Re: certificate re-loading for apache tomcat without the apache restart

[Christopher Schultz]

Raghavendran,

On 9/26/22 7:43 AM, Ragavendhiran Bhiman (rabhiman) wrote:

Is there any way to reload new certificates as well with restarting the tomcat 
services?


Yes, but you will have to use JMX to essentially re-configure the 
connector, and then reload/restart it.



The mail below explains the modification of certificates only considered and 
not the new ones.
Our scenario is to load new certificates as well if the nssdb got changed 
dynamically.


Usually a "new" certificate would be one that doesn't just replace an 
existing one, but requires a separate , etc.


Maybe if you explain what you are really trying to do, we could give you 
better help.


-chris


From: Ivano Luberti 
Date: Monday, 26 September 2022 at 12:51 PM
To: users@tomcat.apache.org 
Subject: Re: certificate re-loading for apache tomcat without the apache restart
Agree

Here you can find documentation of what Peter says

https://tomcat.apache.org/tomcat-10.0-doc/manager-howto.html#Reload_TLS_configuration

using  a call to the manager app.

It doesn't take into account new certificates but only existing ones,
because it dosn't reparse server.xml

Il 26/09/2022 09:18, l...@kreuser.name ha scritto:

Raghavendran,


Am 26.09.2022 um 08:54 schrieb Ragavendhiran Bhiman 
(rabhiman):

Hi All,

I have a scenario where I need to reload the certificates which are newly 
updated in the NSS DB without restarting the apache – tomcat.
Is there any way to do it?

Kindly share some piece of code to achieve the reloading of the certificates 
without restarting the apache tomcat service itself.



curl -u  -p  
"https://myserver.mydomain/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port==reloadSslHostConfig="

you need that  with at least roles="manager-jmx" in tomcat-users.xml



Note : Trial from my side : Tried to restart the Apache connector, but still it 
is reloading the old certificates only and not the new certificates.
If possible how to achieve the loading of the new one?


Many Thanks for your help.

Regards,

Raghavendran


Hope this helps

Peter

--

Archimede Informatica tratta i dati personali in conformità a quanto
stabilito dal Regolamento UE n. 2016/679 (GDPR) e dal D. Lgs. 30 giugno
2003 n. 196
per come modificato dal D.Lgs. 10 agosto 2018 n. 101.
Informativa completa


dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it
linkedin: 
www.linkedin.com/in/ivanoluberti
facebook: 
www.facebook.com/archimedeinformaticapisa/



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 8.5.8x patch upgrade failing

[Christopher Schultz]

Doug,

On 9/23/22 11:20 AM, Cannatella, Douglas wrote:

We are currently using Tomcat 8.5.53 and tried to upgrade patch
8.5.81 & 8.5.82 using Ivanti Patch tool.

Did it work?


Our project is using OpenJDK version: 1.8.0_242, Microsoft
Framework 4.0.0 running TR/ OneSource Indirect Tax Determination

That sounds like a fun environment.


Ivanti patch tool has overlayed Tomcat service running on the D
drive, on the C drive including war files and registry settings.
Sounds great. Is that what it's supposed to do? We don't know anything 
about Ivanti.



Is there any way to manual install patches to keep Tomcat version
8.5.82 current on the D drive which is running Catalina under Windows
2019 Server.
The Apache Tomcat project periodically produces new versions of 
supported versions of Apache Tomcat. All 4 currently-supported major 
versions (8.5, 9.0, 10.0, and 10.1) receive roughly monthly patch releases.


The Apache Tomcat team does not distribute actual patches. Instead, we 
release new versions of the complete package. It should be easy to stay 
up-to-date if you are comfortable with Apache Tomcat. Simply download 
and install the update whenever it becomes available.


Here are two resources you might want to refer to:

https://tomcat.apache.org/presentations.html#latest-split-installation

https://github.com/Bill-Stewart/ApacheTomcatSetup

Generally, releases within the same major version (e.g. 8.5.x) are all 
compatible, but READ THE CHANGELOG 
(https://tomcat.apache.org/tomcat-8.5-doc/changelog.html) to see if 
anything might affect your environment. You are upgrading past a LOT of 
revisions, so you will haev to do a lot of reading.


Also read the MIGRATION GUIDE 
(https://tomcat.apache.org/migration.html), especially the "Notable 
Changes" section for your version(s).



Do I need capture logs which one's and capture Tomcat access
log
, or threadumps?
You only need to do such things if you care to do so. Thread dumps are 
only useful if you are experiencing a problem. Logs can either be useful 
or not, depending on your needs.



Next steps to download Tomcat manual installation on DEV
environment? Next step to download Apache Tomcat(r) - Apache Tomcat 8
Software Downloads
windows-x64.zip?
Yes, that's the right place to get the latest ZIP distribution of Apache 
Tomcat.



https://cwiki.apache.org/confluence/display/TOMCAT/Troubleshooting+and+Diagnostics
Apache Tomcat 8 (8.5.82) - Tomcat 
Setup


Yes, that's a good place to get started.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[ANN] Apache Tomcat 9.0.67 available

[Rémy Maucherat]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.67.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.67 is a bugfix and feature release. The notable
changes compared to 9.0.65 include:

- Add support for authenticating WebSocket clients with an HTTP forward
   proxy when establishing a connection to a WebSocket endpoint via a
   forward proxy that requires authentication. Based on a patch provided
   by Joe Mokos.

- Various fixes for edge case bugs in EL processing.

- Improve host header handling for HTTP/2 requests.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[ANN] Apache Tomcat 10.1.0 (stable) available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.0 (stable).

This is the first stable release of the 10.1.x branch.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.


