Re: Tomcat with half open tcp sockets
Alex,

On 9/29/18 08:31, Alex O'Ree wrote:
> Does tomcat detect or mitigate against half open tcp connections?

Not directly. Basically, that's the OS's job.

> I recently ran into an issue where something in between a java
> jaxws client and a jaxws service running in tomcat is interfering
> with the tcp stream. Resolving this client side has been a
> challenge due to the transmitting thread hanging forever waiting to
> read from the remote server and not being able to be interrupted or
> aborted. While troubleshooting this, it dawned on me that services
> running in tomcat may run into a similar problem and was wondering
> if tomcat has any safeguards for this scenario. If it does, what
> is the strategy used? I'm thinking maybe I can do something similar
> client side.

In these cases, the only option the server has is to close the
connection and then let the TCP stack purge the connection after some
time in the penalty box (FIN_WAIT, FIN_WAIT2, or TIME_WAIT).

If you see these kinds of connections piling up, you may want to tweak
the options of your TCP stack to have them cleared out more quickly.
-chris
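The client-side hang Alex describes (a read that never returns) is exactly what a socket read timeout exists to break. The following is an added example, not code from this thread: a plain java.net.Socket client with bounded connect and read, run against a constructed local peer that accepts the connection and then never answers. The JAX-WS RI request-context property names in the comment are assumed for that stack and should be checked against the client library in use.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

public class StalledPeerDemo {
    // Connects and reads with explicit deadlines. Returns the first byte
    // received, or -1 when the peer accepted the connection but never
    // answered before readMs elapsed. Either way the socket is closed, so
    // the OS can reap it (FIN_WAIT/TIME_WAIT) instead of a thread hanging.
    static int readWithDeadline(InetSocketAddress addr, int connectMs, int readMs)
            throws IOException {
        try (Socket s = new Socket()) {
            s.connect(addr, connectMs);   // bounded connect
            s.setSoTimeout(readMs);       // bounded blocking read
            s.getOutputStream().write("PING\n".getBytes(StandardCharsets.US_ASCII));
            s.getOutputStream().flush();
            return s.getInputStream().read();
        } catch (SocketTimeoutException e) {
            return -1;
        }
    }

    // For a JAX-WS RI (Metro) client the same deadlines go in the request
    // context; the property names below are assumed for that stack:
    //   bp.getRequestContext().put("com.sun.xml.ws.connect.timeout", 1000);
    //   bp.getRequestContext().put("com.sun.xml.ws.request.timeout", 2000);
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the silent peer: accepts, then says nothing.
        try (ServerSocket silent = new ServerSocket(0)) {
            Thread acceptor = new Thread(() -> {
                try (Socket held = silent.accept()) {
                    Thread.sleep(10_000);     // hold it open, never reply
                } catch (Exception ignored) {
                }
            });
            acceptor.setDaemon(true);
            acceptor.start();
            InetSocketAddress addr = new InetSocketAddress("127.0.0.1", silent.getLocalPort());
            long t0 = System.nanoTime();
            int result = readWithDeadline(addr, 1_000, 2_000);
            long elapsedMs = (System.nanoTime() - t0) / 1_000_000;
            System.out.println("read returned " + result + " after " + elapsedMs + " ms");
        }
    }
}
```

Without the setSoTimeout call the read in readWithDeadline blocks for as long as the peer holds the connection open, which is the hang described in the question.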
Tomcat custom location for configuration
Hello SMEs,

I am looking at Tomcat documentation to see if there is a way to move the “/conf” to a custom location and use this path while running the startup/shutdown scripts. I have looked at https://github.com/apache/tomcat85/blob/TOMCAT_8_5_34/java/org/apache/catalina/startup/Catalina.java and confirmed we can pass a -config to the Tomcat scripts (catalina.bat/sh, startup.bat/sh, etc.).

Wanted to confirm:

1. Why is the “-config” option not documented as part of the help of the startup/shutdown scripts? Is this a supported configuration that we can use without worrying about future breaking changes in this?

2. Currently, as part of the “-config” option we’re able to pass the path to server.xml only. What is required to be done so that the entire Tomcat configuration (conf directory) can be moved to a custom location?

3. I am still debugging why, but on Linux setups I have observed the “configtest” script isn’t working with “-config ”. I am seeing “WARNING: Unable to load server configuration from [path_to_server_dot_xml] Configuration error detected!”. Is this a known issue on Linux systems? It seemed to work fine for Windows.

Appreciate your inputs.

Thanks,
Amit
Re: [bulk] Re: SSL on Tomcat
Hey, are you working on something at the moment? All applications here were just unreachable from outside. Internally it worked ...

Regards
Mario

-----Original Message-----
From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
Sent: Tuesday, 2 October 2018 09:07
To: Tomcat Users List
Subject: [bulk] Re: SSL on Tomcat

Thanks Chris,
Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández wrote:
> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> On Mon, 1 Oct 2018 at 20:39, Christopher Schultz (<ch...@christopherschultz.net>) wrote:
>
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the
> > > root Certificate Authority public key and import it in your client
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's
> > cert directly.
> >
> > > If you did not change it, the client (java) default keystore is
> > > located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -file
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time
> > you change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for
> > that service (client) and use it EXPLICITLY.
> >
> > -chris
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett
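Chris's advice to give the client its own trust store and use it explicitly, as an added example that is not from the thread: a dedicated PKCS12 store holding only the service certificate is loaded into an SSLContext and installed on one HttpsURLConnection, so the JVM-wide cacerts is untouched and no later JVM or other service inherits the trust. The file name service-truststore.p12, its password, and the URL path are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ServiceTrustStoreClient {

    // Builds a socket factory that trusts only what is in the given store.
    // Nothing here touches $JAVA_HOME/.../cacerts or JVM-wide system properties,
    // so other services in this or any later JVM gain no trust from it.
    static SSLSocketFactory socketFactoryFor(String storePath, char[] storePassword)
            throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(storePath)) {
            trust.load(in, storePassword);
        }
        // Fail closed: an empty store must not silently mean "no restriction".
        if (trust.size() == 0) {
            throw new IllegalStateException("no certificates in " + storePath);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed store name and password. Create it once with the narrowest
        // cert that works (the server's own cert if possible), for example:
        //   keytool -importcert -file the_downloaded_ca.crt -alias service \
        //     -keystore service-truststore.p12 -storetype PKCS12 -storepass changeme
        SSLSocketFactory sf =
                socketFactoryFor("service-truststore.p12", "changeme".toCharArray());

        // Assumed service URL. The factory is installed on this connection only.
        // Hostname verification stays on: the cert must carry 192.168.1.120 as a SAN.
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://192.168.1.120:8443/service").openConnection();
        conn.setSSLSocketFactory(sf);
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(10_000);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```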
Re: SSL on Tomcat
Thanks Chris,
Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández wrote:
> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> On Mon, 1 Oct 2018 at 20:39, Christopher Schultz (<ch...@christopherschultz.net>) wrote:
Re: SSL on Tomcat
Hello Christopher,

It makes sense, thank you very much for your advice!

Cheers,

Luis

On Mon, 1 Oct 2018 at 20:39, Christopher Schultz (<ch...@christopherschultz.net>) wrote:

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett