Re: Java process killed by oom-killer in Ubuntu
I'm finding it hard to believe, but it all points to the problem being the -Xms option of the Oracle (Sun) JVM. I originally set it to the same value as -Xmx, so that all memory for the heap is allocated when the JVM starts. This works fine in Solaris, but it is not working in Ubuntu. After removing that option, the JVM process memory usage seems to keep stable.

I am using Sun JVM 1.6.0.26

-Jorge

On Thu, Jun 7, 2012 at 11:38 PM, Pid * p...@pidster.com wrote:

On 7 Jun 2012, at 23:03, Daniel Mikusa dmik...@vmware.com wrote:

- Original Message -

Only 52 java threads. It used to fluctuate more (we made some changes to the app to perform a task in a single thread rather than spawning multiple threads, but the crash still occurs). The number of threads is always below 100.

jstack -F 21370 | grep ^Thread | wc -l
ps -T -p 21370 (This gives me 63)

I don't seem to specify the -Xss option:

In some applications with a large number of threads (particularly when running on 64-bit hardware) this setting can cause problems. The default value is pretty large (I think it's 1M on 64-bit systems). Since most apps don't need that large of a value, an easy performance tuning step is to lower the value of -Xss.

Since you don't have very many threads, it seems unlikely that this is causing your problem though. That being said, you could try explicitly setting a value for the thread stack size. Finding the right values takes some testing though. I usually start with something like 192k and run a few application tests. If I see any stack overflow exceptions then I increase the value and rerun the tests. Repeat until there are no stack overflow exceptions.

On a different note, what is the specific version of the JVM that you are running? If it's not the latest, you could always try upgrading to the latest version.

You need to hook up the VisualVM + Memory Pools plugin. This will show you where the memory is being consumed, if it's by the JVM.

p

-Xms6g -Xmx6g -XX:NewSize=4G -XX:MaxNewSize=4G -XX:SurvivorRatio=6 -XX:MaxPermSize=512M -XX:-UseConcMarkSweepGC -XX:+UseStringCache -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/example/logs

-Jorge

On Thu, Jun 7, 2012 at 12:07 PM, Daniel Mikusa dmik...@vmware.com wrote:

- Original Message -

I am using MongoDB through the Java driver allowing up to 100 connections to the MongoDB server. I also use DBCP with a max size of 50 JDBC connections. My webapp uses about 150 JAR files. There are no native libraries loaded from my webapp as far as I know. All the app is pure Java code. (Nevertheless, Tomcat is using the Tomcat Native Library)

Is there a way I can monitor the number of file descriptors in use by the app?

I have monitored the number of threads, but I haven't seen anything unusual.

How many threads have you observed? Total threads, not just threads for the connector. Also, what is the value you are using for thread stack size? -Xss

Dan

(but it could be that the burst is too fast to get caught by the monitoring tool)

-Jorge

On Thu, Jun 7, 2012 at 11:44 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Jorge,

On 6/6/12 5:33 PM, Jorge Medina wrote:

The web application uses Spring/Postgres/Mongo.

Are you using MongoDB in-process or anything weird like that? Or are you connecting through some socket-based (or other) API?

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

If what you are observing is accurate (non-heap memory grows, heap stays reasonable) then it will definitely be more difficult to track-down.

Tomcat runs behind nginx in an EC2 instance. The application uses Sun (now Oracle) JDK 1.6. Any suggestions on what should I look at?

What do your Connectors look like? How many JDBC connections do you have in your connection pool (which you are hopefully using!)? How about the same equivalent for MongoDB?

Does your webapp keep lots of files open? Do you have an unusually-large number of JAR files in your webapp? Do you have any native libraries in use within your webapp?

What are all the non-default system properties that you are setting at JVM launch time (you can easily see this from a 'ps' list)?

Two things that can eat-up native memory fast in a JVM are file descriptors and threads, so let's start there.

-chris

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail
Re: Java process killed by oom-killer in Ubuntu
I found this interesting article about how Linux handles requests for memory, look at section 9.6 Overcommit and OOM: http://www.win.tue.nl/~aeb/linux/lk/lk-9.html

I verified that our system runs with overcommit_memory = 0 and overcommit_ratio = 50, which are the default values. This post suggests changing these settings to 2 and 80 respectively, but we may not be able to start any new processes if we run out of memory (and therefore we may not be able to connect to the machine). http://www.hskupin.info/2010/06/17/how-to-fix-the-oom-killer-crashe-under-linux/

Since we pre-allocate all the java heap memory (by setting -Xmx and -Xms to the same value), we accelerate the OOM killing the process. Therefore, the leak that is causing the problem just occurs faster than if we only set the max value of the heap with -Xmx. Before I had made the recommendation to run with -Xmx and -Xms equal to the same value, but I think this works well in Solaris but not in Linux. Removing the -Xms option may just give us more time between the occurrences of running out of memory. Nevertheless, I am finding that after removing the -Xms option, the process memory usage stabilizes and stops growing.

-Jorge

On Mon, Jun 11, 2012 at 11:01 AM, Jorge Medina cerebrotecnolog...@gmail.com wrote:

I'm finding it hard to believe, but it all points to the problem being the -Xms option of the Oracle (Sun) JVM. I originally set it to the same value as -Xmx, so that all memory for the heap is allocated when the JVM starts. This works fine in Solaris, but it is not working in Ubuntu. After removing that option, the JVM process memory usage seems to keep stable.

I am using Sun JVM 1.6.0.26

-Jorge

On Thu, Jun 7, 2012 at 11:38 PM, Pid * p...@pidster.com wrote:

On 7 Jun 2012, at 23:03, Daniel Mikusa dmik...@vmware.com wrote:

- Original Message -

Only 52 java threads. It used to fluctuate more (we made some changes to the app to perform a task in a single thread rather than spawning multiple threads, but the crash still occurs). The number of threads is always below 100.

jstack -F 21370 | grep ^Thread | wc -l
ps -T -p 21370 (This gives me 63)

I don't seem to specify the -Xss option:

In some applications with a large number of threads (particularly when running on 64-bit hardware) this setting can cause problems. The default value is pretty large (I think it's 1M on 64-bit systems). Since most apps don't need that large of a value, an easy performance tuning step is to lower the value of -Xss.

Since you don't have very many threads, it seems unlikely that this is causing your problem though. That being said, you could try explicitly setting a value for the thread stack size. Finding the right values takes some testing though. I usually start with something like 192k and run a few application tests. If I see any stack overflow exceptions then I increase the value and rerun the tests. Repeat until there are no stack overflow exceptions.

On a different note, what is the specific version of the JVM that you are running? If it's not the latest, you could always try upgrading to the latest version.

You need to hook up the VisualVM + Memory Pools plugin. This will show you where the memory is being consumed, if it's by the JVM.

p

-Xms6g -Xmx6g -XX:NewSize=4G -XX:MaxNewSize=4G -XX:SurvivorRatio=6 -XX:MaxPermSize=512M -XX:-UseConcMarkSweepGC -XX:+UseStringCache -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/example/logs

-Jorge

On Thu, Jun 7, 2012 at 12:07 PM, Daniel Mikusa dmik...@vmware.com wrote:

- Original Message -

I am using MongoDB through the Java driver allowing up to 100 connections to the MongoDB server. I also use DBCP with a max size of 50 JDBC connections. My webapp uses about 150 JAR files. There are no native libraries loaded from my webapp as far as I know. All the app is pure Java code. (Nevertheless, Tomcat is using the Tomcat Native Library)

Is there a way I can monitor the number of file descriptors in use by the app?

I have monitored the number of threads, but I haven't seen anything unusual.

How many threads have you observed? Total threads, not just threads for the connector. Also, what is the value you are using for thread stack size? -Xss

Dan

(but it could be that the burst is too fast to get caught by the monitoring tool)

-Jorge

On Thu, Jun 7, 2012 at 11:44 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Jorge,

On 6/6/12 5:33 PM, Jorge Medina wrote:

The web application uses Spring/Postgres/Mongo.

Are you using MongoDB in-process or anything weird like that? Or are you connecting through some socket-based (or other) API?

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

If what you are observing is accurate (non-heap memory grows, heap stays
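The overcommit arithmetic behind the two settings discussed in the message above, as an added example that is not part of the thread. The function names and the sample meminfo values (a 16 GB machine with no swap and a made-up Committed_AS) are constructed for illustration; the formula is the kernel's strict-accounting rule, which is enforced only when overcommit_memory is 2.

```shell
#!/bin/sh
# Added example: what vm.overcommit_memory=2 would allow for a given
# vm.overcommit_ratio. MEMINFO may point at a saved copy of /proc/meminfo.
MEMINFO="${MEMINFO:-/proc/meminfo}"

# meminfo_kb FIELD -> second column of "FIELD:" (kB for sizes, a plain count
# for HugePages_Total); prints 0 when the field is absent.
meminfo_kb() {
    awk -v f="$1:" '$1 == f { print $2; found = 1; exit }
                    END { if (!found) print 0 }' "$MEMINFO"
}

# commit_limit_kb RATIO -> limit enforced in mode 2:
#   (MemTotal - memory reserved for huge pages) * RATIO / 100 + SwapTotal
commit_limit_kb() {
    total=$(meminfo_kb MemTotal)
    swap=$(meminfo_kb SwapTotal)
    hp_n=$(meminfo_kb HugePages_Total)
    hp_kb=$(meminfo_kb Hugepagesize)
    echo $(( (total - hp_n * hp_kb) * $1 / 100 + swap ))
}

# commit_headroom_kb RATIO -> limit minus what is already committed.
# A negative result means that, under mode 2, new allocations (and fork/exec
# of new processes, such as a login shell) would start failing with ENOMEM.
commit_headroom_kb() {
    echo $(( $(commit_limit_kb "$1") - $(meminfo_kb Committed_AS) ))
}

# report -> one line per ratio mentioned in the thread (50 default, 80 proposed)
report() {
    for r in 50 80; do
        printf 'ratio=%s limit_kb=%s headroom_kb=%s\n' \
            "$r" "$(commit_limit_kb "$r")" "$(commit_headroom_kb "$r")"
    done
}

# Constructed sample, not captured from the poster's machine:
# 16 GB RAM, no swap, about 8.6 GB of address space already committed.
write_sample_meminfo() {
    cat > "$1" <<'EOF'
MemTotal:       16777216 kB
SwapTotal:             0 kB
Committed_AS:    9000000 kB
HugePages_Total:       0
Hugepagesize:       2048 kB
EOF
}

# Usage: sh overcommit.sh --report   (reads the live /proc/meminfo)
if [ "${1:-}" = "--report" ]; then
    report
fi
```

With the constructed sample, ratio 50 leaves negative headroom while ratio 80 leaves about 4.2 GB, which is the trade-off the message describes: strict accounting turns a late OOM kill into early allocation failures.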
Re: Java process killed by oom-killer in Ubuntu
The machine has 16 GB of memory with no swap space. The JVM was being started with -Xms and -Xmx equal to 6 GB, so I think 10GB extra would be enough for anything else.

-Jorge

On Mon, Jun 11, 2012 at 11:15 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: Jorge Medina [mailto:cerebrotecnolog...@gmail.com]
Subject: Re: Java process killed by oom-killer in Ubuntu

Nevertheless, I am finding that after removing the -Xms option, the process memory usage stabilizes and stops growing.

That would seem to indicate that your -Xmx value is simply too large for the system you're running in.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Java process killed by oom-killer in Ubuntu
There is not much running in the machine other than Tomcat. The JVM actually starts fine, using about 8GB (6GB of heap, + code + threads etc) but it keeps growing. In about 2 days it runs out of memory. (The JVM process has reached more than 15GB).

-Jorge

On Mon, Jun 11, 2012 at 11:40 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: David kerber [mailto:dcker...@verizon.net]
Subject: Re: Java process killed by oom-killer in Ubuntu

On 6/11/2012 2:30 PM, Jorge Medina wrote:

The machine has 16 GB of memory with no swap space. The JVM was being started with -Xms and -Xmx equal to 6 GB, so I think 10GB extra would be enough for anything else.

Does Xms/Xmx memory need to be contiguous? If so, maybe it just can't find a big-enough chunk?

It needs to be contiguous in the virtual space of the process, not in RAM. The Xmx size of heap virtual space is allocated during JVM initialization, so if it gets past initialization, it's not a problem. The OOM killer only gets in the game when the real memory requirements of all processes combined exceed the amount of RAM plus swapfile.

Again, it sure looks like -Xmx=6G is too large for the system, when combined with everything else going on in that process and the rest of the system.

- Chuck
Re: Java process killed by oom-killer in Ubuntu
It seems my system is running with a relatively old version of the Tomcat Native Library and old versions of APR and OpenSSL.

Tomcat Native 1.1.19
APR 1.3.8
OpenSSL 0.9.8k

These are the latest versions available:

Tomcat Native 1.1.23
APR 1.4.6
OpenSSL 1.0.1c

I will try disabling the Tomcat Native Library to see if this solves the problem. Has anyone experienced problems of Tomcat 7 running with these versions?

-Jorge

On Wed, Jun 6, 2012 at 2:33 PM, Jorge Medina cerebrotecnolog...@gmail.com wrote:

Hello,

I have an application that runs under Tomcat 7.0.23 that periodically crashes. The java process running tomcat keeps growing in memory until the Linux oom-killer kills the process. I do not get an OutOfMemoryError because the memory leak is not in the Java heap. In fact, it seems the heap is only using 4GB of the max 6GB specified in the -Xmx parameter. Nevertheless the total memory held by the java process keeps growing up to 16GB when the OS kills the process.

I haven't been able to find the conditions to reproduce this problem, so I am not able to replicate it. Nevertheless it keeps occurring; sometimes at midnight with no user activity, sometimes in the middle of a busy day.

The web application uses Spring/Postgres/Mongo.

I know this is not a Tomcat related problem, but some of you may have experienced a similar problem and may have some suggestions on how to troubleshoot it. I already have read many of the links that come after searching the web for java invoked oom-killer but I still don't have any clue on what causes the problem and how to solve it.

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

Tomcat runs behind nginx in an EC2 instance. The application uses Sun (now Oracle) JDK 1.6.

Any suggestions on what should I look at?

-Jorge
Re: Java process killed by oom-killer in Ubuntu
Thanks Martin, but the memory error is not in the Java heap. Basically my java process keeps growing far beyond the maximum java heap size allowed.

-Jorge

On Wed, Jun 6, 2012 at 5:57 PM, Martin Gainty mgai...@hotmail.com wrote:

You need to start Tomcat with JMX, for example:

$CATALINA_HOME/bin/java -Dcom.sun.management.jmxremote -jar bootstrap.jar

Then you need to monitor heap and stack for the TC process during the life of the Tomcat process with JConsole, for example:

$JAVA_HOME/bin/jconsole localhost:8080

http://docs.oracle.com/javase/1.5.0/docs/guide/management/jconsole.html

Kind regards from the USA,
Martin Gainty
__
Please do not alter or disrupt this communication. Thanks

Date: Wed, 6 Jun 2012 14:33:22 -0700
Subject: Java process killed by oom-killer in Ubuntu
From: cerebrotecnolog...@gmail.com
To: users@tomcat.apache.org

Hello,

I have an application that runs under Tomcat 7.0.23 that periodically crashes. The java process running tomcat keeps growing in memory until the Linux oom-killer kills the process. I do not get an OutOfMemoryError because the memory leak is not in the Java heap. In fact, it seems the heap is only using 4GB of the max 6GB specified in the -Xmx parameter. Nevertheless the total memory held by the java process keeps growing up to 16GB when the OS kills the process.

I haven't been able to find the conditions to reproduce this problem, so I am not able to replicate it. Nevertheless it keeps occurring; sometimes at midnight with no user activity, sometimes in the middle of a busy day.

The web application uses Spring/Postgres/Mongo.

I know this is not a Tomcat related problem, but some of you may have experienced a similar problem and may have some suggestions on how to troubleshoot it. I already have read many of the links that come after searching the web for java invoked oom-killer but I still don't have any clue on what causes the problem and how to solve it.

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

Tomcat runs behind nginx in an EC2 instance. The application uses Sun (now Oracle) JDK 1.6.

Any suggestions on what should I look at?

-Jorge
Re: Java process killed by oom-killer in Ubuntu
I am using MongoDB through the Java driver allowing up to 100 connections to the MongoDB server. I also use DBCP with a max size of 50 JDBC connections. My webapp uses about 150 JAR files. There are no native libraries loaded from my webapp as far as I know. All the app is pure Java code. (Nevertheless, Tomcat is using the Tomcat Native Library)

Is there a way I can monitor the number of file descriptors in use by the app?

I have monitored the number of threads, but I haven't seen anything unusual. (but it could be that the burst is too fast to get caught by the monitoring tool)

-Jorge

On Thu, Jun 7, 2012 at 11:44 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Jorge,

On 6/6/12 5:33 PM, Jorge Medina wrote:

The web application uses Spring/Postgres/Mongo.

Are you using MongoDB in-process or anything weird like that? Or are you connecting through some socket-based (or other) API?

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

If what you are observing is accurate (non-heap memory grows, heap stays reasonable) then it will definitely be more difficult to track-down.

Tomcat runs behind nginx in an EC2 instance. The application uses Sun (now Oracle) JDK 1.6. Any suggestions on what should I look at?

What do your Connectors look like? How many JDBC connections do you have in your connection pool (which you are hopefully using!)? How about the same equivalent for MongoDB?

Does your webapp keep lots of files open? Do you have an unusually-large number of JAR files in your webapp? Do you have any native libraries in use within your webapp?

What are all the non-default system properties that you are setting at JVM launch time (you can easily see this from a 'ps' list)?

Two things that can eat-up native memory fast in a JVM are file descriptors and threads, so let's start there.

-chris
Re: Java process killed by oom-killer in Ubuntu
Only 52 java threads. It used to fluctuate more (we made some changes to the app to perform a task in a single thread rather than spawning multiple threads, but the crash still occurs). The number of threads is always below 100.

jstack -F 21370 | grep ^Thread | wc -l
ps -T -p 21370 (This gives me 63)

I don't seem to specify the -Xss option:

-Xms6g -Xmx6g -XX:NewSize=4G -XX:MaxNewSize=4G -XX:SurvivorRatio=6 -XX:MaxPermSize=512M -XX:-UseConcMarkSweepGC -XX:+UseStringCache -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/example/logs

-Jorge

On Thu, Jun 7, 2012 at 12:07 PM, Daniel Mikusa dmik...@vmware.com wrote:

- Original Message -

I am using MongoDB through the Java driver allowing up to 100 connections to the MongoDB server. I also use DBCP with a max size of 50 JDBC connections. My webapp uses about 150 JAR files. There are no native libraries loaded from my webapp as far as I know. All the app is pure Java code. (Nevertheless, Tomcat is using the Tomcat Native Library)

Is there a way I can monitor the number of file descriptors in use by the app?

I have monitored the number of threads, but I haven't seen anything unusual.

How many threads have you observed? Total threads, not just threads for the connector. Also, what is the value you are using for thread stack size? -Xss

Dan

(but it could be that the burst is too fast to get caught by the monitoring tool)

-Jorge

On Thu, Jun 7, 2012 at 11:44 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Jorge,

On 6/6/12 5:33 PM, Jorge Medina wrote:

The web application uses Spring/Postgres/Mongo.

Are you using MongoDB in-process or anything weird like that? Or are you connecting through some socket-based (or other) API?

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

If what you are observing is accurate (non-heap memory grows, heap stays reasonable) then it will definitely be more difficult to track-down.

Tomcat runs behind nginx in an EC2 instance. The application uses Sun (now Oracle) JDK 1.6. Any suggestions on what should I look at?

What do your Connectors look like? How many JDBC connections do you have in your connection pool (which you are hopefully using!)? How about the same equivalent for MongoDB?

Does your webapp keep lots of files open? Do you have an unusually-large number of JAR files in your webapp? Do you have any native libraries in use within your webapp?

What are all the non-default system properties that you are setting at JVM launch time (you can easily see this from a 'ps' list)?

Two things that can eat-up native memory fast in a JVM are file descriptors and threads, so let's start there.

-chris
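One way to answer the file-descriptor question and to repeat the thread count from the two messages above on a schedule, as an added example that is not part of the thread. The function names are hypothetical, the fake /proc entry is constructed, and the "expected" footprint (-Xmx plus MaxPermSize plus threads times stack size) is a rough lower bound that ignores code cache, GC bookkeeping, direct buffers and malloc arenas.

```shell
#!/bin/sh
# Added example: sample the native-side counters of one process from /proc.
# PROC_ROOT is overridable so the functions can run against a saved or
# constructed tree instead of the live system.
PROC_ROOT="${PROC_ROOT:-/proc}"

# status_field PID FIELD -> second column of "FIELD:" in /proc/PID/status
# (VmRSS is in kB, Threads is a plain count); prints 0 if the field is absent.
status_field() {
    awk -v f="$2:" '$1 == f { print $2; found = 1; exit }
                    END { if (!found) print 0 }' \
        "$PROC_ROOT/$1/status" 2>/dev/null
}

# fd_count PID -> number of open file descriptors.
# Reading /proc/PID/fd needs the same user as the process, or root.
fd_count() {
    ls -1 "$PROC_ROOT/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# expected_kb THREADS XMX_MB PERM_MB XSS_KB -> heap + permgen + thread stacks
expected_kb() {
    echo $(( $2 * 1024 + $3 * 1024 + $1 * $4 ))
}

# unexplained_kb PID XMX_MB PERM_MB XSS_KB -> resident memory that the JVM
# flags do not account for; steady growth here points at native allocations.
unexplained_kb() {
    rss=$(status_field "$1" VmRSS)
    thr=$(status_field "$1" Threads)
    echo $(( rss - $(expected_kb "$thr" "$2" "$3" "$4") ))
}

# sample PID XMX_MB PERM_MB XSS_KB -> one key=value line
sample() {
    printf 'rss_kb=%s threads=%s fds=%s unexplained_kb=%s\n' \
        "$(status_field "$1" VmRSS)" "$(status_field "$1" Threads)" \
        "$(fd_count "$1")" "$(unexplained_kb "$@")"
}

# monitor PID INTERVAL_S XMX_MB PERM_MB XSS_KB -> timestamped samples until
# the process exits; redirect to a file to keep a history across a crash.
monitor() {
    pid=$1
    interval=$2
    shift 2
    while [ -d "$PROC_ROOT/$pid" ]; do
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$(sample "$pid" "$@")"
        sleep "$interval"
    done
}

# Constructed sample: a fake /proc entry for PID 4242 with 5 descriptors,
# 63 threads and a 15 GB resident set (figures in the range the thread reports).
write_sample_proc() {
    mkdir -p "$1/4242/fd"
    for n in 0 1 2 3 4; do : > "$1/4242/fd/$n"; done
    printf 'Name:\tjava\nVmRSS:\t15728640 kB\nThreads:\t63\n' > "$1/4242/status"
}

# Usage: sh jvmwatch.sh --watch PID 60 6144 512 1024 >> jvmwatch.log
if [ "${1:-}" = "--watch" ]; then
    monitor "$2" "$3" "$4" "$5" "$6"
fi
```

The 1024 kB stack size passed in the usage line is the default that Daniel's reply guesses for 64-bit systems; substitute the real -Xss value if one is set.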
Java process killed by oom-killer in Ubuntu
Hello,

I have an application that runs under Tomcat 7.0.23 that periodically crashes. The java process running tomcat keeps growing in memory until the Linux oom-killer kills the process. I do not get an OutOfMemoryError because the memory leak is not in the Java heap. In fact, it seems the heap is only using 4GB of the max 6GB specified in the -Xmx parameter. Nevertheless the total memory held by the java process keeps growing up to 16GB when the OS kills the process.

I haven't been able to find the conditions to reproduce this problem, so I am not able to replicate it. Nevertheless it keeps occurring; sometimes at midnight with no user activity, sometimes in the middle of a busy day.

The web application uses Spring/Postgres/Mongo.

I know this is not a Tomcat related problem, but some of you may have experienced a similar problem and may have some suggestions on how to troubleshoot it. I already have read many of the links that come after searching the web for java invoked oom-killer but I still don't have any clue on what causes the problem and how to solve it.

It looks like a memory leak in native code, not java code; so my usual java toolset is not useful.

Tomcat runs behind nginx in an EC2 instance. The application uses Sun (now Oracle) JDK 1.6.

Any suggestions on what should I look at?

-Jorge

Jun 4 16:02:49 ip-10-83-35-78 kernel: [1468800.179218] 3795110 pages non-shared
Jun 5 06:50:07 ip-10-83-35-78 rsyslogd: [origin software=rsyslogd swVersion=4.2.0 x-pid=599 x-info=http://www.rsyslog.com;] rsyslogd was HUPed, type 'lightweight'.
Jun 5 22:06:40 ip-10-83-35-78 kernel: [1576977.209487] java invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209492] java cpuset=/ mems_allowed=0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209496] Pid: 15618, comm: java Not tainted 2.6.32-317-ec2 #36-Ubuntu
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209498] Call Trace:
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209507] [8107cbbc] ? cpuset_print_task_mems_allowed+0x8c/0xc0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209513] [810b1723] oom_kill_process+0xe3/0x210
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209516] [810b18a0] __out_of_memory+0x50/0xb0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209519] [810b195f] out_of_memory+0x5f/0xc0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209523] [810b4641] __alloc_pages_slowpath+0x561/0x580
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209526] [810b47d1] __alloc_pages_nodemask+0x171/0x180
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209530] [810b76f7] __do_page_cache_readahead+0xd7/0x220
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209534] [810b785c] ra_submit+0x1c/0x20
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209536] [810b01fe] filemap_fault+0x3fe/0x450
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209541] [810cbef0] __do_fault+0x50/0x680
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209547] [8102afdb] ? __dequeue_entity+0x2b/0x50
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209550] [810cde30] handle_mm_fault+0x260/0x4f0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209555] [814b3ab7] do_page_fault+0x147/0x390
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209558] [814b18e8] page_fault+0x28/0x30
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209560] Mem-Info:
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209561] DMA per-cpu:
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209563] CPU0: hi: 0, btch: 1 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209565] CPU1: hi: 0, btch: 1 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209567] CPU2: hi: 0, btch: 1 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209569] CPU3: hi: 0, btch: 1 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209570] DMA32 per-cpu:
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209572] CPU0: hi: 155, btch: 38 usd: 44
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209574] CPU1: hi: 155, btch: 38 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209575] CPU2: hi: 155, btch: 38 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209577] CPU3: hi: 155, btch: 38 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209578] Normal per-cpu:
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209580] CPU0: hi: 155, btch: 38 usd: 32
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209582] CPU1: hi: 155, btch: 38 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209584] CPU2: hi: 155, btch: 38 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209585] CPU3: hi: 155, btch: 38 usd: 0
Jun 5 22:06:41 ip-10-83-35-78 kernel: [1576977.209590] active_anon:3513144 inactive_anon:29 isolated_anon:0
Jun 5 22:06:41 ip-10-83-35-78 kernel:
Re: Problems with mod_jk 1.2.31
Thanks Rainer, now I know where to direct the troubleshooting efforts. Seems I have some networking issue.

On Thu, Oct 13, 2011 at 6:30 AM, Rainer Jung rainer.j...@kippdata.de wrote:

On 13.10.2011 06:16, Jorge Medina wrote:

I have Apache (2.2.20) in front of a single Tomcat (6.0.32) instance using mod_jk (1.2.31) with the AJP protocol. I am getting errors like the sample below frequently (a few hundred times a day). The server does not have a heavy load, it serves about 150 req/minute and average response time of 200 ms)

[2011-10-12T23:27:00.644-0400] [20239:27] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)
[2011-10-12T23:27:00.654-0400] [20239:27] [info] service::jk_lb_worker.c (1388): service failed, worker S1 is in local error state
[2011-10-12T23:27:00.655-0400] [20239:27] [info] service::jk_lb_worker.c (1407): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.
[2011-10-12T23:27:00.655-0400] [20239:27] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=wlb

a) Could I get some help to interpret the messages above?

The browser or whatever is talking to your webserver started a request, but didn't send the full request. Most likely it took too long to send the full POST body, but it could also happen during other request read phases.

b) What is being referred as Client ? The client originating the request or does mod_jk calls Client my Tomcat instance? (I guess I don't know if mod_jk establishes the connection to Tomcat or if Tomcat is establishing the channel to mod_jk)

Client is the web server client, e.g. the browser or similar.

c) Messages are logged as [info] rather than warning or errors...why? Should I not be concerned about these messages?

Because typically there's nothing to fix on the server side. Only if this happens very frequently, you might have a network problem, or a lot of users with bad network connections.

d) If that is a symptom of a problem, how do I fix it? (In fact, I am being reported that clients of my app are timing out waiting for a response, but my application logs don't have any indication of receiving the request, so I am trying to find out if the message above is an indication that the problem occurs in the Tomcat Connector, and therefore my web app running in Tomcat never got the request at all)

It is a message concerning only communication between client and web server, no communication between web server and Tomcat is involved in the problem. If you want to debug, concentrate on the communication between client and web server and try to understand the request details for which it happens (GET or POST or something else; Content-Length set or chunked encoding for the request used etc.). You might need to sniff traffic.

=== workers.properties
workers.tomcat_home=/opt/greatapp/tomcat
workers.java_home=/opt/jdk/jdk6.0
ps=/

The above three are useless garbage.

worker.list= wlb, jkwatch
worker.wlb.type=lb
worker.wlb.balance_workers=S1
worker.wlb.max_reply_timeouts=3
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk
worker.S1.type=ajp13
worker.S1.host=localhost
worker.S1.port=6009
worker.S1.lbfactor=1
worker.S1.connection_pool_timeout=600
worker.S1.socket_keepalive=False
worker.S1.socket_timeout=15
worker.S1.reply_timeout=30
worker.S1.recovery_options=27

=== uriworkermap.properties
/myapp=wlb
/myapp/*=wlb
/private/admin/watch/jk=jkwatch

Not too bad :) For improvements look at the full example config contained in a recent source download of mod_jk. But as said: the problem is not with communication web server to tomcat.

Regards, Rainer
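The reading of these log lines given in the reply above, turned into a check (an added example, not code from the thread or from mod_jk): it parses lines in the quoted layout, counts one client-side abort per `ajp_service` line that reports a client read error, and buckets the counts per hour and worker. The class name `JkLogTriage` and every sample line marked as constructed are assumptions; only the first four sample lines come from the post.

```java
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: counts client-side aborts in mod_jk log lines of the layout quoted in this thread. */
public class JkLogTriage {

    // Layout seen in the post: [timestamp] [pid:tid] [level] function::file (line): message
    private static final Pattern LINE = Pattern.compile(
            "^\\[([^\\]]+)\\] \\[(\\d+:\\d+)\\] \\[(\\w+)\\] (\\S+)::(\\S+) \\((\\d+)\\): (.*)$");
    // The ajp_service message starts with the worker name, e.g. "(S1) sending request ..."
    private static final Pattern WORKER = Pattern.compile("^\\((\\w+)\\) ");
    private static final DateTimeFormatter TS =
            DateTimeFormatter.ofPattern("uuuu-MM-dd'T'HH:mm:ss.SSSZ");

    static final class Entry {
        final OffsetDateTime time;
        final String pidTid;
        final String level;
        final String function;
        final String message;

        Entry(OffsetDateTime time, String pidTid, String level, String function, String message) {
            this.time = time;
            this.pidTid = pidTid;
            this.level = level;
            this.function = function;
            this.message = message;
        }
    }

    /** Parses one log line; returns null for lines that do not follow the layout. */
    static Entry parse(String line) {
        Matcher m = LINE.matcher(line.trim());
        if (!m.matches()) {
            return null;
        }
        try {
            return new Entry(OffsetDateTime.parse(m.group(1), TS),
                    m.group(2), m.group(3), m.group(4), m.group(7));
        } catch (DateTimeParseException e) {
            return null;
        }
    }

    /**
     * One aborted request produces several lines (four in the post). Only the
     * ajp_service line is matched, so each abort is counted once.
     */
    static boolean isClientAbort(Entry e) {
        return e.function.equals("ajp_service") && e.message.contains("client read error");
    }

    /** Returns hour -> worker -> number of client-side aborts. */
    static Map<OffsetDateTime, Map<String, Integer>> abortsPerHour(List<String> lines) {
        Map<OffsetDateTime, Map<String, Integer>> result = new TreeMap<>();
        for (String line : lines) {
            Entry e = parse(line);
            if (e == null || !isClientAbort(e)) {
                continue;
            }
            Matcher w = WORKER.matcher(e.message);
            String worker = w.find() ? w.group(1) : "unknown";
            result.computeIfAbsent(e.time.truncatedTo(ChronoUnit.HOURS), k -> new TreeMap<>())
                  .merge(worker, 1, Integer::sum);
        }
        return result;
    }

    public static void main(String[] args) {
        List<String> log = Arrays.asList(
            // The four lines from the post: together they describe one aborted request.
            "[2011-10-12T23:27:00.644-0400] [20239:27] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)",
            "[2011-10-12T23:27:00.654-0400] [20239:27] [info] service::jk_lb_worker.c (1388): service failed, worker S1 is in local error state",
            "[2011-10-12T23:27:00.655-0400] [20239:27] [info] service::jk_lb_worker.c (1407): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.",
            "[2011-10-12T23:27:00.655-0400] [20239:27] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=wlb",
            // Constructed: the same message with other timestamps and thread ids.
            "[2011-10-12T23:41:12.101-0400] [20239:31] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)",
            "[2011-10-13T00:05:47.300-0400] [20240:12] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)",
            // Constructed: a line outside the layout is skipped, not counted.
            "constructed line that does not follow the layout");

        abortsPerHour(log).forEach((hour, perWorker) ->
            System.out.println(hour + " " + perWorker));
    }
}
```

Comparing the per-hour count with the request rate of the server (about 150 req/minute in the post) gives the "very frequently" judgement the reply asks for.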
Problems with mod_jk 1.2.31
I have Apache (2.2.20) in front of a single Tomcat (6.0.32) instance using mod_jk (1.2.31) with the AJP protocol. I am getting errors like the sample below frequently (a few hundred times a day). The server does not have a heavy load, it serves about 150 req/minute and average response time of 200 ms)

[2011-10-12T23:27:00.644-0400] [20239:27] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)
[2011-10-12T23:27:00.654-0400] [20239:27] [info] service::jk_lb_worker.c (1388): service failed, worker S1 is in local error state
[2011-10-12T23:27:00.655-0400] [20239:27] [info] service::jk_lb_worker.c (1407): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.
[2011-10-12T23:27:00.655-0400] [20239:27] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=wlb

a) Could I get some help to interpret the messages above?

b) What is being referred as Client ? The client originating the request or does mod_jk calls Client my Tomcat instance? (I guess I don't know if mod_jk establishes the connection to Tomcat or if Tomcat is establishing the channel to mod_jk)

c) Messages are logged as [info] rather than warning or errors...why? Should I not be concerned about these messages?

d) If that is a symptom of a problem, how do I fix it? (In fact, I am being reported that clients of my app are timing out waiting for a response, but my application logs don't have any indication of receiving the request, so I am trying to find out if the message above is an indication that the problem occurs in the Tomcat Connector, and therefore my web app running in Tomcat never got the request at all)

Thanks

=== workers.properties
workers.tomcat_home=/opt/greatapp/tomcat
workers.java_home=/opt/jdk/jdk6.0
ps=/
worker.list= wlb, jkwatch
worker.wlb.type=lb
worker.wlb.balance_workers=S1
worker.wlb.max_reply_timeouts=3
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk
worker.S1.type=ajp13
worker.S1.host=localhost
worker.S1.port=6009
worker.S1.lbfactor=1
worker.S1.connection_pool_timeout=600
worker.S1.socket_keepalive=False
worker.S1.socket_timeout=15
worker.S1.reply_timeout=30
worker.S1.recovery_options=27

=== uriworkermap.properties
/myapp=wlb
/myapp/*=wlb
/private/admin/watch/jk=jkwatch

-Jorge
Re: Problems with mod_jk 1.2.31
Correcting some information: I am using Apache 2.2.13, mod_jk 1.2.30, Tomcat 6.0.32

On Thu, Oct 13, 2011 at 12:16 AM, Jorge Medina cerebrotecnolog...@gmail.com wrote:

I have Apache (2.2.20) in front of a single Tomcat (6.0.32) instance using mod_jk (1.2.31) with the AJP protocol. I am getting errors like the sample below frequently (a few hundred times a day). The server does not have a heavy load, it serves about 150 req/minute and average response time of 200 ms)

[2011-10-12T23:27:00.644-0400] [20239:27] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)
[2011-10-12T23:27:00.654-0400] [20239:27] [info] service::jk_lb_worker.c (1388): service failed, worker S1 is in local error state
[2011-10-12T23:27:00.655-0400] [20239:27] [info] service::jk_lb_worker.c (1407): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.
[2011-10-12T23:27:00.655-0400] [20239:27] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=wlb

a) Could I get some help to interpret the messages above?

b) What is being referred as Client ? The client originating the request or does mod_jk calls Client my Tomcat instance? (I guess I don't know if mod_jk establishes the connection to Tomcat or if Tomcat is establishing the channel to mod_jk)

c) Messages are logged as [info] rather than warning or errors...why? Should I not be concerned about these messages?

d) If that is a symptom of a problem, how do I fix it? (In fact, I am being reported that clients of my app are timing out waiting for a response, but my application logs don't have any indication of receiving the request, so I am trying to find out if the message above is an indication that the problem occurs in the Tomcat Connector, and therefore my web app running in Tomcat never got the request at all)

Thanks

=== workers.properties
workers.tomcat_home=/opt/greatapp/tomcat
workers.java_home=/opt/jdk/jdk6.0
ps=/
worker.list= wlb, jkwatch
worker.wlb.type=lb
worker.wlb.balance_workers=S1
worker.wlb.max_reply_timeouts=3
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk
worker.S1.type=ajp13
worker.S1.host=localhost
worker.S1.port=6009
worker.S1.lbfactor=1
worker.S1.connection_pool_timeout=600
worker.S1.socket_keepalive=False
worker.S1.socket_timeout=15
worker.S1.reply_timeout=30
worker.S1.recovery_options=27

=== uriworkermap.properties
/myapp=wlb
/myapp/*=wlb
/private/admin/watch/jk=jkwatch

-Jorge
Re: Problems with mod_jk 1.2.31
and another piece of information: Tomcat and Apache are running in the same machine.

On Thu, Oct 13, 2011 at 12:24 AM, Jorge Medina cerebrotecnolog...@gmail.com wrote:

Correcting some information: I am using Apache 2.2.13, mod_jk 1.2.30, Tomcat 6.0.32

On Thu, Oct 13, 2011 at 12:16 AM, Jorge Medina cerebrotecnolog...@gmail.com wrote:

I have Apache (2.2.20) in front of a single Tomcat (6.0.32) instance using mod_jk (1.2.31) with the AJP protocol. I am getting errors like the sample below frequently (a few hundred times a day). The server does not have a heavy load, it serves about 150 req/minute and average response time of 200 ms)

[2011-10-12T23:27:00.644-0400] [20239:27] [info] ajp_service::jk_ajp_common.c (2543): (S1) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)
[2011-10-12T23:27:00.654-0400] [20239:27] [info] service::jk_lb_worker.c (1388): service failed, worker S1 is in local error state
[2011-10-12T23:27:00.655-0400] [20239:27] [info] service::jk_lb_worker.c (1407): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.
[2011-10-12T23:27:00.655-0400] [20239:27] [info] jk_handler::mod_jk.c (2620): Aborting connection for worker=wlb

a) Could I get some help to interpret the messages above?

b) What is being referred as Client ? The client originating the request or does mod_jk calls Client my Tomcat instance? (I guess I don't know if mod_jk establishes the connection to Tomcat or if Tomcat is establishing the channel to mod_jk)

c) Messages are logged as [info] rather than warning or errors...why? Should I not be concerned about these messages?

d) If that is a symptom of a problem, how do I fix it? (In fact, I am being reported that clients of my app are timing out waiting for a response, but my application logs don't have any indication of receiving the request, so I am trying to find out if the message above is an indication that the problem occurs in the Tomcat Connector, and therefore my web app running in Tomcat never got the request at all)

Thanks

=== workers.properties
workers.tomcat_home=/opt/greatapp/tomcat
workers.java_home=/opt/jdk/jdk6.0
ps=/
worker.list= wlb, jkwatch
worker.wlb.type=lb
worker.wlb.balance_workers=S1
worker.wlb.max_reply_timeouts=3
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk
worker.S1.type=ajp13
worker.S1.host=localhost
worker.S1.port=6009
worker.S1.lbfactor=1
worker.S1.connection_pool_timeout=600
worker.S1.socket_keepalive=False
worker.S1.socket_timeout=15
worker.S1.reply_timeout=30
worker.S1.recovery_options=27

=== uriworkermap.properties
/myapp=wlb
/myapp/*=wlb
/private/admin/watch/jk=jkwatch

-Jorge
Re: Log ownership when running Tomcat using jsvc
Right, I can't understand why the JULI files are owned by root. Any ideas?

If I remember correctly, Tomcat uses Java logging by default. I am trying to remember why I switched to JULI (maybe to rotate the logs), but I guess I can try to switch to log4j and see if I get a different outcome.

On Thu, Aug 4, 2011 at 1:36 PM, Rainer Jung rainer.j...@kippdata.de wrote:

On 04.08.2011 09:44, Mladen Turk wrote:

On 08/03/2011 10:11 PM, Jorge Medina wrote:

I run Tomcat in a Solaris 10 SPARC machine using jsvc through a init script. jsvc is started by root, but I specify the -user option to change to the application user. I use the option -outfile and -errfile to specify where to direct stdout and stderr, catalina.out and catalina.err in my environment.

jsvc redirects stdout/stderr before setuid (changing to -user) thus the files are created by superuser. Actually that's the desired behavior; You have files writable by -user during the application life-time but created and readable by root.

He wasn't asking about stdout, stderr, but instead about the JULI files written by Tomcat.

Regards, Rainer
Log ownership when running Tomcat using jsvc
I run Tomcat in a Solaris 10 SPARC machine using jsvc through a init script. jsvc is started by root, but I specify the -user option to change to the application user. I use the option -outfile and -errfile to specify where to direct stdout and stderr, catalina.out and catalina.err in my environment.

I am getting the following log files:

# ls -l
-rw--- 1 root root 0 Aug 3 15:23 admin.2011-08-03.log
-rw--- 1 root root 7606 Aug 3 15:26 catalina.2011-08-03.log
-rw--- 1 root root 0 Aug 3 15:23 catalina.err
-rw--- 1 root root 0 Aug 3 15:23 catalina.out
-rw--- 1 root root 0 Aug 3 15:23 host-manager.2011-08-03.log
-rw--- 1 root root 126 Aug 3 15:27 localhost.2011-08-03.log
-rw--- 1 root root 0 Aug 3 15:23 manager.2011-08-03.log
-rw-rw-r-- 1 application svcjava 93760 Aug 3 15:27 servicelog

As expected, catalina.out and catalina.err are owned by root. I minimize any output to these files. Also as I expected, the logs of my webapp (servicelog) is owned by the application user and it is created with permissions 664 (since I specify the umask 002)

But, why are the other logs produced by Tomcat owned by root ? Isn't the whole JVM changing to the application user? Is there a way to have these logs also owned by application user whenever they get created?

The only difference I am aware of is that Tomcat (catalina), the manager and host-manager webapps use JULI, while my web app uses Log4j. Is JULI running before jsvc switches to the application user?

-Jorge
Re: Log ownership when running Tomcat using jsvc
Just in case is needed I use Tomcat 6.0.32 and jsvc 1.0.5 running under Java 1.6.0_24

On Wed, Aug 3, 2011 at 4:11 PM, Jorge Medina cerebrotecnolog...@gmail.com wrote:

I run Tomcat in a Solaris 10 SPARC machine using jsvc through a init script. jsvc is started by root, but I specify the -user option to change to the application user. I use the option -outfile and -errfile to specify where to direct stdout and stderr, catalina.out and catalina.err in my environment.

I am getting the following log files:

# ls -l
-rw--- 1 root root 0 Aug 3 15:23 admin.2011-08-03.log
-rw--- 1 root root 7606 Aug 3 15:26 catalina.2011-08-03.log
-rw--- 1 root root 0 Aug 3 15:23 catalina.err
-rw--- 1 root root 0 Aug 3 15:23 catalina.out
-rw--- 1 root root 0 Aug 3 15:23 host-manager.2011-08-03.log
-rw--- 1 root root 126 Aug 3 15:27 localhost.2011-08-03.log
-rw--- 1 root root 0 Aug 3 15:23 manager.2011-08-03.log
-rw-rw-r-- 1 application svcjava 93760 Aug 3 15:27 servicelog

As expected, catalina.out and catalina.err are owned by root. I minimize any output to these files. Also as I expected, the logs of my webapp (servicelog) is owned by the application user and it is created with permissions 664 (since I specify the umask 002)

But, why are the other logs produced by Tomcat owned by root ? Isn't the whole JVM changing to the application user? Is there a way to have these logs also owned by application user whenever they get created?

The only difference I am aware of is that Tomcat (catalina), the manager and host-manager webapps use JULI, while my web app uses Log4j. Is JULI running before jsvc switches to the application user?

-Jorge
Re: tomcat issue with DBCP connection pool
Are you sure it is due to the stored procedure? You can get that error if you don't close all database objects. Make sure you close resultsets, statements, etc in a finally block throughout all your code.

On Mon, Mar 21, 2011 at 4:59 PM, Propes, Barry L barry.l.pro...@citi.com wrote:

And to this... is it absolutely necessary to use the SYS_REFCURSOR in Oracle? I use several packages and procedures and never use this! Granted, I may have many less records than you in your DB table, but I was just wondering. Perhaps it is.

BTW, my application calls a stored procedure which in turn uses an oracle SYS_REFCURSOR. As I know ref cursor can not be closed through code.

How are you supposed to close that cursor, then? Did you mean you can't close it through Java code, or you can't even close it through PL/SQL?

Once the error is encountered the application is not recovering until the application is restarted.

Sounds like closing the connection and re-initializing it would probably do the job, too. Is it possible for you to detect the kinds of requests that will allocate these SYS_REFCURSORs and use a one-time connection instead of going through the pool?

-chris
Re: Populating Oracle v$session.program from Tomcat Context.xml
What is the problem that you are trying to solve?

On Mon, Mar 14, 2011 at 4:25 PM, Dan random.da...@gmail.com wrote:

On Mon, Mar 14, 2011 at 11:25 AM, Dan random.da...@gmail.com wrote:

On Mon, Mar 14, 2011 at 10:57 AM, chris derham ch...@derham.me.uk wrote:

We have some working tomcat 6 instances that we'd like to identify

Can you use the combination of machine and schema name to identify the instance? You didn't detail your environment, but if you have a cluster, then the machine name would uniquely identify the instance. If you have multiple different instances on the same machine, then surely the schema name would allow you to identify which user it is? This covers all possibilities unless you have different apps on the same machine in different tomcat instances talking to the same schema.

Chris

We are running all of our web-applications from two machines, and they all use the same schema/username, so unfortunately I need the program, client_info, module, etc field to identify them. We are running a RAC, and I'm querying gv$session which should get me all cluster member connections. As David said, this does work with the thin driver, but I need the service/load balancing functionality from OCI. Any more suggestions are welcome!

Does anyone else have any additional thoughts on this? I'd sure appreciate more input.

TIA, Dan
Re: [OT] Memory Leak in Tomcat
I got a good laugh with your message. Security seems to be always in the hands of the wrong people.

Once I asked for the algorithm used to hash the passwords (that happened to be HMAC SHA-1) into a database, if I was going to authenticate the users, I needed to use the same algorithm. I did not ask for the key used to salt the hash, I could put that as a parameter to be provided at install time and use any other key during development and testing. My request was rejected until authorized by a manager two levels up! sigh (All I needed to know was HMAC SHA-1!)

On Mon, Feb 28, 2011 at 11:02 AM, Christopher Schultz ch...@christopherschultz.net wrote:

הילה,

On 2/28/2011 5:17 AM, הילה wrote:

How can I encrypt the password inside the xml file?

0. $file = conf/server.xml
1. Use your favorite encryption tool to encrypt the password and shove it into $file
2. Use that same tool in some code you hack-into Tomcat to read it back out.
3. Store the key to your favorite-tool encryption package in another file (say, s3cr3t.key)
4. $file = s3cr3t.key
5. Go to step 1.

Repeat this process until you feel like you're safe. (Hint: you are still not safe). Scratch that: repeat this process until your boss or your auditor feel like they are safe.

-chris
Re: Trouble setting up ssl
Your Certificate Authority (The certificate used to sign your other certificates, in this case provided by your Windows CA Server) is not trusted by your clients.

Are your clients internal or external to your company?

If your clients are internal, you can add the certificate to the trusted roots on each client machine truststore or each user's truststore that Windows keeps in the registry. (I would assume that your Windows 2008 CA Server may have a way to push the certificate into your domain computers, but I have never used the product, so I don't know)

If your clients are external, then you cannot expect them to trust your certificate authority. You need to obtain a certificate from Verisign, Thawte or any other company providing certificates.

On Sat, Feb 26, 2011 at 12:42 AM, Joseph L. Casale jcas...@activenetwerx.com wrote:

I have setup a keystore as follows:

keytool -genkey -alias tomcat -keyalg RSA -dname "CN=server FQDN,OU=Company Name,O= Company Name ,L=city,ST=province,C=CA" \
  -keystore /path/keystore -keypass phrase -storepass phrase

I then generated a CSR:

keytool -certreq -keyalg RSA -alias tomcat -file /path/certreq.csr -keystore /path/keystore

I signed the certificate on our Windows Server 2008 R2 CA Server:

certreq.exe -attrib CertificateTemplate:WebServer c:\data\certreq.csr c:\data\certreq.cer

I added the signed cert:

keytool -import -alias tomcat2 -keystore /path/keystore -trustcacerts -file /path/certreq.cer

Lastly I added the Base 64 encoded X.509 root ca from our active directory ca:

keytool -keystore /path/keystore -keyalg RSA -import -trustcacerts -alias cacert -file /path/root-ca.crt

This all completed w/o error, so I created the connector in the server.xml yet when domain clients connect to the ssl site, they are prompted with warnings suggesting the root cert is not trusted?

Any pointers where I erred?

Thanks!
jlc
Re: programming question
If you use Oracle, some DBCP settings may not work and you may need to use Oracle connection pool classes. In particular, I was not able to use DBCP and have a loginTimeout when using Oracle.

Using Oracle connection pool classes, the validation query does not work in the same way as in Apache DBCP. Apache DBCP tries to give you a valid connection if the query fails. Oracle will just test and throw an exception indicating the connection is stale (as opposed to just giving you the stale connection). So even with an Oracle RAC, the pool may return a stale connection or throw an exception.

So, I use Oracle Connection Caching settings to grow a pool from 0 to n and discard any connection that has been idle more than T seconds. This has worked well in production environment. (without having to switch to Oracle UCP, which was our next option).

On Fri, Feb 25, 2011 at 3:17 PM, Christopher Schultz ch...@christopherschultz.net wrote:

David,

On 2/24/2011 12:08 PM, David Smith wrote:

With tomcat's built-in database pooling, just adding a validation query to the resource config should be all that's necessary. On each borrow of a connection, the connection is tested and closed if the test fails. Failed connections are replaced with new ones.

+1

-chris
Re: Can't access tomcat manager
I hope one of you is right, you have just ruled out any other cause by using all the remaining probability... and it would be catastrophic for all the mathematicians.

On Wed, Dec 1, 2010 at 6:03 PM, Christopher Schultz ch...@christopherschultz.net wrote:

André,

On 12/1/2010 5:37 PM, André Warnier wrote:

Markus Schönhaber wrote:

<role rolenmae="manager-gui"/>
-----------^^

and if it isn't the above, then with 0.999 probability, you have left XML comment brackets somewhere where you shouldn't.

<!-- some comment -->

That leaves 0.001 probability that you aren't using the correct URL: http://host/manager/html

-chris
Re: Modifying logging levels logged in catalina.out at runtime
I do that by scheduling a thread that every minute checks if my logging.properties file has changed. You may use the timestamp of the file or a change of its MD5 hash to determine that the file has changed. If the file has changed, then I reconfigure the logging library (log4j) with the new contents of the file.

I schedule the task when the webapp gets loaded/started and stop the task when the webapp is unloaded/stopped via the ContextListener.

It is very handy to change log levels or even enable another appender on the fly.

On Wed, Dec 1, 2010 at 6:32 PM, Jason Pyeron jpye...@pdinc.us wrote:

-----Original Message-----
From: Mark Eggers [mailto:its_toas...@yahoo.com]
Sent: Wednesday, December 01, 2010 15:20
To: Tomcat Users List
Subject: Re: Modifying logging levels logged in catalina.out at runtime

Hopefully you're not creating custom logging levels. Creating

Nope, plain jane.

custom logging levels is the classic way to create classloader leaks. See the following as an example:

http://blogs.sun.com/fkieviet/entry/classloader_leaks_the_dreaded_java

You can create a logging.properties file and place it in WEB-INF/classes. You can then change this file, rebuild your application, and redeploy it without taking down Tomcat.

Good idea, would still like to do it without taking down the webapp (that was the intention behind not restarting tomcat)

You could also add a WatchedResource element to your Context and point it at WEB-INF/classes/logging.properties. When that file is changed, Tomcat will reload the application. See:

http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

I'm not really sure you want to do the WatchedResource configuration in a production environment though

. . . . . . . just my two cents.

Our new applications are putting in a management console to adjust the logging setting, but legacy applications sometimes need to be debugged without restarting them. Think about leaks where the problem shows up only after 3 months of running.

-----Original Message-----
From: Jason Pyeron jpye...@pdinc.us
To: Tomcat Users List users@tomcat.apache.org
Sent: Wed, December 1, 2010 11:59:28 AM
Subject: Modifying logging levels logged in catalina.out at runtime

This may be slightly off-topic. I'll start off with I know how to do this from inside the webapp's code and how to do it by modifying properties files on the system at tomcat startup. But how can it be done from outside the webapp without restarting tomcat? We are using java.util.logging on tomcat 5.5.23 using jdk 1.6.0_17.

--
Jason Pyeron, Principal Consultant, PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333

This message is copyright PD Inc, subject to license 20080407P00.
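The polling approach described in the reply at the top of this message, as an added example (not the poster's code): one scheduled thread hashes the configuration file and re-applies it when the content changes. The class name `LoggingConfigWatcher`, the `reconfigure` callback and the use of SHA-256 where the post mentions MD5 are assumptions; with log4j 1.x the callback would call `PropertyConfigurator.configure(path)`, and `start`/`stop` would be called from a `ServletContextListener`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

/** Added example: re-applies a logging configuration file when its content changes. */
public class LoggingConfigWatcher {

    private final Path file;
    private final Consumer<Path> reconfigure;
    private final ScheduledExecutorService timer =
            Executors.newSingleThreadScheduledExecutor(r -> {
                Thread t = new Thread(r, "logging-config-watcher");
                t.setDaemon(true);               // never keeps the JVM alive on its own
                return t;
            });
    private byte[] lastDigest;

    /**
     * @param reconfigure hypothetical hook that applies the file; for log4j 1.x:
     *        p -> org.apache.log4j.PropertyConfigurator.configure(p.toString())
     */
    public LoggingConfigWatcher(Path file, Consumer<Path> reconfigure) {
        this.file = file;
        this.reconfigure = reconfigure;
    }

    /** Call from ServletContextListener.contextInitialized(). */
    public synchronized void start(long period, TimeUnit unit) {
        lastDigest = digest();
        timer.scheduleWithFixedDelay(this::checkOnce, period, period, unit);
    }

    /** Call from ServletContextListener.contextDestroyed() so the thread does not outlive the webapp. */
    public void stop() {
        timer.shutdownNow();
    }

    /** One poll. Returns true if the content changed and the callback ran. */
    public synchronized boolean checkOnce() {
        try {
            byte[] current = digest();
            if (current == null || Arrays.equals(current, lastDigest)) {
                return false;                    // unreadable or unchanged: keep the running configuration
            }
            lastDigest = current;                // recorded first, so a broken file is tried once, not every poll
            reconfigure.accept(file);
            return true;
        } catch (RuntimeException e) {
            // An exception escaping a scheduled task cancels all later runs, so report it and carry on.
            System.err.println("logging reconfiguration failed: " + e);
            return false;
        }
    }

    /** SHA-256 of the file content, or null if the file cannot be read right now. */
    private byte[] digest() {
        try {
            return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
        } catch (IOException e) {
            return null;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is mandatory on every Java platform
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file standing in for the webapp's logging.properties.
        Path conf = Files.createTempFile("logging", ".properties");
        Files.write(conf, "log4j.rootLogger=INFO, A1\n".getBytes(StandardCharsets.UTF_8));

        LoggingConfigWatcher watcher =
                new LoggingConfigWatcher(conf, p -> System.out.println("reloaded " + p));
        watcher.start(1, TimeUnit.MINUTES);

        System.out.println("changed: " + watcher.checkOnce());   // file untouched since start()
        Files.write(conf, "log4j.rootLogger=DEBUG, A1\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("changed: " + watcher.checkOnce());   // new content, callback runs

        watcher.stop();
        Files.delete(conf);
    }
}
```

Whoever can write the watched file can change what the application logs at runtime, so the file should be writable only by the account that administers the webapp.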
Re: Tomcat Consultant
http://en.wikipedia.org/wiki/Application_server I am no expert, I have never used a J2EE container, so verify my words below: A web container (Tomcat) allows you to run servlets...(or JSPs that get compiled into servlets) A J2EE container or Application Server (Glassfish) can also manage EJBs, it will support message queues (JMS), it will allow you to manage database and JNDI resources, it can handle a transaction manager. You can probably use JMS, set up JNDI resources and use a transaction manager within your webapp in Tomcat but you have to add the features yourself; an application server should be able to help set up all that and help you manage it, in theory speeding up your development. An application server is also a web container, but it offers you many other features. http://download.oracle.com/javaee/1.4/tutorial/doc/Overview3.html On Sat, Sep 25, 2010 at 2:07 PM, Daniel Savard daniel.sav...@gmail.com wrote: Jorge, Could you explain further what's the difference between an app container and an app server? For me it seems pretty much the same. Regards, Daniel Savard 2010/9/24, Jorge Medina cerebrotecnolog...@gmail.com: Hey, you don't need a Big-5 consulting company. You need a a couple of experts: a networking guy and a Tomcat guy. But anyway, I'm sure a Fortune 500 have the money to overpay one of the Big-5. Now, from my understanding, Tomcat is only a web app container while Websphere is an application server. Therefore, depending on your application you may not be able to migrate it to Tomcat, but rather to Glassfish. Glassfish is also an application server. 
-Jorge

On Fri, Sep 24, 2010 at 1:57 PM, Christopher Schultz ch...@christopherschultz.net wrote:

To whom it may concern,

On 9/24/2010 1:25 PM, tdelesio wrote:

My fortune 500 company is testing a pilot for switching over a J2EE web app over from Web Sphere application server to Tomcat and we are looking for a consultant to setup a crusted production instance of tomcat.

Wait... are you testing it? If so, then you don't need anyone to set it up, do you? By crusted, did you mean trusted?

Does anyone have any recommendations for a top notch consulting firm that could provide these services?

I'm sure that any of the big-5 consulting companies would be very happy to take way more money than is necessary to set up an instance of Tomcat for you.

- -chris

-- Daniel Savard
Re: Tomcat Consultant
Hey, you don't need a Big-5 consulting company. You need a couple of experts: a networking guy and a Tomcat guy. But anyway, I'm sure a Fortune 500 has the money to overpay one of the Big-5. Now, from my understanding, Tomcat is only a web app container while Websphere is an application server. Therefore, depending on your application you may not be able to migrate it to Tomcat, but rather to Glassfish. Glassfish is also an application server.

-Jorge

On Fri, Sep 24, 2010 at 1:57 PM, Christopher Schultz ch...@christopherschultz.net wrote:

To whom it may concern,

On 9/24/2010 1:25 PM, tdelesio wrote:

My fortune 500 company is testing a pilot for switching over a J2EE web app over from Web Sphere application server to Tomcat and we are looking for a consultant to setup a crusted production instance of tomcat.

Wait... are you testing it? If so, then you don't need anyone to set it up, do you? By crusted, did you mean trusted?

Does anyone have any recommendations for a top notch consulting firm that could provide these services?

I'm sure that any of the big-5 consulting companies would be very happy to take way more money than is necessary to set up an instance of Tomcat for you.

- -chris
Re: Tomcat Consultant
I should have copyrights on my name. LOL

On Fri, Sep 24, 2010 at 3:49 PM, Brian bbprefix-m...@yahoo.com wrote:

-Original Message-
From: Jorge Medina [mailto:cerebrotecnolog...@gmail.com]
Sent: Friday, September 24, 2010 02:43 PM
To: Tomcat Users List
Subject: Re: Tomcat Consultant

Hey, you don't need a Big-5 consulting company.

Now that really sounded funny. Here in Peru, Arthur Andersen (RIP) had about 3 partners, one of whom was named JORGE MEDINA. :-D

You need a couple of experts: a networking guy and a Tomcat guy. But anyway, I'm sure a Fortune 500 have the money to overpay one of the Big-5. Now, from my understanding, Tomcat is only a web app container while Websphere is an application server. Therefore, depending on your application you may not be able to migrate it to Tomcat, but rather to Glassfish. Glassfish is also an application server.

-Jorge

On Fri, Sep 24, 2010 at 1:57 PM, Christopher Schultz ch...@christopherschultz.net wrote:

To whom it may concern,

On 9/24/2010 1:25 PM, tdelesio wrote:

My fortune 500 company is testing a pilot for switching over a J2EE web app over from Web Sphere application server to Tomcat and we are looking for a consultant to setup a crusted production instance of tomcat.

Wait... are you testing it? If so, then you don't need anyone to set it up, do you? By crusted, did you mean trusted?

Does anyone have any recommendations for a top notch consulting firm that could provide these services?

I'm sure that any of the big-5 consulting companies would be very happy to take way more money than is necessary to set up an instance of Tomcat for you.

- -chris
Re: [OT] Client to communicate to SSL WebServices on tomcat
Is your server using a test certificate? If so, have you tried setting the Java system property javax.net.ssl.trustStore? If your server is using a certificate signed by a certificate authority, then your certificate may have been signed using an intermediate certificate. Your server is responsible to provide the whole chain of certificates to get to a trusted root. (This file can be provided by the company who signed your server certificate)

On Wed, Sep 22, 2010 at 5:51 PM, Christopher Schultz ch...@christopherschultz.net wrote:

To whom it may concern,

On 9/22/2010 3:04 PM, aravidu wrote:

but how? this is not a webclient

The class is called WebService and the identified in your code is client. How is this not a client?

nor is the client running on a webserver.

That's not relevant.

how can i do this?

If you are using a web services API, read the API, or ask the people who wrote the API (not us). If you've written the code yourself, then you have to work with the Java API to properly configure a trust store for an outgoing HTTPS connection.

i tried giving the client.keystore and client.truststore in VMARGS (of eclipse) but it won't work.

I'm not familiar with those system properties. Are you sure they are meaningful? References to online documentation would be appropriate, here.

- -chris
Re: [OT] Client to communicate to SSL WebServices on tomcat
I have had browsers (IE) that can establish an SSL (https) connection to a server even when the server did not provide the intermediate certificates. Other browsers (like Firefox) won't allow the connection to be established unless the intermediate certificates are provided. On Wed, Sep 22, 2010 at 8:50 PM, Jorge Medina cerebrotecnolog...@gmail.com wrote: Is your server using a test certificate? If so, Have you tried setting the Java system property javax.net.ssl.trustStore? If your server is using a certificate signed by a certificate authority, then your certificate may have been signed using a intermediate certificate. Your server is responsible to provide the whole chain of certificates to get to a trusted root. (This file can be provided by the company who signed your server certificate) On Wed, Sep 22, 2010 at 5:51 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 To whom it may concern, On 9/22/2010 3:04 PM, aravidu wrote: but how? this is not a webclient The class is called WebService and the identified in your code is client. How is this not a client? nor is the client running on a webserver. That's not relevant. how can i do this? If you are using a web services API, read the API, or ask the people who wrote the API (not us). If you're written the code yourself, then you have to work with the Java API to properly configure a trust store for an outgoing HTTPS connection. i tried giving the client.keystore and client.truststore in VMARGS (of eclipse) but it wont work. I'm not familiar with those system properties. Are you sure they are meaningful? References to online documentation would be appropriate, here. 
- -chris
Re: Connect the same Database from two different web application
I had a slightly similar problem using Oracle data sources with Oracle connection caching. In this case, I had defined my connection settings via JNDI in context.xml. (therefore they were common for both web apps) Since the classes were loaded by Tomcat and not by my webapps, a datasource was being created by each webapp, but the cache names were having collisions. The first application was able to create the cache, but the second would fail because a cache instance with the same name already existed. I was able to avoid the problem by not giving a name to the cache, Oracle would create a random name for each and two instances of the cache would be created, one for each application. Could you have a similar issue with C3PO? I have never used it. On Sat, Sep 18, 2010 at 7:17 AM, Rahul Deb Mohan ra...@zaloni.com wrote: Hello Everyone, I am using Hibernate to connect to my MySql Database using C3p0 connection pooling mechanism from my web application which is deployed in Tomcat. Eventually, now I need to develop a child application, using the same Database instance. So I have two application now : say Application A and Application B, and both will be deployed in a Tomcat Server and both has to use the same Database, let say my DB name is EmployeeDB. I defined Resource parameters separately for both of the application and have done all the settings that are required for the connectivity. Now when I deploy the applications, and try to run them, the first application ( it may be Application A or Application B) loads up properly, but the second application shows error as it could not connect to the Database. Whatever application I load first, it successfully connect to the Database, but second application fails to connect. I am guessing there must be some locking mechanism, provided by either Hibernate or the Tomcat, which is preventing me to do so. Please help me to overcome this issue as that is my fundamental requirement now. Thanks is advance. 
I am posting the stack trace hereby: [code]com.mchange.v2.cfg.BasicMultiPropertiesConfig: Properties object found at resource path [system properties] contains a value that is not a String: 25 Skipping... com.mchange.v2.cfg.BasicMultiPropertiesConfig: Properties object found at resource path [system properties] contains a value that is not a String: 25 Skipping... 921 [http-8990-4] ERROR org.hibernate.connection.C3P0ConnectionProvider - could not instantiate C3P0 connection pool java.lang.NullPointerException at java.util.Hashtable.put(Hashtable.java:394) at com.mchange.v2.c3p0.DataSources.pooledDataSource(DataSources.java:314) at org.hibernate.connection.C3P0ConnectionProvider.configure(C3P0ConnectionProvider.java:181) at org.hibernate.connection.ConnectionProviderFactory.newConnectionProvider(ConnectionProviderFactory.java:137) at org.hibernate.connection.ConnectionProviderFactory.newConnectionProvider(ConnectionProviderFactory.java:79) at org.hibernate.cfg.SettingsFactory.createConnectionProvider(SettingsFactory.java:448) at org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:89) at org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101) at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325) at com.duke.zaloni.studentdb.server.hibernate.HibernateUtil.clinit(HibernateUtil.java:17) at com.duke.zaloni.studentdb.server.LoginServletImpl.doPost(LoginServletImpl.java:33) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:619) Hibernate Error:Initial SessionFactory creation failed.org.hibernate.HibernateException: Could not instantiate C3P0 connection pool org.hibernate.HibernateException: Could not instantiate C3P0 connection pool at
Re: Tomcat service only starts if
How do you start tomcat? What script gets executed? Probably your bash profile script for the tomcat account was setting the PATH and/or LD_LIBRARY_PATH for you. Review your startup script.

On Tue, Sep 7, 2010 at 11:32 AM, Jeff Hubbs jhubbsl...@att.net wrote:

Tomcat 5.5.23, sun-jdk 1.5.0_11, CentOS 4.8. Tomcat was built/installed from upstream. Tomcat service starts and runs normally if user tomcat's entry in /etc/passwd has /home/tomcat:/bin/bash but not if it has /dev/null:/sbin/nologin. Would rather have it work set to the latter, which seems to be the industrially correct thing to do.

I discovered this when I was trying to fix the Tomcat service failing to start and I changed the tomcat user account to look like a normal user's so I could execute catalina.sh manually via su. I had to chmod +x some .sh files that the install script did not set and then executing catalina.sh could start and stop the instance, but now I can only start the service with the tomcat user account left like that.

Thanks,
- Jeff
Re: Configuring JSVC on a new installation
The following script requires that you have built the APR and APR-utils prior to building JSVC in 64-bit mode. You will need the paths where the APR and APR-utils get installed. I use this script to build jsvc in Linux and Solaris, so you also need to define some variables to define the path to your autoconf and make commands (that in my case, they live in different directories and the version I want to use is not always in the PATH)

JSVC_PATH_SRC must point to the sources for Unix (something like ${tomcat.root}/bin/commons-daemon-${jsvc.version}-native-src/unix )

=== buildjsvc.sh ===
#!/bin/sh

# Every variable checked below must be set by the caller before the build starts.
if [ "${JAVA_HOME}" = "" ] ; then
    echo "JAVA_HOME is not defined"
    exit 1
fi
if [ "${CATALINA_HOME}" = "" ] ; then
    echo "CATALINA_HOME is not defined"
    exit 1
fi
if [ "${APR_DIR}" = "" ] ; then
    echo "APR_DIR not defined."
    exit 1
fi
if [ "${APU_DIR}" = "" ] ; then
    echo "APU_DIR not defined."
    exit 1
fi
if [ "${AUTOCONF_CMD}" = "" ] ; then
    echo "AUTOCONF_CMD not defined"
    exit 1
fi
if [ "${JSVC_PATH_SRC}" = "" ] ; then
    echo "JSVC_PATH_SRC not defined"
    exit 1
fi
if [ "${MAKE_CMD}" = "" ] ; then
    echo "MAKE_CMD not defined"
    exit 1
fi

# Kill me on all errors
set -e

# Force a 64-bit build and point the linker at APR, APR-util and the JRE libraries.
CPPFLAGS="-m64 -O3"
CXXFLAGS="-m64 -O3"
CFLAGS="-m64 -O3"
LDFLAGS="-m64 -O3 -L${APR_DIR}/lib -L${APU_DIR}/lib -L${JAVA_HOME}/jre/lib/amd64 -L${JAVA_HOME}/jre/lib/sparcv9"
export CPPFLAGS CXXFLAGS CFLAGS LDFLAGS

chmod u+x ${JSVC_PATH_SRC}/configure
cd ${JSVC_PATH_SRC}
${AUTOCONF_CMD}
${JSVC_PATH_SRC}/configure --with-java=${JAVA_HOME}

# This is a hack: The configure step does not configure the appropriate CPU on 64-bit systems
cp ${JSVC_PATH_SRC}/Makedefs ${JSVC_PATH_SRC}/Makedefs-Original
sed '
s:-DCPU=\\"i386\\":-DCPU=\\"amd64\\":g
s:-DCPU=\\"sparc\\":-DCPU=\\"sparcv9\\":g' ${JSVC_PATH_SRC}/Makedefs-Original > ${JSVC_PATH_SRC}/Makedefs

${MAKE_CMD} clean
${MAKE_CMD}
cp ${JSVC_PATH_SRC}/jsvc ${CATALINA_HOME}/bin
EXIT_CODE=$?
exit $EXIT_CODE

On Wed, Aug 11, 2010 at 3:22 PM, David Parks davidpark...@yahoo.com wrote:

Are there any good step-by-steps on getting JSVC working with Tomcat 6 on Linux (Fedora)? The tomcat installation docs are outdated (JSVC isn’t even in /bin), and every guide I find seems to be 2 years old and wrong in some way. I tried downloading JSVC separately, but get make errors, and those docs aren’t terribly explicit about certain details either.

Thanks,
David
Re: Configuring Tomcat 6.0.28 with SSL
There are two ways to add SSL support to Tomcat:
a) Pure java support
b) Using OpenSSL through the APR library

For (b) you need to compile (or use a distribution with) the Tomcat Native Library. Configuring SSL using (a) is different than when using (b). You may know if your server is running the APR by looking at the logs, at startup you may find a line similar to:

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:

After you have determined if you have the APR, look at how to configure SSL at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

-Jorge

On Tue, Aug 10, 2010 at 3:41 PM, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 jason.t.hansel@navy.mil wrote:

I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL into our web application due to the authentication process taking a while, causing the web app to run abnormally slow. I am wanting to use our server certificate (PKCS12) as the keystore. I've been doing a lot of research and it seems that I need to import the root certificates into the keystore using OpenSSL. What I am not too clear on is how to edit the server.xml file to accommodate these configurations. Here is what I have thus far, however, SSL does not seem to be working.

Copied from Notepad:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\con\geo.pfx"
           keystorePass="password" keystoreType="pkcs12"
           clientAuth="false" sslProtocol="TLS" />
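The check described in the reply above, as an added example that is not part of the original messages: it reads the startup log to see whether the APR library loaded, then lists the SSL attributes on each Connector in server.xml that the selected implementation does not read. The sample server.xml, the keystore path, the log lines and the "Loaded APR based ..." message format are constructed or assumed here; the attribute names are those of the Tomcat 6 HTTP connector.

```python
import xml.etree.ElementTree as ET

# Connector attributes read only by the pure-Java (JSSE) implementations.
JSSE_ONLY = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
             "truststoreFile", "truststorePass", "truststoreType",
             "clientAuth", "sslProtocol", "ciphers", "algorithm"}
# Connector attributes read only by the APR/OpenSSL implementation.
APR_ONLY = {"SSLCertificateFile", "SSLCertificateKeyFile",
            "SSLCertificateChainFile", "SSLCACertificateFile",
            "SSLCACertificatePath", "SSLPassword", "SSLProtocol",
            "SSLCipherSuite", "SSLVerifyClient", "SSLVerifyDepth"}


def apr_loaded(startup_log):
    """Return True/False when the log says so, None when APR is not mentioned."""
    for line in startup_log.splitlines():
        if "APR based Apache Tomcat Native library" not in line:
            continue
        if "was not found" in line:
            return False
        if "Loaded" in line:  # assumed format of the success message
            return True
    return None


def implementation(protocol, apr):
    """Which SSL implementation a Connector ends up with."""
    if protocol.endswith("Http11AprProtocol"):
        return "APR"
    if protocol.endswith(("Http11Protocol", "Http11NioProtocol")):
        return "JSSE"
    # Generic "HTTP/1.1": APR is selected when the native library was loaded.
    if apr is None:
        return "unknown"
    return "APR" if apr else "JSSE"


def audit(server_xml, startup_log):
    """List, per SSL Connector, the attributes its implementation will not read."""
    apr = apr_loaded(startup_log)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector
        impl = implementation(conn.get("protocol", "HTTP/1.1"), apr)
        names = set(conn.attrib)  # attribute names only, never the values
        wrong_family = {"APR": JSSE_ONLY, "JSSE": APR_ONLY}.get(impl, set())
        missing = []
        if impl == "APR" and "SSLCertificateFile" not in names:
            missing.append("SSLCertificateFile")
        findings.append({"port": conn.get("port"), "impl": impl,
                         "ignored": sorted(names & wrong_family),
                         "missing": missing})
    return findings


# Constructed sample: a JSSE-style SSL Connector next to a plain HTTP one.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             keystoreFile="conf/example.pfx" keystorePass="changeit"
             keystoreType="pkcs12" clientAuth="false" sslProtocol="TLS" />
</Service></Server>
"""

# Constructed startup-log lines for the two cases.
LOG_NO_APR = ("INFO: The APR based Apache Tomcat Native library which allows "
              "optimal performance in production environments was not found "
              "on the java.library.path: /usr/lib")
LOG_APR = "INFO: Loaded APR based Apache Tomcat Native library 1.1.20."

if __name__ == "__main__":
    for label, log in (("APR absent", LOG_NO_APR), ("APR loaded", LOG_APR)):
        for f in audit(SAMPLE_SERVER_XML, log):
            print(label, f)
```

With the APR library loaded, the same keystore-style Connector is reported with every JSSE attribute in `ignored` and `SSLCertificateFile` in `missing`, which is the mismatch the Connector's own comment warns about.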
Re: Testing tomcat 6
Ohad, What do you want to test? I think that you need to rephrase your question. If you are trying to test your application running under Tomcat, then the test suite has to be specific to your application. If you want to benchmark Tomcat against other servlet containers, then you need to use the same application and apply the same test suite.

-Jorge

On Mon, Jun 14, 2010 at 9:52 AM, Ohad Shacham ohad.shac...@gmail.com wrote:

Hi, I would like to run tomcat for testing, I am looking for test cases with aggressive workload. Could you please let me know whether there exists a testing/benchmarking suite for tomcat that I can use?

Thanks,
Best Regards,
Ohad
Re: user cancels download attachment
I would be interested in the answer when the server is front-ended with httpd. I currently have a web services application (using SOAP with attachments) and I would also benefit from getting an IOException (like the Broken pipe) to terminate processing as soon as possible.

On Thu, May 20, 2010 at 4:21 PM, Ðavîd Låndïs dlan...@gmail.com wrote:

It is standalone. Thanks.

On Thu, May 20, 2010 at 4:07 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: Ðavîd Låndïs [mailto:dlan...@gmail.com]
Subject: user cancels download attachment

Tomcat 6.0.20 Java 1.6.0_20-b02 Linux 2.6.32-22

I can't answer your question (at least not yet), but one more piece of information is needed: do you have anything front-ending Tomcat, such as httpd, or is Tomcat running standalone?

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: [OT] Tomcat dies suddenly
There have been 144 messages on this thread...and you have spent already months trying to solve the problem...I think it will be more cost effective to replace the boxes, run a standard JVM from Sun..and close this thread! On Sat, Feb 13, 2010 at 6:11 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: [OT] Tomcat dies suddenly Maybe we should also investigate if the SegFaults are simultaneous with anyone specific entering the room where the servers are. Ah yes, the old nylon underwear problem... Or the pizza with plutonium toppings. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Unable to set loginTimeout on data sources defined in context.xml
Hi, I have the following Resource defined in context.xml

<Resource name="jdbc/MasterDB" auth="Container"
          driverClassName="oracle.jdbc.driver.OracleDriver"
          type="oracle.jdbc.pool.OracleDataSource"
          factory="oracle.jdbc.pool.OracleDataSourceFactory"
          description="Database Master DB Instance"
          maxActive="100" maxIdle="30" maxWait="5000"
          user="@@ORACLE_USER@@" password="@@ORACLE_USER_PASSWORD@@"
          loginTimeout="10" defaultAutoCommit="true"
          url="@@ORACLE_URL@@"
          validationQuery="select sysdate from dual"
          testOnBorrow="true" testWhileIdle="true"
          timeBetweenEvictionRunsMillis="30"
          minEvictableIdleTimeMillis="180" />

where the user, password and url are all defined at install time and are not important for this issue.

I use Hibernate on my application, and define my hibernate.master.cfg.xml as

<hibernate-configuration>
  <session-factory>
    <!-- The JNDI resource name for the Data Source defined in tomcat/conf/context.xml -->
    <property name="hibernate.connection.datasource">java:/comp/env/jdbc/MasterDB</property>
    <!-- The Hibernate Properties for this data source -->
    <property name="hibernate.dialect">org.hibernate.dialect.Oracle10gDialect</property>
    <property name="hibernate.connection.autocommit">true</property>
    <property name="hibernate.cache.use_query_cache">false</property>
    <!-- <property name="hibernate.hbm2ddl.auto">validate</property> -->
    <property name="hibernate.jdbc.batch_size">0</property>
    <property name="hibernate.cache.use_second_level_cache">true</property>
    <property name="hibernate.current_session_context_class">thread</property>
    <property name="hibernate.cache.provider_class">net.sf.ehcache.hibernate.EhCacheProvider</property>
    <property name="net.sf.ehcache.configurationResourceName">ehcache.xml</property>
  </session-factory>
</hibernate-configuration>

While the database is up and running, everything works fine in my web app (webservices implemented with Spring framework). But when the database is down, my clients timeout because my application takes a lot of time to realize that the database is down (several minutes).

I want my web app to fail quickly if the DB is down (and either return some useful error to the user). I have tried setting the property loginTimeout in my Resource, but it seems that Tomcat is ignoring the property.

Originally I was using javax.sql.Datasource and the datasource factory was defaulting to the DBCP BasicDataSourceFactory in my Resource declaration. If I specified the loginTimeout property in the Resource with this factory, the application was just unable to get a connection. (I forgot the details, but this prompted me to use the oracle.jdbc.pool.OracleDataSourceFactory and the corresponding data source, oracle.jdbc.pool.OracleDataSource ).

Is Tomcat ignoring the loginTimeout property?

-Jorge
Re: Including a file into server.xml
I don't know of any inclusion tag. I had a similar problem with context.xml, I used an XSLT transformation to add new Resources entries during installation time depending on the number of databases a user wanted to configure. I used a dummy Resource entry and used XSLT to make a copy of it replacing a set of attributes with values provided by the user. At the end, I used another XSLT to remove the dummy Resource.

On Fri, Jan 22, 2010 at 11:31 PM, Aryeh M. Friedman aryeh.fried...@gmail.com wrote:

I have a Java based XML DB that keeps track of different configurations for various sites we host and it is trivial to have it spit out a Host entry compatible with server.xml for each site... the only problem we have is how to insert the output into server.xml without garbaging and/or having to parse the file... the solution I want to use is include file X here but I can not find any way of coding that into server.xml

If it is compatible with standard XML inclusion tags just let me know and I will figure out the rest, if not is there a special tag or something?
Re: tomcat server start up without looking dependency jars
hi Ahmed,

JAR files are not loaded by Tomcat. A jar file is just a container of classes, the classes are loaded by the JVM when the code makes reference to them. If you specify a Resource on your context.xml, then Tomcat will look for those classes (the driverClassName), but that does not mean that a connection to the database is established at that point in time. It only means that the driver has been loaded. Your application is responsible to ask for a connection whenever it wishes.

On Sat, Dec 5, 2009 at 7:17 AM, ahmed kasim callka...@yahoo.com wrote:

Hi, I have few jars which need to get loaded only when the war file is getting loaded or when the request comes, to be more clear I have some jar which is having connection to DB, if I specify in my context.xml file it is getting loaded when the server getting started up initially, so I want to avoid this and make it when my war file gets loaded the db connection should get loaded.

<Resource name="jdbc/DB2DS" auth="Container" type="javax.sql.DataSource"
          driverClassName="com.ibm.db2.jcc.DB2Driver"
          url="jdbc:db2://localhost:5/SPARK"
          username="db2admin" password="d...@dmin"
          maxActive="20" maxIdle="10" maxWait="-1"/>

I have three jar file specified for Resource, if i place jar file it is getting loaded and server starts up looking for connection with db. How can I avoid server starting time look up and make it available only when I deploy the war file.

many thanks,
Kasim
Re: Manage log files in a cluster
Look at Hadoop Chukwa

On Wed, Dec 2, 2009 at 3:09 AM, Paolo Santarsiero paolo.santarsi...@gmail.com wrote:

thanks, this can be a good start point.

2009/12/1 Neil Aggarwal n...@jammconsulting.com

I want to manage the log's files on a centralized basis

Does this help? http://linux.die.net/man/1/mergelog

Neil
-- Neil Aggarwal, (281)846-8957, http://UnmeteredVPS.net Host your tomcat app on a CentOS VPS for only $25/month! Unmetered bandwidth, 7 day free trial, Google Checkout
Re: Logging into clustered enviroment
No, you don't want two -or more processes- writing to the same file. You have several options:
a) Aggregate on demand. Keeps the log files independent, but only merge them when needed.
b) Send the log records over the network to one or more logging servers. This will merge your logs on the fly.

For (b), you may use Log4j SocketAppender. Take a look at Apache Hadoop (Chukwa).

On Fri, Nov 20, 2009 at 4:39 AM, Aleksandar Stoisavljevic stal...@gmail.com wrote:

Hi all, I am preparing myself for my first commercial application in clustered Tomcat environment. One of requests that I have is to allow exposing logs that happened on either TomcatA or TomcatB aggregated in single report. TomcatA and TomcatB are behind Apache Server and load balancing should be used. Until now I developed web applications just for single Tomcat, or in case that Load Balancing is requested no-one asked for such kind of aggregated report.

My guess is that some kind of central repository for Logging should be used (TomcatA and TomcatB can access to that central repository and write their logs there) but I am wondering what about permissions? What is TomcatA is writing to log and TomcatB should log to same log his stuff? Any experience about this matter? Can You point me out some inet address, blog, book ?

Thanks in advance ?

-- Aleksandar dipl. ing. Stoisavljevic
Software Developer
mobile: +381 (0) 64 211 50 40
Web: http://www.staleksit.in.rs
E-mail: stal...@gmail.com
Mail: Branislava Nusica 10, 21000 Novi Sad, Serbia
RE: How to set up tomcat and truststore
Doesn't accepting any certificate defeat the purpose of authentication? If you want to accept any certificate, then you are not doing any authentication. If you have written your own Realm, then do the verification on your realm against your dynamic truststore.

-Original Message-
From: more...@privasphere.com [mailto:more...@privasphere.com] On Behalf Of Luciana Moreira Sa de Souza Signed by - PrivaSphere AG
Sent: Wednesday, November 11, 2009 10:25 AM
To: users@tomcat.apache.org
Cc: Ralf Hauser
Subject: How to set up tomcat and truststore

Hello,

In the platform I am currently working on, we have to set up tomcat to require client certificate authentication. The main difference from the standard settings as described in (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html) is that we wish to accept any client certificates, including self-signed ones. The main reason for that is that we perform a second verification on the application layer as our truststore is dynamic.

We have a JAASRealm class extension which basically extends the hasResourcePermission method setting it to always return true. Below you can see the configuration we added to the server.xml

<Realm className="com.privasphere.privalope.security.auth.ClientCertInAppRealm" debug="99"/>

Nevertheless, I believe this method is only called after the initial handshake and after the client certificate has been accepted or refused (this is a guess). In addition, I am not entirely sure of what I should put in the truststoreFile property. As we want to accept all certificates this file would probably be empty.

Any suggestions or best practices for this problem?

Best regards,
Luciana Moreira

-- This message has been signed by the PrivaSphere Mail Signature Service.
RE: [OT] Of the dissemination, or globalisation, of Tomcat knowledge
Ich kann nicht alles verstehen. Mein deutche ist night zu gut. Could you provide the translation? -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, November 10, 2009 11:01 AM To: Tomcat Users List Subject: [OT] Of the dissemination, or globalisation, of Tomcat knowledge Mark, Nach der Mittagspause stellte Mark Thomas im Tomcat-Track die Neuerungen in Tomcat 7 vor. Die neue Tomcat-Version wird die Servlet-3.0-API unterstützen. Die API-Implementierung ist weit fortgeschritten - soweit die API-Definition selbst schon stabil ist. Zu den neuen Funktionen gehört unter anderem die asynchronene Requestverarbeitung. Diese erlaubt neue Kommunikationsformen in Webanwendungen etwa im AJAX-Umfeld. Der Tomcat Manager, über den neue Applikationen deployed werden können, wurde vor allem im Hinblick auf Sicherheit überarbeitet. Mit embedded Tomcat hat man eine Möglichkeit geschaffen, Tomcat sehr einfach in Java Code zu instanziieren und integriert mit der Applikation auszuliefern. Embedded Tomcat ist sehr leichtgewichtig und weist nur wenige Bibliotheksabhängigkeiten auf. Waow ! You really did say all that ? Tomcat rocks ! :-) Borrowed from the Lucene forum, and more directly from http://www.heise.de/open/artikel/ApacheCon-2009-Lucene-Hadoop-und-mehr-852929.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connect tomcat to Active Directory with jndi
Is that a typo on the role name?

<role-name>Active-directory-Group-Name</role-name>

Should it be Active-Directory-Group-Name?

You may ask in Spanish at http://groups.google.com/group/javasos

-Jorge

-Original Message-
From: A A [mailto:masvalesolo...@yahoo.es]
Sent: Tuesday, November 10, 2009 11:20 AM
To: users@tomcat.apache.org
Subject: Connect tomcat to Active Directory with jndi

Hi, (Sorry for my English)

I'm trying to authenticate an application using Windows Active Directory, with the jndi realm connector. Looking for information, I've seen that the jndi realm configuration can be set up in server.xml, or in the application's context.xml and web.xml. In my case I want to authenticate just one application, so I use context.xml and web.xml.

When I go to the application url, a popup asks me for user and password. I write my Active Directory user and password, but it returns me this message:

Apache Tomcat/5.5.25 - Informe de Errortype Informe de estado mensaje descripción Este requerimiento requiere autenticación HTTP (). Apache Tomcat/5.5.25

I can't see any information in catalina.out nor application.log. How can I see what is going wrong? Can I enable any jndi log? Am I wrong with any parameter or format? What is the best way to do it? Any suggestion will be welcome. I'm trying this configuration without any results. Thanks in advance.

context.xml

<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="${catalina.home}/webapps/pfirma">
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://oid.prpmalaga.es:389"
         UserPattern="uid={0},ou=Users,dc=prpmalaga,dc=es"
         roleBase="ou=Groups,dc=prpmalaga,dc=es"
         roleName="cn"
         roleSearch="(uniqueMember={0})" />
</Context>

WEB-INF/web.xml

<!-- Security definitions -->
<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Context-aplication-name</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Active-Directory-Group-Name</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Active-Directory-User</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <description>Description </description>
  <role-name>Active-directory-Group-Name</role-name>
</security-role>
RE: Identifying Clients via SSL Certificates
OpenSSL hashes the subject name. This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name. But that seems weak.

http://www.openssl.org/docs/apps/x509.html#
http://www.openssl.org/docs/apps/verify.html#

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, November 09, 2009 2:06 PM
To: Tomcat Users List
Subject: Identifying Clients via SSL Certificates

All,

I've been playing around with client SSL certificates, not for authentication per se, but as a gateway to a relaxed authentication mechanism for one of our webapps.

I have a client SSL cert working (see my previous thread "mod_jk Client SSL Certificates") and successfully verifying the signature of the client cert by the server.

I'd like to be able to uniquely identify the client certificate being used to authenticate via SSL, but I'm a newbie at this sort of thing and I'd appreciate some suggestions as to how to do that.

A few ideas I've had are:

1. Use a directory-style 'CN' attribute like UID=myuniqueid
2. Use the fingerprint of the client certificate
3. Use the full text of the client certificate

All 3 of the above can be used to then link to appropriate records in the database for limited authentication.

Does anyone have any suggestions or preferred techniques?

Thanks,
-chris
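The fingerprint and subject-name options listed in the question above, sketched as an added example that is not code from this thread. The class name, the account registry and the command-line usage are assumptions made for illustration; in a servlet the verified chain is available as the request attribute named in the comment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper: maps a verified client certificate to an application account. */
public class ClientCertIdentity {

    /** Registry keyed by certificate fingerprint (assumed to be backed by a database in practice). */
    private final Map<String, String> accountsByFingerprint = new HashMap<String, String>();

    /** Idea 2: hex SHA-256 digest of the DER encoding. It changes if any byte of the certificate changes. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    /**
     * Idea 1: the subject DN (RFC 2253 form). It is only as unique as the issuing CA makes it:
     * two different certificates can carry the same subject, so keep it for display and audit,
     * not as the lookup key.
     */
    static String subjectDn(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    /** Binds a certificate to an account; refuses to silently rebind a known certificate. */
    void enroll(X509Certificate cert, String accountId) throws Exception {
        String fp = fingerprint(cert);
        String existing = accountsByFingerprint.get(fp);
        if (existing != null && !existing.equals(accountId)) {
            throw new IllegalStateException("certificate already bound to another account");
        }
        accountsByFingerprint.put(fp, accountId);
    }

    /** Returns the bound account, or null when the certificate is unknown. */
    String resolve(X509Certificate cert) throws Exception {
        cert.checkValidity(); // throws if expired or not yet valid
        return accountsByFingerprint.get(fingerprint(cert));
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ClientCertIdentity <client-cert.pem|.cer>");
            return;
        }
        // In a servlet, the chain verified during the handshake would come from:
        //   (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")
        // with element 0 being the client's own certificate.
        X509Certificate cert = load(args[0]);

        ClientCertIdentity registry = new ClientCertIdentity();
        registry.enroll(cert, "account-42"); // constructed sample account id

        System.out.println("subject     : " + subjectDn(cert));
        System.out.println("fingerprint : " + fingerprint(cert));
        System.out.println("resolved to : " + registry.resolve(cert));
    }
}
```

Keying on the fingerprint means a renewed certificate has to be enrolled again, while keying on the subject would accept any certificate your CAs issue with that name.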
RE: WebappClassLoader and undeploy
Does the JVM perform class unloading by default? I usually add the option -XX:+CMSClassUnloadingEnabled so that classes also get garbage collected. (Otherwise I was running into out of PermGen memory space) Would that solve your problem? -Original Message- From: Elli Albek [mailto:e...@sustainlane.com] Sent: Monday, November 09, 2009 5:53 PM To: Tomcat Users List Subject: Re: WebappClassLoader and undeploy Managing class loaders is done in the JVM. Tomcat cannot force the JVM to garbage collect class loaders, in the same way that it cannot force the JVM to garbage collect any object. If the class loader is unreachable, and all other objects that this class loader provided are also unreachable, then the JVM can garbage collect it like any other object. This garbage collection is heavier than simple object reference. I assume the JVM will do it only in major garbage collections and maybe even not in every major one. If your test app is not doing anything, there is no reason for the JVM to actually do something about it since memory is not consumed. If you try to force major garbage collections, eventually it should happen. If you run a load test, which will force tomcat to consume memory, then you will eventually get to a major garbage collection. This can take much longer than what you would think. If the code is simple (like JSP page and hello world type of servlet) it can be optimized by the JVM to consume memory on a local stack based heap (per thread), and not use the JVM main heaps. If you keep a reference to one object that was created from this class loader, then the Class object of this object is reachable, and the class loader is reachable via the Class. Since it is reachable, it cannot be garbage collected. WebappLoader is a class that has the code to manage a webapp lifecycle. It is not a class loader. The JVM to track references to it like any other simple object (String). 
In addition, it is an internal tomcat object, so it is a lot simpler to keep track of references to it in the tomcat code. It is not visible to the webapps or exposed to user code that can leak it.

WebappClassLoader is the opposite: It is a real class loader. Garbage collecting it is not a simple matter. My guess is that:

1. If you constantly load the memory, then eventually it will be garbage collected.
2. If it is not garbage collected in that case, there is a reference leak, something is keeping a reference to either the class loader or to an object that was loaded by from it. Tomcat is releasing references to objects on its side, but the user code can do other things.

If the web app contains one servlet and one JSP page, that should be easy to follow. Tomcat keeps references to those objects (both should be servlets), but also releases them when you redeploy. You can verify that the objects are gone. The actual instances should be gone very quickly since they are simple objects. JSP page is turned into a class, you should see it in the memory management tool.

Notice that if the web app is reloaded, the new class loader will load the same classes again, so they will have the same class name, but they will have separate Class instances. You will have two objects that have the same class name, but are different class.

Other possible reference leaks from the webapp to the outside:

- Threads that are left running
- JNDI
- Sessions
- Thread local
- Any library in a class loader above the webapp (in class loaders app, system, common and shared, possibly even in Catalina but less likely)

Logging and reflection libraries always star as favorite leakers.
RE: Problem forward HTTP / Soap request using mod_jk
Did you add a load balancer worker to your workers.properties? Below is what I use to perform load balancing over two Tomcat servers. I have a similar scenario: Apache in front of two (or more) Tomcats. Apache forwards the requests using mod_jk. My client is sending SOAP requests using Axis2.

worker.list= wlb, jkwatch

##
# Defining a load balancer worker
##
worker.wlb.type=lb
worker.wlb.balance_workers=tomcatserver1, tomcatserver2
worker.wlb.max_reply_timeouts=3
# worker.wlb.retries=2
# worker.wlb.retry_interval=100
# worker.wlb.sticky_session=True
# worker.wlb.sticky_session_force=False
# worker.wlb.method=Request
# worker.wlb.lock=Optimistic

##
# Defining the status workers
##
# A read-only status worker
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk
# A managing status worker
# worker.jkmanage.type=status
# worker.jkmanage.mount=/private/admin/manage/jk

##
## Balanced Workers (Tomcat Workers)
##

##
# Tomcat Worker (tomcatserver1)
##
worker.tomcatserver1.type=ajp13
worker.tomcatserver1.host=localhost
worker.tomcatserver1.port=8009
worker.tomcatserver1.lbfactor=1
# Connection pool timeout is set in seconds. (10 minutes). If you modify this
# value, you need to modify the AJP connector in the Tomcat server.xml to
# match this value. Note that the value in Tomcat must be specified in milliseconds.
worker.tomcatserver1.connection_pool_timeout=600
worker.tomcatserver1.socket_keepalive=True
worker.tomcatserver1.socket_timeout=60
## worker.tomcatserver1.socket_connect_timeout=60
#
# Apache will wait 30 seconds (30,000 ms) for Tomcat to respond, otherwise
# it will return error 504 - Gateway timeout to the client
worker.tomcatserver1.reply_timeout=3
#
# This recovery_options attribute is a bit mask.
# The following bits are allowed:
# 1: don't recover if Tomcat failed after getting the request
# 2: don't recover if Tomcat failed after sending the headers to client
# 4: close the connection to Tomcat, if we detect an error when writing back the answer to the client (browser)
# 8: always recover requests for HTTP method HEAD (even if Bits 1 or 2 are set)
# 16: always recover requests for HTTP method GET (even if Bits 1 or 2 are set)
# We will set it to 27, equivalent to the binary 11011
worker.tomcatserver1.recovery_options=27

##
# Tomcat Worker (tomcatserver2)
##
worker.tomcatserver2.type=ajp13
worker.tomcatserver2.host=localhost
worker.tomcatserver2.port=7009
worker.tomcatserver2.lbfactor=1
# Connection pool timeout is set in seconds. (10 minutes). If you modify this
# value, you need to modify the AJP connector in the Tomcat server.xml to
# match this value. Note that the value in Tomcat must be specified in milliseconds.
worker.tomcatserver2.connection_pool_timeout=600
worker.tomcatserver2.socket_keepalive=True
worker.tomcatserver2.socket_timeout=60
## worker.tomcatserver2.socket_connect_timeout=60
#
# Apache will wait 30 seconds (30,000 ms) for Tomcat to respond, otherwise
# it will return error 504 - Gateway timeout to the client
worker.tomcatserver2.reply_timeout=3
#
# This recovery_options attribute is a bit mask.
# The following bits are allowed:
# 1: don't recover if Tomcat failed after getting the request
# 2: don't recover if Tomcat failed after sending the headers to client
# 4: close the connection to Tomcat, if we detect an error when writing back the answer to the client (browser)
# 8: always recover requests for HTTP method HEAD (even if Bits 1 or 2 are set)
# 16: always recover requests for HTTP method GET (even if Bits 1 or 2 are set)
# We will set it to 27, equivalent to the binary 11011
worker.tomcatserver2.recovery_options=27

-Original Message-
From: breako [mailto:alex.stave...@fineos.com]
Sent: Tuesday, November 03, 2009 1:35 PM
To: users@tomcat.apache.org
Subject: Problem forward HTTP / Soap request using mod_jk

Hi, I have two tomcat servers and I can make them talk to each other using soap / http no problem. However, when I put Apache in front of one of my tomcat servers and set it up to forward http requests to the tomcat server, it doesn't get any requests. I am using mod_jk to achieve the forwarding. I have tested other types of http
RE: Problem forward HTTP / Soap request using mod_jk
Your uriworkermap.properties must send the requests to the load balancer worker. Here is a sample uriworkermap.properties.

-Jorge

# This file provides mapping for the wlb worker
# defined in workers.properties.
# The general syntax for this file is:
# [URL]=[Worker name]
/yourappcontext=wlb
/yourappcontext/*=wlb
# Lets also define an URI to access the status workers
/private/admin/watch/jk=jkwatch
#/private/admin/manage/jk=jkmanage

-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Wednesday, November 04, 2009 3:15 PM
To: Tomcat Users List
Subject: RE: Problem forward HTTP / Soap request using mod_jk

Did you add a load balancer worker to your workers.properties? Below is what I use to perform load balancing over two Tomcat servers. I have a similar scenario: Apache in front of two (or more) Tomcats. Apache forwards the requests using mod_jk. My client is sending SOAP requests using Axis2.

worker.list= wlb, jkwatch

##
# Defining a load balancer worker
##
worker.wlb.type=lb
worker.wlb.balance_workers=tomcatserver1, tomcatserver2
worker.wlb.max_reply_timeouts=3
# worker.wlb.retries=2
# worker.wlb.retry_interval=100
# worker.wlb.sticky_session=True
# worker.wlb.sticky_session_force=False
# worker.wlb.method=Request
# worker.wlb.lock=Optimistic

##
# Defining the status workers
##
# A read-only status worker
worker.jkwatch.type=status
worker.jkwatch.read_only=True
worker.jkwatch.mount=/private/admin/watch/jk
# A managing status worker
# worker.jkmanage.type=status
# worker.jkmanage.mount=/private/admin/manage/jk

##
## Balanced Workers (Tomcat Workers)
##

##
# Tomcat Worker (tomcatserver1)
##
worker.tomcatserver1.type=ajp13
worker.tomcatserver1.host=localhost
worker.tomcatserver1.port=8009
worker.tomcatserver1.lbfactor=1
# Connection pool timeout is set in seconds. (10 minutes). If you modify this
# value, you need to modify the AJP connector in the Tomcat server.xml to
# match this value. Note that the value in Tomcat must be specified in milliseconds.
worker.tomcatserver1.connection_pool_timeout=600
worker.tomcatserver1.socket_keepalive=True
worker.tomcatserver1.socket_timeout=60
## worker.tomcatserver1.socket_connect_timeout=60
#
# Apache will wait 30 seconds (30,000 ms) for Tomcat to respond, otherwise
# it will return error 504 - Gateway timeout to the client
worker.tomcatserver1.reply_timeout=3
#
# This recovery_options attribute is a bit mask.
# The following bits are allowed:
# 1: don't recover if Tomcat failed after getting the request
# 2: don't recover if Tomcat failed after sending the headers to client
# 4: close the connection to Tomcat, if we detect an error when writing back the answer to the client (browser)
# 8: always recover requests for HTTP method HEAD (even if Bits 1 or 2 are set)
# 16: always recover requests for HTTP method GET (even if Bits 1 or 2 are set)
# We will set it to 27, equivalent to the binary 11011
worker.tomcatserver1.recovery_options=27

##
# Tomcat Worker (tomcatserver2)
##
worker.tomcatserver2.type=ajp13
worker.tomcatserver2.host=localhost
worker.tomcatserver2.port=7009
worker.tomcatserver2.lbfactor=1
# Connection pool timeout is set in seconds. (10 minutes). If you modify this
# value, you need to modify the AJP connector in the Tomcat server.xml to
# match this value. Note that the value in Tomcat must be specified in milliseconds.
worker.tomcatserver2.connection_pool_timeout=600
worker.tomcatserver2.socket_keepalive=True
worker.tomcatserver2.socket_timeout=60
## worker.tomcatserver2.socket_connect_timeout=60
#
# Apache will wait 30 seconds (30,000 ms) for Tomcat to respond, otherwise
# it will return error 504 - Gateway timeout to the client
worker.tomcatserver2.reply_timeout=3
#
# This recovery_options attribute is a bit mask.
# The following bits are allowed:
# 1: don't recover if Tomcat failed after getting the request
# 2: don't recover if Tomcat failed after sending the headers to client
# 4: close the connection to Tomcat, if we detect an error when writing back the answer to the client (browser)
# 8: always recover requests for HTTP method HEAD (even if Bits 1 or 2 are set)
# 16: always recover requests for HTTP method GET (even if Bits 1
RE: Problem forward HTTP / Soap request using mod_jk
No, you don't need the load balancer if you only have one Tomcat behind your Apache server. The status worker is not needed either, but it allows you to monitor the state of the load balancer and the workers from a browser. (You can even enable/disable workers)

-Original Message-
From: breaks [mailto:astave...@yahoo.com]
Sent: Wednesday, November 04, 2009 4:57 PM
To: users@tomcat.apache.org
Subject: RE: Problem forward HTTP / Soap request using mod_jk

Thanks to all. I am at home now but will try your suggestions tomorrow. I was just wondering why I would need a load balancer, uriproperties file or a status worker just because it is a HTTP POST SOAP request? I am able to get all other http requests forwarded to my tomcat server without the above...
RE: Apache/Tomcat with SSL
Hola Miguel, did you set up SSL in Apache? Or did you do it in Tomcat? Or in both? I am assuming that you want Apache to be the exposed server, therefore SSL must be configured in Apache. You must also have configured Apache to forward the requests to Tomcat by using the Apache modules mod_jk or mod_proxy.

-Jorge

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, I can see the lock in my browser with all the SSL info, but the page only loads as the jsp script and not the full page. Is there some configuration setting that I have missed? I can provide snippets from the server.xml, httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818 wk: 954-331-4818 bbry: 954-649-1863
miguel.or...@macneillgroup.com

This email and any files transmitted with it are the confidential property of Focus Holdings, LLC and its subsidiaries, and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
RE: Apache/Tomcat with SSL
Also, in order to configure Apache with SSL you must have the module mod_ssl.

-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Monday, September 28, 2009 10:40 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL

Hola Miguel, did you set up SSL in Apache? Or did you do it in Tomcat? Or in both? I am assuming that you want Apache to be the exposed server, therefore SSL must be configured in Apache. You must also have configured Apache to forward the requests to Tomcat by using the Apache modules mod_jk or mod_proxy.

-Jorge

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, I can see the lock in my browser with all the SSL info, but the page only loads as the jsp script and not the full page. Is there some configuration setting that I have missed? I can provide snippets from the server.xml, httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818 wk: 954-331-4818 bbry: 954-649-1863
miguel.or...@macneillgroup.com
RE: Apache/Tomcat with SSL
As suggested by André, you may want to join the Apache User's list and ask your question there. You need to configure SSL in your Apache web server. To configure SSL in the Apache web server, the first thing you need to do is to verify that the module mod_ssl is available. You may want to consider posting sections of your httpd.conf file (or any relevant file included by the Include directive). (Remove any sensitive information when posting your question.)

-Jorge

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 3:19 PM
To: 'Tomcat Users List'; 'Tomcat Users List'
Subject: RE: Apache/Tomcat with SSL

André,

That is what I did and it still came up with server not found. If you would like to verify, our site is http://fun.macneillgroup.com. The site we are currently testing is http://fun.macneillgroup.com/focus/common/Index.jsp. This page works, however the https form doesn't seem to produce the desired results.

Miguel Ortiz
Network Engineer
x4818 wk: 954-331-4818 bbry: 954-649-1863
miguel.or...@macneillgroup.com

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, September 28, 2009 3:02 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:

André, This server was configured by our web development contractors. I was only tasked with setting up the SSL. When I go to the specified URL, firefox throws a server not found.

When I mentioned the URL http://your-hostname/ROOT/WEB-INF/web.xml I meant for you to replace the your-hostname part by your own host's name. :-)

Also, basically I think that this discussion belongs more to the Apache user's list than Tomcat's, because it seems that the SSL part is done at the Apache httpd level, not at Tomcat's level. It is also not easy to just add SSL to an Apache httpd, if this Apache httpd uses VirtualHosts.

In the first responses to your first post, some very relevant questions were asked, which I don't think you have answered fully yet. It is difficult for someone to help you with the partial information you have supplied so far. Tell us:

- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple VirtualHost sections?
- can you append your main Apache httpd configuration file (httpd.conf or apache2.conf, depending on platform). Don't put it as an attachment, because chances are this list will strip it. Paste it right into your message.
- what exactly did you add, and where, to add the SSL capability?

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, September 28, 2009 11:25 AM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:

...
[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
[Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index forbidden by Options directive: /var/lib/tomcat5/webapps/

Nothing to do, I think, with your problem, but it would seem from the above that you have configured your Apache front-end with something like

DocumentRoot /var/lib/tomcat5/webapps

which, in principle, is not a good idea. What do you get in your browser when you request http://your-hostname/ROOT/WEB-INF/web.xml (or with https:// as the case may be)?
RE: Tomcat 5.5 Trust Stores and Client Authentication
I have not used client certificates, but in order to use SSL with self-generated certificates you need to add your server self-signed certificate to the trusted roots of your Windows account or computer account. Use the Certificates plug-in on an MMC console to perform the operation.

The operation above guarantees that IE can verify the identity of your server. When using client certificates, you need to guarantee the opposite too: your server needs to be able to verify the identity of the client. After installing the client certificate on IE, you also need to install the client certificate (or the CA root of the client certificate) into the store used by Tomcat.

I would assume that Tomcat uses the JVM trust store, so you would need to specify:

CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks -Djavax.net.ssl.trustStorePassword=your_password"

But the documentation indicates to use the attributes:

truststoreFile=C:/cacerts.jks truststorePass=changeit truststoreType=JKS

...that you already have tried. So, try setting the variables above.

-Jorge

-Original Message-
From: Ron Perkins [mailto:ronperkins...@googlemail.com]
Sent: Monday, April 20, 2009 4:14 AM
To: users@tomcat.apache.org
Subject: Tomcat 5.5 Trust Stores and Client Authentication

Hi All,

I have done the following to create a Trust Store for Tomcat to use:

Created a keystore with new certificate:

keytool -genkey -alias mycert -keyalg RSA -keypass changeit -keystore keystore.jks -storepass changeit

Exported certificate:

keytool -export -alias mycert -file mycert.cer -keystore keystore.jks -storepass changeit

Imported certificate into trust store:

keytool -import -v -trustcacerts -alias mycert -keypass changeit -file mycert.cer -keystore cacerts.jks -storepass changeit

Added the following Connector into server.xml to allow Client Authentication:

<Connector port="443" scheme="https" secure="true"
           keystoreFile="C:/keystore.jks" keystorePass="changeit" keystoreType="JKS" keyAlias="mykey"
           truststoreFile="C:/cacerts.jks" truststorePass="changeit" truststoreType="JKS"
           sslProtocol="TLS" maxSpareThreads="75" maxThreads="350" uRIEncoding="UTF-8"
           minSpareThreads="25" clientAuth="true">
</Connector>

After starting Tomcat up, using netstat I can see that port 443 is listening...

When using IE to test the connection to the https default page I get IE's "no communication" web page displayed. If I use Firefox this gives me the following error:

SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert)

I was expecting a message to say that the client needs a client certificate? I then installed the client certificate mycert.cer into the client browsers, but it has no effect and I still receive the same error messages.

To check that I have SSL correctly installed, if I change clientAuth=true to clientAuth=false then the default Tomcat web page is displayed within the browsers.

What have I done wrong? I am thinking that it is the way that I have created the Trust store that is the problem?

Thanks for any help in advance...
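A way to check the two stores from the message above before restarting Tomcat, as an added example that is not code from this thread. It lists which aliases hold a private key and which hold only a trusted certificate, checks that the alias given as keyAlias is a key entry, and asks the same kind of JSSE trust manager used in the handshake whether it would accept a given client certificate. The class name and the argument order are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical diagnostic for a Connector with clientAuth="true". */
public class ClientAuthCheck {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Prints each alias and whether it is a private-key entry or only a trusted certificate. */
    static void describe(String label, KeyStore ks) throws Exception {
        System.out.println(label + ":");
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "private key + chain" : "trusted certificate only";
            System.out.println("  " + alias + " -> " + kind);
        }
    }

    /** Builds the X509TrustManager that JSSE derives from the given trust store. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True when a handshake presenting this certificate would pass the server's trust check. */
    static boolean serverWouldTrust(KeyStore trustStore, X509Certificate clientCert) throws Exception {
        try {
            trustManagerFor(trustStore)
                    .checkClientTrusted(new X509Certificate[] { clientCert }, "RSA");
            return true;
        } catch (CertificateException | RuntimeException e) {
            // RuntimeException covers a trust store that holds no trusted certificates at all.
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: java ClientAuthCheck <keystore.jks> <keystorePass> <keyAlias>"
                    + " <truststore.jks> <truststorePass> <client-cert.cer>");
            return;
        }
        KeyStore keyStore = loadJks(args[0], args[1].toCharArray());
        KeyStore trustStore = loadJks(args[3], args[4].toCharArray());
        describe("server key store", keyStore);
        describe("server trust store", trustStore);

        // The Connector's keyAlias must name an entry that carries a private key.
        System.out.println("keyAlias '" + args[2] + "' is a key entry: " + keyStore.isKeyEntry(args[2]));

        X509Certificate clientCert;
        try (InputStream in = new FileInputStream(args[5])) {
            clientCert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("client certificate trusted by server: "
                + serverWouldTrust(trustStore, clientCert));
    }
}
```

A passing trust check only covers the server side: the browser must also hold the private key that matches the client certificate, which a .cer export does not contain.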
RE: Need to share JVM for both tomcat and RMI server
(StandardService.java:516)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
 at com.proactivenet.server.EmbedTomcatThread.run(PlatformFactoryImpl.java:980)
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'com.bmc.sas.ngp.service.component.NGPComponentMetricsDataService' is defined
 at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:387)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:971)
 at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:246)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
 ... 35 more
ERROR 04/16 11:07:00 Stderr 700100 Apr 16, 2009 11:07:00 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart

But if I start tomcat using startup.sh then everything is working fine.

On Wed, Apr 15, 2009 at 7:56 PM, Jorge Medina jmed...@e-dialog.com wrote:

I guess you can start one from the other no matter what direction you choose. If you can package your RMI server as a webapp, you could just start your RMI server from a context listener. If you prefer to start Tomcat from your RMI server, just look at the catalina.sh script; starting Tomcat is just a matter of calling the bootstrapping class. Use the same class within your code.

-Original Message-
From: siranjeevi krishnan [mailto:siranjee...@gmail.com]
Sent: Wednesday, April 15, 2009 1:49 AM
To: users@tomcat.apache.org
Subject: Need to share JVM for both tomcat and RMI server

Hi

I want to know about the possibility of sharing a JVM for both tomcat and an RMI server. Any ways to start tomcat from my RMI server? How to programmatically start tomcat like startup.sh is doing? Is it possible to start my RMI server inside tomcat?

Regards
Siranjeevi

--
Regards
Siranjeevi
RE: Need to share JVM for both tomcat and RMI server
I guess you can start one from the other no matter what direction you choose. If you can package your RMI server as a webapp, just could start your RMI server from a context listener. If you prefer to start Tomcat from your RMI server, just look at the catalina.sh script, starting Tomcat is just a matter of calling the bootstraping class. Use the same class within your code. -Original Message- From: siranjeevi krishnan [mailto:siranjee...@gmail.com] Sent: Wednesday, April 15, 2009 1:49 AM To: users@tomcat.apache.org Subject: Need to share JVM for both tomcat and RMI server Hi I want to know about the possibility of sharing JVM for both tomcat and RMI server. Any ways to start tomcat from my RMI server. How to programatically start tomcat like how startup.sh is doing? Is it possible to start my RMI server inside tomcat? Regards Siranjeevi - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: JK 1.2.28 - load balancer worker fails on startup with one worker down ?
Your workers.properties looks fine. What is the content of uriworkermap.properties? -Original Message- From: swbrads...@gmail.com [mailto:swbrads...@gmail.com] On Behalf Of Scott Bradshaw Sent: Wednesday, April 15, 2009 3:51 PM To: users@tomcat.apache.org Subject: JK 1.2.28 - load balancer worker fails on startup with one worker down ? I apologize if this is a silly question, but I can't figure it out! I've looked over the documentation and I'm stumped. I have 5 load balanced workers defined. I have them setup and configured correctly. workers.properties file (partial - not including all the individual workers)
---
worker.mygpgby02.type=ajp13
worker.mygpgby02.host=mygpgby02.mycompany.com
worker.mygpgby02.port=8009
worker.loadbalancerprod.type=lb
worker.loadbalancerprod.balance_workers=mygpgby02,mygpgby03,mygpgby04,mygpgby05,mygpgby06
worker.list=loadbalancerprod
---
Now, here is the problem - one of those hosts (mygpgby06) is currently down for maintenance. Whenever I startup IIS, the ISAPI proxy won't work. The ISAPI log file shows this: (please note mycompany.com is not the actual url - i changed it)
[Wed Apr 15 14:22:00.463 2009] [4208:2848] [error] jk_ajp_common.c (2526): worker mygpgby06 can't resolve tomcat address mygpgby06.mycompany.com
[Wed Apr 15 14:22:00.463 2009] [4208:2848] [error] jk_worker.c (163): validate failed for mygpgby06
[Wed Apr 15 14:22:00.463 2009] [4208:2848] [error] jk_lb_worker.c (1599): Failed creating worker mygpgby06
[Wed Apr 15 14:22:00.479 2009] [4208:2848] [error] jk_lb_worker.c (1647): NULL parameters
[Wed Apr 15 14:22:00.479 2009] [4208:2848] [error] jk_worker.c (163): validate failed for loadbalancerprod
[Wed Apr 15 14:22:00.479 2009] [4208:2848] [error] jk_worker.c (262): failed to create worker loadbalancerprod
[Wed Apr 15 14:22:00.479 2009] [4208:2848] [error] jk_uri_worker_map.c (506): Could not find worker with name 'loadbalancerprod' in uri map post processing.
If I take this worker out of the balance_workers list, everything starts up fine. If I leave it in, my loadbalancerprod worker is completely dead. According to the documentation, When starting up, the web server plugin will instantiate the workers whose name appears in the worker.list property... So - one worker in the load balancer won't start so the whole load balancer is considered a failed worker. Is there a property I'm missing to make this work? Scott
RE: clustering error
Yes, you can test clustering using two tomcats on the same machine. -Original Message- From: supareno [mailto:reno.rkc...@free.fr] Sent: Saturday, April 11, 2009 7:12 AM To: Tomcat Users List Subject: clustering error hello, we're trying to do some tomcat clustering but i think that our implementation is not really good we have 2 tomcats on the same machine and we configured the clustering (same multicast port and ip and different tcplistenport) the problem is that we have a lot of errors in each tomcat log (multicast error) so my question is: is it possible to test the clustering with two tomcats on the same machine? regards supareno
RE: Migration from Tomcat 4.1 to 6.0
http://httpd.apache.org/docs/2.2/ Read Compiling and Installing section You will need to undertand the modules and directives of several modules. You will find in the Apache site instructions for mod_proxy, but if you decide mod_jk then here are the instructions http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html http://www.linuxjournal.com/article/8561 Can you please provide me step by step instruction... Don't expect the people in the list to do your work. Research, read, experiment! Then come back with specific questions. -Jorge -Original Message- From: Rashid Malik [mailto:rma...@dhmh.state.md.us] Sent: Wednesday, April 08, 2009 10:48 AM To: Tomcat Users List Subject: Re: Migration from Tomcat 4.1 to 6.0 Urgent Chris/Chuck, You are probably right about httpd. Please see the attached images for details. The reason why I thought I had a 2.2 application is because whenever I shutdown the 2.2 service, the main web site running on port 80 would not launch. Please excuse my naiveness about our configuration. I just recently inherited this system and was not provide any documentation.. so I am trying to figure it all out. Anyway, I only need to keep the tomcat 6.0 version of the tomcat. Can you please explain how I should configure httpd to work with the tomcat 6.0 version of the application, not 4.1. Chris provided me with the following instructions. It seems like I have to use mod_proxy_http or mod_proxy_ajp. Can you please provide me step by step instruction on how I should change my existing configuration to work with the newer application? Thank you so so much. God Bless... Rashid, On 4/7/2009 5:08 PM, Rashid Malik wrote: Hi, I changed port 8080 to 80 and I get page not found error. Please note that I have another website that is running on an older version of tomcat. Aah, you didn't mention that. Only one process may bind to a particular interface/port combination. In your case, port 80 is already taken (by Tomcat 4.1). 
If you want both Tomcat 4.1 ans 6.0 to appear to be using port 80, you will need to put another piece of software out in front in order to play traffic cop and properly route the requests to the appropriate server (app on TC4.1 versus app on TC6.0). Apache httpd is a popular choice for accomplishing this. You will have to: 1. Change Tomcat 4.1's configuration so that the HTTP port is something /other/ than port 80 (8080 is a popular choice) 2. Change Tomcat 6.0's configuration so that the HTTP port is something /other/ than port 80 and 8080 (8081?) 3. Install Apache httpd and have it listen on port 80 4. Configure httpd to send the appropriate requests to the appropriate back-end server To accomplish #4, you will need to use either mod_proxy_http, mod_proxy_ajp (both built-into Apache httpd 2.2.x) or mod_jk (which is a separate download). There is a lot of documentation for using mod_jk here: http://tomcat.apache.org/connectors-doc/ If you use mod_proxy_http, you'll need to do: ProxyPass /appA http://localhost:8080/appA ProxyPass /appB http://localhost:8081/appB That should be enough to get you started. - -chris Christopher Schultz ch...@christopherschultz.net 4/7/2009 6:03:42 pm -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rashid, On 4/7/2009 5:45 PM, Rashid Malik wrote: What I mean here is that I have three 3 installations of tomcat not 2. How many total web applications do you have? Do any of them have any requirements for which Tomcat version on which they are running? It sounds like the answer is I have 3 webapps and at least one of them requires Tomcat 6.0. If there are no other constraints, then just move all your webapps to Tomcat 6.0, uninstall Tomcat 4.1, and change Tomcat 6.0's Connector to port=80 as I said previously. There is tomcat 2.2 application (using port 80) As Chuck suggests, that is probably Apache httpd, which might actually make things easier. If this is the case, you have not correctly configured httpd to support your new application. 
Go into httpd's configuration and find out where your other application is configured. Read and /understand/ the configuration before you start changing things. Reading that configuration plus the config reference I already posted should clear a lot of things up. - -chris
RE: Tomcat 6 Cluster with Apache 2.2.9 issues
Remove your tomcat workers from the worker.list, you only need to reference the balance worker here:
worker.list=loadbalancer
your load balancer worker then refers to the tomcat workers:
worker.loadbalancer.balanced_workers=tomcat1,tomcat2,tomcat3
-Jorge -Original Message- From: nohacks [mailto:philipfwil...@gmail.com] Sent: Wednesday, April 08, 2009 4:11 PM To: users@tomcat.apache.org Subject: Re: Tomcat 6 Cluster with Apache 2.2.9 issues This is my workers.properties file too. Thanks Phil
# workers.properties
ps=/
# list the workers by name
worker.list=tomcat1,tomcat2,tomcat3,loadbalancer
#
# Specifies the load balance factor when used with
# a load balancing worker.
# Note:
# lbfactor must be 0
# Low lbfactor means less work done by the worker.
#
# First tomcat server
#
worker.tomcat1.port=18009
worker.tomcat1.host=192.168.70.101
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=33
#
# Second tomcat server
#
worker.tomcat2.port=19009
worker.tomcat2.host=192.168.70.102
worker.tomcat2.type=ajp13
worker.tomcat2.lbfactor=33
#
# Third tomcat server
#
worker.tomcat3.port=20009
worker.tomcat3.host=192.168.70.103
worker.tomcat3.type=ajp13
worker.tomcat3.lbfactor=33
# ---
# Load Balancer worker
#
#
# The loadbalancer (type lb) worker performs weighted round-robin
# load balancing with sticky sessions.
# Note:
# If a worker dies, the load balancer will check its state
#once in a while. Until then all work is redirected to peer
#worker.
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=tomcat1,tomcat2,tomcat3
#
# END workers.properties
#
-- View this message in context: http://www.nabble.com/Tomcat-6-Cluster-with-Apache-2.2.9-issues-tp22957994p22958289.html Sent from the Tomcat - User mailing list archive at Nabble.com.
RE: tomcat 6 session replication issues
What is your multicast address and port used by Tomcat to discover members of the cluster? Your sever.xml has a note [10.x.x.x]. This does not look like a multicast address. http://tldp.org/HOWTO/Multicast-HOWTO-2.html From: Jimmy Phillips [mailto:jimmy.phillip...@yahoo.com] Sent: Thursday, April 02, 2009 11:21 AM To: users@tomcat.apache.org Subject: tomcat 6 session replication issues Hi, I've been having issues with tomcat session replication. I have a number of tomcat servers running in a cluster mode, behind an Apache load balancer. The tomcat version is 6.0.18 on CentOS 5.1. Running the cluster using the DeltaManager seems to be working fine, however when I try to use the BackupManager for session replication, I get the following entries in the logs: Apr 1, 2009 3:28:42 AM org.apache.catalina.tribes.transport.nio.NioReceiver socketTimeouts WARNING: Channel key is registered, but has had no interest ops for the last 3000 ms. (cancelled:false):sun.nio.ch.selectionkeyi...@62af9d74 last access:2009-04-01 03:28:35.969 Apr 1, 2009 3:28:42 AM org.apache.catalina.tribes.transport.nio.NioReceiver socketTimeouts WARNING: Channel key is registered, but has had no interest ops for the last 3000 ms. (cancelled:false):sun.nio.ch.selectionkeyi...@4c4947d3 last access:2009-04-01 03:28:35.969 Apr 1, 2009 3:29:04 AM org.apache.catalina.tribes.group.interceptors.TcpFailureDetector memberDisappeared INFO: Received memberDisappeared[org.apache.catalina.tribes.membership.MemberImpl[tcp:/ /{10, 99, 86, 47}:4000,{10, 99, 86, 47},4000, alive=1380182,id={-121 25 -2 -7 81 -1 76 3 -92 -20 122 69 67 102 -31 -15 }, payload={}, command={}, domain={}, ]] message. Will verify. Apr 1, 2009 3:29:04 AM org.apache.catalina.tribes.group.interceptors.TcpFailureDetector memberDisappeared INFO: Verification complete. 
Member still alive[org.apache.catalina.tribes.membership.MemberImpl[tcp://{10, 99, 86, 47}:4000,{10, 99, 86, 47},4000, alive=1380182,id={-121 25 -2 -7 81 -1 76 3 -92 -20 122 69 67 102 -31 -15 }, payload={}, command={}, domain={}, ]] Apr 1, 2009 3:29:04 AM org.apache.catalina.tribes.tipis.AbstractReplicatedMap heartbeat SEVERE: Unable to send AbstractReplicatedMap.ping message org.apache.catalina.tribes.ChannelException: Operation has timed out(6 ms.).; Faulty members:tcp://{10, 99, 86, 47}:4000; at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(P arallelNioSender.java:97) at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessag e(PooledParallelSender.java:53) at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage( ReplicationTransmitter.java:80) at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelC oordinator.java:78) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(Chan nelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor.send Message(ThroughputInterceptor.java:61) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(Chan nelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor .sendMessage(MessageDispatchInterceptor.java:73) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(Chan nelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMes sage(TcpFailureDetector.java:87) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(Chan nelInterceptorBase.java:75) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216 ) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175 ) at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:89) at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.ping(AbstractRepl 
icatedMap.java:253) at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.heartbeat(Abstrac tReplicatedMap.java:793) at org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.jav a:153) at org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupC hannel.java:661) Of course the above entry is just one of many, for the different hosts. Searching the mailing lists, I found this post http://markmail.org/message/jv4dykh7fdhr4mvp which looks like the same problem I am having. The outcome of that thread states that the problem is fixed by a patch in revision 618823, so I compiled a version of the current 6.x trunk (rev 759722) and deployed it to all the servers. However, the problem is still appearing. I've attached a copy of the current server.xml ( it is common to all tomcat instances ). I've done a thread dump on one of the servers when these errors started appearing, and the output is attached, thread_dump.txt (removed threads that were running by our
RE: Session Replication in Cluster
Are your logs Apache logs? Mod_jk logs? If it is Apache, the question would probably be better answered in the Apache mailing list. Anyway, what does your LogFormat string look like? I bet what you see in the logs is the concatenation of the session ID and the worker name. I doubt two servers would generate the same hex digits for the session. Therefore, your server must be working as expected, you are just interpreting the logs incorrectly. -Original Message- From: Roy McMorran [mailto:mcmor...@mdibl.org] Sent: Thursday, April 02, 2009 10:59 AM To: Tomcat Users List Subject: Session Replication in Cluster Hello all, I've built a very simple 2-member Tomcat cluster for testing, but I am unable to get the session replication quite right. The problem is when I fail one member of the cluster. The behavior I was expecting is that the other cluster member would take over the session ids for the failed member. However it is appending its own jvmRoute value to the session id, and thus setting a new cookie. Details: I have 2 cluster members, itchy and scratchy, running on the same physical server, and CATALINA_BASE is /var/tomcat/itchy and /var/tomcat/scratchy respectively. Tomcat 6.0.18 binaries, etc. are at /usr/local/tomcat. Using mod_jk 1.2.27 on Apache 2.2.11 (Apache is also on the same server). I am using sticky sessions. Here are the access logs for the 2 members from a short failover experiment (note I'm including the session ID in the 2nd field). The session starts on scratchy. From scratchy_access_log.2009-04-02.txt:
192.168.200.177 E5BF3FFA9AEE1E3AB0DD4A96BA5E4011.scratchy - [02/Apr/2009:10:19:55 -0400] GET / HTTP/1.1 200 14612
192.168.200.177 E5BF3FFA9AEE1E3AB0DD4A96BA5E4011.scratchy - [02/Apr/2009:10:20:14 -0400] GET /about/ HTTP/1.1 200 19507
At 10:21:39 AM I do a kill -9 on the scratchy instance. Now the traffic goes to the other cluster member as expected.
From itchy_access_log.2009-04-02.txt:
192.168.200.177 E5BF3FFA9AEE1E3AB0DD4A96BA5E4011.itchy - [02/Apr/2009:10:22:11 -0400] GET /about/publications/ HTTP/1.1 200 18263
192.168.200.177 E5BF3FFA9AEE1E3AB0DD4A96BA5E4011.itchy - [02/Apr/2009:10:22:32 -0400] GET /about/changes/ HTTP/1.1 200 12736
Note however that the new member's jvmRoute value is now appended to the session id. I thought it was supposed to stay exactly the same after failover. Additional details can be found as follows: server.xml for itchy - see: http://gillnet.mdibl.org/~mcmorran/itchy-server.xml.txt server.xml for scratchy - see: http://gillnet.mdibl.org/~mcmorran/scratchy-server.xml.txt context.xml (identical) - see: https://gillnet.mdibl.org/~mcmorran/context.xml.txt workers.properties: https://gillnet.mdibl.org/~mcmorran/workers.properties I've also included the catalina.out file for both, from startup and through the test at: https://gillnet.mdibl.org/~mcmorran/itchy-catalina.out https://gillnet.mdibl.org/~mcmorran/scratchy-catalina.out I'd appreciate any advice on where I went wrong. Thanks and best wishes, Roy -- Roy McMorran Systems Administrator MDI Biological Laboratory mcmor...@mdibl.org
RE: mod_jk : recovery_options
Danke schön Rainer! Yes, all my transaction requests use POST. We only allow GET to get a couple of static files. -Jorge -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Tuesday, March 31, 2009 3:24 AM To: Tomcat Users List Subject: Re: mod_jk : recovery_options On 30.03.2009 22:24, Jorge Medina wrote: I did not get any response to my questions, but from previous messages (posted by Rainer Jung) I believe that using the default values for retry and recovery_options may produce the unexpected result I was having. I changed the recovery_options on my AJP workers to value 27. So far I have not seen the tests failing again. If mod_jk retried a request which might have resulted in duplicate transactions, then you should find info level log messages about that in your mod_jk log. If your application doesn't prevent against duplicate transaction execution, setting the recovery_options to 3 is recommended. Your value of 27 is safe, in case duplicate GETs and HEADs are fine for you. One example would be, if you always use POST for requesting changes you don't want to see duplicate. The official semantics of GET and HEAD require them to be idempotent, so with this assumption 27 is fine. Many apps do not satisfy this condition though and for them 3 would be better. Regards, Rainer
RE: mod_jk : recovery_options
I did not get any response to my questions, but from previous messages (posted by Rainer Jung) I believe that using the default values for retry and recovery_options may produce the unexpected result I was having. I changed the recovery_options on my AJP workers to value 27. So far I have not seen the tests failing again. -Jorge -Original Message- From: Jorge Medina [mailto:jmed...@e-dialog.com] Sent: Friday, March 27, 2009 4:16 PM To: users@tomcat.apache.org Subject: mod_jk : recovery_options Hi, I have an automated test of a web services application running on Tomcat (6.0.18) behind Apache (2.2.11) We use mod_jk (1.2.27) Our test suite runs a client against the Apache server on a system where we have a single Tomcat instance behind Apache. So far so good, all tests passed. Now, I tried using Apache as a load balancer; using two Tomcat instances behind Apache. All of my tests passed, except for one that failed in a strange way. The test does the following: deleteAllItems createItem (A) createItem (B) createItem (C) list = getAllItems() at this point we verify that we get 3 items on the list, but instead of 3, the list returned 4 items!! This was the only test that failed from a test suite of about 400. I ran the same test suite again and the error did not occur again. So, could it be related to the configuration of the mod_jk module in Apache? Currently we don't specify the recovery_options for the Tomcat worker (therefore it defaults to 0) in workers.properties. We do not specify the retries either, so it defaults to 2. I was wondering if in the test above, a createItem call was resent to a Tomcat instance due to some communication error, and therefore 4 items were created in the database instead of the 3 we expected. I would appreciate if someone could shed more light on the recovery_options from what it is found in the documentation.
Below is what I found on the documentation http://tomcat.apache.org/connectors-doc/reference/workers.html#Advanced%20Worker%20Directives Thanks a lot. -Jorge
-- recovery_options --
Worker Type: AJP,SUB
Default value: 0
Recovery options influence, how we should handle retries, in case we detect a problem with Tomcat. How often we will retry is controlled by the attribute retries. This attribute is a bit mask. The following bits are allowed:
1: don't recover if Tomcat failed after getting the request
2: don't recover if Tomcat failed after sending the headers to client
4: close the connection to Tomcat, if we detect an error when writing back the answer to the client (browser)
8: always recover requests for HTTP method HEAD (even if Bits 1 or 2 are set)
16: always recover requests for HTTP method GET (even if Bits 1 or 2 are set)
This feature has been added in jk 1.2.6. Option 4 has been added in version 1.2.16, options 8 and 16 in version 1.2.24.
mod_jk : recovery_options
Hi, I have an automated test of a web services application running on Tomcat (6.0.18) behind Apache (2.2.11) We use mod_jk (1.2.27) Our test suite runs a client against the Apache server on a system where we have a single Tomcat instance behind Apache. So far so good, all tests passed. Now, I tried using Apache as a load balancer; using two Tomcat instances behind Apache. All of my tests passed, except for one that failed in a strange way. The test does the following: deleteAllItems createItem (A) createItem (B) createItem (C) list = getAllItems() at this point we verify that we get 3 items on the list, but instead of 3, the list returned 4 items!! This was the only test that failed from a test suite of about 400. I ran the same test suite again and the error did not occur again. So, could it be related to the configuration of the mod_jk module in Apache? Currently we don't specify the recovery_options for the Tomcat worker (therefore it defaults to 0) in workers.properties. We do not specify the retries either, so it defaults to 2. I was wondering if in the test above, a createItem call was resent to a Tomcat instance due to some communication error, and therefore 4 items were created in the database instead of the 3 we expected. I would appreciate if someone could shed more light on the recovery_options from what it is found in the documentation. Below is what I found on the documentation http://tomcat.apache.org/connectors-doc/reference/workers.html#Advanced%20Worker%20Directives Thanks a lot. -Jorge
-- recovery_options --
Worker Type: AJP,SUB
Default value: 0
Recovery options influence, how we should handle retries, in case we detect a problem with Tomcat. How often we will retry is controlled by the attribute retries. This attribute is a bit mask.
The following bits are allowed:
1: don't recover if Tomcat failed after getting the request
2: don't recover if Tomcat failed after sending the headers to client
4: close the connection to Tomcat, if we detect an error when writing back the answer to the client (browser)
8: always recover requests for HTTP method HEAD (even if Bits 1 or 2 are set)
16: always recover requests for HTTP method GET (even if Bits 1 or 2 are set)
This feature has been added in jk 1.2.6. Option 4 has been added in version 1.2.16, options 8 and 16 in version 1.2.24.
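The recovery_options values discussed in the messages above (0, 3 and 27), as an added example that is not part of the original messages and is not mod_jk's own code: the Python below models the bit mask as the quoted documentation describes it and audits a workers.properties for AJP workers that could replay a POST. The stage names, function names, sample configuration and the treatment of failures before the request reaches Tomcat are assumptions of this example.

```python
import re

# Bit meanings, paraphrased from the documentation text quoted in the thread.
FLAGS = {
    1: "don't recover if Tomcat failed after getting the request",
    2: "don't recover if Tomcat failed after sending the headers to client",
    4: "close the connection to Tomcat on error writing back to the client",
    8: "always recover HEAD requests",
    16: "always recover GET requests",
}

# Failure stages used by this model (hypothetical names, not mod_jk identifiers).
BEFORE_REQUEST = "before_request"  # Tomcat never received the request
AFTER_REQUEST = "after_request"    # Tomcat failed after getting the request
AFTER_HEADERS = "after_headers"    # Tomcat failed after headers reached the client


def decode(value):
    """Return the list of bits set in a recovery_options value."""
    if value < 0 or value & ~sum(FLAGS):
        raise ValueError("recovery_options has bits outside 1,2,4,8,16: %r" % value)
    return [bit for bit in sorted(FLAGS) if value & bit]


def is_recoverable(value, method, stage):
    """True if, under this model, the request may be sent again after a failure."""
    bits = set(decode(value))
    if stage == BEFORE_REQUEST:
        return True  # assumption: nothing reached Tomcat, so a retry cannot duplicate work
    method = method.upper()
    if (method == "HEAD" and 8 in bits) or (method == "GET" and 16 in bits):
        return True  # bits 8 and 16 override bits 1 and 2 for these methods
    if stage == AFTER_REQUEST:
        return 1 not in bits
    if stage == AFTER_HEADERS:
        return 2 not in bits
    raise ValueError("unknown stage: %r" % stage)


DIRECTIVE = re.compile(r"^\s*worker\.([^.\s=]+)\.([A-Za-z_]+)\s*=\s*(\S+)\s*$")


def audit_workers(properties_text):
    """Map each ajp13 worker to the stages at which a POST could be replayed."""
    workers = {}
    for line in properties_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if match:
            name, key, value = match.groups()
            workers.setdefault(name, {})[key] = value
    findings = {}
    for name, cfg in sorted(workers.items()):
        if cfg.get("type") != "ajp13":
            continue  # the lb worker itself carries no recovery_options here
        # The thread states that an unset recovery_options defaults to 0.
        value = int(cfg.get("recovery_options", "0"))
        findings[name] = [stage for stage in (AFTER_REQUEST, AFTER_HEADERS)
                          if is_recoverable(value, "POST", stage)]
    return findings


# Constructed sample configuration (hosts are documentation addresses).
SAMPLE_PROPERTIES = """\
worker.list=loadbalancer
# tomcat1 leaves recovery_options unset, as in the failing test setup
worker.tomcat1.type=ajp13
worker.tomcat1.host=192.0.2.11
worker.tomcat1.port=8009
worker.tomcat2.type=ajp13
worker.tomcat2.host=192.0.2.12
worker.tomcat2.port=8009
worker.tomcat2.recovery_options=27
worker.tomcat3.type=ajp13
worker.tomcat3.host=192.0.2.13
worker.tomcat3.port=8009
worker.tomcat3.recovery_options=2
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=tomcat1,tomcat2,tomcat3
"""

if __name__ == "__main__":
    for value in (0, 3, 27):
        print(value, decode(value))
    for worker, stages in audit_workers(SAMPLE_PROPERTIES).items():
        print(worker, "POST may be replayed at:", stages or "never")
```

A worker reported with a non-empty list is one where a non-idempotent request such as the createItem call in the thread could be executed twice.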
RE: Need Help With Clustered Tomcat Sessions
Are you maintaining session stickiness? Did you configure Tomcat to replicate the sessions? -Original Message- From: Alston, Brian (US SSA) [mailto:brian.als...@baesystems.com] Sent: Thursday, March 19, 2009 1:40 PM To: users@tomcat.apache.org Subject: Need Help With Clustered Tomcat Sessions Hello All I am having trouble with my Tomcat cluster that I hope you can help with. First my setup: Apache Load Balancer: Windows Server 2003 - Apache 2.2.11 - 192.168.1.100 Tomcat Server 1: Windows Server 2003 - Tomcat 6.0.18 - 192.168.1.110 Tomcat Server 2: Windows Server 2003 - Tomcat 6.0.18 - 192.168.1.120 When I go to the Apache load balancer (http://192.168.1.100) the page comes up fine. When I go to the Java examples (http://192.168.1.100/examples/) and click on Servlets Examples and then on Sessions - Execute the page also comes up fine. It is here when I start to have problems. First, let me explain how I know I have problems. Here is another setup I have: Apache Load Balancer: RedHat Enterprise Linux 5 - Apache 2.2.3 - 192.168.2.100 Tomcat Server 1: Windows Server 2003 - Tomcat 6.0.18 - 192.168.2.110 Tomcat Server 2: Windows Server 2003 - Tomcat 6.0.18 - 192.168.2.120 When I go to my Linux load-balanced cluster and enter Name/Value Session Attributes into the Sessions Servlet Examples, they accumulate and I maintain the exact same Session ID. For example: Session ID: CCAE9F2E90A5311166E7B67CE003A727.tomcat1 The following data is in your session: color-sky = blue color-grass = green color-firetruck = red color-cloud = white No matter what I enter, I get an additional Name/Value Session Attribute pair and the exact same Session ID. Now, back to my Windows Server 2003 load-balanced cluster.
Whenever I enter any Name/Value Session Attribute pairs, the new name/value pair always replaces the old, and I end up with an entirely new Session ID to boot: Session ID: .tomcat1 Session ID: .tomcat2 Session ID: .tomcat1 Session ID: .tomcat2 Session ID: .tomcat1 Session ID: .tomcat1 . . . I am hoping that there is a simple fix for this because I have no clue. My Apache httpd.conf file and Tomcat server.xml files are exactly the same between the Linux load-balanced cluster and the Windows Server 2003 load-balanced cluster, so I assume that cannot be the cause. Any help will be greatly appreciated. Thanks for reading and have a good day.
RE: tcnative-1.dll
Check catalina.out (or whatever file your Tomcat is logging to). I get the following in Unix when not using the APR, you should get a similar message in Windows or a message indicating that the APR was found and loaded.
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/pdsdk/openssl/lib:/opt/pdsdk/apr/lib:/opt/pdsdk/apr-util/lib::/usr/java/jdk1.6.0_07/jre/lib/amd64/server:/usr/java/jdk1.6.0_07/jre/lib/amd64:/usr/java/packages/lib/amd64:/lib:/usr/lib
Mar 12, 2009 1:42:40 PM org.apache.coyote.http11.Http11Protocol init
-Jorge -Original Message- From: markov.ya...@neftochim.bg [mailto:markov.ya...@neftochim.bg] Sent: Friday, March 13, 2009 10:44 AM To: users@tomcat.apache.org Subject: tcnative-1.dll Hi, all How can I tell for sure that tcnative-1.dll is used by tomcat ? System is Windows 2003 SP2, Tomcat 5.5.20, JDK 1.5.0_11, tcnative-1.dll used is 1.1.12 Tomcat is started as a service. File tcnative-1.dll is placed in directory mentioned within -Djava.library.path =... in registry. If it's not in this directory there is a warning in stdout.log (which is the only one used for logging). (can't find... tcnative-1.dll... ), but when it's placed in the directory, there is no message about its loading (as stated in http://tomcat.apache.org/native-doc/). Difference in version behaviour, or...? Best Regards, YANKO MARKOV LTS BULGARIA
Tribes
Is there a way to get more documentation on the Tribes package? I would like to reuse the dynamic membership discovery feature of Tribes, but many of the links are not working on the page http://tomcat.apache.org/tomcat-6.0-doc/tribes/introduction.html

Thanks
-Jorge
RE: Apache Tom Cat in a VM as VMWARE or Red Hat Virtualization
There are no issues on running Tomcat in a VM. Tomcat is unaware of where it is running. Performance depends on the host running your VM. If you compare a VM running application A on host H compared to application A running directly on host H, you will notice that running on the real server is faster. This is true for any application, not just Tomcat.

-----Original Message-----
From: acacio costa [mailto:acaciofco...@yahoo.com.br]
Sent: Wednesday, February 18, 2009 2:33 PM
To: users@tomcat.apache.org
Subject: Apache Tom Cat in a VM as VMWARE or Red Hat Virtualization

Hi,

Does anyone use Apache Tom Cat in a VM as VMWARE or Red Hat Virtualization? I appreciate to know if you have issues and a tips to go on.

Other things to know, Performance comparative with a real server? as the same? better? What the parameters you perceive as better than other environment and what cause as you move Tom Cat to VM.

Thanks in advance,
Acacio Costa
RE: Tomcat in-memory (session) cookie
Hi Makaira,

I also found it hard to understand the concept of sessions and its relation to cookies. After all, HTTP is a stateless protocol, right?

Well, a servlet engine (as stated in the Servlet Engine specification pointed by Charles) must provide a way to provide some state. This is done by a special cookie with the name JSESSIONID. This value is passed back and forth between the client (a browser) and the server. If the request has the cookie JSESSIONID, then the server looks for the active sessions and joins the request to that session.

My confusion came from the fact that through the HttpSession object, you can access the cookies with methods that name them Attributes (getAttribute/setAttribute). It was unclear -to me- that it is the same stuff as a cookie.

The JSESSION attribute is handled by Tomcat, you don't have to set it. It is enough to add the attribute(s) you will later use.

By the way, cookies are stored -as files- by the browser just to persist them and make them available later on; but a cookie is not necessarily a file; certainly, you won't find them in the server filesystem, they live only in the Tomcat memory.

-Jorge

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, February 17, 2009 11:59 AM
To: Tomcat Users List
Subject: RE: Tomcat in-memory (session) cookie

> From: makaira nigricans [mailto:liame.e...@yahoo.com]
> Subject: Tomcat in-memory (session) cookie
>
> As I understood (maybe I understood wrongly)

You did.

> with every GET and POST request Tomcat generates cookie which it do not write on hard drive (so it cannot be seen in browser cookie manager).

You seem to be referring to HttpSession objects, which are not cookies. Session objects are created when a user is authenticated or when a webapp chooses to create a session. An identifier (JSESSIONID) for the Session is passed back to the client (browser) either via a cookie or as part of the URLs embedded in the response. Whether or not the browser chooses to accept or persist the cookie is up to the browser, not Tomcat.

> What are JSESSIONID, session, are those cookies?

Sounds like you need some basic education; try the servlet spec first:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html

Wikipedia has definitions and examples of standard computing terms such as cookie.

- Chuck
RE: Re: Trouble with cluster and JMX
To get more verbose messages, the documentation mentions to use the key org.apache.catalina.tribes.MESSAGES

I am currently trying it...

-Jorge

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric B.
Sent: Wednesday, February 11, 2009 11:55 PM
To: users@tomcat.apache.org
Subject: Re: Trouble with cluster and JMX

Filip Hanik - Dev Lists devli...@hanik.com wrote in message news:49937f4b.9050...@hanik.com...
> sure
> turn on
> org.apache.catalina.ha.level = FINE
> org.apache.catalina.tribes.level = FINE
> in logging.properties
> however, regular membership discovery over multicast show up even without these entries
> did you mark your webapp <distributable/>

Crap. Now that you mention it, I think I forgot to do that. Will have to check up on that tomorrow. However, after a bunch of fiddling around, putting the Manager within the context element got session replication working, even if it isn't marked as <distributable />. Would that be expected behaviour by putting the Manager in the context?

Will check tomorrow and post findings.

Thanks,
Eric
RE: Re: Trouble with cluster and JMX
I did not manage to get more logging from the tribes package. Did you? I am using the default tomcat-juli configuration, I didn't get any output about sessions replicating other than the initial startup messages.

-----Original Message-----
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Thursday, February 12, 2009 10:44 AM
To: Tomcat Users List
Subject: RE: Re: Trouble with cluster and JMX

To get more verbose messages, the documentation mentions to use the key org.apache.catalina.tribes.MESSAGES

I am currently trying it...

-Jorge

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On Behalf Of Eric B.
Sent: Wednesday, February 11, 2009 11:55 PM
To: users@tomcat.apache.org
Subject: Re: Trouble with cluster and JMX

Filip Hanik - Dev Lists devli...@hanik.com wrote in message news:49937f4b.9050...@hanik.com...
> sure
> turn on
> org.apache.catalina.ha.level = FINE
> org.apache.catalina.tribes.level = FINE
> in logging.properties
> however, regular membership discovery over multicast show up even without these entries
> did you mark your webapp <distributable/>

Crap. Now that you mention it, I think I forgot to do that. Will have to check up on that tomorrow. However, after a bunch of fiddling around, putting the Manager within the context element got session replication working, even if it isn't marked as <distributable />. Would that be expected behaviour by putting the Manager in the context?

Will check tomorrow and post findings.

Thanks,
Eric
RE: Oracle connection pooling
Try

    ds = (DataSource)context.lookup("java:/comp/env/jdbc/GFDataSource");

-----Original Message-----
From: Hamacher, Eric [mailto:eric_hamac...@gallup.com]
Sent: Thursday, February 12, 2009 3:52 PM
To: users@tomcat.apache.org
Subject: Oracle connection pooling

Hello:

I am in a bind. I am getting:

javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
    at org.apache.naming.NamingContext.lookup(NamingContext.java:770)
    at org.apache.naming.NamingContext.lookup(NamingContext.java:153)
    at org.apache.naming.SelectorContext.lookup(SelectorContext.java:137)
    at javax.naming.InitialContext.lookup(InitialContext.java:351)
    at survey.db.SurveyConnection.getConnection(SurveyConnection.java:66)
    at util.LoadDropdownListener.loadAllCodes(LoadDropdownListener.java:137)
    at util.LoadDropdownListener.contextInitialized(LoadDropdownListener.java:78)

when I add:

    <Resource name="jdbc/GFDataSource" auth="Container"
              type="oracle.jdbc.pool.OracleDataSource"
              factory="oracle.jdbc.pool.OracleDataSourceFactory"
              connectionCachingEnabled="true"
              maxActive="30" maxIdle="2" maxWait="1000"
              username="GLP_S" password="gideupstg"
              driverClassName="oracle.jdbc.driver.OracleDriver"
              url="jdbc:oracle:thin:@server::SID"/>

to either server.xml (under Server), config/context.xml (under Context), or in META-INF/context.xml. Here's what these files look like when I place Resource in them:

** SERVER.XML ***

    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JasperListener" />
      <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <GlobalNamingResources>
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                  pathname="conf/tomcat-users.xml" />
        <Resource name="jdbc/GFDataSource" auth="Container"
                  type="oracle.jdbc.pool.OracleDataSource"
                  factory="oracle.jdbc.pool.OracleDataSourceFactory"
                  connectionCachingEnabled="true"
                  maxActive="30" maxIdle="2" maxWait="1000"
                  username="username" password="password"
                  driverClassName="oracle.jdbc.driver.OracleDriver"
                  url="jdbc:oracle:thin:@server::SID"/>
      </GlobalNamingResources>
      <Service name="Catalina">
        <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
        <Engine name="Catalina" defaultHost="localhost">
          <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
          <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
                xmlValidation="false" xmlNamespaceAware="false">
          </Host>
        </Engine>
      </Service>
    </Server>

*** CONFIG/CONTEXT.XML ***

    <Context>
      <Resource name="jdbc/GFDataSource" auth="Container"
                type="oracle.jdbc.pool.OracleDataSource"
                factory="oracle.jdbc.pool.OracleDataSourceFactory"
                connectionCachingEnabled="true"
                maxActive="30" maxIdle="2" maxWait="1000"
                username="username" password="password"
                driverClassName="oracle.jdbc.driver.OracleDriver"
                url="jdbc:oracle:thin:@server::SID"/>
      <WatchedResource>WEB-INF/web.xml</WatchedResource>
    </Context>

*** META-INF/CONTEXT.XML ***

    <Context>
      <Resource name="jdbc/GFDataSource" auth="Container"
                type="oracle.jdbc.pool.OracleDataSource"
                factory="oracle.jdbc.pool.OracleDataSourceFactory"
                connectionCachingEnabled="true"
                maxActive="30" maxIdle="2" maxWait="1000"
                username="username" password="password"
                driverClassName="oracle.jdbc.driver.OracleDriver"
                url="jdbc:oracle:thin:@server::SID"/>
    </Context>

Here is the offending code:

    Context context = new InitialContext();
    DataSource pds = null;
    pds = (DataSource)context.lookup("jdbc/GFDataSource");
    Connection conn = pds.getConnection();
    context.close();

I have tried java:comp/env/jdbc/GFDataSource as well. I am using ojdbc14dms.jar and dms.jar.

J. ERIC HAMACHER
Software Application Developer
RE: Oracle connection pooling
Is your Oracle database port and is the name of your SID SID?

We use Oracle jdbc driver with Oracle 10g. I set the attributes on the resource to:

    type="javax.sql.DataSource"
    driverClassName="oracle.jdbc.OracleDriver"

and no factory

-----Original Message-----
From: Hamacher, Eric [mailto:eric_hamac...@gallup.com]
Sent: Thursday, February 12, 2009 3:52 PM
To: users@tomcat.apache.org
Subject: Oracle connection pooling

Hello:

I am in a bind. I am getting:

javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
    at org.apache.naming.NamingContext.lookup(NamingContext.java:770)
    at org.apache.naming.NamingContext.lookup(NamingContext.java:153)
    at org.apache.naming.SelectorContext.lookup(SelectorContext.java:137)
    at javax.naming.InitialContext.lookup(InitialContext.java:351)
    at survey.db.SurveyConnection.getConnection(SurveyConnection.java:66)
    at util.LoadDropdownListener.loadAllCodes(LoadDropdownListener.java:137)
    at util.LoadDropdownListener.contextInitialized(LoadDropdownListener.java:78)

when I add:

    <Resource name="jdbc/GFDataSource" auth="Container"
              type="oracle.jdbc.pool.OracleDataSource"
              factory="oracle.jdbc.pool.OracleDataSourceFactory"
              connectionCachingEnabled="true"
              maxActive="30" maxIdle="2" maxWait="1000"
              username="GLP_S" password="gideupstg"
              driverClassName="oracle.jdbc.driver.OracleDriver"
              url="jdbc:oracle:thin:@server::SID"/>

to either server.xml (under Server), config/context.xml (under Context), or in META-INF/context.xml. Here's what these files look like when I place Resource in them:

** SERVER.XML ***

    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JasperListener" />
      <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <GlobalNamingResources>
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                  pathname="conf/tomcat-users.xml" />
        <Resource name="jdbc/GFDataSource" auth="Container"
                  type="oracle.jdbc.pool.OracleDataSource"
                  factory="oracle.jdbc.pool.OracleDataSourceFactory"
                  connectionCachingEnabled="true"
                  maxActive="30" maxIdle="2" maxWait="1000"
                  username="username" password="password"
                  driverClassName="oracle.jdbc.driver.OracleDriver"
                  url="jdbc:oracle:thin:@server::SID"/>
      </GlobalNamingResources>
      <Service name="Catalina">
        <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
        <Engine name="Catalina" defaultHost="localhost">
          <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
          <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
                xmlValidation="false" xmlNamespaceAware="false">
          </Host>
        </Engine>
      </Service>
    </Server>

*** CONFIG/CONTEXT.XML ***

    <Context>
      <Resource name="jdbc/GFDataSource" auth="Container"
                type="oracle.jdbc.pool.OracleDataSource"
                factory="oracle.jdbc.pool.OracleDataSourceFactory"
                connectionCachingEnabled="true"
                maxActive="30" maxIdle="2" maxWait="1000"
                username="username" password="password"
                driverClassName="oracle.jdbc.driver.OracleDriver"
                url="jdbc:oracle:thin:@server::SID"/>
      <WatchedResource>WEB-INF/web.xml</WatchedResource>
    </Context>

*** META-INF/CONTEXT.XML ***

    <Context>
      <Resource name="jdbc/GFDataSource" auth="Container"
                type="oracle.jdbc.pool.OracleDataSource"
                factory="oracle.jdbc.pool.OracleDataSourceFactory"
                connectionCachingEnabled="true"
                maxActive="30" maxIdle="2" maxWait="1000"
                username="username" password="password"
                driverClassName="oracle.jdbc.driver.OracleDriver"
                url="jdbc:oracle:thin:@server::SID"/>
    </Context>

Here is the offending code:

    Context context = new InitialContext();
    DataSource pds = null;
    pds = (DataSource)context.lookup("jdbc/GFDataSource");
    Connection conn = pds.getConnection();
Clustering: Session replication
Hi,

I am trying to configure session replication using the Cluster object. The documentation says:

The IP broadcasted is java.net.InetAddress.getLocalHost().getHostAddress() (make sure you don't broadcast 127.0.0.1, this is a common error)

I just wrote a small java program to see what my system returns for java.net.InetAddress.getLocalHost().getHostAddress()

It returns 127.0.0.1

Is this something that needs to be changed by modifying the network configuration of the box?

-Jorge
FW: Clustering: Session replication
According to the Javadoc, InetAddress.getLocalHost() returns the loopback address. So...how do I control the broadcasting address?

-----Original Message-----
From: Jorge Medina
Sent: Tuesday, February 10, 2009 3:38 PM
To: 'users@tomcat.apache.org'
Subject: Clustering: Session replication

Hi,

I am trying to configure session replication using the Cluster object. The documentation says:

The IP broadcasted is java.net.InetAddress.getLocalHost().getHostAddress() (make sure you don't broadcast 127.0.0.1, this is a common error)

I just wrote a small java program to see what my system returns for java.net.InetAddress.getLocalHost().getHostAddress()

It returns 127.0.0.1

Is this something that needs to be changed by modifying the network configuration of the box?

-Jorge
RE: Clustering: Session replication
I am using a virtual environment. My machine did not have an entry for its IP address in /etc/hosts. I added the IP address with the name returned by the shell command `hostname`.

I think this probably would be resolved via DNS in a regular environment...but for now I am set.

Thanks
-Jorge

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, February 10, 2009 4:34 PM
To: Tomcat Users List
Subject: RE: Clustering: Session replication

> From: Jorge Medina [mailto:jmed...@e-dialog.com]
> Subject: FW: Clustering: Session replication
>
> According to the Javadoc, InetAddress.getLocalHost() returns the loopback address.

No, it doesn't; the sentence in question reads:

"If the operation is not allowed, an InetAddress representing the loopback address is returned."

You seem to have ignored the first clause in the sentence. InetAddress.getLocalHost().getHostAddress() gets me an external IP address on every system I can find.

- Chuck
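The check discussed in this thread, as an added example (not code from the thread or from Tomcat): it makes the same InetAddress.getLocalHost() call the cluster documentation refers to, flags a loopback result, and lists the interface addresses the host name could be mapped to instead. The class and method names are illustrative.

```java
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/** Added example: class and method names are illustrative, not part of Tomcat or Tribes. */
public class ClusterAddressCheck {

    /** True for an address that other cluster members cannot use to reach this host. */
    static boolean unusableForCluster(InetAddress addr) {
        return addr.isLoopbackAddress()    // 127.0.0.0/8 or ::1
            || addr.isAnyLocalAddress()    // 0.0.0.0 or ::
            || addr.isLinkLocalAddress();  // 169.254.0.0/16 or fe80::/10
    }

    /** IPv4 addresses bound to interfaces that are up and are not the loopback device. */
    static List<InetAddress> candidateAddresses() throws SocketException {
        List<InetAddress> found = new ArrayList<InetAddress>();
        Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
        if (nics == null) {
            return found; // no interfaces reported at all
        }
        for (NetworkInterface nic : Collections.list(nics)) {
            if (!nic.isUp() || nic.isLoopback()) {
                continue;
            }
            for (InetAddress addr : Collections.list(nic.getInetAddresses())) {
                if (addr instanceof Inet4Address && !unusableForCluster(addr)) {
                    found.add(addr);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: confirm the classifier before trusting it on live data.
        InetAddress loopback = InetAddress.getByAddress(new byte[] {127, 0, 0, 1});
        InetAddress privateLan = InetAddress.getByAddress(new byte[] {10, 0, 0, 5});
        if (!unusableForCluster(loopback) || unusableForCluster(privateLan)) {
            throw new AssertionError("classifier self-check failed");
        }

        // The call named in the documentation sentence quoted in the thread.
        try {
            InetAddress local = InetAddress.getLocalHost();
            System.out.println("getLocalHost(): " + local.getHostName()
                    + " -> " + local.getHostAddress());
            if (unusableForCluster(local)) {
                System.out.println("PROBLEM: the host name resolves to an address "
                        + "other nodes cannot connect to.");
                System.out.println("Map the name printed by `hostname` to an interface "
                        + "address in /etc/hosts or DNS.");
            } else {
                System.out.println("OK: not a loopback, wildcard or link-local address.");
            }
        } catch (UnknownHostException e) {
            System.out.println("PROBLEM: the local host name does not resolve: "
                    + e.getMessage());
        }

        // Addresses the host name could be mapped to instead.
        List<InetAddress> candidates = candidateAddresses();
        if (candidates.isEmpty()) {
            System.out.println("No non-loopback IPv4 address found on any interface that is up.");
        }
        for (InetAddress addr : candidates) {
            System.out.println("Candidate address for the host name: " + addr.getHostAddress());
        }
    }
}
```

Run it on each cluster node with the same user and JVM that start Tomcat, since name resolution can differ between environments.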
RE: Problem with mod_jk and Tomcat Native Connectors on Solaris
Hello Rainer! Thanks for your help.

I will follow your recommendation on upgrading, and I will need to learn how to configure a more verbose log and interpret them.

I found out the following:

- My client code (a java Axis2 client) had a timeout (I found it was 30 sec, I was under the assumption the default was 60s). When the client times out I would get a message "Read timed out"
- The above timeout was too short, the client would timeout before Apache (mod_jk) had a chance to retry the request to Tomcat.

I played with both timeouts, making sure the client timeout was always larger than the mod_jk reply_timeout for at least a factor of 2. This works perfectly in RedHat, but not in Solaris 10 (I tried sparc and x86, both compiled in 64-bit)

In Solaris, I think the Tomcat Native library just loses some requests. No matter how I configured the timeouts and retries, I always get some sporadic 504 Gateway timeout. Disabling the Tomcat Native library and keeping everything in mod_jk the same works fine.

So, for now I just disabled the Tomcat Native Library.

Thanks again for your response.

-Jorge

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, February 06, 2009 11:38 AM
To: Tomcat Users List
Subject: Re: Problem with mod_jk and Tomcat Native Connectors on Solaris

On 02.02.2009 20:01, Jorge Medina wrote:
> I am having problems with the mod_jk module 1.2.26 and Tomcat Native connectors running in Solaris 10. The problem occurs in both processors x86 (64-bit) and sparc (64-bit). (The problem does not occur on RedHat EL5 64-bit).
>
> On the mod_jk workers.properties file I am specifying a value for reply_timeout:
>
> worker.localworker.reply_timeout=1(10 seconds)
>
> I am anticipating that some requests would need more time, so I decided to run my test suite just increasing the value to 3. Oddly, with this value and running the same set of tests I get sporadic errors. The mod_jk log shows the following message when this occurs:
>
> [error] ajp_get_reply::jk_ajp_common.c (1730) : (localworker) Timeout with waiting reply from tomcat. Tomcat is down, stopped or nertwork problems (errno=145)
>
> I am using the following components:
> Apache Web Server 2.2.11
> APR 1.3.3
> APR-util 1.3.4
> openssl-0.9.8
> mod_jk1.2.26

Before debugging a problem you might consider switching to 1.2.27, because once everything works, you'll most likely not do the upgrade ;)

> Tomcat 6.0.16
> Tomcat Native Connectors 1.1.12 (using same APR version as Apache)

Please update to 1.1.16. There have been a couple of fixes in tcnative.

> jsvc
> Sun Java JDK 1.6
>
> I also found that the problem only occurs if the Tomcat Native Connectors is enabled in Tomcat.
>
> I can't figure why increasing the reply timeout would actually produce the errors it is supposed to prevent!!

I don't really understand: why do you think the timeout produces the problem? Setting the timeout means, that any reply taking longer than the timeout will be interrupted inside Apache and logged. So setting no timeout will not produce any log statements (by default the timeout is off), but I expect that you will still have long running requests.

To find out about the response times and the requests with long response times, add %D to your Apache LogFormat (response times in microseconds) and activate an access log in tomcat too, with a pattern that also contains %D (response times in milliseconds).

That way you can control during your tests, what tomcat resp. Apache think the response time actually was.

After verifying that Tomcat actually needs too long for some requests, you need to start to analyse why (locking in application, waiting for backend or database, etc.). You can use Java thread dumps for this (kill -QUIT).

> Any help is appreciated. I would like to benefit from the Tomcat Native Connectors, but I can't figure what I am configuring wrong.

Try 1.1.16.

> --- Below is my workers.properties ... ---
> worker.list= wlb, jkwatch, jkmanage
> # Properties for worker: localworker
> worker.localworker.type=ajp13
> worker.localworker.host=localhost
> worker.localworker.port=8009
> worker.localworker.lbfactor=1
> worker.localworker.connection_pool_timeout=600
> worker.localworker.socket_keepalive=True
> worker.localworker.socket_timeout=60
> ### this parameter causes trouble if increased to 3
> worker.localworker.reply_timeout=1
> #
> # Defining a load balancer (with a single worker, the local worker)
> worker.wlb.type=lb
> worker.wlb.balance_workers=localworker
> worker.wlb.max_reply_timeouts=3

I would add cping/cpong
RE: Can Tomcat accomplish this?
Maybe an ESB? (like Mule)

-----Original Message-----
From: Christopher Long [mailto:kord...@gmail.com]
Sent: Friday, February 06, 2009 2:19 PM
To: users@tomcat.apache.org
Subject: Can Tomcat accomplish this?

Hello:

I was just wondering if Tomcat is able to do something similar to what I've described below. If not, does anyone have any recommendations on a Web Server that can?

I'm attempting to find a web server that can basically act as a hub. Say if someone attempts to send a SOAP request to http://1.1.1.1/message1 it will redirect the message to the appropriate tool to handle it, whether it be a Java program or maybe even another web server.

This next part is optional, but ideal. After the message is passed off to the appropriate handler, the web server then waits for the response and will then forward it to the original sender.

So does anyone know if Tomcat is able to handle this, or of any other web server (open source) that can?

Thanks,
Chris Long
Classloaders
In server.xml, a Server may contain multiple Service elements. Each Service can define multiple Connectors but a single Engine. Each Engine can define multiple Hosts.

How does this relate to the classloaders -if at all-? I couldn't find any reference about it on:
http://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html

Would Tomcat create a classloader per each Host? Engine? or Service? If I define two Services, are they isolated by different classloaders?

-Jorge
RE: mod_jk
1) As far as I know, no, mod_jk does not read workers.properties dynamically.

2) Yes and no, it will not send a request unless communication has been established with the worker, it may happen that the worker fails, or someone shut it down. Depending on how you configure the workers and the number of workers, it can retry the request and/or try a different worker. Mod_jk will mark the worker on error when it does not respond, and it will try again after a configurable time -but it tries again with an actual request-.

-----Original Message-----
From: Mohit Anchlia [mailto:mohitanch...@gmail.com]
Sent: Thursday, February 05, 2009 11:53 AM
To: Tomcat Users List
Subject: mod_jk

Couple of questions regarding mod_jk:

1. Does apache read worker.properties dynamically? So if I change worker.property would it be dynamically read by mod_jk.
2. Does mod_jk check if the system is up and running before forwarding that request to the server configured in worker.properties file?
RE: tomcat memory leak problem
The problem may be in your web application and not in Tomcat itself. Duplicate your environment and use a memory profiler (like the one included with Netbeans), or use the extended JVM options to produce a HeapDump.

-----Original Message-----
From: fcxjp [mailto:fc...@163.com]
Sent: Thursday, February 05, 2009 11:14 AM
To: users@tomcat.apache.org
Subject: tomcat memory leak problem

My system environment is: Windows 2000 Server. JDK 1.5, tomcat 5.5, Oracle 9

The problems are:

1. After tomcat was started, the memory of the tomcat was normal, about 200M-300M. But after a certain time (this time was not set), the memory began to grow, and the growing speed was so fast that in about 5 minutes the maximum would be reached. The difference of this problem with other problems I've checked is, in other problems, the memory growing speed is continual and not so fast, while in our problem the memory didn't grow at the beginning, but after a certain time instead.

2. There is another strange phenomenon here. We restarted tomcat at 23:30 last night. We checked the log at 8:00 this morning and found out the system was not used by anyone during this time. But the memory of tomcat had reached to 1.5G, which is the maximum of tomcat's memory. Later, after some users began to use this system, tomcat's memory dropped to 500M+. How and why was the memory collected?

By the way, we have checked the code for any optimization, including StringBuffer, Vector, datasource connections, etc., which only resulted with a faster response speed for users, not any influence for the memory problem.
mod_jk sporadic errors
I am running Apache with mod_jk 1.2.26 module (on Solaris). In the same machine, I am running Tomcat 6.0.16 with the Tomcat Native Library 1.1.12 (linked to APR 1.3.3).

I am getting sporadic errors on the mod_jk log as shown below:

[Tue Feb 03 08:48:29.367 2009] [13821:22] [error] ajp_get_reply::jk_ajp_common.c (1730): (localworker) Timeout with waiting reply from tomcat. Tomcat is down, stopped or network problems (errno=145)
[Tue Feb 03 08:48:31.377 2009] [13821:22] [info] ajp_service::jk_ajp_common.c (2186): (localworker) sending request to tomcat failed (recoverable), because of reply timeout (attempt=1)

It seems that some of the requests (from Apache to Tomcat) just get lost by the Tomcat Native Library, Apache then resends the request. If that request does not produce any Tomcat response again, Apache responds to my client with 504 Gateway timeout but sometimes my client just times out before getting any response from Apache.

Has anybody experienced this problem? Any solution (other than disabling the Tomcat Native Library)?

-Jorge
What are the benefits of using Tomcat Native when using AJP connector?
Does anybody know what "significantly" means on the following paragraph of the Tomcat Native library?

"When APR is enabled, the AJP connector will use a socket poller for keepalive, increasing scalability of the server. As AJP is designed around a pool of persistent (or almost persistent) connections, this will reduce significantly the amount of processing threads needed by Tomcat. Unlike the HTTP connector, the AJP connector cannot use sendfile to optimize static file processing."

Taken from: http://tomcat.apache.org/tomcat-5.5-doc/apr.html

-Jorge
Problem with mod_jk and Tomcat Native Connectors on Solaris
Hi

I am having problems with the mod_jk module 1.2.26 and Tomcat Native connectors running in Solaris 10. The problem occurs in both processors x86 (64-bit) and sparc (64-bit). (The problem does not occur on RedHat EL5 64-bit).

On the mod_jk workers.properties file I am specifying a value for reply_timeout:

worker.localworker.reply_timeout=1(10 seconds)

I am anticipating that some requests would need more time, so I decided to run my test suite just increasing the value to 3. Oddly, with this value and running the same set of tests I get sporadic errors. The mod_jk log shows the following message when this occurs:

[error] ajp_get_reply::jk_ajp_common.c (1730) : (localworker) Timeout with waiting reply from tomcat. Tomcat is down, stopped or nertwork problems (errno=145)

I am using the following components:
Apache Web Server 2.2.11
APR 1.3.3
APR-util 1.3.4
openssl-0.9.8
mod_jk1.2.26
Tomcat 6.0.16
Tomcat Native Connectors 1.1.12 (using same APR version as Apache)
jsvc
Sun Java JDK 1.6

I also found that the problem only occurs if the Tomcat Native Connectors is enabled in Tomcat.

I can't figure why increasing the reply timeout would actually produce the errors it is supposed to prevent!!

Any help is appreciated. I would like to benefit from the Tomcat Native Connectors, but I can't figure what I am configuring wrong.

--- Below is my workers.properties ... ---

worker.list= wlb, jkwatch, jkmanage
# Properties for worker: localworker
worker.localworker.type=ajp13
worker.localworker.host=localhost
worker.localworker.port=8009
worker.localworker.lbfactor=1
worker.localworker.connection_pool_timeout=600
worker.localworker.socket_keepalive=True
worker.localworker.socket_timeout=60
### this parameter causes trouble if increased to 3
worker.localworker.reply_timeout=1
#
# Defining a load balancer (with a single worker, the local worker)
worker.wlb.type=lb
worker.wlb.balance_workers=localworker
worker.wlb.max_reply_timeouts=3

--- ... and here is the segment of server.xml ---

<Connector port="8009" protocol="AJP/1.3" connectionTimeout="60" enableLookups="false" bufferSize="32768" maxThreads="3000"/>

- Jorge