Re: Zero downtime deployments

2015-12-03 Thread Neill Lima
Hello Jason,

This approach of using httpd in front of 2+ Tomcats via AJP works well in
my company. There is a bit of config necessary at httpd level so httpd is
aware of all the Tomcats and also Tomcat config needs to be set to listen
to AJP port instead of default port but it is not rocket science.

This facilitates the deployment of nodes sequentially with no downtime. Of
course, there is a shared session server to take care that the sessions are
not lost when Tomcats flip up and down.

Reply in pvt if you need help setting this up.

Thanks,

Neill

On Thu, Dec 3, 2015 at 12:08 AM, Jason Britton wrote:

> Thank you Christopher, reading now and we'll see if I can swing the
> conference :)
>
> On Wed, Dec 2, 2015 at 4:00 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Jason,
> >
> > On 12/2/15 4:07 PM, Jason Britton wrote:
> > > I was looking for information for how those on the list achieve zero
> > > downtime deployments of their tomcat hosted web applications.  I
> > > imagine this can be achieved in a variety of ways, but would love to
> > > hear what works for you.  In our current environment we front multiple
> > > tomcat instances with apache httpd, each tomcat instance hosting one or
> > > more unique web apps.  In order to support this effort we do have the
> > > resources where we could spin up multiple tomcat instances to serve
> > > requests for a single application.  I know there is mod_proxy_balancer
> > > available for httpd, and I understand starting with tomcat 7 there is
> > > support for parallel deployment of versioned wars, and tomcat also
> > > supports clustering.  I'm just unsure of what approach I should start
> > > digging into and would very much appreciate any of your experiences.
> > > The servers we'll be rolling out will be using the latest versions of
> > > tomcat 8 and apache httpd 2.4.  Thanks for any insights!
> >
> > Check this out:
> >
> >
> http://people.apache.org/~schultz/ApacheCon%20NA%202015/Load-balancing%20Tomcat%20with%20mod_jk.pdf
> >
> > Start on slide/page 41.
> >
> > Then come to ApacheCon NA 2016 and discuss it!
> >
> > -chris
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>


Re: Understanding how to controlling what data is written to log4j appenders

2015-12-03 Thread Joleen Barker
Konstantin,

The information you gave me for the additivity was PERFECT! It did exactly
what I was looking for. This also really allowed me to understand what
processes were writing to which log. I have the settings in place in my
test environment now and if all goes well the changes will be added in the
production environment soon.

Thank you.

On Thu, Dec 3, 2015 at 9:42 PM, Joleen Barker wrote:

> Hello Konstantin,
>
> Thank you for pointing out the typo. The line is actually correct in my
> log4j.properties file and the typo happened when I typed the line in for my
> settings.
>
> I don't know what additivity flag is so I will take a look.
>
> I'll let you know how it goes.
>
> -Joleen
>
> On Thu, Dec 3, 2015 at 7:53 PM, Konstantin Kolinko wrote:
>
>> 2015-12-04 2:05 GMT+03:00 Joleen Barker:
>> > I want to have more control over what data is written to the various
>> > appenders in the log4j.properties files. I have played around with the
>> > various configurations in the log4j.properties file but I am not
>> > understanding how they are working in order to grasp how to have more
>> > control. I don't know if it would be a matter of turning off the INFO
>> > setting for the log4j.rootLogger and somehow setting individual logging
>> > for each appender.
>> >
>> > Below is my environment details:
>> > 1) The tomcat version that is running is v8.0.26.0
>> > 2) The OS is a Centos v7 UNIX VM
>> > 3) Java JDK I have installed that Tomcat is using is 1.8.0_60
>> > 4) Due to the catalina.out file growing too large with the default
>> > juli.AsyncFileHandler using the logging.properties file that was found
>> > in the $CATALINA_HOME/conf directory. I changed the settings on a
>> > vendors software to use the log4j logging instead. (So this is NOT my
>> > web application or product written by me.)
>>
>> None of AsyncFileHandler is responsible for catalina.out.
>>
>> The catalina.out file consumes output of ConsoleHandler.
>>
>> >
>> > log4j;logger.org.apache.catalina.core,ContainerBase.[Catalina].[localhost].[/cfcc]=INFO, CFCC
>> >
>>
>> The above line has a typo. s/;/./ after "log4j"
>>
>> > <...>
>>
>>
>> You need to set "additivity" flag for non-root loggers to false.
>> I have not tested, but I think it will be like this:
>>
>>
>>
>> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cfcc]=false
>>
>> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=false
>>
>> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]=false
>>
>> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager]=false
>>
>>
>>
>> Documentation for Log4j 1.x:
>> [1] http://logging.apache.org/log4j/1.2/
>>
>> Guide:
>> [2] http://logging.apache.org/log4j/1.2/manual.html
>>
>> Syntax of log4j.properties file:
>> [3]
>> http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PropertyConfigurator.html#doConfigure%28java.lang.String,%20org.apache.log4j.spi.LoggerRepository%29
>>
>> Best regards,
>> Konstantin Kolinko
>>
>


Re: Tomcat log files - Strict permissions - setuid

2015-12-03 Thread Mark H. Wood
On Thu, Dec 03, 2015 at 10:42:40AM -0300, Andres Riancho wrote:
> List,
> 
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
> 
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw  1 tomcat tomcat0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt

One fancier approach would be to configure a log sink which passes
records to another process through a socket -- syslog, for example.
There are syslog Handler implementations for java.util.logging, or you
could cook up a custom log recorder to receive from the stock
j.u.l.SocketHandler, or you could configure Tomcat to use
slf4j/logback and its syslog appender.  This will not be simple but it
will be quite adaptable.  You should probably look at simpler methods
first.

> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid() , but was unable to find
> something already built / well documented.

That is what the Commons Daemon tool (jsvc) is for.  That should be a
lot simpler.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: Tomcat log files - Strict permissions - setuid

2015-12-03 Thread Christopher Schultz
Andres,

On 12/3/15 8:42 AM, Andres Riancho wrote:
> List,
> 
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
> 
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw  1 tomcat tomcat0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt
> 
> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid() , but was unable to find
> something already built / well documented.

How do you launch Tomcat? If you use the scripts, you could use
something like bin/setenv.sh to check the permissions of the log files
and refuse to start if they aren't the way you want them.

For files that don't already exist, you'll have to refuse to start if
they don't exist, because a process can't create a new file owned by
another user. You'd have to disable file-rotation because of the same
problem.

Are you more worried about a hostile web application running within your
server, a hostile remote user, a vulnerability in a web application, or
a vulnerability in Tomcat?

-chris
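
Added example (not part of Christopher's message and not from Tomcat's scripts): one way to write the pre-start check he describes, as shell functions that bin/setenv.sh could call before Tomcat starts. The function names and the access_log.txt file name are hypothetical, and GNU coreutils stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat: pre-start check of
# access-log ownership and mode. Function names are hypothetical; assumes
# GNU coreutils stat (stat -c), as found on Linux.

# check_log_file FILE OWNER MODE
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# OWNER, and has exactly the octal permission bits MODE (for example 600).
check_log_file() {
    _clf_file=$1 _clf_owner=$2 _clf_mode=$3
    # A symlink could redirect the log writer to another file, so reject it.
    if [ -L "$_clf_file" ] || [ ! -f "$_clf_file" ]; then
        echo "log check: $_clf_file is missing or not a regular file" >&2
        return 1
    fi
    # %U = owner name, %a = permission bits in octal.
    _clf_have=$(stat -c '%U %a' "$_clf_file") || return 1
    if [ "$_clf_have" != "$_clf_owner $_clf_mode" ]; then
        echo "log check: $_clf_file is '$_clf_have', want '$_clf_owner $_clf_mode'" >&2
        return 1
    fi
    return 0
}

# require_log_files OWNER MODE FILE...
# Checks every named file and reports all problems before failing.
# A file that does not exist yet counts as a failure, because the
# unprivileged process could only create it under its own ownership.
require_log_files() {
    _rlf_owner=$1 _rlf_mode=$2
    shift 2
    if [ "$#" -eq 0 ]; then
        echo "log check: no log files named" >&2
        return 1
    fi
    _rlf_rc=0
    for _rlf_f in "$@"; do
        check_log_file "$_rlf_f" "$_rlf_owner" "$_rlf_mode" || _rlf_rc=1
    done
    return "$_rlf_rc"
}

# In bin/setenv.sh, with rotation disabled so the file name is fixed
# (access_log.txt is a placeholder name):
#   require_log_files root 600 "$CATALINA_BASE/logs/access_log.txt" || exit 1
```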




Tomcat log files - Strict permissions - setuid

2015-12-03 Thread Andres Riancho
List,

I'm trying to secure my tomcat instances. One of the steps I took
was to run the tomcat process using the non-privileged "tomcat" user,
and set the file system permissions as restrictive as possible. It all
works well, but there is something missing: "The tomcat user is able
to read the access log files":

root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
...
-rw-rw  1 tomcat tomcat0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt

Is there any way to configure tomcat to be able to write to the
access log file, but have the file owned by root with permissions 600?
I understand that this is done by starting the tomcat process as root
and then dropping privileges using setuid() , but was unable to find
something already built / well documented.

Ideas?

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3




Re: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

2015-12-03 Thread Mark Thomas
On 03/12/2015 15:27, Bill Wolosek wrote:
> We have also tried different combinations of Java and Tomcat:
> * Tomcat 7/Java 7 = Works
> * Tomcat 7/Java 8 = Works
> * Tomcat 8/Java 7 = Doesn't Work
> * Tomcat 8/Java 8 = Doesn't Work

Assuming Tomcat 7 == 7.0.39 and Tomcat 8 == 8.0.28 the above list is
somewhat misleading.

> This leads us to think that the issue is with Tomcat 8.

That conclusion is not supported by the evidence. 7.0.39 is over 2.5
years older than 8.0.28. What is far more likely is that you have been
affected by one of the many fixes in that 2.5 year period that has been
applied to both 7.0.x and 8.0.x.

> Either something was changed in Tomcat 8 and we now need to set some
> new timeout/payload settings or Tomcat 8 has a bug related to this
> specific problem.

See my previous comment.

> We have tried setting some of the Tomcat connector settings like
> maxPostSize="-1", connectionTimeout="-1",
> disableUploadTimeout="true", connectionUploadTimeout="-1",
> keepAliveTimeout="-1" but none of these worked and honestly feel like
> a shot in the dark without knowing what is going on server side.

The 2MB limit should have been a broad hint.

The stack trace on the client side could have been clearer but it is
telling you that the server has dropped the connection.

Those two together plus a review of the changelog should have pointed
you towards the maxSwallowSize of the HTTP connector.

You could have reduced the amount of changelog to review by testing
different Tomcat 7.0.x versions which should have pointed you towards
7.0.55 making the 2MB hint more obvious.

> We have tried updating the Metro jars server side to the most recent
> release (jaxws-ri-2.2.10) as well as running the client using Java 8.
> Unfortunately none of these worked. Any help would be greatly
> appreciated.

maxSwallowSize=-1 is the quick test to see if this is the issue. After
that, you need to adjust it as appropriate for your environment since
this was added to address CVE-2014-0230.

Mark
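
Added example (not part of Mark's message and not from Tomcat): a follow-up check for the advice above, listing maxSwallowSize for each active HTTP connector in a server.xml and failing if a connector is still set to the unlimited value used for the quick test. The function names and the sample server.xml are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat: report maxSwallowSize
# for every active HTTP <Connector> in a server.xml. Function names are
# hypothetical. Only double-quoted attribute values without ">" are handled.

# audit_max_swallow FILE        (FILE may be - to read standard input)
# Prints "port value verdict" per connector. Exit status is 1 if any
# connector has a negative (unlimited) maxSwallowSize, otherwise 0.
audit_max_swallow() {
    awk '
    # Return the value of attribute NAME in TAG, or "" if it is absent.
    function attr(tag, name,    m) {
        if (!match(tag, "[ \t]" name "[ \t]*=[ \t]*\"[^\"]*\"")) return ""
        m = substr(tag, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m)
        sub(/"$/, "", m)
        return m
    }
    { doc = doc $0 " " }              # join lines: tags may span several
    END {
        # Drop XML comments so commented-out connectors are not reported.
        while ((s = index(doc, "<!--")) > 0) {
            rest = substr(doc, s + 4)
            e = index(rest, "-->")
            if (e == 0) { doc = substr(doc, 1, s - 1); break }
            doc = substr(doc, 1, s - 1) " " substr(rest, e + 3)
        }
        while ((s = index(doc, "<Connector")) > 0) {
            doc = substr(doc, s)
            e = index(doc, ">")
            if (e == 0) break
            tag = substr(doc, 1, e)
            doc = substr(doc, e + 1)
            # maxSwallowSize is an HTTP connector setting; skip AJP.
            if (attr(tag, "protocol") ~ /AJP/) continue
            port = attr(tag, "port")
            if (port == "") port = "?"
            val = attr(tag, "maxSwallowSize")
            if (val == "") {
                val = "-"; verdict = "default"     # built-in limit applies
            } else if (val + 0 < 0) {
                verdict = "UNLIMITED"; bad = 1     # quick-test value left in
            } else {
                verdict = "bounded"
            }
            print port, val, verdict
        }
        exit bad + 0
    }
    ' "$1"
}

# Constructed sample input, not taken from any real deployment.
sample_server_xml() {
    cat <<'EOF'
<Server>
  <Service name="Catalina">
    <!-- <Connector port="8443" maxSwallowSize="-1" /> -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxSwallowSize="-1" />
    <Connector port="8081" protocol="HTTP/1.1" maxSwallowSize="8388608" />
    <Connector port="8082" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# Example: sample_server_xml | audit_max_swallow -
```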




RE: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

2015-12-03 Thread Bill Wolosek
Hi Chris,

Thank you very much for your help.  It appears that maxSwallowSize in the 
 configuration has fixed the issue.  Your help is greatly 
appreciated.  

Thank you,
Bill

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, December 3, 2015 9:49 AM
To: Tomcat Users List
Subject: Re: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: 
java.io.IOException: Error writing to server

Bill,

On 12/3/15 10:27 AM, Bill Wolosek wrote:
> We have recently updated the tech stack of a JAX-WS webservice running 
> on JRE 1.7.0_17/Tomcat7.0.39 to JRE 1.8.0_66/Tomcat 8.0.28.
> The web app runs on Windows Server 2012. The web service uses a Metro 
> implementation for JAX-WS. The clients run on various windows versions 
> using JRE 7 and the JAX-WS client API built into the JRE.
> The webservice is used to upload files from the client machines to the 
> webservice which saves them in a document management system. The 
> implementation worked pretty much flawlessly under Java 7/Tomcat 7 but 
> we have run into a problem with larger payloads (2MB or larger) 
> running under Java 8/Tomcat 8 server side. The stack trace from the 
> client is:
>
> 12/02/2015 14:12:38.699 [AWT-EventQueue-0] ERROR  
> DocumentImporterMainWindow$SwingAction.importDocument: Unexpected 
> Problem trying to call the CustomerOrderDMService
> javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

RE: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

2015-12-03 Thread Bill Wolosek
Hi Mark,

Your point of assuming Tomcat 7.0.39 = Tomcat 7 and Tomcat 8.0.28 = Tomcat 8 
and not taking all other versions in-between into account was a bad on my part. 
 Thanks for clarifying this for me.

It appears that maxSwallowSize in the  configuration has fixed the 
issue.  I set it to -1 and now the service is working as expected.  Now I just 
need to come up with a good maximum size value.  Thank you very much for your 
help.

Thank you,
Bill
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, December 3, 2015 11:11 AM
To: Tomcat Users List
Subject: Re: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: 
java.io.IOException: Error writing to server

On 03/12/2015 15:27, Bill Wolosek wrote:
> We have also tried different combinations of Java and Tomcat:
> * Tomcat 7/Java 7 = Works
> * Tomcat 7/Java 8 = Works
> * Tomcat 8/Java 7 = Doesn't Work
> * Tomcat 8/Java 8 = Doesn't Work

Assuming Tomcat 7 == 7.0.39 and Tomcat 8 == 8.0.28 the above list is somewhat 
misleading.

> This leads us to think that the issue is with Tomcat 8.

That conclusion is not supported by the evidence. 7.0.39 is over 2.5 years 
older than 8.0.28. What is far more likely is that you have been affected by 
one of the many fixes in that 2.5 year period that has been applied to both 
7.0.x and 8.0.x.

> Either something was changed in Tomcat 8 and we now need to set some 
> new timeout/payload settings or Tomcat 8 has a bug related to this 
> specific problem.

See my previous comment.

> We have tried setting some of the Tomcat connector settings like 
> maxPostSize="-1", connectionTimeout="-1", disableUploadTimeout="true", 
> connectionUploadTimeout="-1", keepAliveTimeout="-1" but none of these 
> worked and honestly feel like a shot in the dark without knowing what 
> is going on server side.

The 2MB limit should have been a broad hint.

The stack trace on the client side could have been clearer but it is telling 
you that the server has dropped the connection.

Those two together plus a review of the changelog should have pointed you 
towards the maxSwallowSize of the HTTP connector.

You could have reduced the amount of changelog to review by testing different
Tomcat 7.0.x versions which should have pointed you towards
7.0.55 making the 2MB hint more obvious.

> We have tried updating the Metro jars server side to the most recent 
> release (jaxws-ri-2.2.10) as well as running the client using Java 8.
> Unfortunately none of these worked. Any help would be greatly 
> appreciated.

maxSwallowSize=-1 is the quick test to see if this is the issue. After that, 
you need to adjust it as appropriate for your environment since this was added 
to address CVE-2014-0230.

Mark




Re: URL based redirection working partially with Apache tomcat

2015-12-03 Thread Christopher Schultz
To whom it may concern,

On 12/3/15 10:54 AM, Kernel freak wrote:
> Hello friends,
> 
> I would like to deploy multiple webapps(as of now 2,waiting for domain name
> for 3rd) on a single Apache Tomcat instance. I have been partially
> successful as one URL is working properly, other is not.
> 
> Situation :
> 1) I have created two folders called domain1_webapps  and domain2_webapps
> and put the respective webapps named ROOT.war in each of them.
> 2) Then I configured server.xml as mentioned below.
> 
> 
>   autoDeploy="true"/>
>  appBase="domain1_webapps"/>
>  appBase="domain2_webapps"/>
> 
> Right now when I call www.domain-one.com( not domain-one.com), I get the
> correct site. But for the 2nd one, I have to call
> www.domain-two.com/app_name.
> 
> *How can I remove in 2nd domain the app_name context-path which is getting
> appended. Kindly let me know. *
> 
> The ironical situation is I have not kept the app_name anywhere, guess
> Tomcat must be retrieving it from POM.xml.
> 
> Reference question on SO :
> http://stackoverflow.com/questions/34069289/apache-tomcat-url-based-redirection-partially-works

Have you read the documentation for how to deploy a web application in
Tomcat?

http://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Defining_a_context

-chris




Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

2015-12-03 Thread Bill Wolosek
We have recently updated the tech stack of a JAX-WS webservice running on JRE 
1.7.0_17/Tomcat7.0.39 to JRE 1.8.0_66/Tomcat 8.0.28. The web app runs on 
Windows Server 2012. The web service uses a Metro implementation for JAX-WS. 
The clients run on various windows versions using JRE 7 and the JAX-WS client 
API built into the JRE. The webservice is used to upload files from the client 
machines to the webservice which saves them in a document management system. 
The implementation worked pretty much flawlessly under Java 7/Tomcat 7 but we 
have run into a problem with larger payloads (2MB or larger) running under Java 
8/Tomcat 8 server side. The stack trace from the client is:
12/02/2015 14:12:38.699 [AWT-EventQueue-0] ERROR  DocumentImporterMainWindow$SwingAction.importDocument: Unexpected Problem trying to call the CustomerOrderDMService
javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(Unknown Source)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.createResponsePacket(Unknown Source)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source)
    at com.sun.xml.internal.ws.client.Stub.process(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source)
    at com.sun.proxy.$Proxy30.importDocument(Unknown Source)
    at com.mycompany.documentimporter.DocumentImporterMainWindow$SwingAction.importDocument(DocumentImporterMainWindow.java:681)
    at com.mycompany.documentimporter.DocumentImporterMainWindow$SwingAction.actionPerformed(DocumentImporterMainWindow.java:612)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$500(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.io.IOException: Error writing to server
    at

Re: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

2015-12-03 Thread David kerber

On 12/3/2015 10:48 AM, Christopher Schultz wrote:
...

>> We have also tried different combinations of Java and Tomcat:
>> * Tomcat 7/Java 7 = Works
>> * Tomcat 7/Java 8 = Works
>> * Tomcat 8/Java 7 = Doesn't Work
>> * Tomcat 8/Java 8 = Doesn't Work
>>
>> This leads us to think that the issue is with Tomcat 8.
>
> Really? Java 7 + Tomcat 8 works, so... Tomcat 8 is the problem?

Take another look, Chris - you misread his table.  Both entries with
Tomcat 8 fail, and both with Tomcat 7 succeed.







URL based redirection working partially with Apache tomcat

2015-12-03 Thread Kernel freak
Hello friends,

I would like to deploy multiple webapps(as of now 2,waiting for domain name
for 3rd) on a single Apache Tomcat instance. I have been partially
successful as one URL is working properly, other is not.

Situation :
1) I have created two folders called domain1_webapps  and domain2_webapps
and put the respective webapps named ROOT.war in each of them.
2) Then I configured server.xml as mentioned below.


 



Right now when I call www.domain-one.com( not domain-one.com), I get the
correct site. But for the 2nd one, I have to call
www.domain-two.com/app_name.

*How can I remove in 2nd domain the app_name context-path which is getting
appended. Kindly let me know. *

The ironical situation is I have not kept the app_name anywhere, guess
Tomcat must be retrieving it from POM.xml.

Reference question on SO :
http://stackoverflow.com/questions/34069289/apache-tomcat-url-based-redirection-partially-works

Regards,
Kernel


Re: Tomcat 8 JAX-WS javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

2015-12-03 Thread Christopher Schultz
Bill,

On 12/3/15 10:27 AM, Bill Wolosek wrote:
> We have recently updated the tech stack of a JAX-WS webservice
> running on JRE 1.7.0_17/Tomcat7.0.39 to JRE 1.8.0_66/Tomcat 8.0.28.
> The web app runs on Windows Server 2012. The web service uses a Metro
> implementation for JAX-WS. The clients run on various windows
> versions using JRE 7 and the JAX-WS client API built into the JRE.
> The webservice is used to upload files from the client machines to
> the webservice which saves them in a document management system. The
> implementation worked pretty much flawlessly under Java 7/Tomcat 7
> but we have run into a problem with larger payloads (2MB or larger)
> running under Java 8/Tomcat 8 server side. The stack trace from the
> client is:
>
> 12/02/2015 14:12:38.699 [AWT-EventQueue-0] ERROR  
> DocumentImporterMainWindow$SwingAction.importDocument: Unexpected Problem 
> trying to call the CustomerOrderDMService
> javax.xml.ws.WebServiceException: java.io.IOException: Error writing to server

Re: Zero downtime deployments

2015-12-03 Thread Kevin Hale Boyes
Thanks for this link to the presentation.
How do you all deal with some of the other dependencies that the web
application has?

For example, if v2 of my application needs new database columns or worse, a
change to an existing column how can I have v1 and v2 running at the same
time?  We use Oracle as our database though the problem exists for many
database servers.

Thanks,
Kevin.

On 3 December 2015 at 01:31, Neill Lima  wrote:

> Hello Jason,
>
> This approach of using httpd in front of 2+ Tomcats via AJP works well in
> my company. There is a bit of config necessary at httpd level so httpd is
> aware of all the Tomcats and also Tomcat config needs to be set to listen
> to AJP port instead of default port but it is not rocket science.
>
> This facilitates the deployment of nodes sequentially with no downtime. Of
> course, there is a shared session server to take care the sessions are not
> lost when Tomcats flip up and down.
>
> Reply in pvt if you need help setting up this.
>
> Thanks,
>
> Neill


Re: Zero downtime deployments

2015-12-03 Thread jieryn
Use http://flywaydb.org/ to perform database migrations. You will need
at least 3 versions in order to perform an incompatible database
change. v1 is existing behavior, v2 is a shim that bridges v1 and v3,
and then v3 cleans up the shim and removes all the unnecessary hacks.
When you have v1 rolled out against N images, then you can start
rolling out compat shim v2 which adds some temporary work for the db
and coexists, then when all instances are at v2 you can move to v3
which uses all the new stuff.

I haven't found anything better or more efficient than the 2-step
deployment with live code.

On Thu, Dec 3, 2015 at 2:21 PM, Kevin Hale Boyes  wrote:
> Thanks for this link to the presentation.
> How do you all deal with some of the other dependencies that the web
> application has?
>
> For example, if v2 of my application needs new database columns or worse, a
> change to an existing column how can I have v1 and v2 running at the same
> time?  We use Oracle as our database though the problem exists for many
> database servers.
>
> Thanks,
> Kevin.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat FIPS with FIPS capable OpenSSL

2015-12-03 Thread Nithesh Kb
Wow Amazing worked!!!

04-Dec-2015 00:45:30.500 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:45:30.500 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
04-Dec-2015 00:45:30.561 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully
entered FIPS mode
04-Dec-2015 00:45:30.577 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)
04-Dec-2015 00:45:30.935 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["http-apr-8080"]
04-Dec-2015 00:45:30.973 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["ajp-apr-8009"]
04-Dec-2015 00:45:30.976 INFO [main]
org.apache.catalina.startup.Catalina.load Initialization processed in 2308
ms



On Fri, Dec 4, 2015 at 12:47 AM, Nithesh Kb  wrote:

> *HI Tomcat Experts,*
> *I'm trying to enable fips mode in tomcat but i get these exception,*
>
> *04-Dec-2015 00:00:34.787 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
> FIPS mode...*
> *04-Dec-2015 00:00:34.791 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.*
> * java.lang.Exception: error:2D06C06E:FIPS
> routines:FIPS_mode_set:fingerprint does not match*
> * at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)*
>
> *Steps that i have followed,*
> 1. Built FIPS Capable Openssl [https://www.openssl.org/docs/UserGuide-2.0.pdf]
> 2. Installed tomcat APR and APR util [http://stackoverflow.com/questions/34022646/how-to-make-tomcat-fips-mode-enabling]
> 3. Installed TC-native
>
> *Changes made in server.xml*
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
>   SSLEngine="on" FIPSMode="on" />
>
>
> <Connector
> port="8080"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> secure="false"
> SSLEnabled="false"
> scheme="http"
> URIEncoding="UTF-8"
> enableLookups="true"
> acceptCount="10"
> server="NA"/>
>
> *and the exception for this,*
> *   04-Dec-2015 00:00:34.725 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
> based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.*
> *04-Dec-2015 00:00:34.725 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random
> [true].*
> *04-Dec-2015 00:00:34.787 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
> FIPS mode...*
> *04-Dec-2015 00:00:34.791 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.*
> * java.lang.Exception: error:2D06C06E:FIPS
> routines:FIPS_mode_set:fingerprint does not match*
> * at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)*
> * at
> org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)*
> * at
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)*
>
> *It works fine if i made FIPSMode="false"*
>
> *logs are attached *
>
> *please help me how to proceed on this.*
> *Thanks in advance.*
> Thanks,
> Nithesh


RE: Zero downtime deployments

2015-12-03 Thread Tauzell, Dave
If you cannot use a tool like flyway you can do it by hand, too.  The key is 
that all database changes need to be backwards compatible.  For example:

So, if you want to drop a column:
1. Deploy new version of app that doesn't require column X
2. Shutdown version which does
3. drop column X

If you want to rename a column:
1. Deploy new version of app that writes data to old column name + new name
2. shutdown old version
3. drop old column

We generally test out our old version of an app running against the new 
database schema to make sure this process will work.

-Dave

-Original Message-
From: jieryn [mailto:jie...@gmail.com]
Sent: Thursday, December 03, 2015 1:32 PM
To: Tomcat Users List
Subject: Re: Zero downtime deployments

Use http://flywaydb.org/ to perform database migrations. You will need at least 
3 versions in order to perform an incompatible database change. v1 is existing 
behavior, v2 is a shim that bridges v1 and v3, and then v3 cleans up the shim 
and removes all the unnecessary hacks.
When you have v1 rolled out against N images, then you can start rolling out 
compat shim v2 which adds some temporary work for the db and coexists, then 
when all instances are at v2 you can move to v3 which uses all the new stuff.

I haven't found anything better or more efficient than the 2-step deployment 
with live code.


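The rename procedure above, combined with the v1/v2/v3 sequence in the quoted message, as an added example that is not part of the original posts. It uses Python's sqlite3 in memory; the table, the column names and every function name are hypothetical, and the old column is dropped by a table rebuild so the script does not depend on the SQLite version.

```python
import sqlite3

# Hypothetical schema: customer.fullname is being renamed to customer.display_name.
# The old column is nullable here; a NOT NULL old column would have to be relaxed
# before v3 (which no longer writes it) can run next to v2.


def v1_write(db, name):
    """Old release: only knows the old column."""
    db.execute("INSERT INTO customer (fullname) VALUES (?)", (name,))


def v1_read(db):
    return [r[0] for r in db.execute("SELECT fullname FROM customer ORDER BY id")]


def v2_write(db, name):
    """Shim release: writes old and new column so v1 nodes still see the row."""
    db.execute("INSERT INTO customer (fullname, display_name) VALUES (?, ?)",
               (name, name))


def v2_read(db):
    # Rows from v1 nodes have no display_name, rows from v3 nodes no fullname.
    return [r[0] for r in db.execute(
        "SELECT COALESCE(display_name, fullname) FROM customer ORDER BY id")]


def v3_write(db, name):
    """Final release: new column only."""
    db.execute("INSERT INTO customer (display_name) VALUES (?)", (name,))


def v3_read(db):
    return [r[0] for r in db.execute("SELECT display_name FROM customer ORDER BY id")]


def expand(db):
    """Backwards-compatible schema change: add the new column, keep the old one."""
    db.execute("ALTER TABLE customer ADD COLUMN display_name TEXT")


def backfill(db):
    """Run once no v1 node is left: copy values that only exist in the old column."""
    db.execute("UPDATE customer SET display_name = fullname "
               "WHERE display_name IS NULL")


def contract(db):
    """Drop the old column (table rebuild) once nothing reads or writes it."""
    db.executescript("""
        CREATE TABLE customer_new (id INTEGER PRIMARY KEY, display_name TEXT);
        INSERT INTO customer_new (id, display_name)
            SELECT id, display_name FROM customer;
        DROP TABLE customer;
        ALTER TABLE customer_new RENAME TO customer;
    """)


def rolling_rename():
    """Walk the rollout and record what each release sees at each stage."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, fullname TEXT)")
    seen = {}

    v1_write(db, "alice")            # only v1 deployed
    expand(db)                       # v1 keeps working against the new schema

    v1_write(db, "bob")              # v1 and v2 nodes serve traffic side by side
    v2_write(db, "carol")
    seen["v1_with_v2"] = v1_read(db)
    seen["v2_with_v1"] = v2_read(db)

    backfill(db)                     # every v1 node is shut down
    v3_write(db, "dave")             # v3 nodes join while v2 nodes still run
    seen["v2_with_v3"] = v2_read(db)

    contract(db)                     # every v2 node is shut down
    seen["v3_final"] = v3_read(db)

    try:                             # a forgotten v1 node would now break
        v1_read(db)
        seen["v1_after_drop"] = "ok"
    except sqlite3.OperationalError as exc:
        seen["v1_after_drop"] = str(exc)
    db.close()
    return seen


if __name__ == "__main__":
    for stage, result in rolling_rename().items():
        print(stage, result)
```
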

Tomcat FIPS with FIPS capable OpenSSL

2015-12-03 Thread Nithesh Kb
Hi Tomcat Experts,
I'm trying to enable FIPS mode in Tomcat but I get this exception:

*04-Dec-2015 00:00:34.787 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
FIPS mode...*
*04-Dec-2015 00:00:34.791 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.*
* java.lang.Exception: error:2D06C06E:FIPS
routines:FIPS_mode_set:fingerprint does not match*
* at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)*

*Steps that i have followed,*
*1. Built FIPS Capable Openssl*


Thanks,
Nithesh


Re: Tomcat FIPS with FIPS capable OpenSSL

2015-12-03 Thread Nithesh Kb
*Hi Tomcat Experts,*
*I'm trying to enable FIPS mode in Tomcat but I get this exception:*

*04-Dec-2015 00:00:34.787 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
FIPS mode...*
*04-Dec-2015 00:00:34.791 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.*
* java.lang.Exception: error:2D06C06E:FIPS
routines:FIPS_mode_set:fingerprint does not match*
* at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)*

*Steps that i have followed,*
1. Built FIPS Capable Openssl [https://www.openssl.org/docs/UserGuide-2.0.pdf]
2. Installed tomcat APR and APR util [http://stackoverflow.com/questions/34022646/how-to-make-tomcat-fips-mode-enabling]
3. Installed TC-native

*Changes made in server.xml*






*and the exception for this,*
*   04-Dec-2015 00:00:34.725 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.*
*04-Dec-2015 00:00:34.725 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].*
*04-Dec-2015 00:00:34.787 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
FIPS mode...*
*04-Dec-2015 00:00:34.791 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.*
* java.lang.Exception: error:2D06C06E:FIPS
routines:FIPS_mode_set:fingerprint does not match*
* at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)*
* at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)*
* at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)*

*It works fine if i made FIPSMode="false"*

*logs are attached *

*please help me how to proceed on this.*
*Thanks in advance.*
Thanks,
Nithesh

On Fri, Dec 4, 2015 at 12:39 AM, Nithesh Kb  wrote:

> HI Tomcat Experts,
> I'm trying to enable fips mode in tomcat but i get these exception,
>
> *04-Dec-2015 00:00:34.787 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing
> FIPS mode...*
> *04-Dec-2015 00:00:34.791 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.*
> * java.lang.Exception: error:2D06C06E:FIPS
> routines:FIPS_mode_set:fingerprint does not match*
> * at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)*
>
> *Steps that i have followed,*
> *1. Built FIPS Capable Openssl*
>
>
> Thanks,
> Nithesh
>


Understanding how to controlling what data is written to log4j appenders

2015-12-03 Thread Joleen Barker
I want to have more control over what data is written to the various
appenders in the log4j.properties files. I have played around with the
various configurations in the log4j.properties file but I am not
understanding how they are working in order to grasp how to have more
control. I don't know if it would be a matter of turning off the INFO
setting for the log4j.rootLogger and somehow setting individual logging for
each appender.

Below is my environment details:
1) The tomcat version that is running is v8.0.26.0
2) The OS is a Centos v7 UNIX VM
3) Java JDK I have installed that Tomcat is using is 1.8.0_60
4) Due to the catalina.out file growing too large with the default
juli.AsyncFileHandler using the logging.properties file that was found in
the $CATALINA_HOME/conf directory. I changed the settings on a vendors
software to use the log4j logging instead. (So this is NOT my web
application or product written by me.)
5) I set the swallowOutput="true" in the vendors .xml file to stop
messages for stdout and stderr from going to the catalina.out files.
6) Most messages are now going to the catalina (no extension) and/or the
localhost files which are rolled over daily when there is activity.
7) The vendors web application uses the context of cfcc. The Connector
details are found in the
\server\conf\Catalina\localhost\cfcc.xml
8) I have A LOT of duplication in the log files. I would like to change
that if I can.
9) Below are my log4j.properties settings:

log4j.rootLogger=INFO, CATALINA

# Define all the appenders
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.File=${catalina.base}/logs/catalina
log4j.appender.CATALINA.Append=true
log4j.appender.CATALINA.Encoding=UTF-8
# Roll-over the log once per day
log4j.appender.CATALINA.DatePattern='.'-MM-dd'.log'
log4j.appender.CATALINA.layout = org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern = %d [%t] %-5p %c- %m%n

log4j.appender.CFCC=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CFCC.File=${catalina.base}/logs/cfcc
log4j.appender.CFCC.Append=true
log4j.appender.CFCC.Encoding=UTF-8
log4j.appender.CFCC.DatePattern='.'-MM-dd'.log'
log4j.appender.CFCC.layout = org.apache.log4j.PatternLayout
log4j.appender.CFCC.layout.ConversionPattern = %d [%t] %-5p %c- %m%n

log4j.appender.LOCALHOST=org.apache.log4j.DailyRollingFileAppender
log4j.appender.LOCALHOST.File=${catalina.base}/logs/localhost
log4j.appender.LOCALHOST.Append=true
log4j.appender.LOCALHOST.Encoding=UTF-8
log4j.appender.LOCALHOST.DatePattern='.'-MM-dd'.log'
log4j.appender.LOCALHOST.layout = org.apache.log4j.PatternLayout
log4j.appender.LOCALHOST.layout.ConversionPattern = %d [%t] %-5p %c- %m%n

log4j.appender.MANAGER=org.apache.log4j.DailyRollingFileAppender
log4j.appender.MANAGER.File=${catalina.base}/logs/manager.
log4j.appender.MANAGER.Append=true
log4j.appender.MANAGER.Encoding=UTF-8
log4j.appender.MANAGER.DatePattern='.'-MM-dd'.log'
log4j.appender.MANAGER.layout = org.apache.log4j.PatternLayout
log4j.appender.MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n

log4j.appender.HOST-MANAGER=org.apache.log4j.DailyRollingFileAppender
log4j.appender.HOST-MANAGER.File=${catalina.base}/logs/host-manager.
log4j.appender.HOST-MANAGER.Append=true
log4j.appender.HOST-MANAGER.Encoding=UTF-8
log4j.appender.HOST-MANAGER.DatePattern='.'-MM-dd'.log'
log4j.appender.HOST-MANAGER.layout = org.apache.log4j.PatternLayout
log4j.appender.HOST-MANAGER.layout.ConversionPattern = %d [%t] %-5p %c- %m%n

log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.Encoding=UTF-8
log4j.appender.CONSOLE.layout = org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern = %d [%t] %-5p %c- %m%n

# Configure which loggers log to which appenders

log4j;logger.org.apache.catalina.core,ContainerBase.[Catalina].[localhost].[/cfcc]=INFO,
CFCC

log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=OFF,
LOCALHOST
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]=\
  INFO, MANAGER
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager]=\
  INFO, HOST-MANAGER

At this time ALL the same messages are written to the cfcc and the
localhost log files. Absolutely no difference. All the messages that
are written to these two logs are also in the catalina log along with
the tomcat startup messages. I would like to separate the tomcat
startup messages from the web application messages that are written to
both the localhost and cfcc logs.

Thank you for your help in advance.

-Joleen


Apache httpd / mod_proxy_ajp logging

2015-12-03 Thread tomcat

Hi.

Although the above module is a httpd-level, this might still be the right place 
to ask :

I am usually using mod_jk as an Apache httpd / Tomcat connector.
With mod_jk, there is a separate JkLogLevel directive to set the log level, and also a 
separate logfile.


Would anyone here know what is available in that respect with mod_proxy_ajp ?
Can I trace at the httpd level what is actually being proxied to Tomcat ?

Thanks.




Re: Understanding how to controlling what data is written to log4j appenders

2015-12-03 Thread Konstantin Kolinko
2015-12-04 2:05 GMT+03:00 Joleen Barker :
> I want to have more control over what data is written to the various
> appenders in the log4j.properties files. I have played around with the
> various configurations in the log4j.properties file but I am not
> understanding how they are working in order to grasp how to have more
> control. I don't know if it would be a matter of turning off the INFO
> setting for the log4j.rootLogger and somehow setting individual logging for
> each appender.
>
> Below is my environment details:
> 1) The tomcat version that is running is v8.0.26.0
> 2) The OS is a Centos v7 UNIX VM
> 3) Java JDK I have installed that Tomcat is using is 1.8.0_60
> 4) Due to the catalina.out file growing too large with the default
> juli.AsyncFileHandler using the logging.properties file that was found in
> the $CATALINA_HOME/conf directory. I changed the settings on a vendors
> software to use the log4j logging instead. (So this is NOT my web
> application or product written by me.)

None of AsyncFileHandler is responsible for catalina.out.

The catalina.out file consumes output of ConsoleHandler.

>
> log4j;logger.org.apache.catalina.core,ContainerBase.[Catalina].[localhost].[/cfcc]=INFO, CFCC
>

The above line has a typo. s/;/./ after "log4j"

> <...>


You need to set "additivity" flag for non-root loggers to false.
I have not tested, but I think it will be like this:


log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cfcc]=false
log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=false
log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]=false
log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager]=false



Documentation for Log4j 1.x:
[1] http://logging.apache.org/log4j/1.2/

Guide:
[2] http://logging.apache.org/log4j/1.2/manual.html

Syntax of log4j.properties file:
[3] http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PropertyConfigurator.html#doConfigure%28java.lang.String,%20org.apache.log4j.spi.LoggerRepository%29

Best regards,
Konstantin Kolinko

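Why the additivity flag removes the duplication described in the question, as an added example that is not part of the original posts: a small Python model of how log4j 1.x picks the appenders for one event (level check on the originating logger, then a walk up the dot-separated hierarchy until a logger with additivity=false). It is a model, not log4j itself; the function names are hypothetical and the properties text is a constructed excerpt of the posted file with the typos corrected.

```python
# Constructed excerpt of the posted log4j.properties (typos corrected).
CONFIG = """
log4j.rootLogger=INFO, CATALINA
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cfcc]=INFO, CFCC
log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=OFF, LOCALHOST
"""

# The additivity lines suggested in the reply above.
ADDITIVITY_FIX = """
log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cfcc]=false
log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=false
"""

ROOT = ""
LEVELS = {"ALL": 0, "TRACE": 1, "DEBUG": 2, "INFO": 3,
          "WARN": 4, "ERROR": 5, "FATAL": 6, "OFF": 7}
CFCC_LOGGER = "org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cfcc]"
LOCALHOST_LOGGER = "org.apache.catalina.core.ContainerBase.[Catalina].[localhost]"


def parse_config(text):
    """Read rootLogger, logger.* and additivity.* keys into a dict per logger."""
    loggers = {ROOT: {"level": "DEBUG", "appenders": [], "additive": True}}

    def entry(name):
        return loggers.setdefault(
            name, {"level": None, "appenders": [], "additive": True})

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("log4j.additivity."):
            # Anything other than "false" leaves the default (true) in place.
            entry(key[len("log4j.additivity."):])["additive"] = value.lower() != "false"
            continue
        if key == "log4j.rootLogger":
            name = ROOT
        elif key.startswith("log4j.logger."):
            name = key[len("log4j.logger."):]
        else:
            continue  # appender definitions are not needed for this model
        fields = [f.strip() for f in value.split(",")]
        if fields[0]:
            entry(name)["level"] = fields[0].upper()
        entry(name)["appenders"] = [f for f in fields[1:] if f]
    return loggers


def ancestry(loggers, name):
    """Yield the logger and its configured ancestors, nearest first, root last."""
    current = name
    while current:
        if current in loggers:
            yield loggers[current]
        current = current.rpartition(".")[0]
    yield loggers[ROOT]


def receiving_appenders(loggers, name, event_level):
    """Return the appenders that would receive one event logged to `name`."""
    chain = list(ancestry(loggers, name))
    # Effective level: nearest explicitly set level on the way up to root.
    effective = next(lg["level"] for lg in chain if lg["level"])
    if LEVELS[event_level] < LEVELS[effective]:
        return []
    received = []
    for lg in chain:
        received.extend(lg["appenders"])
        if not lg["additive"]:
            break  # ancestors above this logger never see the event
    return received


if __name__ == "__main__":
    before = parse_config(CONFIG)
    after = parse_config(CONFIG + ADDITIVITY_FIX)
    print("before:", receiving_appenders(before, CFCC_LOGGER, "INFO"))
    print("after: ", receiving_appenders(after, CFCC_LOGGER, "INFO"))
```

The OFF level on the [localhost] logger only silences events logged to that logger directly; its LOCALHOST appender still receives events from child loggers unless the child's additivity is false.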



Re: Understanding how to controlling what data is written to log4j appenders

2015-12-03 Thread Joleen Barker
Hello Konstantin,

Thank you for pointing out the typo. The line is actually correct in my
log4j.properties file and the typo happened when I typed the line in for my
settings.

I don't know what additivity flag is so I will take a look.

I'll let you know how it goes.

-Joleen

On Thu, Dec 3, 2015 at 7:53 PM, Konstantin Kolinko 
wrote:

> 2015-12-04 2:05 GMT+03:00 Joleen Barker :
> > I want to have more control over what data is written to the various
> > appenders in the log4j.properties files. I have played around with the
> > various configurations in the log4j.properties file but I am not
> > understanding how they are working in order to grasp how to have more
> > control. I don't know if it would be a matter of turning off the INFO
> > setting for the log4j.rootLogger and somehow setting individual logging
> for
> > each appender.
> >
> > Below is my environment details:
> > 1) The tomcat version that is running is v8.0.26.0
> > 2) The OS is a Centos v7 UNIX VM
> > 3) Java JDK I have installed that Tomcat is using is 1.8.0_60
> > 4) Due to the catalina.out file growing too large with the default
> > juli.AsyncFileHandler using the logging.properties file that was found in
> > the $CATALINA_HOME/conf directory. I changed the settings on a vendors
> > software to use the log4j logging instead. (So this is NOT my web
> > application or product written by me.)
>
> None of AsyncFileHandler is responsible for catalina.out.
>
> The catalina.out file consumes output of ConsoleHandler.
>
> >
> >
> log4j;logger.org.apache.catalina.core,ContainerBase.[Catalina].[localhost].[/cfcc]=INFO,
> CFCC
> >
>
> The above line has a typo. s/;/./ after "log4j"
>
> > <...>
>
>
> You need to set "additivity" flag for non-root loggers to false.
> I have not tested, but I think it will be like this:
>
>
>
> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cfcc]=false
>
> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=false
>
> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]=false
>
> log4j.additivity.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager]=false
>
>
>
> Documentation for Log4j 1.x:
> [1] http://logging.apache.org/log4j/1.2/
>
> Guide:
> [2] http://logging.apache.org/log4j/1.2/manual.html
>
> Syntax of log4j.properties file:
> [3]
> http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PropertyConfigurator.html#doConfigure%28java.lang.String,%20org.apache.log4j.spi.LoggerRepository%29
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>