX:+PrintGCTimeStamps;-XX:+PrintGCDetails;-Xloggc:logs\gc.log;-XX:+HeapDumpOnOutOfMemoryError;-XX:HeapDumpPath=logs;-XX:+UseConcMarkSweepGC;-XX:+UseParNewGC;-XX:+CMSClassUnloadingEnabled;-XX:MaxPermSize=256m"/>
        </exec>
    </target>

--
Mikolaj Rydzewski m...@ceti.pl
Re: configured truststore ignored by tomcat
Dan,

On 9/19/12 10:33 AM, Daniel Mikusa wrote:

On Sep 19, 2012, at 2:40 AM, marco_strull...@swissre.com wrote:

Hi all,

I have a tomcat 6.0.35 that needs to connect to a remote server using https, so it is acting as a https client: it means that tomcat must have the remote server certificate installed. The ideal solution I found is to configure the truststore in the server.xml. Please see the following:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="keystore/keystore.p12" keystoreType="pkcs12" keystorePass="password"
               truststoreFile="keystore/truststore.p12" truststoreType="pkcs12" truststorePass="password"
               clientAuth="optional" sslProtocol="TLS" />

So, I configured the truststore and the server.xml.

This will configure the keystore / truststore used by the Connector. It does not configure the keystore / truststore used by the JVM for making HTTPS client requests.

+1

After restarting tomcat I got an ssl exception

    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Enabling the property javax.net.debug I could see that tomcat is simply ignoring the truststore I configured. Let me add that I tried also with no luck to change the truststore format to jks. I add also that the remote server cert is inside the truststore since I can see it with keytool.

Do you know why? What else could I check?

See explanation above. Here is an example. The trick is to set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties.

http://www.exampledepot.com/egs/javax.net.ssl/client.html

or you could disable validation altogether. Not something you'd want to do for a production site though.

http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Better yet, configure the library (httpclient?) directly to use the truststore of your choosing: there's no need to set the trust store for the entire JVM (also, it makes your application more configurable IMO).

-chris
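
The last suggestion in the message above, scoping a truststore to one outbound HTTPS client instead of setting javax.net.ssl.trustStore for the whole JVM, sketched with the JDK's own HttpsURLConnection as an added example (not code from the thread). The class name, the TRUSTSTORE_PASS environment variable and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class ScopedTrustStoreClient {

    /** Loads the store and fails early if it came back empty. */
    static KeyStore loadTrustStore(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);   // e.g. "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        if (store.size() == 0) {
            // An empty store only surfaces later as an obscure handshake error.
            throw new KeyStoreException("truststore " + path + " loaded but has no entries");
        }
        return store;
    }

    /** Builds a TLS context whose only trust anchors come from the given store. */
    static SSLContext contextTrustingOnly(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client key, default SecureRandom
        return ctx;
    }

    /** Issues one request; only this connection uses the custom context. */
    static int fetchStatus(String url, SSLContext ctx) throws IOException {
        if (!url.startsWith("https://")) {
            throw new IllegalArgumentException("expected an https:// URL");
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the JDK default; it is not relaxed here.
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("TRUSTSTORE_PASS");   // assumed variable name
        if (args.length != 3 || pass == null) {
            System.err.println("usage: TRUSTSTORE_PASS=... java ScopedTrustStoreClient "
                    + "<truststore-path> <JKS|PKCS12> <https-url>");
            System.exit(2);
        }
        KeyStore trustStore = loadTrustStore(args[0], args[1], pass.toCharArray());
        try {
            System.out.println("HTTP " + fetchStatus(args[2], contextTrustingOnly(trustStore)));
        } catch (SSLHandshakeException e) {
            // Same failure class as the "PKIX path building failed" error quoted above.
            System.err.println("server chain not trusted by " + args[0] + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Other connections in the same JVM, including Tomcat's own connectors, keep their existing trust configuration because nothing global is changed.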
Re: Proxy Support in tomcat 7
Vijay,

On 9/20/12 1:36 AM, Vijay Kumar wrote:

Hi all, I have a scenario where I don't want to contact from my application to a web-service using https.

So you want to avoid using the HTTPS protocol?

I don't want to change firewall details and want to enable 443 port.

...but you want to use port 443? Well, if you don't want HTTPS on port 443, then you can configure an HTTP connector for port 443 and use that. You will confuse a lot of clients that way, though.

Is there any way that can configure a proxy and can handle this scenario.

What would the proxy do? Re-route port 80 to port 443? Why not just bind to port 443?

-chris
Re: very basic question about apache and tomcat
Jeff,

On 9/19/12 7:38 PM, Jeff wrote:

I have a related question since we recently implemented authentication to AD via LDAP in our Tomcat WebApp but it currently prompts the user for every new session, even if they are hitting the site from their windows workstation that is already authenticated to the domain. Is there a way to do it that detects the user's current AD session and eliminates the need to prompt them, preferably browser (Chrome/FF/IE) independent? If so, it would be great!

I believe this is possible, but you need your browser to be complicit by sending your Kerberos token(s). I have no idea how to do that, but I believe others on the list (André? Warnier) have done such things.

-chris
Re: Updating Tomcat-Server from Version 6.0.16 to 7.0.30
Andreas,

On 9/20/12 2:57 AM, Andreas Stadelmeier wrote:

Pid wrote:

Try the latest 6.0.x first, then if your app is fine, try 7.0.x. Things changed in 6 that sometimes catch people out.

Okay, thank you! My problem is: I don't know anything about the behaviour of the applications/webservices which the tomcat 6.0.16 is running at the moment. So I am not able to determine whether everything works fine or not after a change to tomcat 7. At least till some users start complaining :D.

So you don't have any kind of testing procedure before rolling-out to production? Yikes!

When switching between major version numbers, I generally install the latest Tomcat version in development and run like that for several months before planning an upgrade in production. We have several full rounds of testing before anything like that gets upgraded in production. The plan is less stringent when updating point-releases. We do the same thing with major JVM upgrades.

But my own Web-Project doesn't run under 6.0.16. Therefore I had to upgrade to version 7.0.x. I did it this morning and till now everything went well. I hope this lasts.

Me too! yum update service tomcat restart cross_fingers is not a great upgrade procedure.

-chris
mod_jk/1.2.32 - Error connecting to Tomcat only on one page
Hello all,

English is not my native language, please excuse typing errors.

I met a problem which I do not manage to explain...

My environment (one server) :

Server version : Apache Tomcat/5.5.26
Server built : Jan 28 2008 01:35:23
Server number : 5.5.26.0
OS Name : Linux (Red Hat Enterprise Linux Server release 5.2 (Tikanga))
OS Version : 2.6.18-92.el5
Architecture : i386
JVM Version : 1.6.0_06-b02
JVM Vendor : Sun Microsystems Inc.
Web server version : Apache/2.2.21 (Unix) mod_jk/1.2.32

The web server communicates with the application server by AJP/13, module mod_jk.

My configuration :

Server.xml :

[...]
<!-- Define an AJP 1.3 Connector on port 8011 -->
<Connector port="8011" enableLookups="false" redirectPort="8443" debug="0" maxThreads="600" keepAlive="true" backlog="8192" minSpareThreads="25" maxSpareThreads="250" connectionTimeout="60" protocol="AJP/1.3" />
[...]

worker.properties :

# define worker
worker.list=ajp13
# Set properties for ajp13 = tomcat
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8011
worker.ajp13.connection_pool_size=1200
worker.ajp13.connection_pool_timeout=600
worker.ajp13.socket_keepalive=true
worker.ajp13.socket_timeout=600

My VirtualHost :

[...]
JkMount /* ajp13
[...]

Usually, it works correctly, but sometimes, only on certain pages, the worker can't connect to Tomcat. In my log files, I have :

mod_jk.log :

[...]
[Wed Sep 19 19:23:05 2012][2923:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:21 2012][2956:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:27 2012][1941:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:27 2012][2917:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:28 2012][1821:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:29 2012][2906:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[...]
[Wed Sep 19 19:27:11 2012][2926:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[...]

VirtualHost log file :

[...]
ipuser1 - - [19/Sep/2012:19:26:06 +0200] GET /page1 HTTP/1.1 200 49467 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 162574
ipuser1 - - [19/Sep/2012:19:26:21 +0200] GET /page2 HTTP/1.1 500 21 http://servername/page1; Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 104361
ipuser1 - - [19/Sep/2012:19:26:26 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 105824
ipuser1 - - [19/Sep/2012:19:26:27 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 105062
ipuser1 - - [19/Sep/2012:19:26:28 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 106297
ipuser1 - - [19/Sep/2012:19:26:29 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 105792
ipuser1 - - [19/Sep/2012:19:26:30 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 104940
[...]
ipuser1 - - [19/Sep/2012:19:27:08 +0200] GET /page1 HTTP/1.1 200 49095 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 352904
ipuser1 - - [19/Sep/2012:19:27:11 +0200] GET /page2 HTTP/1.1 500 21 http://servername/page1; Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 105703
ipuser1 - - [19/Sep/2012:19:27:17 +0200] GET /page3 HTTP/1.1 200 8882 http://servername/page1; Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) 411922
[...]
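Added example, not part of the original message: a Python sketch that lines up the two log excerpts above, counting per URL how many 500 responses fall within one second of a mod_jk "connecting to tomcat failed" entry. The sample lines are constructed after the excerpts (user-agent shortened), and it is an assumption that both logs are written in the same local time zone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpts above (user-agent shortened).
MOD_JK_LOG = """\
[Wed Sep 19 19:23:05 2012][2923:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:21 2012][2956:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:27 2012][1941:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:27 2012][2917:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:28 2012][1821:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:26:29 2012][2906:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
[Wed Sep 19 19:27:11 2012][2926:47030846901328] [error] ajp_service::jk_ajp_common.c (2626): (ajp13) connecting to tomcat failed.
"""
ACCESS_LOG = """\
ipuser1 - - [19/Sep/2012:19:26:06 +0200] GET /page1 HTTP/1.1 200 49467 - Mozilla/4.0 (compatible; MSIE 7.0) 162574
ipuser1 - - [19/Sep/2012:19:26:21 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 104361
ipuser1 - - [19/Sep/2012:19:26:26 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 105824
ipuser1 - - [19/Sep/2012:19:26:27 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 105062
ipuser1 - - [19/Sep/2012:19:26:28 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 106297
ipuser1 - - [19/Sep/2012:19:26:29 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 105792
ipuser1 - - [19/Sep/2012:19:26:30 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 104940
ipuser1 - - [19/Sep/2012:19:27:08 +0200] GET /page1 HTTP/1.1 200 49095 - Mozilla/4.0 (compatible; MSIE 7.0) 352904
ipuser1 - - [19/Sep/2012:19:27:11 +0200] GET /page2 HTTP/1.1 500 21 - Mozilla/4.0 (compatible; MSIE 7.0) 105703
ipuser1 - - [19/Sep/2012:19:27:17 +0200] GET /page3 HTTP/1.1 200 8882 - Mozilla/4.0 (compatible; MSIE 7.0) 411922
"""

# mod_jk error line: [timestamp][pid:tid] [error] ... connecting to tomcat failed.
JK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\d+:\d+\] \[error\] .*connecting to tomcat failed")
# Access log line; the quotes around the request are optional because the
# excerpt above lost them.
ACCESS_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "?(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"? '
    r"(?P<status>\d{3}) ")


def jk_failures(text):
    """Timestamps (naive local time) of every backend connect failure."""
    times = []
    for line in text.splitlines():
        m = JK_RE.match(line)
        if m:
            times.append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
    return times


def access_entries(text):
    """Yield (timestamp, path, status) for every parsable access-log line."""
    for line in text.splitlines():
        m = ACCESS_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            # Drop the offset: mod_jk logs local time without one (assumption:
            # both logs use the same zone).
            yield ts.replace(tzinfo=None), m["path"], int(m["status"])


def correlate(access_text, jk_text, window_s=1):
    """Per-path request/500 counts plus how many 500s have a mod_jk connect
    failure within window_s seconds. Also returns the number of mod_jk
    failures that match no 500 in the access log."""
    window = timedelta(seconds=window_s)
    failures = jk_failures(jk_text)
    stats = defaultdict(
        lambda: {"requests": 0, "http_500": 0, "with_jk_failure": 0})
    explained = set()
    for ts, path, status in access_entries(access_text):
        row = stats[path]
        row["requests"] += 1
        if status != 500:
            continue
        row["http_500"] += 1
        near = [i for i, f in enumerate(failures) if abs(f - ts) <= window]
        if near:
            row["with_jk_failure"] += 1
            explained.update(near)
    return dict(stats), len(failures) - len(explained)


if __name__ == "__main__":
    per_path, unmatched = correlate(ACCESS_LOG, MOD_JK_LOG)
    for path, row in sorted(per_path.items()):
        print(path, row)
    print("mod_jk failures without a matching 500:", unmatched)
```

A 500 that coincides with a connect failure was produced by the httpd/mod_jk layer rather than by the application; a URL whose 500s never coincide with one points at the application instead.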
Re: Setting JVM Parameters in Windows Service for Tomcat7
Hi Mikolaj,

Is this a Windows platform ?

-Pat

On Sep 20, 2012, at 10:16 AM, Mikolaj Rydzewski wrote:

> On 20.09.2012 15:59, Patrick Flaherty wrote:
>> Have you tried this and gotten it to work ? My check to see if it took has been to open tomcatw.exe and check the values there. No matter what I've tried I cannot get it to take.
>
> Yes, it works for me in both ways (either via CLI or GUI). In fact I use ant script to modify service parameters (please forgive broken lines):
>
> <target name="update-tomcat-service">
>   <exec executable="${root}\\bin\\tomcat6.exe" dir="${root}\\bin">
>     <arg line="//US//Tomcat6 --Startup=auto --JvmMs ${tomcat.memory.size} --JvmMx ${tomcat.memory.size} --StartPath &quot;${root}&quot; --JvmOptions -Dcom.sun.management.jmxremote;-verbose:gc;-XX:-DisableExplicitGC;-XX:+PrintGCTimeStamps;-XX:+PrintGCDetails;-Xloggc:logs\gc.log;-XX:+HeapDumpOnOutOfMemoryError;-XX:HeapDumpPath=logs;-XX:+UseConcMarkSweepGC;-XX:+UseParNewGC;-XX:+CMSClassUnloadingEnabled;-XX:MaxPermSize=256m"/>
>   </exec>
> </target>
>
> --
> Mikolaj Rydzewski m...@ceti.pl
Re: Setting JVM Parameters in Windows Service for Tomcat7
On 20.09.2012 16:39, Patrick Flaherty wrote:
> Is this a Windows platform ?

Looking at the path I suppose so :-)

${root}\\bin\\tomcat6.exe

--
Mikolaj Rydzewski m...@ceti.pl
RE: very basic question about apache and tomcat
Hi Chris,

I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways.

Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.

If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it and I am not a java person nor have I touched this stuff in a very long time. I was doing strictly unix admin work until a few months ago. That doesn't mean I won't hack and experiment, I have a sandbox here at work that I can do anything on to get this configuration figured out.

Thanks in advance and happy to be working with you!

Jen

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, September 19, 2012 4:07 PM
To: Tomcat Users List
Subject: Re: very basic question about apache and tomcat

Jen,

On 9/19/12 5:52 PM, Mead, Jen L wrote:
> That was very insightful. All the documentation that I am looking into specifies apache as the application. Maybe, just maybe the server.xml file will contain what I need to move forward. The lack of documentation for what I am trying to do is frustrating. I am not even sure I can do it without loading apache with or instead of tomcat. Thanks for the info.

Can you describe what you need to accomplish without specifically referring to Apache httpd or Apache Tomcat? Something like: We have a Java web application that needs to authenticate against Microsoft AD server, and there are no other moving parts required unless we need them to support this configuration.

The reason that I ask is that Tomcat (with some special support libraries and configuration) can authenticate directly against Microsoft AD and Apache httpd isn't necessary at all. If you /require/ Apache httpd to perform the authentication, then we can tell you how to do that, too.

-chris
RE: Setting JVM Parameters in Windows Service for Tomcat7
Hi Patrick

if passing the -D options are not working for you when running service why not

SET JAVA_OPTS=-Xms1024m -Xmx1024m

and then run the service?

net start will *usually* display running services so you can see if TC star

Martin Gainty

Date: Thu, 20 Sep 2012 16:47:05 +0200
From: m...@ceti.pl
To: users@tomcat.apache.org
Subject: Re: Setting JVM Parameters in Windows Service for Tomcat7

> On 20.09.2012 16:39, Patrick Flaherty wrote:
>> Is this a Windows platform ?
>
> Looking at the path I suppose so :-)
>
> ${root}\\bin\\tomcat6.exe
>
> --
> Mikolaj Rydzewski m...@ceti.pl
Re: mod_jk/1.2.32 - Error connecting to Tomcat only on one page
Nicolas,

On 9/20/12 10:37 AM, Nicolas Sarazin wrote:
> English is not my native language, please excuse typing errors.

Welcome!

> I met a problem which I do not manage to explain... My environment (one server) : Server version : Apache Tomcat/5.5.26

You have 10 days to upgrade, at which point you will be flying without a parachute: Apache support for Tomcat 5.5.x expires in 10 days. I highly recommend that you get Tomcat 7 or at least Tomcat 6 into your test environments ASAP.

> JVM Version : 1.6.0_06-b02

You could afford to upgrade that, too. Oracle is on 1.6.0_35.

> Web server version : Apache/2.2.21 (Unix) mod_jk/1.2.32

2.2.23 and 1.2.37

> My VirtualHost : [...] JkMount /* ajp13 [...]

Do you have anything else? If not, why bother with Apache httpd?

> [...]
> <!-- Define an AJP 1.3 Connector on port 8011 -->
> <Connector port="8011" enableLookups="false" redirectPort="8443" debug="0" maxThreads="600" keepAlive="true" backlog="8192" minSpareThreads="25" maxSpareThreads="250" connectionTimeout="60" protocol="AJP/1.3" />
> [...]

That's a huge backlog, especially when you always expect a certain maximum number of connections coming from Apache httpd.

> worker.properties :
> # define worker
> worker.list=ajp13
> # Set properties for ajp13 = tomcat
> worker.ajp13.type=ajp13
> worker.ajp13.host=localhost
> worker.ajp13.port=8011
> worker.ajp13.connection_pool_size=1200
> worker.ajp13.connection_pool_timeout=600
> worker.ajp13.socket_keepalive=true
> worker.ajp13.socket_timeout=600

What MPM are you using? If you are using prefork, then your connection_pool_size is all wrong. Generally speaking, you should allow mod_jk to determine its own value for connection_pool_size when using Apache httpd.

How many backend Tomcat servers do you have? Looks like one.

Let's assume you are using threaded MPM in httpd (otherwise the value for 1200 is insane) and you are using only one backend Tomcat server. You have 1200 connections configured in httpd (connection_pool_size), but Tomcat can only accept 600 of them (maxThreads) at any given time. You have used backlog=8192 to cover this up so things become even more confusing.

> Usually, it works correctly, but sometimes, only on certain pages, the worker can't connect to Tomcat. In my log files, I have :

I think it's only a coincidence that /page2 consistently gives you 500-response errors, here. Try looking at a wider section of your httpd access log to determine if there really is something special about /page2 (of course, /page2 could be returning 500-response itself: you might want to check on that).

> At the beginning, I thought that the problem came from a bad configuration here :
> In server.xml file : maxThreads=600
> In worker.properties : worker.ajp13.connection_pool_size=1200
> But at the present time, there was no overload on the servers.

You should really get your connection allocations straightened-out, even if you don't expect them to be a problem. If you expect 1200 connections from httpd, then set maxThreads=1200 in Tomcat. I see you have the same timeout values for both sides of the connection (good!). You don't need that insanely-high TCP backlog, so remove that, too.

> How can we explain this behavior ?

There are lots of explanations for what you are seeing. A few questions:

1. Do you really need Apache httpd at all?
2. Can you configure cping/cpong for connection liveness testing?
3. Have you tried disabling AJP connection re-use altogether? localhost communication is fast fast fast.

-chris
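Added example, not part of the thread and not mod_jk or Tomcat code: a Python check that applies the sizing points from the reply above to a workers.properties / server.xml pair (pool size against maxThreads, backlog against the largest number of connections httpd can open, presence of a cping/cpong setting). The inputs are constructed from the values quoted in the thread; the httpd_processes parameter, the defaults maxThreads=200 and port 8009, and the mod_jk directives ping_mode, connect_timeout and prepost_timeout are assumptions not taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed inputs that carry the values quoted in the thread.
SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8011" protocol="AJP/1.3" maxThreads="600" backlog="8192"
               minSpareThreads="25" maxSpareThreads="250" redirectPort="8443" />
  </Service>
</Server>
"""
WORKERS = """\
# define worker
worker.list=ajp13
# Set properties for ajp13 = tomcat
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8011
worker.ajp13.connection_pool_size=1200
worker.ajp13.connection_pool_timeout=600
worker.ajp13.socket_keepalive=true
worker.ajp13.socket_timeout=600
"""
# The same pair after the advice in the reply: maxThreads raised to the pool
# size, explicit backlog removed, cping/cpong enabled (ping_mode=A is an
# assumption, the reply only asks whether cping/cpong can be configured).
FIXED_SERVER_XML = SERVER_XML.replace(
    'maxThreads="600" backlog="8192"', 'maxThreads="1200"')
FIXED_WORKERS = WORKERS + "worker.ajp13.ping_mode=A\n"

# mod_jk worker directives that switch on some form of cping/cpong probing.
LIVENESS_KEYS = ("ping_mode", "connect_timeout", "prepost_timeout")


def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("worker.") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".", 2)
        if len(parts) == 3:  # worker.<name>.<property>; skips worker.list
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers


def ajp_connectors(xml_text):
    """Return {port: attributes} for every AJP <Connector> in server.xml."""
    root = ET.fromstring(xml_text)
    return {int(c.get("port", "8009")): c.attrib
            for c in root.iter("Connector")
            if "ajp" in c.get("protocol", "").lower()}


def audit(workers_text, server_xml, httpd_processes=1):
    """Return (worker, code, detail) findings. connection_pool_size is per
    httpd child process, so the total is pool size times httpd_processes."""
    findings = []
    connectors = ajp_connectors(server_xml)
    for name, props in parse_workers(workers_text).items():
        if props.get("type") != "ajp13":
            continue
        port = int(props.get("port", "8009"))
        conn = connectors.get(port)
        if conn is None:
            findings.append((name, "NO_CONNECTOR", f"no AJP connector on {port}"))
            continue
        max_threads = int(conn.get("maxThreads", "200"))
        pool = props.get("connection_pool_size")
        if pool is not None:
            total = int(pool) * httpd_processes
            if total > max_threads:
                findings.append((name, "POOL_EXCEEDS_MAXTHREADS",
                                 f"httpd may open {total}, Tomcat serves {max_threads}"))
            backlog = conn.get("backlog")
            if backlog is not None and int(backlog) > total:
                findings.append((name, "BACKLOG_EXCEEDS_POOL",
                                 f"backlog {backlog} > {total} possible connections"))
        if not any(key in props for key in LIVENESS_KEYS):
            findings.append((name, "NO_CPING", "no cping/cpong liveness check"))
    return findings


def codes(findings):
    """Just the finding codes, in the order they were raised."""
    return [code for _, code, _ in findings]


if __name__ == "__main__":
    for finding in audit(WORKERS, SERVER_XML):
        print("before:", finding)
    print("after :", audit(FIXED_WORKERS, FIXED_SERVER_XML))
```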
Re: very basic question about apache and tomcat
Jen,

On 9/20/12 11:19 AM, Mead, Jen L wrote:
> I met you at a PERL conference years and years ago along with a bunch of other people you met.

Unlikely... I've never been to a Perl conference.

[OT NB: I've found out that I'm not the only Christopher Schultz in the world -- even in my own local region. I got pulled-over for speeding one time and was told that my license had been suspended *and* revoked (I'm not sure how that's different than just being revoked, but what the hey). Anyhow, turns out that the state I was living in used soundex codes for driver's license numbers and another (apparently evil) Christopher Schultz and I had license numbers differing only by one digit, so the cop had it all wrong. Fun ride.]

> Anyways. Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain.

Ok.

> I am hoping this can be accomplished without creating unix accounts.

Mirroring AD in UNIX would be foolish. It wouldn't get you anywhere, anyway, since Tomcat doesn't have a module to authenticate against the local UNIX environment, anyway.

> The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.

So you want your clients to provide Kerberos tokens to Tomcat? Have you arranged for that kind of thing?

-chris
Re: Setting JVM Parameters in Windows Service for Tomcat7
Martin,

On 9/20/12 11:37 AM, Martin Gainty wrote:
> if passing the -D options are not working for you when running service why not SET JAVA_OPTS=-Xms1024m -Xmx1024m and then run the service?

Environment variables are irrelevant when running services. That's why the registry values exist.

> net start will *usually* display running services so you can see if TC star

I don't think he's having a problem starting Tomcat. Just having a problem applying his preferred parameters to the JVM.

-chris
Re: Setting JVM Parameters in Windows Service for Tomcat7
Hi Mikolaj,

I got it to work. I was not using a space after the --JvmMs and --JvmMx switches. So in summary the following works:

\tomcat7.exe //US//tomcat7 --JvmMs 512 --JvmMx 1024

Thanks for everyone's help.

-Pat

On Sep 20, 2012, at 10:16 AM, Mikolaj Rydzewski wrote:

> On 20.09.2012 15:59, Patrick Flaherty wrote:
>> Have you tried this and gotten it to work ? My check to see if it took has been to open tomcatw.exe and check the values there. No matter what I've tried I cannot get it to take.
>
> Yes, it works for me in both ways (either via CLI or GUI). In fact I use ant script to modify service parameters (please forgive broken lines):
>
> <target name="update-tomcat-service">
>   <exec executable="${root}\\bin\\tomcat6.exe" dir="${root}\\bin">
>     <arg line="//US//Tomcat6 --Startup=auto --JvmMs ${tomcat.memory.size} --JvmMx ${tomcat.memory.size} --StartPath &quot;${root}&quot; --JvmOptions -Dcom.sun.management.jmxremote;-verbose:gc;-XX:-DisableExplicitGC;-XX:+PrintGCTimeStamps;-XX:+PrintGCDetails;-Xloggc:logs\gc.log;-XX:+HeapDumpOnOutOfMemoryError;-XX:HeapDumpPath=logs;-XX:+UseConcMarkSweepGC;-XX:+UseParNewGC;-XX:+CMSClassUnloadingEnabled;-XX:MaxPermSize=256m"/>
>   </exec>
> </target>
>
> --
> Mikolaj Rydzewski m...@ceti.pl
RE: very basic question about apache and tomcat
Hi Chris,

See responses below:

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, September 20, 2012 8:50 AM
To: Tomcat Users List
Subject: Re: very basic question about apache and tomcat

> Jen,
>
> On 9/20/12 11:19 AM, Mead, Jen L wrote:
>> I met you at a PERL conference years and years ago along with a bunch of other people you met.
>
> Unlikely... I've never been to a Perl conference.
>
> [OT NB: I've found out that I'm not the only Christopher Schultz in the world -- even in my own local region. I got pulled-over for speeding one time and was told that my license had been suspended *and* revoked (I'm not sure how that's different than just being revoked, but what the hey). Anyhow, turns out that the state I was living in used soundex codes for driver's license numbers and another (apparently evil) Christopher Schultz and I had license numbers differing only by one digit, so the cop had it all wrong. Fun ride.]

LOL, bummer. Yes you do have a famous name.

>> Anyways. Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain.
>
> Ok.
>
>> I am hoping this can be accomplished without creating unix accounts.
>
> Mirroring AD in UNIX would be foolish. It wouldn't get you anywhere, anyway, since Tomcat doesn't have a module to authenticate against the local UNIX environment, anyway.
>
>> The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.
>
> So you want your clients to provide Kerberos tokens to Tomcat? Have you arranged for that kind of thing?
>
> -chris

Yes I have to a point. We have HP support and mostly it is in India and we don't direct access with them. I opened a ticket but they are requesting that I tell them exactly how to do it. I am working with them on that. They are waiting for me to test from my AIX environment to iron out all those pieces. I know they need to configure my server into their environment and maybe it will require a special user account. If you have info on that that would be good.

Could you tell me which modules / libraries I need to download and install for tomcat to authenticate against the windows environment and how to tweak them? I am ready to dig into this.

Jen
RE: very basic question about apache and tomcat
Mead, Jen L mead@con-way.com wrote:
> Hi Chris,
>
> I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways.
>
> Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.
>
> If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it

Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work. I'll add looking at this to my to do list but it is a long list...

Mark
RE: very basic question about apache and tomcat
Yes, I did not find that useful. It is very vague to say the least. If I am missing something please let me know. I want to use Built-in Tomcat support.

Jen

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, September 20, 2012 9:20 AM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat

Mead, Jen L mead@con-way.com wrote:
> Hi Chris,
>
> I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways.
>
> Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.
>
> If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it

Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work. I'll add looking at this to my to do list but it is a long list...

Mark
Re: A little trouble with SSL
Christopher Schultz chris at christopherschultz.net writes:

> Andrea,
>
> On 8/29/2010 10:39 PM, Andrea Freire wrote:
>> There are the configuration files.
>
> Your attachments were stripped by the list. Please paste them inline and try again.
>
> -chris

I know that the answer is too late but I want to post what I did. The problem was that I hadn't installed the tomcat native library. I just followed the steps in the next link to install the library:

http://tomcat.apache.org/native-doc/

You have to install this if you want to configure ssl direct in tomcat. :D

Andrea
RE: very basic question about apache and tomcat
Mead, Jen L mead@con-way.com wrote:
> Yes, I did not find that useful. It is very vague to say the least.

You are the one being vague. You are not being very forthcoming. That page provides detailed, step-by-step configuration instructions. As I said, the page assumes Tomcat is running on a Windows machine but that may be necessary for Windows authentication to work. I haven't tested it and performing that testing is at the end of a long to do list. There is nothing stopping you from testing this.

> If I am missing something please let me know. I want to use Built-in Tomcat support.

You appear to have missed the section entitled built-in Tomcat support which is an exact match for what you are looking for.

Mark

> Jen
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Thursday, September 20, 2012 9:20 AM
> To: Tomcat Users List
> Subject: RE: very basic question about apache and tomcat
>
> Mead, Jen L mead@con-way.com wrote:
>> Hi Chris,
>>
>> I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways.
>>
>> Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.
>>
>> If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it
>
> Did you find this?
>
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work. I'll add looking at this to my to do list but it is a long list...
>
> Mark
Static Membership Session Replication
Hey,

Really hoping somebody can help. I am attempting a cluster with session replication. Tomcat 7, apache with mod_jk. The cluster and load balancing seems to be ok but I cannot get session replication working. I am using static membership as I am testing this on EC2. The load balancer and 2 workers are on individual servers. I have two tomcat instances, tomcatone and tomcattwo.

When starting up tomcattwo I saw this ONCE on tomcattwo and never again :

INFO: Manager [localhost#/ClusterApp], requesting session state from org.apache.catalina.tribes.membership.MemberImpl[tcp://tomcatone:4110,tomcatone,4110, alive=0, securePort=-1, UDP Port=-1, id={1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 }, payload={}, command={}, domain={100 101 108 116 97 45 115 116 97 ...(12)}, ]. This operation will timeout if no session state has been received within 60 seconds.
Sep 20, 2012 3:19:45 PM org.apache.catalina.ha.session.DeltaManager waitForSendAllSessions
SEVERE: Manager [localhost#/ClusterApp]: No session state send at 9/20/12 3:18 PM received, timing out after 60,109 ms.

The failure was due to firewall I think. Now the firewall is open and I haven't seen this again. Weird. Right now it doesn't look like the nodes are trying to communicate at all.

Many thanks in advance!

Server.xml's and logs :

tomcatone server.xml

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note: A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container Note: A Service is not itself a Container,
       so you may not define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking non-blocking)
         Java AJP Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    <!-- A Connector using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration,
RE: very basic question about apache and tomcat
Thanks. I am in the process of testing. The earlier answer from Chris suggested that I might need some additional modules / libraries. I am following it step by step and I do see the unix part. I have sent my windows domain people a request to create a Kerberos key and an account I can test with. However, they provided one on a box I did not have root on and it was way too frustrating trying to get unix admin in India to understand what to do. I now have a sandbox environment with root and am trying different things, it has not worked so far.

Have you tried using this documentation? If not then please don't comment on how easy it is and straight forward. I am doing my best and have been in computing, unix in particular, for over 30yrs.

Regards,
Jen

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, September 20, 2012 10:09 AM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat

Mead, Jen L mead@con-way.com wrote:
> Yes, I did not find that useful. It is very vague to say the least.

You are the one being vague. You are not being very forthcoming. That page provides detailed, step-by-step configuration instructions. As I said, the page assumes Tomcat is running on a Windows machine but that may be necessary for Windows authentication to work. I haven't tested it and performing that testing is at the end of a long to do list. There is nothing stopping you from testing this.

> If I am missing something please let me know. I want to use Built-in Tomcat support.

You appear to have missed the section entitled built-in Tomcat support which is an exact match for what you are looking for.

Mark

> Jen
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Thursday, September 20, 2012 9:20 AM
> To: Tomcat Users List
> Subject: RE: very basic question about apache and tomcat
>
> Mead, Jen L mead@con-way.com wrote:
>> Hi Chris,
>>
>> I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways.
>>
>> Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side.
>>
>> If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it
>
> Did you find this?
>
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work. I'll add looking at this to my to do list but it is a long list...
>
> Mark
Re: Setting JVM Parameters in Windows Service for Tomcat7
Hi, Environment variables are irrelevant when running services. That's why the registry values exist. That's a good point! Thanks for the nice discussion. Matthias - can you please elaborate on exactly what it is not practicable for our production environment means? I want to put the configuration files and property settings in a local VCS (e.g. a local git) so that I can track the changes. But now I see, that there are some technical reasons for using the registry. I think I will use a batch-script then which sets the registry. Matthias PS There are two ways of setting the registry: 1. CLI via tomcat.exe //US//Tomcat7 ... There are some examples in the service.bat file. 2. gui via tomcatw.exe But I think both ways are not compatible. I.E. when using tomcat.exe //US//Tomcat7 I won't find the values in tomcatw.exe But that's not a problem for me. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
need help: how to Tomcat self signed cert?
I am generating a self-signed cert using OpenSSL with the following commands:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out ca.crt

I accept all the defaults when prompted except for 'Common Name' and enter my IP address there. This generates: ca.crt

I then export this to a ca.p12 with:

$ openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12

I then copy this file to $TOMCAT_HOME/conf/a.keystore

Then I run this command:

$ openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes

and copy this to $TOMCAT_HOME/conf/ca.pem. Before doing this, I remove some junk at the top of the file before ---BEGIN CERTIFICATE ---

I then modify my server.xml and open port 8443 and point to the a.keystore file. This seems to work OK.

However, when I generate a.keystore and ca.pem using BouncyCastle, the certs do not seem to work, but I have all the same settings. When generating in pure Java, I am required to install the JCE to generate the keys. I am not sure why openssl does not require some download or license to generate the RSA keys and why it lets me generate with a key size of 2048 without some sort of extension (openssl must have some export controls, correct)?

My first question is:

1) Why does the first method (using openssl) work? Would I not need to apply JCE to my local jdk/jre when running Tomcat for the certs to work?

2) What is wrong with generating the keys in Java? I am essentially following this: http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html except there is no keystore to initially load, so I skipped that part.

Any help on generating a self-signed cert in Java that would mirror the openssl generation would be greatly appreciated.

J.V.
Re: Setting JVM Parameters in Windows Service for Tomcat7
On 9/20/2012 3:02 PM, Matthias Müller wrote: Hi, Environment variables are irrelevant when running services. That's why the registry values exist. That's a good point! Thanks for the nice discussion. Matthias - can you please elaborate on exactly what it is not practicable for our production environment means? I want to put the configuration files and property settings in a local VCS (e.g. a local git) so that I can track the changes. But now I see, that there are some technical reasons for using the registry. I think I will use a batch-script then which sets the registry. Matthias PS There are two ways of setting the registry: 1. CLI via tomcat.exe //US//Tomcat7 ... There are some examples in the service.bat file. 2. gui via tomcatw.exe But I think both ways are not compatible. I.E. when using tomcat.exe //US//Tomcat7 I won't find the values in tomcatw.exe I think you will if you completely stop and restart tomcatw.exe, but not if you leave it running while making the changes. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Setting JVM Parameters in Windows Service for Tomcat7
On Sep 20, 2012, at 3:02 PM, Matthias Müller wrote: Hi, Environment variables are irrelevant when running services. That's why the registry values exist. That's a good point! Thanks for the nice discussion. Matthias - can you please elaborate on exactly what it is not practicable for our production environment means? I want to put the configuration files and property settings in a local VCS (e.g. a local git) so that I can track the changes. But now I see, that there are some technical reasons for using the registry. I think I will use a batch-script then which sets the registry. Matthias PS There are two ways of setting the registry: 1. CLI via tomcat.exe //US//Tomcat7 ... There are some examples in the service.bat file. 2. gui via tomcatw.exe But I think both ways are not compatible. I.E. when using tomcat.exe //US//Tomcat7 I won't find the values in tomcatw.exe But that's not a problem for me. I do not see the compatibility issue you describe. When I was struggling to get the command-line (tomcat7.exe //US//) to work. I was using the tomcatw.exe GUI to see if my command-line was taking (I also check the registry). Now that I have figured out how to change the min/max heap via the command-line I use tomcatw.exe and it reflects any change I make via the command- line. At least that is my experience. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: very basic question about apache and tomcat
On 9/19/2012 6:38 PM, Jeff wrote: I have a related question since we recently implemented authentication to AD via LDAP in our Tomcat WebApp but it currently prompts the user for every new session, even if they are hitting the site from their windows workstation that is already authenticated to the domain. Is there a way to do it that detects the user's current AD session and eliminates the need to prompt them, preferably browser (Chrome/FF/IE) independent? If so, it would be great! You might try Waffle. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: very basic question about apache and tomcat
Terence M. Bandoian tere...@tmbsw.com wrote: On 9/19/2012 6:38 PM, Jeff wrote: I have a related question since we recently implemented authentication to AD via LDAP in our Tomcat WebApp but it currently prompts the user for every new session, even if they are hitting the site from their windows workstation that is already authenticated to the domain. Is there a way to do it that detects the user's current AD session and eliminates the need to prompt them, preferably browser (Chrome/FF/IE) independent? If so, it would be great! You might try Waffle. Waffle is a Windows native solution. The OP wants Tomcat running on AIX. Waffle is not going to work. If moving Tomcat to Windows was an option, then Waffle would be a possibility (and that is made clear in Tomcat's docs - as are a number of other options). Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Comet not sending response under load
Hello Everyone,

I am having an issue where tomcat 6.0.35 comet is not sending a response when the host is under significant load. It is also sending the end event which, as far as I understand, means the CometEvent is not being closed. I am suspicious that this may be because the legacy code I am debugging is using comet timeouts to handle rescheduling. When a request comes in and there is no data immediately available our code sets cometEvent.setTimeout(3) and then attaches some attributes to the event. I can log the response, it is there waiting to be sent, and the read event which is triggering the response completes successfully.

The problem only occurs when running on our prod and staging CentOS 5.4 but not on local CentOS 6.3 or Windows machines. Any ideas on why the response and end event would be getting held up under load?

Code below

Thank you,
Heath

public class MyCometProcessor extends HttpServlet implements CometProcessor {
    @Override
    public void event(CometEvent cometEvent) throws IOException, ServletException {
        HttpServletRequest request = cometEvent.getHttpServletRequest();
        try {
            if (cometEvent.getEventType() == CometEvent.EventType.BEGIN) {
                // do nothing
            } else if (cometEvent.getEventType() == CometEvent.EventType.READ) {
                new CometReadHandler(cometEvent).process();
            } else if (cometEvent.getEventType() == CometEvent.EventType.ERROR) {
                if (cometEvent.getEventSubType() == CometEvent.EventSubType.TIMEOUT) {
                    new CometTimeoutHandler(cometEvent).process();
                }
                cometEvent.close();
            } else if (cometEvent.getEventType() == CometEvent.EventType.END) {
                cometEvent.close();
            }
        } catch (Exception e) {
            try { cometEvent.close(); } catch (Exception ignore) {}
            throw new ServletException(e);
        }
    }
}

public class CometReadHandler {
    private final CometEvent cometEvent;

    public CometReadHandler(CometEvent cometEvent) {
        if (cometEvent.getEventType() != CometEvent.EventType.READ) {
            throw new IllegalArgumentException(...);
        }
        this.cometEvent = cometEvent;
    }

    public void process() throws Exception {
        InputStream inStream;
        Element messageResponse;
        try {
            inStream = cometEvent.getHttpServletRequest().getInputStream();
            messageResponse = generateMessage(inStream);
        } catch (Throwable thrown) {
            // log
            return;
        }
        if (messageResponse == null) {
            cometEvent.setTimeout(3);
            cometEvent.getHttpServletRequest().setAttribute(key, dataObject);
        } else {
            try {
                new MessageSender(cometEvent).send(messageResponse);
            } finally {
                try { cometEvent.close(); } catch (Exception ignore) { }
            }
        }
    }
}

public class CometTimeoutHandler {
    private final CometEvent cometEvent;

    public CometTimeoutHandler(CometEvent cometEvent) {
        if (cometEvent.getEventType() != CometEvent.EventType.END
                && cometEvent.getEventSubType() != CometEvent.EventSubType.TIMEOUT) {
            throw new IllegalArgumentException();
        }
        this.cometEvent = cometEvent;
    }

    public void process() throws Exception {
        // generate message and send, message is generated and logged and I see it in the logs
    }
}

public class MessageSender {
    private final CometEvent cometEvent;

    public MessageSender(CometEvent cometEvent) {
        this.cometEvent = cometEvent;
    }

    public void send(Element xmlResponse) throws IOException, ServletException {
        cometEvent.getHttpServletResponse().setContentType("text/xml");
        PrintWriter writer = cometEvent.getHttpServletResponse().getWriter();
        MessagingUtil.outputElement(xmlResponse, writer);
        writer.flush();
    }
}
Sticky sessions not working
I'm running Apache Tomcat 7.0.14 and Apache 2.2.21 (mod_jk 1.2.37). I am trying to load balance two Tomcat Servers and sticky sessions are not working. I am running a two-factor authentication package and it looks like my LB configuration is directing the user to one Tomcat for part of the transaction and to the other Tomcat server for the other part. When I bring down one of the Tomcat servers, everything works fine; but with both Tomcat servers up, I get 500 errors. So, I am trying to stick the webserver session to one particular Tomcat server.

Listed below is my configuration. Also, I tried without the domain directive also. I am not quite sure if that's a random name or should it be something specific. Can someone please assist? Thank you...

*workers.properties*

worker.list=loadbalancer,status

# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.domain=jvm1
worker.node1.port=
worker.node1.host=t*20.x.
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.ping_mode=A

# Define Node2
# modify the host as your host IP or DNS name.
worker.node2.domain=jvm2
worker.node2.port=
worker.node2.host=t*21.x.
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.ping_mode=A

# Load-balancing behaviour
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=True

# Status worker for managing load balancer
worker.status.type=status

# Added per Anakam direction 113010
worker.node1.socket_keepalive=True
worker.node1.socket_timeout=300

# Added per Anakam direction 113010
worker.node2.socket_keepalive=True
worker.node2.socket_keepalive=300

*server.xml on Tomcat Node 1*

<Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">

*server.xml on Tomcat Node 2*

<Engine name="Catalina" defaultHost="localhost" jvmRoute="node2">
RE: very basic question about apache and tomcat
Mead, Jen L mead@con-way.com wrote:

> Thanks. I am in the process of testing. The earlier answer from Chris suggested that I might need some additional modules / libraries. I am following it step by step and I do see the unix part. I have sent my windows domain people a request to create a Kerberos key and an account I can test with. However, they provided one on a box I did not have root on and it was way too frustrating trying to get unix admin in India to understand what to do. I now have a sandbox environment with root and am trying different things, it has not worked so far.

Setting up this for the first time is rather like setting up SSL CLIENT-AUTH for the first time. There are lots of moving parts and if you get just one thing wrong the whole lot fails. The error messages may not be too helpful when this happens. Posting the full error message, associated stack trace and exactly what you did to get to that point will help us to help you. Without those specifics, there is little the folks here can do to help and so far you have not provided any details apart from it has not worked.

You will find this a whole lot easier if you can start from a known working configuration and take little steps towards the configuration you want. There are so many things that can go wrong that going directly to the configuration you want is going to be very high risk. I'd strongly recommend that you follow something like the following approach:

Part one
1. Create three local Windows VMs (domain controller, server, client) and do a clean install of the OS.
2. Snapshot the VMs.
3. Configure them as per the Tomcat docs so Windows auth works. The Tomcat docs should take you through this step by step (although they do not try and are not intended to teach Windows administration).
4. Make notes as you go so you can repeat this. If you spot any errors or omissions in the Tomcat docs, report them.
5. Snapshot the working configuration.
6. Revert to the clean VMs and make sure you can repeat the configuration.

Part two
Repeat part one but in your dev environment but use the domain controller from the dev environment rather than your VM (so you only have two VMs). You'll need co-operation from the domain admins but since you'll have your notes from part one you'll be able to tell them exactly what to do (which unfortunately it sounds like they need).

Part three
Repeat part one but with all machines in the dev environment rather than VMs.

Part 4
Repeat part one but with Tomcat on an AIX machine. By this point, you should be familiar enough with the process that any problems will be because of running on AIX. Again, report any issues here and we'll do what we can to help. My best guess at this point is that it will either just work or you'll need to install samba, add the machine to the domain and do some additional (currently unknown) configuration. I'm leaning towards the just work option since I can't see why the Tomcat server needs to be part of the domain if it has its own service account. On the other hand, I'm not that familiar with the details of the Kerberos protocol and it is a while since I looked at all of this so I could easily be wrong.

Part 5
Repeat part 4 on your live environment.

Thinking about this, you might want to move Tomcat to AIX as part 2 since at that point (assuming you have root access to an AIX dev machine) you'll still be in full control and a fair amount of tweaking may be required.

> Have you tried using this documentation?

Actually no, I haven't tried using that documentation. On the other hand I implemented that feature. I figured out how to make built-in Windows authentication work (the JVM does the hard work) from the references linked in the documentation and then I implemented Tomcat's built-in support for Windows authentication and also wrote the documentation. And I have a working configuration in a series of VMs on the machine in front of me. The documentation very deliberately provides detailed step-by-step instructions that are known to work. If you find any errors or omissions let us know.

> If not then please don't comment on how easy it is and straight forward. I am doing my best and have been in computing, unix in particular, for over 30yrs.

Given that intended tone is not something that comes across well in e-mail communication, your final paragraph reads as arrogant rather than the tone you intended (I'm assuming you weren't aiming for arrogance). That is unlikely to encourage anyone here to help. That is particularly unfortunate when the person you are directing your comments at implemented the feature you are trying to use and could be the person best placed to help you.

Mark

> Regards, Jen
> -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Thursday, September 20, 2012 10:09 AM To: Tomcat Users List Subject: RE: very basic question about apache and tomcat
> Mead, Jen L
Re: need help: how to Tomcat self signed cert?
Which HTTP connector are you using?

Mark

J.V. jvsr...@gmail.com wrote:

> I am generating a self-signed cert using OpenSSL with the following commands:
>
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out ca.crt
>
> I accept all the defaults when prompted except for 'Common Name' and enter my IP address there. This generates: ca.crt
>
> I then export this to a ca.p12 with:
>
> $ openssl pkcs12 -export -in ca.crt -inkey privateKey.key -out ca.p12
>
> I then copy this file to $TOMCAT_HOME/conf/a.keystore
>
> Then I run this command:
>
> $ openssl pkcs12 -in ca.p12 -out ca.pem -clcerts -nokeys -nodes
>
> and copy this to $TOMCAT_HOME/conf/ca.pem. Before doing this, I remove some junk at the top of the file before ---BEGIN CERTIFICATE ---
>
> I then modify my server.xml and open port 8443 and point to the a.keystore file. This seems to work OK.
>
> However, when I generate a.keystore and ca.pem using BouncyCastle, the certs do not seem to work, but I have all the same settings. When generating in pure Java, I am required to install the JCE to generate the keys. I am not sure why openssl does not require some download or license to generate the RSA keys and why it lets me generate with a key size of 2048 without some sort of extension (openssl must have some export controls, correct)?
>
> My first question is:
>
> 1) Why does the first method (using openssl) work? Would I not need to apply JCE to my local jdk/jre when running Tomcat for the certs to work?
>
> 2) What is wrong with generating the keys in Java? I am essentially following this: http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html except there is no keystore to initially load, so I skipped that part.
>
> Any help on generating a self-signed cert in Java that would mirror the openssl generation would be greatly appreciated.
>
> J.V.
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
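The OpenSSL steps from J.V.'s message, written as a non-interactive script that also checks its own output. This is an added example, not part of the original thread; the common name 192.0.2.10, the store password, the output directory and the keystore alias `tomcat` are constructed values.

```shell
#!/bin/sh
# Added example: scripted form of the three openssl steps quoted in the thread.
# All names and values passed in are the caller's; none come from the thread.

# make_tomcat_selfsigned DIR COMMON_NAME STOREPASS
# Writes privateKey.key, ca.crt, ca.p12 and ca.pem into DIR.
make_tomcat_selfsigned() {
    dir=$1 cn=$2 storepass=$3
    (
        umask 077                       # key and keystore readable by owner only
        mkdir -p "$dir" && cd "$dir" || exit 1

        # Hand the password over through the environment so that it does
        # not appear in the process argument list.
        STOREPASS=$storepass
        export STOREPASS

        # Step 1: key pair plus self-signed certificate. -subj replaces the
        # interactive prompts; -nodes leaves the private key unencrypted on
        # disk, which is why the umask above matters.
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$cn" -keyout privateKey.key -out ca.crt \
            2>/dev/null || exit 1

        # Step 2: bundle key and certificate into a PKCS#12 file.
        openssl pkcs12 -export -in ca.crt -inkey privateKey.key \
            -name tomcat -passout env:STOREPASS -out ca.p12 || exit 1

        # Step 3: extract the certificate only. pkcs12 prints "Bag Attributes"
        # text ahead of the PEM block (the lines removed by hand in the
        # thread); piping through x509 re-emits the certificate without them.
        openssl pkcs12 -in ca.p12 -clcerts -nokeys -passin env:STOREPASS \
            2>/dev/null | openssl x509 -out ca.pem || exit 1
    )
}

# cert_fingerprint FILE -> SHA-256 fingerprint of the certificate in FILE.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_matches_cert KEYFILE CERTFILE -> succeeds when the public key derived
# from the private key equals the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# Usage (constructed values):
#   make_tomcat_selfsigned ./certs 192.0.2.10 "$STORE_PASSWORD"
#   key_matches_cert ./certs/privateKey.key ./certs/ca.pem && echo "pair OK"
```

ca.p12 is the form a JSSE connector reads (keystoreFile with keystoreType="PKCS12"), while the PEM files are what the APR/native connector takes (SSLCertificateFile and SSLCertificateKeyFile), which is why the connector type matters for the question.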
Re: ajp_ilink_receive error - please advise
thank you for the replies chris and dan.

chris:
1. upgrading apache is possible, but not easy (puppet manages the install).
2. unfortunately i have not figured out how to reproduce the problem. we did extensive load testing on the system prior to launch and not once did we see this problem...

dan:
1. good idea. do you know a good reference for setting this up?
2. also, what is the process for capturing thread dumps? this will be difficult however because the incidents are random and so far, mostly occurring in the middle of the night.

thanks again for the help.

On Thu, Sep 20, 2012 at 5:35 AM, Daniel Mikusa dmik...@vmware.com wrote:

> On Sep 19, 2012, at 5:38 PM, Django Radonich-Camp wrote:
>
> > hello. we are running an application on tomcat and experiencing intermittent periods where the application is non-responsive and thus non-functional. the general set up is apache and tomcat, with mod_proxy_ajp as the connector (specific details and configs below).
> >
> > during these events, the primary apache error log shows the following:
> >
> > 1. (104)Connection reset by peer: ajp_ilink_receive() can't receive header
> > 2. (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
> >
> > it looks like error #1 repeats for a while and then error #2 repeats for a while. at the same time in the application specific apache error log (as specified in the vhost set up for app) we see the following errors repeated (though in mixed order from below):
> >
> > 3. [error] ajp_read_header: ajp_ilink_receive failed
> > 4. [error] (120006)APR does not understand this error code: proxy: read response failed from (null) (localhost)
> > 5. [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:8009 (localhost)
> > 6. [error] [client X.X.X.X] proxy: error processing end
> >
> > and occasionally:
> >
> > 7. [error] proxy: read zero bytes, expecting 464 bytes
> >
> > the catalina.out log registers nothing during the time period the application is unresponsive.
> >
> > a couple of other things to note:
> > - these events are coming under light to no load as far as i can tell.
> > - these events last from about 5 to 30 minutes and then everything works again as expected with no manual intervention.
> > - the time of day for the events is not consistent.
> > - these events initially occurred rarely, but over the last month have ramped up to daily.
> >
> > any suggestions on how to fix or further troubleshoot this problem? and thanks in advance for the help.
>
> Here are a couple additional troubleshooting steps you can take on your Tomcat instances...
>
> 1.) Enable garbage collection logging. Look for any full GC's.
> 2.) Take some thread dumps during an incident. Look for blocking.
>
> Dan
>
> > below please find more information on versions and configs... let me know if more info is needed.
> >
> > OS Name: Linux (ubuntu 10.04.4)
> > OS Version: 2.6.32-31-server
> > Architecture: amd64
> > JVM Version: 1.6.0_32-b05
> > JVM Vendor: Sun Microsystems Inc.
> > Server version: Apache Tomcat/6.0.24
> > apache: Apache/2.2.14
> >
> > MPM configs START--
> > <IfModule mpm_prefork_module>
> > StartServers 5
> > MinSpareServers 5
> > MaxSpareServers 10
> > MaxClients 26
> > MaxRequestsPerChild 1000
> > </IfModule>
> > END
> >
> > balancer conf START--
> > <Proxy balancer://mysite_balancer*>
> > Order deny,allow
> > Allow from all
> > </Proxy>
> > ProxyPassMatch ^/(.+.cf[cm])(.*)?$ balancer://mysite_balancer/irised/client stickysession=JSESSIONID|jsessionid
> > ProxyPassReverseCookiePath /irised /
> > <Proxy balancer://mysite_balancer>
> > BalancerMember ajp://localhost:8009 route=www1 retry=5
> > </Proxy>
> > END
> >
> > connector xml START--
> > <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" connectionTimeout="2" redirectPort="8443" />
> > END
RE: Comet not sending response under load
I forgot to mention my connector looks like

<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="2" emptySessionPath="true" redirectPort="8443" />

And that the timeout is set during the read event. The docs say that the timeout should only be set during the begin event but not why.

From: Heath Gerhardt
Sent: Thursday, September 20, 2012 3:28 PM
To: 'users@tomcat.apache.org'
Subject: Comet not sending response under load

Hello Everyone,

I am having an issue where tomcat 6.0.35 comet is not sending a response when the host is under significant load. It is also sending the end event which, as far as I understand, means the CometEvent is not being closed. I am suspicious that this may be because the legacy code I am debugging is using comet timeouts to handle rescheduling. When a request comes in and there is no data immediately available our code sets cometEvent.setTimeout(3) and then attaches some attributes to the event. I can log the response, it is there waiting to be sent, and the read event which is triggering the response completes successfully.

The problem only occurs when running on our prod and staging CentOS 5.4 but not on local CentOS 6.3 or Windows machines. Any ideas on why the response and end event would be getting held up under load?
Code below Thank you, Heath public class MyCometProcessor extends HttpServlet implements CometProcessor { @Override public void event(CometEvent cometEvent) throws IOException, ServletException { HttpServletRequest request = cometEvent.getHttpServletRequest(); try { if (cometEvent.getEventType() == CometEvent.EventType.BEGIN) { // do nothing } else if (cometEvent.getEventType() == CometEvent.EventType.READ) { new CometReadHandler(cometEvent).process(); } else if (cometEvent.getEventType() == CometEvent.EventType.ERROR) { if (cometEvent.getEventSubType() == CometEvent.EventSubType.TIMEOUT) { new CometTimeoutHandler(cometEvent).process(); } cometEvent.close(); } else if (cometEvent.getEventType() == CometEvent.EventType.END) { cometEvent.close(); } } catch (Exception e) { try { cometEvent.close(); } catch (Exception ignore) {} throw new ServletException(e); } } } public class CometReadHandler { private final CometEvent cometEvent; public CometReadHandler(CometEvent cometEvent) { if (cometEvent.getEventType() != CometEvent.EventType.READ) { throw new IllegalArgumentException(...); } this.cometEvent = cometEvent; } public void process() throws Exception { InputStream inStream; Element messageResponse; try { inStream = cometEvent.getHttpServletRequest().getInputStream(); messageResponse = generateMessage(inStream); } catch (Throwable thrown) { // log return; } if (messageResponse == null) { cometEvent.setTimeout(3); cometEvent.getHttpServletRequest().setAttribute(key, dataObject); } else { try { new MessageSender(cometEvent).send(messageResponse); } finally { try { cometEvent.close(); } catch (Exception ignore) { } } } } } public class CometTimeoutHandler { private final CometEvent cometEvent; public CometTimeoutHandler(CometEvent cometEvent) { if (cometEvent.getEventType() != CometEvent.EventType.END cometEvent.getEventSubType() != CometEvent.EventSubType.TIMEOUT) { throw new IllegalArgumentException(); } this.cometEvent = cometEvent; } public void process() throws 
Exception { // generate message and send, message is generated and logged and I see it in the logs } } public class MessageSender { private final CometEvent cometEvent; public MessageSender(CometEvent cometEvent) { this.cometEvent = cometEvent; } public void send(Element xmlResponse) throws IOException, ServletException { cometEvent.getHttpServletResponse().setContentType(text/xml); PrintWriter writer = cometEvent.getHttpServletResponse().getWriter(); MessagingUtil.outputElement(xmlResponse, writer); writer.flush(); } } __ This message, including any attachments, is confidential and contains information intended only for the
Re: very basic question about apache and tomcat
On 20 September 2012 17:20, Mark Thomas ma...@apache.org wrote:

> Mead, Jen L mead@con-way.com wrote:
>
> > Hi Chris, I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways. Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side. If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it
>
> Did you find this? http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work.

Samba is one way, in that context the AIX box becomes a member of the Windows AD. If that isn't possible:

Another alternative is bi or uni-directional cross-realm trusts. That's where there is a Unix Kerberos realm and the Windows AD realm and there is a trust either between each realm or in one direction only. Cross-realm keys are quite easy to create in the more recent versions of Windows Server (2008+). In this situation, the authentication trust could be configured only one way (i.e. Windows AD users are trusted for authentication purposes to the AIX Tomcat service).

I'm a bit fuzzy on the details since I last looked at this several years ago. From what I remember the following is needed:

(a) cross-realm keys in one or both directions (i.e. resulting in one or two sets of keys) - getting this right on the Windows side was quite difficult due to different encryption standards in use, different 'versions' of keys etc. modern versions of Windows Server do make this easier.
(b) a key on the AIX box representing the service (Tomcat) but in this case the service key is for the local Unix Kerberos realm, not the Windows AD realm
(c) A browser that permits Kerberos based authentication (e.g. Firefox, or IE with the site added to the trusted sites area).
(d) Patience, luck and lots of log perusal.

I've used this in a managed service environment but it's complicated and error prone to configure.

> I'll add looking at this to my to do list but it is a long list...
>
> Mark
Re: Re: very basic question about apache and tomcat
On 9/20/2012 4:24 PM, Mark Thomas wrote: Terence M. Bandoian tere...@tmbsw.com wrote: On 9/19/2012 6:38 PM, Jeff wrote: I have a related question since we recently implemented authentication to AD via LDAP in our Tomcat WebApp but it currently prompts the user for every new session, even if they are hitting the site from their windows workstation that is already authenticated to the domain. Is there a way to do it that detects the user's current AD session and eliminates the need to prompt them, preferably browser (Chrome/FF/IE) independent? If so, it would be great! You might try Waffle. Waffle is a Windows native solution. The OP wants Tomcat running on AIX. Waffle is not going to work. If moving Tomcat to Windows was an option, then Waffle would be a possibility (and that is made clear in Tomcat's docs - as are a number of other options). Mark Hi, Mark- You're right. I should have prefaced that with If you're running on Windows. However, a second person (see above) asked basically the same question as the OP and I'm not sure what platform they're on. The built-in Java implementation sounds great if Tomcat 7 is being used. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Sticky sessions not working
Hello,
Add:
worker.node1.route=node1
and:
worker.node2.route=node2
to use sticky sessions. These directives attach the route name at the end of the JSESSIONID.
Best regards,
Nicolas SARAZIN

On Friday, 21 September 2012, Lou Henry wrote:
I'm running Apache Tomcat 7.0.14 and Apache 2.2.21 (mod_jk 1.2.37). I am trying to load balance two Tomcat servers and sticky sessions are not working. I am running a two-factor authentication package and it looks like my LB configuration is directing the user to one Tomcat for part of the transaction and to the other Tomcat server for the other part. When I bring down one of the Tomcat servers, everything works fine; but with both Tomcat servers up, I get 500 errors. So, I am trying to stick the webserver session to one particular Tomcat server. Listed below is my configuration. Also, I tried without the domain directive also. I am not quite sure if that's a random name or should it be something specific. Can someone please assist? Thank you...

*workers.properties*
worker.list=loadbalancer,status
# Define Node1
# modify the host as your host IP or DNS name.
worker.node1.domain=jvm1
worker.node1.port=
worker.node1.host=t*20.x.
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.ping_mode=A
# Define Node2
# modify the host as your host IP or DNS name.
worker.node2.domain=jvm2
worker.node2.port=
worker.node2.host=t*21.x.
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.ping_mode=A
# Load-balancing behaviour
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=True
# Status worker for managing load balancer
worker.status.type=status
# Added per Anakam direction 113010
worker.node1.socket_keepalive=True
worker.node1.socket_timeout=300
# Added per Anakam direction 113010
worker.node2.socket_keepalive=True
worker.node2.socket_keepalive=300

*server.xml on Tomcat Node 1*
<Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">

*server.xml on Tomcat Node 2*
<Engine name="Catalina" defaultHost="localhost" jvmRoute="node2">
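
A consistency check for the kind of setup discussed in this thread, as an added example (not code from any poster or from the mod_jk project): it flags keys set twice in workers.properties, flags balanced workers whose route matches no Tomcat jvmRoute, and extracts the route suffix from a session id. The sample text, the function names, the session id format shown and the rule that an unset route falls back to the worker name are assumptions of this example.

```python
import re

# Constructed sample, modelled on the configuration quoted in the post
# (host and port lines left out).
WORKERS = """\
worker.list=loadbalancer,status
worker.node1.type=ajp13
worker.node2.type=ajp13
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=True
worker.node2.socket_keepalive=True
worker.node2.socket_keepalive=300
"""
JVM_ROUTES = {"node1", "node2"}  # jvmRoute of each Tomcat's <Engine> element


def parse_workers(text):
    """Return (props, duplicate_keys) for workers.properties text."""
    props, dups = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props:
            dups.append(key)  # a later line silently replaces the earlier one here
        props[key] = value
    return props, dups


def check_routes(props, jvm_routes, lb="loadbalancer"):
    """List balanced workers whose effective route is not a known jvmRoute."""
    findings = []
    members = re.split(r"[,\s]+", props.get(f"worker.{lb}.balance_workers", ""))
    for name in filter(None, members):
        # Assumption: with no explicit route, the worker name is the route.
        route = props.get(f"worker.{name}.route", name)
        if route not in jvm_routes:
            findings.append(f"{name}: route '{route}' matches no jvmRoute")
    return findings


def route_of(session_id):
    """Route suffix after the last '.' of a JSESSIONID value, or None."""
    return session_id.rsplit(".", 1)[1] if "." in session_id else None


if __name__ == "__main__":
    props, dups = parse_workers(WORKERS)
    print("duplicate keys:", dups)
    print("route findings:", check_routes(props, JVM_ROUTES))
    print("route of sample id:", route_of("0123ABCD.node1"))  # constructed id
```

A session id with no route suffix (`route_of` returns `None`) gives the balancer nothing to pin the request to, which is worth checking in the browser's cookie before changing the balancer configuration.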