RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-09 Thread Amit Pande
Thank you George for letting us know about the "-Dorg.bouncycastle.rsa.allow_multi_use=true" JVM option. Will explore this further and update the document (https://github.com/amitlpande/tomcat-9-fips/blob/master/README.md) appropriately. Albeit reluctantly, we have given in to use BCFIPS (over

RE: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3

2020-12-09 Thread Amit Pande
To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3 Stefan, On 11/30/20 19:17, Stefan Mayr wrote: > Hi, > > Am 30.11.2020 um 17:09 schrieb Amit Pande: >> I guess I will have to investigate the RHEL 7.3 entropy issue separately >> (poss

RE: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3

2020-11-30 Thread Amit Pande
- From: Christopher Schultz Sent: Wednesday, November 25, 2020 9:42 PM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3 Amit, On 11/25/20 12:40, Amit Pande wrote: > Thank you Chris for the inputs. Admittedly, I didn’t know the internals of > Sun JCE/JSSE

RE: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3

2020-11-25 Thread Amit Pande
25, 2020 10:33 AM To: users@tomcat.apache.org Subject: [EXTERNAL] Re: Bouncy Castle FIPS on RHEL 7.3 Amit, On 11/24/20 11:21, Amit Pande wrote: > Probably not directly related to Tomcat but still sharing. Advanced > apologies for that. > > I am using bouncy castle FIPS library and observ

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-11-24 Thread Amit Pande
multiple reasons. >>> >>> Are there any other dependencies Tomcat has on the underlying stack, >>> besides that provided by a Java crypto provider like BC-FIPS, having >>> a bearing on FIPS compliance? >>> >&g

Bouncy Castle FIPS on RHEL 7.3

2020-11-24 Thread Amit Pande
Probably not directly related to Tomcat but still sharing. Advanced apologies for that. I am using bouncy castle FIPS library and observed that specifically on RHEL 7.3, the library usage is causing tremendous slowness. e.g. below keytool command taking several minutes to finish. keytool

Re: [EXTERNAL] Re: Embedded vs Standalone Tomcat

2020-10-20 Thread Amit Pande
Thank you so much Igal for the inputs. Thanks, Amit Thanks, Amit From: Igal Sapir Sent: Sunday, October 18, 2020 11:36:22 AM To: Tomcat Users List Subject: [EXTERNAL] Re: Embedded vs Standalone Tomcat Amit, On Fri, Oct 16, 2020 at 8:32 AM Amit Pande wrote

Embedded vs Standalone Tomcat

2020-10-16 Thread Amit Pande
My apologies in advance if this has been already discussed in the group. I am looking for experiences of the community, any nitpicks, etc. Currently we are using standalone Tomcat version (9.x) to host web applications which are essentially hosting REST APIs. We plan to move to micro services

RE: [EXTERNAL] Re: Enabling FIPS for Tomcat

2020-09-30 Thread Amit Pande
: Enabling FIPS for Tomcat On 29/09/2020 16:25, Amit Pande wrote: > Dear all, > > The link below documents how to enable FIPS (using Bouncy Castle) for Tomcat. > > https://github.com/amitlpande/tomcat-9-fips > > Kindly let me know your inputs if this needs any corrections, en

Enabling FIPS for Tomcat

2020-09-29 Thread Amit Pande
Dear all, The link below documents how to enable FIPS (using Bouncy Castle) for Tomcat. https://github.com/amitlpande/tomcat-9-fips Kindly let me know your inputs if this needs any corrections, enhancements. Also, a request to Tomcat leads: It is possible for these steps to be part of

Mitigating slow HTTP headers vulnerability

2020-06-09 Thread Amit Pande
(My apologies if this has been discussed already.) Slow HTTP headers vulnerability was reported by scanner tool, on Tomcat 8.5.54. There might not be any perfect solution to address this issue, but wanted to understand some of the best practices to mitigate this vulnerability.

RE: [EXTERNAL] Re: Ensuring clean Tomcat shutdown

2020-06-08 Thread Amit Pande
nServer = Registry.getRegistry(null, null).getMBeanServer();Set objectNames = mBeanServer.queryNames(new ObjectName(ALL_WEB_MODULES_QRY), null); On Sun., 7 Jun. 2020 at 3:50, Amit Pande () wrote: > When the application does not clean up the resources, during shutdown, > we see WAR

Ensuring clean Tomcat shutdown

2020-06-06 Thread Amit Pande
When the application does not clean up the resources, during shutdown, we see WARNINGs in Catalina logs: "WARNING [Catalina-utility-21] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [AAA] appears to have started a thread named [BBB] but has failed

Re: [EXTERNAL] Re: Query regarding bindOnInit default value..

2020-03-29 Thread Amit Pande
Thanks for the inputs, Mark. Thanks, Amit > On Mar 29, 2020, at 5:06 PM, Mark Thomas wrote: > > On 29/03/2020 08:11, Amit Pande wrote: >> Hello all, >> >> I was exploring Tomcat configuration which doesn't accept requests until the >> web application is

Query regarding bindOnInit default value..

2020-03-29 Thread Amit Pande
Hello all, I was exploring Tomcat configuration which doesn't accept requests until the web application is deployed. The "bindOnInit" connector attribute, when set to false, makes the socket bind when the connector starts and not when the connector is initialized. Wanted to know, why the default

RE: [EXTERNAL] Re: Uploads breaking post upgrade to 9.0.31

2020-03-18 Thread Amit Pande
/2020 17:56, Amit Pande wrote: > Using Tomcat 9.0.31. > > When using large JSON payload (little less than 2 MB) for POST requests, randomly (all random failures seen are on Windows and not on *ix), we are seeing: > > JSON parse error: Unexpected end-of-input in VALUE_STRING; n

RE: [EXTERNAL] Re: Uploads breaking post upgrade to 9.0.31

2020-03-17 Thread Amit Pande
Using Tomcat 9.0.31. When using large JSON payload (little less than 2 MB) for POST requests, randomly (all random failures seen are on Windows and not on *ix), we are seeing: JSON parse error: Unexpected end-of-input in VALUE_STRING; nested exception is

Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS

2019-06-20 Thread Amit Pande
Could you please clarify: Affected versions 8.5.0 to 8.5.40 Mitigation says: 8.5.40 or later What am I missing? > On Jun 20, 2019, at 2:25 PM, Mark Thomas wrote: > > CVE-2019-10072 Apache Tomcat HTTP/2 DoS > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions

Re: [EXTERNAL] Re: Request header too large..

2018-11-05 Thread Amit Pande
the documentation be made more elaborate? Can we mention that this attribute puts the upper bound on combined size of all request headers and the request line? Thanks, Amit On 11/3/18, 4:39 AM, "Mark Thomas" wrote: On 03/11/2018 01:35, Amit Pande wrote: > Thanks Chris. Yes, I will

Re: [EXTERNAL] Re: Request header too large..

2018-11-02 Thread Amit Pande
Thanks Chris. Yes, I will soon send out the patch for review. Thanks, Amit On 11/2/18, 5:25 PM, "Christopher Schultz" wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Amit, On 11/2/18 17:16, Amit Pande wrote: > As per current implementation (

Request header too large..

2018-11-02 Thread Amit Pande
As per current implementation (below snippet is from 8.5.28), if the request header is too large (by default >8K, the default maxHttpHeaderSize), the below error message is seen. For request -- 02-Nov-2018 15:15:47.649 INFO [catalina-exec-40]

Re: [EXTERNAL] Re: Hostnames with underscores

2018-10-26 Thread Amit Pande
erscore too. Thanks, Amit On Oct 26, 2018, at 12:02 PM, M. Manna <manme...@gmail.com> wrote: Have you checked the connector config doc for relaxedPathChars and relaxedQueryChars? On Fri, 26 Oct 2018 at 18:00, Amit Pande <amit.pa...@veritas.com> wrote: Hello all,

Hostnames with underscores

2018-10-26 Thread Amit Pande
Hello all, Recent Tomcat versions (8.5.32 I think) have made a stricter validation for hostnames with underscores in it. (https://bz.apache.org/bugzilla/show_bug.cgi?id=62371) This is understandably for addressing security issues (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816)

Re: [EXTERNAL] Re: Tomcat custom location for configuration

2018-10-26 Thread Amit Pande
cleaned up in next Tomcat release(s), right? Thanks, Amit On 10/4/18, 12:15 PM, "Christopher Schultz" wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Amit, On 10/4/18 12:17, Amit Pande wrote: > Thanks! I will take a detailed relook at using CATALINA_

Re: [EXTERNAL] Re: Tomcat custom location for configuration

2018-10-04 Thread Amit Pande
4/18, 8:38 AM, "Mark Thomas" wrote: On 03/10/18 17:18, Amit Pande wrote: > Thank you so much, Mark! > > In our case, the server.xml contains some information which is generated run time (pre-config before Tomcat is started) like the paths to key sto

Re: [EXTERNAL] Re: Tomcat custom location for configuration

2018-10-03 Thread Amit Pande
, Amit On 10/3/18, 10:16 AM, "Mark Thomas" wrote: On 02/10/18 17:41, Amit Pande wrote: > Hello SMEs, > > I am looking at Tomcat documentation to see if there is a way to move the “/conf” to a custom location and use this path while running the startup/shutdown sc

Tomcat custom location for configuration

2018-10-02 Thread Amit Pande
Hello SMEs, I am looking at Tomcat documentation to see if there is a way to move the “/conf” to a custom location and use this path while running the startup/shutdown scripts. I have looked at the

Re: [EXTERNAL] Using CLIENT-CERT

2018-04-11 Thread Amit Pande
Thank you so much Chris and Mark! Sincerely appreciate the inputs. Sent from my iPhone > On Apr 11, 2018, at 8:16 AM, Christopher Schultz > <ch...@christopherschultz.net> wrote: > > Mark and Amit, > >> On 4/10/18 2:21 AM, Mark Thomas wrote: >>> On 9

Re: [EXTERNAL] Using CLIENT-CERT

2018-04-09 Thread Amit Pande
d resource? Appreciate your inputs. On 4/8/18, 6:44 PM, "Amit Pande" <amit.pa...@veritas.com> wrote: I am trying to setup Tomcat (8.5.28) and the web-app correctly in order to get the mutual authentication (using client certificates) done but only for some recours

Using CLIENT-CERT

2018-04-08 Thread Amit Pande
I am trying to setup Tomcat (8.5.28) and the web-app correctly in order to get the mutual authentication (using client certificates) done but only for some resources and not all. For instance, I have an “authenticate” API for which I want to enable the client certificate authentication. So, I
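One way to get certificate authentication on a single path while leaving the rest of the application open, added here as an example and not taken from the thread: the security constraint in web.xml covers only the paths that need a certificate, the connector is configured not to ask for one during the initial handshake, and the realm maps the certificate subject DN to a user that holds the required role. The paths, keystore names, passwords and the subject DN below are assumptions.

```xml
<!-- conf/server.xml (Tomcat 8.5/9): TLS connector that does not demand a
     certificate during the initial handshake. File names and passwords are
     placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
  <!-- certificateVerification="none": no certificate is requested until a
       CLIENT-CERT protected resource is hit. protocols is pinned to TLSv1.2
       because the on-demand request is done by TLS renegotiation, which
       TLS 1.3 no longer has. -->
  <SSLHostConfig certificateVerification="none"
                 protocols="TLSv1.2"
                 truststoreFile="${catalina.base}/conf/client-ca.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/server.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml: only /api/authenticate (assumed path) requires the
     certificate. Every other path stays reachable without one. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>certificate-authenticated API</web-resource-name>
    <url-pattern>/api/authenticate</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-client</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL forces HTTPS; a certificate cannot be presented over plain HTTP -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>cert-client</role-name>
</security-role>

<!-- conf/tomcat-users.xml (UserDatabaseRealm): the username is the
     certificate subject DN exactly as the realm reports it; the password is
     not checked for CLIENT-CERT, so it is left empty. The DN is assumed. -->
<user username="CN=api-client, O=Example Corp" password="" roles="cert-client"/>
```

With certificateVerification="none" (clientAuth="false" in the older Connector-attribute form) Tomcat asks for a certificate only when a CLIENT-CERT constrained resource is requested, and it does that by renegotiating the TLS session, so that connector has to stay on TLS 1.2. If every path on a connector needs the certificate, certificateVerification="required" on a dedicated connector is both simpler and stronger, since the handshake itself rejects unauthenticated clients. The username the realm looks up is whatever its X509 username retriever returns (by default the certificate subject DN), so the user entry must match that string exactly; check the realm's debug log once to see the form it uses.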

Bug 45014 - Request and Response classes should have wrappers for use in Valves

2017-10-05 Thread Amit Pande
https://bz.apache.org/bugzilla/show_bug.cgi?id=45014 Any plans/thoughts on merging Chris' mod in Tomcat 9.x branch? It is really a nice to have built in support for Valves to have wrapper classes for Request and Response. We also had a requirement to read the request payload at a valve level

Re: Tomcat 8.5 : Jasper errors

2017-02-27 Thread Amit Pande
) The jasper ant task is as follows -→ (This directory has the above mentioned jar file) On 2/25/17, 7:32 AM, "Amit Pande" <amit.pa...@verit

Tomcat 8.5 : Jasper errors

2017-02-25 Thread Amit Pande
When upgraded from Tomcat 8.0.x to 8.5.x, while building our custom tags, the build is failing with below stack trace. The exception file not found does not give any clue on what’s the problem with the custom tag definition. I tried setting verbose attribute in jspc ant task as well as tried

Re: JIO Connector support in Tomcat 8.5

2017-02-20 Thread Amit Pande
instead of private. Appreciate your thoughts. Thanks, Amit On 2/16/17, 11:48 AM, "Christopher Schultz" <ch...@christopherschultz.net> wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Amit, On 2/13/17 8:19 PM, Amit Pande wrote: > Thank

Re: JIO Connector support in Tomcat 8.5

2017-02-14 Thread Amit Pande
Any suggestions on this? Could the Tomcat NIO connector be modified to receive the file descriptor from the other process (mentioned below)? Thanks, Amit Original Message Subject: Re: JIO Connector support in Tomcat 8.5 From: Amit Pande <amit.pa...@veritas.com> Dat

Re: JIO Connector support in Tomcat 8.5

2017-02-13 Thread Amit Pande
Original Message Subject: Re: JIO Connector support in Tomcat 8.5 From: Christopher Schultz <ch...@christopherschultz.net> Date: Feb 13, 2017, 18:58 To: Tomcat Users List <users@tomcat.apache.org> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Amit, On 2/13/17 6:55 PM

JIO Connector support in Tomcat 8.5

2017-02-13 Thread Amit Pande
As I understand, the JIO/BIO connector support has been dropped in Tomcat 8.5 +. While I understand the need to push to the NIO based connectors, just wondering whether the JIO connector support could have been left as it is in Tomcat 8.5 and beyond. We had extended the BIO connector to have a

Threadlocal leaks while Tomcat shutdown

2016-09-17 Thread Amit Pande
This might not be the right forum to ask this question. Yet wanted to know if anyone faced this issue. Our application uses Jacorb library to talk to legacy daemons over CORBA. However while stopping the Tomcat, observing following errors. They are from the jacorb.jar ..but not sure how to prevent

Tomcat as Windows Service

2016-09-07 Thread Amit Pande
Hello experts, We have configured the Tomcat to run as a Windows Service. And Windows SCM has a default time of 30 seconds, but the Tomcat process does not start/stop within this time. So, if we restart the service via SCM, we receive the Address in Use exceptions (as previous Tomcat process

Re: Custom Key Manager

2016-07-31 Thread Amit Pande
Thanks a lot Chris, will do that. Appreciate your help. Thanks, Amit On 31/07/16 6:37 pm, "Christopher Schultz" <ch...@christopherschultz.net> wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > >Amit, > >On 7/26/16 4:59 AM, Amit Pande wrote: >> &

Re: Custom Key Manager

2016-07-27 Thread Amit Pande
Any pointers here, experts ? On 26/07/16 2:29 pm, "Amit Pande" <amit.pa...@veritas.com> wrote: > >In Tomcat (7.x+), there is a provision to hook in a custom implementation >for trust manager by mentioning class name in connector's >trustManagerClassName attribu

Re: Using JMX to get ONLY running applications

2016-07-13 Thread Amit Pande
. Unless asked here, I would have never known the “shared” loader is still supported (and undocumented) in latest releases. Same is true with attributes associated with Tomcat Mbeans. Thanks, Amit On 14/07/16 2:18 am, "Mark Thomas" <ma...@apache.org> wrote: >On 13/07/2016 12:1

Re: Using JMX to get ONLY running applications

2016-07-13 Thread Amit Pande
to be the case. I even checked the SERVLET Mbean as well and did not see the expected state. Is there anything wrong that I am doing ? Is this a BUG ? Using Tomcat 8.0.30. Thanks, Amit On 13/07/16 1:05 pm, "Amit Pande" <amit.pa...@veritas.com> wrote: >I managed to use jConsole a

Re: Using JMX to get ONLY running applications

2016-07-13 Thread Amit Pande
] org.apache.catalina.core.StandardContext.loadOnStartup Servlet [dispatcher] in web application [/testApp] threw load() exception I still see state for testApp as "STARTED". How can I accurately know if the application is started without any errors ? Appreciate your help. Thanks, Amit

Using JMX to get ONLY running applications

2016-07-12 Thread Amit Pande
Hello all, I see there are JMX APIs to get the web applications currently deployed in Tomcat. However, I see that even if the applications failed to deploy, they still get listed. Is there any way to get ONLY deployed and RUNNING applications ? Below is sample snippet which gives all the

Re: Tomcat 8.0 : Custom server.xml path

2016-07-12 Thread Amit Pande
Any thoughts on this ? On 11/07/16 1:15 pm, "Amit Pande" <amit.pa...@veritas.com> wrote: >Hello all, > > >We have a custom cluster deployment scenario which requires to put config >files on a shared disk. > >With reference to above requirement, we need t

Tomcat 8.0 : Custom server.xml path

2016-07-11 Thread Amit Pande
Hello all, We have a custom cluster deployment scenario which requires to put config files on a shared disk. With reference to above requirement, we need to put server.xml (and possibly other files from TOMCAT_DIR\conf) on the shared disk. Is there any way to do this ? Possible to do in

Re: Remote Address/Host Filter per connector ..

2016-07-07 Thread Amit Pande
ports , but I want to configure connecting to my web app using one of it via only the localhost and thus I wanted to set appropriate remote address filters. Thanks, Amit On 07/07/16 4:05 pm, "André Warnier (tomcat)" <a...@ice-sa.com> wrote: >On 07.07.2016 11:57, Amit Pande

Remote Address/Host Filter per connector ..

2016-07-07 Thread Amit Pande
Hello all, In my server.xml, within a single Service element, I have two HTTP connectors defined listening on two different ports (12345 & 54321 for example). Is it possible to apply the remote address/host filter so that requests to one of the ports (12345) are allowed only via localhost ?
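Two ways to get that effect, added here as an example rather than taken from the thread. Binding the local-only connector to the loopback address keeps the port off every other interface, which is the stronger control; the valve form is for when the port has to stay bound on all interfaces, or as defence in depth. The valve's addConnectorPort attribute makes the allow pattern match "client-ip;server-port" instead of the bare address; its availability should be checked against the Remote Address Valve documentation for the Tomcat version in use. The port numbers are the ones from the question; everything else is assumed.

```xml
<!-- conf/server.xml: two HTTP connectors in one Service. Port 12345 is for
     local callers only, port 54321 is public. Example configuration, not
     from the thread. -->
<Service name="Catalina">

  <!-- Option 1 (preferred): bind the local-only connector to loopback.
       The port is then not reachable from other hosts at all. Add a second
       connector with address="::1" if IPv6 loopback clients exist. -->
  <Connector port="12345" protocol="HTTP/1.1" address="127.0.0.1"
             connectionTimeout="20000"/>

  <!-- Public connector, bound on all interfaces. -->
  <Connector port="54321" protocol="HTTP/1.1"
             connectionTimeout="20000"/>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

      <!-- Option 2 (defence in depth, or when 12345 must stay bound on all
           interfaces): with addConnectorPort="true" the value matched by
           "allow" is "client-ip;server-port" (separator ";" by default).
           The regex must match the whole string: any client on 54321, only
           IPv4/IPv6 loopback on 12345; everything else is answered with 403. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             addConnectorPort="true"
             allow="[^;]+;54321|127\.\d+\.\d+\.\d+;12345|::1;12345|0:0:0:0:0:0:0:1;12345"
             denyStatus="403"/>
    </Host>
  </Engine>
</Service>
```

The valve compares against request.getRemoteAddr(), so behind a reverse proxy it sees the proxy's address unless a RemoteIpValve runs first, at which point the real control becomes which proxies are trusted to set X-Forwarded-For. After changing either option, confirm from another host that port 12345 is refused (connection refused for option 1, HTTP 403 for option 2) and that loopback requests still succeed.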

Re: Tomcat 8 : Shared loader

2016-06-15 Thread Amit Pande
Thank you Mark for your valuable inputs. They are indeed a great help. Thanks, Amit On 15/06/16 7:00 pm, "Mark Thomas" <ma...@apache.org> wrote: >On 15/06/2016 12:03, Amit Pande wrote: >> >> >> On 15/06/16 4:06 pm, "Mark Thomas" <ma...@ap

Re: Tomcat 8 : Shared loader

2016-06-15 Thread Amit Pande
Thanks a lot, Lulseged for your inputs. With this approach, did you see any apparent issues / precautions that we should be aware of ? Thanks, Amit On 15/06/16 3:54 pm, "Lulseged Zerfu" wrote: >It should be shared.loader: >shared.loader="${catalina.base}/shared" > >>

Re: Tomcat 8 : Shared loader

2016-06-15 Thread Amit Pande
On 15/06/16 4:06 pm, "Mark Thomas" <ma...@apache.org> wrote: >On 15/06/2016 11:00, Amit Pande wrote: >> We develop multiple web application which happen to share the same >>stack (Spring, Hibernate,etc). >> >> Thinking of sharing these third party lib

Tomcat 8 : Shared loader

2016-06-15 Thread Amit Pande
We develop multiple web applications which happen to share the same stack (Spring, Hibernate,etc). Thinking of sharing these third party libraries instead of duplicating in each web app war. IIUC, putting those in Tomcat (8)'s lib folder might cause issues since the classes in there are loaded