Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Mubeen Shah
Thank you Brett for your comments.

Here is tomcat startup script (/etc/init.d/tomcat7)

#!/bin/bash
# tomcat start/stop script

export JAVA_HOME=/usr/lib/jvm/java-7-oracle
export CATALINA_HOME=/opt/tomcat7

# Run the stock Tomcat scripts as the unprivileged tomcat7 user
start() {
   su tomcat7 -s /bin/sh -c "$CATALINA_HOME/bin/startup.sh"
}

stop() {
   su tomcat7 -s /bin/sh -c "$CATALINA_HOME/bin/shutdown.sh"
}

case "$1" in
  start|stop) "$1";;
  restart) stop; start;;
  # Quoted so that the | characters are printed rather than parsed as pipes
  *) echo "Run as $0 start|stop|restart"; exit 1;;
esac

I made slight change in startup.sh file too (replaced old exec line):
exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"

my setenv.sh file:
CATALINA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m -XX:+UseConcMarkSweepGC"
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib

I installed authbind previously and executed following lines:
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80

When I remove the APR connector from server.xml, Tomcat works fine with
the tomcat7 user.

Regards,
Mubeen

On Thu, Jan 16, 2014 at 5:41 AM, Brett Delle Grazie 
brett.dellegra...@gmail.com wrote:

 Hi,

 See interleaved.


 On 15 January 2014 16:53, Mubeen Shah mubeens...@gmail.com wrote:

  Hello,
 
  I am trying to configure tomcat 7 on ubuntu machine and wanted to run it
 as
  non-root on port 80, Here is what I did so far:
 
  OS (Ubuntu 12.04 LTS):
 
  - installed oracle JDK 1.7.0_45 using apt-get
  - downloaded and extracted tomcat 7.0.50 (.gz format)
  - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to
 this
  user
  - changed tomcat default port to 80 in server.xml
  - installed and configured authbind tool
  - created sh script /etc/init.d/tomcat7 to start tomcat as tomcat user.
 

 What was in this script?


  - tomcat 7 was working as expected on 80 port as non-root user.
 

 That is surprising, see further below.


  - later I configured APR 1.5.0 and tried to run tomcat again, I got this
  error:
 
  Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
  Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
  Jan 15, 2014 6:24:46 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
  Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-80]
  Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
  SEVERE: Failed to initialize end point associated with ProtocolHandler [http-apr-80]
  java.lang.Exception: Socket bind failed: [13] Permission denied
      at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:430)
      at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
      at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
      at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
      at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:664)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
 

 This is expected.


 
  If I am removing out this line from server.xml:
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
 
  Tomcat working on 80 port as non-root user and starting http-bio-80
  properly.
 
  Another thing is if I am trying to run tomcat as root along with APR
  support, its working just fine.
 
  Any advise why its working on http-bio-80 while throwing bind exception
  on http-apr-80??
 

 Linux will not allow anything but root to bind on ports < 1024.
 Usually the process starts as root, binds to the port and then drops its
 privileges back to the desired user.
 You'll need to use jsvc to start Tomcat and drop privileges. It is simply
 apache commons daemon and you should use version 1.0.15 or higher, I'm not
 sure what version is in 12.04 LTS so you may need to 

Re: jasper2 doesn't support the validateXml attribute

2014-01-16 Thread André Warnier

Gernot wrote:

2014/1/15 Mark Thomas ma...@apache.org


Gernot gern...@nurfuerspam.de wrote:

Hi,

I did an upgrade from tomcat 7.0.29 to 7.0.50.
In 7.0.50 jasper2 ant task quits with error 'jasper2 doesn't support
the
validateXml attribute'

Here's the mentioned code:
   <jasper2 validateXml="false"
            uriroot="${build}"
            webXmlFragment="${build}/WEB-INF/generated_web.xml"
            addWebXmlMappings="true"
            outputDir="${build}/WEB-INF/classes"
            compilerSourceVM="7.0"
            compilerTargetVM="7.0" />


I haven't found any information about this in tomcat's changelog.
Is this a bug? Or a feature?
What's the suggested way to handle this error?

Thanks

It got renamed to validateTld to better describe what it actually does as
part of the XML work in 7.0.48 (which wasn't released until 7.0.50). I see
at least one place in the docs where this wasn't changed. I'll get that
fixed for the next release. If this turns out to be a problem for folks we
can add support for the old name as well.

Mark



In my opinion it's not a good idea to break api in minor version upgrade.
And why isn't there any comment in the changelog?

Please document changes in the changelog!



In principle, you are probably right.
But regarding the tone, the appropriate answer here would probably be: how much are you 
willing to pay for this?
In other words, maybe it temporarily slipped your mind that Tomcat is Open Source and 
Free, and that the people who contribute to it are doing this on a voluntary basis?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Adding another schema to the web.xml

2014-01-16 Thread Blaise Gervais
Hello,

I have a webapp named portal that gathers information about other webapps
(modules) running on the same Tomcat instance. The portal uses JMX to
list all the webapps and then parses the web.xml to extract the module's
name and description. So I can create a page with a link to all those
modules (like the Tomcat manager).

But now, some modules expect parameters and I would like to be able to
ask the user for those parameters before sending them to the module.
To keep everything in a single place, I would like to create a schema that
describes those parameters and use it inside the web.xml.

The app is intended to be deployed only on our tomcat, which doesn't validate
the web.xml. Does that seem to be a good idea?

Thanks


Re: Adding another schema to the web.xml

2014-01-16 Thread André Warnier

Blaise Gervais wrote:

Hello,

I have a webapp named portal who gather informations about other webapps
(modules) running on the same Tomcat instance. The portal use JMX to
list all the webapps and then parse the web.xml to extract the module 's
name and description. So I can create a page with a link to all those
modules (Like the Tomcat manager).

But now, some modules expects parameters and I would like to be able to
ask for those parameters to the user before sending them to the module.
To keep everything in a single place, I would like to create a schema who
describe those parameters and use it inside the web.xml.

The app is intended to be deployed only on our tomcat who don't validate
the web.xml. Does that seems to be a good idea ?



Personal subjective comments only :

This sounds like a question a bit out of scope for this Tomcat Users list, and is more a 
question of generic application design.


About the idea : it sounds nice as a proof of concept kind of app.
But I get the impression that you are making it a bit more complicated than it ought to 
be.  That your portal app would gather info about the other apps and present it in a nice 
page with links, sounds nice.
But then, when the user chooses an application, why do you just not re-direct them to the 
corresponding application, which already knows how to ask for and handle its own parameters ?
(There are probably also quite a bit of security issues and other complexities involved 
otherwise)(independently of coherence, maintenance, webapp separation etc.)


All in all, it sounds to me as a bit over-engineered, if you get my meaning.

Only my 2 cent, as M.E. would say.






Re: [ANN] Apache Tomcat 7.0.50 released

2014-01-16 Thread Violeta Georgieva
2014/1/12 David Law tomcat.u...@apconsult.de

 Thanks for that. :-)

 You might like to correct this Typo under Tomcat 7.0.50 / Catalina:
 Streamline handling of WebSocket messages whe...
 to when or where for example.

Thanks for pointing that out. I fixed it with r1558789.

Regards
Violeta

 All the best,
 DaveLaw


 On 12/01/2014 11:15, Violeta Georgieva wrote:

 The Apache Tomcat team announces the immediate availability of Apache
 Tomcat 7.0.50.

 Apache Tomcat is an open source software implementation of the Java
 Servlet, JavaServer Pages and Java Expression Language technologies.

 This release contains a number of bug fixes and improvements compared to
 version 7.0.47.

 Please refer to the change log for the complete list of changes:
 http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

 Note: This version has 4 zip binaries: a generic one and
three bundled with Tomcat native binaries for Windows
operating
systems running on different CPU architectures.

 Note: Use of the JSR-356 Java WebSocket 1.0 implementation requires Java
7.

 Note: If you use the APR/native AJP or HTTP connector you *must* upgrade
to version 1.1.29 or later of the APR/native library.

 Downloads:
 http://tomcat.apache.org/download-70.cgi

 Migration guides from Apache Tomcat 5.5.x and 6.0.x:
 http://tomcat.apache.org/migration.html






SSL certificates

2014-01-16 Thread Miten Mehta
Hi,

I am understanding SSL for tomcat using
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
1) I create jks using self signed certificate using keytool.
2) I generate CSR from that keystore/certificate.
3) I get it signed by CA who gives me root certificate and signed
certificate.
4) I need to delete the existing certificate from keystore and then import
root and signed one?

The docs do not mention deleting the existing certificate; if I import
it for the same alias, will it not complain?
Do I need to keep the existing certificate and import the new one under a new alias?
Will the existing one become redundant?

Regards,

Miten


Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

On 1/16/14 9:01 AM, Miten Mehta wrote:

Hi,

I am understanding SSL for tomcat using
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
1)I create jks using self signed certificate using keytool.
2) I generate CSR from that keystore/certificate.
3) I get it signed by CA who gives me root certificate and signed
certificate.


So far, so good.


4) I need to delete the existing certificate from keystore and then import
root and signed one ?


NO! ABSOLUTELY NOT!

You import the signed certificate into THE SAME KEYSTORE, UNDER THE SAME 
ALIAS, *ON TOP OF* THE UNSIGNED CERTIFICATE!


Not only will it not complain; it is the ONLY way to apply the CSR reply.

--
James H. H. Lampert
Touchtone Corporation





Re: SSL certificates

2014-01-16 Thread Miten Mehta
Hi,

Adding more clarification for ease below.

1) create keystore.jks with self signed cert (alias tomcat).
2) generate old.csr and send for signing to CA
3) get back new.cer (signed certificate) and root.cer (root certificate)
4) delete existing cert from keystore.jks (alias tomcat)
5) import root cert (alias root)
6) import new cert (alias tomcat)

From server.xml now in connector entry for ssl use alias tomcat to refer to
it.  Earlier when there was only tomcat (no root) the alias might not have
been needed but now since there are two cert we need alias.

Regards,

Miten.


On Thu, Jan 16, 2014 at 10:31 PM, Miten Mehta indiami...@gmail.com wrote:

 Hi,

 I am understanding SSL for tomcat using
 http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
 1)I create jks using self signed certificate using keytool.
 2) I generate CSR from that keystore/certificate.
 3) I get it signed by CA who gives me root certificate and signed
 certificate.
 4) I need to delete the existing certificate from keystore and then import
 root and signed one ?

 The docs do not mention to delete the existing certificate then if I
 import it for same alias will not it complain ?
 Do I need to keep existing certificate and import new one under new alias
 ? will existing become redundant ?

 Regards,

 Miten




Re: SSL certificates

2014-01-16 Thread Ike Ikonne
Hi,

Step #4 is not correct; if you delete the existing certificate you would
have lost everything.  Please follow the instruction  given by James H. H. 
Lampert.

Thanks,

Ike




From:   Miten Mehta indiami...@gmail.com
To: users@tomcat.apache.org, 
Date:   01/16/2014 11:09 AM
Subject:Re: SSL certificates



Hi,

Adding more clarification for ease below.

1) create keystore.jks with self signed cert (alias tomcat).
2) generate old.csr and send for signing to CA
3) get back new.cer (signed certificate) and root.cer (root certificate)
4) delete existing cert from keystore.jks (alias tomcat)
5) import root cert (alias root)
6) import new cert (alias tomcat)

From server.xml now in connector entry for ssl use alias tomcat to refer 
to
it.  Earlier when there was only tomcat (no root) the alias might not have
been needed but now since there are two cert we need alias.

Regards,

Miten.


On Thu, Jan 16, 2014 at 10:31 PM, Miten Mehta indiami...@gmail.com 
wrote:

 Hi,

 I am understanding SSL for tomcat using
 http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
 1)I create jks using self signed certificate using keytool.
 2) I generate CSR from that keystore/certificate.
 3) I get it signed by CA who gives me root certificate and signed
 certificate.
 4) I need to delete the existing certificate from keystore and then 
import
 root and signed one ?

 The docs do not mention to delete the existing certificate then if I
 import it for same alias will not it complain ?
 Do I need to keep existing certificate and import new one under new 
alias
 ? will existing become redundant ?

 Regards,

 Miten





Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

? will existing become redundant ?


NO, the SIGNED certificate will, at least in effect, be MERGED with the 
original certificate.


Deleting the original certificate from the keystore before importing the 
signed one will render the signed certificate WORTHLESS.


--
James H. H. Lampert
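
The difference between importing the CA reply on top of the existing alias and deleting that alias first, as an added example that is not part of the original thread. It assumes a JDK 7 or later keytool on the PATH; the demo CA (a stand-in for the real CA, using keytool -gencert), the password, the DNs, the function names and the ca.jks and deleted-first.jks files are constructed for illustration, while keystore.jks, old.csr, new.cer, root.cer and the aliases tomcat and root follow the thread.

```shell
#!/bin/sh
# Added example: keytool CSR round trip against a throwaway local CA.
# Passwords, DNs and the CA itself are constructed for the demo.

PW=changeit   # demo password only

# Stand-in for the real CA: a self-signed CA keypair in its own keystore,
# plus its exported certificate (root.cer).
make_demo_ca() {   # $1 = working directory
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Demo Root CA" -ext bc=ca:true \
        -keystore "$1/ca.jks" -storepass "$PW" -keypass "$PW" &&
    keytool -exportcert -rfc -alias ca -file "$1/root.cer" \
        -keystore "$1/ca.jks" -storepass "$PW"
}

# Steps 1-3 from the thread: keypair (keytool wraps the public key in a
# self-signed placeholder certificate), CSR, and the CA's signed reply.
make_keystore_and_reply() {   # $1 = working directory
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=www.example.test" \
        -keystore "$1/keystore.jks" -storepass "$PW" -keypass "$PW" &&
    keytool -certreq -alias tomcat -file "$1/old.csr" \
        -keystore "$1/keystore.jks" -storepass "$PW" &&
    keytool -gencert -rfc -alias ca -infile "$1/old.csr" -outfile "$1/new.cer" \
        -keystore "$1/ca.jks" -storepass "$PW"
}

# Root under its own alias, then the reply under the given alias.
import_root_and_reply() {   # $1 = keystore, $2 = dir holding root.cer and new.cer
    keytool -importcert -noprompt -alias root -file "$2/root.cer" \
        -keystore "$1" -storepass "$PW" &&
    keytool -importcert -noprompt -alias tomcat -file "$2/new.cer" \
        -keystore "$1" -storepass "$PW"
}

# Correct path: the alias still holds the private key, so keytool treats
# new.cer as a certificate reply and replaces the placeholder certificate.
import_reply_same_alias() {   # $1 = keystore, $2 = dir
    import_root_and_reply "$1" "$2"
}

# Mistaken step 4: deleting the alias removes the private key with it, so
# the later import can only store new.cer as a plain trusted certificate.
import_after_delete() {   # $1 = keystore, $2 = dir
    keytool -delete -alias tomcat -keystore "$1" -storepass "$PW" &&
    import_root_and_reply "$1" "$2"
}

# Print the entry type keytool reports for an alias.
entry_type() {   # $1 = keystore, $2 = alias
    keytool -list -alias "$2" -keystore "$1" -storepass "$PW" 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_ca "$dir" && make_keystore_and_reply "$dir" || return 1
    # Work on a copy for the delete-first path so both start from the same state.
    cp "$dir/keystore.jks" "$dir/deleted-first.jks"
    import_reply_same_alias "$dir/keystore.jks" "$dir" || return 1
    import_after_delete "$dir/deleted-first.jks" "$dir" || return 1
    echo "same alias:    $(entry_type "$dir/keystore.jks" tomcat)"
    echo "deleted first: $(entry_type "$dir/deleted-first.jks" tomcat)"
    rm -rf "$dir"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run with RUN_DEMO=1 to see both outcomes: the same-alias import leaves a PrivateKeyEntry, the delete-first import leaves a trustedCertEntry. A TLS connector needs the former, because a trustedCertEntry carries no private key.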




Why does Tomcat take so long to start? how can I monitor status?

2014-01-16 Thread Bradley Rogers
I have an application where Tomcat under CentOS Linux takes about 4 minutes
to be online from the time it starts.  I don't know what it's doing but
wonder if there is a way to ping something in the tomcat to check status?


Re: Why does Tomcat take so long to start? how can I monitor status?

2014-01-16 Thread Daniel Mikusa
On Jan 16, 2014, at 3:04 PM, Bradley Rogers bradley.rogers.engin...@gmail.com 
wrote:

 I have an application where Tomcat under Centos linux takes about 4 minutes
 to be online from the time it starts.

My initial thought is that it's probably the application.  This is true most of 
the time.  Occasionally there can be JAR scanning issues though or an issue 
with entropy.  See here for more info.

  https://wiki.apache.org/tomcat/HowTo/FasterStartUp

  i dont know what its doing but wonder if there is a way to ping something in 
 the tomcat to check status?

My first thought would be to just watch the logs (increasing the log levels if 
necessary) and see what it's doing.  If it sits for a long time in one place or 
you see no output, take a few thread dumps, 10 - 15 seconds apart (kill -3 
<pid>) and investigate further.

Dan





Re: How to validate or parse HTTP request headers ( tomcat version 6.0.18 )

2014-01-16 Thread Christopher Schultz

Kalasareddy,

On 1/15/14, 1:12 AM, kalasareddy lingaraja wrote:
 yes i did it, but thing is that after parsing request in filter: if
 it is success then i should redirect the request to web service
 which running in embedded tomcat instance,
 
 could you help me how to shift control to web service from filter

Read the Javadoc for javax.servlet.Filter.

-chris



Re: [tomcat7] rhel 6 - init.d script works; does not start on reboot

2014-01-16 Thread Christopher Schultz

Eddie,

On 1/15/14, 11:01 AM, Bush, Eddie wrote:
 
 
 -Original Message- From: Daniel Mikusa
 [mailto:dmik...@gopivotal.com] Sent: Wednesday, January 15, 2014
 9:54 AM To: Tomcat Users List Subject: Re: [tomcat7] rhel 6 -
 init.d script works; does not start on reboot
 
 On Jan 15, 2014, at 10:32 AM, Bush, Eddie
 eddie.b...@williams.com wrote:
 
 Howdy, List!
 
 I'm in a bit of a pickle here. I'm a senior dev, and quite good
 at that, but for my new client I'm also charged with configuring
 our machines. We're running on Tomcat 7, so I grabbed the tgz and
 installed it per the instructions.
 
 Everything works great! ... until I reboot the server :) At that
 point, everything else comes up, but tomcat does not.
 
 I have removed all logs and rebooted and see nothing notable in
 any of the tomcat logs (because, of course, it did not start),
 nor can I find anything in syslog or messages. The chkconfig
 command reports that the script is configured to run for runlevel
 2-5, and I've even inspected the links in rc.d/rc*.d and they are
 linked to the init.d script (which is the same danged script that
 works interactively via service tomcat start/stop!)
 
 Dan Where did you get the init script from? EB Off the net
 somewhere, initially. I tweaked it to use sudo to change user to
 tomcat:tomcat though, and I changed the chkconfig declaration to be
 extremely similar to what nginx uses, since that works fine.
 chkconfig likes the script, and sets it up in what looks to be
 perfect form (comparing to other things). These are pretty standard
 scripts though, yes? They basically just delegate to the scripts
 distributed with tomcat, which all end up calling catalina.sh :-)

Note that you shouldn't have to use sudo in init.d scripts: only
root should be running those in the first place.

-chris



Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Erik Engstrom
I can get SSL working without JmxRemoteLifecycleListener, and I can get
JmxRemoteLifecycleListener to work correctly without SSL.  However if I try
to use both I get the following error in catalina.out:

failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
SEVERE: The JMX connector server could not be created or failed to start for the Platform server
java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
    at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
    at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
    at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
    at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
    at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
    at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
    at javax.naming.InitialContext.bind(Unknown Source)
    at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
    ... 20 more
Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
    at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
    at sun.rmi.server.UnicastRef.newCall(Unknown Source)
    at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
    ... 24 more

the ports still get opened but I can not connect via jconsole using ssl or
not.  If I set com.sun.management.jmxremote.ssl=true I can connect properly
without ssl.

The relevant configuration from server.xml:

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
          rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />

and java properties:

-Djavax.net.ssl.keyStore=$KEYSTORE
-Djavax.net.ssl.keyStorePassword=$KEY_PASS
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=$TRUSTSTORE
-Djavax.net.ssl.trustStorePassword=$TRUST_PASS
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=$HOST_IP -Dcom.sun.management.jmxremote.ssl=true

Is it supported to use these together?  If so what am I doing wrong?

Thanks,

Erik


Re: Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Christopher Schultz

Erik,

On 1/16/14, 4:37 PM, Erik Engstrom wrote:
 I can get SSL working without JmxRemoteLifecycleListener, and I can
 get JmxRemoteLifecycleListener to work correctly without SSL.
 However if I try to use both I get the following error in
 catalina.out:
 
 failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
 Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
 SEVERE: The JMX connector server could not be created or failed to start for the Platform server
 java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
     at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
     at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
     at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
 Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
     at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
     at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
     at javax.naming.InitialContext.bind(Unknown Source)
     at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
     ... 20 more
 Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
     at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
     at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
     at sun.rmi.server.UnicastRef.newCall(Unknown Source)
     at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
     ... 24 more
 
 the ports still get opened but I can not connect via jconsole using
 ssl or not.  If I set com.sun.management.jmxremote.ssl=true I can
 connect properly without ssl.
 
 The relevant configuration from server.xml:
 
 <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
           rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />
 
 and java properties:
 
 -Djavax.net.ssl.keyStore=$KEYSTORE 
 -Djavax.net.ssl.keyStorePassword=$KEY_PASS 
 -Dcom.sun.management.jmxremote.ssl.need.client.auth=true 
 -Djavax.net.ssl.trustStore=$TRUSTSTORE 
 -Djavax.net.ssl.trustStorePassword=$TRUST_PASS 
 -Dcom.sun.management.jmxremote.registry.ssl=true 
 -Dcom.sun.management.jmxremote 
 -Dcom.sun.management.jmxremote.authenticate=false 
 -Djava.rmi.server.hostname=$HOST_IP
 -Dcom.sun.management.jmxremote.ssl=true
 
 Is it supported to use these together?  If so what am I doing
 wrong?

Why is libcap.so (not) being loaded?

-chris



Re: Why does Tomcat take so long to start? how can I monitor status?

2014-01-16 Thread Christopher Schultz

Dan,

On 1/16/14, 3:41 PM, Daniel Mikusa wrote:
 On Jan 16, 2014, at 3:04 PM, Bradley Rogers
 bradley.rogers.engin...@gmail.com wrote:
 
 I have an application where Tomcat under Centos linux takes about
 4 minutes to be online from the time it starts.
 
 My initial thought is that it's probably the application.  This is
 true most of the time.  Occasionally there can be JAR scanning
 issues though or an issue with entropy.  See here for more info.
 
 https://wiki.apache.org/tomcat/HowTo/FasterStartUp
 
 i dont know what its doing but wonder if there is a way to ping
 something in the tomcat to check status?
 
 My first thought would be to just watch the logs (increasing the
 log levels if necessary) and see what it's doing.  If it sits for a
 long time in one place or you see no output, take a few thread
 dump, 10 - 15 seconds apart (kill -3 pid) and investigate
 further.

I don't like using kill -3 because the thread dump goes to stdout
(usually catalina.out, kinda polluting it). I like using jstack
better because it goes to the terminal running jstack and not to the
JVM's stdout.

-chris



Re: SSL certificates

2014-01-16 Thread Christopher Schultz

Miten,

On 1/16/14, 12:09 PM, Miten Mehta wrote:
 Hi,
 
 Adding more clarification for ease below.
 
 1) create keystore.jks with self signed cert (alias tomcat).

Why are you self-signing a certificate if you are going to get it
signed by a CA?

 2) generate old.csr and send for signing to CA
 3) get back new.cer (signed certificate) and root.cer (root certificate)
 4) delete existing cert from keystore.jks (alias tomcat)
 5) import root cert (alias root)
 6) import new cert (alias tomcat)

You should be able to create a server key, then a CSR. I happen to
hate keytool (and Java key stores in general) so I avoid it whenever
possible but I'd be surprised if you couldn't create a CSR without
creating a self-signing certificate in the process.

-chris



Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

On 1/16/14 1:49 PM, Christopher Schultz wrote:

Why are you self-signing a certificate if you are going to get it
signed by a CA?


A newly-created keypair in a Java keystore is, by definition, a 
self-signed certificate. And you can't create a CSR without having a 
keypair from which to create it.


One suggestion:

If you haven't done this dozens of times, or don't do it several times a 
year, or haven't done it for a particular CA,


MAKE AT LEAST ONE BACKUP COPY OF YOUR KEYSTORE BEFORE YOU SUBMIT YOUR 
CSR TO THE CA!


That way (and I've been there a number of times) if you screw up your 
keystore while trying to install the signed certificate, you can try again.


You really don't want to pay the fee to the CA, and then find out you've 
screwed up something that you have no way of unscrewing.


Also: if by any chance you're running Tomcat on an AS/400, you want to 
do this whole process on something else entirely, and then FTP your 
keystore into place on the 400. Keytool does NOT work well on AS/400s, 
and I haven't the slightest idea why.


--
James H. H. Lampert




Re: SSL certificates

2014-01-16 Thread Christopher Schultz

James,

On 1/16/14, 5:04 PM, James H. H. Lampert wrote:
 On 1/16/14 1:49 PM, Christopher Schultz wrote:
 Why are you self-signing a certificate if you are going to get
 it signed by a CA?
 
 A newly-created keypair in a Java keystore is, by definition, a 
 self-signed certificate.

That's probably one of the reasons I'm continually confused by using
keytool... generating an RSA key pair should never require the
creation of a certificate. *shrugs*

 And you can't create a CSR without having a keypair from which to
 create it.

That is always true. But you don't need a certificate to create a CSR.

-chris



Re: Oracle Application Server 10g R3 works fine with RK-1048 codepage but Tomcat 7.0.47 does not.

2014-01-16 Thread Christopher Schultz

Тимур,

Let's start over again: you are providing WAY too much extra
information all at once. We don't need to see your web.xml file. We
don't need to see your HTML files. I looked at your comparison but
there was no indication of where the files were different. I can read
neither Russian nor Kazakh. What you do need to do is answer the
questions we are asking to try to help you.

Please answer this simple question:

If the data is correctly-stored in the database (as verified by some
other means), does the fetched-data display correctly in your web pages?

If it's not displaying correctly, please tell us what the Content-Type
HTTP response header is for the page (specifically, the character
encoding). Also, please tell us what the character encoding is for the
/database connection/ to Oracle (the one made from your application to
Oracle).

Finally, how are you connecting to Oracle? Are you using a
Tomcat-configured DataSource or is your web application configuring
things on its own?

I can see that when you attempt to use user.language=ru and
user.country=kz, you get this error from Oracle's driver:

 org.apache.catalina.core.ApplicationContext log MESSAGE =
 ORA-00604: error occurred at recursive SQL level 1 ORA-12705:
 invalid or unknown NLS parameter value specified , ERRORCODE = 604

Can you give us the whole stack trace from that?

It's clear from that error that the default localization settings are
being used to make the database connection. You may have to override
them in order to force the use of the CL8MSWIN1251 code page in the
driver. If the driver is using the correct character encoding, then
Java should get the correct String value. Generating a web page
containing the proper characters should be trivial: just make sure you
send the proper character encoding to the client in your Content-Type
response header.

After you get character-display working, we can tackle character
*input* which is more complicated. Let's make sure we can get data
out, first. Otherwise, you'll never know if you can get the data *in*
correctly.

-chris



Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Christopher Schultz

Brett,

On 1/15/14, 7:41 PM, Brett Delle Grazie wrote:
 On 15 January 2014 16:53, Mubeen Shah mubeens...@gmail.com
 wrote:
 
 Hello,
 
 I am trying to configure tomcat 7 on ubuntu machine and wanted to
 run it as non-root on port 80, Here is what I did so far:
 
 OS (Ubuntu 12.04 LTS):
 
 - installed oracle JDK 1.7.0_45 using apt-get
 - downloaded and extracted tomcat 7.0.50 (.gz format)
 - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to this user
 - changed tomcat default port to 80 in server.xml
 - installed and configured authbind tool
 - created sh script /etc/init.d/tomcat7 to start tomcat as tomcat user.
 
 
 What was in this script?
 
 
 - tomcat 7 was working as expected on 80 port as non-root user.
 
 
 That is surprising, see further below.

[snip]

 Linux will not allow anything but root to bind on ports < 1024.
 Usually the process starts as root, binds to the port and then
 drops its privileges back to the desired user.

Note that the OP is using authbind (or at least attempting to do so).

 You'll need to use jsvc to start Tomcat and drop privileges.

Um... authbind?

Perhaps authbind doesn't work with Java and/or Tomcat/APR but this is
precisely what authbind was designed to do.

-chris



Re: Would a developer please add this mime type to the distro?

2014-01-16 Thread Christopher Schultz

Jeffrey,

On 1/13/14, 5:36 PM, Jeffrey Janner wrote:
 -Original Message-
 From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
 Sent: Friday, January 10, 2014 9:04 PM
 To: Tomcat Users List
 Subject: Re: Would a developer please add this mime type to the distro?
 
 2014/1/11 Jeffrey Janner jeffrey.jan...@polydyne.com:
 Tomcat 7 did a good job of collecting all the new Microsoft mime
 types into the standard web.xml file, but missed the mapping for
 the .one file type for OneNote, even though that's fully
 documented on the Microsoft Mime Types page.
 
 1. What page, exactly?
 
 
 The one on Microsoft's TechNet: 
 http://technet.microsoft.com/en-us/library/ee309278(v=office.12).aspx

 My guess is whoever transcribed this list into HTTPD accidentally
 skipped this one entry. This is the page I built the entries in my
 web.xml from years ago.
 
 The entry is:
 
 <mime-mapping>
   <extension>one</extension>
   <mime-type>application/onenote</mime-type>
 </mime-mapping>
 
 I know I can always add it to my local web.xml, but it's now the only
 one I need and I figured that others might like to have it
 available as a default as well.
 
 2. The list of mime types in Tomcat is kept in sync with the
 similar list in Apache HTTPD.
 
 If I look at HTTPD trunk, that mime-type is mapped to extensions 
 onetoc onetoc2 onetmp onepkg.
 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/mime.types?view=markup#l159
 
 3. IMHO application/onenote is not a valid mime type on the
 Internet, as it is not registered with IANA.
 
 http://www.iana.org/assignments/media-types/media-types.xhtml#application
 
 
 What?  You expect Microsoft to do things the generally accepted
 and/or correct way?
 
 4. Formally, a way to go is to file an enhancement request.
 
 And I do that how?

Bugzilla:

https://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%207

-chris



Re: Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Erik Engstrom
I think it is due to this bug in commons-daemon
https://issues.apache.org/jira/browse/DAEMON-246  but it did not seem to
keep the service from running properly.  I will try with the latest version
that is supposed to have a fix for it but I don't think it will help this
problem.



On Thu, Jan 16, 2014 at 3:45 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Erik,

 On 1/16/14, 4:37 PM, Erik Engstrom wrote:
  I can get SSL working without JmxRemoteLifecycleListener, and I can
  get JmxRemoteLifecycleListener to work correctly without SSL.
  However if I try to use both I get the following error in
  catalina.out:
 
  failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
  Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
  SEVERE: The JMX connector server could not be created or failed to start for the Platform server
  java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
      at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
      at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
      at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
      at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
      at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
      at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
      at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
      at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
      at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
  Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
      at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
      at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
      at javax.naming.InitialContext.bind(Unknown Source)
      at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
      ... 20 more
  Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
      at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
      at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
      at sun.rmi.server.UnicastRef.newCall(Unknown Source)
      at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
      ... 24 more
 
  the ports still get opened but I can not connect via jconsole using
  ssl or not.  If I set com.sun.management.jmxremote.ssl=true I can
  connect properly without ssl.
 
  The relevant configuration from server.xml:
 
  <Listener
  className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
  rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />
 
  and java properties:
 
  -Djavax.net.ssl.keyStore=$KEYSTORE
  -Djavax.net.ssl.keyStorePassword=$KEY_PASS
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
  -Djavax.net.ssl.trustStore=$TRUSTSTORE
  -Djavax.net.ssl.trustStorePassword=$TRUST_PASS
  -Dcom.sun.management.jmxremote.registry.ssl=true
  -Dcom.sun.management.jmxremote
  -Dcom.sun.management.jmxremote.authenticate=false
  -Djava.rmi.server.hostname=$HOST_IP
  -Dcom.sun.management.jmxremote.ssl=true
 
  Is it supported to use these together?  If so what am I doing
  wrong?

 Why is libcap.so (not) being loaded?

 -chris
 

Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Mubeen Shah
Hello,

I am able to run tomcat with jsvc daemon on port 80, but I can see
jsvc.exec process twice with different pid (one with root and other with
non-root):

root 28890  0.0  0.0 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle
-user tomcat7 -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10
-outfile /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath
/opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
-Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m
-XX:+UseConcMarkSweepGC -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
-Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
org.apache.catalina.startup.Bootstrap

tomcat7  28891  3.1  4.6 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle
-user tomcat7 -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10
-outfile /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath
/opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
-Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m
-XX:+UseConcMarkSweepGC -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
-Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
org.apache.catalina.startup.Bootstrap

while process with root not consuming memory or cpu, so is it normal jsvc
behavior or I missed something?

Regards,
Mubeen



On Thu, Jan 16, 2014 at 1:53 PM, Mubeen Shah mubeens...@gmail.com wrote:

 Thank you Brett for your comments.

 Here is tomcat startup script (/etc/init.d/tomcat7)

 #!/bin/bash
 # tomcat start/stop script

 export JAVA_HOME=/usr/lib/jvm/java-7-oracle
 export CATALINA_HOME=/opt/tomcat7

 start() {
    su tomcat7 -s /bin/sh -c "$CATALINA_HOME/bin/startup.sh"
 }

 stop() {
    su tomcat7 -s /bin/sh -c "$CATALINA_HOME/bin/shutdown.sh"
 }

 case "$1" in
   start|stop) "$1";;
   restart) stop; start;;
   *) echo "Run as $0 start|stop|restart"; exit 1;;
 esac

 I made slight change in startup.sh file too (replaced old exec line):
 exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"

 my setenv.sh file:
 CATALINA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m -XX:+UseConcMarkSweepGC"
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib

 I installed authbind previously and executed following lines:
 sudo touch /etc/authbind/byport/80
 sudo chmod 500 /etc/authbind/byport/80
 sudo chown tomcat7 /etc/authbind/byport/80

 When I am removing APR connector from server.xml, tomcat working fine with
 tomcat7 user.

 Regards,
 Mubeen

 On Thu, Jan 16, 2014 at 5:41 AM, Brett Delle Grazie 
 brett.dellegra...@gmail.com wrote:

 Hi,

 See interleaved.


 On 15 January 2014 16:53, Mubeen Shah mubeens...@gmail.com wrote:

  Hello,
 
  I am trying to configure tomcat 7 on ubuntu machine and wanted to run it as
  non-root on port 80, Here is what I did so far:
 
  OS (Ubuntu 12.04 LTS):
 
  - installed oracle JDK 1.7.0_45 using apt-get
  - downloaded and extracted tomcat 7.0.50 (.gz format)
  - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to this user
  - changed tomcat default port to 80 in server.xml
  - installed and configured authbind tool
  - created sh script /etc/init.d/tomcat7 to start tomcat as tomcat user.
 

 What was in this script?


  - tomcat 7 was working as expected on 80 port as non-root user.
 

 That is surprising, see further below.


  - later I configured APR 1.5.0 and tried to run tomcat again, I got this
  error:
 
  Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
  Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
  Jan 15, 2014 6:24:46 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
  Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-80]
  Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
  SEVERE: Failed to initialize end point associated with ProtocolHandler [http-apr-80]
  java.lang.Exception: Socket bind failed: [13] Permission denied
  at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:430)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
  at
 

Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Brett Delle Grazie
Christopher,

On 16 January 2014 22:28, Christopher Schultz
ch...@christopherschultz.net wrote:


 Brett,

 On 1/15/14, 7:41 PM, Brett Delle Grazie wrote:
  On 15 January 2014 16:53, Mubeen Shah mubeens...@gmail.com
  wrote:
 
  Hello,
 
  I am trying to configure tomcat 7 on ubuntu machine and wanted to
  run it as non-root on port 80, Here is what I did so far:
 
  OS (Ubuntu 12.04 LTS):
 
  - installed oracle JDK 1.7.0_45 using apt-get
  - downloaded and extracted tomcat 7.0.50 (.gz format)
  - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to this user
  - changed tomcat default port to 80 in server.xml
  - installed and configured authbind tool
  - created sh script /etc/init.d/tomcat7 to start tomcat as tomcat user.
 
 
  What was in this script?
 
 
  - tomcat 7 was working as expected on 80 port as non-root user.
 
 
  That is surprising, see further below.

 [snip]

  Linux will not allow anything but root to bind on ports < 1024.
  Usually the process starts as root, binds to the port and then
  drops its privileges back to the desired user.

 Note that the OP is using authbind (or at least attempting to do so).


Yes I missed that in the original message, thank you for pointing it out.



  You'll need to use jsvc to start Tomcat and drop privileges.

 Um... authbind?


Noted.



 Perhaps authbind doesn't work with Java and/or Tomcat/APR but this is
 precisely what authbind was designed to do.


The OP looks like they've locally compiled APR. I wonder if that's the root
cause.


 -chris


-- 
Kind regards,

Brett


Re: serialization and newest tomcat

2014-01-16 Thread Christopher Schultz

Ray,

On 1/12/14, 8:45 AM, Ray Holme wrote:
 [S]erialization causes some problems in apache-tomcat-7.0.35
 
 I have several applications and run on fedora linux. I have used
 many releases of fedora and tomcat.
 
 My applications are characterized by
 a) all use a DB (firebird)
 b) all use both jsp and java servlets
 c) all use transient java beans for a round of interaction (user request - user response)
 d) all have 1 or more session java beans for each user (login - logout)
 e) all have 1 or more application beans (initialized at startup, can refresh, passed around)
 f) all have an application specific jar and share a common code jar
 
 Long ago I added serialization to almost all of the java beans to
 stop tomcat whining in the catalina.out file. This worked just fine
 until the most recent tomcat release.
 
 On my development machine, java changes build new jars and
 apache/tomcat must be restarted to work right. Starting with the
 new release, problems with connections happened.
 
 After research, I discovered that the applications were going nuts
 with connection requests and xinetd was shutting down the
 connection factory service. It took a 30 minute wait (or reboot) to
 fix this problem. My guess is that the application wide beans were
 not only being made fresh as always happens (they use one
 connection each to initialize), but that the serialized versions
 were coming back up and trying to refresh causing lots of strange
 connections to be created (if one is not passed, one is made and
 there are many routines each needing a connection).
 
 To solve this problem, I stopped serialization. This solved the
 problem.
 
 From the notes I got from others (thanks Mark and ...):
 
 serialization can be stopped by putting this in many places - here
 is one: appname/META-INF/context.xml
 
 <Manager pathname="" />

Can I venture a guess as to one other important detail you have left
out? It sounds like some of the objects you are putting into the
user's session (HttpSession: the stuff getting serialized to disk
across web application reload or Tomcat stop/start) may have
references to those application-scoped objects. Here's an example of
what I mean:

public class GlobalBean
  implements Serializable
{
}

public class UserBean
  implements Serializable
{
  // Serialized with the session, so the GlobalBean it points to is
  // written out (and later read back) along with this UserBean.
  private GlobalBean _global;
  public UserBean(GlobalBean gb)
  {
    _global = gb;
  }
}

... in your webapp's ServletContextListener:

init() {
  ...
  ServletContext application = getServletContext();
  application.setAttribute("globalBean", new GlobalBean());
  ...
}

... in your servlet:

doGet() {
  ...
  ServletContext application = getServletContext();
  GlobalBean gb = (GlobalBean)application.getAttribute("globalBean");
  HttpSession session = request.getSession();
  session.setAttribute("userBean", new UserBean(gb));
  ...
}

If the above are all happening, then when you de-serialize the
UserBeans, they will de-serialize the GlobalBean instance along with
themselves. If your GlobalBean has to do a bunch of db access or
whatever to initialize itself, it will either have to do that on
deserialization to make itself sane, or it will be in a non-sane
state. In either case, you won't get the newly-created GlobalBean from
your ServletContextListener (or similar) and things may get ... weird.

If this is the case, and you don't really care about the user's
session info, then by all means: disable session serialization and be
done with it. If you need this to work -- or if you need your web
application's sessions to be distributable -- then you are necessarily
going to have to change something with your architecture in order to
get this kind of thing to work in a sane way. My recommendation would
be to pass a GlobalBean into any method on the UserBean that needs to
access it, rather than keeping a reference of any kind. It's kind of
like IOC except ... not really anything like that ;)

-chris
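
The situation described in the message above, as a stand-alone sketch (an added example, not code from the original post). Plain Java serialization to a byte array stands in for session persistence across a restart; the class names `CapturingUserBean` and `DecoupledUserBean`, the `generation` counter and the user name are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.concurrent.atomic.AtomicInteger;

public class SessionSerializationDemo {

    /** Application-scoped bean. The counter stands in for expensive start-up work (DB access). */
    static class GlobalBean implements Serializable {
        private static final long serialVersionUID = 1L;
        static final AtomicInteger CONSTRUCTED = new AtomicInteger();
        final int generation;

        GlobalBean() {
            generation = CONSTRUCTED.incrementAndGet();
        }
    }

    /** The pattern from the post: a session-scoped bean keeps a reference to the global bean. */
    static class CapturingUserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        private final GlobalBean global;

        CapturingUserBean(GlobalBean gb) {
            global = gb;
        }

        int globalGeneration() {
            return global.generation;
        }
    }

    /** The recommended pattern: hold only user state and take the global bean as an argument. */
    static class DecoupledUserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String userName;

        DecoupledUserBean(String userName) {
            this.userName = userName;
        }

        String describe(GlobalBean current) {
            return userName + " uses global bean generation " + current.generation;
        }
    }

    /** Serializes one session attribute, as happens when sessions are saved at shutdown. */
    static byte[] persist(Object attribute) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(attribute);
        }
        return buffer.toByteArray();
    }

    /** Reads a session attribute back, as happens when sessions are reloaded at start-up. */
    static Object restore(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Before the restart: one global bean, two session attributes saved to "disk".
        GlobalBean beforeRestart = new GlobalBean();
        byte[] capturingBytes = persist(new CapturingUserBean(beforeRestart));
        byte[] decoupledBytes = persist(new DecoupledUserBean("constructed-user"));

        // After the restart: the listener builds a fresh global bean for the application scope.
        GlobalBean afterRestart = new GlobalBean();

        // Deserialization does not run GlobalBean's constructor; the capturing bean comes
        // back with its own private copy of the old instance.
        CapturingUserBean stale = (CapturingUserBean) restore(capturingBytes);
        DecoupledUserBean clean = (DecoupledUserBean) restore(decoupledBytes);

        System.out.println("application scope holds generation " + afterRestart.generation);
        System.out.println("capturing bean still sees generation " + stale.globalGeneration());
        System.out.println("constructors run: " + GlobalBean.CONSTRUCTED.get());
        System.out.println(clean.describe(afterRestart));
    }
}
```

The restored `CapturingUserBean` carries a copy of the pre-restart `GlobalBean` that never went through its constructor, while `DecoupledUserBean` works against whichever instance the application scope currently holds.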


Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Christopher Schultz

Mubeen,

On 1/16/14, 5:33 PM, Mubeen Shah wrote:
 Hello,
 
 I am able to run tomcat with jsvc daemon on port 80, but I can see 
 jsvc.exec process twice with different pid (one with root and
 other with non-root):
 
 root 28890  0.0  0.0 jsvc.exec -java-home
 /usr/lib/jvm/java-7-oracle -user tomcat7 -pidfile
 /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
 /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath 
 /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
 -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m 
 -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=
 -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7
 -Djava.io.tmpdir=/opt/tomcat7/temp 
 org.apache.catalina.startup.Bootstrap
 
 tomcat7  28891  3.1  4.6 jsvc.exec -java-home
 /usr/lib/jvm/java-7-oracle -user tomcat7 -pidfile
 /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
 /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath 
 /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
 -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m 
 -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=
 -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7
 -Djava.io.tmpdir=/opt/tomcat7/temp 
 org.apache.catalina.startup.Bootstrap
 
 while process with root not consuming memory or cpu, so is it
 normal jsvc behavior or I missed something?

You missed something:
http://commons.apache.org/proper/commons-daemon/jsvc.html#How_jsvc_works

-chris



Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Christopher Schultz

Brett,

On 1/16/14, 5:44 PM, Brett Delle Grazie wrote:
 Christopher,
 
 On 16 January 2014 22:28, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
 Brett,
 
 On 1/15/14, 7:41 PM, Brett Delle Grazie wrote:
 On 15 January 2014 16:53, Mubeen Shah mubeens...@gmail.com 
 wrote:
 
 Hello,
 
 I am trying to configure tomcat 7 on ubuntu machine and
 wanted to run it as non-root on port 80, Here is what I did
 so far:
 
 OS (Ubuntu 12.04 LTS):
 
 - installed oracle JDK 1.7.0_45 using apt-get
 - downloaded and extracted tomcat 7.0.50 (.gz format)
 - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to this user
 - changed tomcat default port to 80 in server.xml
 - installed and configured authbind tool
 - created sh script /etc/init.d/tomcat7 to start tomcat as tomcat user.
 
 
 What was in this script?
 
 
 - tomcat 7 was working as expected on 80 port as non-root
 user.
 
 
 That is surprising, see further below.
 
 [snip]
 
 Linux will not allow anything but root to bind on ports < 1024.
 Usually the process starts as root, binds to the port and then
 drops its privileges back to the desired user.
 
 Note that the OP is using authbind (or at least attempting to do
 so).
 
 
 Yes I missed that in the original message, thank you for pointing
 it out.
 
 
 
 You'll need to use jsvc to start Tomcat and drop privileges.
 
 Um... authbind?
 
 
 Noted.
 
 
 
 Perhaps authbind doesn't work with Java and/or Tomcat/APR but this
 is precisely what authbind was designed to do.
 
 
 The OP looks like they've locally compiled APR. I wonder if
 that's the root cause.

Possibly. I seem to recall someone complaining about tcnative not
working properly with a new APR version (but I think it was 2.0, not
1.5). It's possible that libapr 1.5.0 has some incompatibility or
something.

It's also possible that authbind (I've never used it) requires some
configuration specifically against the libapr/libtcnative/etc. and not
just against Java itself. That might explain why the BIO connector
works on port 80 but not APR.

-chris



Re: Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Erik Engstrom
the latest commons-daemon 1.0.15 makes the libcap error go away but does
not fix the CommunicationException


On Thu, Jan 16, 2014 at 4:32 PM, Erik Engstrom esengst...@gmail.com wrote:

 I think it is due to this bug in commons-daemon
 https://issues.apache.org/jira/browse/DAEMON-246  but it did not seem to
 keep the service from running properly.  I will try with the latest version
 that is supposed to have a fix for it but I don't think it will help this
 problem.



 On Thu, Jan 16, 2014 at 3:45 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:


 Erik,

 On 1/16/14, 4:37 PM, Erik Engstrom wrote:
  I can get SSL working without JmxRemoteLifecycleListener, and I can
  get JmxRemoteLifecycleListener to work correctly without SSL.
  However if I try to use both I get the following error in
  catalina.out:
 
  failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
  Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
  SEVERE: The JMX connector server could not be created or failed to start for the Platform server
  java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
      at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
      at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
      at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
      at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
      at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
      at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
      at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
      at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
      at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
      at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
  Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
      at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
      at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
      at javax.naming.InitialContext.bind(Unknown Source)
      at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
      ... 20 more
  Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
      at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
      at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
      at sun.rmi.server.UnicastRef.newCall(Unknown Source)
      at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
      ... 24 more
 
  the ports still get opened but I can not connect via jconsole using
  ssl or not.  If I set com.sun.management.jmxremote.ssl=true I can
  connect properly without ssl.
 
  The relevant configuration from server.xml:
 
  <Listener
  className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
  rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />
 
  and java properties:
 
  -Djavax.net.ssl.keyStore=$KEYSTORE
  -Djavax.net.ssl.keyStorePassword=$KEY_PASS
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
  -Djavax.net.ssl.trustStore=$TRUSTSTORE
  -Djavax.net.ssl.trustStorePassword=$TRUST_PASS
  -Dcom.sun.management.jmxremote.registry.ssl=true
  -Dcom.sun.management.jmxremote
  -Dcom.sun.management.jmxremote.authenticate=false
  -Djava.rmi.server.hostname=$HOST_IP
  -Dcom.sun.management.jmxremote.ssl=true
 
  Is it supported to use these together?  If so what am I doing
  wrong?

 Why is libcap.so (not) being loaded?

 -chris
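
Added example (not part of the original thread, and not Tomcat or JDK code): a small shell audit of the com.sun.management.jmxremote.* options quoted in the message above, flagging combinations that leave JMX reachable without authentication or encryption. The defaults used when a property is absent are those of the JDK's built-in JMX agent; that JmxRemoteLifecycleListener applies the same defaults is an assumption, and the function names and the sample values in THREAD_OPTS and WEAK_OPTS are constructed.

```shell
#!/bin/sh
# Added example: audit a JVM option string for the JMX remote settings
# quoted in the thread. jmx_prop and audit_jmx_opts are hypothetical helper
# names, not Tomcat or JDK tools.

# Print the value of -D<name>=<value> from an option string (last one wins).
jmx_prop() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | awk -v k="-D$2=" '
        index($0, k) == 1 { v = substr($0, length(k) + 1); found = 1 }
        END { if (found) print v }'
}

# Print one finding per line: HIGH = exposed, WARN = weak, INFO = nothing to audit.
audit_jmx_opts() {
    opts=$1
    p=com.sun.management.jmxremote
    case "$opts" in
        *"-D$p"*) ;;
        *) echo "INFO no $p properties present"; return 0 ;;
    esac

    # Assumed defaults when a property is absent (JDK built-in agent).
    auth=$(jmx_prop "$opts" "$p.authenticate");          auth=${auth:-true}
    ssl=$(jmx_prop "$opts" "$p.ssl");                    ssl=${ssl:-true}
    cauth=$(jmx_prop "$opts" "$p.ssl.need.client.auth"); cauth=${cauth:-false}
    rssl=$(jmx_prop "$opts" "$p.registry.ssl");          rssl=${rssl:-false}

    if [ "$ssl" != true ]; then
        echo "HIGH ssl=$ssl: JMX traffic, including any credentials, is sent in clear text"
    fi
    if [ "$auth" != true ]; then
        if [ "$ssl" = true ] && [ "$cauth" = true ]; then
            echo "WARN authenticate=$auth: access rests only on which client certificates the truststore accepts"
        else
            echo "HIGH authenticate=$auth without enforced client certificates: anyone who can reach the port can invoke MBean operations"
        fi
    fi
    if [ "$ssl" = true ] && [ "$rssl" != true ]; then
        echo "WARN registry.ssl=$rssl: the RMI registry lookup is not TLS-protected"
    fi
    for pw in keyStorePassword trustStorePassword; do
        v=$(jmx_prop "$opts" "javax.net.ssl.$pw")
        if [ -n "$v" ]; then
            echo "WARN javax.net.ssl.$pw on the command line: readable in the process listing"
        fi
    done
    return 0
}

# Constructed sample: the property set from the message, with made-up values
# in place of $KEYSTORE, $KEY_PASS, $TRUSTSTORE, $TRUST_PASS and $HOST_IP.
THREAD_OPTS='-Djavax.net.ssl.keyStore=/opt/tomcat/conf/jmx-keystore.jks
-Djavax.net.ssl.keyStorePassword=example-key-pass
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=/opt/tomcat/conf/jmx-truststore.jks
-Djavax.net.ssl.trustStorePassword=example-trust-pass
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=192.0.2.10
-Dcom.sun.management.jmxremote.ssl=true'

# Constructed counter-example: the same agent with TLS and authentication off.
WEAK_OPTS='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false'

echo "== options as posted in the thread =="
audit_jmx_opts "$THREAD_OPTS"
echo "== TLS and authentication disabled =="
audit_jmx_opts "$WEAK_OPTS"
```

With the options as posted, the audit reports no HIGH findings: TLS with required client certificates stands in for password authentication, so the truststore contents are the access-control list.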
 

Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

Christopher Schultz wrote:

That is always true. But you don't need a certificate to create a CSR.

shrug
If Keytool and the Java Keystore format even recognize any difference 
between the concepts of keypair and self-signed certificate, it 
would be news to me.

shrug

Speaking of one who regularly installs (and secures) Tomcat on AS/400s 
(in fact, that's the only platform I can recall EVER personally 
installing it on, because I have colleagues who know how to do it on 
other platforms): The messes people can make for themselves by 
misunderstanding the subtleties of Keytool are nothing, compared to the 
mess people can make for themselves trying to use IBM's Digital 
Certificate Manager to secure Tomcat on their 400s (hint: DCM and Tomcat 
are completely incompatible with each other).


--
JHHL




Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Brett Delle Grazie
Mubeen,


On 16 January 2014 08:53, Mubeen Shah mubeens...@gmail.com wrote:

 Thank you Brett for your comments.

You're welcome.
However, as per list convention, please do not top post
(http://tomcat.apache.org/lists.html)


 Here is tomcat startup script (/etc/init.d/tomcat7)

 #!/bin/bash
 # tomcat start/stop script

 export JAVA_HOME=/usr/lib/jvm/java-7-oracle
 export CATALINA_HOME=/opt/tomcat7

 start() {
    su tomcat7 -s /bin/sh -c "$CATALINA_HOME/bin/startup.sh"
 }

 stop() {
    su tomcat7 -s /bin/sh -c "$CATALINA_HOME/bin/shutdown.sh"
 }

 case "$1" in
   start|stop) "$1";;
   restart) stop; start;;
   *) echo "Run as $0 start|stop|restart"; exit 1;;
 esac

 I made slight change in startup.sh file too (replaced old exec line):
 exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"


Which version of authbind is being used?

What does your connector element in server.xml look like?
Are there any other connector elements in server.xml?



 my setenv.sh file:
 CATALINA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m -XX:+UseConcMarkSweepGC"
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib


You might need to add -Djava.library.path=/usr/local/apr/lib into
CATALINA_OPTS as well
I take it you compiled libtcnative locally?




 I installed authbind previously and executed following lines:
 sudo touch /etc/authbind/byport/80
 sudo chmod 500 /etc/authbind/byport/80
 sudo chown tomcat7 /etc/authbind/byport/80


 When I am removing APR connector from server.xml, tomcat working fine with
 tomcat7 user.


Leaving the authbind call in place, can you test with your APR connector at
port > 1024 (e.g. the default 8080).
Does Tomcat start? If not, what is the error?



 Regards,
 Mubeen

 On Thu, Jan 16, 2014 at 5:41 AM, Brett Delle Grazie 
 brett.dellegra...@gmail.com wrote:

  Hi,
 
  See interleaved.
 
 
  On 15 January 2014 16:53, Mubeen Shah mubeens...@gmail.com wrote:
 
   Hello,
  
   I am trying to configure tomcat 7 on ubuntu machine and wanted to run it as
   non-root on port 80, Here is what I did so far:
  
   OS (Ubuntu 12.04 LTS):
  
   - installed oracle JDK 1.7.0_45 using apt-get
   - downloaded and extracted tomcat 7.0.50 (.gz format)
   - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to this user
   - changed tomcat default port to 80 in server.xml
   - installed and configured authbind tool
   - created sh script /etc/init.d/tomcat7 to start tomcat as tomcat user.
  
 
  What was in this script?
 
 
   - tomcat 7 was working as expected on 80 port as non-root user.
  
 
  That is surprising, see further below.
 
 
   - later I configured APR 1.5.0 and tried to run tomcat again, I got this error:
  
   Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
   INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
   Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
   INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
   Jan 15, 2014 6:24:46 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
   INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
   Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
   INFO: Initializing ProtocolHandler [http-apr-80]
   Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
   SEVERE: Failed to initialize end point associated with ProtocolHandler [http-apr-80]
   java.lang.Exception: Socket bind failed: [13] Permission denied
       at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:430)
       at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
       at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
       at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
       at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
       at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
       at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
       at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
       at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:664)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:606)
       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
  
 
  This is expected.
 
 
  
   If I am removing out 

Re: SSL certificates

2014-01-16 Thread Christopher Schultz

James,

On 1/16/14, 6:18 PM, James H. H. Lampert wrote:
 Christopher Schultz wrote:
 That is always true. But you don't need a certificate to create a
 CSR.
 shrug If Keytool and the Java Keystore format even recognize any
 difference between the concepts of keypair and self-signed
 certificate, it would be news to me. shrug
 
 Speaking of one who regularly installs (and secures) Tomcat on
 AS/400s (in fact, that's the only platform I can recall EVER
 personally installing it on, because I have colleagues who know how
 to do it on other platforms): The messes people can make for
 themselves by misunderstanding the subtleties of Keytool are
 nothing, compared to the mess people can make for themselves trying
 to use IBM's Digital Certificate Manager to secure Tomcat on their
 400s (hint: DCM and Tomcat are completely incompatible with each
 other).

:)

Give me OpenSSL any day of the week. ;)

-chris



Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

Christopher Schultz wrote:

:)

Give me OpenSSL any day of the week. ;)


Dunno. Can't recall ever having any experience with it at all. Just DCM 
(for securing IBM-proprietary servers, like their Secured Telnet [NOT 
ssh] server and their various proprietary web-serving products), and 
Keytool (for securing Tomcat, and [if I remember right] for prepping 
jar-signing keys).


--
JHHL




Re: Oracle Application Server 10g R3 works fine with RK-1048 codepage but Tomcat 7.0.47 does not.

2014-01-16 Thread Christopher Schultz

Тимур,

On 1/16/14, 8:23 PM, Тимур Кулибаев wrote:
 Hello, Chris !  Thank you for your response.   Below are answers to
 your questions.
 
 +++If the data is correctly-stored in the database (as verified by
 some +++other means), does the fetched-data display correctly in
 your web pages?
 
 Yes, data is displayed correctly in web-pages. Only problem is
 that with Tomcat 7 Kazakh letters are not displayed correctly. But
 with Oracle Application Server all data including Kazakh letters
 are displayed correctly.

So... data is displayed correctly in web pages or data is not
displayed correctly in web pages? You said both above.

 +++If it's not displaying correctly, please tell us what the
 Content-Type +++HTTP response header is for the page (specifically,
 the character +++encoding).
 
 For Tomcat 7:   lang=ru-RU, content=Oracle UIX,
 charset=UTF-8 type=text/css inside of pages I can see that all
 user data is in UTF-8 - we need force Tomcat works in
 Windows-1251.

If you are indeed setting the charset to UTF-8, then the page
character encoding should be in UTF-8. You don't want to advertise
UTF-8 and then use Windows-1251.

 For Oracle AS: lang=ru, content=Oracle UIX, charset=UTF-8 
 type=text/css inside of pages I can see that all user data is in 
 Windows-1251 that is correct.

If the server is advertising the character set as UTF-8 but using
Windows-1251 then that is a big bug.

I suspect you are not sure what character encoding is being used, but
you know that the characters you expect to work are not working.

 I don't know from where servlet takes charset=UTF-8 as its
 web.xml

Stop right there: charset=UTF-8 has nothing to do with web.xml.

 sets Windows-1251 as servlet default codepage

There is nothing called servlet default codepage.

 Looking through servlet source code there is not explicit 
 HttpServletResponse.setContentType().  May be it comes from
 UIX configuration tables residing in database, I'll ask developers
 about it and let you know.

You will need to check that out. UIX is an Oracle technology and can
do whatever it wants to do.

 +++Also, please tell us what the character encoding is for the 
 +++/database connection/ to Oracle (the one made from your
 application +++to Oracle).

 Database has CL8MSWIN1251 as default codepage and character
 encoding for the database connection to Oracle is also
 CL8MSWIN1251.

Can you confirm that is the case? When setting user.country=kz, it
causes the connection to fail to connect because the locale isn't
supported. That makes me think that you will have to explicitly set
the charset of the connection in order for things to work. For my
money, I'd set the connection charset to UTF-8 because things just
tend to work when you use UTF-8.

 +++Finally, how are you connecting to Oracle? Are you using a 
 +++Tomcat-configured DataSource or is your web application
 configuring +++things on its own?
 
 DataSource is not used. My web-application reads jdbc-connection
 string from web.xml:
 <init-param>
 <param-name>kz.ft.uix.app.driver</param-name>
 <param-value>jdbc:oracle:thin:@10.1.102.124:1526:fb</param-value>
 </init-param>
 
 
 +++I can see that when you attempt to use user.language=ru and 
 +++user.country=kz, you get this error from Oracle's driver:
 
 +++ org.apache.catalina.core.ApplicationContext log MESSAGE = +++
 ORA-00604: error occurred at recursive SQL level 1 ORA-12705: +++
 invalid or unknown NLS parameter value specified , ERRORCODE = 604
 
 +++Can you give us the whole stack trace from that?
 
 First I generated list of all available locales based on java-code
 given here 
 http://www.avajava.com/tutorials/lessons/how-do-i-display-all-available-locales.html;jsessionid=0F8CED6D22D750F6C83FD9477A3A874D
 see attached available locales list and one does not contain kz
 so driver cannot understand this incorrect setting.

If the driver is choking on that setting, I think it's clear that some
character set is being set by whatever kz.ft.uix.app.driver does.

 +++Can you give us the whole stack trace from that?
 
 [No, I can't give you that for some reason]

 When set -Duser.language=ru -Duser.country=RU than no errors,
 all is ok, only Kazakh letters displayed incorrectly. Tomcat 7 and
 Oracle AS uses the same jdbc-driver ojdbc14.jar from Oracle AS.
 Operation systems of hosts have the same configuration.
 
 Oracle AS works in Windows-1251, it sends user data from database
 to browser in Windows-1251. Tomcat 7 works in UTF-8 , it sends user
 data from database to browser in UTF-8, t's the root of the
 trouble. How to make Tomcat 7 works in Windows-1251 ?

The character set used between the server and the browser should not
be an issue as long as:

a. The characters are not already corrupted, and any java.lang.String
values have correct characters
b. The page's character encoding can support the character in question
c. The server sends an accurate character encoding to the client in
the 

Stopping/pausing a Connector

2014-01-16 Thread Randy Toor
Hi,

I'm running embedded tomcat (unfortunately still using the deprecated classes 
and not the newer Tomcat class) and I'm trying to configure my connector at 
runtime to reject requests.

If I use connector.pause(), any requests just hang until I call 
connector.resume().

If I use connector.stop(), the first request gets a 503 service unavailable, 
but any subsequent requests just hang for some reason until I start it again.

Is the latter behaviour expected?  And what would be the best way for me to get 
the 503 service unavailable (or some error) every time?

Tomcat7, by the way.
  

Re: Oracle Application Server 10g R3 works fine with RK-1048 codepage but Tomcat 7.0.47 does not.

2014-01-16 Thread Terence M. Bandoian
On 1/16/2014 7:23 PM, Тимур Кулибаев wrote:
 Hello, Chris !  Thank you for your response.   Below are answers to your
 questions.

 +++If the data is correctly-stored in the database (as verified by some
 +++other means), does the fetched-data display correctly in your web pages?

 Yes, data is displayed correctly in web-pages. Only problem is that with Tomcat 7
 Kazakh letters are not displayed correctly. But with Oracle Application Server
 all data including Kazakh letters are displayed correctly.

 +++If it's not displaying correctly, please tell us what the Content-Type
 +++HTTP response header is for the page (specifically, the character
 +++encoding).

 For Tomcat 7:   lang=ru-RU, content=Oracle UIX, charset=UTF-8 type=text/css
 inside of pages I can see that all user data is in UTF-8 - we need force Tomcat works
 in Windows-1251

 For Oracle AS:  lang=ru,content=Oracle UIX, charset=UTF-8 type=text/css
 inside of pages I can see that all user data is in Windows-1251 that is correct.

 I don't know from where servlet takes charset=UTF-8 as its web.xml sets Windows-1251
 as servlet default codepage. Looking through servlet source code there is not explicit
 HttpServletResponse.setContentType().  May be it comes from UIX configuration tables
 residing in database, I'll ask developers about it and let you know.

 +++Also, please tell us what the character encoding is for the
 +++/database connection/ to Oracle (the one made from your application to Oracle).
 Database has CL8MSWIN1251 as default codepage and character encoding for the database
 connection to Oracle is also CL8MSWIN1251.

 +++Finally, how are you connecting to Oracle? Are you using a
 +++Tomcat-configured DataSource or is your web application configuring
 +++things on its own?

 DataSource is not used. My web-application reads jdbc-connection string from web.xml:
 <init-param>
 <param-name>kz.ft.uix.app.driver</param-name>
 <param-value>jdbc:oracle:thin:@10.1.102.124:1526:fb</param-value>
 </init-param>


 +++I can see that when you attempt to use user.language=ru and
 +++user.country=kz, you get this error from Oracle's driver:

 +++ org.apache.catalina.core.ApplicationContext log MESSAGE =
 +++ ORA-00604: error occurred at recursive SQL level 1 ORA-12705:
 +++ invalid or unknown NLS parameter value specified , ERRORCODE = 604

 +++Can you give us the whole stack trace from that?

 First I generated list of all available locales based on java-code given here
 http://www.avajava.com/tutorials/lessons/how-do-i-display-all-available-locales.html;jsessionid=0F8CED6D22D750F6C83FD9477A3A874D
 see attached available locales list and one does not contain kz
 so driver cannot understand this incorrect setting. When set -Duser.language=ru
 -Duser.country=RU than no errors, all is ok, only Kazakh letters displayed
 incorrectly. Tomcat 7 and Oracle AS uses the same jdbc-driver ojdbc14.jar from
 Oracle AS.  Operation systems of hosts have the same configuration.

 Oracle AS works in Windows-1251, it sends user data from database to browser in
 Windows-1251. Tomcat 7 works in UTF-8 , it sends user data from database to browser in UTF-8,
 t's the root of the trouble.   How to make Tomcat 7 works in Windows-1251 ?

 Thank you,
 waiting for your answer,
 Timur


Hi, Timur-

To send a response using the Windows 1251 character set, the character
encoding of the response should be set somewhere.  Information about the
setContentType method of HttpServletResponse, which may be used to set
the character encoding of the response, may be found here:

http://docs.oracle.com/javaee/7/api/javax/servlet/ServletResponse.html

Information about the JSP page directive, which may also be used to set
the character encoding of the response, may be found in the JavaServer
Pages Specification.

As an aside, there doesn't appear to be a body element in your HTML.  It
won't solve your problem, but, for more information, see:

http://www.w3.org/TR/html401/struct/global.html

-Terence Bandoian





Possible Apache Tomcat workshop after ApacheCon 2014

2014-01-16 Thread Mark Thomas
Cross-posted to users and dev list. Please reply on the users list.

All,

There is the possibility of holding a Tomcat specific summit/workshop
after ApacheCon 2014 [1] (i.e. Thursday 10th). If there is interest, I
am happy to take the lead to organise this.

My current thinking is for a workshop that is organised along the lines
of a BarCamp [2] with a theme similar to that of the Tomcat users list
so each session is a discussion about an issue one or more users is having.

If space is available I'd like to follow this up on the Friday with a
hackathon where the primary focus is fixing any bugs identified on
Thursday and implementing any useful new features that were identified.

Before I approach the conference organisers, I'd like to know if there
is interest in this event and if folks are likely to attend. I'd expect
the BarCamp/Hackathon to be free but I don't know for sure at this
stage. Please reply to this thread if you would be interested in
attending such an event. Also, if you have ideas on how it might be
improved please reply with those too.

Thanks,

Mark


[1] http://events.linuxfoundation.org/events/apachecon-north-america
[2] http://en.wikipedia.org/wiki/BarCamp
