[ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.29.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.

Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as
well as other enhancements and changes. The notable changes since 8.0.28
include:

- Add an option to control (per context) quoting of EL expressions in
  JSP attributes

- Correct a regression in the fix for 56777 that added support for
  URIs in config file locations

- Add a new RestCsrfPreventionFilter that provides basic CSRF
  protection for REST APIs

- Use instance manager for WebSocket server endpoint instances


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



TLS certificate configuration in Tomcat 9

2015-11-25 Thread Christopher Schultz
All,

Is the PEM-based certificate configuration available for both JSSE-based
and APR-based connectors in Tomcat 9 at this point? The documentation
says e.g. the "certificateFile" attribute is for "OpenSSL Only", and
when I try to launch Tomcat using the NIO connector and a PEM-based
certificate file, Tomcat says that the keystore is corrupted (even
though no keystore was actually specified).

-chris




Re: TLS fails in Firefox and Chrome

2015-11-25 Thread Christopher Schultz
Mark,

On 11/24/15 1:56 PM, Mark Robinson wrote:
> My config is pretty vanilla.
> 
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="8443" maxThreads="200"
> ciphers="TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_
SCSV,TLS_DH_anon_WITH_AES_128_GCM_SHA256,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_anon_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
> scheme="https" secure="true" SSLEnabled="true"
> keystoreFile="conf/keystore.jks" keystorePass="changeit"
> clientAuth="false" sslProtocol="TLS"/>
> 
> This fails, because of the three problematic ciphers.


I'm just going to list the ciphers you have in order here and make some
comments.

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

So the top 3 are giving you problems with ff and Chrome. I have ff using
the second of those ciphers right now with a site I control, but SSL is
being terminated by AWS ELB (likely some variant of haproxy).

I just configured Tomcat 9 with sslProtocol="TLS" and I was able to
connect using OpenSSL s_client -tls1_2 but not with other options. I was
also unable to connect with Firefox 42, but Chrome 46 and Safari 9 can
connect. I didn't try any versions of MSIE.

Note that the TLS_RSA_WITH_AES_128_GCM_SHA256 algorithm is defined by
TLSv1.2 and not before, thus only a TLSv1.2 handshake should be able to
negotiate it.

I added SSL_RSA_WITH_3DES_EDE_CBC_SHA, a cipher defined in TLSv1
(arbitrarily-chosen), and now all browsers can connect. Strange that
Firefox doesn't want to negotiate with only TLSv1.2 ciphers...

When Firefox connects, it negotiates the 3DES cipher instead of the
higher-security TLS_* ciphers. I wonder if Firefox doesn't support the
RSA version of these ciphers, and I have an RSA key and no DHE key for
my test server. Thus, Firefox can't negotiate until I supply a cipher
that it does support.

I can see that Chrome is using the DHE_RSA flavor when it handshakes. I
think this is truly an issue of Firefox simply not supporting the
ciphers you have chosen.

Let's look at the rest of the list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA !
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA !
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA !
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Those listed above which I've annotated with a ! are somewhat low on
security, as defined as having only 112 bits. Everything below this line
should never be used unless you (a) don't actually care about security
or (b) have other controls in place to mitigate the 
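
Added example, not part of the message above and not Tomcat project code: a small Python audit of a JSSE-style "ciphers" attribute value that applies the distinctions drawn in the reply (TLSv1.2-only suites, 112-bit 3DES, and the anonymous/NULL/EXPORT/DES suites). The sample value and function names are constructed for illustration; the TLSv1.2 rule is generalized from the GCM suite named above to the other SHA256/SHA384 suites in the quoted list and does not cover PSK suites.

```python
import re

# Constructed sample: a shortened "ciphers" value, with one name split by a
# line break, which wrapped configuration often contains.
SAMPLE_CIPHERS = """TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_
SCSV,TLS_DH_anon_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"""

SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
# JSSE names look like <TLS|SSL>_<key exchange>_WITH_<cipher>_<MAC or PRF hash>.
NAME_RE = re.compile(r"^(?:TLS|SSL)_([A-Za-z0-9_]+?)_WITH_([A-Z0-9_]+)$")


def split_ciphers(value):
    """Split a comma-separated ciphers value, removing stray whitespace."""
    return [c for c in re.sub(r"\s+", "", value).split(",") if c]


def classify(name):
    """Return (verdict, needs_tls12, reasons) for one cipher suite name.

    The verdict rules are this example's own: "reject" for suites with no
    authentication, no encryption, export-grade keys or single DES; "weak"
    for 3DES; "signal" for the renegotiation SCSV; otherwise "ok".
    """
    if name == SCSV:
        return "signal", False, ["renegotiation signalling value, not a cipher"]
    match = NAME_RE.match(name)
    if not match:
        return "unknown", False, ["name does not follow KX_WITH_CIPHER_MAC"]
    key_exchange, rest = match.groups()
    tokens = rest.split("_")
    reasons = []
    if "anon" in key_exchange:
        reasons.append("anonymous key exchange: server is not authenticated")
    if "EXPORT" in key_exchange:
        reasons.append("export-grade suite (40-bit keys)")
    if tokens[0] == "NULL":
        reasons.append("NULL cipher: no encryption")
    if tokens[0] in ("DES", "DES40"):
        reasons.append("single DES")
    verdict = "reject" if reasons else "ok"
    if tokens[0] == "3DES":
        reasons.append("3DES: 112-bit effective strength")
        if verdict == "ok":
            verdict = "weak"
    # Suites whose last token is SHA256/SHA384 (GCM and CBC_SHA256 families in
    # the quoted list) are defined for TLSv1.2; PSK suites are out of scope.
    needs_tls12 = tokens[-1] in ("SHA256", "SHA384")
    return verdict, needs_tls12, reasons


def audit(value):
    """Group every suite in a ciphers value by verdict, keeping list order."""
    report = {"ok": [], "weak": [], "reject": [], "signal": [], "unknown": []}
    for name in split_ciphers(value):
        report[classify(name)[0]].append(name)
    return report


def negotiable_before_tls12(value):
    """Non-rejected suites that a TLSv1.0/1.1 handshake is able to select."""
    usable = []
    for name in split_ciphers(value):
        verdict, needs_tls12, _ = classify(name)
        if verdict in ("ok", "weak") and not needs_tls12:
            usable.append(name)
    return usable


if __name__ == "__main__":
    for suite in split_ciphers(SAMPLE_CIPHERS):
        verdict, needs_tls12, reasons = classify(suite)
        proto = "TLSv1.2 only" if needs_tls12 else "pre-TLSv1.2 capable"
        note = "; ".join(reasons) if reasons else proto
        print(f"{verdict:7} {suite}: {note}")
    print("usable before TLSv1.2:", negotiable_before_tls12(SAMPLE_CIPHERS))
```

Run against a real connector by passing the value of its "ciphers" attribute to audit(); an empty negotiable_before_tls12() result means only TLSv1.2 handshakes can succeed.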

Re: TLS certificate configuration in Tomcat 9

2015-11-25 Thread Rémy Maucherat
2015-11-25 16:26 GMT+01:00 Christopher Schultz :

> All,
>
> Is the PEM-based certificate configuration available for both JSSE-based
> and APR-based connectors in Tomcat 9 at this point? The documentation
> says e.g. the "certificateFile" attribute is for "OpenSSL Only", and
> when I try to launch Tomcat using the NIO connector and a PEM-based
> certificate file, Tomcat says that the keystore is corrupted (even
> though no keystore was actually specified).
>

No, you really have to use OpenSSL, so either the APR connector, or the
NIOx connectors with the OpenSSL implementation. You will get warnings as
well if you don't use the appropriate properties for your connector.

Rémy


Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread Mark Thomas
On 25/11/2015 22:38, George Sexton wrote:
> Mark,
> 
> On 11/24/2015 4:11 PM, Mark Thomas wrote:
>> All,
>>
>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
>> now available on the Apache Tomcat YouTube channel:
>>
>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
> 
> I watched the video and I have two comments. First, I'm really excited
> about SNI support. For my particular use-case, it's going to be really
> nice.
> 
> Second, for my use case, I deploy hundreds (like 700+ on one server
> right now) of virtual hosts. I deploy and un-deploy hosts kind of
> randomly depending on things that are happening. I use the host-manager
> application to deploy/undeploy virtual hosts. At startup time, I have a
> script that generates the host entries to a file, and then I include
> that file within server.xml using an entity expansion.
> 
> I'm trying to understand how I could dynamically deploy a new host with
> an SSL certificate. Since the certificate configuration seems to be
> getting done at the connector, it "looks" to me like deploying a host
> with a new certificate (or changed certificate) would require
> re-starting the connector (tomcat). That would be really painful for me,
> forcing me to delay cert changes until maintenance times.

You are correct, that - currently - a Connector restart would be required.

> I wish that configuration was more consolidated. Right now (and if I'm
> doing this wrong, let me know), I have the generated host snippet that
> gets included in server.xml. Then, I have
> $CATALINA_BASE/conf/Catalina/hostname/context.xml which contains the
> context docBase, and access log valve configuration. Now, I'm looking at
> a 3rd thing with the certificates named in the Connector entry. Is there
> any way that .pem files that are in
> $CATALINA_BASE/conf/Catalina/hostname could be auto-loaded for that
> virtual host? I'm just kind of brainstorming.

The separation of the Host element and the SSLVirtualHost element was
bugging me slightly, as was the duplication of the default host
information. This is a good use case for trying to come up with
something better / consolidated.

> Also, just thinking out
> loud, it would be really nice if Tomcat automatically found a host
> configuration xml file in $CATALINA_BASE/conf/Catalina/hostname so that
> I don't have to do the kind of ugly hack of the entity inclusion which
> has its own problems (picture JSVC restart after deploying new host).

We'd need to think about naming, otherwise there will be the potential
for the file being treated as a context file.

> I appreciate your thoughts, and if I'm doing something the hard way, any
> suggestions you might have.

I can't think of a better way right now. I'll see what I can come up
with. It is probably worth creating an enhancement request in Bugzilla
against 9.0.x with the info you provided above.

Mark





Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender

2015-11-25 Thread Joleen Barker
Sorry. I all of a sudden noticed the swallowOutput="false" in the cfcc.xml
I had. I changed this to be true and now it appears most of the messages
are being written to the localhost file. I don't see any messages missing. I
will leave it run overnight and see what happens and report tomorrow.

-Joleen

On Wed, Nov 25, 2015 at 3:50 PM, Joleen Barker 
wrote:

> I didn't get too far. For the option b and setting the swallowOutput=true
> in right place I need to get some clarification.
>
> I was looking up more information about the swallowOutput parm so I
> understood more. In Christopher's comments he spoke about updating the
> context xml. This is where I am confused. When I think of the word
> "context" it has always referred to the vendor's web page to log in with
> and the context set is "cfcc". There is a file named cfcc.xml in the
> /server/conf/Catalina/localhost directory. Then there is
> the actual context.xml file located in the /server/conf
> directory. I am not sure which one I would put the swallowOutput parm in.
> Maybe it would be both.
>
> The only items in the context.xml file that are not commented out are the
> following settings and it's a pretty small file:
>
> 
> WEB-INF/web.xml
> ${catalina.base}/conf/web.xml
> ...
> ...
> 
> ...
> ...
>  />
> 
>
> The cfcc.xml file that I have has the following:
>
> 
>  charsetMapperClass="org.apache.catalina.util.CharsetMapper"
> className="org.apache.catalina.core.StandardContext" cookies="true"
> crossContext="false" debug="0" displayName="Secure Internet File Transfer
> Web Services" docBase="/opt/mftcc730/server/webapps/cfcc"
> mapperClass="org.apache.catalina.core.StandardContextMapper" path="/cfcc"
> privileged="false" reloadable="false" swallowOutput="false"
> useHttpOnly="false" useNaming="true"
> wrapperClass="org.apache.catalina.core.StandardWrapper">
> 
> 
>  directory="/opt/mftcc730/server/logs" prefix="localhost_cfcc_"
> suffix=".txt" timestamp="true" verbosity="2"/>
>  connectionName="cfcc" connectionPassword="TgPGKAy//0gDOq2Co5UnM2AE8pM="
> connectionURL="jdbc:mysql://192.168.1.7:3306/mft730?characterEncoding=UTF8"
> debug="0" digest="SHA" driverName="com.mysql.jdbc.Driver"
> roleNameCol="RoleID" userCredCol="Passwd" userNameCol="UserID"
> userRoleTable="UsersMap" userTable="Users" validate="true"/>
>  type="javax.sql.DataSource"/>
> 
>
> Thank you.
>
> -Joleen
>
>
> On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker 
> wrote:
>
>> Thank you for some direction.
>>
>> I'll go ahead and put back the logging as it was from the vendor using
>> the logging.properties file, etc. etc. so as to minimize their lack of
>> support due to me changing a lot in their product.
>>
>> Then I'll go on to try option b.
>>
>> I'll report back with how it goes.
>>
>> -Joleen
>> Joleen,
>>
>> On 11/24/15 4:31 PM, Joleen Barker wrote:
>> > I have setup the logrotate using cron in the past and it was very
>> > successful on the Linux boxes but I could not find an equivalent setup for
>> > AIX. Things seem so much easier on Linux. The company wants a universal
>> > approach so that left that option out.
>>
>> Only some things are easier on Linux.
>>
>> This may help:
>> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>>
>> > I did see the section you copied in from the catalina.sh file but couldn't
>> > make much out from it so I left it alone.
>> >
>> > I like the sound of option b. I know where the context xml file is. (Under
>> > the Catalina/localhost/.xml) I'm not sure if this is what you mean
>> > by descriptor.
>>
>> Yup, that's the one. Just add the swallowOutput setting and restart the
>> web application. (Or restart Tomcat if that's easier for you.)
>>
>> > If I did this would I leave the log4j config changes that I
>> > have in place that already?
>>
>> No, you wouldn't have to use log4j at all. JULI can do log-rotation as
>> well, though the options aren't as nice as log4j. Log4j is a really
>> great logging system, actually.
>>
>> -chris
>>
>>
>>
>


Re: Tomcat hanging when acting as GWT server.

2015-11-25 Thread Christopher Schultz
Simon,

On 11/25/15 12:55 PM, Simon Callan wrote:
> The different versions of tomcat all show the same issue. We have this issue 
> on two systems, and only two systems. We have not been able to reproduce this 
> on any other system we have access to.
> 
> Having investigated further, I appear to have provoked tomcat into producing 
> a pair of exception backtraces in the log files:
> 
> 25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-7] 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>  java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.ECDHCrypt.(Unknown Source)
> at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
> at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
> at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:301)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:359)
> ... 7 more
> Caused by: java.security.InvalidAlgorithmParameterException: unknown curve 
> name: 1.2.840.10045.3.1.7
> at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown 
> Source)
> ... 20 more
> 
> 25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-1] 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>  java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: Could not generate DH keypair
> at sun.security.ssl.ECDHCrypt.(Unknown Source)
> at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
> at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
> at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
> at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:301)
> at 
> org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:359)
> ... 7 more
> Caused by: java.security.InvalidAlgorithmParameterException: unknown curve 
> name: 1.2.840.10045.3.1.7
> at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown 
> 

Re: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Christopher Schultz
Violeta,

On 11/25/15 3:00 PM, Violeta Georgieva wrote:
> 2015-11-25 21:38 GMT+02:00 Felix Schumacher <
> felix.schumac...@internetallee.de>:
>>
>>
>>
>> On 25 November 2015 20:24:17 CET, Violeta Georgieva <
> miles...@gmail.com> wrote:
>>> Hi,
>>>
>>> 2015-11-25 20:42 GMT+02:00 David Balažic :

>>>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>>>
>>>> "TLSv1.0 is no an alias"
>>>>
>>>> Should probably be "TLSv1.0 is not an alias"
>>>
>>> I fixed it.
>>
>> I believe it should have been "TLSv1.0 is no(w) an alias ... and will
> no(t) work ..."
> 
> Yep you are right.
> I fixed it.

Also, I'm fairly sure:

> Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL 
> changes. In particular, TLSv1.0 is no an alias for those ciphers that
> require TLSv1 and will no work with SDSLv3.

s/SDSLv3/SSLv3/

-chris




Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender

2015-11-25 Thread Joleen Barker
I changed it back to use the log4j setting as I liked it better and the
boss wants the files to rollover at midnight each night. Now when I startup
the catalina.out file is empty and the logs appear to be split between the
catalina file (not catalina.out) and the localhost file. Some of the
messages are doubled between the two files.


We will see what happens now with the swallowOutput=true. I'm so excited to
see what is there tomorrow morning. lol

-Joleen

On Wed, Nov 25, 2015 at 6:59 PM, Joleen Barker 
wrote:

> Sorry. I all of a sudden noticed the swallowOutput="false" in the cfcc.xml
> I had. I changed this to be true and now it appears most of the messages
> are being written to the localhost file. I don't see any messages missing. I
> will leave it run overnight and see what happens and report tomorrow.
>
> -Joleen
>
> On Wed, Nov 25, 2015 at 3:50 PM, Joleen Barker 
> wrote:
>
>> I didn't get too far. For the option b and setting the swallowOutput=true
>> in right place I need to get some clarification.
>>
>> I was looking up more information about the swallowOutput parm so I
>> understood more. In Christopher's comments he spoke about updating the
>> context xml. This is where I am confused. When I think of the word
>> "context" it has always referred to the vendor's web page to log in with
>> and the context set is "cfcc". There is a file named cfcc.xml in the
>> /server/conf/Catalina/localhost directory. Then there is
>> the actual context.xml file located in the /server/conf
>> directory. I am not sure which one I would put the swallowOutput parm in.
>> Maybe it would be both.
>>
>> The only items in the context.xml file that are not commented out are the
>> following settings and it's a pretty small file:
>>
>> 
>> WEB-INF/web.xml
>> ${catalina.base}/conf/web.xml
>> ...
>> ...
>> 
>> ...
>> ...
>> > />
>> 
>>
>> The cfcc.xml file that I have has the following:
>>
>> 
>> > charsetMapperClass="org.apache.catalina.util.CharsetMapper"
>> className="org.apache.catalina.core.StandardContext" cookies="true"
>> crossContext="false" debug="0" displayName="Secure Internet File Transfer
>> Web Services" docBase="/opt/mftcc730/server/webapps/cfcc"
>> mapperClass="org.apache.catalina.core.StandardContextMapper" path="/cfcc"
>> privileged="false" reloadable="false" swallowOutput="false"
>> useHttpOnly="false" useNaming="true"
>> wrapperClass="org.apache.catalina.core.StandardWrapper">
>> 
>> 
>> > directory="/opt/mftcc730/server/logs" prefix="localhost_cfcc_"
>> suffix=".txt" timestamp="true" verbosity="2"/>
>> > connectionName="cfcc" connectionPassword="TgPGKAy//0gDOq2Co5UnM2AE8pM="
>> connectionURL="jdbc:mysql://
>> 192.168.1.7:3306/mft730?characterEncoding=UTF8" debug="0" digest="SHA"
>> driverName="com.mysql.jdbc.Driver" roleNameCol="RoleID"
>> userCredCol="Passwd" userNameCol="UserID" userRoleTable="UsersMap"
>> userTable="Users" validate="true"/>
>> > type="javax.sql.DataSource"/>
>> 
>>
>> Thank you.
>>
>> -Joleen
>>
>>
>> On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker 
>> wrote:
>>
>>> Thank you for some direction.
>>>
>>> I'll go ahead and put back the logging as it was from the vendor using
>>> the logging.properties file, etc. etc. so as to minimize their lack of
>>> support due to me changing a lot in their product.
>>>
>>> Then I'll go on to try option b.
>>>
>>> I'll report back with how it goes.
>>>
>>> -Joleen
>>> Joleen,
>>>
>>> On 11/24/15 4:31 PM, Joleen Barker wrote:
>>> > I have setup the logrotate using cron in the past and it was very
>>> > successful on the Linux boxes but I could not find an equivalent setup for
>>> > AIX. Things seem so much easier on Linux. The company wants a universal
>>> > approach so that left that option out.
>>>
>>> Only some things are easier on Linux.
>>>
>>> This may help:
>>> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>>>
>>> > I did see the section you copied in from the catalina.sh file but couldn't
>>> > make much out from it so I left it alone.
>>> >
>>> > I like the sound of option b. I know where the context xml file is. (Under
>>> > the Catalina/localhost/.xml) I'm not sure if this is what you mean
>>> > by descriptor.
>>>
>>> Yup, that's the one. Just add the swallowOutput setting and restart the
>>> web application. (Or restart Tomcat if that's easier for you.)
>>>
>>> > If I did this would I leave the log4j config changes that I
>>> > have in place that already?
>>>
>>> No, you wouldn't have to use log4j at all. JULI can do log-rotation as
>>> well, though the options aren't as nice as log4j. Log4j is a really
>>> great logging system, actually.
>>>
>>> -chris
>>>
>>>
>>>
>>
>


Re: [ANNOUNCE] CFP open for ApacheCon North America 2016

2015-11-25 Thread Christopher Schultz
Tomcat Users,

On 11/25/15 12:32 PM, Rich Bowen wrote:
> Community growth starts by talking with those interested in your
> project. ApacheCon North America is coming, are you?
> 
> We are delighted to announce that the Call For Presentations (CFP) is
> now open for ApacheCon North America.

Okay, folks, it's that time again.

Last year, we didn't get much feedback when we asked, but I'll go ahead
and ask again: what kinds of presentations at ApacheCon would encourage
you to attend?

Last year at ApacheCon North America we had the following Tomcat-related
presentations:

Intro to Load-Balancing Tomcat with httpd and mod_jk
Tomcat Clustering: Part 1 - Reverse Proxies
Tomcat Clustering: Part 2 - Load-Balancing
Tomcat Clustering: Part 3 - Session Replication
Monitoring Apache Tomcat
Choosing tomcat Connectors: Internals and Performances

This year at ApacheCon Europe we had the following Tomcat-related
presentations:

Tomcat 9 Progress Report
Tomcat Cluster
Server Side TLS (for HTTP/2) and Java

What other topics would you folks like to see at ApacheCon?

Maybe you have a topic you'd like to *present* at ApacheCon? Attendance
is free for ApacheCon if you are a presenter and if you do a bit of work
(mostly being an MC for a half-day in a single room), you can even get
travel assistance.

My employer is generous enough to pay for my attendance AND I don't have
to take vacation. Consider it continuing education. Or, if you present,
consider it payment for great software you've been using at no cost
along with (hopefully) top-notch technical support from this community.

-chris




Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread George Sexton

Mark,

On 11/24/2015 4:11 PM, Mark Thomas wrote:

> All,
>
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> now available on the Apache Tomcat YouTube channel:
>
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g


I watched the video and I have two comments. First, I'm really excited 
about SNI support. For my particular use-case, it's going to be really nice.


Second, for my use case, I deploy hundreds (like 700+ on one server 
right now) of virtual hosts. I deploy and un-deploy hosts kind of 
randomly depending on things that are happening. I use the host-manager 
application to deploy/undeploy virtual hosts. At startup time, I have a 
script that generates the host entries to a file, and then I include 
that file within server.xml using an entity expansion.


I'm trying to understand how I could dynamically deploy a new host with 
an SSL certificate. Since the certificate configuration seems to be 
getting done at the connector, it "looks" to me like deploying a host 
with a new certificate (or changed certificate) would require 
re-starting the connector (tomcat). That would be really painful for me, 
forcing me to delay cert changes until maintenance times.


I wish that configuration was more consolidated. Right now (and if I'm 
doing this wrong, let me know), I have the generated host snippet that 
gets included in server.xml. Then, I have 
$CATALINA_BASE/conf/Catalina/hostname/context.xml which contains the 
context docBase, and access log valve configuration. Now, I'm looking at 
a 3rd thing with the certificates named in the Connector entry. Is there 
any way that .pem files that are in 
$CATALINA_BASE/conf/Catalina/hostname could be auto-loaded for that 
virtual host? I'm just kind of brainstorming. Also, just thinking out 
loud, it would be really nice if Tomcat automatically found a host 
configuration xml file in $CATALINA_BASE/conf/Catalina/hostname so that 
I don't have to do the kind of ugly hack of the entity inclusion which 
has its own problems (picture JSVC restart after deploying new host).


I appreciate your thoughts, and if I'm doing something the hard way, any 
suggestions you might have.





> Mark




--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread Christopher Schultz
Mark,

On 11/25/15 6:44 PM, Mark Thomas wrote:
> On 25/11/2015 22:38, George Sexton wrote:
>> Mark,
>>
>> On 11/24/2015 4:11 PM, Mark Thomas wrote:
>>> All,
>>>
>>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
>>> now available on the Apache Tomcat YouTube channel:
>>>
>>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>>
>> I watched the video and I have two comments. First, I'm really excited
>> about SNI support. For my particular use-case, it's going to be really
>> nice.
>>
>> Second, for my use case, I deploy hundreds (like 700+ on one server
>> right now) of virtual hosts. I deploy and un-deploy hosts kind of
>> randomly depending on things that are happening. I use the host-manager
>> application to deploy/undeploy virtual hosts. At startup time, I have a
>> script that generates the host entries to a file, and then I include
>> that file within server.xml using an entity expansion.
>>
>> I'm trying to understand how I could dynamically deploy a new host with
>> an SSL certificate. Since the certificate configuration seems to be
>> getting done at the connector, it "looks" to me like deploying a host
>> with a new certificate (or changed certificate) would require
>> re-starting the connector (tomcat). That would be really painful for me,
>> forcing me to delay cert changes until maintenance times.
> 
> You are correct, that - currently - a Connector restart would be required.
> 
>> I wish that configuration was more consolidated. Right now (and if I'm
>> doing this wrong, let me know), I have the generated host snippet that
>> gets included in server.xml. Then, I have
>> $CATALINA_BASE/conf/Catalina/hostname/context.xml which contains the
>> context docBase, and access log valve configuration. Now, I'm looking at
>> a 3rd thing with the certificates named in the Connector entry. Is there
>> any way that .pem files that are in
>> $CATALINA_BASE/conf/Catalina/hostname could be auto-loaded for that
>> virtual host? I'm just kind of brainstorming.
> 
> The separation of the Host element and the SSLVirtualHost element was
> bugging me slightly, as was the duplication of the default host
> information. This is a good use case for trying to come up with
> something better / consolidated.

I'd like to point-out that this is no more painful than doing the same
operation on Tomcat 7 or 8... you still need to restart the connector if
you want to change something about the TLS configuration. I just wanted
to make it clear that this isn't any kind of loss of capabilities or a
regression or anything.

I suppose the Connector could "search" through the configured s
looking for one that had a name (or alias) matching the SNI name in the
TLS handshake, and then looking for an appropriate SSLHostConfig (or
whatever) configuration to go with it. That would slow-down the
handshake ever so slightly.

This is all new stuff, and so it doesn't have the support yet for fancy
re-configuration at runtime, yet. This is good feedback.

What if adding a  at runtime -- either directly, programmatically,
or by using JMX/some other technique -- could also add an SSLHostConfig
to wherever is appropriate? So, if we were to move SSLHostConfig from
the Connector to the Host itself, or leave it where it is, Tomcat could
take-care of the complexity there for you?

>> Also, just thinking out
>> loud, it would be really nice if Tomcat automatically found a host
>> configuration xml file in $CATALINA_BASE/conf/Catalina/hostname so that
>> I don't have to do the kind of ugly hack of the entity inclusion which
>> has its own problems (picture JSVC restart after deploying new host).
> 
> We'd need to think about naming, otherwise there will be the potential
> for the file being treated as a context file.

+1

Instead of using conf/Catalina/[hostname].xml (or similar), we could use
a subdirectory:

conf/Catalina/hosts/[hostname].xml

The "hosts" subdirectory should never be confused with a context
deployment descriptor.

>> I appreciate your thoughts, and if I'm doing something the hard way, any
>> suggestions you might have.
> 
> I can't think of a better way right now. I'll see what I can come up
> with. It is probably worth creating an enhancement request in Bugzilla
> against 9.0.x with the info you provided above.

+1

This was a milestone release with a "1.0" way down the line -- mostly
because of the fact that we have to wait-around for the Servlet and
other related specifications to be finalized -- so I think we have
plenty of time to change our minds about things.

I've had many occasions to talk to Mark about Tomcat use versus
implementation and he's made it perfectly clear to me that he is neither
an application developer nor an administrator, so he's not a good
resource for coming up with real-world requirements. That is, he's not a
"user" of Tomcat and therefore not in a great position to be able to
guess what the best way for users to use Tomcat would be.

That's where we -- the users and 

RE: Tomcat hanging when acting as GWT server.

2015-11-25 Thread Simon Callan
>>> Then, after the user logs-out (from the either completely responsive
>>> or completely non-responsive web application), the web application becomes 
>>> (or remains) unresponsive?
>>
>> What I mean by this is:
>> 1. User starts web-app, and uses it normally.

>Do you mean that the user starts using the web application? It's rare for a 
>user to start (e.g. launch, deploy, etc.) a
> web application. I'm trying to parse-out the difference between the web 
> application starting up in Tomcat versus
> a user logging-into it -- the two are radically different things.

The user opens the application home page in the web browser.

>> 2. In a separate tab, the user tries to go to the tomcat home page, or the 
>> tomcat manager.
> IE displays the standard "This page can't be displayed" error message.

> Immediately, or is there a time lag? Do you get an HTTP response, or a 
> failure to connect?
> MSIE is terrible at telling users what is really going on. Get a protocol 
> analyzer if necessary
> (e.g. fiddler, or whatever plug-ins are available for MSIE).

It's fast enough that I cannot see any visible lag.

>> 3. The user can continue using the web-app.
> In the first tab?

Yes.

>> 4. The user closes the web browser and restarts it or logs out from the 
>> web-app,
> and goes to the web-app start page. IE displays the standard "This page can't 
> be displayed" error message.
> So at this point, nobody can connect?

Correct.

>> It’s as though the RPC ("POST /clearcore/ClearCore/CCService HTTP/1.1") 
>> commands are working fine, but the normal page GET is failing.

> After the web application is deployed (launched in Tomcat, before any web 
> browser has tried to connect),
> can you login to the Tomcat manager? It is something that GWT/your 
> application is doing that locks you out
> of the Tomcat manager? Or is the manager actually never available?

The tomcat manager works perfectly before we start using our application. 
Having investigated further, if you have the tomcat manager already open in a 
tab when you start the application in another tab, the manager seems to keep 
running. As long as you don’t open a new tab, it all seems fine.

>> Is it possible to kill the code that processes GET requests without 
>> affecting POST messages?
> No.

That's what I thought.

>> If we configure tomcat to use HTTPS on port 8443, we get the error. If we
>> leave tomcat in the standard HTTP port 8080 settings, everything is fine.
>> We haven't tried having both HTTP and HTTPS configured simultaneously.
> That's certainly odd.

We have now tried both HTTP and HTTPS, and the HTTP connection has no issues, 
even after running our application.

> Is there a working system? I noticed that you have two different Tomcat 
> versions.
> Does one of them work and the other does not? You didn't mention that this 
> was only affecting one system...

The different versions of tomcat all show the same issue. We have this issue on 
two systems, and only two systems. We have not been able to reproduce this on 
any other system we have access to.

Having investigated further, I appear to have provoked tomcat into producing a 
pair of exception backtraces in the log files:

25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-7] 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
 java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at 
org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
at 
org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
at sun.security.ssl.ECDHCrypt.(Unknown Source)
at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker$1.run(Unknown Source)
at sun.security.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at 

Re: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Felix Schumacher


On 25 November 2015 20:24:17 CET, Violeta Georgieva wrote:
>Hi,
>
>2015-11-25 20:42 GMT+02:00 David Balažic :
>>
>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>
>> "TLSv1.0 is no an alias"
>>
>> Should probably be "TLSv1.0 is not an alias"
>
>I fixed it.

I believe it should have been "TLSv1.0 is no(w) an alias ... and will no(t) 
work ..."

Regards, 
Felix

>Thanks,
>Violeta
>
>> Regards,
>> David Balažic
>>
>> > -Original Message-
>> > From: Mark Thomas [mailto:ma...@apache.org]
>> > Sent: 25. November 2015 17:22
>> > To: users@tomcat.apache.org
>> > Cc: d...@tomcat.apache.org; annou...@apache.org;
>> > annou...@tomcat.apache.org
>> > Subject: [ANN] Apache Tomcat 8.0.29 available
>> > Importance: Low
>> >
>> > The Apache Tomcat team announces the immediate availability of
>Apache
>> > Tomcat 8.0.29.
>> >
>> > Apache Tomcat 8 is an open source software implementation of the
>Java
>> > Servlet, JavaServer Pages, Java Unified Expression Language and
>Java
>> > WebSocket technologies.
>> >
>> > Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28
>as
>> > well as other enhancements and changes. The notable changes since
>8.0.28
>> > include:
>> >
>> > - Add an option to control (per context) quoting of EL expressions
>in
>> >   JSP attributes
>> >
>> > - Correct a regression in the fix for 56777 that added support for
>> >   URIs in config file locations
>> >
>> > - Add a new RestCsrfPreventionFilter that provides basic CSRF
>> >   protection for REST APIs
>> >
>> > -  Use instance manager for WebSocket server endpoint instances
>> >
>> >
>> > Please refer to the change log for the complete list of changes:
>> > http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>> >
>> > Downloads:
>> > http://tomcat.apache.org/download-80.cgi
>> >
>> > Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
>> > http://tomcat.apache.org/migration.html
>> >
>> > Enjoy!
>> >
>> > - The Apache Tomcat team
>> >
>> >



[ANNOUNCE] CFP open for ApacheCon North America 2016

2015-11-25 Thread Rich Bowen
Community growth starts by talking with those interested in your
project. ApacheCon North America is coming, are you?

We are delighted to announce that the Call For Presentations (CFP) is
now open for ApacheCon North America. You can submit your proposed
sessions at
http://events.linuxfoundation.org/events/apache-big-data-north-america/program/cfp
for big data talks and
http://events.linuxfoundation.org/events/apachecon-north-america/program/cfp
for all other topics.

ApacheCon North America will be held in Vancouver, Canada, May 9-13th
2016. ApacheCon has been running every year since 2000, and is the place
to build your project communities.

While we will consider individual talks we prefer to see related
sessions that are likely to draw users and community members. When
submitting your talk work with your project community and with related
communities to come up with a full program that will walk attendees
through the basics and on into mastery of your project in example use
cases. Content that introduces what's new in your latest release is also
of particular interest, especially when it builds upon existing well
know application models. The goal should be to showcase your project in
ways that will attract participants and encourage engagement in your
community, Please remember to involve your whole project community (user
and dev lists) when building content. This is your chance to create a
project specific event within the broader ApacheCon conference.

Content at ApacheCon North America will be cross-promoted as
mini-conferences, such as ApacheCon Big Data, and ApacheCon Mobile, so
be sure to indicate which larger category your proposed sessions fit into.

Finally, please plan to attend ApacheCon, even if you're not proposing a
talk. The biggest value of the event is community building, and we count
on you to make it a place where your project community is likely to
congregate, not just for the technical content in sessions, but for
hackathons, project summits, and good old fashioned face-to-face networking.

-- 
rbo...@apache.org
http://apache.org/




Re: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Violeta Georgieva
2015-11-25 21:38 GMT+02:00 Felix Schumacher <
felix.schumac...@internetallee.de>:
>
>
>
> On 25 November 2015 20:24:17 CET, Violeta Georgieva <
miles...@gmail.com> wrote:
> >Hi,
> >
> >2015-11-25 20:42 GMT+02:00 David Balažic :
> >>
> >> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
> >>
> >> "TLSv1.0 is no an alias"
> >>
> >> Should probably be "TLSv1.0 is not an alias"
> >
> >I fixed it.
>
> I believe it should have been "TLSv1.0 is no(w) an alias ... and will
no(t) work ..."

Yep you are right.
I fixed it.

> Regards,
> Felix
>
> >Thanks,
> >Violeta
> >
> >> Regards,
> >> David Balažic
> >>
> >> > -Original Message-
> >> > From: Mark Thomas [mailto:ma...@apache.org]
> >> > Sent: 25. November 2015 17:22
> >> > To: users@tomcat.apache.org
> >> > Cc: d...@tomcat.apache.org; annou...@apache.org;
> >> > annou...@tomcat.apache.org
> >> > Subject: [ANN] Apache Tomcat 8.0.29 available
> >> > Importance: Low
> >> >
> >> > The Apache Tomcat team announces the immediate availability of
> >Apache
> >> > Tomcat 8.0.29.
> >> >
> >> > Apache Tomcat 8 is an open source software implementation of the
> >Java
> >> > Servlet, JavaServer Pages, Java Unified Expression Language and
> >Java
> >> > WebSocket technologies.
> >> >
> >> > Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28
> >as
> >> > well as other enhancements and changes. The notable changes since
> >8.0.28
> >> > include:
> >> >
> >> > - Add an option to control (per context) quoting of EL expressions
> >in
> >> >   JSP attributes
> >> >
> >> > - Correct a regression in the fix for 56777 that added support for
> >> >   URIs in config file locations
> >> >
> >> > - Add a new RestCsrfPreventionFilter that provides basic CSRF
> >> >   protection for REST APIs
> >> >
> >> > -  Use instance manager for WebSocket server endpoint instances
> >> >
> >> >
> >> > Please refer to the change log for the complete list of changes:
> >> > http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
> >> >
> >> > Downloads:
> >> > http://tomcat.apache.org/download-80.cgi
> >> >
> >> > Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
> >> > http://tomcat.apache.org/migration.html
> >> >
> >> > Enjoy!
> >> >
> >> > - The Apache Tomcat team
> >> >
> >> >


Re: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Violeta Georgieva
Hi,

2015-11-25 20:42 GMT+02:00 David Balažic :
>
> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>
> "TLSv1.0 is no an alias"
>
> Should probably be "TLSv1.0 is not an alias"

I fixed it.
Thanks,
Violeta

> Regards,
> David Balažic
>
> > -Original Message-
> > From: Mark Thomas [mailto:ma...@apache.org]
> > Sent: 25. November 2015 17:22
> > To: users@tomcat.apache.org
> > Cc: d...@tomcat.apache.org; annou...@apache.org;
> > annou...@tomcat.apache.org
> > Subject: [ANN] Apache Tomcat 8.0.29 available
> > Importance: Low
> >
> > The Apache Tomcat team announces the immediate availability of Apache
> > Tomcat 8.0.29.
> >
> > Apache Tomcat 8 is an open source software implementation of the Java
> > Servlet, JavaServer Pages, Java Unified Expression Language and Java
> > WebSocket technologies.
> >
> > Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as
> > well as other enhancements and changes. The notable changes since 8.0.28
> > include:
> >
> > - Add an option to control (per context) quoting of EL expressions in
> >   JSP attributes
> >
> > - Correct a regression in the fix for 56777 that added support for
> >   URIs in config file locations
> >
> > - Add a new RestCsrfPreventionFilter that provides basic CSRF
> >   protection for REST APIs
> >
> > -  Use instance manager for WebSocket server endpoint instances
> >
> >
> > Please refer to the change log for the complete list of changes:
> > http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
> >
> > Downloads:
> > http://tomcat.apache.org/download-80.cgi
> >
> > Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
> > http://tomcat.apache.org/migration.html
> >
> > Enjoy!
> >
> > - The Apache Tomcat team
> >


RE: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread David Balažic
Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

"TLSv1.0 is no an alias"

Should probably be "TLSv1.0 is not an alias"

Regards,
David Balažic

> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: 25. November 2015 17:22
> To: users@tomcat.apache.org
> Cc: d...@tomcat.apache.org; annou...@apache.org;
> annou...@tomcat.apache.org
> Subject: [ANN] Apache Tomcat 8.0.29 available
> Importance: Low
> 
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 8.0.29.
> 
> Apache Tomcat 8 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language and Java
> WebSocket technologies.
> 
> Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as
> well as other enhancements and changes. The notable changes since 8.0.28
> include:
> 
> - Add an option to control (per context) quoting of EL expressions in
>   JSP attributes
> 
> - Correct a regression in the fix for 56777 that added support for
>   URIs in config file locations
> 
> - Add a new RestCsrfPreventionFilter that provides basic CSRF
>   protection for REST APIs
> 
> -  Use instance manager for WebSocket server endpoint instances
> 
> 
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
> 
> Downloads:
> http://tomcat.apache.org/download-80.cgi
> 
> Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
> http://tomcat.apache.org/migration.html
> 
> Enjoy!
> 
> - The Apache Tomcat team
> 



Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender

2015-11-25 Thread Joleen Barker
I didn't get too far. For the option b and setting the swallowOutput=true
in right place I need to get some clarification.

I was looking up more information about the swallowOutput parm so I
understood more. In Christopher's comments he spoke about updating the
context xml. This is where I am confused. When I think of the word
"context" it has always referring to the vendors web page to log in with
and the context set is "cfcc". There is a file named cfcc.xml in the
/server/conf/Catalina/localhost directory. Then there is
the actual context.xml file located in the /server/conf
directory. I am not sure which one I would put the swallowOutput parm in.
Maybe it would be both.

The only items in the context.xml file that are not commented out are the
following settings and it's a pretty small file:


WEB-INF/web.xml
${catalina.base}/conf/web.xml
...
...

...
...



The cfcc.xml file that I have has the following:










Thank you.

-Joleen


On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker 
wrote:

> Thank you for some direction.
>
> I'll go ahead and put back the logging as it was from the vendor using the
> logging.properties file, etc. etc. so as to minimize their lack of support
> due to me changing a lot in their product.
>
> Then I'll go on to try option b.
>
> I'll report back with how it goes.
>
> -Joleen
> Joleen,
>
> On 11/24/15 4:31 PM, Joleen Barker wrote:
> > I have setup the logrotate using cron in the past and it was very
> > successful on the Linux boxes but I could not find an equivalent setup
> for
> > AIX. Things seem so much easier on Linux. The company wants a universal
> > approach so that left that option out.
>
> Only some things are easier on Linux.
>
> This may help:
> http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796
>
> > I did see the section you copied in from the catalina.sh file but couldn't
> > make much out from it so I left it alone.
> >
> > I like the sound of option b. I know where the context xml file is.
> (Under
> > the Catalina/localhost/.xml) I'm not sure if this is what you
> mean
> > by descriptor.
>
> Yup, that's the one. Just add the swallowOutput setting and restart the
> web application. (Or restart Tomcat if that's easier for you.)
>
> > If I did this would I leave the log4j config changes that I
> > have in place that already?
>
> No, you wouldn't have to use log4j at all. JULI can do log-rotation as
> well, though the options aren't as nice as log4j. Log4j is a really
> great logging system, actually.
>
> -chris
>


Re: Question related to Session management in Tomcat !

2015-11-25 Thread Christopher Schultz
Utkarsh,

On 11/25/15 6:29 AM, Utkarsh Dave wrote:
> Thank You Mark
> 
> On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas  wrote:
> 
>> On 25/11/2015 10:50, Utkarsh Dave wrote:
>>> Hello,
>>>
>>> I need inputs/answers on below points to implement a secure session
>>> management application
>>> Or if there is there any configuration that may need to be tuned to
>> improve
>>> below please point me to that
>>> A)
>>> Are Session IDs cryptographically strong and do not reveal sensitive
>>> information so that they can't be guessed easily or used to find attack
>>> vectors.
>>> Does we meet below
>>> 1. Does Strong entropy sources being used to generate the session ID
>> value
>>
>> Yes, it uses java.security.SecureRandom by default.
>>
>>> 2. Does Strong cryptographic algorithms being used to generate the
>> session
>>> ID value
>>
>> Yes, SHA1PRNG by default.
>>
>>> 3. Does the session ID value provides at least 128 bits of entropy.
>>
>> Yes, the session ID is 16 bytes / 128 bits long by default.
>>
>>> 4. Is the session ID value meaningless to prevent information disclosure
>>> attacks, allowing recovery of the contents of the ID and extract details
>> of
>>> the user, the session, or the inner workings of the web application.
>>
>> Yes.
>>
>>> B)
>>> Are the Session IDs fully validated before they may be used.
>>> When using session ID to keep authentication state and track user
>> progress
>>> within a web application, the application MUST treat the session ID as
>>> untrusted data,
>>> and sanitize and validate it before use.
>>
>> Yes.
>>
>> As with most things in Tomcat, configuration provides a lot of control
>> over session ID generation but the default settings meet the
>> requirements you set out above.
>>
>> Mark

Good luck on your checkbox-based security audit!

-chris




Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender

2015-11-25 Thread Joleen Barker
Thank you for some direction.

I'll go ahead and put back the logging as it was from the vendor using the
logging.properties file, etc. etc. so as to minimize their lack of support
due to me changing a lot in their product.

Then I'll go on to try option b.

I'll report back with how it goes.

-Joleen
Joleen,

On 11/24/15 4:31 PM, Joleen Barker wrote:
> I have setup the logrotate using cron in the past and it was very
> successful on the Linux boxes but I could not find an equivalent setup for
> AIX. Things seem so much easier on Linux. The company wants a universal
> approach so that left that option out.

Only some things are easier on Linux.

This may help:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796

> I did see the section you copied in from the catalina.sh file but couldn't
> make much out from it so I left it alone.
>
> I like the sound of option b. I know where the context xml file is. (Under
> the Catalina/localhost/.xml) I'm not sure if this is what you mean
> by descriptor.

Yup, that's the one. Just add the swallowOutput setting and restart the
web application. (Or restart Tomcat if that's easier for you.)

> If I did this would I leave the log4j config changes that I
> have in place that already?

No, you wouldn't have to use log4j at all. JULI can do log-rotation as
well, though the options aren't as nice as log4j. Log4j is a really
great logging system, actually.

-chris



Re: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Violeta Georgieva
Chris,

2015-11-26 2:52 GMT+02:00 Christopher Schultz :
>
> Violeta,
>
> On 11/25/15 3:00 PM, Violeta Georgieva wrote:
> > 2015-11-25 21:38 GMT+02:00 Felix Schumacher <
> > felix.schumac...@internetallee.de>:
> >>
> >>
> >>
> >> On 25 November 2015 20:24:17 CET, Violeta Georgieva <
> > miles...@gmail.com> wrote:
> >>> Hi,
> >>>
> >>> 2015-11-25 20:42 GMT+02:00 David Balažic :
> >>>>
> >>>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
> >>>>
> >>>> "TLSv1.0 is no an alias"
> >>>>
> >>>> Should probably be "TLSv1.0 is not an alias"
> >>>
> >>> I fixed it.
> >>
> >> I believe it should have been "TLSv1.0 is no(w) an alias ... and will
> > no(t) work ..."
> >
> > Yep you are right.
> > I fixed it.
>
> Also, I'm fairly sure:
>
> > Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL
> > changes. In particular, TLSv1.0 is no an alias for those ciphers that
> > require TLSv1 and will no work with SDSLv3.
>
> s/SDSLv3/SSLv3/

I fixed that with the first commit. Do I miss something?

Thanks,
Vily

> -chris
>


Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread Martijn Bos
Mark,

On 2015-11-24 23:11:34, Mark Thomas wrote:
> All,
> 
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> now available on the Apache Tomcat YouTube channel:
> 
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
> 
> Mark
> 

I think I'm gonna like these series.
For now I just quickly scanned through the video, but I will definitely watch 
the whole video soon.

Thanks for your efforts...keep 'm coming.

-- 
Kind regards,

Martijn Bos
+31 6 39477001

(Public pgp-key : http://maboc.nl/pubkey.maboc.asc)




Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread Rémy Maucherat
2015-11-25 12:06 GMT+01:00 Johan Compagner :

> thx,
>
> one question i have, is server push always code?
> because for me it is
> if this js file is hit (served by the default servlet of tomcat i guess).
> also send in this set..
>
> So its kind of a configuration, or should i just use a filter for that?
>

It is code only, so you should use a filter for your use case. There may
be configuration for this eventually, but the most likely is that this
config is delegated to frameworks, which will then use the code.

Rémy


Re: Question related to Session management in Tomcat !

2015-11-25 Thread Mark Thomas
On 25/11/2015 10:50, Utkarsh Dave wrote:
> Hello,
> 
> I need inputs/answers on below points to implement a secure session
> management application
> Or if there is there any configuration that may need to be tuned to improve
> below please point me to that
> A)
> Are Session IDs cryptographically strong and do not reveal sensitive
> information so that they can't be guessed easily or used to find attack
> vectors.
> Does we meet below
> 1. Does Strong entropy sources being used to generate the session ID value

Yes, it uses java.security.SecureRandom by default.

> 2. Does Strong cryptographic algorithms being used to generate the session
> ID value

Yes, SHA1PRNG by default.

> 3. Does the session ID value provides at least 128 bits of entropy.

Yes, the session ID is 16 bytes / 128 bits long by default.

> 4. Is the session ID value meaningless to prevent information disclosure
> attacks, allowing recovery of the contents of the ID and extract details of
> the user, the session, or the inner workings of the web application.

Yes.

> B)
> Are the Session IDs fully validated before they may be used.
> When using session ID to keep authentication state and track user progress
> within a web application, the application MUST treat the session ID as
> untrusted data,
> and sanitize and validate it before use.

Yes.

As with most things in Tomcat, configuration provides a lot of control
over session ID generation but the default settings meet the
requirements you set out above.

Mark
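
The properties confirmed in the reply above (java.security.SecureRandom, SHA1PRNG, 16 bytes), together with the requirement that a client-supplied session ID be validated as untrusted input, shown as an added Java sketch. It is not Tomcat's source and not part of the original thread; the class and method names, the hex rendering and the in-memory session map are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Added illustration, not Tomcat code. All names here are hypothetical.
class SessionIdSketch {
    // Stated in the reply: SHA1PRNG through java.security.SecureRandom, 16 bytes.
    static final String PRNG_ALGORITHM = "SHA1PRNG";
    static final int ID_BYTES = 16;
    // Assumption of this sketch: IDs are rendered as upper-case hex,
    // so a well-formed ID is exactly 32 characters from [0-9A-F].
    static final Pattern WELL_FORMED =
            Pattern.compile("[0-9A-F]{" + (ID_BYTES * 2) + "}");

    private final SecureRandom random;
    // Server-side state: the ID is only an opaque key into this map,
    // so nothing about the user can be recovered from the ID itself.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    SessionIdSketch() {
        SecureRandom r;
        try {
            r = SecureRandom.getInstance(PRNG_ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            r = new SecureRandom(); // fall back to the platform default
        }
        random = r;
    }

    // Draw 16 random bytes (128 bits) and render them as hex.
    String newId() {
        byte[] raw = new byte[ID_BYTES];
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder(ID_BYTES * 2);
        for (byte b : raw) {
            hex.append(String.format("%02X", b & 0xff));
        }
        return hex.toString();
    }

    // The server always chooses the ID; a client never supplies one to adopt.
    String createSession(String user) {
        String id = newId();
        sessions.put(id, user);
        return id;
    }

    // Treat the presented ID as untrusted: check its shape first, then look
    // it up. Malformed and unknown IDs both yield null, and no session is
    // ever created under a value the client sent.
    String resolve(String presentedId) {
        if (presentedId == null || !WELL_FORMED.matcher(presentedId).matches()) {
            return null;
        }
        return sessions.get(presentedId);
    }

    public static void main(String[] args) {
        SessionIdSketch store = new SessionIdSketch();
        String issued = store.createSession("alice"); // constructed sample user

        // Constructed sample inputs: the issued ID, a well-formed but unknown
        // ID, a truncated ID, and a value containing characters outside hex.
        String[] presented = {
            issued,
            "00000000000000000000000000000000",
            issued.substring(0, 16),
            issued.substring(0, 30) + "<>",
        };
        for (String candidate : presented) {
            String user = store.resolve(candidate);
            System.out.println(candidate.length() + " chars -> "
                    + (user == null ? "rejected" : "session of " + user));
        }
    }
}
```

Only the first presented value resolves to a session; the other three are rejected without touching or creating any session state.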





Question related to Session management in Tomcat !

2015-11-25 Thread Utkarsh Dave
Hello,

I need inputs/answers on below points to implement a secure session
management application
Or if there is there any configuration that may need to be tuned to improve
below please point me to that
A)
Are Session IDs cryptographically strong and do not reveal sensitive
information so that they can't be guessed easily or used to find attack
vectors.
Does we meet below
1. Does Strong entropy sources being used to generate the session ID value
2. Does Strong cryptographic algorithms being used to generate the session
ID value
3. Does the session ID value provides at least 128 bits of entropy.
4. Is the session ID value meaningless to prevent information disclosure
attacks, allowing recovery of the contents of the ID and extract details of
the user, the session, or the inner workings of the web application.

B)
Are the Session IDs fully validated before they may be used.
When using session ID to keep authentication state and track user progress
within a web application, the application MUST treat the session ID as
untrusted data,
and sanitize and validate it before use.

Thanks a lot for your time.

Utkarsh Dave


Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread Johan Compagner
thx,

one question I have: is server push always code?
because for me it is
if this js file is hit (served by the default servlet of tomcat I guess).
also send in this set..

So it's kind of a configuration, or should I just use a filter for that?


On 25 November 2015 at 00:11, Mark Thomas  wrote:

> All,
>
> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
> now available on the Apache Tomcat YouTube channel:
>
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>
> Mark
>


-- 
Johan Compagner
Servoy


Re: Today's Tomcat 9 HTTP/2 webinar is now available on YouTube

2015-11-25 Thread Mark Thomas
On 25/11/2015 11:06, Johan Compagner wrote:
> thx,
> 
> one question i have, is server push always code?

At the moment, yes.

> because for me it is
> if this js file is hit (served by the default servlet of tomcat i guess).
> also send in this set..
> 
> So its kind of a configuration, or should i just use a filter for that?

A Filter would work for now.

Anything else would require the default servlet to parse the static
content to look for whatever marker is used to indicate additional
resources to push. I'm not sure that is a good solution.

Mark


> 
> 
> On 25 November 2015 at 00:11, Mark Thomas  wrote:
> 
>> All,
>>
>> As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
>> now available on the Apache Tomcat YouTube channel:
>>
>> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>>
>> Mark
>>
> 
> 





Re: Question related to Session management in Tomcat !

2015-11-25 Thread Utkarsh Dave
Thank You Mark

On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas  wrote:

> On 25/11/2015 10:50, Utkarsh Dave wrote:
> > Hello,
> >
> > I need inputs/answers on below points to implement a secure session
> > management application
> > Or if there is there any configuration that may need to be tuned to
> improve
> > below please point me to that
> > A)
> > Are Session IDs cryptographically strong and do not reveal sensitive
> > information so that they can't be guessed easily or used to find attack
> > vectors.
> > Does we meet below
> > 1. Does Strong entropy sources being used to generate the session ID
> value
>
> Yes, it uses java.security.SecureRandom by default.
>
> > 2. Does Strong cryptographic algorithms being used to generate the
> session
> > ID value
>
> Yes, SHA1PRNG by default.
>
> > 3. Does the session ID value provides at least 128 bits of entropy.
>
> Yes, the session ID is 16 bytes / 128 bits long by default.
>
> > 4. Is the session ID value meaningless to prevent information disclosure
> > attacks, allowing recovery of the contents of the ID and extract details
> of
> > the user, the session, or the inner workings of the web application.
>
> Yes.
>
> > B)
> > Are the Session IDs fully validated before they may be used.
> > When using session ID to keep authentication state and track user
> progress
> > within a web application, the application MUST treat the session ID as
> > untrusted data,
> > and sanitize and validate it before use.
>
> Yes.
>
> As with most things in Tomcat, configuration provides a lot of control
> over session ID generation but the default settings meet the
> requirements you set out above.
>
> Mark
>
>


Re: Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender

2015-11-25 Thread Joleen Barker
Alas, no luck. This is what I found in my directory:

-rw-r--r--.  root  root  30694 Nov 25 22:49 catalina
-rw-r--r--.  root  root 0 Nov 25 22:49 catalina.out
-rw-r--r--.  root  root 0 Nov 25 22:49  host-manager
-rw-r--r--.  root  root  31909 Nov 25 22:49  localhost
-rw-r--r--.  root  root 0 Nov 25 22:49  localhost_access_log.2015-11-25.txt
-rw-r--r--.  root  root 0 Nov 25 22:49  manager
[root@centos7sys1 logs]# date
Thu Nov 26 00:07:25 EST 2015



On Wed, Nov 25, 2015 at 7:22 PM, Joleen Barker 
wrote:

> I changed it back to use the log4j setting as I liked it better and the
> boss wants the files to rollover at midnight each night. Now when I startup
> the catalina.out file is empty and the logs appear to be split between the
> catalina file (not catalina.out) and the localhost file. Some of the
> messages are doubled between the two files.
>
>
> We will see what happens now with the swallowOutput=true. I'm so excited
> to see what is there tomorrow morning. lol
>
> -Joleen
>
> On Wed, Nov 25, 2015 at 6:59 PM, Joleen Barker 
> wrote:
>
>> Sorry. I all of a sudden noticed the swallowOutput="false" in the
>> cfcc.xml I had. I changed this to be true and now it appears most of the
>> messages are being written to the localhost file. I don't see any messages
>> missing. I will leave it run over night and see what happens and report
>> tomorrow.
>>
>> -Joleen
>>
>> On Wed, Nov 25, 2015 at 3:50 PM, Joleen Barker 
>> wrote:
>>
>>> I didn't get too far. For the option b and setting the
>>> swallowOutput=true in right place I need to get some clarification.
>>>
>>> I was looking up more information about the swallowOutput parm so I
>>> understood more. In Christopher's comments he spoke about updating the
>>> context xml. This is where I am confused. When I think of the word
>>> "context" it has always referred to the vendor's web page to log in with
>>> and the context set is "cfcc". There is a file named cfcc.xml in the
>>> /server/conf/Catalina/localhost directory. Then there is
>>> the actual context.xml file located in the /server/conf
>>> directory. I am not sure which one I would put the swallowOutput parm in.
>>> Maybe it would be both.
>>>
>>> The only items in the context.xml file that are not commented out are
>>> the following settings and it's a pretty small file:
>>>
>>> 
>>> WEB-INF/web.xml
>>> ${catalina.base}/conf/web.xml
>>> ...
>>> ...
>>> 
>>> ...
>>> ...
>>> >> classname="org.apache.catalina.valves.CometConnectionManagerValve" />
>>> 
>>>
>>> The cfcc.xml file that I have has the following:
>>>
>>> 
>>> >> charsetMapperClass="org.apache.catalina.util.CharsetMapper"
>>> className="org.apache.catalina.core.StandardContext" cookies="true"
>>> crossContext="false" debug="0" displayName="Secure Internet File Transfer
>>> Web Services" docBase="/opt/mftcc730/server/webapps/cfcc"
>>> mapperClass="org.apache.catalina.core.StandardContextMapper" path="/cfcc"
>>> privileged="false" reloadable="false" swallowOutput="false"
>>> useHttpOnly="false" useNaming="true"
>>> wrapperClass="org.apache.catalina.core.StandardWrapper">
>>> 
>>> 
>>> >> directory="/opt/mftcc730/server/logs" prefix="localhost_cfcc_"
>>> suffix=".txt" timestamp="true" verbosity="2"/>
>>> >> connectionName="cfcc" connectionPassword="TgPGKAy//0gDOq2Co5UnM2AE8pM="
>>> connectionURL="jdbc:mysql://
>>> 192.168.1.7:3306/mft730?characterEncoding=UTF8" debug="0" digest="SHA"
>>> driverName="com.mysql.jdbc.Driver" roleNameCol="RoleID"
>>> userCredCol="Passwd" userNameCol="UserID" userRoleTable="UsersMap"
>>> userTable="Users" validate="true"/>
>>> >> type="javax.sql.DataSource"/>
>>> 
>>>
>>> Thank you.
>>>
>>> -Joleen
>>>
>>>
>>> On Wed, Nov 25, 2015 at 10:16 AM, Joleen Barker >> > wrote:
>>>
 Thank you for some direction.

 I'll go ahead and put back the logging as it was from the vendor using
 the logging.properties file, etc. etc. so as to minimize their lack of
 support due to me changing a lot in their product.

 Then I'll go on to try option b.

 I'll report back with how it goes.

 -Joleen
 Joleen,

 On 11/24/15 4:31 PM, Joleen Barker wrote:
 > I have setup the logrotate using cron in the past and it was very
 > successful on the Linux boxes but I could not find an equivalent
 setup for
 > AIX. Things seem so much easier on Linux. The company wants a
 universal
 > approach so that left that option out.

 Only some things are easier on Linux.

 This may help:
 http://www-01.ibm.com/support/docview.wss?uid=isg3T1012796

 > I did see the section you copied in from the catalina.sh file but
 couldn't
 > make much out from it so I left it alone.
 >
 > I like the sound of option b. I know where the context xml file is.
 (Under
 > the Catalina/localhost/.xml) I'm not sure if this is