Re: Replacement / alternatives of Tomcat-juli.jar and Tomcat-juli-adapters.jar in Tomcat 9

2021-02-25 Thread Ravi Kumar 
Hi Luis,
Thank you for your suggestion and valuable information.
Appreciate the assistance.

Regards,
Ravi

On Wed, Feb 24, 2021 at 10:06 PM Luis Rodríguez Fernández 
wrote:

> Hello Ravi,
>
> Here [1] upi can find an example of tomcat 9 + log4j2.
>
> Hope it helps,
>
> Luis
>
> [1] https://github.com/lurodrig/log4j2-in-tomcat
>
> El mié, 24 feb 2021 a las 17:09, Ravi Kumar ()
> escribió:
>
> > Hi Mark,
> >
> > Thanks for the suggestion and help. We will review and revert .
> >
> > Thanks again.
> > Regards,
> > Ravi
> >
> > On Wed, Feb 24, 2021 at 9:30 PM Mark Thomas  wrote:
> >
> > > On 24/02/2021 15:57, Ravi Kumar wrote:
> > > > Hi Tomcat Team,
> > > >
> > > > We used to have *Tomcat-juli.jar and Tomcat-juli-adapters.jar*
> > available
> > > on
> > > > Tomcat7 download pages under the EXTRAS directory.
> > > >
> > > > But with Tomcat 9, we don't have these 2 jars or in fact extras
> folder
> > > > available. We use these jars for logging purposes of the
> > web-application
> > > > console.
> > > >
> > > > Could you please suggest any alternative jars or any other way for
> > > > accommodating this replacements in Tomcat 9 ?
> > >
> > > Those were for log4j 1.x which is no longer supported.
> > >
> > > If you want to use log4j 2.x that can intercept java.util.logging
> > > (Tomcat's default logging system) without additional Tomcat JARs.
> > > Details on how to intercept j.u.l should be in the log4j 2.x docs.
> > >
> > > Mark
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> >
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

Re: Run servlets on Nashorn written in server-side JavaScript

2021-02-25 Thread leo 

Rony,

On 25 Feb 2021, at 2:47, Rony G. Flatscher (Apache) wrote:

P.S.: Have tested my implementation with Nashorn on Java 8 and it 
works out of the box! Still, you
would need to test the implementation thoroughly yourself (stability, 
performance, resources) and
would be asked to come back with feedback on each of these qualities. 
So stay tuned, will publish a
link to the implementation with a proper Nashorn/JavaScript sample war 
in this mail thread in a few

days.


How cool is this! Let me know when you it ready, please. Thanks a lot!

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Feature request for SSL Valve

2021-02-25 Thread Alex 

Christopher.

Thank you for your answer.

On 25.02.21 21:10, Christopher Schultz wrote:

Alex,

On 2/24/21 22:05, Alex wrote:

Hi.

I try to setup HAProxy to send some TLS Information's to tomcat.

As described in the documentation of SSL Valve are several parameters available 
and

most of them are also available in HAProxy.

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve

The only parameter which is not able to use is sslClientCertHeader because

this header expects a PEM formatted certificate but HAProxy can

send the certificate in DER format.

http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.3.4-ssl_c_der

Where can I add the Feature request to be this feature be considered

to be added into tomcat ssl valve?


Hmm. Sending binary data in an HTTP header field? You are going to definitely 
find some problems there.

Or were you going to try something like:

   http-request set-header X-Client-Certificate %[ssl_c_der,base64]

As suggested here: https://serverfault.com/a/859328 ?


I got also a similar answer on the haproxy list.

http-request add-header X-SSL-Client-Cert -BEGIN\ CERTIFICATE-\ 
%[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space

https://www.mail-archive.com/haproxy@formilux.org/msg39893.html


If so, you are base64-encoding a DER value which is essentially a PEM-formatted 
value :)

But sure, it seems like adding this kind of thing would be okay. Are you able 
to provide a patch/PR?

-chris


Regards
Alex

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Feature request for SSL Valve

2021-02-25 Thread Christopher Schultz 

Alex,

On 2/24/21 22:05, Alex wrote:

Hi.

I try to setup HAProxy to send some TLS Information's to tomcat.

As described in the documentation of SSL Valve are several parameters 
available and


most of them are also available in HAProxy.

