Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Sverre Moe
When using JSSE it seems the cipher order is predetermined.
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

"cipher suites supported by SunJSSE in preference order and the release in
which they were introduced."


2014-05-24 1:15 GMT+02:00 Igor Cicimov :

> On 24/05/2014 1:15 AM, "Sverre Moe"  wrote:
> >
> > NIO does support them according to the java documentation.
>
> I was referring to cipher order and the Tomcat 7 connector documentation, where
> only the apr connector supports the option SSLHonorCipherOrder
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>
> These ciphers
> > have been implemented in the JSSE provider.
> > I have no problem making a connection to Tomcat via a Java program using a
> > HttpsConnection and am getting the highest cipher
> > (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).
> >
> >
> > 2014-05-23 10:00 GMT+02:00 Igor Cicimov :
> >
> > > On 23/05/2014 5:43 PM, "Sverre Moe"  wrote:
> > > >
> > > > I am using the following ciphers in Tomcat:
> > > >
> > >
> > >
>
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
> > > >
> > > > Somehow Chromium uses the last in that list. That is
> > > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> > > > Though it should support all these ciphers. Is there an ordering I could
> > > > set so that it picks the first one?
> > >
> > > I think that's supported in APR only but not in BIO/NIO. But double-check
> > > that in the Connector docs please.
> > >
>
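On the JSSE connectors (BIO and NIO) with Java 7 the server walks the client's cipher list and takes the first suite that is also enabled on the server, so the `ciphers` attribute only decides which suites are allowed and the client's order decides which of them wins; Java 8 added `SSLParameters.setUseCipherSuitesOrder`, which later Tomcat 7 and 8 releases expose as the `useServerCipherSuitesOrder` connector attribute. A second thing to check is spelling: a name in `ciphers` that the provider does not recognise is dropped rather than reported as a handshake error, and two names in the first connector configuration quoted in this thread, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, are not registered suite names (the ECDHE AES-256-CBC suites end in SHA384). The script below is an added example, not code from this thread, from Tomcat or from JSSE. It builds a ClientHello from a constructed client preference list (not any real browser's order), parses the cipher_suites vector back out of the record, validates a Tomcat-style `ciphers` string against a hand-written table of IANA suite names that stands in for the JVM's supported list (the server string deliberately carries the same two bad names), and then runs the selection both ways.

```python
"""Pull the cipher_suites vector out of a TLS 1.2 ClientHello and show which
suite a server ends up with under client-order vs server-order selection.
Added example (not Tomcat or JSSE code); all inputs below are constructed."""
import struct

# IANA code points for the suites discussed in the thread, plus two weak
# RSA-only suites so the server's list is visibly acting as a filter.
SUITES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
NAME_TO_CODE = {name: code for code, name in SUITES.items()}


def build_client_hello(suite_codes, client_random=b"\x11" * 32):
    """Minimal TLS 1.2 ClientHello record (no extensions) offering
    suite_codes in that order. Constructed stand-in for a real client."""
    body = b"\x03\x03" + client_random                  # client_version, random
    body += b"\x00"                                     # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in suite_codes)
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites vector
    body += b"\x01\x00"                                 # compression_methods: null
    body += b"\x00\x00"                                 # empty extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Offered cipher suite codes, in the client's preference order."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # skip session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def validate_ciphers_attr(ciphers_attr, supported=NAME_TO_CODE):
    """Split a Tomcat-style ciphers="a,b,c" value into names the provider
    knows and names it would drop without failing the handshake."""
    names = [n.strip() for n in ciphers_attr.split(",") if n.strip()]
    return ([n for n in names if n in supported],
            [n for n in names if n not in supported])


def negotiate(client_codes, server_names, honor_server_order):
    """Server-side selection: first entry of the preferred list that the
    other side also has. JSSE on Java 7 walks the client's list."""
    server_codes = [NAME_TO_CODE[n] for n in server_names]
    preferred, other = ((server_codes, client_codes) if honor_server_order
                        else (client_codes, server_codes))
    return next((SUITES[c] for c in preferred if c in other), None)


# Constructed client preference: SHA-1 CBC suites first, then RC4, and only
# then the GCM/SHA-256 suites. Not any real browser's list.
CLIENT_PREFERENCE = [0xC013, 0xC014, 0x002F, 0x0005, 0xC02F, 0xC027]
# Server list in the style of the thread's ciphers="..." attribute; the last
# two names are deliberately unregistered to show the validation step.
SERVER_CIPHERS = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,"
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256")


def demo():
    offered = parse_client_hello_suites(build_client_hello(CLIENT_PREFERENCE))
    known, unknown = validate_ciphers_attr(SERVER_CIPHERS)
    return {
        "offered": [SUITES[c] for c in offered],
        "unknown_server_names": unknown,
        "client_order_pick": negotiate(offered, known, honor_server_order=False),
        "server_order_pick": negotiate(offered, known, honor_server_order=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the same client and server lists give the weakest allowed suite under client order and the first configured suite under server order; RC4 is chosen in neither case because the server list filters it out, which is exactly the difference between a `ciphers` list that restricts and one that ranks.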


Re: Tomcat is down or refused connection

2014-05-23 Thread Mark Eggers

On 5/23/2014 5:34 PM, Terence M. Bandoian wrote:

On 5/23/2014 1:22 AM, Ballarpure, Akshay (EXT-Tata Consultancy Ser -
IN/Hyderabad) wrote:



Hello,
Soap request is failing with below message in our application.

2014/05/20 06:48:43 [ERROR]   (browse_csl)   failed to
reach startSearch service, soapRC 502
2014/05/20 06:48:43 [ERROR]   (soap)Error 502
fault: SOAP-ENV:Server [no subcode]

I am seeing below messages in Apache's Mod JK log file.

[Tue May 20 06:48:43 2014] [57070:140373099702016] [error]
ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or
refused connection. No response has been sent to the client (yet)
[Tue May 20 06:48:43 2014] [56884:140373020112640] [error]
ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat
failed.

Could you please check and let me know the reason for the above ?

Thanks,
Akshay



Sounds like Tomcat is down.

-Terence Bandoian


Sounds like your application is broken, or Tomcat is down, or someone 
unplugged a network cable, or someone changed firewall rules, or . . .


Seriously, you have given us no information.

And by no, I mean all of this is missing:

1. architecture
   a. Apache HTTPD (I'm guessing yes)
   b. mod_jk versus mod_proxy_ajp
   c. intervening firewalls
   d. number of Tomcats being supported
   e. load balancing or not
   f. using Tomcat native or not
2. versions - of anything
   a. Apache HTTPD (or whatever else you're using here)
   b. Tomcat version - exact, please
   c. Java version - exact, please
   d. OS and version - exact please
3. Tomcat settings - primarily JVM settings
4. Configurations
   a. server.xml
   b. workers.properties - if that's what you're using
   c. Apache HTTPD configuration - if that's what you're using
5. Log files - more than what you've provided
   a. catalina logs (Tomcat logs around the time of the event)
   b. application logs (around the time of the event)
6. What is this application supposed to be doing??

There is more, but this is a good start.

A 502 normally means that servers can't talk to each other. This could 
mean that Tomcat is down, it could mean that an intervening firewall has 
dropped connections, it could mean many, many things.


Don't know without lots more information.

. . . . it's Friday, welcome to more than my 2 cents
/mde/

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat is down or refused connection

2014-05-23 Thread Terence M. Bandoian
On 5/23/2014 1:22 AM, Ballarpure, Akshay (EXT-Tata Consultancy Ser - 
IN/Hyderabad) wrote:



Hello,
Soap request is failing with below message in our application.

2014/05/20 06:48:43 [ERROR]   (browse_csl)   failed to reach 
startSearch service, soapRC 502
2014/05/20 06:48:43 [ERROR]   (soap)Error 502 fault: 
SOAP-ENV:Server [no subcode]

I am seeing below messages in Apache's Mod JK log file.

[Tue May 20 06:48:43 2014] [57070:140373099702016] [error] 
ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused 
connection. No response has been sent to the client (yet)
[Tue May 20 06:48:43 2014] [56884:140373020112640] [error] 
ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.

Could you please check and let me know the reason for the above ?

Thanks,
Akshay



Sounds like Tomcat is down.

-Terence Bandoian




Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Igor Cicimov
On 24/05/2014 1:15 AM, "Sverre Moe"  wrote:
>
> NIO does support them according to the java documentation.

I was referring to cipher order and the Tomcat 7 connector documentation, where
only the apr connector supports the option SSLHonorCipherOrder

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

These ciphers
> have been implemented in the JSSE provider.
> I have no problem making a connection to Tomcat via a Java program using a
> HttpsConnection and am getting the highest cipher
> (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).
>
>
> 2014-05-23 10:00 GMT+02:00 Igor Cicimov :
>
> > On 23/05/2014 5:43 PM, "Sverre Moe"  wrote:
> > >
> > > I am using the following ciphers in Tomcat:
> > >
> >
> >
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
> > >
> > > Somehow Chromium uses the last in that list. That is
> > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> > > Though it should support all these ciphers. Is there an ordering I could
> > > set so that it picks the first one?
> >
> > I think that's supported in APR only but not in BIO/NIO. But double-check
> > that in the Connector docs please.
> >


Re: Java Wrapper Service -Linux

2014-05-23 Thread Mark Eggers

On 5/23/2014 6:05 AM, vicky wrote:

Guys,

Can someone please share the steps needed to configure the Java wrapper service 
for Tomcat.

I'm using Tomcat 7 with JDK 1.7 on a Linux machine

I have added the wrapper.conf under "/conf " directory & wrapper script under 
"/bin".

While executing the "./wrapper -c ../conf/wrapper.conf" command, I'm getting 
the below error:

please guide me through as I couldn't find the steps over web.

+++=
wrapper  | --> Wrapper Started as Console
wrapper  | Java Service Wrapper Community Edition 64-bit 3.5.11
wrapper  |   Copyright (C) 1999-2011 Tanuki Software, Ltd. All Rights Reserved.
wrapper  | http://wrapper.tanukisoftware.com
wrapper  |
wrapper  | Launching a JVM...
jvm 1| Wrapper (Version 3.2.0) http://wrapper.tanukisoftware.org
jvm 1|
jvm 1| WARNING - The Wrapper jar file currently in use is version "3.2.0"
jvm 1|   while the version of the Wrapper which launched this JVM is
jvm 1|   "3.5.11".
jvm 1|   The Wrapper may appear to work correctly but some features 
may
jvm 1|   not function correctly.  This configuration has not been 
tested
jvm 1|   and is not supported.
jvm 1|
jvm 1| WrapperSimpleApp: Unable to locate the class : 
java.lang.ClassNotFoundException: 
jvm 1|
jvm 1| WrapperSimpleApp Usage:
jvm 1|   java org.tanukisoftware.wrapper.WrapperSimpleApp {app_class} 
[app_parameters]
jvm 1|
jvm 1| Where:
jvm 1|   app_class:  The fully qualified class name of the application 
to run.
jvm 1|   app_parameters: The parameters that would normally be passed to the
jvm 1|   application.
jvm 1| Wrapper code received an unknown packet type: -122
wrapper  | <-- Wrapper Stopped


+++


Vicky,

This question is for a third party Java services wrapper. Some people 
use scripts, and others use commons-daemon, which is an ASF product and 
comes with the original Tomcat distributions.


Instructions for using commons-daemon are found here:

http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

That being said, a quick Google search led to this:

http://wrapper.tanukisoftware.com/doc/english/integrate-start-stop-nix.html

Although it details Tomcat 4.x (yikes!), it should be easy enough to 
modify those instructions to start and stop Tomcat 6, 7, or 8.


The modifications are left as an exercise for the reader.

. . . . just my two cents.
/mde/




Re: AJP protocol with Apache Tomcat Version 7.0.52

2014-05-23 Thread Mark Thomas
On 23/05/2014 19:26, pradeepgm wrote:
>> You have a blocking AJP connector (BIO) with maxThreads of 250.
>> Therefore that connector can support a maximum of 250 connections. You
>> have httpd with MaxClients 1536 and - since AJP uses persistent
>> connections - you have httpd trying to create up to 1536 persistent
>> connections. The first 250 attempts will be fine. Attempt 251 are going
>> to fail. 
> 
> As I mentioned above this is our staging environment. We have 2 apache httpd
> servers serving 8-10 tomcat applications. This is running fine for past 3-4
> years with  Tomcat 6. We have upgraded one of those 10 applications into
> Tomcat 7 and now we are facing this Tomcat hung state on that 7.x instance.
> 
> At a high level is there any direct relationship between maxThread from
> Tomcat with  ServerLimit and MaxClients from httpd.  
> 
> Assume that we configure 250 maxThread for all those 10 Tomcat instances,
> what will be the ideal value for ServerLimit and MaxClients? Is it like 250
> X 10?

Go read the documents you have already been told to read rather than
expecting us to spoonfeed you the answer. If you want that kind of
support you have to pay for it. Here you are expected to do some of the
leg work yourself (in the hope that you might a) learn something b) be
better able to help yourself next time and c) be in a position to guide
others to a similar state of enlightenment in the future).

Mark





Re: AJP protocol with Apache Tomcat Version 7.0.52

2014-05-23 Thread pradeepgm
> You have a blocking AJP connector (BIO) with maxThreads of 250.
> Therefore that connector can support a maximum of 250 connections. You
> have httpd with MaxClients 1536 and - since AJP uses persistent
> connections - you have httpd trying to create up to 1536 persistent
> connections. The first 250 attempts will be fine. Attempt 251 are going
> to fail. 

As I mentioned above this is our staging environment. We have 2 apache httpd
servers serving 8-10 tomcat applications. This is running fine for past 3-4
years with  Tomcat 6. We have upgraded one of those 10 applications into
Tomcat 7 and now we are facing this Tomcat hung state on that 7.x instance.

At a high level is there any direct relationship between maxThread from
Tomcat with  ServerLimit and MaxClients from httpd.  

Assume that we configure 250 maxThread for all those 10 Tomcat instances,
what will be the ideal value for ServerLimit and MaxClients? Is it like 250
X 10?

Pradeep GM



--
View this message in context: 
http://tomcat.10.x6.nabble.com/AJP-protocol-with-Apache-Tomcat-Version-7-0-52-tp5017650p5017855.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: AJP protocol with Apache Tomcat Version 7.0.52

2014-05-23 Thread Mark Thomas
On 23/05/2014 17:59, Mark Eggers wrote:
> In general, it's not a good idea to reference a zip file. Post
> information inline without comments, and with sensitive information
> obscured (not removed - since that can alter the configuration meaning).

+1

Thanks for doing this.



> address="10.181.42.52"
>redirectPort="443"
>enableLookups="false"
>protocol="AJP/1.3"
>URIEncoding="UTF-8"
>tomcatAuthentication="false"
>maxPostSize="0"
>bufferSize="4096"
>maxThreads="250"
>scheme="https"
>proxyPort="443"
>proxyName="test.community..com"
>secure="true"
>maxConnections="245"/>



> In httpd.conf, you have:
> 
> ServerLimit  1536
> MaxClients   1536
> 
> This seems to be a bit excessive.

That is an understatement.

As suspected from the description of the issue the root cause is poor
configuration.

You have a blocking AJP connector (BIO) with maxThreads of 250.
Therefore that connector can support a maximum of 250 connections. You
have httpd with MaxClients 1536 and - since AJP uses persistent
connections - you have httpd trying to create up to 1536 persistent
connections. The first 250 attempts will be fine. Attempt 251 are going
to fail.

The correct fix is to disable connection reuse or switch to the NIO AJP
connector which does not have the 1 thread per connection limitation.

You need to read these:
http://people.apache.org/~markt/presentations/2012-10-Apache-Tomcat-Reverse-proxies.pdf
http://people.apache.org/~markt/presentations/2012-10-Apache-Tomcat-Reverse-proxies-notes-rjung.txt

Mark
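The arithmetic above (a blocking connector's maxThreads against httpd's MaxClients, multiplied by persistent connections that mod_jk never closes while connection_pool_timeout is 0) is worth scripting before a hung Tomcat forces the question. The following is an added example, not Tomcat or mod_jk code, that runs the check over trimmed copies of the workers.properties and httpd.conf posted in this thread and over the posted connector attributes. It assumes the prefork MPM, where every httpd child keeps one pooled AJP connection per worker, so the demand per Tomcat is MaxClients per httpd server; it also assumes the limits as documented for Tomcat 7, namely that the blocking AJP connector is bounded by both maxThreads and maxConnections while the NIO connector (`org.apache.coyote.ajp.AjpNioProtocol`) is bounded by maxConnections alone, default 10000.

```python
"""Budget check for persistent AJP connections: how many a mod_jk front end
can keep open against one Tomcat connector versus how many that connector
can hold. Added example, not Tomcat or mod_jk code. The inputs are trimmed,
constructed copies of the configuration posted in this thread."""
import re

WORKERS_PROPERTIES = """
worker.list=jkstatus,externalLB
worker.externalstg1.port=9011
worker.externalstg1.host=10.181.42.51
worker.externalstg1.type=ajp13
worker.externalstg1.connection_pool_timeout=0
worker.externalstg2.port=9011
worker.externalstg2.host=10.181.42.52
worker.externalstg2.type=ajp13
worker.externalstg2.connection_pool_timeout=0
worker.externalLB.type=lb
worker.externalLB.balance_workers=externalstg1,externalstg2
worker.jkstatus.type=status
"""

HTTPD_CONF = """
StartServers 8
ServerLimit  1536
MaxClients   1536
"""

# The posted AJP connector, reduced to the attributes that matter here.
BIO_CONNECTOR = {"protocol": "AJP/1.3", "maxThreads": 250, "maxConnections": 245}
NIO_CONNECTOR = dict(BIO_CONNECTOR, protocol="org.apache.coyote.ajp.AjpNioProtocol")


def parse_workers(text):
    """ajp13 workers from a workers.properties body: name -> host/port/pool_timeout."""
    props = dict(re.findall(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$", text, re.M))
    workers = {}
    for key, value in props.items():
        m = re.fullmatch(r"worker\.([^.]+)\.type", key)
        if m and value == "ajp13":
            name = m.group(1)
            workers[name] = {
                "host": props.get(f"worker.{name}.host", "localhost"),
                "port": int(props.get(f"worker.{name}.port", 8009)),
                "pool_timeout": int(props.get(f"worker.{name}.connection_pool_timeout", 0)),
            }
    return workers


def parse_max_clients(text):
    m = re.search(r"^\s*MaxClients\s+(\d+)", text, re.M)
    if not m:
        raise ValueError("MaxClients not found")
    return int(m.group(1))


def connector_capacity(conn):
    """Open connections one connector can hold. Assumption taken from the
    Tomcat 7 AJP docs: the blocking connector (AJP/1.3 or AjpProtocol) needs
    a thread per connection, so it is bounded by both maxThreads and
    maxConnections; the NIO connector is bounded by maxConnections alone."""
    if conn["protocol"] in ("AJP/1.3", "org.apache.coyote.ajp.AjpProtocol"):
        return min(conn["maxThreads"], conn.get("maxConnections", conn["maxThreads"]))
    return conn.get("maxConnections", 10000)


def audit(workers_text, httpd_text, conn, httpd_servers=1):
    """Per ajp13 worker, compare the persistent connections the front ends
    can open with what the connector accepts. Assumes the prefork MPM, where
    every httpd child keeps one pooled AJP connection per worker, so demand
    is MaxClients per httpd; a pool_timeout of 0 means idle ones never close."""
    demand = parse_max_clients(httpd_text) * httpd_servers
    capacity = connector_capacity(conn)
    return [
        {
            "worker": name,
            "endpoint": f"{w['host']}:{w['port']}",
            "max_persistent_connections": demand,
            "connector_capacity": capacity,
            "overcommitted": demand > capacity,
            "idle_connections_never_closed": w["pool_timeout"] == 0,
        }
        for name, w in parse_workers(workers_text).items()
    ]


def demo():
    """Two httpd servers (as in the thread) in front of the posted connector:
    as BIO, as NIO with the same maxConnections, and as NIO sized above demand."""
    return {
        "bio": audit(WORKERS_PROPERTIES, HTTPD_CONF, BIO_CONNECTOR, httpd_servers=2),
        "nio_same_limits": audit(WORKERS_PROPERTIES, HTTPD_CONF, NIO_CONNECTOR, httpd_servers=2),
        "nio_sized": audit(WORKERS_PROPERTIES, HTTPD_CONF,
                           dict(NIO_CONNECTOR, maxConnections=4000), httpd_servers=2),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        for finding in findings:
            print(scenario, finding)
```

With two httpd servers at MaxClients 1536 the demand per Tomcat is 3072 persistent connections against a capacity of 245, and switching the connector to NIO while keeping maxConnections="245" (one of the test configurations mentioned in this thread) leaves it just as overcommitted; only raising maxConnections above the demand, disabling reuse, or giving the pool a timeout changes the result.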




Re: AJP protocol with Apache Tomcat Version 7.0.52

2014-05-23 Thread Mark Eggers

On 5/23/2014 8:09 AM, pradeepgm wrote:

Attached all files here.  Just masked the customer domain.
conf-files.zip


Please note that we have multiple tomcat instances supported by one
common apache httpd server. I just added the one (Tomcat 7) which is
having this issue (server hung). All remaining Tomcats are running
on Tomcat 6.

Pradeep GM


Pradeep,

In general, it's not a good idea to reference a zip file. Post 
information inline without comments, and with sensitive information 
obscured (not removed - since that can alter the configuration meaning).


I'm posting the relevant portions of the configuration inline, since I 
don't think it's fair for future readers to have to find zip files and 
unzip them.


#
# workers.properties - in toto
#
worker.list=jkstatus,externalLB

worker.externalstg1.port=9011
worker.externalstg1.host=10.181.42.51
worker.externalstg1.type=ajp13
worker.externalstg1.connect_timeout=15000
worker.externalstg1.prepost_timeout=5000
worker.externalstg1.socket_timeout=60
worker.externalstg1.connection_pool_timeout=0

worker.externalstg2.port=9011
worker.externalstg2.host=10.181.42.52
worker.externalstg2.type=ajp13
worker.externalstg2.connect_timeout=15000
worker.externalstg2.prepost_timeout=5000
worker.externalstg2.socket_timeout=60
worker.externalstg2.connection_pool_timeout=0

worker.externalLB.type=lb
worker.externalLB.balance_workers=externalstg1,externalstg2
worker.externalLB.sticky_session=1
worker.externalLB.session_cookie=JSESSIONID
worker.externalLB.session_path=;xyz

worker.jkstatus.type=status

#
# mod-jk.conf
#
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogLevel error
JkLogStampFormat  "[%a %b %d %H:%M:%S %Y]"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%U %w %V %q %T"

#
# portions of httpd.conf
#

StartServers8
MinSpareServers 5
MaxSpareServers20
ServerLimit  1536
MaxClients   1536
MaxRequestsPerChild  4000



#
# external-test.conf - hopefully it's in /etc/httpd/conf.d
#

ServerName test.community..com

Options -Indexes
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteCond %{REQUEST_URI} /etc/passwd$
RewriteRule .* - [F]


UseCanonicalName on
ProxyRequests off
ProxyPreserveHost On

ProxyPass /server-status !
ProxyPass /server-info !
ProxyPass /jkmanager/ !
JKMount / ricohexternalLB
JKMount /* ricohexternalLB


KeepAliveTimeout 2

Include conf/jive-cache.conf

Header append Vary User-Agent

AddOutputFilterByType INCLUDES;DEFLATE text/html text/plain 
text/css text/javascript application/x-javascript application/xml

SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ 
no-gzip dont-vary


BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
BrowserMatch "MSIE 6"  no-gzip dont-vary




If I've left out salient portions of httpd.conf, I apologize. mod_proxy, 
mod_proxy_httpd, mod_proxy_ftp, and mod_dav are all in use. 
mod_proxy_ajp is not (since mod_ajp is).


I suggest that you read very carefully the following:

http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html
http://tomcat.apache.org/connectors-doc/reference/workers.html
http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html

Also, read the example workers.properties file found in the conf 
directory of the source distribution for the Tomcat connectors.


In particular, start with the documentation concerning 
connection_pool_timeout.


There are other settings here that are either not used (because you 
haven't set the directive the settings alter), or don't exist.


In httpd.conf, you have:

ServerLimit  1536
MaxClients   1536

This seems to be a bit excessive.

There is a lot more, however this should give you enough to get started.

. . . . just my two cents
/mde/




Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Sverre Moe
NIO does support them according to the java documentation. These ciphers
have been implemented in the JSSE provider.
I have no problem making a connection to Tomcat via a Java program using a
HttpsConnection and am getting the highest cipher
(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).


2014-05-23 10:00 GMT+02:00 Igor Cicimov :

> On 23/05/2014 5:43 PM, "Sverre Moe"  wrote:
> >
> > I am using the following ciphers in Tomcat:
> >
>
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
> >
> > Somehow Chromium uses the last in that list. That is
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> > Though it should support all these ciphers. Is there an ordering I could
> > set so that it picks the first one?
>
> I think that's supported in APR only but not in BIO/NIO. But double-check
> that in the Connector docs please.
>


Re: AJP protocol with Apache Tomcat Version 7.0.52

2014-05-23 Thread pradeepgm
Attached all files here.  Just masked the customer domain. conf-files.zip
  

Please note that we have multiple tomcat instances supported by one common
apache httpd server. I just added the one (Tomcat 7) which is having this
issue (server hung). All remaining Tomcats are running on Tomcat 6.

Pradeep GM



--
View this message in context: 
http://tomcat.10.x6.nabble.com/AJP-protocol-with-Apache-Tomcat-Version-7-0-52-tp5017650p5017851.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Java Wrapper Service -Linux

2014-05-23 Thread vicky
Guys,

Can someone please share the steps needed to configure the Java wrapper service 
for Tomcat.

I'm using Tomcat 7 with JDK 1.7 on a Linux machine

I have added the wrapper.conf under "/conf " directory & wrapper 
script under "/bin".

While executing the "./wrapper -c ../conf/wrapper.conf" command, I'm getting 
the below error:

please guide me through as I couldn't find the steps over web.

+++=
wrapper  | --> Wrapper Started as Console
wrapper  | Java Service Wrapper Community Edition 64-bit 3.5.11
wrapper  |   Copyright (C) 1999-2011 Tanuki Software, Ltd. All Rights Reserved.
wrapper  | http://wrapper.tanukisoftware.com
wrapper  |
wrapper  | Launching a JVM...
jvm 1| Wrapper (Version 3.2.0) http://wrapper.tanukisoftware.org
jvm 1|
jvm 1| WARNING - The Wrapper jar file currently in use is version "3.2.0"
jvm 1|   while the version of the Wrapper which launched this JVM is
jvm 1|   "3.5.11".
jvm 1|   The Wrapper may appear to work correctly but some features 
may
jvm 1|   not function correctly.  This configuration has not been 
tested
jvm 1|   and is not supported.
jvm 1|
jvm 1| WrapperSimpleApp: Unable to locate the class : 
java.lang.ClassNotFoundException: 
jvm 1|
jvm 1| WrapperSimpleApp Usage:
jvm 1|   java org.tanukisoftware.wrapper.WrapperSimpleApp {app_class} 
[app_parameters]
jvm 1|
jvm 1| Where:
jvm 1|   app_class:  The fully qualified class name of the application 
to run.
jvm 1|   app_parameters: The parameters that would normally be passed to the
jvm 1|   application.
jvm 1| Wrapper code received an unknown packet type: -122
wrapper  | <-- Wrapper Stopped


+++


Thanks
Vicky




Re: CATALINA_PID != real PID

2014-05-23 Thread Leon Rosenberg
The usual Heisenbug.

regards
Leon


On Fri, May 23, 2014 at 1:24 PM, Арсений Зинченко wrote:

> Hi, Leon.
>
> Thanks for the reply.
>
> Don't know why - but now it works good :-)
>


Re: CATALINA_PID != real PID

2014-05-23 Thread Арсений Зинченко
Hi, Leon.

Thanks for the reply.

Don't know why - but now it works good :-)


Re: CATALINA_PID != real PID

2014-05-23 Thread Leon Rosenberg
Hello Arseniy,

I don't know why it doesn't work for you, it works for me:

export CATALINA_PID=/opt/app/tomcat7/pid

*/opt/app/tomcat7*$ more pid

5856

ps aux | grep 5856:

thales5856  0.0 43.6 642472 228788 ?   Sl   Apr28  29:19
/opt/java/jdk1.7.0_45/bin/java
-Djava.util.logging.config.file=/opt/app/tomcat7/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server
-Xmx256m -Djava.endorsed.dirs=/opt/app/tomcat7/endorsed -classpath
/opt/app/tomcat7/bin/bootstrap.jar:/opt/app/tomcat7/bin/tomcat-juli.jar
-Dcatalina.base=/opt/app/tomcat7 -Dcatalina.home=/opt/app/tomcat7
-Djava.io.tmpdir=/opt/app/tomcat7/temp
org.apache.catalina.startup.Bootstrap start

I am using CATALINA_PID solely to be able to use the force option:

bin/shutdown.sh -force

for automatic releases from Jenkins (the only way I know to wait until
shutdown is finished).

Maybe you have a wrapper script that starts another script, which starts
Tomcat, and this is why your PIDs differ?


regards

Leon


On Fri, May 23, 2014 at 12:03 PM, Арсений Зинченко wrote:

> Hi, guys.
>
> I set:
>
> $ export CATALINA_PID="$CATALINA_HOME/conf/catalina.pid"
>
> Started *Tomcat*:
>
> $ ./bin/startup.sh
> Using CATALINA_BASE:   /home/tomcats/apache-tomcat-7.0.53
> Using CATALINA_HOME:   /home/tomcats/apache-tomcat-7.0.53
> Using CATALINA_TMPDIR: /home/tomcats/apache-tomcat-7.0.53/temp
> Using JRE_HOME:        /usr/java/jdk1.6.0_45/jre/
> Using CLASSPATH:       /home/tomcats/apache-tomcat-7.0.53/bin/bootstrap.jar:/home/tomcats/apache-tomcat-7.0.53/bin/tomcat-juli.jar
> Using CATALINA_PID:    /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
> Tomcat started.
>
> Checked pid-file:
>
> $ cat /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
> 28461
>
> But - there is no process 28461:
>
> $ ps aux | grep 28461
> tomcats  28599  0.0  0.0 103240   872 pts/0S+   12:50   0:00 grep 28461
>
> $ ps -p 28461
>   PID TTY  TIME CMD
>
> And Tomcat's JVM runs with another PID:
>
> $ ps u | grep tomcat | grep java | grep -v grep | cut -d" " -f 3
> 30133
>
> So what exactly is the CATALINA_PID variable needed for, or why does it
> return the wrong number?
>
> From Jason Brittain's book *Tomcat: The Definitive Guide* we know that:
>
> CATALINA_PID This variable may optionally hold the path to the process ID
> file that Tomcat should use when starting up and shutting down. None
>
> Use:
>
> $ cat /etc/redhat-release
> CentOS release 6.4 (Final)
>
> Thanks for advice.
>
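Whatever the reason the number in the file differs, anything that acts on CATALINA_PID should first confirm that the PID belongs to the Tomcat JVM it expects: the forced stop in catalina.sh sends SIGKILL to whatever number is in that file, so a stale file whose PID has since been reused by another process takes that process down instead. The check below is an added example, not part of Tomcat; it reads /proc/<pid>/cmdline (so Linux only) and accepts the PID only if the process runs org.apache.catalina.startup.Bootstrap with the expected -Dcatalina.base. The demo builds a fake /proc tree so it runs offline; the JVM PID, the stale PID and the paths are taken from this thread, and the wrapper-script process is invented to match the explanation above.

```python
"""Check that the PID recorded in CATALINA_PID really is the Tomcat JVM before
acting on it (catalina.sh's forced stop sends SIGKILL to whatever number is
in that file). Added example, not part of Tomcat; it reads /proc/<pid>/cmdline
and, for the demo, builds a fake /proc tree so it runs offline."""
import os
import tempfile

BOOTSTRAP_CLASS = "org.apache.catalina.startup.Bootstrap"


def read_pid(pid_file):
    with open(pid_file) as f:
        text = f.read().strip()
    if not text.isdigit():
        raise ValueError(f"{pid_file} does not hold a PID: {text!r}")
    return int(text)


def process_argv(pid, proc_root="/proc"):
    """argv of a live process from its NUL-separated cmdline, or None if no
    such process exists."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as f:
            raw = f.read()
    except FileNotFoundError:
        return None
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def check_catalina_pid(pid_file, catalina_base, proc_root="/proc"):
    """(ok, reason): ok only when the PID is alive, runs Tomcat's Bootstrap
    class and was started with the expected -Dcatalina.base."""
    pid = read_pid(pid_file)
    argv = process_argv(pid, proc_root)
    if argv is None:
        return False, f"pid {pid} is not running: stale pid file"
    if BOOTSTRAP_CLASS not in argv:
        return False, f"pid {pid} is not a Tomcat JVM: {' '.join(argv)}"
    base = next((a.split("=", 1)[1] for a in argv
                 if a.startswith("-Dcatalina.base=")), None)
    if base != catalina_base:
        return False, f"pid {pid} is Tomcat for catalina.base={base}, not {catalina_base}"
    return True, f"pid {pid} is the Tomcat JVM for {catalina_base}"


def write_fake_proc(root, processes):
    """Constructed /proc lookalike: {pid: argv} -> <root>/<pid>/cmdline."""
    for pid, argv in processes.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")


def demo():
    """Three pid files against one fake process table: the number from the
    thread that no longer exists, a shell wrapper's PID (hypothetical), and
    the real JVM. PIDs and paths follow the thread; the wrapper is invented."""
    base = "/home/tomcats/apache-tomcat-7.0.53"
    with tempfile.TemporaryDirectory() as tmp:
        proc = os.path.join(tmp, "proc")
        write_fake_proc(proc, {
            30133: ["/usr/java/jdk1.6.0_45/jre/bin/java", f"-Dcatalina.base={base}",
                    "-classpath", f"{base}/bin/bootstrap.jar", BOOTSTRAP_CLASS, "start"],
            28460: ["/bin/sh", "/usr/local/bin/start-tomcat.sh"],  # hypothetical wrapper
        })
        results = {}
        for label, pid in {"stale": 28461, "wrapper": 28460, "jvm": 30133}.items():
            pid_file = os.path.join(tmp, f"{label}.pid")
            with open(pid_file, "w") as f:
                f.write(f"{pid}\n")
            results[label] = check_catalina_pid(pid_file, base, proc_root=proc)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:8} {'OK ' if ok else 'BAD'} {reason}")
```

Against a real system call check_catalina_pid with the default proc_root; the catalina.base comparison is what stops a stop script for one instance from killing another instance whose PID happens to be in a copied or stale file.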


CATALINA_PID != real PID

2014-05-23 Thread Арсений Зинченко
Hi, guys.

I set:

$ export CATALINA_PID="$CATALINA_HOME/conf/catalina.pid"

Started *Tomcat*:

$ ./bin/startup.sh
Using CATALINA_BASE:   /home/tomcats/apache-tomcat-7.0.53
Using CATALINA_HOME:   /home/tomcats/apache-tomcat-7.0.53
Using CATALINA_TMPDIR: /home/tomcats/apache-tomcat-7.0.53/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_45/jre/
Using CLASSPATH:       /home/tomcats/apache-tomcat-7.0.53/bin/bootstrap.jar:/home/tomcats/apache-tomcat-7.0.53/bin/tomcat-juli.jar
Using CATALINA_PID:    /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
Tomcat started.

Checked pid-file:

$ cat /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
28461

But - there is no process 28461:

$ ps aux | grep 28461
tomcats  28599  0.0  0.0 103240   872 pts/0S+   12:50   0:00 grep 28461

$ ps -p 28461
  PID TTY  TIME CMD

And Tomcat's JVM runs with another PID:

$ ps u | grep tomcat | grep java | grep -v grep | cut -d" " -f 3
30133

So what exactly is the CATALINA_PID variable needed for, or why does it
return the wrong number?

From Jason Brittain's book *Tomcat: The Definitive Guide* we know that:

CATALINA_PID This variable may optionally hold the path to the process ID
file that Tomcat should use when starting up and shutting down. None

Use:

$ cat /etc/redhat-release
CentOS release 6.4 (Final)

Thanks for advice.


Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Igor Cicimov
On 23/05/2014 5:43 PM, "Sverre Moe"  wrote:
>
> I am using the following ciphers in Tomcat:
>
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
>
> Somehow Chromium uses the last in that list. That is
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> Though it should support all these ciphers. Is there an ordering I could
> set so that i picks the first one?

I think thats supported in APR only but not in BIO/NIO. But doublecheck
that in the Connector docs please.


Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Sverre Moe
I am using the following ciphers in Tomcat:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

Somehow Chromium uses the last in that list. That is
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Though it should support all these ciphers. Is there an ordering I could
set so that i picks the first one?


2014-05-23 8:52 GMT+02:00 David Bullock :

> NSA:  "So, how much do you want to not actually *use* strong ciphers with
> perfect forward secrecy"?
> Mozilla,Google,Opera,et-al:  "Hey, that's a business model RIGHT THERE!
>  How much do you even have?"
> NSA:  "How about, not being put out of business permanently, family members
> keeping up their low incidence of accidental deaths?"
> Cryptographically-savvy: *Sigh*
> World: "Hang on, I'll just quickly email you that password ..."
>
>
>
>
> David Bullock
> Machaira Enterprises Pty Ltd
> PO Box 31
> Canowindra NSW 2804
>
> 02 6344 1100
> http://machaira.com.au/
>
>
>
> On 23 May 2014 16:13, Sverre Moe  wrote:
>
> > I have found out that the connector can use these ciphers, but Chromium
> > can't.
> > I wrote a small Java program that makes a HttpsConnection with Tomcat
> > without problem.
> >
> > Output with -Djavax.net.debug=ssl
> > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > *** Finished
> > verify_data:  { 167, 191, 12, 139, 75, 162, 8, 69, 1, 129, 65, 129 }
> > ***
> > main, WRITE: TLSv1.2 Handshake, length = 96
> > main, READ: TLSv1.2 Change Cipher Spec, length = 1
> > main, READ: TLSv1.2 Handshake, length = 96
> > *** Finished
> > verify_data:  { 4, 236, 148, 186, 214, 130, 187, 88, 249, 51, 183, 102 }
> > ***
> > %% Cached client session: [Session-1,
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
> > main, WRITE: TLSv1.2 Application Data, length = 224
> > main, READ: TLSv1.2 Application Data, length = 11472
> >
> > It chose among these ciphers:
> >
> >
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> >
> > If I also add the following ciphers:
> >
> >
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> > Then my little Java program uses only these and not the GCM ciphers.
> > Chromium does not use GCM either if I throw along CBC ciphers.
> >
> >
> > It seems neither Chromium, Firefox or Opera supports these higher
> ciphers.
> > No AES_256_GCM and no SHA384.
> >
> >
> > 2014-05-23 0:53 GMT+02:00 Igor Cicimov :
> >
> > > On 21/05/2014 8:22 PM, "Sverre Moe"  wrote:
> > > >
> > > > I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for
> > > > TLSv1.2. I then configured a list of strong ciphers only, that I
> wanted
> > > to
> > > > use.
> > > >
> > > >  > > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150"
> > > > clientAuth="false" SSLEnabled="true" scheme="https" secure="true"
> > > > sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" keyAlias="tomcat"
> > > > keystoreFile="/usr/share/tomcat/.keystore" keystorePass="**"
> > > > keystoreType="JKS"
> > > >
> > >
> > >
> >
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256"
> > > > />
> > > >
> > > > I have tried running Tomcat with Java 7 and Java 8. Both of these
> > should
> > > > support CBC_SHA256 and CBC_SHA384, but only Java 8 supports
> GCM_SHA384.
> > > > I have downloaded the Java cryptographic extensions policy files for
> > both
> > > > Java 7 and Java 8.
> > > >
> > > > The only way I get a connection is when I add the following ciphers:
> > > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> > > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> > > >
> > > > According to the specification all these ciphers are correct names:
> > > >
> > >
> > >
> >
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites
> > > >
> > > > According to the implementation in JSSE provider they are implemented
> > as
> > > > well to work with TLSv1.2
> > > >
> > >
> > >
> >
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> > > > Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available
> > only
> > > > for TLS 1.2 or later.
> > > >
> > > >
> > > > Also how come SSLLabs SSLTest tells me I do not have forward secrecy
> > and
> > > > are using RC4 ciphers. Thought when I set a limited list of ciphers
> > only
> > > > those can be used.
> > > >
> > > > I tried to edit /usr/sbin/tomcat-sysd (which is started by service
> > > tomcat)
> > > > to enable SSL debugging, but nothing shows up in the log files
> > >
> > > Have you tried starting tomcat with -Djavax.net.debug=ssl option? You
> can
> > > also narrow it down like -Djavax.net.debug=ssl:handshake for exampl

Re: AJP protocol with Apache Tomcat Version 7.0.52

2014-05-23 Thread Mark Thomas
On 23/05/2014 03:42, pradeepgm wrote:
> Now we have configured three tomcat instances with below configurations to
> test the above issue
> 
> 1. AJP BIO with JkOptions +DisableReuse, connectionTimeout=2,
> maxThreads=250, maxConnection=245
> 2. AJP NIO with maxThreads=250, maxConnection=245, connectionTimeout=2
> and bufferSize=4096
> 3. Http NIO with maxThreads=250, maxConnection=245, connectionTimeout=2
> 
> We have been told that above issue ( tomcat hung and not responding) is due
> to AJP

Utter nonsense. It is most likely due to poor configuration on your
part but since you haven't bothered to provide the relevant parts (or
indeed any parts) of your httpd configuration no-one here is going to be
able to point out the issue(s).

> (be it BIO or NIO) connector and if we use http this issue would not
> surface.

Whether or not switching to HTTP "fixes" the issue is going to depend on
what the problem is and how the default settings for AJP and HTTP
interact with the problem.

Mark

