Re: JVM keystores and CA

2018-10-23 Thread Igor Cicimov
Hi Guido,

On Tue, Oct 23, 2018 at 7:49 PM Jäkel, Guido  wrote:

> Dear Igor,
>
> >> 3. In case JAVA_HOME/lib/security/cacerts is my trust store (the default)
> >> I would expect Java to use the system store(s) too in case a certificate
> >> can not be validated simply because a CA is missing in the Java store.
> >> Example, DigiCert Global Root G2 CA is missing in the Java versions older
> >> than 8u91 causing inexplicable PKIX exceptions but can be found in the
> >> system store, both under /etc/ssl/certs and /usr/share/ca-certificates
> >> which are (much) more frequently updated with new certs than Java
> >> versions. This actually applies to the case of custom trust store even
> >> more so
> >>
> >> Thoughts?
>
> Because Java is platform-independent, it has its own store and doesn't use
> any of the underlying OS's. But someone told me that on some Linux
> distributions there's a script tool to update the Java cert store from the
> CA-Certificates package. Using such a tool you get the update more
> frequently.
>
> But actually you probably don't need it. You wrote about using Java8u91,
> which is simply completely out of date because the latest is Java8u192. If
> you complain about security things like an outdated certificate store, you
> simply should install a Java version as recent as the CA-Certificates
> package of the hosting OS. And you will catch other JAVA bugs and security
> issues by the way, too.
>

Just to make it clear, when I mentioned Java8u91 as an example I meant for
the time when let's say Java8u81 was the latest at that moment. In that case
when using the built-in JVM store you would encounter failed connections to
servers with G2-signed certificates. Then as you said you would need to
import it into the JVM store yourself or wait for the next Java release
that would include it by default, i.e. Java8u91.


Re: JVM keystores and CA

2018-10-23 Thread Igor Cicimov
Hi Chris,

On Tue, Oct 23, 2018 at 8:12 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Igor,
>
> On 10/18/18 19:09, Igor Cicimov wrote:
> > On Fri, Oct 19, 2018 at 2:14 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Java has no notion of CAs, nor does any trust store, really.
> >
> >> Correct, but by loading all CAs in the trust store it kinda
> >> does, indirectly.
> >
> > A certificate is trusted if it is present in the trust store, full
> > stop. It need not be a "CA". The only thing being a CA gets you is
> > ... in everyone's default trust stores.
> >
> >
> > The system property javax.net.ssl.trustStore only sets the default
> > trust store for the JVM and any components which choose to use it.
> > For example, if you use HttpURLConnection without any explicit
> > configuration, it will use that. Same with Apache httpclient.
> >
> > But both of those can be configured to use a different trust
> > store, which case they will *not* fall-back to the built-in trust
> > store (the one in JAVA_HOME/lib/security/cacerts.
> >
> >> Well I see a couple of issues with this approach of the truststore
> >> being the only source of truth. First is the obvious one, when
> >> using a custom trust store I have to load *all* CA certificates
> >> that already exist somewhere else on the server (and in multiple
> >> places) in the trust store too otherwise no certificate will
> >> ever get validated.
> Why would you want to use a custom trust store that also includes the
> whole list of trusted certs from the vendor? Either you want to
> delegate everything to the vendor (e.g. Oracle) or you know who you
> are connecting to, and you only need one cert (or a small selection of
> them) in your trust store.
>
> I think the problem is that people rely on "the trust store for the
> JVM" as the trust store for everything, which is a Bad Idea. Use
> separate trust stores for different types of connections.
>
>
> > When overriding the default trust store for the JVM, the trust
> > store you specify should be the ONLY trust store consulted. It
> > should not fall back. I can confirm this is the case on Java 8 -
> > 11, at least the ones I happen to be using. Any other behavior
> > would be a security problem.
> >
> >> Not sure I can agree with this reasoning too. All apps on the
> >> server use the default system CA store so should we consider them
> >> insecure? I see no harm of Java looking in the default
> >> location(s) on the server when a cert can not be validated by
> >> looking in the trust store. Otherwise as noted above in case of
> >> custom trust store we need to load all those certificates anyway
> >> ending up with same certificates stored in multiple places,
> >> making the size of the trust store unnecessary big.
>
> You are talking about a web application connecting to an outside
> service like a REST service via HTTPS, right? How many of these
> services could you possibly be connecting to? Why don't you already
> know their CAs?
>

Actually many. My point is I don't have to know their CAs *except* when
they are self-signed. So when I connect to an API partner with a certificate
signed by a valid CA then the cert should obviously be validated without me
putting the CA in the trust store. Isn't this the way any other app would
expect things to happen (except Java obviously)?

Another reason is containers, where we try to get the smallest possible
image size. Why would I even bother changing and bloating my image just
because I need to add CAs to my trust store when they have already been
loaded via the installed ca-certificates package, let's say? Much easier
than maintaining my own trust store file.


> The default trust store that ships with the JVM is really only good if
> you want to connect to an arbitrary service and inherit all the certs
> that e.g. Oracle trusts. That only makes sense if you don't know in
> advance who you'll be connecting to.
>
> > The proper way to validate a certificate chain is to perform the
> > following algorithm:
> >
> > 0. Start with the server's certificate (the leaf)
> > 1. Is the certificate in the trust store? Yes: chain is valid; stop
> > 2. Is the certificate signed by a cert in the trust store? Yes: chain is
> >    valid; stop
> > 3. Is the certificate signed by the next cert in the chain? No: chain is
> >    invalid; stop
> > 4. Move to the next cert in the chain
> > 5. Go to step 1
> >
> > So if y

Re: JVM keystores and CA

2018-10-23 Thread Igor Cicimov
Hi Mark,

On Tue, Oct 23, 2018 at 3:13 AM Mark H. Wood  wrote:

> On Fri, Oct 19, 2018 at 10:09:16AM +1100, Igor Cicimov wrote:
> [snip]
> > To conclude, the way I would expect the trust store to be used and the
> > whole validation done:
> >
> > 1. I use a custom trust store because I need to load self-signed
> >    certificates that I need to validate when connecting to let's say
> >    partner APIs that use self-signed certificates and I know I can trust
> > 2. I would expect nothing else needed in this store as every other valid
> >    certificate under the sun is already located in default locations on
> >    the server Java is running on
> > 3. In case JAVA_HOME/lib/security/cacerts is my trust store (the default)
> >    I would expect Java to use the system store(s) too in case a
> >    certificate can not be validated simply because a CA is missing in the
> >    Java store. Example, DigiCert Global Root G2 CA is missing in the Java
> >    versions older than 8u91 causing inexplicable PKIX exceptions but can
> >    be found in the system store, both under /etc/ssl/certs and
> >    /usr/share/ca-certificates which are (much) more frequently updated
> >    with new certs than Java versions. This actually applies to the case
> >    of a custom trust store even more so
> >
> > Thoughts?
>
> There are two ways that a truststore can be inadequate.  (1) It can
> lack a certificate that your application should trust.  (2) It can
> contain a certificate that your application should NOT trust.
>
> Suppose that you had an application A which needs to distrust one of the
> CAs (X) that are trusted by the OS maintainers.  And suppose that you had
> other applications on the same host which need to trust that same CA.
>
> The way it currently works, you can copy the systemwide JRE truststore
> once, remove from the copy the certificate for X, and tell A to use
> the copy as its truststore.  Every other application can just default
> to the systemwide truststore.  (This also works if you need to give A
> an additional trusted CA not needed by other applications, and are
> willing to trust all the other CAs.)
>
> The way you suggest it should work, you must remove X from all
> systemwide truststores of every type, and then configure a custom
> truststore for every application except A.
>

I get what you are saying but I really can't imagine I would ever get into
this kind of situation where I would need to distrust a specific CA and only
for one single application. Most of the time I need to trust all CAs that
the world is trusting at that moment.


> Which is more error-prone?
>
> It shouldn't be difficult to write a script that makes a copy of the
> systemwide store and adjusts it to your application's specific needs.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>


Re: JVM keystores and CA

2018-10-18 Thread Igor Cicimov
Hi Chris,

On Fri, Oct 19, 2018 at 2:14 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Igor,
>
> On 10/16/18 17:03, Igor Cicimov wrote:
> > On Tue, Oct 16, 2018 at 8:56 PM Igor Cicimov 
> > wrote:
> >
> >> Hi Jose,
> >>
> >> On Tue, Oct 16, 2018 at 5:52 PM Jose María Zaragoza
> >>  wrote:
> >>
> >>> Hi
> >>>
> >>> On Tue, 16 Oct 2018 at 1:49, Igor Cicimov
> >>> () wrote:
> >>>>
> >>>> Hi all,
> >>>>
> >>>> I just want to clarify something that I've been seeing behave
> >>>> differently on various Java versions during the years. In case we
> >>>> have the following setting:
> >>>>
> >>>> -Djavax.net.ssl.trustStore=/keystore/truststore.jks"
> >>>>
> >>>> in Tomcat's default config file, is the JVM supposed to fall back
> >>>> to the global CA store on the server under /etc/ssl/certs for
> >>>> verification in case *any* of the certificates returned by a
> >>>> trusted domain are not present in the above JKS store? By any I
> >>>> mean, all the certs in the chain returned by the SSL handshake.
> >>>>
> >>>> For example, let's say we have a situation like this:
> >>>>
> >>>> DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 ->
> >>>> CN=*.mydomain.com
> >>>>
> >>>> Let's say I have imported the CN=*.mydomain.com certificate in the
> >>>> truststore.jks; the question is, is the JVM going to look under
> >>>> /etc/ssl/certs for RapidSSL in order to validate the CN signature
> >>>> and then for DigiCert to validate the RapidSSL cert?
> >>>>
> >>>> As I said I have had mixed luck with this over the years, sometimes
> >>>> it works as (I) expect it to work i.e. verify the certs by looking
> >>>> at the system CA store and sometimes this is not the case.
> >>>
> >>> My experience is that if you store a server certificate in the
> >>> truststore.jks, it doesn't search anywhere else.
> >>>
> >>
> >> That's my experience too ... most of the time. But what happens
> >> when let's say the domain returns multiple certificates in the
> >> handshake, like the intermediate and the domain certificate? For
> >> the example above I gave:
> >>
> >> DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 ->
> >> CN=*.mydomain.com
> >>
> >> what if what is sent back are the Intermediate (RapidSSL TLS RSA
> >> CA G1) and the domain one (*.mydomain.com) cert in the chain? Is
> >> Java going to need to validate the Intermediate cert now too?
> >> There is only the domain cert in the truststore so how is it
> >> going to validate the Intermediate in this case? Is the
> >> Intermediate ignored maybe since the domain one validates
> >> anyway?
> >>
> >>> This behaviour makes sense for me because you are saying that you
> >>> trust in that certificate because you verified (by other means) it
> >>> before. Even if the certificate is expired (and the server sends it
> >>> expired too, obviously), I think that it is validated as trusted
> >>>
> >>> Regards
> >>>
> >>>
> > To make it more clear, with a custom trusted keystore how do the
> > certs that are not trusted get validated? Now Java needs to
> > validate the whole chain so where does it look for the CAs? In its
> > own keystore $JAVA_HOME/jre/lib/security/cacerts or under
> > /etc/ssl/certs ?
>
> Java has no notion of CAs, nor does any trust store, really.


Correct, but by loading all CAs in the trust store it kinda does,
indirectly.

> A certificate is trusted if it is present in the trust store, full stop.
> It need not be a "CA". The only thing being a CA gets you is ... in
> everyone's default trust stores.
>

> The system property javax.net.ssl.trustStore only sets the default
> trust store for the JVM and any components which choose to use it. For
> example, if you use HttpU

Re: JVM keystores and CA

2018-10-16 Thread Igor Cicimov
On Tue, Oct 16, 2018 at 8:56 PM Igor Cicimov  wrote:

> Hi Jose,
>
> On Tue, Oct 16, 2018 at 5:52 PM Jose María Zaragoza 
> wrote:
>
>> Hi
>>
>> On Tue, 16 Oct 2018 at 1:49, Igor Cicimov ()
>> wrote:
>> >
>> > Hi all,
>> >
>> > I just want to clarify something that I've been seeing behave
>> > differently on various Java versions during the years. In case we have
>> > the following setting:
>> >
>> > -Djavax.net.ssl.trustStore=/keystore/truststore.jks"
>> >
>> > in Tomcat's default config file, is the JVM supposed to fall back to
>> > the global CA store on the server under /etc/ssl/certs for verification
>> > in case *any* of the certificates returned by a trusted domain are not
>> > present in the above JKS store? By any I mean, all the certs in the
>> > chain returned by the SSL handshake.
>> >
>> > For example, let's say we have a situation like this:
>> >
>> > DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com
>> >
>> > Let's say I have imported the CN=*.mydomain.com certificate in the
>> > truststore.jks; the question is, is the JVM going to look under
>> > /etc/ssl/certs for RapidSSL in order to validate the CN signature and
>> > then for DigiCert to validate the RapidSSL cert?
>> >
>> > As I said I have had mixed luck with this over the years, sometimes it
>> > works as (I) expect it to work i.e. verify the certs by looking at the
>> > system CA store and sometimes this is not the case.
>>
>> My experience is that if you store a server certificate in the
>> truststore.jks, it doesn't search anywhere else.
>>
>
> That's my experience too ... most of the time. But what happens when let's
> say the domain returns multiple certificates in the handshake, like the
> intermediate and the domain certificate? For the example above I gave:
>
> DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com
>
> what if what is sent back are the Intermediate (RapidSSL TLS RSA CA G1)
> and the domain one (*.mydomain.com) cert in the chain? Is Java going to
> need to validate the Intermediate cert now too? There is only the domain
> cert in the truststore so how is it going to validate the Intermediate in
> this case? Is the Intermediate ignored maybe since the domain one validates
> anyway?
>
>> This behaviour makes sense for me because you are saying that you
>> trust in that certificate because you verified (by other means) it
>> before. Even if the certificate is expired (and the server sends it
>> expired too, obviously), I think that it is validated as trusted
>>
>> Regards
>>
>>
To make it more clear, with a custom trusted keystore how do the certs that
are not trusted get validated? Now Java needs to validate the whole chain
so where does it look for the CAs? In its own keystore
$JAVA_HOME/jre/lib/security/cacerts or under /etc/ssl/certs ?


Re: JVM keystores and CA

2018-10-16 Thread Igor Cicimov
Hi Jose,

On Tue, Oct 16, 2018 at 5:52 PM Jose María Zaragoza 
wrote:

> Hi
>
> On Tue, 16 Oct 2018 at 1:49, Igor Cicimov ()
> wrote:
> >
> > Hi all,
> >
> > I just want to clarify something that I've been seeing behave differently
> > on various Java versions during the years. In case we have the following
> > setting:
> >
> > -Djavax.net.ssl.trustStore=/keystore/truststore.jks"
> >
> > in Tomcat's default config file, is the JVM supposed to fall back to the
> > global CA store on the server under /etc/ssl/certs for verification in
> > case *any* of the certificates returned by a trusted domain are not
> > present in the above JKS store? By any I mean, all the certs in the chain
> > returned by the SSL handshake.
> >
> > For example, let's say we have a situation like this:
> >
> > DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com
> >
> > Let's say I have imported the CN=*.mydomain.com certificate in the
> > truststore.jks; the question is, is the JVM going to look under
> > /etc/ssl/certs for RapidSSL in order to validate the CN signature and
> > then for DigiCert to validate the RapidSSL cert?
> >
> > As I said I have had mixed luck with this over the years, sometimes it
> > works as (I) expect it to work i.e. verify the certs by looking at the
> > system CA store and sometimes this is not the case.
>
> My experience is that if you store a server certificate in the
> truststore.jks, it doesn't search anywhere else.
>

That's my experience too ... most of the time. But what happens when let's
say the domain returns multiple certificates in the handshake, like the
intermediate and the domain certificate? For the example above I gave:

DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com

what if what is sent back are the Intermediate (RapidSSL TLS RSA CA G1) and
the domain one (*.mydomain.com) cert in the chain? Is Java going to need to
validate the Intermediate cert now too? There is only the domain cert in
the truststore so how is it going to validate the Intermediate in this
case? Is the Intermediate ignored maybe since the domain one validates
anyway?

> This behaviour makes sense for me because you are saying that you
> trust in that certificate because you verified (by other means) it
> before. Even if the certificate is expired (and the server sends it
> expired too, obviously), I think that it is validated as trusted
>
> Regards
>
>


JVM keystores and CA

2018-10-15 Thread Igor Cicimov
Hi all,

I just want to clarify something that I've been seeing behave differently
on various Java versions during the years. In case we have the following
setting:

-Djavax.net.ssl.trustStore=/keystore/truststore.jks"

in Tomcat's default config file, is the JVM supposed to fall back to the
global CA store on the server under /etc/ssl/certs for verification in case
*any* of the certificates returned by a trusted domain are not present in
the above JKS store? By any I mean, all the certs in the chain returned by
the SSL handshake.

For example, let's say we have a situation like this:

DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com

Let's say I have imported the CN=*.mydomain.com certificate in the
truststore.jks; the question is, is the JVM going to look under
/etc/ssl/certs for RapidSSL in order to validate the CN signature and then
for DigiCert to validate the RapidSSL cert?

As I said I have had mixed luck with this over the years, sometimes it
works as (I) expect it to work i.e. verify the certs by looking at the
system CA store and sometimes this is not the case.

Thanks for any help/insights.

Igor
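The chain-walk algorithm Christopher Schultz spells out earlier in this thread, applied to the exact chain asked about here (DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com), as an added model in Python. This is not code from the thread or from the JDK: the certificates are constructed records, the signature check is a hash-based stand-in for real X.509 signature verification, and the trust-store contents in `scenarios()` (leaf only, root only, intermediate only, a cacerts without G2, a leaf whose signature does not verify) are constructed to match the cases discussed. What it reproduces faithfully is the control flow the thread describes: only the configured trust store is consulted, there is no fall-back to /etc/ssl/certs, and the walk stops at the first cert in the presented chain that is either in the store or signed by something in it.

```python
"""Trust-store chain walk, as an added model of the algorithm Chris Schultz
gives in the thread.  Not JDK code: certificates are constructed records and
the signature is a hash stand-in (a real implementation verifies the X.509
signature with the issuer's public key).  What it does reproduce is the
control flow: only the configured trust store is consulted, nothing falls
back to /etc/ssl/certs, and the walk stops at the first certificate in the
presented chain that is in the store or is signed by something in it."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str   # stands in for the certificate's public key
    sig: str      # stands in for the issuer's signature over (subject, key_id)


def _tbs(subject, key_id):
    """The bytes a real CA would sign ("to be signed" part), toy version."""
    return f"{subject}|{key_id}".encode()


def _toy_sig(signer_key_id, subject, key_id):
    return hashlib.sha256(signer_key_id.encode() + _tbs(subject, key_id)).hexdigest()


def issue(subject, key_id, issuer_cert=None):
    """Constructed issuance: a root is issued with its own key (self-signed)."""
    if issuer_cert is None:
        return Cert(subject, subject, key_id, _toy_sig(key_id, subject, key_id))
    return Cert(subject, issuer_cert.subject, key_id,
                _toy_sig(issuer_cert.key_id, subject, key_id))


def signed_by(cert, signer):
    """Name chaining plus the toy signature check (stand-in for verifying the
    signature with the signer's public key)."""
    return (cert.issuer == signer.subject
            and cert.sig == _toy_sig(signer.key_id, cert.subject, cert.key_id))


def validate_chain(chain, trust_store):
    """Walk the server-presented chain, leaf first:
      1. cert in the trust store?                  -> valid, stop
      2. cert signed by a cert in the trust store?  -> valid, stop
      3. cert signed by the next cert in the chain? -> no: invalid, stop
      4/5. move to the next cert and repeat
    Returns (verdict, reason).  `trust_store` is the only source of trust."""
    anchors = set(trust_store)
    for i, cert in enumerate(chain):
        if cert in anchors:
            return True, f"{cert.subject} is in the trust store"
        for anchor in anchors:
            if signed_by(cert, anchor):
                return True, f"{cert.subject} is signed by trusted {anchor.subject}"
        if i + 1 == len(chain):
            return False, (f"no issuer for {cert.subject} in the chain or the "
                           "trust store (the familiar PKIX path-building failure)")
        if not signed_by(cert, chain[i + 1]):
            return False, f"{cert.subject} is not signed by the next cert in the chain"
    return False, "empty chain"


# Constructed mini-PKI using the names from the thread (no real keys involved).
ROOT = issue("DigiCert Global Root G2", "key-g2")
INTER = issue("RapidSSL TLS RSA CA G1", "key-rapidssl", ROOT)
LEAF = issue("*.mydomain.com", "key-leaf", INTER)
SERVER_CHAIN = [LEAF, INTER]      # servers normally send leaf + intermediate, not the root
OTHER_ROOT = issue("Some Unrelated Root", "key-other")
# Same names as LEAF but a signature that does not verify.
BAD_LEAF = Cert(LEAF.subject, LEAF.issuer, "key-leaf", "not-a-valid-signature")


def scenarios():
    """Outcomes for the trust-store contents discussed in the thread."""
    return {
        # custom truststore.jks holding only the leaf: step 1 matches and the
        # intermediate sent in the handshake is never examined
        "leaf_only_store": validate_chain(SERVER_CHAIN, [LEAF])[0],
        # cacerts that already contains G2: the walk reaches the intermediate
        # and finds it signed by the trusted root
        "root_only_store": validate_chain(SERVER_CHAIN, [ROOT])[0],
        # a JDK whose cacerts lacks G2 (older than 8u91, per the thread):
        # nothing in the chain is trusted or trusted-signed, so PKIX fails,
        # whatever /etc/ssl/certs contains
        "g2_missing": validate_chain(SERVER_CHAIN, [OTHER_ROOT])[0],
        # only the intermediate in the store: step 2 on the leaf succeeds
        "intermediate_in_store": validate_chain(SERVER_CHAIN, [INTER])[0],
        # right names, wrong signature: step 3 rejects it
        "bad_signature": validate_chain([BAD_LEAF, INTER], [ROOT])[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} {'valid' if ok else 'INVALID'}")
```

The `leaf_only_store` case is the answer to the question above: with only CN=*.mydomain.com in truststore.jks the walk ends at step 1, so the intermediate in the handshake is never looked up anywhere; `g2_missing` is the pre-8u91 cacerts case, where the walk runs off the end of the presented chain and fails with the PKIX error regardless of what the OS store holds.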


Re: Domain name change in Tomcat

2018-08-07 Thread Igor Cicimov
On Wed, 8 Aug 2018 1:52 am Laurie Miller-Cook <
laurie.miller-c...@larmerbrown.com> wrote:

> Hi there,
>
> I have an issue where I need to either change the URL of a Website in
> Tomcat.
>
> The current URL is https://training.ondemand.com and this needs to be
> changed to https://wbt.ondemand.com (we have a wildcard SSL certificate)
>
> In my server.xml I have the following
>
>  unpackWARs="true" autoDeploy="true">
>  className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>prefix="Training_access_log" suffix=".txt"
>pattern="%h %l %u %t %r %s %b" />
> 
>
>
> Can I change the host name to wbt.ondemand.com and everything will still
> work or as I expect am I going to have to build a new site from scratch?
>
> All the best
>
> Laurie
>

Just use an Alias inside the Host:
https://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Host_Name_Aliases


Re: JKS certificate for Tomcat client authentication

2018-03-17 Thread Igor Cicimov
Hi Chris,

On Tue, Feb 27, 2018 at 1:56 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Igor,
>
> On 2/23/18 5:47 PM, Igor Cicimov wrote:
> > On Sat, Feb 24, 2018 at 7:52 AM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> >>
> >> Igor,
> >>
> >> On 2/23/18 4:45 AM, Igor Cicimov wrote:
> >>> Hi all,
> >>>
> >>> I have the following setup in the tomcat default file on
> >>> Ubuntu-14.04:
> >>>
> >>> JAVA_OPTS="$JAVA_OPTS
> >>> -Djavax.net.ssl.keyStore=/opt/encompass/keystore/keystore.jks"
> >>> JAVA_OPTS="$JAVA_OPTS
> >>> -Djavax.net.ssl.trustStore=/opt/encompass/keystore/truststore.jks"
> >>>
> >>> The keystore.jks holds a dozen SSL keys our app uses to
> >>> authenticate to various web services. One of these
> >>> certificates expired and I used openssl to create a new private
> >>> key (key.pem) and CSR, that the other side signed and sent back
> >>> (cert.pem). Then I concatenated the certificate and the private
> >>> key into a single file:
> >>>
> >>> $ cat cert.pem key.pem > cert2.pem
> >>>
> >>> and imported the file into the existing keystore using
> >>> keytool:
> >>>
> >>> $ keytool -delete -alias client-cert -keystore keystore.jks -storepass
> >>> $ keytool -import -alias client-cert -file cert2.pem -keystore keystore.jks -storepass
> >>>
> >>> The signing root CA and the intermediate certificate already
> >>> exist in the truststore.jks keystore.
> >>>
> >>> Does this procedure sound sane? Is there a better (or maybe
> >>> proper) way of doing it?
> >>
> >> Are you just sanity-checking your process for importing certs
> >> into a JKS bundle?
> >>
> >
> > I'm just sanity-checking the process in terms of keystore
> > functionality and any possible issues for the JVM using and finding
> > the cert and the key in the store.
> >
> > The reason being after importing the new cert our access does not
> > work any more and the issuer has a limited (as they say, *sigh*)
> > troubleshooting capability on their side. Not sure how that is
> > possible, bearing in mind that they have designed and are in control
> > of the authentication (SSL client certs) and authorization
> > (username/password) system (Tivoli Axis2 app if that matters).
> > Building something and then not being able to tell clients if their
> > access is denied due to bad/missing certificate or bad/missing
> > credentials is just unbelievable. They even claim they can't see our
> > side connecting at all to their web service although in our logs I
> > can see:
> >
> > Invalid Content-Type:text/html. Is this an error message instead of
> > a SOAP response?
> >
> > response coming back but as html error message instead of SOAP
> > response.
>
> You could try my ssltest tool. It supports client TLS authentication.
> Maybe just a sanity-check that there isn't anything wrong with your
> own Java client:
>
> https://github.com/ChristopherSchultz/ssltest
>
> Also, since you have the original (separate) key and (signed)
> certificate files, definitely give this a try:
>
> $ openssl s_client \
> -showcerts \
> -cert cert.pem \
> -key key.pem \
> -connect [endpoint]
>
> If you can't connect using that, then either the cert or the key is
> not correct. OpenSSL should tell you if the key doesn't match the
> cert, or if the password is wrong.
>
> If you remove the -cert and -key arguments and try to connect, the
> service ought to tell you which certificates are acceptable. It will
> probably tell you that anything signed by a particular certificate is
> okay and not your particular certificate (otherwise, they'd have a
> million certs they trust).
>
> Once you have confirmed the crypto material you have (key, certs), you
> can use ssltest above to see if you have packaged those bits into the
> keystore properly. You might want to use a separate keystore for this
> testing purpose, just in case something else is interfering.
>
> Theoretically, as long as your keystore contains:
>
> 1. The signing (or, more likely, the "intermediate") certificate
> 2. The signed certificate
> 3. The signe

Re: JKS certificate for Tomcat client authentication

2018-02-23 Thread Igor Cicimov
Hi Chris,

On Sat, Feb 24, 2018 at 7:52 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Igor,
>
> On 2/23/18 4:45 AM, Igor Cicimov wrote:
> > Hi all,
> >
> > I have the following setup in the tomcat default file on
> > Ubuntu-14.04:
> >
> > JAVA_OPTS="$JAVA_OPTS
> > -Djavax.net.ssl.keyStore=/opt/encompass/keystore/keystore.jks"
> > JAVA_OPTS="$JAVA_OPTS
> > -Djavax.net.ssl.trustStore=/opt/encompass/keystore/truststore.jks"
> >
> > The keystore.jks holds a dozen SSL keys our app uses to
> > authenticate to various web services. One of these certificates
> > expired and I used openssl to create a new private key (key.pem) and
> > CSR, that the other side signed and sent back (cert.pem). Then I
> > concatenated the certificate and the private key into a single file:
> >
> > $ cat cert.pem key.pem > cert2.pem
> >
> > and imported the file into the existing keystore using keytool:
> >
> > $ keytool -delete -alias client-cert -keystore keystore.jks -storepass
> > $ keytool -import -alias client-cert -file cert2.pem -keystore keystore.jks -storepass
> >
> > The signing root CA and the intermediate certificate already exist
> > in the truststore.jks keystore.
> >
> > Does this procedure sound sane? Is there a better (or maybe proper)
> > way of doing it?
>
> Are you just sanity-checking your process for importing certs into a
> JKS bundle?
>

I'm just sanity-checking the process in terms of keystore functionality and
any possible issues for the JVM using and finding the cert and the key in
the store.

The reason being after importing the new cert our access does not work any
more and the issuer has a limited (as they say, *sigh*) troubleshooting
capability on their side. Not sure how that is possible, bearing in mind
that they have designed and are in control of the authentication (SSL
client certs) and authorization (username/password) system (Tivoli Axis2
app if that matters). Building something and then not being able to tell
clients if their access is denied due to bad/missing certificate or
bad/missing credentials is just unbelievable. They even claim they can't
see our side connecting at all to their web service although in our logs I
can see:

Invalid Content-Type:text/html. Is this an error message instead of a SOAP
response?

response coming back but as html error message instead of SOAP response.


> Does the process result in the items you expected to be in the keystore?
>

From what I can see all the bits are there. I have enabled the Java SSL
debugging and can see the cert being loaded on startup and exchanged during
SSL handshake and no errors can be seen in the process, like the usual PKIX
error when matching cert can not be found etc.

Any ideas what can be possibly wrong?


> I'd personally be very paranoid if the JKS file was the only place all
> of those key/cert pairs were stored, because of my (bad) experience
> using JKS keystores in the past. Thankfully, Oracle is finally
> deprecating them and making the default keystore type PKCS12 in the
> future. JKS (and its surprisingly extant cousin, JCEKS) never should
> have existed.
>
>
Yeah I saw some warning messages with the latest Oracle jdk-1.8_161 about
JKS being deprecated in favour of PKCS12 when I use keytool on the servers.
I never saw those before at least not for jdk-1.7 for sure.


> - -chris
>

Thanks,
Igor


Re: Tomcat 8.5.23

2018-02-23 Thread Igor Cicimov
On 16 Feb 2018 4:40 am, "Lawrence Lim"  wrote:

Hi,

I just installed tomcat 8.5.23. I am having problems deploying web apps via
manager. To reproduce:

1. Login to tomcat manager
2. Go to "WAR file to deploy"
3. Pick a war file

Error message: FAIL - File upload failed, no file

Workaround: Copy war file to the tomcat webapps directory

I also tried using localhost:8080, same result. So, it's not some weird
networking constraint.


Lawrence Lim
Software Developer
-

ENBRIDGE
TEL: 780-969-6208
10175 101 St NW,  Edmonton, Alberta T5J 0H3

enbridge.com
Integrity. Safety. Respect.

Probably directory permissions. Where did you extract Tomcat and what are
the permissions on the directory you are uploading to? Anything in the
Tomcat log file? What happens if you manually try to copy the file to the
target directory as the user Tomcat is running under?


JKS certificate for Tomcat client authentication

2018-02-23 Thread Igor Cicimov
Hi all,

I have the following setup in the tomcat default file on Ubuntu-14.04:

JAVA_OPTS="$JAVA_OPTS
-Djavax.net.ssl.keyStore=/opt/encompass/keystore/keystore.jks"
JAVA_OPTS="$JAVA_OPTS
-Djavax.net.ssl.trustStore=/opt/encompass/keystore/truststore.jks"

The keystore.jks holds a dozen SSL keys our app uses to authenticate to
various web services. One of these certificates expired and I used openssl
to create a new private key (key.pem) and CSR, that the other side signed
and sent back (cert.pem). Then I concatenated the certificate and the
private key into a single file:

$ cat cert.pem key.pem > cert2.pem

and imported the file into the existing keystore using keytool:

$ keytool -delete -alias client-cert -keystore keystore.jks -storepass
$ keytool -import -alias client-cert -file cert2.pem -keystore keystore.jks -storepass

The signing root CA and the intermediate certificate already exist in the
truststore.jks keystore.

Does this procedure sound sane? Is there a better (or maybe proper) way of
doing it?

Thanks,
Igor


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On Thu, Oct 12, 2017 at 9:17 AM, Igor Cicimov <icici...@gmail.com> wrote:

> On 12 Oct 2017 8:25 am, "Gali, Vamsi A" <vamsi_a_g...@keybank.com.invalid>
> wrote:
>
> The debug log produced following & it's evident that handshake is failing
> due to no ciphers suites in common.
>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio--Acceptor-0, setSoTimeout(6) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
> for TLSv1.1
> http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
> *** ClientHello, TLSv1.2
> RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13,
> 144, 113, 194, 145, 53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96,
> 238, 97, 6, 240, 239, 53, 188, 180, 41 }
> Session ID:  {}
> Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
> SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_RC4_128_MD5]
> Compression Methods:  { 0 }
> ***
> %% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> %% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
> http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description =
> handshake_failure
> http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
> http-bio--exec-2, called closeSocket()
>
>
>
> http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
> no cipher suites in common
> http-bio--exec-2, IOException in getSession():
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
>
> There you go, no comment needed.
>
> Also, since you are using JSSE in your Tomcat connector, you never
> mentioned the Java version you are using. From the logs it looks like IHS
> offers TLSv1.2 ciphers but Tomcat does not support them, so maybe you are
> running an outdated version of Java, maybe 1.6?

There are some tools out there you can use to find the default SSL/TLS cipher
suites that the JVM will use (and I think I've seen one from Christopher
Schultz). The tool should provide you with output like this:

$ java Ciphers
DefaultCipher
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 SSL_DH_anon_WITH_DES_CBC_SHA
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA
 SSL_RSA_WITH_NULL_MD5
 SSL_RSA_WITH_NULL_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_DH_anon_WITH_AES_128_CBC_SHA
 TLS_DH_anon_WITH_AES_128_CBC_SHA256
 TLS_DH_anon_WITH_AES_128_GCM_SHA256
...

then pick one of the supported default ciphers (marked with a star) and use
it in IHS (as is, or translated the IHS way, no idea about that) so you get a
match. I know nothing about IHS so can't help there.

If that doesn't work then I would say IHS does some funky stuff with the
cipher suites in a way that Tomcat can't understand them.

Igor
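The ClientHello in the log above offers seven suites, all with plain RSA key exchange (RC4, 3DES and AES-CBC with SHA-1 or MD5 MACs) and no extensions, and Tomcat's JSSE answers "no cipher suites in common". Before touching IHS it helps to replay exactly that offer against the Tomcat connector with openssl s_client: if the direct connection fails with the same alert, the problem is on the Tomcat side (the connector's ciphers attribute, a non-RSA key in the keystore, or suites the JVM has disabled); if it succeeds, the mismatch is introduced by IHS. The script below is an added example, not a tool from the post or the Tomcat project. It pulls the offered suites out of a -Djavax.net.debug=ssl log, maps them to OpenSSL names and prints the reproduction command; the log excerpt it carries is constructed from the lines quoted above, and tomcat:8443 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the post or the Tomcat project: extract the cipher
# suites a client offered (from a JSSE -Djavax.net.debug=ssl log) and build
# the openssl s_client command that replays the same offer against Tomcat.
set -eu

# Print one offered suite per line from the "Cipher Suites: [...]" block of
# the ClientHello. Signalling values (SCSVs, "Unknown 0x..") are dropped
# because they are not ciphers.
client_suites() {
    awk '
        /^Cipher Suites: \[/ { grab = 1; sub(/^Cipher Suites: \[/, "") }
        grab {
            line = $0
            if (index(line, "]")) { sub(/\].*/, "", line); grab = 0 }
            n = split(line, part, /, */)
            for (i = 1; i <= n; i++) {
                s = part[i]; gsub(/^ +| +$/, "", s)
                if (s != "" && s !~ /SCSV|^Unknown/) print s
            }
        }' "$1"
}

# JSSE suite name -> OpenSSL ciphers(1) name for the suites seen on the page.
# Returns 1 for anything not in the table so callers can skip it.
java_to_openssl() {
    case $1 in
        TLS_RSA_WITH_AES_128_CBC_SHA)          echo AES128-SHA ;;
        TLS_RSA_WITH_AES_256_CBC_SHA)          echo AES256-SHA ;;
        TLS_RSA_WITH_AES_128_CBC_SHA256)       echo AES128-SHA256 ;;
        SSL_RSA_WITH_3DES_EDE_CBC_SHA)         echo DES-CBC3-SHA ;;
        SSL_RSA_WITH_RC4_128_SHA)              echo RC4-SHA ;;
        SSL_RSA_WITH_RC4_128_MD5)              echo RC4-MD5 ;;
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA)      echo DHE-RSA-AES128-SHA ;;
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) echo ECDHE-RSA-AES128-GCM-SHA256 ;;
        *) return 1 ;;
    esac
}

# Build the replay command for the connector at $2 (host:port placeholder).
# -tls1_2 matches the version in the ClientHello; the cipher list keeps the
# client's order so Tomcat sees the same offer IHS made.
repro_cmd() {
    list=""
    for s in $(client_suites "$1"); do
        o=$(java_to_openssl "$s") || continue
        list="${list:+$list:}$o"
    done
    printf 'openssl s_client -connect %s -tls1_2 -cipher %s < /dev/null\n' "$2" "$list"
}

# Constructed excerpt of the debug log quoted in the thread, written to a
# temp file; prints the file name.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
EOF
    echo "$f"
}
```

With the real catalina.out, repro_cmd catalina.out host:8443 prints the s_client line to run from the IHS box; a "handshake failure" there means the connector itself refuses every suite the proxy offers, and adding one of the starred suites from the JVM's default list to the IHS side (or to the connector's ciphers attribute) is the next step.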


RE: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On 12 Oct 2017 8:25 am, "Gali, Vamsi A" 
wrote:

The debug log produced following & it's evident that handshake is failing
due to no ciphers suites in common.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio--Acceptor-0, setSoTimeout(6) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
http-bio--exec-2, READ: TLSv1.2 Handshake, length = 57
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2042962343 bytes = { 199, 95, 13, 144, 113, 194, 145,
53, 176, 117, 165, 93, 196, 76, 17, 104, 214, 95, 96, 238, 97, 6, 240, 239,
53, 188, 180, 41 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x56:0x0,
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
http-bio--exec-2, SEND TLSv1.2 ALERT:  fatal, description =
handshake_failure
http-bio--exec-2, WRITE: TLSv1.2 Alert, length = 2
http-bio--exec-2, called closeSocket()



http-bio--exec-2, handling exception: javax.net.ssl.SSLHandshakeException:
no cipher suites in common
http-bio--exec-2, IOException in getSession():
javax.net.ssl.SSLHandshakeException:
no cipher suites in common


There you go, no comment needed.


Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

2017-10-11 Thread Igor Cicimov
On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
wrote:

Hello,

Any help is appreciated on this issue.

Thank you,
Vamsi Gali


-Original Message-
From: Gali, Vamsi A
Sent: Thursday, October 05, 2017 12:03 PM
To: 'Tomcat Users List'
Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL
proxy connection

Hello,
I just realized that I didn’t provide the environment info & following are
the details:

Tomcat:  apache-tomcat-7.0.75
IHS: IHS v8.5.5.x
OS: RHEL

We have IHS→mod_proxy(on IHS) → Tomcat.
I know that IHS isn’t the suggested webserver to use with Tomcat but it’s
in use.
[error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection

When Tomcat is accessed through webserver url, it throws ‘500’ with the
following stack on the IHS Error log:

[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT (TOMCAT2)
[Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
[Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_8Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_32Bits
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    9xx
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    gsksslDissector_Opaque
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 28
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9   .b...D...)...Y..
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx               %..o.9 x
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 14
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx         ..V/.5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  compression_methods
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 01
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    00   .
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 00
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Extension Count: 0
[Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
[Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2


--
What's done: IHS & Tomcat keystores contain the required signers for proper
communication. During troubleshooting I even added the IHS server cert as a
signer into the Tomcat keystore and vice versa, but cannot get rid of this
error.
Also tried restricting both IHS & Tomcat to use TLSv1, but no success.

Has anyone run into similar issues? Or ever tried Tomcat with IHS using the
mod_proxy module?


Thank you,
Vamsi Gali



Re: Under system account, Tomcat starts even with shutdown port conflict

2017-06-08 Thread Igor Cicimov
If you are trying to run it on a port below 1024 you need authbind enabled.

On 9 Jun 2017 1:21 am, "Tou Vue"  wrote:

> Hello,
>
> I have a question regarding how Tomcat starts up under the system account
> and local user account in Windows. I had a Tomcat service that would start
> fine under the system account, but once I configured it to start under the
> local user account, I received a JVM_Bind exception. It looks like the
> Tomcat was not able to access the shutdown port configured.
>
> I figured it was a port conflict, another service was using the same port.
> So, I changed the port so there was no conflict, and Tomcat started up okay
> again. But I'm still wondering why Tomcat was able to start up with the
> system account even with the same port conflict.
>
> Any suggestions would be appreciated.
>
> Thank You,
> Tou Vue
>


Re: SSL on Tomcat7 on AWS not connecting

2016-11-16 Thread Igor Cicimov
On 17 Nov 2016 4:38 am, "George Chanady"  wrote:
>
> I hope someone can help. I have exhausted all my troubleshooting skills
and all of my newbie Linux knowledge and I am at the end of my rope.
>
> All documentation from around the web always seem to tell me to try
everything I have already tried. I am sure that there must be a caveat that
I am missing.
>
> I have an AWS Linux instance with Tomcat 7.0.73 and cannot for the life
of me get the SSL working.
>
> I set up the AWS instance with nothing else on the server and using a
fresh installation of Tomcat  with basic config settings. I am able to
connect http://mysite.com:8080 but cannot connect with
https://mysite.com:8443.
> I am able to SSH as that is the only way I communicate with the server.
>
> I only have forwarders for port 80 and 443 in the iptables and nothing
else and have security groups in AWS setup to allow all traffic from
everywhere for ports 80, 8080, 443, and 8443.
>
> I have ensured the ports needed are open and listening using netstat
> I have checked to ensure connectivity to the ports from other machines
using netcat
> I checked that the certs were installed properly and that the tomcat
connectors were pointed the proper location
>
> I am attaching my configuration from start to where I hit the wall.
>
> Thanks in advance for any assistance.
>
And you are sure the keystore loads properly?



Are those values for keystoreFile and keystorePass correct? Do you see any
errors in catalina.out log?


Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key format must be RAW

2016-09-21 Thread Igor Cicimov
On 20 Sep 2016 2:45 am, "Dono Harjanto"  wrote:
>
> Hi All,
>
>
> We have a web app deployed on 3 different servers, all running Tomcat
7.0.39 and Java 8 (update 101/102). Here is the operating system on each
server:
>
> - Production: CentOS 6.4
>
> - Staging 1: CentOS 6.5
>
> - Staging 2: CentOS 6.7
>
>
> When we accessed the web app on Production server, we were able to
connect and connected over TLS 1.2 (as expected). However, when we accessed
the web app on both Staging servers we were able to connect, but it was
connected over TLS 1.1 not TLS 1.2 as TLS 1.2 handshake failed and server
sent an Alert (Level: Fatal, Description: Internal Error) response.
>
>
> We enabled SSL debugging on Tomcat and we saw Tomcat threw
InvalidAlgorithmParameterException exception in catalina.out as shown below:
>
>
> http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70
> *** ECDHClientKeyExchange
> ECDH Public value:  { 4, 245, 39, 156, 56, 88, 62, 108, 141, 237, 93,
240, 210, 228, 91, 60, 14, 109, 138, 121, 126, 100, 36, 194, 93, 101, 131,
119, 120, 57, 120, 222, 73, 123, 122, 218, 253, 91, 170, 240, 251, 73, 214,
29, 192, 234, 109, 189, 40, 249, 161, 176, 172, 179, 36, 162, 229, 69, 160,
221, 242, 53, 100, 34, 215 }
> SESSION KEYGEN:
>
> PreMaster Secret:
> (key bytes not available)
> RSA master secret generation error:
> java.security.InvalidAlgorithmParameterException: Key format must be RAW
> at
com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:67)
> at javax.crypto.KeyGenerator.init(KeyGenerator.java:454)
> at javax.crypto.KeyGenerator.init(KeyGenerator.java:430)
> at sun.security.ssl.Handshaker.calculateMasterSecret(Unknown
Source)
> at sun.security.ssl.Handshaker.calculateKeys(Unknown Source)
> at sun.security.ssl.ServerHandshaker.processMessage(Unknown
Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
Source)
> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
> at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:215)
> at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
Source)
> at java.lang.Thread.run(Unknown Source)
> http-bio-8443-exec-1, handling exception:
java.security.ProviderException:
java.security.InvalidAlgorithmParameterException: Key format must be RAW
> %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> http-bio-8443-exec-1, SEND TLSv1.2 ALERT:  fatal, description =
internal_error
> http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2
> [Raw write]: length = 7
> : 15 03 03 00 02 02 50   ..P
> http-bio-8443-exec-1, called closeSocket()
> http-bio-8443-exec-1, IOException in getSession():
javax.net.ssl.SSLException: java.security.ProviderException:
java.security.InvalidAlgorithmParameterException: Key format must be RAW
> http-bio-8443-exec-1, called close()
> http-bio-8443-exec-1, called closeInternal(true)
>
>
>
> Below is the server.xml configuration we have on all servers:
>
>
> <!-- opening tag lost in extraction; the port is taken from the http-bio-8443 thread name above -->
> <Connector port="8443"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> clientAuth="false"
> sslProtocol="TLS"
>
> maxHttpHeaderSize="8192"
> maxThreads="150"
> minSpareThreads="25"
> enableLookups="false"
> disableUploadTimeout="true"
> acceptCount="100"
> useBodyEncodingForURI="true"
>
> keystoreType="pkcs12"
> keystoreFile="/path/to/keystore/.filename.p12"
> keystorePass="" />
>
>
>
> Any idea why Tomcat not able to do TLS 1.2 handshake and throwing "Key
format must be RAW" exception? Did we miss anything here?
>
>
>
> Thanks for your help,
>
> Don
>
This sounds like something specific to PKCS12; can you convert to a JKS
keystore?


Re: nio connector

2016-05-24 Thread Igor Cicimov
On 24 May 2016 12:33 pm, "Christopher Schultz" 
wrote:
>
>
> Jakub,
>
> On 5/23/16 8:03 PM, Ja kub wrote:
> > Christopher, Thx for response, please confirm or deny if I
> > understand well.
> >
> > BIO uses thread per http connection (tcp connection). (Shame I
> > didn't realize it!) NIO uses thread per request.
>
> It's more complicated than that, but very close.
>
> > With NIO thread is returned to pool as soon as request is finished
> > (doGet ends).
>
> Yes.
>
> > With BIO thread is returned to pool only when tcp connection is
> > closed !!!
>
> Yes, but even HTTP keepalive has a timeout, and the connection will be
> dropped after that timeout, releasing the thread.
>
> > Given http://kb.mozillazine.org/Network.http.keep-alive.timeout -
> > Amount of time in seconds to keep keep-alive connections alive.
> > Default: 115 seconds. default tomcat keepAliveTimeout 60 s default
> > tomcat maxThreads is 200 With 200 browsers with ajax pooling server
> > every 50 seconds tomcat connector thread pool will be depleted and
> > client no 201 will not be able to connect to tomcat ?
>
> Yes.
>
Although there is a default accept queue of 100, so theoretically connection
301 will be rejected. Right?

> > So with default configuration tomcat 7 will have problem with just
> > 201 on-line clients of an ajax application (with only 4
> > requests/second) ?
>
> If the browser doesn't close those HTTP connections from the Ajax
> clients, then yes, you can trivially DOS your server.
>
> > Why is BIO connector still default one in tomcat 7 server.xml?
>
> Because it was the default when Tomcat 7 shipped and changing defaults
> that are that important is a big deal. You are welcome to change it
> yourself.
>
> > Is there any problem with backward compatibility (don't think so,
> > cause than BIO wouldn't be totally removed in 8.5, but left
> > available ) ?
>
> BIO is 100% gone in Tomcat 8.5.
>
> The protocol (HTTP) and the API (servlet) are still identical, so
> there should be no problems for your application in general.
>
> - -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


Re: Unable to retrieve X-Forwarded-For in Tomcat 8.0 access log

2016-05-11 Thread Igor Cicimov
On Thu, May 12, 2016 at 4:47 AM, Abhijit Das  wrote:

>
> https://stackoverflow.com/questions/37170742/unable-to-retrieve-x-forwarded-for-in-tomcat-8-0-access-log
> I am injecting a header with a rewrite policy on my LB to pass
> X-Forwarded-For header. Have verified that this appears on all the pages in
> the RESPONSE Header.
>
> I have the following config in server.xml , yet i am not able to see the
> Remote IP/X-Forwarded-For either using %a or %h (I see Loadbalancer IP)
>
> What could be the issue?
>
> <!-- the Valve className attributes were lost in extraction and are
>      restored here; the AccessLogValve attribute is spelled
>      requestAttributesEnabled (the original post had requestAttributeEnabled) -->
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
>        internalProxies="10\.202\.13\.198"
>        remoteIpHeader="X-Forwarded-For"
>        proxiesHeader="x-forwarded-by"
>        requestAttributesEnabled="true"
> />
> <Valve className="org.apache.catalina.valves.AccessLogValve"
>        directory="logs"
>        prefix="localhost_access_log"
>        suffix=".txt"
>        pattern="%t %a %h %{Referer}i %l %S %{User-Agent}i %U %s %r
> %q %A %v %p %b %I %D"
>        requestAttributesEnabled="true"
>        resolveHosts="false"/>
> Log ::
>
> [11/May/2016:11:29:39 -0700] 10.202.13.198 10.202.13.198 https:///index.action
> - 04B3ADCF82A212C6ECD9679BF260732D Mozilla/5.0 (Macintosh; Intel Mac OS X
> 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86
> Safari/537.36 /rest/mywork/latest/status/notification/count 200 GET
> /rest/mywork/latest/status/notification/count HTTP/1.1 10.202.10.17 443 72
> http-nio-8443-exec-17 13
>
> As you see : both %a and % h are : 10.202.13.198 10.202.13.198 (my LB IP)
>
>
> Snippet of my Response Header, showing my LB policy is injecting the
> X-Forwarded-For header.
>
> Cache-Control:private
> Content-Encoding:gzip
> Content-Type:application/json
> Date:Wed, 11 May 2016 17:58:55 GMT
> Expires:Wed, 31 Dec 1969 16:00:00 PST
> Server:Apache-Coyote/1.1
> Strict-Transport-Security:max-age=31536000; includeSubDomains
> Transfer-Encoding:chunked
> Vary:User-Agent
> X-AUSERNAME:admin
> X-App-Cluster-Node:4e77b660
> X-App-Cluster-Node-Name:app_prod_clus_node3
> X-Content-Type-Options:nosniff
> X-Forwarded-For:1.1.1.1
> X-Seraph-LoginReason:OK
>
>
Correct me if I've maybe misunderstood something but I have the same case
and I just chuck %{X-Forwarded-For}i in the pattern to capture the header.


Re: tomcat(7.0.56) is not releasing idle jdbc connections

2016-05-11 Thread Igor Cicimov
On 12 May 2016 9:00 am, "Igor Cicimov" <icici...@gmail.com> wrote:
>
>
> On 12 May 2016 12:16 am, "Niranjan Babu Bommu" <niranjan.bo...@gmail.com>
wrote:
> >
> > I tried the same config on test stacks. numidle is always "10"; why is it
> > behaving differently in prod?
> >
> Are you sure your testing db config is identical to the prod one?
>
> >  >   auth="Container"
> >   type="javax.sql.DataSource"
> >   testWhileIdle="true"
> >   testOnBorrow="true"
> >   testOnReturn="false"
> >   fairQueue="false"
> >   validationQuery="SELECT 1"
> >   validationInterval="3"
> >   timeBetweenEvictionRunsMillis="3"
> >   maxActive="100"

Also, according to your setup you can have up to 100 connections, and since
this is a pool the connections will stay open and be reused.

Regarding the difference from the test environment, I assume it is simply
because you have a different load, i.e. much lower than prod, hence fewer
connections.

> >   maxIdle="10"
> >   minIdle="10"
> >   maxWait="1"
> >   initialSize="10"
> >   removeAbandonedTimeout="60"
> >   removeAbandoned="true"
> >   logAbandoned="true"
> >   minEvictableIdleTimeMillis="30"
> >   jmxEnabled="true"
> >
> >
jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer"
> >   username=""
> >   password=""
> >   driverClassName="com.mysql.jdbc.Driver"
> >
> >
url="jdbc:mysql:///?useServerPrepStmts=false&amp;useOldAliasMetadataBehavior=true"/>
> >
> > On Wed, May 11, 2016 at 7:35 AM, Niranjan Babu Bommu <
> > niranjan.bo...@gmail.com> wrote:
> >
> > > Hi Mark
> > > I have included defined data source in this mail, do you want me to
> > > include complete server.xml?
> > >
> > > thanks
> > > Niranjan
> > >
> > > On Wed, May 11, 2016 at 7:19 AM, Mark Thomas <ma...@apache.org> wrote:
> > >
> > >> On 11/05/2016 11:58, Niranjan Babu Bommu wrote:
> > >> > Hi,
> > >> >
> > >> > We are migrating prod servers to Tomcat. Since we are doing it
> > >> > slowly, we have found an issue in the JDBC connection pool: Tomcat is
> > >> > not releasing idle JDBC connections. Even though we have tried setting
> > >> > maxIdle="10", "NumIdle" is always 97, and due to this threads are
> > >> > piling up in the database.
> > >> >
> > >> > I'm including my config here. Can someone please help me out with how
> > >> > to minimize idle JDBC connections?
> > >>
> > >> Where have you added the configuration below?
> > >>
> > >> Mark
> > >>
> > >>
> > >> >
> > >> >  > >> >   auth="Container"
> > >> >   type="javax.sql.DataSource"
> > >> >   testWhileIdle="true"
> > >> >   testOnBorrow="true"
> > >> >   testOnReturn="false"
> > >> >   fairQueue="false"
> > >> >   validationQuery="SELECT 1"
> > >> >   validationInterval="3"
> > >> >   timeBetweenEvictionRunsMillis="3"
> > >> >   maxActive="100"
> > >> >   maxIdle="10"
> > >> >   minIdle="10"
> > >> >   maxWait="1"
> > >> >   initialSize="10"
> > >> >   removeAbandonedTimeout="60"
> > >> >   removeAbandoned="true"
> > >> >   logAbandoned="true"
> > >> >   minEvictableIdleTimeMillis="30"
> > >> >   jmxEnabled="true"
> > >> >
> > >> >
> > >>
jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer"
> > >> >   username=""
> > >> >   password=""
> > >> >   driverClassName="com.mysql.jdbc.Driver"
> > >> >
> > >> >
> > >>
url="jdbc:mysql:///?useServerPrepStmts=false&amp;useOldAliasMetadataBehavior=true"/>
> > >> >
> > >> >
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> > > --
> > > *Thanks*
> > > *Niranjan*
> > > *+1 781.956.6900*
> > >
> >
> >
> >
> > --
> > *Thanks*
> > *Niranjan*
> > *+1 781.956.6900*


Re: tomcat(7.0.56) is not releasing idle jdbc connections

2016-05-11 Thread Igor Cicimov
On 12 May 2016 12:16 am, "Niranjan Babu Bommu" 
wrote:
>
> I tried the same config on test stacks. numidle is always "10"; why is it
> behaving differently in prod?
>
Are you sure your testing db config is identical to the prod one?

>auth="Container"
>   type="javax.sql.DataSource"
>   testWhileIdle="true"
>   testOnBorrow="true"
>   testOnReturn="false"
>   fairQueue="false"
>   validationQuery="SELECT 1"
>   validationInterval="3"
>   timeBetweenEvictionRunsMillis="3"
>   maxActive="100"
>   maxIdle="10"
>   minIdle="10"
>   maxWait="1"
>   initialSize="10"
>   removeAbandonedTimeout="60"
>   removeAbandoned="true"
>   logAbandoned="true"
>   minEvictableIdleTimeMillis="30"
>   jmxEnabled="true"
>
> jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer"
>   username=""
>   password=""
>   driverClassName="com.mysql.jdbc.Driver"
>
>
url="jdbc:mysql:///?useServerPrepStmts=false&amp;useOldAliasMetadataBehavior=true"/>
>
> On Wed, May 11, 2016 at 7:35 AM, Niranjan Babu Bommu <
> niranjan.bo...@gmail.com> wrote:
>
> > Hi Mark
> > I have included defined data source in this mail, do you want me to
> > include complete server.xml?
> >
> > thanks
> > Niranjan
> >
> > On Wed, May 11, 2016 at 7:19 AM, Mark Thomas  wrote:
> >
> >> On 11/05/2016 11:58, Niranjan Babu Bommu wrote:
> >> > Hi,
> >> >
> >> > We are migrating prod servers to Tomcat. Since we are doing it
> >> > slowly, we have found an issue in the JDBC connection pool: Tomcat is
> >> > not releasing idle JDBC connections. Even though we have tried setting
> >> > maxIdle="10", "NumIdle" is always 97, and due to this threads are
> >> > piling up in the database.
> >> >
> >> > I'm including my config here. Can someone please help me out with how
> >> > to minimize idle JDBC connections?
> >>
> >> Where have you added the configuration below?
> >>
> >> Mark
> >>
> >>
> >> >
> >> >  >> >   auth="Container"
> >> >   type="javax.sql.DataSource"
> >> >   testWhileIdle="true"
> >> >   testOnBorrow="true"
> >> >   testOnReturn="false"
> >> >   fairQueue="false"
> >> >   validationQuery="SELECT 1"
> >> >   validationInterval="3"
> >> >   timeBetweenEvictionRunsMillis="3"
> >> >   maxActive="100"
> >> >   maxIdle="10"
> >> >   minIdle="10"
> >> >   maxWait="1"
> >> >   initialSize="10"
> >> >   removeAbandonedTimeout="60"
> >> >   removeAbandoned="true"
> >> >   logAbandoned="true"
> >> >   minEvictableIdleTimeMillis="30"
> >> >   jmxEnabled="true"
> >> >
> >> >
> >>
jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer"
> >> >   username=""
> >> >   password=""
> >> >   driverClassName="com.mysql.jdbc.Driver"
> >> >
> >> >
> >>
url="jdbc:mysql:///?useServerPrepStmts=false&amp;useOldAliasMetadataBehavior=true"/>
> >> >
> >> >
> >>
> >>
> >>
> >>
> >
> >
> > --
> > *Thanks*
> > *Niranjan*
> > *+1 781.956.6900*
> >
>
>
>
> --
> *Thanks*
> *Niranjan*
> *+1 781.956.6900*


RE: performance of tomcat 8 is less than tomcat 6

2016-04-20 Thread Igor Cicimov
On 20 Apr 2016 1:30 pm, "Ravi Chandra Suryavanshi" <
ravi.chandra.suryavan...@ericsson.com> wrote:
>
> Hi Christopher,
> PFA the requested XMLs. I just want to highlight that Tomcat 8 is not
> able to make use of the CPU. I have tried maxThreads 200, 300 and 400 but
> the result is the same, sometimes even fewer TPS.
> Regards,
> Ravi
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, April 19, 2016 7:38 PM
> To: Tomcat Users List
> Subject: Re: performance of tomcat 8 is less than tomcat 6
>
>
> Ravi,
>
> On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:
> > Hi, I am using Tomcat 6 in my product. I am planning to upgrade to
> > Tomcat 8 as Tomcat 6 is going EoS in Dec-2016. I have just measured the
> > performance of Tomcat 8 and found 70% less performance compared to
> > Tomcat 6. See the results below: Tomcat 6 is giving 167473.2/s whereas
> > Tomcat 8 is giving 100436.6/s. I have just compared two standalone
> > Tomcats which are just hitting the HelloWorld servlet available in the
> > examples.
> >
> > Kindly let me know what needs to be configured to boost the performance.
> >
> > Following is my setup: Java=Java 8 HttpClient=HttpClient4 Benchmark
> > tool=jmeter
> >
> > testserver:~# uname -a Linux testserver 3.10.0-229.el7.x86_64 #1 SMP
> > Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> >
> > testserver:~# lscpu Architecture:  x86_64 CPU op-mode(s):
> > 32-bit, 64-bit Byte Order:Little Endian CPU(s):
> > 32 On-line CPU(s) list:   0-31 Thread(s) per core:2 Core(s) per
> > socket:8 Socket(s): 2 NUMA node(s):  2
> > Vendor ID: GenuineIntel CPU family:6 Model:
> > 63 Model name:Intel(R) Xeon(R) CPU E5-2640 v3 @
> > 2.60GHz Stepping:  2 CPU MHz:   2600.000
> > BogoMIPS:  5210.53 Virtualization:VT-x L1d
> > cache: 32K L1i cache: 32K L2 cache:
> > 256K L3 cache:  20480K NUMA node0 CPU(s):
> > 0-7,16-23 NUMA node1 CPU(s): 8-15,24-31
> >
> > testserver:~# vmstat -s 131730840 K total memory 5931052 K used memory
> > 7126352 K active memory 5511616 K inactive memory 116069376 K free
> > memory 20888 K buffer memory 9709520 K swap cache 11681788 K total
> > swap 0 K used swap 11681788 K free swap 54069797 non-nice user cpu
> > ticks 997 nice user cpu ticks 9712353 system cpu ticks
> > 15112937897 idle cpu ticks 37101 IO-wait cpu ticks 73 IRQ cpu ticks
> > 21245 softirq cpu ticks 0 stolen cpu ticks 8918100 pages paged in
> > 267868897 pages paged out 0 pages swapped in 0 pages swapped out
> > 4281536287 interrupts 4185543972 CPU context switches
> > 1456296771 boot time 84815522 forks
> >
> >
> >
> > Tomcat 6 performance
> >
> > Linux 3.10.0-229.el7.x86_64 (testserver)   04/19/2016   _x86_64_   (32 CPU)
> >
> > 05:36:33 PM  CPU  %user  %nice  %system  %iowait  %steal  %idle
> > 05:36:38 PM  all  37.66   0.00    14.69     0.10    0.00  47.55
> > 05:36:43 PM  all  37.61   0.00    14.50     0.01    0.00  47.89
> > 05:36:48 PM  all  38.31   0.00    14.48     0.03    0.00  47.19
> > 05:36:53 PM  all  37.45   0.00    14.53     0.01    0.00  48.01
> > 05:36:58 PM  all  37.97   0.00    14.67     0.02    0.00  47.34
> > 05:37:03 PM  all  37.68   0.00    14.62     0.01    0.00  47.69
> >
> > Created the tree successfully using HTTPRequest.jmx
> > Starting the test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701)
> > Waiting for possible shutdown message on port 4445
> > summary +    16181 in   1.3s =  12893.2/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%) Active: 3 Started: 3 Finished: 0
> > summary +  5187350 in    30s = 172911.7/s Avg: 0 Min: 0 Max: 31 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> > summary =  5203531 in  31.3s = 166486.4/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
> > summary +  5207210 in    30s = 173573.7/s Avg: 0 Min: 0 Max: 26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> > summary = 10410741 in  61.3s = 169957.4/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
> > summary +  5039715 in    30s = 167990.5/s Avg: 0 Min: 0 Max: 13 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> > summary = 15450456 in  91.3s = 169310.8/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
> > summary +  5024196 in    30s = 167473.2/s Avg: 0 Min: 0 Max: 22 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
> > summary = 20474652 in   121s = 168856.1/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
> >
> >
> tomcat 8
> >
> > Linux 3.10.0-229.el7.x86_64 (testserver) 

Re: Tomcat 8.5 and TLS

2016-04-06 Thread Igor Cicimov
On Wed, Apr 6, 2016 at 6:11 AM, Thad Humphries 
wrote:

> My primary interest in Tomcat 8.5 is HTTP/2, so I must set up HTTPS and
> TLS.
>
> Since I eventually must demonstrate the various HTTPS approaches to others,
> I have tried both the APR and the NIO implementation, as well as the
> different  layouts in the docs (
>
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
> ),
> and the $CATALINA_BASE/conf/server.xml comments.  I've gotten APR is
> working both ways, but not quite NIO.
>
> When I use the following connector for NIO (from the docs), my SSL works:
>
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>port="8443" maxThreads="200" compression="on"
>scheme="https" secure="true" SSLEnabled="true"
>keystoreFile="conf/foo.jks" keystorePass="changeit"
>clientAuth="false" sslProtocol="TLS">
>   
> 
>
> However when I try the approach in the server.xml comments, Tomcat does not
> start:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>maxThreads="200" SSLEnabled="true"
>scheme="https" secure="true" clientAuth="false"
>sslProtocol="TLS">
>   
>   
>   certificateKeystoreType="JKS"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>   
> 
>
> The error at the top of catalina.out is below. I'm trying to understand
> why, both for myself and so that I can explain it to others. The "Caused
> by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements
> were provided for the host name [_default_]. Host names must be unique."
> has me stumped as I have only the one uncommented SSLHostConfig in
> server.xml.
>
> (Once I have this second  working, I must make a write-up for
> folks here, a write-up which I hope will be clearer and more direct than
> the docs. I would be happy to offer that write-up to the wiki or docs.)
>
> 05-Apr-2016 15:32:42.642 SEVERE [main] org.apache.tomcat.util.digester.Digester.endElement End event threw exception
>  java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
> at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
> at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:966)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1783)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
> at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
> at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
>
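For the startup failure quoted above, an added server.xml fragment that is not part of this thread or of the Tomcat docs. In Tomcat 8.5 any of the legacy SSL attributes on the Connector (clientAuth, sslProtocol, keystoreFile and friends) makes the connector create an implicit SSLHostConfig for the host name _default_; an explicit SSLHostConfig element with no hostName is also _default_, and the 8.5 release this post was written against rejects the second one with exactly the "Multiple SSLHostConfig elements" error, even though only one such element is written in server.xml. The fix is to use one style only: move every TLS setting into SSLHostConfig/Certificate and leave no SSL attribute on the Connector. The keystore path, password and alias are the ones from the post; protocols and certificateVerification are choices made here (they replace sslProtocol and clientAuth), not requirements.

```xml
<!-- Added example: NIO HTTPS connector for Tomcat 8.5 using only the
     SSLHostConfig style. port/maxThreads/scheme/secure/SSLEnabled are
     endpoint settings, not SSL settings, so they stay on the Connector. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true"
           scheme="https" secure="true">
    <!-- No clientAuth/sslProtocol/keystore* here: any of them would create
         a second, implicit _default_ SSLHostConfig and trigger the error. -->
    <SSLHostConfig protocols="TLSv1.2"
                   certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/foo.jks"
                     certificateKeystoreType="JKS"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

certificateVerification="none" is the SSLHostConfig equivalent of clientAuth="false", and protocols replaces sslProtocol. The keystore password sits in clear in this file, so conf/server.xml should stay readable only by the account Tomcat runs as.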

Re: Tomcat clustering for simplified config

2015-10-07 Thread Igor Cicimov
On 07/10/2015 10:37 AM, "Mark Bramer"  wrote:
>
> Hi list,
>
> I just signed up to the list - please forgive any newb mistakes but
hopefully I'm following the right format, style and content.
>
> I currently work in a production environment with eight app servers, all
running the same version of Tomcat (currently 7.0.62).  Four servers
support version 1 of our app, the other four servers support version 2.
Within each group of four, two serve completely open content via 80, the
other two support queries of sensitive data via 443.  Servers are named
with a number system where all odd-named servers are for the secure
content, all evens are open.
>
> So here's the setup in a hopefully clearer portrayal:
>
> App Version 1:
> Server 01: secure queries via 443
> Server 02: open content via 80
> Server 03: secure queries via 443
> Server 04: open content via 80
>
> App Version 2:
> Server 05: secure queries via 443
> Server 06: open content via 80
> Server 07: secure queries via 443
> Server 08: open content via 80
>
> Each pair of even and odd named servers are *conceptually* linked, but
physically stand on their own.  All http traffic and https traffic for each
version is directed to a particular server by a load balancer.  No Apache
Web Server is in the mix and we would like to keep it that way for
simplicity.  Load-wise, our eight Tomcats are not taxed.
>
> I'm responsible for upkeep of these servers, which requires regular
version upgrades and configuration changes when any vulnerability is found
by regular, periodic Nessus scans (
http://www.tenable.com/products/nessus-vulnerability-scanner).  Sometimes
the changes are related to ciphers, sometimes other things, but I'd say 90%
of the time, I just need to upgrade to a newer version.
>
> So no big deal conceptually, I fully admit, but doing this across eight
servers is TEDIOUS.  And more importantly, it's a ripe opportunity for
introducing user error.  On three occasions I have brought down our production
systems by stupid mistakes in server.xml or other config files, or most
recently, accidentally copying the wrong ROOT from a version 2 (05) box
into the version one boxes (01 and 03). I got things up and running fine
with no serious consequences but this being the third time, I thought
"there has to be a better way" right after I talked myself off the "you're
a complete idiot" ledge.
>
> I'm starting to research Tomcat clustering but everything I see just
talks about load balancing and failover.  **What about ease of
configuration??** I'd like to be able to set up Tomcat 
(clusters?) to help automate what I've described above to make it less
tedious and reduce the chances of making stupid mistakes when I'm on the
6th, 7th, 8th server.  I'm not sure if Tomcat clustering is what I need, or
if I should look at something else.
>
> Can you nice folks help direct me to where I should look for starters?
Will Tomcat clustering get me what I want?  or something else, like
Zookeeper?
>
Sounds like you should start using a configuration manager like Puppet, Chef
etc. We use Ansible and are pretty happy with it.


Tomcat 7 and APR connector parameters

2015-09-21 Thread Igor Cicimov
Hi all,

After enabling the APR/Native connector I can see the following warning
messages upon tomcat restart:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLDisableCompression' to 'true' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLHonorCipherOrder' to 'true' did not find a matching property.

although I can see those options available in the documentation:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

The relevant config in server.xml:

  



Am I missing something or am I maybe hitting some limitation related to
tomcat/apr/tcnative version?


OS: Ubuntu 12.04.5 LTS
Tomcat: 7.0.26 (Ubuntu repository)
openssl: 1.0.1-4ubuntu5.31
libtcnative-1: 1.1.22-1build1

Thanks,
Igor


Re: Tomcat 7 and APR connector parameters

2015-09-21 Thread Igor Cicimov
On 21/09/2015 7:47 PM, "Mark Thomas" <ma...@apache.org> wrote:
>
> On 21/09/2015 10:45, Igor Cicimov wrote:
> > On Mon, Sep 21, 2015 at 6:21 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 21/09/2015 08:37, Igor Cicimov wrote:
> >>> Hi all,
> >>>
> >>> After enabling the APR/Native connector I can see the following
warning
> >>> messages upon tomcat restart:
> >>>
> >>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> >> property
> >>> 'SSLDisableCompression' to 'true' did not find a matching property.
> >>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> >> property
> >>> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
> >>>
> >>> although I can see those options available in the documentation:
> >>>
> >>
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
> >>
> >> You are looking at the docs for 7.0.64 but running 7.0.26.
> >>
> >> You need to use a more recent Tomcat 7.0.x release if you want to use
> >> those features.
> >>
> >> Mark
> >>
> >
> > Thanks Mark for confirming. Is it possible to specify this in the
> > documentation like which feature is available since which release?
>
> That is (usually) in the change log.
>
> Each release ships with docs appropriate to that release. The website
> always has the docs for the latest release.
>
> Mark
>
True, but that means if I was interested in finding out when a feature was
introduced in tomcat 7, let's say, I need to read dozens (depending on how lucky
I am and when and where I start reading from) of change logs, right?

It would be helpful if the latest tomcat docs include something like:

'SSLHonorCipherOrder' | some description (available since tomcat 7.0.x)

I see this on many other web sites for various products and I personally
find this very useful and user friendly.

Thanks,
Igor


Re: Tomcat 7 and APR connector parameters

2015-09-21 Thread Igor Cicimov
On Mon, Sep 21, 2015 at 6:21 PM, Mark Thomas <ma...@apache.org> wrote:

> On 21/09/2015 08:37, Igor Cicimov wrote:
> > Hi all,
> >
> > After enabling the APR/Native connector I can see the following warning
> > messages upon tomcat restart:
> >
> > WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property
> > 'SSLDisableCompression' to 'true' did not find a matching property.
> > WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property
> > 'SSLHonorCipherOrder' to 'true' did not find a matching property.
> >
> > although I can see those options available in the documentation:
> >
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> You are looking at the docs for 7.0.64 but running 7.0.26.
>
> You need to use a more recent Tomcat 7.0.x release if you want to use
> those features.
>
> Mark
>

Thanks Mark for confirming. Is it possible to specify this in the
documentation like which feature is available since which release?
Apologies if this has already been done and I have missed it somehow.

Thanks again.
Igor


RE: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Igor Cicimov
On 09/09/2015 7:13 AM, "Jeffrey Janner"  wrote:
>
> > -Original Message-
> > From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> > Sent: Tuesday, September 08, 2015 9:22 AM
> > To: Tomcat Users List 
> > Subject: Re: Multiple JSESSIONID cookies being presented.
> >
> > 2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
> > >> -Original Message-
> > >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > >> Sent: Friday, September 04, 2015 12:46 PM
> > >> To: Tomcat Users List 
> > >> Subject: Re: Multiple JSESSIONID cookies being presented.
> > >>
> > >> Jeffrey,
> > >>
> > > Now, it's been doing this since at least Tomcat 6, I have one running
> > now, and I've never had a problem with it using direct connections.  But
> > now we are front-ending with HaProxy and going to two backend tomcats,
> > and using the JSESSIONID to support sticky-sessions.  I'm afraid the
> > multiple cookies are confusing HaProxy. (Yes, I'm going to ask that user
> > community.)
> > > Jeff
> >
> >
> > You could use another cookie to implement stickiness
> >
> > "You can add a cookie SOME-COOKIE-NAME prefix directive into the
> > backend. Then simply add the cookie directive within each server. Then
> > HAProxy will append a cookie (or add onto an existing one) an
> > identifier for each server. This cookie will be sent back in
> > subsequent requests from the client, letting HAProxy know which server
> > to send the request to. This looks like the following:"
> >
> > backend nodes
> > # Other options above omitted for brevity
> >  cookie SRV_ID prefix
> > # each server needs its own cookie value; "cookie check" would give all
> > # three the same value "check" and stickiness could not tell them apart
> > server web01 127.0.0.1:9000 cookie web01 check
> > server web02 127.0.0.1:9001 cookie web02 check
> > server web03 127.0.0.1:9002 cookie web03 check
> >
> >
> > https://serversforhackers.com/load-balancing-with-haproxy
> >
> Thanks Jose.  We considered that, as well as having HaProxy just generate
its own sticky-session cookie, but it seemed like a better idea to just let
Tomcat handle it and use stick-tables. We are moving towards a
fully-clustered tomcat, so already having the config in place such that we
only have to turn off the stick-tables and we'd be set to go. I'll
eventually be supporting a fairly large number of backends and don't want
to make the configuration of new ones very complicated. Making them simple
and pushing the complication down to the tomcat level just seemed to make
more sense.

If you are using more than one haproxy, inserting its own cookie is a much
better solution since you don't have to sync the stick tables between the LBs.

> In fact, I've parameterized the jvmRoute setting in the Tomcat server.xml
and use the setenv.sh script to calculate the value based on the server the
Tomcat is running on.
> If only there were some way to have HaProxy read an already existing
suffix in the cookie string, like httpd, my life would be perfect.
> Jeff
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
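Below is an added HAProxy fragment, not from the thread or from the serversforhackers page quoted in it, showing the approach Igor recommends above (HAProxy inserts its own cookie, each server carries a distinct value, and no state has to be shared between load balancers) next to the stick-table approach Jeff describes, which needs a peers section to keep several HAProxy instances in agreement. Backend names, server addresses and peer addresses are constructed.

```haproxy
# Added example: persistence without shared state. HAProxy sets its own
# cookie; the value names the server, so any LB instance routes the same way.
backend tomcat_nodes
    balance roundrobin
    # insert   : HAProxy adds the cookie itself (Tomcat never sees it: indirect)
    # nocache  : mark the Set-Cookie response uncacheable for shared caches
    # httponly : keep it away from scripts; secure : only over HTTPS
    cookie SRVID insert indirect nocache httponly secure
    server tomcat01 10.0.0.11:8080 cookie tc01 check
    server tomcat02 10.0.0.12:8080 cookie tc02 check

# For comparison: the stick-table variant learns the JSESSIONID Tomcat sets.
# With more than one HAProxy the table must be replicated through a peers
# section, otherwise each LB learns sessions independently.
peers mypeers
    # the local entry must match this host's name (or haproxy -L <name>)
    peer lb1 10.0.0.1:1024
    peer lb2 10.0.0.2:1024

backend tomcat_nodes_sticktable
    balance roundrobin
    stick-table type string len 52 size 100k expire 30m peers mypeers
    stick store-response res.cook(JSESSIONID)
    stick match req.cook(JSESSIONID)
    server tomcat01 10.0.0.11:8080 check
    server tomcat02 10.0.0.12:8080 check
```

If Tomcat's JSESSIONID should stay the only cookie, `cookie JSESSIONID prefix nocache` makes HAProxy prepend its server value to Tomcat's cookie on the way out and strip it again on the way in, which also needs no shared state.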


Re: [URGENT] Content-Encoding: gzip not set

2015-03-09 Thread Igor Cicimov
On 10/03/2015 6:14 AM, Victor Rodriguez victropo...@gmail.com wrote:

 Greetings,

 I have some ALREADY gzipped files that I'm trying to serve up.

 I have the following in my web.xml.

 <mime-mapping>
 <extension>json</extension>
 <mime-type>application/gzip</mime-type>
 </mime-mapping>


 And, I have the following in my server.xml:

 <Context docBase="/path/to/already-gzipped-json"
path="/already-gzipped-json" />


 From the command line, I can curl the files and gunzip them just fine, so
 they are coming across gzipped:

 curl http://localhost:8082/already-gzipped-json/fie.json | gunzip -

 However, requests coming from a web browser aren't handled correctly and
 aren't legible in the browser, and I believe it's because
Content-Encoding:
 gzip is not in the response headers.

You mean Accept-Encoding, right? Is tomcat fronted by apache, nginx or
something else that can add this header for you? If not then maybe just
consider it as an option if you can't solve it in tomcat, although according to
the comments you got here from people that are really experts it should be
possible.

 curl -I http://localhost:8082/already-gzipped-json/fie.json

 HTTP/1.1 200 OK
 Server: Apache-Coyote/1.1
 Accept-Ranges: bytes
 Last-Modified: Mon, 09 Mar 2015 17:15:29 GMT
 Content-Type: application/gzip
 Content-Length: 17905
 Date: Mon, 09 Mar 2015 19:11:06 GMT

 How do I tell Tomcat to include the Content-Encoding: gzip response
 header?  Again, these are ALREADY zipped files.  I'm not interested in
 Tomcat doing the gzipping on the fly.

 Thanks!
 --
 Sent from neither my iPhone nor my iPad.


Re: [URGENT] Content-Encoding: gzip not set

2015-03-09 Thread Igor Cicimov
On 10/03/2015 9:13 AM, Christopher Schultz ch...@christopherschultz.net
wrote:

 Igor,

 On 3/9/15 6:01 PM, Igor Cicimov wrote:
  On 10/03/2015 6:14 AM, Victor Rodriguez victropo...@gmail.com
  wrote:
 
  Greetings,
 
  I have some ALREADY gzipped files that I'm trying to serve up.
 
  I have the following in my web.xml.
 
  <mime-mapping><extension>json</extension>
  <mime-type>application/gzip</mime-type></mime-mapping>
 
 
  And, I have the following in my server.xml:
 
  <Context docBase="/path/to/already-gzipped-json"
  path="/already-gzipped-json" />
 
 
  From the command line, I can curl the files and gunzip them just
  fine, so they are coming across gzipped:
 
  curl http://localhost:8082/already-gzipped-json/fie.json | gunzip
  -
 
  However, requests coming from a web browser aren't handled
  correctly and aren't legible in the browser, and I believe it's
  because
  Content-Encoding:
  gzip is not in the response headers.
 
  You mean Accept-Encoding, right? Is tomcat fronted by apache, nginx
  or something else that can add this header for you?

 Ironically, getting this to work as requested in Apache httpd is a
 complete nightmare. The Tomcat solution basically works *exactly* as a
 user would want it to work.

Thanks Chris, good to know before one starts going down this path!

 -chris

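One way to serve already-gzipped files from Tomcat itself, as an added example: this Filter is not from the thread and is not the Tomcat built-in Chris refers to (the thread does not name it, and the DefaultServlet options for pre-compressed files differ between Tomcat versions). Two headers are involved: Accept-Encoding is what the client sends, Content-Encoding is what the server answers with, and a response may only carry Content-Encoding: gzip when the request's Accept-Encoding allows it, otherwise the browser shows raw gzip bytes. The filter assumes Servlet 3.0 or later (Tomcat 7+), that the files are served by the DefaultServlet from the Context in the post, and that it is mapped to *.json in that context's WEB-INF/web.xml; PrecompressedFilter and FixedContentType are names chosen here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example (not from the thread): serves files stored on disk already
 * gzip-compressed so that the browser decodes them transparently.
 * Assumed web.xml mapping: url-pattern *.json. Needs Servlet 3.0+ (Tomcat 7+).
 */
public class PrecompressedFilter implements Filter {

    /** Media type of the decoded bytes, i.e. what the browser should treat the body as. */
    private static final String DECODED_TYPE = "application/json";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    /** True if Accept-Encoding lists gzip (or "*") with a non-zero q value. */
    static boolean clientAcceptsGzip(String acceptEncoding) {
        if (acceptEncoding == null) {
            return false;
        }
        for (String token : acceptEncoding.split(",")) {
            String[] parts = token.trim().split(";");
            String coding = parts[0].trim().toLowerCase();
            if (!coding.equals("gzip") && !coding.equals("*")) {
                continue;
            }
            for (int i = 1; i < parts.length; i++) {
                String param = parts[i].trim().toLowerCase();
                if (param.startsWith("q=")) {
                    try {
                        return Double.parseDouble(param.substring(2)) > 0;
                    } catch (NumberFormatException e) {
                        return false; // malformed q: treat as not acceptable
                    }
                }
            }
            return true; // no q parameter means q=1
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only touch requests for files that exist; otherwise let the DefaultServlet
        // produce its normal 404 without a stray Content-Encoding header on it.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (request.getServletContext().getResource(path) == null) {
            chain.doFilter(req, res);
            return;
        }

        // Caches must key on Accept-Encoding because the answer depends on it.
        response.setHeader("Vary", "Accept-Encoding");

        if (!clientAcceptsGzip(request.getHeader("Accept-Encoding"))) {
            // Only the compressed bytes exist; never hand gzip to a client that cannot decode it.
            response.sendError(HttpServletResponse.SC_NOT_ACCEPTABLE,
                    "only a gzip-encoded representation is available");
            return;
        }

        // The bytes on disk are gzip: declare the encoding; the wrapper pins the media type.
        response.setHeader("Content-Encoding", "gzip");
        chain.doFilter(req, new FixedContentType(response));
    }

    /**
     * The DefaultServlet sets Content-Type from the mime-mapping (application/gzip in
     * the post) after this filter has run; the wrapper forces the decoded type instead,
     * so no mime-mapping for .json is needed at all.
     */
    private static final class FixedContentType extends HttpServletResponseWrapper {
        FixedContentType(HttpServletResponse response) {
            super(response);
            super.setContentType(DECODED_TYPE);
        }
        @Override public void setContentType(String ignored) {
            super.setContentType(DECODED_TYPE);
        }
        @Override public void setHeader(String name, String value) {
            super.setHeader(name, "Content-Type".equalsIgnoreCase(name) ? DECODED_TYPE : value);
        }
    }
}
```

The 406 branch is deliberate: with only compressed bytes on disk, the alternative would be decompressing on the fly, which is exactly what the post wants to avoid.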



Re: GoDaddy SSL cert update from SHA1 to SHA2

2014-12-18 Thread Igor Cicimov
On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival 
bkosti...@universallumpers.com wrote:

 Tomcat 6.0.x
 Windows Server 2008
 Running Java 7
 Home grown app written in STS

 Running HTTPS with SHA1 cert
 Obtained SHA2 cert from GoDaddy by sending CSR generated from original
 keystore.  Removed existing aliases from original keystore and loaded new
 root and domain cert to keystore.
 Trying to run up the new cert gives me this error:

 SEVERE: Error starting endpoint
 java.io.IOException: jsse.invalid_ssl_conf
 at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846)
 at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
 at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
 at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
 at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
 at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207)
 at org.apache.catalina.connector.Connector.start(Connector.java:1196)
 at org.apache.catalina.core.StandardService.start(StandardService.java:540)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
 Caused by: javax.net.ssl.SSLException: No available certificate or key
 corresponds to the SSL cipher suites which are enabled.

 I feel like I'm missing something basic in the keystore.  Any ideas?

Just guessing, but based on the cause given in the above error you probably
have ciphers set in your connector using a 128 bit key, something like this:

   ciphers="SSL_RSA_WITH_RC4_128_MD5,
   SSL_RSA_WITH_RC4_128_SHA,
   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
   TLS_ECDHE_RSA_WITH_RC4_128_SHA,
   TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
   TLS_ECDH_RSA_WITH_RC4_128_SHA"

In that case try to change that to match your new 256 bit key now. Of
course take care of the proper cipher suite names for the BIO/NIO or APR
connector since they differ (the above example is for the BIO/NIO connector).


Re: GoDaddy SSL cert update from SHA1 to SHA2

2014-12-18 Thread Igor Cicimov
On Fri, Dec 19, 2014 at 9:56 AM, Bruce Kostival 
bkosti...@universallumpers.com wrote:

 Thanks Igor I'll poke around based on your input.
 
 From: Igor Cicimov icici...@gmail.com
 Sent: Thursday, December 18, 2014 15:49
 To: Tomcat Users List
 Subject: Re: GoDaddy SSL cert update from SHA1 to SHA2

 On Fri, Dec 19, 2014 at 9:28 AM, Bruce Kostival 
 bkosti...@universallumpers.com wrote:
 
  Tomcat 6.0.x
  Windows Server 2008
  Running Java 7
  Home grown app written in STS
 
  Running HTTPS with SHA1 cert
  Obtained SHA2 cert from GoDaddy by sending CSR generated from original
  keystore.  Removed existing aliases from original keystore and loaded new
  root and domain cert to keystore.
  Trying to run up the new cert gives me this error:
 
  SEVERE: Error starting endpoint
  java.io.IOException: jsse.invalid_ssl_conf
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:846)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
  at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
  at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
  at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:207)
  at org.apache.catalina.connector.Connector.start(Connector.java:1196)
  at org.apache.catalina.core.StandardService.start(StandardService.java:540)
  at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
  at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
  Caused by: javax.net.ssl.SSLException: No available certificate or key
  corresponds to the SSL cipher suites which are enabled.
 
  I feel like I'm missing something basic in the keystore.  Any ideas?
 
  Just guessing, but based on the cause given in the above error you
 probably have ciphers set in your connector using a 128 bit key, something
 like this:

 ciphers="SSL_RSA_WITH_RC4_128_MD5,
 SSL_RSA_WITH_RC4_128_SHA,
 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
 TLS_ECDH_RSA_WITH_RC4_128_SHA"

 In that case try to change that to match your new 256 bit key now. Of
 course take care of the proper cipher suite names for the BIO/NIO or APR
 connector since they differ (the above example is for the BIO/NIO connector).


Another possibility is that you have removed the private key used to
generate the new CSR by removing the old aliases from the keystore.
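An added Java utility, not from the thread, that checks what the two replies above are guessing at. JSSE raises "No available certificate or key corresponds to the SSL cipher suites which are enabled" when its key manager holds no private-key entry whose key type fits any enabled suite; for the RSA suites in the list above that means no RSA PrivateKeyEntry at all. Deleting the old aliases removes the key pair that produced the CSR, and importing the CA-issued certificate under a different alias adds it only as a TrustedCertificateEntry with no key behind it. The 128 in the quoted suite names is the RC4 key length rather than the RSA key size, and RC4 and MD5 suites are themselves deprecated, so the report below concentrates on the real precondition: a usable private-key entry under the alias Tomcat uses. KeystoreCheck and its arguments are names chosen here; the key password is assumed to equal the keystore password, which is what Tomcat uses when keyPass is not set.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not from the thread): reports what a Tomcat JSSE connector
 * will actually find in a keystore.
 * Usage: java KeystoreCheck conf/keystore.jks changeit [keyAlias]
 */
public class KeystoreCheck {

    /** One line per entry; an "ERROR" line means the HTTPS connector cannot start. */
    public static List<String> inspect(KeyStore ks, char[] keyPassword, String keyAlias)
            throws Exception {
        List<String> report = new ArrayList<>();
        int privateKeys = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                privateKeys++;
                Key key = ks.getKey(alias, keyPassword);
                Certificate[] chain = ks.getCertificateChain(alias);
                X509Certificate leaf = (X509Certificate) chain[0];
                int bits = key instanceof RSAKey ? ((RSAKey) key).getModulus().bitLength() : -1;
                report.add(String.format(
                        "PrivateKeyEntry %s: %s %d-bit, chain of %d, leaf signed with %s, expires %s",
                        alias, key.getAlgorithm(), bits, chain.length,
                        leaf.getSigAlgName(), leaf.getNotAfter()));
                if (chain.length < 2) {
                    report.add("  WARNING " + alias
                            + ": no intermediate in the chain; clients may fail to build a path");
                }
                if (leaf.getSigAlgName().toUpperCase().startsWith("SHA1")) {
                    report.add("  WARNING " + alias
                            + ": leaf is still SHA-1 signed; the SHA-2 cert is not under this alias");
                }
            } else if (ks.isCertificateEntry(alias)) {
                // A cert imported under a fresh alias lands here: no key, unusable for a server.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                report.add(String.format("TrustedCertificateEntry %s: %s (no private key)",
                        alias, c.getSubjectX500Principal()));
            }
        }
        if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
            report.add("ERROR: keyAlias '" + keyAlias + "' is not a private-key entry");
        }
        if (privateKeys == 0) {
            report.add("ERROR: no private-key entry at all; JSSE will report that no certificate "
                    + "or key corresponds to the enabled cipher suites");
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        for (String line : inspect(ks, password, args.length > 2 ? args[2] : null)) {
            System.out.println(line);
        }
    }
}
```

Run it against the keystore named in the connector before restarting Tomcat; the alias argument should be the connector's keyAlias if one is set. When the report shows the new GoDaddy certificate only as a TrustedCertificateEntry, the remedy is a fresh key pair and CSR, since the original private key is gone.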


Re: SSL Root Cert install

2014-11-05 Thread Igor Cicimov
On 06/11/2014 8:46 AM, Matthew Smith matt.trad...@gmail.com wrote:

 I'm running Apache Tomcat 7 on Windows Server 2008 R2 with Java jdk
 1.8.0_25. I was able to use the keytool.exe command with the -genkey
switch
 to create a keystore. I then used keytool.exe to create a CSR which I
 submitted to an issuer and received a certificate. I have to use
 keytool.exe to import the Root and Chain certificates first. I can't get
 the import of the Root certificate to work. I get the error message

 keytool error: java.io.FileNotFoundException:
 C:\Users\Administrator\root.cer (The system cannot find the file
specified)

 Searches I do for this error seem to only net me results when people run
 keytool.exe and it can't find their .keystore. Keytool.exe finds my
 keystore just fine, it can't find the actual root.cer file though. I've
 tried putting that cert file in the C:\Users\Administrator folder with the
 .keystore file, I've put it in the Java jdk folders, I've put it in the
 tomcat7 folder, and keytool.exe still can't find it. I've download the
 Microsoft Process Monitor util and setup a filter to watch for any
 commands/errors related to my root.cer file, and the keytool.exe process
 can access the root.cer file, even though the import fails. I've modified
 the -file command to use the current directory, I've passed it the full
 path to the root.cer file in multiple locations, nothing is working, and
 I've run out of ideas for things to try. Has anyone else seen this problem
 before?
What are the file permissions on the certificate? Is it readable to the
user you are running the keytool with?


Re: Authentication Memcached + Tomcat

2014-11-02 Thread Igor Cicimov
On 01/11/2014 6:52 AM, Nilson Uehara nilueh...@gmail.com wrote:

 I'm testing Memcached to implement failover on my Tomcat servers.

 Is there any way of implementing security by user / password?
From what I can see here
https://code.google.com/p/memcached-session-manager/wiki/SetupAndConfiguration
the instructions are pretty clear. You need memcache compiled and
configured with sasl support and that's pretty much it.


Re: Enabling ssl in tomcat JSSE / APR

2014-10-15 Thread Igor Cicimov
On 16/10/2014 12:10 PM, Shashank shashank.rayap...@gmail.com wrote:

 Hi all

 I was trying to enable ssl in my tomcat server. I dont know whether my
 tomcat is using JSSE or APR. but as I created a keystore and imported a
 cert into it , can I use JSSE type irrespective of the connector?

 My server.xml block

 <Connector port="9443"
 protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
 maxThreads="150" scheme="https" secure="true" clientAuth="false"
 sslProtocol="TLS" keyAlias="x"
 keystoreFile="${catalina.home}/cert/pdtkeystore.keystore" keystorePass="x"/>
 <!-- ${catalina.home} is the property syntax Tomcat expands; {$Catalina.home}
      is taken literally as a relative path and the keystore is not found -->


NIO and BIO are JSSE.


Re: JNDIRealm Authentication and Roles

2014-10-07 Thread Igor Cicimov
Hi Felix,

First thanks for your reply.

On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher 
felix.schumac...@internetallee.de wrote:

 Hi Igor,

 Am 07.10.2014 07:07, schrieb Igor Cicimov:

 Hi all,

 I've been setting up user authentication based on JNDIRealm and have
 couple
 of questions regarding the operation. I've been using one of the secured
 applications that come with the examples included in Tomcat source for
 testing. My setup with obfuscated names and passwords is as follows.

 Which tomcat version do you use?


It's 7.0.52-1ubuntu0.1 from the Ubuntu 14.04 repository, sorry I missed
mentioning that.



 I have the following Realm in the default host:

   <Host name="localhost" appBase="webapps" unpackWARs="true"
  autoDeploy="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
 debug="99"

 debug is not used anymore, so just delete it.


Done.



  connectionURL="ldap://ldap1.mydomain.com:389"
 alternateURL="ldap://ldap2.mydomain.com:389"
 connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
 connectionPassword="password"
 userBase="ou=Users,dc=mydomain,dc=com"
 userSearch="uid={0}"
 roleBase="ou=Groups,dc=mydomain,dc=com"
 roleName="cn"
 roleSearch="memberUid={1}"
 contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>

 Do you need the LdapTlsContextFactory? If so, what is your ldap server
 setup?


Good that you mentioned that, I wanted to ask about this in a separate
thread. I was searching for STARTTLS support in the JNDIRealm and this was
the only solution I could find. I got the directions from here:
http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
installed the context factory since TLS is a must for my use case.
It's working fine for me but I still wanted to ask, since the above HowTo is
from 2010, has this maybe been integrated in the Tomcat mainstream now and
I have missed something in the documentation, or is it still the (only) valid
solution for TLS support?



  ...
   /Host

  and have modified the security constraint roles in the web.xml of the
 examples application to match my LDAP groups:

   <auth-constraint>
  <!-- Anyone with one of the listed roles may access this area -->
  <!--<role-name>tomcat</role-name>-->
  <!--<role-name>role1</role-name>-->
  <role-name>MyCompany Users</role-name>
  <!--<role-name>tomcat-users</role-name>-->
   </auth-constraint>
   ...
   <security-role>
  <role-name>tomcat-users</role-name>
   </security-role>
   <security-role>
  <role-name>MyCompany Users</role-name>
   </security-role>

 Now when I hit the protected application,
 https://myserver/examples/jsp/security/protected/, I can successfully
 login
 but only if the role-name is set to MyCompany Users. When I replace it
 with the tomcat-users, comment it out and uncomment the tomcat-users role
 name, the authentication fails. The following are the traces from the
 Tomcat log and LDAP log:

 As you are finding below, the realm will only use one rolename from each
 group it found.


Good to have that confirmed, thanks.



 Do you have a real usecase for setting more than one name in a group?


No, not really so shouldn't be a problem to remove the extra ones.



 If you only want to alias a role to another name, you could try adding
 security-role-ref
 links to your web.xml.


Good point.



 If you can modify the ldap values, you could use user-attributes to
 specify roles.


Was also considering that but using the groups for role reference seemed
simpler, i.e. it did not require any changes in LDAP. Simpler before I realised
the cn problem, which will need LDAP changes to get resolved, so I might
reconsider putting the role(s) in user attributes after all.

Cheers,
Igor



 Regards
  Felix



 Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
 FINE: Username user1 does NOT have role tomcat-users
 Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase
 hasResourcePermission
 FINE: No role found:  tomcat-users

 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
 dn=cn=connect,ou=Users,dc=mydomain,dc=com method=128
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
 dn=cn=connect,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0
 text=
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH
 base=ou=Users,dc=mydomain,dc=com scope=1 deref=3 filter=(uid=user1)
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101
 err=0 nentries=1 text=
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous
 mech=implicit ssf=0
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
 dn=uid=user1,ou=Users,dc=mydomain,dc=com method=128
 Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
 dn=uid

Re: JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles

2014-10-07 Thread Igor Cicimov
On Wed, Oct 8, 2014 at 4:16 AM, Felix Schumacher 
felix.schumac...@internetallee.de wrote:

 Am 07.10.2014 um 14:32 schrieb Igor Cicimov:

 Hi Felix,

 First thanks for your reply.

 On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher 
 felix.schumac...@internetallee.de wrote:

  Hi Igor,

 Am 07.10.2014 07:07, schrieb Igor Cicimov:

  Hi all,

 I've been setting up user authentication based on JNDIRealm and have
 couple
 of questions regarding the operation. I've been using one of the secured
 applications that come with the examples included in Tomcat source for
 testing. My setup with obfuscated names and passwords is as follows.

  Which tomcat version do you use?

  It's  7.0.52-1ubuntu0.1 from Ubuntu 14.04 repository, sorry I missed
 mentioning that.


  I have the following Realm in the default host:

Host name=localhost  appBase=webapps unpackWARs=true
 autoDeploy=false
  Realm className=org.apache.catalina.realm.JNDIRealm
 debug=99

  debug is not used anymore, so just delete it.

  Done.


   connectionURL=ldap://ldap1.mydomain.com:389;

 alternateURL=ldap://ldap2.mydomain.com:389;
 connectionName=cn=connect,ou=Users,dc=mydomain,dc=com
 connectionPassword=password
 userBase=ou=Users,dc=mydomain,dc=com
 userSearch=uid={0}
 roleBase=ou=Groups,dc=mydomain,dc=com
 roleName=cn
 roleSearch=memberUid={1}

 contextFactory=org.apache.catalina.ldap.realm.LdapTlsContextFactory/

  Do you need the LdapTlsContextFactory? If so, what is your ldap server
 setup?

 Good that you mentioned that, I wanted to ask about this in a separate
 thread. I was searching for STARTTLS support in the JNDIRealm and this was
 the only solution I could find. I got the directions from here:
 http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
 installed the context factory since TLS is a must for my use case.
 It's working fine for me but still wanted to ask, since the above HowTo is
 from 2010, has this maybe been integrated into Tomcat mainstream now and
 I have missed something in the documentation, or is it still the (only) valid
 solution for TLS support?

 If TLS is important to you, I hope you have changed the HostnameVerifier to
 something more sensible :)

 Hmmm was not aware of that will have a look for sure.


 There is a bug request open https://issues.apache.org/
 bugzilla/show_bug.cgi?id=49785
 but only very few people asked for it in the last four years. You can try
 to vote it up.

 Thanks for the link I up voted.


 I have only used ldap servers, which would be reachable by ssl, so there
 was no
 need for me to investigate further. Any reason why your ldap server can't
 be used with ssl?

Well, for LDAP, SSL is considered deprecated in favour of TLS, which I use
everywhere possible like LDAP, Postfix etc. I don't see a reason for using
SSL and opening another port on the server but that's maybe just me :-)



 Felix


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




JNDIRealm Authentication and Roles

2014-10-06 Thread Igor Cicimov
Hi all,

I've been setting up user authentication based on JNDIRealm and have couple
of questions regarding the operation. I've been using one of the secured
applications that come with the examples included in Tomcat source for
testing. My setup with obfuscated names and passwords is as follows.

I have the following Realm in the default host:

  Host name=localhost  appBase=webapps unpackWARs=true
autoDeploy=false
Realm className=org.apache.catalina.realm.JNDIRealm
   debug=99
   connectionURL=ldap://ldap1.mydomain.com:389;
   alternateURL=ldap://ldap2.mydomain.com:389;
   connectionName=cn=connect,ou=Users,dc=mydomain,dc=com
   connectionPassword=password
   userBase=ou=Users,dc=mydomain,dc=com
   userSearch=uid={0}
   roleBase=ou=Groups,dc=mydomain,dc=com
   roleName=cn
   roleSearch=memberUid={1}

contextFactory=org.apache.catalina.ldap.realm.LdapTlsContextFactory/
...
  /Host

 and have modified the security constraint roles in the web.xml of the
examples application to match my LDAP groups:

  auth-constraint
 !-- Anyone with one of the listed roles may access this area --
 !--role-nametomcat/role-name--
 !--role-namerole1/role-name--
 role-nameMyCompany Users/role-name
 !--role-nametomcat-users/role-name--
  /auth-constraint
  ...
  security-role
 role-nametomcat-users/role-name
  /security-role
  security-role
 role-nameMyCompany Users/role-name
  /security-role

Now when I hit the protected application,
https://myserver/examples/jsp/security/protected/, I can successfully login
but only if the role-name is set to MyCompany Users. When I replace it
with the tomcat-users, comment it out and uncomment the tomcat-users role
name, the authentication fails. The following are the traces from the
Tomcat log and LDAP log:

Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
FINE: Username user1 does NOT have role tomcat-users
Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase
hasResourcePermission
FINE: No role found:  tomcat-users

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH
base=ou=Users,dc=mydomain,dc=com scope=1 deref=3 filter=(uid=user1)
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn=uid=user1,ou=Users,dc=mydomain,dc=com method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn=uid=user1,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SRCH base= scope=0
deref=3 filter=(objectClass=*)
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH
base=ou=Groups,dc=mydomain,dc=com scope=1 deref=3
filter=(memberUid=user1)
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH attr=cn
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SEARCH RESULT tag=101
err=0 nentries=2 text=

So the LDAP server returns 2 entries for the role query (filtering by
attr=cn) which can be confirmed by the following LDAP command doing the
same:

$ ldapsearch -LLL -Z -H ldap://myldap:389/ -D
cn=connect,ou=Users,dc=mydomain,dc=com -W -b ou=Groups,dc=mydomain,dc=com
(memberUid=user1) cn
Enter LDAP Password:
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1


Not sure if I understand it correctly, but I thought the Realm would loop
through the cn's returned and find the right one before it fails, but it looks
like it picks up the first cn only? Is there something I can modify in my
Realm without changing anything on the LDAP side to fix this?

Thanks,
Igor
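To predict the outcome of the role lookup described above without touching server.xml, the following added example (not Tomcat code and not part of the thread) models the behaviour Felix confirms: for every entry matched by roleSearch the realm takes only the first value of the roleName attribute (cn here). It parses `ldapsearch -LLL` output in LDIF form, so you can paste the real search result for a user and see which role names Tomcat will grant and which attribute values can never become roles. The LDIF below is constructed from the ldapsearch output in the post.

```python
"""Predict which role names Tomcat's JNDIRealm will grant from an LDAP role
search, using pasted `ldapsearch -LLL` output.

This is an added example and not Tomcat code. It models the behaviour
confirmed in the thread: the realm reads only the FIRST value of the
roleName attribute (cn here) from each entry matched by roleSearch, so a
group whose first cn is "MyCompany Users" never yields the role
"tomcat-users". The LDIF below is constructed from the ldapsearch output in
the post; in practice paste your own.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LdapEntry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


# Constructed from the ldapsearch output in the thread (filter memberUid=user1).
LDAPSEARCH_OUTPUT = """\
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1
"""


def parse_ldif(text: str) -> List[LdapEntry]:
    """Parse LDIF as printed by `ldapsearch -LLL`: blank-line separated
    entries, continuation lines starting with a space, base64 values after
    '::', comments starting with '#'. Attribute value order is preserved,
    because that order is what the realm's first-value rule depends on."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[LdapEntry] = []
    current = None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            name, _, value = line.partition(":")
            value = value.strip()
        name = name.strip()
        if name == "dn":
            current = LdapEntry(value)
        elif current is not None:
            current.attrs.setdefault(name, []).append(value)
    return entries


def realm_roles(entries: List[LdapEntry], role_name: str = "cn") -> List[str]:
    """Role names as JNDIRealm derives them: first roleName value per entry."""
    roles = []
    for entry in entries:
        values = entry.attrs.get(role_name)
        if values:
            roles.append(values[0])
    return roles


def has_role(entries: List[LdapEntry], role: str, role_name: str = "cn") -> bool:
    """Outcome of RealmBase.hasRole for a role listed in <auth-constraint>."""
    return role in realm_roles(entries, role_name)


def unreachable_role_values(entries: List[LdapEntry], role_name: str = "cn") -> Dict[str, List[str]]:
    """Values of roleName that exist in the directory but can never be granted
    because they are not the first value of the attribute."""
    return {e.dn: e.attrs[role_name][1:]
            for e in entries if len(e.attrs.get(role_name, [])) > 1}


if __name__ == "__main__":
    found = parse_ldif(LDAPSEARCH_OUTPUT)
    print("roles granted to user1:", realm_roles(found))
    for wanted in ("MyCompany Users", "tomcat-users"):
        print(f"hasRole({wanted!r}) -> {has_role(found, wanted)}")
    for dn, hidden in unreachable_role_values(found).items():
        print(f"{dn}: never granted as roles -> {hidden}")
```

Run it against the output of the same ldapsearch command from the post (redirect it into a file and read it in place of LDAPSEARCH_OUTPUT). Anything reported by unreachable_role_values is a value you can only turn into a role by changing the directory (a separate group per role, or a user attribute as Felix suggests), not by changing the Realm.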


Re: How to set up TLS-PSK with Tomcat

2014-09-18 Thread Igor Cicimov
On 19/09/2014 5:16 AM, Borislav Trifonov btrifo...@macroh.com wrote:

 We need to use pre-shared keys, not certificates. TLS supports PSK, but
how does one set this up in Tomcat? All the guides for SSL/TLS in Tomcat
I've found talk about setting up certificates.

Set sslProtocol=TLS and appropriate ciphers=... in the Connector.
Assuming your Java version has support for TLS-PSK you can set those in the
ciphers list. But you don't even say whether it is Java or OpenSSL you are
asking about. Anyway, check the SSL part of the Tomcat Connector documentation
for more details.


Re: Cluster setup stopped working after 3 months in production

2014-08-12 Thread Igor Cicimov
On 12/08/2014 4:24 PM, Krishna Saranathan krishna.saran...@gmail.com
wrote:

 We have J2EE war application deployed in a cluster setup having two
 nodes. Tomcat 6.0.39 is installed in the both nodes having identical
 war deployed in both. Its deployed in Amazon AWS environment, and the

What distro? Win or linux? And if linux which one?

 two ec2-nodes are beneath an ELB , with session stickiness enabled for
 JSESSIONID. Also the two tomcat nodes are session replication enabled
 too.

 Following is Cluster config updated server.xml file:

=
  Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster
 channelSendOptions=6 channelStartOptions=3

 Manager className=org.apache.catalina.ha.session.DeltaManager
 expireSessionsOnShutdown=false notifyListenersOnReplication=true
 /

 Channel className=org.apache.catalina.tribes.group.GroupChannel

 Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver
 autoBind=0 selectorTimeout=5000
 maxThreads=6
 address=x.x.x.x port= /
 Sender
className=org.apache.catalina.tribes.transport.ReplicationTransmitter
 Transport
className=org.apache.catalina.tribes.transport.nio.PooledParallelSender
 timeout=6
 keepAliveTime=10
 keepAliveCount=0
 /
 /Sender
 Interceptor
className=org.apache.catalina.tribes.group.interceptors.TcpPingInterceptor
 staticOnly=true/
 Interceptor
className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetector/
 Interceptor
className=org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor
 Member className=org.apache.catalina.tribes.membership.StaticMember
 host=x.x.x.x
 port=

 uniqueId={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4}/
 /Interceptor
 /Channel
 Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=
/
 Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve /
 ClusterListener

className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener/
 ClusterListener
 className=org.apache.catalina.ha.session.ClusterSessionListener/
 /Cluster

 ==

 Receiver ip, static member ip and unique id is different in the
 server.xml of the other node in the cluster.

 this was running fine in production environment for 3 months. Suddenly
there was
 an exception logged like this :, and started coming up infinitely.


 ==
 Aug 6, 2014 12:00:39 AM
 org.apache.catalina.tribes.group.interceptors.TcpFailureDetector
 memberDisappeared
 INFO: Received
memberDisappeared[org.apache.catalina.tribes.membership.MemberImpl[tcp://
10.160.40.12:,10.160.40.12,,
 alive=0,id={0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 }, payload={}, command={},
 domain={}, ]] message. Will verify.
 Aug 6, 2014 12:00:39 AM
 org.apache.catalina.tribes.group.interceptors.TcpFailureDetector
 memberDisappeared
 INFO: Verification complete. Member still
 alive[org.apache.catalina.tribes.membership.MemberImpl[tcp://
10.160.40.12:,10.160.40.12,,
 alive=0,id={0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 }, payload={}, command={},
 domain={}, ]]
 Aug 6, 2014 12:00:39 AM org.apache.catalina.ha.tcp.SimpleTcpCluster send
 SEVERE: Unable to send message through cluster sender.
 org.apache.catalina.tribes.ChannelException: Operation has timed
 out(6 ms.).; Faulty members:tcp://10.160.40.12:;
 at
org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:97)
 at
org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:53)
 at
org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:80)
 at
org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:76)
 at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
 at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
 at
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:88)
 at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
 at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
 at
org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216)
 at
org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175)
 at
org.apache.catalina.ha.tcp.SimpleTcpCluster.send(SimpleTcpCluster.java:817)
 at

Re: Cluster setup stopped working after 3 months in production

2014-08-12 Thread Igor Cicimov
On 12/08/2014 7:47 PM, Krishna Saranathan krishna.saran...@gmail.com
wrote:

 Its linux distro.
 Linux version 2.6.32-358.14.1.el6.x86_64 (
 mockbu...@x86-022.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313
 (Red Hat 4.4.7-3) (GCC) ) #1 SMP Mon Jun 17 15:54:20 EDT 2013

 Java version - 1.6 update 45.

 I doubt change in security group suddenly applied for the port. Am able to
 telnet from server which is shutdown to the currently running server to
  port   . Yes. OS restart was done for a hardware upgrade for RAM and
 disk volume.


Well, your logs clearly show the member can't establish a connection to
10.160.40.12:
Did you try the telnet to that exact IP and port or did you use something
else, like an internal DNS name? Note that some instances on AWS change some
parameters upon restart so check in your console to confirm they have the
IPs you expect them to have.


 On Tue, Aug 12, 2014 at 6:58 AM, Igor Cicimov icici...@gmail.com wrote:

  On 12/08/2014 4:24 PM, Krishna Saranathan krishna.saran...@gmail.com
  wrote:
  
   We have J2EE war application deployed in a cluster setup having two
   nodes. Tomcat 6.0.39 is installed in the both nodes having identical
   war deployed in both. Its deployed in Amazon AWS environment, and the
 
  What distro? Win or linux? And if linux which one?
 
   two ec2-nodes are beneath an ELB , with session stickiness enabled for
   JSESSIONID. Also the two tomcat nodes are session replication enabled
   too.
  
   Following is Cluster config updated server.xml file:
  
 
 
=
Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster
   channelSendOptions=6 channelStartOptions=3
  
   Manager className=org.apache.catalina.ha.session.DeltaManager
   expireSessionsOnShutdown=false notifyListenersOnReplication=true
   /
  
   Channel className=org.apache.catalina.tribes.group.GroupChannel
  
   Receiver
  className=org.apache.catalina.tribes.transport.nio.NioReceiver
   autoBind=0 selectorTimeout=5000
   maxThreads=6
   address=x.x.x.x port= /
   Sender
  className=org.apache.catalina.tribes.transport.ReplicationTransmitter
   Transport
 
className=org.apache.catalina.tribes.transport.nio.PooledParallelSender
   timeout=6
   keepAliveTime=10
   keepAliveCount=0
   /
   /Sender
   Interceptor
 
 
className=org.apache.catalina.tribes.group.interceptors.TcpPingInterceptor
   staticOnly=true/
   Interceptor
 
 
className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetector/
   Interceptor
 
 
className=org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor
   Member className=org.apache.catalina.tribes.membership.StaticMember
   host=x.x.x.x
   port=
  
   uniqueId={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4}/
   /Interceptor
   /Channel
   Valve className=org.apache.catalina.ha.tcp.ReplicationValve
filter=
  /
   Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve
/
   ClusterListener
  
 
 
className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener/
   ClusterListener
   className=org.apache.catalina.ha.session.ClusterSessionListener/
   /Cluster
  
  
 
==
  
   Receiver ip, static member ip and unique id is different in the
   server.xml of the other node in the cluster.
  
   this was running fine in production environment for 3 months. Suddenly
  there was
   an exception logged like this :, and started coming up infinitely.
  
  
   ==
   Aug 6, 2014 12:00:39 AM
   org.apache.catalina.tribes.group.interceptors.TcpFailureDetector
   memberDisappeared
   INFO: Received
 
memberDisappeared[org.apache.catalina.tribes.membership.MemberImpl[tcp://
  10.160.40.12:,10.160.40.12,,
   alive=0,id={0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 }, payload={}, command={},
   domain={}, ]] message. Will verify.
   Aug 6, 2014 12:00:39 AM
   org.apache.catalina.tribes.group.interceptors.TcpFailureDetector
   memberDisappeared
   INFO: Verification complete. Member still
   alive[org.apache.catalina.tribes.membership.MemberImpl[tcp://
  10.160.40.12:,10.160.40.12,,
   alive=0,id={0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 }, payload={}, command={},
   domain={}, ]]
   Aug 6, 2014 12:00:39 AM org.apache.catalina.ha.tcp.SimpleTcpCluster
send
   SEVERE: Unable to send message through cluster sender.
   org.apache.catalina.tribes.ChannelException: Operation has timed
   out(6 ms.).; Faulty members:tcp://10.160.40.12:;
   at
 
 
org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:97

Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Igor Cicimov
On 23/05/2014 5:43 PM, Sverre Moe sverre@gmail.com wrote:

 I am using the following ciphers in Tomcat:

ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

 Somehow Chromium uses the last in that list. That is
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Though it should support all these ciphers. Is there an ordering I could
 set so that i picks the first one?

I think that's supported in APR only but not in BIO/NIO. But double-check
that in the Connector docs please.


Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-23 Thread Igor Cicimov
On 24/05/2014 1:15 AM, Sverre Moe sverre@gmail.com wrote:

 NIO does support them according to the java documentation.

I was referring to cipher order and the Tomcat 7 connector documentation,
where only the APR connector supports the option SSLHonorCipherOrder

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

These ciphers
 have been implemented in the JSSE provider.
 I have no problem making a connection to Tomcat via a Java program using a
 HttpsConnection and are getting the highest cipher (TLS_ECDHE_RSA_WITH_
 AES_256_GCM_SHA384).


 2014-05-23 10:00 GMT+02:00 Igor Cicimov icici...@gmail.com:

  On 23/05/2014 5:43 PM, Sverre Moe sverre@gmail.com wrote:
  
   I am using the following ciphers in Tomcat:
  
 
 
ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  
   Somehow Chromium uses the last in that list. That is
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   Though it should support all these ciphers. Is there an ordering I
could
   set so that i picks the first one?
 
  I think thats supported in APR only but not in BIO/NIO. But doublecheck
  that in the Connector docs please.
 


Re: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-22 Thread Igor Cicimov
On 21/05/2014 8:22 PM, Sverre Moe sverre@gmail.com wrote:

 I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for
 TLSv1.2. I then configured a list of strong ciphers only, that I wanted to
 use.

 Connector port=8443
 protocol=org.apache.coyote.http11.Http11NioProtocol maxThreads=150
 clientAuth=false SSLEnabled=true scheme=https secure=true
 sslProtocol=TLSv1.2 sslEnabledProtocols=TLSv1.2 keyAlias=tomcat
 keystoreFile=/usr/share/tomcat/.keystore keystorePass=**
 keystoreType=JKS

ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256
 /

 I have tried running Tomcat with Java 7 and Java 8. Both of these should
 support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384.
 I have downloaded the Java cryptographic extensions policy files for both
 Java 7 and Java 8.

 The only way I get a connection is when I add the following ciphers:
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

 According to the specification all these ciphers are correct names:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

 According to the implementation in JSSE provider they are implemented as
 well to work with TLSv1.2

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
 Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available only
 for TLS 1.2 or later.


 Also how come SSLLabs SSLTest tells me I do not have forward secrecy and
 are using RC4 ciphers. Thought when I set a limited list of ciphers only
 those can be used.

 I tried to edit /usr/sbin/tomcat-sysd (which is started by service tomcat)
 to enable SSL debugging, but nothing shows up in the log files

Have you tried starting Tomcat with the -Djavax.net.debug=ssl option? You can
also narrow it down, like -Djavax.net.debug=ssl:handshake for example.
In case you would really like to have those ciphers in, is the APR connector
an option for you?


Re: Tomcat under load frontend reverse proxy timeouts

2014-03-27 Thread Igor Cicimov
On 27/03/2014 12:39 PM, Frederik Nosi frederik.n...@postecom.it wrote:

 Hi all,

 Having to deal with slow applications deployed under tomcat, with a
reverse proxy in front, frequently i've noticed that even when the frontend
timeouts and closes it's part of the TCP connection, the Tomcat thread
processing the request goes on and on till it finishes. Is there a way to
make the proccessing thread stop when the frontend connection get's closed?


 Thanks in advance,

 Frederik

What kind of application is this? What is the reason that the thread takes
longer than expected? Is it just the load on the app server or is it waiting
on the backend database maybe? If load, then for sure you can limit the
Tomcat connector threads and the accept queue to reduce it and add some
more app servers. If backend connection, then you can sync the client
timeout and the DB connection timeout.


Re: Expire Sesssion

2013-12-04 Thread Igor Cicimov
On 05/12/2013 9:47 AM, Crystal Maramba cmara...@acumenllc.com wrote:

 Version: Apache Tomcat 7.0.42
 Server: 2008r2 Standard

 How can I change the expired sessions in Tomcat Manager from 30 minutes
to 480 minutes?

 I think you can do it through the web.xml file located in
\tomcat\conf\web.xml and then restart Tomcat.

 Is there a difference if I change it in the \tomcat\conf location versus
\tomcat\webapps\[web app name]\web-inf\web.xml location?

First one will apply to all apps.

 If I change the web.xml file in the \tomcat\conf\web.xml location will it
override the web app location?

No.




Re: Avoiding/Handling SocketTimeoutException(s) when web application serving resources to mobile clients

2013-11-10 Thread Igor Cicimov
On Mon, Nov 11, 2013 at 1:25 AM, Howard W. Smith, Jr. 
smithh032...@gmail.com wrote:

 On Sun, Nov 10, 2013 at 9:14 AM, Howard W. Smith, Jr. 
 smithh032...@gmail.com wrote:

  Caused by: java.net.SocketTimeoutException
  at
 
 org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:127)
  at
 
 org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:174)
   at
 
 org.apache.coyote.http11.InternalNioOutputBuffer.writeToSocket(InternalNioOutputBuffer.java:163)
 

 my apologies, based on this exception (above), I decided to provide you
 with the following from my tomee/conf/server.xml:


 Connector port=8080
 protocol=org.apache.coyote.http11.Http11NioProtocol
maxThreads=150 connectionTimeout=2
 acceptorThreadCount=2
redirectPort=8443 socket.directBuffer=false/


 I guess the answer may be the connectionTimeout=... (above), but still
 would like to know recommendations of others based on experience with web
 application serving mobile clients. thanks.


In my experience SocketTimeoutException comes up in case of a misbehaving
browser (read IE 8 and older), i.e. the client fails to send the complete
request and the socket timeout strikes. In this case you can't fix anything
on the server side, but you say your application is used by mobile clients
so this might not be the case.

You don't provide information about the Java and OS version you are running
your app on, since this might be related to one of them (or maybe I missed
that info). For Sun Java for example you can try the following:

-Dsun.net.client.defaultReadTimeout=180

which will increase the socket timeout to 30 minutes let's say, if the
default one is not enough in case of a slow client. Another thing to check is
your OS socket timeout setting, on Linux systems for example:

net.ipv4.tcp_keepalive_time = 300

and try adjusting it according to your needs.

Would love to hear some other people's experiences and thoughts regarding
this as well, this is a really annoying one to troubleshoot.

Cheers,
Igor


Re: Avoiding/Handling SocketTimeoutException(s) when web application serving resources to mobile clients

2013-11-10 Thread Igor Cicimov
On Mon, Nov 11, 2013 at 11:22 AM, Howard W. Smith, Jr. 
smithh032...@gmail.com wrote:

 On Sun, Nov 10, 2013 at 5:08 PM, Igor Cicimov icici...@gmail.com wrote:

  For Sun Java for example you can try the following:
 
  -Dsun.net.client.defaultReadTimeout=180
 
  which will increase the socket timeout to 30 minutes lets say if the
  default one is not enough in case or slow client. Another thing to check
 is
  your OS socket timeout setting, on linux systems for example:
 
  net.ipv4.tcp_keepalive_time = 300
 
  and try adjusting it according to your needs.
 
  Would love to hear some other people experiences and thoughts regarding
  this as well, this is really annoying one to troubleshoot.
 

 I like the following that was mentioned in a stackoverflow answer[1]:

  It just means the client isn't sending. You don't need to worry about it.
 Browser clients come and go in all sorts of strange ways.

Correct, and IE is the worst with its tradition of not complying with the
standards. Especially if your app is using AJAX HTTP POST requests in
short succession, and it gets worse if this is done over SSL. There are
heaps of articles and questions in various forums, like this one for example:

http://stackoverflow.com/questions/4796305/why-does-internet-explorer-not-send-http-post-body-on-ajax-call-after-failure

which talks about a timeout when re-posting POST requests in case of
failure (IE 6, 7, 8 send only the header with the payload missing, so the
server times out). The remedy is disabling keep-alive on the server side, but
this comes at the expense of every AJAX call opening a new connection.

 I wouldn't put the server read timeout too high: it ties up a thread. If
 a client opens a connection to the server and doesn't send anything
 immediately it is misbehaving pretty badly.

 I agree with all of that and based on that, I will not modify the NIO
 connectiontimeout value. I would like to prevent the stacktrace from being
 logged in tomcat7-stderr log file, so I think I will catch the exception in
 my servlet filter.

I agree with this one too, no matter how high or low you set your timeout
it will eventually strike since the client simply is not sending the
complete HTTP request in some particular cases. Also you didn't say
anything about any load balancer or proxy fronting your application. It is
worth checking the timeouts there as well and aligning them with the
connection timeout on your server (in case you do use one of course).


 [1] http://stackoverflow.com/a/17079991/933054
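The failure mode discussed in this thread, a client that sends HTTP headers promising a body and then goes silent so the server's read timeout fires, reproduced as an added example that is not part of the thread and not Tomcat code. It runs entirely in-process on 127.0.0.1 with constructed traffic; the read_request function stands in for the connector's read under connectionTimeout. The point it makes is the one stated above: the server cannot make such a client send the rest, it can only bound the wait, log it and close the socket.

```python
"""Reproduce the SocketTimeoutException pattern from the thread: a client
sends HTTP headers that promise a body (Content-Length) and then sends
nothing more, so the server's read timeout fires while it waits for the body.

Added example, not Tomcat code. Everything runs in-process on 127.0.0.1 with
constructed traffic; the server side below stands in for the connector's
read with connectionTimeout set.
"""
import socket
import threading
from typing import Tuple

HEADERS_ONLY = (
    b"POST /app/ajax HTTP/1.1\r\n"
    b"Host: myserver\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"  # promises 17 body bytes that never arrive
    b"\r\n"
)
COMPLETE = HEADERS_ONLY + b"action=save&id=42"  # exactly 17 bytes


def read_request(conn: socket.socket, timeout: float) -> Tuple[str, str]:
    """Read one request under a per-recv timeout: headers, then exactly
    Content-Length body bytes. Returns (outcome, detail)."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return ("closed", "peer closed before headers were complete")
            buf += chunk
        head, _, body = buf.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        while len(body) < length:
            chunk = conn.recv(length - len(body))
            if not chunk:
                return ("closed", "peer closed in the middle of the body")
            body += chunk
        return ("ok", body.decode("ascii"))
    except socket.timeout:
        # This is what Tomcat surfaces as SocketTimeoutException: log it and
        # drop the connection; waiting longer only ties up the thread.
        return ("timeout", f"no data for {timeout}s after {len(buf)} bytes")


def serve_one(payload: bytes, timeout: float = 0.5) -> Tuple[str, str]:
    """Start a throwaway server, send `payload` from a client that then goes
    silent but keeps the socket open, and return what the server concluded."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    outcome = {}

    def server() -> None:
        conn, _ = srv.accept()
        with conn:
            outcome["result"] = read_request(conn, timeout)

    worker = threading.Thread(target=server)
    worker.start()
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(payload)
    worker.join()  # the client never closes: only the timeout frees the server thread
    client.close()
    srv.close()
    return outcome["result"]


if __name__ == "__main__":
    print("complete request :", serve_one(COMPLETE))
    print("headers only     :", serve_one(HEADERS_ONLY))
```

The timeout argument plays the role of connectionTimeout: raising it does not make the second case succeed, it only delays the same outcome while the thread is held, which is why aligning it with the timeouts of any proxy or load balancer in front matters more than making it large.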



RE: PersistentManager + JdbcStore

2013-11-08 Thread Igor Cicimov
On 09/11/2013 6:41 AM, spr...@gmx.eu wrote:

  If you need
  sessions replicated as changes occur then you'll want to look
  at a different solution, like the built-in cluster support.

 Unfortunately it does not work on AWS, no multicast.

Can't you use static membership instead of mcast?

 I think I will fix the DynamoDB-Sessionmanager.

 Thank you





RE: [OT] Using the bin/daemon.sh script on ubuntu.

2013-08-06 Thread Igor Cicimov
On 06/08/2013 12:40 AM, Jeffrey Janner jeffrey.jan...@polydyne.com
wrote:

  -Original Message-
  From: Christopher Schultz [mailto:ch...@christopherschultz.net]
  Sent: Friday, August 02, 2013 10:30 PM
  To: Tomcat Users List
  Subject: Re: [OT] Using the bin/daemon.sh script on ubuntu.
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256
 
  Christian
 
  On 8/1/13 11:55 AM, Christian Schneider wrote:
   On our (AWS) installation we have limited space on /opt, therefore we
   attached an EBS volume  to /var/, - otherwise we would get problems
   with the log files. Now it can grow above some GB.
 
  Have you thought about using /mnt/ephemeral[0-9]?
 
  Our instances have ~1TiB in combined ephemeral storage available per
  instance. I'm sure it depends upon the instance type, though. Remember
  that terminating the instance loses the ephemeral data.. that's what
  makes it ... ephemeral. Just remember to copy what you need back to an
  EBS-backed storage volume before you terminate.
 
  - -chris

 Chris,
 If I remember my empirical testing of the AWS ephemeral storage system,
you actually lose data on shutdown, not termination.

Not true, the ephemeral data is only lost on instance termination.

 On my Linux boxes, I use the ephemeral storage for swap space because of
that issue, and really nothing else, though /tmp is a second possibility.
 The big thing about using it, for anything, is you have to code a special
startup script to format it at every boot, as it comes back as raw disk.
 Figuring out how to do that for swap was fun, but it's great now (I've got
loads of swap space that I'll probably never ever use.)
 Jeff



RE: JMX monitoring of tomcat service

2013-07-23 Thread Igor Cicimov
On 24/07/2013 5:34 AM, honyk j.tosov...@email.cz wrote:

 On 2013-07-23 Cédric Couralet wrote:
  2013/7/23 honyk j.tosov...@email.cz:
   Dear All,
  
   I run tomcat as service on Windows Server 2008 R2. I am not able to
  monitor
   it locally yet (discussed in another thread) so in the meantime I am
  trying
   to establish JMX connection to it acc. to this guide:
   http://tomcat.apache.org/tomcat-7.0-doc/monitoring.html
  
   All params are changed using tomcat7w.exe (in the Java options text
  field)
   and then the service is restarted.
  
   I am experiencing several weird issues:
   1) Basic settings (single line):
   -Dcom.sun.management.jmxremote
   -Dcom.sun.management.jmxremote.port=9090
   -Dcom.sun.management.jmxremote.ssl=false
   -Dcom.sun.management.jmxremote.authenticate=false
 
   If these properties are on the same line in the java options tab, it
   won't work; they need to be on different lines.

 Ooops...

 What a shame. Looking into various sources it really seems to be my fatal
 mistake. I'll check tomorrow.


   b) When credentials files were specified, there were still
  'FileNotFound'
   errors in the log (even when absolute paths were used):
   -Dcom.sun.management.jmxremote
   -Dcom.sun.management.jmxremote.port=9090
   -Dcom.sun.management.jmxremote.authenticate=true
    -Dcom.sun.management.jmxremote.password.file=../conf/jmxremote.password
   -Dcom.sun.management.jmxremote.access.file=../conf/jmxremote.access
   -Dcom.sun.management.jmxremote.ssl=false
 
  When launching tomcat as a service, without changing the default
  configuration, it will start in the system32 folder (or something else
  on Win 2008) and not in the tomcat folder. So the path for password
   file and access file should be absolute

 I tried absolute paths as well, but this result is most likely related to
 the above case - all my Java options were on the single line, thus most
 likely ignored completely.

 Jan




Do you have the Listener setup in your server.xml?
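The thread above shows three things that go wrong with the tomcat7w.exe "Java options" field: options pasted on one line, jmxremote.password/access given as relative paths (resolved against system32, not the Tomcat folder), and authenticate=false / ssl=false, which leave the JMX port open to anyone who can reach it. The checker below is an added example, not code from the thread; the option blocks in it are constructed, and C:\tomcat7 is a placeholder install directory.

```python
"""Checker for Tomcat JMX remote options (added example, not code from the thread).

Flags: several -D options on one line (tomcat7w.exe needs one per line),
relative password/access file paths, and the weak authenticate=false /
ssl=false settings. Sample option blocks are constructed for the demo.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# -Dkey or -Dkey=value; a value runs to the next whitespace, so paths with
# spaces would need quoting (kept simple for the example).
OPTION_RE = re.compile(r"-D([\w.]+)(?:=(\S*))?")
JMX = "com.sun.management.jmxremote"


def parse_options(text):
    """Return [(line_number, [(key, value), ...])] for each non-blank line."""
    parsed = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            parsed.append((n, [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(raw)]))
    return parsed


def is_absolute(path):
    """Accept both C:\\... and /... forms so the check works on either OS."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def check_jmx_options(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    merged = {}
    for n, opts in parse_options(text):
        if len(opts) > 1:
            findings.append(f"line {n}: {len(opts)} options on one line; "
                            "tomcat7w.exe needs one option per line")
        merged.update(opts)
    if merged.get(f"{JMX}.authenticate") == "false":
        findings.append(f"{JMX}.authenticate=false: JMX port accepts unauthenticated clients")
    if merged.get(f"{JMX}.ssl") == "false":
        findings.append(f"{JMX}.ssl=false: JMX credentials and traffic are sent in clear text")
    for suffix in ("password.file", "access.file"):
        key = f"{JMX}.{suffix}"
        path = merged.get(key)
        if path is not None and not is_absolute(path):
            findings.append(f"{key}={path}: relative path is resolved against the "
                            "service working directory (system32), not the Tomcat folder")
    return findings


# Constructed samples: the single-line block from the thread, the block with
# relative paths from the thread, and a hardened one-per-line block with
# absolute paths (C:\tomcat7 is a placeholder install directory).
SINGLE_LINE = ("-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9090 "
               "-Dcom.sun.management.jmxremote.ssl=false "
               "-Dcom.sun.management.jmxremote.authenticate=false")
RELATIVE_PATHS = """\
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=../conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=../conf/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false
"""
HARDENED = """\
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=C:\\tomcat7\\conf\\jmxremote.password
-Dcom.sun.management.jmxremote.access.file=C:\\tomcat7\\conf\\jmxremote.access
-Dcom.sun.management.jmxremote.ssl=true
"""

if __name__ == "__main__":
    for name, block in (("single line", SINGLE_LINE), ("relative paths", RELATIVE_PATHS),
                        ("hardened", HARDENED)):
        print(name, check_jmx_options(block) or "OK")
```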


Re: Serve same content to multiple URL's

2013-04-04 Thread Igor Cicimov
On 05/04/2013 7:26 AM, Chris Arnold carn...@electrichendrix.com wrote:

 On Apr 4, 2013, at 2:38 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 
  Chris,
 
  On 4/4/13 12:28 PM, Chris Arnold wrote:
 
  I have tried to add a second worker (worker2) in workers.properties
  and added a virtualhost like: Here is the configured virtualhost
  for domain2: 2nd virtualhost: JkMount /share|/* worker2
  RedirectMatch ^/$ http://share.domain2.com/share/
 
  If you want the content to be identical, why do you need a second
worker?

  I didn't think I needed a second worker, but because the working config
only worked for http://share.domain1.com and nothing else, I wanted to
verify it should work or I needed another worker, and you verified I do not
need another worker and in fact the existing config for
http://share.domain1.com should work for http://share.domain2.com.
 
  Why do you need a second VirtualHost, even?

 Apache has to answer for that request (http://share.domain2.com) and pass
it to tomcat
 
You just need to create an Alias in the existing VirtualHost in Apache and the
Host in Tomcat.

  When i type http://share.domain2.com i arrive at 1 of our websites
  but not the tomcat content. When i type
  http://share.domain2.com/share i get a 404 error. Do i need to
  define another worker to accomplish this or should the defined
  worker work for any domain given there is a virtualhost defined?
 
  Workers don't care about VirtualHosts: the client's request headers
  will be sent to Tomcat and another round of virtual host resolution
  will occur over there. Having separate workers does not help anything.
 
  I'm not sure why you are getting 404s: any idea if it's a response
  coming from httpd or Tomcat?

 No error logs in apache or tomcat which is weird?

  If you browse to
  http://share.domain2.com/ are you properly redirected (as I would
  expect given the above configuration) to http://share.domain2.com/share?

  It doesn't appear so, as an apache site answers the request.


Re: Apache Accessing Tomcat Issue

2013-03-29 Thread Igor Cicimov
On 29/03/2013 10:29 AM, Chris Arnold carn...@electrichendrix.com wrote:

 Apache Tomcat/7.0.30 on SLES11 SP2. I am trying to configure access to a
webapp using http://share.domain.com. This webapp uses port 8080 and works
fine from inside the LAN. However, we have an apache2 server acting as a
proxy and we want users to not have to type in a port number.

 Now when accessing http://share.domain.com, the result is directories and
files are listed, the jsp files are not running. Here is my complete setup:

You can't overlap the apache and tomcat file systems.

  jk.conf-

  # simple configuration for apache (for AJP connector, modul mod_jk.so)

  <IfModule mod_jk.c>

  JkWorkersFile /opt/alfresco/tomcat/workers.properties
  JkLogFile /var/log/alfresco/mod_jk.log
  JkShmFile /var/log/alfresco/shm

  # Log level to be used by mod_jk
  JkLogLevel error

  # The following line mounts all JSP files and the /servlet/ uri to tomcat
  #JkMount /servlets-examples/servlet/* ajp13
  JkMount /share/*.jsp ajp13

  </IfModule>


  virtualhost-

  <VirtualHost *:80>
  ServerName share.domain.com

  #RewriteEngine On
  #RewriteCond %{REQUEST_URI} !^/share/
  #RewriteCond %{HTTPS} on
  #RewriteRule ^/. http://share.paradixent.com/share/ [P]
  #JkMount /share/* worker1

  <IfModule mod_jk.c>


  # The following line makes apache aware of the location of
  # the /jsp-examples context
  Alias /share /opt/alfresco/tomcat/webapps/share
  <Directory /opt/alfresco/tomcat/webapps/share>
  Options Indexes FollowSymLinks
  allow from all
  </Directory>

  # The following line mounts all JSP files and the /servlet/ uri to tomcat
  #JkMount /servlets-examples/servlet/* ajp13
  JkMount /share/*.jsp ajp13

  # The following line prohibits users from directly accessing WEB-INF
  <Location /share/WEB-INF/>
  #AllowOverride None
  deny from all
  </Location>

  # if not specified, the global error log is used
  ErrorLog /var/log/apache2domain.com-error_log
  CustomLog /var/log/apache2/domain.com-access_log combined

  </IfModule>

  </VirtualHost>


 httpd.conf-

 # mod_jk
 Include /opt/alfresco/tomcat/conf/jk.conf


 Mod_jk is loaded:

 web:~ # /usr/sbin/httpd2 -M
 Loaded Modules:
 ...
 jk_module (shared)
  perl_module (shared)
  php5_module (shared)
 Syntax OK




 Here is the log from apache:

 [Thu Mar 28 18:40:14 2013] [error] [client pub ip] proxy: Error reading
from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var
 [Thu Mar 28 18:40:28 2013] [error] [client pub ip] (70007)The timeout
specified has expired: proxy: error reading status line from remote server
share.paradixent.com
 [Thu Mar 28 18:40:28 2013] [error] [client pub ip] proxy: Error reading
from remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var


 Any ideas why the folder and files are being listed instead of running?

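Igor's one-line answer is the whole diagnosis: once httpd has an Alias into Tomcat's webapps directory it serves those files itself (with a listing, given Options Indexes) and only the JkMount'ed paths ever reach Tomcat. The checker below is an added example, not code from the thread; it parses a vhost fragment for that overlap, and the two configs in it are constructed (share.example.com and /opt/tomcat are placeholders) to mirror the setup above and a fixed one that mounts the whole context.

```python
"""Detect an httpd vhost that serves a Tomcat webapp tree itself (added example).

Once "Alias /share /opt/.../webapps/share" exists, httpd answers requests under
/share from disk (listing the directory if Options Indexes is set) and only
the URLs in a JkMount reach Tomcat. The checker parses a vhost fragment and
reports that overlap; the configs below are constructed with placeholder paths.
"""
import re
from fnmatch import fnmatch

ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)", re.I)
JKMOUNT_RE = re.compile(r"^\s*JkMount\s+(\S+)\s+(\S+)", re.I)
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE_RE = re.compile(r"^\s*</Directory>", re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.I)


def parse_vhost(text):
    """Collect Alias targets, JkMount patterns and Options per Directory block."""
    aliases, mounts, dir_options = [], [], {}
    current = None
    for line in text.splitlines():
        stripped = line.split("#", 1)[0]          # drop comments
        if m := DIR_OPEN_RE.match(stripped):
            current = m.group(1).rstrip("/")
            dir_options.setdefault(current, set())
        elif DIR_CLOSE_RE.match(stripped):
            current = None
        elif (m := OPTIONS_RE.match(stripped)) and current:
            # "+Indexes" enables, "-Indexes" disables; keep enabled names only
            dir_options[current].update(o.lstrip("+") for o in m.group(1).split()
                                        if not o.startswith("-"))
        elif m := ALIAS_RE.match(stripped):
            aliases.append((m.group(1).rstrip("/"), m.group(2).rstrip("/")))
        elif m := JKMOUNT_RE.match(stripped):
            mounts.append(m.group(1))
    return aliases, mounts, dir_options


def find_overlaps(text, webapps_marker="/webapps/"):
    """Return findings for every Alias that points into a Tomcat webapps tree."""
    aliases, mounts, dir_options = parse_vhost(text)
    findings = []
    for url, path in aliases:
        if webapps_marker not in path + "/":
            continue
        findings.append(f"Alias {url} -> {path}: httpd serves Tomcat's webapp files directly")
        if "Indexes" in dir_options.get(path, set()):
            findings.append(f"Options Indexes on {path}: directory listing of the webapp")
        # fnmatch is a simplification of mod_jk's matching: "/share/*" covers
        # everything below the context, "/share/*.jsp" does not.
        if not any(fnmatch(url + "/anything", pat) for pat in mounts):
            findings.append(f"JkMount {mounts} does not cover all of {url}/: "
                            "non-matching requests are served from disk by httpd")
    return findings


# Constructed: the overlapping setup from the thread, and a vhost that hands
# the whole /share context to Tomcat without touching its files.
VULNERABLE = """\
<VirtualHost *:80>
  ServerName share.example.com
  Alias /share /opt/tomcat/webapps/share
  <Directory /opt/tomcat/webapps/share>
    Options Indexes FollowSymLinks
    allow from all
  </Directory>
  JkMount /share/*.jsp ajp13
  <Location /share/WEB-INF/>
    deny from all
  </Location>
</VirtualHost>
"""
FIXED = """\
<VirtualHost *:80>
  ServerName share.example.com
  JkMount /share ajp13
  JkMount /share/* ajp13
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_overlaps(conf) or "OK")
```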



Re: Setting up tomcat to run on port 443 on ubuntu system

2013-03-29 Thread Igor Cicimov
If installed from package open /etc/default/tomcat7, uncomment the last
line and make it
AUTHBIND=yes
and then you'll be able to bind tomcat to port 80 and/or 443
 On 30/03/2013 1:22 AM, Shyam Yadav shyam.ya...@mobicule.com wrote:

 Hi Ognjen,

 I did all the setting you have mentioned for Unix Daemon for Tomcat, but
 still i am getting the same problem.
 i.e.  Permission Denied.

 Thank you very much sir for helping me out but still its not working.
 This may be my mistake.

  Thanks & Regards,
 Shyam Yadav



Re: mod_jk 1.2.37 never send ping rq

2013-03-06 Thread Igor Cicimov
On Thu, Mar 7, 2013 at 3:03 AM, dietmar.muel...@eurotours.at wrote:

 hi all

  i setup apache -- mod_jk -- tomcat the first time with firewall. what i
  saw was a not working page. after search and read the mod_jk docs
  i see and found the reason. the firewall drop the jk connection. i try to
  set properties like keep_alive and ping but i never see with wireshark any
  package do exact the job, what i read from the doc (might i misunderstand
  something) -- send after some time a ping.
  i expect this on the ajp connection. i watch the complete traffic between
  apache and tomcat

  my config is straight forward:

 worker.list=jkstatus, tc

 worker.jkstatus.type=status

 worker.tc.type=lb
 worker.tc.balance_workers=1

 worker.1.type=ajp13
 worker.1.host=192.168.13.50
 worker.1.port=8009
 worker.1.socket_keepalive=1
 worker.1.ping_mode=A
 worker.1.ping_timeout=1
 worker.1.connection_ping_interval=9000
 worker.1.connection_pool_size=1

 worker.2.type=ajp13
 worker.2.host=192.168.13.51
 worker.2.port=8009
 worker.2.socket_keepalive=1
 worker.2.ping_mode=A
 worker.2.ping_timeout=1
 worker.2.connection_ping_interval=9000
 worker.2.connection_pool_size=1

 i play with the values but i never see something periodical at the network
 side.

 my system:

 redhat 6.4 / 64bit, apache 2.2.15 and mod_jk 1.2.37 -- tomcat latest

  any help / comment is welcome

 thanks dietmar


Well in this case I can think of only one reason for this not to work: the
firewall is dropping the ICMP packets. What kind of firewall are we talking
about here? Is it a hardware one or iptables on the tomcat server? Anyway,
easy to test: switch off the firewall and then check if you can see the
pings.


Re: mod_jk 1.2.37 never send ping rq

2013-03-06 Thread Igor Cicimov
 redhat 6.4 / 64bit, apache 2.2.15 and mod_jk 1.2.37 -- tomcat latest

 In case of RedHat, also check the SELinux policy on the tomcat server, and
other security things you might be running like maybe AppArmor etc.


Re: mod_jk 1.2.37 never send ping rq

2013-03-06 Thread Igor Cicimov
On 07/03/2013 4:25 PM, Christopher Schultz ch...@christopherschultz.net
wrote:


 Igor,

 On 3/6/13 9:02 PM, Igor Cicimov wrote:
  On Thu, Mar 7, 2013 at 3:03 AM, dietmar.muel...@eurotours.at
  wrote:
 
  hi all
 
  i setup apache -- mod_jk -- tomcat the firsttime with
  firewall. what i saw was a not working page. after search and
  read the mod_jk docs i see and found the reason. the firewall
  drop the jk connection. i try to set properties like keep_alive
  and ping but i never see with wireshark any package do exact the
  job, what i read from the doc (might i missunderstand something)
  -- send after some time a ping. i expect this on the ajp
  connection. i watch the complete traffic between apache and
  tomcat
 
  my config is stright forward:
 
  worker.list=jkstatus, tc
 
  worker.jkstatus.type=status
 
  worker.tc.type=lb worker.tc.balance_workers=1
 
  worker.1.type=ajp13 worker.1.host=192.168.13.50
  worker.1.port=8009 worker.1.socket_keepalive=1
  worker.1.ping_mode=A worker.1.ping_timeout=1
  worker.1.connection_ping_interval=9000
  worker.1.connection_pool_size=1
 
  worker.2.type=ajp13 worker.2.host=192.168.13.51
  worker.2.port=8009 worker.2.socket_keepalive=1
  worker.2.ping_mode=A worker.2.ping_timeout=1
  worker.2.connection_ping_interval=9000
  worker.2.connection_pool_size=1
 
  i play with the values but i never see something periodical at
  the network side.
 
  my system:
 
  redhat 6.4 / 64bit, apache 2.2.15 and mod_jk 1.2.37 -- tomcat
  latest
 
  any help / comment is wellcome
 
  thanks dietmar
 
  Well in this case I can think of only one reason of this not to
  work: the firewall is dropping the ICMP packets. What kind of
  firewall are we talking about here? Is it hardware one or the
  iptables on tomcat server. Anyway, easy to test, switch off the
  firewall and then check if you can see the pings.

 Wrong, mod_jk does not use ICMP to ping the backend server. It uses
 (not surprisingly) TCP/IP packets using the AJP protocol.

 - -chris
Thanks Chris for correcting me, I thought they were separate.
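Chris's correction is the key fact of this thread: mod_jk's ping is an AJP CPing packet sent on the same TCP connection used for requests, so an ICMP rule is irrelevant and a capture filtered on the AJP port (8009 in the config above) is where to look. As an added example, not mod_jk's or Tomcat's code, the following builds the CPing packet mod_jk sends, validates the CPong Tomcat returns, and exercises both over a local socketpair so the format can be checked offline.

```python
"""AJP13 CPing/CPong encoder and decoder (added example, not mod_jk code).

Packets from the web server to Tomcat start with 0x12 0x34, packets from
Tomcat start with "AB"; both carry a 2-byte payload length and then a
prefix code. CPing is code 10, CPong is code 9, each with a 1-byte payload.
"""
import socket
import struct

AJP_SERVER_MAGIC = b"\x12\x34"   # httpd -> Tomcat packets
AJP_CONTAINER_MAGIC = b"AB"      # Tomcat -> httpd packets
CPING = 10
CPONG = 9


def build_cping():
    """CPing: magic 0x1234, payload length 1, prefix code 10."""
    payload = bytes([CPING])
    return AJP_SERVER_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_container_packet(data):
    """Split a Tomcat->httpd packet into (prefix_code, payload_body)."""
    if len(data) < 4 or data[:2] != AJP_CONTAINER_MAGIC:
        raise ValueError("not an AJP container packet")
    length = struct.unpack(">H", data[2:4])[0]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated AJP packet")
    if not payload:
        raise ValueError("empty AJP payload")
    return payload[0], payload[1:]


def is_cpong(data):
    """True only for a well-formed CPong (code 9, no body)."""
    try:
        code, body = parse_container_packet(data)
    except ValueError:
        return False
    return code == CPONG and body == b""


def ping_tomcat(sock, timeout_ms=1000):
    """Send a CPing on an open socket; True only when a valid CPong arrives.

    Mirrors what ping_mode=A / ping_timeout do in mod_jk: a connection that
    does not answer within the timeout is treated as dead.
    """
    sock.settimeout(timeout_ms / 1000.0)
    sock.sendall(build_cping())
    try:
        reply = sock.recv(5)          # a CPong is exactly 5 bytes
    except OSError:                   # includes socket.timeout
        return False
    return is_cpong(reply)


def selftest_with_socketpair(reply):
    """Run ping_tomcat() against a local socketpair whose far end answers `reply`."""
    near, far = socket.socketpair()
    try:
        far.sendall(reply)
        return ping_tomcat(near, timeout_ms=500)
    finally:
        near.close()
        far.close()


if __name__ == "__main__":
    print("CPing bytes:", build_cping().hex())
    print("valid CPong accepted:", selftest_with_socketpair(b"AB\x00\x01\x09"))
    print("silent peer detected:", not selftest_with_socketpair(b""))
```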


Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

2013-03-04 Thread Igor Cicimov
On 05/03/2013 5:10 PM, Brijesh Deo b...@sonicwall.com wrote:

 Hi,
 Is there a way to make TLS 1.1 required for https connection with Tomcat
server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried
setting [sslProtocol=TLSv1.1] in the Connector definition in server.xml
but that did not stop TLS 1.0 connections from being accepted. I am not
using OpenSSL and instead using JSSE as the TLS provider.
 Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0
to be able to allow only TLS 1.1 connections with https? Please let me know
how to do this.

You need java7 for tls1.1 and 1.2 as far as I know.


Re: mod_jk how to add JK_WORKER_NAME to http-header

2013-02-26 Thread Igor Cicimov
On 27/02/2013 5:42 AM, Jochen Wißmann jochen.wissm...@kepol.com wrote:

 Hello,

 i am trying to find an easy way to determine from the http-client side,
which AJP13-worker handled my request.
 So my basic idea is to use mod_header to add mod_jk`s env-variable
JK_WORKER_NAME to the Header of the http-response.
 I tried to get something like this working:

 httpd.conf:
 ...
 Header add TC-Server %{JK_WORKER_NAME}e

I think this should be

Header add TC-Server %{JK_WORKER_NAME}n

Please paste here the worker.properties file too.

 ...

 All my previous attempts resulted in http-responses looking like this:

  HTTP/1.1 200 OK
  Set-Cookie: ARPT=LRWQXVS110.160.11.26CKMLQ; path=/
  Date: Tue, 26 Feb 2013 18:25:31 GMT
  Server: Apache/2.2.22 (Unix) mod_jk/1.2.36 mod_ssl/2.2.22
OpenSSL/0.9.8x DAV/2
  Set-Cookie: JSESSIONID=A4052BF60BA2007F0B0F47E2699AFDE.liferay0; Path=/
  Set-Cookie: GUEST_LANGUAGE_ID=en_US; Expires=Wed, 26-Feb-2014 18:25:31
GMT; Path=/
  Set-Cookie: COOKIE_SUPPORT=true; Expires=Wed, 26-Feb-2014 18:25:31 GMT;
Path=/
  Liferay-Portal: Liferay Portal Community Edition 6.0.6 CE (Bunyan /
Build 6006 / February 17, 2011)
  ETag: 838b4ae2
  Content-Length: 8043
  X-Server-Ip: 110.160.11.26
  TC-Server: (null)
  Content-Type: text/html;charset=utf-8

 Why do i get TC-Server: (null) ?
 Using the Variable JK_WORKER_NAME to log the worker's name via
mod_log_config works fine.

 Am i missing something? Is it even possible to access the env-variable
JK_WORKER_NAME with module mod_header?
 Could anyone please help?
 Thanks!

 Jochen





Re: mod_jk how to add JK_WORKER_NAME to http-header

2013-02-26 Thread Igor Cicimov
On 27/02/2013 10:47 AM, Jochen Wißmann jochen.wissm...@kepol.com wrote:

 On 26.02.2013 22:38, Christopher Schultz wrote:


 Jochen,

 On 2/26/13 10:41 AM, Jochen Wißmann wrote:

 I tried to get something like this working:

 httpd.conf: ... Header add TC-Server %{JK_WORKER_NAME}e

 This looks like it should work from my brief review of the documentation.

  TC-Server: (null)

 Why do i get TC-Server: (null) ? Using the Variable
 JK_WORKER_NAME to log the worker's name via mod_log_config works
 fine.

 Am i missing something? Is it even possible to access the
 env-variable JK_WORKER_NAME with module mod_header?

 The httpd documentation says so.

 Can you give us more of your httpd.conf? Perhaps the Header
 directive isn't in a place where the environment variable has been
 set, goes out of scope, etc.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iEYEAREIAAYFAlEtK1AACgkQ9CaO5/Lv0PAdmwCgvDx2p5ZNdLAU6E7xXIg4uuu6
 tCcAoLWtF78/eXNDXvmV2FeR6TIOq0qj
 =f/sj
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

 Hi Christopher,

 my setup looks like this.
  * os: ubuntu, running apache 2.2 with mod_jk 1.2.36
 * AJP13-Worker: Liferay Portal Community Edition 6.0.6 CE (Bunyan / Build
6006 / February 17, 2011) , which is based on tomcat-6.0.29

 000-default:
 
 # Load mod_jk configuration
 Include mod-jk.conf

  <VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www
  <Directory />
  Options FollowSymLinks
  AllowOverride None
  </Directory>
  <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
  </Directory>

  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory /usr/lib/cgi-bin>
  AllowOverride None
  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Order allow,deny
  Allow from all
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log combined

  Alias /doc/ /usr/share/doc/
  <Directory /usr/share/doc/>
  Options Indexes MultiViews FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 127.0.0.0/255.0.0.0 ::1/128
  </Directory>
  Header add X-Server-Ip %{SERVER_ADDR}e
  Header merge TC-Server-Ip %{JK_WORKER_NAME}e
  </VirtualHost>

 mod_jk.conf:
 -
 # Load mod_jk module
 # Specify the filename of the mod_jk lib
 LoadModule jk_module modules/mod_jk.so

 # Where to find workers.properties
 JkWorkersFile workers.properties

 # Where to put jk logs
 JkLogFile ${APACHE_LOG_DIR}/mod_jk.log

 # Set the jk log level [debug/error/info]
 JkLogLevel info

  # LogFormat
  LogFormat "%h %l %u %t \"%r\" %s %b %{JK_WORKER_NAME}n %{JK_LB_FIRST_NAME}n \
   %{JK_LB_FIRST_BUSY}n %{JK_LB_LAST_NAME}n %{JK_LB_LAST_BUSY}n" JkLogFile
  # Select the log format
  JkLogStampFormat "%Y-%m-%d %H:%M:%S,%Q "
  #SetEnv JK_WORKER_NAME {JK_WORKER_NAME}n
  Header add TC-Server-Ip %{JK_NOTE_WORKER_NAME}e
  # JkOptions indicates to send SSK KEY SIZE
  JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

  # JkRequestLogFormat
  JkRequestLogFormat "%w %V %U %T %s %R"

 # You can use external file for mount points.
 # It will be checked for updates each 60 seconds.
 # The format of the file is: /url=worker
 # /examples/*=loadbalancer
 JkMountFile uriworkermap.properties

 JkMountCopy all

 # Add shared memory.
 # This directive is present with 1.2.10 and
 # later versions of mod_jk, and is needed for
 # for load balancing to work properly
 JkShmFile /var/log/apache2/jk.shm

 worker.properties:
 
 # Define list of workers that will be used
 # for mapping requests
 worker.list=status,liferay
 # Status worker for managing load balancer
 worker.status.type=status

 # Liferay-Load-balancer
 worker.liferay.port=8009
 worker.liferay.host=127.0.0.1
 worker.liferay.type=ajp13

 uriworkermap.properties:
 --
 # Mount the Servlet context to the ajp13 worker
 /jkstatus/*=status

 # Liferay
 /c=liferay
 /c/*=liferay
 /group=liferay
 /group/*=liferay
 /html/*=liferay
 /image/*=liferay
 /language/*=liferay
 /layouttpl/*=liferay
 /user=liferay
 /user/*=liferay
 /web=liferay
 /web/*=liferay
 /kepol=liferay
 /kepol/*=liferay

 # Liferay Languages
 /da=liferay
 /da/*=liferay
 /de=liferay
 /de/*=liferay
 /en=liferay
 /en/*=liferay
 /ru=liferay
 /ru/*=liferay
 /tr=liferay
 /tr/*=liferay

 Using these 

Re: mod_jk how to add JK_WORKER_NAME to http-header

2013-02-26 Thread Igor Cicimov
Another 

Re: Help in diagnosing server unresponsiveness

2013-02-05 Thread Igor Cicimov
On Wed, Feb 6, 2013 at 1:15 PM, Zoran Avtarovski zo...@sparecreative.com wrote:

 Here's some updated observations after a not quite incident (CPU and
 memory spiked but the app is still running):

 1. Yesterday we had a 90% CPU spike at a time where there was absolutely
 no server traffic. Verified through both the HTTP logs and the mod_jk
 logs. The CPU spiked and recovered back to average levels.
 2. Used memory spiked at 10GB from a pre incident average of 500MB
 throughout 2 busy days without incident
 3. Used memory has only gone back down to 4GB and is holding at this level
 4. The Used physical memory went up from 2GB to 14GB and has stayed there
 5. Garbage collector time spikes to 24.0. I think with JavaMelody it means
  that GC took 24% of the CPU??

 So I think our issues are related to GC. Is there a way to trigger more
 frequent GC which will hopefully be less resource intensive?

 And why have the memory usage levels not recovered?

 Z.





Zoran,

First I would like to recommend the following document for reading:
http://www.oracle.com/technetwork/java/javase/gc-tuning-6-140523.html#cms

It explains the GC in JVM 1.6 including the Concurrent Collector settings
which is the one you are using. The values for the GC in the log file are
the time the particular collector spent for the operation so the 24.0 would
probably mean 24 seconds, which might mean that for 24 seconds your
applications might be unresponsive during the CMS GC.

As explained in the document at the above link, the GC has minor and major
collecting phases. During the minor collection the objects are GC'ed from
the so called young generation or promoted to the old (tenured) generation.
The more of these objects pile up in the old generation, the more frequently
the major GC needs to run. The major ones usually take much longer (they have
to clean a much bigger space) than the minor ones, but the minor ones have
to run more frequently. Now, what you need to find is what is really causing
your problem. If your application creates lots of new objects then you'll
have lots of minor GCs running. The more of these objects survive, the more
get moved to the old generation space and then you'll have lots of major GCs
running as well. The danger here is that you might end up with constantly
running GC which will render your application unusable due to pauses. So
basically a badly written application can cause lots of problems, not closing
connections and freeing objects etc etc, and in that case even the best GC
tuning in the world will not help you, your application(s) will eventually
get to a halt.

So read the document carefully and decide which use case is best for you.
If you are creating lots of new objects then maybe increasing the minor
space (default new/old ratio is 1:3) can help.

Also paste here the results of the GC logs. The link I provided has some
more useful settings and recommendations for the CMS collector. This
collector stops the application threads twice during the operation so you
need to check those times too.

Cheers & Pozdrav,
Igor
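The GC log Igor asks for is where the "24.0" question gets settled: each pause is logged with its duration, and the CMS collector's two stop-the-world phases (initial mark and remark) appear as separate lines from the concurrent phases that run alongside the application. The parser below is an added example, not code from the thread; the log lines in it are constructed to resemble the JDK 6 -XX:+PrintGCDetails -XX:+PrintGCTimeStamps output and include one 24-second Full GC.

```python
"""Stop-the-world pause extraction from a CMS GC log (added example, not from the thread).

With -XX:+PrintGCDetails -XX:+PrintGCTimeStamps the JDK 6 collector logs one
line per event. Only ParNew, CMS-initial-mark, CMS-remark and Full GC lines
are pauses; the CMS-concurrent-* phases run alongside the application.
The log below is constructed to resemble that format.
"""
import re

TIMESTAMP_RE = re.compile(r"^(\d+\.\d+): ")
# Outer pause duration: the last ", N secs]" before the [Times: ...] suffix.
PAUSE_RE = re.compile(r", (\d+\.\d+) secs\]")

STW_KINDS = ("minor", "cms-initial-mark", "cms-remark", "full-gc")


def classify(line):
    """Map a GC log line to an event kind; order matters for Full GC lines."""
    if "CMS-initial-mark" in line:
        return "cms-initial-mark"
    if "CMS-remark" in line:
        return "cms-remark"
    if "Full GC" in line:
        return "full-gc"
    if "[ParNew" in line:
        return "minor"
    if "CMS-concurrent" in line:
        return "concurrent"
    return "other"


def parse_gc_log(text):
    """Return [{"t": uptime_seconds, "kind": ..., "pause": seconds}] per log line."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if not m:
            continue
        kind = classify(line)
        pause = 0.0
        if kind in STW_KINDS:
            head = line.split("[Times:", 1)[0]
            found = PAUSE_RE.findall(head)
            pause = float(found[-1]) if found else 0.0
        events.append({"t": float(m.group(1)), "kind": kind, "pause": pause})
    return events


def summarize(events, long_pause=1.0):
    """Totals a tuning session needs: STW time, the CMS pause pair, outliers."""
    stw = [e for e in events if e["kind"] in STW_KINDS]
    return {
        "total_stw_seconds": sum(e["pause"] for e in stw),
        "minor_count": sum(1 for e in stw if e["kind"] == "minor"),
        "cms_pauses": [e["pause"] for e in stw
                       if e["kind"] in ("cms-initial-mark", "cms-remark")],
        "long_pauses": [e for e in stw if e["pause"] >= long_pause],
    }


# Constructed log: one minor collection, a full CMS cycle, then a 24 s Full GC.
GC_LOG = """\
12.345: [GC 12.345: [ParNew: 314560K->34944K(314560K), 0.0523120 secs] 1023456K->767890K(2097152K), 0.0525300 secs] [Times: user=0.21 sys=0.01, real=0.05 secs]
15.001: [GC [1 CMS-initial-mark: 732946K(1782592K)] 801234K(2097152K), 0.0312340 secs] [Times: user=0.03 sys=0.00, real=0.03 secs]
15.033: [CMS-concurrent-mark-start]
17.512: [CMS-concurrent-mark: 2.479/2.479 secs] [Times: user=4.90 sys=0.10, real=2.48 secs]
17.513: [CMS-concurrent-preclean-start]
17.600: [CMS-concurrent-preclean: 0.087/0.087 secs] [Times: user=0.09 sys=0.00, real=0.09 secs]
17.601: [GC[YG occupancy: 120000 K (314560 K)]17.601: [Rescan (parallel) , 0.1200000 secs]17.721: [weak refs processing, 0.0010000 secs] [1 CMS-remark: 732946K(1782592K)] 852946K(2097152K), 0.1234560 secs] [Times: user=0.45 sys=0.01, real=0.12 secs]
17.725: [CMS-concurrent-sweep-start]
19.100: [CMS-concurrent-sweep: 1.375/1.375 secs] [Times: user=1.40 sys=0.02, real=1.38 secs]
42.000: [Full GC 42.000: [CMS: 1782592K->1500000K(1782592K), 24.0012345 secs] 2097152K->1530000K(2097152K), [CMS Perm : 100000K->100000K(200000K)], 24.0015000 secs] [Times: user=23.90 sys=0.10, real=24.00 secs]
"""

if __name__ == "__main__":
    summary = summarize(parse_gc_log(GC_LOG))
    print(f"stop-the-world total: {summary['total_stw_seconds']:.3f}s, "
          f"CMS pauses: {summary['cms_pauses']}, pauses >= 1s: "
          f"{[(e['t'], e['kind'], e['pause']) for e in summary['long_pauses']]}")
```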


Re: Help in diagnosing server unresponsiveness

2013-02-02 Thread Igor Cicimov
On 03/02/2013 3:17 PM, Zoran Avtarovski zo...@sparecreative.com wrote:

 Hi Howard,

 The move to linux was part of a move in-house for our client as the web
 services are only accessible behind the firewall.

 My gut feeling is that the issue isn't related to the WS as they run on a
 scheduled task 3 times a day. I think the issue lies in our app and
 struggling with not being able to see exactly what's happening during the
 crash. JavaMelody provides some insight but just not enough.


Nothing in the catalina.out or app specific logs?

 I'm quite happy to post the charts for others to see. Just not sure what
 the best way to do it is.


 Z.





 On 3/02/13 3:11 PM, Howard W. Smith, Jr. smithh032...@gmail.com wrote:

 I know this is asking for too much or might be impossible to do but
 process
 of elimination.. If it was possible to eliminate or prevent web services
 from executing or being accessed, and no spikes occur, then problem is
 there. I think you said earlier that system was stable on Windows and
 migration to Linux was driven by the web services requirement. I wonder
 what kind of processing in those web services which may be causing this.
A
 lot of database access, even more database access now because of web
 services? Did some developer try to add a manual call to gc, somewhere in
 the app to free resources. Maybe you can poll any / all developers or
 search code accordingly. Does the spike occur at certain time of day,
 maybe
 some code executed on schedule, or does it occur after certain activity
 occur in the app either by endusers or background processing?
 






Re: Help in diagnosing server unresponsiveness

2013-01-31 Thread Igor Cicimov
On 01/02/2013 12:37 PM, Zoran Avtarovski zo...@sparecreative.com wrote:

 Hi Guys,

 We have an application running on the latest Tomcat7 and we are getting a
 server crash or it becomes unresponsive. This occurs every few days at no
fixed
 intervals or time of day and they certainly don't correlate to any app
 function, at least not according to the logs.

 We set up monitoring using JavaMelody and what we see is dramatic
spikes
 in CPU and memory usage at the time of the crash.

 Memory hovers around 3-5% for the rest of the time and CPU is the same.

 I've looked at the number of sessions, HTTP activity , jdbc activity and
 nothing obvious jumps out.

 I'd really appreciate your collective wisdom in putting into practice some
 strategies to identify the cause of the spikes. This driving me and my
team
 nuts.

 Any help would be appreciated.

 Z.


Take a couple of thread dumps during the high CPU usage.
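As an added example (not part of the thread), here is how to act on that advice once you have the dumps: `top -H` shows the busiest native threads with a decimal thread id, and jstack prints the same id in hex as `nid=0x...`, so the two can be joined to name the Java thread burning the CPU. The top and jstack text in `demo()` is constructed for illustration, and `hot_threads`/`tid_to_nid` are names chosen here, not Tomcat or JDK tooling.

```shell
#!/bin/sh
# Added example (not from the list thread): map the busiest native threads from
# `top -H` onto the Java threads in a jstack dump. top prints the Linux thread id
# in decimal; jstack prints the same id in hex as nid=0x.... The top/jstack text
# in demo() is constructed for illustration.

# Decimal Linux TID -> the nid=0x... form used by jstack.
tid_to_nid() {
    printf '0x%x' "$1"
}

# hot_threads TOP_FILE JSTACK_FILE [N]: for the N busiest threads in the
# `top -H -b -n 1` output, print the matching jstack thread header line.
hot_threads() {
    top_out=$1; dump=$2; n=${3:-3}
    # In `top -H` the first column is the thread id and %CPU is column 9.
    awk '$1 ~ /^[0-9]+$/ { print $9, $1 }' "$top_out" | sort -rn | head -n "$n" |
    while read -r cpu tid; do
        grep -F "nid=$(tid_to_nid "$tid") " "$dump" | sed "s/^/${cpu}% cpu tid=$tid /"
    done
}

# Constructed sample: one request thread spinning at 97% CPU plus two idle ones.
demo() {
    d=$(mktemp -d)
    cat > "$d/top.txt" <<'EOF'
  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
12345 tomcat    20   0   4821m   1.2g    12m R 97.3 15.1  12:01.22 java
12350 tomcat    20   0   4821m   1.2g    12m S  0.7 15.1   0:05.10 java
12361 tomcat    20   0   4821m   1.2g    12m S  0.0 15.1   0:00.01 java
EOF
    cat > "$d/jstack.txt" <<'EOF'
"http-bio-8080-exec-7" daemon prio=10 tid=0x00007f3c2c0a1000 nid=0x3039 runnable [0x00007f3c1d5f6000]
   java.lang.Thread.State: RUNNABLE
        at com.example.report.Aggregator.loop(Aggregator.java:88)
"http-bio-8080-exec-8" daemon prio=10 tid=0x00007f3c2c0a2000 nid=0x303e waiting on condition [0x00007f3c1d4f5000]
   java.lang.Thread.State: WAITING (parking)
"GC Daemon" daemon prio=10 tid=0x00007f3c2c0b0000 nid=0x3049 in Object.wait() [0x00007f3c1d3f4000]
EOF
    hot_threads "$d/top.txt" "$d/jstack.txt" 2
    rm -rf "$d"
}

# On a live node (PID of the Tomcat JVM) capture both inputs a few times, some
# seconds apart, and compare: a thread that stays RUNNABLE in the same frames
# across dumps is the one to look at.
#   top -H -b -n 1 -p "$PID" > top.txt
#   jstack "$PID" > jstack.txt
#   hot_threads top.txt jstack.txt 3
```

Take the dumps while the CPU is actually high; a single dump only tells you where the threads were at that instant, which is why three or four spaced a few seconds apart are worth more than one.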


Re: NIO connector issue: SEVERE: Error processing request

2013-01-15 Thread Igor Cicimov
On Wed, Jan 16, 2013 at 9:34 AM, Kevin Priebe ke...@realtyserver.comwrote:

 Hi,



 We have a setup with Nginx load balancing between 2 clustered tomcat
 instances.  1 instance is on the same server as Nginx and the other is on a
 separate physical server (same rackspace).  We’re using pretty standard
 default settings and are using the NIO tomcat connector.  Tomcat version is
 7.0.32 running on Debian.



 The problem is with the second tomcat instance where at random times will
 start showing SEVERE errors in the tomcat logs, which gets worse and worse
 until the instance is unusable and has to be restarted.  At first we
 thought it was related to high load, but once it happened early in the
 morning when load was fairly low.  It does seem to happen more often at
 high load times though, and is about once a day, sometimes twice.  AWSTATS
 says we get just over a million hits per day to the secondary tomcat
 instance.  Here’s the errors:



 Jan 15, 2013 11:22:21 AM org.apache.coyote.http11.AbstractHttp11Processor
 process

 SEVERE: Error processing request

 java.lang.NullPointerException



 Jan 15, 2013 11:22:21 AM org.apache.coyote.http11.AbstractHttp11Processor
 endRequest

 SEVERE: Error finishing response

 java.lang.NullPointerException

 at
 org.apache.coyote.http11.InternalNioOutputBuffer.flushBuffer(InternalNioOutputBuffer.java:233)

 at
 org.apache.coyote.http11.InternalNioOutputBuffer.endRequest(InternalNioOutputBuffer.java:121)

 at
 org.apache.coyote.http11.AbstractHttp11Processor.endRequest(AbstractHttp11Processor.java:1653)

 at
 org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1046)

 at
 org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)

 at
 org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)

 at
 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)

 at
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)

 at java.lang.Thread.run(Thread.java:722)





 Nothing else helpful seems to show up in the logs before it starts
 happening.  This ONLY happens on the tomcat instance on a separate machine
 from Nginx.  Any ideas what might be happening and how it can be resolved?
  We’re not even sure this is related to tomcat or something in the
 communications before it gets to tomcat, but we’re looking at all options
 right now.  Thanks,



 Kevin








Hi Kevin,

I'm not an nginx nor tomcat expert but it looks like tomcat gets interrupted
while sending the response back, i.e. the connection gets closed while
it's still flushing the output buffer.
Have you done any tuning of the http connections and tcp timeout maybe in
nginx and set the timeout too low? Have you checked for possible network
latency (I know you said they are in the same rackspace but it doesn't hurt to
ask), switch problems etc.? What else is between nginx and tomcat 2? Can you
see in the nginx logs how much time the requests to instance 1 and instance
2 take? Also by comparing timestamps you should be able to find in nginx
the request that failed (there must be an error on the nginx side too) and see if
it happens on small or big data streams (check the data size in the log
line) etc.

So my point is start troubleshooting on nginx side until you get response
from some of the more experienced tomcat users/developers here :) And get
ready to send your NIO connector and related nginx settings too I would say
:)

Igor
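As an added example (not part of the thread), the comparison suggested above can be done straight from the nginx access log if the log format records the upstream variables nginx already provides: `$upstream_addr`, `$upstream_status`, `$upstream_response_time` and `$request_time`. The `log_format` name, the log path and the function names below are chosen here, and the log lines in `demo_log()` are constructed, not taken from Kevin's servers.

```shell
#!/bin/sh
# Added example (not from the thread): per-upstream timing from the nginx access
# log, to compare how long requests to instance 1 and instance 2 take and to list
# the failed ones. Assumed log format (the name and file are assumptions):
#   log_format upstreamlog '$remote_addr [$time_local] "$request" $status $body_bytes_sent '
#                          'upstream=$upstream_addr ustatus=$upstream_status '
#                          'utime=$upstream_response_time rt=$request_time';
#   access_log /var/log/nginx/upstream.log upstreamlog;
# The log lines in demo_log() are constructed samples.

# upstream_summary LOG: one line per upstream with request count, slowest
# upstream response time and average bytes sent.
upstream_summary() {
    awk '{
        up = "-"; t = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^upstream=/) up = substr($i, 10)
            if ($i ~ /^utime=/)    t  = substr($i, 7) + 0
        }
        n[up]++; bytes[up] += $8
        if (t > max[up]) max[up] = t
    }
    END {
        for (u in n) printf "%s requests=%d max_utime=%.3f avg_bytes=%d\n", u, n[u], max[u], bytes[u] / n[u]
    }' "$1" | sort
}

# upstream_max_time LOG ADDR: slowest upstream response time seen for ADDR.
upstream_max_time() {
    upstream_summary "$1" | awk -v a="$2" '$1 == a { sub(/^max_utime=/, "", $3); print $3 }'
}

# failed_requests LOG: lines nginx answered with a 5xx ($status is field 7).
failed_requests() {
    awk '$7 >= 500' "$1"
}

# Constructed sample: three requests to the remote instance; one ran into the
# 60 s proxy_read_timeout default (504) and one upstream connection closed
# before the response was complete (502).
demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
10.1.1.5 [15/Jan/2013:11:22:20 +0000] "GET /app/list HTTP/1.1" 200 5120 upstream=127.0.0.1:8080 ustatus=200 utime=0.031 rt=0.031
10.1.1.6 [15/Jan/2013:11:22:21 +0000] "GET /app/report HTTP/1.1" 504 183 upstream=10.0.0.2:8080 ustatus=504 utime=60.001 rt=60.001
10.1.1.7 [15/Jan/2013:11:22:21 +0000] "GET /app/export HTTP/1.1" 502 157 upstream=10.0.0.2:8080 ustatus=502 utime=2.310 rt=2.310
10.1.1.8 [15/Jan/2013:11:22:22 +0000] "GET /app/list HTTP/1.1" 200 5001 upstream=10.0.0.2:8080 ustatus=200 utime=0.045 rt=0.046
EOF
    echo "$f"
}
```

Usage on a real log: `upstream_summary /var/log/nginx/upstream.log` for the per-instance picture, then `failed_requests` to pull the 5xx lines and match their timestamps against the Tomcat stack traces; a large gap between `rt` and `utime` on a failed line points at the client side rather than at Tomcat.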


Re: Secure AJP load balancing problem

2013-01-03 Thread Igor Cicimov
On 04/01/2013 2:25 AM, Arunkumar Janarthanan arunkumar.webad...@gmail.com
wrote:

 Thanks Mark, I am working in parallel on setting up another environment with
 Tomcat 6.x, however to clear an urgent audit I need to show that the Apache
 connector uses a secure protocol to exchange the data between Apache and
 tomcat. Both these servers are in the DMZ and on different servers.

 Hello Chris,

 Thanks for your valuable advice, here is how my configuration looks like.

 *Apache conf:*

 ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$ balancer://lb1/$1

 *Balancer Conf:*

 <Proxy balancer://lb1>
 BalancerMember https://tomcat02.us.rdigest.com:8443
 BalancerMember https://tomcat02.us.rdigest.com:8543
 ProxySet stickysession=JSESSIONID
 ProxySet nofailover=Off
 </Proxy>


Since you have sticky sessions, don't you need to set up the jvmRoute in the
tomcat connectors?

 *Tomcat conf:*

 Tomcat1:

 <Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
 />

 Tomcat2:

 <Connector port="8543" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
 />


 Thanks again for your assistance extended.

 Regards,
 Arun Janarthanan

 On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:

 
  Arun,
 
  On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
   I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443, I have
   tried my balancer members to use HTTPS port
 
  So you are trying to use HTTPS over AJP? Did you mean APR?
 
  Please post your Connectors from server.xml and your relevant httpd
  configuration (e.g. ProxyPass). It would also be helpful if you were
  to describe any transport-guarantee that you may have in your web
  application(s).
 
   and finds the JSP pages doing ok for some reason the struts /
   action servlets would not accept secure protocol instead it
   redirects infinitely with the Tomcat server hostname and non-ssl
   port.
 
  Try a protocol trace using something like Mozilla Firefox's web
  console or similar tools for other web browsers. This will show you
  the request as sent by the browser and the response as seen by the
  browser: it should show the pattern you describe above with more detail.
 
   Anybody had similar experience try configuring secure connectors on
   such environment ?
 
  FWIW, I use stunnel to secure the back-channel between httpd and
  Tomcat (using an AJP connector). While I haven't actually
  performance-tested the two configurations against each other, my
  rationale for this configuration was to reduce the number of SSL
  handshakes that occur between httpd and Tomcat. Also, I've always used
  AJP, so tunneling AJP made more sense for us than switching over to
  HTTPS reverse-proxying.
 
  - -chris
 
 


Re: Remove apache tomcat default home page

2013-01-03 Thread Igor Cicimov
On Fri, Jan 4, 2013 at 3:39 PM, ana kando anaka...@yahoo.com wrote:

 Hi all,

 I just installed a software that bundled with apache tomcat. I
 successfully installed the software and can run the software at
 http://localhost:8080/myapps/

 However, when i remove /myapps from browser, it will go directly to apache
 tomcat default page. Cau you help me to remove this page from being display
 when i go to http://localhost:8080/ ??

 Here is my tomcat version and operating system spec.


 Apache Tomcat 5.5.20
 windows server 64 bit


 I found an article from somewhere in the world that said to comment out these
 lines in the file tomcat/conf/web.xml


 <servlet-mapping>
 <servlet-name>jsp</servlet-name>
 <url-pattern>*.jsp</url-pattern>
 </servlet-mapping>
 <servlet-mapping>
 <servlet-name>jsp</servlet-name>
 <url-pattern>*.jspx</url-pattern>
 </servlet-mapping>

 <welcome-file-list>
 <welcome-file>index.html</welcome-file>
 <welcome-file>index.htm</welcome-file>
 <welcome-file>index.jsp</welcome-file>
 </welcome-file-list>


 I also have commented out these lines in the
 file tomcat/webapps/root/WEB-INF/web.xml

 <welcome-file-list>
 <welcome-file>index.htm</welcome-file>
 </welcome-file-list>

 But still not working. Tomcat default page still there.


The default app is under the /ROOT directory, so delete/rename it if you want to
get rid of it. By the way, what do you expect to see when going to
http://localhost:8080/ in that case? Instead of the default page you'll see a
404 page not found error. Is that what you want?


Re: Tomcat doesn't process error messages

2013-01-02 Thread Igor Cicimov
On Thu, Jan 3, 2013 at 1:33 AM, Husarik, Branko branko.husa...@hp.comwrote:

 Hello,

 I am a bit desperate thanks to my issue with Tomcat, which seems to be
 a common matter. I am using Tomcat 6.0.35 as a proxy between Oracle and a
 Web service. Tomcat is running on AIX Version 6.1. An HTTP request
 message is sent from Oracle to the Proxy and the message is forwarded to the Web
 service as HTTPS. The Web service responds with an HTTPS message to the Proxy and
 it is sent back to Oracle as HTTP.

 When the Web service responds HTTP/1.1 200 OK, everything works well and the
 Soap Message is correctly forwarded back to Oracle.
 When the Web service responds HTTP/1.1 500 Internal Server Error, the proxy fails
 during the getInputStream() method.
 An IOException is thrown and the Soap message is not forwarded back. The error
 message is "Server returned HTTP response code: 500 for URL:
 https://hktibt.rdm.cz:39990/" and the cause is null. I tried to add a
 getErrorStream() call in case getInputStream() is not working, but the
 result is null. Please, do you know some way to process incoming error
 messages? Is it caused by a bad setup of the configuration?

 Thank you very much.

 I am attaching both responses from web service:

 HTTP/1.1 200 OK
 Server: Apache-Coyote/1.1
 Content-Type: text/xml;charset=utf-8
 Content-Length: 878
 Date: Wed, 02 Jan 2013 13:15:24 GMT

 <?xml version="1.0" encoding="UTF-8"?>
 <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Body>
     <ns0:ActivateServiceRes xmlns:ns0="http://selfcare.ei.tmobile.cz/datatypes">
       <ns0:eiMessageContext>
         <ns1:sender xmlns:ns1="http://messaging.ei.tmobile.net/datatypes">VCCNG</ns1:sender>
         <ns1:correlationId xmlns:ns1="http://messaging.ei.tmobile.net/datatypes">1201138552</ns1:correlationId>
       </ns0:eiMessageContext>
       <ns0:data>
         <ns0:ServiceHeader xmlns:ns1="http://messaging.ei.tmobile.net/datatypes"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <ns0:userName>sa</ns0:userName>
         </ns0:ServiceHeader>
         <ns0:OmsStatus>
           <ns0:orderStatus>IN-PROCESS</ns0:orderStatus>
         </ns0:OmsStatus>
       </ns0:data>
     </ns0:ActivateServiceRes>
   </SOAP-ENV:Body>
 </SOAP-ENV:Envelope>

 HTTP/1.1 500 Internal Server Error
 Server: Apache-Coyote/1.1
 Content-Type: text/xml;charset=utf-8
 Content-Length: 1407
 Date: Wed, 02 Jan 2013 13:28:33 GMT
 Connection: close

 <?xml version="1.0" encoding="UTF-8"?>
 <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Body>
     <SOAP-ENV:Fault>
       <faultcode xmlns="">SOAP-ENV:Server</faultcode>
       <faultstring xmlns="">This is an operation implementation generated fault</faultstring>
       <faultactor xmlns=""></faultactor>
       <detail xmlns="">
         <ns:BusinessServiceException xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:ns="http://selfcare.ei.tmobile.cz/datatypes"
             xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/">
           <ns0:eiMessageContext xmlns:ns0="http://messaging.ei.tmobile.net/datatypes">
             <ns0:sender>VCCNG</ns0:sender>
             <ns0:correlationId>1213075712</ns0:correlationId>
           </ns0:eiMessageContext>
           <ns1:timestamp xmlns:ns1="http://messaging.ei.tmobile.net/datatypes">2013-01-02T14:28:33.392+01:00</ns1:timestamp>
           <ns1:exceptionClass xmlns:ns1="http://messaging.ei.tmobile.net/datatypes">100204</ns1:exceptionClass>
           <ns1:furtherInfo xmlns:ns1="http://messaging.ei.tmobile.net/datatypes">Validation error</ns1:furtherInfo>
           <ns:breData xmlns:ns0="http://www.tibco.com/schemas/BS_SA/Internal">
             <ns1:reason xmlns:ns1="http://selfcare.ei.tmobile.cz/datatypes">NOT_PROPER_TARIFF</ns1:reason>
             <ns1:textInfo xmlns:ns1="http://selfcare.ei.tmobile.cz/datatypes">.</ns1:textInfo>
           </ns:breData>
         </ns:BusinessServiceException>
       </detail>
     </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
 </SOAP-ENV:Envelope>

 Best Regards

 Braňko


Shouldn't this be handled by the SOAP service logic running on the tomcat
server?


Re: Modify Cache-Control header

2012-11-16 Thread Igor Cicimov
On 17/11/2012 7:38 AM, Jose María Zaragoza demablo...@gmail.com wrote:

 Hi:

 I'm using Tomcat 6  ( I don't remember the exact release, I hope to be
 forgiven by Pid )

 I need to modify Cache-Control header in some responses ( forcing them
 to not be cached )
 What is the best way to do it ?

 a) To implement a Valve ( check request context path and if it match
 ,to modify response header )
 b) To implement a filter
 c) Others  ( any property in Tomcat's configuration files that I don't
know

Or put Apache in front and use mod_expires


 Thanks and regards




Re: SSL Certificate Help

2012-11-07 Thread Igor Cicimov
On Thu, Nov 8, 2012 at 8:32 AM, Alissa Schneider
aschnei...@sensecorp.comwrote:

 Yes, I have...many, many times. But good question!

 -Original Message-
 From: James Lampert [mailto:jam...@touchtonecorp.com]
 Sent: Wednesday, November 07, 2012 3:28 PM
 To: Tomcat Users List
 Subject: Re: SSL Certificate Help

 Alissa Schneider wrote:

  Still, when I visit https://localhost:8443, the browser throws a
  certificate warning. When I click on the certificate warning and view
  certificate, it displays information on my self-signed certificate
  (that I've deleted). I think if I could figure out how to make Tomcat
  point to the CA certificate instead of the old one, this would work
  for me. However, I'm not sure how to clear the Tomcat cache so to
  speak.


 Did you restart Tomcat?

 --
 JHHL





Sounds like your browser is still caching your old one. If Firefox then go
to
Tools-Options-Advanced-View Certificates button and delete the
certificate(s) for the localhost.


Re: tomcat 6.0.32 stops expiring sessions

2012-11-05 Thread Igor Cicimov
On 05/11/2012 6:50 PM, Altmeier, Christian 
christian.altme...@softwareag.com wrote:

 Hi,
 I have a big problem. After some time, tomcat stops expiring sessions.
 We have enabled logging for org.apache.catalina.session.ManagerBase. So
we see that at first everything works fine and suddenly sessions didn't
expire anymore.
 Before tomcat stops expiring sessions, it is noticeable that some
sessions need a lot of time to expire (10 - 30 minutes). In this time,
other session expire as expected.

Isn't that what you would expect if some users stay active for longer? Have
you confirmed that the long-lasting sessions are idle? I think the default
session timeout in tomcat is 30 minutes, so are you saying you have changed
that to a lower value but it's not working?

 I hope someone has an idea.

 Tomcat runs  on a 64bit Linux server.

 Greeting
 IDS Scheer Consulting GmbH
 Gesch?ftsf?hrer/Managing Directors: Michael Rehm, Ivo Totev
 Sitz/Registered office: Altenkesseler Stra?e 17, 66115 Saarbr?cken,
Germany - Registergericht/Commercial register: Saarbr?cken HRB 19681
 http://www.ids-scheer-consulting.com



Re: AW: tomcat 6.0.32 stops expiring sessions

2012-11-05 Thread Igor Cicimov
On 05/11/2012 8:41 PM, Altmeier, Christian 
christian.altme...@softwareag.com wrote:

 No that's OK, I don't mean the time a user stays inactive for some
minutes.
 The session timeout is set to 66 minutes.
 I have sessions which are inactive for 70 hours ...

Which tomcat version? Are they SSL sessions by some chance? Actually can
you post here your Connector config please?

 -Ursprüngliche Nachricht-
 Von: Igor Cicimov [mailto:icici...@gmail.com]
 Gesendet: Montag, 5. November 2012 10:26
 An: Tomcat Users List
 Betreff: Re: tomcat 6.0.32 stops expiring sessions

 On 05/11/2012 6:50 PM, Altmeier, Christian 
christian.altme...@softwareag.com wrote:
 
  Hi,
  I have a big problem. After some time, tomcat stops expiring sessions.
  We have enabled logging for org.apache.catalina.session.ManagerBase.
  So
 we see that at first everything works fine and suddenly sessions didn't
expire anymore.
  Before tomcat stops expiring sessions, it is noticeable that some
 sessions need a lot of time to expire (10 - 30 minutes). In this time,
other session expire as expected.

 Isnt that what you would expect if some users stay active for longer?
Have you confirmed that the long lasting sessions are idle? I think default
session timeout in tomcat is 30 minutes so are you saying you have changed
that to a lower value but its not working?

  I hope someone has an idea.
 
  Tomcat runs  on a 64bit Linux server.
 
  Greeting





Re: AW: AW: tomcat 6.0.32 stops expiring sessions

2012-11-05 Thread Igor Cicimov
On 05/11/2012 10:01 PM, Altmeier, Christian 
christian.altme...@softwareag.com wrote:

 Yes we are using SSL.

The default session timeout for ssl in tomcat6 is 24 hours, maybe that
explains why.

 Tomcat 6.0.32
 Our connector config:
 <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2"
redirectPort="8443" scheme="https" secure="true" proxyName="..xx"
proxyPort="443"/>

 -Ursprüngliche Nachricht-
 Von: Igor Cicimov [mailto:icici...@gmail.com]
 Gesendet: Montag, 5. November 2012 10:56
 An: Tomcat Users List
 Betreff: Re: AW: tomcat 6.0.32 stops expiring sessions

 On 05/11/2012 8:41 PM, Altmeier, Christian 
 christian.altme...@softwareag.com wrote:
 
  No that's OK, I don't mean the time a user stays inactive for some
 minutes.
  The session timeout is set to 66 minutes.
  I have sessions which are inactive for 70 hours ...

 Which tomcat version? Are they SSL sessions by some chance? Actually can
 you post here your Connector config please?
 
  -Ursprüngliche Nachricht-
  Von: Igor Cicimov [mailto:icici...@gmail.com]
  Gesendet: Montag, 5. November 2012 10:26
  An: Tomcat Users List
  Betreff: Re: tomcat 6.0.32 stops expiring sessions
 
  On 05/11/2012 6:50 PM, Altmeier, Christian 
 christian.altme...@softwareag.com wrote:
  
   Hi,
   I have a big problem. After some time, tomcat stops expiring sessions.
   We have enabled logging for org.apache.catalina.session.ManagerBase.
   So
  we see that at first everything works fine and suddenly sessions didn't
 expire anymore.
   Before tomcat stops expiring sessions, it is noticeable that some
  sessions need a lot of time to expire (10 - 30 minutes). In this time,
 other session expire as expected.
 
  Isnt that what you would expect if some users stay active for longer?
 Have you confirmed that the long lasting sessions are idle? I think
default
 session timeout in tomcat is 30 minutes so are you saying you have changed
 that to a lower value but its not working?
 
   I hope someone has an idea.
  
   Tomcat runs  on a 64bit Linux server.
  
   Greeting
 
 
 





Re: AW: AW: tomcat 6.0.32 stops expiring sessions

2012-11-05 Thread Igor Cicimov
On 06/11/2012 6:43 AM, Christopher Schultz ch...@christopherschultz.net
wrote:


 Igor,

 On 11/5/12 8:01 AM, Igor Cicimov wrote:
  On 05/11/2012 10:01 PM, Altmeier, Christian 
  christian.altme...@softwareag.com wrote:
 
  Yes we are using SSL.
 
  The default session timeout for ssl in tomcat6 is 24 hours, maybe
  that explains why.

 Uh, what?

Hi Chris, I got this from the config page
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
where at the bottom under SSL support it says the default sessionTimeout is
24 hours if not specified.


 - -chris




Re: Implementing SSL and error invocating https://localhost:8443/ (Tomcat 7.0 on Windows 7)

2012-10-26 Thread Igor Cicimov
On 27/10/2012 9:37 AM, Gabriel Huerta Araujo huert...@hildebrando.com
wrote:

 I have followed below steps:

 1.- Erase keystore
 keytool -delete -keystore .keystore -storepass x_men_gha

 2.- List to verify if it has been deleted.
 keytool -list  -storepass x_men_gha
 Keystore type: JKS
 Keystore provider: SUN

 Your keystore contains 0 entries

 3.- Create as stated:
 keytool -genkey -alias tomcat -keyalg RSA
 Enter keystore password:
 Keystore password is too short - must be at least 6 characters
 Enter keystore password:
 What is your first and last name?
   [Unknown]:  Gabriel Huerta
 What is the name of your organizational unit?
   [Unknown]:  Desarrollo
 What is the name of your organization?
   [Unknown]:  Hildebrando
 What is the name of your City or Locality?
   [Unknown]:  Queretaro
 What is the name of your State or Province?
   [Unknown]:  Santiago
 What is the two-letter country code for this unit?
   [Unknown]:  MX
 Is CN=Gabriel Huerta, OU=Desarrollo, O=Hildebrando, L=Queretaro, ST=Santiago, C=MX correct?
   [no]:  y

 Enter key password for <tomcat>
 (RETURN if same as keystore password):


 4.- List to verify it:
 C:\Users\Gabriel Huerta>keytool -list
 Enter keystore password:

 Keystore type: JKS
 Keystore provider: SUN

 Your keystore contains 1 entry

 tomcat, 26/10/2012, PrivateKeyEntry,
 Certificate fingerprint (MD5):
00:37:8B:7F:F1:A4:B6:EE:8F:00:69:95:0A:A8:AD:14


 5.- Import certificate as stated for Tomcat documentation:
  For Verisign.com trial certificates go to:
http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html

 Once there I followed the instructions where it says "Click here to go to the
Installation Instructions"; basically I copied the message below and pasted it
into a file named certif.cer:
 -BEGIN CERTIFICATE-
 MIIEVzCCAz+gAwIBAgIQFoFkpCjKEt+rEvGfsbk1VDANBgkqhkiG9w0BAQUFADCB
 jDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
 EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xMjAwBgNV
 BAMTKVZlcmlTaWduIFRyaWFsIFNlY3VyZSBTZXJ2ZXIgUm9vdCBDQSAtIEcyMB4X
 DTA5MDQwMTAwMDAwMFoXDTI5MDMzMTIzNTk1OVowgYwxCzAJBgNVBAYTAlVTMRcw
 FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEwMC4GA1UECxMnRm9yIFRlc3QgUHVycG9z
 ZXMgT25seS4gIE5vIGFzc3VyYW5jZXMuMTIwMAYDVQQDEylWZXJpU2lnbiBUcmlh
 bCBTZWN1cmUgU2VydmVyIFJvb3QgQ0EgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBAMCJggWnSVAcIomnvCFhXlCdgafCKCDxVSNQY2jhYGZXcZsq
 ToJmDQ7b9JO39VCPnXELOENP2+4FNCUQnzarLfghsJ8kQ9pxjRTfcMp0bsH+Gk/1
 qLDgvf9WuiBa5SM/jXNvroEQZwPuMZg4r2E2k0412VTq9ColODYNDZw3ziiYdSjV
 fY3VfbsLSXJIh2jaJC5kVRsUsx72s4/wgGXbb+P/XKr15nMIB0yH9A5tiCCXQ5nO
 EV7/ddZqmL3zdeAtyGmijOxjwiy+GS6xr7KACfbPEJYZYaS/P0wctIOyQy6CkNKL
 o5vDDkOZks0zjf6RAzNXZndvsXEJpQe5WO1avm8CAwEAAaOBsjCBrzAPBgNVHRMB
 Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkw
 VzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZ
 LjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAdBgNVHQ4E
 FgQUSBnnkm+SnTRjmcDwmcjWpYyMf2UwDQYJKoZIhvcNAQEFBQADggEBADuswa8C
 0hunHp17KJQ0WwNRQCp8f/u4L8Hz/TiGfybnaMXgn0sKI8Xe79iGE91M7vrzh0Gt
 ap0GLShkiqHGsHkIxBcVMFbEQ1VS63XhTeg36cWQ1EjOHmu+8tQe0oZuwFsYYdfs
 n4EZcpspiep9LFc/hu4FE8SsY6MiasHR2Ay97UsC9A3S7ZaoHfdwyhtcINXCu2lX
 W0Gpi3vzWRvwqgua6dm2WVKJfvPfmS1mAP0YmTcIwjdiNXiU6sSsJEoNlTR9zCoo
 4oKQ8wVoWZpbuPZb5geszhS7YsABUPIAAfF1YQCiMULtpa6HFzzm7sdf72N3HfwE
 aQNg95KnKGrrDUI=
 -END CERTIFICATE-

 Below are all the instructions stated there, which I have followed:

 Installation Instructions
 For Microsoft Browsers

 1.Click on the Secure Site Trial Root Certificate link above.
 2.Save the certificate into a file with a .cer extension.
 3.Open a Microsoft IE Browser.
 4.Go to Tools > Internet Options > Content > Certificates
 5.Click Import. A certificate manager Import Wizard will appear. Click
Next.
 6.Browse to the location of the recently stored root (done in step 2).
Select ALL files for file type.
 7.Select the certificate and click Open.
 8.Click Next.
 9.Select Automatically select the certificate store based on the type of
the certificate. Click Ok.
 10.Click Next then Finish.
 11.When prompted and asked if you wish to add the following certificate
to the root store, click Yes.

 For the last step I was not asked to add the trial certificate to the root store.


 I did not do the steps below (stated in the Tomcat documentation), because
they require a keystore file:

 Import the Chain Certificate into your keystore

  keytool -import -alias root -keystore your_keystore_filename \
 -trustcacerts -file filename_of_the_chain_certificate


 And finally import your new Certificate

  keytool -import -alias tomcat -keystore your_keystore_filename \
 -file your_certificate_filename



 6.- Restart tomcat: It did not generate any error, but when I open IE
with link 

Re: Tuning session replication on clusters

2012-09-05 Thread Igor Cicimov
On Thu, Sep 6, 2012 at 5:51 AM, llow...@oreillyauto.com wrote:


 I have a small cluster of 3 nodes running tomcat 6.0.24 with openJDK
 1.6.0_20 on Ubuntu 10.04 LTS.

 I have roughly 5,000-6,000 sessions at any given time, and when I restart
 one of the nodes I am finding that not all sessions are getting
 replicated, even when I have the state transfer timeout set to 60
 seconds.

 It seems that only sessions that have been touched recently are replicated,
 even if the session is still otherwise valid. I did one test where I
 created about 1,500 sessions and then took out one node. When I brought it
 back online, it only replicated the 4-5 sessions that were from active
 users on the test cluster. It did not replicate the idle sessions that
 were still valid that my prior test had created.

 I  am wanting to tune my settings, but I am unsure where would be the best
 place to start. Should I start with the threads available to the NIO
 Receiver, or would I be better off focusing on a different set of
 attributes first, such as the send or receive timeout values?

 Any tips or pointers as to which setting might be the most productive would
 be greatly appreciated.

 Lee Lowder
 O'Reilly Auto Parts
 Web Systems Administrator
 (417) 862-2674 x1858

 This communication and any attachments are confidential, protected by
 Communications Privacy Act 18 USCS § 2510, solely for the use of the
 intended recipient, and may contain legally privileged material. If you are
 not the intended recipient, please return or destroy it immediately. Thank
 you.



For starter does your cluster satisfy the requirements bellow?

To run session replication in your Tomcat 6.0 container, the following
steps should be completed:

   - All your session attributes must implement java.io.Serializable
   - Uncomment the Cluster element in server.xml
   - If you have defined custom cluster valves, make sure you have the
   ReplicationValve defined as well under the Cluster element in server.xml
   - If your Tomcat instances are running on the same machine, make sure
   the tcpListenPort attribute is unique for each instance; in most cases
   Tomcat is smart enough to resolve this on its own by autodetecting
   available ports in the range 4000-4100
   - Make sure your web.xml has the <distributable/> element
   - If you are using mod_jk, make sure that the jvmRoute attribute is set at
   your Engine (<Engine name="Catalina" jvmRoute="node01">) and that the
   jvmRoute attribute value matches your worker name in workers.properties
   - Make sure that all nodes have the same time and sync with NTP service!
   - Make sure that your loadbalancer is configured for sticky session mode.


Also, you don't say what you are using for load balancing. It would not hurt
to post your cluster definition as well.
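The checklist above is static configuration, so most of it can be verified before a node is restarted. The following is an added example and not code from the thread: it parses constructed server.xml, web.xml and workers.properties strings and reports which of the listed prerequisites are not met. The function names are hypothetical, and the Serializable requirement is left to code review since it is not visible in configuration.

```python
"""Cross-check the Tomcat session-replication prerequisites from the list above.

Added example, not from the mailing-list thread: the three config strings are
constructed for the demo and the function names are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml: Cluster uncommented, ReplicationValve present,
# but jvmRoute="node01" does not match the worker names used by mod_jk.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="node01">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                    address="auto" port="4000" autoBind="100"/>
        </Channel>
        <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"/>
      </Cluster>
    </Engine>
  </Service>
</Server>"""

# Constructed web.xml that forgot <distributable/>.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <display-name>demo</display-name>
</web-app>"""

# Constructed workers.properties: two ajp13 workers behind a load balancer.
WORKERS_PROPERTIES = """worker.list=loadbalancer
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.node1.type=ajp13
worker.node1.host=10.0.0.1
worker.node2.type=ajp13
worker.node2.host=10.0.0.2
"""


def _local(tag):
    """Strip an XML namespace prefix so web.xml elements can be matched by name."""
    return tag.split("}", 1)[-1]


def ajp_worker_names(workers_properties):
    """Return the set of worker names declared with type=ajp13."""
    return set(re.findall(r"^worker\.([^.\s]+)\.type\s*=\s*ajp13\s*$",
                          workers_properties, re.M))


def check_cluster_config(server_xml, web_xml, workers_properties):
    """Return a list of findings; an empty list means every static check passed."""
    findings = []
    engine = next((e for e in ET.fromstring(server_xml).iter()
                   if _local(e.tag) == "Engine"), None)
    if engine is None:
        return ["server.xml: no <Engine> element found"]

    # Cluster may sit under Engine or under Host; iter() covers both.
    cluster = next((c for c in engine.iter() if _local(c.tag) == "Cluster"), None)
    if cluster is None:
        findings.append("server.xml: <Cluster> element missing (still commented out?)")
    else:
        valves = [v.get("className", "") for v in cluster if _local(v.tag) == "Valve"]
        if valves and not any(v.endswith(".ReplicationValve") for v in valves):
            findings.append("server.xml: custom cluster Valves defined without ReplicationValve")

    if not any(_local(e.tag) == "distributable" for e in ET.fromstring(web_xml)):
        findings.append("web.xml: <distributable/> element missing, sessions will not replicate")

    jvm_route = engine.get("jvmRoute")
    workers = ajp_worker_names(workers_properties)
    if jvm_route is None:
        findings.append("server.xml: <Engine> has no jvmRoute, mod_jk cannot keep sessions sticky")
    elif jvm_route not in workers:
        findings.append(f"jvmRoute {jvm_route!r} matches none of the ajp13 workers {sorted(workers)}")
    return findings


if __name__ == "__main__":
    for finding in check_cluster_config(SERVER_XML, WEB_XML, WORKERS_PROPERTIES):
        print("FAIL:", finding)
```

Run against the constructed input it reports the missing `<distributable/>` and the jvmRoute/worker name mismatch; fix both and it returns an empty list. The Receiver port check is omitted because it needs every node's server.xml side by side.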


Re: Tuning session replication on clusters

2012-09-05 Thread Igor Cicimov
From: Igor Cicimov icici...@gmail.com
 To:  Tomcat Users List users@tomcat.apache.org
 Date:09/05/2012 07:12 PM
 Subject: Re: Tuning session replication on clusters



 On Thu, Sep 6, 2012 at 5:51 AM, llow...@oreillyauto.com wrote:

 
  I have a small cluster of 3 nodes running tomcat 6.0.24 with openJDK
  1.6.0_20 on Ubuntu 10.04 LTS.
 
  I have roughly 5,000-6,000 sessions at any given time, and when I restart
  one of the nodes I am finding that not all sessions are getting
  replicated , even when I have the state transfer  timeout set to 60
  seconds.
 
  It seems that only sessions that have been touched recently are
 replicated,
  even if the session is still otherwise valid. I did one test where I
  created about 1,500 sessions and then took out one node, When I brought
 it
  back online, it only replicated the 4-5 sessions that were from active
  users on the test cluster. It did not replicate the idle sessions that
  were still valid that my prior test had created.
 
  I am wanting to tune my settings, but I am unsure where would be the
 best
  place to start. Should I start with the threads available to the NIO
  Receiver, or would I be better off focusing on a different set of
  attributes first, such as the send or receive timeout values?
 
  Any tips or pointers as to which setting might be the most productive
 would
  be greatly appreciated.
 
  Lee Lowder
  O'Reilly Auto Parts
  Web Systems Administrator
  (417) 862-2674 x1858
 
 
 
 For starters, does your cluster satisfy the requirements below?

 To run session replication in your Tomcat 6.0 container, the following
 steps should be completed:

- All your session attributes must implement java.io.Serializable
- Uncomment the Cluster element in server.xml
- If you have defined custom cluster valves, make sure you have the
ReplicationValve defined as well under the Cluster element in server.xml
- If your Tomcat instances are running on the same machine, make sure
the tcpListenPort attribute is unique for each instance; in most cases
Tomcat is smart enough to resolve this on its own by autodetecting
available ports in the range 4000-4100
- Make sure your web.xml has the <distributable/> element
- If you are using mod_jk, make sure that the jvmRoute attribute is set at
your Engine (<Engine name="Catalina" jvmRoute="node01">) and that the
jvmRoute attribute value matches your worker name in workers.properties
- Make sure that all nodes have the same time and sync with NTP service!
- Make sure that your loadbalancer is configured for sticky session
 mode.


 Also, you don't say what you are using for load balancing. It would not hurt
 to post your cluster definition as well.




Re: Unable to change version of Apache Tomcat

2012-08-27 Thread Igor Cicimov
On Aug 28, 2012 1:39 PM, John Byrne john_by...@apple.com wrote:

 Hello all,

 I'm trying to upgrade to 7.0.29 from 7.0.8 and I've switched the soft
link under Tomcat/ (our setup).  However, this is not upgrading the server.
 I've looked for environment variables but can't find any that would seem
to point to the old version. (see environment variables set below)

 I was wondering whether there is a way to tell what version is in the jar
files.  I've expanded StandardEngine.class in catalina.jar and tried
strings and that didn't work.

 By the way...
 I know it's still 7.0.8 when I look at the catalina out file:
 .
 .
 .
 Aug 28, 2012 3:26:31 AM org.apache.catalina.core.StandardEngine
startInternal
 INFO: Starting Servlet Engine: Apache Tomcat/7.0.8
 .
 .
 .

 Thank you for any help.

 John Byrne
 System Administrator, IST
 john_by...@apple.com



 -
 environment variables below
 -
 BASH=/bin/sh
 BASH_ARGC=()
 BASH_ARGV=()
 BASH_LINENO=([0]=0)
 BASH_SOURCE=([0]=/ngs/app/oto2t/Tomcat/tomcat/bin/startup.sh)
 BASH_VERSINFO=([0]=3 [1]=2 [2]=25 [3]=1 [4]=release
[5]=x86_64-redhat-linux-gnu)
 BASH_VERSION='3.2.25(1)-release'
 CATALINA_BASE=/ngs/app/oto2t/Tomcat/Service
 CATALINA_BASE_PORT=7802
 CATALINA_LOGS=/ngs/app/oto2t/var/log/Service
 CATALINA_OUT=/ngs/app/oto2t/Tomcat/Service/logs/catalina_Service_7802.out
 CATALINA_PID=/ngs/app/oto2t/Tomcat/Service/tomcat_7802.pid
 CATALINA_SHUTDOWN_PORT=7804
 DIRSTACK=()
 EUID=9674
 EXECUTABLE=catalina.sh
 GROUPS=()
 G_BROKEN_FILENAMES=1
 HISTSIZE=1000
 HOME=/ngs/app/oto2t
 HOSTNAME=roadfever.corp.apple.com
 HOSTTYPE=x86_64
 IFS='
 '
 INPUTRC=/etc/inputrc
 JAVA_HOME=/ngs/app/oto2t/java_home
 JAVA_OPTS='-Xms1024m -Xmx2048m -XX:MaxPermSize=1024m
-Dport.http.nonssl=7802 -Dport.http.shutdown=7804
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5802
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false -Denv=qa
-Duser.timezone=GMT -Dfile.encoding=UTF-8 -Dorg.apache.cocoon.mode=qa
-Dtangosol.coherence.cacheconfig=/conf/coherence-cache-config.xml
-Dsplunk.accesslogs=/ngs/app/oto2t/var/
roadfever.corp.apple.com/accessLogs/Service -DAppName=Service'
 LANG=en_US.UTF-8
 LESSOPEN='|/usr/bin/lesspipe.sh %s'
 LOGNAME=oto2t
 LS_COLORS=
 MACHTYPE=x86_64-redhat-linux-gnu
 MAIL=/var/spool/mail/oto2t
 OPTERR=1
 OPTIND=1
 OSTYPE=linux-gnu

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/java/jdk1.6.0_19/bin
 PIPESTATUS=([0]=0)
 POSIXLY_CORRECT=y
 PPID=3524
 PRG=/ngs/app/oto2t/Tomcat/tomcat/bin/startup.sh
 PRGDIR=/ngs/app/oto2t/Tomcat/tomcat/bin
 PS4='+ '
 PWD=/ngs/app/oto2t/Tomcat/bin
 SHELL=/bin/bash
 SHELLOPTS=braceexpand:hashall:interactive-comments:posix
 SHLVL=3
 SPLUNK_ACCESS_LOGS=/ngs/app/oto2t/var/
roadfever.corp.apple.com/accessLogs/Service
 TERM=xterm-256color
 TMOUT=900
 UID=9674
 USER=oto2t
 _=-
 os400=false
 Using CATALINA_BASE:   /ngs/app/oto2t/Tomcat/Service
 Using CATALINA_HOME:   /ngs/app/oto2t/Tomcat/tomcat
 Using CATALINA_TMPDIR: /ngs/app/oto2t/Tomcat/Service/temp
 Using JRE_HOME:/ngs/app/oto2t/java_home
 Using CLASSPATH:
/ngs/app/oto2t/Tomcat/tomcat/bin/bootstrap.jar:/ngs/app/oto2t/Tomcat/tomcat/bin/tomcat-juli.jar
 Using CATALINA_PID:/ngs/app/oto2t/Tomcat/Service/tomcat_7802.pid
 Existing PID file found during start.
 Removing/clearing stale PID file.

And you are starting the server how?


Re: Pointing tomcat to a different timezone

2012-07-29 Thread Igor Cicimov
On Mon, Jul 30, 2012 at 8:39 AM, krishna chaitanya kurnala kkc...@gmail.com
 wrote:

 Dear Tomcat Users,

 I am deploying a Java Application in Tomcat, that is picking the wrong
 Time-zone from OS. I did try to change the time settings at OS level.

 while the OS is PDT
 [root@sdc-cidev10 ~]# date
 Sun Jul 29 15:16:41 PDT 2012

 My Java App is still in Universal Time-zone. Can you please guide me on how
 to set -Duser.timezone property for Tomcat?

 Thanks in advance,
 Krishna Chaitanya


Can't you just use the TimeZone class in your app?

String timeZoneId = "Australia/Sydney";
TimeZone timeZone = TimeZone.getTimeZone(timeZoneId);


Is this Sun Oracle Java? Do you have the tzdata package installed?


Re: Intermittent mod_proxy_ajp error - APR does not understand this error code: proxy: dialog

2012-07-26 Thread Igor Cicimov
On Fri, Jul 27, 2012 at 4:20 AM, Carlucci, Tony acarlu...@mitre.org wrote:

 -Original Message-
 From: Igor Cicimov [mailto:icici...@gmail.com]
 Sent: Wednesday, July 25, 2012 9:12 PM
 To: Tomcat Users List
 Subject: Re: Intermittent mod_proxy_ajp error - APR does not understand
 this
 error code: proxy: dialog
 
 You have MaxClients on the Apache side set to 400 but only 300 threads on
 the Tomcat side. No wonder you get 500 errors...

 Thanks for the suggestion Igor, I increased the tomcat threads to 400 but
 that did not resolve the issue.

 Tony


 
 On Wed, Jul 25, 2012 at 12:22 AM, Carlucci, Tony acarlu...@mitre.org
 wrote:
 
  Cross-posting this to the tomcat users list (also posted to users@httpd
  )...
 
  Hello, I've been trying to track down an intermittent problem with a
 Java
  web application that is running on tcServer fronted by Apache HTTP
 Server.
 We get intermittent Server Unavailable / HTTP 500 errors, and when
 we
  do see them, there is the same set of log statements written to the
 Apache
  HTTP Server error log:
 
  [Mon Jul 23 10:03:15 2012] [error] (70014)End of file found:
  ajp_ilink_receive() can't receive header
  [Mon Jul 23 10:03:15 2012] [error] ajp_read_header: ajp_ilink_receive
  failed
  [Mon Jul 23 10:03:15 2012] [error] (120006)APR does not understand this
  error code: proxy: dialog to 127.0.0.1:7071 (127.0.0.1) failed
 
  We are not seeing any error messages in the tcServer logs.
 
  I believe the issue is with the mod_proxy_ajp module but it's been very
  difficult tracking down what exactly the problem is.   What's
 interesting
  is that this Apache / tcServer configuration is used with other
  applications that work just fine and never have the intermittent 500
 error.
We also can run our application strictly in Tomcat (no Apache front)
  without any intermittent errors.
 
  We haven't ruled out that there could be something in our Java
 application
  code that is causing this, in combination with the mod_proxy_ajp module,
  but we have hit a wall as to what this issue could be.  Has anyone else
  experienced a similar intermittent issue combined with the above error
  messages?  Below is a copy of the error log and some configuration
 settings.
 
  Thanks, Tony
 
  -
  Apache HTTP Error Log
  -
  [Mon Jul 23 10:03:15 2012] [debug] mod_cache.c(141): Adding CACHE_SAVE
  filter for /myapp/
  [Mon Jul 23 10:03:15 2012] [debug] mod_cache.c(148): Adding
  CACHE_REMOVE_URL filter for /myapp/
  [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(45): proxy: AJP:
  canonicalising URL //127.0.0.1:7071/myapp/
  [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(1506): [client
  ***cleansed***] proxy: ajp: found worker ajp://127.0.0.1:7071/myapp for
  ajp://127.0.0.1:7071/myapp/
  [Mon Jul 23 10:03:15 2012] [debug] mod_proxy.c(1020): Running scheme ajp
  handler (attempt 0)
  [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_http.c(1963): proxy: HTTP:
  declining URL ajp://127.0.0.1:7071/myapp/
  [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(681): proxy: AJP:
  serving URL ajp://127.0.0.1:7071/myapp/
  [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(2011): proxy: AJP: has
  acquired connection for (127.0.0.1)
  [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(2067): proxy: connecting
  ajp://127.0.0.1:7071/myapp/ to 127.0.0.1:7071
  [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(2193): proxy: connected
  /myapp/ to 127.0.0.1:7071
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(224): Into
  ajp_marshal_into_msgb
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[0] [x-forwarded-for] = [***cleansed***]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[1] [Host] = [***cleansed***]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[2] [Connection] = [keep-alive]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[3] [User-Agent] = [Mozilla/5.0 (Windows NT
  6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57
  Safari/536.11]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[4] [Accept] =
  [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[5] [Accept-Encoding] = [gzip,deflate,sdch]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[6] [Accept-Language] = [en-US,en;q=0.8]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[7] [Accept-Charset] =
  [ISO-8859-1,utf-8;q=0.7,*;q=0.3]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[8] [Cookie] = [SSOTOKEN=***cleansed***]
  [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
  ajp_marshal_into_msgb: Header[9] [SSO_LOGIN] = [***cleansed***]
  [Mon Jul 23 10:03:15 2012

Re: Intermittent mod_proxy_ajp error - APR does not understand this error code: proxy: dialog

2012-07-25 Thread Igor Cicimov
You have MaxClients on the Apache side set to 400 but only 300 threads on
the Tomcat side. No wonder you get 500 errors...

On Wed, Jul 25, 2012 at 12:22 AM, Carlucci, Tony acarlu...@mitre.org wrote:

 Cross-posting this to the tomcat users list (also posted to users@httpd
 )...

 Hello, I've been trying to track down an intermittent problem with a Java
 web application that is running on tcServer fronted by Apache HTTP Server.
We get intermittent Server Unavailable / HTTP 500 errors, and when we
 do see them, there is the same set of log statements written to the Apache
 HTTP Server error log:

 [Mon Jul 23 10:03:15 2012] [error] (70014)End of file found:
 ajp_ilink_receive() can't receive header
 [Mon Jul 23 10:03:15 2012] [error] ajp_read_header: ajp_ilink_receive
 failed
 [Mon Jul 23 10:03:15 2012] [error] (120006)APR does not understand this
 error code: proxy: dialog to 127.0.0.1:7071 (127.0.0.1) failed

 We are not seeing any error messages in the tcServer logs.

 I believe the issue is with the mod_proxy_ajp module but it's been very
 difficult tracking down what exactly the problem is.   What's interesting
 is that this Apache / tcServer configuration is used with other
 applications that work just fine and never have the intermittent 500 error.
   We also can run our application strictly in Tomcat (no Apache front)
 without any intermittent errors.

 We haven't ruled out that there could be something in our Java application
 code that is causing this, in combination with the mod_proxy_ajp module,
 but we have hit a wall as to what this issue could be.  Has anyone else
 experienced a similar intermittent issue combined with the above error
 messages?  Below is a copy of the error log and some configuration settings.

 Thanks, Tony

 -
 Apache HTTP Error Log
 -
 [Mon Jul 23 10:03:15 2012] [debug] mod_cache.c(141): Adding CACHE_SAVE
 filter for /myapp/
 [Mon Jul 23 10:03:15 2012] [debug] mod_cache.c(148): Adding
 CACHE_REMOVE_URL filter for /myapp/
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(45): proxy: AJP:
 canonicalising URL //127.0.0.1:7071/myapp/
 [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(1506): [client
 ***cleansed***] proxy: ajp: found worker ajp://127.0.0.1:7071/myapp for
 ajp://127.0.0.1:7071/myapp/
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy.c(1020): Running scheme ajp
 handler (attempt 0)
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_http.c(1963): proxy: HTTP:
 declining URL ajp://127.0.0.1:7071/myapp/
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(681): proxy: AJP:
 serving URL ajp://127.0.0.1:7071/myapp/
 [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(2011): proxy: AJP: has
 acquired connection for (127.0.0.1)
 [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(2067): proxy: connecting
 ajp://127.0.0.1:7071/myapp/ to 127.0.0.1:7071
 [Mon Jul 23 10:03:15 2012] [debug] proxy_util.c(2193): proxy: connected
 /myapp/ to 127.0.0.1:7071
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(224): Into
 ajp_marshal_into_msgb
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[0] [x-forwarded-for] = [***cleansed***]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[1] [Host] = [***cleansed***]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[2] [Connection] = [keep-alive]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[3] [User-Agent] = [Mozilla/5.0 (Windows NT
 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57
 Safari/536.11]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[4] [Accept] =
 [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[5] [Accept-Encoding] = [gzip,deflate,sdch]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[6] [Accept-Language] = [en-US,en;q=0.8]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[7] [Accept-Charset] =
 [ISO-8859-1,utf-8;q=0.7,*;q=0.3]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[8] [Cookie] = [SSOTOKEN=***cleansed***]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[9] [SSO_LOGIN] = [***cleansed***]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[10] [SSO_ID] = [***cleansed***]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(290):
 ajp_marshal_into_msgb: Header[11] [SSO_EMAIL] = [***cleansed***]
 [Mon Jul 23 10:03:15 2012] [debug] ajp_header.c(450):
 ajp_marshal_into_msgb: Done
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(268): proxy:
 APR_BUCKET_IS_EOS
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(273): proxy: data to
 read (max 8186 at 4)
 [Mon Jul 23 10:03:15 2012] [debug] mod_proxy_ajp.c(288): proxy: got 

Re: Tomcat 7 Manager App Authentication failure

2012-06-29 Thread Igor Cicimov
On Fri, Jun 29, 2012 at 11:17 AM, kl2eativ kl2ea...@gmail.com wrote:

 Hello. I am having problems trying to authenticate my tomcat 7 manager
 app. I
 keep getting a 401 Unauthorized page. My config is as follows:
 tomcat-users.xml (Located in /etc/tomcat5)
   <?xml version='1.0' encoding='utf-8'?>
   <tomcat-users>
     <role rolename="manager-gui"/>
     <user username="manager" password="tomcat" roles="manager-gui" />
   </tomcat-users>

 server.xml (Located in /etc/tomcat5)
   <Resource name="UserDatabase" auth="Container"
             type="org.apache.catalina.UserDatabase"
             description="User database that can be updated and saved"
             factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
             pathname="etc/tomcat5/tomcat-users.xml" />

 I restart the tomcat service ( #service tomcat restart ) , but still cannot
 authenticate. Your help would be greatly
 appreciated.




First, check the security-constraint in the manager app and make sure that
the manager-gui role is allowed access.

Second, are you trying to access from localhost or remote host?

Igor
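The first check in the reply above (does the user's role satisfy the manager app's security-constraint for the URL being requested?) can be done offline against the two XML files. The following is an added example, not code from the thread: it uses constructed copies of the tomcat-users.xml and Resource element posted above together with a trimmed manager web.xml in the shape Tomcat ships, resolves which roles the requested path requires, and also flags two things a reviewer would raise on that config: the well-known example password, and a UserDatabase pathname without a leading slash, which MemoryUserDatabase resolves relative to CATALINA_BASE. The function names are hypothetical.

```python
"""Check whether a tomcat-users.xml user can reach a manager URL, plus two pitfalls.

Added example, not from the thread: the three config strings are constructed
and the function names are hypothetical.
"""
import xml.etree.ElementTree as ET

TOMCAT_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="manager" password="tomcat" roles="manager-gui"/>
</tomcat-users>"""

# Trimmed, constructed excerpt of the manager webapp's web.xml.
MANAGER_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Text Manager interface</web-resource-name>
      <url-pattern>/text/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-script</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

SERVER_XML = """<Server><GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="etc/tomcat5/tomcat-users.xml"/>
</GlobalNamingResources></Server>"""

# Passwords that ship in examples and are the first ones tried against a manager app.
WEAK_PASSWORDS = {"", "tomcat", "manager", "admin", "changeit", "password"}


def _local(tag):
    return tag.split("}", 1)[-1]


def _parse(text):
    return ET.fromstring(text.encode("utf-8"))


def _pattern_matches(pattern, path):
    """Servlet-style match: '/html/*' is a prefix pattern, anything else is exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def roles_for_path(manager_web_xml, path):
    """Union of role-names from every security-constraint whose url-pattern covers path."""
    required = set()
    for sc in _parse(manager_web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [p.text.strip() for p in sc.iter() if _local(p.tag) == "url-pattern"]
        if any(_pattern_matches(p, path) for p in patterns):
            required.update(r.text.strip() for r in sc.iter() if _local(r.tag) == "role-name")
    return required


def user_roles(tomcat_users_xml, username):
    """Return (roles, password) for username, or (None, None) if it is not defined."""
    for user in _parse(tomcat_users_xml).iter():
        if _local(user.tag) == "user" and user.get("username") == username:
            roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
            return roles, user.get("password", "")
    return None, None


def manager_access_findings(tomcat_users_xml, manager_web_xml, username, path, server_xml=None):
    """Return (allowed, findings): does username satisfy the constraint on path, and what else is off."""
    findings = []
    roles, password = user_roles(tomcat_users_xml, username)
    required = roles_for_path(manager_web_xml, path)
    if roles is None:
        allowed = False
        findings.append(f"user {username!r} is not defined in tomcat-users.xml")
    elif not required:
        allowed = True
        findings.append(f"{path} is not covered by any security-constraint")
    else:
        allowed = bool(roles & required)
        if not allowed:
            findings.append(f"user {username!r} has {sorted(roles)} but {path} needs one of {sorted(required)}")
    if password is not None and password.lower() in WEAK_PASSWORDS:
        findings.append(f"user {username!r} has a default or trivial password")
    if server_xml:
        for res in _parse(server_xml).iter():
            if _local(res.tag) == "Resource" and res.get("name") == "UserDatabase":
                pathname = res.get("pathname", "")
                if not pathname.startswith("/"):
                    findings.append(f"UserDatabase pathname {pathname!r} is relative; "
                                    "MemoryUserDatabase resolves it under CATALINA_BASE")
    return allowed, findings
```

For the posted config the user does hold manager-gui, so a 401 on /manager/html is not a role problem; the remaining findings (example password, relative pathname) are what the script reports, and the second question in the reply, localhost versus remote client, is a RemoteAddrValve matter outside these two files.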


Re: Connection timeout

2012-05-10 Thread Igor Cicimov
Typing this from my phone, so sorry for top posting; no other option.
You might also check your garbage collection, which can introduce some
pauses in some cases. Just a thought ...
 On May 11, 2012 7:26 AM, Jon Drukman j...@cluttered.com wrote:

 Caldarale, Charles R Chuck.Caldarale at unisys.com writes:

  Using JConsole or VisualVM would be a good start.

 OK, I'll take a look at those.

   There's only one app running on this tomcat, if that makes
   any difference.
 
  Does it connect to a database (or any other external resource)?
  If so, are you using a connection pool for the
  DB?  You may have threads queuing up waiting for a
  connection to become available.

 no, there is no external dependency that i'm aware of.

 -jsd-






Re: Mod_jk returning source code of jsp files

2012-04-23 Thread Igor Cicimov
Put this line

Include /etc/httpd/conf/mod_jk.conf

inside the virtual host.
 On Apr 23, 2012 9:12 PM, ironclaw hand ironclawh...@hotmail.com wrote:



 Hi,

 I am attempting to set up apache and tomcat together for the first time on
 a new machine using some existing configuration files. I am not sure what
 is happening but it looks like apache is just serving up all files so when
 I access a jsp file I get the source as if tomcat never executed it.

 I have installed the following versions of software:

 httpd 2.4.2
 Tomcat connectors 1.2.35
 Tomcat 7.0.27

 Below are the mod_jk config (workers.properties and mod_jk.conf) files I
 am currently trying to get working if there is anything else that is needed
 then I can include this. My worker softcat1 is defined in my server.xml for
 tomcat.

 Tomcat works on its own if I access it directly and it does run the jsp
 files ok, it just seems to be when I try via apache.

 I have included my httpd.conf in case it is needed:


 ServerTokens Prod


 ServerRoot /etc/httpd

 PidFile run/httpd.pid


 Timeout 120


 KeepAlive Off

 MaxKeepAliveRequests 100


 KeepAliveTimeout 15


 <IfModule prefork.c>
 StartServers         8
 MinSpareServers      5
 MaxSpareServers     20
 ServerLimit       1024
 #ServerLimit        50
 MaxClients        1024
 #MaxClients         50
 MaxRequestsPerChild 4000
 </IfModule>


 <IfModule worker.c>
 StartServers 2
 MaxClients 150
 MinSpareThreads 25
 MaxSpareThreads 75
 ThreadsPerChild 25
 MaxRequestsPerChild 0
 </IfModule>


 LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule authz_core_module modules/mod_authz_core.so
 LoadModule authz_host_module modules/mod_authz_host.so
 LoadModule auth_basic_module modules/mod_auth_basic.so
 LoadModule authn_file_module modules/mod_authn_file.so
 LoadModule authn_anon_module modules/mod_authn_anon.so
 LoadModule authn_dbm_module modules/mod_authn_dbm.so
 LoadModule auth_digest_module modules/mod_auth_digest.so
 LoadModule ldap_module modules/mod_ldap.so
 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
 LoadModule include_module modules/mod_include.so
 LoadModule log_config_module modules/mod_log_config.so
 LoadModule env_module modules/mod_env.so
 LoadModule mime_magic_module modules/mod_mime_magic.so
 LoadModule cern_meta_module modules/mod_cern_meta.so
 LoadModule expires_module modules/mod_expires.so
 LoadModule deflate_module modules/mod_deflate.so
 LoadModule headers_module modules/mod_headers.so
 LoadModule usertrack_module modules/mod_usertrack.so
 LoadModule setenvif_module modules/mod_setenvif.so
 LoadModule mime_module modules/mod_mime.so
 LoadModule dav_module modules/mod_dav.so
 LoadModule status_module modules/mod_status.so
 LoadModule autoindex_module modules/mod_autoindex.so
 LoadModule asis_module modules/mod_asis.so
 LoadModule info_module modules/mod_info.so
 LoadModule dav_fs_module modules/mod_dav_fs.so
 LoadModule vhost_alias_module modules/mod_vhost_alias.so
 LoadModule negotiation_module modules/mod_negotiation.so
 LoadModule dir_module modules/mod_dir.so
 LoadModule imagemap_module modules/mod_imagemap.so
 LoadModule actions_module modules/mod_actions.so
 LoadModule speling_module modules/mod_speling.so
 LoadModule userdir_module modules/mod_userdir.so
 LoadModule alias_module modules/mod_alias.so
 LoadModule rewrite_module modules/mod_rewrite.so
 LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 LoadModule proxy_connect_module modules/mod_proxy_connect.so
 LoadModule cache_module modules/mod_cache.so
 LoadModule suexec_module modules/mod_suexec.so
 #LoadModule disk_cache_module modules/mod_disk_cache.so
 LoadModule file_cache_module modules/mod_file_cache.so
 #LoadModule mem_cache_module modules/mod_mem_cache.so
 LoadModule cgi_module modules/mod_cgi.so
 LoadModule version_module modules/mod_version.so
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 LoadModule unixd_module modules/mod_unixd.so


 Include conf.d/*.conf

 User apache
 Group apache


 ServerAdmin root@localhost


 UseCanonicalName Off

 DocumentRoot /var/webapps


 <Directory />
Options FollowSymLinks
AllowOverride None
 </Directory>


 <Directory /var/webapps>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
 </Directory>


 <IfModule mod_userdir.c>
UserDir disable
 </IfModule>


 DirectoryIndex index.html index.html.var


 AccessFileName .htaccess

 <Files ~ "^\.ht">
Order allow,deny
Deny from all
 </Files>


 TypesConfig /etc/mime.types

 DefaultType text/plain


 <IfModule mod_mime_magic.c>
 #   MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
 </IfModule>


 HostnameLookups Off


 ErrorLog logs/error_log


 LogLevel warn


 LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %s %b" common
 LogFormat "%{Referer}i -> %U" referer
 

RE: Mod_jk returning source code of jsp files

2012-04-23 Thread Igor Cicimov
Well, you need to have the JkMount command inside the virtual host, so it's up to
you how to do it.
 On Apr 23, 2012 10:53 PM, ironclaw hand ironclawh...@hotmail.com wrote:



 Ok, I tried that but apache won't start now. It gives the following error:

 AH00526: Syntax error on line 1 of /etc/httpd/conf/mod_jk.conf:
 JkWorkersFile cannot occur within <VirtualHost> section
   [FAILED]


  Date: Mon, 23 Apr 2012 22:36:35 +1000
  Subject: Re: Mod_jk returning source code of jsp files
  From: icici...@gmail.com
  To: users@tomcat.apache.org
 
  Put this line
 
  Include /etc/httpd/conf/mod_jk.conf
 
  inside virtual host.
   On Apr 23, 2012 9:12 PM, ironclaw hand ironclawh...@hotmail.com
 wrote:
 
  
  
   Hi,
  
   I am attempting to set up apache and tomcat together for the first
 time on
   a new machine using some existing configuration files. I am not sure
 what
   is happening but it looks like apache is just serving up all files so
 when
   I access a jsp file I get the source as if tomcat never executed it.
  
   I have installed the following versions of software:
  
   httpd 2.4.2
   Tomcat connectors 1.2.35
   Tomcat 7.0.27
  
   Below are the mod_jk config (workers.properties and mod_jk.conf) files
 I
   am currently trying to get working if there is anything else that is
 needed
   then I can include this. My worker softcat1 is defined in my
 server.xml for
   tomcat.
  
   Tomcat works on its own if I access it directly and it does run the jsp
   files ok, it just seems to be when I try via apache.
  
   I have included my httpd.conf in case it is needed:
  
  
   ServerTokens Prod
  
  
   ServerRoot /etc/httpd
  
   PidFile run/httpd.pid
  
  
   Timeout 120
  
  
   KeepAlive Off
  
   MaxKeepAliveRequests 100
  
  
   KeepAliveTimeout 15
  
  
   <IfModule prefork.c>
   StartServers         8
   MinSpareServers      5
   MaxSpareServers     20
   ServerLimit       1024
   #ServerLimit        50
   MaxClients        1024
   #MaxClients         50
   MaxRequestsPerChild 4000
   </IfModule>
  
  
   <IfModule worker.c>
   StartServers 2
   MaxClients 150
   MinSpareThreads 25
   MaxSpareThreads 75
   ThreadsPerChild 25
   MaxRequestsPerChild 0
   </IfModule>
  
  
   LoadModule access_compat_module modules/mod_access_compat.so
   LoadModule authz_core_module modules/mod_authz_core.so
   LoadModule authz_host_module modules/mod_authz_host.so
   LoadModule auth_basic_module modules/mod_auth_basic.so
   LoadModule authn_file_module modules/mod_authn_file.so
   LoadModule authn_anon_module modules/mod_authn_anon.so
   LoadModule authn_dbm_module modules/mod_authn_dbm.so
   LoadModule auth_digest_module modules/mod_auth_digest.so
   LoadModule ldap_module modules/mod_ldap.so
   LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
   LoadModule include_module modules/mod_include.so
   LoadModule log_config_module modules/mod_log_config.so
   LoadModule env_module modules/mod_env.so
   LoadModule mime_magic_module modules/mod_mime_magic.so
   LoadModule cern_meta_module modules/mod_cern_meta.so
   LoadModule expires_module modules/mod_expires.so
   LoadModule deflate_module modules/mod_deflate.so
   LoadModule headers_module modules/mod_headers.so
   LoadModule usertrack_module modules/mod_usertrack.so
   LoadModule setenvif_module modules/mod_setenvif.so
   LoadModule mime_module modules/mod_mime.so
   LoadModule dav_module modules/mod_dav.so
   LoadModule status_module modules/mod_status.so
   LoadModule autoindex_module modules/mod_autoindex.so
   LoadModule asis_module modules/mod_asis.so
   LoadModule info_module modules/mod_info.so
   LoadModule dav_fs_module modules/mod_dav_fs.so
   LoadModule vhost_alias_module modules/mod_vhost_alias.so
   LoadModule negotiation_module modules/mod_negotiation.so
   LoadModule dir_module modules/mod_dir.so
   LoadModule imagemap_module modules/mod_imagemap.so
   LoadModule actions_module modules/mod_actions.so
   LoadModule speling_module modules/mod_speling.so
   LoadModule userdir_module modules/mod_userdir.so
   LoadModule alias_module modules/mod_alias.so
   LoadModule rewrite_module modules/mod_rewrite.so
   LoadModule proxy_module modules/mod_proxy.so
   LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
   LoadModule proxy_http_module modules/mod_proxy_http.so
   LoadModule proxy_connect_module modules/mod_proxy_connect.so
   LoadModule cache_module modules/mod_cache.so
   LoadModule suexec_module modules/mod_suexec.so
   #LoadModule disk_cache_module modules/mod_disk_cache.so
   LoadModule file_cache_module modules/mod_file_cache.so
   #LoadModule mem_cache_module modules/mod_mem_cache.so
   LoadModule cgi_module modules/mod_cgi.so
   LoadModule version_module modules/mod_version.so
   LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
   LoadModule unixd_module modules/mod_unixd.so
  
  
   Include conf.d/*.conf
  
   User apache
   Group apache
  
  
   ServerAdmin 
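The error quoted above comes from including a whole mod_jk.conf inside a `<VirtualHost>`: the mounts must live in the vhost, but JkWorkersFile may only appear at server scope. The consequence of getting this wrong is the one in the thread title, httpd serving `*.jsp` as static text because no JkMount claims the path. The following is an added example, not code from the thread: it walks a constructed mod_jk.conf, reports global-only Jk directives that ended up inside a vhost block, and splits the file into the part that stays global and the mounts that belong in the vhost. JkWorkersFile is the directive named in the error; treating JkShmFile and JkWorkerProperty the same way is my reading of the mod_jk documentation and an assumption here. The function names are hypothetical.

```python
"""Flag mod_jk directives that may not sit inside <VirtualHost>, and split a
mod_jk.conf into its global and per-vhost parts.

Added example, not from the thread: the config text is constructed, the
directive sets are assumptions from the mod_jk docs (only JkWorkersFile is
confirmed by the error in the thread), and the function names are hypothetical.
"""
import re

GLOBAL_ONLY = {"JkWorkersFile", "JkWorkerProperty", "JkShmFile"}  # assumption, see above
MOUNT_DIRECTIVES = {"JkMount", "JkUnMount"}

# Constructed mod_jk.conf in the usual "everything in one file" layout.
MOD_JK_CONF = """LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info
JkShmFile /var/run/httpd/jk-runtime-status
# Without these mounts inside the vhost, httpd serves *.jsp as static text.
JkMount /*.jsp softcat1
JkMount /myapp/* softcat1
"""

# What "Include /etc/httpd/conf/mod_jk.conf" inside a vhost effectively produces.
INCLUDED_IN_VHOST = "<VirtualHost *:80>\n" + MOD_JK_CONF + "</VirtualHost>\n"


def _directives(conf_text):
    """Yield (line_number, first_word, stripped_line) for non-blank, non-comment lines."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split(None, 1)[0], line


def check_jk_scope(conf_text):
    """Return [(directive, line_no)] for global-only Jk directives found inside <VirtualHost>."""
    findings, depth = [], 0
    for lineno, word, line in _directives(conf_text):
        if re.match(r"<VirtualHost\b", line, re.I):
            depth += 1
        elif re.match(r"</VirtualHost>", line, re.I):
            depth -= 1
        elif depth > 0 and word in GLOBAL_ONLY:
            findings.append((word, lineno))
    return findings


def split_jk_conf(conf_text):
    """Return (global_lines, vhost_lines): mounts go into the vhost, the rest stays global."""
    global_lines, vhost_lines = [], []
    for _, word, line in _directives(conf_text):
        (vhost_lines if word in MOUNT_DIRECTIVES else global_lines).append(line)
    return global_lines, vhost_lines


if __name__ == "__main__":
    for directive, lineno in check_jk_scope(INCLUDED_IN_VHOST):
        print(f"line {lineno}: {directive} cannot occur within <VirtualHost>")
    global_part, vhost_part = split_jk_conf(MOD_JK_CONF)
    print("keep at server scope:", global_part)
    print("put inside the vhost:", vhost_part)
```

The split matches the reply: keep the worker, log and shared-memory directives where mod_jk.conf is included today, and move only the JkMount lines into the `<VirtualHost>` that should forward to Tomcat.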

Re: PLZ help: i've issue with SSL TOMCAT

2012-04-17 Thread Igor Cicimov
On Tue, Apr 17, 2012 at 8:51 PM, amine20 amin...@hotmail.com wrote:

 hi
 I'm new to the tomcat/apache environment. I've succeeded in adding SSL to apache2
 using openssl, but I've tried to do the same in tomcat and unfortunately it
 doesn't WORK.

 This is an explanation of what I did:
 Step 1.Create a keystore file using Java
 /usr/lib/jvm/java-6-sun-1.6.0.26/jre/bin# keytool -genkey -alias tomcat
 -keyalg RSA

 root@CAS:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/bin# keytool -genkey -alias
 tomcat -keyalg RSA
 Enter key store password: changeit
 Enter key password for tomcat: changeit

 You are about to enter information that will be incorporated into
 your certificate request.  This information is what is called a
 Distinguished Name or DN.  There are quite a few fields but you
 can use supplied default values, displayed between brackets, by just
 hitting Enter, or blank the field by entering the . character
 before hitting Enter.

 Common Name (hostname, IP, or your name): CAS
 Organization Name (company) [The Sample Company]: crdp-nice.cndp.fr
 Organizational Unit Name (department, division): IT
 Locality Name (city, district) [Sydney]: FRANCE
 State or Province Name (full name) [NSW]: TOULON
 Country Name (2 letter code) [AU]: FR
 - now my .keystore file
 is in /root folder
 root@CAS:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/bin# ls -a /root |grep
 .keystore
 .keystore

 Step 2.Configure Tomcat to use the keystore
 a modify the server.xml file as shown:

 <Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" SSLEnabled="true"
    keystoreFile="/root/.keystore" keystorePass="changeit"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
  --
 for testing:
  service tomcat6 restart
 Stopping Tomcat servlet engine: tomcat6.
 Starting Tomcat servlet engine: tomcat6.

 we see tomcat can restart but in log file i got this:

 17 avr. 2012 12:16:30 org.apache.catalina.startup.Catalina start
 INFO: Server startup in 6026 ms
 17 avr. 2012 12:19:20 org.apache.coyote.http11.Http11Protocol pause
 INFO: Suspension de Coyote HTTP/1.1 sur http-8080
 17 avr. 2012 12:19:20 org.apache.coyote.http11.Http11Protocol pause
 INFO: Suspension de Coyote HTTP/1.1 sur http-8443
 17 avr. 2012 12:19:21 org.apache.catalina.core.StandardService stop
 INFO: Arrêt du service Catalina
 17 avr. 2012 12:19:21 org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 GRAVE: The web application [/cas] appears to have started a thread named
 [Thread-2] but has failed to stop it. This is very likely to create a
 memory
 leak.
 17 avr. 2012 12:19:21 org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 GRAVE: The web application [/cas] appears to have started a thread named
 [scheduler_Worker-1] but has failed to stop it. This is very likely to
 create a memory leak.
 17 avr. 2012 12:19:21 org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 GRAVE: The web application [/cas] appears to have started a thread named
 [scheduler_Worker-2] but has failed to stop it. This is very likely to
 create a memory leak.
 17 avr. 2012 12:19:21 org.apache.coyote.http11.Http11Protocol destroy
 INFO: Arrêt de Coyote HTTP/1.1 sur http-8080
 17 avr. 2012 12:19:21 org.apache.coyote.http11.Http11Protocol destroy
 INFO: Arrêt de Coyote HTTP/1.1 sur http-8443
 17 avr. 2012 12:19:23 org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 ATTENTION: Problem with directory [/usr/share/tomcat6/server/classes],
 exists: [false], isDirectory: [false], canRead: [false]
 17 avr. 2012 12:19:23 org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 ATTENTION: Problem with directory [/usr/share/tomcat6/server], exists:
 [false], isDirectory: [false], canRead: [false]
 17 avr. 2012 12:19:23 org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 ATTENTION: Problem with directory [/usr/share/tomcat6/shared/classes],
 exists: [false], isDirectory: [false], canRead: [false]
 17 avr. 2012 12:19:23 org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 ATTENTION: Problem with directory [/usr/share/tomcat6/shared], exists:
 [false], isDirectory: [false], canRead: [false]
 17 avr. 2012 12:19:24 org.apache.coyote.http11.Http11Protocol init
 INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
 17 avr. 2012 12:19:24 org.apache.tomcat.util.net.jsse.JSSESocketFactory
 getStore
 GRAVE: Failed to load keystore type JKS with path /root/.keystore due to
 /root/.keystore (Permission denied)
 java.io.FileNotFoundException: /root/.keystore (Permission denied)
         at java.io.FileInputStream.open(Native Method)
         at java.io.FileInputStream.<init>(FileInputStream.java:120)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:405)
at
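The `Permission denied` above is a file-permission problem, not a keystore problem: the keystore was created under /root (mode 0700) while tomcat6 runs as an unprivileged user. The tempting fix, running Tomcat as root, is the wrong one; the keystore should live in a directory the service account can traverse, owned by root:tomcat6 and mode 0640. The following preflight check is an added example, not code from the thread or from Tomcat: it reads the `keystoreFile` of every `SSLEnabled` Connector out of server.xml and decides from mode and ownership alone (every parent directory included) whether a given service account can read it, so it can be run as root before restarting Tomcat. It assumes a POSIX host and a server.xml with properly quoted attributes; the `tomcat6` account name and file paths in the usage line are placeholders.

```python
import os
import stat
import pwd
import grp
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class ServiceIdentity:
    """uid and all group ids of the account Tomcat runs as (e.g. tomcat6)."""
    uid: int
    gids: set = field(default_factory=set)


def identity_of(user: str) -> ServiceIdentity:
    """Build the identity of a local account from the passwd/group databases."""
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {pw.pw_gid}
    return ServiceIdentity(pw.pw_uid, gids)


def keystore_paths(server_xml: str) -> list:
    """keystoreFile of every SSLEnabled Connector; Tomcat's documented default
    when the attribute is absent is .keystore in the Tomcat user's home."""
    root = ET.fromstring(server_xml)
    return [c.get("keystoreFile", "~/.keystore")
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def _component_readable(st: os.stat_result, who: ServiceIdentity) -> bool:
    """Classic POSIX owner/group/other check for one path component:
    directories need search (x), the final file needs read (r)."""
    is_dir = stat.S_ISDIR(st.st_mode)
    if st.st_uid == who.uid:
        need = stat.S_IXUSR if is_dir else stat.S_IRUSR
    elif st.st_gid in who.gids:
        need = stat.S_IXGRP if is_dir else stat.S_IRGRP
    else:
        need = stat.S_IXOTH if is_dir else stat.S_IROTH
    return bool(st.st_mode & need)


def can_read(path: str, who: ServiceIdentity) -> bool:
    """Walk from / down to the file: /root is normally 0700, so a keystore
    under it is unreadable for the service account even if the file is 0644."""
    path = os.path.abspath(path)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return all(_component_readable(os.stat(p), who) for p in reversed(chain))


def check_keystore(server_xml: str, who: ServiceIdentity) -> list:
    """Human-readable findings; an empty list means every SSL connector's
    keystore is readable by the service account and not world-readable."""
    findings = []
    for path in keystore_paths(server_xml):
        if path.startswith("~"):
            findings.append(f"{path}: resolved against the Tomcat user's home, not root's; set keystoreFile explicitly")
            continue
        if not os.path.exists(path):
            findings.append(f"{path}: does not exist")
            continue
        if not can_read(path, who):
            findings.append(f"{path}: not readable by uid {who.uid} (check the file and every parent directory)")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IROTH:
            findings.append(f"{path}: world-readable ({oct(mode)}); a keystore holding the private key should be 0640, group-owned by the Tomcat group")
    return findings


if __name__ == "__main__":
    # usage (placeholder paths): python keystore_check.py /etc/tomcat6/server.xml tomcat6
    xml_path, user = sys.argv[1], sys.argv[2]
    with open(xml_path, encoding="utf-8") as f:
        problems = check_keystore(f.read(), identity_of(user))
    print("\n".join(problems) or "keystore readable by the service account")
```

The check reports the world-readable case as well, because the usual quick fix for the error in the thread is `chmod 644` on a file that contains the server's private key.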

 

Re: Tomcat mod_proxy_ajp and workers

2012-01-26 Thread Igor Cicimov
That's the MPM worker settings for apache threads. You need to find the ajp
Proxy part in your config.
On Jan 26, 2012 11:14 PM, baba smith junkuri...@gmail.com wrote:

 hi,
 i'm pretty much confused about the workers issue.
 my setup is an apache server and a tomcat that are connected with a
 mode_proxy_ajp connector.
 the problem is that some time after both are working, the tomcat stops
 responding to apache. the errors that i see in the apache are:
 1. (70007)The timeout specified has expired: ajp_ilink_receive() can't
 receive header
 2. ajp_read_header: ajp_ilink_receive failed
 3. (120006)APR does not understand this error code: proxy: read response
 failed from 127.0.0.1:9005 (localhost)

 i tried to figure that out reading many posts and i got the idea that maybe
 the apache is configured with more workers than the tomcat and that it
 causes the apache to time out.

 so i looked for the workers configuration and actually i couldn't find any
 workers properties file in neither of the servers. (apache 2.2.15 and
 tomcat
 7, were installed by someone else a couple of months ago).
 is there a default configuration that takes place when there is no
 properties file for the workers?

 the closest thing that i found is in the httpd.conf file of the apache and
 it says:
 <IfModule worker.c>
   StartServers 4
   MaxClients 300
   MinSpareThreads 25
   MaxSpareThreads 75
   ThreadsPerChild 25
   MaxRequestsPerChild  0
 </IfModule>

 what's that?

 thank you for your time :)
 baba

 --
 View this message in context:
 http://tomcat.10.n6.nabble.com/Tomcat-mod-proxy-ajp-and-workers-tp4340550p4340550.html
 Sent from the Tomcat - User mailing list archive at Nabble.com.

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




Re: Unable to access images stored in webapps/myapp/WEB-INF/images ?

2012-01-23 Thread Igor Cicimov
On Tue, Jan 24, 2012 at 12:21 PM, Alastair Baldwin 
alastairgbald...@yahoo.co.uk wrote:

 Dear Users

 Why am I able to access images stored here:

 http://localhost:8080/imageUploader/1234.jpg


 but not here:

 http://localhost:8080/imageUploader/WEB-INF/images/1234.jpg


 File permissions are the same

 Any ideas?

 Thanks

 Alastair



catalina.policy file? Although I'm not clear why on earth you would like to
store images inside the application WEB-INF directory?


Re: More, Re: Problem bringing up SSL with a CA certificate

2012-01-18 Thread Igor Cicimov

 Caused by: java.io.IOException: SSL configuration is invalid due to No
 available certificate or key corresponds to the SSL cipher suites which are
 enabled.


Are you sure you have downloaded the correct intermediate certs?

 *Note:* When executing the command to import the SSL certificate, you must
 specify the actual *Alias* used when you initially created the keystore. If
 you are unsure of this, run the following sample command to see the
 contents of your keystore: *keytool -list -v -keystore keystorefile.kdb*

Did you use the same alias as the alias you used to create the keystore
when you imported the certificate? Is your tomcat connector config pointing
to the correct keystore file location?

Igor

On Thu, Jan 19, 2012 at 9:46 AM, James Lampert jam...@touchtonecorp.com wrote:

 I've now got the CA certificates the customer representative is trying to
 use here, and I'm attempting to test them on our box.

 I followed these instructions:

 https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO15518

 rather than the ones here:

 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Importing_the_Certificate

 which appear to be somewhat out of date, as Thawte calls for both primary
 and secondary x.509 certificates to be loaded into the keystore.

 With no explicit alias reference, and the three certificates placed in the
 keystore, in the order specified by Thawte, I get:

  SEVERE: Failed to initialize end point associated with ProtocolHandler
 [http-bio-8443]   Throwable
 occurred: java.io.IOException: SSL configuration is invalid due to No
 available certificate or key corresponds to the SSL cipher suites which are
 enabled.
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:822)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:470)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
         at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
         at java.lang.reflect.Method.invoke(Method.java:611)
         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
 Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
         at com.ibm.jsse2.rc.a(rc.java:53)
         at com.ibm.jsse2.rc.accept(rc.java:13)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:818)
         ... 20 more
 Jan 18, 2012 2:21:43 PM org.apache.catalina.core.StandardService initInternal
 SEVERE:
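The `No available certificate or key corresponds to the SSL cipher suites which are enabled` failure in the trace above is what JSSE reports when the alias the connector uses does not resolve to a private-key entry with a usable chain; the `keytool -list -v` check suggested earlier in this reply is the way to see which state the keystore is actually in. The script below is an added example, not code from the thread: it parses `keytool -list -v` output and distinguishes the three states that produce this error (alias absent, alias holding a trusted certificate rather than the key pair, key pair still carrying only its self-signed certificate). The listing embedded in it is constructed for the demonstration; the alias `tomcat` matches the thread's examples and the `list_keystore` wrapper assumes `keytool` is on PATH.

```python
import subprocess

# Constructed sample of `keytool -list -v` output (not from the thread): the key
# pair is still self-signed (chain length 1) and the CA certificates were
# imported under their own aliases, which is exactly the state that produces
# the "No available certificate or key corresponds to ..." error.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: tomcat
Creation date: Jan 18, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, OU=IT, O=Example Corp, C=US
Issuer: CN=www.example.com, OU=IT, O=Example Corp, C=US


*******************************************
*******************************************


Alias name: primary
Creation date: Jan 18, 2012
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US


*******************************************
*******************************************


Alias name: secondary
Creation date: Jan 18, 2012
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""


def parse_keytool_list(text: str) -> dict:
    """alias -> {'type': entry type, 'chain': chain length}; keytool prints no
    chain length for trusted certificates, so those stay at 0."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = line.split(":", 1)[1].strip()
            entries[current] = {"type": None, "chain": 0}
        elif current and line.startswith("Entry type:"):
            entries[current]["type"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("Certificate chain length:"):
            entries[current]["chain"] = int(line.split(":", 1)[1])
    return entries


def diagnose(entries: dict, key_alias: str = "tomcat") -> list:
    """Explain why the connector's keyAlias cannot serve a TLS handshake."""
    entry = entries.get(key_alias)
    if entry is None:
        # keytool's default alias is "mykey"; Tomcat's keyAlias defaults to the first key entry it reads
        return [f"alias '{key_alias}' is not in the keystore (present: {sorted(entries)}); "
                "the alias used with -genkey, -importcert and keyAlias must be the same"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"alias '{key_alias}' is a {entry['type']}, not a PrivateKeyEntry; the CA reply was "
                "stored as a trusted certificate instead of replacing the self-signed cert of the key pair"]
    if entry["chain"] < 2:
        return [f"alias '{key_alias}' still has a chain of length {entry['chain']}: the signed "
                "certificate was never imported under this alias, or its intermediates were missing"]
    return []


def list_keystore(path: str, storepass: str) -> dict:
    """Run keytool and parse it; the password is fed on stdin so it never shows up in `ps`."""
    out = subprocess.run(["keytool", "-list", "-v", "-keystore", path],
                         input=storepass + "\n", capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


if __name__ == "__main__":
    for line in diagnose(parse_keytool_list(SAMPLE_LISTING), "tomcat"):
        print(line)
```

The order in which the thread's instructions import certificates matters for the same reason: the root and intermediate must already be in the keystore as trusted entries when the server certificate is imported under the key pair's alias, otherwise keytool cannot build the chain and refuses the reply.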

Re: Is SSL keystore with AJP connector possible?

2012-01-18 Thread Igor Cicimov
On Thu, Jan 19, 2012 at 10:09 AM, mandg gsca...@federatedinv.com wrote:

 I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been
 asked to setup SSL. Looking at the server.xml file, I see that the AJP/1.3
 connector is configured and not APR.  Like a good newbie that I am with
 Tomcat, I followed the Tomcat instructions for configuring SSL. However,
 the
 docs seemed to step me through the steps for an APR-type connector, not AJP
 since I had specified a keystore and passphrase. When I reviewed the AJP
 connector documentation, I didn't find any attributes to specify for the
 keystore and passphrase.

 So my question is, can I use a keystore for the AJP type of connector? And
 if so, are there any good tutorials out there that can walk me through it.

 If not, can I simply edit out the AJP connector in my server.xml file and
 edit in the APR connector? Or will that somehow break the site/application
 that's running on Tomcat?



Maybe this will help:

http://www.mulesoft.com/tomcat-ssl

read PART II - Configuring Tomcat to use SSL

basically it says

 Notice that if you are using APR, the SSLCertificateFile and
 SSLCertificateKey-type attributes are used in place of the keystoreFile
 attribute.  For more information on the differences between using APR in
 place of JSSE, consult Apache's Tomcat APR Documentation:
 http://tomcat.apache.org/tomcat-6.0-doc/apr.html



Igor


Re: Server starts but fails to get any reqs

2012-01-17 Thread Igor Cicimov
Looks like you have an access permission problem. What are your policy settings
and tomcat directory permissions?
On Jan 18, 2012 1:49 PM, deniz denizdurmu...@gmail.com wrote:

 sorry for the weird layout of the error here is the error:



 Jan 18, 2012 10:43:57 AM org.apache.coyote.http11.AbstractHttp11Processor process
 SEVERE: Error processing request
 java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
         at java.security.AccessController.checkPermission(AccessController.java:555)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
         at java.lang.Thread.setContextClassLoader(Thread.java:1485)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:213)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
         at java.lang.Thread.run(Thread.java:722)

 Jan 18, 2012 10:43:57 AM org.apache.coyote.http11.AbstractHttp11Processor endRequest
 SEVERE: Error finishing response
 java.lang.ExceptionInInitializerError
         at org.apache.coyote.http11.AbstractHttp11Processor.prepareResponse(AbstractHttp11Processor.java:1398)
         at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:756)
         at org.apache.coyote.Response.action(Response.java:168)
         at org.apache.coyote.http11.AbstractOutputBuffer.endRequest(AbstractOutputBuffer.java:310)
         at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:158)
         at org.apache.coyote.http11.AbstractHttp11Processor.endRequest(AbstractHttp11Processor.java:1586)
         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1022)
         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
         at java.lang.Thread.run(Thread.java:722)
 Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.apache.tomcat.util.http.FastHttpDateFormat.CACHE_SIZE read)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
         at java.security.AccessController.checkPermission(AccessController.java:555)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
         at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)
         at java.lang.System.getProperty(System.java:742)
         at org.apache.tomcat.util.http.FastHttpDateFormat.<clinit>(FastHttpDateFormat.java:38)
         ... 12 more

 Exception in thread "ContainerBackgroundProcessor[StandardEngine[Catalina]]" java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
         at java.security.AccessController.checkPermission(AccessController.java:555)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
         at java.lang.Thread.setContextClassLoader(Thread.java:1485)
         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1501)
         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1485)
         at java.lang.Thread.run(Thread.java:722)






Re: tomcat session problem

2012-01-11 Thread Igor Cicimov
And have you set the jvmRoute parameter in the server.xml file on the tomcats
to match the route value you use in the balancer?

Maybe read the following section of the mod_proxy_balancer documentation carefully to
make sure all the dependencies are met:

http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html#stickyness_implementation


Igor
On Thu, Jan 12, 2012 at 8:42 AM, Daniel Mikusa dmik...@vmware.com wrote:

 On Wed, 2012-01-11 at 10:21 -0800, Weffen Cheung wrote:
  Hello,
 
  First Thanks for your reply, Dan.
 
  1. Yes,  I am using apache2+mod_proxy in front of the two tomcats, here
 are the configuration in httpd.conf:
 
ProxyPass /images/ !
  ProxyPass /css/ !
  ProxyPass /js/ !
  ProxyPass /photo/ !
  ProxyPass /icon/ !
  ProxyPass /pg/ !
  ProxyPass /job/ !
  ProxyPass /maintenance/ !
  ProxyRequests Off
 
   <Proxy balancer://cluster/>
   BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
   BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
   </Proxy>
  ProxyPass / balancer://cluster/ stickysession=JSESSIONID
 nofailover=On
  ProxyPassReverse / balancer://cluster/
 
  2. I am not sure that whether the problem occurs on the same tomcat,
 because I have no any idea to confirm that. Could you give me any tips to
 find it out?

 It will take a bit of work, but here are two possibilities...

 If you are able to talk with the user when the problem occurs, try to
 get some information from the user:  the time the problem happened, the
 resource that was accessed or anything else that can be used to identify
 the request in the logs.

 Once you have that information, you'll need to look at the access logs
 to find the user's request and see which machine the request was sent
 to.

 Alternatively, if you can get the session id of the problem request, it
 should have the route appended to the end of it.  That would also tell
 you which machine the request was sent to.

  This problem occurs occasionally, and I really don't know whether it is
 because of the session duplication or tomcat session manager itself.

 As I mentioned before, the most likely cause is due to a session,
 request or response object being retained by one of your application's
 servlets.  Doing this can cause problems very similar to the one that
 you are reporting.

 You should check your application to make sure that you never assign the
 session, request or response objects to a field on your Servlet objects.
 This is not thread safe and can cause a problem very similar to what you are
 reporting.

 Dan


 
  3. But one thing I am sure is that the two users use different PC to
 login,  which means that cookie is not the reason at all.
 
  Any fellows have such a problem? This problem is so bad that it has
 driven me and my visitors crazy, which is a big security problem!
 
  Any advice is highly appreciated!
 
  Thanks in advance!
 
 
  Weffen
 
 
  On 2012-1-11, at 9:52 PM, Daniel Mikusa wrote:
 
   On Wed, 2012-01-11 at 02:29 -0800, Weffen Cheung wrote:
   Hello,
  
   I am using 2 tomcat(7.0.11) on my server, with clustering and session
 duplication. All the things are running smoothly except the session problem
 sometimes:
  
   1. userA login, userB login
  
   Are userA and userB on the same TC instance?
  
   2. Sometimes when userB loads a page, he finds that he has become
 userA, it means that userB's login session data has been replaced with
 userA. Don't know why. Is it a bug?
  
   In most cases this occurs due to a session, request or response object
   being retained by a servlet.  This is bad and can cause behaviors
   similar to the one you are reporting.
  
   Anyone encounter  the same problem??
  
   Any advice would be highly appreciated!
  
   One other thought, what do you have in front of the two TC instances?
   Apache HTTPD with mod_proxy? or with mod_jk?
  
   Have you confirmed that the correct session id is being sent from the
   browser to your load balancer and then from the load balancer to your
 TC
   instance?
  
   Dan
 
 
  --
  Weffen Cheung
  E: wef...@gmail.com
  M: 1380618
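The two front-end/back-end mismatches raised in this thread and in the mod_proxy_ajp thread above (a BalancerMember `route=` that does not equal the Tomcat's `jvmRoute`, and an httpd worker MPM able to open more connections than the Tomcat AJP connectors will service) are both visible by reading the two configurations side by side. The script below is an added example, not code from either thread or from Apache: it parses the directives quoted in the threads (`MaxClients` from the worker MPM block, `BalancerMember ... route=` lines) and each Tomcat's server.xml (AJP `Connector` port and `maxThreads`, `Engine jvmRoute`) and reports both problems. It assumes all back ends sit on one host, as in the thread, so the AJP port alone identifies a Tomcat; `maxThreads` defaults to Tomcat's documented 200 when absent. The httpd.conf and server.xml samples are constructed from the thread's values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# BalancerMember <url> [key=value ...], e.g. BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
BALANCER_RE = re.compile(r"^\s*BalancerMember\s+(\S+)((?:[ \t]+\w+=\S+)*)", re.M)
MAXCLIENTS_RE = re.compile(r"^\s*MaxClients\s+(\d+)", re.M)
TOMCAT_DEFAULT_MAXTHREADS = 200   # Tomcat's documented Connector default

# Constructed samples using the values quoted in the threads.
HTTPD_CONF = """
<IfModule worker.c>
  StartServers 4
  MaxClients 300
  MinSpareThreads 25
  MaxSpareThreads 75
  ThreadsPerChild 25
  MaxRequestsPerChild 0
</IfModule>
ProxyRequests Off
<Proxy balancer://cluster/>
  BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
  BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
</Proxy>
ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
ProxyPassReverse / balancer://cluster/
"""


def tomcat_xml(port: int, jvm_route: str, max_threads: int = 150) -> str:
    """Minimal constructed server.xml for one Tomcat node."""
    return f"""<Server><Service name="Catalina">
  <Connector port="{port}" protocol="AJP/1.3" maxThreads="{max_threads}" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="{jvm_route}"/>
</Service></Server>"""


def parse_httpd(conf: str):
    """Balancer members (scheme, host, port, route) and the worker MPM MaxClients."""
    members = []
    for m in BALANCER_RE.finditer(conf):
        url = urlparse(m.group(1))
        opts = dict(kv.split("=", 1) for kv in m.group(2).split())
        members.append({"scheme": url.scheme, "host": url.hostname,
                        "port": url.port, "route": opts.get("route")})
    mc = MAXCLIENTS_RE.search(conf)
    return members, (int(mc.group(1)) if mc else None)


def parse_tomcat(server_xml: str) -> dict:
    """jvmRoute of the Engine and {port: maxThreads} of every AJP connector."""
    root = ET.fromstring(server_xml)
    engine = root.find(".//Engine")
    ajp = {}
    for c in root.iter("Connector"):
        if c.get("protocol", "").upper().startswith("AJP"):
            ajp[int(c.get("port"))] = int(c.get("maxThreads", TOMCAT_DEFAULT_MAXTHREADS))
    return {"jvmRoute": engine.get("jvmRoute") if engine is not None else None, "ajp": ajp}


def check(conf: str, server_xmls) -> list:
    """Findings for route/jvmRoute mismatches and for httpd out-sizing Tomcat."""
    findings = []
    members, max_clients = parse_httpd(conf)
    by_port = {}   # assumption: one host for all back ends, so the port identifies the node
    for node in map(parse_tomcat, server_xmls):
        for port, threads in node["ajp"].items():
            by_port[port] = (node["jvmRoute"], threads)
    capacity = 0
    for m in members:
        if m["scheme"] != "ajp":
            continue
        node = by_port.get(m["port"])
        if node is None:
            findings.append(f"BalancerMember port {m['port']}: no Tomcat AJP connector listens there")
            continue
        jvm_route, threads = node
        capacity += threads
        if jvm_route is None:
            findings.append(f"port {m['port']}: route={m['route']} but the Engine has no jvmRoute, "
                            "so session ids carry no route suffix and stickiness cannot work")
        elif jvm_route != m["route"]:
            findings.append(f"port {m['port']}: route={m['route']} does not match jvmRoute={jvm_route}; "
                            "sticky requests will land on the wrong Tomcat")
    if max_clients is not None and capacity and max_clients > capacity:
        findings.append(f"MaxClients {max_clients} exceeds the {capacity} AJP threads the back ends can "
                        "service; surplus httpd workers wait on Tomcat and time out (ajp_ilink_receive)")
    return findings


if __name__ == "__main__":
    nodes = [tomcat_xml(8009, "tomcat"), tomcat_xml(8010, "tomcat2")]
    print(check(HTTPD_CONF, nodes) or "front end and back ends are consistent")
```

The capacity rule is deliberately conservative: it sums `maxThreads` across the members, whereas in the worst case every httpd worker thread can be talking to the same member, so a stricter deployment keeps each Tomcat's `maxThreads` at or above `MaxClients` on its own.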
 
 
 



Re: tomcat session problem

2012-01-11 Thread Igor Cicimov
But you said you are using Apache as the front end, right? And here you are
using mod_proxy_balancer to reverse-proxy, right?


 ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
 ProxyPassReverse / balancer://cluster/



You use sticky sessions on your proxy based on the JSESSIONID right? So the
point is the balancer in your Apache frontend proxy should have the
parameters synchronized with your backend Tomcat servers otherwise your
sessions might end up on a wrong Tomcat server when proxying. Hope this
makes sense?!

Igor
On Thu, Jan 12, 2012 at 12:35 PM, Selvakumar Subramanian 
sselvakum...@gmail.com wrote:

 Hi Igor,

 Thanks for your reply... We are using apache tomcat, not the http
 server... Hope the below parameter is to be used for the apache http server,
 right? Pls correct me if i am wrong in understanding

 Thanks
 Selva

 On Wed, Jan 11, 2012 at 6:34 PM, Igor Cicimov icici...@gmail.com wrote:

  And have you set the jvmRoute parameter in the server.xml file on the tomcats
  to match the route value you use in the balancer?
 
  Maybe read the following section of the mod_proxy_balancer documentation carefully to
  make sure all the dependencies are met:
 
 
 
 http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html#stickyness_implementation
 
 
  Igor
  On Thu, Jan 12, 2012 at 8:42 AM, Daniel Mikusa dmik...@vmware.com
 wrote:
 
   On Wed, 2012-01-11 at 10:21 -0800, Weffen Cheung wrote:
Hello,
   
First Thanks for your reply, Dan.
   
1. Yes,  I am using apache2+mod_proxy in front of the two tomcats,
 here
   are the configuration in httpd.conf:
   
  ProxyPass /images/ !
ProxyPass /css/ !
ProxyPass /js/ !
ProxyPass /photo/ !
ProxyPass /icon/ !
ProxyPass /pg/ !
ProxyPass /job/ !
ProxyPass /maintenance/ !
ProxyRequests Off
   
     <Proxy balancer://cluster/>
     BalancerMember ajp://localhost:8009/ route=tomcat loadfactor=1
     BalancerMember ajp://localhost:8010/ route=tomcat2 loadfactor=1
     </Proxy>
     ProxyPass / balancer://cluster/ stickysession=JSESSIONID nofailover=On
     ProxyPassReverse / balancer://cluster/
   
2. I am not sure that whether the problem occurs on the same tomcat,
   because I have no any idea to confirm that. Could you give me any tips
 to
   find it out?
  
   It will take a bit of work, but here are two possibilities...
  
   If you are able to talk with the user when the problem occurs, try to
   get some information from the user:  the time the problem happened, the
   resource that was accessed or anything else that can be used to
 identify
   the request in the logs.
  
   Once you have that information, you'll need to look at the access logs
   to find the user's request and see which machine the request was sent
   to.
  
   Alternatively, if you can get the session id of the problem request, it
   should have the route appended to the end of it.  That would also tell
   you which machine the request was sent to.
  
This problem occurs occasionally, and I really don't know whether it
 is
   because of the session duplication or tomcat session manager itself.
  
   As I mentioned before, the most likely cause is due to a session,
   request or response object being retained by one of your application's
   servlets.  Doing this can cause problems very similar to the one that
   you are reporting.
  
   You should check your application to make sure that you never assign
 the
   session, request or response objects to a field on your Servlet
 objects.
   This is not thread safe and can cause a problem very similar to what you are
   reporting.
  
   Dan
  
  
   
3. But one thing I am sure is that the two users use different PC to
   login,  which means that cookie is not the reason at all.
   
    Any fellows have such a problem? This problem is so bad that it has
   driven me and my visitors crazy, which is a big security problem!
   
    Any advice is highly appreciated!
   
Thanks in advance!
   
   
Weffen
   
   
    On 2012-1-11, at 9:52 PM, Daniel Mikusa wrote:
   
 On Wed, 2012-01-11 at 02:29 -0800, Weffen Cheung wrote:
 Hello,

     I am using 2 tomcat(7.0.11) on my server, with clustering and
  session
   duplication. All the things are running smoothly except the session
  problem
   sometimes:

 1. userA login, userB login

 Are userA and userB on the same TC instance?

     2. Sometimes when userB loads a page, he finds that he has become
   userA, it means that userB's login session data has been replaced with
   userA. Don't know why. Is it a bug?

 In most cases this occurs due to a session, request or response
  object
 being retained by a servlet.  This is bad and can cause behaviors
 similar to the one you are reporting.

 Anyone encounter  the same problem??

     Any advice would be highly appreciated

Re: Tomcat AJP Thread Spike and System Hang

2011-12-21 Thread Igor Cicimov
What module are you using on the apache side, mod_proxy or mod_jk? Also you
might post the Connector settings from tomcat. Sorry, typing from my mobile,
just think that info might be useful to someone who can help you more.
 On Dec 22, 2011 10:57 AM, John Minchuk minchuk.j...@gmail.com wrote:

 Quick overview of our setup. Http requests flow from our load balancers, to
 squid proxies, to Apaches, to our Tomcat servers.  We migrated to this setup
 from an Oracle App Server.

 Apache: 2.2.3
 Tomcat: 7.0.11.0
 JVM: 1.6.0_22-b04
 Linux: 2.6.18-194.17.1.el5

 Our production environment has max threads set at 200, the number of
 threads usually hovers around 150.  About twice a day, at seemingly
 unrelated times we get a sudden spike in the number of ajp threads open.
 Eventually this hits our max of 200.  At this point Tomcat still seems
 responsive, but the number of our httpd processes spikes until Apache locks
 up.  At this point we have monitoring software that kills and restarts
 Apache.  We then manually restart Tomcat.

 Here is a graph of the AJP Threads running.  You can see a sudden jump to
 200 threads.  The other dips are most likely reloads triggered by our
 configuration management software (puppet).

 http://sporkit.com/thread_spike/spike.jpg

 Also interesting to note, these threads (all 200) appear to be in the keep
 alive state.

 http://sporkit.com/thread_spike/threads.jpg

 Our access logs don't indicate a high number of visits, or any one
 particular page that might cause this issue (that I can see).

 At this point we are stumped.  Do we spend our time tracking down memory
 leaks?  Is there something we could do to at least mitigate the problem
 over the holidays?  Any input greatly appreciated.



RE: AJP 1.3 Connector

2011-12-19 Thread Igor Cicimov
If you have a virtual host in apache, JkMount needs to be inside the virtual
host.
On Dec 20, 2011 7:27 AM, Troy-McKoy, Vickie vtroy-mc...@decc.sdps.org
wrote:

 Yes.  From the apache host, I pinged and telneted the tomcat host.

  # ping tomcatappserver
 PING tomcatappserver (nn.n.nn.nnn) 56(84) bytes of data.
 64 bytes from tomcatappserver (nn.n.nn.nnn): icmp_seq=1 ttl=64 time=0.140
 ms


 # telnet tomcatappserver 8009
 Trying nn.n.nn.nnn...
 Connected to tomcatappserver (nn.n.nn.nnn).
 Escape character is '^]'.
 Connection closed by foreign host.

 When I attempt to connect to the tomcatappserver via the apachewebserver,
 in firefox browser I get:  Unable to connect.  Firefox can't establish a
 connection to the server at tomcatappserver:8009.

 I just noticed if I put in the browser, the tomcatappserver url with the
 default port, I get the Apache Tomcat/7.0.14 page.  But, if I put in the
 apachewebserver url with the default port, I get this message:

 Service Temporarily Unavailable
 The server is temporarily unable to service your request due to
 maintenance downtime or capacity problems. Please try again later.

 
 Apache/2.0.64 (Unix) mod_jk/1.2.32 Server at x Port 80


 When I remove the JkMount and JkWorkersFile from httpd.conf, I get the
 default Apache web server page.




 -Original Message-
 From: Tim Watts [mailto:t...@cliftonfarm.org]
 Sent: Monday, December 19, 2011 2:20 PM
 To: Tomcat Users List
 Subject: RE: AJP 1.3 Connector

 On Mon, 2011-12-19 at 13:42 -0500, Troy-McKoy, Vickie wrote:
  Thanks for your response.
 
  When I ping server2, I get valid responses coming back.  When I telnet
  to server2 on port 8009, I am also able to connect.
 

 Did you do the telnet test from a shell on the apache host?  Did you use
 the exact name *as configured* (i.e. server2.ourlab.com)?

 What's the exact error message you're getting and which component
 (browser, apache) is reporting it?


 
  -Original Message-
  From: André Warnier [mailto:a...@ice-sa.com]
  Sent: Saturday, December 17, 2011 7:14 AM
  To: Tomcat Users List
  Subject: Re: AJP 1.3 Connector
 
  Vickie Troy-McKoy wrote:
   Hi,
  
   I'm in need of a little help.  I'm trying to get my tomcat and
  apache web server instances communicating; they are running on two
  different physical servers.  When I attempt a test of the application
  url, it basically says that a connection cannot be established.  I am
  running the following:
  
   RHEL Release 5.6 (x86_64)
   Apache Tomcat 7.0.14
   Apache/2.0.64
   mod_jk/1.2.32
  
   On the 1st physical server, the apache webserver instance resides:
  
   httpd.conf contains the following:
  
    LoadModule jk_module modules/mod_jk.so
    #
    JkWorkersFile conf/workers.properties
    JkMount /* server2
  
   workers.properties contain the following:
  
   worker.list=server2
   worker.server2.port=8009
   worker.server2.host=server2.ourlab.com
   worker.server2.type=ajp13
   worker.server2.lbfactor=1
   worker.server2.socket_keepalive=1
  
  
  
   On the 2nd physical server, the apache-tomcat instance resides:
  
   server.xml contains the following:
  
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3"
    redirectPort="8443" />
   
    <Connector port="8443" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
   SSLEnabled="true"
[and various other settings]
  
  
  
   I am missing something.  Can someone please provide help?  Thank
  you...
  
  
 
  Hi.
  Your configuration looks fine.
  The problem then should be with the network.
  Try the following :
   From the Apache httpd server (command-line),
 
  1) enter :
  ping server2.ourlab.com
 
  If you get regular messages showing that the ping packets are being
 answered, it's fine.
  If you get error messages, then you have a basic network problem
 accessing server2.ourlab.com from your Apache host.
 
  (faked) example of a good answer :
  PING server2.ourlab.com (192.168.20.1) 56(84) bytes of data.
  64 bytes from server2.ourlab.com (192.168.20.1): icmp_seq=1 ttl=64
  time=0.326 ms
  64 bytes from server2.ourlab.com (192.168.20.1): icmp_seq=2 ttl=64
  time=0.158 ms
  64 bytes from server2.ourlab.com (192.168.20.1): icmp_seq=3 ttl=64
  time=0.156 ms
 
  Example of a bad answer :
  - unknown host
  - network is not reachable
  etc..
 
  2) If the above is fine, then :
  enter :
  telnet server2.ourlab.com 8009
 
  It should at least connect (and may drop the connection right away),
  but the point is : is it connecting ? If it is, you will get an answer
  similar to this :
  Trying 192.168.20.1...
  Connected to colin-int.
  Escape character is '^]'.
 
  xxx
  Connection closed by foreign host.
 
 
 
  -
  To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
  For additional commands, e-mail: users-h...@tomcat.apache.org
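The two manual checks in the reply above (name resolution, then a TCP connect to the AJP port) as shell functions, so they can be run from the httpd host as one command or dropped into a monitoring script. This is an added example, not part of the list thread; the host name and port are the placeholders the thread uses, and `timeout`, `getent` and bash's `/dev/tcp` pseudo-device are assumed to be available. Note that a successful connect from the httpd host is what you want; the AJP connector should not be reachable from anywhere else, so the same probe from an untrusted network segment is expected to fail.

```shell
# Added example (not from the mailing list thread): scripted form of the
# ping / telnet troubleshooting steps for a mod_jk -> Tomcat AJP link.

# resolve_host NAME -> prints the first address NAME resolves to,
# returns 1 when the name is unknown (the "unknown host" case of step 1)
resolve_host() {
    local name="$1" ip
    ip=$(getent hosts "$name" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# tcp_probe HOST PORT [SECONDS] -> 0 if a TCP connection can be opened.
# Uses bash's /dev/tcp pseudo-device, so it works where telnet/nc are absent.
tcp_probe() {
    local host="$1" port="$2" secs="${3:-3}"
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# check_backend HOST PORT -> prints a one-line verdict and returns
#   0 reachable, 1 unknown host, 2 port unreachable
check_backend() {
    local host="$1" port="$2" ip
    if ! ip=$(resolve_host "$host"); then
        echo "UNKNOWN_HOST $host: step 1 fails, fix DNS or /etc/hosts first"
        return 1
    fi
    if tcp_probe "$host" "$port"; then
        echo "REACHABLE $host ($ip) port $port: mod_jk can talk to the AJP connector"
        return 0
    fi
    echo "UNREACHABLE $host ($ip) port $port: step 2 fails, check the firewall and that Tomcat is listening"
    return 2
}

# main HOST PORT, e.g. `main server2.ourlab.com 8009`; append `main "$@"`
# to the end of the file to run it as a script.
main() {
    check_backend "${1:-server2.ourlab.com}" "${2:-8009}"
}
```

The return codes are distinct so a cron job or configuration-management run can tell a DNS problem (fix the resolver) from a filtered port (fix the firewall or the Tomcat connector) without parsing the message text.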
 
  

Re: AJP 1.3 Connector

2011-12-17 Thread Igor Cicimov
Firewall?
 On Dec 17, 2011 11:34 AM, Vickie Troy-McKoy vtmc...@hotmail.com wrote:


 Hi,

 I'm in need of a little help.  I'm trying to get my tomcat and apache web
 server instances communicating; they are running on two different physical
 servers.  When I attempt a test of the application url, it basically says
 that a connection cannot be established.  I am running the following:

 RHEL Release 5.6 (x86_64)
 Apache Tomcat 7.0.14
 Apache/2.0.64
 mod_jk/1.2.32

 On the 1st physical server, the apache webserver instance resides:

 httpd.conf contains the following:

 LoadModule jk_module modules/mod_jk.so
 #
 JkWorkersFile conf/workers.properties
 JkMount /* server2

 workers.properties contain the following:

 worker.list=server2
 worker.server2.port=8009
 worker.server2.host=server2.ourlab.com
 worker.server2.type=ajp13
 worker.server2.lbfactor=1
 worker.server2.socket_keepalive=1



 On the 2nd physical server, the apache-tomcat instance resides:

 server.xml contains the following:

 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" enableLookups="false" protocol="AJP/1.3"
 redirectPort="8443" />

 <Connector port="8443" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
 SSLEnabled="true"
 [and various other settings]



 I am missing something.  Can someone please provide help?  Thank you...


 ___
 Regards,

 ___
 JESUS--Don't leave earth without Him!
 There is an election going on all the time.
 The Lord votes for you and satan votes against you;
 and you must cast the deciding vote.




Re: LAMP + Tomcat Configuration

2011-12-11 Thread Igor Cicimov
You need to deploy the war file inside Tomcat, so you need to make Tomcat
aware of its location. Also, including the war file in the URI makes no
sense; it cannot work like that. Did you do any configuration on the Tomcat
side? AJP connector, etc. I would suggest you check the Tomcat docs to gain a
basic idea of how Tomcat works.
 On Dec 12, 2011 5:50 AM, Truckman truck...@woodbridgedata.com wrote:

 Greetings,



 I apologize for the length/complexity of this but I've learned over the
 years providing more detail generally saves time of those who are kind
 enough to assist.



 I have a slew of standard webservers which run the usual LAMP model -
 CentOS6, Apache 2.2.15-5, MySQL 5.0.77-4, and PHP 5.3.2-6.  I host many
 virtual domains and each virtual server runs off a unique directory,
 roughly
 matching the assigned domain name, like so:



 http://forums.example.com translates to /var/www/html.forums



 No problems whatsoever, except now one of those virtual domains requires
 Tomcat6, and I'm trying to figure out how to integrate Tomcat6 for one
 virtual domain only.  This way, all the other domains I host can remain
 as-is in their working state.



 Using Yum, I installed Tomcat6 and the various auxiliary RPMs:



 apache-tomcat-apis-0.1-1.el6.noarch

 jakarta-commons-dbcp-tomcat5-1.2.1-13.8.el6.noarch

 jakarta-commons-pool-tomcat5-1.3-12.7.el6.x86_64

 tomcat6-6.0.24-24.el6_0.noarch

 tomcat6-admin-webapps-6.0.24-24.el6_0.noarch

 tomcat6-docs-webapp-6.0.24-24.el6_0.noarch

 tomcat6-el-2.1-api-6.0.24-24.el6_0.noarch

 tomcat6-javadoc-6.0.24-24.el6_0.noarch

 tomcat6-jsp-2.1-api-6.0.24-24.el6_0.noarch

 tomcat6-lib-6.0.24-24.el6_0.noarch

 tomcat6-log4j-6.0.24-24.el6_0.noarch

 tomcat6-servlet-2.5-api-6.0.24-24.el6_0.noarch

 tomcat6-webapps-6.0.24-24.el6_0.noarch



 I started Tomcat6, added it to chkconfig so it automatically starts, and as
 I expected Tomcat6 answers on port 8009 (ajp) and port 8080 (tomcat).



 The customer then passed me a forums.war file, stating it needs to be in
 the
 root directory of the virtual server, so I placed it in the
 /var/www/html.forums directory.



 Knowing that apache is answering port 80, and that needs to be forwarded
 up to port 8080, I made the following changes in the virtual server
 configuration, like so:



 <VirtualHost *:80>

     Servername   forums.example.com
     DocumentRoot /var/www/html.forums

     <Directory />
       Options FollowSymLinks
       AllowOverride All
       Order allow,deny
       Allow from all
       ProxyPass ajp://localhost:8009/
     </Directory>

 </VirtualHost>



 Now, when I hit http://forums.example.com, I get the expected Tomcat6
 welcome page, but http://forums.example.com/forums.war cannot be found.
  I'm
 assuming that's because forums.war is located in the virtual directory in
 regular apache and not where tomcat apache is expecting it.



 I am really confused as what I should be doing next, or even if what I've
 done so far was correct.



 The goal is to have regular apache answer port 80, and call upon tomcat
 on port 8080 (or 8009 ajp) as required by the web application stored in
 regular apache's virtual server directory for that domain.
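One way to do what the reply above describes: put the war where Tomcat looks for it and hand the whole virtual host to the AJP connector, instead of leaving forums.war in httpd's document root and requesting it by name. This is an added example, not code from the thread or from either project. The Tomcat appBase path is an assumption (the CentOS tomcat6 package uses /var/lib/tomcat6/webapps), the vhost file name is a placeholder, and mod_proxy and mod_proxy_ajp are assumed to be loaded in httpd.conf. Deploying the archive as ROOT.war is what makes the application answer at `/` rather than at `/forums.war`.

```shell
# Added example (not from the thread): deploy a war at Tomcat's context root
# and proxy the virtual host to AJP on the loopback interface.

# deploy_root_war WAR APPBASE -> copies WAR into APPBASE as ROOT.war.
# Tomcat expands ROOT.war at the context root "/"; any other file name
# becomes the context path (forums.war -> /forums).
deploy_root_war() {
    local war="$1" appbase="$2"
    [ -f "$war" ] || { echo "no such war: $war" >&2; return 1; }
    [ -d "$appbase" ] || { echo "appBase $appbase is not a directory" >&2; return 1; }
    cp "$war" "$appbase/ROOT.war"
}

# write_vhost_conf FILE SERVERNAME -> writes a vhost that sends every request
# for SERVERNAME to Tomcat's AJP connector on localhost. No DocumentRoot is
# set, so httpd never serves files for this host itself.
write_vhost_conf() {
    local file="$1" name="$2"
    cat > "$file" <<EOF
<VirtualHost *:80>
    ServerName $name
    # reverse proxy only; never act as a forward proxy
    ProxyRequests Off
    # everything under / goes to the Tomcat AJP connector on localhost
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
EOF
}

# war_in_docroot DIR -> 0 if a .war archive sits directly in DIR, i.e. in a
# place a web server could hand out as a static file. The archive (and the
# classes and configuration inside it) belongs in appBase, not in the
# document root.
war_in_docroot() {
    find "$1" -maxdepth 1 -name '*.war' -print 2>/dev/null | grep -q .
}

# Usage, as root on the web host (assumed paths):
#   deploy_root_war /var/www/html.forums/forums.war /var/lib/tomcat6/webapps
#   write_vhost_conf /etc/httpd/conf.d/forums.conf forums.example.com
#   rm /var/www/html.forums/forums.war && service httpd reload
```

`ProxyPassReverse` is not needed for the `ajp://` scheme, because AJP carries the original Host header to Tomcat; `ProxyRequests Off` is the default but is spelled out so that the file cannot later be turned into an open forward proxy by accident.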








Re: Is there a way to bounce tomcat with out effecting connected users?

2011-11-29 Thread Igor Cicimov
Sure, using a Tomcat cluster and session replication.

On Wed, Nov 30, 2011 at 2:37 PM, Srinivas Chejerla 
srinivascheje...@gmail.com wrote:

 Hi,


 I am trying to find the best way to handle a Tomcat bounce in production
 environments without affecting connected users.
 Please give me some suggestions. Is there a way to bounce Tomcat without
 affecting connected users?


 --
 Thanks,
 Srinivas.
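A check for the two configuration preconditions behind the reply above: a `<Cluster>` element in server.xml (with a `jvmRoute` on the `<Engine>` so mod_jk can keep sessions sticky to one node) and `<distributable/>` in the application's web.xml. With both in place, one node can be restarted while its peer holds the replicated sessions and keeps serving the connected users. This is an added example, not code from the thread or from Tomcat; it is a textual check of the two files, not an XML parse, and the sample fragments it writes are constructed for illustration.

```shell
# Added example (not from the thread): verify that a Tomcat node is set up
# for session replication before bouncing it.

# write_sample_server_xml FILE -> minimal server.xml with the default
# SimpleTcpCluster (multicast membership, DeltaManager replication) and a
# jvmRoute; the jvmRoute must equal the mod_jk worker name ("server2" here).
# Constructed sample, not a production file.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
EOF
}

# write_sample_web_xml FILE yes|no -> deployment descriptor with or without
# <distributable/>; without it Tomcat keeps the sessions local to the node.
write_sample_web_xml() {
    {
        echo '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">'
        if [ "$2" = yes ]; then echo '  <distributable/>'; fi
        echo '</web-app>'
    } > "$1"
}

# cluster_ready SERVER_XML WEB_XML -> 0 when both files carry the required
# elements; otherwise prints what is missing and returns 1.
cluster_ready() {
    local server_xml="$1" web_xml="$2" missing=0
    if ! grep -q 'SimpleTcpCluster' "$server_xml"; then
        echo "no <Cluster> element in $server_xml"
        missing=1
    fi
    if ! grep -q 'jvmRoute="' "$server_xml"; then
        echo "no jvmRoute on <Engine> in $server_xml (needed for sticky sessions)"
        missing=1
    fi
    if ! grep -q '<distributable */>' "$web_xml"; then
        echo "no <distributable/> in $web_xml"
        missing=1
    fi
    return $missing
}

# Usage on a node (paths are placeholders):
#   cluster_ready /etc/tomcat/server.xml /var/lib/tomcat/webapps/ROOT/WEB-INF/web.xml
```

What the check cannot see is whether every object stored in the session is `Serializable`; a non-serializable attribute makes replication fail at runtime even when both files are correct, so test a bounce on a staging pair before relying on it in production.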