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#SSL_Valve

The only parameter which is not able to use is sslClientCertHeader because

this header expects a PEM formatted certificate but HAProxy can

send the certificate in DER format.

http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.3.4-ssl_c_der 



Where can I add the Feature request to be this feature be considered

to be added into tomcat ssl valve?


Hmm. Sending binary data in an HTTP header field? You are going to 
definitely find some problems there.


Or were you going to try something like:

  http-request set-header X-Client-Certificate %[ssl_c_der,base64]

As suggested here: https://serverfault.com/a/859328 ?

If so, you are base64-encoding a DER value which is essentially a 
PEM-formatted value :)


But sure, it seems like adding this kind of thing would be okay. Are you 
able to provide a patch/PR?


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Correct manager.xml for Tomcat 8 manager GUI

2021-02-25 Thread Luis Rodríguez Fernández 
Hello Patrick,

Check if you have also the webapps/manager/META-INF/context.xml By default
that RemoteAddrValve [1] configuration only allows connections from the
same host.

Cheers,

Luis

[1]
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteAddrValve.html

El mié, 24 feb 2021 a las 20:13, Mark Eggers ()
escribió:

> On 2/24/2021 9:54 AM, Patrick Baldwin wrote:
> > Hi, I'm trying to reconfigure a pre-existing dev Tomcat 8 server so folks
> > can use the manager GUI; so far, I just get the ERR_CONNECTION_REFUSED
> > message.
> >
> > I've stripped the tomcat users file down to just:
> >
> > $ cat /usr/local/tomcat/conf/tomcat-users.xml
> > 
> >   
> >   
> > 
> >
> > And the  /usr/local/tomcat/conf/Catalina/localhost /manager.xml is
> > currently:
> > $ pwd
> > /usr/local/tomcat/conf/Catalina/localhost
> > $ cat manager.xml
> > 
> >
> > 
> >  className="org.apache.catalina.webresources.DirResourceSet"
> > webAppMount="/WEB-INF/classes" base="/usr/local/tomcat/webapps/manager"
> />
> > 
> >
> > 
> >
> >
> > Not seeing an error in catalina.out about the manager, looks like it's
> > deploying OK:
> >
> > 24-Feb-2021 12:00:56.070 INFO [localhost-startStop-1]
> > org.apache.catalina.startup.HostConfig.deployDescriptor Deploying
> > configuration descriptor
> > [/usr/local/tomcat/conf/Catalina/localhost/manager.xml]
> > 24-Feb-2021 12:00:56.092 INFO [localhost-startStop-1]
> > org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of
> > configuration descriptor
> > [/usr/local/tomcat/conf/Catalina/localhost/manager.xml] has finished in
> > [22] ms
> >
> > Since it's a dev system, I've temporarily turned off the firewall and
> > selinux to make sure they aren't the issue.
> >
> > Any thoughts?
> >
>
> What version of Tomcat 8?
>
> For all recent versions of Tomcat (even 7), you'll need the following:
>
> http://tomcat.apache.org/xml;
>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
>xsi:schemaLocation="http://tomcat.apache.org/xml
> tomcat-users.xsd"
>version="1.0">
> 
> 
>
> . . . just my two cents
> /mde/
>
>
>
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Luis Rodríguez Fernández 
Hello Susan,

org.apache.catalina.realm.JNDIRealm used the container log so
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = ALL
should give you some more details. By default these logs go to
the localhost.-MM-DD.log, if you want to print them in the console you
can always change the handler
to org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers =
java.util.logging.ConsoleHandler

Depending on your Active Directory configuration you may need to provide
connectionName and connectionPassword properties, from [1]:

*"When making a connection in order to search the directory and retrieve
user and role information, the realm authenticates itself to the directory
with the username and password specified by
the connectionName and connectionPassword properties. If these properties
are not specified the connection is anonymous. This is sufficient in many
cases."*

Cheers,

Luis

[1] http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html









El jue, 25 feb 2021 a las 18:26, Brian Wolfe ()
escribió:

