[ANN] Apache Tomcat 8.0.29 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.29.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as well as other enhancements and changes. The notable changes since 8.0.28 include:

- Add an option to control (per context) quoting of EL expressions in JSP attributes
- Correct a regression in the fix for 56777 that added support for URIs in config file locations
- Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs
- Use instance manager for WebSocket server endpoint instances

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
TLS certificate configuration in Tomcat 9
All,

Is the PEM-based certificate configuration available for both JSSE-based and APR-based connectors in Tomcat 9 at this point? The documentation says e.g. the "certificateFile" attribute is for "OpenSSL Only", and when I try to launch Tomcat using the NIO connector and a PEM-based certificate file, Tomcat says that the keystore is corrupted (even though no keystore was actually specified).

-chris
Re: TLS fails in Firefox and Chrome
Mark,

On 11/24/15 1:56 PM, Mark Robinson wrote:
> My config is pretty vanilla.
>
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="8443" maxThreads="200"
> ciphers="TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_DH_anon_WITH_AES_128_GCM_SHA256,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_anon_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
> scheme="https" secure="true" SSLEnabled="true"
> keystoreFile="conf/keystore.jks" keystorePass="changeit"
> clientAuth="false" sslProtocol="TLS"/>
>
> This fails, because of the three problematic ciphers.

I'm just going to list the ciphers you have in order here and make some comments.

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

So the top 3 are giving you problems with ff and Chrome. I have ff using the second of those ciphers right now with a site I control, but SSL is being terminated by AWS ELB (likely some variant of haproxy).

I just configured Tomcat 9 with sslProtocol="TLS" and I was able to connect using OpenSSL s_client -tls1_2 but not with other options. I was also unable to connect with Firefox 42, but Chrome 46 and Safari 9 can connect. I didn't try any versions of MSIE.

Note that the TLS_RSA_WITH_AES_128_GCM_SHA256 algorithm is defined by TLSv1.2 and not before, thus only a TLSv1.2 handshake should be able to negotiate them.

I added SSL_RSA_WITH_3DES_EDE_CBC_SHA, a cipher defined in TLSv1 (arbitrarily-chosen), and now all browsers can connect. Strange that Firefox doesn't want to negotiate with only TLSv1.2 ciphers... When Firefox connects, it negotiates the 3DES cipher instead of the higher-security TLS_* ciphers. I wonder if Firefox doesn't support the RSA version of these ciphers, and I have an RSA key and no DHE key for my test server. Thus, Firefox can't negotiate until I supply a cipher that it does support.

I can see that Chrome is using the DHE_RSA flavor when it handshakes.

I think this is truly an issue of Firefox simply not supporting the ciphers you have chosen.

Let's look at the rest of the list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA !
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA !
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA !
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Those listed above which I've annotated with a ! are somewhat low on security, as defined as having only 112 bits.

Everything below this line should never be used unless you (a) don't actually care about security or (b) have other controls in place to mitigate the
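The grouping Chris walks through above (3DES suites as 112-bit, and everything below the SCSV line as never-enable) lends itself to a small audit script. The following is an added example, not code from this thread or from the Tomcat project: it takes the `ciphers` attribute quoted from Mark's connector, sorts each JSSE suite name into a bucket, and adds two checks that a failed handshake like this one calls for: which suites exist only in TLSv1.2 (the GCM and SHA-256 suites, as Chris notes for TLS_RSA_WITH_AES_128_GCM_SHA256) and which can never be selected by a server whose only key is RSA (ECDSA and DSS suites need those key types, and ECDH_RSA needs an EC key in the certificate). The function names are this example's own.

```python
"""Audit a Tomcat connector's ``ciphers`` attribute the way the post above groups it.

Added example, not code from the thread: 3DES suites count as 112-bit, and anon,
NULL, EXPORT, DES, MD5 and KRB5 suites as never-enable; two further checks flag
suites that need a TLSv1.2 handshake and suites an RSA-only server key cannot
serve. MARKS_CIPHERS is the list quoted above; the function names are mine.
"""
import re

NEVER = (
    re.compile(r"_anon_"),      # anonymous key exchange: no server authentication
    re.compile(r"_NULL_"),      # no encryption
    re.compile(r"_EXPORT_"),    # 40-bit export grade
    re.compile(r"_WITH_DES_"),  # single DES, 56-bit
    re.compile(r"_MD5$"),       # MD5-based MAC
    re.compile(r"^TLS_KRB5_"),  # Kerberos suites; all of them use DES or 3DES
)
WEAK_112BIT = re.compile(r"_3DES_EDE_")             # the "!" suites above
SIGNALLING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}   # a signal, not a cipher
# Key exchanges an RSA server key can serve. ECDH_RSA needs an EC key in the
# certificate, and ECDSA/DSS suites need certificates with those key types.
RSA_KEY_KX = re.compile(r"^(?:TLS|SSL)_(?:RSA|DHE_RSA|ECDHE_RSA)_WITH_")


def classify(attr):
    """Group the suites of a ``ciphers="..."`` value; whitespace after commas is tolerated."""
    buckets = {"never": [], "weak_112bit": [], "signalling": [], "acceptable": []}
    for suite in (s.strip() for s in attr.split(",") if s.strip()):
        if suite in SIGNALLING:
            buckets["signalling"].append(suite)
        elif any(p.search(suite) for p in NEVER):
            buckets["never"].append(suite)
        elif WEAK_112BIT.search(suite):
            buckets["weak_112bit"].append(suite)
        else:
            buckets["acceptable"].append(suite)
    return buckets


def requires_tls12(suite):
    """AEAD (GCM) suites and SHA-256/384 HMAC suites exist only in TLSv1.2."""
    return "_GCM_" in suite or suite.endswith(("_SHA256", "_SHA384"))


def usable_with_rsa_key(suite):
    """True if a server holding only an RSA key can negotiate this suite."""
    return RSA_KEY_KX.match(suite) is not None


def negotiable(attr, pre_tls12_clients=True):
    """Acceptable suites an RSA-only server can offer; with the flag set, only
    those a client that stops at TLSv1.1 could still pick."""
    ok = [s for s in classify(attr)["acceptable"] if usable_with_rsa_key(s)]
    if pre_tls12_clients:
        ok = [s for s in ok if not requires_tls12(s)]
    return ok


MARKS_CIPHERS = (  # copied from the connector configuration quoted above
    "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
    " TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_DH_anon_WITH_AES_128_GCM_SHA256,TLS_DH_anon_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,"
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,"
    "SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,"
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,"
    "TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,"
    "SSL_RSA_WITH_NULL_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,"
    "TLS_ECDH_anon_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,"
    "TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5,"
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
)

if __name__ == "__main__":
    for name, suites in classify(MARKS_CIPHERS).items():
        print("%s: %d" % (name, len(suites)))
        for s in suites:
            tags = ["TLSv1.2-only"] if requires_tls12(s) else []
            if name == "acceptable" and not usable_with_rsa_key(s):
                tags.append("not usable with an RSA key")
            print("   ", s, ", ".join(tags))
    print("left for a TLSv1.0/1.1 client:", negotiable(MARKS_CIPHERS))
```

On Mark's list the script reports 28 never-enable suites, 7 at 112 bits, the SCSV signal, and 20 acceptable suites, of which only 8 are reachable with an RSA key and only 3 of those remain for a client that does not speak TLSv1.2. Run it against your own `ciphers` value by passing the string to `classify()`.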
Re: TLS certificate configuration in Tomcat 9
2015-11-25 16:26 GMT+01:00 Christopher Schultz:
> All,
>
> Is the PEM-based certificate configuration available for both JSSE-based
> and APR-based connectors in Tomcat 9 at this point? The documentation
> says e.g. the "certificateFile" attribute is for "OpenSSL Only", and
> when I try to launch Tomcat using the NIO connector and a PEM-based
> certificate file, Tomcat says that the keystore is corrupted (even
> though no keystore was actually specified).

No, you really have to use OpenSSL, so either the APR connector, or the NIOx connectors with the OpenSSL implementation. You will get warnings as well if you don't use the appropriate properties for your connector.

Rémy
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
On 25/11/2015 22:38, George Sexton wrote:
> Mark,
>
> On 11/24/2015 4:11 PM, Mark Thomas wrote:
>> All,
>>
>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
>> now available on the Apache Tomcat YouTube channel:
>>
>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>
> I watched the video and I have two comments. First, I'm really excited
> about SNI support. For my particular use-case, it's going to be really
> nice.
>
> Second, for my use case, I deploy hundreds ( like 700+ on one server
> right now) of virtual hosts. I deploy and un-deploy hosts kind of
> randomly depending on things that are happening. I use the host-manager
> application to deploy/undeploy virtual hosts. At startup time, I have a
> script that generates the host entries to a file, and then I include
> that file within server.xml using an entity expansion.
>
> I'm trying to understand how I could dynamically deploy a new host with
> an SSL certificate. Since the certificate configuration seems to be
> getting done at the connector, it "looks" to me like deploying a host
> with a new certificate (or changed certificate) would require
> re-starting the connector (tomcat). That would be really painful for me,
> forcing me to delay cert changes until maintenance times.

You are correct, that - currently - a Connector restart would be required.

> I wish that configuration was more consolidated. Right now (and if I'm
> doing this wrong, let me know), I have the generated host snippet that
> gets included in server.xml. Then, I have
> $CATALINA_BASE/conf/Catalina/hostname/context.xml which contains the
> context docBase, and access log valve configuration. Now, I'm looking at
> a 3rd thing with the certificates named in the Connector entry. Is there
> any way that .pem files that are in
> $CATALINA_BASE/conf/Catalina/hostname could be auto-loaded for that
> virtual host? I'm just kind of brainstorming.

The separation of the Host element and the SSLVirtualHost element was bugging me slightly, as was the duplication of the default host information. This is a good use case for trying to come up with something better / consolidated.

> Also, just thinking out
> loud, it would be really nice if Tomcat automatically found a host
> configuration xml file in $CATALINA_BASE/conf/Catalina/hostname so that
> I don't have to do the kind of ugly hack of the entity inclusion which
> has it's own problems (picture JSVC restart after deploying new host).

We'd need to think about naming, otherwise there will be the potential for the file being treated as a context file.

> I appreciate your thoughts, and if I'm doing something the hard way, any
> suggestions you might have.

I can't think of a better way right now. I'll see what I can come up with. It is probably worth creating an enhancement request in Bugzilla against 9.0.x with the info you provided above.

Mark
Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender
Sorry. I all of a sudden noticed the swallowOutput="false" in the cfcc.xml I had. I changed this to be true and now it appears most of the messages are being written to the localhost file. I don't see any messages missing. I will leave it run over night and see what happens and report tomorrow.

-Joleen

On Wed, Nov 25, 2015 at 3:50 PM, Joleen Barker wrote:
> I didn't get too far. For the option b and setting the swallowOutput=true
> in right place I need to get some clarification.
>
> I was looking up more information about the swallowOutput parm so I
> understood more. In Christopher's comments he spoke about updating the
> context xml. This is where I am confused. When I think of the word
> "context" it has always referring to the vendors web page to log in with
> and the context set is "cfcc". There is a file named cfcc.xml in the
> /server/conf/Catalina/localhost directory. Then there is
> the actual context.xml file located in the /server/conf
> directory. I am not sure which one I would put the swallowOutput parm in.
> Maybe it would be both.
>
> The only items in the context.xml file that are not commented out are the
> following settings and it's a pretty small file:
>
> WEB-INF/web.xml
> ${catalina.base}/conf/web.xml
> ...
> ...
>
> ...
> ...
> />
>
> The cfcc.xml file that I have has the following:
>
> charsetMapperClass="org.apache.catalina.util.CharsetMapper"
> className="org.apache.catalina.core.StandardContext" cookies="true"
> crossContext="false" debug="0" displayName="Secure Internet File Transfer
> Web Services" docBase="/opt/mftcc730/server/webapps/cfcc"
> mapperClass="org.apache.catalina.core.StandardContextMapper" path="/cfcc"
> privileged="false" reloadable="false" swallowOutput="false"
> useHttpOnly="false" useNaming="true"
> wrapperClass="org.apache.catalina.core.StandardWrapper">
>
> directory="/opt/mftcc730/server/logs" prefix="localhost_cfcc_"
> suffix=".txt" timestamp="true" verbosity="2"/>
> connectionName="cfcc" connectionPassword="TgPGKAy//0gDOq2Co5UnM2AE8pM="
> connectionURL="jdbc:mysql://192.168.1.7:3306/mft730?characterEncoding=UTF8"
> debug="0" digest="SHA" driverName="com.mysql.jdbc.Driver"
> roleNameCol="RoleID" userCredCol="Passwd" userNameCol="UserID"
> userRoleTable="UsersMap" userTable="Users" validate="true"/>
> type="javax.sql.DataSource"/>
>
> Thank you.
>
> -Joleen
>
> On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker wrote:
>> Thank you for some direction.
>>
>> I'll go ahead and put back the logging as it was from the vendor using
>> the logging.properties file, etc. etc. so as to minimize their lack of
>> support due to me changing a lot in their product.
>>
>> Then I'll go on to try option b.
>>
>> I'll report back with how it goes.
>>
>> -Joleen
>>
>> Joleen,
>>
>> On 11/24/15 4:31 PM, Joleen Barker wrote:
>> > I have setup the logrotate using cron in the past and it was very
>> > successful on the Linux boxes but I could not find an equivalent setup
>> > for AIX. Things seem so much easier on Linux. The company wants a universal
>> > approach so that left that option out.
>>
>> Only some things are easier on Linux.
>>
>> This may help:
>> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>>
>> > I did see the section you copied in from the catalina.sh file but
>> > couldnt make much out from it so I left it alone.
>> >
>> > I like the sound of option b. I know where the context xml file is.
>> > (Under the Catalina/localhost/.xml) Im not sure if this is what you
>> > mean by descriptor.
>>
>> Yup, that's the one. Just add the swallowOutput setting and restart the
>> web application. (Or restart Tomcat if that's easier for you.)
>>
>> > If I did this would I leave the log4j config changes that I
>> > have in place that already?
>>
>> No, you wouldn't have to use log4j at all. JULI can do log-rotation as
>> well, though the options aren't as nice as log4j. Log4j is a really
>> great logging system, actually.
>>
>> -chris
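The confusion in the message above (which of the two XML files takes `swallowOutput`) comes down to Tomcat's naming rule for per-context descriptors, and the quoted cfcc.xml carries two other settings worth a look while you are in the file: `useHttpOnly="false"` and a Realm with its database password inline. The script below is an added example, not code from this thread or from Tomcat: `descriptor_path()` builds the `conf/Catalina/<host>/<name>.xml` location from a context path, and `audit_context()` reports the swallowOutput, useHttpOnly and embedded-credential findings for a descriptor. The sample descriptor is constructed from the attributes quoted above, with the real password and database host replaced by placeholders; the Realm className is assumed to be JDBCRealm, which is the realm those attributes belong to.

```python
"""Locate a Tomcat per-context descriptor and check its logging and security settings.

Added example, not code from the thread or from Tomcat. SAMPLE_CFCC_XML is a
constructed descriptor based on the attributes quoted above; the password and
database host are placeholders and the Realm className is an assumption.
"""
import os
import xml.etree.ElementTree as ET


def descriptor_path(catalina_base, host, context_path):
    """conf/Catalina/<host>/<name>.xml, with the name derived from the context path.

    Tomcat names the root context ROOT.xml and replaces "/" inside a
    multi-level path with "#", so /a/b is served from a#b.xml.
    """
    stripped = context_path.strip("/")
    name = "ROOT" if not stripped else stripped.replace("/", "#")
    return os.path.join(catalina_base, "conf", "Catalina", host, name + ".xml")


def audit_context(xml_text):
    """Return (severity, code, message) findings for one context descriptor."""
    ctx = ET.fromstring(xml_text)
    if ctx.tag != "Context":
        return [("error", "not-a-context", "root element is <%s>" % ctx.tag)]
    findings = []

    # Logging: with swallowOutput unset or false, System.out/System.err from the
    # webapp bypass the context's logger and end up in catalina.out.
    if ctx.get("swallowOutput", "false").lower() != "true":
        findings.append(("info", "swallowOutput",
                         'stdout/stderr go to catalina.out; set swallowOutput="true" '
                         "to route them through the context's logger"))

    # Session cookie: Tomcat defaults useHttpOnly to true; only an explicit
    # "false" exposes JSESSIONID to script running in the page.
    if ctx.get("useHttpOnly", "true").lower() == "false":
        findings.append(("high", "useHttpOnly",
                         'session cookie readable by JavaScript; drop useHttpOnly="false"'))

    # Credentials: a JDBC realm configured inline keeps the DB password in the file.
    for realm in ctx.iter("Realm"):
        if realm.get("connectionPassword") is not None:
            findings.append(("medium", "realm-credentials",
                             "Realm stores a database password in the descriptor; "
                             "restrict file permissions or move to a DataSource-backed realm"))
    return findings


def audit_file(path):
    """Audit a descriptor on disk (convenience wrapper around audit_context)."""
    with open(path, encoding="utf-8") as fh:
        return audit_context(fh.read())


# Constructed sample: attribute names and values follow the cfcc.xml quoted above,
# except the password and DB host, which are placeholders.
SAMPLE_CFCC_XML = """\
<Context className="org.apache.catalina.core.StandardContext" cookies="true"
         crossContext="false" displayName="Secure Internet File Transfer Web Services"
         docBase="/opt/mftcc730/server/webapps/cfcc" path="/cfcc"
         privileged="false" reloadable="false" swallowOutput="false"
         useHttpOnly="false" useNaming="true">
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         connectionName="cfcc" connectionPassword="PLACEHOLDER-NOT-THE-REAL-PASSWORD"
         connectionURL="jdbc:mysql://db.example.invalid:3306/mft730?characterEncoding=UTF8"
         digest="SHA" driverName="com.mysql.jdbc.Driver"
         roleNameCol="RoleID" userCredCol="Passwd" userNameCol="UserID"
         userRoleTable="UsersMap" userTable="Users"/>
</Context>
"""

if __name__ == "__main__":
    print("descriptor:", descriptor_path("/opt/mftcc730/server", "localhost", "/cfcc"))
    for severity, code, message in audit_context(SAMPLE_CFCC_XML):
        print("%-6s %-18s %s" % (severity, code, message))
```

`conf/context.xml` holds defaults inherited by every context, so a setting placed there applies to all webapps; the per-context file under `conf/Catalina/localhost/` is the one that matches the `path="/cfcc"` deployment. Point `audit_file()` at that path to run the same checks on the real file.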
Re: Tomcat hanging when acting as GWT server.
Simon,

On 11/25/15 12:55 PM, Simon Callan wrote:
> The different versions of tomcat all show the same issue. We have this issue
> on two systems, and only two systems. We have not been able to reproduce this
> on any other system we have access to.
>
> Having investigated further, I appear to have provoked tomcat into producing
> a pair of exception backtraces in the log files:
>
> 25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-7] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
> at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
> at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.ECDHCrypt.(Unknown Source)
> at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
> at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
> at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
> at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:301)
> at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:359)
> ... 7 more
> Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
> at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
> ... 20 more
>
> 25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-1] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
> at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
> at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.ECDHCrypt.(Unknown Source)
> at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
> at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
> at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
> at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:301)
> at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:359)
> ... 7 more
> Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
> at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown
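The two stack traces above carry the diagnosis in their innermost `Caused by`: the JSSE server handshaker asked for an ephemeral ECDH key pair, the request was answered by `org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC`, and that generator rejected the curve OID 1.2.840.10045.3.1.7 (secp256r1, the NIST P-256 curve). The script below is an added example, not code from this thread or from Tomcat: it splits a JULI-format log into records, walks each record's exception chain down to the root cause, reports which JCE provider threw it, and names the curve from the OID. The sample log is an abbreviated copy of the two SEVERE records quoted above; the provider prefix table and curve OID table are this example's own.

```python
"""Pull the root cause out of Tomcat SEVERE records like the two quoted above.

Added example, not code from the thread. SAMPLE_LOG is an abbreviated copy
of the posted traces; PROVIDER_PREFIXES and KNOWN_CURVE_OIDS are mine.
"""
import re

HEADER = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \[([^\]]+)\] (\S+)$")
EXC = re.compile(r"^\s*([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")
CAUSE = re.compile(r"^\s*Caused by:\s+([\w.$]+)(?::\s*(.*))?$")
FRAME = re.compile(r"^\s*at\s+(\S+)\(.*\)$")
CURVE_OID = re.compile(r"unknown curve name:\s*([\d.]+)")

# Named-curve OIDs (RFC 5480 / SEC 2) that a server key or ECDHE suite may use.
KNOWN_CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "secp256r1 (prime256v1, NIST P-256)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
}
# Package prefix of the frame that threw -> the JCE provider it belongs to.
PROVIDER_PREFIXES = {"org.bouncycastle.": "Bouncy Castle", "sun.security.ec.": "SunEC"}


def split_events(log):
    """Return [(header_match, body_lines)] for each JULI log record."""
    events, current = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m, [])
            events.append(current)
        elif current is not None:
            current[1].append(line)
    return events


def parse_chain(lines):
    """Exception chain, outermost first: [{"type", "message", "frames"}]."""
    chain = []
    for line in lines:
        m = CAUSE.match(line)
        if m:
            chain.append({"type": m.group(1), "message": m.group(2) or "", "frames": []})
            continue
        m = FRAME.match(line)
        if m and chain:
            chain[-1]["frames"].append(m.group(1))
            continue
        m = EXC.match(line)
        if m and not chain:  # the first exception line opens the chain
            chain.append({"type": m.group(1), "message": m.group(2) or "", "frames": []})
    return chain


def diagnose(log):
    """One finding per record: thread, root cause, throwing frame, provider, curve."""
    findings = []
    for header, body in split_events(log):
        chain = parse_chain(body)
        if not chain:
            continue
        root = chain[-1]
        origin = root["frames"][0] if root["frames"] else ""
        provider = next((name for prefix, name in PROVIDER_PREFIXES.items()
                         if origin.startswith(prefix)), "unknown")
        m = CURVE_OID.search(root["message"])
        oid = m.group(1) if m else None
        findings.append({
            "thread": header.group(3), "root_type": root["type"],
            "root_message": root["message"], "origin": origin, "provider": provider,
            "curve_oid": oid, "curve_name": KNOWN_CURVE_OIDS.get(oid, "unknown") if oid else None,
        })
    return findings


# Abbreviated copy of the two records posted above (most frames elided).
SAMPLE_LOG = """\
25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-7] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.RuntimeException: Could not generate DH keypair
 at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
 at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
 at sun.security.ssl.ECDHCrypt.(Unknown Source)
 at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
 ... 7 more
Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
 at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
 ... 20 more
25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-1] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.RuntimeException: Could not generate DH keypair
 at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
 at sun.security.ssl.ECDHCrypt.(Unknown Source)
 ... 7 more
Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
 at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
 ... 20 more
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("%s: %s from %s (%s); curve %s = %s" % (
            f["thread"], f["root_type"], f["origin"], f["provider"], f["curve_oid"], f["curve_name"]))
```

What the output makes visible is that the `Could not generate DH keypair` text at the top of each trace is two wrappers deep; the actual failure is a provider rejecting the P-256 OID during `setupEphemeralECDHKeys`, so the thing to check on the two affected systems is which provider is registered ahead of SunEC for EC key generation (`java.security`, or code calling `Security.insertProviderAt`) and whether that provider version knows the curve.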
Re: [ANN] Apache Tomcat 8.0.29 available
Violeta,

On 11/25/15 3:00 PM, Violeta Georgieva wrote:
> 2015-11-25 21:38 GMT+02:00 Felix Schumacher <felix.schumac...@internetallee.de>:
>>
>> On 25 November 2015 20:24:17 CET, Violeta Georgieva <miles...@gmail.com> wrote:
>>> Hi,
>>>
>>> 2015-11-25 20:42 GMT+02:00 David Balažic:
>>>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>>> "TLSv1.0 is no an alias"
>>>> Should probably be "TLSv1.0 is not an alias"
>>>
>>> I fixed it.
>>
>> I believe it should have been "TLSv1.0 is no(w) an alias ... and will
>> no(t) work ..."
>
> Yep you are right.
> I fixed it.

Also, I'm fairly sure:

> Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL
> changes. In particular, TLSv1.0 is no an alias for those ciphers that
> require TLSv1 and will no work with SDSLv3.

s/SDSLv3/SSLv3/

-chris
Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender
I changed it back to use the log4j setting as I liked it better and the boss wants the files to rollover at midnight each night. Now when I startup the catalina.out file is empty and the logs appear to be split between the catalina file (not catalina.out) and the localhost file. Some of the messages are doubled between the two files. We will see what happens now with the swallowOutput=true. I'm so excited to see what is there tomorrow morning. lol

-Joleen

On Wed, Nov 25, 2015 at 6:59 PM, Joleen Barker wrote:
> Sorry. I all of a sudden noticed the swallowOutput="false" in the cfcc.xml
> I had. I changed this to be true and now it appears most of the messages
> are being written to the localhost file. I don't see any messages missing. I
> will leave it run over night and see what happens and report tomorrow.
>
> -Joleen
>
> On Wed, Nov 25, 2015 at 3:50 PM, Joleen Barker wrote:
>> I didn't get too far. For the option b and setting the swallowOutput=true
>> in right place I need to get some clarification.
>>
>> I was looking up more information about the swallowOutput parm so I
>> understood more. In Christopher's comments he spoke about updating the
>> context xml. This is where I am confused. When I think of the word
>> "context" it has always referring to the vendors web page to log in with
>> and the context set is "cfcc". There is a file named cfcc.xml in the
>> /server/conf/Catalina/localhost directory. Then there is
>> the actual context.xml file located in the /server/conf
>> directory. I am not sure which one I would put the swallowOutput parm in.
>> Maybe it would be both.
>>
>> The only items in the context.xml file that are not commented out are the
>> following settings and it's a pretty small file:
>>
>> WEB-INF/web.xml
>> ${catalina.base}/conf/web.xml
>> ...
>> ...
>>
>> ...
>> ...
>> />
>>
>> The cfcc.xml file that I have has the following:
>>
>> charsetMapperClass="org.apache.catalina.util.CharsetMapper"
>> className="org.apache.catalina.core.StandardContext" cookies="true"
>> crossContext="false" debug="0" displayName="Secure Internet File Transfer
>> Web Services" docBase="/opt/mftcc730/server/webapps/cfcc"
>> mapperClass="org.apache.catalina.core.StandardContextMapper" path="/cfcc"
>> privileged="false" reloadable="false" swallowOutput="false"
>> useHttpOnly="false" useNaming="true"
>> wrapperClass="org.apache.catalina.core.StandardWrapper">
>>
>> directory="/opt/mftcc730/server/logs" prefix="localhost_cfcc_"
>> suffix=".txt" timestamp="true" verbosity="2"/>
>> connectionName="cfcc" connectionPassword="TgPGKAy//0gDOq2Co5UnM2AE8pM="
>> connectionURL="jdbc:mysql://192.168.1.7:3306/mft730?characterEncoding=UTF8" debug="0" digest="SHA"
>> driverName="com.mysql.jdbc.Driver" roleNameCol="RoleID"
>> userCredCol="Passwd" userNameCol="UserID" userRoleTable="UsersMap"
>> userTable="Users" validate="true"/>
>> type="javax.sql.DataSource"/>
>>
>> Thank you.
>>
>> -Joleen
>>
>> On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker wrote:
>>> Thank you for some direction.
>>>
>>> I'll go ahead and put back the logging as it was from the vendor using
>>> the logging.properties file, etc. etc. so as to minimize their lack of
>>> support due to me changing a lot in their product.
>>>
>>> Then I'll go on to try option b.
>>>
>>> I'll report back with how it goes.
>>>
>>> -Joleen
>>>
>>> Joleen,
>>>
>>> On 11/24/15 4:31 PM, Joleen Barker wrote:
>>> > I have setup the logrotate using cron in the past and it was very
>>> > successful on the Linux boxes but I could not find an equivalent setup
>>> > for AIX. Things seem so much easier on Linux. The company wants a universal
>>> > approach so that left that option out.
>>>
>>> Only some things are easier on Linux.
>>>
>>> This may help:
>>> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>>>
>>> > I did see the section you copied in from the catalina.sh file but
>>> > couldnt make much out from it so I left it alone.
>>> >
>>> > I like the sound of option b. I know where the context xml file is.
>>> > (Under the Catalina/localhost/.xml) Im not sure if this is what you
>>> > mean by descriptor.
>>>
>>> Yup, that's the one. Just add the swallowOutput setting and restart the
>>> web application. (Or restart Tomcat if that's easier for you.)
>>>
>>> > If I did this would I leave the log4j config changes that I
>>> > have in place that already?
>>>
>>> No, you wouldn't have to use log4j at all. JULI can do log-rotation as
>>> well, though the options aren't as nice as log4j. Log4j is a really
>>> great logging system, actually.
>>>
>>> -chris
Re: [ANNOUNCE] CFP open for ApacheCon North America 2016
Tomcat Users,

On 11/25/15 12:32 PM, Rich Bowen wrote:
> Community growth starts by talking with those interested in your
> project. ApacheCon North America is coming, are you?
>
> We are delighted to announce that the Call For Presentations (CFP) is
> now open for ApacheCon North America.

Okay, folks, it's that time again. Last year, we didn't get much feedback when we asked, but I'll go ahead and ask again: what kinds of presentations at ApacheCon would encourage you to attend?

Last year at ApacheCon North America we had the following Tomcat-related presentations:

- Intro to Load-Balancing Tomcat with httpd and mod_jk
- Tomcat Clustering: Part 1 - Reverse Proxies
- Tomcat Clustering: Part 2 - Load-Balancing
- Tomcat Clustering: Part 3 - Session Replication
- Monitoring Apache Tomcat
- Choosing tomcat Connectors: Internals and Performances

This year at ApacheCon Europe we had the following Tomcat-related presentations:

- Tomcat 9 Progress Report
- Tomcat Cluster
- Server Side TLS (for HTTP/2) and Java

What other topics would you folks like to see at ApacheCon? Maybe you have a topic you'd like to *present* at ApacheCon? Attendance is free for ApacheCon if you are a presenter and if you do a bit of work (mostly being an MC for a half-day in a single room), you can even get travel assistance.

My employer is generous enough to pay for my attendance AND I don't have to take vacation. Consider it continuing education. Or, if you present, consider it payment for great software you've been using at no cost along with (hopefully) top-notch technical support from this community.

-chris
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
Mark,

On 11/24/2015 4:11 PM, Mark Thomas wrote:
> All,
>
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> now available on the Apache Tomcat YouTube channel:
>
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g

I watched the video and I have two comments. First, I'm really excited about SNI support. For my particular use-case, it's going to be really nice.

Second, for my use case, I deploy hundreds ( like 700+ on one server right now) of virtual hosts. I deploy and un-deploy hosts kind of randomly depending on things that are happening. I use the host-manager application to deploy/undeploy virtual hosts. At startup time, I have a script that generates the host entries to a file, and then I include that file within server.xml using an entity expansion.

I'm trying to understand how I could dynamically deploy a new host with an SSL certificate. Since the certificate configuration seems to be getting done at the connector, it "looks" to me like deploying a host with a new certificate (or changed certificate) would require re-starting the connector (tomcat). That would be really painful for me, forcing me to delay cert changes until maintenance times.

I wish that configuration was more consolidated. Right now (and if I'm doing this wrong, let me know), I have the generated host snippet that gets included in server.xml. Then, I have $CATALINA_BASE/conf/Catalina/hostname/context.xml which contains the context docBase, and access log valve configuration. Now, I'm looking at a 3rd thing with the certificates named in the Connector entry. Is there any way that .pem files that are in $CATALINA_BASE/conf/Catalina/hostname could be auto-loaded for that virtual host? I'm just kind of brainstorming.

Also, just thinking out loud, it would be really nice if Tomcat automatically found a host configuration xml file in $CATALINA_BASE/conf/Catalina/hostname so that I don't have to do the kind of ugly hack of the entity inclusion which has it's own problems (picture JSVC restart after deploying new host).

I appreciate your thoughts, and if I'm doing something the hard way, any suggestions you might have.

> Mark

--
George Sexton
MH Software, Inc.
Voice: 303 438 9585
http://www.mhsoftware.com
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
Mark, On 11/25/15 6:44 PM, Mark Thomas wrote: > On 25/11/2015 22:38, George Sexton wrote: >> Mark, >> >> On 11/24/2015 4:11 PM, Mark Thomas wrote: >>> All, >>> >>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is >>> now available on the Apache Tomcat YouTube channel: >>> >>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g >> >> I watched the video and I have two comments. First, I'm really excited >> about SNI support. For my particular use-case, it's going to be really >> nice. >> >> Second, for my use case, I deploy hundreds ( like 700+ on one server >> right now) of virtual hosts. I deploy and un-deploy hosts kind of >> randomly depending on things that are happening. I use the host-manager >> application to deploy/undeploy virtual hosts. At startup time, I have a >> script that generates the host entries to a file, and then I include >> that file within server.xml using an entity expansion. >> >> I'm trying to understand how I could dynamically deploy a new host with >> an SSL certificate. Since the certificate configuration seems to be >> getting done at the connector, it "looks" to me like deploying a host >> with a new certificate (or changed certificate) would require >> re-starting the connector (tomcat). That would be really painful for me, >> forcing me to delay cert changes until maintenance times. > > You are correct, that - currently - a Connector restart would be required. > >> I wish that configuration was more consolidated. Right now (and if I'm >> doing this wrong, let me know), I have the generated host snippet that >> gets included in server.xml. Then, I have >> $CATALINA_BASE/conf/Catalina/hostname/context.xml which contains the >> context docBase, and access log valve configuration. Now, I'm looking at >> a 3rd thing with the certificates named in the Connector entry. Is there >> any way that .pem files that are in >> $CATALINA_BASE/conf/Catalina/hostname could be auto-loaded for that >> virtual host? 
I'm just kind of brainstorming. > > The separation of the Host element and the SSLVirtualHost element was > bugging me slightly, as was the duplication of the default host > information. This is a good use case for trying to come up with > something better / consolidated. I'd like to point-out that this is no more painful than doing the same operation on Tomcat 7 or 8... you still need to restart the connector if you want to change something about the TLS configuration. I just wanted to make it clear that this isn't any kind of loss of capabilties or a regression or anything. I suppose the Connector could "search" through the configured s looking for one that had a name (or alias) matching the SNI name in the TLS handshake, and then looking for an appropriate SSLHostConfig (or whatever) configuration to go with it. That would slow-down the handshake ever so slightly. This is all new stuff, and so it doesn't have the support yet for fancy re-configuration at runtime, yet. This is good feedback. What if adding a at runtime -- either directly, programatically, or by using JMX/some other technique -- could also add an SSLHostConfig to wherever is appropriate? So, if we were to move SSLHostConfig from the Connector to the Host itself, or leave it where it is, Tomcat could take-care of the complexity there for you? >> Also, just thinking out >> loud, it would be really nice if Tomcat automatically found a host >> configuration xml file in $CATALINA_BASE/conf/Catalina/hostname so that >> I don't have to do the kind of ugly hack of the entity inclusion which >> has it's own problems (picture JSVC restart after deploying new host). > > We'd need to think about naming, otherwise there will be the potential > for the file being treated as a context file. +1 Instead of using conf/Catalina/[hostname].xml (or similar), we could use a subdirectory: conf/Catalina/hosts/[hostname].xml The "hosts" subdirectory should never be confused with a context deployment descriptor. 
>> I appreciate your thoughts, and if I'm doing something the hard way, any suggestions you might have.
>
> I can't think of a better way right now. I'll see what I can come up with. It is probably worth creating an enhancement request in Bugzilla against 9.0.x with the info you provided above.

+1

This was a milestone release with a "1.0" way down the line -- mostly because of the fact that we have to wait-around for the Servlet and other related specifications to be finalized -- so I think we have plenty of time to change our minds about things.

I've had many occasions to talk to Mark about Tomcat use versus implementation and he's made it perfectly clear to me that he is neither an application developer nor an administrator, so he's not a good resource for coming up with real-world requirements. That is, he's not a "user" of Tomcat and therefore not in a great position to be able to guess what the best way for users to use Tomcat would be. That's where we -- the users and
RE: Tomcat hanging when acting as GWT server.
>>> Then, after the user logs-out (from the either completely responsive or completely non-responsive web application), the web application becomes (or remains) unresponsive?
>>
>> What I mean by this is:
>> 1. User starts web-app, and uses it normally.
>
> Do you mean that the user starts using the web application? It's rare for a user to start (e.g. launch, deploy, etc.) a web application. I'm trying to parse-out the difference between the web application starting up in Tomcat versus a user logging-into it -- the two are radically different things.

The user opens the application home page in the web browser.

>> 2. In a separate tab, the user tries to go to the tomcat home page, or the tomcat manager. IE displays the standard "This page can't be displayed" error message.
>
> Immediately, or is there a time lag? Do you get an HTTP response, or a failure to connect? MSIE is terrible at telling users what is really going on. Get a protocol analyzer if necessary (e.g. fiddler, or whatever plug-ins are available for MSIE).

It's fast enough that I cannot see any visible lag.

>> 3. The user can continue using the web-app.
>
> In the first tab?

Yes.

>> 4. The user closes the web browser and restarts it or logs out from the web-app, and goes to the web-app start page. IE displays the standard "This page can't be displayed" error message.
>
> So at this point, nobody can connect?

Correct.

>> It's as though the RPC ("POST /clearcore/ClearCore/CCService HTTP/1.1") commands are working fine, but the normal page GET is failing.
>
> After the web application is deployed (launched in Tomcat, before any web browser has tried to connect), can you login to the Tomcat manager? Is it something that GWT/your application is doing that locks you out of the Tomcat manager? Or is the manager actually never available?

The tomcat manager works perfectly before we start using our application.
Having investigated further, if you have the tomcat manager already open in a tab when you start the application in another tab, the manager seems to keep running. As long as you don't open a new tab, it all seems fine.

>> Is it possible to kill the code that processes GET requests without affecting POST messages?
>
> No.

That's what I thought.

>> If we configure tomcat to use HTTPS on port 8443, we get the error. If we leave tomcat in the standard HTTP port 8080 settings, everything is fine.
>>
>> We haven't tried having both HTTP and HTTPS configured simultaneously.
>
> That's certainly odd.

We have now tried both HTTP and HTTPS, and the HTTP connection has no issues, even after running our application.

> Is there a working system? I noticed that you have two different Tomcat versions. Does one of them work and the other does not? You didn't mention that this was only affecting one system...

The different versions of tomcat all show the same issue. We have this issue on two systems, and only two systems. We have not been able to reproduce this on any other system we have access to.
Having investigated further, I appear to have provoked tomcat into producing a pair of exception backtraces in the log files:

    25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-7] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
    java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
        at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.RuntimeException: Could not generate DH keypair
        at sun.security.ssl.ECDHCrypt.<init>(Unknown Source)
        at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
        at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
        at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
        at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker$1.run(Unknown Source)
        at sun.security.ssl.Handshaker$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at
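The "Caused by" frames in the trace above sit in sun.security.ssl.ECDHCrypt while the server handshaker sets up ephemeral ECDH keys for the suite it just chose, so what is failing is the JVM's own EC key generation, not Tomcat. The check below is an added diagnostic (not from the thread and not Tomcat code) that performs that same key generation directly, outside any TLS connection; the list of named curves is my assumption of what the JSSE server side offers.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added diagnostic, not Tomcat code: reproduces the EC key generation that
 * sun.security.ssl.ECDHCrypt performs during a server handshake, so a JVM
 * that cannot produce EC keys is identified before it sits behind an HTTPS
 * connector rather than by a failed handshake in the log.
 */
public final class EcKeygenCheck {

    // Assumed set of named curves the JSSE server side uses for ECDHE suites.
    static final String[] CURVES = { "secp256r1", "secp384r1", "secp521r1" };

    /** Installed providers that claim to offer EC key pair generation. */
    public static List<String> ecProviders() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /**
     * Generates one EC key pair per curve exactly as the handshaker would.
     * Returns curve -> "ok" or the failure that was raised. Runtime exceptions
     * are caught too, because a broken native EC provider surfaces that way.
     */
    public static Map<String, String> checkCurves() {
        Map<String, String> results = new LinkedHashMap<>();
        for (String curve : CURVES) {
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
                kpg.initialize(new ECGenParameterSpec(curve));
                kpg.generateKeyPair();
                results.put(curve, "ok");
            } catch (Exception e) {
                results.put(curve, e.getClass().getName() + ": " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("EC KeyPairGenerator providers: " + ecProviders());
        Map<String, String> results = checkCurves();
        results.forEach((curve, status) -> System.out.println(curve + " -> " + status));
        // A curve that is not "ok" here fails the same way inside the NIO
        // connector whenever a client negotiates an ECDHE suite on it.
        boolean allOk = results.values().stream().allMatch("ok"::equals);
        System.out.println(allOk ? "EC key generation works"
                                 : "EC key generation is broken in this JVM");
        // Until the JVM is fixed, the connector's "ciphers" attribute can be
        // limited to non-EC suites so the handshake never reaches ECDHCrypt.
    }
}
```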
Re: [ANN] Apache Tomcat 8.0.29 available
On 25 November 2015 20:24:17 CET, Violeta Georgieva wrote:
> Hi,
>
> 2015-11-25 20:42 GMT+02:00 David Balažic:
>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>
>> "TLSv1.0 is no an alias"
>>
>> Should probably be "TLSv1.0 is not an alias"
>
> I fixed it.

I believe it should have been "TLSv1.0 is no(w) an alias ... and will no(t) work ..."

Regards,
Felix

> Thanks,
> Violeta
>
>> Regards,
>> David Balažic
>>
>>> -Original Message-
>>> From: Mark Thomas [mailto:ma...@apache.org]
>>> Sent: 25. November 2015 17:22
>>> To: users@tomcat.apache.org
>>> Cc: d...@tomcat.apache.org; annou...@apache.org; annou...@tomcat.apache.org
>>> Subject: [ANN] Apache Tomcat 8.0.29 available
>>> Importance: Low
>>>
>>> The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.29.
>>>
>>> Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.
>>>
>>> Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as well as other enhancements and changes. The notable changes since 8.0.28 include:
>>>
>>> - Add an option to control (per context) quoting of EL expressions in JSP attributes
>>> - Correct a regression in the fix for 56777 that added support for URIs in config file locations
>>> - Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs
>>> - Use instance manager for WebSocket server endpoint instances
>>>
>>> Please refer to the change log for the complete list of changes:
>>> http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>>
>>> Downloads:
>>> http://tomcat.apache.org/download-80.cgi
>>>
>>> Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
>>> http://tomcat.apache.org/migration.html
>>>
>>> Enjoy!
>>>
>>> - The Apache Tomcat team
[ANNOUNCE] CFP open for ApacheCon North America 2016
Community growth starts by talking with those interested in your project. ApacheCon North America is coming, are you?

We are delighted to announce that the Call For Presentations (CFP) is now open for ApacheCon North America. You can submit your proposed sessions at http://events.linuxfoundation.org/events/apache-big-data-north-america/program/cfp for big data talks and http://events.linuxfoundation.org/events/apachecon-north-america/program/cfp for all other topics.

ApacheCon North America will be held in Vancouver, Canada, May 9-13th 2016. ApacheCon has been running every year since 2000, and is the place to build your project communities.

While we will consider individual talks we prefer to see related sessions that are likely to draw users and community members. When submitting your talk work with your project community and with related communities to come up with a full program that will walk attendees through the basics and on into mastery of your project in example use cases. Content that introduces what's new in your latest release is also of particular interest, especially when it builds upon existing well known application models. The goal should be to showcase your project in ways that will attract participants and encourage engagement in your community. Please remember to involve your whole project community (user and dev lists) when building content. This is your chance to create a project specific event within the broader ApacheCon conference.

Content at ApacheCon North America will be cross-promoted as mini-conferences, such as ApacheCon Big Data, and ApacheCon Mobile, so be sure to indicate which larger category your proposed sessions fit into.

Finally, please plan to attend ApacheCon, even if you're not proposing a talk. The biggest value of the event is community building, and we count on you to make it a place where your project community is likely to congregate, not just for the technical content in sessions, but for hackathons, project summits, and good old fashioned face-to-face networking.

--
rbo...@apache.org
http://apache.org/
Re: [ANN] Apache Tomcat 8.0.29 available
2015-11-25 21:38 GMT+02:00 Felix Schumacher <felix.schumac...@internetallee.de>:
> On 25 November 2015 20:24:17 CET, Violeta Georgieva <miles...@gmail.com> wrote:
>> Hi,
>>
>> 2015-11-25 20:42 GMT+02:00 David Balažic:
>>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>>
>>> "TLSv1.0 is no an alias"
>>>
>>> Should probably be "TLSv1.0 is not an alias"
>>
>> I fixed it.
>
> I believe it should have been "TLSv1.0 is no(w) an alias ... and will no(t) work ..."

Yep you are right.
I fixed it.

> Regards,
> Felix
>
>> Thanks,
>> Violeta
>>
>>> Regards,
>>> David Balažic
>>>
>>>> -Original Message-
>>>> From: Mark Thomas [mailto:ma...@apache.org]
>>>> Sent: 25. November 2015 17:22
>>>> To: users@tomcat.apache.org
>>>> Cc: d...@tomcat.apache.org; annou...@apache.org; annou...@tomcat.apache.org
>>>> Subject: [ANN] Apache Tomcat 8.0.29 available
>>>> Importance: Low
>>>>
>>>> The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.29.
>>>>
>>>> Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.
>>>>
>>>> Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as well as other enhancements and changes. The notable changes since 8.0.28 include:
>>>>
>>>> - Add an option to control (per context) quoting of EL expressions in JSP attributes
>>>> - Correct a regression in the fix for 56777 that added support for URIs in config file locations
>>>> - Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs
>>>> - Use instance manager for WebSocket server endpoint instances
>>>>
>>>> Please refer to the change log for the complete list of changes:
>>>> http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>>>
>>>> Downloads:
>>>> http://tomcat.apache.org/download-80.cgi
>>>>
>>>> Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
>>>> http://tomcat.apache.org/migration.html
>>>>
>>>> Enjoy!
>>>>
>>>> - The Apache Tomcat team
Re: [ANN] Apache Tomcat 8.0.29 available
Hi,

2015-11-25 20:42 GMT+02:00 David Balažic:
> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>
> "TLSv1.0 is no an alias"
>
> Should probably be "TLSv1.0 is not an alias"

I fixed it.

Thanks,
Violeta

> Regards,
> David Balažic
>
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: 25. November 2015 17:22
>> To: users@tomcat.apache.org
>> Cc: d...@tomcat.apache.org; annou...@apache.org; annou...@tomcat.apache.org
>> Subject: [ANN] Apache Tomcat 8.0.29 available
>> Importance: Low
>>
>> The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.29.
>>
>> Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.
>>
>> Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as well as other enhancements and changes. The notable changes since 8.0.28 include:
>>
>> - Add an option to control (per context) quoting of EL expressions in JSP attributes
>> - Correct a regression in the fix for 56777 that added support for URIs in config file locations
>> - Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs
>> - Use instance manager for WebSocket server endpoint instances
>>
>> Please refer to the change log for the complete list of changes:
>> http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>
>> Downloads:
>> http://tomcat.apache.org/download-80.cgi
>>
>> Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
>> http://tomcat.apache.org/migration.html
>>
>> Enjoy!
>>
>> - The Apache Tomcat team
RE: [ANN] Apache Tomcat 8.0.29 available
Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

"TLSv1.0 is no an alias"

Should probably be "TLSv1.0 is not an alias"

Regards,
David Balažic

> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: 25. November 2015 17:22
> To: users@tomcat.apache.org
> Cc: d...@tomcat.apache.org; annou...@apache.org; annou...@tomcat.apache.org
> Subject: [ANN] Apache Tomcat 8.0.29 available
> Importance: Low
>
> The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.29.
>
> Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.
>
> Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as well as other enhancements and changes. The notable changes since 8.0.28 include:
>
> - Add an option to control (per context) quoting of EL expressions in JSP attributes
> - Correct a regression in the fix for 56777 that added support for URIs in config file locations
> - Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs
> - Use instance manager for WebSocket server endpoint instances
>
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>
> Downloads:
> http://tomcat.apache.org/download-80.cgi
>
> Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
> http://tomcat.apache.org/migration.html
>
> Enjoy!
>
> - The Apache Tomcat team
Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender
I didn't get too far. For option b and setting swallowOutput=true in the right place I need to get some clarification.

I was looking up more information about the swallowOutput parm so I understood more. In Christopher's comments he spoke about updating the context xml. This is where I am confused. When I think of the word "context" it has always referred to the vendor's web page to log in with, and the context set is "cfcc". There is a file named cfcc.xml in the /server/conf/Catalina/localhost directory. Then there is the actual context.xml file located in the /server/conf directory. I am not sure which one I would put the swallowOutput parm in. Maybe it would be both.

The only items in the context.xml file that are not commented out are the following settings and it's a pretty small file:

    WEB-INF/web.xml
    ${catalina.base}/conf/web.xml
    ...
    ...
    ...
    ...

The cfcc.xml file that I have has the following:

Thank you.
-Joleen

On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker wrote:
> Thank you for some direction.
>
> I'll go ahead and put back the logging as it was from the vendor using the logging.properties file, etc. etc. so as to minimize their lack of support due to me changing a lot in their product.
>
> Then I'll go on to try option b.
>
> I'll report back with how it goes.
>
> -Joleen
>
>> Joleen,
>>
>> On 11/24/15 4:31 PM, Joleen Barker wrote:
>>> I have setup the logrotate using cron in the past and it was very successful on the Linux boxes but I could not find an equivalent setup for AIX. Things seem so much easier on Linux. The company wants a universal approach so that left that option out.
>>
>> Only some things are easier on Linux.
>>
>> This may help:
>> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>>
>>> I did see the section you copied in from the catalina.sh file but couldn't make much out from it so I left it alone.
>>>
>>> I like the sound of option b. I know where the context xml file is. (Under the Catalina/localhost/.xml) I'm not sure if this is what you mean by descriptor.
>>
>> Yup, that's the one. Just add the swallowOutput setting and restart the web application. (Or restart Tomcat if that's easier for you.)
>>
>>> If I did this would I leave the log4j config changes that I have in place already?
>>
>> No, you wouldn't have to use log4j at all. JULI can do log-rotation as well, though the options aren't as nice as log4j. Log4j is a really great logging system, actually.
>>
>> -chris
Re: Question related to Session management in Tomcat !
Utkarsh,

On 11/25/15 6:29 AM, Utkarsh Dave wrote:
> Thank You Mark
>
> On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas wrote:
>> On 25/11/2015 10:50, Utkarsh Dave wrote:
>>> Hello,
>>>
>>> I need inputs/answers on the points below to implement a secure session management application, or, if there is any configuration that may need to be tuned to improve the points below, please point me to it.
>>> A)
>>> Are session IDs cryptographically strong and do they not reveal sensitive information, so that they can't be guessed easily or used to find attack vectors? Do we meet the below?
>>> 1. Are strong entropy sources being used to generate the session ID value?
>>
>> Yes, it uses java.security.SecureRandom by default.
>>
>>> 2. Are strong cryptographic algorithms being used to generate the session ID value?
>>
>> Yes, SHA1PRNG by default.
>>
>>> 3. Does the session ID value provide at least 128 bits of entropy?
>>
>> Yes, the session ID is 16 bytes / 128 bits long by default.
>>
>>> 4. Is the session ID value meaningless, to prevent information disclosure attacks allowing recovery of the contents of the ID and extraction of details of the user, the session, or the inner workings of the web application?
>>
>> Yes.
>>
>>> B)
>>> Are the session IDs fully validated before they may be used?
>>> When using a session ID to keep authentication state and track user progress within a web application, the application MUST treat the session ID as untrusted data, and sanitize and validate it before use.
>>
>> Yes.
>>
>> As with most things in Tomcat, configuration provides a lot of control over session ID generation but the default settings meet the requirements you set out above.
>>
>> Mark

Good luck on your checkbox-based security audit!

-chris
Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender
Thank you for some direction.

I'll go ahead and put back the logging as it was from the vendor using the logging.properties file, etc. etc. so as to minimize their lack of support due to me changing a lot in their product.

Then I'll go on to try option b.

I'll report back with how it goes.

-Joleen

> Joleen,
>
> On 11/24/15 4:31 PM, Joleen Barker wrote:
>> I have setup the logrotate using cron in the past and it was very successful on the Linux boxes but I could not find an equivalent setup for AIX. Things seem so much easier on Linux. The company wants a universal approach so that left that option out.
>
> Only some things are easier on Linux.
>
> This may help:
> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>
>> I did see the section you copied in from the catalina.sh file but couldn't make much out from it so I left it alone.
>>
>> I like the sound of option b. I know where the context xml file is. (Under the Catalina/localhost/.xml) I'm not sure if this is what you mean by descriptor.
>
> Yup, that's the one. Just add the swallowOutput setting and restart the web application. (Or restart Tomcat if that's easier for you.)
>
>> If I did this would I leave the log4j config changes that I have in place already?
>
> No, you wouldn't have to use log4j at all. JULI can do log-rotation as well, though the options aren't as nice as log4j. Log4j is a really great logging system, actually.
>
> -chris
Re: [ANN] Apache Tomcat 8.0.29 available
Chris,

2015-11-26 2:52 GMT+02:00 Christopher Schultz:
> Violeta,
>
> On 11/25/15 3:00 PM, Violeta Georgieva wrote:
>> 2015-11-25 21:38 GMT+02:00 Felix Schumacher <felix.schumac...@internetallee.de>:
>>> On 25 November 2015 20:24:17 CET, Violeta Georgieva <miles...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> 2015-11-25 20:42 GMT+02:00 David Balažic:
>>>>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>>>>
>>>>> "TLSv1.0 is no an alias"
>>>>>
>>>>> Should probably be "TLSv1.0 is not an alias"
>>>>
>>>> I fixed it.
>>>
>>> I believe it should have been "TLSv1.0 is no(w) an alias ... and will no(t) work ..."
>>
>> Yep you are right.
>> I fixed it.
>
> Also, I'm fairly sure:
>
>> Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL changes. In particular, TLSv1.0 is no an alias for those ciphers that require TLSv1 and will no work with SDSLv3.
>
> s/SDSLv3/SSLv3/

I fixed that with the first commit.
Do I miss something?

Thanks,
Vily

> -chris
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
Mark,

On 2015-11-24 23:11:34, Mark Thomas wrote:
> All,
>
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is now available on the Apache Tomcat YouTube channel:
>
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>
> Mark

I think I'm gonna like this series. For now I just quickly scanned through the video, but I will definitely watch the whole video soon.

Thanks for your efforts... keep 'm coming.

--
Kind regards,
Martijn Bos
+31 6 39477001
(Public pgp-key: http://maboc.nl/pubkey.maboc.asc)
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
2015-11-25 12:06 GMT+01:00 Johan Compagner:
> thx,
>
> one question I have, is server push always code? Because for me it is: if this js file is hit (served by the default servlet of Tomcat I guess), also send in this set..
>
> So it's kind of a configuration, or should I just use a filter for that?

It is code only, so you should use a filter for your use case. There may be configuration for this eventually, but the most likely is that this config is delegated to frameworks, which will then use the code.

Rémy
Re: Question related to Session management in Tomcat !
On 25/11/2015 10:50, Utkarsh Dave wrote:
> Hello,
>
> I need inputs/answers on the points below to implement a secure session management application, or, if there is any configuration that may need to be tuned to improve the points below, please point me to it.
> A)
> Are session IDs cryptographically strong and do they not reveal sensitive information, so that they can't be guessed easily or used to find attack vectors? Do we meet the below?
> 1. Are strong entropy sources being used to generate the session ID value?

Yes, it uses java.security.SecureRandom by default.

> 2. Are strong cryptographic algorithms being used to generate the session ID value?

Yes, SHA1PRNG by default.

> 3. Does the session ID value provide at least 128 bits of entropy?

Yes, the session ID is 16 bytes / 128 bits long by default.

> 4. Is the session ID value meaningless, to prevent information disclosure attacks allowing recovery of the contents of the ID and extraction of details of the user, the session, or the inner workings of the web application?

Yes.

> B)
> Are the session IDs fully validated before they may be used?
> When using a session ID to keep authentication state and track user progress within a web application, the application MUST treat the session ID as untrusted data, and sanitize and validate it before use.

Yes.

As with most things in Tomcat, configuration provides a lot of control over session ID generation but the default settings meet the requirements you set out above.

Mark
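To make the defaults Mark lists concrete, here is an added example (not Tomcat's own code, not from the thread) that builds IDs the same way, a SHA1PRNG-backed SecureRandom feeding 16 random bytes that are hex-encoded with an optional jvmRoute suffix, and pairs it with the application-side validation point B asks for. The well-formedness pattern and the characters allowed in a jvmRoute are my assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example, not Tomcat code: session ID generation with the defaults
 * named in the thread (SecureRandom, SHA1PRNG, 16 bytes = 128 bits) plus a
 * validator that treats a client-supplied ID as untrusted input.
 */
public final class SessionIdDemo {

    private static final int ID_LENGTH_BYTES = 16;   // 128 bits of CSPRNG output

    // Assumed shape of a well-formed ID: 32 hex digits, optionally ".jvmRoute".
    private static final Pattern WELL_FORMED =
            Pattern.compile("^[0-9A-F]{32}(?:\\.[A-Za-z0-9_-]{1,64})?$");

    private final SecureRandom random;
    private final String jvmRoute;                   // null means no route suffix

    public SessionIdDemo(String jvmRoute) throws NoSuchAlgorithmException {
        // The algorithm Mark names as the default; seeded by the platform.
        this.random = SecureRandom.getInstance("SHA1PRNG");
        this.jvmRoute = jvmRoute;
    }

    /** 16 CSPRNG bytes, upper-case hex, jvmRoute appended when configured. */
    public String generate() {
        byte[] bytes = new byte[ID_LENGTH_BYTES];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(2 * ID_LENGTH_BYTES + 20);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        String id = sb.toString().toUpperCase(Locale.ROOT);
        return jvmRoute == null ? id : id + '.' + jvmRoute;
    }

    /**
     * Point B of the question: the ID arriving in a cookie or URL is untrusted.
     * Anything that does not have the expected shape is rejected before it is
     * used for a lookup, written to a log, or echoed back in a response.
     */
    public static boolean isWellFormed(String candidate) {
        return candidate != null && WELL_FORMED.matcher(candidate).matches();
    }

    public static void main(String[] args) throws Exception {
        SessionIdDemo gen = new SessionIdDemo("node1");
        String id = gen.generate();
        System.out.println("generated: " + id + "  well-formed=" + isWellFormed(id));

        // Constructed hostile inputs: too short, wrong case, path traversal,
        // and a CRLF sequence that would corrupt a log line or header.
        String[] bad = {
            "ABC",
            id.toLowerCase(Locale.ROOT),
            "../../etc/passwd",
            "0123456789ABCDEF0123456789ABCDEF\r\nSet-Cookie: x=y"
        };
        for (String b : bad) {
            System.out.println("rejected: " + isWellFormed(b) + "  <- "
                    + b.replace("\r", "\\r").replace("\n", "\\n"));
        }
    }
}
```

A well-formed ID is still only a candidate: whether it names a live session is decided by the session manager, and the format check just keeps garbage from ever reaching it.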
Question related to Session management in Tomcat !
Hello,

I need inputs/answers on the points below to implement a secure session management application, or, if there is any configuration that may need to be tuned to improve the points below, please point me to it.

A)
Are session IDs cryptographically strong and do they not reveal sensitive information, so that they can't be guessed easily or used to find attack vectors? Do we meet the below?
1. Are strong entropy sources being used to generate the session ID value?
2. Are strong cryptographic algorithms being used to generate the session ID value?
3. Does the session ID value provide at least 128 bits of entropy?
4. Is the session ID value meaningless, to prevent information disclosure attacks allowing recovery of the contents of the ID and extraction of details of the user, the session, or the inner workings of the web application?

B)
Are the session IDs fully validated before they may be used?
When using a session ID to keep authentication state and track user progress within a web application, the application MUST treat the session ID as untrusted data, and sanitize and validate it before use.

Thanks a lot for your time.
Utkarsh Dave
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
thx,

one question I have, is server push always code? Because for me it is: if this js file is hit (served by the default servlet of Tomcat I guess), also send in this set..

So it's kind of a configuration, or should I just use a filter for that?

On 25 November 2015 at 00:11, Mark Thomas wrote:
> All,
>
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is now available on the Apache Tomcat YouTube channel:
>
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>
> Mark

--
Johan Compagner
Servoy
Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube
On 25/11/2015 11:06, Johan Compagner wrote:
> thx,
>
> one question I have, is server push always code?

At the moment, yes.

> Because for me it is: if this js file is hit (served by the default servlet of Tomcat I guess), also send in this set..
>
> So it's kind of a configuration, or should I just use a filter for that?

A Filter would work for now. Anything else would require the default servlet to parse the static content to look for whatever marker is used to indicate additional resources to push. I'm not sure that is a good solution.

Mark

> On 25 November 2015 at 00:11, Mark Thomas wrote:
>> All,
>>
>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is now available on the Apache Tomcat YouTube channel:
>>
>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>>
>> Mark
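The Filter that Rémy and Mark both point to, as an added example that is not from the thread and not Tomcat's own code: it keeps a fixed map of companion resources to push when a given file is hit, so no static content has to be parsed for markers. It assumes the Servlet 4.0 PushBuilder API (HttpServletRequest#newPushBuilder) as shipped in Tomcat 9 releases rather than the milestone API of the time; the paths in the map are constructed.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.PushBuilder;

/**
 * Added example, not Tomcat code: when one of the mapped files is requested
 * over HTTP/2, push its companion resources before letting the default servlet
 * serve the file itself. Assumes the Servlet 4.0 PushBuilder API.
 */
@WebFilter(urlPatterns = { "/js/*", "/index.html" })
public class PushOnHitFilter implements Filter {

    /** Constructed map: context-relative request path -> resources to push. */
    private static final Map<String, List<String>> PUSH_MAP;
    static {
        Map<String, List<String>> m = new HashMap<>();
        m.put("/js/app.js", Arrays.asList("/js/vendor.js", "/css/app.css"));
        m.put("/index.html", Arrays.asList("/js/app.js", "/img/logo.png"));
        PUSH_MAP = Collections.unmodifiableMap(m);
    }

    /** Path of the request inside the web application (servlet path + path info). */
    static String contextRelativePath(HttpServletRequest req) {
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        return path;
    }

    /** Resources to push for a path, or an empty list when the path is not mapped. */
    static List<String> resourcesFor(String path) {
        List<String> deps = PUSH_MAP.get(path);
        return deps == null ? Collections.<String>emptyList() : deps;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            List<String> deps = resourcesFor(contextRelativePath(req));
            if (!deps.isEmpty()) {
                // null when the connection is not HTTP/2, the client has
                // disabled push, or this request is itself a pushed one.
                PushBuilder pb = req.newPushBuilder();
                if (pb != null) {
                    for (String dep : deps) {
                        // A path without a leading '/' is resolved relative to
                        // the context path, so strip the slash from the map entry.
                        pb.path(dep.substring(1)).push();
                    }
                }
            }
        }
        // The mapped file itself is still served by the normal chain.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

A client that already holds a pushed resource in its cache will simply reset that stream, so the map should list only resources the page really needs on first load.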
Re: Question related to Session management in Tomcat !
Thank You Mark

On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas wrote:
> On 25/11/2015 10:50, Utkarsh Dave wrote:
>> Hello,
>>
>> I need inputs/answers on the points below to implement a secure session management application, or, if there is any configuration that may need to be tuned to improve the points below, please point me to it.
>> A)
>> Are session IDs cryptographically strong and do they not reveal sensitive information, so that they can't be guessed easily or used to find attack vectors? Do we meet the below?
>> 1. Are strong entropy sources being used to generate the session ID value?
>
> Yes, it uses java.security.SecureRandom by default.
>
>> 2. Are strong cryptographic algorithms being used to generate the session ID value?
>
> Yes, SHA1PRNG by default.
>
>> 3. Does the session ID value provide at least 128 bits of entropy?
>
> Yes, the session ID is 16 bytes / 128 bits long by default.
>
>> 4. Is the session ID value meaningless, to prevent information disclosure attacks allowing recovery of the contents of the ID and extraction of details of the user, the session, or the inner workings of the web application?
>
> Yes.
>
>> B)
>> Are the session IDs fully validated before they may be used?
>> When using a session ID to keep authentication state and track user progress within a web application, the application MUST treat the session ID as untrusted data, and sanitize and validate it before use.
>
> Yes.
>
> As with most things in Tomcat, configuration provides a lot of control over session ID generation but the default settings meet the requirements you set out above.
>
> Mark
Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender
Alas, no luck. This is what I found in my directory:

-rw-r--r--. root root 30694 Nov 25 22:49 catalina
-rw-r--r--. root root     0 Nov 25 22:49 catalina.out
-rw-r--r--. root root     0 Nov 25 22:49 host-manager
-rw-r--r--. root root 31909 Nov 25 22:49 localhost
-rw-r--r--. root root     0 Nov 25 22:49 localhost_access_log.2015-11-25.txt
-rw-r--r--. root root     0 Nov 25 22:49 manager
[root@centos7sys1 logs]# date
Thu Nov 26 00:07:25 EST 2015

On Wed, Nov 25, 2015 at 7:22 PM, Joleen Barker wrote:
> I changed it back to use the log4j setting as I liked it better and the boss wants the files to roll over at midnight each night. Now when I start up, the catalina.out file is empty and the logs appear to be split between the catalina file (not catalina.out) and the localhost file. Some of the messages are doubled between the two files.
>
> We will see what happens now with the swallowOutput=true. I'm so excited to see what is there tomorrow morning. lol
>
> -Joleen
>
> On Wed, Nov 25, 2015 at 6:59 PM, Joleen Barker wrote:
>> Sorry. I all of a sudden noticed the swallowOutput="false" in the cfcc.xml I had. I changed this to be true and now it appears most of the messages are being written to the localhost file. I don't see any messages missing. I will leave it running over night and see what happens and report tomorrow.
>>
>> -Joleen
>>
>> On Wed, Nov 25, 2015 at 3:50 PM, Joleen Barker wrote:
>>> I didn't get too far. For option b and setting the swallowOutput=true in the right place I need to get some clarification.
>>>
>>> I was looking up more information about the swallowOutput parm so I understood more. In Christopher's comments he spoke about updating the context xml. This is where I am confused. When I think of the word "context" it has always referred to the vendor's web page to log in with, and the context set is "cfcc". There is a file named cfcc.xml in the /server/conf/Catalina/localhost directory. Then there is the actual context.xml file located in the /server/conf directory. I am not sure which one I would put the swallowOutput parm in. Maybe it would be both.
>>>
>>> The only items in the context.xml file that are not commented out are the following settings, and it's a pretty small file:
>>>
>>> WEB-INF/web.xml
>>> ${catalina.base}/conf/web.xml
>>> ...
>>> ...
>>>
>>> ...
>>> ...
>>> classname="org.apache.catalina.valves.CometConnectionManagerValve" />
>>>
>>> The cfcc.xml file that I have has the following:
>>>
>>> charsetMapperClass="org.apache.catalina.util.CharsetMapper"
>>> className="org.apache.catalina.core.StandardContext" cookies="true"
>>> crossContext="false" debug="0" displayName="Secure Internet File Transfer Web Services"
>>> docBase="/opt/mftcc730/server/webapps/cfcc"
>>> mapperClass="org.apache.catalina.core.StandardContextMapper" path="/cfcc"
>>> privileged="false" reloadable="false" swallowOutput="false"
>>> useHttpOnly="false" useNaming="true"
>>> wrapperClass="org.apache.catalina.core.StandardWrapper">
>>>
>>> directory="/opt/mftcc730/server/logs" prefix="localhost_cfcc_"
>>> suffix=".txt" timestamp="true" verbosity="2"/>
>>> connectionName="cfcc" connectionPassword="TgPGKAy//0gDOq2Co5UnM2AE8pM="
>>> connectionURL="jdbc:mysql://192.168.1.7:3306/mft730?characterEncoding=UTF8" debug="0" digest="SHA"
>>> driverName="com.mysql.jdbc.Driver" roleNameCol="RoleID"
>>> userCredCol="Passwd" userNameCol="UserID" userRoleTable="UsersMap"
>>> userTable="Users" validate="true"/>
>>> type="javax.sql.DataSource"/>
>>>
>>> Thank you.
>>>
>>> -Joleen
>>>
>>> On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker wrote:
>>>> Thank you for some direction. I'll go ahead and put back the logging as it was from the vendor using the logging.properties file, etc. etc. so as to minimize their lack of support due to me changing a lot in their product. Then I'll go on to try option b. I'll report back with how it goes.
>>>>
>>>> -Joleen

Joleen,

On 11/24/15 4:31 PM, Joleen Barker wrote:
> I have set up the logrotate using cron in the past and it was very successful on the Linux boxes but I could not find an equivalent setup for AIX. Things seem so much easier on Linux. The company wants a universal approach so that left that option out.

Only some things are easier on Linux. This may help:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796

> I did see the section you copied in from the catalina.sh file but couldn't make much out from it so I left it alone.
>
> I like the sound of option b. I know where the context xml file is. (Under the Catalina/localhost/.xml) I'm not sure if this is