Re: SSL on Tomcat5
Hi,

If you use APR, the private key and certificate should be in PEM format, as documented in http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS :

  SSLCertificateFile
    Name of the file that contains the server certificate. The format is PEM-encoded.

  SSLCertificateKeyFile
    Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of SSLCertificateFile and in this case both certificate and private key have to be in this file (NOT RECOMMENDED).

On 11 May 2011 15:31, Lunita <hoshi.uts...@gmail.com> wrote:
> Hi again,
>
> I followed many docs, the Tomcat's official web was not clear enough for me.
> With SSLEngine="on" I'm having this problem:
>
>   SEVERE: Catalina.start
>   LifecycleException: Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key /opt/apache-tomcat-5.5.33/conf/xWiki.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
>
> Does Tomcat support .cer certificates or must it be PEM? Strange thing is that the cert. file is .cer, but the error complains about PEM.
>
> Thanx in advance.
>
> 2011/5/10 Konstantin Kolinko <knst.koli...@gmail.com>
>> 2011/5/10 Lunita <hoshi.uts...@gmail.com>:
>>> Hi all!
>>>
>>> I am trying to configure SSL for Tomcat Manager with APR. I have a weird problem: port 8443 is listening, but no HTTPS over there! Ports 8080 and 8443 are open with HTTP.
>>>
>>> I compiled tomcat native with this configure:
>>>
>>>   --prefix=/opt/tomcat/ \
>>>   --with-apr=/opt/apr-1.4.2/ \
>>>   --with-ssl=/usr \
>>>   --with-java-home=/usr/java/jdk1.6.0_23/ \
>>>   --libdir=/usr/lib \
>>>
>>> At startup, Tomcat loads the library OK:
>>>
>>>   INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
>>>   May 10, 2011 6:36:07 PM org.apache.catalina.core.AprLifecycleListener init
>>>   INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>>>   May 10, 2011 6:36:07 PM org.apache.coyote.http11.Http11AprProtocol init
>>>   INFO: Initializing Coyote HTTP/1.1 on http-8080
>>>   May 10, 2011 6:36:07 PM org.apache.coyote.http11.Http11AprProtocol init
>>>   INFO: Initializing Coyote HTTP/1.1 on http-8443
>>>
>>> My config at server.xml looks OK ...
>>>
>>>   <Connector port="8443" maxHttpHeaderSize="8192"
>>>              maxThreads="200" minSpareThreads="25" maxSpareThreads="75"
>>>              scheme="https" secure="true" SSLEnabled="true"
>>>              SSLCertificateFile="/opt/apache-tomcat-5.5.33/conf/tomcat.key.noPasswd"
>>>              SSLCertificateKeyFile="/opt/apache-tomcat-5.5.33/conf/XX.cer"
>>>              clientAuth="false" SSLProtocol="TLSv1"/>
>>>
>>> Any help? I'm really lost =(
>>
>> Configuration of APR/OpenSSL (aka native) connector with SSL is documented in
>> http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS
>>
>> Apparently you are missing SSLEngine="on"
>>
>> Note, that Tomcat 5.5 does not warn about any unknown attributes etc. (Tomcat 6 and later do give warnings), so you should read the configuration docs carefully.
>>
>> What documentation have you followed? (Maybe something needs amendments / corrections there?)
>>
>> Best regards,
>> Konstantin Kolinko
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Error Tomcat CLIENT-CERT autentication.
Hi Angel,

I encountered the same problem as you with Tomcat 5.5.27, so I upgraded to the latest Tomcat to get rid of the certification error. https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 is the bug report on the certification error.

Thank you.

On 17 January 2011 22:14, amcereijo cereijo <amcere...@gmail.com> wrote:
> Hi,
>
> I'm trying to configure the tomcat for mutual authentication with server and client using certificates. I have a tomcat 5.5.26 and a java web application (web service) under JVM 1.5.
>
> I did the following:
>
> I generated two certificates with keytool, one for the client and the other for the server. I created a cacerts, importing the client certificate for the server and the server certificate for the client.
>
> In my web application (web service), I configured the web.xml like this:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>webservice</web-resource-name>
>       <url-pattern>/webservice</url-pattern>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>webservice</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
>   <login-config>
>     <!-- <auth-method>BASIC</auth-method> -->
>     <auth-method>CLIENT-CERT</auth-method>
>     <realm-name>webservice</realm-name>
>   </login-config>
>
>   <security-role>
>     <role-name>webservice</role-name>
>   </security-role>
>
> I configured the server.xml adding
>
>   <Connector port="8443" maxHttpHeaderSize="8192"
>              protocol="HTTP/1.1"
>              SSLEnabled="true"
>              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>              enableLookups="false" disableUploadTimeout="true"
>              acceptCount="100" scheme="https" secure="true"
>              clientAuth="true" sslProtocol="TLS"
>              keystoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatserver.keystore"
>              keystorePass="tomcat"
>              keyAlias="tomcatcertlocalhost"
>              keypass="tomcat"
>              truststoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatservercacerts.keystore"
>              truststorePass="tomcat"
>   />
>
> I added in tomcat-users.xml the following:
>
>   <role rolename="webservice"/>
>   <user username="CN=client, OU=client, O=client, L=Madrid, ST=Madrid, C=ES" password="null" roles="webservice"/>
>
> When I execute my client to call the webservice, I set the properties:
>
>   System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/truststore.keystore");
>   System.setProperty("javax.net.ssl.trustStorePassword", "tomcat");
>
>   System.setProperty("javax.net.ssl.keyStore", "C:/OpenSSL-Win32/bin/ssl/client/client1.p12");
>   System.setProperty("javax.net.ssl.keyStorePassword", "tomcat");
>   System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
>
> In the server logs I get the error:
>
>   17-Jan-2011 13:20:34 org.apache.coyote.http11.Http11Processor action
>   WARNING: Exception getting SSL attributes
>   javax.net.ssl.SSLHandshakeException: null cert chain
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at
Re: Tomcat7 APR Connectors Config: Unable to load certificate key conf/key1cert.pem
Hi Scott,

My working HTTPS connector using APR settings is as below:

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
             SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
             SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
             SSLPassword="123456" />

Try to remove the SSLEngine attribute and add the protocol attribute, then restart Tomcat.

2010/11/24 Scott Li <scott...@gwghk.com>
> Hi All,
>
> I followed the instruction below
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
> to config Tomcat7's APR Connectors SSL, but get error:
>
>   Error initializing endpoint
>   java.lang.Exception: Unable to load certificate key conf/key1cert.pem (error:02001003:system library:fopen:No such process)
>
> and the steps as follow,
>
> step 1: D:\OpenSSL-Win32\bin> openssl genrsa -des3 -out key1.pem 2048
>         enter pwd: test, to get a file: key1.pem
> step 2: req -new -x509 -key key1.pem -out key1cert.pem -days 1095
>         to get another file: key1cert.pem
> step 3: put these two files in apache-tomcat-7.0.4\conf
> step 4: update server.xml as follows:
>
>   <?xml version='1.0' encoding='utf-8'?>
>   <Server port="8005" shutdown="SHUTDOWN">
>     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>     <Listener className="org.apache.catalina.core.JasperListener" />
>     <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>     <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>     <GlobalNamingResources>
>       <Resource name="UserDatabase" auth="Container"
>                 type="org.apache.catalina.UserDatabase"
>                 description="User database that can be updated and saved"
>                 factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>                 pathname="conf/tomcat-users.xml" />
>     </GlobalNamingResources>
>     <!--SSLEnabled="true" protocol="org.apache.coyote.http11.Http11AprProtocol"-->
>     <Service name="Catalina">
>       <Connector port="443" maxHttpHeaderSize="8192"
>                  maxThreads="150" minSpareThreads="25"
>                  enableLookups="false" disableUploadTimeout="true"
>                  acceptCount="100" scheme="https" secure="true"
>                  clientAuth="false" sslProtocol="TLSv1"
>                  SSLEnabled="true" SSLEngine="on"
>                  SSLCertificateFile="conf/key1.pem"
>                  SSLCertificateKeyFile="conf/key1cert.pem"
>                  SSLPassword="test" />
>       <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
>       <Engine name="Catalina" defaultHost="localhost">
>         <Realm className="org.apache.catalina.realm.LockOutRealm">
>           <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
>         </Realm>
>         <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
>           <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>                  prefix="localhost_access_log." suffix=".txt"
>                  pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
>         </Host>
>       </Engine>
>     </Service>
>   </Server>
>
> step 5: start tomcat, and result:
>
>   2010-11-24 16:21:13 org.apache.coyote.http11.Http11AprProtocol init
>   SEVERE: Error initializing endpoint
>   java.lang.Exception: Unable to load certificate key conf/key1cert.pem (error:02001003:system library:fopen:No such process)
>     at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
>     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:501)
>     at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:80)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:873)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:542)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:717)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:544)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:567)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:417)
>   2010-11-24 16:21:13 org.apache.catalina.core.StandardService initInternal
>   SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
>   LifecycleException: Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key conf/key1cert.pem (error:02001003:system library:fopen:No such process)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:875)
Re: Tomcat7 APR Connectors Config: Unable to load certificate key conf/key1cert.pem
Hi Scott,

The exception was caused by a wrong setting in your original HTTPS connector settings... As in Mark's email, you need to put conf/key1cert.pem in the SSLCertificateFile attribute and conf/key1.pem in the SSLCertificateKeyFile attribute.

2010/11/24 Scott Li <scott...@gwghk.com>
> thanks Mark Thomas and Goo Sam Kong
>
> I followed Goo Sam Kong's config, still have errors:
>
>   Loaded APR based Apache Tomcat Native library 1.1.20.
>   2010-11-24 17:38:43 org.apache.catalina.core.AprLifecycleListener init
>   INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>   2010-11-24 17:38:43 org.apache.coyote.http11.Http11AprProtocol init
>   SEVERE: Error initializing endpoint
>   java.lang.Exception: Unable to load certificate key D:\TDDownload\apache-tomcat-7.0.4\conf\key1cert.pem (error:0906D06C:PEM routines:PEM_read_bio:no start line)
>     at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
>     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:501)
>     at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:80)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:873)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:542)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:717)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:544)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:567)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:417)
>   2010-11-24 17:38:43 org.apache.catalina.core.StandardService initInternal
>   SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
>   LifecycleException: Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key D:\TDDownload\apache-tomcat-7.0.4\conf\key1cert.pem (error:0906D06C:PEM routines:PEM_read_bio:no start line)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:875)
>
> update config as follows,
>
>   <Connector port="443" maxHttpHeaderSize="8192"
>              maxThreads="150" minSpareThreads="25"
>              enableLookups="false" disableUploadTimeout="true"
>              acceptCount="100" scheme="https" secure="true"
>              clientAuth="false" SSLEnabled="true"
>              protocol="org.apache.coyote.http11.Http11AprProtocol"
>              SSLCertificateFile="D:\TDDownload\apache-tomcat-7.0.4\conf\key1.pem"
>              SSLCertificateKeyFile="D:\TDDownload\apache-tomcat-7.0.4\conf\key1cert.pem"
>              SSLPassword="test" />
>   <Connector port="8009" enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
>
> I find my SSLCertificateFile is *.pem, and Goo Sam Kong's are .crt and .key; how do you create these files, not using OpenSSL?
>
> On 24 November 2010 at 5:10 PM, Goo Sam Kong <skgo...@gmail.com> wrote:
>> Hi Scott,
>>
>> My working HTTPS connector using APR settings is as below:
>>
>>   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>              SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>>              SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
>>              SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
>>              SSLPassword="123456" />
>>
>> Try to remove the SSLEngine attribute and add the protocol attribute, then restart Tomcat.
>
> --
> Thanks Regards,
> Scott Li
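Both the "no start line" failure (Lunita's .cer handed to the PEM reader in the Tomcat 5 thread above, and Scott's second attempt here) and the "fopen" failure on Scott's first attempt come down to what tomcat-native passes to OpenSSL: SSLCertificateFile must be a PEM CERTIFICATE block and SSLCertificateKeyFile a PEM PRIVATE KEY block, and the attributes are easy to reverse. The script below is an added example, not code from the Tomcat project or from anyone in these threads. It classifies a file as PEM certificate, PEM key, DER or neither, converts DER to PEM the way `openssl x509 -inform DER -outform PEM` would, and lints one <Connector> element for the mistakes seen here. The sample certificate and key bytes and the `FILES` mapping that stands in for reading from disk are constructed for the demonstration and are not real credentials.

```python
"""Added example (not Tomcat's or tomcat-native's code): classify the files an
APR <Connector> points at and catch the mistakes seen in these threads.
Sample certificate/key bytes below are constructed stand-ins, not real credentials."""
import base64
import re
import xml.etree.ElementTree as ET

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def pem_labels(data):
    """BEGIN labels of every PEM block in the file contents ([] for DER or junk)."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]


def classify(data):
    """'certificate', 'key', 'certificate+key', 'der' or 'unknown'.

    tomcat-native hands SSLCertificateFile / SSLCertificateKeyFile to OpenSSL's PEM
    reader, which looks for a BEGIN line.  A binary DER file (what many tools write
    as .cer) has none, hence "PEM routines:PEM_read_bio:no start line".
    """
    kinds = set()
    for label in pem_labels(data):
        if label == "CERTIFICATE":
            kinds.add("certificate")
        elif label.endswith("PRIVATE KEY"):  # RSA PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY
            kinds.add("key")
    if kinds:
        return "+".join(sorted(kinds))
    if data[:1] == b"\x30":                  # ASN.1 SEQUENCE tag: DER-encoded
        return "der"
    return "unknown"


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes as a PEM block with 64-column base64, as openssl -outform PEM does."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = ("-----BEGIN %s-----\n" % label).encode()
    tail = ("-----END %s-----\n" % label).encode()
    return head + b"".join(line + b"\n" for line in lines) + tail


def pem_to_der(pem):
    """Inverse of der_to_pem for the first block; raises on the 'no start line' case."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM block found (OpenSSL: PEM_read_bio:no start line)")
    body = m.group(0).split(b"\n")[1:-1]     # drop the BEGIN and END lines
    return base64.b64decode(b"".join(body))


def check_connector(connector_xml, files):
    """Problems with one <Connector> element.  `files` maps path -> bytes so the
    check runs offline; on a real server read each path from disk instead."""
    conn = ET.fromstring(connector_xml)
    problems = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        problems.append('SSLEnabled="true" is missing')
    if "SSLEngine" in conn.attrib:
        problems.append("SSLEngine belongs on the AprLifecycleListener, not on the Connector")
    if conn.get("protocol") != APR_PROTOCOL:
        problems.append('protocol="%s" not set explicitly; Tomcat only picks APR if the native '
                        "library loaded, and fails loudly with the explicit value" % APR_PROTOCOL)
    cert_path = conn.get("SSLCertificateFile")
    key_path = conn.get("SSLCertificateKeyFile", cert_path)  # documented default: same file
    cert_kind = classify(files.get(cert_path, b"")) if cert_path else "unknown"
    key_kind = classify(files.get(key_path, b"")) if key_path else "unknown"
    if cert_kind == "key" and key_kind == "certificate":
        problems.append("SSLCertificateFile and SSLCertificateKeyFile are swapped")
    else:
        if "certificate" not in cert_kind:
            problems.append("SSLCertificateFile %s is %s; tomcat-native needs a PEM CERTIFICATE"
                            % (cert_path, cert_kind))
        if "key" not in key_kind:
            problems.append("SSLCertificateKeyFile %s is %s; tomcat-native needs a PEM PRIVATE KEY"
                            % (key_path, key_kind))
    return problems


# Constructed sample inputs (not real credentials).
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAR0CAQAwDQYJKoZIhvcNAQEFBQAw\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWy\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_DER = b"\x30\x82\x01\x0a\x30\x81\xb5\xa0\x03\x02\x01\x02"  # first bytes of a DER SEQUENCE
FILES = {"conf/key1cert.pem": SAMPLE_CERT, "conf/key1.pem": SAMPLE_KEY, "conf/xWiki.cer": SAMPLE_DER}

# Scott's first attempt: cert/key attributes reversed, SSLEngine on the Connector, no protocol.
SWAPPED_CONNECTOR = ('<Connector port="443" scheme="https" secure="true" SSLEnabled="true" SSLEngine="on" '
                     'SSLCertificateFile="conf/key1.pem" SSLCertificateKeyFile="conf/key1cert.pem" SSLPassword="test"/>')
# The corrected form.
FIXED_CONNECTOR = ('<Connector port="443" protocol="%s" scheme="https" secure="true" SSLEnabled="true" '
                   'SSLCertificateFile="conf/key1cert.pem" SSLCertificateKeyFile="conf/key1.pem" SSLPassword="test"/>'
                   % APR_PROTOCOL)
# Lunita's case: a binary .cer handed to the PEM reader.
DER_CONNECTOR = ('<Connector port="8443" protocol="%s" scheme="https" secure="true" SSLEnabled="true" '
                 'SSLCertificateFile="conf/xWiki.cer" SSLCertificateKeyFile="conf/key1.pem"/>' % APR_PROTOCOL)

if __name__ == "__main__":
    for name, xml in (("swapped", SWAPPED_CONNECTOR), ("fixed", FIXED_CONNECTOR), ("der .cer", DER_CONNECTOR)):
        print(name, "->", check_connector(xml, FILES) or "OK")
```

On a real server feed `check_connector` the bytes of each path and cross-check with `openssl x509 -in conf/key1cert.pem -noout -subject -dates` and `openssl rsa -in conf/key1.pem -check -noout`; whichever command reports "no start line" is pointing at a file that is not PEM. Note that server.xml carries the key passphrase in SSLPassword in clear, so restrict read access on it to the account Tomcat runs as.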
Re: Client not able with perform client-cert authentication with Tomcat 6.0.29 on APR
Hi Mark,

Thank you for the settings.

I am not sure what the APR/native connector version is; I am using the default APR/native connector in 6.0.29 (I do not set/change APR on my Windows machine).

I am not sure why the client certificate authentication failed when my client certificate was signed with SHA256, but client certificate authentication worked perfectly when the client certificate was signed with SHA1. From http://old.nabble.com/SHA256-digest-windows-0.9.8k--td26123008.html, it mentioned that the developer is required to include a call to OpenSSL_add_all_algorithms() instead of calling SSL_library_init(), which only adds the more commonly used SSL algorithms. I am not sure where I should include this. Can you advise how to solve my problem?

My APR connector settings:

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
             SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
             SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
             SSLVerifyClient="optional" SSLVerifyDepth="1"
             SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
             SSLCACertificateFile="C:\usr-files\client-cert-ca.crt" />

On 13 November 2010 00:38, Mark Thomas <ma...@apache.org> wrote:
> On 12/11/2010 16:27, Goo Sam Kong wrote:
>> Hi
>>
>> I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
>
> APR/native connector version? SSL re-negotiation wasn't supported until recently and the CVE-2009-3555 fixes further complicate things.
>
>> <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
>>            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
>>            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
>>            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA" SSLEnabled="true" SSLEngine="on"
>>            SSLVerifyClient="optional" maxThreads="150" port="8443" protocol="HTTP/1.1"
>>            scheme="https" secure="true" sslProtocol="TLS" />
>
> Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
>
> SSLVerifyClient="optional" can (should?) be removed.
>
> Is that SSLCipherSuite compatible with your client? Try removing that setting until everything else is working.
>
> The following settings are known to work:
>
>   <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>              SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>              SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
>              SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
>              SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />
>
> Mark
Client not able with perform client-cert authentication with Tomcat 6.0.29 on APR
Hi

I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP. I changed server.xml as below.

  <?xml version="1.0" encoding="UTF-8"?>
  <Server port="8005" shutdown="SHUTDOWN">
    <!--APR library loader. Documentation at /docs/apr.html -->
    <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener" />
    <Listener className="org.apache.catalina.core.JasperListener" />
    <!-- Prevent memory leaks due to use of particular java/javax APIs-->
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <GlobalNamingResources>
      <Resource auth="Container" description="User database that can be updated and saved"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase"
                pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase" />
    </GlobalNamingResources>
    <Service name="Catalina">
      <Connector connectionTimeout="2" port="8080" protocol="HTTP/1.1" redirectPort="8443" />
      <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
                 SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
                 SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
                 SSLCipherSuite="AES128-SHA:DES-CBC3-SHA" SSLEnabled="true" SSLEngine="on"
                 SSLVerifyClient="optional" maxThreads="150" port="8443" protocol="HTTP/1.1"
                 scheme="https" secure="true" sslProtocol="TLS" />
      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
      <Engine defaultHost="localhost" name="Catalina">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
        <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true"
              xmlNamespaceAware="false" xmlValidation="false">
          <Context docBase="cert" path="/cert" reloadable="true" source="org.eclipse.jst.j2ee.server:cert" />
          <Context docBase="crl" path="/crl" reloadable="true" source="org.eclipse.jst.j2ee.server:crl" />
          <Context docBase="tdci-2.5.0" path="/tdci-2.5.0" reloadable="true" source="org.eclipse.jst.j2ee.server:tdci-2.5.0" />
        </Host>
      </Engine>
    </Service>
  </Server>

My Java XML-RPC client threw the exception below:

  Exception in thread "main" java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
    at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
    at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:666)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:584)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:839)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.xmlrpc.DefaultXmlRpcTransport.sendXmlRpc(Unknown Source)
    at org.apache.xmlrpc.XmlRpcClientWorker.execute(Unknown Source)
    at org.apache.xmlrpc.XmlRpcClient.execute(Unknown Source)
    at TdciXmlRpcCertAuthClient.requestWebIssuanceKey(TdciXmlRpcCertAuthClient.java:166)
    at TdciXmlRpcCertAuthClient.main(TdciXmlRpcCertAuthClient.java:63)

Please help. Thank you.

SamKong Goo
Re: Tomcat crashed after servicing too many HTTPS connection
Hi Chuck,

I do not have a choice on my server because I can not upgrade the Tomcat and JVM. The server is proprietary security hardware; there is no way to upgrade unless the hardware vendor releases a new patch for it.

Thank you for your reply, :-).

On 6 July 2010 20:44, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Goo Sam Kong [mailto:skgo...@gmail.com]
>> Subject: Re: Tomcat crashed after servicing too many HTTPS connection
>>
>> I did the same test on Tomcat 5.5.16 with JDK 1.5.0 update 7 on Windows XP
>
> Why are you mucking around with versions of Tomcat that are over four years old? Many, many serious fixes - some critical - have gone in since then. Move up.
>
> You might want to upgrade your JVM as well - it's pretty ancient.
>
> - Chuck
Tomcat crashed after servicing too many HTTPS connection
I am using Tomcat 5.5.15 with JDK 1.5.0 update 7 on RedHat Enterprise. I tested my web application by refreshing a page many times; the Tomcat server crashed and threw the exception below:

  Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
  SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: Too many open files
  java.net.SocketException: Too many open files
    at java.net.PlainSocketImpl.socketAccept(Native Method)
    at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:384)
    at java.net.ServerSocket.implAccept(ServerSocket.java:450)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:259)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:110)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
  Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
  WARNING: Reinitializing ServerSocket
  Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
  SEVERE: Endpoint null ignored exception: java.io.FileNotFoundException: /usr-files/ssl-truststore (Too many open files)
  java.io.FileNotFoundException: /usr-files/ssl-truststore (Too many open files)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:468)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
  Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
  WARNING: Restarting endpoint
  Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
  SEVERE: Endpoint null shutdown due to exception: java.io.FileNotFoundException: /.keystore (Too many open files)
  java.io.FileNotFoundException: /.keystore (Too many open files)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:480)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
  Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.threads.ThreadPool$ControlRunnable run
  SEVERE: Caught exception (java.lang.ThreadDeath) executing org.apache.tomcat.util.net.leaderfollowerworkerthr...@117a4c6, terminating thread
  Jul 6, 2010 11:21:41 AM org.apache.naming.resources.FileDirContext list
  WARNING: Could not get dir listing for /usr/local/apache-tomcat-5.5.16/webapps/windtalker/WEB-INF/lib
  Jul 6, 2010 11:21:41 AM org.apache.catalina.loader.WebappClassLoader modified
  INFO: Additional JARs have been added
  Jul 6, 2010 11:21:41 AM org.apache.catalina.core.StandardContext reload
  INFO: Reloading this Context has started
Re: Tomcat crashed after servicing too many HTTPS connection
Hi Pid,

Around 50 times; I pressed the refresh button on the browser manually. I do not want to see Tomcat crash.

I did the same test on Tomcat 5.5.16 with JDK 1.5.0 update 7 on Windows XP; Tomcat is running fine without any issue.

On 6 July 2010 17:11, Pid <p...@pidster.com> wrote:
> On 06/07/2010 09:48, Goo Sam Kong wrote:
>> I am using Tomcat 5.5.15 with JDK 1.5.0 update 7 on RedHat Enterprise. I tested my web application by refreshing a page many times, the Tomcat server crashed and thrown exception below:
>
> How many times? Was your test automated? What did you expect would happen?
>
> p
>
>>   Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>   SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: Too many open files
>>   java.net.SocketException: Too many open files
>>     at java.net.PlainSocketImpl.socketAccept(Native Method)
>>     at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:384)
>>     at java.net.ServerSocket.implAccept(ServerSocket.java:450)
>>     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:259)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:110)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>     at java.lang.Thread.run(Thread.java:595)
>>   Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>   WARNING: Reinitializing ServerSocket
>>   Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>   SEVERE: Endpoint null ignored exception: java.io.FileNotFoundException: /usr-files/ssl-truststore (Too many open files)
>>   java.io.FileNotFoundException: /usr-files/ssl-truststore (Too many open files)
>>     at java.io.FileInputStream.open(Native Method)
>>     at java.io.FileInputStream.<init>(FileInputStream.java:106)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
>>     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
>>     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:468)
>>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>     at java.lang.Thread.run(Thread.java:595)
>>   Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>   WARNING: Restarting endpoint
>>   Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>   SEVERE: Endpoint null shutdown due to exception: java.io.FileNotFoundException: /.keystore (Too many open files)
>>   java.io.FileNotFoundException: /.keystore (Too many open files)
>>     at java.io.FileInputStream.open(Native Method)
>>     at java.io.FileInputStream.<init>(FileInputStream.java:106)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
>>     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
>>     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:480)
>>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>     at java.lang.Thread.run(Thread.java:595)
>>   Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.threads.ThreadPool$ControlRunnable run
>>   SEVERE: Caught exception (java.lang.ThreadDeath) executing org.apache.tomcat.util.net.leaderfollowerworkerthr...@117a4c6, terminating thread
>>   Jul 6, 2010 11:21:41 AM org.apache.naming.resources.FileDirContext list
>>   WARNING: Could not get dir listing for /usr/local/apache-tomcat-5.5.16/webapps/windtalker/WEB-INF/lib
>>   Jul 6, 2010 11:21
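The trace in this thread is file-descriptor exhaustion: accept() fails with EMFILE ("Too many open files"), the JSSE endpoint re-initialises, and with no descriptors left it cannot even reopen the key and trust stores, so the endpoint shuts down. Any client that can hold enough connections open can force this, which makes it a condition worth detecting before the listener dies. The script below is an added example, not code from Tomcat or from anyone in the thread: a scanner over constructed catalina.out lines modelled on the trace above, plus a Linux-only headroom check that reads /proc/<pid>/limits and /proc/<pid>/fd (pass the Tomcat JVM's pid instead of "self"; the /proc layout and the "Max open files" line format are the assumptions).

```python
"""Added example (not Tomcat's code): spot descriptor exhaustion in catalina.out
and measure how close a process is to its open-file limit.  The sample log lines
and limits text are constructed from the ones in this thread."""
import os
import re

# The failure sequence in the thread: accept() fails with EMFILE, the endpoint
# re-initialises, then it cannot even reopen its key/trust store.
EMFILE = re.compile(r"Too many open files")
ENDPOINT_EVENT = re.compile(r"Reinitializing ServerSocket|Restarting endpoint|shutdown due to exception")
STORE_OPEN_FAIL = re.compile(r"FileNotFoundException: (\S+) \(Too many open files\)")


def scan_catalina_out(lines):
    """Summarise EMFILE symptoms: lines that hit the limit, endpoint bounces, and the
    key/trust stores the endpoint could no longer open (in order of first failure)."""
    summary = {"emfile": 0, "endpoint_events": 0, "stores_unreadable": []}
    for line in lines:
        if EMFILE.search(line):
            summary["emfile"] += 1
        if ENDPOINT_EVENT.search(line):
            summary["endpoint_events"] += 1
        m = STORE_OPEN_FAIL.search(line)
        if m and m.group(1) not in summary["stores_unreadable"]:
            summary["stores_unreadable"].append(m.group(1))
    return summary


def parse_nofile_limit(limits_text):
    """(soft, hard) from the 'Max open files' line of /proc/<pid>/limits; None = unlimited."""
    def conv(value):
        return None if value == "unlimited" else int(value)
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            # "Max open files   <soft>   <hard>   files"
            parts = line.split()
            return conv(parts[3]), conv(parts[4])
    raise ValueError("no 'Max open files' line")


def fd_headroom(pid="self"):
    """Open descriptors versus the soft limit of a Linux process; None off Linux.
    Point pid at the Tomcat JVM to see how much headroom it has left."""
    limits = "/proc/%s/limits" % pid
    if not os.path.exists(limits):
        return None
    with open(limits) as fh:
        soft, hard = parse_nofile_limit(fh.read())
    open_fds = len(os.listdir("/proc/%s/fd" % pid))
    pct = None if soft is None else round(100.0 * open_fds / soft, 1)
    return {"soft": soft, "hard": hard, "open": open_fds, "pct_used": pct}


# Constructed sample, modelled on the log in this thread.
SAMPLE_LOG = """\
Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: Too many open files
Jul 6, 2010 11:21:38 AM org.apache.tomcat.util.net.PoolTcpEndpoint accept Socket
WARNING: Reinitializing ServerSocket
SEVERE: Endpoint null ignored exception: java.io.FileNotFoundException: /usr-files/ssl-truststore (Too many open files)
WARNING: Restarting endpoint
SEVERE: Endpoint null shutdown due to exception: java.io.FileNotFoundException: /.keystore (Too many open files)
""".splitlines()

# Constructed /proc/<pid>/limits excerpt.
SAMPLE_LIMITS = ("Limit                     Soft Limit           Hard Limit           Units\n"
                 "Max open files            1024                 4096                 files\n")

if __name__ == "__main__":
    print(scan_catalina_out(SAMPLE_LOG))
    print(parse_nofile_limit(SAMPLE_LIMITS))
    print(fd_headroom())
```

Raise the limit for the account running Tomcat (`ulimit -n` in the startup script, or /etc/security/limits.conf) and confirm it from the running JVM's own /proc/<pid>/limits rather than from your shell, since the two need not agree; a listener that bounces and then fails to reopen its keystore, as above, is the point at which the service is down for every client, not just the one holding the connections.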
Re: Convert a certificate from IIS (.PFX) into a (.keystore) for Apache Tomcat v 6.x
Hi Ian, Take a look at this: http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html. Hope it helps. On 24 June 2010 06:41, Konstantin Kolinko knst.koli...@gmail.com wrote: 2010/6/24 Mark Eggers its_toas...@yahoo.com: Google is your friend? http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores/ Please note that I have not tried this. Your mileage may vary. Noticing the PKCS #12 hint from the above page, I can find this Sun article: http://java.sun.com/developer/technicalArticles/J2SE/security/#4 "Import and Export PKCS#12 Keystores" (how to chain the CA's intermediate certificates). It looks like the method described in the Sun article imports the whole keystore, and from the description of the format it looks like the one from Jetty also does so. Disclaimer: I have not tried them. Best regards, Konstantin Kolinko
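Added example, not code from the thread or from Tomcat: the same conversion done with the Java KeyStore API instead of the linked scripts, so the chain that IIS exported into the .pfx (leaf plus whatever intermediates it included) is carried over unchanged, and then printed so you can check that each issuer matches the next subject before pointing keystoreFile at the result. Arguments, file names and passwords are placeholders. Two alternatives worth knowing: from Java 6 on, keytool -importkeystore -srcstoretype PKCS12 does the same job, and the JSSE connector can read the .pfx directly with keystoreType="PKCS12", so converting is optional.

```java
// Added example (not from the thread): convert an IIS-exported PKCS#12 (.pfx)
// into a JKS keystore with the Java KeyStore API, keeping the certificate chain.
// Assumes the .pfx holds the server's private key plus its certificate chain.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class PfxToJks {

    // Copy every entry of src into a new JKS keystore. The key password is set
    // equal to the store password because the Tomcat connector uses keystorePass
    // for both unless keyPass is configured.
    public static KeyStore toJks(KeyStore src, char[] srcKeyPass, char[] jksPass)
            throws GeneralSecurityException, IOException {
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null);                       // start from an empty store
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, srcKeyPass);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, jksPass, chain);
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dst;
    }

    // Print the chain of each key entry: if the intermediates were exported,
    // every issuer line should equal the subject line of the next certificate.
    public static void printChain(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("alias " + alias + ": " + chain.length + " certificate(s)");
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal());
                System.out.println("  issuer =" + x.getIssuerX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java PfxToJks in.pfx pfxPassword out.jks jksPassword");
            System.exit(2);
        }
        char[] pfxPass = args[1].toCharArray();
        char[] jksPass = args[3].toCharArray();
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(args[0]);
        try { pfx.load(in, pfxPass); } finally { in.close(); }
        KeyStore jks = toJks(pfx, pfxPass, jksPass);
        printChain(jks);
        FileOutputStream out = new FileOutputStream(args[2]);
        try { jks.store(out, jksPass); } finally { out.close(); }
    }
}
```

If printChain shows only one certificate, the .pfx was exported without the intermediates; import them into the same JKS as trusted entries (keytool -import) before using it, or clients that do not already trust the issuing CA will fail the handshake.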
Logging Requirement in Tomcat 5.5.16
Hi, I am using Log4j logging in Tomcat 5.5.16 with JDK 1.5.0 update 7 on a RedHat Linux server. I followed the instructions on http://tomcat.apache.org/tomcat-5.5-doc/logging.html to copy commons-logging-1.0.4.jar and log4j.jar into the $CATALINA_HOME/common/lib directory, and created log4j.properties in the $CATALINA_HOME/common/classes directory as below:
log4j.rootLogger=info, CATALINA
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.DatePattern='.'yyyy-MM-dd
log4j.appender.CATALINA.File=${catalina.home}/logs/catalina.out
log4j.appender.CATALINA.threshold=info
log4j.appender.CATALINA.layout=org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern=%d:%p %c{2} - %m%n
After a couple of days, I saw some catalina.out files suffixed with .x.gz, where x is a number ranging from 1 to 30. May I know how to get rid of these files? I only want log4j to handle the file rotation as configured in log4j.properties. Thank you. Regards, SamKong Goo
Re: Logging Requirement in Tomcat 5.5.16
I want catalina.out to be rotated daily, but Tomcat gives me extra files (catalina.out.1.gz, catalina.out.2.gz...catalina.out.30.gz). I don't want those extra files. Any chance to disable that? On 21 April 2010 16:26, Pid p...@pidster.com wrote: On 21/04/2010 09:07, Goo Sam Kong wrote: Hi, I am using Log4j logging in Tomcat 5.5.16 with JDK 1.5.0 update 7 on a RedHat Linux server. I followed the instructions on http://tomcat.apache.org/tomcat-5.5-doc/logging.html to copy commons-logging-1.0.4.jar and log4j.jar into the $CATALINA_HOME/common/lib directory, and created log4j.properties in the $CATALINA_HOME/common/classes directory as below:
log4j.rootLogger=info, CATALINA
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.DatePattern='.'yyyy-MM-dd
log4j.appender.CATALINA.File=${catalina.home}/logs/catalina.out
log4j.appender.CATALINA.threshold=info
log4j.appender.CATALINA.layout=org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern=%d:%p %c{2} - %m%n
After a couple of days, I saw some catalina.out files suffixed with .x.gz, where x is a number ranging from 1 to 30. May I know how to get rid of these files? I only want log4j to handle the file rotation as configured in log4j.properties. You've configured a DailyRollingFileAppender with DatePattern set to .yyyy-MM-dd, so the log files are being rotated daily. What were you intending it to do? p Thank you. Regards, SamKong Goo
Re: Logging Requirement in Tomcat 5.5.16
Oops, typed too fast. I want catalina.out to be rotated daily, but Tomcat gives me extra files (catalina.out.1.gz, catalina.out.2.gz...catalina.out.30.gz). I don't want those extra files. Any chance to disable that? Are the extra files generated by Tomcat by default? I do not specify that file rotation anywhere. On 21 April 2010 16:32, Goo Sam Kong skgo...@gmail.com wrote: I want catalina.out to be rotated daily, but Tomcat gives me extra files (catalina.out.1.gz, catalina.out.2.gz...catalina.out.30.gz). I don't want those extra files. Any chance to disable that? On 21 April 2010 16:26, Pid p...@pidster.com wrote: On 21/04/2010 09:07, Goo Sam Kong wrote: Hi, I am using Log4j logging in Tomcat 5.5.16 with JDK 1.5.0 update 7 on a RedHat Linux server. I followed the instructions on http://tomcat.apache.org/tomcat-5.5-doc/logging.html to copy commons-logging-1.0.4.jar and log4j.jar into the $CATALINA_HOME/common/lib directory, and created log4j.properties in the $CATALINA_HOME/common/classes directory as below:
log4j.rootLogger=info, CATALINA
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.DatePattern='.'yyyy-MM-dd
log4j.appender.CATALINA.File=${catalina.home}/logs/catalina.out
log4j.appender.CATALINA.threshold=info
log4j.appender.CATALINA.layout=org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern=%d:%p %c{2} - %m%n
After a couple of days, I saw some catalina.out files suffixed with .x.gz, where x is a number ranging from 1 to 30. May I know how to get rid of these files? I only want log4j to handle the file rotation as configured in log4j.properties. You've configured a DailyRollingFileAppender with DatePattern set to .yyyy-MM-dd, so the log files are being rotated daily. What were you intending it to do? p Thank you. Regards, SamKong Goo
Re: Logging Requirement in Tomcat 5.5.16
Hi Pid, My answers below. I saw the same file names on another server (log4j not implemented yet); that server is running on default logging (Tomcat Juli). I think Tomcat by default created those extra zip files; I would like to know how to disable that. On 21 April 2010 17:00, Pid p...@pidster.com wrote: On 21/04/2010 09:49, Pid wrote: On 21/04/2010 09:35, Goo Sam Kong wrote: Oops, typed too fast. I want catalina.out to be rotated daily, but Tomcat gives me extra files (catalina.out.1.gz, catalina.out.2.gz...catalina.out.30.gz). I don't want those extra files. Any chance to disable that? Sorry, my mistake, I misread your email. Also: http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/DailyRollingFileAppender.html seems to say that DailyRollingFileAppender isn't a good choice. Are the extra files generated by Tomcat by default? I do not specify that file rotation anywhere. Tomcat doesn't tar gzip files by default. How are you starting Tomcat, using a script like /etc/init.d/tomcat? (I need a coffee.) So, I'm not asking the right questions here. To recap:
1. What log files *are* being generated? Are you getting catalina.2010-04-01.log, catalina.2010-04-02.log etc? Sam: Yes
2. If so, are they in addition to the catalina.1.tar.gz type files? Sam: The file name is catalina.out.1.gz and so on
3. How big is the compressed tar.gz and how big is the file when it's unpacked? Sam: Same contents as catalina.out.yyyy.mm.dd
4. Did you post the entire log4j.properties or are there other parts to it? E.g. are there MaxBackupIndex and MaxFileSize settings? If not, try adding one set to -1 and 0. Sam: I posted the entire log4j.properties in my previous email.
p On 21 April 2010 16:32, Goo Sam Kong skgo...@gmail.com wrote: I want catalina.out to be rotated daily, but Tomcat gives me extra files (catalina.out.1.gz, catalina.out.2.gz...catalina.out.30.gz). I don't want those extra files. Any chance to disable that?
On 21 April 2010 16:26, Pid p...@pidster.com wrote: On 21/04/2010 09:07, Goo Sam Kong wrote: Hi, I am using Log4j logging in Tomcat 5.5.16 with JDK 1.5.0 update 7 on a RedHat Linux server. I followed the instructions on http://tomcat.apache.org/tomcat-5.5-doc/logging.html to copy commons-logging-1.0.4.jar and log4j.jar into the $CATALINA_HOME/common/lib directory, and created log4j.properties in the $CATALINA_HOME/common/classes directory as below:
log4j.rootLogger=info, CATALINA
log4j.appender.CATALINA=org.apache.log4j.DailyRollingFileAppender
log4j.appender.CATALINA.DatePattern='.'yyyy-MM-dd
log4j.appender.CATALINA.File=${catalina.home}/logs/catalina.out
log4j.appender.CATALINA.threshold=info
log4j.appender.CATALINA.layout=org.apache.log4j.PatternLayout
log4j.appender.CATALINA.layout.ConversionPattern=%d:%p %c{2} - %m%n
After a couple of days, I saw some catalina.out files suffixed with .x.gz, where x is a number ranging from 1 to 30. May I know how to get rid of these files? I only want log4j to handle the file rotation as configured in log4j.properties. You've configured a DailyRollingFileAppender with DatePattern set to .yyyy-MM-dd, so the log files are being rotated daily. What were you intending it to do? p Thank you. Regards, SamKong Goo
Re: Logging Requirement in Tomcat 5.5.16
Thanks André, I saw there is a script doing zip in /etc. I am new to Linux :-). On 21 April 2010 17:45, André Warnier a...@ice-sa.com wrote: Goo Sam Kong wrote: Hi Pid, My answers below. I saw the same file names on another server (log4j not implemented yet); that server is running on default logging (Tomcat Juli). I think Tomcat by default created those extra zip files; I would like to know how to disable that. Tomcat does not create gzipped logfiles. I would venture that the most likely candidate for this is that you have a logrotate script which runs under cron from time to time, and which does it. If you are under Linux, start with the /etc directory and look for anything that mentions logrotate, maybe starting in the /etc/cron.* directories.
Re: Having difficulty using keytool -genkey to get a key with blank OU (instead of unknown)
Hi Eric, Try putting the subject DN (with OU equal to blank) in the -dname field as below.
keytool -genkey -keystore keystoreFile -storepass password -alias keyAlias -dname "CN=your cn,OU=,O=your company,C=SG"
On 9 April 2010 06:51, Eric DuToit eric.dut...@gmail.com wrote: I need to generate a keypair with the OU having a NULL value / blank (instead of Unknown). If I leave the field blank, it results in an unknown value. I've googled several different things but I may just not be using the right search. Any help is appreciated.
Re: smartcards for tomcat webapps
Yes, I imported the issuer of the client certificate (the issuer can be self-signed or signed by others) into the trust store using the Java keytool command. Below are the web.xml settings...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
On 7 April 2010 20:50, Michael Dockery dockeryjava...@yahoo.com wrote: Thank you. So did you load the CA root cert (self-signed top of chain) into the truststoreFile? Via keytool? Also, does your web app's web.xml have the following?
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
and
<security-constraint>
  ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
From: Goo Sam Kong skgo...@gmail.com To: Tomcat Users List users@tomcat.apache.org Sent: Tue, April 6, 2010 10:21:49 PM Subject: Re: smartcards for tomcat webapps On 6 April 2010 20:39, dockeryjava...@yahoo.com wrote: Anyone using smartcards for auth? If so, have specific example code excerpt and server.xml? The minimum configuration change required for the HTTPS connector in server.xml is to add the attributes below and amend the value of the clientAuth attribute from false to true or want. 1. truststoreFile 2. truststorePass 3. truststoreType
<!-- Define a SSL HTTP/1.1 Connector on port 8443 connectionTimeout=15000 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="want/true" sslProtocol="TLS"
           truststoreFile="" truststorePass="xxx" truststoreType="xxx" />
No code change is required on the server side. Refer to http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for SSL configuration in server.xml.
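Added example, not from the thread or from Tomcat: the "code excerpt" half of the original question. Once the connector has verified the client certificate against truststoreFile, the webapp does no TLS work itself; it reads the verified chain from the javax.servlet.request.X509Certificate request attribute, which Tomcat sets for every HTTPS request that presented a certificate. Two things a deployer should check against the web.xml above: a security-constraint that carries only a user-data-constraint forces HTTPS but does not trigger CLIENT-CERT authentication, so an auth-constraint naming a role is needed before the authenticator runs and getUserPrincipal() is populated; and the Realm matches the certificate's subject DN as the username, so with tomcat-users.xml the user entry must carry the full DN. Servlet name and messages are placeholders; it assumes Servlet 2.4 (Tomcat 5.5).

```java
// Added example (not from the thread): what a webapp behind Tomcat's CLIENT-CERT
// authentication can read once the TLS client certificate has been verified.
// Assumes Servlet 2.4 (Tomcat 5.5) and a connector with clientAuth="true" or "want".
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WhoAmIServlet extends HttpServlet {

    // Tomcat exposes the verified chain under this standard attribute name.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Reachable with clientAuth="want" (client sent no certificate); with
            // clientAuth="true" the handshake would already have been refused.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate leaf = chain[0];          // chain[0] is the client's own certificate
        try {
            leaf.checkValidity();                  // JSSE checked this already; cheap to repeat
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not valid");
            return;
        }
        // With CLIENT-CERT the Realm authenticated the subject DN; this is null when
        // the DN is not a user the Realm knows, or when no auth-constraint applied.
        Principal user = req.getUserPrincipal();
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("secure   : " + req.isSecure());
        out.println("subject  : " + leaf.getSubjectX500Principal().getName());
        out.println("issuer   : " + leaf.getIssuerX500Principal().getName());
        out.println("serial   : " + leaf.getSerialNumber().toString(16));
        out.println("principal: " + (user == null ? "(none)" : user.getName()));
    }
}
```

Map it to a URL under /private/* in web.xml and call it with and without the smartcard; the "principal" line tells you whether the Realm actually authenticated the DN, which is the part a missing auth-constraint silently skips.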
Re: smartcards for tomcat webapps
On 6 April 2010 20:39, dockeryjava...@yahoo.com wrote: Anyone using smartcards for auth? If so, have specific example code excerpt and server.xml? The minimum configuration change required for the HTTPS connector in server.xml is to add the attributes below and amend the value of the clientAuth attribute from false to true or want. 1. truststoreFile 2. truststorePass 3. truststoreType
<!-- Define a SSL HTTP/1.1 Connector on port 8443 connectionTimeout=15000 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="want/true" sslProtocol="TLS"
           truststoreFile="" truststorePass="xxx" truststoreType="xxx" />
No code change is required on the server side. Refer to http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for SSL configuration in server.xml.
Re: can't seem to migrate this app over to a new server
Hi John, You need to enable the HTTPS connector; refer to the SSL Support section in http://tomcat.apache.org/tomcat-5.5-doc/config/http.html to enable SSL in server.xml. On 24 March 2010 14:22, joon yoo jyoo1...@gmail.com wrote: We're in the process of extricating ourselves from a host who developed and managed our app through their own hosted server. In attempting to move the app over to a server under our control (Tomcat 5.5.28 w/ admin package, Java 1.5.0_28, Windows 2003 R2), all they gave me was a zipped up directory under their webapps dir and the JKS file for SSL. Do I need anything other than the JKS file to transfer the SSL cert over to our new Tomcat server? Also, in trying to set up the app, I installed Tomcat and unzipped it under webapps, and subsequently when I try to connect to the app through localhost/ourapp it gives an error: Firefox can't establish a connection to the server at localhost:8443. I know very little about Tomcat and Java, so please, at the very least, any answers that are fully googleable I would greatly appreciate. Thanks, John
Re: Force Tomcat 5.5.16 to close SSL session upon every request
Hi Ben, Do you know why Tomcat takes some time to close the connection? Is it predictable? My Java client authenticates with the Tomcat server using a USB based security token through client certificate authentication. Even though I removed the token, the Java client is still able to run for some time, then forced authentication happens. Thank you. On 23 March 2010 10:37, Ben Stringer b...@burbong.com wrote: Hi, Take a look at the documentation for maxKeepAliveRequests on this page: http://tomcat.apache.org/tomcat-5.5-doc/config/http.html If you set this to 1 for your SSL connector, I believe it will do what you want. Cheers, Ben Hi, Is it possible for Tomcat to close the SSL session upon every HTTP request? I am running Tomcat 5.5.16 on JDK 1.5.0 update 7 on RedHat Enterprise. Thank you. Regards, SamKong Goo
Re: Force Tomcat 5.5.16 to close SSL session upon every request
Thank you, Mark On 23 March 2010 16:31, Mark Thomas ma...@apache.org wrote: On 23/03/2010 06:58, Goo Sam Kong wrote: Hi Ben, Do you know why Tomcat takes some time to close the connection? Is it predictable? Tomcat does close the connection. My Java client authenticates with the Tomcat server using a USB based security token through client certificate authentication. Even though I removed the token, the Java client is still able to run for some time, then forced authentication happens. Closing the connection does not terminate the session. That capability will be available in Tomcat 7. In Tomcat 6 you can control the session timeout. Look for the sessionTimeout connector property. Mark
Force Tomcat 5.5.16 to close SSL session upon every request
Hi, Is it possible for Tomcat to close the SSL session upon every HTTP request? I am running Tomcat 5.5.16 on JDK 1.5.0 update 7 on RedHat Enterprise. Thank you. Regards, SamKong Goo
Re: How to set SSL session timeout in Tomcat 5.5.16
Thank you very much Mark, I will try it tomorrow. On 17 March 2010 16:40, Mark Thomas ma...@apache.org wrote: On 17/03/2010 00:49, Goo Sam Kong wrote: May I know how to set the SSL session timeout in Tomcat 5.5.16? I am running JDK 1.5.0 update 7 on RedHat Enterprise. 1. Upgrade to the latest 6.0.x 2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html Mark
Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Mark, Thank you for the solution, it is working for me now. I noticed there is an error in the Tomcat documentation (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html): the correct attribute for the session cache timeout should be sessionCacheTimeout instead of sessionTimeout in the HTTPS connector. Thank you. On 17 March 2010 17:32, Goo Sam Kong skgo...@gmail.com wrote: Thank you very much Mark, I will try it tomorrow. On 17 March 2010 16:40, Mark Thomas ma...@apache.org wrote: On 17/03/2010 00:49, Goo Sam Kong wrote: May I know how to set the SSL session timeout in Tomcat 5.5.16? I am running JDK 1.5.0 update 7 on RedHat Enterprise. 1. Upgrade to the latest 6.0.x 2. Read the docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html Mark
Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Chuck, OIC, so when will the code be fixed? On 18 March 2010 11:07, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Goo Sam Kong [mailto:skgo...@gmail.com] Subject: Re: How to set SSL session timeout in Tomcat 5.5.16 I noticed there is an error in the Tomcat documentation (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html): the correct attribute for the session cache timeout should be sessionCacheTimeout instead of sessionTimeout in the HTTPS connector. Actually, it looks like the code should be fixed, not the doc. The timeout value has nothing to do with the SSL session cache, and the related methods in javax.net.ssl.SSLSessionContext are all for sessionTimeout; there's no mention of a sessionCacheTimeout in that interface. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Mark, Will apache.org correct the Tomcat documentation or fix the code? Thank you. On 18 March 2010 11:16, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Goo Sam Kong [mailto:skgo...@gmail.com] Subject: Re: How to set SSL session timeout in Tomcat 5.5.16 OIC, so when will the code be fixed? No idea - I'm not a committer. It will get more attention if you file a Bugzilla entry for it: http://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%206 - Chuck
How to set SSL session timeout in Tomcat 5.5.16
May I know how to set the SSL session timeout in Tomcat 5.5.16? I am running JDK 1.5.0 update 7 on RedHat Enterprise. Thank you. Regards, SamKong Goo
Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Chuck, I am referring to invalidating the SSL session. My application is using client certificate authentication; the XML-RPC client uses a USB token as a keystore during the SSL session, and we want to force the client to re-authenticate with my application on every XML-RPC request to prevent the user from removing the token during client execution. The client will run indefinitely. From the client, I noticed it cached the first authenticated SSL session and reuses it for the subsequent calls... Can I invalidate the SSL session on the server side? Thank you. Regards, SamKong Goo On 17 March 2010 09:20, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Goo Sam Kong [mailto:skgo...@gmail.com] Subject: How to set SSL session timeout in Tomcat 5.5.16 May I know how to set the SSL session timeout in Tomcat 5.5.16? The session timeout value is independent of the session security, and set by the session-timeout value in the webapp's WEB-INF/web.xml file or programmatically. See the servlet spec for details. BTW, your Tomcat version is four years old - you should seriously consider moving up to a newer version that contains numerous fixes, including security-related ones. - Chuck
Re: How to set SSL session timeout in Tomcat 5.5.16
Hi Chuck, I attempted that; that is the HTTP session, not the SSL session. I modified the XML-RPC client to include the code below to terminate the client's SSL session. It worked, but we would prefer the server to terminate the SSL session instead.
SSLContext.getClientSessionContext().setSessionTimeout(seconds);
Do you know how to do or configure this so as to invalidate the SSL session? Thank you. Regards, SamKong Goo On 17 March 2010 10:30, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Goo Sam Kong [mailto:skgo...@gmail.com] Subject: Re: How to set SSL session timeout in Tomcat 5.5.16 Can I invalidate the SSL session on the server side? Look at the servlet API doc: http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpSession.html#invalidate() Again, whether the session was established via HTTP or HTTPS is not pertinent here. - Chuck
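Added example, not from the thread or from Tomcat: a small JSSE client that makes the behaviour Mark describes visible. A TLS session outlives the TCP connection: the next connection normally resumes it with an abbreviated handshake (same session id, and the client's private key is not used again), which is why a pulled token keeps "working". Two controls, used together, force a full handshake for every request: on the server, maxKeepAliveRequests="1" as Ben suggests (each request is a new connection) plus the Tomcat 6 connector session timeout Mark mentions, under whichever attribute name the version you run honours, so the server forgets sessions; and on the client, either the short SSLContext.getClientSessionContext().setSessionTimeout(seconds) above or invalidating the session after use, which this code shows. One trap: for both setSessionTimeout and setSessionCacheSize a value of 0 means "no limit", not "off", so the smallest effective timeout is 1 second. The example assumes session-id resumption (TLS 1.0 to 1.2) and a PKCS#12 file standing in for the token; a SunPKCS11 keystore for a USB token would be opened with KeyStore.getInstance("PKCS11") and ks.load(null, pin) instead. Host, port, path and file names are placeholders.

```java
// Added example (not from the thread): show that closing the TCP connection does
// not end the TLS session, and force a full handshake (a fresh client-certificate
// signature) on the next connection by invalidating the session client-side.
// Assumes TLS session-id resumption (TLS 1.0-1.2) and a PKCS#12 file for the key;
// a SunPKCS11 token would be opened as KeyStore.getInstance("PKCS11") + load(null, pin).
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class FreshHandshakeClient {

    public static SSLContext build(KeyStore clientKs, char[] keyPass, KeyStore trustKs)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // One HTTP request over a fresh TCP connection; returns the TLS session id.
    // An id equal to the previous call's means the handshake was a resumption.
    public static byte[] request(SSLContext ctx, String host, int port, String path,
                                 boolean invalidate) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            s.startHandshake();
            byte[] id = s.getSession().getId();
            OutputStream out = s.getOutputStream();
            out.write(("GET " + path + " HTTP/1.1\r\nHost: " + host
                    + "\r\nConnection: close\r\n\r\n").getBytes("US-ASCII"));
            out.flush();
            InputStream in = s.getInputStream();
            byte[] buf = new byte[4096];
            while (in.read(buf) != -1) { /* drain the response */ }
            if (invalidate) {
                // Forget the session on the client: the next connection must do a
                // full handshake even though the server would accept a resumption.
                s.getSession().invalidate();
            }
            return id;
        } finally {
            s.close();
        }
    }

    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // args: client.p12 p12Password truststore.jks trustPassword host port path
        char[] p12Pass = args[1].toCharArray();
        SSLContext ctx = build(load("PKCS12", args[0], p12Pass), p12Pass,
                               load("JKS", args[2], args[3].toCharArray()));
        String host = args[4]; int port = Integer.parseInt(args[5]); String path = args[6];
        byte[] first  = request(ctx, host, port, path, false);
        byte[] second = request(ctx, host, port, path, false);
        System.out.println("second connection resumed the first session: " + Arrays.equals(first, second));
        byte[] third  = request(ctx, host, port, path, true);
        byte[] fourth = request(ctx, host, port, path, false);
        System.out.println("after invalidate(), fourth resumed the third: " + Arrays.equals(third, fourth));
    }
}
```

Run it against the Tomcat 5.5 connector from this thread and the first line prints true and the second false; pull the token between the third and fourth call and the fourth handshake fails instead of silently resuming, which is the re-authentication the original question asked for. Configuring the server-side timeout in Tomcat 6 turns the first line false as well, without any client change.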