> Seems there might be some debug you can turn on. I haven't tried it myself.
> But Look at this for reference.
> https://ldapwiki.com/wiki/Tomcat%20And%20LDAP
>
> On Thu, Feb 25, 2021 at 11:18 AM  wrote:
>
> > Dear Brian
> >
> > Thank you for your reply
> >
> > We can see the successful handshake with the LDAP Server.
> > We think, after that, some more data  goes back and forth and then the
> > connection is closed. We can't see, what is exactly happening - its
> TLSv1.3
> > When using ldap with port 3268 - its all good.
> > So the search itself seems to be fine.
> >
> > Only ldaps with port 3269 fails
> >
> > Is there maybe another debug Option for the ldap?
> >
> > Thank you
> >
> > Susan
> >
> >
> >
> > > -Original Message-
> > > From: Brian Wolfe 
> > > Sent: Donnerstag, 25. Februar 2021 17:00
> > > To: Tomcat Users List 
> > > Subject: Re: JNDI ldaps Problem with SSO
> > >
> > > if you define the truststore on the command line it will ignore the
> > cacerts file.
> > > Also looks like you're trying to connect to AD over the catalog port.
> > > I would suggest using the LDAPS port 636. The GC port is used to search
> > > things within the forest that may not be in the domain. small change
> but
> > > shouldn't cause a connection issue if you're using the catalog port.
> > >
> > > You shouldn't have to configure any additional SSL stuff on the realm.
> > As long
> > > as your JNDI url is ldaps it should know to use SSL. Java will
> negotiate
> > the SSL
> > > for you.
> > >
> > > One thing you can do is turn on SSL debug and look at the negotiation
> to
> > see
> > > if it is negotiating SSL.
> > > *-Djavax.net.debug=ssl*
> > > You should see it negotiate with the ldap server on startup. You will
> > also be
> > > able to see the whole SSL handshake and see if it's failing.
> > >
> > > On Thu, Feb 25, 2021 at 10:35 AM  wrote:
> > >
> > > > Hi Bill
> > > >
> > > > Thank you for your fast reply
> > > >
> > > > We are using RHEL7
> > > >
> > > > The JAVA is using it's default cacerts which includes all ROOT CA's
> of
> > > > the LDAP Server.
> > > > We also added another Trusstore in the JAVA OPTS of the Tomcat JVM,
> > > > which also includes the whole chain of the LDAP Server Cert:
> > > >
> > > > tomcat   21503 1  2 Feb16 ?05:32:41
> > /usr/java/latest/bin/java
> > > >
> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.
> > > > properties
> > > > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > > > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> > > > -Djavax.net.ssl.trustStorePassword=xxx
> > > > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > > > -Dnm.data.home=/opt/tomcat/data
> > > > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > > > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> > > > -Djavax.security.auth.useSubjectCredsOnly=false
> > > > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > > > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > > > -classpath
> > > > /opt/tomcat/apache-tomcat-
> > > 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> > > > tomcat-8.0.36/bin/tomcat-juli.jar
> > > > -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> > > > -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> > > > -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> > > > org.apache.catalina.startup.Bootstrap start
> > > >
> > > > Our server.xml only contains the ldap realm and database realm.
> > > > Could it be, that a ssl config is necessary too?
> > > >
> > > > Thank you
> > > >
> > > > Susan
> > > >
> > > > > -Original Message-
> > > > > From: Bill Stewart 
> > > > > Sent: Donnerstag, 25. Februar 2021 16:04
> > > > > To: Tomcat Users List 
> > > > > Subject: Re: JNDI ldaps Problem with SSO
> > > > >
> > > > > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> > > > >
> > > > > We are having a problem

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Brian Wolfe 
Seems there might be some debug you can turn on. I haven't tried it myself.
But Look at this for reference.
https://ldapwiki.com/wiki/Tomcat%20And%20LDAP

On Thu, Feb 25, 2021 at 11:18 AM  wrote:

