Shutdown command does not terminate tomcat process

2010-05-29 Thread /U

I use tomcat6 on Linux. I run tomcat with shutdown port
configured as follows:
  <Server port="8005" shutdown="SHUTDOWN">
//...

After I start tomcat, I find that:

# jps -l
24819 org.apache.catalina.startup.Bootstrap
25103 sun.tools.jps.Jps
# 

Now when I issue the SHUTDOWN command to tcp/8005, logs show that the
connectors are being shut down:

   May 29, 2010 3:11:55 PM org.apache.coyote.http11.Http11Protocol pause
   INFO: Pausing Coyote HTTP/1.1 on http-8080
   May 29, 2010 3:11:55 PM org.apache.coyote.http11.Http11Protocol pause
   INFO: Pausing Coyote HTTP/1.1 on http-8443
   May 29, 2010 3:11:56 PM org.apache.catalina.core.StandardService stop
   INFO: Stopping service Catalina
   May 29, 2010 3:11:57 PM org.apache.coyote.http11.Http11Protocol destroy
   INFO: Stopping Coyote HTTP/1.1 on http-8080
   May 29, 2010 3:11:57 PM org.apache.coyote.http11.Http11Protocol destroy
   INFO: Stopping Coyote HTTP/1.1 on http-8443

But I find that the process is still running:

# jps -l
24819 org.apache.catalina.startup.Bootstrap
25103 sun.tools.jps.Jps
# 

Why does this happen? Does the shutdown command sent to the shutdown port
not kill tomcat?

Please help,

/U


-- 
View this message in context: 
http://old.nabble.com/Shutdown-command-does-not-terminate-tomcat-process-tp28719038p28719038.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Installing certificate chain on Tomcat

2010-04-10 Thread /U

Hello Pid,

Am I right in assuming that the identity certificate + private key is
installed in the keystoreFile of the SSL connector (C:\keystore below) and
the CA certificate chain is installed in jre/lib/security/cacerts?

 <Connector port="443"
   protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="C:\keystore" keystorePass="changeit"
 />


Any assistance appreciated,

/U


-Original Message-
 From: /U [uma...@comcast.net]
 Date: 04/10/2010 12:02 AM
 To: users@tomcat.apache.org
 Subject: Re: Installing certificate chain on Tomcat

 Note: Original message sent as attachment




-- 
View this message in context: 
http://old.nabble.com/Installing-certificate-chain-on-Tomat-tp28199836p28202227.html



Re: Installing certificate chain on Tomcat

2010-04-10 Thread /U

Thank you Chris for your suggestion.

Here is my connector:

   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="/users/me/.keystore" keystorePass="changeit"
   />

I have received the following keys/certs from CA:
- file1: private key for myhost
- file2: identity certificate for myhost signed by CA1
- file3: certificate for CA1 signed by entrust

I installed the private key (file1) and the myhost cert (file2) into
/users/me/.keystore using the ImportKey utility.
I installed CA1's certificate into /users/me/.keystore using keytool.
My keytool looks like this:
   $ keytool -list -keystore /users/me/.keystore
   ...password...
   Keystore type: JKS
   Keystore provider: SUN

   Your keystore contains 2 entries

   CA1, Apr 10, 2010, trustedCertEntry,
   Certificate fingerprint (MD5): 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
   tomcat, Apr 10, 2010, PrivateKeyEntry,
   Certificate fingerprint (MD5): CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50
   $

I did not install any certificates into the truststore
(jre/lib/security/cacerts).

When I connect the browser to https://myhost, I get a cert error that
myhost is signed by CA1 and cannot be trusted.
The browser shows only one cert (for myhost) and does not show the full
cert chain (myhost - CA1 and CA1 - entrust).
Why is the full cert chain not sent to the browser?
Since the entrust CA cert is in the browser CA list, if tomcat sends the
full cert chain to the browser, it would be trusted.


Also, when I use the openssl client, I see that the full cert chain is not sent:
   C:\> openssl s_client -connect myhost:443

   verify error:num=21:unable to verify the first certificate
   verify return:1
   ---
   Certificate chain
    0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
      i:/C=US/O=CA1, Inc./OU=www.CA1.net is incorporated by reference/OU=..., Inc./CN=CA1Certification Authority

Why does this chain not have the CA1-entrust certificate?
What am I doing wrong? Should all CA certs be in the truststore?

What is the default truststore of tomcat? What is the difference between
truststore and keystore? Is it correct to say that all CA certs should be in
the truststore and the private key and identity cert in the keystore?

Many thanks,

/U


Christopher Schultz-2 wrote:
> 
> /U,
> 
> On 4/10/2010 12:01 AM, /U wrote:
>> I am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
>> private key (PEM),
>> identity cert (PEM)  (CA X trusts myhost)
>> and a cert chain file (PEM file) (entrust trusts CA X)
>> 
>> The cert chain is: (entrust) === trusts == (CA X) == trusts == myhost
>> 
>> I have converted the private key and identity cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
> 
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL Connector element?
> 
> -chris

-- 
View this message in context: 
http://old.nabble.com/Installing-certificate-chain-on-Tomat-tp28199836p28204196.html
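
A check for the symptom described in the message above, as an added example that is not part of the original post or of Tomcat: it reads `openssl s_client` output and reports how many certificates the server actually sent. The function name `chain_report`, its verdict strings and both sample transcripts are constructed for illustration.

```shell
# chain_report: summarise the "Certificate chain" section of s_client output
# read from stdin. Prints "<count> <verdict>":
#   leaf-only   one certificate sent, issued by someone else (the case above)
#   chain       more than one certificate sent
#   self-signed the single certificate names itself as issuer
#   none        no chain section found
chain_report() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer = $0; next }
        END {
            if (n == 0)              print "0 none"
            else if (n > 1)          print n " chain"
            else if (subj == issuer) print "1 self-signed"
            else                     print "1 leaf-only"
        }'
}

# Constructed sample shaped like the output quoted in the message:
# only certificate 0 is sent, and its issuer (CA1) is not included.
sample_leaf_only() {
    cat <<'EOF'
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
   i:/C=US/O=CA1, Inc./CN=CA1 Certification Authority
---
EOF
}

# Constructed sample: the same server once the intermediate is also sent.
sample_with_intermediate() {
    cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
   i:/C=US/O=CA1, Inc./CN=CA1 Certification Authority
 1 s:/C=US/O=CA1, Inc./CN=CA1 Certification Authority
   i:/C=US/O=Entrust (constructed)/CN=Entrust Root
---
EOF
}

sample_leaf_only | chain_report          # 1 leaf-only
sample_with_intermediate | chain_report  # 2 chain
```

Against a live server, pipe `openssl s_client -connect myhost:443 </dev/null 2>/dev/null` into `chain_report`; the chain section is written to standard output, the verify errors to standard error.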



Re: Installing certificate chain on Tomcat

2010-04-10 Thread /U

I tried this on different systems (*nix and XP), hence the
differences in my excerpts. But in each case, the connector
config correctly refers to the keystore. I am sorry I quoted different
configs - will stick to *nix from now on.

I am confused about one thing: while the keystore is explicitly specified
in the connector config, what about the truststore?

I assume the truststore stores the trusted CA certs (as opposed to
private keys/identity cert). Is this correct?

Why does the connector config not refer to a truststore config?
Or does that by default become ${JAVA_HOME}/jre/lib/security/cacerts?

What is the relation/difference (as far as tomcat is concerned) between
keystore, truststore and ${JAVA_HOME}/jre/lib/security/cacerts?

With sincere thanks!

/U




-- 
View this message in context: 
http://old.nabble.com/Installing-certificate-chain-on-Tomat-tp28199836p2820.html



Installing certificate chain on Tomcat

2010-04-09 Thread /U

I am installing a certificate chain on tomcat 6.x (JRE 1.6). From my CA I have
a private key (PEM),
an identity cert (PEM) (CA X trusts myhost)
and a cert chain file (PEM file) (entrust trusts CA X).

The cert chain is: (entrust) === trusts == (CA X) == trusts == myhost


I have converted the private key and identity cert into DER form
and have imported them into /etc/keystore (tomcat's keystore).
I have imported the certificate chain PEM file into
${JAVA_HOME}/jre/lib/security/cacerts.

When I log in to tomcat I get a warning that the certificate
myhost issued by CA X is not trusted.

It seems like the browser does not get the full cert chain (entrust = CA X =
myhost).
What could I be doing wrong? Please help.

Regards,

/U
-- 
View this message in context: 
http://old.nabble.com/Installing-certificate-chain-on-Tomat-tp28199836p28199836.html



AprHttp11 Connector - unable to locate certificates

2009-11-11 Thread /U
 by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 40 more


Thanks!

/U


-- 
View this message in context: 
http://old.nabble.com/AprHttp11-Connector---unable-to-locate-certificates-tp26311889p26311889.html



RE: Exception handling Container property change

2008-06-01 Thread /U

Hello.

This exception stack trace is very distracting to the folks who watch for
problems in the log. Could you please tell me if writing my own custom
VirtualWebappClassLoader requires me to instrument the classloader
with a specific MBean?

Thanks,

/U


/U wrote:
> 
> Thanks! It looks like this is related to the long conversation we had about
> using VirtualWebappClassLoader a couple of months ago.
> 
> I needed to use VirtualWebappLoader and hence chose to extend
> WebappLoader (CustomWebappClassLoader) and install the class in
> ${CATALINA_BASE}/lib.
> This classloader is used with multiple contexts but in loading
> a specific context alone, Tomcat yields this error:
> 
>   Caused by: java.lang.Exception: ManagedBean is not found with CustomWebappClassLoader
>       at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:397)
>       ... 46 more
> 
> Is my custom WebappLoader supposed to provide an MBean? If I choose not to,
> would it be a fatal error (as in one which would abort the context)?
> 
> Regards,
> 
> /U
> 
> 
>  -- Original message --
> From: Caldarale, Charles R [EMAIL PROTECTED]
>  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
>  Subject: Exception handling Container property change
>  
>  Every time I load my app context, the log yields the following MBean exception.
>  Mar 3, 2008 9:12:30 PM org.apache.catalina.mbeans.ServerLifecycleListener propertyChange
>  SEVERE: Exception handling Container property change
>  javax.management.MBeanException
>      at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:398)
> 
> Look further in the logs - there should be a nested exception related to
> the one above with this text:
> ManagedBean is not found with mname
> 
> The actual mname will tell you what MBean can't be created.
> 
>  - Chuck

-- 
View this message in context: 
http://www.nabble.com/%22Exception-handling-Container-property-change%22-tp15820562p17590598.html