Re: SSL BIO/NIO setup with openssl CA puzzle
On 26/10/12 13:24, Daniel Mikusa wrote:
> On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:
>> My production tomcat 7.0.26 (and its predecessors back as far as tc 5) have been running with its original SSL server certificate in a JKS keystore for many years. I decided to retire my ancient java-based Certificate Authority and create a new CA using openssl 1.0.1 under ubuntu linux.
>
> Just my $0.02, but if you are just using Java based applications, stick with keytool. It will save you time.

Well, yes, that was true for me too Dan (see case 2 below). But the tomcat wiki describes how to support pkcs12 and it ought to work (or say under what circumstances it will not).

>> I followed the guidance in http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
>>
>> I thought it would be sensible to generate all my new certificates and keystores using only openssl, so that I could use the same procedures for java and non-java applications. This meant I needed to produce a PKCS12 keystore for tomcat to use.
>>
>> I hit a succession of problems and resolved them, so I thought it would be helpful to update the wiki once I had a keystore that worked properly (details of tips and gotchas available). There are a lot of variables that I've explored, but I haven't yet succeeded with my pure openssl approach.
>
> I believe that what you are trying to do should work. It might be easier to debug if we could see a list of the commands that you've run. Maybe just copy and paste your shell session?

Thanks for your interest, Dan. I've gone through all the steps in my notes carefully, and done my best to confirm these results.

1. Verify the openssl self-signed CA certificate (rsa 2048 bit key)

1.1. openssl x509 -noout -text -in cacert.pem displays OK.
1.2. strip all lines before -----BEGIN CERTIFICATE----- and after -----END CERTIFICATE-----
1.3. keytool -printcert -file cacert-bare.pem displays the self-signed certificate and extensions.

2. create a JKS keystore and issue a cert with the openssl CA

2.1. keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -keystore jks-keystore -validity 2000 -dname "CN=www.mydomain.com,OU=servers,O=mydomain.com" .. using the same passphrase for the private key and the keystore.
2.2. keytool -list -v -keystore jks-keystore displays the RSA key wrapped with a self-signed certificate.
2.3. keytool -certreq -keystore jks-keystore -file jks-req -alias tomcat
2.4. issue the new certificate from the openssl CA, AND THEN strip everything from the file outside the delimiters.
2.5. keytool -printcert -file jks-servercert-bare.pem displays the ca-signed certificate and extensions.
2.6. keytool -importcert -keystore jks-keystore -file cacert-bare.pem -alias "Certificate Authority"
2.7. keytool -importcert -keystore jks-keystore -file jks-servercert-bare.pem -alias tomcat
2.8. keytool -list -v -keystore jks-keystore shows the keystore contents as two entries:
2.8.1. the first has an alias of tomcat, a private key entry and the two certificates which comprise the complete chain.
2.8.2. the second has an alias of Certificate Authority, with only the CA's certificate.

Observation 2.8.2 indicates that I have put too much into this certificate store and that step 2.6 was redundant. Nevertheless, tomcat is perfectly happy to start its SSL Connector using this keystore.

3. create a PKCS12 keystore and issue a cert with the openssl CA

3.1. CA.pl -newreq, with appropriate parameter values for the DN of the server and an RSA 1024 bit key pair. This command creates newkey.pem and newreq.pem files, both without any text before or after the delimiter lines.
3.2. openssl rsa -noout -text -in newkey.pem opens and prints the contents of the key pair.
3.3. openssl req -noout -text -in newreq.pem opens and prints the contents of the certificate request, including the server's new public key.
3.4. CA.pl -sign, issues the server certificate. It is prefixed with a text representation of the contents.
3.5. Strip everything outside the delimiters from the newcert.pem file.
3.6. openssl x509 -noout -text -in newcert-bare.pem opens and prints the contents of the certificate, including the server's public key.
3.7. openssl pkcs12 -export -in newcert-bare.pem -inkey newkey.pem -name tomcat -chain -CAfile cacert-bare.pem -caname "Certificate Authority" -out keystore-pkcs12 (using the same password for the keystore as the key).
3.8. openssl pkcs12 -noout -info -in keystore-pkcs12 -- displays the kinds of things in the binary file, i.e.

    MAC Iteration 2048
    MAC verified OK
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

3.9. keytool -list -keystore keystore-pkcs12 -storetype pkcs12 -- displays the kinds of things in the binary file, i.e.

    Keystore type:
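The whole openssl-only procedure from steps 1 and 3 above, as one script that can be re-run from an empty directory. This is an added example written for this page, not Brian's commands and not anything from the Tomcat documentation; the CA name, the scratch directory layout, the password changeit and the two function names are its own assumptions. It departs from the posted steps in two places, both flagged in comments: the server key is 2048 bits rather than 1024, and the PKCS12 bags get AES-256 with a SHA-256 MAC in place of the 40-bit RC2, 3DES and SHA-1 that the step 3.8 output shows, which are the OpenSSL 1.x defaults.

```shell
#!/bin/sh
# Added example, not the thread's commands: the openssl-only keystore procedure from
# steps 1 and 3 as one re-runnable script. Assumptions: a scratch directory, a CA
# subject of "Example Test CA", 2048-bit keys, and "changeit" as the one password for
# the PKCS12 file and the private key (Tomcat uses keystorePass for both unless told otherwise).
set -eu

PASS=changeit

# build_pkcs12 WORKDIR
# Creates the CA, the server key and request, signs the request, and exports key +
# server certificate + CA certificate into WORKDIR/keystore-pkcs12. Prints that path.
build_pkcs12() {
  d=$1
  mkdir -p "$d"

  # Step 1: self-signed CA with a 2048-bit RSA key. req writes only the PEM block,
  # so there is no text dump to strip afterwards.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=mydomain.com/CN=Example Test CA" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null

  # Step 3.1, the equivalent of CA.pl -newreq. 2048-bit key instead of the 1024-bit one
  # in the post: 1024-bit RSA is well below current minimums and recent keytool versions
  # warn about it.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=mydomain.com/OU=servers/CN=www.mydomain.com" \
    -keyout "$d/newkey.pem" -out "$d/newreq.pem" 2>/dev/null

  # Step 3.4, the equivalent of CA.pl -sign. x509 -req writes only the PEM block, so
  # step 3.5 (stripping the text representation) is not needed.
  openssl x509 -req -sha256 -days 730 -in "$d/newreq.pem" \
    -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
    -out "$d/newcert.pem" 2>/dev/null

  # Step 3.7. -certfile attaches the CA certificate explicitly; with a single self-signed
  # CA that yields the same bags as -chain -CAfile. The three algorithm options replace the
  # OpenSSL 1.x defaults seen in step 3.8 (RC2-40 for certificates, 3DES for the key, SHA-1 MAC).
  openssl pkcs12 -export -in "$d/newcert.pem" -inkey "$d/newkey.pem" \
    -certfile "$d/cacert.pem" -name tomcat -caname "Certificate Authority" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout "pass:$PASS" -out "$d/keystore-pkcs12"

  printf '%s\n' "$d/keystore-pkcs12"
}

# verify_pkcs12 KEYSTORE CACERT
# Step 3.8 plus the check keytool does not do for you: the MAC must verify, the file must
# decrypt, and the server certificate inside must chain to CACERT. Prints the server
# certificate's subject on success; any failure aborts because of set -e.
verify_pkcs12() {
  ks=$1; ca=$2
  openssl pkcs12 -in "$ks" -passin "pass:$PASS" -info -noout      # bag summary goes to stderr
  openssl pkcs12 -in "$ks" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl verify -CAfile "$ca" >/dev/null
  openssl pkcs12 -in "$ks" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Usage: sh make-keystore.sh /path/to/outdir
if [ $# -eq 1 ]; then
  ks=$(build_pkcs12 "$1")
  verify_pkcs12 "$ks" "$1/cacert.pem"
fi
```

With the file in place the connector needs keystoreFile pointing at it, keystorePass="changeit", keystoreType="PKCS12" and keyAlias="tomcat" (the -name given at export). If keytool -list -storetype pkcs12 cannot open the file, the JDK in use does not understand the PBES2 algorithms selected here; drop the -keypbe, -certpbe and -macalg options to fall back to the OpenSSL defaults (on OpenSSL 3.x, which already defaults to AES, the -legacy option reproduces the old RC2/3DES encoding instead).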
Re: Handling requests when under load - ACCEPT and RST vs non-ACCEPT
Asankha,

On 10/29/12 11:56 PM, Asankha C. Perera wrote:
> Hi Chris
>> Sorry, also what is your OS (be as specific as possible) and what JVM are you running on?
> Locally for the Wireshark capture I ran this on:
>
>     asankha@asankha-dm4:~$ uname -a
>     Linux asankha-dm4 3.2.0-31-generic #50-Ubuntu SMP Fri Sep 7 16:16:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>     asankha@asankha-dm4:~$ cat /etc/lsb-release
>     DISTRIB_ID=Ubuntu
>     DISTRIB_RELEASE=12.04
>     DISTRIB_CODENAME=precise
>     DISTRIB_DESCRIPTION="Ubuntu 12.04.1 LTS"
>     asankha@asankha-dm4:~$ java -version
>     java version "1.6.0_33"
>     Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
>     Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)
>
> On EC2 nodes (c1.xlarge), I saw this with Ubuntu 10.10, with the same JDK on x64 platforms - but I believe this issue applies across for any OS
>
> I'm interested to know if Tomcat can refuse to accept a connection when overloaded - without accepting and closing the ones that it cannot handle.

Also, are you using a load balancer, or connecting directly to the EC2 instance? Do you have a public, static IP? If you use a static IP, Amazon proxies your connections. I'm not sure what happens if you use a non-static IP (which are public, but can change).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Windows Service Security
We are running Tomcat 7.0.29 on Windows 2008 R2 Service Pack 1.

My question is this, the documentation specifically states, "For optimal security, the service should be run as a separate user, with reduced permissions (see the Windows Services administration tool and its documentation)."

I am unable to find this "Windows Services administration tool" documentation; I have looked on the Wiki, the How-to's, and the all-knowing Google. However, my specific question is still unclear. I do NOT want this service running as SYSTEM. Can the Tomcat service run as a standard user, does the user need elevated permissions, or does it require local administrator access?

Thank you very much

Bill
RE: Windows Service Security
> -----Original Message-----
> From: Burn William [mailto:william.b...@willis.com]
> Sent: Wednesday, October 31, 2012 9:01 AM
> To: users@tomcat.apache.org
> Subject: Windows Service Security
>
> Can the Tomcat service run as a standard user,

Yes

> does the user need elevated permissions,

I don't believe so, I don't grant my standard user any specific privileges.

> or does it require local administrator access?

No. I wouldn't do that.

Leo
Re: How do I get Tomcat 7 to start up faster in Linux CentOS kernel version 2.6.18?
Dilshad,

On 30.10.2012 22:55, Dilshad Shahid wrote:
> I am experiencing a problem with slow start up times for Tomcat 7. I have done some testing by tweaking configuration parameters both on Linux CentOS kernel version 2.6.18 and on Windows 7 using this link as my primary guide: http://wiki.apache.org/tomcat/HowTo/FasterStartUp and managed only a modest improvement.

Tomcat 7 itself starts blazingly fast. Even on a 5-years-old average web server, a fresh Tomcat 7 install starts in less than 200 ms. What are your numbers?

If your FRESH Tomcat 7 installation starts fast, but Tomcat 7 with your webapp(s) deployed drags, then:

(a) Try setting the entropy source to /dev/./urandom as the document you referenced suggests.
(b) If (a) does not work for you, you will have to find out why your webapp is slow. Use a profiler to find that out.

-Ognjen
Re: PDF Download problem tomcat = 7.0.27
Johnny,

On 10/30/12 3:44 PM, Johnny Six wrote:
> It looks like Tomcat7 is munging the content-type header. The correct response header should be:
>
>     Content-Type: multipart/byteranges; boundary=CATALINA_MIME_BOUNDARY   (good)
>     Content-Type: multipart/byteranges;boundary=CATALINA_MIME_BOUNDARY    (bad)
>
> Where there needs to be a space after the ';' character.

Says who?

> In my code, i am setting these values by hand, via setHeader, but Tomcat7 seems to parse it and remove the space (don't know why). If i downgrade to Tomcat6, this problem goes away, and i get the right headers again, exactly as what i set them to be.

Those headers are equivalent.

> Tomcat team needs to probably fix this bug.

Feel free to read the rest of this thread before you say stupid things like this publicly.

-chris
Re: How do I get Tomcat 7 to start up faster in Linux CentOS kernel version 2.6.18?
Dilshad,

On 10/30/12 5:55 PM, Dilshad Shahid wrote:
> I am experiencing a problem with slow start up times for Tomcat 7.

How slow is slow?

If it takes long enough to take a thread dump, please take one or more thread dumps to see what the JVM is doing. Then we may be able to help you.

-chris
Re: SSL BIO/NIO setup with openssl CA puzzle
On Oct 31, 2012, at 10:23 AM, Brian Burch wrote:
> [...]
>
> 2.8. keytool -list -v -keystore jks-keystore shows the keystore contents as two entries:
> 2.8.1. the first has an alias of tomcat, a private key entry and the two certificates which comprise the complete chain.
> 2.8.2. the second has an alias of Certificate Authority, with only the CA's certificate.
>
> Observation 2.8.2 indicates that I have put too much into this certificate store and that step 2.6 was redundant. Nevertheless, tomcat is perfectly happy to start its SSL Connector using this keystore.

Have you tried deleting the second alias? Does it continue to work without this alias?

Also, it might be interesting to convert this working JKS keystore into a PKCS12 keystore and see if it continues to work with Tomcat. I think you can do that with a command like this…

    keytool -importkeystore -srckeystore jks-keystore -srcstoretype jks -srcstorepass changeit -srcalias tomcat -destkeystore pkcs12-keystore -deststoretype pkcs12 -deststorepass changeit

> 3. create a PKCS12 keystore and issue a cert with the openssl CA
> [...]
RE: Windows Service Security
Good Afternoon Bill

did you have a chance to take a look at the how to for configuring Windows domain controller (to enable Tomcat to support Windows authentication)
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Built-in_Tomcat_support

Does this help?
Martin

> From: william.b...@willis.com
> To: users@tomcat.apache.org
> Subject: Windows Service Security
> Date: Wed, 31 Oct 2012 16:01:08
>
> We are running Tomcat 7.0.29 on Windows 2008 R2 Service Pack 1.
> [...]
> I do NOT want this service running as SYSTEM. Can the Tomcat service run as a standard user, does the user need elevated permissions, or does it require local administrator access?
Re: How do I get Tomcat 7 to start up faster in Linux CentOS kernel version 2.6.18?
On 30/10/2012 21:55, Dilshad Shahid wrote:
> I am experiencing a problem with slow start up times for Tomcat 7. I have done some testing by tweaking configuration parameters both on Linux CentOS kernel version 2.6.18 and on Windows 7 using this link as my primary guide: http://wiki.apache.org/tomcat/HowTo/FasterStartUp and managed only a modest improvement.
>
> The improvements seemed to result when I added metadata-complete="true" attribute to the <web-app> element of my WEB-INF/web.xml file and when I added the names of almost all the jars we use for our application to the tomcat.util.scan.DefaultJarScanner.jarsToSkip property in conf/catalina.properties file.

Use a servlet 3.0 web.xml, set metadata-complete="true" and include an empty absolute ordering section and that will disable all of the Servlet 3.0 Jar scanning.

Mark
Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
Simon,

On 10/30/12 1:39 PM, Simon Dean wrote:
> I'm using Tomcat 6.0.35 on Windows 7 and RHEL 6.x. I think I've stumbled upon a bug in org.apache.catalina.valves.RemoteIpValve.

I think you have, too. Please log this in Tomcat's bugzilla:
https://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206

Thanks,
-chris
Re: Injecting JNDI datasource context outside tomcat container
Pramod,

On 10/30/12 11:32 AM, p.krishnamoor...@accenture.com wrote:
> Hi,
>
> I was working to inject the JNDI datasource context outside the tomcat container. I referred this link - https://blogs.oracle.com/randystuph/entry/injecting_jndi_datasources_for_junit.
>
> In order to initialize the datasource context, I had to put three java-naming jars (naming-java-5.0.28, naming-resources-5.5.15, naming-factory-5.5.12) and now Junits are running fine. But now my tomcat server is not starting up; it throws exception - "Name java:comp is not bound in this Context"
>
> It would be nice, if someone can share some thoughts on this.

If you added those JARs to your webapp, then you'll need to remove them because they probably interfere with the standard JNDI libraries provided by Tomcat.

Just adjust your build process such that the libraries are not included when building the real webapp but *are* included when running your unit tests.

-chris
RFE: jarsToSkip option within each jar file
Greetings,

I really like that Apache Tomcat provides a way to skip JAR files for scanning. I would like to see this become an optional property within the JAR file itself. Obviously, this means that the JAR would still have to be loaded up in order to discover the entry, but this would ease up fear of common named jars from being false positively excluded. Another situation is where many of my projects have full version numbers and I don't want to code those out fully in the catalina.properties.

I propose something like jar!/META-INF/org.apache.tomcat.util.scan.DefaultJarScanner with property skip=true which would let us include that meta information directly in the JAR itself. This might require some documentation as well to catalina.properties.

What do you think?

-Jesse

--
There are 10 types of people in this world, those that can read binary and those that can not.
Re: unknown state in VisualVM
In case this would help further, I also see this in my debug mod_jk log:

[Wed Oct 31 11:33:16 2012] [4110:47377141191536] [info] ajp_connect_to_endpoint::jk_ajp_common.c (995): Failed opening socket to (127.0.0.1:8011) (errno=111)
[Wed Oct 31 11:33:16 2012] [4110:47377141191536] [error] ajp_send_request::jk_ajp_common.c (1630): (worker3) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
[Wed Oct 31 11:33:16 2012] [4110:47377141191536] [info] ajp_service::jk_ajp_common.c (2623): (worker3) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
[Wed Oct 31 11:33:16 2012] [4110:47377141191536] [info] service::jk_lb_worker.c (1558): All tomcat instances are busy or in error state
[Wed Oct 31 11:33:16 2012] [4110:47377141191536] [error] service::jk_lb_worker.c (1563): All tomcat instances failed, no more workers left
[Wed Oct 31 11:33:16 2012] [4110:47377141191536] [info] jk_handler::mod_jk.c (2788): Service error=0 for worker=lbworker

The port used for worker3 should definitely have been listening. Is this normal? The application is under load, 1500 jmeter users.

Thanks,
Charles

On Mon, Oct 29, 2012 at 11:48 AM, Charles Richard charle...@thelearningbar.com wrote:
> Load test users from Jmeter.
>
> Cheers,
> Charles
>
> On Mon, Oct 29, 2012 at 11:25 AM, André Warnier a...@ice-sa.com wrote:
>> Charles Richard wrote:
>>> I'm doing some performance tuning on our application and noticed a couple of days ago that which a load of 1500 users, my threads in VisualVM would
>>
>> Just a side question : where are these users ? are these processes running on the same machine ?
Re: unknown state in VisualVM
Actually, never mind, wrong timestamp, apache and mod_jk are seemingly down during load with no errors in Apache or mod_jk log.

Thanks,
Charles

On Wed, Oct 31, 2012 at 3:38 PM, Charles Richard charle...@thelearningbar.com wrote:
> In case this would help further, I also see this in my debug mod_jk log:
> [...]
> The port used for worker3 should definitely have been listening. Is this normal? The application is under load, 1500 jmeter users.
RE: Comma related bug in org.apache.catalina.valves.RemoteIpValve
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 October 2012 17:18
> To: Tomcat Users List
> Subject: Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>
> Simon,
>
> On 10/30/12 1:39 PM, Simon Dean wrote:
>> I'm using Tomcat 6.0.35 on Windows 7 and RHEL 6.x. I think I've stumbled upon a bug in org.apache.catalina.valves.RemoteIpValve.
>
> I think you have, too. Please log this in Tomcat's bugzilla:
> https://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206

Thanks Chris. I've now raised:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54080
Apache httpd reverse proxy setup
Hi,

There are at least 3 different approaches for configuring Apache httpd 2.2 to act as a reverse proxy for Tomcat 7.0:

a) mod_proxy_http
b) mod_proxy_ajp
c) mod_jk

There's been quite a lot of discussion about the differences of each one but a lot of that discussion appears to be either not very analytical or outdated. What are the current differences and tradeoffs with using these alternatives?

Quite a few writers appear to recommend mod_jk if performance and HA features are critical. But Apache 2.2 mod_proxy supports some load balancing and failover features through mod_proxy_balancer. Also, mod_cache can be used to offload static resource serving from the back-end to provide something similar to JkMount. Does mod_jk still have a lead when it comes to these features?

From a setup point of view, using mod_proxy_http/ajp is a lot simpler than mod_jk because e.g. on a Linux system you can typically install these using a system package manager. For mod_jk you need to either have a compilation environment on your production system (which the sysops don't like) or compile and package the module on another machine with a compatible OS setup.

marko
Re: Apache httpd reverse proxy setup
On 31/10/2012 19:55, Marko Asplund wrote:
> Hi,
>
> There are at least 3 different approaches for configuring Apache httpd 2.2 to act as a reverse proxy for Tomcat 7.0:
>
> a) mod_proxy_http
> b) mod_proxy_ajp
> c) mod_jk
>
> There's been quite a lot of discussion about the differences of each one but a lot of that discussion appears to be either not very analytical or outdated. What are the current differences and tradeoffs with using these alternatives?

http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp

The mod_proxy_ajp stability issues are less of an issue now than they were when I wrote that article. What that means is if you want the SSL benefits of AJP with the mod_proxy_xxx benefits of consistent configuration then mod_proxy_ajp is the way to go.

Mark

> [...]
Re: Windows Service Security
Martin Gainty wrote:
> Good Afternoon Bill
>
> did you have a chance to take a look at the how to for configuring Windows domain controller (to enable Tomcat to support Windows authentication)
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
>
> Does this help?

Probably not at all, except in utterly confusing the OP, if he is not familiar with this list.
He's not asking about authenticating Tomcat users. He's asking about running Tomcat as a normal Windows user, as opposed to "LocalSystem" e.g.

Bill,

- create a local user, e.g. "tomcat"
- stop Tomcat
- use whatever path the Microsoft geniuses have invented this week to reach the "Services" applet
- search for the "Apache Tomcat" Service
- right click on it and select "Settings" or "Properties" (ditto)
- in the tab "Login as" (or ditto), change the account to the one you just created
- before you restart Tomcat, make sure that all its files/directories can be read/written by this user
- then restart Tomcat

As long as the Tomcat process (and any of its webapps) does not need any Windows network resources (network shares or printers or the like), you'll be fine. If you need any of these, then you'll have to use a Domain user instead of a local one. (Note that Tomcat probably does not need any of those, since it was running fine as LocalSystem and that user does not have access to Windows network resources either).
Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
Simon Dean wrote:
>> -Original Message-
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: 31 October 2012 17:18
>> To: Tomcat Users List
>> Subject: Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Simon,
>>
>> On 10/30/12 1:39 PM, Simon Dean wrote:
>>> I'm using Tomcat 6.0.35 on Windows 7 and RHEL 6.x. I think I've stumbled upon a bug in org.apache.catalina.valves.RemoteIpValve.
>>
>> I think you have, too. Please log this in Tomcat's bugzilla:
>> https://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206
>
> Thanks Chris. I've now raised: https://issues.apache.org/bugzilla/show_bug.cgi?id=54080

It's actually going to be interesting to see the patch, because the number of characters that can be used as separators between regexes, which don't themselves have any special meaning in regexes, is pretty limited. We'll probably end up with something like <tag>regex1,regex2,...</tag>. Or a single regex, with | between the alternatives (which could be a workaround for you now, I guess).
Re: Apache httpd reverse proxy setup
Marko Asplund wrote:
> Hi,
>
> There are at least 3 different approaches for configuring Apache httpd 2.2 to act as a reverse proxy for Tomcat 7.0:
> a) mod_proxy_http
> b) mod_proxy_ajp
> c) mod_jk
>
> There's been quite a lot of discussion about the differences of each one but a lot of that discussion appears to be either not very analytical or outdated. What are the current differences and tradeoffs with using these alternatives?
>
> Quite a few writers appear to recommend mod_jk if performance and HA features are critical. But Apache 2.2 mod_proxy supports some load balancing and failover features through mod_proxy_balancer. Also, mod_cache can be used to offload static resource serving from the back-end to provide something similar to JkMount. Does mod_jk still have a lead when it comes to these features?
>
> From a setup point of view, using mod_proxy_http/ajp is a lot simpler than mod_jk because e.g. on a Linux system you can typically install these using a system package manager. For mod_jk you need to either have a compilation environment on your production system (which the sysops don't like) or compile and package the module on another machine with a compatible OS setup.

Just a note to say that "on a Linux system" above is probably too broad a generalisation. To my knowledge, most Linux distributions offer a mod_jk package. RedHat doesn't, which is indeed a pain.
RE: Comma related bug in org.apache.catalina.valves.RemoteIpValve
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Comma related bug in org.apache.catalina.valves.RemoteIpValve
>
> We'll probably end up with something like <tag>regex1,regex2,...</tag>. Or a single regex, with | between the alternatives (which could be a workaround for you now, I guess).

I have a vague memory of a discussion on either the dev or users' list about simply removing the comma separation, and using just regex standard formats. As I recall, the final resolution was to remove the comma separation in Tomcat 7, but keep it in 6 for compatibility - even if it is broken and not completely resolvable. If you look at the RemoteIpValve doc for 7, you'll see there's no mention of comma-separated regexes.

The moral of the story: upgrade.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
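The two messages above describe the problem (a comma-delimited list of regexes falls apart when a regex itself contains a comma) and the workaround (one regex with `|` between the alternatives). The following is an added example, written for this page and not taken from the thread or from Tomcat's source: it splits a two-rule internal-proxy specification on commas, shows that the `{1,3}` quantifiers get cut in half, and runs both spellings through a simplified model of the X-Forwarded-For walk that a valve like RemoteIpValve performs. All function names, the sample addresses and the regex text are my own constructions; the walk is a simplification of the real valve, not its code.

```python
from __future__ import annotations

import re

# Constructed sample values (not from the thread).  The client sits in the
# RFC 5737 documentation range; the proxies use private addresses.
REMOTE_ADDR = "10.1.2.3"              # the proxy that opened the connection
XFF_HEADER = "203.0.113.7, 10.9.9.9"  # real client, then an inner proxy hop

# The same two internal-proxy rules, written as a comma-delimited list
# (the Tomcat 6 style) and as one regex with '|' alternatives (the workaround).
COMMA_LIST_SPEC = r"10\.\d{1,3}\.\d{1,3}\.\d{1,3},192\.168\.\d{1,3}\.\d{1,3}"
ALTERNATION_SPEC = r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"


def compile_fragments(spec: str) -> list[re.Pattern | None]:
    """Naive 'comma-delimited list of regexes' parsing (the fragile approach).

    The split also cuts through {m,n} quantifiers, so the two intended rules
    become seven fragments.  A fragment that fails to compile is kept as None
    so the caller can see how many rules survived.  (java.util.regex rejects
    an unclosed '{'; Python's re quietly treats it as a literal, which is no
    better: the fragment then matches something nobody intended.)
    """
    rules: list[re.Pattern | None] = []
    for frag in spec.split(","):
        try:
            rules.append(re.compile(frag))
        except re.error:
            rules.append(None)
    return rules


def compile_single(spec: str) -> list[re.Pattern | None]:
    """The workaround: one regex with '|' alternatives, no splitting at all."""
    return [re.compile(spec)]


def is_internal(addr: str, rules: list[re.Pattern | None]) -> bool:
    """Whole-string match, mirroring the valve's Matcher.matches() semantics."""
    return any(r is not None and r.fullmatch(addr) is not None for r in rules)


def resolve_client_ip(remote_addr: str, xff: str,
                      rules: list[re.Pattern | None]) -> tuple[str, list[str]]:
    """Simplified model of the valve's X-Forwarded-For walk (my own code).

    The header is consulted only when the TCP peer is itself an internal
    proxy; otherwise it is attacker-controlled and ignored.  Hops are read
    right to left; the first hop that is not an internal proxy is the client.
    Returns (client_ip, internal_hops_skipped).
    """
    if not is_internal(remote_addr, rules):
        return remote_addr, []
    skipped = [remote_addr]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_internal(hop, rules):
            skipped.append(hop)
            continue
        return hop, skipped
    return remote_addr, skipped  # every hop was internal; nothing to report


def demo() -> dict:
    """Run both configurations against the constructed request."""
    broken = compile_fragments(COMMA_LIST_SPEC)
    fixed = compile_single(ALTERNATION_SPEC)
    return {
        "fragments_after_split": len(broken),
        "proxy_recognised_with_list": is_internal(REMOTE_ADDR, broken),
        "client_ip_with_list": resolve_client_ip(REMOTE_ADDR, XFF_HEADER, broken)[0],
        "proxy_recognised_with_single": is_internal(REMOTE_ADDR, fixed),
        "client_ip_with_single": resolve_client_ip(REMOTE_ADDR, XFF_HEADER, fixed)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the comma-split list the proxy at 10.1.2.3 is never recognised as internal, so the header is ignored and the application sees the proxy's address as the client; with the single `|` regex the walk skips both internal hops and reports 203.0.113.7. The same whole-string matching is what keeps the workaround safe: an alternative that is too loose (say, a bare `.*`) would make every peer "internal" and let any client choose its own reported address via X-Forwarded-For, so the alternatives should stay as specific as the separate rules were.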
Re: Windows Service Security
> Bill,
> - create a local user, e.g. tomcat
> - stop Tomcat
> - use whatever path the Microsoft geniuses have invented this week to reach the Services applet
> - search for the Apache Tomcat Service
> - right click on it and select Settings or Properties (ditto)
> - in the tab Login as (or ditto), change the account to the one you just created
> - before you restart Tomcat, make sure that all its files/directories can be read/written by this user
> - then restart Tomcat
>
> As long as the Tomcat process (and any of its webapps) does not need any Windows network resources (network shares or printers or the like), you'll be fine. If you need any of these, then you'll have to use a Domain user instead of a local one. (Note that Tomcat probably does not need any of those, since it was running fine as LocalSystem and that user does not have access to Windows network resources either).

Or you can use one of the two built-in accounts in Windows 2008 (and possibly Windows 2003): Local Service and Network Service. From what I have seen, these two accounts are simple users on the computer (with some extended rights for accessing network shares for Network Service). They have no administrative rights on the system, so you have to allow them read or write access on the different folders where tomcat might read or write.

Documentation for these accounts can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686005(v=vs.85).aspx
Redirect to another Tomcat instance...
Hi All,

I need to do a redirect from one Tomcat instance to another on the same physical server. That should be possible correct?

Regards,
-Tony
Re: Redirect to another Tomcat instance...
Tony Anecito wrote:
> Hi All,
>
> I need to do a redirect from one Tomcat instance to another on the same physical server. That should be possible correct?

From the way you phrase this, I guess you mean proxy rather than re-direct. If so, as far as I know you are out of luck, because I think Tomcat doesn't do proxy. If you provide a bit more details about what exactly you want to do, maybe someone can help you better.

P.S. Tony, you've been on this list for a while. It never hurts to provide Tomcat version, host type etc. Saves time later, usually.
Re: Windows Service Security
Cédric Couralet wrote:
>> Bill,
>> - create a local user, e.g. tomcat
>> - stop Tomcat
>> - use whatever path the Microsoft geniuses have invented this week to reach the Services applet
>> - search for the Apache Tomcat Service
>> - right click on it and select Settings or Properties (ditto)
>> - in the tab Login as (or ditto), change the account to the one you just created
>> - before you restart Tomcat, make sure that all its files/directories can be read/written by this user
>> - then restart Tomcat
>>
>> As long as the Tomcat process (and any of its webapps) does not need any Windows network resources (network shares or printers or the like), you'll be fine. If you need any of these, then you'll have to use a Domain user instead of a local one. (Note that Tomcat probably does not need any of those, since it was running fine as LocalSystem and that user does not have access to Windows network resources either).
>
> Or you can use one of the two built-in accounts in Windows 2008 (and possibly Windows 2003): Local Service and Network Service. From what I have seen, these two accounts are simple users on the computer (with some extended rights for accessing network shares for Network Service). They have no administrative rights on the system, so you have to allow them read or write access on the different folders where tomcat might read or write.
>
> Documentation for these accounts can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686005(v=vs.85).aspx

Maybe as a suggestion for the people who make the installers for Tomcat/Windows ?
Re: Redirect to another Tomcat instance...
Hi Andre,

I have a blog app that I want to isolate to another Tomcat instance and leave my web services on my existing one. Can I not run the second Tomcat service on port 82 for example and redirect requests for my blog to the second Tomcat running on port 82?

Does that help?

-Tony

--- On Wed, 10/31/12, André Warnier a...@ice-sa.com wrote:

> From: André Warnier a...@ice-sa.com
> Subject: Re: Redirect to another Tomcat instance...
> To: Tomcat Users List users@tomcat.apache.org
> Date: Wednesday, October 31, 2012, 3:02 PM
>
> Tony Anecito wrote:
>> Hi All,
>>
>> I need to do a redirect from one Tomcat instance to another on the same physical server. That should be possible correct?
>
> From the way you phrase this, I guess you mean proxy rather than re-direct. If so, as far as I know you are out of luck, because I think Tomcat doesn't do proxy. If you provide a bit more details about what exactly you want to do, maybe someone can help you better.
>
> P.S. Tony, you've been on this list for a while. It never hurts to provide Tomcat version, host type etc. Saves time later, usually.
Re: Windows Service Security
> Maybe as a suggestion for the people who make the installers for Tomcat/Windows ?

I'm not sure I understand (you'll have to excuse my poor understanding of English nuance :) ). My reply was not a suggestion, but it would be great if the installer could provide the option. I never looked at how the installer was made, so I do not know if it is possible.

--
Cédric Couralet
RE: Redirect to another Tomcat instance...
> From: Tony Anecito [mailto:adanec...@yahoo.com]
> Subject: Re: Redirect to another Tomcat instance...
>
> I have a blog app that I want to isolate to another Tomcat instance and leave my web services on my existing one. Can I not run the second Tomcat service on port 82 for example and redirect requests for my blog to the second Tomcat running on port 82?

This is the most popular mechanism: http://tuckey.org/urlrewrite/

You can install it as a filter in your default (ROOT) webapp, and it can redirect to wherever you want.

- Chuck
RE: Redirect to another Tomcat instance...
Many thanks Chuck!

--- On Wed, 10/31/12, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

> From: Caldarale, Charles R chuck.caldar...@unisys.com
> Subject: RE: Redirect to another Tomcat instance...
> To: Tomcat Users List users@tomcat.apache.org
> Date: Wednesday, October 31, 2012, 4:04 PM
>
>> From: Tony Anecito [mailto:adanec...@yahoo.com]
>> Subject: Re: Redirect to another Tomcat instance...
>>
>> I have a blog app that I want to isolate to another Tomcat instance and leave my web services on my existing one. Can I not run the second Tomcat service on port 82 for example and redirect requests for my blog to the second Tomcat running on port 82?
>
> This is the most popular mechanism: http://tuckey.org/urlrewrite/
>
> You can install it as a filter in your default (ROOT) webapp, and it can redirect to wherever you want.
>
> - Chuck