> Dear Brian
>
> Thank you for your reply
>
> We can see the successful handshake with the LDAP Server.
> We think, after that, some more data  goes back and forth and then the
> connection is closed. We can't see, what is exactly happening - its TLSv1.3
> When using ldap with port 3268 - its all good.
> So the search itself seems to be fine.
>
> Only ldaps with port 3269 fails
>
> Is there maybe another debug Option for the ldap?
>
> Thank you
>
> Susan
>
>
>
> > -Original Message-
> > From: Brian Wolfe 
> > Sent: Donnerstag, 25. Februar 2021 17:00
> > To: Tomcat Users List 
> > Subject: Re: JNDI ldaps Problem with SSO
> >
> > if you define the truststore on the command line it will ignore the
> cacerts file.
> > Also looks like you're trying to connect to AD over the catalog port.
> > I would suggest using the LDAPS port 636. The GC port is used to search
> > things within the forest that may not be in the domain. small change but
> > shouldn't cause a connection issue if you're using the catalog port.
> >
> > You shouldn't have to configure any additional SSL stuff on the realm.
> As long
> > as your JNDI url is ldaps it should know to use SSL. Java will negotiate
> the SSL
> > for you.
> >
> > One thing you can do is turn on SSL debug and look at the negotiation to
> see
> > if it is negotiating SSL.
> > *-Djavax.net.debug=ssl*
> > You should see it negotiate with the ldap server on startup. You will
> also be
> > able to see the whole SSL handshake and see if it's failing.
> >
> > On Thu, Feb 25, 2021 at 10:35 AM  wrote:
> >
> > > Hi Bill
> > >
> > > Thank you for your fast reply
> > >
> > > We are using RHEL7
> > >
> > > The JAVA is using it's default cacerts which includes all ROOT CA's of
> > > the LDAP Server.
> > > We also added another Trusstore in the JAVA OPTS of the Tomcat JVM,
> > > which also includes the whole chain of the LDAP Server Cert:
> > >
> > > tomcat   21503 1  2 Feb16 ?05:32:41
> /usr/java/latest/bin/java
> > > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.
> > > properties
> > > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> > > -Djavax.net.ssl.trustStorePassword=xxx
> > > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > > -Dnm.data.home=/opt/tomcat/data
> > > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> > > -Djavax.security.auth.useSubjectCredsOnly=false
> > > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > > -classpath
> > > /opt/tomcat/apache-tomcat-
> > 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> > > tomcat-8.0.36/bin/tomcat-juli.jar
> > > -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> > > -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> > > -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> > > org.apache.catalina.startup.Bootstrap start
> > >
> > > Our server.xml only contains the ldap realm and database realm.
> > > Could it be, that a ssl config is necessary too?
> > >
> > > Thank you
> > >
> > > Susan
> > >
> > > > -Original Message-
> > > > From: Bill Stewart 
> > > > Sent: Donnerstag, 25. Februar 2021 16:04
> > > > To: Tomcat Users List 
> > > > Subject: Re: JNDI ldaps Problem with SSO
> > > >
> > > > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> > > >
> > > > We are having a problem with our Single sign On config.
> > > > > When using ldap - all works well.
> > > > >
> > > > > When switiching to ldaps , the User loses to connection all
> > > > > together (Server not reachable)
> > > > >
> > > > > server.xml
> > > > >
> > > > > Good:
> > > > >  > > > >connectionURL="ldap://x..com:3268;
> > > > >userBase="DC=XXXINTRA,DC=CH"
> > > > >userSubtree="true"
> > > > >userSearch="(sAMAccountName={0})"
> > > > >userRoleName="memberOf"
> > > > >
> > > > >
> > > > > roleBase="OU=PF00_App-
> > > > Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU
> > > > > =PF00,DC=XXXINTRA,DC=ch
> > > > > "
> > > > >roleName="CN"
> > > > >
> roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > > > >roleSubtree="true"
> > > > >roleNested="true" />
> > > > >
> > > > > bad:
> > > > >
> > > > >  > > > >connectionURL="ldaps://x..com:3269"
> > > > >userBase="DC=XXXINTRA,DC=CH"
> > > > >userSubtree="true"
> > > > >userSearch="(sAMAccountName={0})"
> > > > >

RE: JNDI ldaps Problem with SSO

2021-02-25 Thread Susan.Wood 
Dear Brian 

Thank you for your reply

We can see the successful handshake with the LDAP Server. 
We think, after that, some more data  goes back and forth and then the 
connection is closed. We can't see, what is exactly happening - its TLSv1.3 
When using ldap with port 3268 - its all good. 
So the search itself seems to be fine. 

Only ldaps with port 3269 fails 

Is there maybe another debug Option for the ldap? 

