Re: tomcat ssl setup

2017-09-26 Thread Konstantin Kolinko
2017-09-27 2:52 GMT+03:00 John Ellis :
> Mark I don't see where you wrote anything in this reply?

The rules:
http://tomcat.apache.org/lists.html#tomcat-users
-> 6. Top-posting is bad.

Mark posted a link to a webinar video on YouTube, from the 2016 webinar series,
"TLS key/certificate generation"

Also available here:
http://tomcat.apache.org/presentations.html


>
> https://youtu.be/I6TbMqH9WFg
>
> Mark
>

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: tomcat ssl setup

2017-09-26 Thread John Ellis
Mark I don't see where you wrote anything in this reply?

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Tuesday, September 26, 2017 5:49 PM
To: Tomcat Users List 
Subject: RE: tomcat ssl setup

On 26 September 2017 20:26:58 BST, John Ellis  
wrote:
>Yesterday my boss suggested setting up Tomcat vers. 8 as he thought 
>this is what Jira and/or Confluence would use so I did that and it 
>worked fine on http port of 8080. I then edited the server.xml file 
>again for the SSL port and got the same result as before; never gets to 
>a webpage login using the secure port of 8443 but I can still get the 
>webpage on port 8080. When I look at the Tomcat 8 Catalina log file I 
>see several lines where it says- "java.security.KeyStoreException:
>Cannot store non-PrivateKeys". I have been googling that error and 
>found a couple of posts saying to change from JKS to JCEKS but when I 
>ran the commands I didn't have JKS in the command; only RSA for the 
>algorithm. Can someone provide me with the proper keytool commands that
>I need to use to create an SSL certificate for Tomcat?   
>
>John Ellis
>
>405.285.2500 office
>
>
>
>
>http://biz-e.io
>
>-Original Message-
>From: Mark Thomas [mailto:ma...@apache.org]
>Sent: Friday, September 22, 2017 2:20 PM
>To: Tomcat Users List 
>Subject: Re: tomcat ssl setup
>
>On 22/09/17 16:44, John Ellis wrote:
>> I have installed Tomcat 9.0.0.M27 on this test server but I still get
>> the same result; when I try to connect to Tomcat on the secure port of
>> 8443 it just sits there and has a spinner up at the top of the browser
>> window but if I try to connect to it back on the non-secure port of
>> 8080 it works fine. Here is a Dropbox link to the server.xml file that
>> I edited-
>>
>> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>>
>> Here is a Dropbox link to the Catalina log file-
>>
>> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>> 
>> Thanks,
>> 
>> John Ellis
>
>How did you generate the key and certificate files?
>
>Mark
>

https://youtu.be/I6TbMqH9WFg

Mark





RE: tomcat ssl setup

2017-09-26 Thread Mark Thomas
On 26 September 2017 20:26:58 BST, John Ellis  
wrote:
>Yesterday my boss suggested setting up Tomcat vers. 8 as he thought
>this is what Jira and/or Confluence would use so I did that and it
>worked fine on http port of 8080. I then edited the server.xml file
>again for the SSL port and got the same result as before; never gets to
>a webpage login using the secure port of 8443 but I can still get the
>webpage on port 8080. When I look at the Tomcat 8 Catalina log file I
>see several lines where it says- "java.security.KeyStoreException:
>Cannot store non-PrivateKeys". I have been googling that error and
>found a couple of posts saying to change from JKS to JCEKS but when I
>ran the commands I didn't have JKS in the command; only RSA for the
>algorithm. Can someone provide me with the proper keytool commands that
>I need to use to create an SSL certificate for Tomcat?   
>
>John Ellis
>
>405.285.2500 office
>
>
>
>
>http://biz-e.io
>
>-Original Message-
>From: Mark Thomas [mailto:ma...@apache.org] 
>Sent: Friday, September 22, 2017 2:20 PM
>To: Tomcat Users List 
>Subject: Re: tomcat ssl setup
>
>On 22/09/17 16:44, John Ellis wrote:
>> I have installed Tomcat 9.0.0.M27 on this test server but I still get
>> the same result; when I try to connect to Tomcat on the secure port of
>> 8443 it just sits there and has a spinner up at the top of the browser
>> window but if I try to connect to it back on the non-secure port of
>> 8080 it works fine. Here is a Dropbox link to the server.xml file that
>> I edited-
>>
>> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>>
>> Here is a Dropbox link to the Catalina log file-
>>
>> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>> 
>> Thanks,
>> 
>> John Ellis
>
>How did you generate the key and certificate files?
>
>Mark
>

https://youtu.be/I6TbMqH9WFg

Mark





RE: tomcat ssl setup

2017-09-26 Thread John Ellis
Yes I have run into that. I'm using an xml editor to check my work.

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name] 
Sent: Tuesday, September 26, 2017 3:32 PM
To: Tomcat Users List 
Subject: Re: tomcat ssl setup

G, I hate formatting in Mails...

Beware of “ when copying source code!

> On 26.09.2017 at 22:25, l...@kreuser.name wrote:
> 
> John,
> 
> 
> 
>> On 26.09.2017 at 21:26, John Ellis wrote:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> <Connector
>     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>     allowTrace="false"
>     maxThreads="150"
>     SSLEnabled="true"
>     compression="off"
>     scheme="https"
>     server="Apache Tomcat"
>     secure="true"
>     defaultSSLHostConfigName="localhost">
>   <SSLHostConfig
>       hostName="localhost"
>       honorCipherOrder="true"
>       certificateVerification="none"
>       protocols="TLSv1.2"
>       ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate
>         certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>         certificateKeystorePassword="changeit"
>         certificateKeyAlias="tomcat"
>         type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
> 
> I use openssl to create the certs (as let’s encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> # RSA private key (the subject is set on the CSR in the next step)
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> # bundle key and certificate into the keystore under the alias tomcat, then list it
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Regards
> 
> Peter
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 






Re: tomcat ssl setup

2017-09-26 Thread logo
G, I hate formatting in Mails...

Beware of “ when copying source code!

> On 26.09.2017 at 22:25, l...@kreuser.name wrote:
> 
> John,
> 
> 
> 
>> On 26.09.2017 at 21:26, John Ellis wrote:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> <Connector
>     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>     allowTrace="false"
>     maxThreads="150"
>     SSLEnabled="true"
>     compression="off"
>     scheme="https"
>     server="Apache Tomcat"
>     secure="true"
>     defaultSSLHostConfigName="localhost">
>   <SSLHostConfig
>       hostName="localhost"
>       honorCipherOrder="true"
>       certificateVerification="none"
>       protocols="TLSv1.2"
>       ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate
>         certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>         certificateKeystorePassword="changeit"
>         certificateKeyAlias="tomcat"
>         type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>  
> 
> 
> I use openssl to create the certs (as let’s encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> # RSA private key (the subject is set on the CSR in the next step)
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> # bundle key and certificate into the keystore under the alias tomcat, then list it
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Regards
> 
> Peter
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
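
The connector layout from the message above, checked mechanically (an added example, not code from the thread or from the Tomcat project): this Python script flags the typographic quotes Peter warns about, a defaultSSLHostConfigName with no matching SSLHostConfig, legacy protocols, cipher suites without ECDHE/DHE key exchange, and the "changeit" keystore password. The sample XML, port 8443, the shortened cipher list and the finding codes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Tomcat 8.5/9 layout (Connector > SSLHostConfig >
# Certificate). Port 8443 and the shortened cipher list are assumptions; the
# \u201c/\u201d pair reproduces the curly quotes a mail client can introduce.
SAMPLE = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName=\u201clocalhost\u201d>
  <SSLHostConfig hostName="localhost" protocols="TLSv1.2"
                 ciphers="ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!DSS">
    <Certificate certificateKeystoreFile="conf/ssl/jssecacerts"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat" type="RSA" />
  </SSLHostConfig>
</Connector>
"""

CURLY = {"\u201c": '"', "\u201d": '"', "\u201e": '"', "\u2018": "'", "\u2019": "'"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def audit(server_xml):
    """Return (code, detail) findings for every TLS-enabled Connector."""
    findings = []
    for lineno, line in enumerate(server_xml.splitlines(), 1):
        for ch in line:
            if ch in CURLY:
                findings.append(("curly-quote", f"line {lineno}: U+{ord(ch):04X}"))
    # Swap the curly quotes for ASCII ones so the remaining checks can parse.
    root = ET.fromstring(server_xml.translate(str.maketrans(CURLY)))
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        where = f"Connector port={conn.get('port', '?')}"
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(("scheme-secure", f"{where}: expected scheme=https, secure=true"))
        hosts = conn.findall("SSLHostConfig")
        default = conn.get("defaultSSLHostConfigName", "_default_")
        names = {h.get("hostName", "_default_") for h in hosts}
        if hosts and default not in names:
            findings.append(("host-mismatch", f"{where}: no SSLHostConfig named {default!r}"))
        for host in hosts:
            for proto in re.split(r"[,\s]+", host.get("protocols", "")):
                if proto.lstrip("+") in LEGACY_PROTOCOLS:
                    findings.append(("legacy-protocol", f"{where}: {proto}"))
            # Heuristic for OpenSSL-style names: hyphenated suites that are not
            # ECDHE/DHE use static key exchange and give no forward secrecy.
            for suite in host.get("ciphers", "").split(":"):
                if "-" in suite and suite[0] not in "!+-" \
                        and not suite.startswith(EPHEMERAL_PREFIXES):
                    findings.append(("no-forward-secrecy", f"{where}: {suite}"))
            for cert in host.findall("Certificate"):
                if cert.get("certificateKeystorePassword") == "changeit":
                    findings.append(("default-password", f"{where}: keystore password is 'changeit'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code:20} {detail}")
```
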



RE: tomcat ssl setup

2017-09-26 Thread John Ellis
Yes version 8.5 is what I downloaded & tried but I had already tried both 
versions (M26 and M27) of 9.0.0. I think this is just something that I am 
overlooking here; I am not a programmer and have just had to learn all of this 
to work with Jira and Confluence, that we use here in our office. I will try 
this tomorrow.
Thanks so much for the info! 

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name] 
Sent: Tuesday, September 26, 2017 3:26 PM
To: Tomcat Users List 
Subject: Re: tomcat ssl setup

John,



> On 26.09.2017 at 21:26, John Ellis wrote:
> 
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
> what Jira and/or Confluence would use so I did that and it worked fine on 
> http port of 8080. I then edited the server.xml file again for the SSL port 
> and got the same result as before; never gets to a webpage login using the 
> secure port of 8443 but I can still get the webpage on port 8080. When I look 
> at the Tomcat 8 Catalina log file I see several lines where it says- 
> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
> googling that error and found a couple of posts saying to change from JKS to 
> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
> for the algorithm. Can someone provide me with the proper keytool commands 
> that I need to use to create an SSL certificate for Tomcat?   
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 


We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a 
dead horse, also SSL setup has changed quite a bit in 8.5/9.0.

So my setup is as follows:

server.xml:

 

 

  

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
 


I use openssl to create the certs (as let’s encrypt for an official cert will 
generate the same structure) and then convert to JKS:

# RSA private key (the subject is set on the CSR in the next step)
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
# there is more to it to get SAN extensions, but that’s not necessary to get it running

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
# you may need your own ca and a signing-process to make this work in all browsers

# Verify Server Cert
openssl x509 -in server.crt -text -noout

# bundle key and certificate into the keystore under the alias tomcat, then list it
openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
keytool -list -v -keystore jssecacerts -storepass changeit


Hope this helps for a start.

Regards

Peter















Re: tomcat ssl setup

2017-09-26 Thread logo
John,



> On 26.09.2017 at 21:26, John Ellis wrote:
> 
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
> what Jira and/or Confluence would use so I did that and it worked fine on 
> http port of 8080. I then edited the server.xml file again for the SSL port 
> and got the same result as before; never gets to a webpage login using the 
> secure port of 8443 but I can still get the webpage on port 8080. When I look 
> at the Tomcat 8 Catalina log file I see several lines where it says- 
> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
> googling that error and found a couple of posts saying to change from JKS to 
> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
> for the algorithm. Can someone provide me with the proper keytool commands 
> that I need to use to create an SSL certificate for Tomcat?   
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 


We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a 
dead horse, also SSL setup has changed quite a bit in 8.5/9.0.

So my setup is as follows:

server.xml:

 

 

  

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
 


I use openssl to create the certs (as let’s encrypt for an official cert will 
generate the same structure) and then convert to JKS:

# RSA private key (the subject is set on the CSR in the next step)
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
# there is more to it to get SAN extensions, but that’s not necessary to get it running

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
# you may need your own ca and a signing-process to make this work in all browsers

# Verify Server Cert
openssl x509 -in server.crt -text -noout

# bundle key and certificate into the keystore under the alias tomcat, then list it
openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
keytool -list -v -keystore jssecacerts -storepass changeit


Hope this helps for a start.

Regards

Peter












RE: tomcat ssl setup

2017-09-26 Thread John Ellis
Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
what Jira and/or Confluence would use so I did that and it worked fine on http 
port of 8080. I then edited the server.xml file again for the SSL port and got 
the same result as before; never gets to a webpage login using the secure port 
of 8443 but I can still get the webpage on port 8080. When I look at the Tomcat 
8 Catalina log file I see several lines where it says- 
"java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
googling that error and found a couple of posts saying to change from JKS to 
JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
for the algorithm. Can someone provide me with the proper keytool commands that 
I need to use to create an SSL certificate for Tomcat?   

John Ellis

405.285.2500 office




http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Friday, September 22, 2017 2:20 PM
To: Tomcat Users List 
Subject: Re: tomcat ssl setup

On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the 
> same result; when I try to connect to Tomcat on the secure port of 8443 it 
> just sits there and has a spinner up at the top of the browser window but if 
> I try to connect to it back on the non-secure port of 8080 it works fine. 
> Here is a Dropbox link to the server.xml file that I edited-
> 
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
> 
> Here is a Dropbox link to the Catalina log file-
> 
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
> 
> Thanks,
> 
> John Ellis

How did you generate the key and certificate files?

Mark




Re[2]: Tomcat 7/8/9 context path restrictions/validation

2017-09-26 Thread Konstantin Ryadov
>Thursday, 21 September 2017, 11:27 +03:00 from Mark Thomas :
>
>On 20/09/17 10:47, Konstantin Ryadov wrote:
>> 
>> Hello!
>> Could you explain the limitations of the context path value set in 
>> server.xml (e.g. as described on 
>> https://tomcat.apache.org/tomcat-7.0-doc/config/context.html )?
>> Is there any context path validation (unescaped symbols, whitespace 
>> and so on)?
>> Is the first “/” always required in the context path value? What is the difference 
>> between a value with the first “/” and without?
>
>A leading "/" is required unless it is the root context in which case
>the path is "".
>
>"/" and "/ROOT" are both always converted to "".
>
>
>"/" and "#" are reserved since they have special meanings.
>
>Other than that, anything goes. If you use characters that are not
>permitted in a URL then you'll need to use %nn escaping when writing the
>request URL. The OS may also limit the characters that can be used.
>
>Mark
>

Thank you for the answer, Mark.




Randomly tomcat process create another copy process of it. Now see two PIDs of tomcat running

2017-09-26 Thread Naresh Yadav
Hi all,

I already posted my problem on Stack Overflow but have not got any responses,
so I thought of posting here. Please read and help me with possible resolutions.

https://stackoverflow.com/questions/46409358/randomly-tomcat-process-create-another-copy-process-of-it-now-see-two-pids-of-t

Thanks
Naresh


different a thread status in tomcat7,tomcat8

2017-09-26 Thread 박원석
Hello, I'm operating some services under this environment.

1. server
OS : RHEL 6.x
JVM : 1.8.0_x
WEB : httpd 2.2.24
WAS : tomcat-8.0.44(tomcat-native1.2.14)
2. server
OS : RHEL 6.x
JVM : 1.8.0_x
WEB : httpd 2.2.24
WAS : tomcat-7.0.75(tomcat-native1.2.14)

  
  


I can see a RUNNABLE thread in my tomcat8.0.44  server that waits keep
alive timeout(connectionTimeout) status.


*only tomcat8 ===ajp-apr-8009-exec-8 (RUNNABLE)* - 42


org.apache.tomcat.jni.Socket.recvbb(Native Method)
org.apache.coyote.ajp.AjpAprProcessor.readSocket(AjpAprProcessor.java:256)
org.apache.coyote.ajp.AjpAprProcessor.read(AjpAprProcessor.java:197)
org.apache.coyote.ajp.AbstractAjpProcessor.readMessage(AbstractAjpProcessor.java:1091)
org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:804)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2458)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)


But I can't see a RUNNABLE thread in my tomcat7.0.75 server; that server
services a request and exactly changes to TIMED_WAITING status. Why is it
different between tomcat7 and tomcat8?


*ajp-apr-8009-exec-5 (TIMED_WAITING)* - 39


sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:85)
org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:31)
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1066)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)


Java 9 support + HSTS for tomcat.apache.org

2017-09-26 Thread Oliver Heister
Hi all,

I have two suggestions:

1. The table on http://tomcat.apache.org/whichversion.html has a column
“Supported Java Versions” which has entries like “8 and later”.  My
understanding from e.g.
https://marc.info/?l=tomcat-dev&m=150617891913261&w=2 is that currently no
stable tomcat release supports Java 9 yet.

IMO a remark regarding Java 9 should be added to
http://tomcat.apache.org/whichversion.html .


 2. Currently MITM attacks by evil ISPs or WiFi networks are possible
against people downloading tomcat from
http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
and sha1 hashes for validation, but the links are on a http page that does
not redirect to https. This means they could be replaced in case of MITM.)

IMO a HTTP 301 redirect to the https version and HSTS headers should be
added to http://tomcat.apache.org/ .



Should I try to submit issues in Bugzilla for both?


Best Regards

Oliver


R: debian 9 and tomcat 8 error at startup

2017-09-26 Thread r.bottoni
Hi Emmanuel,
Thank you!
It works!
Roberto


-Original Message-
From: Emmanuel Bourg [mailto:ebo...@apache.org] 
Sent: Tuesday, 26 September 2017 08:19
To: Tomcat Users List ; r.bott...@afterbit.com
Subject: Re: debian 9 and tomcat 8 error at startup

Hi Roberto,

You have to install the libservlet3.1-java package. This is a mistake in the 
packaging that will be fixed in a future update (Debian bug #867247).

Emmanuel Bourg


On 26/09/2017 at 07:56, r.bott...@afterbit.com wrote:
> Hi,
> I have installed tomcat 8 on a Debian server using aptitude command.
> but when tomcat starts, I get this strange error :
> 
> 
> 26-Sep-2017 07:47:14.613 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server version:
> Apache Tomcat/8.5.14 (Debian)
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server built:
> Sep 3 2017 17:51:58 UTC
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server number:
> 8.5.14.0
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log OS Name:
> Linux
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log OS Version:
> 4.9.0-3-amd64
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Architecture:
> amd64
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Java Home:
> /usr/lib/jvm/java-8-oracle/jre
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log JVM Version:
> 1.8.0_144-b01
> 26-Sep-2017 07:47:14.614 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
> Oracle Corporation
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
> /var/lib/tomcat8
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
> /usr/share/tomcat8
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument:
> -Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properti
> es
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: 
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djava.awt.headless=true
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -XX:+UseConcMarkSweepGC
> 26-Sep-2017 07:47:14.615 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djdk.tls.ephemeralDHKeySize=2048
> 26-Sep-2017 07:47:14.616 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: 
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> 26-Sep-2017 07:47:14.616 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Dcatalina.base=/var/lib/tomcat8
> 26-Sep-2017 07:47:14.616 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Dcatalina.home=/usr/share/tomcat8
> 26-Sep-2017 07:47:14.616 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp
> 26-Sep-2017 07:47:14.616 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR 
> based Apache Tomcat Native library which allows optimal performance in 
> production environments was not found on the java.library.path:
> /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> 26-Sep-2017 07:47:14.764 INFO [main]
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler 
> ["http-nio-8080"]
> 26-Sep-2017 07:47:14.789 INFO [main]
> org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a 
> shared selector for servlet write/read
> 26-Sep-2017 07:47:14.791 INFO [main]
> org.apache.catalina.startup.Catalina.load Initialization processed in
> 684 ms
> 26-Sep-2017 07:47:14.826 INFO [main]
> org.apache.catalina.core.StandardService.startInternal Starting 
> service Catalina
> 26-Sep-2017 07:47:14.826 INFO [main]
> org.apache.catalina.core.StandardEngine.startInternal Starting Servlet
> Engine: Apache Tomcat/8.5.14 (Debian)
> 26-Sep-2017 07:47:14.843 INFO [localhost-startStop-1] 
> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
> application directory /var/lib/tomcat8/webapps/ROOT
> 26-Sep-2017 07:47:15.141 WARNING [localhost-startStop-1] 
> org.apache.tomcat.util.scan.StandardJarScanner.scan Failed to scan 
> [file:/usr/share/java/el-api-3.0.jar] from classloader hierarchy
>  java.io.FileNotFoundException: /usr/share/java/el-api-3.0.j