Re: Compiling mod_jk in CentOs release 6.5
/configure --with-apxs=/usr/lib64/httpd/modules

whenever I run above I keep getting this:

configure: error: You must specify a valid --with-apxs path

Any ideas why I am getting this error?

--with-apxs needs to be given the full path to the apxs program (in httpd-devel package). So, if it's in /usr/lib64/httpd/modules (which it shouldn't be), then you need to say:

$ ./configure --with-apxs=/usr/lib64/httpd/modules/apxs

On my Amazon Linux system (which is RHEL-compatible, which should obviously be fairly similar to CentOS), apxs is in /usr/sbin/apxs

PFB link which gives some shell script to compile mod_jk on CENTOS. I am not a shell script expert but what I found in this script is using below line (which includes path to apxs) to configure apxs:

http://www.cafe-encounter.net/p1086/build-mod_jk-for-centos

./configure --with-apxs=/usr/sbin/apxs

So why don't you try to use this path instead of /usr/lib64/httpd/modules/apxs

Thanks,
Shailesh

On Thu, May 1, 2014 at 8:29 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Fidelis,

On 5/1/14, 10:53 AM, Fidelis Mnyanyi wrote:

Hi everyone,

I am trying to setup apache http server to work with tomcat 7 through the jk connector (version 1.2.40-src). My server is CentOs release 6.5. I couldn't find the binary distribution of mod_jk for CentOs release 6.5 on the net. I am trying to compile it from source but I am getting this problem when trying to execute the following:

- unzip the source
- go to jk/native directory
- run ./configure --with-apxs=/usr/lib64/httpd/modules

whenever I run above I keep getting this:

configure: error: You must specify a valid --with-apxs path

Any ideas why I am getting this error?

--with-apxs needs to be given the full path to the apxs program (in httpd-devel package). So, if it's in /usr/lib64/httpd/modules (which it shouldn't be), then you need to say:

$ ./configure --with-apxs=/usr/lib64/httpd/modules/apxs

On my Amazon Linux system (which is RHEL-compatible, which should obviously be fairly similar to CentOS), apxs is in /usr/sbin/apxs

-chris
Re: Compiling mod_jk in CentOs release 6.5
PFB link which gives some shell script to compile mod_jk on CENTOS. I am not a shell script expert but what I found in this script is using below line (which includes path to apxs) to configure apxs:

http://www.cafe-encounter.net/p1086/build-mod_jk-for-centos

./configure --with-apxs=/usr/sbin/apxs

So why don't you try to use this path instead of /usr/lib64/httpd/modules/apxs

Also I have successfully compiled configured and installed it using the above path (/usr/sbin/apxs) for RHEL on Rackspace. I followed steps from below link

http://it.toolbox.com/blogs/lim/compiling-tomcat-connector-mod_jk-on-redhat-6805

thanks,
Shailesh.

On Sat, May 3, 2014 at 1:40 PM, J Java jforjava1...@gmail.com wrote:

/configure --with-apxs=/usr/lib64/httpd/modules

whenever I run above I keep getting this:

configure: error: You must specify a valid --with-apxs path

Any ideas why I am getting this error?

--with-apxs needs to be given the full path to the apxs program (in httpd-devel package). So, if it's in /usr/lib64/httpd/modules (which it shouldn't be), then you need to say:

$ ./configure --with-apxs=/usr/lib64/httpd/modules/apxs

On my Amazon Linux system (which is RHEL-compatible, which should obviously be fairly similar to CentOS), apxs is in /usr/sbin/apxs

PFB link which gives some shell script to compile mod_jk on CENTOS. I am not a shell script expert but what I found in this script is using below line (which includes path to apxs) to configure apxs:

http://www.cafe-encounter.net/p1086/build-mod_jk-for-centos

./configure --with-apxs=/usr/sbin/apxs

So why don't you try to use this path instead of /usr/lib64/httpd/modules/apxs

Thanks,
Shailesh

On Thu, May 1, 2014 at 8:29 PM, Christopher Schultz ch...@christopherschultz.net wrote:

Fidelis,

On 5/1/14, 10:53 AM, Fidelis Mnyanyi wrote:

Hi everyone,

I am trying to setup apache http server to work with tomcat 7 through the jk connector (version 1.2.40-src). My server is CentOs release 6.5. I couldn't find the binary distribution of mod_jk for CentOs release 6.5 on the net. I am trying to compile it from source but I am getting this problem when trying to execute the following:

- unzip the source
- go to jk/native directory
- run ./configure --with-apxs=/usr/lib64/httpd/modules

whenever I run above I keep getting this:

configure: error: You must specify a valid --with-apxs path

Any ideas why I am getting this error?

--with-apxs needs to be given the full path to the apxs program (in httpd-devel package). So, if it's in /usr/lib64/httpd/modules (which it shouldn't be), then you need to say:

$ ./configure --with-apxs=/usr/lib64/httpd/modules/apxs

On my Amazon Linux system (which is RHEL-compatible, which should obviously be fairly similar to CentOS), apxs is in /usr/sbin/apxs

-chris
RE: How to specify log rotation in Tomcat 6
Thanks Chris for your answer.

1) For the 1st point whether Tomcat starts giving problems if catalina.out becomes more than 2GB, I had an apprehension about it and hence my query.

2) For the 2nd point, I can try truncating tomcat on our UAT environment and see if there are any problems as it would be risky to try it on our production.

Regards

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, April 28, 2014 6:47 PM
To: Tomcat Users List
Subject: Re: How to specify log rotation in Tomcat 6

Randir,

On 4/28/14, 7:15 AM, Randhir Singh wrote:

Thanks a lot Chris for your answer. I would stick to this subject line among the others. I have some important questions based on this:

1) Does Tomcat start giving problems if catalina.out becomes more than 2 GB?

Are there any indications that there will be problems?

2) Can this catalina.out file be truncated on the running Tomcat or should the Tomcat be stopped, the catalina.out truncated and then the Tomcat is started.

Did you try it either way?

-chris
RE: How to specify log rotation in Tomcat 6
Thanks for your answer. I can try truncating Tomcat on our UAT environment and see if there are any issues.

Regards

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Monday, April 28, 2014 7:02 PM
To: Tomcat Users List
Subject: Re: How to specify log rotation in Tomcat 6

2014-04-28 15:15 GMT+04:00 Randhir Singh randhir.si...@sterlite.com:

Thanks a lot Chris for your answer. I would stick to this subject line among the others. I have some important questions based on this:

1) Does Tomcat start giving problems if catalina.out becomes more than 2 GB?

Tomcat - no. There were reports of the file growing up to 50 Gb and more on some systems. If it fills all available space on the hard drive, there may be problems coming from OS that are likely to affect Tomcat.

2) Can this catalina.out file be truncated on the running Tomcat or should the Tomcat be stopped, the catalina.out truncated and then the Tomcat is started.

It can be.
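
Emptying catalina.out in place and moving it aside behave differently under a running Tomcat; the following is an added example, not part of the thread, that shows both on a scratch file. It assumes the JVM's stdout was opened with `>>` (append mode), as the stock catalina.sh does; file descriptor 3 stands in for the running Tomcat and all paths are constructed temp files.

```shell
#!/bin/sh
# Constructed demo: fd 3, opened with >>, plays the role of the running
# Tomcat JVM's stdout (assumption: catalina.sh started it with
# `>> "$CATALINA_OUT" 2>&1`, so the descriptor is in append mode).

# The function body is a subshell, so fd 3 and the variables stay local.
demo_truncate_vs_move() (
    dir=$(mktemp -d) || exit 1
    log="$dir/catalina.out"

    exec 3>>"$log"                      # "Tomcat" keeps this open throughout
    printf '%s\n' "old line 1" "old line 2" "old line 3" >&3

    # Case 1: truncate in place. The inode is unchanged, and because the
    # descriptor is in append mode the next write lands at the new end of
    # file (offset 0). A descriptor opened with > instead would keep its old
    # offset and leave a sparse file of the old size.
    : > "$log"
    printf '%s\n' "after truncate" >&3
    size_after_truncate=$(wc -c < "$log")

    # Case 2: move the file away. The open descriptor follows the inode, so
    # new output goes to the renamed file and catalina.out is not recreated
    # until the process is restarted.
    mv "$log" "$log.1"
    printf '%s\n' "after move" >&3
    if [ -e "$log" ]; then recreated=yes; else recreated=no; fi
    moved_tail=$(tail -n 1 "$log.1")

    exec 3>&-
    rm -rf "$dir"
    echo "truncate_size=$((size_after_truncate)) recreated=$recreated moved_tail=$moved_tail"
)

demo_truncate_vs_move
```

The same reasoning is why log rotation tools offer a copy-then-truncate mode for files a process holds open and cannot be told to reopen.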
Re: regarding escaping of single quotes in attrbutes of html tags
The rules: http://tomcat.apache.org/lists.html#tomcat-users
6. Do not top-post
7. Do not use HTML e-mails

As you can see from the above, from HTML point of view there is no difference.

onclick=clicked('Hello')Hello</a>
</body>
</html>

I was wondering why the single quotes are now being escaped in html output.

Th

The change was intentional and is mentioned in changelog.

2) See 'Jasper' section of the changelog, starting with 7.0.43
http://tomcat.apache.org/bugreport.html#Changelog

I am sorry about top posting, and using HTML. I did read the changelog and this change is mentioned, but there was no explanation regarding why this change was required.

Currently we have Jmeter scripts that go through raw HTTP responses and check for the presence of certain strings. These scripts started to fail after we upgraded our tomcat, we have now modified our scripts to look for &#039; as well as single quotes.

I just wanted to know if there was a purpose for this change, I mean was anything broken because single quotes were not escaped?
RE: How to monitor performance of tomcat
Thanks a lot for your detailed reply.

The JAVA_OPTS variable in $CATALINA_HOME/bin/startup.sh has the value as:

JAVA_OPTS="$JAVA_OPTS -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399"

I checked for free space on the VM instance with Red Hat Linux as the OS on which the Tomcat is hosted with a total memory of 19 GB, I found that there is around 8 GB of free space in the server. As per your inputs, I am planning to increase the memory allocation for Heap size and PermGen size to almost double as below:

JAVA_OPTS="$JAVA_OPTS -Xms2048m -Xmx2048m -XX:MaxPermSize=512m -Dcwom.bl.ip=127.0.0.1 -Dcwom.bl.port=1399"

I hope, this should avoid the hang-up issues where Tomcat does not seem to respond. I plan to implement this in the UAT environment at first and see how it goes.

Regards

-Original Message-
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Sent: Monday, April 28, 2014 7:39 PM
To: 'Randhir Singh'
Subject: RE: How to monitor performance of tomcat

-Original Message-
From: Randhir Singh [mailto:randhir.si...@sterlite.com]
Sent: Monday, April 28, 2014 5:47 AM
To: Jeffrey Janner; Tomcat Users List
Subject: RE: How to monitor performance of tomcat

Thanks for your valuable inputs. I am a bit of a novice to this. When this problem happens, it is quite a loss of face in front of the users who are widely spread geographically. I checked the catalina.out logs on the 2 days that the problem happened on 23rd 25th April, the findings are as below:

23rd April '14: The catalina.out log showed the message like,

-----
Caused by: org.jboss.remoting.InvocationFailureException: Socket timed out. Waited 30 milliseconds for response while calling on InvokerLocator [socket://hostname of our machine:4173/?invokerDestructionDelay=5000timeout=30]; nested exception is: java.net.SocketTimeoutException: Read timed out
-----

3 times among other exceptions in a span of around 2 minutes.

25th April '14: The errors captured in the logs were like,

-----
java.lang.OutOfMemoryError: GC overhead limit exceeded

This error specifically means that the JVM is basically spending all of its time doing garbage collection and not really getting any significant amount of memory back for its efforts. The end user experiences this usually as a hung system. It might eventually come back or it might end up with a different, more severe, OOM error. There are lots of various causes for this: too small memory allocation; too much load; an activity generating a lot of objects, most of which persist for a long time; memory leaks; or a combination of the above.

How to address it?

a) Profile what parts of the app are being used when this occurs and have the dev team look at what could be causing the problem. There might be a better way to perform the action requested.

b) Increase the available memory (double it or more). This is only a band-aid and you may still have the problem, but less often. Have the dev team look for memory leaks.

c) Anyone else with ideas?

Jeff

-----

4 times among other exceptions in a span of around 2 minutes.

Requesting a reply on this.

Regards
Re: regarding escaping of single quotes in attrbutes of html tags
2014-05-03 16:26 GMT+04:00 Vimil Saju vimils...@yahoo.com:

The rules: http://tomcat.apache.org/lists.html#tomcat-users
6. Do not top-post
7. Do not use HTML e-mails

As you can see from the above, from HTML point of view there is no difference.

onclick=clicked('Hello')Hello</a>
</body>
</html>

I was wondering why the single quotes are now being escaped in html output.

Th

The change was intentional and is mentioned in changelog.

2) See 'Jasper' section of the changelog, starting with 7.0.43
http://tomcat.apache.org/bugreport.html#Changelog

I am sorry about top posting, and using HTML. I did read the changelog and this change is mentioned, but there was no explanation regarding why this change was required.

That boils down to what is written in JSP specification.

https://issues.apache.org/bugzilla/show_bug.cgi?id=55198#c5

Unfortunately fixing that issue was not as easy as it could be, with followup fixes going into 7.0.50, 52, 53 and in upcoming 54.

Currently we have Jmeter scripts that go through raw HTTP responses and check for the presence of certain strings. These scripts started to fail after we upgraded our tomcat, we have now modified our scripts to look for &#039; as well as single quotes.

I just wanted to know if there was a purpose for this change, I mean was anything broken because single quotes were not escaped?

Single quotes inside of double quotes are not really broken, but we are using a function that escapes all special chars (' ) regardless of context.

Best regards,
Konstantin Kolinko
Tomcat7 Client Certificate Authentication Using Datasource Ralm Fails
Hi,
Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
Hi,

In Tomcat7, we are trying to do client certificate authentication using datasource realm. But it fails. Please find the configuration below:

server.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.core.JasperListener"/>
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
      <!-- <GlobalNamingResources><Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/> </GlobalNamingResources> -->
      <Service name="Catalina">
        <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1" keyAlias="masfed_server_dit" keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" server="Server" sslProtocol="TLS" truststorefile="/opt/ADP/keystores/masfed_server_dit.jks" truststorepass="sso@di" enablelookups="false"/>
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
        <Engine defaultHost="localhost" name="Catalina">
          <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
          <!-- <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> -->
          <GlobalNamingResources>
            <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/FederationDS" userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD" userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99" allRolesMode="authOnly" />
          </GlobalNamingResources>
          <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
          </Host>
        </Engine>
      </Service>
    </Server>

security role configuration tomcat_base/conf/web.xml:

    <security-role>
      <role-name>masFedClient</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>masFedClient</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <!-- <realm-name>tomcat-users</realm-name> -->
      <realm-name>jdbc/FederationDS</realm-name>
    </login-config>

Database has all the required tables and columns. But authentication fails with the below mentioned error:

    FINE: Checking validity for '$'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
    FINE: Got user name from X509 certificate: $$
    May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FINE: Failed authenticate() test

For security purpose, I had made the certificate cn name as $$.

The error message does not tell why the authentication is failing. Do I need to enable additional logs. If so how to enable.

Request your help in fixing this issue. Any help would be highly appreciated.

Thanks
Dhaya
RE: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
Date: Sat, 3 May 2014 19:31:17 -0400
Subject: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
From: dhayamoorthi2...@gmail.com
To: users@tomcat.apache.org

Hi,

In Tomcat7, we are trying to do client certificate authentication using datasource realm. But it fails. Please find the configuration below:

server.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.core.JasperListener"/>
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
      <!-- <GlobalNamingResources><Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/> </GlobalNamingResources> -->
      <Service name="Catalina">
        <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1" keyAlias="masfed_server_dit" keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" server="Server" sslProtocol="TLS" truststorefile="/opt/ADP/keystores/masfed_server_dit.jks" truststorepass="sso@di" enablelookups="false"/>
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
        <Engine defaultHost="localhost" name="Catalina">
          <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
          <!-- <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> -->
          <GlobalNamingResources>
            <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/FederationDS" userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD" userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99" allRolesMode="authOnly" />
          </GlobalNamingResources>
          <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log." suffix=".txt"/>
          </Host>
        </Engine>
      </Service>
    </Server>

security role configuration tomcat_base/conf/web.xml:

    <security-role>
      <role-name>masFedClient</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>masFedClient</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <!-- <realm-name>tomcat-users</realm-name> -->
      <realm-name>jdbc/FederationDS</realm-name>
    </login-config>

Database has all the required tables and columns. But authentication fails with the below mentioned error:

    FINE: Checking validity for '$'

MG>this is an insane value..change it to something meaningful using [A-Z][O-9] characters
MG>besides which your user_name length is WAY beyond the 15 byte allocation for the table

    create table T_USER (
      user_name varchar(15) not null primary key,
      user_pass varchar(15) not null
    );

MG>

    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
    FINE: Got user name from X509 certificate: $$
    May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FINE: Failed authenticate() test

For security purpose, I had made the certificate cn name as $$.

MG>cn is ROLE not the user_name
MG>https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

The error message does not tell why the authentication is failing.

MG>yes it does ..it cannot authenticate $$

Do I need to enable additional
Re: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
Hi,

Please find the meaningful log again.

    FINE: Authenticating client certificate chain
    May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=ssodemo01.es.ad.adp.com, OU=DataExchange, ADP Technologies, O=Automatic Data Processing, Inc, STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'
    May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
    FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
    May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase getPrincipal
    FINE: Got user name from X509 certificate: CN=ssodemo01.es.ad.adp.com, OU=DataExchange, ADP Technologies, O=Automatic Data Processing, Inc, STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
    May 03, 2014 8:11:00 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FINE: Failed authenticate() test

Desc T_User

    Name        Null     Type
    ----------- -------- ----------
    USERNAME    NOT NULL CHAR(1000)
    PASSWORD             CHAR(24)
    DESCRIPTION          CHAR(500)

Desc T_Roles

    Name        Null     Type
    ----------- -------- ----------
    ROLENAME    NOT NULL CHAR(100)
    DESCRIPTION          CHAR(250)

Desc T_User_Roles

    Name        Null     Type
    ----------- -------- ----------
    USERNAME             CHAR(1000)
    ROLENAME    NOT NULL CHAR(100)

Appreciate your help and support.

Thanks
Dhaya

On Sat, May 3, 2014 at 8:37 PM, Martin Gainty mgai...@hotmail.com wrote:

Date: Sat, 3 May 2014 19:31:17 -0400
Subject: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
From: dhayamoorthi2...@gmail.com
To: users@tomcat.apache.org

Hi,

In Tomcat7, we are trying to do client certificate authentication using datasource realm. But it fails. Please find the configuration below:

server.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.core.JasperListener"/>
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
      <!-- <GlobalNamingResources><Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/> </GlobalNamingResources> -->
      <Service name="Catalina">
        <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1" keyAlias="masfed_server_dit" keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" server="Server" sslProtocol="TLS" truststorefile="/opt/ADP/keystores/masfed_server_dit.jks" truststorepass="sso@di" enablelookups="false"/>
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
        <Engine defaultHost="localhost" name="Catalina">
          <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
          <!-- <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> -->
          <GlobalNamingResources>
            <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/FederationDS" userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD" userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99" allRolesMode="authOnly" />
          </GlobalNamingResources>
          <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t %r %s %b" prefix="localhost_access_log." suffix=".txt"/>
          </Host>
        </Engine>
      </Service>
    </Server>

security role configuration tomcat_base/conf/web.xml:

    <security-role>
      <role-name>masFedClient</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all</web-resource-name>
Re: BLOCKED threads
Chris,

Thanks for the reply. Sorry for not being very clear. Actually, those two threads are holding the locks that caused other threads to be blocked. Here is one of the threads that was blocked because of the lock on StandardClassLoader. There are around 47 threads in BLOCKED state waiting on the same lock.

http-bio-28080-exec-548 daemon prio=10 tid=0x7fcbac06 nid=0x76e0 waiting for monitor entry [0x7fcc012ef000]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:405)
    - waiting to lock 0x000700810fc8 (a org.apache.catalina.loader.StandardClassLoader)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at com.singularity.ee.agent.util.be.a(be.java:19)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.jdbc.hb.f(hb.java:311)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.jdbc.hb.c(hb.java:260)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.jdbc.hb.b(hb.java:144)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.jdbc.c.a(c.java:76)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.common.e.a(e.java:488)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.common.e.a(e.java:441)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.common.e.a(e.java:375)
    at com.singularity.ee.agent.appagent.services.transactionmonitor.jdbc.c.a(c.java:32)
    at com.singularity.ee.agent.appagent.services.bciengine.a.onMethodEnd(a.java:62)
    at com.singularity.ee.agent.appagent.entrypoint.bciengine.FastMethodInterceptorDelegator.safeOnMethodEndNoReentrantCheck(FastMethodInterceptorDelegator.java:408)
    at com.singularity.ee.agent.appagent.entrypoint.bciengine.FastMethodInterceptorDelegator.safeOnMethodEnd(FastMethodInterceptorDelegator.java:350)
    at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeQuery(OraclePreparedStatementWrapper.java:1491)
    at org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
    at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)
    at org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81)
    at com.sun.proxy.$Proxy397.executeQuery(Unknown Source)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:2031)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1832)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1811)
    at org.hibernate.loader.Loader.doQuery(Loader.java:899)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:341)
    at org.hibernate.loader.Loader.doList(Loader.java:2516)
    at org.hibernate.loader.Loader.doList(Loader.java:2502)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2332)
    at org.hibernate.loader.Loader.list(Loader.java:2327)
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:490)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:355)
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:195)
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1247)
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:101)

On 5/2/14, 9:19 PM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rallavagu,

On 5/2/14, 6:22 PM, Rallavagu wrote:

Tomcat Version: 7.0.47
JVM Version: 1.7.0_51-b13

I see many blocked threads (90) in the thread dump. There are mainly two monitors that block 69 threads. One of them is below. It appears that it is simply trying to log.

--
http-bio-28080-exec-396 daemon prio=10 tid=0x7fcbc814f000 nid=0x5804 runnable [0x7fcc2144d000]
   java.lang.Thread.State: RUNNABLE
    at java.lang.Throwable.getStackTraceElement(Native Method)

This thread is not blocked. What makes you think it is?

    at java.lang.Throwable.getOurStackTrace(Throwable.java:827)
    - locked 0x0007e1886340 (a java.util.NoSuchElementException)
    at java.lang.Throwable.printStackTrace(Throwable.java:656)
    - locked 0x0007e207a5a8 (a java.io.PrintWriter)
    at java.lang.Throwable.printStackTrace(Throwable.java:721)
    at
Re: BLOCKED threads
Here is the thread BLOCKED waiting on another lock.

http-bio-28080-exec-613 daemon prio=10 tid=0x7fcbac0e0800 nid=0x7897 waiting for monitor entry [0x7fcb915d3000]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at java.util.logging.StreamHandler.publish(StreamHandler.java:191)
    - waiting to lock 0x0007008187b0 (a java.util.logging.ConsoleHandler)
    at java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:105)
    at java.util.logging.Logger.log(Logger.java:610)
    at java.util.logging.Logger.doLog(Logger.java:631)
    at java.util.logging.Logger.logp(Logger.java:831)
    at org.apache.juli.logging.DirectJDKLog.log(DirectJDKLog.java:185)
    at org.apache.juli.logging.DirectJDKLog.error(DirectJDKLog.java:151)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    - locked 0x0007e1b0f808 (a org.apache.tomcat.util.net.SocketWrapper)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)

   Locked ownable synchronizers:
    - 0x0007e1b0f8d0 (a java.util.concurrent.ThreadPoolExecutor$Worker)

On 5/2/14, 9:19 PM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rallavagu,

On 5/2/14, 6:22 PM, Rallavagu wrote:

Tomcat Version: 7.0.47
JVM Version: 1.7.0_51-b13

I see many blocked threads (90) in the thread dump. There are mainly two monitors that block 69 threads. One of them is below. It appears that it is simply trying to log.

--
http-bio-28080-exec-396 daemon prio=10 tid=0x7fcbc814f000 nid=0x5804 runnable [0x7fcc2144d000]
   java.lang.Thread.State: RUNNABLE
    at java.lang.Throwable.getStackTraceElement(Native Method)

This thread is not blocked. What makes you think it is?

    at java.lang.Throwable.getOurStackTrace(Throwable.java:827)
    - locked 0x0007e1886340 (a java.util.NoSuchElementException)
    at java.lang.Throwable.printStackTrace(Throwable.java:656)
    - locked 0x0007e207a5a8 (a java.io.PrintWriter)
    at java.lang.Throwable.printStackTrace(Throwable.java:721)
    at java.util.logging.SimpleFormatter.format(SimpleFormatter.java:157)
    - locked 0x0007008187e8 (a java.util.logging.SimpleFormatter)
    at java.util.logging.StreamHandler.publish(StreamHandler.java:196)
    - locked 0x0007008187b0 (a java.util.logging.ConsoleHandler)
    at java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:105)
    at java.util.logging.Logger.log(Logger.java:610)
    at java.util.logging.Logger.doLog(Logger.java:631)
    at java.util.logging.Logger.logp(Logger.java:831)
    at org.apache.juli.logging.DirectJDKLog.log(DirectJDKLog.java:185)
    at org.apache.juli.logging.DirectJDKLog.error(DirectJDKLog.java:151)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    - locked 0x0007e0ba5dd8 (a org.apache.tomcat.util.net.SocketWrapper)
    at
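
The correlation made by hand in the two messages above (many threads waiting to lock a monitor that a single other thread has locked) can be scripted over a full dump. The following Python is an added example, not part of the original messages; the sample dump is constructed from the thread names, addresses and classes quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample in jstack layout, modelled on the traces quoted in this thread.
SAMPLE = '''
"http-bio-28080-exec-396" daemon prio=10 tid=0x1 nid=0x5804 runnable [0x1]
   java.lang.Thread.State: RUNNABLE
    - locked <0x0007008187b0> (a java.util.logging.ConsoleHandler)
"http-bio-28080-exec-613" daemon prio=10 tid=0x2 nid=0x7897 waiting for monitor entry [0x2]
   java.lang.Thread.State: BLOCKED (on object monitor)
    - waiting to lock <0x0007008187b0> (a java.util.logging.ConsoleHandler)
"http-bio-28080-exec-614" daemon prio=10 tid=0x3 nid=0x7898 waiting for monitor entry [0x3]
   java.lang.Thread.State: BLOCKED (on object monitor)
    - waiting to lock <0x0007008187b0> (a java.util.logging.ConsoleHandler)
"http-bio-28080-exec-548" daemon prio=10 tid=0x4 nid=0x76e0 waiting for monitor entry [0x4]
   java.lang.Thread.State: BLOCKED (on object monitor)
    - waiting to lock <0x000700810fc8> (a org.apache.catalina.loader.StandardClassLoader)
'''

# Quotes and angle brackets are optional so archive-stripped dumps also parse.
HEADER = re.compile(r'^"?(.+?)"? (?:daemon )?prio=\d+ ')
STATE = re.compile(r'java\.lang\.Thread\.State: (\w+)')
LOCK = re.compile(r'- (locked|waiting to lock|waiting on) <?(0x[0-9a-fA-F]+)>? \(a ([\w.$]+)\)')

def parse_threads(dump):
    """Return one dict per thread: name, state, monitors held, monitor wanted."""
    threads = []
    for line in map(str.strip, dump.splitlines()):
        if m := HEADER.match(line):
            threads.append(dict(name=m.group(1), state=None, holds=set(), freed=set(), wants=None))
        elif threads:
            t = threads[-1]
            if m := STATE.search(line):
                t["state"] = m.group(1)
            for kind, addr, cls in LOCK.findall(line):
                if kind == "waiting to lock":
                    t["wants"] = (addr, cls)
                elif kind == "waiting on":   # Object.wait() released this monitor
                    t["freed"].add(addr)
                elif addr not in t["freed"]:
                    t["holds"].add(addr)
    return threads

def contention_report(dump):
    """Group BLOCKED waiters by monitor and name the owning thread, busiest lock first."""
    threads = parse_threads(dump)
    owner = {a: t for t in threads for a in t["holds"]}
    waiters = {}
    for t in threads:
        if t["wants"]:
            waiters.setdefault(t["wants"], []).append(t["name"])
    rows = [dict(lock=a, cls=c, waiters=sorted(n), owner=owner.get(a, {}).get("name"),
                 owner_state=owner.get(a, {}).get("state")) for (a, c), n in waiters.items()]
    return sorted(rows, key=lambda r: -len(r["waiters"]))
```

An owner of None means the thread holding that monitor is not in the parsed text, as with a dump excerpt that was cut short.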