Thank you 

Susan 



> -Original Message-
> From: Brian Wolfe 
> Sent: Donnerstag, 25. Februar 2021 17:00
> To: Tomcat Users List 
> Subject: Re: JNDI ldaps Problem with SSO
> 
> if you define the truststore on the command line it will ignore the cacerts 
> file.
> Also looks like you're trying to connect to AD over the catalog port.
> I would suggest using the LDAPS port 636. The GC port is used to search
> things within the forest that may not be in the domain. small change but
> shouldn't cause a connection issue if you're using the catalog port.
> 
> You shouldn't have to configure any additional SSL stuff on the realm. As long
> as your JNDI url is ldaps it should know to use SSL. Java will negotiate the 
> SSL
> for you.
> 
> One thing you can do is turn on SSL debug and look at the negotiation to see
> if it is negotiating SSL.
> *-Djavax.net.debug=ssl*
> You should see it negotiate with the ldap server on startup. You will also be
> able to see the whole SSL handshake and see if it's failing.
> 
> On Thu, Feb 25, 2021 at 10:35 AM  wrote:
> 
> > Hi Bill
> >
> > Thank you for your fast reply
> >
> > We are using RHEL7
> >
> > The JAVA is using it's default cacerts which includes all ROOT CA's of
> > the LDAP Server.
> > We also added another Trusstore in the JAVA OPTS of the Tomcat JVM,
> > which also includes the whole chain of the LDAP Server Cert:
> >
> > tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java
> > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.
> > properties
> > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> > -Djavax.net.ssl.trustStorePassword=xxx
> > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > -Dnm.data.home=/opt/tomcat/data
> > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> > -Djavax.security.auth.useSubjectCredsOnly=false
> > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > -classpath
> > /opt/tomcat/apache-tomcat-
> 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> > tomcat-8.0.36/bin/tomcat-juli.jar
> > -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> > -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> > -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> > org.apache.catalina.startup.Bootstrap start
> >
> > Our server.xml only contains the ldap realm and database realm.
> > Could it be, that a ssl config is necessary too?
> >
> > Thank you
> >
> > Susan
> >
> > > -Original Message-
> > > From: Bill Stewart 
> > > Sent: Donnerstag, 25. Februar 2021 16:04
> > > To: Tomcat Users List 
> > > Subject: Re: JNDI ldaps Problem with SSO
> > >
> > > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> > >
> > > We are having a problem with our Single sign On config.
> > > > When using ldap - all works well.
> > > >
> > > > When switiching to ldaps , the User loses to connection all
> > > > together (Server not reachable)
> > > >
> > > > server.xml
> > > >
> > > > Good:
> > > >  > > >connectionURL="ldap://x..com:3268;
> > > >userBase="DC=XXXINTRA,DC=CH"
> > > >userSubtree="true"
> > > >userSearch="(sAMAccountName={0})"
> > > >userRoleName="memberOf"
> > > >
> > > >
> > > > roleBase="OU=PF00_App-
> > > Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU
> > > > =PF00,DC=XXXINTRA,DC=ch
> > > > "
> > > >roleName="CN"
> > > >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > > >roleSubtree="true"
> > > >roleNested="true" />
> > > >
> > > > bad:
> > > >
> > > >  > > >connectionURL="ldaps://x..com:3269"
> > > >userBase="DC=XXXINTRA,DC=CH"
> > > >userSubtree="true"
> > > >userSearch="(sAMAccountName={0})"
> > > >userRoleName="memberOf"
> > > >
> > > >  roleBase="OU=PF00_App-
> > >
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> > > RA,DC=ch"
> > > >roleName="CN"
> > > >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > > >roleSubtree="true"
> > > >roleNested="true" />
> > > >
> > >
> > > If you are running Tomcat on Windows, my

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Brian Wolfe 
if you define the truststore on the command line it will ignore the cacerts
file. Also looks like you're trying to connect to AD over the catalog port.
I would suggest using the LDAPS port 636. The GC port is used to search
things within the forest that may not be in the domain. small change but
shouldn't cause a connection issue if you're using the catalog port.

You shouldn't have to configure any additional SSL stuff on the realm. As
long as your JNDI url is ldaps it should know to use SSL. Java will
negotiate the SSL for you.

One thing you can do is turn on SSL debug and look at the negotiation to
see if it is negotiating SSL.
*-Djavax.net.debug=ssl*
You should see it negotiate with the ldap server on startup. You will also
be able to see the whole SSL handshake and see if it's failing.

