Re: Protecting a cluster from malicious membership

2019-02-11 Thread Keiichi Fujino
Tue, 12 Feb 2019 at 1:44, Christopher Schultz :

>
> Mark,
>
> On 2/11/19 03:49, Mark Thomas wrote:
> > On 10/02/2019 14:37, Christopher Schultz wrote:
> >> All,
> >>
> >> I'm looking at the security of Tomcat's Clustering components,
> >> and I think that the following are true. Please let me know if
> >> anything in here is inaccurate:
> >>
> >> 1. a. Default membership uses multicast
> >>    b. Multicast (UDP) can't be authenticated
> >>    c. Therefore multicast membership cannot be secured on its own
> >>    d. ... unless you use the "domain" attribute as a kind of
> >>       "password" to get into a segment of the cluster
> >>
> >> 2. a. Static membership enumerates all members of the cluster on
> >>       all nodes
> >>    b. Therefore, joining a malicious node to the cluster is unlikely
> >>
> >> 3. a. Adding EncryptInterceptor encrypts
> >>       i. TcpFailureDetector traffic
> >>       ii. All actual content traffic
> >>    b. Therefore, adding EncryptInterceptor effectively secures the
> >>       cluster, even if the membership cannot be completely locked-down
> >
> > Nothing jumps out at me as wrong.
> >
> > Also, I'd expect to see a bunch of errors at the valid nodes when
> > they failed to decrypt messages from the invalid nodes. That should
> > provide a clear indication that something unexpected was going on.
>
> Yep, that's detection, though... not prevention.
>
> Thanks for the review.
>
> A follow-up to 1d above... if I try to (maliciously) join a cluster
> which has been separated into domains whose identities I do not know,
> I just end up in a (potentially unnamed) domain all by myself, right?
> So I'm a "member" of the cluster, but I can't meaningfully interact
> with any of the other legitimate members?
>
>
If DomainFilterInterceptor has been enabled in the cluster,
you can't interact with any of the other legitimate members.




> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 
Keiichi.Fujino


Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

2019-02-11 Thread John Palmer
wow.  All working now. (I think- verifying the Client Cert prompt - browser
is NOT prompting, but I may not have a cert for it to send)
certificateKeystoreFile etc instead of certificateKeyFile

and
truststoreFile instead of caCertificateFile

(I spent a lot of time searching and trying things. Glad I finally ASKED).

Thanks again.


On Mon, Feb 11, 2019 at 11:22 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> John,
>
> On 2/11/19 10:42, John Palmer wrote:
> > I'm new to implementing APR/tc-native for SSL/TLS on Windows
> > Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12
> > format in the SSLHostConfig/Certificate elements for the keystore
> > and truststore.. (I would prefer to drop the JKS format for several
> > reasons) questions are: is this allowed?
>
> Absolutely. And switching away from JCEKS/JKS files is a good idea.
> They never should have existed in the first place.
>
> > if so, what am I doing wrong?
>
> :)
>
> > ...while the old (tomcat 7) connector element format works very
> > well... for example:  > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
> > keystorePass="password" keystoreType="PKCS12" clientAuth="true"
> > truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
> > truststorePass="password"
> >>
> >  > /> 
> >
> > trying to use these .pfx files in the new
> > Connector/SSLHostConfig/Certificate elements doesn't work: (there's
> > no equivalent to the ...Type attribute for certificateFile,
> > caCertificateFile, and the description for each says ..."The format
> > is PEM-encoded." and no equivalent for the ...Password attribute
> > for caCertificateFile).
>
> You want to use certificateKeystoreType="PKCS12" and
> certificateKeystoreFile="C:/certs/truststore.pfx". Don't use
> backslashes. They will ruin your life. (But in this case, it should
> not matter which kind of slash you use.)
>
> I notice that you have another thread where you are trying to use
> tcnative. If you are using tcnative with the APR connector, you cannot
> use keystores such as the above. But you are specifically using the
> NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I
> think you are okay.
>
> >  > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >>
> >  > />  > caCertificateFile="C:\certs\trustStore.PFX"
> >>
>
> Change to truststoreFile="C:/certs/trustStore.PFX".
>
> >  > certificateKeyPassword="password" />
>
> Change to certificateKeystoreFile and make sure to set
> certificateKeystoreType="PKCS12". Also
> certificateKeystorePassword="password".
>
> >  
> >
>
> Hope that helps.
>
> -chris
>
>


Re: how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

2019-02-11 Thread John Palmer
 > For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team.
...
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.

I'm fine with that... this week we've seen the new TC-Native released and
then tomcat 9 updated Friday and 8.5 updated over the weekend (I think).
Pretty darn quick, in any case.

> I would question whether or not you really need libtcnative at all.

me too. but see below:

> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?

We're using a load-balancer, but terminating the SSL (TLS) connection at
Tomcat rather than at the load-balancer...
(we need the client certificate info for authentication. I understand that
with an SSL connection terminated at a load balancer, the client certificate
info can be forwarded to tomcat - but I don't want to fight that battle
just now).
I'm investigating using tc-native for:
improved SSL (TLS) processing compared to the JSSE implementation (I hope)
TLS1.3 support
HTTP/2 Support
(possibly the use of more mainstream certs/truststore format (Windows
environment) than the JKS format  -
(not that using JKS  format is a big deal, but I have found Key Store
Explorer to be REAL helpful in figuring out problems with keystores or
truststores that weren't real obvious using keytool.exe by itself
and in adding/removing Issuer or Root certs as new ones come into use or
expire).

Thanks...

On Mon, Feb 11, 2019 at 11:38 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> John,
>
> On 2/11/19 10:46, John Palmer wrote:
> > (I'm new to using TC-native, interested in how to accomplish "In
> > security conscious production environments, it is recommended to
> > use separate shared dlls for OpenSSL, APR, and libtcnative-1, and
> > update them as needed according to security bulletins. "
>
> For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team. If you really want separate ones,
> you'll need to build everything yourself.
>
> I think that quote is easy to misinterpret. The problem is not the
> fact that the library is statically-linked and therefore less secure.
> The problem is that the native library bundles 3 separate packages:
> Apache Portable Runtime (APR), OpenSSL, and Tomcat's native library
> (libtcnative). Because they are bundled together, you cannot upgrade
> any single one of them independently of the others.
>
> If APR publishes a fix for a vulnerability, you cannot upgrade just
> apr-x.y.z.dll to get that fix. Instead, you'd have to wait for the
> Tomcat team to publish an updated bundle that includes that new
> version. Same with OpenSSL, etc.
>
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.
>
> If you have the capability of building your own libraries, then you
> can always get the latest from the upstream source and stay even more
> up-to-date than you would if you waited for the releases from Tomcat.
>
> > Apparently I need a concrete example (step-by-step, where to get
> > the dlls, where to put them (and make sure tomcat finds them)
> > etc...   preferably I wouldn't have to compile anything myself.
>
> If you don't want to compile yourself, you'll need to trust ...
> someone else. The Tomcat team only publishes the all-in-one DLL.
>
> I would question whether or not you really need libtcnative at all.
> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?
>
> -chris
>


Re: tomcat 8.5.38 change to catalina.sh

2019-02-11 Thread Konstantin Kolinko
Tue, 12 Feb 2019 at 00:17, Charles Slivkoff :
>
> More details.
>
> CATALINA_PID is being defined before calling catalina.sh.
>
> The 8.5.37 version is storing a PID value, but it is not the correct PID. 
> Might this have been the reason for the change?
>
> The 8.5.38 version does not even create the file.
>
> I can also see this same behavior on Ubuntu 18.04.1 LTS.
>

The two most recent changes to catalina.sh in Tomcat 8.5 are

http://svn.apache.org/viewvc?view=revision&revision=1850830
http://svn.apache.org/viewvc?view=revision&revision=1848048

I have several thoughts here. I think Bug 63041 is the place to
discuss a solution to this issue.

https://bz.apache.org/bugzilla/show_bug.cgi?id=63041

Best regards,
Konstantin Kolinko




Re: tomcat 8.5.38 change to catalina.sh

2019-02-11 Thread Charles Slivkoff
More details.

CATALINA_PID is being defined before calling catalina.sh.

The 8.5.37 version is storing a PID value, but it is not the correct PID. Might 
this have been the reason for the change?

The 8.5.38 version does not even create the file.

I can also see this same behavior on Ubuntu 18.04.1 LTS.



From: Charles Slivkoff 
Sent: Monday, February 11, 2019 4:00:28 PM
To: users@tomcat.apache.org
Subject: Fw: tomcat 8.5.38 change to catalina.sh

This change in catalina.sh is preventing the PID file from being saved.

I don't see this mentioned in the changelog.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

I understand the syntax is valid in both cases: single-& versus
double-&.

I'm observing this on RHEL 6 and 7.

RHEL6$ /bin/sh --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)

RHEL7$ /bin/sh --version
GNU bash, version 4.2.46(2)-release (x86_64-redhat-linux-gnu)

Can anyone shed any light on why this might be happening?



$ diff -u apache-tomcat-8.5.37/bin/catalina.sh 
apache-tomcat-8.5.38/bin/catalina.sh
--- apache-tomcat-8.5.37/bin/catalina.sh2018-12-12 07:07:49.0 
-0500
+++ apache-tomcat-8.5.38/bin/catalina.sh2019-02-05 06:44:05.0 
-0500
@@ -476,7 +476,7 @@
   -Dcatalina.home="\"$CATALINA_HOME\"" \
   -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
   org.apache.catalina.startup.Bootstrap "$@" start \
-  2\>\&1 \& echo \$! \>\"$catalina_pid_file\" \; \} $catalina_out_command 
"&"
+  2\>\&1 \&\& echo \$! \>\"$catalina_pid_file\" \; \} 
$catalina_out_command "&"

   else
 eval \{ $_NOHUP "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER 
$JAVA_OPTS $CATALINA_OPTS \
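Review bot: the change from `\&` to `\&\&` on the `2\>\&1` line stops the PID file from being written while Tomcat is running. With `\&`, the java command is backgrounded inside the brace group and `echo \$!` records its PID immediately; with `\&\&`, `echo \$!` runs only after java has exited with status 0, so nothing is written to `$catalina_pid_file` for the lifetime of the server (exactly the symptom reported above), and when it finally does run `$!` no longer names the java process, because the only thing backgrounded by then is the outer brace group via `$catalina_out_command "&"`. Suggest restoring `2\>\&1 \& echo \$! \>\"$catalina_pid_file\" \;`; if the intent was to avoid recording the PID of a launch that fails immediately, that needs a separate check on the child after it is started rather than chaining on its exit status.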
@@ -486,7 +486,7 @@
   -Dcatalina.home="\"$CATALINA_HOME\"" \
   -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
   org.apache.catalina.startup.Bootstrap "$@" start \
-  2\>\&1 \& echo \$! \>\"$catalina_pid_file\" \; \} $catalina_out_command 
"&"
+  2\>\&1 \&\& echo \$! \>\"$catalina_pid_file\" \; \} 
$catalina_out_command "&"

   fi

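Review bot: the `else` branch repeats the same `\&\&` regression, so both copies of the launch line have to be fixed together. Since this fragment is duplicated verbatim across the two `eval` branches, consider moving the trailing `2\>\&1 \& echo \$! \>\"$catalina_pid_file\" \; \}` into a single variable expanded in both places, so a later edit cannot change one branch and miss the other.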



Fw: tomcat 8.5.38 change to catalina.sh

2019-02-11 Thread Charles Slivkoff
This change in catalina.sh is preventing the PID file from being saved.

I don't see this mentioned in the changelog.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

I understand the syntax is valid in both cases: single-& versus
double-&.

I'm observing this on RHEL 6 and 7.

RHEL6$ /bin/sh --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)

RHEL7$ /bin/sh --version
GNU bash, version 4.2.46(2)-release (x86_64-redhat-linux-gnu)

Can anyone shed any light on why this might be happening?



$ diff -u apache-tomcat-8.5.37/bin/catalina.sh 
apache-tomcat-8.5.38/bin/catalina.sh
--- apache-tomcat-8.5.37/bin/catalina.sh2018-12-12 07:07:49.0 
-0500
+++ apache-tomcat-8.5.38/bin/catalina.sh2019-02-05 06:44:05.0 
-0500
@@ -476,7 +476,7 @@
   -Dcatalina.home="\"$CATALINA_HOME\"" \
   -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
   org.apache.catalina.startup.Bootstrap "$@" start \
-  2\>\&1 \& echo \$! \>\"$catalina_pid_file\" \; \} $catalina_out_command 
"&"
+  2\>\&1 \&\& echo \$! \>\"$catalina_pid_file\" \; \} 
$catalina_out_command "&"
 
   else
 eval \{ $_NOHUP "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER 
$JAVA_OPTS $CATALINA_OPTS \
@@ -486,7 +486,7 @@
   -Dcatalina.home="\"$CATALINA_HOME\"" \
   -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
   org.apache.catalina.startup.Bootstrap "$@" start \
-  2\>\&1 \& echo \$! \>\"$catalina_pid_file\" \; \} $catalina_out_command 
"&"
+  2\>\&1 \&\& echo \$! \>\"$catalina_pid_file\" \; \} 
$catalina_out_command "&"
 
   fi
 



Re: how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

2019-02-11 Thread Christopher Schultz

John,

On 2/11/19 10:46, John Palmer wrote:
> (I'm new to using TC-native, interested in how to accomplish "In
> security conscious production environments, it is recommended to
> use separate shared dlls for OpenSSL, APR, and libtcnative-1, and
> update them as needed according to security bulletins. "

For Windows, you are better off using the all-in-one statically-linked
DLL provided by the Tomcat team. If you really want separate ones,
you'll need to build everything yourself.

I think that quote is easy to misinterpret. The problem is not the
fact that the library is statically-linked and therefore less secure.
The problem is that the native library bundles 3 separate packages:
Apache Portable Runtime (APR), OpenSSL, and Tomcat's native library
(libtcnative). Because they are bundled together, you cannot upgrade
any single one of them independently of the others.

If APR publishes a fix for a vulnerability, you cannot upgrade just
apr-x.y.z.dll to get that fix. Instead, you'd have to wait for the
Tomcat team to publish an updated bundle that includes that new
version. Same with OpenSSL, etc.

In general, the Tomcat team tries to keep on top of the latest news
and releases from both APR and OpenSSL, so you shouldn't have to wait
too long between a newly-published version of APR or OpenSSL and a new
release of tcnative.

If you have the capability of building your own libraries, then you
can always get the latest from the upstream source and stay even more
up-to-date than you would if you waited for the releases from Tomcat.

> Apparently I need a concrete example (step-by-step, where to get
> the dlls, where to put them (and make sure tomcat finds them)
> etc...   preferably I wouldn't have to compile anything myself.

If you don't want to compile yourself, you'll need to trust ...
someone else. The Tomcat team only publishes the all-in-one DLL.

I would question whether or not you really need libtcnative at all.
Are you going to be using a Tomcat installation without any kind of
load-balancer or reverse-proxy in between it and your users?

-chris



Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

2019-02-11 Thread Christopher Schultz

John,

On 2/11/19 10:42, John Palmer wrote:
> I'm new to implementing APR/tc-native for SSL/TLS on Windows
> Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12
> format in the SSLHostConfig/Certificate elements for the keystore
> and truststore.. (I would prefer to drop the JKS format for several
> reasons) questions are: is this allowed?

Absolutely. And switching away from JCEKS/JKS files is a good idea.
They never should have existed in the first place.

> if so, what am I doing wrong?

:)

> ...while the old (tomcat 7) connector element format works very
> well... for example:  protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
> keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx" 
> keystorePass="password" keystoreType="PKCS12" clientAuth="true" 
> truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12" 
> truststorePass="password"
>> 
>  /> 
> 
> trying to use these .pfx files in the new 
> Connector/SSLHostConfig/Certificate elements doesn't work: (there's
> no equivalent to the ...Type attribute for certificateFile, 
> caCertificateFile, and the description for each says ..."The format
> is PEM-encoded." and no equivalent for the ...Password attribute
> for caCertificateFile).

You want to use certificateKeystoreType="PKCS12" and
certificateKeystoreFile="C:/certs/truststore.pfx". Don't use
backslashes. They will ruin your life. (But in this case, it should
not matter which kind of slash you use.)

I notice that you have another thread where you are trying to use
tcnative. If you are using tcnative with the APR connector, you cannot
use keystores such as the above. But you are specifically using the
NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I
think you are okay.

>  protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>> 
>  />  caCertificateFile="C:\certs\trustStore.PFX"
>> 

Change to truststoreFile="C:/certs/trustStore.PFX".

>  certificateKeyPassword="password" />

Change to certificateKeystoreFile and make sure to set
certificateKeystoreType="PKCS12". Also
certificateKeystorePassword="password".

>  
> 

Hope that helps.

-chris

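Chris's attribute mapping put into one complete connector, as an added example that is not from the thread (the original post's XML did not survive the archive) and not from the Tomcat documentation. Paths, the alias, the passwords and the cipher list are placeholders; the attribute names are the Tomcat 8.5 SSLHostConfig/Certificate ones he names above, and each comment shows the Tomcat 7 attribute it replaces.

```xml
<!-- Added example: Tomcat 8.5 connector with PKCS12 (.pfx) stores for both the
     server key and the client-auth trust store. Paths/alias/passwords are placeholders. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">

  <!-- Tomcat 7: clientAuth="true"                 -> certificateVerification="required"
       Tomcat 7: truststoreFile/Type/Pass          -> truststoreFile/truststoreType/truststorePassword
       caCertificateFile is PEM-only and has no type or password attribute, so it
       cannot point at a .pfx file. -->
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="required"
                 truststoreFile="C:/certs/truststore.pfx"
                 truststoreType="PKCS12"
                 truststorePassword="change-me-trust"
                 honorCipherOrder="true"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">

    <!-- Tomcat 7: keystoreFile/Type/Pass + keyAlias -> certificateKeystore* + certificateKeyAlias
         certificateFile / certificateKeyFile are the PEM-path attributes; handing
         them a .pfx is what produced the "no start line" error in the original post. -->
    <Certificate certificateKeystoreFile="C:/certs/servername.pfx"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="change-me-key"
                 certificateKeyAlias="FQDNservername"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

Before restarting, confirm each store opens with the type and password configured, e.g. `keytool -list -v -storetype PKCS12 -keystore C:/certs/servername.pfx`, and that `certificateKeyAlias` matches an alias in that listing; a store that loads but has no entry under the configured alias leaves the handshake with no certificate to offer. The passwords sit in server.xml in clear text, so restrict that file's ACL to the service account.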


Re: Protecting a cluster from malicious membership

2019-02-11 Thread Christopher Schultz

Mark,

On 2/11/19 03:49, Mark Thomas wrote:
> On 10/02/2019 14:37, Christopher Schultz wrote:
>> All,
>> 
>> I'm looking at the security of Tomcat's Clustering components,
>> and I think that the following are true. Please let me know if
>> anything in here is inaccurate:
>> 
>> 1. a. Default membership uses multicast
>>    b. Multicast (UDP) can't be authenticated
>>    c. Therefore multicast membership cannot be secured on its own
>>    d. ... unless you use the "domain" attribute as a kind of
>>       "password" to get into a segment of the cluster
>> 
>> 2. a. Static membership enumerates all members of the cluster on
>>       all nodes
>>    b. Therefore, joining a malicious node to the cluster is unlikely
>> 
>> 3. a. Adding EncryptInterceptor encrypts
>>       i. TcpFailureDetector traffic
>>       ii. All actual content traffic
>>    b. Therefore, adding EncryptInterceptor effectively secures the
>>       cluster, even if the membership cannot be completely locked-down
> 
> Nothing jumps out at me as wrong.
> 
> Also, I'd expect to see a bunch of errors at the valid nodes when
> they failed to decrypt messages from the invalid nodes. That should
> provide a clear indication that something unexpected was going on.

Yep, that's detection, though... not prevention.

Thanks for the review.

A follow-up to 1d above... if I try to (maliciously) join a cluster
which has been separated into domains whose identities I do not know,
I just end up in a (potentially unnamed) domain all by myself, right?
So I'm a "member" of the cluster, but I can't meaningfully interact
with any of the other legitimate members?

-chris

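The three points above, plus the DomainFilterInterceptor answer from the follow-up, in one channel definition, as an added example that is not from the thread or from the Tomcat documentation. Addresses, ports, the `prod-app` domain label, the static member and the key are placeholders; the interceptor order assumes the usual Tribes stack in which the last listed interceptor sits nearest the transport, so that EncryptInterceptor wraps the failure detector's probes as well as session data.

```xml
<!-- Added example: a Tribes channel for Tomcat 8.5.38+/9.0.13+ (EncryptInterceptor
     first shipped there). Not from the thread; addresses, ports, domain label,
     static member and key are placeholders. Goes inside <Engine> or <Host>. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">

  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false" notifyListenersOnReplication="true"/>

  <Channel className="org.apache.catalina.tribes.group.GroupChannel">

    <!-- 1a/1d: multicast discovery. Anything on the segment can announce itself,
         so "domain" is a partition label, not a credential: members announcing a
         different (or no) domain are still seen, just not talked to. -->
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4" port="45564" frequency="500" dropTime="3000"
                domain="prod-app"/>

    <!-- Bind the replication receiver to the cluster interface only, with a fixed
         port, so the firewall rule for 4000/tcp can be exact. -->
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="10.0.1.11" port="4000" autoBind="0"
              selectorTimeout="5000" maxThreads="6"/>

    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>

    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>

    <!-- 2: static membership. Every node lists the others explicitly; a host that
         is not in this list is never chosen as a replication target. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
      <Member className="org.apache.catalina.tribes.membership.StaticMember"
              host="10.0.1.12" port="4000" securePort="-1" domain="prod-app"
              uniqueId="{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2}"/>
    </Interceptor>

    <!-- Follow-up to 1d: drop membership events for any node whose domain does not
         match, so a stray joiner is left in a domain of its own. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor"
                 domain="prod-app"/>

    <!-- 3: encrypt everything that reaches the transport, including the failure
         detector's TCP probes. Key is hex (32 bytes here, AES-256); generate it
         with `openssl rand -hex 32`, give every node the same value, and keep it
         out of version control. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionAlgorithm="AES/CBC/PKCS5Padding"
                 encryptionKey="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"/>
  </Channel>

  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
         filter=".*\.(gif|jpg|png|css|js)$"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
```

With this in place, a node that joins the multicast group without the right domain shows up in the membership logs but is filtered before it becomes a replication target, and any bytes it does push at port 4000 fail to decrypt on the legitimate nodes, which is the error burst Mark describes. That is still detection rather than prevention, so the receiver bind address and a firewall rule limiting 4000/tcp and the multicast group to the cluster hosts remain the actual access control.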


Re: StaticMembers within Multiple Clusters

2019-02-11 Thread Tim K
On Fri, Jan 18, 2019, 12:44 PM Tim K  wrote:

> On Fri, Jan 18, 2019 at 11:05 AM Christopher Schultz
>  wrote:
> >
> >
> > Tim,
> >
> > On 1/18/19 06:38, Tim K wrote:
> > > Thanks for this.  The video helps explain it a bit better than the
> > > documentation.  So I set it up with a backup manager instead of the
> > > delta manager, changing the channelSendOptions to 6 for the
> > > cluster.
> >
> > If you think you can help clarify the documentation, patches are of
> > course always welcome.
> >
> > > From a maintenance standpoint, what is the best way to stop/start
> > > the nodes without losing sessions; one at a time, letting it fully
> > > come up before moving on to the next one (like a ripple restart)?
> > > I presume you don't want too many nodes to be down at a single
> > > time.
> >
> > I definitely wouldn't bring two down simultaneously if you can avoid
> > it. The cluster needs time to re-stabilize after the loss of a member,
> > meaning that new backup nodes must be selected for each session and
> > then the sessions must be transmitted to those backup nodes. If you
> > have small amounts of data in the sessions, this will probably be
> > fairly fast. If you have lots of data or a very busy network, it will
> > take longer.
> >
> > I would recommend setting-up a scenario (even in production) where you
> > intentionally disable a node in the cluster and watch to see how long
> > the cluster takes to re-stabilize. I think you'll learn a lot from
> > that exercise and it will help you plan for scheduled maintenance and
> > downtime.
> >
> > - -chris
>
> Is there a way to tell which server was assigned as the primary and
> backup roles?
>
> When I stop a member, is it this line which would tell me how long it
> took to sync up the sessions?
> Relocation of map entries was complete in [X] ms.
>
> Another question, I'm using the StaticMembershipService; do I need to
> define a LocalMember for each of my nodes or is that optional/assumed?
>
> Also, I recall reading something about the uniqueId might not really
> be used?  Do I need to set that for each member?
>


I'm noticing my SSO cookie is being removed when I force myself to another
node.  Is this a bug?



how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

2019-02-11 Thread John Palmer
(I'm new to using TC-native, interested in how to accomplish "In security
conscious production environments, it is recommended to use separate shared
dlls for OpenSSL, APR, and libtcnative-1, and update them as needed
according to security bulletins. "

Apparently I need a concrete example (step-by-step, where to get the dlls,
where to put them (and make sure tomcat finds them) etc...   preferably I
wouldn't have to compile anything myself.

thanks...


tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

2019-02-11 Thread John Palmer
I'm new to implementing APR/tc-native for SSL/TLS on Windows Server
2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the
SSLHostConfig/Certificate elements for the keystore and truststore..
(I would prefer to drop the JKS format for several reasons)
questions are:
is this allowed?
   if so, what am I doing wrong?

...while the old (tomcat 7) connector element format works very well... for
example:




trying to use these .pfx files in the new
Connector/SSLHostConfig/Certificate elements doesn't work:
 (there's no equivalent to the ...Type attribute for certificateFile,
caCertificateFile,
  and the description for each says ..."The format is PEM-encoded."
  and no equivalent for the ...Password attribute for caCertificateFile).








.. the above gives errors:
11-Feb-2019 08:25:06.415 SEVERE [main]
org.apache.catalina.core.StandardService.initInternal Failed to initialize
connector [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute
certificateFile must be defined when using an SSL connector
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile
must be defined when using an SSL connector
at
org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:222)
at
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:94)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
... 20 more

Adding certificateFile="C:\certs\servername.pfx" to the Certificate element
causes this error (apparently it's expecting a PEM file):
11-Feb-2019 08:40:56.179 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["https-openssl-nio2-443"]
11-Feb-2019 08:40:56.226 WARNING [main]
org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing
SSL context
 java.lang.Exception: Unable to load certificate key
C:\certs\satlwsrmdwb01.pfx (error:0909006C:PEM routines:get_name:no start
line)
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
at
org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:284)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at 

Re: Tomcat 9.0 with security manager reports access denied

2019-02-11 Thread Kai Hofmann
Am 25.01.2019 um 21:58 schrieb Mark Thomas:
> On 25/01/2019 20:34, Mark Thomas wrote:
>> On 25/01/2019 11:12, Mark Thomas wrote:
>>> On 24/01/2019 12:19, Kai Hofmann wrote:
 Hello,

 I try to activate the security manager for my own Application within
 Tomcat 9.0.x. The problem is that I got 2 different access denied's
 that should (from my point of view) not happen. So this might be a bug -
 but I am not 100% sure.

 To make a long story short I have put all information into a
 stackoverflow question:

 https://stackoverflow.com/questions/54254003/tomcat-9-0-with-security-manager-reports-access-denied

 Maybe someone could help me with this problem?
>>>
>>> Strange.
>>>
>>> The failures might be related to running as a Windows service but I
>>> don't immediately see how. I wonder if there is a configuration issue.
>>>
>>> I ran a similar test locally on Linux and I don't see those failures. I
>>> did see a couple of other minor issues that I am in the process of fixing.
>>>
>>> Once I've finished fixing the issues I can see on Linux, I'll install
>>> the latest 9.0.x code as a Windows service and see if I can reproduce
>>> any of those failures.
>>
>> I see some additional instances of "denied" but not the ones you saw,
>>
>> I did notice that the security policy file was not configured correctly.
>> "==" is required when setting catalina.policy
>>
>> I'll look into getting the additional failures I've observed fixed but
>> it would help if you could provide the steps to reproduce the failures
>> you see from a clean Tomcat install.
> 
> The additional failures are expected. java.beans.Introspector is trying
> to load classes that don't exist and they fail.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

Dear Mark,

thanks for the hint with the '==' for the catalina.policy definition.
This fixed one of my exceptions.

The second exception could then be fixed with adding

permission java.util.PropertyPermission
"org.apache.juli.logging.UserDataHelper.CONFIG", "read";

to the policies.

So everything works here on Windows as a service ;-)

Greetings

  PowerStat





Re: Receiving 403 with Tomcat 9, works with Tomcat 8

2019-02-11 Thread Jörg Schaible
Hi Mark

Am Freitag, 8. Februar 2019, 09:30:32 CET schrieb Jörg Schaible:
> Hi Mark,
> 
> Am Mittwoch, 6. Februar 2019, 15:32:26 CET schrieb Mark Thomas:
> 
> [snip]
> 
> > You need to set cors.allowed.origin to an appropriate value. See:
> > http://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#CORS_Filter
> 
> thanks for your pointers, but unfortunately even setting the value to '*'
> has no effect, we still get the 403 for this request. Is there anything
> else we can do to debug this? Some logger settings?

Just as final remark. After correcting the parameter name, the filter works as 
expected. Sometimes the problem is in front of the keyboard... ;-)

Thanks and cheers,
Jörg








[ANN] Apache Tomcat 8.5.38 available

2019-02-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.38.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled
forward from the 9.0.x branch. The notable changes since 8.5.37 include:

 - Update the packaged version of the Tomcat Native Library to 1.2.21
   to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL.

 - Correct a regression in the fix for 53737 that did not correctly
   scan the web application directory structure for JSPs.

 - Improve HTTP/2 timeout handling


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team





Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

2019-02-11 Thread Mark Thomas
On 08/02/2019 21:43, Michael Osipov wrote:
> Am 2019-02-08 um 12:54 schrieb Tommy Schneider:
>> Hello,
>>
>> I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:
>>
>> Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
>> Platform/OS:  AIX 7.2 ppc64
>> Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins
>>
>>> From what I can see in the catalina log I think it's almost working
>> (AD user is returned back correctly), but in the web application I
>> always get stuck with a HTTP 401. No matter whether I'm using a JNDI
>> realm or a simple JAAS realm. I also tried different approaches in the
>> application's web.xml like using "*" as generic role name or
>> specifying a list of role names like they should come back from the
>> AD). I'm starting to think the cause may still be somewhere in the
>> SPNEGO/Kerberos stuff and not in my realm/application config.
>>
>> Currently I'm trying to use a simple JAAS realm (as I found a tutorial
>> saying this is the simplest way to go when you just need the user name
>> and no roles)
>> snippet from server.xml
>> <Host ... autoDeploy="true">
>>
>>   <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
>>          storeDelegatedCredential="true"/>
>>   <Realm className="org.apache.catalina.realm.JAASRealm"
>>          allRolesMode="strictAuthOnly" />
>>
>>
>> snippet from catalina.out:
>>  Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
>> HTTP/mymachine.mycompany@mycompany.com
>>  Found ticket for
>> HTTP/mymachine.mycompany@mycompany.com to go to
>> krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
>> 2019
>>  Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>  Looking for keys for:
>> HTTP/mymachine.mycompany@mycompany.com
>>  Added key: 17version: 15
>>  Added key: 18version: 15
>>  Added key: 23version: 15
>>  Found unsupported keytype (3) for
>> HTTP/mymachine.mycompany@mycompany.com
>>  Found unsupported keytype (1) for
>> HTTP/mymachine.mycompany@mycompany.com
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  Using builtin default etypes for permitted_enctypes
>>  default etypes for permitted_enctypes: 18 17 16 23.
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  MemoryCache: add
>> 1549621587/000784/231A915D0FE70A039CF82095FC685C843F4D981D20A70F972015D8EB16D07CA5/myusern...@mycompany.com
>>
>> to myusern...@mycompany.com|
>> HTTP/mymachine.mycompany@mycompany.com
>>  >>> KrbApReq: authenticate succeed.
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  >>>Delegated Creds have pname=myusern...@mycompany.com
>> sname=krbtgt/mycompany@mycompany.com authtime=null
>> starttime=20190208095329Z
>> endtime=20190208195235ZrenewTill=20190215095235Z
>>  Krb5Context setting peerSeqNumber to: 883655442
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  Krb5Context setting mySeqNumber to: 318684000
>>  [Krb5LoginModule]: Entering logout
>>  [Krb5LoginModule]: logged out Subject
>>  08-Feb-2019 11:26:27.415 FINE [https-jsse-nio-443-exec-5]
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
>> authenticate() test
>>
>> I'm happy with the part where "myusern...@mycompany.com" is returned
>> back from the AD, so I think most of the stuff is configured correctly
>> so far. However I have no idea what the last 3 lines indicate. Is it
>> ok that the "logout" occurs here? What causes the authenticator to
>> fail? Is this still related to the SPNEGO stuff or is it caused by the
>> realm or an incorrect web.xml in the application (I tried different
>> variants here and it all seems to end up with a
>> "org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
>> authenticate() test".
>>
>> Let me know if you need more configuration details.
>> Any help would be greatly appreciated
> 
> We need more debug output. This doesn't really help. Please enable it,
> it will help. The Kerberos debug output you see is just Sun-internal
> which has nothing to do with the Tomcat code.

To be more specific, add the following to your logging.properties:

org.apache.catalina.authenticator.level = FINE

Restart Tomcat and then try the test again.

Mark

> 
> The logout() is performed on the LoginContext required to obtain server
> credentials. They are released (hence logout performed) as soon as the
> security context has been established and the GSS src name has been
> obtained.
> 
> Michael
> 
> 

Re: ant install java.net.ProtocolException: Server redirected too many times (20)

2019-02-11 Thread Mark Thomas
On 08/02/2019 22:37, Barry Kimelman wrote:
> I am trying to build an app under tomcat 9-0-14 that I had previously built
> under tomcat 7 several years ago.
> 
> however when I run the "ant install" command it fails with the following
> errors.
> 
> BUILD FAILED
> C:\barry\hockey3\build.xml:369: java.net.ProtocolException: Server
> redirected too many  times (20)
> 
> build.xml : 362 , 371
> 362: ...
> 363:     description="Install application to servlet container">
> 364:
> 365: ...
> 366:     username="${manager.username}"
> 367:     password="${manager.password}"
> 368:     path="${app.path}"
> 369:     localWar="file://${build.home}"/>
> 370:
> 371: ...
> 
> Here is a directory listing where my java software is located
> 
> 
> C:\Program Files\Java>dir
>  Volume in drive C is TI10673200G
>  Volume Serial Number is 5E9D-3D3F
> 
>  Directory of C:\Program Files\Java
> 
> 01/16/2019  11:47 AM  .
> 01/16/2019  11:47 AM  ..
> 01/01/2019  03:47 PM  jdk1.8.0_191
> 01/16/2019  11:46 AM  jre1.8.0_201
>0 File(s)  0 bytes
>4 Dir(s)  589,238,714,368 bytes free
> 
> I am running on a Windows 10 64 bit system.
> 
> Any ideas on how to resolve this issue ? So far my searches have not turned
> up anything useful.

What is "manager.url" configured as?

You might want to check that manager.username and manager.password are
valid too by opening a browser at manager.url and testing them.

Mark




Re: session caching on tomcat 7 with APR

2019-02-11 Thread Mark Thomas
On 09/02/2019 19:32, Усманов Азат Анварович wrote:
> Hello everyone! I have a webapp running on tomcat 7.0.92 with java 7 with 
> APR/tomcat native 1.2.19 on RHEL 6
> 
> I've tested website(debug.ieml.ru) on which my webapp is running  on ssllabs  
> server test and one thing I've noticed is the  orange warning line saying
> Session resumption (caching)No (IDs empty)
> which obviously means that session caching is not enabled
> 
> So the question is how to enable it when using Apr
> 
> tomcat connector documentation has sessionCacheSize attribute  but it is for 
> JSSE only and not APR
> 
> Am I missing some other attribute which enables it on the APR connector,
> 
> or does this mean that APR doesn't use SSL session caching?

It appears the default was changed to disable session caching in 1.2.x
in this commit:
https://svn.apache.org/viewvc?view=revision&revision=1686258

I don't see a way to restore this with configuration in 7.0.x.

I think it is worth considering removing the code that disables session
caching by default. I'll start a discussion on dev@

Mark




Re: migration from tomcat 7.0 to 8.5

2019-02-11 Thread Mark Thomas
On 04/10/2017 15:53, Aquatic Safaris Diver wrote:
> 
> I've read the migration manuals and have tried to make the changes to
> my configuration to work correctly in tomcat v8.5, but it's not.  I'm
> not an expert on XML files and JDK so please help me.   I'm sure this is crazy 
> simple
> for you experts.

Why make life difficult for yourself? Just package those libraries in
your web application's WEB-INF/lib directory.

Mark




Re: Protecting a cluster from malicious membership

2019-02-11 Thread Mark Thomas
On 10/02/2019 14:37, Christopher Schultz wrote:
> All,
> 
> I'm looking at the security of Tomcat's Clustering components, and I
> think that the following are true. Please let me know if anything in
> here is inaccurate:
> 
> 1. a. Default membership uses multicast
>b. Multicast (UDP) can't be authenticated
>c. Therefore multicast membership cannot be secured on its own
>d.  ... unless you use the "domain" attribute as a kind of
> "password" to get into a segment of the cluster
> 
> 2. a. Static membership enumerates all members of the cluster on all nodes
>b. Therefore, joining a malicious node to the cluster is unlikely
> 
> 3. a. Adding EncryptInterceptor encrypts
>  i. TcpFailureDetector traffic
> ii. All actual content traffic
>b. Therefore, adding EncryptInterceptor effectively secures the
> cluster, even if the membership cannot be completely locked-down

Nothing jumps out at me as wrong.

Also, I'd expect to see a bunch of errors at the valid nodes when they
failed to decrypt messages from the invalid nodes. That should provide a
clear indication that something unexpected was going on.

Mark

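As an added example, not configuration taken from the thread or from the Tomcat project, here is a server.xml Cluster element that combines the three controls discussed above: a membership domain (1d), statically listed members (2) and EncryptInterceptor placed where it covers TcpFailureDetector traffic (3a), plus DomainFilterInterceptor, which turns the domain tag into an enforced filter on membership events. The multicast address and port, the domain name, the peer host, the uniqueId and the key are placeholder assumptions.

```xml
<!-- Constructed example (not from the thread): Cluster element for server.xml.
     All addresses, ports, the domain name, the peer and the key are placeholders. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">

    <!-- 1d: multicast discovery cannot be authenticated, so membership is
         tagged with a domain; a node announcing a different (or no) domain
         ends up in a segment of its own. -->
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4" port="45564"
                frequency="500" dropTime="3000"
                domain="example-cluster-domain"/>

    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto" port="4000" autoBind="100"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>

    <!-- Drop membership events from nodes outside this domain, so an unknown
         multicast announcer never becomes a peer at all. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor"
                 domain="example-cluster-domain"/>

    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>

    <!-- 2: every node lists every peer explicitly; a node nobody configured
         is never a member. uniqueId must be 16 bytes and unique per node. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
      <Member className="org.apache.catalina.tribes.membership.StaticMember"
              host="peer.example.internal" port="4000" securePort="-1"
              domain="example-cluster-domain"
              uniqueId="{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2}"/>
    </Interceptor>

    <!-- 3: listed last, so it sits closest to the wire and encrypts every
         message the interceptors above it send, TcpFailureDetector's included.
         A node without the key only produces decrypt errors in the logs of
         the legitimate nodes, which is the signal to alert on. The key is a
         hex string (64 hex digits = AES-256); keep it out of version control. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="REPLACE_WITH_64_HEX_DIGITS"/>
  </Channel>
</Cluster>
```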