Re: org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed
On Fri, Jan 5, 2018 at 12:25 AM, Michael Peng <michael.p...@entrustdatacard.com> wrote:

> Do the changes make sense, and what would be the side effect? In our case, the "netInBuffer" could be full, i.e., position = limit for large data. Maybe the "netInBuffer" should not be cleared since "compact" would reset the "netInBuffer", should it?

The buffer is flipped after that and the NIO code is the same anyway, so the change doesn't make sense indeed as is.

Rémy
org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed
Hi,

We use Http11Nio2Protocol and configure TLSv1.2 for our services, and encountered a handshake failure intermittently when posting a big chunk of data from HttpClient via HTTP POST, with the following exception:

https-jsse-nio2-15443-exec-9, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unsupported record version Unknown-152.152
%% Invalidated:  [Session-5, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
https-jsse-nio2-15443-exec-9, SEND TLSv1.2 ALERT:  fatal, description = internal_error
Padded plaintext before ENCRYPTION:  len = 80
0000: 0E B4 29 73 84 93 21 64 30 2D 90 D4 99 E4 67 2E  ..)s..!d0-g.
0010: 02 50 50 C3 E0 45 C2 70 5D 09 E7 EC 1D 03 1F CE  .PP..E.p]...
0020: CC 25 05 97 23 88 AA 17 FC D3 41 B6 1B 53 68 A6  .%..#.A..Sh.
0030: 1F BF 53 4D 78 F3 D2 24 D4 09 E1 D4 42 B8 3F 34  ..SMx..$B.?4
0040: 2C BD 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D  ,...
https-jsse-nio2-15443-exec-9, WRITE: TLSv1.2 Alert, length = 80
03-Jan-2018 16:45:36.987 FINE [https-jsse-nio2-15443-exec-9] org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Handshake failed
javax.net.ssl.SSLException: Unsupported record version Unknown-152.152
    at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshakeUnwrap(SecureNio2Channel.java:495)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:289)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:204)
    at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1675)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:946)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:98)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:91)
    at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
    at sun.nio.ch.Invoker$2.run(Invoker.java:218)
    at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

If we switch to Http11NioProtocol, it works OK. And if we modify SecureNio2Channel.handshakeUnwrap() by commenting out the following lines:

    protected SSLEngineResult handshakeUnwrap() throws IOException {
        //if (netInBuffer.position() == netInBuffer.limit()) {
        //    //clear the buffer if we have emptied it out on data
        //    netInBuffer.clear();
        //}
        SSLEngineResult result;

We tried both HttpClient POST and browser POST with the changes, and it seemed to work. It looks like our HTTP client tried to close the socket every time, judging from the log message (not sure though).

Do the changes make sense, and what would be the side effect? In our case, the "netInBuffer" could be full, i.e., position = limit for large data. Maybe the "netInBuffer" should not be cleared since "compact" would reset the "netInBuffer", should it?

Please advise.

Thanks,
Michael
RE: GC allocation failure
Thank you. I will make initial and max heap to be the same value.

Ambica Sanka
Sr J2EE IV Developer

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, January 04, 2018 12:20 PM
To: users@tomcat.apache.org
Subject: Re: GC allocation failure

Ambica,

On 1/4/18 11:17 AM, Sanka, Ambica wrote:
> I am seeing below highlighted errors in native_err logs in all my tomcat applications. I also increased memory for the VM from 4GB to 8GB. Still seeing those. When do we get those errors? I am reading online that when program asks for memory and java cannot give, that's when we see them. Please suggest.
>
> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
>
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC

Others have commented on those messages you received, but nobody mentioned your heap configuration.

In the above command-line arguments, you have specified both the minimum and maximum heap memory. You have expressed those values in bytes, which makes it somewhat hard to read what they actually are, but this is what you have in readable units:

-XX:InitialHeapSize=128M
-XX:MaxHeapSize=256M

So you aren't using an 8GiB heap. You aren't even using a 4GiB heap. You are using a 256 *megabyte* heap. If you really want an 8GiB heap, you'll need to set it properly in your command-line arguments.

Note that setting the initial heap size to anything other than the maximum heap size just makes the JVM take longer to get the heap generations sized appropriately. For a long-running server process, I think it never makes any sense to set initial < max heap size. Always set them to the same value so that the heap itself does not have to be expanded/resized during heap allocations.

Hope that helps,
-chris
Re: GC allocation failure
On 04.01.2018 at 18:20, Christopher Schultz wrote:
> Ambica,
>
> On 1/4/18 11:17 AM, Sanka, Ambica wrote:
>> I am seeing below highlighted errors in native_err logs in all my tomcat applications. I also increased memory for the VM from 4GB to 8GB. Still seeing those. When do we get those errors? I am reading online that when program asks for memory and java cannot give, that's when we see them. Please suggest.
>>
>> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
>> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
>>
>> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC
>
> Others have commented on those messages you received, but nobody mentioned your heap configuration.
>
> In the above command-line arguments, you have specified both the minimum and maximum heap memory. You have expressed those values in bytes, which makes it somewhat hard to read what they actually are, but this is what you

I *think* the JVM top line in GC output always shows bytes, even if you were using other units in the original switches.

> have in readable units:
>
> -XX:InitialHeapSize=128M
> -XX:MaxHeapSize=256M

but yes, that is a valid point!

> So you aren't using an 8GiB heap. You aren't even using a 4GiB heap. You are using a 256 *megabyte* heap. If you really want an 8GiB heap, you'll need to set it properly in your command-line arguments.
>
> Note that setting the initial heap size to anything other than the maximum heap size just makes the JVM take longer to get the heap generations sized appropriately. For a long-running server process, I think it never makes any sense to set initial < max heap size. Always set them to the same value so that the heap itself does not have to be expanded/resized during heap allocations.

Regards,

Rainer
Re: GC allocation failure
Ambica,

On 1/4/18 11:17 AM, Sanka, Ambica wrote:
> I am seeing below highlighted errors in native_err logs in all my tomcat applications. I also increased memory for the VM from 4GB to 8GB. Still seeing those. When do we get those errors? I am reading online that when program asks for memory and java cannot give, that's when we see them. Please suggest.
>
> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
>
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC

Others have commented on those messages you received, but nobody mentioned your heap configuration.

In the above command-line arguments, you have specified both the minimum and maximum heap memory. You have expressed those values in bytes, which makes it somewhat hard to read what they actually are, but this is what you have in readable units:

-XX:InitialHeapSize=128M
-XX:MaxHeapSize=256M

So you aren't using an 8GiB heap. You aren't even using a 4GiB heap. You are using a 256 *megabyte* heap. If you really want an 8GiB heap, you'll need to set it properly in your command-line arguments.

Note that setting the initial heap size to anything other than the maximum heap size just makes the JVM take longer to get the heap generations sized appropriately. For a long-running server process, I think it never makes any sense to set initial < max heap size. Always set them to the same value so that the heap itself does not have to be expanded/resized during heap allocations.

Hope that helps,
-chris
Re: GC allocation failure
Hi Ambica,

On 04.01.2018 at 17:17, Sanka, Ambica wrote:
> I am seeing below highlighted errors in native_err logs in all my tomcat applications. I also increased memory for the VM from 4GB to 8GB. Still seeing those. When do we get those errors? I am reading online that when program asks for memory and java cannot give, that's when we see them. Please suggest.
>
> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
>
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC
> 3.203: [GC (Allocation Failure) 31744K->6311K(121856K), 0.0097261 secs]
> 3.578: [GC (Allocation Failure) 38055K->12368K(121856K), 0.0089875 secs]
> 3.756: [GC (Allocation Failure) 44112K->19589K(121856K), 0.0100339 secs]
> 3.897: [GC (Allocation Failure) 51333K->25872K(153600K), 0.0092326 secs]
> 4.172: [GC (Allocation Failure) 89360K->38878K(153600K), 0.0152940 secs]
> 4.417: [GC (Allocation Failure) 102366K->50311K(148480K), 0.0148816 secs]
> 4.594: [GC (Allocation Failure) 95367K->49903K(151040K), 0.0197327 secs]
> 4.765: [GC (Allocation Failure) 94959K->50213K(148992K), 0.0149008 secs]
> 4.946: [GC (Allocation Failure) 96293K->52257K(150528K), 0.0172634 secs]
> 5.129: [GC (Allocation Failure) 98337K->53118K(151040K), 0.0139426 secs]
> 5.313: [GC (Allocation Failure) 102270K->53234K(152064K), 0.0122307 secs]
> 5.498: [GC (Allocation Failure) 102386K->53579K(153088K), 0.0166336 secs]
> 5.655: [GC (Allocation Failure) 104779K->54486K(153600K), 0.0161735 secs]
> 6.885: [GC (Allocation Failure) 105686K->51523K(153600K), 0.0123126 secs]

These messages are normal; as long as there are no other problems or errors, they are nothing to worry about.

Java manages memory in regions of different sizes and meaning. Allocation for new objects is done in the so-called eden space. This memory region is managed in a very simple way. The JVM allocates from it until it is full (not enough free space left for the current allocation). Then it interrupts the application and runs a Garbage Collection (GC) for this memory region, copying any objects which are still alive from this region into another one (typically into one of the two survivor spaces). At the end of the GC run, eden will be fully cleared and the application can continue, again allocating from eden.

The above message is shown whenever a GC run for eden happens. The reason for the GC run is shown, here "(Allocation Failure)". The GC for eden in your case takes about 10-20 milliseconds and runs about 4-5 times per second. The string "Failure" is somewhat misleading; the failed allocation will be retried and typically succeeds once the GC finishes.

Although you can adjust eden size with specific JVM flags, you probably have only set the heap size, which is the combined size of several JVM memory regions. In that case the JVM will try to auto-tune eden size. If you want to set eden size explicitly, you might need to do more measurements to deduce good settings from those. That would be a somewhat more difficult and not Tomcat specific topic.

Unrelated: note that your JVM 8 patch level 20 is very old.

Regards,

Rainer
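The figures Rainer and Chris read off the log by hand (pause length, collections per second, the heap limits hidden behind byte values) can be checked mechanically. This is an added example, not code from the thread: it parses the PrintGC output quoted above, converts the heap flags to MiB, summarises the young collections, and flags the two situations that would actually warrant action. The 100 ms pause and 80% live-set thresholds are assumed defaults, not values from the thread.

```python
import re
import statistics
from dataclasses import dataclass

# Sample input copied from Ambica's post: the "CommandLine flags:" line and the 14 GC lines, verbatim.
GC_LOG = """\
CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC
3.203: [GC (Allocation Failure) 31744K->6311K(121856K), 0.0097261 secs]
3.578: [GC (Allocation Failure) 38055K->12368K(121856K), 0.0089875 secs]
3.756: [GC (Allocation Failure) 44112K->19589K(121856K), 0.0100339 secs]
3.897: [GC (Allocation Failure) 51333K->25872K(153600K), 0.0092326 secs]
4.172: [GC (Allocation Failure) 89360K->38878K(153600K), 0.0152940 secs]
4.417: [GC (Allocation Failure) 102366K->50311K(148480K), 0.0148816 secs]
4.594: [GC (Allocation Failure) 95367K->49903K(151040K), 0.0197327 secs]
4.765: [GC (Allocation Failure) 94959K->50213K(148992K), 0.0149008 secs]
4.946: [GC (Allocation Failure) 96293K->52257K(150528K), 0.0172634 secs]
5.129: [GC (Allocation Failure) 98337K->53118K(151040K), 0.0139426 secs]
5.313: [GC (Allocation Failure) 102270K->53234K(152064K), 0.0122307 secs]
5.498: [GC (Allocation Failure) 102386K->53579K(153088K), 0.0166336 secs]
5.655: [GC (Allocation Failure) 104779K->54486K(153600K), 0.0161735 secs]
6.885: [GC (Allocation Failure) 105686K->51523K(153600K), 0.0123126 secs]
"""

# <uptime>: [GC (<cause>) <before>K-><after>K(<committed heap>K), <pause> secs]
GC_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+): \[GC \((?P<cause>[^)]+)\) "
    r"(?P<before>\d+)K->(?P<after>\d+)K\((?P<committed>\d+)K\), (?P<secs>\d+\.\d+) secs\]")
HEAP_FLAG = re.compile(r"-XX:(InitialHeapSize|MaxHeapSize)=(\d+)")


@dataclass
class GcEvent:
    ts: float          # seconds since JVM start (-XX:+PrintGCTimeStamps)
    cause: str         # "Allocation Failure" = eden was full; normal, not an error
    before_kb: int     # heap occupancy before the young collection
    after_kb: int      # occupancy after it: the live data that survived
    committed_kb: int  # heap committed right now, which is not the MaxHeapSize ceiling
    pause_s: float     # stop-the-world time of this collection


def parse_gc_log(text):
    """Return ({flag name: bytes}, [GcEvent, ...]); unrecognised lines are skipped."""
    flags, events = {}, []
    for line in text.splitlines():
        if line.startswith("CommandLine flags:"):
            flags.update((name, int(val)) for name, val in HEAP_FLAG.findall(line))
            continue
        m = GC_LINE.match(line)
        if m:
            events.append(GcEvent(float(m["ts"]), m["cause"], int(m["before"]),
                                  int(m["after"]), int(m["committed"]), float(m["secs"])))
    return flags, events


def heap_limits_mib(flags):
    """The JVM echoes heap flags in bytes; MiB makes the real -Xms/-Xmx obvious at a glance."""
    return {name: value / 2**20 for name, value in flags.items()}


def summarize(events):
    """Pause and frequency figures of the kind read off the log by hand in the thread."""
    if not events:
        return {"collections": 0}
    pauses = [e.pause_s for e in events]
    gaps = [later.ts - earlier.ts for earlier, later in zip(events, events[1:])]
    slowest = max(events, key=lambda e: e.pause_s)
    return {
        "collections": len(events),
        "mean_pause_ms": 1000 * statistics.mean(pauses),
        "max_pause_ms": 1000 * slowest.pause_s,
        "slowest_at_s": slowest.ts,
        "median_interval_s": statistics.median(gaps) if gaps else None,
        # pause time relative to JVM uptime at the last collection
        "pct_time_in_gc": 100 * sum(pauses) / events[-1].ts,
        "live_after_last_kb": events[-1].after_kb,
    }


def findings(events, flags, slow_ms=100.0, live_ratio=0.8):
    """The two conditions that make these lines worth acting on; thresholds are assumed defaults."""
    out = [f"{e.ts:.3f}s: young GC paused {1000 * e.pause_s:.1f} ms (>= {slow_ms:g} ms)"
           for e in events if 1000 * e.pause_s >= slow_ms]
    max_kb = flags.get("MaxHeapSize", 0) // 1024
    if events and max_kb and events[-1].after_kb >= live_ratio * max_kb:
        out.append(f"live set {events[-1].after_kb}K is >= {live_ratio:.0%} of MaxHeapSize "
                   f"{max_kb}K: the heap ceiling, not GC frequency, needs attention")
    return out


if __name__ == "__main__":
    flags, events = parse_gc_log(GC_LOG)
    for name, mib in heap_limits_mib(flags).items():
        print(f"{name}: {flags[name]} bytes = {mib:.1f} MiB")
    for key, value in summarize(events).items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
    print("findings:", findings(events, flags) or "none")
```

On the quoted lines this reports a 256 MiB MaxHeapSize, a worst young pause just under 20 ms, a median gap of about 0.18 s between collections, and no findings.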
Re: GC allocation failure
Ambica,

On Jan 4, 2018 9:47 PM, "Sanka, Ambica" wrote:
> I am seeing below highlighted errors in native_err logs in all my tomcat applications. I also increased memory for the VM from 4GB to 8GB. Still seeing those. When do we get those errors?

It is not an error. It is a very normal phenomenon for all Java based applications.

> I am reading online that when program asks for memory and java cannot give, that's when we see them. Please suggest.

That's true. Imagine this scenario: you have a warehouse where you keep different types of stuff. Say you kept adding new stuff daily. One day you'll eventually run out of space. On that day you have two options:

1. get rid of some old stuff which is not needed and make room for the new stuff
2. extend your old warehouse

The same thing happens when you run Java programs. What you are seeing in the log is called Garbage Collection (GC) and is similar to opt#1. What you did by increasing memory is like opt#2.

Again, GC activity is normal until that operation takes a long time and affects your application response time. I will suggest that you please read about Garbage Collection in Java. Google is your friend.

Thanks!
Suvendu

> Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
> Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)
>
> CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC
> 3.203: [GC (Allocation Failure) 31744K->6311K(121856K), 0.0097261 secs]
> 3.578: [GC (Allocation Failure) 38055K->12368K(121856K), 0.0089875 secs]
> 3.756: [GC (Allocation Failure) 44112K->19589K(121856K), 0.0100339 secs]
> 3.897: [GC (Allocation Failure) 51333K->25872K(153600K), 0.0092326 secs]
> 4.172: [GC (Allocation Failure) 89360K->38878K(153600K), 0.0152940 secs]
> 4.417: [GC (Allocation Failure) 102366K->50311K(148480K), 0.0148816 secs]
> 4.594: [GC (Allocation Failure) 95367K->49903K(151040K), 0.0197327 secs]
> 4.765: [GC (Allocation Failure) 94959K->50213K(148992K), 0.0149008 secs]
> 4.946: [GC (Allocation Failure) 96293K->52257K(150528K), 0.0172634 secs]
> 5.129: [GC (Allocation Failure) 98337K->53118K(151040K), 0.0139426 secs]
> 5.313: [GC (Allocation Failure) 102270K->53234K(152064K), 0.0122307 secs]
> 5.498: [GC (Allocation Failure) 102386K->53579K(153088K), 0.0166336 secs]
> 5.655: [GC (Allocation Failure) 104779K->54486K(153600K), 0.0161735 secs]
> 6.885: [GC (Allocation Failure) 105686K->51523K(153600K), 0.0123126 secs]
>
> Thanks
> Ambica.
GC allocation failure
I am seeing below highlighted errors in native_err logs in all my tomcat applications. I also increased memory for the VM from 4GB to 8GB. Still seeing those. When do we get those errors? I am reading online that when program asks for memory and java cannot give, that's when we see them. Please suggest.

Java HotSpot(TM) 64-Bit Server VM (25.20-b23) for linux-amd64 JRE (1.8.0_20-b26), built on Jul 30 2014 13:13:52 by "java_re" with gcc 4.3.0 20080428 (Red Hat 4.3.0-8)
Memory: 4k page, physical 8061572k(2564740k free), swap 4063228k(4063228k free)

CommandLine flags: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/apache/ancillariesmonitoring/logs/ -XX:InitialHeapSize=128985152 -XX:MaxHeapSize=268435456 -XX:+PrintGC -XX:+PrintGCTimeStamps -XX:+UseCompressedClassPointers -XX:+UseCompressedOops -XX:+UseParallelGC
3.203: [GC (Allocation Failure) 31744K->6311K(121856K), 0.0097261 secs]
3.578: [GC (Allocation Failure) 38055K->12368K(121856K), 0.0089875 secs]
3.756: [GC (Allocation Failure) 44112K->19589K(121856K), 0.0100339 secs]
3.897: [GC (Allocation Failure) 51333K->25872K(153600K), 0.0092326 secs]
4.172: [GC (Allocation Failure) 89360K->38878K(153600K), 0.0152940 secs]
4.417: [GC (Allocation Failure) 102366K->50311K(148480K), 0.0148816 secs]
4.594: [GC (Allocation Failure) 95367K->49903K(151040K), 0.0197327 secs]
4.765: [GC (Allocation Failure) 94959K->50213K(148992K), 0.0149008 secs]
4.946: [GC (Allocation Failure) 96293K->52257K(150528K), 0.0172634 secs]
5.129: [GC (Allocation Failure) 98337K->53118K(151040K), 0.0139426 secs]
5.313: [GC (Allocation Failure) 102270K->53234K(152064K), 0.0122307 secs]
5.498: [GC (Allocation Failure) 102386K->53579K(153088K), 0.0166336 secs]
5.655: [GC (Allocation Failure) 104779K->54486K(153600K), 0.0161735 secs]
6.885: [GC (Allocation Failure) 105686K->51523K(153600K), 0.0123126 secs]

Thanks
Ambica.
Re: Using existing LetsEncrypt certs with tomcat
Paul,

On 1/4/18 12:50 AM, Paul Beard wrote:
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz wrote:
>>
>> In there, I detail how to put everything together. There is a script that builds a Java keystore that Tomcat can use. That script demonstrates how to take an existing key+certificate+chain, convert it into a Java keystore and then make it active. The script actually requests a renewal of the certificate from Let's Encrypt (which may say "no renewal required") and then only re-builds the keystore if the key/cert have actually changed.
>
> This looks great but I suspect my problems are more basic, like getting *any* cert to be honored, even a self-signed one.

Were you able to get Let's Encrypt to generate a key and LE-signed certificate? If not, that's obviously the first step. You don't need TLS working in order to get an LE-signed certificate. Slide #20 has the command you need to run in order to get an initial certificate. Slides 16-19 cover the iptables routing required to allow LE to connect over port 80/443 when Tomcat is binding to port 8080/8443.

> This step — ... /> — eludes me. I added that to an existing Connector stanza but I am seeing these errors which suggests (?) I did that wrong:
>
> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
> java.io.IOException: Keystore was tampered with, or password was incorrect

Slides 21 - 24 cover my investigation for how to replace Tomcat's keystore while it's running in a safe-ish way. The presentation was a bit of an explanation for how I was able to ultimately build the final script. You don't have to perform every step in the presentation. What you really want to do is look at slide #28 which has the overview of the process *after* you have the first cert from LE. So, assuming you have it, you can basically use my script directly.

>            protocol="org.apache.coyote.http11.Http11Protocol"
>            keystoreFile="conf/keystore.jks" keystorePass="qwerty"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS" />

I'd recommend that you use NIO. I'd also recommend that you upgrade from Tomcat 7.0.x to Tomcat 8.5.x if possible. It already handles dynamic reloading of TLS configuration, so you won't need any (albeit short) unavailability of your Tomcat instance.

> But that seems outside the scope of what I was asking. I'll take another look tomorrow... took entirely too long to get the symlink step to work as expected. Had to change to the conf directory for it to work. Too late in the day for this to make any sense. :)
>
> Thanks for the presentation. I'm sure it will make sense to me eventually.

Mark pointed to the Tomcat "presentations" page where you can find a link to this LE/Tomcat presentation as well as the audio of my presentation of these slides at ApacheCon in Miami last year. Perhaps the audio will give you more information than is actually contained in the slides.

Hope that helps,
-chris
Re: ALv2 Tomcat Training material
On Thu, Jan 4, 2018 at 8:01 AM, Mark Thomas wrote:
> On 04/01/18 11:31, Marek Czernek wrote:
>> Hi Mark,
>>
>> I think this is a great idea. Before doing any brainstorming though, I wonder about the following:
>>
>> 1. Who'd be the target audience? And what skill level would you want to target? Any pre-requisites?

People that ask questions on freenode :)

> The short version is whatever the Tomcat community (i.e. the members of this list) would find most useful. Possible examples that come to mind are:
> - an introductory course for an experienced sysadmin that knows nothing about Tomcat
> - in depth trouble-shooting
>
> But rather than just my random ideas, I'd love to hear what the community wants.

I can try and compile a list of questions from my IRC scrollback to add as ideas. I also started a quickstarts repo on github but that's mostly focused on tomcat embedded since there isn't much in the way of examples around. I also considered working on interactive courses and putting them on https://katacoda.com/.

>> 2. Should it be purely Tomcat, or do you want to talk about various frameworks that integrate with Tomcat in some manner? (Hibernate comes to mind, for example)
>
> This is easy. Purely Tomcat.
>
>> 3. What goals would you like to achieve? I.e., would you want to create a course for a community and potential future contributors, or would your goal be a course for experts to get things done asap? Imho those two goals require different approaches. If the answer is 'both', that could be sub-optimal (though understandable). Or do you imagine completely different goal(s)?
>
> My original thinking was training for end users of any/all levels. However, if there was interest we could add some modules on how to become a contributor, committer, PMC member etc.

+1, I sometimes get questions about how to contribute, become a committer, etc and share my experience (and the CONTRIBUTING guide on github), but having a more formal document on what to do for our project would be nice.

>> My main question is 'WHY'. What is the hole we're trying to fill in? Do you want people to have a quick yet quite deep understanding of basic concepts and fundamentals? Do you want people to be more excited about Tomcat? Do you want to shed light on an obscure integration pattern that is highly useful? Do you want to create a certification that would be beneficial for job interviews? Some of the answers might be complementary, but a lot of them are almost opposite to each other, imho.
>
> Why? Because I think that there is a community demand for this. I once ran a Tomcat training course at ApacheCon for which I did ZERO marketing (the only marketing was that it was listed as an option when registering - and an expensive option at that) and ~15 people signed up.
>
> I want to help people understand how to use Tomcat. Hopefully, a side-effect will be that even more great people show up here.
>
> I'm not interested in creating a certification or anything similar.
>
> HTH explain my thinking.
>
> Mark
>
>> On 01/04/2018 11:16 AM, Mark Thomas wrote:
>>> Hi,
>>>
>>> One of the things on my TODO list is to put together some Tomcat training material licensed under the Apache License (version 2), i.e. material that would be made freely available for folks to use.
>>>
>>> I'd also like to make the training material available on YouTube as well as run some training courses (for a small fee) to deliver the material face to face.
>>>
>>> The structure I have in mind is a series of modules (say 30 mins in length) that can be organised in different ways to suit different needs. e.g. put the introductory modules for each area together to provide an 'Introduction to Tomcat' course, put all the TLS modules together to provide an in depth 'Tomcat and TLS' course etc.
>>>
>>> I think a lot of the raw content is already available. We have the various Tomcat presentations that have been given over the years and my employer has agreed to let me make use of the material from our (now possibly a little dated) Tomcat training courses.
>>>
>>> I can't do this alone. Not in any reasonable time frame anyway. So I am reaching out to the community for help.
>>>
>>> The first step is to come up with:
>>> - a list of modules
>>> - potential courses formed from combinations of modules
>>>
>>> I am asking for your ideas for modules, courses and combinations of modules that could make up those courses.
>>>
>>> We have a blank wiki page to host this:
>>> https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course
>>>
>>> Feel free to ask for edit access to that page (you'll need to create an account and let us know the user name) so you can add ideas directly or add ideas to this thread and I'll add them to the wiki page.
>>>
>>> The second step is to start populating the modules with actual
authentication via IIS front-end proxy
Hi Team, We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache to host javacontainer for Rest calls for our Siebel application. The javacontainer is listening to Port 9001 as below- We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation. ---Steps followed : There are three steps to configuring IIS to provide Windows authentication. They are: 1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To). This is done and working as expected 2. Configure IIS to use Windows authentication This is done and working as expected 3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization. Q1 We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error :- Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username. Q2 Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False" Q3 Do we need to install AJP connector on top of Tomcat or its installed by default, or we do not need it for Windows Authentication. Thanks & Regards, Suraj Agrawal -Original Message- From: users-h...@tomcat.apache.org [mailto:users-h...@tomcat.apache.org] Sent: Wednesday, January 3, 2018 12:03 PM To: Agrawal, Suraj (CORP) Subject: WELCOME to users@tomcat.apache.org Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing list. I'm working for my owner, who can be reached at users-ow...@tomcat.apache.org. 
Re: ALv2 Tomcat Training material
On 04.01.2018 14:01, Mark Thomas wrote:
> On 04/01/18 11:31, Marek Czernek wrote:
>> Hi Mark,
>>
>> I think this is a great idea. Before doing any brainstorming though, I wonder about the following:
>>
>> 1. Who'd be the target audience? And what skill level would you want to target? Any pre-requisites?
>
> The short version is whatever the Tomcat community (i.e. the members of this list) would find most useful. Possible examples that come to mind are:
> - an introductory course for an experienced sysadmin that knows nothing about Tomcat

Suggestion : explain to an experienced sysadmin who knows nothing about Tomcat or Java (but a lot about system utilities etc) how to set up a coherent and easy-to-manage logging system for tomcat (and applications therein), including (safe) log rotation, archiving, cleanup etc.

> - in depth trouble-shooting
>
> But rather than just my random ideas, I'd love to hear what the community wants.
>
>> 2. Should it be purely Tomcat, or do you want to talk about various frameworks that integrate with Tomcat in some manner? (Hibernate comes to mind, for example)
>
> This is easy. Purely Tomcat.
>
>> 3. What goals would you like to achieve? I.e., would you want to create a course for a community and potential future contributors, or would your goal be a course for experts to get things done asap? Imho those two goals require different approaches. If the answer is 'both', that could be sub-optimal (though understandable). Or do you imagine completely different goal(s)?
>
> My original thinking was training for end users of any/all levels. However, if there was interest we could add some modules on how to become a contributor, committer, PMC member etc.
>
>> My main question is 'WHY'. What is the hole we're trying to fill in. Do you want people to have quick yet quite deep understanding of basic concepts and fundamentals? Do you want people to be more excited about Tomcat? Do you want to shed light on an obscure integration pattern that is highly useful? Do you want to create a certification that would be beneficial for job interviews? Some of the answers might be complementary, but a lot of them are almost opposite to each other, imho.
>
> Why? Because I think that there is a community demand for this.
>
> I once ran a Tomcat training course at ApacheCon for which I did ZERO marketing (the only marketing was that it was listed as an option when registering - and an expensive option at that) and ~15 people signed up.
>
> I want to help people understand how to use Tomcat. Hopefully, a side-effect will be that even more great people show up here.
>
> I'm not interested in creating a certification or anything similar.
>
> HTH explain my thinking.
>
> Mark
>
>> On 01/04/2018 11:16 AM, Mark Thomas wrote:
>>> [...]
Re: WELCOME to users@tomcat.apache.org
Additional suggestion : the next time, use a meaningful subject for your emails to the list, indicating the kind of issue you are stuck with. That will help people here to see quickly if they can respond usefully to your questions, without having to read the whole message.

bad : hit "reply" on a previous unrelated message
bad : !! URGENT HELP NEEDED !!
bad : Problem with Tomcat !!!
good : authentication via IIS front-end proxy
good : hit "reply list" on the previous *related* message

On 04.01.2018 15:07, André Warnier (tomcat) wrote:
> [...]
Re: WELCOME to users@tomcat.apache.org
Hi.

On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
> Hi Team,
>
> We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache to host javacontainer for Rest calls for our Siebel application. The javacontainer is listening to Port 9001 as below-
>
> We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation.
>
> ---Steps followed :
>
> There are three steps to configuring IIS to provide Windows authentication. They are:
>
> 1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
>    This is done and working as expected

There is a bit of confusing information in the page
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat containers".

In fact, "mod_jk" and "ISAPI redirector" are functionally the same thing (and probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver front-end (Windows only)

But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the HTTP Connector.

The AJP protocol is somewhat different from HTTP :
- both essentially carry the same information (requests and responses) but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the front-end to the back-end, is the authenticated user-id on the front-end, if any. (HTTP does not normally do this in any standard way).

At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false) serves to tell Tomcat to either "believe" (false) the user-id that it receives from the front-end through AJP, or to ignore it (true) and do its own authentication anyway.

At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP Connector (and protocol).
See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
(tomcatAuthentication AND tomcatAuthorization)
while here : http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).

> 2. Configure IIS to use Windows authentication
>    This is done and working as expected
>
> 3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.

Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)

> Q1 We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error :-
>
> Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username.

Your problem may be there, with this "anonymous" authentication at the IIS level. Maybe the isapi_redirector interprets this as "no user", and transmits an empty user-id to Tomcat.
Have you tried with a real Windows-level user-id ?

> Q2 Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"

Yes, probably.

> Q3 Do we need to install AJP connector on top of Tomcat or it's installed by default, or we do not need it for Windows Authentication.

You do need it. It is provided by default, but you may need to uncomment the corresponding lines in the server.xml file.
Considering your previous statements above, make sure that the HTTP Connector (if any) and the AJP Connector (if any) use different ports. And on the IIS/ISAPI redirector side, make sure that the settings specify the correct (AJP) port.

This is all quite logical, but a bit convoluted, due to the many ways in which you can use a front-end with Tomcat, and the many ways in which one can do authentication/authorization in the WWW.
I have found that it often helps to draw a schema in advance, such as

browser <--(1)--> front-end (2) <-(4)---> tomcat (5)
                  + proxy module (3)      + Connector(6)

where :
(1) is the protocol used between the browser and the front-end http server (HTTP or HTTPS)
(2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its own authentication/authorization or
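The two configuration mistakes the reply walks through (tomcatAuthentication set on the HTTP connector, where the docs do not list it and it is ignored, and HTTP and AJP connectors competing for the same port) can be checked mechanically before Tomcat is restarted. The script below is an added example, not code from this thread or from the Tomcat project; it lints the Connector elements of a server.xml with Python's standard library. Both sample documents are constructed for the example and are not the poster's real file, and the function and constant names are the example's own. It also flags an AJP connector that has tomcatAuthentication="false" but no address attribute, because such a connector believes whatever user id the front-end sends and should therefore be reachable only from that front-end.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's real server.xml): the HTTP connector
# from the thread carrying tomcatAuthentication, plus two AJP connectors,
# one of which collides with the HTTP port and listens on all interfaces.
BROKEN_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9001" protocol="HTTP/1.1" tomcatAuthentication="false"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false"/>
    <Connector port="9001" protocol="AJP/1.3" tomcatAuthentication="false"/>
  </Service>
</Server>
"""

# Same layout corrected: the attribute lives on the AJP connector only,
# the ports are distinct, and AJP is bound to loopback for a local proxy.
FIXED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9001" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" redirectPort="8443"/>
  </Service>
</Server>
"""

# Attributes the Tomcat docs list for the AJP connector only; on an HTTP
# connector they are silently ignored.
AJP_ONLY_ATTRS = ("tomcatAuthentication", "tomcatAuthorization")
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def is_ajp(connector):
    """True for an AJP connector: protocol="AJP/1.3" or an explicit AJP class name."""
    proto = connector.get("protocol", "HTTP/1.1")  # Tomcat defaults to HTTP/1.1
    return proto == "AJP/1.3" or proto.startswith("org.apache.coyote.ajp.")


def lint_connectors(server_xml):
    """Return a list of (level, message) findings for the Connector elements."""
    findings = []
    ports_seen = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        kind = "AJP" if is_ajp(conn) else "HTTP"

        # 1. tomcatAuthentication / tomcatAuthorization only mean something on AJP.
        if kind != "AJP":
            for attr in AJP_ONLY_ATTRS:
                if attr in conn.attrib:
                    findings.append(("WARN", f"port {port}: {attr} is ignored on an "
                                     "HTTP connector; set it on the AJP connector instead"))

        # 2. Two connectors on one port: the second one fails to bind at startup.
        if port in ports_seen:
            findings.append(("ERROR", f"port {port}: already used by the "
                             f"{ports_seen[port]} connector"))
        else:
            ports_seen[port] = kind

        # 3. With tomcatAuthentication="false" Tomcat believes the user id the
        #    front-end forwards, so the AJP port must be reachable only by that
        #    front-end; an explicit address makes that trust boundary visible.
        if kind == "AJP" and conn.get("tomcatAuthentication", "true").lower() == "false":
            address = conn.get("address")
            if address is None or address in WILDCARD_ADDRESSES:
                findings.append(("WARN", f"port {port}: AJP connector trusts the "
                                 "front-end user id but listens on all interfaces; "
                                 "bind it with address= to the proxy's network"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"== {name} ==")
        for level, msg in lint_connectors(doc) or [("OK", "no findings")]:
            print(f"{level}: {msg}")
```

Run it against a real file with `lint_connectors(open("conf/server.xml").read())`. The third check is the defensive one: once the front-end is the only authenticator, the AJP listener is the trust boundary, and the port the ISAPI redirector is pointed at should not be one that other hosts can reach.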
Re: ALv2 Tomcat Training material
On 04/01/18 11:31, Marek Czernek wrote:
> Hi Mark,
>
> I think this is a great idea. Before doing any brainstorming though, I wonder about the following:
>
> 1. Who'd be the target audience? And what skill level would you want to target? Any pre-requisites?

The short version is whatever the Tomcat community (i.e. the members of this list) would find most useful. Possible examples that come to mind are:
- an introductory course for an experienced sysadmin that knows nothing about Tomcat
- in depth trouble-shooting

But rather than just my random ideas, I'd love to hear what the community wants.

> 2. Should it be purely Tomcat, or do you want to talk about various frameworks that integrate with Tomcat in some manner? (Hibernate comes to mind, for example)

This is easy. Purely Tomcat.

> 3. What goals would you like to achieve? I.e., would you want to create a course for a community and potential future contributors, or would your goal be a course for experts to get things done asap? Imho those two goals require different approaches. If the answer is 'both', that could be sub-optimal (though understandable). Or do you imagine completely different goal(s)?

My original thinking was training for end users of any/all levels. However, if there was interest we could add some modules on how to become a contributor, committer, PMC member etc.

> My main question is 'WHY'. What is the hole we're trying to fill in. Do you want people to have quick yet quite deep understanding of basic concepts and fundamentals? Do you want people to be more excited about Tomcat? Do you want to shed light on an obscure integration pattern that is highly useful? Do you want to create a certification that would be beneficial for job interviews? Some of the answers might be complementary, but a lot of them are almost opposite to each other, imho.

Why? Because I think that there is a community demand for this.

I once ran a Tomcat training course at ApacheCon for which I did ZERO marketing (the only marketing was that it was listed as an option when registering - and an expensive option at that) and ~15 people signed up.

I want to help people understand how to use Tomcat. Hopefully, a side-effect will be that even more great people show up here.

I'm not interested in creating a certification or anything similar.

HTH explain my thinking.

Mark

>
> On 01/04/2018 11:16 AM, Mark Thomas wrote:
>> [...]
Re: ALv2 Tomcat Training material
Hi Mark,

I think this is a great idea. Before doing any brainstorming though, I wonder about the following:

1. Who'd be the target audience? And what skill level would you want to target? Any pre-requisites?

2. Should it be purely Tomcat, or do you want to talk about various frameworks that integrate with Tomcat in some manner? (Hibernate comes to mind, for example)

3. What goals would you like to achieve? I.e., would you want to create a course for a community and potential future contributors, or would your goal be a course for experts to get things done asap? Imho those two goals require different approaches. If the answer is 'both', that could be sub-optimal (though understandable). Or do you imagine completely different goal(s)?

My main question is 'WHY'. What is the hole we're trying to fill in. Do you want people to have quick yet quite deep understanding of basic concepts and fundamentals? Do you want people to be more excited about Tomcat? Do you want to shed light on an obscure integration pattern that is highly useful? Do you want to create a certification that would be beneficial for job interviews? Some of the answers might be complementary, but a lot of them are almost opposite to each other, imho.

On 01/04/2018 11:16 AM, Mark Thomas wrote:
> [...]

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

--
Marek Czernek
Associate Quality Engineer
ALv2 Tomcat Training material
Hi,

One of the things on my TODO list is to put together some Tomcat training material licensed under the Apache License (version 2). i.e. material that would be made freely available for folks to use.

I'd also like to make the training material available on YouTube as well as run some training courses (for a small fee) to deliver the material face to face.

The structure I have in mind is a series of modules (say 30 mins in length) that can be organised in different ways to suit different needs. e.g. put the introductory modules for each area together to provide an 'Introduction to Tomcat course', put all the TLS modules together to provide an in depth 'Tomcat and TLS' course etc.

I think a lot of the raw content is already available. We have the various Tomcat presentations that have been given over the years and my employer has agreed to let me make use of the material from our (now possibly a little dated) Tomcat training courses.

I can't do this alone. Not in any reasonable time frame anyway. So I am reaching out to the community for help.

The first step is to come up with:
- a list of modules
- potential courses formed from combinations of modules

I am asking for your ideas for modules, courses and combinations of modules that could make up those courses.

We have a blank wiki page to host this:
https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course

Feel free to ask for edit access to that page (you'll need to create an account and let us know the user name) so you can add ideas directly or add ideas to this thread and I'll add them to the wiki page.

The second step is to start populating the modules with actual content. As a motivator to get this done, I'd like to run a public Tomcat training course in late March / early April using this material. My current thinking is that the course would cost ~£100 plus food per person for the full day.

Possible locations for this course are:
- Cardiff
- Birmingham
- Manchester
- Glasgow
(all in the UK - if successful we can expand to mainland Europe and beyond)

My second request is for feedback on which location(s) are preferable and what content would you like to see in the training course. I'll take this feedback, put together a course and then make it available to book.

I look forward to all your ideas.

Mark
Re: Using existing LetsEncrypt certs with tomcat
On 04/01/18 05:50, Paul Beard wrote:
>
>
>> On Jan 3, 2018, at 11:33 AM, Christopher Schultz wrote:
>>
>> In there, I detail how to put everything together. There is a script that builds a Java keystore that Tomcat can use. That script demonstrates how to take an existing key+certificate+chain, convert it into a Java keystore and then make it active. The script actually requests a renewal of the certificate from Let's Encrypt (which may say "no renewal required") and then only re-builds the keystore if the key/cert have actually changed.
>
> This looks great but I suspect my problems are more basic, like getting *any* cert to be honored, even a self-signed one.
>
> This step — — eludes me. I added that to an existing Connector stanza but I am seeing these errors which suggests (?) I did that wrong:
>
> SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
> java.io.IOException: Keystore was tampered with, or password was incorrect
>
> keystoreFile="conf/keystore.jks" keystorePass="qwerty"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" />
>
> But that seems outside the scope of what I was asking. I'll take another look tomorrow…took entirely too long to get the symlink step to work as expected. Had to change to the conf directory for it to work. Too late in the day for this to make any sense.
>
> Thanks for the presentation. I'm sure it will make sense to me eventually.

This might help.
https://www.youtube.com/watch?v=I6TbMqH9WFg

The complete list of webinars, presentations etc. (many with audio or video) is available here:
http://tomcat.apache.org/presentations.html

Mark
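The "Keystore was tampered with, or password was incorrect" line Paul quotes is raised by Java's JKS loader when the SHA-1 integrity digest stored at the end of the file does not match the digest recomputed from the supplied password and the file contents, so a wrong keystorePass, a corrupted file, and a file that is not JKS at all (a PKCS12 keystore or a PEM bundle) all surface as the same message. The script below is an added example, not code from this thread, from Christopher Schultz's presentation, or from Tomcat; it reproduces that integrity check in Python so a keystore file can be tested against a candidate password before it goes into server.xml. `build_empty_jks` is the example's own helper that constructs a minimal zero-entry keystore for the demonstration; the function names and the sample password are the example's assumptions.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED            # first four bytes of every JKS file
JKS_VERSION = 2                   # version keytool writes for the JKS type
JKS_SALT = b"Mighty Aphrodite"    # fixed string Sun's JavaKeyStore mixes into the digest
DIGEST_LEN = 20                   # SHA-1 digest length

# The exact text Tomcat logged in the thread; Java raises it on a digest mismatch.
TAMPERED_MSG = "Keystore was tampered with, or password was incorrect"


def _prekeyed_sha1(password):
    """SHA-1 seeded the way JavaKeyStore does it: password as UTF-16BE, then the salt."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_SALT)
    return md


def build_empty_jks(password):
    """Construct a valid JKS with zero entries (constructed test input, not a real keystore)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)  # magic, version, entry count
    md = _prekeyed_sha1(password)
    md.update(body)                                        # digest covers everything before it
    return body + md.digest()


def check_jks_password(data, password):
    """Return "ok", or the reason loading this keystore with this password would fail."""
    if len(data) < 12 + DIGEST_LEN:
        return "file too short to be a JKS keystore"
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC:
        return "not a JKS keystore (bad magic): PKCS12 or PEM input?"
    if version not in (1, 2):
        return f"unsupported JKS version {version}"
    body, stored_digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    md = _prekeyed_sha1(password)
    md.update(body)
    if md.digest() != stored_digest:
        # Indistinguishable cases: wrong password, or bytes changed anywhere in the file.
        return TAMPERED_MSG
    return "ok"


def check_keystore_file(path, password):
    """Convenience wrapper for a keystore on disk, e.g. conf/keystore.jks."""
    with open(path, "rb") as fh:
        return check_jks_password(fh.read(), password)


if __name__ == "__main__":
    ks = build_empty_jks("changeit")
    print(check_jks_password(ks, "changeit"))  # ok
    print(check_jks_password(ks, "qwerty"))    # the message from the thread
```

Because the check only needs the password and the file bytes, it can be run on the exact file Tomcat's keystoreFile points at, which also catches the case where a relative path resolves somewhere other than the file that was just built. A file that fails the magic check was not produced as JKS; Tomcat's keystoreType attribute selects the other formats.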