On Thu, Feb 25, 2021 at 10:35 AM  wrote:

> Hi Bill
>
> Thank you for your fast reply
>
> We are using RHEL7
>
> The JAVA is using it's default cacerts which includes all ROOT CA's of the
> LDAP Server.
> We also added another Trusstore in the JAVA OPTS of the Tomcat JVM, which
> also includes the whole chain of the LDAP Server Cert:
>
> tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java
> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> -Djavax.net.ssl.trustStorePassword=xxx
> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> -Dnm.data.home=/opt/tomcat/data
> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath
> /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> org.apache.catalina.startup.Bootstrap start
>
> Our server.xml only contains the ldap realm and database realm.
> Could it be, that a ssl config is necessary too?
>
> Thank you
>
> Susan
>
> > -Original Message-
> > From: Bill Stewart 
> > Sent: Donnerstag, 25. Februar 2021 16:04
> > To: Tomcat Users List 
> > Subject: Re: JNDI ldaps Problem with SSO
> >
> > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> >
> > We are having a problem with our Single sign On config.
> > > When using ldap - all works well.
> > >
> > > When switiching to ldaps , the User loses to connection all together
> > > (Server not reachable)
> > >
> > > server.xml
> > >
> > > Good:
> > >  > >connectionURL="ldap://x..com:3268;
> > >userBase="DC=XXXINTRA,DC=CH"
> > >userSubtree="true"
> > >userSearch="(sAMAccountName={0})"
> > >userRoleName="memberOf"
> > >
> > >
> > > roleBase="OU=PF00_App-
> > Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU
> > > =PF00,DC=XXXINTRA,DC=ch
> > > "
> > >roleName="CN"
> > >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > >roleSubtree="true"
> > >roleNested="true" />
> > >
> > > bad:
> > >
> > >  > >connectionURL="ldaps://x..com:3269"
> > >userBase="DC=XXXINTRA,DC=CH"
> > >userSubtree="true"
> > >userSearch="(sAMAccountName={0})"
> > >userRoleName="memberOf"
> > >
> > >  roleBase="OU=PF00_App-
> > Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> > RA,DC=ch"
> > >roleName="CN"
> > >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > >roleSubtree="true"
> > >roleNested="true" />
> > >
> >
> > If you are running Tomcat on Windows, my question is whether the Java
> > running your Tomcat server trusts the Windows certificate store for the
> > secure LDAP.
> >
> > If you are running Tomcat on Windows, try adding the following parameter
> to
> > the Java command line for your application:
> >
> > -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
> >
> > (If you are using procrun which is likely on Windows, this means to go
> to the
> > "Java" tab for the Tomcat service configuration and add the above line
> to the
> > "Java Options" text box.)
> >
> > Bill
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/

RE: JNDI ldaps Problem with SSO

2021-02-25 Thread Susan.Wood 
Hi Bill 

Thank you for your fast reply

We are using RHEL7 

The JAVA is using it's default cacerts which includes all ROOT CA's of the LDAP 
Server. 
We also added another Trusstore in the JAVA OPTS of the Tomcat JVM, which also 
includes the whole chain of the LDAP Server Cert: 

tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java 
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks 
-Djavax.net.ssl.trustStorePassword=xxx -Djdk.tls.ephemeralDHKeySize=2048 
-Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data 
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf 
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf 
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false 
-Duser.timezone=Europe/Berlin 
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath 
/opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
 -Dcatalina.base=/opt/tomcat/tomcat8_appway1 
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp 
org.apache.catalina.startup.Bootstrap start

Our server.xml only contains the ldap realm and database realm. 
Could it be, that a ssl config is necessary too? 

Thank you 

Susan 

> -Original Message-
> From: Bill Stewart 
> Sent: Donnerstag, 25. Februar 2021 16:04
> To: Tomcat Users List 
> Subject: Re: JNDI ldaps Problem with SSO
> 
> On Thu, Feb 25, 2021 at 2:31 AM wrote:
> 
> We are having a problem with our Single sign On config.
> > When using ldap - all works well.
> >
> > When switiching to ldaps , the User loses to connection all together
> > (Server not reachable)
> >
> > server.xml
> >
> > Good:
> >  >connectionURL="ldap://x..com:3268;
> >userBase="DC=XXXINTRA,DC=CH"
> >userSubtree="true"
> >userSearch="(sAMAccountName={0})"
> >userRoleName="memberOf"
> >
> >
> > roleBase="OU=PF00_App-
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU
> > =PF00,DC=XXXINTRA,DC=ch
> > "
> >roleName="CN"
> >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >roleSubtree="true"
> >roleNested="true" />
> >
> > bad:
> >
> >  >connectionURL="ldaps://x..com:3269"
> >userBase="DC=XXXINTRA,DC=CH"
> >userSubtree="true"
> >userSearch="(sAMAccountName={0})"
> >userRoleName="memberOf"
> >
> >  roleBase="OU=PF00_App-
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> RA,DC=ch"
> >roleName="CN"
> >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >roleSubtree="true"
> >roleNested="true" />
> >
> 
> If you are running Tomcat on Windows, my question is whether the Java
> running your Tomcat server trusts the Windows certificate store for the
> secure LDAP.
> 
> If you are running Tomcat on Windows, try adding the following parameter to
> the Java command line for your application:
> 
> -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
> 
> (If you are using procrun which is likely on Windows, this means to go to the
> "Java" tab for the Tomcat service configuration and add the above line to the
> "Java Options" text box.)
> 
> Bill

