Re: #tomcat on Freenode?

2021-09-15 Thread Coty Sutherland
Hi all,

It's been quite a while now and all of the communities that I'm a part of
have moved from Freenode to Libera.Chat at this point. I can't even access
Freenode now without jumping through some hoops to get new credentials, so
I'm definitely not doing that. Some users in #tomcat on libera.chat have
pointed out that we still reference Freenode from our project page even
though none of us are there anymore. Should we just remove the irc page at
this point? Or do we want to update it to point to libera.chat? If there
are no objections, I'll just update the reference.

On Tue, May 25, 2021 at 9:19 AM Coty Sutherland wrote:

> On Thu, May 20, 2021 at 1:03 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Coty,
>>
>> On 5/19/21 15:28, Coty Sutherland wrote:
>> > Hi all,
>> >
>> > I was just notified about some mess going on with Freenode which has
>> > seemingly resulted in a mass exodus of users from the freenode servers.
>>
>> I read about this last night and I immediately thought "I wonder if Coty
>> will say anything about this." :)
>>
>
> lol, of course :P
>
>
>> It's an "interesting" situation, for some values of "interesting."
>>
>> We (well, Coty) maintains a presence on #freenode because it appears to
>> help some people. Probably a very small number of people (relatively
>> speaking). Removing that resource may cause some people to fail to get
>> help. OTOH, we don't maintain a presence on fb, AIM, or Parler and we
>> prefer the mailing list for most interactions for a whole host of reasons.
>>
>
> I wasn't exactly proposing that we remove the resource, just that in light
> of all the people migrating away from freenode and the likelihood that the
> Fedora community will do the same, I won't be available there going forward
> (I really only started hanging out on freenode because the Fedora community
> communicates there a lot). And since I was basically the only committer
> hanging around, I didn't think it was worth keeping a reference on the
> project page which makes it look as if the channel was an 'official' place
> to get help. I'm equally as OK leaving it, but since I was the only person
> paying it any attention I thought it was worth asking how others thought :)
>
>
>> I don't think there are any people who are using #freenode because they
>> don't trust the ASF infrastructure. I think they just want to use IRC.
>> (Which, for those who are unfamiliar, is like Slack but without all the
>> stupid cat photos.) #freenode was great because you didn't have to pay
>> The Man to run an IRC channel/server for you and you also didn't have to
>> run it yourself. It was a nice, shared infrastructure. All of that still
>> exists. It's just got a bad taste to it because something that was free
>> and grassroots is now owned by a corporation and Corporations Are Bad
>> m'kay.
>>
>> If we want to provide support via IRC, there is nothing wrong with
>> #freenode in spite of recent events, IMHO.
>>
>> I think the question should be "is a realtime support system appropriate
>> for our community?" I tend to think not, but I'm not the only one here.
>>
>
> I wouldn't call what is being provided in #tomcat on freenode "realtime
> support" haha There's maybe one question a month there on average (at least
> when I'm online during the week), and sometimes they even go unanswered
> depending on who is available at the time.
>
>
>> If we are going to "quit" #freenode, should we put our efforts into
>> pointing people to the mailing list(s) instead of pointing them to
>> another competing platform? I think we should funnel people to the
>> mailing lists. If the mailing list has too high a bar, then I guess we
>> can point them to Slack. (Does Slack require an account? Requiring
>> signup sucks. At least subscribing to a mailing list doesn't mean you
>> need another entry in your password safe.)
>>
>> Anyhow, I'd love to hear what others think. But I would suggest that you
>> consider your motivations before doing anything. Specifically:
>>
>> 1. Why abandon #freenode?
>>
>> 2. Why move to anything other than mailing-list?
>>
>
> I agree, we should drive everyone to mailing lists but not everyone likes
> them so having a few options is good for the community IMO. Also, we aren't
> really abandoning anything because we don't really maintain it, it's led by
> community folk as far as I know; I'm not a moderator. I was just suggesting
> that if it's not a resource we're actively maintaining that we maybe
> shouldn't point to it from the project page.
>
>
>> -chris
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>


Re: Tomcat Usage Data Interest

2021-07-27 Thread Coty Sutherland
On Mon, Jul 26, 2021 at 1:16 PM Mark Thomas wrote:

> On 26/07/2021 12:13, Coty Sutherland wrote:
> > Hi all,
> >
> > I'm curious about whether or not we have/can get some information about
> the
> > usage of Tomcat out in the wild. Things like download count across
> various
> > versions (including archived version downloads) for the last few years,
> svn
> > history and GitHub stats, project website visitors, committer numbers
> (and
> > some other info which I can get from the regular board reports), counts
> of
> > tomcat-users list unique topics, etc. I'd like to compile data into a
> > community interest report (or something like that) and try to draw some
> > insights on which way the Tomcat project is trending. I would also be
> > looking to include adoption outside of just the vanilla ASF distro, like
> > the most popular Tomcat Docker container, Ansible collection, tomcat
> > package downloads from any OS that has the data available, etc.
> >
> > Does anyone think that such a report has value? Is there already
> something
> > like this in existence somewhere (there is an annual jrebel technology
> > report like https://www.jrebel.com/blog/2020-java-technology-report
> which
> > is pretty cool, but it's a survey)? Feel free to tell me that this
> > undertaking has little value and I can move on to something else :)
> > Thoughts?
>
> In no particular order.
>
> There is Apache Kibble
> https://kibble.apache.org/
> The live demo uses ASF data.
>
> The mirror network makes download stats tricky.
>

Yeah, I was thinking that would be the hardest datapoint to try and capture.


> We can get Maven central stats via repository.a.o
>
> In terms of whether a report has value, more insight into the community
> is good. The users mailing list is an incredibly small proportion of the
> active Tomcat users. Anything that provides us with a better
> understanding of the wider community can only help. I'd be particularly
> interested in things we could do to broaden our reach. That may well
> create some interesting debate on how to best do that.
>

OK, I'll start gathering some data and circle back at some point :)

Thanks for the affirmation.


> Mark


Re: Tomcat Usage Data Interest

2021-07-27 Thread Coty Sutherland
Excellent. I'll check it out, I'm on a mission to get data about the Tomcat
package usage in Fedora and it's proving to be difficult lol

On Mon, Jul 26, 2021 at 5:32 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Coty,
>
> On 7/26/21 07:13, Coty Sutherland wrote:
> > Hi all,
> >
> > I'm curious about whether or not we have/can get some information about
> the
> > usage of Tomcat out in the wild. Things like download count across
> various
> > versions (including archived version downloads) for the last few years,
> svn
> > history and GitHub stats, project website visitors, committer numbers
> (and
> > some other info which I can get from the regular board reports), counts
> of
> > tomcat-users list unique topics, etc. I'd like to compile data into a
> > community interest report (or something like that) and try to draw some
> > insights on which way the Tomcat project is trending. I would also be
> > looking to include adoption outside of just the vanilla ASF distro, like
> > the most popular Tomcat Docker container, Ansible collection, tomcat
> > package downloads from any OS that has the data available, etc.
> >
> > Does anyone think that such a report has value? Is there already
> something
> > like this in existence somewhere (there is an annual jrebel technology
> > report like https://www.jrebel.com/blog/2020-java-technology-report
> which
> > is pretty cool, but it's a survey)? Feel free to tell me that this
> > undertaking has little value and I can move on to something else :)
> > Thoughts?
>
> Certainly would be interesting.
>
> Debian has "popularity contest". It looks like it would be a ton of
> data, but it's available: https://popcon.debian.org/
>
> I don't happen to use the Debian-packaged version of Tomcat, but I am a
> Debian user and fan.
>
> -chris


Tomcat Usage Data Interest

2021-07-26 Thread Coty Sutherland
Hi all,

I'm curious about whether or not we have/can get some information about the
usage of Tomcat out in the wild. Things like download count across various
versions (including archived version downloads) for the last few years, svn
history and GitHub stats, project website visitors, committer numbers (and
some other info which I can get from the regular board reports), counts of
tomcat-users list unique topics, etc. I'd like to compile data into a
community interest report (or something like that) and try to draw some
insights on which way the Tomcat project is trending. I would also be
looking to include adoption outside of just the vanilla ASF distro, like
the most popular Tomcat Docker container, Ansible collection, tomcat
package downloads from any OS that has the data available, etc.

Does anyone think that such a report has value? Is there already something
like this in existence somewhere (there is an annual jrebel technology
report like https://www.jrebel.com/blog/2020-java-technology-report which
is pretty cool, but it's a survey)? Feel free to tell me that this
undertaking has little value and I can move on to something else :)
Thoughts?



Thanks,
Coty


Re: #tomcat on Freenode?

2021-05-25 Thread Coty Sutherland
On Thu, May 20, 2021 at 1:03 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Coty,
>
> On 5/19/21 15:28, Coty Sutherland wrote:
> > Hi all,
> >
> > I was just notified about some mess going on with Freenode which has
> > seemingly resulted in a mass exodus of users from the freenode servers.
>
> I read about this last night and I immediately thought "I wonder if Coty
> will say anything about this." :)
>

lol, of course :P


> It's an "interesting" situation, for some values of "interesting."
>
> We (well, Coty) maintains a presence on #freenode because it appears to
> help some people. Probably a very small number of people (relatively
> speaking). Removing that resource may cause some people to fail to get
> help. OTOH, we don't maintain a presence on fb, AIM, or Parler and we
> prefer the mailing list for most interactions for a whole host of reasons.
>

I wasn't exactly proposing that we remove the resource, just that in light
of all the people migrating away from freenode and the likelihood that the
Fedora community will do the same, I won't be available there going forward
(I really only started hanging out on freenode because the Fedora community
communicates there a lot). And since I was basically the only committer
hanging around, I didn't think it was worth keeping a reference on the
project page which makes it look as if the channel was an 'official' place
to get help. I'm equally as OK leaving it, but since I was the only person
paying it any attention I thought it was worth asking how others thought :)


> I don't think there are any people who are using #freenode because they
> don't trust the ASF infrastructure. I think they just want to use IRC.
> (Which, for those who are unfamiliar, is like Slack but without all the
> stupid cat photos.) #freenode was great because you didn't have to pay
> The Man to run an IRC channel/server for you and you also didn't have to
> run it yourself. It was a nice, shared infrastructure. All of that still
> exists. It's just got a bad taste to it because something that was free
> and grassroots is now owned by a corporation and Corporations Are Bad
> m'kay.
>
> If we want to provide support via IRC, there is nothing wrong with
> #freenode in spite of recent events, IMHO.
>
> I think the question should be "is a realtime support system appropriate
> for our community?" I tend to think not, but I'm not the only one here.
>

I wouldn't call what is being provided in #tomcat on freenode "realtime
support" haha There's maybe one question a month there on average (at least
when I'm online during the week), and sometimes they even go unanswered
depending on who is available at the time.


> If we are going to "quit" #freenode, should we put our efforts into
> pointing people to the mailing list(s) instead of pointing them to
> another competing platform? I think we should funnel people to the
> mailing lists. If the mailing list has too high a bar, then I guess we
> can point them to Slack. (Does Slack require an account? Requiring
> signup sucks. At least subscribing to a mailing list doesn't mean you
> need another entry in your password safe.)
>
> Anyhow, I'd love to hear what others think. But I would suggest that you
> consider your motivations before doing anything. Specifically:
>
> 1. Why abandon #freenode?
>
> 2. Why move to anything other than mailing-list?
>

I agree, we should drive everyone to mailing lists but not everyone likes
them so having a few options is good for the community IMO. Also, we aren't
really abandoning anything because we don't really maintain it, it's led by
community folk as far as I know; I'm not a moderator. I was just suggesting
that if it's not a resource we're actively maintaining that we maybe
shouldn't point to it from the project page.


> -chris


Re: #tomcat on Freenode?

2021-05-20 Thread Coty Sutherland
On Thu, May 20, 2021 at 4:24 AM Rémy Maucherat wrote:

> We should probably drop the IRC page and focus on the mailing lists for the
> website (they are the only official channel). A wiki page can mention other
> things like Slack.
>

Yeah, I like that idea. Let's drop the IRC page and add an entry for
libera.chat (there are a few people in #tomcat on there now) and later when
a Slack channel is created we can add it there too.

I'll leave it in case anyone has any other comments, and will remove
irc.html from the site next week.


#tomcat on Freenode?

2021-05-19 Thread Coty Sutherland
Hi all,

I was just notified about some mess going on with Freenode which has
seemingly resulted in a mass exodus of users from the freenode servers.
There are some updates available at
https://gist.github.com/joepie91/df80d8d36cd9d1bde46ba018af497409/ which
make it seem like we should no longer point users to #tomcat on freenode
(we point to it on https://tomcat.apache.org/irc.html).

Should we take any action on that, like remove the page or update it to
point to https://libera.chat/ after we establish a channel there? I'm not
sure how much value there is/was in the freenode channel because questions
are so infrequent, so we may be able to safely drop the reference.



Thanks,
Coty


Re: After OS update from RHEL 6.3 to 6.10 seeing 503 error

2020-07-30 Thread Coty Sutherland
On Wed, Jul 29, 2020 at 4:41 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Satish,
>
> On 7/29/20 2:56 PM, Satish Chhatpar 02 wrote:
> > After  OS update from RHEL 6.6  to 6.10, seeing 503 error.
> >
> > Need help to fix this.
> >
> >
> >
> > 
> > 503 Service Temporarily Unavailable
> > 
> > Service Temporarily Unavailable
> > The server is temporarily unable to service your
> > request due to maintenance downtime or capacity
> > problems. Please try again later.
> > Additionally, a 404 Not Found
> > error was encountered while trying to use an ErrorDocument to handle the
> request.
> > 
> >
> >
> > Tomcat version is 6.0.53
> >
> > mod_jk/1.2.37
> >
> >
> >
> > Server version: Apache/2.2.15 (Unix)
> > Server built:   Feb 19 2018 06:33:11
> > Server's Module Magic Number: 20051115:25
> > Server loaded:  APR 1.3.9, APR-Util 1.3.9
> > Compiled using: APR 1.3.9, APR-Util 1.3.9
> > Architecture:   64-bit
> > Server MPM: Prefork
> >   threaded: no
> > forked: yes (variable process count)
> > Server compiled with
> >  -D APACHE_MPM_DIR="server/mpm/prefork"
> >  -D APR_HAS_SENDFILE
> >  -D APR_HAS_MMAP
> >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >  -D APR_USE_SYSVSEM_SERIALIZE
> >  -D APR_USE_PTHREAD_SERIALIZE
> >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> >  -D APR_HAS_OTHER_CHILD
> >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> >  -D DYNAMIC_MODULE_LIMIT=128
> >  -D HTTPD_ROOT="/etc/httpd"
> >  -D SUEXEC_BIN="/usr/sbin/suexec"
> >  -D DEFAULT_PIDLOG="run/httpd.pid"
> >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >  -D DEFAULT_LOCKFILE="logs/accept.lock"
> >  -D DEFAULT_ERRORLOG="logs/error_log"
> >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >
> >
> >
> > In access logs I see 404
> >
> >   "GET /commerce/servlet/gben-OrderStatusWebService HTTP/1.1" 404 - 0
> "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/45.0.2454.85 Safari/537.36"
> >
> >
> > In error log I see
> >
> > Response header name 'Cache/Control' contains invalid characters,
> aborting request
> >
> >
> >
> > in mod_jk log  I see
> >
> >
> > [Wed Jul 29 19:24:31.877 2020] [912:139700310231008] [debug]
> jk_open_socket::jk_connect.c (485): socket TCP_NODELAY set to On
> > [Wed Jul 29 19:24:31.877 2020] [912:139700310231008] [debug]
> jk_open_socket::jk_connect.c (522): socket SO_KEEPALIVE set to On
> > [Wed Jul 29 19:24:31.877 2020] [912:139700310231008] [debug]
> jk_open_socket::jk_connect.c (609): trying to connect socket 39 to
> 10.80.1.84:8901
> > [Wed Jul 29 19:24:31.877 2020] [912:139700310231008] [trace]
> nb_connect::jk_connect.c (227): enter
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> nb_connect::jk_connect.c (273): exit
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [debug]
> jk_open_socket::jk_connect.c (635): socket 39 [172.16.133.13:46132 ->
> 10.80.1.84:8901] connected
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> jk_open_socket::jk_connect.c (638): exit
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> ajp_handle_cping_cpong::jk_ajp_common.c (880): enter
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> ajp_connection_tcp_send_message::jk_ajp_common.c (1178): enter
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [debug]
> ajp_connection_tcp_send_message::jk_ajp_common.c (1184): sending to ajp13
> pos=4 len=5 max=16
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [debug]
> ajp_connection_tcp_send_message::jk_ajp_common.c (1184): 12 34 00
> 01 0A 00 00 00 00 00 00 00 00 00 00 00  - .4..
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> jk_tcp_socket_sendfull::jk_connect.c (841): enter
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> jk_tcp_socket_sendfull::jk_connect.c (871): exit
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> ajp_connection_tcp_send_message::jk_ajp_common.c (1212): exit
> > [Wed Jul 29 19:24:31.878 2020] [912:139700310231008] [trace]
> jk_is_input_event::jk_connect.c (986): enter
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [trace]
> jk_is_input_event::jk_connect.c (1031): exit
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [trace]
> ajp_connection_tcp_get_message::jk_ajp_common.c (1245): enter
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [trace]
> jk_tcp_socket_recvfull::jk_connect.c (892): enter
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [trace]
> jk_tcp_socket_recvfull::jk_connect.c (921): exit
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [trace]
> jk_tcp_socket_recvfull::jk_connect.c (892): enter
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [trace]
> jk_tcp_socket_recvfull::jk_connect.c (921): exit
> > [Wed Jul 29 19:24:31.880 2020] [912:139700310231008] [debug]
> ajp_connection_tcp_get_message::jk_ajp_common.c (1379): received from ajp13
> pos=0 

Re: File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-07-07 Thread Coty Sutherland


> With this kind of service (and, similarly, Coty Sutherland's work @
> RedHat), I might re-think my policy of always using the vanilla
> packages from Apache.
>
> It's *really* nice when the package-manager can do it all.
>

It really is ;)


Re: Tomcat not part of RHEL 8 distro?

2020-07-07 Thread Coty Sutherland
On Thu, Jul 2, 2020 at 3:43 PM Sean Neeley wrote:

> I heard that tomcat is no longer available for RHEL 8.  Does anyone know
> why this is?  What free alternatives are there for java servlets, which
> have rpm packages managed by Red Hat?  Thanks
>

The answer to your question is pretty complicated IMO, but check out
https://access.redhat.com/solutions/661403 or open a support ticket and
inquire further (both suggestions assume you have a support subscription).
As far as what other free servlet containers there are available, I don't
know of any in RHEL, but the Tomcat package still exists on Fedora. There
is a BZ to create an EPEL 8 Tomcat package, but honestly I don't think it's
likely to get much traction because the dependencies needed to build Tomcat
on RHEL 8 are no longer provided either and would have to be added back to
the distro. The best way forward for you is probably to repackage the
Tomcat binaries from the ASF into an RPM (which should be pretty easy and
you can use https://src.fedoraproject.org/rpms/tomcat as an example), if
that's what you need to install. Otherwise you can just unzip/untar Tomcat
and use it as usual.


> --
>
> Sean Neeley | Senior Developer
>
> t. 630.395.9600 x6234
>
> sean.nee...@producepro.com
>
> Produce Pro Software™
>
> Chicago | Los Angeles | Philadelphia | Austin
>
>


Re: [ANN] New committer: Raymond Augé

2020-07-02 Thread Coty Sutherland
Congrats and welcome!

On Thu, Jul 2, 2020 at 10:40 AM Mark Thomas wrote:

> On behalf of the Tomcat committers I am pleased to announce that
> Raymond Augé (rotty3000) has been voted in as a new Tomcat committer.
>
> Please join me in welcoming him.
>
> Kind regards,
>
> Mark


Re: Having trouble with tomcat 7 installation on RHEL 7.8 power pc

2020-07-02 Thread Coty Sutherland
The RHEL 7 Tomcat package uses systemd and the journal to capture stdout
instead of catalina.out. Did you check the journal to see if the thread
dumps are logged there from your invocations of kill -3? You can use
`journalctl -u tomcat` to check it.

On Wed, Jul 1, 2020 at 6:58 PM Sean Neeley wrote:

> On Wed, Jul 1, 2020 at 5:24 PM calder wrote:
>
> > On Wed, Jul 1, 2020, 15:32 Sean Neeley wrote:
> >
> > > I tried switching from Java 1.8 to Java 11 to see if that makes a
> > > difference.  Now the VM Thread is using a lot less CPU:
> > >
> > >   PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
> > >  2320 tomcat    20   0 4659072  47872  19904 R 99.9  0.6  22:15.16 java
> > >  2326 tomcat    20   0 4659072  47872  19904 R  4.6  0.6   0:56.43 VM Thread
> > >
> > > I tried running jstack on the processes, but I get this:
> > >
> > > 2320: Unable to open socket file: target process not responding or
> > HotSpot
> > > VM not loaded
> > >
> >
> > Did you attempt to run the command as the "Tomcat user"?
> >
> > BTW,  Oracle recommends the use of "jcmd" over "jstack". Personally, I'd
> > give Mission Control/Flight Recorder a go.
> >
>
> I'm definitely running it as the tomcat user.  I just tried jcmd with no
> arguments and the command completely hangs.  The only way to terminate it
> is a kill -9.  This seems almost like an OS level issue.  We are opening a
> ticket with Red Hat support to see what they say.
>


Re: CentOS Tomcat install seems to ignore setenv.sh

2020-05-18 Thread Coty Sutherland
On Wed, May 13, 2020 at 5:06 PM Patrick Baldwin wrote:

> On Wed, May 13, 2020 at 1:31 PM Coty Sutherland wrote:
>
> > Hi,
> >
> > Please see responses in line below. I'm top posting a bit because the
> > thread got off in the weeds about permissions it seems, which are
> important
> > but not exactly relevant to your problem IMO.
> >
> >
> Indeed, thank you.
>
>
> > On Tue, May 12, 2020 at 11:28 AM Patrick Baldwin <
> > pbald...@myersinfosys.com>
> > wrote:
> >
> > > I've gotten passed an odd (to me, anyway) issue with one of our clients
> > > CentOS systems.
> > >
> > > When our webapp starts running, tomcat dies shortly thereafter with an
> > > OutOfMemoryError. This apparently just started a few days ago.
> > >
> >
> > The issue isn't really odd. The JVM is telling you that something is
> > preventing the garbage collector from being effective and therefore
> > exhausting your heap space. See
> >
> >
> https://docs.oracle.com/javase/8/docs/technotes/guides/vm/gctuning/parallel.html#parallel_collector_excessive_gc
> > for more information about the particular OOME you noted that you're
> > experiencing.
> >
> >
> Reading that, I'm not quite sure if this error would happen if tomcat is
> honoring the memory restrictions that have been (hopefully?) set in config.
> One of our devs thinks the issue is with tomcat not honoring memory
> restrictions, so I'm trying to see if there's any way I can make sure it
> is.
>
> I'm also trying to figure out if this could be an issue with the Java code,
> and not tomcat config per se.
>
>
> >
> > > System info:
> > >
> > > Tomcat Version: Apache Tomcat/7.0.76
> > >
> > > JVM version: 1.8.0_191-b12
> > >
> > > OS: CentOS Linux release 7.6.1810 (Core)
> > >
> > >
> > > This seemed to indicate that catalina.sh isn’t the place for
> environment
> > > variables on Tomcat 7 for Linux:
> > >
> > > https://forums.centos.org/viewtopic.php?t=54207
> > >
> > >
> > > Since there isn’t a setenv.sh in /usr/local/tomcat/bin, we create one:
> > >
> > >
> >
> https://stackoverflow.com/questions/9480210/tomcat-7-setenv-sh-is-not-found
> > >
> > > 195$ ls -l /usr/local/tomcat/bin/setenv.sh
> > >
> > > -rwxrwxrwx. 1 root tomcat 110 May 11 12:56
> > /usr/local/tomcat/bin/setenv.sh
> > >
> > > 45$ cat /usr/local/tomcat/bin/setenv.sh
> > >
> >
> > Assuming you've installed tomcat using yum, the startup doesn't use
> > startup.sh at all so the setenv.sh script is ignored. Instead you want to
> > put your settings into /etc/tomcat/tomcat.conf which is sourced by the
> > systemd service unit. If you want to learn more about how that works,
> check
> > out the unit file to see which scripts it calls
> (/usr/libexec/tomcat/server
> > -> /usr/libexec/tomcat/preamble -> /usr/libexec/tomcat/functions).
> >
> >
> >
> To /etc/tomcat/tomcat.conf I added:
>
> # You can pass some parameters to java here if you wish to
> #JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
>
> JAVA_OPTS="-Xmx2048m -XX:MaxPermSize=2048m"
>
> And now see:
>
>  sudo journalctl -u tomcat -f :
>
> May 13 15:50:01 protrack server[24306]: OpenJDK 64-Bit Server VM warning:
> ignoring option MaxPermSize=2048m; support was removed in 8.0
>
> ...
>
> May 13 15:50:01 protrack server[24306]: INFO: Command line argument:
> -Xmx2048m
>
> May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM
> org.apache.catalina.startup.VersionLoggerListener log
>
> May 13 15:50:01 protrack server[24306]: INFO: Command line argument:
> -XX:MaxPermSize=2048m
>
> May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM
> org.apache.catalina.startup.VersionLoggerListener log
>
> May 13 15:50:01 protrack server[24306]: INFO: Command line argument:
> -Xms2048m
>
> May 13 15:50:01 protrack server[24306]: May 13, 2020 3:50:01 PM
> org.apache.catalina.startup.VersionLoggerListener log
>
> May 13 15:50:01 protrack server[24306]: INFO: Command line argument:
> -Xmx2048m
>
> ...
>
> May 13 15:51:23 protrack server[24306]: SEVERE: Unexpected death of
> background thread ContainerBackgroundProcessor[StandardEngine[Catalina]]
>
> May 13 15:51:23 protrack server[24306]: java.lang.OutOfMemoryError: GC
> overhead limit exceeded
>
> May 13 15:51:23 protrack server[24306]: Exception in thread
> "ContainerBackgroundProcessor[StandardEngine[Catalina]]"

Re: CentOS Tomcat install seems to ignore setenv.sh

2020-05-13 Thread Coty Sutherland
Hi,

Please see responses in line below. I'm top posting a bit because the
thread got off in the weeds about permissions it seems, which are important
but not exactly relevant to your problem IMO.

On Tue, May 12, 2020 at 11:28 AM Patrick Baldwin wrote:

> I've gotten passed an odd (to me, anyway) issue with one of our clients
> CentOS systems.
>
> When our webapp starts running, tomcat dies shortly thereafter with an
> OutOfMemoryError. This apparently just started a few days ago.
>

The issue isn't really odd. The JVM is telling you that something is
preventing the garbage collector from being effective and therefore
exhausting your heap space. See
https://docs.oracle.com/javase/8/docs/technotes/guides/vm/gctuning/parallel.html#parallel_collector_excessive_gc
for more information about the particular OOME you noted that you're
experiencing.


> System info:
>
> Tomcat Version: Apache Tomcat/7.0.76
>
> JVM version: 1.8.0_191-b12
>
> OS: CentOS Linux release 7.6.1810 (Core)
>
>
> This seemed to indicate that catalina.sh isn’t the place for environment
> variables on Tomcat 7 for Linux:
>
> https://forums.centos.org/viewtopic.php?t=54207
>
>
> Since there isn’t a setenv.sh in /usr/local/tomcat/bin, we create one:
>
> https://stackoverflow.com/questions/9480210/tomcat-7-setenv-sh-is-not-found
>
> 195$ ls -l /usr/local/tomcat/bin/setenv.sh
>
> -rwxrwxrwx. 1 root tomcat 110 May 11 12:56 /usr/local/tomcat/bin/setenv.sh
>
> 45$ cat /usr/local/tomcat/bin/setenv.sh
>

Assuming you've installed tomcat using yum, the startup doesn't use
startup.sh at all so the setenv.sh script is ignored. Instead you want to
put your settings into /etc/tomcat/tomcat.conf which is sourced by the
systemd service unit. If you want to learn more about how that works, check
out the unit file to see which scripts it calls (/usr/libexec/tomcat/server
-> /usr/libexec/tomcat/preamble -> /usr/libexec/tomcat/functions).


> export CATALINA_OPTS="-server -Xms2048m -Xmx2048m"
>
> export JAVA_OPTS="-XX:PermSize=256m -XX:MaxPermSize=2048m"
>
> 46$
>
>
> System memory before starting tomcat:
>
> 188$ free -h
>
>               total        used        free      shared  buff/cache   available
> Mem:            11G        2.3G        2.2G        2.0G        7.1G        6.7G
> Swap:          8.0G        1.0G        7.0G
>
>
> Started tomcat,  with sudo service tomcat start
>
> Tomcat journal error:
>
>
> May 11 17:48:59 protrack server[7298]: SEVERE: Unexpected death of
> background thread ContainerBackgroundProcessor[StandardEngine[Catalina]]
>
> May 11 17:48:59 protrack server[7298]: java.lang.OutOfMemoryError: GC
> overhead limit exceeded
>
> May 11 17:48:59 protrack server[7298]: Exception in thread
> "ContainerBackgroundProcessor[StandardEngine[Catalina]]"
> java.lang.OutOfMemoryError: GC overhead limit exceeded
>
> May 11 17:49:38 protrack server[7298]: Exception:
> java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in
> thread "http-bio-8080-AsyncTimeout"
>
> May 11 17:49:39 protrack server[7298]: Exception:
> java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in
> thread "ajp-bio-8009-AsyncTimeout"
>
> May 11 17:49:42 protrack server[7298]: Exception in thread
>
> "org.springframework.scheduling.quartz.SchedulerFactoryBean#0_QuartzSchedulerThread"
>
>
> Application log error:
>
> Caused by: java.lang.OutOfMemoryError: GC overhead limit exceeded
>
> 2020-05-11 17:49:50
> [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-2]
> ERROR o.s.t.i.TransactionInterceptor - Application exception overridden by
> rollback exception
>
> java.lang.OutOfMemoryError: GC overhead limit exceeded
>
>
> System memory while tomcat is up, after the OutOfMemoryError pops:
>
> ksmq_tv 191$ free -h
>
>               total        used        free      shared  buff/cache   available
> Mem:            11G        3.5G        1.0G        2.0G        7.1G        5.5G
> Swap:          8.0G        1.0G        7.0G
>
>
> Stopped with  sudo service tomcat stop
>
>
>
> System memory after tomcat stopped:
>
> ksmq_tv 194$ free -h
>
>               total        used        free      shared  buff/cache   available
> Mem:            11G        795M        3.7G        2.0G        7.1G        8.2G
> Swap:          8.0G        1.0G        7.0G
>
>
>
> It sure doesn't look like something is actually running the system out of
> memory at a system level; usage is definitely impacted by starting our app,
> but that's expected.
>

The system isn't running out of memory, Tomcat's JVM is. This could be due
to numerous things, so you'll have to do some digging to find out why that
is. I'd start by enabling/collecting/reviewing GC logging and a heap dump
from the time of the OOME, which you may have to take manually (I don't
recall if the HeapDumpOnOutOfMemory argument triggers with a GC overhead
error). As a simple solution try and increase the amount of heap that you
give the instance to see if the problem goes away or if it occurs after a

Re: Tomcat Server Using 100% CPU

2019-08-08 Thread Coty Sutherland
I'd suggest writing a small script to loop about 10 times and capture top
and thread dumps with jstack at the same time, then wait a few seconds then
repeat. After that you can grab the pid/tid from the top output and compare
that with your thread dump to see exactly what the thread is doing for the
iteration/duration you specify.

Other questions that I haven't seen asked, how long does the CPU usage
persist? Is it only at startup or does it randomly start after some uptime?
Have your webapps or dependencies changed around the time the issue
started? Do the working and nonworking servers run the same webapps with
the same workload?

On Thu, Aug 8, 2019 at 2:09 PM Eric Robinson 
wrote:

> Utkarsh and John, thank you for your feedback.
>
> Since everything was originally on Windows, and we built a new Linux
> server with fresh tomcat installs, and the only thing we moved over from
> the old Windows servers was the tomcat application folder itself, and the
> 100% CPU problem persisted, I can't imagine what else could be causing it
> except the tomcats, but I'm open to ideas.
>
> When it happens, all the tomcats start using high CPU at the same time.
> See the following top output.
>
> top - 11:06:44 up 1 day,  6:59,  7 users,  load average: 36.85, 32.67, 34.89
> Tasks: 245 total,   4 running, 241 sleeping,   0 stopped,   0 zombie
> %Cpu(s): 80.7 us, 13.5 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  5.7 si,  0.0 st
> KiB Mem : 48132572 total, 11677420 free,  5572688 used, 30882464 buff/cache
> KiB Swap: 15626236 total, 15584324 free,    41912 used. 41859232 avail Mem
>
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
> 19379 site211   20   0 3529072 447444  24632 S 120.4  0.9   3:37.19 java
> 20092 site555   20   0 2530376 375500  24496 S  72.4  0.8   2:01.44 java
> 21077 site450   20   0 2530292 298260  24292 S  69.6  0.6   1:10.92 java
> 20378 site436   20   0 3262200 347160  24096 S  68.3  0.7   2:47.26 java
> 19957 site522   20   0 2596856 373532  24364 S  52.0  0.8   2:37.13 java
> 19537 site396   20   0 2862724 386860  23820 S  51.1  0.8   2:34.25 java
> 19228 site116   20   0 3595652 490032  24640 S  50.5  1.0   5:03.28 java
> 20941 site456   20   0 2596996 338740  24488 S  49.2  0.7   1:32.89 java
> 20789 site354   20   0 2596920 327612  24480 S  42.9  0.7   1:30.47 java
> 20657 site327   20   0 3123004 346308  24540 S  41.4  0.7   1:50.97 java
> 20524 site203   20   0 2458376 340400  25416 S  39.8  0.7   1:48.01 java
> 19675 site487   20   0 2530296 390948  24408 S  35.7  0.8   2:37.95 java
> 20233 site535   20   0 2530292 324112  24360 S  32.9  0.7   1:54.31 java
> 19809 site514   20   0 2530216 400308  24340 S  25.7  0.8   2:35.97 java
>    44 root      20   0       0      0      0 R  19.1  0.0 159:46.15 ksoftirqd/7
>  3926 root      20   0  208512  22668   4128 S  16.9  0.0 242:45.07 iotop
>  2036 root      20   0       0      0      0 R  13.2  0.0   1:38.31 kworker/7:0
>
> I'll check the localhost_access logs and see if something suspicious
> stands out.
>
> --Eric
>
>
> -Original Message-
> From: Utkarsh Dave 
> Sent: Thursday, August 8, 2019 12:33 PM
> To: Tomcat Users List 
> Subject: Re: Tomcat Server Using 100% CPU
>
> Did you review the localhost_access log file? Which web application is
> using Tomcat the most?
>
> On Thu, Aug 8, 2019 at 9:53 AM Eric Robinson 
> wrote:
>
> > We have a farm of VMs, each running multiple instances of tomcat (up
> > to 80 instances per server). Everything has been running fine for
> > years, but recently one server has started nailing the CPU to 100%
> > utilization.
> >
> > We have tried:
> >
> >
> >   *   Different versions of tomcat and JDK
> >   *   Doubling the resources to 16 cores and 56 GB RAM
> >   *   Moving the VM to different physical server
> >   *   Rebuilding the tomcat instances on a brand new VM using Windows
> > Server 2019
> >   *   Rebuilding the tomcat instances on a brand new VM using Red Hat
> > Enterprise Linux 7.5
> >
> > Nothing has worked. No matter where we run the tomcats, they drive CPU
> > up to 100%. Meanwhile the other six servers are still running fine.
> > They all run the same canned tomcat applications.
> >
> > We would appreciate some guidance on getting to the bottom of this
> > problem.
> >
> > --Eric
> >
> >
> Disclaimer : This email and any files 
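The capture loop suggested in the reply above, as an added example that is not part of the original thread: it snapshots `top -H` and `jstack` together, then maps each busy thread ID from top (decimal) to the matching `nid=0x...` entry in the thread dump (hex). The function names, file layout, 50% threshold and the sample data in `write_samples` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, output file names and
# the default 50% CPU threshold are assumptions.

# top prints thread IDs in decimal; jstack prints them as hex "nid=0x...".
tid_to_nid() {
    printf '0x%x\n' "$1"
}

# hot_tids TOP_FILE [MIN_CPU]: print "TID %CPU" for threads at or above MIN_CPU.
hot_tids() {
    awk -v min="${2:-50}" '
        $1 == "PID" { for (i = 1; i <= NF; i++) if ($i == "%CPU") col = i; next }
        col && ($1 ~ /^[0-9]+$/) && (($col + 0) >= min) { print $1, $col }
    ' "$1"
}

# thread_for_tid TID JSTACK_FILE: print that thread's header line and frames.
# The nid token is compared as a whole field so 0x4bc never matches 0x4bc9.
thread_for_tid() {
    awk -v want="nid=$(tid_to_nid "$1")" '
        /^"/ { show = 0; for (i = 1; i <= NF; i++) if ($i == want) show = 1 }
        /^$/ { show = 0 }
        show
    ' "$2"
}

# report TOP_FILE JSTACK_FILE [MIN_CPU]: stack of every busy thread in one sample.
report() {
    hot_tids "$1" "${3:-50}" | while read -r tid cpu; do
        printf '== TID %s (nid=%s) at %s%% CPU ==\n' "$tid" "$(tid_to_nid "$tid")" "$cpu"
        thread_for_tid "$tid" "$2"
    done
}

# capture PID [ROUNDS] [PAUSE_SECONDS] [OUT_DIR]: take both snapshots at the
# same moment, pause, repeat. Run as the user that owns the JVM so jstack can attach.
capture() {
    pid=$1 rounds=${2:-10} pause=${3:-5} out=${4:-.}
    i=1
    while [ "$i" -le "$rounds" ]; do
        LC_ALL=C top -H -b -n 1 -p "$pid" > "$out/top.$i.txt" &
        jstack "$pid" > "$out/jstack.$i.txt"
        wait
        if [ "$i" -lt "$rounds" ]; then sleep "$pause"; fi
        i=$((i + 1))
    done
}

# write_samples DIR: constructed sample data so the matching can be tried offline.
write_samples() {
    cat > "$1/top.1.txt" <<'EOF'
top - 11:06:44 up 1 day,  6:59,  7 users,  load average: 36.85, 32.67, 34.89
Threads:  64 total,   1 running,  63 sleeping,   0 stopped,   0 zombie

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
19401 site211   20   0 3529072 447444  24632 R  97.3  0.9   3:12.40 java
19412 site211   20   0 3529072 447444  24632 S   1.3  0.9   0:04.77 java
EOF
    cat > "$1/jstack.1.txt" <<'EOF'
"http-bio-8080-exec-7" #41 daemon prio=5 os_prio=0 tid=0x00007f3c5c0a1000 nid=0x4bc9 runnable [0x00007f3c2d4f1000]
   java.lang.Thread.State: RUNNABLE
        at com.example.app.InputFilter.clean(InputFilter.java:88)
        at com.example.app.FormServlet.doPost(FormServlet.java:41)

"ContainerBackgroundProcessor[StandardEngine[Catalina]]" #18 daemon prio=5 os_prio=0 tid=0x00007f3c5c09a800 nid=0x4bd4 waiting on condition [0x00007f3c2d6f3000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
EOF
}

# Usage: sh hotthreads.sh capture PID
#        sh hotthreads.sh report top.3.txt jstack.3.txt
case "${1:-}" in
    capture) shift; capture "$@" ;;
    report)  shift; report "$@" ;;
esac
```

A thread that stays at the top of `report` across several rounds with the same frames is the one to investigate; a different thread each round points at load rather than a single stuck loop.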

Re: how to enable OCSP for Tomcat w OpenSSL

2019-04-02 Thread Coty Sutherland
Hi,

On Mon, Apr 1, 2019 at 3:30 PM John Palmer  wrote:

> What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
> tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
> 8.5.38 using Openssl ?


Setting `certificateVerification="require"` on your Connector and using a
client certificate that has an OCSP URI should be it. See
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
for more information on how to configure it.


>


> I'm sure I'm missing something simple and obvious (once pointed out) but
> I've been struggling with this all morning).
>
> 1) using Openssl (the tc-native-1.dll binary for Windows, compiled w OCSP
> support - the X64 dll from
> tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip)
> (will this even work with NIO2 ? - I don't HAVE to use NIO2)
>

It will work, but only if you're using the openssl implementation.


> (i'd prefer to have this working with OpenSSL for a couple of reasons).
> (extra points for a configuration to allow it to use Axways (formerly
> Tumbleweed) Desktop Validator for its OCSP-caching features).
>
> 2) using JSSE (java 8 (1.8.0_202)) with the NIO2 connector
> (I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
> options for the tomcat service).
>
>
> I can't see anything indicating OCSP checks in the logs for either.
>

There isn't any OCSP code in Tomcat and tomcat-native doesn't log much of
anything when it's in use, so there's not much indication that it's working
there.


>
> (when the tc-native-1.dll is present, the logs show it being used:
> INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> Loaded APR based Apache Tomcat Native library [1.2.21] using APR version
> [1.6.5].
> INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true].
> INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
> OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
> INFO [main]
> org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol
> The ["https-openssl-nio2-192.168.1.16-443"] connector has been configured
> to support negotiation to [h2] via ALPN
> INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> ProtocolHandler ["https-openssl-nio2-192.168.1.16-443"]
> )
>
>
> for JSSE, by adding -Djavax.net.debug=ssl to the Java Options for the
> tomcat service I see logging for key & trust stores being loaded, etc. in
> tomcat8-stdout(date).log
> the server requesting a client cert, the Client cert being received and
> finding a trusted root for it ("Found trusted certificate:"),
> but nothing about revocation checking
> (I do see:
> check handshake state: certificate_verify[15]
> update handshake state: certificate_verify[15]
>
> but I'm not sure that's revocation checking...).
>
> for OpenSSL, I'm not sure how to enable equivalent logging
> by enabling pretty much ALL the logging
> org.apache.coyote.http2.level=ALL
> org.apache.level=ALL
> org.apache.catalina.session.level=ALL
> I can see the truststore ("Added client CA cert") being loaded but not much
> else about certificates.
>
>
> Wireshark shows me OCSP calls for the SERVER cert, presumably from the
> browser (Firefox).
> (I'm testing this on a personal computer, tomcat and browser on the same
> computer).
> If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing
> them.
>
>
> the Connector part of the server xml.config file is (ip address and server
> name etc removed):
>
> <Connector address="a.b.c.d"
> port="443"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> maxThreads="150"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> >
>  />
> <SSLHostConfig protocols="+TLSv1.2+TLSv1.3"
> honorCipherOrder="true"
> certificateVerification="REQUIRED"
> truststoreFile="C:/certs/trustStore.pfx"
> truststoreType="PKCS12"
> truststorePassword="abcdef"
> >
> <Certificate certificateKeystoreFile="C:/certs/(server).pfx"
> certificateKeystoreType="PKCS12"
> certificateKeystorePassword="abcdef"
> />
> </SSLHostConfig>
> </Connector>
>


Re: [ANN] New committer: Woonsan Ko

2018-12-20 Thread Coty Sutherland
Congratulations and Welcome Woonsan!

On Wed, Dec 19, 2018 at 9:08 PM Keiichi Fujino  wrote:

> Congratulations!
> Welcome Woonsan!
>
> On Wed, Dec 19, 2018 at 18:56 Mark Thomas wrote:
>
> > On behalf of the Tomcat committers I am pleased to announce that
> > Woonsan Ko (woonsan) has been voted in as a new Tomcat committer.
> >
> > Please join me in welcoming him.
> >
> > Kind regards,
> >
> > Mark
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
> >
>
> --
> Keiichi.Fujino
>


Re: OCSP stapling in tomcat 7 with APR

2018-10-15 Thread Coty Sutherland
On Mon, Oct 15, 2018 at 11:39 AM Mark Thomas  wrote:

> On 15/10/18 16:20, Усманов Азат Анварович wrote:
> > how do I make sure ocsp is enabled on tomcat native
> >
> > when I try to pass --enable-ocsp to tomcat native configure i get
> > unrecognized option warning
>
> As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
> disable OCSP when building on Linux so you should be good with a
> standard build.
>

+1, just build it and as long as the openssl version you're using supports
it you're good.


>
> Mark
>
>
> >
> >
> >   ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
> > configure: WARNING: unrecognized options: --enable-ocsp
> > checking build system type... x86_64-pc-linux-gnu
> > checking host system type... x86_64-pc-linux-gnu
> > checking target system type... x86_64-pc-linux-gnu
> > checking for a BSD-compatible install... /usr/bin/install -c
> > checking for working mkdir -p... yes
> > Tomcat Native Version: 1.2.17
> > checking for chosen layout... tcnative
> > checking for APR... yes
> > configure: APR 1.6.5 detected.
> >   setting CC to "gcc"
> >   setting CPP to "gcc -E"
> >   setting LIBTOOL to "/usr/local/apr/build-1/libtool"
> > checking JAVA_HOME... /usr/java/jdk1.7.0_79
> >   adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
> > checking for JDK os include directory...  linux
> >   adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
> > checking for gcc... gcc
> > checking whether the C compiler works... yes
> > checking for C compiler default output file name... a.out
> > checking for suffix of executables...
> > checking whether we are cross compiling... no
> > checking for suffix of object files... o
> > checking whether we are using the GNU C compiler... yes
> > checking whether gcc accepts -g... yes
> > checking for gcc option to accept ISO C89... none needed
> > checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
> > checking OpenSSL library version >= 1.0.2... ok
> > checking for OpenSSL DSA support... yes
> >   adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
> >   setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
> >   adding "-DHAVE_OPENSSL" to CFLAGS
> >   setting TCNATIVE_LIBS to ""
> >   setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  -lpthread"
> > checking for apr_pollset_wakeup in -lapr-1... yes
> >   adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
> > configure: creating ./config.status
> > config.status: creating tcnative.pc
> > config.status: creating Makefile
> > config.status: executing default commands
> > configure: WARNING: unrecognized options: --enable-ocsp
> >
> >
> >
> > 
> > From: Mark Thomas
> > Sent: October 15, 2018, 15:01:58
> > To: users@tomcat.apache.org
> > Subject: Re: OCSP stapling in tomcat 7 with APR
> >
> > On 14/10/18 18:45, Усманов Азат Анварович wrote:
> >> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
> >> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
> >> stapling on Tomcat
> >> so that
> >> When OCSP is enabled, a server will pre-fetch the OCSP response for its
> >> own certificate and deliver the response to the user's browser during the
> >> TLS handshake. This eliminates the need to make a separate connection to
> >> the CA's revocation service before the Web page is displayed, improving the
> >> page's performance and reliability.
> >> I did search the mailing list and found this question
> >> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> >> but that user is using the JSSE implementation for TLS, not APR.
> >> The documentation for Tomcat 7 does have an example
> >>
> >> <Connector port="8443"
> >>protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>secure="true" scheme="https"
> >>SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
> >>SSLCertificateKeyFile="/path/to/ocsp-cert.key"
> >>SSLCACertificateFile="/path/to/ca.pem"
> >>SSLVerifyClient="require"
> >>SSLVerifyDepth="10"
> >>clientAuth="true"/>
> >>
> >>
> >> but that is for client-cert verification, Can we do it on server side?
> >> or do I miss something on how ocsp is supposed to work in the first place?
> >
> > If you build an OCSP enabled version of the APR/native connector, OCSP
> > stapling should just happen without any additional configuration.
> > Assuming you use an appropriate certificate etc.
> >
> > Mark
> >
> >
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
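One way to confirm from the client side that the connector discussed in this thread is actually stapling, as an added example that is not part of the original thread: it classifies the output of `openssl s_client -status`. The function names are assumptions and the `sample_*` outputs are constructed, abbreviated s_client transcripts.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are assumptions; the
# sample transcripts below are constructed and abbreviated.

# stapling_status: read `openssl s_client -status` output on stdin and print
#   none                     no OCSP response was stapled to the handshake
#   error                    a response was stapled but is not "successful"
#   good | revoked | unknown the stapled status of the server certificate
# Exit status is 0 only for "good", so the function can gate a deployment check.
stapling_status() {
    awk '
        /OCSP Response Status:/ { if ($4 != "successful") failed = 1 }
        /Cert Status:/          { if (status == "") status = $3 }
        END {
            if (failed)            result = "error"
            else if (status == "") result = "none"
            else                   result = status
            print result
            exit (result == "good" ? 0 : 1)
        }
    '
}

# staple_next_update: print the Next Update time of the stapled response, so a
# server that keeps serving an expired staple can be spotted.
staple_next_update() {
    awk '/Next Update:/ { sub(/^.*Next Update: */, ""); print; exit }'
}

# check_stapling HOST [PORT]: live check against a running connector.
check_stapling() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

sample_stapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 15 10:00:00 2018 GMT
    Next Update: Oct 22 10:00:00 2018 GMT
EOF
}

sample_not_stapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

sample_revoked() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Oct 14 08:30:00 2018 GMT
EOF
}

sample_trylater() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
EOF
}

# Usage: sh stapling.sh check HOST [PORT]
if [ "${1:-}" = "check" ]; then
    shift
    check_stapling "$@"
fi
```

A result of `none` from a build that should staple usually means the certificate carries no OCSP responder URI or the server cannot reach the responder.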

Re: 2018.03.07-2 Bundle issue with tomcat 8 - Post

2018-08-28 Thread Coty Sutherland
On Fri, Aug 17, 2018 at 9:51 AM Olaf Kock  wrote:

>
> On 17.08.2018 15:40, Mandal, Jayanta wrote:
> > Tomcat Version : We upgraded our tomcat environment from bundle
> > 2016.10.31-2 to 2018.03.07-2 & suddenly we are seeing all Post method
> > stopped working with new bundle.
> >
> >                  Previous Value                          Changed Value
> > Bundle           2016.10.31-2                            2018.03.07-2
> > Tomcat Server:   8.0.18-62_patch_01.ep7.el6.-patch-01    8.0.36-17.ep7.el6.0
>

This version information shows that you're using a version of Tomcat
provided by a Red Hat product. For assistance with this, please open a
support case with Red Hat.


> >
> As the downloads on tomcat.apache.org have only 3 digits for the version
> numbers: You're asking about /some/ version that /someone/ has packaged
> according to unknown standards and with unknown patches. Plus, it's a
> version that is already past its end of life, check
> https://tomcat.apache.org/tomcat-80-eol.html
>
> Your best bet is to upgrade to 8.5 or 9.0. Use a stock version from
> tomcat.apache.org if you expect help on this list. If you expect support
> from your OS vendor (or whoever packaged this version for you), they'd
> be the ones to contact. They might provide support beyond this version's
> end-of-life.
>
> Olaf
>
>
>


Re: problem in starting tomcat

2018-06-27 Thread Coty Sutherland
On Wed, Jun 27, 2018 at 1:08 PM, Prateek  wrote:

> Hi Chris,
>
> By hardened, I meant that support for some FIPS non-compliant algos were
> removed/disabled.
>
> Thanks for confirming again that this is a clear problem with the JVM.
>

From what you've given us this is a JVM problem and nothing that we can fix
for you. At this point, we're just trying to verify that you get the same
issue on a stable JVM as you do with the Java 11 Early Access release.


>
> While the current version of Java is 10, as per the support roadmap at
> http://www.oracle.com/technetwork/java/javase/eol-135779.html
> the support for Java 10 ends within 6 months of end of support for Java
> 8.  We are trying to have our product ship with the version of Java, which
> has support availability beyond these timelines.
>
> I have tried running with Java 10 and hit the same issue.  I am not sure
> about the Java 11.super-alpha that you were referring to.  Can you please
> point me in that direction.
>

Please provide the hs_err_pid from a run with Java 10 so that we can verify
that the failure is the same.


>
> Thanks and Regards,
> Prateek.
>
> From: Christopher Schultz
> Sent: Wednesday, June 27, 2018 10:04 PM
> To: users@tomcat.apache.org
> Subject: Re: problem in starting tomcat
>
>
> Prateek,
>
> On 6/27/18 12:04 PM, Prateek wrote:
> > Hi Chris,
> >
> > We are running, libtcnative version 1.2.16 with apr version 1.6.3,
> > compiled from the source, configured to use a hardened version of
> > OpenSSL version 1.0.2.
>
> (LOL hardened OpenSSL)
>
> Given your full crash-dump, it's clear it's a problem with the JVM,
> though. Your use of libtcnative appears to be irrelevant.
>
> > Also, we have tried using the release quality JVM build
> > (1.8.0_162) and have no issues with launching tomcat with that.
> > (Assume that we can take this for hw being good)
>
> So when you use a JVM that's expected to work, it works? Great.
>
> > We are preparing for moving to the latest version of JRE available
> > given that support for Java 8 is going to end soon.
>
> Sure, support for Java 8 ends soon, but the current version of Java is
> 10, not 11.
>
> What happens when you run with Java 10.stable instead of Java
> 11.super-alpha?
>
> - -chris
>
>
>
>


Re: problem in starting tomcat

2018-06-26 Thread Coty Sutherland
On Tue, Jun 26, 2018 at 12:27 PM, Prateek Yadav 
wrote:

> Thanks for reply
>  I already tested it for more than one machine so hardware problem can not
> be a case.
>

What happens if you don't specify that OnError call? Can you attach a
fuller stack trace if not the entire hs_err_pid log (make sure there isn't
anything sensitive in there)? If the JVM is crashing you should still get
an hs_err_pid log, but given that the crash is in libc and we don't know
what isegencore.sh is, removing it and getting a clearer stack trace would
be nice.


>
> On Tue, Jun 26, 2018, 9:40 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> >
> > Prateek,
> >
> > On 6/25/18 11:20 PM, Prateek wrote:
> > > Hi, My configuration: OS:REDHAT 7.5 (64 bit) Tomcat: 8.5.31 Jdk-
> > > jdk-11(Early-Access)
> > >
> > > When I am trying to start my server I got following error as: A
> > > fatal error has been detected by the Java Runtime Environment: # #
> > > SIGSEGV (0xb) at pc=0x7fd4f206e28a, pid=2412, tid=2412 # # JRE
> > > version:  (11.0+18) (build ) # Java VM: Java HotSpot(TM) 64-Bit
> > > Server VM (11-ea+18, mixed mode, aot, sharing, tiered, compressed
> > > oops, g1 gc, linux-amd64) # Problematic frame: # C
> > > [libc.so.6+0x8128a]  strlen+0x2a
> >
> > Are you running any custom native code (including libtcnative)? If
> > not, either the JVM or your hardware is to blame.
> >
> > First, I'd re-try with a release-quality JVM build instead of the
> > "early access" build, which may have some bugs in it. If that doesn't
> > help, it's time to look at your hardware.
> >
> > Run several rounds of memtest86+ on your hardware to see whether it
> > finds any errors. If you find errors, you have a hardware failure in
> > your CPU, motherboard, or memory, and you'll need to replace one or
> > more components.
> >
> > - -chris
> >
> >
> >
>


Re: How to configure Tomcat for OCSP stapling?

2018-05-28 Thread Coty Sutherland
Hi,

On Mon, May 28, 2018 at 7:22 PM, Mark Boon  wrote:

> My company asked to enable OCSP stapling for our Tomcat server. I found
> the documentation about configuring a Tomcat OCSP Connector here:
>
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>
>
>
> However, if I’m not mistaken those are instructions for how to set up an
> OCSP responder. But I think in my case, the OCSP responder is the CA that
> issued the certificate. What I need is to instruct Tomcat so that it makes
> the call to the OCSP responder that is specified in the CA signed
> certificate and ‘staples’ the resulting ticket to the certificate before
> presenting it to the client.
>

You're correct. The configuration document does mention the OCSP responder,
but you really don't need to do anything special in tomcat to enable OCSP.
If your connector has certificateVerification or clientAuth enabled, then
tomcat will do the needful with the client certificate (including verify it
with OCSP if the OCSP url is present).


>
>
> Does anyone know of a place with instructions how to do something like
> this? Or possibly I’m not quite understanding the process of OCSP stapling,
> in which case any pointers on what it means and how it works with Tomcat
> would be much appreciated.
>
>
>
>
>
> *Mark Boon*
> *Staff Engineer*
> mb...@vmware.com
> 3401 Hillview Avenue, Palo Alto, CA 94304
> 
> 650.123.4567 Office
> 808.234.4892 Mobile
>
>
>


Re: javax.servlet.Filter failed to start error. How to debug it?

2018-04-03 Thread Coty Sutherland
On Tue, Apr 3, 2018 at 8:47 AM, Luis Rodríguez Fernández
 wrote:
> Hello there,
>
> I've realized that if I make a typo in my  declaration I get
> something in the catalina.out like:
>
> Apr 03, 2018 2:27:01 PM org.apache.catalina.core.StandardContext
> startInternal
> SEVERE: One or more Filters failed to start. Full details will be found in
> the appropriate container log file
> Apr 03, 2018 2:27:01 PM org.apache.catalina.core.StandardContext
> startInternal
> SEVERE: Context [/examples] startup failed due to previous errors

Did you check the localhost.$(date).log ? That is the "appropriate
container log file" mentioned in the message above, unless you changed
the Host's name or logging config to turn it off :)

> The catalina.log gives me the same information :(
>
> I have also tried increasing the logging level of org.apache.catalina.core
> adding
>
> org.apache.catalina.core.level = ALL
> org.apache.catalina.startup.level = ALL
>
> into my ${CATALINA_HOME}/conf/logging.properties I did not get any useful
> information either.
>
> Is there a way of debugging these kind of issues?
>
> Thanks in advance,
>
> Luis
>
> Server version: Apache Tomcat/9.0.5
> Server built:   Feb 6 2018 21:42:23 UTC
> Server number:  9.0.5.0
> OS Name:Linux
> OS Version: 4.4.0-116-generic
> Architecture:   amd64
> JVM Version:1.8.0_151-b12
> JVM Vendor: Oracle Corporation
>
> Tomcat running on docker FROM tomcat:9.0.5-jre8-alpine
> Alpine release 3.7.0
> Linux d799b4063c4c 4.4.0-116-generic
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett




Re: HOME user folder change & tomcat HOME

2018-03-27 Thread Coty Sutherland
Hi,

This sounds like a problem specific to the distribution's tomcat
package, which is usually better served by the distribution's
community rather than Tomcat's (they repackage what we provide). You
may want to ask on their users list/support forum/etc, but I will try
and help though :)

On Tue, Mar 27, 2018 at 11:27 AM, Jérôme Redouté  wrote:
> Hello,
>
> I've installed tomcat8 on Debian 9, to run a web App (XNAT)
>
> I've a problem concerning the HOME directory of my user "xnat".
>
> Before the HOME was, as expected, in /home/xnat

Before what? Before you installed the Debian tomcat package? Or did
you install the xnat package? Something else?

> but now (after deploying XNAT app), it moved to /var/lib/tomcat8

When you say deploy, do you mean install xnat's package? Or copy a war
into place? I ask because /var/lib/tomcat8 isn't CATALINA_BASE or
CATALINA_HOME (which were my first thoughts), so it seems to have some
configuration elsewhere.

>
> and I can't reverse back to the original HOME.
>
> I suspect it is related to misconfiguration of tomcat, but I can't find
> where.

That output looks pretty standard for a distro's tomcat package
(follows FHS with /usr/share/tomcat8, etc).

>
> Can you help me?
>
> few infos concerning my tomcat install:
>
>> Using CATALINA_BASE:   /usr/share/tomcat8
>> Using CATALINA_HOME:   /usr/share/tomcat8
>> Using CATALINA_TMPDIR: /usr/share/tomcat8/temp
>> Using JRE_HOME:/usr
>> Using CLASSPATH:
>> /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar
>> Server version: Apache Tomcat/8.5.14 (Debian)
>> Server built:   Sep 3 2017 17:51:58 UTC
>> Server number:  8.5.14.0
>> OS Name:Linux
>> OS Version: 4.9.0-6-amd64
>> Architecture:   amd64
>> JVM Version:1.8.0_162-8u162-b12-1~deb9u1-b12
>> JVM Vendor: Oracle Corporation
>
>
>
>
> Thanks
>
>
>
>




Re: worker0 tomcat ,manager is not wotking

2018-03-20 Thread Coty Sutherland
On Tue, Mar 20, 2018 at 6:40 AM, Loai Abdallatif
 wrote:
> Thanks Schultz
>
> the error is described in the url link below, The issue has been fixed
> using following these steps:
>
>- Go to Tomcat installation and then /opt/worker0/webapps/manager/
>META-INF
>- Open context.xml and comment Valve section as below, and it now works
>fine, but why is that happened?

You commented out the RemoteAddrValve
(https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_Address_Valve)
so you were trying to access the manager application on an IP that
wasn't allowed (wasn't 127.0.0.1).

>
>**   sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
>
>
> source : https://geekflare.com/tomcat-login-problem/
>
> On Tue, Mar 20, 2018 at 12:32 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>>
>> Loai,
>>
>> On 3/19/18 4:43 PM, Loai Abdallatif wrote:
>> > I have running three tomcat instances worker0,worker1 and worker2
>> >
>> > the http connector to worker0 is listening on port 8080 but the
>> > manager is not opening as below and the tomcat-users.xml is
>> > configured as this:
>> >
>> > root@appserver01:/opt/worker0/conf# cat tomcat-users.xml > > version="1.0" encoding="utf-8"?>  > > rolename="manager-gui"/> > > password="password" roles="manager-gui"/> 
>> >
>> > unfortunately still not working and keep sending forbidden as below
>>
>> Your image was stripped from the mailing list. Can you find a way to
>> show the problem using text only?
>>
>> - -chris
>>
>>
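
Added example, not part of the thread and not Tomcat code: a Python model of the address check that the Remote Address Valve applies to the manager application, showing which clients get through with the valve in place, with it commented out, and with a narrowed extension. The loopback-only `allow` pattern is assumed to be the one shipped in the manager's context.xml; the admin subnet and the client addresses are constructed.

```python
import re

# Assumption: the loopback-only pattern shipped in the manager's META-INF/context.xml.
LOOPBACK_ONLY = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# Hypothetical admin subnet appended to the pattern instead of commenting the valve out.
LOOPBACK_PLUS_ADMIN = LOOPBACK_ONLY + r"|10\.20\.30\.\d+"

# Constructed client addresses. "210.20.30.7" only contains the admin prefix as a
# substring, so it shows why the whole address has to match.
CLIENTS = ["127.0.0.1", "::1", "10.20.30.7", "192.168.1.50", "203.0.113.9", "210.20.30.7"]


def valve_status(remote_addr, allow, deny=None, deny_status=403):
    """Return 200 if the request is passed on, otherwise the deny status.

    A deny match wins over an allow match, and a pattern must match the whole
    address (the equivalent of Java's Matcher.matches()), not a substring.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return deny_status
    if re.fullmatch(allow, remote_addr):
        return 200
    return deny_status


def exposure(clients, allow):
    """Clients that pass the address check. allow=None models the valve being
    commented out: no address filtering at all (authentication still applies)."""
    if allow is None:
        return list(clients)
    return [c for c in clients if valve_status(c, allow) == 200]


def newly_exposed(clients, before, after):
    """Clients that could not reach the application before the change but can after."""
    old = set(exposure(clients, before))
    return [c for c in exposure(clients, after) if c not in old]


if __name__ == "__main__":
    print("shipped pattern     :", exposure(CLIENTS, LOOPBACK_ONLY))
    print("valve commented out :", newly_exposed(CLIENTS, LOOPBACK_ONLY, None))
    print("narrowed extension  :", newly_exposed(CLIENTS, LOOPBACK_ONLY, LOOPBACK_PLUS_ADMIN))
```

Extending `allow` admits only the one subnet, while removing the valve admits every address in the sample.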




Re: Binding a non root user to port 443

2018-03-13 Thread Coty Sutherland
This looks like a continuation of this thread from 11 days ago:
https://www.mail-archive.com/users@tomcat.apache.org/msg128541.html

On Tue, Mar 13, 2018 at 2:16 PM, Cheltenham, Chris
 wrote:
> Chris,
>
> I see JSVC will allow a non root user to bind to 443
> Somehow I have to get these libraries into TOMCAT?
>
> Correct?
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, March 13, 2018 2:03 PM
> To: Tomcat Users List 
> Subject: Re: Binding a non root user to port 443
>
> Chris,
>
> On 3/13/18 1:26 PM, Cheltenham, Chris wrote:
>> Is there a way to redirect ports 80 and 443 to 8443.
>>
>> I have a non root user but I cannot use CentOS firewalld nor iptables.
>
> How about authbind?
>
>> I have tried these things.
>>
>> 

Re: where to find org.apache.catalina.filters.RemoteAddrFilter?

2018-03-01 Thread Coty Sutherland
On Thu, Mar 1, 2018 at 3:35 PM, Zari Ladak  wrote:
> Hi All,
>
> I would like to use the org.apache.catalina.filters.RemoteAddrFilter
> filter as part of my web.xml settings. I am just curious to know which
> jar file has that class.

You can find which paths are included in which jars from the build.xml
(though it takes a bit of knowledge about what ant is doing), or a
quick grep on the jar files in lib:

$ grep RemoteAddrFilter lib/*
Binary file lib/catalina.jar matches

> Please let me know
> Thanks,
> Zari
>



Re: [OT] Running as user tomcat [authbind]

2018-02-26 Thread Coty Sutherland
On Mon, Feb 26, 2018 at 9:59 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Coty and André,
>
> On 2/23/18 6:58 PM, Coty Sutherland wrote:
>> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
>> I've been planning to push a solution for that, just haven't gotten
>> around to it yet.
>>
>> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
>> <a...@ice-sa.com> wrote:
>>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>>>
>>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>>>
>>>>> Hi Chris,
>>>>>
>>>>>
>>>>>
>>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>>>> <ccheltenham-...@philasd.org> wrote:
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I am trying to run tomcat as a non root user.
>>>>>>
>>>>>> It will start as the tomcat user but it will not bind to
>>>>>> connector 443 unless it starts as root.
>>>>>>
>>>>>> Does anyone know why?
>>>>>
>>>>>
>>>>> Unix will not let you open ports below 1024 as non-root
>>>>> user!
>>>>>
>>>>> You may use a proxy in front of it or maybe use iptables to
>>>>> be able to use standard ports AND user tomcat.
>>>>
>>>>
>>>> See also :
>>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>
>>>
>>> Or if you are running under Linux, check :
>>> https://en.wikipedia.org/wiki/Authbind
>
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?

I'm not sure about authbind, but selinux is effectively a whitelist
which only includes a handful of ports (in http_port_t)...assuming
that it's enabled.

>
> - -chris



Re: Running as user tomcat

2018-02-23 Thread Coty Sutherland
Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :) I've
been planning to push a solution for that, just haven't gotten around
to it yet.

On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)  wrote:
> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>
>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>
>>> Hi Chris,
>>>
>>>
>>>
>>>> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:
>>>>
>>>> Hello All,
>>>>
>>>> I am trying to run tomcat as a non root user.
>>>>
>>>> It will start as the tomcat user but it will not bind to connector 443
>>>> unless it starts as root.
>>>>
>>>> Does anyone know why?
>>>
>>>
>>> Unix will not let you open ports below 1024 as non-root user!
>>>
>>> You may use a proxy in front of it or maybe use iptables to be able to
>>> use standard
>>> ports AND user tomcat.
>>
>>
>> See also : https://commons.apache.org/proper/commons-daemon/jsvc.html
>
>
> Or if you are running under Linux, check :
> https://en.wikipedia.org/wiki/Authbind
>
>
>
>>
>>>
>>>> 23-Feb-2018 09:14:59.140 SEVERE [main]
>>>> org.apache.catalina.core.StandardService.initInternal Failed to
>>>> initialize connector [Connector[HTTP/1.1-443]]
>>>> org.apache.catalina.LifecycleException: Failed to initialize component
>>>> [Connector[HTTP/1.1-443]]
>>>>
>>>> I’m using java 9.0.4 and Tomcat 8.5.28
>>>>
>>>>
>>>> ===
>>>>
>>>> Thank You;
>>>>
>>>> Chris Cheltenham
>>>> Technology Services
>>>> The School District of Philadelphia
>>>>
>>>> Work # 215-400-5025
>>>> Cell # 215-301-6571
>>>
>>>
>>> Best regards
>>>
>>> Peter
>>>
>>
>>



Re: Error parsing HTTP request header, HTTP method names must be tokens

2018-02-20 Thread Coty Sutherland
On Tue, Feb 20, 2018 at 4:01 PM, Alex O'Ree  wrote:
> I keep running into an IllegalArgumentException at or near startup of
> tomcat 8.5 with a bunch of cxf web services deployed and I have no idea
> what's causing it. The error message mentions turning on logging at the
> debug level.

Random shot in the dark given the minimal data provided :) Does it
look like this:

INFO [http-nio-8080-exec-3] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:460)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:291)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

If so, then your client is sending you requests with unencoded special
characters that are now disallowed by Tomcat.

> Question: Assuming i need to edit the logging.properties file, which
> setting/line do i have to edit to reveal what the root cause is?

I can't answer that without more information. What is throwing the
exception? A stack trace would be helpful.
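
Added example, not part of the thread and not Tomcat's parser: a Python check that flags request targets containing characters RFC 3986 does not permit unencoded in a path or query, the condition the exception above names, and shows the percent-encoded form a client should send. The request lines are constructed.

```python
import string
from urllib.parse import quote

# RFC 3986 characters that may appear unencoded in a path or query.
UNRESERVED = string.ascii_letters + string.digits + "-._~"
SUB_DELIMS = "!$&'()*+,;="
PATH_QUERY_EXTRA = ":@/?"
ALLOWED = set(UNRESERVED + SUB_DELIMS + PATH_QUERY_EXTRA)
HEX = set(string.hexdigits)

# Constructed request lines, as a client might send them.
SAMPLE = [
    'GET /services/OrderService?wsdl HTTP/1.1',
    'GET /api/items?filter={"type":"book"} HTTP/1.1',
    'GET /api/items?range=1|5 HTTP/1.1',
    'GET /docs/annual report.pdf HTTP/1.1',
    'GET /api/items?q=caf%C3%A9&pct=100% HTTP/1.1',
]


def illegal_chars(target):
    """Return (offset, char) for every character that has to be percent-encoded."""
    bad = []
    i = 0
    while i < len(target):
        ch = target[i]
        if ch == "%":
            # A percent sign is valid only as the start of a %XX escape.
            if len(target) >= i + 3 and set(target[i + 1:i + 3]) <= HEX:
                i += 3
                continue
            bad.append((i, ch))
        elif ch not in ALLOWED:
            bad.append((i, ch))
        i += 1
    return bad


def encode_target(target):
    """Percent-encode only the offending characters; valid ones and %XX escapes stay."""
    bad_offsets = {offset for offset, _ in illegal_chars(target)}
    return "".join(
        quote(ch, safe="") if i in bad_offsets else ch
        for i, ch in enumerate(target)
    )


def split_request_line(line):
    """Split 'METHOD target HTTP/x.y'; a raw space inside the target stays in the target."""
    method, _, rest = line.partition(" ")
    target, _, version = rest.rpartition(" ")
    return method, target, version


def audit(request_lines):
    """Report every request line whose target carries unencoded illegal characters."""
    report = []
    for line in request_lines:
        _, target, _ = split_request_line(line)
        bad = illegal_chars(target)
        if bad:
            report.append({
                "target": target,
                "illegal": [ch for _, ch in bad],
                "encoded": encode_target(target),
            })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry["illegal"], entry["target"], "->", entry["encoded"])
```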




Re: TomcatCon Training: Tomcat for Administrators

2018-02-19 Thread Coty Sutherland
On Mon, Feb 19, 2018 at 4:30 PM, Mark Thomas <ma...@apache.org> wrote:
> On 19/02/18 17:53, Israel Timoteo wrote:
>> Any plans for having this type of sessions in the US?
>
> We are expecting a Tomcat presence at ApacheCon NA in September in Canada.
> I expect we'll have some of this content available there.
>
> Beyond that it will be down to there being:
> - the audience
> - the content available that the audience want
> - someone available who can deliver the content
>
> The community can help with at least 2 of those 3.
>
> There is also the possibility of delivery via a Webinar style approach
> but I'm really not sure how well that would work for a training course.

Did I suggest (or mention that I was planning on) doing something like
https://www.katacoda.com/ before? I think an interactive approach to
training would be awesome. Using containers for Tomcat seems a bit
redundant to me (mostly because I don't have any real deployments of
Tomcat), I think that using them for demoing things and having
reproducible environments would be a good user experience for
trainees.

>
> Mark
>
>>
>> 
>> Israel Timoteo
>>
>>> On Feb 19, 2018, at 10:50 AM, Rémy Maucherat <r...@apache.org> wrote:
>>>
>>> On Mon, Feb 19, 2018 at 5:28 PM, Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 19/02/18 16:23, Coty Sutherland wrote:
>>>>> Do we plan on doing any audio or video to go along with the slides for
>>>>> these? We could add them to the youtube channel for those that can't
>>>>> attend the live training.
>>>>
>>>> My current thinking is that I'd do a separate recording of the modules
>>>> for that rather than try and record the sessions. I want to be able to
>>>> focus on the attendees in the training. The recording would be video of
>>>> the slides and demos with audio of me talking.
>>>>
>>>
>>> As you said in London, that's material that is usually really nice when
>>> you're there, but really boring when you're by yourself watching on
>>> youtube. Although I agree we need one (current) copy of the trainings on
>>> youtube for reference ...
>>>
>>> Rémy
>>>
>>>
>>>>
>>>> Mark
>>>>
>>>>
>>>>>
>>>>> On Mon, Feb 19, 2018 at 9:50 AM, Mark Thomas <ma...@apache.org> wrote:
>>>>>> All,
>>>>>>
>>>>>> The Apache Tomcat PMC is delighted to announce that the registration for
>>>>>> the training course "Tomcat for Administrators" is now open.
>>>>>>
>>>>>> This one-day training course will take place in central Manchester, UK
>>>>>> on Tuesday April 10, 2018.
>>>>>>
>>>>>> Full details, including the schedule is available on the website:
>>>>>> http://tomcat.apache.org/conference.html
>>>>>>
>>>>>> Registration is via EventBrite:
>>>>>> https://www.eventbrite.com/e/tomcatcon-training-tomcat-for-administrators-tickets-43039556472?aff=lists
>>>>>>
>>>>>> We hope to see you there.
>>>>>>
>>>>>> Mark
>>>>>> on behalf of the Apache Tomcat PMC
>>>>>>



Re: TomcatCon Training: Tomcat for Administrators

2018-02-19 Thread Coty Sutherland
Do we plan on doing any audio or video to go along with the slides for
these? We could add them to the youtube channel for those that can't
attend the live training.

On Mon, Feb 19, 2018 at 9:50 AM, Mark Thomas  wrote:
> All,
>
> The Apache Tomcat PMC is delighted to announce that the registration for
> the training course "Tomcat for Administrators" is now open.
>
> This one-day training course will take place in central Manchester, UK
> on Tuesday April 10, 2018.
>
> Full details, including the schedule is available on the website:
> http://tomcat.apache.org/conference.html
>
> Registration is via EventBrite:
> https://www.eventbrite.com/e/tomcatcon-training-tomcat-for-administrators-tickets-43039556472?aff=lists
>
> We hope to see you there.
>
> Mark
> on behalf of the Apache Tomcat PMC
>



Re: OOM Issues with Tomcat/8.5.20 and JRE/1.8.0_144-b01

2018-02-15 Thread Coty Sutherland
On Thu, Feb 15, 2018 at 10:02 AM, Kanduri, Rakesh Kumar X. -ND
 wrote:
> Hi All,
>
> We are facing Out Of Memory issue in our Tomcat Server v8.5.20 as shown in 
> the below logs.
> Note: Though the error message says insufficient memory, we checked for the 
> available physical memory on the server and there is sufficient amount of 
> free memory available at the time of this Error.
> The same set of applications are working fine without any issues on 
> TC/7.0.35.B.RELEASE; JRE/1.7.0_17-b02
> Hence any insights and recommendations to fix this issue will be very 
> helpful. Thank you.
>
> Error:
> Exception in thread "JMX server connection timeout 16183" Hibernate: update 
> ONAIRAUTOMATION.IMAGINE_SCHEDULES_AUDIT_TBL set TIME_STARTED=?, TIME_ENDED=?, 
> FILENAME=?, SCHEDULES_COUNT=?, SCHEDULE_ELEMENTS_COUNT=?, AS_RUN_COUNT=?, 
> STATUS=?, ERROR_MESSAGE=? where AUDIT_ID=?
> java.lang.OutOfMemoryError: Metaspace
> Exception in thread "RMI TCP Connection(idle)" java.lang.OutOfMemoryError: 
> Metaspace

You're running out of space in the JVM's Metaspace region (where class
metadata is stored), not system memory.  Metaspace is roughly
equivalent to PermGen from Java 7 and prior versions. The exception
means that you have more classes being loaded in the JVM than will fit
in your currently defined Metaspace. My first suggestion would be to
try increasing the size of Metaspace via the JVM argument
MaxMetaspaceSize. I'd also suggest reading up on the exception in the
Oracle documentation for Java 8, here
https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/memleaks002.html
(search for Metaspace).

> #
> # There is insufficient memory for the Java Runtime Environment to continue.
> # Native memory allocation (malloc) failed to allocate 1380048 bytes for 
> Chunk::new
> # An error report file with more information is saved as:
> # /tmp/hs_err_pid11058.log
>
> Regards,
> Rakesh Kumar Kanduri
> Disney ABC Television Group
> Cognizant Technology Solutions Ltd. | 
> www.cognizant.com
> US Dial: +1 973 368 9600 Ext 670002
> Offshore Direct: +91-40-66690-002 | Cell: +91 9985429546
> DATG IT ESB On Call # +1 818 869 2690
> Email - 
> datg.dl-esb.infrastruct...@disney.com
>




Re: Tool to analyze the core/heap dump

2018-02-05 Thread Coty Sutherland
On Mon, Feb 5, 2018 at 3:16 PM, Igal @ Lucee.org  wrote:
> On 2/5/2018 11:15 AM, Johan Compagner wrote:
>>
>> Jvisualvm that ships with java8 or yourkit (you can evaluate for some
>> time)
>>
>> On 5 Feb 2018 at 19:43, "D, Dwarakesh (External)" <
>> dwarakes...@xerox.com> wrote:
>>
>>> We have core and heap dump files generated from tomcat in our Solaris
>>> server. Is there any best tool to analyze those logs, please suggest on
>>> this.
>>>
>>> Thanks,
>>> Dwarakesh
>
> Try Eclipse MAT:
> https://www.eclipse.org/mat/

+1 for MAT, though it's a bit difficult if you're using IBM's JDK. For
core dumps, ADB on Solaris works well.

> Igal Sapir
> Lucee Core Developer
> Lucee.org 
>




Re: Can't Get SSL to Work in 8.5

2018-01-23 Thread Coty Sutherland
On Tue, Jan 23, 2018 at 2:16 PM, Kenneth Taylor
<kenneth.tay...@dataexpress.com> wrote:
> Coty,
>
> Thank you very much. That worked.  The only thing is it's not redirecting to
> SSL if you hit the regular URL.  Are we missing something?

Do you have a CONFIDENTIAL transport guarantee defined for the
applications that you want to redirect? The redirectPort doesn't work
exactly like most people think it does (e.g. it doesn't redirect all
traffic to the port), it redirects traffic for applications with a
transport guarantee that requires SSL. From the http configuration doc
(https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) for
redirectPort: "If this Connector is supporting non-SSL requests, and a
request is received for which a matching <security-constraint>
requires SSL transport, Catalina will automatically redirect the
request to the port number specified here."

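You can place a confidential transport guarantee in your application's
web.xml such as:

<security-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>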

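I guess if you wanted to redirect EVERYTHING from 8080 to 8443 you
could add a constraint in the global web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>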

but...I'm not sure if that would play nicely with everything or cause
problems :)

HTH

>  connectionTimeout="2"
> port="8080"
> protocol="HTTP/1.1"
> redirectPort="8443"
> scheme="http"
> secure="false"/>
>
>  SSLEnabled="true"
> maxThreads="20"
> port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
> scheme="https"
> secure="true">
>  name="_default_"
> clientAuth="false"
> sslProtocol="TLS"
> protocols="TLSv1.2"
> sessionCacheSize="5"
> sessionTimeout="960">
>  certificateKeyAlias="dmb-kenneth"
> certificateKeystoreFile="conf/localhost-rsa.jks"
> certificateKeystorePassword="=NR5^vtuW_/?"
> certificateVerification="optionalNoCA"
> type="RSA"/>
> 
> 
>
> Thanks
> Ken
>
> -Original Message-
> From: Coty Sutherland [mailto:csuth...@apache.org]
> Sent: Monday, January 22, 2018 2:24 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Can't Get SSL to Work in 8.5
>
> On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor 
> <kenneth.tay...@dataexpress.com> wrote:
>> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We 
>> followed all the instructions in the Tomcat documentation and what help is 
>> available on the net but have been unable to get TC to startup with an SSL 
>> Connector configured.
>>
>> Here is our Connector configuration:
>>
>> > scheme="http" redirectPort="8443" secure="false"/>
>>
>> > SSLEnabled="true"
>> clientAuth="false"
>> maxThreads="20"
>> port="8443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
>> scheme="https"
>> secure="true"
>> sslProtocol="TLS">
>
> Remove  `clientAuth="false"` and `sslProtocol="TLS"` from the Connector 
> element and place them inside the SSLHostConfig element below. These two 
> attributes are now SSLHostConfig attributes (even though they are allowed in 
> the Connector because tomcat translates them to a default SSLHostConfig 
> object initialized with those values).
> It's also noteworthy that you're using the default values for clientAuth and 
> sslProtocol, so they aren't necessary.
>
>> > hostName="localhost"
>
> You need an SSLHostConfig that's named _default_ for this to work (which is 
> the default name) so remove hostName="localhost" too and this should work :)
>
> I'm going to file a BZ and see if others are interested in catching this NPE 
> and doing something more useful with it. I'm also going to file an 
> enhancement to remove the requirement to have a _default_ SSLHostConfig, if 
> possible.
>
>> protocols="TLSv1.2"
>> sessionCacheSize="15"
>> sessionTimeout="960">
>>  >  certificateKeyAlias="localhost"
>>  certificateKeystoreFile="conf/localhost-rsa.jks"
>>  certificateKeystorePassword="=NR5^vtuW_/?"
>>  certificateVerification="option

Re: Can't Get SSL to Work in 8.5

2018-01-22 Thread Coty Sutherland
On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor
 wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We 
> followed all the instructions in the Tomcat documentation and what help is 
> available on the net but have been unable to get TC to startup with an SSL 
> Connector configured.
>
> Here is our Connector configuration:
>
>  scheme="http" redirectPort="8443" secure="false"/>
>
>  SSLEnabled="true"
> clientAuth="false"
> maxThreads="20"
> port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
> scheme="https"
> secure="true"
> sslProtocol="TLS">

Remove  `clientAuth="false"` and `sslProtocol="TLS"` from the
Connector element and place them inside the SSLHostConfig element
below. These two attributes are now SSLHostConfig attributes (even
though they are allowed in the Connector because tomcat translates
them to a default SSLHostConfig object initialized with those values).
It's also noteworthy that you're using the default values for
clientAuth and sslProtocol, so they aren't necessary.

>  hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work
(which is the default name) so remove hostName="localhost" too and
this should work :)

I'm going to file a BZ and see if others are interested in catching
this NPE and doing something more useful with it. I'm also going to
file an enhancement to remove the requirement to have a _default_
SSLHostConfig, if possible.

> protocols="TLSv1.2"
> sessionCacheSize="15"
> sessionTimeout="960">
>certificateKeyAlias="localhost"
>  certificateKeystoreFile="conf/localhost-rsa.jks"
>  certificateKeystorePassword="=NR5^vtuW_/?"
>  certificateVerification="optionalNoCA"
>  type="RSA"/>
> 
> 
>
> Here is the error we get:
>
> Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     ... 12 more
> Caused by: java.lang.IllegalArgumentException: java.lang.NullPointerException
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
>     ... 13 more
> Caused by: java.lang.NullPointerException
>     at java.io.FileInputStream.<init>(FileInputStream.java:130)
>     at java.io.FileInputStream.<init>(FileInputStream.java:93)
>     at java.io.FileReader.<init>(FileReader.java:58)
>     at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:74)
>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:193)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
>     ... 20 more
>
> We tried all kinds of variations of the configuration. We've run out of 
> things to try.
> We are using a JKS keystore created in Java code using the Bouncy Castle API. 
>  The config files are all in the correct location.
> The keystore has a private key and certificate 
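
Added example, not part of the thread and not Tomcat code: a Python lint for the two server.xml conditions the reply above points out, Connector-level `clientAuth`/`sslProtocol` mixed with an explicit SSLHostConfig, and no SSLHostConfig matching the default name `_default_`. The finding codes and the sample configurations (modelled on the one in the thread, without its password) are constructed; `defaultSSLHostConfigName` is the Connector attribute that overrides the default name.

```python
import xml.etree.ElementTree as ET

LEGACY_TLS_ATTRS = ("clientAuth", "sslProtocol")  # the two attributes named in the reply
DEFAULT_NAME = "_default_"

# Constructed: the shape of the configuration that failed to start.
BROKEN = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" scheme="http"
             redirectPort="8443" secure="false"/>
  <Connector SSLEnabled="true" clientAuth="false" maxThreads="20" port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true" sslProtocol="TLS">
    <SSLHostConfig hostName="localhost" protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                   certificateKeyAlias="localhost" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""

# Constructed: the same connector after applying the advice in the reply.
FIXED = """
<Server><Service name="Catalina">
  <Connector SSLEnabled="true" maxThreads="20" port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                   certificateKeyAlias="localhost" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""

# Constructed: a named host is fine when the Connector declares it as the default.
NAMED_DEFAULT = FIXED.replace(
    '<Connector SSLEnabled="true"',
    '<Connector defaultSSLHostConfigName="localhost" SSLEnabled="true"',
).replace("<SSLHostConfig ", '<SSLHostConfig hostName="localhost" ')


def lint_connector(connector):
    """Return (code, detail) findings for one <Connector> element."""
    if connector.get("SSLEnabled", "false").lower() != "true":
        return []
    hosts = connector.findall("SSLHostConfig")
    if not hosts:
        return []  # no explicit SSLHostConfig to cross-check against
    findings = []
    legacy = [a for a in LEGACY_TLS_ATTRS if a in connector.attrib]
    if legacy:
        findings.append(("connector-level-tls-attrs", ", ".join(legacy)))
    # Host names are compared case-insensitively here.
    wanted = connector.get("defaultSSLHostConfigName", DEFAULT_NAME).lower()
    names = [h.get("hostName", DEFAULT_NAME).lower() for h in hosts]
    if wanted not in names:
        findings.append(("no-default-sslhostconfig", "have: " + ", ".join(names)))
    return findings


def lint_server_xml(text):
    """Map each Connector port to its findings; connectors without findings are omitted."""
    root = ET.fromstring(text.strip())
    report = {}
    for connector in root.iter("Connector"):
        findings = lint_connector(connector)
        if findings:
            report[connector.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED), ("named default", NAMED_DEFAULT)):
        print(label, lint_server_xml(text))
```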

Re: Subscription to tomcat-users

2018-01-05 Thread Coty Sutherland
Is there some reason why this user can't subscribe to the users@ list?
They found me in freenode and seemingly get no response from the list
emails (users@ and users-help@).

Cheers,

On Fri, Jan 5, 2018 at 3:40 PM, Alex  wrote:
> Hello,
>
> This is my address that doesn't get into the tomcat-users mailing list.
>  Can I please get subscribed?
>
> Thank you!
>




Re: ALv2 Tomcat Training material

2018-01-04 Thread Coty Sutherland
On Thu, Jan 4, 2018 at 8:01 AM, Mark Thomas  wrote:
> On 04/01/18 11:31, Marek Czernek wrote:
>> Hi Mark,
>>
>> I think this is a great idea. Before doing any brainstorming though, I
>> wonder about the following:
>>
>> 1. Who'd be the target audience? And what skill level would you want to
>>target? Any pre-requisites?

People that ask questions on freenode :)

> The short version is whatever the Tomcat community (i.e. the members of
> this list) would find most useful. Possible examples that come to mind are:
> - an introductory course for an experienced sysadmin that knows nothing
> about Tomcat
> - in depth trouble-shooting
>
> But rather than just my random ideas, I'd love to hear what the
> community wants.

I can try and compile a list of questions from my IRC scrollback to
add as ideas. I also started a quickstarts repo on github but that's
mostly focused on tomcat embedded since there isn't much in the way of
examples around. I also considered working on interactive courses and
putting them on https://katacoda.com/.

>
>> 2. Should it be purely Tomcat, or do you want to talk about various
>>frameworks that integrate with Tomcat in some manner? (Hibernate
>>comes to mind, for example)
>
> This is easy. Purely Tomcat.
>
>> 3. What goals would you like to achieve? I.e., would you want to create
>>a course for a community and potential future contributors, or would
>>your goal be a course for experts to get things done asap? Imho
>>those two goals require different approaches. If the answer is
>>'both', that could be sub-optimal (though understandable). Or do you
>>imagine completely different goal(s)?
>
> My original thinking was training for end users of any/all levels.
> However, if there was interest we could add some modules on how to
> become a contributor, committer, PMC member etc.

+1, I sometimes get questions about how to contribute, become a
committer, etc and share my experience (and the CONTRIBUTING guide on
github), but having a more formal document on what to do for our
project would be nice.

>
>> My main question is 'WHY'. What is the hole we're trying to fill in. Do
>> you want people to have quick yet quite deep understanding of basic
>> concepts and fundamentals? Do you want people to be more excited about
>> Tomcat? Do you want to shed light on an obscure integration pattern that
>> is highly useful? Do you want to create a certification that would be
>> beneficial for job interviews? Some of the answers might be
>> complementary, but a lot of them are almost opposite to each other, imho.
>
> Why? Because I think that there is a community demand for this. I once
> ran a Tomcat training course at ApacheCon for which I did ZERO marketing
> (the only marketing was that it was listed as an option when registering
> - and an expensive option at that) and ~15 people signed up.
>
> I want to help people understand how to use Tomcat. Hopefully, a
> side-effect will be that even more great people show up here.
>
> I'm not interested in creating a certification or anything similar.
>
> HTH explain my thinking.
>
> Mark
>
>
>>
>>
>> On 01/04/2018 11:16 AM, Mark Thomas wrote:
>>> Hi,
>>>
>>> One of the things on my TODO list is to put together some Tomcat
>>> training material licensed under the Apache License (version 2). i.e.
>>> material that would be made freely available for folks to use.
>>>
>>> I'd also like to make the training material available on YouTube as well
>>> as run some training courses (for a small fee) to deliver the material
>>> face to face.
>>>
>>> The structure I have in mind is a series of modules (say 30 mins in
>>> length) that can be organised in different ways to suit different needs.
>>> e.g. put the introductory modules for each area together to provide an
>>> 'Introduction to Tomcat course', put all the TLS modules together to
>>> provide an in depth 'Tomcat and TLS' course etc.
>>>
>>> I think a lot of the raw content is already available. We have the
>>> various Tomcat presentations that have been given over the years and my
>>> employer has agreed to let me make use of the material from our (now
>>> possibly a little dated) Tomcat training courses.
>>>
>>> I can't do this alone. Not in any reasonable time frame anyway. So I am
>>> reaching out to the community for help.
>>>
>>> The first step is to come up with:
>>> - a list of modules
>>> - potential courses formed from combinations of modules
>>>
>>> I am asking for your ideas for modules, courses and combinations of
>>> modules that could make up those courses.
>>>
>>> We have a blank wiki page to host this:
>>> https://cwiki.apache.org/confluence/display/TOMCAT/Tomcat+Training+Course
>>>
>>> Feel free to ask for edit access to that page (you'll need to create an
>>> account and let us know the user name) so you can add ideas directly or
>>> add ideas to this thread and I'll add them to the wiki page.
>>>
>>> The second step is to start populating the 

Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2018-01-02 Thread Coty Sutherland
~~~
seinfo --portcon=8080
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
~~~

Note that a port that works (8080) is labeled http_cache_port_t which
is usable by tomcat_domain and port 8090 is just labeled as an
unreserved_port_t.

> Thanks, Alceu
>
> On Thursday, December 21, 2017 18:49:48 BRST, Coty Sutherland
> <csuth...@apache.org> wrote:
>
> This behavior is due to a fix in the selinux-policy package; see
> https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more details.
> If you check /var/log/audit/audit.log you'll see an AVC denial, such
> as:
>
> type=AVC msg=audit(1513815897.006:136): avc:  denied  { name_bind
> } for  pid=1467 comm="java" src=8090
> scontext=system_u:system_r:tomcat_t:s0
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket ...
>
> Previous versions of tomcat were incorrectly labeled unconfined_t and
> could do whatever they wanted; that has been addressed and now tomcat is
> confined by selinux as it should be :)
>
> You can fix the problem by adding the port you want to allow to the
> system's HTTP port type, http_port_t: `semanage port --add -t
> http_port_t -p tcp 8090`
>
> Cheers,
>
>

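The AVC denial and the semanage fix discussed in this thread, as an added example that is not part of the original messages: a Python sketch that pulls name_bind denials out of audit.log text and builds the matching semanage command for each denied port. The sample log is constructed from the denial quoted above, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample. The first line follows the denial quoted in the thread
# (without its elided tail); the remaining lines are made up for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513815897.006:136): avc:  denied  { name_bind } for  pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513815950.112:141): avc:  denied  { name_bind } for  pid=1502 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1513815950.112:141): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1513815950.300:142): avc:  denied  { read } for  pid=1502 comm="java" name="app.properties" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1513816001.020:150): avc:  denied  { name_bind } for  pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    match = AVC_RE.match(line.strip())
    if match is None:
        return None
    record = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    record["perms"] = match.group("perms").split()
    return record


def context_type(context):
    """Extract the type from a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def port_bind_denials(log_text):
    """Collect name_bind denials on TCP/UDP sockets, one entry per domain and port."""
    denials = OrderedDict()
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None or "name_bind" not in record["perms"]:
            continue
        proto = record.get("tclass", "").replace("_socket", "")
        if proto not in ("tcp", "udp") or not record.get("src", "").isdigit():
            continue
        key = (context_type(record.get("scontext", "")), proto, int(record["src"]))
        entry = denials.setdefault(
            key, {"port_type": context_type(record.get("tcontext", "")), "count": 0}
        )
        entry["count"] += 1
    return denials


def semanage_commands(denials, port_type="http_port_t"):
    """Build the command from the thread for each denied port. Review before
    running: relabelling a port opens it to every domain allowed to bind port_type."""
    return [
        f"semanage port --add -t {port_type} -p {proto} {port}"
        for (_domain, proto, port) in denials
    ]


if __name__ == "__main__":
    found = port_bind_denials(SAMPLE_AUDIT_LOG)
    for (domain, proto, port), info in found.items():
        print(f"{domain} denied bind on {proto}/{port} "
              f"(labelled {info['port_type']}, {info['count']} event(s))")
    for command in semanage_commands(found):
        print(command)
```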



Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Coty Sutherland
On Thu, Dec 21, 2017 at 2:45 PM, Alceu R. de Freitas Jr.
 wrote:
>  Hello Cristopher,
> I never saw something like that either. I also searched on Google; all occurrences
> happened with people trying to run Tomcat on privileged ports (<1024).
> Here is a quick test, with port 9090:
>
> [root@localhost ~]# systemctl stop tomcat
> [root@localhost ~]# rm -f /var/log/tomcat/*
> [root@localhost ~]# vi /etc/tomcat/server.xml
> [root@localhost ~]# grep -A 2 'Connector port="9090"' /etc/tomcat/server.xml
> connectionTimeout="2"
>redirectPort="8443" />
> [root@localhost ~]# systemctl start tomcat
> [root@localhost ~]# systemctl status tomcat
> ● tomcat.service - Apache Tomcat Web Application Container
>Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor 
> preset: disabled)
>Active: active (running) since Qui 2017-12-21 17:39:57 -02; 6s ago
>  Main PID: 4385 (java)
>CGroup: /system.slice/tomcat.service
>└─4385 /usr/lib/jvm/jre/bin/java -classpath 
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-da...
>
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deployment 
> of web application directory /var/lib/tomcat/webapps/manager has finish… in 
> 498 ms
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deploying 
> web application directory /var/lib/tomcat/webapps/ROOT
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.TldConfig execute
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: At least one 
> JAR was scanned for TLDs yet contained no TLDs. Enable debug logging …tion 
> time.
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deployment 
> of web application directory /var/lib/tomcat/webapps/ROOT has finished in 534 
> ms
> Dez 21 17:40:03 localhost.localdomain server[4385]: dez 21, 2017 5:40:03 PM 
> org.apache.catalina.startup.HostConfig deployDirectory
> Dez 21 17:40:03 localhost.localdomain server[4385]: INFORMAÇÕES: Deploying 
> web application directory /var/lib/tomcat/webapps/examples
> Hint: Some lines were ellipsized, use -l to show in full.
> [root@localhost ~]# less /var/log/tomcat/catalina.2017-12-21.log
> GRAVE: Failed to initialize end point associated with ProtocolHandler 
> ["http-bio-9090"]
> java.net.BindException: Permissão negada (Bind failed) :9090
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
> at 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
> at 
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
> Caused by: java.net.BindException: Permissão negada (Bind failed)
> at java.net.PlainSocketImpl.socketBind(Native Method)
> at 
> java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
> at java.net.ServerSocket.bind(ServerSocket.java:375)
> at java.net.ServerSocket.<init>(ServerSocket.java:237)
> at java.net.ServerSocket.<init>(ServerSocket.java:181)
> at 
> org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:49)
> at 

Re: Apache tomcat 7.0.82 RFC issue (UNCLASSIFIED)

2017-12-11 Thread Coty Sutherland
On Mon, Dec 11, 2017 at 9:34 AM, Lueders, Paul T CIV USARMY NGIC (US)
 wrote:
> CLASSIFICATION: UNCLASSIFIED
>
> I am running Apache tomcat 7.0.82.  It is not running behind any other web 
> server.  I am getting:
> Java.lang.IllegalArgumentException: Invalid Character found in the request 
> target.  The valid characters are defined in RFC 7230 and RFC 3986

The problem is that your clients are sending unencoded characters
which are not allowed by the spec. See
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 or search the
users list archives for 'RFC 7230' or 'RFC 3986' for more information.

> How can I correct this in the tomcat configuration files?

Search for 'tomcat.util.http.parser.HttpParser.requestTargetAllow' in
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html to see
what options are available. Presently you can allow {, }, and | but
other characters will still yield a 400 response.

> Thanks a lot,
>
> Paul Lueders
> CLASSIFICATION: UNCLASSIFIED
>
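To find which client requests trigger the error discussed in this thread, the following added example (not part of the original messages) checks request targets against the RFC 3986 character set and shows the percent-encoded form a client should send. It is an RFC-based approximation and not Tomcat's own parser; the request lines are constructed and the function names are hypothetical.

```python
from urllib.parse import quote

# RFC 3986 character classes; "%" is kept so existing %XX escapes survive.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
GEN_DELIMS = set(":/?[]@")  # "#" left out: a fragment is never sent in a request target
SUB_DELIMS = set("!$&'()*+,;=")
ALLOWED = UNRESERVED | GEN_DELIMS | SUB_DELIMS | {"%"}

# Characters the thread says requestTargetAllow can permit on Tomcat 7.
RELAXABLE = set("{}|")

# Constructed request lines, not taken from the thread.
SAMPLE_REQUEST_LINES = [
    "GET /search?q=tomcat&page=2 HTTP/1.1",
    'GET /api/items?filter={"id":5} HTTP/1.1',
    "GET /report?range=1|2 HTTP/1.1",
    "GET /files/my report.pdf HTTP/1.1",
    "GET /caf\u00e9/menu HTTP/1.1",
]


def split_request_line(line):
    """Split on the first and last space so a target containing spaces stays whole."""
    method, _, rest = line.strip().partition(" ")
    target, _, version = rest.rpartition(" ")
    return method, target, version


def invalid_chars(target):
    """Sorted list of distinct characters that may not appear unencoded."""
    return sorted({ch for ch in target if ch not in ALLOWED})


def encode_target(target):
    """Percent-encode (UTF-8) only the characters outside the allowed set."""
    return quote(target, safe="".join(sorted(ALLOWED)))


def audit_request_lines(lines):
    """Report, per request line, the offending characters and the encoded target.
    relaxable_only is True when requestTargetAllow alone would cover the request."""
    results = []
    for line in lines:
        _method, target, _version = split_request_line(line)
        bad = invalid_chars(target)
        results.append({
            "target": target,
            "invalid": bad,
            "relaxable_only": bool(bad) and set(bad) <= RELAXABLE,
            "encoded": encode_target(target),
        })
    return results


if __name__ == "__main__":
    for result in audit_request_lines(SAMPLE_REQUEST_LINES):
        status = "ok" if not result["invalid"] else f"invalid {result['invalid']}"
        print(f"{result['target']!r}: {status} -> {result['encoded']}")
```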



Re: unable to set the "secure="true" flag on server.xml

2017-11-30 Thread Coty Sutherland
On Thu, Nov 30, 2017 at 1:39 PM, Christopher Schultz
 wrote:
> Naga,
>
> On 11/30/17 12:29 PM, Naga Ramesh wrote:
>> Thanks Chris..
>>
>> See the below output and here not showing the secure.
>>
>> < HTTP/1.1 200 OK
>> < Set-Cookie: JSESSIONID=D14ACAB7CADB83FAD5C11296C75A09DB; Path=/; HttpOnly
>> < X-Frame-Options: DENY
>> < X-Content-Type-Options: nosniff
>> < X-XSS-Protection: 1; mode=block
>> < Content-Type: text/html;charset=ISO-8859-1
>> < Content-Length: 5472
>> < Date: Thu, 30 Nov 2017 17:26:37 GMT
>> < Server:
>
> HTTP response headers don't say anything about "secure" anyway.

Actually, they do :) Setting a cookie to secure keeps it from being
transmitted over HTTP.

Set-Cookie: JSESSIONID=07429A0D611B540BF985E10197241E5D; Path=/;
Secure; HttpOnly

>
> What are you trying to accomplish, and what have you tried?
>
> I'm not sure secure="true" does what you think it does.
>
> Please answer the questions I asked in my previous post. They will go
> a long way toward helping you.

That would definitely help.

>
> -chris
>
>> -Original Message-
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Thursday, November 30, 2017 10:52 PM
>> To: users@tomcat.apache.org
>> Subject: Re: unable to set the "secure="true" flag on server.xml
>>
>> Naga,
>>
>> On 11/30/17 12:11 PM, Naga Ramesh wrote:
>>> I have configured the tomcat8 version & used the AWS ELB, but I
>>> have set the “secure="true" flag on tomcat8/conf/server.xml file
>>> end, after that service started and login page came but I am
>>> unable to login the application and getting the oops session
>>> expired error message coming.
>>
>> Please post your  configuration.
>>
>> What did you expect secure="true" to actually do?
>>
>>> Note: we have applied the SSL on AWS ELB end.
>>
>> So you are terminating TLS at the ELB, right?
>>
>>> ELB(https) -> tomcat-connector-8080
>>
>> Traffic from ELB -> Tomcat is using HTTPS?
>>
>> Why encrypt within your own VLAN?
>>
>> -chris
>>
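To check what the client actually receives in a setup like the one in this thread (TLS terminated at the ELB, Tomcat behind it), the following added example, which is not part of the original messages, parses Set-Cookie headers from a captured response and reports cookies missing Secure or HttpOnly. The two responses are constructed from the headers quoted above plus made-up cookies that defeat naive substring matching; function names are hypothetical.

```python
# Constructed from the two responses quoted in the thread, plus made-up
# cookies ("mode", "theme") that exercise the parser's edge cases.
RESPONSE_WITHOUT_SECURE = """\
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=D14ACAB7CADB83FAD5C11296C75A09DB; Path=/; HttpOnly
Set-Cookie: mode=secure-httponly; Path=/
X-Frame-Options: DENY
Date: Thu, 30 Nov 2017 17:26:37 GMT
"""

RESPONSE_WITH_SECURE = """\
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=07429A0D611B540BF985E10197241E5D; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; path=/; secure; httponly
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased because they are case-insensitive."""
    parts = [part.strip() for part in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if part:
            key, _, attr_value = part.partition("=")
            attributes[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value.strip(), attributes


def audit_response(raw_headers):
    """Return one finding per Set-Cookie header listing the flags it lacks.
    Only real attributes count, so a cookie *value* containing the word
    "secure" is not mistaken for the Secure flag."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, _value, attributes = parse_set_cookie(value)
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in attributes]
        findings.append({"cookie": name, "missing": missing})
    return findings


if __name__ == "__main__":
    for label, raw in (("without Secure", RESPONSE_WITHOUT_SECURE),
                       ("with Secure", RESPONSE_WITH_SECURE)):
        for finding in audit_response(raw):
            flags = ", ".join(finding["missing"]) or "none"
            print(f"[{label}] {finding['cookie']}: missing {flags}")
```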



Re: Question - Tomcat Memory

2017-11-16 Thread Coty Sutherland
On Thu, Nov 16, 2017 at 1:48 PM, Ramya Elineni
 wrote:
> The "Initial memory pool" and "maximum memory pool" are the two 
> configurations under Tomcat. I couldn't find any detailed explanation of how 
> Tomcat uses these settings. I request you to please provide me that 
> information so that I can have the appropriate values set on a production 
> environment. We are encountering issues where Tomcat is running on the higher 
> end of the maximum memory pool configuration after about 25 days of its last 
> restart. Thanks.

I assume that you're referring to the JVM arguments Xms and Xmx. There
isn't a tomcat-specific setting to control JVM memory allocations;
you'll need to read more about that in the java documentation of the
appropriate JVM, but it isn't much more to the arguments than what you
already stated. As far as 'appropriate values' goes, those are
subjective because everyone's applications have different memory
needs. You will have to do some load testing to determine how much
memory your application will need to function properly. If your
application is behaving abnormally and there are OutOfMemoryExceptions
occurring you can also analyze a heap dump from the event to determine
if you have an application problem causing memory issues, or if you
just need more memory.




Re: OSCP support in tomcat-native (was OCSP)

2017-11-10 Thread Coty Sutherland
On Thu, Nov 9, 2017 at 1:45 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Coty,
>
> On 11/9/17 12:19 PM, Coty Sutherland wrote:
>> Hi,
>>
>> I'm trying to determine whether or not we fully support OCSP in
>> tomcat-native 1.2.x on Linux. There isn't any documentation about
>> it other than some on the Downloads page that says it's
>> experimental on Windows:
>>
>> "The Windows binaries are available in two variants. a) Default.
>> This is what people usually use. This version of library is
>> included in Apache Tomcat distributions. b) OCSP-enabled. This one
>> has enabled (experimental) support for verification of client SSL
>> certificates via OCSP protocol (45392)."
>>
>> I see that it's enabled by default when building Linux, but for
>> Windows you have to enable it in the build.
>>
>> Can anyone help me out here?
>
> Without reading anything at all (from memory), I believe it all has to
> do with how OpenSSL itself was built.
>
> The reason we are mum on *NIX is because the consumer is expected to
> provide their own OpenSSL library, while the Windows build comes from
> us with a statically-linked OpenSSL (with or without OSCP compiled-in).

So technically all OCSP support is considered experimental then (since
we consider OCSP support in Windows experimental where we know that
openssl supports it)? It isn't just a pass through to openssl, the
call to the OCSP server (for example) happens inside of tomcat-native.
I have a user complaining about the fact that there's no logging in
those functions, so I plan to eventually add some, but I wanted to
make sure we are confident that it works correctly first :)

> -chris



Re: Service killed by signal 9

2017-11-10 Thread Coty Sutherland
On Fri, Nov 10, 2017 at 4:31 AM, Greg Huber  wrote:
> Since switching to jsvc, randomly I am getting tomcat restarting, looking
> at the logs I see that the jsvc is using a lot of memory total-vm:  and
> being killed by the system.
>
> Nov  9 13:11:11 prodbox kernel: Out of memory: Kill process 1287 (jsvc)
> score 121 or sacrifice child
> Nov  9 13:11:11 prodbox kernel: Killed process 1287 (jsvc)
> total-vm:3453120kB, anon-rss:378280kB, file-rss:0kB, shmem-rss:0kB
>
> I am using the below properties on the startup (from previous version
> startup scripts):
>
> -Xms256M -Xmx768m -Xss1280k -XX:+UseParallelGC -XX:MaxGCPauseMillis=1500
> -XX:GCTimeRatio=9 -server -XX:+DisableExplicitGC
>
> (I replaced -Xss256k with -Xss1280k to stop crashing see
> https://issues.apache.org/jira/browse/DAEMON-365)

The root cause for that broke a lot of things, so I imagine your OS
has fixed the kernel problem by now. If you tell me which OS I can try
and see if it's fixed for you. I'd suggest that you try reducing your
Xss back to 256k and see if that shrinks your process size enough to
keep it off of oom-killer's radar.

> Is there a way to limit the total-vm or find out why its got so big?
> -XX:+DisableExplicitGC ??
>
> Standard tomcat install with apache/modjk.
>
> Cheers Greg




OCSP support in tomcat-native

2017-11-09 Thread Coty Sutherland
Hi,

I'm trying to determine whether or not we fully support OCSP in
tomcat-native 1.2.x on Linux. There isn't any documentation about it
other than some on the Downloads page that says it's experimental on
Windows:

"The Windows binaries are available in two variants. a) Default. This
is what people usually use. This version of library is included in
Apache Tomcat distributions. b) OCSP-enabled. This one has enabled
(experimental) support for verification of client SSL certificates via
OCSP protocol (45392)."

I see that it's enabled by default when building Linux, but for
Windows you have to enable it in the build.

Can anyone help me out here?



Thanks,
Coty




Re: TomcatCon Where (and when) next?

2017-10-02 Thread Coty Sutherland
On Fri, Sep 29, 2017 at 3:03 PM, Christopher Schultz
 wrote:
> Mark,
>
> On 9/27/17 5:14 PM, Mark Thomas wrote:
>> All,
>>
>> TomcatCon London 2017 took place yesterday and was even more
>> successful than hoped. We sold 16 tickets for a full day of content
>> from 3 Tomcat committers.
>>
>> I'd like to take this opportunity to once again thank our
>> sponsors.
>>
>> Liferay generously provided the venue - including all the
>> associated organisation. This provided us with a very nice venue,
>> removed a significant amount of the organisational overhead and
>> also removed all of the financial risk to the PMC members
>> organising the event.
>>
>> c2b2 generously purchased 2 tickets and contributed towards the
>> other expenses (speaker travel expenses, buying a microphone so we
>> could record some of the sessions, name badges, etc,).
>>
>> We were able to record 4 out of the 6 sessions and these will be
>> uploaded to YouTube and linked from the Tomcat website hopefully by
>> the end of the week.
>>
>> As planned, the event generated a sufficient surplus to underwrite
>> the next event. With this in mind, thoughts are already turning to
>> future events.
>>
>> We are looking for suggestions for possible locations for the next
>> event. Please add your suggestions to this thread.
>>
>> Some points to keep in mind:
>>
>> - Events close to one or more Tomcat committers will generally
>> have lower overheads due to reduced travel costs. At this point
>> that probably means Europe if the event runs without sponsorship.
>>
>> - Sponsorship to cover speaker travel and/or to provide a venue
>> increases the options available with regard to location. I was
>> serious when I said in a previous thread that the next event could
>> be in India if a sponsor offered to provide a venue and cover
>> speaker travel.
>>
>> If you'd like to discuss sponsorship options privately, please feel
>> free to contact me off-list.
>>
>> With regards to timing, the aim is to try and organise one of
>> these events every couple of months. That probably means we need to
>> start thinking about event N+1 and N+2 in parallel.
>>
>> I look forward to your suggestions,
>
> Washington, DC would be a lovely place to have a TomcatCon. :)

+1, it's only an hour flight for me :)

> I'd be happy to organize the event. Not too many Tomcat committers in
> the area, but lots of ASF folks are here, including jimjag (though his
> schedule is sometimes awkward). We held a BarCampApache here in 2012
> on a Saturday and got ~45 attendees. Tomcat would probably have a
> smaller draw from that crowd, but there might be more locals who would
> be more interested in a more focused set of topics rather than the
> wide-ranging chaos that often accompanies a BarCamp.
>
> There are quite a few big internet companies with presences around
> here (e.g. Living Social, Facebook, etc.) but I'm not sure which ones
> utilize Tomcat within their technology stack. They may be willing to
> give us some meeting space, however, since most of those companies end
> up being "friends of open source" even if they aren't
> directly-benefiting from one particular tool.
>
> -chris



Re: Re: Re: how to set Http11AprProtocol with embedded tomcat

2017-09-29 Thread Coty Sutherland
On Fri, Sep 29, 2017 at 10:38 AM, Wang, Jennifer
<jennifer.w...@bos.frb.org> wrote:
> NONCONFIDENTIAL // EXTERNAL
> Hi Coty,
>
> I got exactly the same error. Did you try to run it in windows? Do you need 
> other MS dlls other than tcnative-1.dll? Also I down load the link and got as 
> below. I updated tomcat to 8.5.20, below error is gone, but the no apr error 
> came back.

I haven't tried it on windows, but it should be the same.
Possibly...in addition to tomcat-native you need the APR and the
OpenSSL libraries (if you intend to use TLS). I'm not sure whether or
not the tomcat-native DLL includes those libraries or not on Windows
(it doesn't on linux). I have APR and OpenSSL in the java.library.path
directory that I use and after changing to 8.5.20, the quickstart
works for me and APR is running per the following INFO lines:

2017-09-29 11:07:10.617  INFO 1175 --- [   main] o.a.coyote.http11.Http11AprProtocol  : Initializing ProtocolHandler ["http-apr-8080"]
2017-09-29 11:07:10.623  INFO 1175 --- [   main] o.a.coyote.http11.Http11AprProtocol  : Starting ProtocolHandler ["http-apr-8080"]

>
> Caused by: java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory
> at 
> org.apache.catalina.core.AprLifecycleListener.(AprLifecycleListener.java:49)

Oops. That is my fault. I was using 8.0.36 in the quickstart which
requires org.apache.tomcat.embed.tomcat-embed-logging in that version.
JULI was moved into tomcat-embed-core now, so updating the pom to use
8.5.20 resolves the CNFE for LogFactory.

>
> Thanks!
>
> Jennifer
>
> -Original Message-
> From: Coty Sutherland [mailto:csuth...@redhat.com]
> Sent: Friday, September 29, 2017 8:43 AM
> To: Tomcat Users List
> Subject: [External] Re: Re: how to set Http11AprProtocol with embedded tomcat
>
> Here is a working quickstart (that I forgot to link yesterday) for APR in 
> Spring Boot:
> https://github.com/csutherl/tomcat-embedded-quickstarts/tree/master/springboot-apr-example
>
> On Thu, Sep 28, 2017 at 3:34 PM, Coty Sutherland <csuth...@redhat.com> wrote:
>> On Thu, Sep 28, 2017 at 12:27 PM, Wang, Jennifer
>> <jennifer.w...@bos.frb.org> wrote:
>>> NONCONFIDENTIAL // EXTERNAL
>>> Hi Coty,
>>>
>>> I download tcnative-1.dll from tomcat site. I am running on windows 7. I 
>>> did set " java.library.path" as below.
>>>
>>>
>>>
>>>
>>> @SpringBootApplication
>>> public class Application {
>>>
>>> public static void main(String[] args) {
>>>
>>> //try both of below
>>> System.setProperty("java.library.path", 
>>> "C:\\Temp\\tomcat-native-1.2.14-win32-bin\\bin\\x64\\tcnative-1.dll");
>>> //System.setProperty("java.library.path",
>>> "C:\\Temp\\tomcat-native-1.2.14-win32-bin\\bin\\x64");
>>
>> I think trying to set the library path in code is too late as the JVM
>> has already initialized. You'll need to set it in the JVM arguments
>> that start the Application. I got it working using the following
>> config snippet:
>>
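>> <plugin>
>>     <groupId>org.springframework.boot</groupId>
>>     <artifactId>spring-boot-maven-plugin</artifactId>
>>     <configuration>
>>         <jvmArguments>
>>             -Djava.library.path=/path/to/tomcat-native/
>>         </jvmArguments>
>>     </configuration>
>> </plugin>
>>
>> and starting with `mvn spring-boot:run`. I also confirmed that the
>> System.setProperty call didn't work.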
>>
>> HTH
>>
>>>
>>> SpringApplication.run(Application.class, args);
>>> }
>>> }
>>>
>>> Thanks!
>>>
>>> Jennifer
>>>
>>> -Original Message-
>>> From: Coty Sutherland [mailto:csuth...@redhat.com]
>>> Sent: Thursday, September 28, 2017 12:16 PM
>>> To: Tomcat Users List
>>> Subject: [External] Re: how to set Http11AprProtocol with embedded
>>> tomcat
>>>
>>> On Thu, Sep 28, 2017 at 11:32 AM, Wang, Jennifer 
>>> <jennifer.w...@bos.frb.org> wrote:
>>>> NONCONFIDENTIAL // EXTERNAL
>>>> How to set Http11AprProtocol with embedded tomcat in java spring boot app?
>>>>
>>>> I keep get below error.
>>>
>>> You don't have tomcat-native installed. Resolving the problem should be as 
>>> simple as installing tomcat-native (which deps on APR) via RPM (assuming 
>>> you're on linux) so that it's on your library path or u

Tomcat Embedded Quickstarts

2017-09-29 Thread Coty Sutherland
Hi all,

Sorry for cross posting, but I thought this pertinent to both lists.

I hear that there was lots of talk about quickstarts and/or the need
for quickstarts at the most recent TomcatCon. I've been working on
some off and on for a while now and rather enjoy creating them; I'd
like to formalize them into something that the Tomcat distribution can
utilize. While I'm working on that, does anyone out there already have
a collection of quickstarts that they'd like to share/contribute? Or
does anyone want to contribute to a quickstarts development
initiative? What sort of quickstarts would people like to see? And
lastly, where would they live (I don't see any repositories for
quickstarts on the Apache github)?

I have a small set of quickstarts here
https://github.com/csutherl/tomcat-embedded-quickstarts/ with a couple
listed TODO items that came from some questions in #tomcat on freenode
and other places that I plan to start expanding.

Thoughts?



Thanks!
-Coty




Re: Re: how to set Http11AprProtocol with embedded tomcat

2017-09-29 Thread Coty Sutherland
Here is a working quickstart (that I forgot to link yesterday) for APR
in Spring Boot:
https://github.com/csutherl/tomcat-embedded-quickstarts/tree/master/springboot-apr-example

On Thu, Sep 28, 2017 at 3:34 PM, Coty Sutherland <csuth...@redhat.com> wrote:
> On Thu, Sep 28, 2017 at 12:27 PM, Wang, Jennifer
> <jennifer.w...@bos.frb.org> wrote:
>> NONCONFIDENTIAL // EXTERNAL
>> Hi Coty,
>>
>> I download tcnative-1.dll from tomcat site. I am running on windows 7. I did 
>> set " java.library.path" as below.
>>
>>
>>
>>
>> @SpringBootApplication
>> public class Application {
>>
>> public static void main(String[] args) {
>>
>> //try both of below
>> System.setProperty("java.library.path", 
>> "C:\\Temp\\tomcat-native-1.2.14-win32-bin\\bin\\x64\\tcnative-1.dll");
>> //System.setProperty("java.library.path", 
>> "C:\\Temp\\tomcat-native-1.2.14-win32-bin\\bin\\x64");
>
> I think trying to set the library path in code is too late as the JVM
> has already initialized. You'll need to set it in the JVM arguments
> that start the Application. I got it working using the following
> config snippet:
>
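> <plugin>
>     <groupId>org.springframework.boot</groupId>
>     <artifactId>spring-boot-maven-plugin</artifactId>
>     <configuration>
>         <jvmArguments>
>             -Djava.library.path=/path/to/tomcat-native/
>         </jvmArguments>
>     </configuration>
> </plugin>
>
> and starting with `mvn spring-boot:run`. I also confirmed that the
> System.setProperty call didn't work.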
>
> HTH
>
>>
>> SpringApplication.run(Application.class, args);
>> }
>> }
>>
>> Thanks!
>>
>> Jennifer
>>
>> -Original Message-
>> From: Coty Sutherland [mailto:csuth...@redhat.com]
>> Sent: Thursday, September 28, 2017 12:16 PM
>> To: Tomcat Users List
>> Subject: [External] Re: how to set Http11AprProtocol with embedded tomcat
>>
>> On Thu, Sep 28, 2017 at 11:32 AM, Wang, Jennifer <jennifer.w...@bos.frb.org> 
>> wrote:
>>> NONCONFIDENTIAL // EXTERNAL
>>> How to set Http11AprProtocol with embedded tomcat in java spring boot app?
>>>
>>> I keep get below error.
>>
>> You don't have tomcat-native installed. Resolving the problem should be as 
>> simple as installing tomcat-native (which deps on APR) via RPM (assuming 
>> you're on linux) so that it's on your library path or updating your JVM's 
>> -Djava.library.path system property to point to APR and tomcat-native so 
>> that tomcat can use it.
>>
>>> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:140)
>>>     at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
>>>     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250)
>>>     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193)
>>>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
>>>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
>>>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
>>>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
>>>     at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
>>>     at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
>>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
>>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118)
>>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107)
>>>     at hello.Application.main(Application.java:13)
>>> Caused by: org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
>>>
>>> Thanks!
>>>
>>> Jennifer
>>>
>>
>>




Re: Re: how to set Http11AprProtocol with embedded tomcat

2017-09-28 Thread Coty Sutherland
On Thu, Sep 28, 2017 at 12:27 PM, Wang, Jennifer
<jennifer.w...@bos.frb.org> wrote:
> NONCONFIDENTIAL // EXTERNAL
> Hi Coty,
>
> I download tcnative-1.dll from tomcat site. I am running on windows 7. I did
> set "java.library.path" as below.
>
>
>
>
> @SpringBootApplication
> public class Application {
>
> public static void main(String[] args) {
>
> //try both of below
> System.setProperty("java.library.path", 
> "C:\\Temp\\tomcat-native-1.2.14-win32-bin\\bin\\x64\\tcnative-1.dll");
> //System.setProperty("java.library.path", 
> "C:\\Temp\\tomcat-native-1.2.14-win32-bin\\bin\\x64");

I think trying to set the library path in code is too late as the JVM
has already initialized. You'll need to set it in the JVM arguments
that start the Application. I got it working using the following
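config snippet:

    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
      <configuration>
        <jvmArguments>
          -Djava.library.path=/path/to/tomcat-native/
        </jvmArguments>
      </configuration>
    </plugin>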

and starting with `mvn spring-boot:run`. I also configured that the
System.setProperty call didn't work.

HTH

>
> SpringApplication.run(Application.class, args);
> }
> }
>
> Thanks!
>
> Jennifer
>
> -Original Message-
> From: Coty Sutherland [mailto:csuth...@redhat.com]
> Sent: Thursday, September 28, 2017 12:16 PM
> To: Tomcat Users List
> Subject: [External] Re: how to set Http11AprProtocol with embedded tomcat
>
> On Thu, Sep 28, 2017 at 11:32 AM, Wang, Jennifer <jennifer.w...@bos.frb.org> 
> wrote:
>> NONCONFIDENTIAL // EXTERNAL
>> How to set Http11AprProtocol with embedded tomcat in java spring boot app?
>>
>> I keep get below error.
>
> You don't have tomcat-native installed. Resolving the problem should be as 
> simple as installing tomcat-native (which deps on APR) via RPM (assuming 
> you're on linux) so that it's on your library path or updating your JVM's 
> -Djava.library.path system property to point to APR and tomcat-native so that 
> tomcat can use it.
>
>> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:140)
>>     at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
>>     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250)
>>     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193)
>>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
>>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
>>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
>>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
>>     at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
>>     at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118)
>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107)
>>     at hello.Application.main(Application.java:13)
>> Caused by: org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
>>
>> Thanks!
>>
>> Jennifer
>>
>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
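
Added example, not part of the original thread: a Python model of the lookup the JVM performs with the java.library.path it was started with, run against the two values tried in the message above. It shows why an entry naming the DLL file itself can never match, since each entry is treated as a directory. The library base names and the function names are assumptions of this example.

```python
import ntpath
import posixpath

# Base names requested via System.loadLibrary by Tomcat 8.5-era code
# (assumption of this example; check org.apache.tomcat.jni.Library
# in the Tomcat version you run).
TCNATIVE_NAMES = ("tcnative-1", "libtcnative-1")


def map_library_name(name, os_name):
    """Mirror java.lang.System.mapLibraryName for common platforms."""
    if os_name == "windows":
        return name + ".dll"
    if os_name == "mac":
        return "lib" + name + ".dylib"
    return "lib" + name + ".so"


def resolve_tcnative(library_path, existing_files, os_name):
    """Return (match, candidates_tried) for a java.library.path value.

    existing_files stands in for the file system so that Windows paths
    can be evaluated on any machine.
    """
    pathmod = ntpath if os_name == "windows" else posixpath
    separator = ";" if os_name == "windows" else ":"
    present = {pathmod.normcase(pathmod.normpath(f)) for f in existing_files}
    tried = []
    for entry in filter(None, library_path.split(separator)):
        for name in TCNATIVE_NAMES:
            # Every entry is used as a directory: <entry>/<mapped name>.
            candidate = pathmod.join(entry, map_library_name(name, os_name))
            tried.append(candidate)
            if pathmod.normcase(pathmod.normpath(candidate)) in present:
                return candidate, tried
    return None, tried


# Paths quoted in the thread.
DLL = r"C:\Temp\tomcat-native-1.2.14-win32-bin\bin\x64\tcnative-1.dll"
DLL_DIR = r"C:\Temp\tomcat-native-1.2.14-win32-bin\bin\x64"

if __name__ == "__main__":
    for value in (DLL, DLL_DIR):
        match, tried = resolve_tcnative(value, [DLL], "windows")
        print("java.library.path =", value)
        print("  first candidate:", tried[0])
        print("  resolved:", match)
```

Either value still has to reach the JVM at launch, for example through the plugin's jvmArguments shown in the message.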



Re: how to set Http11AprProtocol with embedded tomcat

2017-09-28 Thread Coty Sutherland
On Thu, Sep 28, 2017 at 11:32 AM, Wang, Jennifer
 wrote:
> NONCONFIDENTIAL // EXTERNAL
> How to set Http11AprProtocol with embedded tomcat in java spring boot app?
>
> I keep get below error.

You don't have tomcat-native installed. Resolving the problem should
be as simple as installing tomcat-native (which deps on APR) via RPM
(assuming you're on linux) so that it's on your library path or
updating your JVM's -Djava.library.path system property to point to
APR and tomcat-native so that tomcat can use it.

> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:140)
>     at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
>     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250)
>     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193)
>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
>     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
>     at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
>     at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118)
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107)
>     at hello.Application.main(Application.java:13)
> Caused by: org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
>
> Thanks!
>
> Jennifer
>




Re: tomcat7 eol date?

2017-09-25 Thread Coty Sutherland
On Sat, Sep 23, 2017 at 12:47 PM, Mark Thomas  wrote:
> On 23/09/17 13:15, Alex O'Ree wrote:
>> Is there an approximate or estimated date in which ASF will stop
>> supporting patches for Tomcat7?
>
> Best guess that is at least two to three years away.
>
>> I'm assuming that the tomcat major versions are tied to oracle's
>> support for the JRE, which implies that when oracle stops supporting
>> JRE7 that tomcat7 support will stop around the same time. Is that more
>> or less accurate?
>
> No.
>
> Tomcat major versions are tied to Java EE versions and we currently
> support 3 versions in parallel.
>
> Java EE 8 -> Tomcat 9
> Java EE 7 -> Tomcat 8
> Java EE 6 -> Tomcat 7
>
> Prior to Oracle's announcement of the Java EE donation to Eclipse, my
> answer would have been:
>
> Tomcat 10 will support Java EE 9. Once the release date for Java EE 9
> looks fairly certain, we'll announce EOL for Tomcat 7. We will give at
> least 12 months notice.
>
> Oracle's donation of Java EE to Eclipse the name of what Tomcat 10 will
> support is uncertain at this point. Timing wise things are also
> uncertain at this point. Based on previous Java EE timescales, at least
> 2-3 years looks likely.

Are we considering shorter lifecycles and more frequent Tomcat major
releases to keep up with the potential of faster major releases in java
per http://tomcat.10.x6.nabble.com/Moving-Java-Forward-Faster-td5067116.html
?

> Mark
>
>




Re: Tomcat 7 giving java.lang.OutOfMemoryError: unable to create new native thread Exception in Catalina.out after upgrading to RHEL 7.4

2017-09-19 Thread Coty Sutherland
On Tue, Sep 19, 2017 at 9:53 AM, Suvendu Sekhar Mondal
 wrote:
> Radhika,
>
> On Tue, Sep 19, 2017 at 2:21 PM, Peddi, Radhika (Radhika)
>  wrote:
>> Hi,
>>
>> We have upgraded RHEL 7.2 to RHEL 7.4. After upgrade when we are running 
>> performance testing of our application we are seeing below error in 
>> catalina.out.
>>
>> java.lang.OutOfMemoryError: unable to create new native thread Exception in 
>> Catalina.out after upgrading to RHEL 7.4

As stated before, this is a limitation on the number of threads
spawned by the process imposed by the OS. In order to resolve it, you
need to either increase nproc/nofile or decrease the number of threads
that the Tomcat process is spawning. Check the ulimit for your user
and compare that to the number of threads that you have configured. If
you're on a 32-bit machine, it may be a problem with the process size,
but RHEL-7 is only on 64-bit AFAIK so that shouldn't be your issue :)

>
> This simply indicates that JVM was trying to create a new thread and
> OS can't create any new thread simply because native memory space was
> exhausted. This limit is very much platform dependent.
>
> Is your app opening too many threads? On my Windows 10 laptop with
> 32GB RAM and JDK 1.8, I can open 53+ threads before I run into this
> OOM problem. You can find it by monitoring Tomcat instance. So far I
> ran into this problem one time - couple of years ago. We got away
> after adding some memory and by reducing thread stack size.
>
> Another thing can happen, you might have lost some OS setting (which
> was used to bump up the default OS limit) while upgrading from one
> version to another; which was preventing this issue from occurring so
> far - just speculating. And this is not a Tomcat's problem. :)
>
>> Attached is the thread dump.
>>
>> We are using Tomcat 7.0.69.
>>
>> As per REDHAT we have increased tomcat5 user which used to run Tomcat 
>> process in /etc/security/limits.d/20-nproc.conf like below
>>
>> * soft nproc 4096
>> root soft nproc unlimited
>> tomcat5 soft nproc 8192
>>
>> All the processes are used by Tomcat. If we increase the value to 16K or 32K 
>> all threads are consumed and they are in Waiting(Parking) state.
>>
>> "http-bio-8443-exec-56" #973 daemon prio=5 os_prio=0 tid=0x7efc8c029800 
>> nid=0x10e7b waiting on condition [0x7ef9bc7ee000]
>>java.lang.Thread.State: WAITING (parking)
>> at sun.misc.Unsafe.park(Native Method)
>> - parking to wait for  <0x0003c454c008> (a 
>> java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
>> at 
>> java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
>> at 
>> java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
>> at 
>> java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)
>> at 
>> org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:104)
>> at 
>> org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:32)
>> at 
>> java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
>> at 
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
>> at 
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at 
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> "http-bio-8443-exec-55" #972 daemon prio=5 os_prio=0 tid=0x7efc0401e000 
>> nid=0x10e7a waiting on condition [0x7ef9bc82f000]
>>java.lang.Thread.State: WAITING (parking)
>> at sun.misc.Unsafe.park(Native Method)
>> - parking to wait for  <0x0003c454c008> (a 
>> java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
>> at 
>> java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
>> at 
>> java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
>> at 
>> java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)
>> at 
>> org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:104)
>> at 
>> org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:32)
>> at 
>> java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
>> at 
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
>> at 
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at 
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at 
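
Added example, not part of the original thread: one way to do the comparison suggested above between the user's nproc limit and the number of threads Tomcat is configured to create. The limits entries are the ones quoted in the thread; the server.xml fragment, the jvm_overhead figure and the function names are constructed for this example, and @group entries are not evaluated.

```python
import xml.etree.ElementTree as ET

DEFAULT_MAX_THREADS = 200  # Tomcat's default when maxThreads is not set

# Entries quoted in the thread (/etc/security/limits.d/20-nproc.conf).
LIMITS_CONF = """\
* soft nproc 4096
root soft nproc unlimited
tomcat5 soft nproc 8192
"""

# Constructed server.xml fragment; the real file is not shown in the thread.
SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Executor name="pool" maxThreads="6000"/>
    <Connector port="8080" protocol="HTTP/1.1" executor="pool"/>
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="4000"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""


def effective_limit(conf_text, user, item="nproc", kind="soft"):
    """Resolve the limit for `user`: a user entry beats the '*' wildcard,
    and a later line beats an earlier one of the same kind."""
    found = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue
        domain, ltype, litem, value = fields
        if litem != item or ltype not in (kind, "-"):
            continue
        if domain == user:
            found["user"] = value
        elif domain == "*":
            found["wildcard"] = value
    value = found.get("user", found.get("wildcard"))
    if value is None:
        return None
    if value in ("unlimited", "infinity", "-1"):
        return float("inf")
    return int(value)


def configured_threads(server_xml):
    """Worst-case request threads: every Executor pool plus every
    Connector that runs its own pool."""
    root = ET.fromstring(server_xml)
    executors = {
        e.get("name"): int(e.get("maxThreads", DEFAULT_MAX_THREADS))
        for e in root.iter("Executor")
    }
    total = sum(executors.values())
    for connector in root.iter("Connector"):
        if connector.get("executor") in executors:
            continue  # shares an Executor that is already counted
        total += int(connector.get("maxThreads", DEFAULT_MAX_THREADS))
    return total


def check(conf_text, server_xml, user, jvm_overhead=100):
    """Compare the worst case against the limit. nproc is counted per
    user, so other processes of the same user reduce the margin further.
    jvm_overhead (GC, compiler, timer threads) is an assumed figure."""
    limit = effective_limit(conf_text, user)
    need = configured_threads(server_xml) + jvm_overhead
    return {
        "limit": limit,
        "worst_case_threads": need,
        "can_exhaust": limit is not None and need > limit,
    }


if __name__ == "__main__":
    print(check(LIMITS_CONF, SERVER_XML, "tomcat5"))
```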

Re: Setting PropertySourceVault programatically in o.a.t.util.digester.Digester

2017-09-11 Thread Coty Sutherland
On Mon, Sep 11, 2017 at 2:43 PM, Mark Thomas <ma...@apache.org> wrote:
> On 11/09/17 19:07, Coty Sutherland wrote:
>
>> So, my question comes down to "Can I configure a PropertySource
>> instance and pass that to tomcat's Digester before tomcat starts?".
>
> No, because of the way it is currently coded.

I thought so.

>> Is this a silly question? If so, why?
>
> No. N/A.
>
> I can see the benefit in making it configurable.
>
> It looks like you'd need something along the lines of an
> addSource(IntrospectionUtils.PropertySource) method that added to the
> source array.

Hm. So I took a look at the Digester and having a way to add the
source there would be ideal, but I think that only solves the issue of
having tomcat's internal classes configure it, right? I don't see a
way to do something like tomcat.setDigester(myDigester) anywhere. As
far as the digester that loads the server.xml I just see
o.a.c.startup.Catalina.createStartDigester(). I've only had a second
to look at it, but I'd love to figure this out. Hints appreciated :)

I guess I should create an enhancement BZ for this?

> Mark
>
>




Setting PropertySourceVault programatically in o.a.t.util.digester.Digester

2017-09-11 Thread Coty Sutherland
Hi all,

I'm fairly certain that there isn't a way to do this currently (I'm
not so good with Reflection, so there could be), but I have to ask
anyway. Let me explain my use case...

I'm using tomcat embedded (8.5.x/trunk) and have a need to
programmatically configure and use a PropertySource before starting
tomcat. Using an instance that way is easy. The problem falls when
users need to configure tomcat to also use the PropertySource
implementation to extract information from their application XMLs by
way of the Digester. The issue with this is that I cannot instantiate
two instances of the PropertySource implementation class that I'm
using because the library won't allow it and therefore Tomcat doesn't
correctly configure the PropertySource.

So, my question comes down to "Can I configure a PropertySource
instance and pass that to tomcat's Digester before tomcat starts?". Is
this a silly question? If so, why?



Thanks,
Coty




Re: Unable to Access tomcat UI on restart of the server on Linux

2017-07-24 Thread Coty Sutherland
On Mon, Jul 24, 2017 at 9:57 AM, Chaitanya Sabbineni
 wrote:
> Hi All,
>
> I had a problem in accessing UI of the tomcat using http://:8081
>
> I tried changing the port to 8086 and 8088 and even then I am not able to
> access the UI.
>
> I checked using netstat -an | grep 8081 and the only thing that is using this
> port is
>
> tcp0 0:::8081 :::*  Listen
>
> I uninstalled tomcat and installed it again. After installation I am able to
> access the UI, and I copied a few xml files into the
> /opt/.../tomcat/b/conf/Catalina/localhost folder and restarted
> tomcat. Upon restart of the server I am not able to access the UI and I am
> not able to access my application either.
>
> localhost folder contains only 4 xml files
>
> admin.xml
> manager.xml
> jnlp.xml
> App.xml   -> This contains all the libraries of my application.
>
>
> *After the installation of tomcat I am able to access the tomcat UI until I
> restart tomcat, but I am not able to access the application UI.*
>
>
>
> Below the content from *tomcat* log
>
>
> Java HotSpot(TM) 64-Bit Server VM warning: ignoring option
> MaxPermSize=256m; support was removed in 8.0
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/OLC/lib], exists: [false],
> isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with JAR file [/var/opt/View/tmp/"/opt/View/java/OBc.jar],
> exists: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/java/OSe.jar"], exists: [false],
> isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/java/tomcat/b/lib], exists:
> [false], isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/java/tomcat/b/lib], exists:
> [false], isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/OLC/lib], exists: [false],
> isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with JAR file [/var/opt/View/tmp/"/opt/View/java/OBc.jar],
> exists: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/java/OSe.jar"], exists: [false],
> isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/java/tomcat/b/lib], exists:
> [false], isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with directory [/opt/View/java/tomcat/b/lib], exists:
> [false], isDirectory: [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with JAR file [/opt/View/java/dma-logging.jar], exists:
> [false], canRead: [false]
> Jul 24, 2017 4:18:34 PM org.apache.catalina.startup.ClassLoaderFactory
> validateFile
> WARNING: Problem with JAR file [/opt/View/java/dma-common.jar], exists:
> [false], canRead: [false]
> Jul 24, 2017 4:18:35 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxSpareThreads' to '75' did not find a matching property.
> Jul 24, 2017 4:18:35 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxSpareThreads' to '75' did not find a matching property.
> Jul 24, 2017 4:18:35 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxSpareThreads' to '75' did not find a matching property.
> Jul 24, 2017 4:18:35 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxSpareThreads' to '75' did not find a matching property.
> Jul 24, 2017 4:18:35 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'debug' to '0' did not find a matching property.
> Jul 24, 2017 4:18:35 PM org.apache.tomcat.util.digester.SetPropertiesRule
> begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlValidation' to 'false' did not find a matching property.
> Jul 24, 2017 4:18:35 PM org.apache.tomcat.util.digester.SetPropertiesRule
> 

Re: Server giving 404 since upgrade to Tomcat7

2017-07-24 Thread Coty Sutherland
On Mon, Jul 24, 2017 at 6:57 AM, Mark Thomas  wrote:
> On 24/07/17 11:12, Flynn, Peter wrote:
>> I have a CentOS7 server running Apache and Tomcat serving the Cocoon 
>> application which handles lots of research project XML pages. It's been 
>> running fine for years, through Tomcat and Apache updates. My system owners 
>> updated the server to Tomcat7 over the weekend and all Tomcat pages are now 
>> coming up as 404 Not Found. As a temporary fix we have restored service from 
>> backup on another VM.
>>
>> The update was done using the version of Tomcat from the CentOS7 repos 
>> because it is the policy to use the repos only, and I can't change it. It's 
>> never been a problem before: Cocoon is the only webapp in use, and we have 
>> been running this configuration successfully since the days of Red Hat and 
>> Cocoon 1.
>
> Running from a package tends to limit the members of this that are
> available to help to those that understand the packaging on the platform
> in question.
>
> If you could provide exact Tomcat versions for before and after the
> upgrade that would help.
>
>> 404 implies that Tomcat simply can't find the files/directories, but it's a 
>> plain Tomcat error page, not an application error, and there is no 
>> indication of where it looked to find stuff. As it's a Tomcat error, not a 
>> Cocoon error, and it's the same error for every page, I am assuming it is a 
>> config error and that Tomcat can't actually find anything at all.
>>
>> The previous config files are all correctly in place in /etc/tomcat, and the 
>> user data is all untouched, and the Cocoon application is where it always 
>> was at /var/lib/tomcat/webapps.
>>
>> The tomcat user account (in /etc/passwd) has its home at /usr/share/tomcat 
>> (I know, don't ask), and there are (correctly) soft links to webapps, work, 
>> lib, logs, temp, and conf all pointing to the right places.
>
> Tomcat needs allowLinking to be correctly set if that path to a web
> application (or the web application itself) uses symlinks. I don't think
> that has changed between 6.0.x and 7.0.x.
>
>> I went through the upgrade document at 
>> https://tomcat.apache.org/migration-7.html  and applied the changes to 
>> attributes on  and  but after a restart there was no change. 
>> As this is a single instance, single application, and no bells or whistles, 
>> and Tomcat clearly starts up OK (Catalina.out says so :-) I am naively 
>> assuming that it's "just" a configuration issue.
>>
>> However, in tomcat.conf there is a setting for 
>> TOMCATS_BASE="/var/lib/tomcats" (plural), which I have never used (it was 
>> there in earlier versions too). That directory is empty. The comment above 
>> the setting says:
>>
>> # In new-style instances, if CATALINA_BASE isn't specified, it will
>> # be constructed by joining TOMCATS_BASE and NAME.
>
> Those last two variables are package specific.
>
>> However, it fails to specify what NAME is or should be. There is no 
>> CATALINA_BASE in this file (nor was there in earlier versions: where is it 
>> defined?). Declaring CATALINA_BASE="/var/lib/tomcat" and restarting Tomcat 
>> changes the error message to the Apache one-liner "temporarily unable to 
>> service your request", and the Apache logs for the virtual hosts we serve do 
>> indeed show lots of these:
>>
>> (111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 
>> (localhost) failed
>> AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
>> [proxy_ajp:error] [pid 15285] [client aaa.bbb.ccc.ddd:16543] AH00896: failed 
>> to make connection to backend: localhost
>>
>> I'm now going to start trawling the logs for hints as to why Tomcat has lost 
>> track of where it should look for the application. Any suggestions would be 
>> warmly received.

In my experience, a 404 after an update (with no other application
changes) suggests that the application failed deployment. Can you
verify that you don't see any exceptions in your log?

> The Tomcat logs should at least tell you what - if anything - Tomcat is
> deploying.
>
>> (Yes, I know we should be installing Tomcat from source: I have been arguing 
>> this case unsuccessfully for many years :-( but this is a state-funded 
>> university, so we don't have corporate levels of funding or people to be 
>> able to hand-build everything.)
>
> There are pros and cons to every installation method. Installing from
> the OS packages usually makes things easier but it can make it a little
> harder to get help when things go wrong.
>
> There is no one 'right' way to install Tomcat. Pick the one that works
> best for you (and be prepared to try an alternative if you hit problems).

+1 :)

>
>
>>
>> ///Peter
>>
>>
>>
>
>
>


Re: Tomcat is stopping on its own even though stop script is not executed

2017-07-21 Thread Coty Sutherland
On Thu, Jul 20, 2017 at 3:05 PM, Chaitanya Sabbineni
 wrote:
> Hi,
>
> Just to explain what exactly is happening: we are taking a backup of the
> server at 12:00 AM daily, which is a type of offline backup. After the backup
> the server runs fine for 2 hours, and at exactly 2:00 AM the server stops
> on its own. This stopping does not occur daily, and whenever
> this issue occurs it is at 2:00 AM.

Always stopping at 2:00 AM is very suspicious. As you're on linux and
I've seen users experience similar things before, please verify
that you don't have a cronjob that's killing/restarting the service in
addition to the previous suggestion to check for logrotate. You said
it doesn't stop daily, but does it stop weekly or every N days? I'm
sure that there's some sort of pattern to this in addition to stopping
at a specific time.

> In order to check more logs we tried to increase the logging level from
> Fine to Finest, and upon changing the logging level the server is not
> stopping on its own.
>
> when I listed the top command in Linux which will return all the running or
> active process it's not listing tomcat which means its stopped.
>
> I checked the available memory at that time and its 139mb.
>
> From the error log can anyone help in pointing to the timer task that is
> preventing the jvm to stop.
>
> Thanks in advance
>
> On Thu, 20 Jul 2017 11:37 pm Mark Eggers, 
> wrote:
>
>> Chaitanya,
>>
>> This will be long and somewhat speculative.
>>
>> On 7/20/2017 9:00 AM, Christopher Schultz wrote:
>> > Chaitanya,
>> >
>> > On 7/20/17 11:03 AM, Chaitanya Sabbineni wrote:
>> >> Stop script in the sense it's Catalina script only but we usually
>> >> stop tomcat using the command Catalina.sh stop. But in our case we
>> >> are not manually executing this script to stop tomcat and tomcat is
>> >> stopping on its own.
>> >
>> >> our main problem here us tomcat is stopping on its own and it needs
>> >> a restart.
>> >
>> > Right.
>> >
>> >> If I understand you correct you are telling TimerThread that does
>> >> not stop when the application is shut down. Can you let me know
>> >> what actually the timer thread mean. And moreover if the timer
>> >> thread didn't stop ideally tomcat shouldn't stop but in our case
>> >> it's stopping.
>> >
>> > Tomcat is stopping but the JVM is not. If your application were to
>> > shut-down cleanly, then the JVM would exit as well. This is unrelated
>> > to your real problem (unexpected Tomcat shutdown), but you might want
>> > to look into fixing that, because it makes your application impossible
>> > to reload without risking serious heap space problems.
>> >
>> >> Yes my question is why Tomcat is being shut down at all.
>> >
>> >> Yes when ever tomcat is stopping on own(not daily) it stops at
>> >> 02:00 . You mentioned that your  guess is that we are using a
>> >> service runner that is configured to bounce your services at
>> >> 02:00.Can let me know what this service runner is and how to check
>> >> it.
>> >
>> > I know nothing about your environment. Until you mentioned
>> > "catalina.sh stop" above, I didn't even know you were on a UNIX-like
>> > environment. Honestly, I assumed you were on Windows because
>> > "mysterious service stoppage" has Microsoft Windows behavior written
>> > all over it.
>> >
>> > There are two ways to trigger a Tomcat shut down:
>> >
>> > 1. Send a TERM signal to the process
>> > 2. Connect to Tomcat's shutdown listener (default: port 8005) and give
>> > the shutdown command (default: "SHUTDOWN")
>> >
>> > You can eliminate one of those possibilities by setting the shutdown
>> > port in server.xml to "" (empty) which will disable this type of
>> > shutdown:
>> >
>> > > >
>> > You cannot disable the other type of shutdown... any user on the
>> > system who can send a TERM signal to your process could terminate
>> > Tomcat.
>> > As for catching whoever is shutting down your Tomcat, you may want to
>> > look at who has administrative access to your server, and who has
>> > access to the user running your Tomcat server.
>> >
>> > Check your syslog to find sudo and cron events that might be
>> > automatically shutting-down Tomcat.
>> >
>> > If you want to catch a TCP connection, you will likely have to enable
>> > tcpwrappers, iptables, ipfw, etc. to log connections to port 8005.
>> > Those logs will only tell you that the command is being sent, not who
>> > is sending it.
>> >
>> > -chris
>>
>> I am going to go out on a limb here and try to explain things. Please
>> note that this is all based upon reading between the lines, and may not
>> at all reflect what is actually going on.
>>
>> Overview
>> 
>>
>> I suspect the following:
>>
>> 1. Logrotate of catalina.out at 2 AM
>> 2. Tomcat JVM fails to exit, then restart
>>
>> Detail
>> --
>>
>> 1. Logrotate (or other log rotation utility)
>>
>> There are several ways that one can use to rotate catalina.out. See the
>> 
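
The shutdown-listener check described in the quoted reply can be run against server.xml before looking at signals, cron or sudo. This is an added example, not code from the thread or from the Tomcat project: the function name and sample documents are constructed, and it assumes the `port`, `shutdown` and `address` attributes of the `<Server>` element, with `port="-1"` as Tomcat's documented value for a disabled listener. It does not cover the TERM-signal path.

```python
import xml.etree.ElementTree as ET

DEFAULT_PORT = "8005"         # default shutdown port named in the thread
DEFAULT_COMMAND = "SHUTDOWN"  # default shutdown command named in the thread
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample documents, trimmed to the <Server> element.
SAMPLE_DEFAULT = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
SAMPLE_DISABLED = '<Server port="-1" shutdown="SHUTDOWN"/>'
SAMPLE_EMPTY = '<Server port="" shutdown="SHUTDOWN"/>'
SAMPLE_EXPOSED = '<Server port="8005" address="0.0.0.0" shutdown="constructed-value"/>'


def audit_shutdown_listener(server_xml):
    """Summarise how a server.xml document configures Tomcat's shutdown listener."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")

    # Attributes that are absent fall back to Tomcat's defaults.
    raw_port = root.get("port", DEFAULT_PORT).strip()
    command = root.get("shutdown", DEFAULT_COMMAND)
    address = root.get("address", "localhost").strip()
    findings = []

    try:
        port = int(raw_port)
    except ValueError:
        port = None

    if port is None:
        # Empty or non-numeric value: do not guess, verify on the host.
        state = "unknown"
        findings.append(
            "port=%r is not a number; confirm on the host whether a listener is open" % raw_port
        )
    elif port == -1:
        state = "disabled"
    else:
        state = "enabled"
        if command == DEFAULT_COMMAND:
            findings.append("default shutdown command in use on port %d" % port)
        if address.lower() not in LOOPBACK:
            findings.append("listener bound to %s rather than loopback" % address)

    return {
        "state": state,
        "port": port,
        "address": address,
        "default_command": command == DEFAULT_COMMAND,
        "findings": findings,
    }


if __name__ == "__main__":
    samples = [
        ("default", SAMPLE_DEFAULT),
        ("disabled", SAMPLE_DISABLED),
        ("empty port", SAMPLE_EMPTY),
        ("exposed", SAMPLE_EXPOSED),
    ]
    for label, doc in samples:
        result = audit_shutdown_listener(doc)
        print(label, result["state"], result["findings"])
```

A result of `enabled` means the TCP path is still a candidate for the 02:00 shutdowns; `disabled` leaves only the signal path to investigate.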

Re: tomcat 7, null tag attributes

2017-06-15 Thread Coty Sutherland
ed on a version
>>> over a year old I suspect that the chances of this being quick
>>> are very low.
>>>
>>> None of those options look ideal. I'd probably go with 1 but my
>>> familiarity with Tomcat is such that I usually prefer to work
>>> with an ASF distribution rather than a downstream one anyway.
>>> YMMV.
>>>
>>> Mark
>>>
>>>
>>> [1] https://issues.apache.org/bugzilla/show_bug.cgi?id=43285
>>>
>>>
>>>
>> Mark,
>>
>> Thanks for the investigation into this.
>>
>> You are right in that (1) is the best option. Finding time to
>> translate the ASF distribution into one with appropriate run
>> scripts and configs, along with a mechanism for in-place updating
>> is tough. Having RPMs for that saves me a lot of time which is why
>> I stuck with 7.x for so long. In the meantime I'll figure out the
>> cleanest ugly workaround I can. I definitely won't lobby for any
>> non-security fixes in a product that is 2+ generations old and is
>> probably approaching EOL in the not too distant future.
>
> Coty Sutherland is the package maintainer for RedHat's Tomcat package.

I'm glad I was reading this thread :)

> Perhaps he could be persuaded to create a tomcat85 package. Try
> posting a new question to the list about a Tomcat 8.5 package for
> RHEL/CentOS and see if you can get his attention.

Actually I already produced a COPR build of tomcat 8.5 in Fedora
(https://copr.fedorainfracloud.org/coprs/csutherl/tomcat/) for a
couple of versions of Fedora (24 and 25). I did something with the
sub-packages that I want to revert in that version (it's not a
functional thing), but it is a working build. I can rebase to the
latest and rebuild for epel-7 if you'd like to use it, just let me
know. Also note that these COPR builds are provided as-is (I do some
basic testing), but if they're useful to the community I don't mind
fixing bugs if any; I think you'd just have to contact me directly or
use some facility other than BZ.

> Even if it's not an "official RPM" maybe he can help build one.
>
> -chris



Re: Under system account, Tomcat starts even with shutdown port conflict

2017-06-08 Thread Coty Sutherland
On Thu, Jun 8, 2017 at 11:21 AM, Tou Vue  wrote:
> Hello,
>
> I have a question regarding how Tomcat starts up under the system account
> and local user account in Windows. I had a Tomcat service that would start
> fine under the system account, but once I configured it to start under the
> local user account, I received a JVM_Bind exception. It looks like the
> Tomcat was not able to access the shutdown port configured.
>
> I figured it was a port conflict, another service was using the same port.
> So, I changed the port so there was no conflict, and Tomcat started up okay
> again. But I'm still wondering why Tomcat was able to start up with the
> system account even with the same port conflict.

Are you sure it was a port conflict and that the port wasn't somehow
protected by the OS?

> Any suggestions would be appreciated.
>
> Thank You,
> Tou Vue




Re: Tomact 7.x - Subscription

2017-06-08 Thread Coty Sutherland
Hello,

On Thu, Jun 8, 2017 at 9:10 AM, Mahajan, Arvind 
wrote:

> Hi
>
>
>
> I am new to tomcat , considering evaluation of Tomcat vs. JBOSS EAP in my
> new application hosting requirement.
>
> My application vendor support both (Tomcat & JBOSS) middle ware
>
>
>
> Operating system - RHEL *6.9 and 7.3* on which Tomcat 7 will be installed
> (refer below screen shot)
>
>
>
> *Questions *
>
> · Does tomcat 7.x works on RHEL *6.9 and 7.3* (see below yellow
> mark)?
>
Yes

> · Pls share Operating support matrix for tomcat.
>
There is no operating system support matrix for Tomcat. It is written in
Java, which is platform agnostic, so as long as it has the required Java
version (which can be found at http://tomcat.apache.org/whichversion.html for
each Tomcat version) it will work. The only part of Tomcat that has any
platform dependencies other than Java is tomcat-native, which requires APR
and OpenSSL (if you use TLS).

> · Help me to know do I have to pay money for subscription to get
> your support on configuration , installation, get vulnerabilities fixes ,
> troubleshooting in problem ?
>
> · Benefit of Subscription ?
>
There is no subscription to use Apache Tomcat as it is Free and Open Source
Software. Support for Apache Tomcat from the community is provided by
volunteers via this users list and/or IRC, but responses are not always
immediate. If you wanted to pay for support (which guarantees support
whenever you need it), then you could use the Tomcat package provided by
your Linux distribution (in the case of RHEL).

>
> Arvind Mahajan
> Manager – IT
> Volkswagen Finance Private Limited
> Silver Utopia, 3rd Floor
> Cardinal Gracious Road
> Chakala, Andheri East
> Mumbai – 400099
>
> Desk: +91 22 3952 1102
> Mobile: +91 9619935570
>


Re: TomcatCon Meetup (UPDATE)

2017-05-18 Thread Coty Sutherland
Aw, I missed the picture :( maybe I'll have my wife Photoshop me in

On May 18, 2017 4:19 PM, "Leon Rosenberg" <rosenberg.l...@gmail.com> wrote:

> Awesome, thanks!
>
> Sent from my iPhone
>
> > On 18. May 2017, at 14:58, Huxing Zhang <hux...@apache.org> wrote:
> >
> > Hi All,
> >
> > The pic for the meetup yesterday can be found here:
> >
> > https://www.dropbox.com/s/vu02lnrs77up5mc/IMG_0591.JPG
> >
> >> On Wed, May 17, 2017 at 8:46 PM, Coty Sutherland <csuth...@redhat.com>
> wrote:
> >> Sorry I had to run off, hopefully you guys had a productive meeting :)
> >>
> >>> On May 17, 2017 7:02 PM, "Coty Sutherland" <csuth...@redhat.com>
> wrote:
> >>>
> >>> We're sitting next to the pool. The room is occupied :(
> >>>
> >>> On May 17, 2017 9:12 AM, "Christopher Schultz" <
> >>> ch...@christopherschultz.net> wrote:
> >>>
> >>>> All,
> >>>>
> >>>> Let's move the Meetup to "immediately following the Lightning Talks",
> >>>> since that is a popular event at the conference.
> >>>>
> >>>> -chris
> >>>>
> >>>>>
> >>>>> All,
> >>>>>
> >>>>> For those of you at ApacheCon in Miami, here are the details for the
> >>>> Tomcat Meetup. Come and meet fellow members of the community,
> committers,
> >>>> and new friends.
> >>>>>
> >>>>> Time: 18:00 EDT
> >>>>> Place: Escorial Conference Room (where all TomcatCon sessions are
> being
> >>>> held)
> >>>>>
> >>>>> All are welcome to the meetup, and also the inevitable dinner and
> >>>> drinks to follow.
> >>>>>
> >>>>> Thanks,
> >>>>> -chris
> >>>>>
> >>>>>


Re: TomcatCon Meetup (UPDATE)

2017-05-17 Thread Coty Sutherland
Sorry I had to run off, hopefully you guys had a productive meeting :)

On May 17, 2017 7:02 PM, "Coty Sutherland" <csuth...@redhat.com> wrote:

> We're sitting next to the pool. The room is occupied :(
>
> On May 17, 2017 9:12 AM, "Christopher Schultz" <
> ch...@christopherschultz.net> wrote:
>
>> All,
>>
>> Let's move the Meetup to "immediately following the Lightning Talks",
>> since that is a popular event at the conference.
>>
>> -chris
>>
>> >
>> > All,
>> >
>> > For those of you at ApacheCon in Miami, here are the details for the
>> Tomcat Meetup. Come and meet fellow members of the community, committers,
>> and new friends.
>> >
>> > Time: 18:00 EDT
>> > Place: Escorial Conference Room (where all TomcatCon sessions are being
>> held)
>> >
>> > All are welcome to the meetup, and also the inevitable dinner and
>> drinks to follow.
>> >
>> > Thanks,
>> > -chris
>> >
>> >


Re: TomcatCon Meetup (UPDATE)

2017-05-17 Thread Coty Sutherland
We're sitting next to the pool. The room is occupied :(

On May 17, 2017 9:12 AM, "Christopher Schultz" 
wrote:

> All,
>
> Let's move the Meetup to "immediately following the Lightning Talks",
> since that is a popular event at the conference.
>
> -chris
>
> >
> > All,
> >
> > For those of you at ApacheCon in Miami, here are the details for the
> Tomcat Meetup. Come and meet fellow members of the community, committers,
> and new friends.
> >
> > Time: 18:00 EDT
> > Place: Escorial Conference Room (where all TomcatCon sessions are being
> held)
> >
> > All are welcome to the meetup, and also the inevitable dinner and drinks
> to follow.
> >
> > Thanks,
> > -chris
> >
> >


Re: TomcatCon Meetup

2017-05-16 Thread Coty Sutherland
\o/

On May 16, 2017 10:35 PM, "Christopher Schultz" <
ch...@christopherschultz.net> wrote:

> All,
>
> For those of you at ApacheCon in Miami, here are the details for the
> Tomcat Meetup. Come and meet fellow members of the community, committers,
> and new friends.
>
> Time: 18:00 EDT
> Place: Escorial Conference Room (where all TomcatCon sessions are being
> held)
>
> All are welcome to the meetup, and also the inevitable dinner and drinks
> to follow.
>
> Thanks,
> -chris
>
>


Re: [OT] ApacheCon anyone?

2017-05-12 Thread Coty Sutherland
On Fri, May 12, 2017 at 1:25 PM, Christopher Schultz
 wrote:
> Leon,
>
> On 5/12/17 6:04 AM, Leon Rosenberg wrote:
>> Just wondering if there are any plans for an informal get-together
>> at the apache con in Miami next week? I know that Mark, Christopher
>> and some others are there as speakers, so maybe an informal meetup,
>> where non-committers buy committers a pizza or burger and have some
>> chat?
>
> Wait... you are coming and not giving a talk on MosKito?!?
>
> Anyway, we usually organize something in advance, but it seems
> nobody has taken the lead on that yet. Let me see what the meet-up
> schedule looks like and if we can get a time that won't interfere with
> other meet-ups.

Thanks for looking into this Chris! There have been a few inquiries
about a meetup on #tomcat, so +1 for this :)

> -chris



Re: tomcat management interface gives 403 forbidden error

2017-05-08 Thread Coty Sutherland
On Fri, May 5, 2017 at 12:13 PM, Tim Dunphy  wrote:
> I've had to configure two tomcat servers recently. I've setup one tomcat
> server using version 8.5.13 and that works fine. I can access Server
> Status, Manager App and Host Manager web interfaces with no problem.
>
> But when I tried setting up a new tomcat server running tomcat version
> 8.5.14 by copying the same configs from the 8.5.13 server I'd
> built I get access denied 403 on the Server Status and Manager app. But
> oddly only the Host Manager web interface works correctly. I can access
> that.
>
> I need to figure out why the same configs that work on the first server,
> give me 403 denied on the second server.
>
> This is what I have on each:
>
> Working server Java:
>
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
>
> Non working server have a newer java:
>
> java version "1.8.0_131"
> Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
> Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
>
> Everything else is identical in terms of configuration.
>
> Both have java and tomcat variables setup in /etc/profile:
>
> JAVA_HOME='/usr/lib/jvm'
> CATALINA_HOME='/usr/local/tomcat'
>
> export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL JAVA_HOME
> CATALINA_HOME
>
> Both servers have the same config files, copied from the 1st working server
> to the 2nd non working server.
>
> Tomcat users config:
>
> cat /usr/local/tomcat/conf/tomcat-users.xml
> 
>  roles="manager-gui,admin-gui"/>
> 
>
> The context configuration file has this:
>
>  cat /usr/local/tomcat/conf/context.xml
> 
> 
> 
> 
> 
> 
>
>
> And the webapps context.xml config for both tomcats has this:
>
> cat /usr/local/tomcat/webapps/host-manager/META-INF/context.xml
> 
> 
> 
> 
> 
>
> Why is tomcat server 1 (version 8.5.13) working and the newer tomcat
> version (8.5.14) on server 2 not working?
>
> Thanks in advance!

I responded to your post on SO,
http://stackoverflow.com/questions/43765049/tomcat-management-interface-gives-403-forbidden-error,
a couple days ago. You can answer the questions here or there :)

> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B




Re: TomcatCon @ ApacheCon

2017-02-06 Thread Coty Sutherland
OK, I submitted a proposal for the linux packaging talk here
http://events.linuxfoundation.org/cfp/proposals/14925/13455 . I can't
update the Confluence page though.

On Fri, Feb 3, 2017 at 2:31 PM, Coty Sutherland <csuth...@redhat.com> wrote:
> Hi Emmanuel,
>
>> If you already have a draft of your presentation you can send it to me
>> and I'll insert a few slides about Debian.
>
> I haven't even started yet :( I need to block out some time to submit
> the abstract and start the presentation soon. If you can just give me
> a few slides on the basic layout of the debian distro I can add them
> to the presentation I create and then send it to you to review. If
> you'd rather add to my presentation yourself, I'll just send it over
> when I start working on it and we can go from there.
>
> On Fri, Feb 3, 2017 at 9:44 AM, Emmanuel Bourg <ebo...@apache.org> wrote:
>> Le 1/02/2017 à 20:20, Coty Sutherland a écrit :
>>> I'm still planning to submit for the linux packaging talk (though I
>>> haven't heard anything else form the other distro maintainers), just
>>> haven't done it yet. I suppose I could volunteer for one of the
>>> others, I'll check the list.
>>
>> Hi Coty,
>>
>> If you already have a draft of your presentation you can send it to me
>> and I'll insert a few slides about Debian.
>>
>> Emmanuel Bourg
>>
>>



Re: TomcatCon @ ApacheCon

2017-02-03 Thread Coty Sutherland
Hi Emmanuel,

> If you already have a draft of your presentation you can send it to me
> and I'll insert a few slides about Debian.

I haven't even started yet :( I need to block out some time to submit
the abstract and start the presentation soon. If you can just give me
a few slides on the basic layout of the debian distro I can add them
to the presentation I create and then send it to you to review. If
you'd rather add to my presentation yourself, I'll just send it over
when I start working on it and we can go from there.

On Fri, Feb 3, 2017 at 9:44 AM, Emmanuel Bourg <ebo...@apache.org> wrote:
> Le 1/02/2017 à 20:20, Coty Sutherland a écrit :
>> I'm still planning to submit for the linux packaging talk (though I
>> haven't heard anything else from the other distro maintainers), just
>> haven't done it yet. I suppose I could volunteer for one of the
>> others, I'll check the list.
>
> Hi Coty,
>
> If you already have a draft of your presentation you can send it to me
> and I'll insert a few slides about Debian.
>
> Emmanuel Bourg
>
>



Re: TomcatCon @ ApacheCon

2017-02-01 Thread Coty Sutherland
I'm still planning to submit for the linux packaging talk (though I
haven't heard anything else from the other distro maintainers), just
haven't done it yet. I suppose I could volunteer for one of the
others, I'll check the list.

On Wed, Feb 1, 2017 at 2:13 PM, Mark Thomas  wrote:
> On 01/02/2017 19:09, Christopher Schultz wrote:
>> All,
>>
>> On 1/17/17 5:04 PM, Mark Thomas wrote:
>>> On 09/01/2017 11:57, Mark Thomas wrote:
>>
>>> 
>>
 I look forward to hearing your topic ideas.
>>
>>> Thanks for all the great ideas so far. I've tried to pull them all
>>> together here:
>>> https://cwiki.apache.org/confluence/display/TOMCAT/TomcatCon+NA+2017
>>
>>>  I'm waiting to hear back from the ApacheCon folks as to how this
>>> would work. I'll update this thread with info as I get it.
>>
>> Only 10 more days before the CFP closes:
>>
>> http://events.linuxfoundation.org/events/apachecon-north-america/program/cfp
>>
>> I haven't seen anyone specifically mention that they had submitted a
>> proposal. I'm just really hoping that it's not markt and me
>> tag-teaming a whole day of presentations (again).
>
> It won't be that. It might be three days with you, me and jfclere...
>
>> I am certainly willing to help someone get started if they'd like to
>> do a presentation and aren't sure how to proceed.
>
> I've probably got slide decks for a couple.
>
> Mark
>



Re: Apache Tomcat/7.0.39 crashed with fatal error

2017-01-27 Thread Coty Sutherland
> # Problematic frame:
> # J  
> org.apache.http.impl.cookie.BestMatchSpec.formatCookies(Ljava/util/List;)Ljava/util/List;

Generally a crash in a java frame is a JVM bug. A quick google search
of the problematic frame yields the following first result,
https://github.com/rholder/jvm-loop-unswitching-bug. Looking at the
java7 bug linked on the page
(http://bugs.java.com/view_bug.do?bug_id=8025398) and further details
from the bug that the fix was backported from
(http://bugs.java.com/view_bug.do?bug_id=8021898) shows evidence that
this is likely your issue. You'll need to update your JDK or use the
suggested workaround to prevent future occurrences.

On Thu, Jan 26, 2017 at 4:40 PM, Christopher Schultz
 wrote:
> Aurélien,
>
> On 1/26/17 4:31 PM, Aurélien Terrestris wrote:
>> maybe you're just sending cookies with non-compliant characters.
>> Please check what you're sending if you can reproduce this problem
>> yourself
>>
>> RFC 6265 says  :
>>
>> cookie-value  = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
>> cookie-octet  = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ;
>> US-ASCII characters excluding CTLs, ; whitespace DQUOTE, comma,
>> semicolon, ; and backslash
>
> Even if the client is sending a malformed HTTP header (or cookie,
> specifically), it shouldn't crash the JVM.
>
> -chris
>
>> 2017-01-26 22:22 GMT+01:00 Satish Chhatpar 02
>> :
>>
>>> Yes all of them failed in the same way.
>>>
>>>
>>> # Problematic frame: # J
>>> org.apache.http.impl.cookie.BestMatchSpec.formatCookies(
>>> Ljava/util/List;)Ljava/util/List;
>>>
>>>
>>>
>>> Regards
>>>
>>> Satish Chhatpar
>>>
>>>
>>>  From: Christopher Schultz
>>>  Sent: Friday, January 27, 2017
>>> 2:44:54 AM To: Tomcat Users List Subject: Re: Apache
>>> Tomcat/7.0.39 crashed with fatal error
>>>
>> Satish,
>>
>> On 1/26/17 3:42 PM, Satish Chhatpar 02 wrote:
> Thanks Chris. I appreciate your help.
>
> All 4 tomcats are on diff machines. One on each, with same
> tomcat version, same java version and same OS for all.
>>
>> Did they all fail in the same way (JVM crash @
>> org.apache.http.impl.cookie.BestMatchSpec.formatCookies)?
>>
> Tomcats are not in cluster.
>>
>> I would highly recommend upgrading the JVM on one of those servers
>> to 1.7.latest to see if everything still works. If things go well,
>>  upgrade all of them.
>>
>> Then deploy the 1.8.latest to one of them. Tomcat shouldn't have
>> any compatibility issues with Java 8, but you will definitely want
>> to test everything in your application of course.
>>
>> -chris
>>
>  From: Christopher Schultz
>  Sent: Friday, January 27, 2017
> 1:52:47 AM To: Tomcat Users List Subject: Re: Apache
> Tomcat/7.0.39 crashed with fatal error
>
> Satish,
>
> On 1/26/17 2:28 PM, Satish Chhatpar 02 wrote:
>> we are using Apache Tomcat/7.0.39 for our java
>> application.
>
> I highly recommend an upgrade for both Tomcat and Java.
> There are published vulnerabilities for both product versions
> you are using.
>
>> There are 4 tomcat instances using same tomcat version and
>> java version. yesterday all 4 tomcats crashed with below
>> error in hs_err_pid log file.
>
> All on the same hardware? Or separate machines?
>
>> This log file was created for all 4 tomcats.
>
>> Its very peculiar behaviour that all 4 crashed around same
>> time.
>
> If they are in a cluster, one going down could cause the
> load on the others to go up, increasing the chances of a
> problem.
>
>> Any information can help us to mitigate this incident.
>
>> Apache Tomcat/7.0.39
>
> Unless this is a package-managed version of Tomcat with an
> unfortunately inaccurate version number, that version of
> Tomcat is nearly 3 years old. The current version in the
> 7.0.x line is 7.0.75 (released yesterday).
>
>> java version "1.7.0_21" Java(TM) SE Runtime Environment
>> (build 1.7.0_21-b11) Java HotSpot(TM) 64-Bit Server VM
>> (build 23.21-b01, mixed mode)
>
> That version of Java is also nearly 3 years old. Latest 1.7
> build is 1.7.0_80 release nearly 3 years ago. Note that Java
> 7 is no longer supported unless you have a long-term support
> contract with Oracle, in which case the latest version is
> 1.7.0_131, released earlier this month.
>
>> OS used
>
>
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
> Ouch! 5 years old!
>
>> # # A fatal error has been detected by the Java Runtime
>> Environment: # #  SIGSEGV (0xb) at pc=0x7fed24ecfe9e,
>> pid=21352, tid=140656275650304 # # JRE version: 7.0_21-b11
>> # Java VM: Java HotSpot(TM) 64-Bit 
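
The RFC 6265 `cookie-value` grammar quoted in the message above can be checked mechanically when looking for cookies with non-compliant characters. This is an added example, not code from the thread, Tomcat or HttpClient: the function names and the sample header are constructed, and it goes one step beyond the quoted rule by splitting a whole `Cookie` header value into pairs before checking each value.

```python
# cookie-octet ranges from the RFC 6265 grammar quoted in the thread:
#   %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
OCTET_RANGES = ((0x21, 0x21), (0x23, 0x2B), (0x2D, 0x3A), (0x3C, 0x5B), (0x5D, 0x7E))

# Constructed Cookie header value with compliant and non-compliant pairs.
SAMPLE_HEADER = 'sid=abc123; pref="lang=en"; path=C:\\temp; note=hello world; csv=a,b; orphan'


def is_cookie_octet(ch):
    """True if ch is allowed as a cookie-octet (no CTLs, space, DQUOTE, comma, ';', '\\')."""
    code = ord(ch)
    return any(low <= code <= high for low, high in OCTET_RANGES)


def invalid_octets(value):
    """Return (offset, char) for every character that violates cookie-value.

    cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ), so one
    balanced pair of surrounding double quotes is accepted; a lone or
    embedded quote is reported like any other disallowed character.
    """
    start, end = 0, len(value)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        start, end = 1, end - 1
    return [(i, value[i]) for i in range(start, end) if not is_cookie_octet(value[i])]


def audit_cookie_header(header_value):
    """Check each cookie-pair of a Cookie header value against the grammar."""
    bad_values = {}
    malformed_pairs = []
    for pair in header_value.split(";"):
        pair = pair.strip(" ")
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not name:
            # No '=' usually means an unescaped ';' split a value in two.
            malformed_pairs.append(pair)
            continue
        problems = invalid_octets(value)
        if problems:
            bad_values[name] = problems
    return {"bad_values": bad_values, "malformed_pairs": malformed_pairs}


if __name__ == "__main__":
    report = audit_cookie_header(SAMPLE_HEADER)
    for name, problems in report["bad_values"].items():
        for offset, ch in problems:
            print("%s: offset %d, 0x%02X" % (name, offset, ord(ch)))
    print("malformed pairs:", report["malformed_pairs"])
```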

Re: Tomcat maintainer's ApacheCon NA presentation

2017-01-23 Thread Coty Sutherland
Hi Emmanuel,

Thanks for the input and I'm glad the idea is being so well received.
I'd love for you to share some slides with me on the Debian/Ubuntu
distribution as I have very limited experience with them and tomcat
(I've used Raspbian and Kali a good bit, but mostly use Fedora) :)
Also if you have any resources that you can point me to to help me
learn about tomcat on those distros that would help me better support
users in #tomcat on freenode (I get a good amount of distro-specific
questions there).



Thanks again!

On Mon, Jan 23, 2017 at 4:08 AM, Emmanuel Bourg <ebo...@apache.org> wrote:
> Hi Coty,
>
> This is an excellent idea. I won't be able to attend ApacheCon NA but
> I'll be happy to provide some input for your presentation and contribute
> a few slides to describe the Tomcat packaging in Debian/Ubuntu.
>
> Emmanuel Bourg
>
> Le 19/01/2017 à 19:26, Coty Sutherland a écrit :
>> Hi all,
>>
>> My name is Coty and I'm the maintainer for RHEL tomcat and a
>> co-maintainer for Fedora/EPEL tomcat. I'm reaching out to you all in
>> response to the tomcat users list thread (subject: TomcatCon @
>> ApacheCon) to see if you're interested in doing a talk with me about
>> linux packaging at the upcoming ApacheCon NA conference. Is anyone
>> interested? Do you know any of the maintainers for other linux
>> distributions that may be interested?
>>
>> As far as the talk goes, I figure it could be a panel discussion; we
>> can take some topics/slides on how each distro packages tomcat
>> differently and why we do that, then get the audience engaged to
>> solicit some feedback on how we can better provide tomcat in our
>> respective distros. We could also use this as a forum to bring up
>> tomcat backwards compatibility issues, as I've gotten lots of
>> complaints about that in the past :( The other tomcat committers seem
>> to be pretty open to these discussions, so I'd love to include other
>> distros in the conversation to get all the different perspectives we
>> can.
>>
>>
>>
>> Thanks!
>> Coty
>>
>




Re: TomcatCon @ ApacheCon

2017-01-19 Thread Coty Sutherland
> That's a reasonable position to take IMO, it's just not the position
> that the Tomcat team took.

I think so ;)

> The result was Tomcat 8.5 which is essentially the best of both
> worlds. One could argue that Tomcat 9 should have become Tomcat 10 and
> Tomcat 8.5 should have instead been Tomcat 9.0, but our
> versioning-scheme has generally followed the Servlet-spec version, so
> that Tomcat X+1 supports the spec version following the one that
> Tomcat X supported.

When you explain it that way it makes total sense, but users outside
of the tomcat development circles (read maintainers/consumers of that
distro's package, like freeipa) didn't know that so they assumed that
it was just a regular 8.x release (and were probably confused where
the 5 came from). I've been explaining that it's a fork of 9, etc but
that isn't always well received which is understandable IMO.

> It's important that the Tomcat team understands these outside
> perspectives. We may have made a different decision given that kind of
> input. I'm glad that more maintainers, etc. are becoming a part of
> this community. I think it's going to improve things for everyone.

I agree, which is why I'm here being vocal about it. Hopefully sharing
my viewpoint will help us prevent future issues like this, or at least
minimize them.

> I'm looking forward to meeting you in Miami!

Likewise! And thanks for the great explanation, it'll help my
arguments with consumers of the tomcat package later :)




Tomcat maintainer's ApacheCon NA presentation

2017-01-19 Thread Coty Sutherland
Hi all,

My name is Coty and I'm the maintainer for RHEL tomcat and a
co-maintainer for Fedora/EPEL tomcat. I'm reaching out to you all in
response to the tomcat users list thread (subject: TomcatCon @
ApacheCon) to see if you're interested in doing a talk with me about
linux packaging at the upcoming ApacheCon NA conference. Is anyone
interested? Do you know any of the maintainers for other linux
distributions that may be interested?

As far as the talk goes, I figure it could be a panel discussion; we
can take some topics/slides on how each distro packages tomcat
differently and why we do that, then get the audience engaged to
solicit some feedback on how we can better provide tomcat in our
respective distros. We could also use this as a forum to bring up
tomcat backwards compatibility issues, as I've gotten lots of
complaints about that in the past :( The other tomcat committers seem
to be pretty open to these discussions, so I'd love to include other
distros in the conversation to get all the different perspectives we
can.



Thanks!
Coty




Re: TomcatCon @ ApacheCon

2017-01-19 Thread Coty Sutherland
> How about this: submit a topic to the Call for Papers[1] and choose
> "Panel Discussion" for the "Submission Type". If you can get some
> other maintainers coordinated, you can choose to prepare some slides
> (maybe 5 mins each) and/or come with some conversation questions to
> get things started with a panel. Open up to the audience as well. I
> suspect you'll get a good conversation going. I'll certainly be there
> unless I must be elsewhere.

That sounds good to me. I'll put something together and submit as soon
as I can after checking with other maintainers to see if they're
interested.

> I know that some of the APR and httpd folks are absolutely rabid about
> not breaking backwards-compatibility. Perhaps we could bring them into
> the discussion to hear some of the things that they look for when
> maintaining compatibility.

That would be interesting. I'll try and chase up some of the
complaints that I've heard recently to see if I can bring them to the
list and sort them out.

> That's a new major release of Tomcat, though. We ought to be able to
> break whatever we want, there. I think complaints about lack of
> backward-compatibility are unwarranted in this particular case.

I'm not sure I agree with that (and I'm positive that other groups
don't because I've heard complaints). It's the same major version (8),
just a minor version update so the general expectation is that there
aren't any breaking changes. If we were talking about the difference
between 8 and 9, then sure we can do whatever is necessary as long as
things were properly deprecated, etc.

On Thu, Jan 12, 2017 at 3:30 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Coty,
>
> On 1/11/17 12:24 PM, Coty Sutherland wrote:
>> On Tue, Jan 10, 2017 at 3:14 PM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>> +1
>>
>> I'm glad someone is interested :)
>>
>>> Perhaps we could have some representatives from the various
>>> distributions give a joint presentation.
>>
>> That would be great. I'd love to meet the other distro
>> maintainers.
>
> [snip]
>
>>> I think it would be a good idea to use some of that time to
>>> solicit feedback from the audience about what the distros could
>>> do to make things easier...
>>
>> +1, definitely. I will do anything that we can to drive adoption
>> of tomcat up (distro-specific versions or ASF).
>
> How about this: submit a topic to the Call for Papers[1] and choose
> "Panel Discussion" for the "Submission Type". If you can get some
> other maintainers coordinated, you can choose to prepare some slides
> (maybe 5 mins each) and/or come with some conversation questions to
> get things started with a panel. Open up to the audience as well. I
> suspect you'll get a good conversation going. I'll certainly be there
> unless I must be elsewhere.
>
>> The biggest concern that I've heard from various of the involved
>> people (and may be a reason why other distros don't consume
>> updates as frequently) is that tomcat is not that great at
>> maintaining backwards compatibility;
>
> Understood.
>
>> I hear this complaint a lot and I get push back from packages that
>> have dependencies on tomcat when I do push our new revision
>> updates.
>
> I know that some of the APR and httpd folks are absolutely rabid about
> not breaking backwards-compatibility. Perhaps we could bring them into
> the discussion to hear some of the things that they look for when
> maintaining compatibility. In the Java world, there is no
> binary-compatibility, for instance, but API compatibility is of course
> essential.
>
>> I don't have any specific examples that I can think of right now
>> other than the update from 8.0 to 8.5 removing BIO.
>
> That's a new major release of Tomcat, though. We ought to be able to
> break whatever we want, there. I think complaints about lack of
> backward-compatibility are unwarranted in this particular case.
>
> For the most part, Tomcat devs tend to feel free to modify
> completely-internal APIs as necessary, but will make an effort to
> maintain backward-compatibility for semi-internal APIs. It might be a
> good exercise to identify which parts of Tomcat should be considered
> (publicly) stable and which parts are okay to modify.
> Backward-compatibility is relatively easy in Java for certain things.
> Major refactorings usually don't happen in a point-release.
>
> - -chris
>
> [1] http://events.linuxfoundation.org/events/apachecon-north-america/program/cfp
>
>

Re: Tcnative.dll apr-1.5.2-win32-src - unable to compile with openssl-1.0.2j-fips-x86_64

2017-01-12 Thread Coty Sutherland
Can you provide the output of the failure so that we can see what's
happening? And are you trying to build tomcat-native 1.2.x or 1.1.x?

On Thu, Jan 12, 2017 at 1:56 PM, marcus presley
 wrote:
> Forum,
>
>
> I have been unsuccessful, trying to compile 'tcnative.dll' with Visual Studio 
> 2015.
>
>
> I have used several online forums including the instructions on Apache 
> website (https://tomcat.apache.org/download-native.cgi).
>
>
> I have been able to compile openssl-1.0.2j with FIPS, but I receive LNK Error 
> when the tcnative.dll is being compiled.
>
>
> Marcus
>
>
> Thanks,
>
> Marcus J. Presley
>




Re: Tomcat compatibility based on OS

2017-01-12 Thread Coty Sutherland
> Can you also confirm that same logic applies to REDHAT provide Tomcat the 
> JBoss Enterprise Web Server?

The answer to that is a 'maybe' because of the Red Hat distribution's
tomcat-native builds which are included in the zip distribution. To
get a real (official) answer though you need to open a support case
instead of mailing the community list.

> While downloading tomcat from RedHat portal ,
> Web Server 2.1.0  show the option to download tomcat 7 for "RHEL 5"
>
> But I need tomcat 8, so in Redhat portal it doesn't give any option to download
> "tomcat 8 for RHEL 5" but it does show the option to download "tomcat 8 for
> RHEL 6/7"  x86_64.

That's because Red Hat only builds RPMs for rhel-6 and rhel-7 and the
zip distribution includes tomcat-native built for the specific OS. If
you download the zip and remove the tomcat-native then tomcat itself
can run wherever though :) Whether or not that's a supported
configuration is up to Red Hat, which is why I suggest a case to get
an official answer.

> So you mean even if I download the Redhat provided Tomcat 8 for RHEL6/7, it 
> will work with RHEL5 as well?

Yep, as long as it's running on at least java 7.




Re: TomcatCon @ ApacheCon

2017-01-11 Thread Coty Sutherland
On Tue, Jan 10, 2017 at 3:14 PM, Christopher Schultz
 wrote:
> +1

I'm glad someone is interested :)

> Perhaps we could have some representatives from the various
> distributions give a joint presentation.

That would be great. I'd love to meet the other distro maintainers.

> Coty, are you in any way
> involved with the RHEL package-management of Tomcat? Emmanuel Bourg
> appears to be involved with the Debian package-managed distributions
> of Tomcat.

Yep. I maintain tomcat for RHEL and am a co-maintainer of tomcat for
Fedora/Fedora EPEL. I've seen quite a few of Emmanuel's posts to the
list.

> The speakers might want to come prepared to be hit with a few
> tomatoes, since distro-specific weirdness is something of a popular
> topic. Often "install the official ASF distribution" seems to fix many
> issues posted here.

Yeah...I get that all the time :( I've only been the maintainer for
about a year and can't make any functional changes (just maintenance
updates mostly), but I have been working with BZ owners and folks on
freenode to try and remedy the concerns that they voice. I honestly
think it's quite a mess at the moment too, so I'm all for cleaning
things up. The biggest problem is probably users not understanding how
the distro chops up the tomcat distribution to make it modular. When
you install tomcat, you get the tomcat core code, the API
implementations, and that's it. If you want to use the ROOT webapp or
admin webapps, you have to install them, etc. This allows for the
minimum required packages to be installed and for users to add
whatever else they need. It also allows for you to install individual
things (like the servlet API, for example) without installing the
whole tomcat distribution. There are a lot of outdated reasons for
things being the way that they are (which I keep stumbling onto, so I
should probably start a document somewhere and explain the structure
as I see it).

> I think it would be a good idea to use some of that time to solicit
> feedback from the audience about what the distros could do to make
> things easier...

+1, definitely. I will do anything that we can to drive adoption of
tomcat up (distro-specific versions or ASF).

> and perhaps what Tomcat could do to make things
> easier for the distros. Package-managed versions of Tomcat always seem
> to be hideously out-of-date, for example. Perhaps that's due to our
> distribution style (new version) which is quite different from httpd's
> style (patches + occasional new versions).

You're right. We had the same problem in Fedora until I started
pushing for updates when new releases and CVE fixes were released to
get them incorporated into Fedora as quickly as possible, so I don't
think that this problem exists there. I've also been helping with
updates for tomcat-native. The biggest concern that I've heard from
various of the involved people (and may be a reason why other distros
don't consume updates as frequently) is that tomcat is not that great
at maintaining backwards compatibility; I hear this complaint a lot
and I get push back from packages that have dependencies on tomcat
when I do push our new revision updates. I don't have any specific
examples that I can think of right now other than the update from 8.0
to 8.5 removing BIO. That has presented a huge issue for the FreeIPA
folks because Debian updated to 8.5 (I haven't updated Fedora yet
because of this and a couple of stability concerns) and the removal of
BIO makes it incompatible with dogtag via tomcatjss (a tomcat
interface to NSS for crypto instead of OpenSSL). Granted they've known
for a while that they needed to update, we removed a feature from
tomcat in the same major release. This same group is asking for
documentation regarding a policy on backwards compatibility; do we
have that somewhere?

Thanks!!




Re: TomcatCon @ ApacheCon

2017-01-09 Thread Coty Sutherland
Would anyone be interested (and is it within the guidelines) to talk
about the differences in some tomcat distributions? Like the
difference in the Red Hat linux and Debian tomcat distributions, for
example. I know it isn't 100% ASF Tomcat, but I get a lot of inquiries
about where to find stuff on freenode so it might be a helpful
conversation for the community to have. On the other hand I don't want
to blur the lines between where responsibilities lie, where people
should ask questions, etc...

On Mon, Jan 9, 2017 at 12:06 PM, Igal @ Lucee.org  wrote:
> On 1/9/2017 3:57 AM, Mark Thomas wrote:
>>
>> "What topic(s) need to be covered in a Tomcat conference to make it as
>> easy as possible to get your employer to pay for you to attend?"
>
>
> load balancing
> performance
> security
>
>
>
>




Re: Problem configuring a resource link after Fixed CVE-2016-6797

2016-12-22 Thread Coty Sutherland
> It's possible that there was an imperfect patch released by Debian.

Yep, they're missing r1763236 in wheezy; it was added to Jessie on
12/8 (commit 49e4e30b8c12ffc28378075545f413b725ad5cd9). Please notify
your maintainer to have it fixed :)

On Thu, Dec 22, 2016 at 1:48 PM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Per,
>
> On 12/22/16 11:45 AM, Per Newgro wrote:
>> no we don't see the same problems with a 7.0.64 installation. But
>> what can we do with our debian version. I think it shall be
>> possible to configure the datasource somehow.
>
> It's possible that there was an imperfect patch released by Debian.
>
> I don't believe I've heard anyone else complain yet, but that may just
> be dumb luck.
>
> - -chris
>
>> On 16 December 2016 09:12:24 GMT+00:00, Per Newgro
>>  wrote:
 Hello,

 i've just updated my debian server with a update for tomcat
 7.0.28-4+deb7u6 to 7.0.28-4+deb7u7.
>>> Do you see the same problem with the latest 7.0.x obtained
>>> directly from the ASF?
>>>
>>> Mark
>>>
>>>
 In the release notes
 (https://packages.qa.debian.org/t/tomcat7/news/20161201T223017Z.html
> )
 i found

> * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit
> web
 application
> access to global JNDI resources to those resources
> explicitly
 linked to the
> web application. Therefore, it was possible for a web
> application
 to access
> any global JNDI resource whether an explicit ResourceLink
> had
 been
> configured or not.
 I configured the the resource and resource link as described in
 the tomcat-howtos. So far it worked. But after the update my
 webapp can not determine the appropriate datasource.

 I couldn't find any advice in the web how to configure the
 resource accordingly. Can someone please give me an advice how
 to solve this. Thanks Per

  conf/server.xml  
  
 >>> type="org.apache.catalina.UserDatabase" description="User
 database that can be updated and saved"
 factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
 pathname="conf/tomcat-users.xml" />

 >>> type="javax.sql.DataSource" description="Foo Datasource"
 username="foo" password="bar"
 url="jdbc:sqlserver://11.211.255.3;databaseName=FOO;"
 driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
 intitalSize="5" maxWait="5000" maxActive="120" maxIdle="5"
 validationQuery="select 1" poolPrepareStatements="true" />
  


 webapps/foo/META-INF/context.xml   >>> className="org.apache.catalina.loader.VirtualWebappLoader"
 virtualClasspath="${catalina.base}/conf/application/foo" />

 >>> type="javax.sql.DataSource"/> 

 webapps/foo/WEB-INF/web.xml

  DB Connection
 jdbc/foo
 javax.sql.DataSource  Container 

 Spring configuration public @Bean(destroyMethod="") DataSource
 applicationDb( @Value("${database.driver}") String
 driverClassName, @Value("${database.url}") String url,
 @Value("${database.username}") String username,
 @Value("${database.password}") String password) throws
 NamingException { InitialContext ctx = new InitialContext();
 DataSource ds = (DataSource)
 ctx.lookup("java:comp/env/jdbc/foo"); // this logs a
 BasicDataSource instance LOG.debug("Datasource=" + ds); return
 ds == null ? devDataSource(driverClassName, url, username,
 password) : ds; }

 Exception stack at
 org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean.c
> reateNativeEntityManagerFactory(LocalContainerEntityManagerFactoryBean.j
> ava:343)



> at
 org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.afterPr
> opertiesSet(AbstractEntityManagerFactoryBean.java:318)



> at
 org.springframework.beans.factory.support.AbstractAutowireCapableBea
> nFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1637)



> at
 org.springframework.beans.factory.support.AbstractAutowireCapableBea
> nFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1574)



> ... 40 more
 Dez 16, 2016 10:08:06 AM
 org.apache.catalina.core.StandardContext listenerStart
 SCHWERWIEGEND: Exception sending context initialized event to
 listener instance of class
 org.springframework.web.context.ContextLoaderListener
 org.springframework.beans.factory.BeanCreationException: Error
 creating bean with name 'supportedLocaleDao': Injection of
 persistence dependencies failed; nested exception is
 org.springframework.beans.factory.BeanCr eationException: Error
 creating bean with name 'applicationEntityManagerFactory'
 defined in class de.itcompany.config.AppctxJeeHb: Invocation of
 init method failed; nested exception is
 org.hibernate.HibernateExcepti on: 

Re: Upgrade to 8.5.8/9

2016-12-19 Thread Coty Sutherland
Hm, errno=111 is a connection refusal. Are you sure that your new
instance has an adequate number of threads available for httpd to
proxy to? Do you see any errors in your tomcat logging? If you do have
sufficient threads in the pool, then maybe there is something (like GC
pauses) hanging your requests that wasn't before and therefore
exhausting the pool causing rejections.

On Mon, Dec 19, 2016 at 4:47 AM, Greg Huber  wrote:
> Hello,
>
> I am currently running tomcat 8.0.32 and have tried to upgrade to 8.5.8 and
> 8.5.9 without success.  I use mod_jk to connect apache to tomcat running on
> centos 5.11 with Apache 2.2.3.
>
> I have installed openSSL 1.0.2.j to compile the native tomcat-native-1.2.10
> using apr-1.5.2 and tomcat-connectors-1.2.42 for the mod_jk.
>
> The problem is that tomcat seems to start but fails sometimes to connect
> correctly to apache and causes apache to hang.  If I stop tomcat, apache
> starts working again.  I have been through the logs with little indication
> of the problem.  If I revert back to 8.0.32 everything works OK.
>
>
> All I can find is this in the mod_jk.log:
>
>
> [Sat Dec 17 06:11:48 2016][3212:47280261211024] [info] init_jk::mod_jk.c
> (3595): mod_jk/1.2.42 initialized
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> jk_open_socket::jk_connect.c (817): connect to 127.0.0.1:8009 failed
> (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> ajp_connect_to_endpoint::jk_ajp_common.c (1068): (worker1) Failed opening
> socket to (127.0.0.1:8009) (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [error]
> ajp_send_request::jk_ajp_common.c (1728): (worker1) connecting to backend
> failed. Tomcat is probably not started or is listening on the wrong port
> (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> ajp_service::jk_ajp_common.c (2778): (worker1) sending request to tomcat
> failed (recoverable), because of error during request sending (attempt=1)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> jk_open_socket::jk_connect.c (817): connect to 127.0.0.1:8009 failed
> (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> ajp_connect_to_endpoint::jk_ajp_common.c (1068): (worker1) Failed opening
> socket to (127.0.0.1:8009) (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [error]
> ajp_send_request::jk_ajp_common.c (1728): (worker1) connecting to backend
> failed. Tomcat is probably not started or is listening on the wrong port
> (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> ajp_service::jk_ajp_common.c (2778): (worker1) sending request to tomcat
> failed (recoverable), because of error during request sending (attempt=2)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [error]
> ajp_service::jk_ajp_common.c (2799): (worker1) connecting to tomcat failed
> (rc=-3, errors=1, client_errors=0).
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info] jk_handler::mod_jk.c
> (2995): Service error=-3 for worker=worker1
>
> Any ideas on what I should check?
>
> Cheers
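
An added example, not part of the thread or of mod_jk: a small Python triage of a mod_jk.log like the one quoted above, counting refused backend connections per worker. The sample is abridged from that log in its mail-wrapped form; the errno names are the Linux values and the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List

# Linux errno values; 111 is the "connection refused" seen in the quoted log.
LINUX_ERRNO = {110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

ENTRY_START = re.compile(r"^\[[^\]]+\]\[\d+:\d+\] ")
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<func>\w+)::(?P<src>[\w.]+) \((?P<line>\d+)\): (?P<msg>.*)$"
)
SOCKET_FAIL = re.compile(
    r"\((?P<worker>[\w.-]+)\) Failed opening socket to "
    r"\((?P<backend>[^)]+)\) \(errno=(?P<errno>\d+)\)"
)
REQUEST_FAIL = re.compile(
    r"\((?P<worker>[\w.-]+)\) connecting to tomcat failed \(rc=(?P<rc>-?\d+)"
)

# Abridged from the log quoted above, kept in its mail-wrapped form.
SAMPLE = """\
> [Sat Dec 17 06:11:48 2016][3212:47280261211024] [info] init_jk::mod_jk.c
> (3595): mod_jk/1.2.42 initialized
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> ajp_connect_to_endpoint::jk_ajp_common.c (1068): (worker1) Failed opening
> socket to (127.0.0.1:8009) (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [info]
> ajp_connect_to_endpoint::jk_ajp_common.c (1068): (worker1) Failed opening
> socket to (127.0.0.1:8009) (errno=111)
> [Sat Dec 17 06:11:50 2016][3254:47280261211024] [error]
> ajp_service::jk_ajp_common.c (2799): (worker1) connecting to tomcat failed
> (rc=-3, errors=1, client_errors=0).
"""


def unwrap(raw: str) -> List[str]:
    """Strip mail quoting and rejoin entries that a mail client wrapped."""
    entries: List[str] = []
    for line in raw.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries


def summarise(raw: str) -> Dict[str, dict]:
    """Per worker: failed socket opens by errno, and requests given up on."""
    workers: Dict[str, dict] = {}
    for entry in unwrap(raw):
        parsed = ENTRY.match(entry)
        if not parsed:
            continue  # not a mod_jk log entry
        sock = SOCKET_FAIL.search(parsed["msg"])
        req = REQUEST_FAIL.search(parsed["msg"])
        hit = sock or req
        if not hit:
            continue
        stats = workers.setdefault(hit["worker"], {
            "backends": set(), "errnos": Counter(),
            "socket_failures": 0, "failed_requests": 0,
            "first_seen": parsed["ts"], "last_seen": parsed["ts"],
        })
        stats["last_seen"] = parsed["ts"]
        if sock:
            code = int(sock["errno"])
            stats["socket_failures"] += 1
            stats["backends"].add(sock["backend"])
            stats["errnos"][LINUX_ERRNO.get(code, f"errno {code}")] += 1
        else:
            stats["failed_requests"] += 1
    return workers


def report(raw: str) -> List[str]:
    """One human-readable line per worker."""
    lines = []
    for worker, s in sorted(summarise(raw).items()):
        lines.append(
            f"{worker}: {s['socket_failures']} failed socket opens to "
            f"{', '.join(sorted(s['backends']))} {dict(s['errnos'])}, "
            f"{s['failed_requests']} request(s) given up, "
            f"{s['first_seen']} .. {s['last_seen']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A worker whose failures are all ECONNREFUSED points at the AJP listener on that address and port rather than at the network path, which is where to start looking on the Tomcat side.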




Re: Trigger sessionDestroyed event from custom ManagerBase

2016-10-03 Thread Coty Sutherland
I sent Gokul here from #tomcat on freenode :) Just for a bit more
information (since it was excluded):

 Good UGT, i'm using java - 1.8.0_74, tomcat - 8.0.32, os - win 7

On Mon, Oct 3, 2016 at 12:38 PM, GOKULA KRISHNAN  wrote:
> Hi,
>
> I want to trigger the sessionDestroyed event from custom implementation of
> ManagerBase. sessionDestroyed is not called when session expires but called
> during session invalidate. I need to call sessionDestroyed  during session
> time out.
>
> The class starts like this.
>
> *public class CustomRequestSessionManager extends ManagerBase implements
> Lifecycle*
> {...
> ..}
>
> Please help me ASAP, since this is an urgent need.
>
> Thanks,
> Gokul.




Re: Using hashes in tomcat-users.xml

2016-09-16 Thread Coty Sutherland
You could also take a look at tomcat-vault
(https://github.com/picketbox/tomcat-vault).

On Wed, Sep 14, 2016 at 5:37 PM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Brian,
>
> On 9/14/16 3:40 PM, Paquin, Brian wrote:
>> I was able to setup Tomcat 8.0.35 to use a SHA hashed password in
>> tomcat-users.xml (trying to secure the Manager app a bit more),
>> but the same setup does not work on 8.5.5.
>>
>> Is there something I need to change to get this to work again?
>
> Yes.
>
>> server.xml engine: > defaultHost="localhost"> > className="org.apache.catalina.realm.LockOutRealm" failureCount="3"
>> lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600">
>> > resourceName="UserDatabase"/>  > appBase="webapps" unpackWARs="true" autoDeploy="true"
>> deployXML="true"> > className="org.apache.catalina.realm.MemoryRealm" digest="SHA" />
>> > directory="logs" prefix="localhost_access_log" suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" />
>>
>> Command to generate hash that was used as the user’s password in
>> tomcat-users.xml: /usr/local/tomcat/bin/digest.sh -a SHA
>> my_password
>>
>> In 8.5.5, I can login to Manager if I replace the SHA hash with
>> the plaintext version of the password…
>>
>> I read through
>> https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but
>> still can’t get it to work.
>
> Have a look at http://tomcat.apache.org/migration-85.html,
> specifically http://tomcat.apache.org/migration-85.html#Internal_APIs
>
> Note that SHA passwords are no better than plaintext passwords. If you
> want to *actually* add some security, you need to at least use salted
> passwords. Better yet, use a PBKDF.
>
> You might want to have a look at this presentation:
> http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
>
> - -chris




Re: Tomcat8 on CentOS - Session-Tomcat

2016-08-30 Thread Coty Sutherland
Just following up on our IRC conversation (which happened after this
email) so others can see my response. I was able to find a description
of the session-timeout setting in the XSD here:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/javax/servlet/resources/web-common_3_1.xsd?view=markup#l865

The description there states the following:

"If the timeout is 0 or less, the container ensures the default
behaviour of sessions is never to time out."

So if you set it lower than zero, you're letting the session live
forever (even after the browser closes).

On Tue, Aug 30, 2016 at 1:26 PM, Jonathan Carpenter
 wrote:
>  I have a Tomcat8 (CentOS 7) question. In web.xml under 
> -->  I saw a post on stackoverflow that you can set this
> to -1 to keep the session open until the browser is closed. However I
> cannot find this in the documentation. Can anyone verify this or point me
> in the correct direction for a documented solution. The issue is after 30
> minutes the session times out as configured, but anything over 30 does not
> work.




Re: Trouble setting TOMCAT_USER

2016-08-30 Thread Coty Sutherland
Based on your usage of /etc/tomcat/tomcat.conf you must be running the
Fedora/EPEL or RHEL-7/CentOS-7 distribution of tomcat. Firstly, the
TOMCAT_USER is tomcat by default; this is configured in the init
script. For tomcat to start and be owned by a user other than tomcat,
you should just need to set TOMCAT_USER in the conf or sysconfig file.
However, given that I don't know what version you're using there could
be some bug preventing this from occurring. Another thing that you
need to ensure is that the new user that you're using has the correct
permissions to view config, write to logs, etc. If it's failing to
start because of those reasons, you should see it in the
service/systemctl output, or the init log (depending on which distro
you're using).

Typically distribution issues (this isn't a problem with core tomcat)
aren't discussed on this list, however if you find me (csutherl) on
freenode (typically in #tomcat) I can help you along with any Red Hat
distributions of tomcat.

On Mon, Aug 29, 2016 at 4:28 PM, Jorge Alfonso  wrote:
> My Apologies again
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Monday, August 29, 2016 4:28 PM
> To: users@tomcat.apache.org
> Subject: Re: Trouble setting TOMCAT_USER
>
> Jorge,
> 1) don't top-post
>
> On 29.08.2016 21:50, Jorge Alfonso wrote:
>> In order to setup the users for Tomcat you have to edit the file
>>
>> tomcat-users.xml
>>
>> 
>>   
>>
>>
>>
>>
>>
>> 
>>
>> Once the users are set, and you could have set several users depending
>> your need, shutdown and startup again your Tomcat and you would be
>> able to see it running for your user and managing it.
>>
>
> 2) this has nothing to do with the user under which Tomcat is running.
>
>>
>
> Rebecca,
>
>> -Original Message-
>> From: Maxfield, Rebecca A [mailto:rmaxf...@providence.edu]
>> Sent: Monday, August 29, 2016 2:20 PM
>> To: users@tomcat.apache.org
>> Subject: Trouble setting TOMCAT_USER
>>
>> Hi there!
>>
>> In order to resolve an issue with a Tomcat web app, I'm trying to run
>> Tomcat as a user other than the default user. Following other advice,
>> I looked in the conf file (/etc/tomcat/tomcat.conf) for TOMCAT_USER
>> and saw that it wasn't set; however, my efforts to set it haven't
>> seemed to result in any change.
>>
>> I wrote:
>> TOMCAT_USER="myusername"
>> which is the same syntax as the other variables in the file, JAVA_HOME
>> and so on. (Incidentally, these don't echo in the command line, but
>> Tomcat does seem to be running.) I then restarted, but a look at the
>> process list showed that it was still running as default user "tomcat"
>> rather than as myusername.
>>
>> What am I missing and how can I run Tomcat as another user?
>>
>
> You do not say so, but from the above it is a valid guess that you are
> running tomcat under some flavor of Linux, and that you installed it from
> the package provided by that Linux distribution.
>
> Unfortunately, without more information, it is difficult to know how you are
> really starting tomcat, and what influence that "TOMCAT_USER" line really
> has in the big scheme of things.
>
> Try to be more explicit and provide some details, such as which Linux, what
> command you use to start/restart tomcat, what version of Tomcat that is,
> etc..
> We don't have a crystal ball here, so we don't know those things.
>
>
>
>> Thanks!
>>
>>




Question on tomcat-native upgrade from 1.1.34 to 1.2.8

2016-08-16 Thread Coty Sutherland
Hello,

I'd like to upgrade the tomcat-native package in Fedora from 1.1.34 to
1.2.8 and wanted to ask if anyone knew of any changes to any ABI/API
that would cause a breakage in doing so. I checked the changelog, etc
and everything looks good to me. It is also noteworthy that the tomcat
version is 8.0.32 presently and is being updated to 8.0.36. I'm just
trying to be overly cautious in pushing out updates that have a minor
version change.



Thanks,
Coty




Re: More, Re: Question about vulnerability report

2016-08-08 Thread Coty Sutherland
Vulnerability scanners are always iffy when it comes to finding actual
issues IMO. They're good for running a quick scan to get an overall
feel for weaknesses, but the effectiveness varies from tool to tool
(some only check versions, etc). I think that the best way to test if
you're vulnerable to POODLE is to try and connect via SSLv3, as you've
already done, or with s_client (openssl s_client -ssl3 -connect
$HOST:$PORT). If that fails to connect, then you're good. As far as
the TLS issues, TLSv1.0 is vulnerable to BEAST
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3389) so you
may want to consider disabling CBC ciphers, or even upgrading to java7
if that's causing your audit to fail.

On Mon, Aug 8, 2016 at 2:31 PM, James H. H. Lampert
 wrote:
> Hmm. This is interesting.
>
> pentest-tools.com says that neither our server nor the customer server is
> vulnerable to POODLE.
>
> But Site24x7.com says ours IS vulnerable to POODLE. Then (when I click "View
> Result") it says it isn't. Then (when I actually run the test again) it once
> again says it is. (I haven't tested the customer site because results are
> posted on the test home page, which would compromise the customer's
> privacy.)
>
> Some other POODLE test sites don't appear to work at all. Others say we're
> not vulnerable.
>
> Manually testing both servers with
>>
>> curl -v3 -X HEAD https://www.example.com
>
> from a BASH session on my Mac, as per
> 
>
> comes back with the desired "failed handshake" message on both servers.
>
>
> --
> JHHL
>




Re: More, Re: Question about vulnerability report

2016-08-08 Thread Coty Sutherland
So you've already mitigated POODLE and the scanner is just complaining
about your TLS version. Unfortunately, TLSv1.0 is the only TLS
protocol version available on java6, unless you're on u111 (from
https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https).
If you need TLSv1.2, then you'll have to update to java7+.

On Mon, Aug 8, 2016 at 1:13 PM, James H. H. Lampert
<jam...@touchtonecorp.com> wrote:
> On 8/8/16, 9:59 AM, Coty Sutherland wrote:
>>
>> To mitigate POODLE you must disable SSLv3 and only use TLS. Please
>> visit the wiki page for more info:
>> https://wiki.apache.org/tomcat/Security/POODLE
>
>
> Actually, I found that on my own, only a few minutes after I posted my
> question.
>
> So would the existing
> . . .
>>
>>  clientAuth="false" sslProtocol="TLS" />
>
>
> become this?
> . . .
>>
>>  clientAuth="false" sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"  />
>
>
> But what I currently get in an SSLLabs scan is
>>
>> The server supports only older protocols, but not the current best TLS
>> 1.2. Grade capped to C.
>
> . . .
>>
>> Protocols
>> TLS 1.2 No
>> TLS 1.1 No
>> TLS 1.0 Yes
>> SSL 3   No
>> SSL 2   No
>
>
> from which I gather that (1) SSLLabs seems to think SSLv3 is already
> disabled, and (2) TLSv1.1 and TLSv1.2 are unavailable.
>
> Something doesn't make sense here.
>
>
> --
> JHHL
>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
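
The protocol and cipher points from the POODLE replies above (sslProtocol versus sslEnabledProtocols, a Java 6 runtime limited to TLSv1, CBC ciphers and BEAST), checked against a connector definition. This is an added example, not part of the original thread: the server.xml sample is constructed, the finding codes are this example's own names, and the per-JVM protocol table is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): three TLS connectors and one plain one.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA" />
  <Connector port="7443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="SSLv3,TLSv1" />
</Service></Server>
"""

ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Assumption for this example: what each Java major version can negotiate when
# its security properties have not already disabled SSLv3. Java 6 stops at
# TLSv1 (the thread notes late Java 6 updates as an exception).
JVM_PROTOCOLS = {6: ALL_PROTOCOLS[:2], 7: ALL_PROTOCOLS}


def split_list(value):
    """Split a comma-separated attribute value, tolerating spaces and None."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_connector(conn, java_major):
    """Return (effective protocols or None, [finding codes]) for one Connector."""
    requested = split_list(conn.get("sslEnabledProtocols"))
    if not requested:
        # sslProtocol="TLS" names the SSLContext algorithm; it is not a protocol
        # list, so SSLv3 exposure depends on Tomcat/JVM defaults. Confirm with a
        # handshake test such as the s_client command quoted in the thread.
        return None, ["PROTOCOLS_UNSET"]
    # A protocol the JVM does not implement cannot be negotiated, whatever is listed.
    effective = [p for p in requested if p in JVM_PROTOCOLS[java_major]]
    if not effective:
        return effective, ["NO_USABLE_PROTOCOL"]
    findings = []
    if "SSLv3" in effective:
        findings.append("SSLV3_ENABLED")        # POODLE
    if not {"TLSv1.1", "TLSv1.2"} & set(effective):
        findings.append("NO_TLS_1_1_OR_1_2")    # what the scanner grade reflects
    cbc = [c for c in split_list(conn.get("ciphers")) if "_CBC_" in c]
    if "TLSv1" in effective and cbc:
        findings.append("TLS10_CBC")            # BEAST, CVE-2011-3389
    return effective, findings


def audit_server_xml(xml_text, java_major):
    """Audit every TLS-enabled Connector; keys are the connector ports."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector
        effective, findings = audit_connector(conn, java_major)
        report[conn.get("port")] = {"effective": effective, "findings": findings}
    return report


if __name__ == "__main__":
    for java in (6, 7):
        for port, result in audit_server_xml(SAMPLE_SERVER_XML, java).items():
            print(f"java{java} port {port}: {result}")
```

A static check like this only narrows down where to look; the handshake test remains the evidence that a protocol is actually refused.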



Re: More, Re: Question about vulnerability report

2016-08-08 Thread Coty Sutherland
> Except for one. It seems that whoever is doing the customer's security audit 
> is concerned with POODLE vulnerability.

To mitigate POODLE you must disable SSLv3 and only use TLS. Please
visit the wiki page for more info:
https://wiki.apache.org/tomcat/Security/POODLE

On Mon, Aug 8, 2016 at 12:35 PM, James H. H. Lampert
 wrote:
> On 7/27/16, 11:59 AM, Mark Thomas wrote:
>
>> ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"
>
>
> Ladies and Gentlemen:
>
> Thanks, Mark; that raises the SSLLabs rating from "F" to "C," and seems to
> have dealt with most of the concerns raised by the customer.
>
> Except for one. It seems that whoever is doing the customer's security audit
> is concerned with POODLE vulnerability.
>
> Can this be dealt with in Tomcat 7 under Java 6? If so, how?
>
> --
> JHHL
>
>




Re: Tomcat7 jsp compilation error with java1.8

2016-08-03 Thread Coty Sutherland
The problem is with java8 support in ECJ, not tomcat directly. You
need at least JDT 4.4 in order to have full java8 support in my
experiences. I just tested with 7.0.27 built from sources and the
issue is present with the 3.7.2 version that it depends on. If I
upgrade to ecj-4.4.2.jar (retrieved from a later build of tomcat7)
then JSPs will compile and everything works.

On Wed, Aug 3, 2016 at 12:46 PM, D, Dwarakesh  wrote:
> Running on Java 1.8.0_45.
>
> Thanks,
> Dwarak
>
> 
> From: Mark Thomas [ma...@apache.org]
> Sent: Wednesday, August 03, 2016 10:58 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 jsp compilation error with java1.8
>
> On 3 August 2016 08:39:34 GMT-07:00, "D, Dwarakesh"  
> wrote:
>>Dear Tomcat Support,
>>
>>I have compiled and built one of our applications using java 1.8.0_45. I
>>have deployed the war file in tomcat-7.0.27
>
> Running on what version of Java?
>
> Mark
>
>
>> and am getting the below
>>exception.
>>Is this error because of the java version? Does tomcat-7.0.27 support
>>java1.8.0_45 or do I need to use Java1.7? Please advise.
>>exception
>>org.apache.jasper.JasperException: Unable to compile class for JSP:
>>
>>An error occurred at line: 1 in the generated java file
>>The type java.util.Map$Entry cannot be resolved. It is indirectly
>>referenced from required .class files
>>
>>Stacktrace:
>>org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:102)
>>org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:331)
>>org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:469)
>>org.apache.jasper.compiler.Compiler.compile(Compiler.java:378)
>>
>>
>>
>>
>>Thanks,
>>Dwarak
>
>
>
>




Re: No binary distribution for mod_jk?

2016-07-21 Thread Coty Sutherland
> Actually my requirement is not that complex.  All I need to do is host TomEE 
> (a Tomcat 7 superset), Bugzilla and phpBB (forum software) on the same 
> server.  It is my understanding that I need httpd to do this.

TomEE can run outside of a web server (it's its own web container), but
Bugzilla and phpBB seem to require a webserver to run, so you're
correct there. If you install Bugzilla and phpBB in httpd, then it
should be accessible via http://host/bugzilla (or whatever the path
is). Tomcat would be accessible via http://host:8080/. If you wanted
tomcat to be accessible via http://host/tomcat, then you'd have to
proxy to it.

> It is also my understanding that I needed mod_jk to have the httpd route to 
> TomEE (Tomcat 7).  I have TomEE running on the server now.

Unless you only have an AJP connector on TomEE (which isn't likely)
it's probably easier/less work for you to use mod_proxy (or
mod_proxy_ajp even if you want AJP traffic) instead of mod_jk. It's
provided by the httpd package that's likely already installed. You
just need to set up ProxyPass[Reverse] rules as documented here:
https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass.
I'd also suggest setting proxyName and proxyPort on your connector so
that any links generated by your application don't try and bypass the
proxy (see: 
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Common_Attributes).

> But TomEE gets all http traffic to the server as the architecture stands now.

Did you bind the HTTP connector in TomEE to port 80?

On Thu, Jul 21, 2016 at 1:40 PM, Paul Roubekas <paul@orthogroup.holdings> wrote:
> Actually my requirement is not that complex.  All I need to do is host TomEE
> (a Tomcat 7 superset), Bugzilla and phpBB (forum software) on the same
> server.  It is my understanding that I need httpd to do this.  It is also my
> understanding that I needed mod_jk to have the httpd route to TomEE (Tomcat
> 7).  I have TomEE running on the server now.  But TomEE gets all http
> traffic to the server as the architecture stands now.
>
>
> On 7/21/2016 1:32 PM, Coty Sutherland wrote:
>
> Is there some reason that you can't use mod_proxy_balancer instead of
> mod_cluster (if you don't want to be vulnerable to the known CVEs)? I
> assume that you're looking for some specific logic offered by
> mod_cluster, but since you're considering mod_jk I'm not so sure. If
> you're going to learn to build something, why not build mod_cluster
> instead of mod_jk (again, assuming that you need the mod_cluster
> smarts)?
>
> On Thu, Jul 21, 2016 at 12:15 PM, Paul Roubekas
> <paul@orthogroup.holdings> wrote:
>
> I can not use mod_cluster.  I was having some issues and posted this
> (https://ask.fedoraproject.org/en/question/91235/module-mod_proxy_balancer-is-loaded-it-must-be-removed-in-order-for-mod_proxy_cluster-to-function-properly/)
> question on the Fedora forums.
>
> See the reply I got below.
> Please, do not use mod_cluster 1.2.6. It contains severe CVEs, performance
> and functional issues. If you would like to see mod_cluster updated in
> Fedora, express the demand on this
> (https://bugzilla.redhat.com/show_bug.cgi?id=1247243) existing bug feature
> request.
>
> And as per Christopher Schultz's reply I will have to build mod_jk myself.
> Since I have never done any such thing I am not looking forward to it.
>
>
> On 7/21/2016 11:51 AM, Christopher Schultz wrote:
>
> Paul,
>
> On 7/20/16 12:12 PM, Paul Roubekas wrote:
>
> I am trying to install the mod_jk on httpd for my tomcat 7.0.68
> (TomEE) server.
>
> I am reading this
> https://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
>
> documentation which points to this
>
> http://tomcat.apache.org/download-connectors.cgi download page.
> But there is no binary download for *unix, just source?
>
> That's right: the ASF provides source, not binaries (in general). You
> will have to build mod_jk yourself on *NIX. The good news is that it's
> fairly easy to build yourself.
>
> -chris
>
>
> --
> The people that bring you Usque <http://Usque.software/>.
>
>
>
>
> --
> The people that bring you Usque.




Re: No binary distribution for mod_jk?

2016-07-21 Thread Coty Sutherland
Is there some reason that you can't use mod_proxy_balancer instead of
mod_cluster (if you don't want to be vulnerable to the known CVEs)? I
assume that you're looking for some specific logic offered by
mod_cluster, but since you're considering mod_jk I'm not so sure. If
you're going to learn to build something, why not build mod_cluster
instead of mod_jk (again, assuming that you need the mod_cluster
smarts)?

On Thu, Jul 21, 2016 at 12:15 PM, Paul Roubekas
 wrote:
> I can not use mod_cluster.  I was having some issues and posted this
> (https://ask.fedoraproject.org/en/question/91235/module-mod_proxy_balancer-is-loaded-it-must-be-removed-in-order-for-mod_proxy_cluster-to-function-properly/)
> question on the Fedora forums.
>
> See the reply I got below.
> Please, do not use mod_cluster 1.2.6. It contains severe CVEs, performance
> and functional issues. If you would like to see mod_cluster updated in
> Fedora, express the demand on this
> (https://bugzilla.redhat.com/show_bug.cgi?id=1247243) existing bug feature
> request.
>
> And as per Christopher Schultz's reply I will have to build mod_jk myself.
> Since I have never done any such thing I am not looking forward to it.
>
>
> On 7/21/2016 11:51 AM, Christopher Schultz wrote:
>
> Paul,
>
> On 7/20/16 12:12 PM, Paul Roubekas wrote:
>> I am trying to install the mod_jk on httpd for my tomcat 7.0.68
>> (TomEE) server.
>
>> I am reading this
>> https://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
>
>
> documentation which points to this
>> http://tomcat.apache.org/download-connectors.cgi download page.
>> But there is no binary download for *unix, just source?
>
> That's right: the ASF provides source, not binaries (in general). You
> will have to build mod_jk yourself on *NIX. The good news is that it's
> fairly easy to build yourself.
>
> -chris
>
>
> --
> The people that bring you Usque .
>




Re: Tomcat graceful shutdown inquiry

2016-06-28 Thread Coty Sutherland
Fantastic. Thanks! :)

On Tue, Jun 28, 2016 at 2:43 PM, Mark Thomas <ma...@apache.org> wrote:
> On 28/06/2016 19:39, Coty Sutherland wrote:
>> Hello all,
>>
>> I've been poking around with the Fedora distribution of tomcat and
>> noticed that systemd isn't allowing tomcat to gracefully shut down (it
>> sends an immediate SIGKILL after the Bootstrap stop is called). That
>> isn't your issue, but in trying to mediate the issue so that session
>> persistence works as expected, I found that SIGTERM causes tomcat to
>> gracefully shutdown. Looking at the code of the
>> org.apache.catalina.startup.Bootstrap.stop() method, I can see that it
>> hands off to Server.stop() and stops the server by initiating the
>> shutdown hook, etc. When you send a SIGTERM to tomcat the
>> org.apache.catalina.core.StandardServer.stopInternal() method is what
>> handles shutdown and appears to be gracefully stopping the server,
>> though it goes about the process a bit differently.
>>
>> My question is, can anyone readily tell me the functional difference
>> between gracefully handling a SIGTERM and utilizing Bootstrap.stop()?
>
> None.
>
>> I'm sure that the Bootstrap.stop() is the preferred method,
>
> Not really.
>
>> but is there any major harm in using SIGTERM?
>
> No.
>
>> I've compared FINE level
>> logging on org.apache and both methods seem to get the same result (a
>> graceful stop).
>
> They are equivalent. If you disable the shutdown port, SIGTERM is the
> only way to gracefully shut down Tomcat.
>
> Mark
>
>
>




Tomcat graceful shutdown inquiry

2016-06-28 Thread Coty Sutherland
Hello all,

I've been poking around with the Fedora distribution of tomcat and
noticed that systemd isn't allowing tomcat to gracefully shut down (it
sends an immediate SIGKILL after the Bootstrap stop is called). That
isn't your issue, but in trying to mediate the issue so that session
persistence works as expected, I found that SIGTERM causes tomcat to
gracefully shutdown. Looking at the code of the
org.apache.catalina.startup.Bootstrap.stop() method, I can see that it
hands off to Server.stop() and stops the server by initiating the
shutdown hook, etc. When you send a SIGTERM to tomcat the
org.apache.catalina.core.StandardServer.stopInternal() method is what
handles shutdown and appears to be gracefully stopping the server,
though it goes about the process a bit differently.

My question is, can anyone readily tell me the functional difference
between gracefully handling a SIGTERM and utilizing Bootstrap.stop()?
I'm sure that the Bootstrap.stop() is the preferred method, but is
there any major harm in using SIGTERM? I've compared FINE level
logging on org.apache and both methods seem to get the same result (a
graceful stop).



TIA,
Coty




Re: Tomcat 8.5 and TLS

2016-04-07 Thread Coty Sutherland
I'm glad I was able to help, Thad. Good luck! Let me know if you have any
other questions regarding the connectors (or anything else, in a separate
thread please).

On Wed, Apr 6, 2016 at 3:58 PM, Thad Humphries <thad.humphr...@gmail.com>
wrote:

> On Wed, Apr 6, 2016 at 12:17 PM, Coty Sutherland <csuth...@redhat.com>
> wrote:
>
> > Hi Thad,
> >
> > Hopefully I can help clear up some confusion here. I'd also suggest
> > watching the 8.5 connector video that markt presented here
> > <https://www.youtube.com/watch?v=LBSWixIwMmU> for more information on
> > the connector changes introduced by 8.5. I found the bits on the SSL
> > change particularly informative as it was my first exposure to how
> > tomcat9 handles TLS, if you're interested in moving to the way that
> > tomcat 9 handles SSL with the upgrade to 8.5. Otherwise, you can use
> > the same Connector tags that you had before without change (I think).
> >
> > In any case, I'll reply to your last inquiries in line below. I'm using
> > Tomcat 8.5.0.Beta and OpenJDK 8.
> >
> > > Are you saying that to make the second  work I must remove either
> > > clientAuth or sslProtocol? (No, I must be mistaken--remove either/or
> > > and Tomcat still fails to start).
> >
> > Yes; you should remove _both_ of them and move that configuration into
> > the SSLHostConfig. You can find the replacements for them in the docs
> > for clientAuth and sslProtocol here
> > <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2>;
> > I've tested this and it works for me. I believe that the reason behind
> > this (although I am no expert) is that tomcat is taking the old
> > Connector configuration that you have in place and creating a default
> > SSLHostConfig behind the scenes; this action causes a conflict with
> > your defined SSLHostConfig hence the exception about the multiple
> > non-unique host names and such.
> >
> > > "BTW sslProtocol is really useless." does make sense. If so, I think
> > > I'm hearing that I should not use the sslProtocol="TLS" attribute or
> > > the  element. Is that right?
> >
> > You don't need the sslProtocol attribute because you're just setting
> > the default value for TLS. As far as the SSLHostConfig goes, I think
> > that's up to you. For now, tomcat will take your old Connector
> > configuration and translate it behind the scenes into what it needs to
> > function. If you do use the SSLHostConfig tag, then you'll need to move
> > all of the attributes from the Connector to the SSLHostConfig that
> > belong there; this is basically upgrading your connector from the
> > tomcat 8.0 syntax to tomcat 9's syntax.
> >
> > > This confuses me. The 8.5 server.xml uses  in its commented examples
> > > while the 8.0 server.xml does not. And if SSL* attributes are going
> > > away, why is  now the example?
> >
> > Tomcat 8.5 was forked from tomcat/trunk (tomcat9), which is where that
> > comes from. I think that the example was left there to encourage
> > movement to the tomcat 9 syntax because the older connector syntax will
> > eventually be removed. I do notice that the ssl-howto docs still refer
> > to the tomcat8 syntax, so it doesn't seem like there is a unified
> > message regarding which one is the preferred method (they're both still
> > correct and will work when the hosts don't conflict).
> >
> > > And without SSL*, how do I specify the certificates in an APR
> > > connector like this one (which is the first I got working):
> >
> > All of the SSL* attributes from the connector were migrated to the
> > SSLHostConfig and its new tags.
> >
> > Let me know if any of my response was vague and I'll try and clarify.
> >
>
> Thank you, Coty. I think that answered my questions (the video was useful,
> too).
>
> So, for the record--and I hope I've labeled them correctly--I have gotten
> the configurations below to come up on Mac OSX 10.10.5 with Java 1.8.0_77.
> My OpenSSL is 1.0.2g 1 Mar 2016, and my Tomcat native library is 1.2.5,
> both installed with Homebrew.
>
>   
>protocol="org.apache.coyote.http11.Http11NioProtocol"
>  maxThreads="200" SSLEnabled="true" compression="on"
>  scheme="https" secure="true">
> 
> 
>   certificateKeystorePassword="changeit"
>certificateKeyAlias="tomcat"

Re: Tomcat 8.5 and TLS

2016-04-06 Thread Coty Sutherland
java:1783)
> > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2970)
> > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> > > at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> > > at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> > > at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> > > at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> > > at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> > > at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
> > > at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > > Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
> > > at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:201)
> > > at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:398)
> > > at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:876)
> > > ... 26 more
> > >
> > >
> > > --
> > > "Hell hath no limits, nor is circumscrib'd In one self-place; but where
> > > we are is hell, And where hell is, there must we ever be" --Christopher
> > > Marlowe, *Doctor Faustus* (v. 121-24)
> > >
> >
>
>
>
> --
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> are is hell, And where hell is, there must we ever be" --Christopher
> Marlowe, *Doctor Faustus* (v. 121-24)
>



-- 
Coty Sutherland, RHCSA, RHCE, JBCAA
Senior Software Engineer @ Red Hat, Inc.
100 East Davie Street
Raleigh, NC 27606

Email: c...@redhat.com
IRC Nickname: coty
Office: 919-890-8303
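
The SSLHostConfig conflict discussed in the two "Tomcat 8.5 and TLS" messages above, as an added example that is not part of the original thread: it finds connectors where legacy TLS attributes and an explicit SSLHostConfig both claim the `_default_` host, then moves the legacy attributes into the nested elements. The server.xml sample and keystore path are constructed, and the legacy-to-new attribute mapping is an assumption to check against the connector documentation for your release.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: legacy attributes (clientAuth, sslProtocol) left on the
# Connector next to an explicit SSLHostConfig with no hostName.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/localhost.jks"
                   certificateKeystorePassword="changeit"
                   certificateKeyAlias="tomcat" />
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""

# Assumed mapping: legacy Connector attribute -> (nested element, attribute).
LEGACY_TLS_ATTRS = {
    "clientAuth": ("SSLHostConfig", "certificateVerification"),
    "sslProtocol": ("SSLHostConfig", "sslProtocol"),
    "sslEnabledProtocols": ("SSLHostConfig", "protocols"),
    "ciphers": ("SSLHostConfig", "ciphers"),
    "keystoreFile": ("Certificate", "certificateKeystoreFile"),
    "keystorePass": ("Certificate", "certificateKeystorePassword"),
    "keyAlias": ("Certificate", "certificateKeyAlias"),
}
CLIENT_AUTH_VALUES = {"true": "required", "want": "optional", "false": "none"}


def tls_connectors(xml_text):
    """Parse server.xml text and return its TLS-enabled Connector elements."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def duplicate_hosts(conn):
    """Host names this Connector would register more than once."""
    names = [h.get("hostName", "_default_") for h in conn.findall("SSLHostConfig")]
    if any(attr in conn.attrib for attr in LEGACY_TLS_ATTRS):
        names.append("_default_")  # implicit SSLHostConfig built from legacy attributes
    return sorted(name for name, count in Counter(names).items() if count > 1)


def migrate(conn):
    """Move legacy TLS attributes into the _default_ SSLHostConfig, in place."""
    host = next((h for h in conn.findall("SSLHostConfig")
                 if h.get("hostName", "_default_") == "_default_"), None)
    if host is None:
        host = ET.SubElement(conn, "SSLHostConfig")
    for old, (element, new) in LEGACY_TLS_ATTRS.items():
        if old not in conn.attrib:
            continue
        value = conn.attrib.pop(old)
        if old == "clientAuth":
            value = CLIENT_AUTH_VALUES.get(value.lower(), value)
        target = host
        if element == "Certificate":
            target = host.find("Certificate")
            if target is None:
                target = ET.SubElement(host, "Certificate")
        target.attrib.setdefault(new, value)  # an explicit new-style value wins
    return conn


if __name__ == "__main__":
    for conn in tls_connectors(SAMPLE_SERVER_XML):
        print("before:", duplicate_hosts(conn))
        print("after: ", duplicate_hosts(migrate(conn)))
        print(ET.tostring(conn, encoding="unicode"))
```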