The notable changes compared to 10.1.0-M17 include:

- Add support for authenticating WebSocket clients with an HTTP forward
  proxy when establishing a connection to a WebSocket endpoint via a
  forward proxy that requires authentication. Based on a patch provided
  by Joe Mokos.

- Various fixes for edge case bugs in EL processing.

- Improve host header handling for HTTP/2 requests.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: certificate re-loading for apache tomcat without the apache restart

[Ragavendhiran Bhiman (rabhiman)]

Is there any way to reload new certificates as well with restarting the tomcat 
services?
The mail below explains the modification of certificates only considered and 
not the new ones.
Our scenario is to load new certificates as well if the nssdb got changed 
dynamically.

Thanks & Regards,
Raghavendran

From: Ivano Luberti 
Date: Monday, 26 September 2022 at 12:51 PM
To: users@tomcat.apache.org 
Subject: Re: certificate re-loading for apache tomcat without the apache restart
Agree

Here you can find documentation of what Peter says

https://tomcat.apache.org/tomcat-10.0-doc/manager-howto.html#Reload_TLS_configuration

using  a call to the manager app.

It doesn't take into account new certificates but only existing ones,
because it dosn't reparse server.xml

Il 26/09/2022 09:18, l...@kreuser.name ha scritto:
> Raghavendran,
>
>> Am 26.09.2022 um 08:54 schrieb Ragavendhiran Bhiman 
>> (rabhiman):
>>
>> Hi All,
>>
>> I have a scenario where I need to reload the certificates which are newly 
>> updated in the NSS DB without restarting the apache – tomcat.
>> Is there any way to do it?
>>
>> Kindly share some piece of code to achieve the reloading of the certificates 
>> without restarting the apache tomcat service itself.
>>
>>
> curl -u  -p  
> "https://myserver.mydomain/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port=  port>=reloadSslHostConfig="
>
> you need that  with at least roles="manager-jmx" in tomcat-users.xml
>
>
>> Note : Trial from my side : Tried to restart the Apache connector, but still 
>> it is reloading the old certificates only and not the new certificates.
>> If possible how to achieve the loading of the new one?
>>
>>
>> Many Thanks for your help.
>>
>> Regards,
>>
>> Raghavendran
>>
> Hope this helps
>
> Peter
--

Archimede Informatica tratta i dati personali in conformità a quanto
stabilito dal Regolamento UE n. 2016/679 (GDPR) e dal D. Lgs. 30 giugno
2003 n. 196
per come modificato dal D.Lgs. 10 agosto 2018 n. 101.
Informativa completa


dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it
linkedin: 
www.linkedin.com/in/ivanoluberti
facebook: 
www.facebook.com/archimedeinformaticapisa/

Re: certificate re-loading for apache tomcat without the apache restart

[Ivano Luberti]

Agree

Here you can find documentation of what Peter says

https://tomcat.apache.org/tomcat-10.0-doc/manager-howto.html#Reload_TLS_configuration

using  a call to the manager app.

It doesn't take into account new certificates but only existing ones, 
because it dosn't reparse server.xml


Il 26/09/2022 09:18, l...@kreuser.name ha scritto:

Raghavendran,


Am 26.09.2022 um 08:54 schrieb Ragavendhiran Bhiman 
(rabhiman):

Hi All,

I have a scenario where I need to reload the certificates which are newly 
updated in the NSS DB without restarting the apache – tomcat.
Is there any way to do it?

Kindly share some piece of code to achieve the reloading of the certificates 
without restarting the apache tomcat service itself.



curl -u  -p  
"https://myserver.mydomain/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port==reloadSslHostConfig="

you need that  with at least roles="manager-jmx" in tomcat-users.xml



Note : Trial from my side : Tried to restart the Apache connector, but still it 
is reloading the old certificates only and not the new certificates.
If possible how to achieve the loading of the new one?


Many Thanks for your help.

Regards,

Raghavendran


Hope this helps

Peter

--

Archimede Informatica tratta i dati personali in conformità a quanto
stabilito dal Regolamento UE n. 2016/679 (GDPR) e dal D. Lgs. 30 giugno 
2003 n. 196

per come modificato dal D.Lgs. 10 agosto 2018 n. 101.
Informativa completa 



dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/

Re: certificate re-loading for apache tomcat without the apache restart

[logo]

Raghavendran,

> Am 26.09.2022 um 08:54 schrieb Ragavendhiran Bhiman (rabhiman) 
> :
> 
> Hi All,
> 
> I have a scenario where I need to reload the certificates which are newly 
> updated in the NSS DB without restarting the apache – tomcat.
> Is there any way to do it?
> 
> Kindly share some piece of code to achieve the reloading of the certificates 
> without restarting the apache tomcat service itself.
> 
> 

curl -u  -p  
"https://myserver.mydomain/manager/jmxproxy?invoke=Catalina:type=ProtocolHandler,port==reloadSslHostConfig="

you need that  with at least roles="manager-jmx" in tomcat-users.xml


> 
> Note : Trial from my side : Tried to restart the Apache connector, but still 
> it is reloading the old certificates only and not the new certificates.
> If possible how to achieve the loading of the new one?
> 
> 
> Many Thanks for your help.
> 
> Regards,
> 
> Raghavendran
> 

Hope this helps

Peter

certificate re-loading for apache tomcat without the apache restart

[Ragavendhiran Bhiman (rabhiman)]

Hi All,

I have a scenario where I need to reload the certificates which are newly 
updated in the NSS DB without restarting the apache – tomcat.
Is there any way to do it?

Kindly share some piece of code to achieve the reloading of the certificates 
without restarting the apache tomcat service itself.



Note : Trial from my side : Tried to restart the Apache connector, but still it 
is reloading the old certificates only and not the new certificates.
If possible how to achieve the loading of the new one?


Many Thanks for your help.

Regards,

Raghavendran