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Bill Stewart 
On Thu, Feb 25, 2021 at 2:31 AM wrote:

We are having a problem with our Single sign On config.
> When using ldap - all works well.
>
> When switiching to ldaps , the User loses to connection all together
> (Server not reachable)
>
> server.xml
>
> Good:
> connectionURL="ldap://x..com:3268;
>userBase="DC=XXXINTRA,DC=CH"
>userSubtree="true"
>userSearch="(sAMAccountName={0})"
>userRoleName="memberOf"
>
>  
> roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch
> "
>roleName="CN"
>roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>roleSubtree="true"
>roleNested="true" />
>
> bad:
>
> connectionURL="ldaps://x..com:3269"
>userBase="DC=XXXINTRA,DC=CH"
>userSubtree="true"
>userSearch="(sAMAccountName={0})"
>userRoleName="memberOf"
>
>  
> roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>roleName="CN"
>roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>roleSubtree="true"
>roleNested="true" />
>

If you are running Tomcat on Windows, my question is whether the Java
running your Tomcat server trusts the Windows certificate store for the
secure LDAP.

If you are running Tomcat on Windows, try adding the following parameter to
the Java command line for your application:

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

(If you are using procrun which is likely on Windows, this means to go to
the "Java" tab for the Tomcat service configuration and add the above line
to the "Java Options" text box.)

Bill

JNDI ldaps Problem with SSO

2021-02-25 Thread Susan.Wood 
Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switiching to ldaps , the User loses to connection all together (Server 
not reachable)



server.xml

Good:
ldap://x..com:3268;
   userBase="DC=XXXINTRA,DC=CH"
   userSubtree="true"
   userSearch="(sAMAccountName={0})"
   userRoleName="memberOf"
   
roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch
 "
   roleName="CN"
   roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
   roleSubtree="true"
   roleNested="true" />

bad:




Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL connection 
itself seems to be fine, Certificates are fine, we are sending the trustore as 
well. All is in the relevant cacerts too.
We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java 
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxRootCore.jks 
-Djavax.net.ssl.trustStorePassword=xx -Djdk.tls.ephemeralDHKeySize=2048 
-Xmx12G -XX:+UseThreadPriorities -Dnm.data.home=/opt/tomcat/data 
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf 
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf 
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=false 
-Duser.timezone=Europe/Berlin 
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath 
/opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
 -Dcatalina.base=/opt/tomcat/tomcat8_appway1 
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36 
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp 
org.apache.catalina.startup.Bootstrap start


We do not see a direct Error in the Catalina.out

Domain controller seems to close the connection. The Error is "The Parameter is 
incorrect", "The System cannot find the path specified."

What are we missing?

Do I need to configure some SSL Realm in the server.xml as well?

Thank you


Susan Wood

System Engineering
Telefon +41-58-223 70 83
Mobile   +41-79-375 34 58
susan.w...@swisscom.com

Swisscom (Schweiz) AG
Business Customers
Solution Center Banking
Ey 10
3063 Ittigen
www.swisscom.com
Postadresse:
Postfach
3050 Bern

Re: Tomcat Manager

2021-02-25 Thread Mark Thomas 
On 24/02/2021 20:18, Robert Hicks wrote:
> Is there a way (my google-fu is failing) to use the command line version of
> the manager but not have the front end UI available at all?

Remove the HTMLManager servlet entries from WEB-INF/web.xml

You may also wish to remove the Status servlet and the JMXProxy servlet
as well.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org