Re: How to setup Apache web server for a Tomcat deployed Spring application

2023-09-15 Thread Christopher Schultz

Martin,

On 9/15/23 14:48, Martin Moore wrote:

I have a situation where I want to call a Tomcat-deployed Spring
application remotely without adding the port number (8080). I had tried to
use 80 in Connector but wasn't able to connect to it when outside the LAN.


What's the motivation, here? It may allow for more flexible solutions. 
Are you trying to use non-8080, or are you trying to use non-secure, or 
both?



So I resorted to creating a proxy server using Apache2 Web Server (alongside
the Tomcat application server).

Unfortunately when I call the app using name1.domain.com/app/login it times
out and fails.
Following are the configuration for Apache2 and Tomcat:
In server.xml (Tomcat V8)
 http://qadat.qfls.idealab.unical.it/>com"
proxyPort="80"
   />

httpd.conf (under conf/ in Apache2)
...
LoadModule proxy_module modules/mod_proxy.so
...
ServerName  name1.domain. com:80


ProxyPass /app/login http://localhost:8080/app/login

ProxyPassReverse /app/login http://localhost:8080/app/login




Looks good so far, except I would put trailing / symbols on here:

 ProxyPass /app/login/ http://localhost:8080/app/login/
 ProxyPassReverse /app/login/ http://localhost:8080/app/login/

Your email program seems to have put links into hostnames that makes 
this a little difficult to interpret.



To note that on the local machine tomcat returns the app through
http://localhost:8080/app/login 

How to make the app requests proxied so that name1.domain.
com/app/login works and calls the
localhost:8080/app/login to return the Tomcat Spring app

To note that DocumentRoot was added and then removed and that the app
resides in webapps/ROOT


If you are using the ROOT web app, then you should be proxying / and not 
/app/login/ (unless you really expect to proxy exactly one URL). Is the 
app called 'app' or 'qadat'?


If you want to refer to your application as /app/ then you should deploy 
it at webapps/app


What URL are you actually typing into the browser URL bar?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



How to setup Apache web server for a Tomcat deployed Spring application

2023-09-15 Thread Martin Moore
Hello,

I have a situation where I want to call a Tomcat-deployed Spring
application remotely without adding the port number (8080). I had tried to
use 80 in Connector but wasn't able to connect to it when outside the LAN.
So I resorted to creating a proxy server using Apache2 Web Server (alongside
the Tomcat application server).

Unfortunately when I call the app using name1.domain.com/app/login it times
out and fails.
Following are the configuration for Apache2 and Tomcat:
In server.xml (Tomcat V8)
http://qadat.qfls.idealab.unical.it/>com"
   proxyPort="80"
  />

httpd.conf (under conf/ in Apache2)
...
LoadModule proxy_module modules/mod_proxy.so
...
ServerName  name1.domain. com:80


   ProxyPass /app/login http://localhost:8080/app/login

   ProxyPassReverse /app/login http://localhost:8080/app/login



To note that on the local machine tomcat returns the app through
http://localhost:8080/app/login 

How to make the app requests proxied so that name1.domain.
com/app/login works and calls the
localhost:8080/app/login to return the Tomcat Spring app

To note that DocumentRoot was added and then removed and that the app
resides in webapps/ROOT

Thanks.


Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-30 Thread Uday Kumar
Okay Thanks 

On Sat, Jul 1, 2023, 00:42 Christopher Schultz 
wrote:

> Uday,
>
> On 6/30/23 06:57, Uday Kumar wrote:
> > *Hello,*
> >
> > *Observations:*
> > *1. Issue not replicated through integrated tomcat of Spring-boot when
> the
> > application was started in IntelliJ IDE*
> > *2. Issue was replicated by installing Tomcat 9 on my local machine and
> > building the corresponding war file.*
> >
> > *In both the above cases, I use the same code and the same HTTP Client (*
> > *java.net.HttpURLConnection**) for calling other API which is on another
> > server.*
> >
> > *I even tried using **org.springframework.web.client.RestTemplate *client
> > for calling other API, but the same observations were seen as mentioned
> > above.
>
> I'm not sure what else to tell you. When your code makes outgoing HTTP
> connections, no Tomcat code is involved *at all*. Tomcat does not change
> any JVM-wide settings. Tomcat does not intercept any outgoing
> connections for observation, modification, or adulteration.
>
> You should attach a debugger to your process to determine where the
> Cache-Control header is being added.
>
> It is not being added by Tomcat.
>
> -chris
>
>
>


Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-30 Thread Christopher Schultz

Uday,

On 6/30/23 06:57, Uday Kumar wrote:

*Hello,*

*Observations:*
*1. Issue not replicated through integrated tomcat of Spring-boot when the
application was started in IntelliJ IDE*
*2. Issue was replicated by installing Tomcat 9 on my local machine and
building the corresponding war file.*

*In both the above cases, I use the same code and the same HTTP Client (*
*java.net.HttpURLConnection**) for calling other API which is on another
server.*

*I even tried using **org.springframework.web.client.RestTemplate *client
for calling other API, but the same observations were seen as mentioned
above.


I'm not sure what else to tell you. When your code makes outgoing HTTP 
connections, no Tomcat code is involved *at all*. Tomcat does not change 
any JVM-wide settings. Tomcat does not intercept any outgoing 
connections for observation, modification, or adulteration.


You should attach a debugger to your process to determine where the 
Cache-Control header is being added.


It is not being added by Tomcat.

-chris

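An added diagnostic, not code from this thread: it shows that java.net.HttpURLConnection itself writes Cache-Control: no-cache and Pragma: no-cache into the request whenever its useCaches flag is false, and that the flag is inherited from a process-wide default that any code in the same JVM can change. It assumes only a standard JDK 8 or later (the built-in com.sun.net.httpserver stands in for Server2); running the same check from inside the deployed war shows which default is in effect there.

```java
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpServer;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Records the request headers that HttpURLConnection actually puts on the wire
 * under three caching settings. No Tomcat, Spring or Varnish is involved, so
 * whatever shows up here is produced by the client library alone.
 */
public class CacheControlOriginCheck {

    /** Headers as received by the local stand-in for "API-2", one entry per request. */
    static final List<Headers> RECEIVED = new CopyOnWriteArrayList<>();

    public static void main(String[] args) throws Exception {
        // Stand-in for Varnish/Tomcat on Server2: it only records what it receives.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/api-2", exchange -> {
            RECEIVED.add(exchange.getRequestHeaders());
            byte[] body = "ok".getBytes(StandardCharsets.US_ASCII);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        try {
            URL api2 = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/api-2");

            // 1. Plain connection, inheriting whatever default this JVM currently has.
            boolean jvmDefault = api2.openConnection().getDefaultUseCaches();
            report("JVM default (useCaches=" + jvmDefault + ")", call(api2, null));

            // 2. Caching switched off on this one connection only.
            report("setUseCaches(false) on the connection", call(api2, Boolean.FALSE));

            // 3. Some other code in the same JVM flips the process-wide default; later
            //    connections that never call setUseCaches inherit it.
            api2.openConnection().setDefaultUseCaches(false);
            report("after setDefaultUseCaches(false) elsewhere in the JVM", call(api2, null));
        } finally {
            server.stop(0);
        }
    }

    /** Issues one GET; useCaches == null leaves the connection at the JVM default. */
    static Headers call(URL url, Boolean useCaches) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (useCaches != null) {
            conn.setUseCaches(useCaches);
        }
        conn.setRequestMethod("GET");
        try (InputStream in = conn.getInputStream()) {   // getInputStream sends the request
            while (in.read() != -1) { /* drain */ }
        } finally {
            conn.disconnect();
        }
        return RECEIVED.get(RECEIVED.size() - 1);
    }

    /** Prints the two headers the thread is about, as the receiving side saw them. */
    static void report(String scenario, Headers received) {
        System.out.printf("%-55s Cache-Control=%s Pragma=%s%n", scenario,
                received.getFirst("Cache-Control"), received.getFirst("Pragma"));
    }
}
```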



Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-30 Thread Uday Kumar
*Hello,*

*Observations:*
*1. Issue not replicated through integrated tomcat of Spring-boot when the
application was started in IntelliJ IDE*
*2. Issue was replicated by installing Tomcat 9 on my local machine and
building the corresponding war file.*

*In both the above cases, I use the same code and the same HTTP Client (*
*java.net.HttpURLConnection**) for calling other API which is on another
server.*

*I even tried using **org.springframework.web.client.RestTemplate *client
for calling other API, but the same observations were seen as mentioned
above.

"Tomcat is not an HTTP client and provides no HTTP client API. You need
> to look at whatever code is issuing the request from Tomcat on Server1
> to Varnish on Server2. The one thing I can be certain of is that no
> Tomcat code is involved. "
>


Thanks & Regards,
Uday Kumar


Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Mark Thomas

On 28/06/2023 16:49, Uday Kumar wrote:

Hello Mark,

In continuation of my previous mail,
*Just in a while, I could replicate the issue on my local machine by
installing Tomcat 9 explicitly [Now, I could see cache-control headers are
being transmitted to Varnish of server2]*

*Point to note here,*
*Issue not replicated through integrated tomcat of Spring-boot*
*Issue replicated by installing Tomcat 9 on my local machine and building
corresponding war files.*

*I suspect, there is the configuration of Tomcat which is responsible for
setting Cache-control and pragma header by default to outgoing requests.*


This is absolutely, categorically NOT the case. Tomcat has NOTHING to do 
with outgoing HTTP requests. This is an issue with your configuration of 
whatever HTTP client library you are using to make these requests.


*Kindly check and let me know if I am missing anything.*


This part of my previous reply:

"Tomcat is not an HTTP client and provides no HTTP client API. You need 
to look at whatever code is issuing the request from Tomcat on Server1 
to Varnish on Server2. The one thing I can be certain of is that no 
Tomcat code is involved. "


Mark




We have tried replicating the issue by using a local machine (spring-boot

application as an API-1 with integrated tomcat) to hit API-2 which is on
Server2, in this case, Cache-Control headers are *not being transmitted*
to Varnish of server2.



Thanks & Regards,
Uday Kumar






Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Uday Kumar
Hello Mark,

In continuation of my previous mail,
*Just in a while, I could replicate the issue on my local machine by
installing Tomcat 9 explicitly [Now, I could see cache-control headers are
being transmitted to Varnish of server2]*

*Point to note here,*
*Issue not replicated through integrated tomcat of Spring-boot*
*Issue replicated by installing Tomcat 9 on my local machine and building
corresponding war files.*

*I suspect, there is the configuration of Tomcat which is responsible for
setting Cache-control and pragma header by default to outgoing requests.*

*Kindly check and let me know if I am missing anything.*

We have tried replicating the issue by using a local machine (spring-boot
> application as an API-1 with integrated tomcat) to hit API-2 which is on
> Server2, in this case, Cache-Control headers are *not being transmitted*
> to Varnish of server2.
>

Thanks & Regards,
Uday Kumar


Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Uday Kumar
*Hi Mark,*

*You need to upgrade.*
*Noted!*


Will there be any default cache-control headers that are set (when they are
not set explicitly by API-1) by Tomcat when issuing a request from Tomcat
on Server1 to Varnish on Server2?

*You need to look at whatever code is issuing the request from Tomcat on
Server1 to Varnish on Server2*
We have tried replicating the issue by using a local machine (spring-boot
application as an API-1 with integrated tomcat) to hit API-2 which is on
Server2, in this case, Cache-Control headers are *not being transmitted* to
Varnish of server2.

Tomcat is not an HTTP client and provides no HTTP client API. You need
> to look at whatever code is issuing the request from Tomcat on Server1
> to Varnish on Server2. The one thing I can be certain of is that no
> Tomcat code is involved.
>

Thanks & Regards,
Uday Kumar


Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Mark Thomas

On 28/06/2023 14:23, Uday Kumar wrote:

Hello All,

Our application operates on a dual-server setup, where each server is
dedicated to running a distinct API.

*Technical specifications:*
Framework: Spring-boot v2.4 (Java 1.8)
Runtime Environment: Tomcat
Version: Apache Tomcat/7.0.42


Tomcat 7 reached End Of Life on 31 March 2021 - more than two years ago

https://tomcat.apache.org/tomcat-70-eol.html

You need to upgrade.



Server1 runs API-1 and Server2 runs API-2. Both servers are equipped with
an installed Varnish application. When either API is accessed, the request
is processed through the Varnish instance associated with the respective
server.

*Issue Description:*
In a typical scenario, a client (browser) sends a request to API-1, which
is handled by the Varnish instance on Server1. After initial processing,
API-1 makes a subsequent request to API-2 on Server2.

The Request Flow is as follows:
*Browser --> Varnish on Server1 --> Tomcat on Server1 --> Varnish on
Server2 --> Tomcat on Server2*

*Assuming, the request from Browser will be a miss at Server1 Varnish so
that the request reaches Tomcat(Backend) on server1.*

In cases where the browser *does not include any cache-control headers in
the request* (e.g., no-cache, max-age=0), the Server1 Varnish instance
correctly *does not receive any cache-control headers*.

*However, when API-1 calls API-2, we observe that a cache-control: no-cache
and p**ragma: no-cache headers are being transmitted to the Varnish
instance on Server2*, despite the following conditions:

1. We are not explicitly sending any cache-control header in our
application code during the call from API-1 to API-2.
2. Our application does not use the Spring-security dependency, which by
default might add such a header.
3. The cache-control header is not being set by the Varnish instance on
Server2.

This unexpected behavior of receiving a cache-control header at Server2's
Varnish instance when invoking API-2 from API-1 is the crux of our issue.

We kindly request your assistance in understanding the cause of this
unexpected behavior. Additionally, we would greatly appreciate any guidance
on how to effectively prevent this issue from occurring in the future.


Tomcat is not an HTTP client and provides no HTTP client API. You need 
to look at whatever code is issuing the request from Tomcat on Server1 
to Varnish on Server2. The one thing I can be certain of is that no 
Tomcat code is involved.


Mark




Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Uday Kumar
Hello All,

Our application operates on a dual-server setup, where each server is
dedicated to running a distinct API.

*Technical specifications:*
Framework: Spring-boot v2.4 (Java 1.8)
Runtime Environment: Tomcat
Version: Apache Tomcat/7.0.42
Server1 runs API-1 and Server2 runs API-2. Both servers are equipped with
an installed Varnish application. When either API is accessed, the request
is processed through the Varnish instance associated with the respective
server.

*Issue Description:*
In a typical scenario, a client (browser) sends a request to API-1, which
is handled by the Varnish instance on Server1. After initial processing,
API-1 makes a subsequent request to API-2 on Server2.

The Request Flow is as follows:
*Browser --> Varnish on Server1 --> Tomcat on Server1 --> Varnish on
Server2 --> Tomcat on Server2*

*Assuming, the request from Browser will be a miss at Server1 Varnish so
that the request reaches Tomcat(Backend) on server1.*

In cases where the browser *does not include any cache-control headers in
the request* (e.g., no-cache, max-age=0), the Server1 Varnish instance
correctly *does not receive any cache-control headers*.

*However, when API-1 calls API-2, we observe that a cache-control: no-cache
and p**ragma: no-cache headers are being transmitted to the Varnish
instance on Server2*, despite the following conditions:

1. We are not explicitly sending any cache-control header in our
application code during the call from API-1 to API-2.
2. Our application does not use the Spring-security dependency, which by
default might add such a header.
3. The cache-control header is not being set by the Varnish instance on
Server2.

This unexpected behavior of receiving a cache-control header at Server2's
Varnish instance when invoking API-2 from API-1 is the crux of our issue.

We kindly request your assistance in understanding the cause of this
unexpected behavior. Additionally, we would greatly appreciate any guidance
on how to effectively prevent this issue from occurring in the future.

Thanks & Regards
Uday Kumar


Re: How to setup client certificate based authentication in Tomcat 9

2023-05-23 Thread Christopher Schultz

Omkar,

On 5/3/23 00:28, Patkar Omkar Anant wrote:
The server A where tomcat is running... it hosts a REST based 
application (BPMN based called Camunda ... it’s a 3rd party application).

For e.g., when an application wants to trigger a workflow or BPMN
deployed in Camunda, then they will fire the appropriate request to URL
that looks something like this: -



https://<Server A or machine where Camunda is deployed in tomcat>/engine-rest/process-definition/key/<name of the process to be invoked>/start


Now, the requirement is ..., there are several custom processes
deployed and multiple clients invoke multiple processes available with
Camunda,... hence the  is the dynamic
part here.

We want to apply client certificate authentication only for one of
the process that only Application B will invoke using the above URL.

This ^^^ is the important part.

Are you using a reverse-proxy, or are clients connecting directly to Tomcat?


Thus, we are looking at: -

1) Applying client certificate authentication to only a particular URL and not 
for all URLs.


In order to do this, you have to tell Tomcat to "ask" for the 
certificate but not require it. The configuration for this is in 
conf/server.xml in the [1] you use for your secure endpoint e.g.:



2) How to create the trust store ? How is it different from keystore?
can I use cacerts of the java that is used by tomcat as the trust
store ?
The only difference between key stores and trust stores is how you use 
them. Physically, on the disk, they are the same thing. Java can use JKS 
or PKCS12 keystores, which is just a way to put multiple keys and/or 
certificates into a single file.



3) Is enabling SSL mandatory for client certificate authentication ?
because we any ways will import the client certificate in the trust
store so is enabling SSL and sharing server certificate to client
required here ?
Yes. Client-certificate-based authentication is often called "mutual 
authentication" because the client authenticates the server (which is 
very common and what happens when you visit https://www.wikipedia.org/) 
and ALSO the server authenticates the client (which is less common, and 
really only used for private connections where the server knows all of 
the clients who might connect). The certificates are traded back and 
forth during the TLS handshake, so TLS is indeed required.


There is probably a way to use X.509 keys and certificates for mutual 
authentication that doesn't involve TLS but your server and client would 
have to invent a new way to do that and implement it on both sides of an 
unencrypted connection.


-chris


[1] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

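An added example for question 1 above (not from the thread, and not Camunda's or Tomcat's own code): with the connector set to certificateVerification="optional" and a truststoreFile holding Application B's certificate, Tomcat validates any presented chain during the handshake and exposes it as the request attribute javax.servlet.request.X509Certificate, so a servlet filter can demand a certificate from a pinned subject on one process-start URL while every other URL stays open. The protected path and the allowed subject DN are hypothetical init-params; map the filter in web.xml to the URL pattern of interest.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Requires a verified client certificate, from an allowed subject, for one URL only.
 * The TLS work is done by Tomcat's connector (certificateVerification="optional",
 * truststoreFile=...): with "optional" (not "optionalNoCA") a chain only reaches the
 * webapp after it validated against the trust store, so this filter checks presence
 * and identity, not signatures.
 */
public class ProcessStartClientCertFilter implements Filter {

    /** Set by Tomcat when the TLS handshake carried a validated client chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private String protectedPath;
    private Set<X500Principal> allowedSubjects;

    @Override
    public void init(FilterConfig cfg) {
        // Both defaults are hypothetical values; override them with init-params in web.xml.
        protectedPath = param(cfg, "protectedPath",
                "/engine-rest/process-definition/key/app-b-only-process/start");
        allowedSubjects = new HashSet<>();
        for (String dn : param(cfg, "allowedSubjects", "CN=application-b,O=Example Org").split(";")) {
            allowedSubjects.add(new X500Principal(dn.trim()));   // canonical DN comparison
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isProtected(request)) {          // all other process URLs stay open to every client
            chain.doFilter(req, res);
            return;
        }
        String reason = rejectionReason(request.isSecure(),
                (X509Certificate[]) request.getAttribute(CERT_ATTR));
        if (reason == null) {
            chain.doFilter(req, res);
            return;
        }
        // Detail goes to the server log only; the caller just sees 403.
        request.getServletContext().log("client-cert check refused " + request.getRequestURI()
                + " from " + request.getRemoteAddr() + ": " + reason);
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /** Match the decoded, normalised path Tomcat computed rather than the raw request line. */
    boolean isProtected(HttpServletRequest request) {
        String path = request.getContextPath() + request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        return path.equals(protectedPath);
    }

    /** Returns null when the request may proceed, otherwise a short reason for the log. */
    String rejectionReason(boolean secure, X509Certificate[] chain) {
        if (!secure) {
            return "not a TLS connection";
        }
        if (chain == null || chain.length == 0) {
            return "no client certificate presented";
        }
        X500Principal subject = chain[0].getSubjectX500Principal();   // chain[0] is the client's own cert
        if (!allowedSubjects.contains(subject)) {
            return "subject not allowed: " + subject.getName();
        }
        return null;
    }

    private static String param(FilterConfig cfg, String name, String fallback) {
        String value = cfg.getInitParameter(name);
        return value == null ? fallback : value;
    }

    @Override
    public void destroy() {
    }
}
```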



RE: How to setup client certificate based authentication in Tomcat 9

2023-05-02 Thread Patkar Omkar Anant
Hi Christopher,



Thank you for your help. We really appreciate it  ... Apologies for late reply 
though, as I am communicating with my office email id, and we had leaves here I 
could only reply now.



I will provide some more information here so that it is possible to imagine our 
requirement: -



The server A where tomcat is running... it hosts a REST based application (BPMN 
based called Camunda ... it’s a 3rd party application).

For e.g., when an application wants to trigger a workflow or BPMN deployed in 
Camunda, then they will fire the appropriate request to URL that looks 
something like this: -



https://<Server A or machine where Camunda is deployed in tomcat>/engine-rest/process-definition/key/<name of the process to be invoked>/start



Now, the requirement is ..., there are several custom processes deployed and 
multiple clients invoke multiple processes available with Camunda,... hence the 
 is the dynamic part here.

We want to apply client certificate authentication only for one of the process 
that only Application B will invoke using the above URL.

Thus, we are looking at: -

1) Applying client certificate authentication to only a particular URL and not 
for all URLs.

2) How to create the trust store ? How is it different from keystore ? can I 
use cacerts of the java that is used by tomcat as the trust store ?

3) Is enabling SSL mandatory for client certificate authentication ? because we 
any ways will import the client certificate in the trust store so is enabling 
SSL and sharing server certificate to client required here ?



Let me know if you need any more information.



Thanks and Regards

Omkar Patkar



-Original Message-
From: Christopher Schultz 
Sent: Wednesday, April 26, 2023 10:28 PM
To: users@tomcat.apache.org
Subject: Re: How to setup client certificate based authentication in Tomcat 9



Parkar,



On 4/26/23 10:34, Patkar Omkar Anant wrote:

> I am a bit newbie to this domain of client certificate-based

> authentication. We have two applications … A(server) and B(client).

>

> Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API based

> application). Application B invokes the rest api of application A.

>

> Now we want to introduce client certificate-based authentication

> between A and B.

Good for you. I wish more and more services would (a) offer this and (b) 
actually use it.



> So far based on information I have gathered from the internet all I

> have got is different pieces, but I am not able to connect the dots

> how to setup or configure tomcat (where A is hosted) to achieve this

> requirement. > I have been provided certificate by application B that

> is going to access our application A.

Good so far. You need to configure Application A (server) with a "trust store" 
which contains that certificate.



> But what are realms, how to map them with the certificate provided to

> us and configure that realm in tomcat, where to store the certificate

> provided by client, how to enforce webapp on system A to go for client

> certificate authentication etc…these dots I am not able to connect.

You are very unlikely to need a Realm at all.



Will you be requiring a client cert for every connection, or is it only for 
some users?



> It would be great and appreciated, if someone can guide me the correct

> sequence and steps I should follow ? … basically, help me to connect

> the dots. 

In order to get Tomcat to request and/or process a client's TLS certificate, 
you need to alter your  to include some of these:



(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)



truststoreFile (points to the JKS or P12 (preferred) file that contains your 
trusted certificates)



certificateVerification (choose either "optional" for requesting but not 
requiring it for all clients or "required" to require a certificate to be 
presented by all clients)



If you just want to require all requests to present that certificate, then you 
need:



certificateVerification="required"

truststoreFile="mykeystore.p12"

truststorePassword="secret"



This should do all the checking you need. You should not even have to configure 
your web application to use CLIENT-CERT authentication unless you want to be 
able to identify the caller from within the application.



If you want that, reply and I can explain what happens next.



-chris







Re: How to setup client certificate based authentication in Tomcat 9

2023-04-26 Thread Christopher Schultz

Parkar,

On 4/26/23 10:34, Patkar Omkar Anant wrote:

I am a bit newbie to this domain of client certificate-based
authentication. We have two applications … A(server) and B(client).

Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API
based application). Application B invokes the rest api of application
A.

Now we want to introduce client certificate-based authentication
between A and B.
Good for you. I wish more and more services would (a) offer this and (b) 
actually use it.



So far based on information I have gathered from the internet all I
have got is different pieces, but I am not able to connect the dots
how to setup or configure tomcat (where A is hosted) to achieve this
requirement. >
I have been provided certificate by application B that is going to
access our application A.
Good so far. You need to configure Application A (server) with a "trust 
store" which contains that certificate.



But what are realms, how to map them with the certificate provided to
us and configure that realm in tomcat, where to store the certificate
provided by client, how to enforce webapp on system A to go for
client certificate authentication etc…these dots I am not able to
connect.

You are very unlikely to need a Realm at all.

Will you be requiring a client cert for every connection, or is it only 
for some users?



It would be great and appreciated, if someone can guide me the
correct sequence and steps I should follow ? … basically, help me to
connect the dots. 
In order to get Tomcat to request and/or process a client's TLS 
certificate, you need to alter your  to include some of these:


(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

truststoreFile (points to the JKS or P12 (preferred) file that contains 
your trusted certificates)


certificateVerification (choose either "optional" for requesting but not 
requiring it for all clients or "required" to require a certificate to 
be presented by all clients)


If you just want to require all requests to present that certificate, 
then you need:


certificateVerification="required"
truststoreFile="mykeystore.p12"
truststorePassword="secret"

This should do all the checking you need. You should not even have to 
configure your web application to use CLIENT-CERT authentication unless 
you want to be able to identify the caller from within the application.


If you want that, reply and I can explain what happens next.

-chris




How to setup client certificate based authentication in Tomcat 9

2023-04-26 Thread Patkar Omkar Anant
Hi,

I am a bit newbie to this domain of client certificate-based authentication. We 
have two applications … A(server) and B(client).
Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API based 
application). Application B invokes the rest api of application A.

Now we want to introduce client certificate-based authentication between A and 
B. So far based on information I have gathered from the internet all I have got 
is different pieces, but I am not able to connect the dots how to setup or 
configure tomcat (where A is hosted) to achieve this requirement.

I have been provided certificate by application B that is going to access our 
application A.
But what are realms, how to map them with the certificate provided to us and 
configure that realm in tomcat, where to store the certificate provided by 
client, how to enforce webapp on system A to go for client certificate 
authentication etc…these dots I am not able to connect.

It would be great and appreciated, if someone can guide me the correct sequence 
and steps I should follow ? … basically, help me to connect the dots. 

Thanks and Regards
Omkar Patkar


ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.71]

2023-01-13 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer executable:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases

(Why an alternative installer for Windows? See the "Background" section in
the documentation for details.)

New in the 9.0.71 installer:

The installer now prompts before overwriting older and different files in
the conf directory when upgrading.


RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Yanhua Wusands
> Is it true that all traffic seen by Tomcat must have been sent over TLS 
> between the user agent and AWS LB?

Yes, that is true, at least it is my understanding...

-Original Message-
From: Mark Thomas  
Sent: Wednesday, August 31, 2022 12:57 PM
To: users@tomcat.apache.org
Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

On 31/08/2022 17:39, Yanhua Wusands wrote:
> You are right, tomcat is sitting behind AWS LB, where SSL is enabled; once it 
> is passed that, tomcat is set up to listen on 8080.
> If I understand you correctly, we will need to setup SSL in TOMCAT as well in 
> order to have HSTS working, is it right?

No. That is not correct.

There are several options at this point. We need more information to identify 
the best one.

Is it true that all traffic seen by Tomcat must have been sent over TLS between 
the user agent and AWS LB?

Mark

> 
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, August 31, 2022 11:21 AM
> To: users@tomcat.apache.org
> Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in 
> TOMCAT
> 
> You don't have any TLS connectors configured so the HSTS filter isn't going 
> to do anything.
> 
> Given you access the server via port 443 but Tomcat is only listening on port 
> 8080 you must have a reverse proxy configured somewhere that is likely 
> terminating the TLS.
> 
> You need to configure HSTS wherever the TLS is being terminated.
> 
> As an aside, you need to be *very* careful proxying secure traffic to an HTTP 
> connector on Tomcat. I trust that you have the appropriate configuration in 
> place (typically the RemoteIpValve) to ensure that Tomcat can correctly 
> identify which traffic has been received via a secure channel and which via 
> an insecure channel.
> 
> Mark
> 
> 
> On 31/08/2022 16:10, Yanhua Wusands wrote:
>> >   acceptorThreadCount="2"
>>   acceptCount="20"
>>   maxConnections="200"
>>   maxThreads="200"
>>   minSpareThreads="10"
>>   scheme="https"
>>   proxyPort="443"
>>   redirectPort="8443"
>>/>
>>
>>   
>>   
>>   
>>   
>>   
>>   
>>
>>   
>>   
>>
>>
>>
>> -Original Message-
>> From: Mark Thomas 
>> Sent: Wednesday, August 31, 2022 11:03 AM
>> To: users@tomcat.apache.org
>> Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in 
>> TOMCAT
>>
>> On 31/08/2022 15:36, Yanhua Wusands wrote:
>>> We are using TOMCAT 9.0.40 on linux, and are trying to set up 
>>> Strict-Transport-Security per requirement from our security team.
>>>
>>> We followed this note:
>>> https://urldefense.com/v3/__https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5iy8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-UbrvgSvSAepZe_e-U8$
>>>
>>> Changed $CATALINA_HOME/conf/web.xml
>>>
>>> With:
>>>
>>>   
>>>
>>>httpHeaderSecurity
>>>
>>>
>>> org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>>
>>>true
>>>
>>> 
>>>
>>> hstsEnabled
>>>
>>> true
>>>
>>> 
>>>
>>> 
>>>
>>> hstsMaxAgeSeconds
>>>
>>> 31556927
>>>
>>> 
>>>
>>>
>>>
>>> And uncommented:
>>>
>>>httpHeaderSecurity
>>>/*
>>>REQUEST
>>>
>>>
>>> After we restarted TOMCAT APACHE, we still couldn't see 
>>> Strict-Transport-Security using following curl cmd:
>>>
>>> curl -i -s https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-UbrvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security
>>>
>>> I am reaching out to see if there is any additional steps need to be done 
>>> for settin

Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Mark Thomas

On 31/08/2022 17:39, Yanhua Wusands wrote:

You are right, tomcat is sitting behind AWS LB, where SSL is enabled; once it 
is passed that, tomcat is set up to listen on 8080.
If I understand you correctly, we will need to setup SSL in TOMCAT as well in 
order to have HSTS working, is it right?


No. That is not correct.

There are several options at this point. We need more information to 
identify the best one.


Is it true that all traffic seen by Tomcat must have been sent over TLS 
between the user agent and AWS LB?


Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Yanhua Wusands
You are right, Tomcat is sitting behind an AWS LB, where SSL is enabled; once it
is past that, Tomcat is set up to listen on 8080.
If I understand you correctly, we will need to set up SSL in Tomcat as well in
order to have HSTS working, is that right?

-Original Message-
From: Mark Thomas  
Sent: Wednesday, August 31, 2022 11:21 AM
To: users@tomcat.apache.org
Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

You don't have any TLS connectors configured so the HSTS filter isn't going to 
do anything.

Given you access the server via port 443 but Tomcat is only listening on port 
8080 you must have a reverse proxy configured somewhere that is likely 
terminating the TLS.

You need to configure HSTS wherever the TLS is being terminated.

As an aside, you need to be *very* careful proxying secure traffic to an HTTP 
connector on Tomcat. I trust that you have the appropriate configuration in 
place (typically the RemoteIpValve) to ensure that Tomcat can correctly 
identify which traffic has been received via a secure channel and which via an 
insecure channel.

Mark


On 31/08/2022 16:10, Yanhua Wusands wrote:
>   acceptorThreadCount="2"
>  acceptCount="20"
>  maxConnections="200"
>  maxThreads="200"
>  minSpareThreads="10"
>  scheme="https"
>  proxyPort="443"
>  redirectPort="8443"
>   />
> 
>  
>  
>  
>  
>  
>  
> 
>  
>  
> 
> 
> 



Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Mark Thomas
You don't have any TLS connectors configured so the HSTS filter isn't 
going to do anything.


Given you access the server via port 443 but Tomcat is only listening on 
port 8080 you must have a reverse proxy configured somewhere that is 
likely terminating the TLS.


You need to configure HSTS wherever the TLS is being terminated.

As an aside, you need to be *very* careful proxying secure traffic to an 
HTTP connector on Tomcat. I trust that you have the appropriate 
configuration in place (typically the RemoteIpValve) to ensure that 
Tomcat can correctly identify which traffic has been received via a 
secure channel and which via an insecure channel.


Mark


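Two ways to give Tomcat the per-request scheme information that Mark's answer above depends on, as an added example (this is not configuration from the thread): conf/server.xml fragments for TLS terminated at a load balancer with Tomcat listening on plain HTTP 8080. The load balancer address range and the X-Forwarded-* header names are assumptions.

```xml
<!-- Added example, not from the thread. HttpHeaderSecurityFilter only writes
     Strict-Transport-Security when request.isSecure() is true, and a plain HTTP
     connector reports false for every request unless Tomcat is told otherwise.
     Assumptions: the LB sets X-Forwarded-Proto / X-Forwarded-For and sits in 10.0.0.0/8. -->
<Service name="Catalina">

  <!-- Option A: only if EVERY request reaching this port was TLS at the LB
       (the question Mark asks). secure="true" marks all requests secure, including
       anything that reaches 8080 without passing through the LB, so restrict the
       port to the LB at the network level if you choose this. -->
  <!--
  <Connector port="8080" protocol="HTTP/1.1"
             scheme="https" secure="true" proxyPort="443" />
  -->

  <!-- Option B: let the LB state it per request. The connector stays plain;
       RemoteIpValve derives scheme, secure flag and server port from X-Forwarded-Proto. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- Only connections whose source matches internalProxies are trusted,
           so a client connecting directly cannot forge X-Forwarded-Proto: https.
           The regex is an assumed LB range; never widen it to match everything. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpsServerPort="443" />
    </Host>
  </Engine>
</Service>
```

Verify with the same curl pipeline the thread uses: with Option B the header appears only on responses to requests that arrived from a trusted proxy carrying X-Forwarded-Proto: https, which is the behaviour you want.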



RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Yanhua Wusands

-Original Message-
From: Mark Thomas
Sent: Wednesday, August 31, 2022 11:03 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

Please provide the Connector element(s) (with sensitive data like passwords
masked) from your $CATALINA_BASE/conf/server.xml file.

Mark


Re: How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Mark Thomas

On 31/08/2022 15:36, Yanhua Wusands wrote:

Please provide the Connector element(s) (with sensitive data like 
passwords masked) from your $CATALINA_BASE/conf/server.xml file.


Mark




How to setup Strict-Transport-Security in TOMCAT

2022-08-31 Thread Yanhua Wusands
We are using TOMCAT 9.0.40 on Linux, and are trying to set up
Strict-Transport-Security per a requirement from our security team.

We followed this note:
https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html

Changed $CATALINA_HOME/conf/web.xml

With:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31556927</param-value>
        </init-param>
    </filter>

And uncommented:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

After we restarted TOMCAT APACHE, we still couldn't see
Strict-Transport-Security using the following curl cmd:

curl -i -s https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home | grep -i Strict-Transport-Security

I am reaching out to see if there are any additional steps that need to be done
for setting up this security flag.




Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-20 Thread Christopher Schultz

Jon,

On 7/13/22 12:16, jonmcalexan...@wellsfargo.com.INVALID wrote:

> Here is the error we are getting. The login form, hosted by Tomcat, does a POST
> to the /login/login.fcc for siteminder which is on the HTTPD server and is not
> behind the proxypass or proxypassreverse.
>
> javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
> 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: Unable to get Channel Secure Session: Unable to perform siteminder handshake
> java.lang.Exception: Unable to perform siteminder handshake
>
> Our SiteMinder team is telling us it's not their issue. Again, this POST worked
> fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.


When you migrated from mod_jk -> mod_proxy, did you arrange to have all 
SSL information forwarded over the connection? mod_jk with the AJP 
connector handles a lot of that magic for you, but mod_proxy does not by 
default.


Have a look at this presentation, starting around slide 30: 
https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http


If your users are using TLS client certs with httpd, they may not be 
sent-over to Tomcat and will therefore be unavailable for use from 
Tomcat -> SiteMinder. You can fix this with some 
SSLProxySomethingOrOther directives on the httpd side and the SSLValve 
on the Tomcat side. Note that if you aren't using SSLValve you probably 
are *also* not using RemoteIPValve, which you probably want to use.


-chris


-Original Message-
From: jonmcalexan...@wellsfargo.com.INVALID

Sent: Tuesday, July 12, 2022 5:22 PM
To: users@tomcat.apache.org
Subject: RE: [OT] issues with Tomcat to Siteminder communication post mod-
proxy setup

I'm wondering if it is having to do with the SMSESSION cookie not getting
passed correctly. Still trying to figure this one out.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, July 12, 2022 9:16 AM
To: users@tomcat.apache.org
Subject: Re: [OT] issues with Tomcat to Siteminder communication post
mod- proxy setup

Jon,

On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:

Chris,

Moving this discussion to here. Yes, it appears that I broke
something when

setting up the Tomcat Connector for the mod-proxy that is now
affecting, somehow, the SSL communication with the Site Minder
services. Here is the connector we added below.

The only reason I can think of that would cause your Tomcat TLS
connector configuration to affect your SiteMinder thing is if you are
trying to specify the javax.net.ssl.trustStore system property for the
entire JVM, and allowing Tomcat to inherit that.


Temporarily have set certificateVerification to optional to see if
it was something with the communication between HTTPD and Tomcat.

  
maxThreads="100"

compression="on" scheme="https" SSLEnabled="true" secure="true">

  
certificateVerification="optional" truststoreFile="" truststorePassword=""
truststoreType="JKS"


ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,


Assuming truststoreFile is not actually _blank_, then this should be fine.


  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
  TLS_DHE_RSA_WITH_AES_128_CCM,
  TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
  TLS_DHE_RSA_WITH_AES_128_CCM_8,
  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">

 

AW: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

did you hijack that topic or is it related to that?
If it's a new topic, please start a new thread with an appropriate subject.

Thanks!

> -Ursprüngliche Nachricht-
> Von: Jasmin Ćatić 
> Gesendet: Freitag, 15. Juli 2022 10:56
> An: Tomcat Users List 
> Betreff: Re: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> Hello,
> 
> Can someone please give me a step by step guide on how to make my
> tomcat webapp available online with a domain name.
> Thanks.
> 
> Regards,
> JC
> 

Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-15 Thread Jasmin Ćatić
Hello,

Can someone please give me a step by step guide on how to make my tomcat
webapp available online with a domain name.
Thanks.

Regards,
JC


RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread jonmcalexander
Could this potentially be caused by

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
But not using Tomcat Native?

Thanks,

Jon McAlexander

AW: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Ursprüngliche Nachricht-
> Von: jonmcalexan...@wellsfargo.com.INVALID
> 
> Gesendet: Mittwoch, 13. Juli 2022 18:17
> An: users@tomcat.apache.org
> Betreff: RE: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> Here is the error we are getting. The login form, hosted by Tomcat, does a
> POST to the /login/login.fcc for siteminder which is on the HTTPD server and
> is not behind the proxypass or proxypassreverse.
>
> javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
> 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: Unable to get Channel Secure Session: Unable to perform siteminder handshake
> java.lang.Exception: Unable to perform siteminder handshake
>
> Our SiteMinder team is telling us it's not their issue. Again, this POST worked
> fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.
> 
> Thanks,
> 

This error message is most likely thrown by the application and not by tomcat.
The underlying error would be important including the full stack below.
Are there some "caused by" Exceptions below?
Otherwise the siteminder application is hiding the underlying Exception.

 
> 
> 
> > -Original Message-
> > From: jonmcalexan...@wellsfargo.com.INVALID
> > 
> > Sent: Tuesday, July 12, 2022 5:22 PM
> > To: users@tomcat.apache.org
> > Subject: RE: [OT] issues with Tomcat to Siteminder communication post
> > mod- proxy setup
> >
> > I'm wondering if it is having to do with the SMSESSION cookie not
> > getting passed correctly. Still trying to figure this one out.
> >
> > Thanks,
> >
> > > -Original Message-
> > > From: Christopher Schultz 
> > > Sent: Tuesday, July 12, 2022 9:16 AM
> > > To: users@tomcat.apache.org
> > > Subject: Re: [OT] issues with Tomcat to Siteminder communication
> > > post
> > > mod- proxy setup
> > >
> > > Jon,
> > >
> > > On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > > Chris,
> > > >
> > > > Moving this discussion to here. Yes, it appears that I broke
> > > > something when
> > > setting up the Tomcat Connector for the mod-proxy that is now
> > > affecting, somehow, the SSL communication with the Site Minder
> > > services. Here is the connector we added below.
> > >
> > > The only reason I can think of that would cause your Tomcat TLS
> > > connector configuration to affect your SiteMinder thing is if you
> > > are trying to specify the javax.net.ssl.trustStore system property
> > > for the entire JVM, and allowing Tomcat to inherit that.
> > >
> > > > Temporarily have set certificateVerification to optional to see if
> > > > it was something with the communication between HTTPD and Tomcat.
> > > >
> > > >   > > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > maxThreads="100"
> > > > compression="on" scheme="https" SSLEnabled="true" secure="true">
> > > >
> > >

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread jonmcalexander
Here is the error we are getting. The login form, hosted by Tomcat, does a POST 
to the /login/login.fcc for siteminder which is on the HTTPD server and is not 
behind the proxypass or proxypassreverse.

javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 
PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: 
  Unable to get Channel Secure Session: Unable to perform siteminder 
handshake
java.lang.Exception: Unable to perform siteminder handshake

Our SiteMinder team is telling us it's not their issue. Again, this POST worked 
fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.

Thanks,


> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Tuesday, July 12, 2022 5:22 PM
> To: users@tomcat.apache.org
> Subject: RE: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> I'm wondering if it is having to do with the SMSESSION cookie not getting
> passed correctly. Still trying to figure this one out.
> 
> Thanks,
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Tuesday, July 12, 2022 9:16 AM
> > To: users@tomcat.apache.org
> > Subject: Re: [OT] issues with Tomcat to Siteminder communication post
> > mod- proxy setup
> >
> > Jon,
> >
> > On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Chris,
> > >
> > > Moving this discussion to here. Yes, it appears that I broke
> > > something when
> > setting up the Tomcat Connector for the mod-proxy that is now
> > affecting, somehow, the SSL communication with the Site Minder
> > services. Here is the connector we added below.
> >
> > The only reason I can think of that would cause your Tomcat TLS
> > connector configuration to affect your SiteMinder thing is if you are
> > trying to specify the javax.net.ssl.trustStore system property for the
> > entire JVM, and allowing Tomcat to inherit that.
> >
> > > Temporarily have set certificateVerification to optional to see if
> > > it was something with the communication between HTTPD and Tomcat.
> > >
> > >   > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="100"
> > > compression="on" scheme="https" SSLEnabled="true" secure="true">
> > >
> > >   > certificateVerification="optional" truststoreFile="" truststorePassword=""
> > truststoreType="JKS"
> > >
> > > ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> >
> > Assuming truststoreFile is not actually _blank_, then this should be fine.
> >
> > >  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > >  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > >  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> > >  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-12 Thread jonmcalexander
I'm wondering if it is having to do with the SMSESSION cookie not getting 
passed correctly. Still trying to figure this one out.

Thanks,

> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, July 12, 2022 9:16 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> Jon,
> 
> On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> > Moving this discussion to here. Yes, it appears that I broke something when
> setting up the Tomcat Connector for the mod-proxy that is now affecting,
> somehow, the SSL communication with the Site Minder services. Here is the
> connector we added below.
> 
> The only reason I can think of that would cause your Tomcat TLS connector
> configuration to affect your SiteMinder thing is if you are trying to specify 
> the
> javax.net.ssl.trustStore system property for the entire JVM, and allowing
> Tomcat to inherit that.
> 
> > Temporarily have set certificateVerification to optional to see if it
> > was something with the communication between HTTPD and Tomcat.
> >
> >   > protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="100"
> > compression="on" scheme="https" SSLEnabled="true" secure="true">
> >
> >   certificateVerification="optional" truststoreFile="" truststorePassword=""
> truststoreType="JKS"
> >
> > ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> 
> Assuming truststoreFile is not actually _blank_, then this should be fine.
> 
> >  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> >  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> >  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> >  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> >  TLS_DHE_RSA_WITH_AES_128_CCM,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> >  TLS_DHE_RSA_WITH_AES_128_CCM_8,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> >  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >  
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> >
> >   > Type="RSA" certificateKeystoreFile=".pfx"
> > certificateKeystorePassword="" certificateKeystoreType="pkcs12" />
> 
> Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for you,
> since you are using only an RSA key.
> 
> Is your SiteMinder client code using its own special trust store and key 
> store?
> If you are getting a handshake failure (mentioned in your message to
> dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
> Received fatal alert: bad_certificate error"), you might want to start looking
> there. The problem is very unlikely to be your Tomcat configuration or
> anything related to it, unless you use the same key store and trust store for
> both.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org





Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-12 Thread Christopher Schultz

Jon,

On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:

Chris,

Moving this discussion to here. Yes, it appears that I broke something when 
setting up the Tomcat Connector for the mod-proxy that is now affecting, 
somehow, the SSL communication with the Site Minder services. Here is the 
connector we added below.


The only reason I can think of that would cause your Tomcat TLS 
connector configuration to affect your SiteMinder thing is if you are 
trying to specify the javax.net.ssl.trustStore system property for the 
entire JVM, and allowing Tomcat to inherit that.


Temporarily have set certificateVerification to optional to see if 
it was something with the communication between HTTPD and Tomcat.


 

 

Assuming truststoreFile is not actually _blank_, then this should be fine.


 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
 TLS_DHE_RSA_WITH_AES_128_CCM,
 TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
 TLS_DHE_RSA_WITH_AES_128_CCM_8,
 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">

 


Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for 
you, since you are using only an RSA key.


Is your SiteMinder client code using its own special trust store and key 
store? If you are getting a handshake failure (mentioned in your message 
to dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException: 
Received fatal alert: bad_certificate error"), you might want to start 
looking there. The problem is very unlikely to be your Tomcat 
configuration or anything related to it, unless you use the same key 
store and trust store for both.


-chris




[OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-08 Thread jonmcalexander
Chris,

Moving this discussion to here. Yes, it appears that I broke something when 
setting up the Tomcat Connector for the mod-proxy that is now affecting, 
somehow, the SSL communication with the Site Minder services. Here is the 
connector we added below. Temporarily have set certificateVerification to 
optional to see if it was something with the communication between HTTPD and 
Tomcat.










Thanks,



AW: AW: Request for SSL Setup

2022-06-28 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Manibharathi R 
> Sent: Tuesday, 28 June 2022 08:56
> To: Tomcat Users List 
> Subject: Re: AW: Request for SSL Setup
> 
> Thanks for your prompt response.
> 
> Could you please send me the procedure for how we can generate
> certificate files?
> 
> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> Sent: Tuesday, June 28, 2022 12:13 PM
> To: Tomcat Users List
> Subject: AW: Request for SSL Setup
> 
> This email came from an external source. Please do not click links or open
> attachments unless you recognize the sender.
> 
> 
> Hello,
> 
> > -Original Message-
> > From: Manibharathi R 
> > Sent: Tuesday, 28 June 2022 07:16
> > To: users@tomcat.apache.org
> > Subject: Request for SSL Setup
> >
> > Dear Team,
> >
> > Greetings,
> >
> > I have done keystore generation, import key features and changes done
> > in server.xml. But still I am unable to access through https.
> >
> > Kindly send me the causes of this issue
> >
> > Regards,
> > R.Manibharathi,
> > AM,Android Mobile App Developer
> >
> > 
> >
> 
> Could you please check all logfiles if there are some errors shown?
> Any stacktraces, warnings or errors visible?
> Is there a line like "org.apache.coyote.AbstractProtocol.start Starting
> ProtocolHandler ["https-openssl-nio-443"]" ?
> 
> Greetings, Thomas
> 
> 
> Regards,
> R.Manibharathi,
> AM,Android Mobile App Developer
> 

You can do it e.g. with keytool:
https://stackoverflow.com/questions/42541356/how-to-create-a-self-signed-ssl-certificate-for-use-with-tomcat
This generates a self-signed certificate which is suitable for development and 
testing purposes.

Another method is using OpenSSL but this involves multiple steps:
https://www.baeldung.com/openssl-self-signed-cert

If you need a public signed certificate, you can generate a CSR with OpenSSL 
and send it to a certificate authority to get it signed.

Background information:
For using SSL you always need a matching keypair, that is a public and a 
private key. The private key is signed.
The client needs to trust the signature (with the corresponding signature's 
public key).
A jks-file can store both keys. Alternatively you can use two separate files 
(e.g. in PEM-format) and configure the tomcat-connector to use both files.

Greetings, Thomas






Re: AW: Request for SSL Setup

2022-06-28 Thread Manibharathi R

Thanks for your prompt response.

Could you please send me the procedure for how we can generate certificate
files?

-Original Message-
From: Thomas Hoffmann (Speed4Trade GmbH)
Sent: Tuesday, June 28, 2022 12:13 PM
To: Tomcat Users List
Subject: AW: Request for SSL Setup



Hello,


-Original Message-
From: Manibharathi R 
Sent: Tuesday, 28 June 2022 07:16
To: users@tomcat.apache.org
Subject: Request for SSL Setup

Dear Team,

Greetings,

I have done keystore generation, import key features and changes done in
server.xml. But still I am unable to access through https.

Kindly send me the causes of this issue

Regards,
R.Manibharathi,
AM,Android Mobile App Developer





Could you please check all logfiles if there are some errors shown?
Any stacktraces, warnings or errors visible?
Is there a line like "org.apache.coyote.AbstractProtocol.start Starting
ProtocolHandler ["https-openssl-nio-443"]" ?

Greetings, Thomas


Regards,
R.Manibharathi,
AM,Android Mobile App Developer




This email and its attachments may contain confidential, proprietary or legally 
privileged information and is intended solely for the use of the individual or 
entity to whom it is addressed. If you have erroneously received this message, 
please delete it immediately and notify the sender. Any unauthorized review, 
use, disclosure, dissemination, forwarding, printing or copying of this email 
or any action taken in reliance on this e-mail is strictly prohibited and may 
be unlawful. E-mail transmission cannot be guaranteed to be secure or 
error-free as information could be intercepted, corrupted, lost, destroyed, 
incomplete or contain viruses and any views expressed in this message are those 
of the individual sender and no binding nature of the message shall be implied 
or assumed unless the sender does so expressly with due authority of Suguna 
Foods Private Limited, its associates/subsidiaries.




AW: Request for SSL Setup

2022-06-28 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: Manibharathi R 
> Sent: Tuesday, 28 June 2022 07:16
> To: users@tomcat.apache.org
> Subject: Request for SSL Setup
> 
> Dear Team,
> 
> Greetings,
> 
> I have done keystore generation, import key features and changes done in
> server.xml. But still I am unable to access through https.
> 
> Kindly send me the causes of this issue
> 
> Regards,
> R.Manibharathi,
> AM,Android Mobile App Developer
> 
> 
> 

Could you please check all logfiles if there are some errors shown?
Any stacktraces, warnings or errors visible?
Is there a line like "org.apache.coyote.AbstractProtocol.start Starting 
ProtocolHandler ["https-openssl-nio-443"]" ?

Greetings, Thomas




Request for SSL Setup

2022-06-27 Thread Manibharathi R
Dear Team,

Greetings,

I have done keystore generation, import key features and changes done in 
server.xml. But still I am unable to access through https.

Kindly send me the causes of this issue

Regards,
R.Manibharathi,
AM,Android Mobile App Developer





ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.50]

2021-07-06 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer executable:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases


ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.48]

2021-06-17 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer executable:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases


ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.46]

2021-05-13 Thread Bill Stewart
 Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer executable:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases


ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.45]

2021-04-07 Thread Bill Stewart
 Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer executable:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases


ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.44]

2021-03-12 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases




Re: Question about TLS/SSL setup and SSLHostConfig or not

2021-03-02 Thread Alex

On 02.03.21 23:50, Peter Kreuser wrote:

Alex,


Am 02.03.2021 um 23:19 schrieb Alex :

Hi.


On 02.03.21 23:14, John Larsen wrote:
I usually let the apache webserver or nginx handle the SSL while proxying
to the tomcat.



Unless you need some really fancy rewriting or caching, Tomcat is absolutely 
capable of handling this. Even static files are OK nowadays.



To use tomcat's built in server you'll need to import the
SSL certificate into the keystore via your jdk.


That’s not the case anymore. Tomcat 8.5.x perfectly speaks PEM-files and 
openssl config. (See below)

Even dynamic reloading of SSL configs can be achieved with the jmxproxy.



Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
the backend, in this case tomcat.


John Larsen

On Tue, Mar 2, 2021 at 3:06 PM Alex  wrote:
Hi.

I try to make a "good" tomcat config and read the docs.

Now in the Connector doc is the following statement.

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support

Each secure connector must define at least one SSLHostConfig.

But when I look into the SSL/TLS Configuration How-To is the snippet
without SSLHostConfig. What's now the "best" way to setup TLS/SSL
with tomcat. I would prefer to put SSLHostConfig but I'm not sure if
it's the way how the developer think to setup the TLS in tomcat?

I use JSSE as implementation.

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html

```


```



You should move this to SSLHostConfig.


Thank you for the clarification, I will do it.


 
   
 

HTH

Peter


What's your suggestion and opinion to configure the tomcat in a
proper way to use TLS also for the future versions.

Regards
Alex






Re: Question about TLS/SSL setup and SSLHostConfig or not

2021-03-02 Thread Peter Kreuser
Alex,

> Am 02.03.2021 um 23:19 schrieb Alex :
> 
> Hi.
> 
>> On 02.03.21 23:14, John Larsen wrote:
>> I usually let the apache webserver or nginx handle the SSL while proxying
>> to the tomcat.


Unless you need some really fancy rewriting or caching, Tomcat is absolutely 
capable of handling this. Even static files are OK nowadays.


>> To use tomcat's built in server you'll need to import the
>> SSL certificate into the keystore via your jdk.

That’s not the case anymore. Tomcat 8.5.x perfectly speaks PEM-files and 
openssl config. (See below)

Even dynamic reloading of SSL configs can be achieved with the jmxproxy.

> 
> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
> the backend, in this case tomcat.
> 
>> John Larsen
>>> On Tue, Mar 2, 2021 at 3:06 PM Alex  wrote:
>>> Hi.
>>> 
>>> I try to make a "good" tomcat config and read the docs.
>>> 
>>> Now in the Connector doc is the following statement.
>>> 
>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>> 
>>> Each secure connector must define at least one SSLHostConfig.
>>> 
>>> But when I look into the SSL/TLS Configuration How-To is the snippet
>>> without SSLHostConfig. What's now the "best" way to setup TLS/SSL
>>> with tomcat. I would prefer to put SSLHostConfig but I'm not sure if
>>> it's the way how the developer think to setup the TLS in tomcat?
>>> 
>>> I use JSSE as implementation.
>>> 
>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>> 
>>> ```
>>> <Connector
>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>            port="8443" maxThreads="200"
>>>            scheme="https" secure="true" SSLEnabled="true"
>>>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>>            clientAuth="false" sslProtocol="TLS"/>
>>> ```
>>> 

You should move this to SSLHostConfig.


  


HTH

Peter

>>> What's your suggestion and opinion to configure the tomcat in a
>>> proper way to use TLS also for the future versions.
>>> 
>>> Regards
>>> Alex
>>> 
>>> 
>>> 
> 
> 
> 



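Peter's SSLHostConfig snippet did not survive the archive, so here is an added example (not Peter's text and not the Tomcat project's own documentation) of the SSL How-To connector quoted in this thread rewritten in the SSLHostConfig form the Connector docs require, plus a second connector showing the PEM-file form Thomas described in the "Request for SSL Setup" thread. The certificate paths and the second connector's port 8444 are placeholders.

```xml
<!-- Variant A: the How-To connector moved to SSLHostConfig, same JKS keystore.
     keystoreFile/keystorePass become Certificate attributes,
     sslProtocol="TLS" becomes SSLHostConfig protocols=..., and
     clientAuth="false" becomes certificateVerification="none". -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
  <!-- "TLSv1.2+TLSv1.3" replaces the default "all", which also enables
       the older protocol versions. -->
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 certificateVerification="none"
                 honorCipherOrder="true">
    <!-- type="RSA" matches the key in the keystore; as Chris noted in the
         SiteMinder thread, ECDSA cipher suites are unusable with an RSA key. -->
    <Certificate certificateKeystoreFile="${user.home}/.keystore"
                 certificateKeystorePassword="changeit"
                 certificateKeystoreType="JKS"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Variant B: the same thing with PEM files instead of a keystore
     (what Thomas meant by "two separate files"). Placeholder paths,
     relative to CATALINA_BASE; a separate port only so both variants
     can appear side by side. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 certificateVerification="none">
    <Certificate certificateKeyFile="conf/certs/server.key.pem"
                 certificateFile="conf/certs/server.crt.pem"
                 certificateChainFile="conf/certs/chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

The startup log line Thomas asked about ("Starting ProtocolHandler [...]") is the quickest check that the connector actually came up; a keystore or PEM that cannot be read fails with a stack trace at that point rather than at the first request.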


Re: Question about TLS/SSL setup and SSLHostConfig or not

2021-03-02 Thread Alex

Hi.

On 02.03.21 23:14, John Larsen wrote:

I usually let the apache webserver or nginx handle the SSL while proxying
to the tomcat.  To use tomcat's built in server you'll need to import the
SSL certificate into the keystore via your jdk.


Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
the backend, in this case tomcat.


John Larsen



On Tue, Mar 2, 2021 at 3:06 PM Alex  wrote:


Hi.

I try to make a "good" tomcat config and read the docs.

Now in the Connector doc is the following statement.

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support

Each secure connector must define at least one SSLHostConfig.

But when I look into the SSL/TLS Configuration How-To is the snippet
without SSLHostConfig. What's now the "best" way to setup TLS/SSL
with tomcat. I would prefer to put SSLHostConfig but I'm not sure if
it's the way how the developer think to setup the TLS in tomcat?

I use JSSE as implementation.

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html

```


```

What's your suggestion and opinion to configure the tomcat in a
proper way to use TLS also for the future versions.

Regards
Alex











Re: Question about TLS/SSL setup and SSLHostConfig or not

2021-03-02 Thread John Larsen
I usually let the apache webserver or nginx handle the SSL while proxying
to the tomcat.  To use tomcat's built in server you'll need to import the
SSL certificate into the keystore via your jdk.


John Larsen



On Tue, Mar 2, 2021 at 3:06 PM Alex  wrote:

> Hi.
>
> I try to make a "good" tomcat config and read the docs.
>
> Now in the Connector doc is the following statement.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>
> Each secure connector must define at least one SSLHostConfig.
>
> But when I look into the SSL/TLS Configuration How-To is the snippet
> without SSLHostConfig. What's now the "best" way to setup TLS/SSL
> with tomcat. I would prefer to put SSLHostConfig but I'm not sure if
> it's the way how the developer think to setup the TLS in tomcat?
>
> I use JSSE as implementation.
>
> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>
> ```
> <Connector
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="8443" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>            clientAuth="false" sslProtocol="TLS"/>
> ```
>
> What's your suggestion and opinion to configure the tomcat in a
> proper way to use TLS also for the future versions.
>
> Regards
> Alex
>
>
>


Question about TLS/SSL setup and SSLHostConfig or not

2021-03-02 Thread Alex

Hi.

I try to make a "good" tomcat config and read the docs.

Now in the Connector doc is the following statement.

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support

Each secure connector must define at least one SSLHostConfig.

But when I look into the SSL/TLS Configuration How-To, the snippet is
without SSLHostConfig. What's now the "best" way to set up TLS/SSL
with tomcat? I would prefer to put SSLHostConfig but I'm not sure if
it's the way the developers think TLS should be set up in tomcat?

I use JSSE as implementation.

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html

```
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>
```

What's your suggestion and opinion to configure the tomcat in a
proper way to use TLS also for the future versions.

Regards
Alex
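The same JSSE connector written with an explicit SSLHostConfig, added here as an example that is neither Alex's snippet nor the Tomcat project's own documentation. The keystore path and password are the placeholder values from the snippet above; the protocol list is an assumption chosen for the example.

```xml
<!-- Added example, not from the thread or the Tomcat docs: the quoted
     connector rewritten in the SSLHostConfig style. Keystore path and
     password are the placeholders from the quoted snippet. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
    <!-- One SSLHostConfig per TLS virtual host. Omitting hostName makes this
         the "_default_" host, used for clients that send no SNI name.
         certificateVerification="none" is the equivalent of clientAuth="false";
         protocols limits negotiation to TLS 1.2 and TLS 1.3 (assumption). -->
    <SSLHostConfig certificateVerification="none"
                   protocols="TLSv1.2+TLSv1.3">
        <!-- Certificate and private key come from a JSSE keystore. -->
        <Certificate certificateKeystoreFile="${user.home}/.keystore"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Tomcat 8.5 and later translate the legacy keystoreFile/keystorePass/clientAuth attributes on the Connector into an implicit default SSLHostConfig, which is why the How-To snippet still works and why the Connector docs say every secure connector has at least one. The explicit form is the one to reach for when you need more than one certificate (for example RSA plus EC) or several SNI host names on one port, and it is the form the newer attributes are documented against.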




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.43]

2021-02-03 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases

See installer source file for release notes:

https://github.com/Bill-Stewart/ApacheTomcatSetup/blob/master/ApacheTomcat.iss




Re: Manager setup in Tomcat 8

2020-12-22 Thread James H. H. Lampert

On 12/22/20 10:51 AM, Christopher Schultz wrote:

I would try to lock-down that IP range as much as you can, rather than 
either removing the Valve (which would allow connections from anywhere) 
or specifying something like ".*" in the "allow" attribute (which is a 
regular expression which will be applied to the remote-user's IP 
address, either IPv4 or IPv6 as the case may be).


Dear Mr. Schultz:

Thanks. Very much applicable to the EC2 instance (and I recall doing 
just that, although I'd have to look at what I did to recall exactly 
how), and to most customer boxes, but not necessarily so much for this 
particular customer: they've got everything locked down in the tightest 
VPN I've ever seen.


--
JHHL




Re: Manager setup in Tomcat 8

2020-12-22 Thread Christopher Schultz

James,

On 12/22/20 13:39, James H. H. Lampert wrote:
A few months back, as I recall, I ran into some "gotchas" in connection 
with the manager context, while setting up Tomcat 8.5 on one of our AWS 
EC2 instances. As I recall, I had to do something special, somthing I 
don't have to do with Tomcat 7, in order to make the manager context 
reachable from the outside.


Very shortly, I'll be setting up Tomcat 8.5 for the first time on an 
AS/400, and like the EC2, it can't exactly browse itself, so it, too, 
will need to have the manager context reachable from the outside world.


Can somebody remind me of what it is I had to do, that I don't have to 
do for Tomcat 7?


It was probably changing the default RemoteAddrValve to allow non-local 
IP addresses. You can find that in the manager's META-INF/context.xml file.


I would try to lock-down that IP range as much as you can, rather than 
either removing the Valve (which would allow connections from anywhere) 
or specifying something like ".*" in the "allow" attribute (which is a 
regular expression which will be applied to the remote-user's IP 
address, either IPv4 or IPv6 as the case may be).


-chris
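A narrowed version of the manager's META-INF/context.xml, added here as an example that is not Chris's or the Tomcat project's own file. It keeps the shipped loopback entries and adds one constructed address range, 10.20.30.0/24, which is a placeholder and not from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): manager/META-INF/context.xml with
     the RemoteAddrValve kept and widened to a single constructed range.
     10.20.30.0/24 is a placeholder; substitute the real management network. -->
<Context antiResourceLocking="false" privileged="true">
  <!-- allow is a Java regular expression that must match the WHOLE client
       address, IPv4 or IPv6, so dots are escaped and alternatives are joined
       with "|". ".*" would match every address, which is no better than
       removing the Valve. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.30\.\d{1,3}" />
</Context>
```

The Valve tests the address of the TCP peer, so if Tomcat sits behind a reverse proxy (the Apache httpd setup discussed earlier in this archive, for instance) every request arrives from the proxy's address and the pattern must either name that proxy and be paired with an equivalent restriction in the proxy, or be combined with RemoteIpValve so the client address from X-Forwarded-For is what gets checked.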




Manager setup in Tomcat 8

2020-12-22 Thread James H. H. Lampert
A few months back, as I recall, I ran into some "gotchas" in connection 
with the manager context, while setting up Tomcat 8.5 on one of our AWS 
EC2 instances. As I recall, I had to do something special, something I 
don't have to do with Tomcat 7, in order to make the manager context 
reachable from the outside.


Very shortly, I'll be setting up Tomcat 8.5 for the first time on an 
AS/400, and like the EC2, it can't exactly browse itself, so it, too, 
will need to have the manager context reachable from the outside world.


Can somebody remind me of what it is I had to do, that I don't have to 
do for Tomcat 7?


--
JHHL




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.41]

2020-12-14 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases




Re: ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.40]

2020-12-01 Thread Brian Wolfe
Rob,
It looks like this installer is specific to Windows and, from a brief glance
at the documentation, it mostly helps with setting it up as a Windows service and
helps with upgrades. As far as Linux distributions go, installation and
upgrade via the rpm packages should take care of most of that, at least
setting up the systemctl services and the user/groups necessary for it to
run. I'm not sure I see a need for something similar for Linux. Anything
more would be specific to your use case.

On Tue, Dec 1, 2020 at 6:08 PM Rob Sargent  wrote:

> Is there something similar for embedded tomcat on linux?
>
> On 12/1/20 3:58 PM, Bill Stewart wrote:
> > Documentation and installer source:
> >
> > https://github.com/Bill-Stewart/ApacheTomcatSetup
> >
> > Download installer:
> >
> > https://github.com/Bill-Stewart/ApacheTomcatSetup/releases
> >
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.40]

2020-12-01 Thread Rob Sargent

Is there something similar for embedded tomcat on linux?

On 12/1/20 3:58 PM, Bill Stewart wrote:

Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.40]

2020-12-01 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.39]

2020-10-19 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.38]

2020-09-21 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.37]

2020-07-07 Thread Bill Stewart
Documentation and installer source:

https://github.com/Bill-Stewart/ApacheTomcatSetup

Download installer:

https://github.com/Bill-Stewart/ApacheTomcatSetup/releases


ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.36]

2020-06-15 Thread Bill Stewart
Please see here:

https://github.com/Bill-Stewart/ApacheTomcatSetup

The Setup executable is available on the Releases tab.




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.35]

2020-05-22 Thread Bill Stewart
Please see here:

https://github.com/Bill-Stewart/ApacheTomcatSetup

The Setup executable is available on the Releases tab.

Bill




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.34]

2020-04-09 Thread Bill Stewart
Please see here:

https://github.com/Bill-Stewart/ApacheTomcatSetup

The Setup executable is available on the Releases tab.

Bill




ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.31]

2020-02-14 Thread Bill Stewart
Please see here:

https://github.com/Bill-Stewart/ApacheTomcatSetup

The Setup executable for Tomcat 9.0.31 is available on the Releases tab.

Bill


Re: SameSite Cookie Setup Not Working

2019-10-22 Thread M. Manna
Apologies, but I got this resolved. The httpOnly attribute was missing from
one of the apps. I have now set it globally for all my apps.

Thanks,

On Tue, 22 Oct 2019 at 15:34, M. Manna  wrote:

> Hello,
>
> As per the official documentation, I set up my same site cookie using
> Rfc6265CookieProcessor and set everything in "strict" mode.
>
> However, when I restarted my server, I only see httpOnly, secure - but not
> SameSite checked under browser's developer console.
>
> Could someone please help me understand whether something has been missed
> at my side? And yes, I am using tomcat 8.5.45 (as I read that it's been
> since 8.5.42). Otherwise, catalina bootstrapping would simply say that
> there's no samesitecookies attribute.
>
> Regards,
>


SameSite Cookie Setup Not Working

2019-10-22 Thread M. Manna
Hello,

As per the official documentation, I set up my same site cookie using
Rfc6265CookieProcessor and set everything in "strict" mode.

However, when I restarted my server, I only see httpOnly, secure - but not
SameSite checked under browser's developer console.

Could someone please help me understand whether something has been missed
at my side? And yes, I am using tomcat 8.5.45 (as I read that it's been
since 8.5.42). Otherwise, catalina bootstrapping would simply say that
there's no samesitecookies attribute.

Regards,
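The global form of the configuration the question describes, added here as an example that is not the poster's own file or the Tomcat project's documentation. Placing it in conf/context.xml applies it to every web application, which is what the follow-up message says was done.

```xml
<!-- Added example (not from the thread): conf/context.xml entry that marks
     every cookie Tomcat writes with SameSite=Strict. The sameSiteCookies
     attribute exists from Tomcat 8.5.42 onward; an older build rejects it. -->
<Context>
    <!-- Rfc6265CookieProcessor is already the default processor in 8.5, but
         it has to be declared explicitly to carry the sameSiteCookies setting.
         Accepted values: unset (default), none, lax, strict. -->
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                     sameSiteCookies="strict" />
</Context>
```

SameSite is independent of the other two flags the poster was checking for: HttpOnly on the session cookie comes from the Context's useHttpOnly attribute (true by default) or from `<http-only>` under `<session-config><cookie-config>` in web.xml, and Secure from `<secure>` in the same web.xml block or from the request itself having been received over TLS. When one application in the deployment overrides any of these in its own context.xml or web.xml, that application's cookies will differ from the rest, which is the symptom the thread reports.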


Re: confusions with conf/tomcat-users.xml setup

2019-07-25 Thread Hu, Zhiliang [AN S]
Thank you for the hint.  I got it to work.  __ZL


On 07/24/2019, 11:12 PM,  wrote:

I would recommend reading the role settings from here first:

https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Also, if everything is okay for you try using comma-separated roles e.g.
roles=“manager-gui,admin”. Even better, try to create new roles and assign
them correctly.

See if that works for you.

Thanks,


On Thu, 25 Jul 2019 at 12:35, Hu, Zhiliang [AN S]  wrote:

> I have Apache Tomcat/7.0.94 installed and running.  However I had a hard
> time to get to the ManagerApp and Host Manager to work properly.  Briefly:
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
> 
> -- The "/manager/html/" can get connected and "/host-manager/html" gets
> "404 Access Denied";
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
> 
> -- The "/manager/html/" gets "404 Access Denied" and "/host-manager/html"
> can get connected;
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
>
> 
> 
> 
> -- The "/manager/html/" can get connected and "/host-manager/html" gets
> "404 Access Denied" -- obviously the second "rolename" overrides the first
> one.
>
> How can I get both to work?
>
> Thanks in advance,
>
> ZL
>
>
>



Re: confusions with conf/tomcat-users.xml setup

2019-07-24 Thread M. Manna
I would recommend reading the role settings from here first:

https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Also, if everything is okay for you try using comma-separated roles e.g.
roles=“manager-gui,admin”. Even better, try to create new roles and assign
them correctly.

See if that works for you.

Thanks,


On Thu, 25 Jul 2019 at 12:35, Hu, Zhiliang [AN S]  wrote:

> I have Apache Tomcat/7.0.94 installed and running.  However I had a hard
> time to get to the ManagerApp and Host Manager to work properly.  Briefly:
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
> 
> -- The "/manager/html/" can get connected and "/host-manager/html" gets
> "404 Access Denied";
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
> 
> -- The "/manager/html/" gets "404 Access Denied" and "/host-manager/html"
> can get connected;
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
>
> 
> 
> 
> -- The "/manager/html/" can get connected and "/host-manager/html" gets
> "404 Access Denied" -- obviously the second "rolename" overrides the first
> one.
>
> How can I get both to work?
>
> Thanks in advance,
>
> ZL
>
>
>


confusions with conf/tomcat-users.xml setup

2019-07-24 Thread Hu, Zhiliang [AN S]
I have Apache Tomcat/7.0.94 installed and running.  However I had a hard time 
to get to the ManagerApp and Host Manager to work properly.  Briefly:

If I set up "conf/tomcat-users.xml" as in:




-- The "/manager/html/" can get connected and "/host-manager/html" gets "404 
Access Denied";

If I set up "conf/tomcat-users.xml" as in:




-- The "/manager/html/" gets "404 Access Denied" and "/host-manager/html" can 
get connected;

If I set up "conf/tomcat-users.xml" as in:







-- The "/manager/html/" can get connected and "/host-manager/html" gets "404 
Access Denied" -- obviously the second "rolename" overrides the first one.

How can I get both to work?

Thanks in advance,

ZL
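A tomcat-users.xml that grants one account both the Manager and the Host Manager, added here as an example that is not ZL's file or the Tomcat project's own sample. The username and password are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): a single user with access to both
     /manager/html (manager-gui) and /host-manager/html (admin-gui).
     "ops-admin" and "CHANGE-ME" are placeholders. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!-- Declare each role once; both may coexist in the same file. -->
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <!-- Roles are granted with one comma-separated attribute. A second <user>
       element with the same username replaces the first rather than adding
       to it, which is the "override" behaviour described in the question. -->
  <user username="ops-admin" password="CHANGE-ME" roles="manager-gui,admin-gui"/>
</tomcat-users>
```

The GUI and the text/script interfaces are separate roles (manager-gui versus manager-script, admin-gui versus admin-script) so that an account used by automation never carries a role usable from a browser session, and the other way round; grant only the pair an account actually needs.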






Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-09 Thread Christopher Schultz

John,

On 1/8/19 12:49, John Dale wrote:
> I'm using init.d and a custom script complete with single command 
> deploy using git hooks.
> 
> git push  master pushes, builds, and  bounces Tomcat. I
> like it very much .. building and deploying can be such a pain.
> 
> Is systemd something that is available on debian wheezy?
> 
> Is init.d going out of style?

Most systemd-based systems still have scripts in /etc/init.d and they
just point to the systemd-esque scripts/binaries. So if, like me, your
fingers automatically type "sudo /etc/init.d/servicename [action]",
they generally still all work.

systemd makes a great operating system, but only if you install all of
its packages and it completely replaces the kernel.

-chris




Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-09 Thread Christopher Schultz

Joel,

On 1/8/19 12:01, Joel Saunders wrote:
> I just installed Tomcat 8.5 on RedHat.

Which flavor?

Are you using the package-managed version, or one directly from ASF?

The yum package-maintainer for Tomcat is a member of this list, so he
should be able to weigh-in on any problems you may be having with it.

In the past, one could rely on package-managed versions of Tomcat to
be hideously out of date and a pain in the neck to use, but AIUI, the
current yum packages for Tomcat 8.5 and Tomcat 9 are fairly up-to-date
and will probably work the way you want them to in the "Red Hat Way".

-chris




Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread Roger Marquis

Igal Sapir wrote:
John Larsen wrote:

Setup an init script.

On modern Linux systems you should really use systemd instead of the old
init scripts.


Depends on your definition of modern.  Most Docker containers, many
versions of Linux and all versions of Unix use init scripts.  Docker at
least is modern in most uses of the term.  It is also a platform whose
market share has been growing at least in part due to most containers'
lack of systemd.  Systemd also supports init scripts last I checked.
Don't know about anyone else but I value cross-platform compatibility.

Joel Saunders wrote:

Lastly, I'd like the logs to go to /var/log/tomcat8 if possible.


This is something I'd like to see changed in Tomcat.  Would also be good
for cross-platform compatibility.  /var is meant to be mutable and
/var/log is meant for logs.  That's why nearly all software packages
write logs there.  Would save many hassles and provisioning issues if
Tomcat (dist and packages) created /var/log/tomcat and, if necessary,
symlinked $TOMCAT_HOME/logs.  At least that way you could be assured of
not having an unwritable log directory.

Roger Marquis




RE: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread Joel Saunders
Unfortunately, I inherited this system from someone who hacked it together 
before he left, so I'm just trying to use a quick/minimal approach.

I think that tomcat6 was setup with the init.d approach and would like to keep 
v8 similar if at all possible.

I'm not bad with scripting and init stuff, but not that strong as a Linux Admin 
and all of the options available to Linux Admin/developers.

I do appreciate all of your comments though, but I just want something easy to 
cut and paste at this time so I can be done with this and get back to my other 
(also demanding) projects.

Thanks,

Joel

-Original Message-
From: Igal Sapir [mailto:i...@lucee.org] 
Sent: Tuesday, January 08, 2019 1:12 PM
To: Tomcat Users List
Subject: Re: Proper way to set up tomcat 8.5 (autostart and service setup)

On Tue, Jan 8, 2019 at 9:58 AM John Dale  wrote:

> I'm using init.d and a custom script complete with single command
> deploy using git hooks.
>
> git push  master pushes, builds, and  bounces Tomcat. I like
> it very much .. building and deploying can be such a pain.
>
> Is systemd something that is available on debian wheezy?
>

It can be enabled on "Wheezy" (Debian 7, c. 2013, these names only add to
the confusion, I had to look it up), but that was the last Debian version
to use init.d.  Debian 8 (Jessie) already came with systemd in 2015 [1].

> Is init.d going out of style?
>

Yes, for the better part of 5 years now.


> I've been using it since .. I can't even remember.  1998 maybe on Fedora?
>

That might be the issue ;)

Igal

[1] https://en.wikipedia.org/wiki/Debian_version_history#Debian_7_(Wheezy)




>
>
> On 1/8/19, John Larsen  wrote:
> > I simply tie systemd with the init script. Our servers host around 20-30
> > tomcat instances. I found it easier do it this way.
> >
> >
> > John Larsen
> >
> >
> >
> > On Tue, Jan 8, 2019 at 10:26 AM Igal Sapir  wrote:
> >
> >> On Tue, Jan 8, 2019 at 9:08 AM John Larsen 
> >> wrote:
> >>
> >> > Setup an init script.
> >> >
> >>
> >> On modern Linux systems you should really use systemd instead of the old
> >> init scripts.
> >>
> >> I've written in the past a script that can be used as a systemd
> template,
> >> so it allowed for multiple services to be run on different ports with
> >> different settings.  I can't find it easily ATM though.
> >>
> >> I think that it'd be good if Tomcat came with such a script so that it's
> >> easy to install as a systemd service.
> >>
> >> Igal
> >>
> >>
> >> > This is similar to how I do it.
> >> > https://gist.github.com/katesclau/0ff6e41fd698e94eb43c
> >> >
> >> > John Larsen
> >> >
> >> >
> >> >
> >> > On Tue, Jan 8, 2019 at 10:01 AM Joel Saunders <
> joel.saund...@zones.com>
> >> > wrote:
> >> >
> >> > > All,
> >> > >
> >> > >
> >> > >
> >> > > I just installed Tomcat 8.5 on RedHat.
> >> > >
> >> > >
> >> > >
> >> > > The previous tomcat6 install was setup so that I could use the linux
> >> > > service command to start and stop.
> >> > >
> >> > >   I’d like to take that feature away from the tomcat6
> >> install
> >> > > and add it for the new tomcat85 install.
> >> > >
> >> > >
> >> > >
> >> > > I’d also like for tomcat85 to be able to autostart upon reboots.
> >> > >
> >> > >
> >> > >
> >> > > Lastly, I’d like the logs to go to /var/log/tomcat8 if possible.
> >> > >
> >> > >
> >> > >
> >> > > Can anyone point me to the correct way to accomplish these
> >> requirements?
> >> > >
> >> > >
> >> > >
> >> > > Thanks in advance for your cooperation.
> >> > >
> >> > >
> >> > >
> >> > > … Joel
> >> > &

Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread John Dale
Not having an issue, but if I upgrade I will it seems .. bo!

init.d is so engraved in my neural patterns it will be a shame to have
such a useless deep groove.

I hate the names, too .. that's what happens when you give marketing
people too much leash.  Not only do they seem to forget how to math,
they forget how to number.

:)

On 1/8/19, Igal Sapir  wrote:
> On Tue, Jan 8, 2019 at 9:58 AM John Dale  wrote:
>
>> I'm using init.d and a custom script complete with single command
>> deploy using git hooks.
>>
>> git push  master pushes, builds, and  bounces Tomcat. I like
>> it very much .. building and deploying can be such a pain.
>>
>> Is systemd something that is available on debian wheezy?
>>
>
> It can be enabled on "Wheezy" (Debian 7, c. 2013, these names only add to
> the confusion, I had to look it up), but that was the last Debian version
> to use init.d.  Debian 8 (Jessie) already came with systemd in 2015 [1].
>
> Is init.d going out of style?
>>
>
> Yes, for the better part of 5 years now.
>
>
>> I've been using it since .. I can't even remember.  1998 maybe on Fedora?
>>
>
> That might be the issue ;)
>
> Igal
>
> [1] https://en.wikipedia.org/wiki/Debian_version_history#Debian_7_(Wheezy)
>
>
>
>
>>
>>
>> On 1/8/19, John Larsen  wrote:
>> > I simply tie systemd with the init script. Our servers host around
>> > 20-30
>> > tomcat instances. I found it easier do it this way.
>> >
>> >
>> > John Larsen
>> >
>> >
>> >
>> > On Tue, Jan 8, 2019 at 10:26 AM Igal Sapir  wrote:
>> >
>> >> On Tue, Jan 8, 2019 at 9:08 AM John Larsen 
>> >> wrote:
>> >>
>> >> > Setup an init script.
>> >> >
>> >>
>> >> On modern Linux systems you should really use systemd instead of the
>> >> old
>> >> init scripts.
>> >>
>> >> I've written in the past a script that can be used as a systemd
>> template,
>> >> so it allowed for multiple services to be run on different ports with
>> >> different settings.  I can't find it easily ATM though.
>> >>
>> >> I think that it'd be good if Tomcat came with such a script so that
>> >> it's
>> >> easy to install as a systemd service.
>> >>
>> >> Igal
>> >>
>> >>
>> >> > This is similar to how I do it.
>> >> > https://gist.github.com/katesclau/0ff6e41fd698e94eb43c
>> >> >
>> >> > John Larsen
>> >> >
>> >> >
>> >> >
>> >> > On Tue, Jan 8, 2019 at 10:01 AM Joel Saunders <
>> joel.saund...@zones.com>
>> >> > wrote:
>> >> >
>> >> > > All,
>> >> > >
>> >> > >
>> >> > >
>> >> > > I just installed Tomcat 8.5 on RedHat.
>> >> > >
>> >> > >
>> >> > >
>> >> > > The previous tomcat6 install was setup so that I could use the
>> >> > > linux
>> >> > > service command to start and stop.
>> >> > >
>> >> > >   I’d like to take that feature away from the tomcat6
>> >> install
>> >> > > and add it for the new tomcat85 install.
>> >> > >
>> >> > >
>> >> > >
>> >> > > I’d also like for tomcat85 to be able to autostart upon reboots.
>> >> > >
>> >> > >
>> >> > >
>> >> > > Lastly, I’d like the logs to go to /var/log/tomcat8 if possible.
>> >> > >
>> >> > >
>> >> > >
>> >> > > Can anyone point me to the correct way to accomplish these
>> >> requirements?
>> >> > >
>> >> > >
>> >> > >
>> >> > > Thanks in advance for your cooperation.
>> >> > >
>> >> > >
>> >> > >
>> >> > > … Joel
>> >> > >
>> >> > >
>> >> > >
>> >> > > *JOEL SAUNDERS*
>> >> > >
>> >> > >
>> >> > >
>> >> > > SR. DBA/ARCHITECT, MANAGED SERVICES | Zones, Inc.
>> >> > >
>> >> > > W: 518-652-4089| C: 518-265-0771
>> >> > > joel.saund...@zones.com | zones.com <https://nfrastructure.com/>
>> >> > >
>> >> > > <http://zones.com/>
>> >> > >
>> >> > >
>> >> > >
>> >> > > <https://www.facebook.com/nfrastructure/>
>> >> > > <https://www.linkedin.com/company/nfrastructure/>
>> >> > > <https://twitter.com/nfrastructure>
>> >> > > <https://www.youtube.com/user/nfrastructure1992>
>> >> > >
>> >> > >
>> >> > >
>> >> >
>> >>
>> >
>>
>>
>




Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread Igal Sapir
On Tue, Jan 8, 2019 at 9:58 AM John Dale  wrote:

> I'm using init.d and a custom script complete with single command
> deploy using git hooks.
>
> git push  master pushes, builds, and  bounces Tomcat. I like
> it very much .. building and deploying can be such a pain.
>
> Is systemd something that is available on debian wheezy?
>

It can be enabled on "Wheezy" (Debian 7, c. 2013, these names only add to
the confusion, I had to look it up), but that was the last Debian version
to use init.d.  Debian 8 (Jessie) already came with systemd in 2015 [1].

> Is init.d going out of style?
>

Yes, for the better part of 5 years now.


> I've been using it since .. I can't even remember.  1998 maybe on Fedora?
>

That might be the issue ;)

Igal

[1] https://en.wikipedia.org/wiki/Debian_version_history#Debian_7_(Wheezy)




>
>
> On 1/8/19, John Larsen  wrote:
> > I simply tie systemd with the init script. Our servers host around 20-30
> > tomcat instances. I found it easier do it this way.
> >
> >
> > John Larsen
> >
> >
> >
> > On Tue, Jan 8, 2019 at 10:26 AM Igal Sapir  wrote:
> >
> >> On Tue, Jan 8, 2019 at 9:08 AM John Larsen 
> >> wrote:
> >>
> >> > Setup an init script.
> >> >
> >>
> >> On modern Linux systems you should really use systemd instead of the old
> >> init scripts.
> >>
> >> I've written in the past a script that can be used as a systemd
> template,
> >> so it allowed for multiple services to be run on different ports with
> >> different settings.  I can't find it easily ATM though.
> >>
> >> I think that it'd be good if Tomcat came with such a script so that it's
> >> easy to install as a systemd service.
> >>
> >> Igal
> >>
> >>
> >> > This is similar to how I do it.
> >> > https://gist.github.com/katesclau/0ff6e41fd698e94eb43c
> >> >
> >> > John Larsen
> >> >
> >> >
> >> >
> >> > On Tue, Jan 8, 2019 at 10:01 AM Joel Saunders <
> joel.saund...@zones.com>
> >> > wrote:
> >> >
> >> > > All,
> >> > >
> >> > >
> >> > >
> >> > > I just installed Tomcat 8.5 on RedHat.
> >> > >
> >> > >
> >> > >
> >> > > The previous tomcat6 install was setup so that I could use the linux
> >> > > service command to start and stop.
> >> > >
> >> > >   I’d like to take that feature away from the tomcat6
> >> install
> >> > > and add it for the new tomcat85 install.
> >> > >
> >> > >
> >> > >
> >> > > I’d also like for tomcat85 to be able to autostart upon reboots.
> >> > >
> >> > >
> >> > >
> >> > > Lastly, I’d like the logs to go to /var/log/tomcat8 if possible.
> >> > >
> >> > >
> >> > >
> >> > > Can anyone point me to the correct way to accomplish these
> >> requirements?
> >> > >
> >> > >
> >> > >
> >> > > Thanks in advance for your cooperation.
> >> > >
> >> > >
> >> > >
> >> > > … Joel
> >> > >
> >> > >
> >> > >
> >> > > *JOEL SAUNDERS*
> >> > >
> >> > >
> >> > >
> >> > > SR. DBA/ARCHITECT, MANAGED SERVICES | Zones, Inc.
> >> > >
> >> > > W: 518-652-4089| C: 518-265-0771
> >> > > joel.saund...@zones.com | zones.com <https://nfrastructure.com/>
> >> > >
> >> > > <http://zones.com/>
> >> > >
> >> > >
> >> > >
> >> > > <https://www.facebook.com/nfrastructure/>
> >> > > <https://www.linkedin.com/company/nfrastructure/>
> >> > > <https://twitter.com/nfrastructure>
> >> > > <https://www.youtube.com/user/nfrastructure1992>
> >> > >
> >> > >
> >> > >
> >> >
> >>
> >
>
>


Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread Igal Sapir
On Tue, Jan 8, 2019 at 9:39 AM John Larsen  wrote:

> I simply tie systemd with the init script. Our servers host around 20-30
> tomcat instances. I found it easier do it this way.
>

It's easier for you because you're more familiar with the init scripts, but
tying a modern system into an older one just to make it easy is a hack IMO,
and while it can be OK under some circumstances when maintaining an older
system, I would advise strongly against that when setting up a new system.

Igal




Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread John Dale
I'm using init.d and a custom script complete with single command
deploy using git hooks.

git push  master pushes, builds, and  bounces Tomcat. I like
it very much .. building and deploying can be such a pain.

Is systemd something that is available on debian wheezy?

Is init.d going out of style?

I've been using it since .. I can't even remember.  1998 maybe on Fedora?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread John Larsen
I simply tie systemd with the init script. Our servers host around 20-30
tomcat instances. I found it easier to do it this way.


John Larsen





Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread Igal Sapir
On Tue, Jan 8, 2019 at 9:08 AM John Larsen  wrote:

> Setup an init script.
>

On modern Linux systems you should really use systemd instead of the old
init scripts.

I've written in the past a script that can be used as a systemd template,
so it allowed for multiple services to be run on different ports with
different settings.  I can't find it easily ATM though.

I think that it'd be good if Tomcat came with such a script so that it's
easy to install as a systemd service.

Igal




Re: Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread John Larsen
Setup an init script.
This is similar to how I do it.
https://gist.github.com/katesclau/0ff6e41fd698e94eb43c

John Larsen





Proper way to set up tomcat 8.5 (autostart and service setup)

2019-01-08 Thread Joel Saunders
All,

I just installed Tomcat 8.5 on RedHat.

The previous tomcat6 install was setup so that I could use the linux service
command to start and stop. I'd like to take that feature away from the tomcat6
install and add it for the new tomcat85 install.

I'd also like for tomcat85 to be able to autostart upon reboots.

Lastly, I'd like the logs to go to /var/log/tomcat8 if possible.

Can anyone point me to the correct way to accomplish these requirements?

Thanks in advance for your cooperation.

... Joel

JOEL SAUNDERS

SR. DBA/ARCHITECT, MANAGED SERVICES | Zones, Inc.
W: 518-652-4089| C: 518-265-0771
joel.saund...@zones.com | zones.com

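A systemd template unit for the multi-instance setup Igal describes, covering the autostart and log-directory requirements in Joel's question. This is an added example, not code from the thread or from the gist linked above; CATALINA_HOME, the instance root, the service user and the ports are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the gist linked above. A
# systemd template unit (tomcat@.service) that runs several Tomcat instances
# from one CATALINA_HOME, each with its own CATALINA_BASE, ports and log
# directory, as an unprivileged user. Paths, user name and ports are assumptions.
set -eu

# render_tomcat_unit CATALINA_HOME INSTANCE_ROOT SERVICE_USER
# Prints the unit. Install it as /etc/systemd/system/tomcat@.service, then
# `systemctl enable --now tomcat@NAME` starts INSTANCE_ROOT/NAME at boot.
render_tomcat_unit() {
  cat <<EOF
[Unit]
Description=Apache Tomcat instance %i
After=network.target

[Service]
Type=forking
User=$3
Group=$3
UMask=0027
Environment=CATALINA_HOME=$1
Environment=CATALINA_BASE=$2/%i
Environment=CATALINA_PID=/run/tomcat/%i/tomcat.pid
# catalina.out for instance %i lands in /var/log/tomcat/%i (created by systemd)
Environment=CATALINA_OUT=/var/log/tomcat/%i/catalina.out
PIDFile=/run/tomcat/%i/tomcat.pid
RuntimeDirectory=tomcat/%i
LogsDirectory=tomcat/%i
ExecStart=$1/bin/startup.sh
ExecStop=$1/bin/shutdown.sh
Restart=on-failure
# Least privilege: read-only OS and conf/, no home directories, private /tmp,
# and no setuid escalation; only the instance's own writable dirs stay writable.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=$2/%i/logs $2/%i/work $2/%i/temp $2/%i/webapps /var/log/tomcat/%i

[Install]
WantedBy=multi-user.target
EOF
}

# new_instance CATALINA_HOME INSTANCE_ROOT NAME HTTP_PORT SHUTDOWN_PORT
# Creates INSTANCE_ROOT/NAME from the stock conf/, rewriting the default 8080
# and 8005 ports so instances do not collide. The stock file also declares an
# AJP connector on 8009: remove it or give it a unique port per instance too.
new_instance() {
  home=$1 base=$2/$3
  mkdir -p "$base/conf" "$base/logs" "$base/webapps" "$base/work" "$base/temp"
  cp -R "$home/conf/." "$base/conf/"
  sed -e "s/port=\"8080\"/port=\"$4\"/" -e "s/port=\"8005\"/port=\"$5\"/" \
      "$home/conf/server.xml" > "$base/conf/server.xml"
  chmod 0750 "$base"
  chmod -R go-w "$base/conf"   # the service user reads conf/, never writes it
}

# check_unit_hardening UNIT_FILE
# Lists the directives a unit is missing; returns 1 if any are absent.
check_unit_hardening() {
  missing=""
  for d in 'User=' 'NoNewPrivileges=true' 'PrivateTmp=true' 'ProtectSystem=strict'; do
    grep -q "^$d" "$1" || missing="$missing $d"
  done
  [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
}
```

The per-instance juli logs still go to CATALINA_BASE/logs; point logging.properties at /var/log/tomcat/%i instead if everything should live under /var/log.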



Tomcat JMS Setup

2018-12-18 Thread Rajendra
Hi,

I am trying to integrate ActiveMQ with Tomcat. I have defined a queue, Topic 
and Connection Factory in Tomcat server.xml and Context.xml file as below. 

Server.xml
===










Context.xml:




Do I need to create the JMS resources using ActiveMQ console as well in order 
to use the JMS resources? Please let me know.

Thanks !

Rajendra



Re: not able to setup tomcat 7 to use port 8443

2018-12-03 Thread Christopher Schultz

Masber,

On 11/30/18 22:45, masber masber wrote:
> Dear tomcat community,
> 
> I am trying to setup tomcat 7.0.69.0 on port 8443 but for some
> reason no service is listening that port after tomcat is
> rebooted.
>
> I uncommented the following part in server.xml
>
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
> 
> And then just rebooted tomcat but sudo ss -nolpt | grep 8443 shows
> nothing
> 
> what am I doing wrong?

Where is your certificate configuration? You can't use SSL without a
keystore and stuff like that.

What do the logs say?

-chris



Re: not able to setup tomcat 7 to use port 8443

2018-12-01 Thread tomcat

On 01.12.2018 06:26, masber masber wrote:
> ok,
>
> forcing NIO implementation makes tomcat service to listen port 8443 but now I
> do a test using curl and the client does not get response from the server.
>
> $ curl -I 'https://X:8443/authentication' -H 'Authorization: Basic
> X' -H 'Content-Type: application/json' -H 'Accept: */*' -v
>
> *   Trying XXX.XXX.XXX.XXX...
> * TCP_NODELAY set
> * Connected to dev.retex.global (XXX.XXX.XXX.XXX) port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/cert.pem
>     CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>
> any thoughts?


Yes : look at the Tomcat logs.  They usually contain useful information.









Re: not able to setup tomcat 7 to use port 8443

2018-11-30 Thread masber masber
ok,

forcing NIO implementation makes tomcat service to listen port 8443 but now I 
do a test using curl and the client does not get response from the server.


$ curl -I 'https://X:8443/authentication' -H 'Authorization: Basic
X' -H 'Content-Type: application/json' -H 'Accept: */*' -v

*   Trying XXX.XXX.XXX.XXX...
* TCP_NODELAY set
* Connected to dev.retex.global (XXX.XXX.XXX.XXX) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
    CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

any thoughts?








not able to setup tomcat 7 to use port 8443

2018-11-30 Thread masber masber
Dear tomcat community,

I am trying to setup tomcat 7.0.69.0 on port 8443 but for some reason no 
service is listening that port after tomcat is rebooted.

I uncommented the following part in server.xml




And then just rebooted tomcat but sudo ss -nolpt | grep 8443 shows nothing

what am I doing wrong?




Re: tomcat 8.5.29 AJP connector setup

2018-10-29 Thread Christopher Schultz

Jose,

On 10/28/18 04:19, Jose Torres wrote:
> I hit enter too soon, but I want to know what other people use
> when configuring tomcat AJP connector, I provided an example of
> what I use. I am running following, tomcat 8.5.29 / apache 2.4.29 /
> mod_jk/1.2.41.
> 
> Thanks
> 
> On Sun, Oct 28, 2018 at 4:14 AM Jose Torres 
> wrote:
> 
>> Hello,
>> 
>> I am running with configuration below, I like to know what
>> parameters can be use with tomcat AJP for a H.A. configuration.
>> 
>> 
>> 
>> 
>> <Connector port="8009" protocol="AJP/1.3" redirectPort="443"
>>            maxThreads="4096" minSpareThreads="256" enableLookups="false"
>>            acceptCount="100" connectionTimeout="2" />
>> 

Are you experiencing any particular problem, or are you just looking
for "general advice"?

Since you are using Tomcat 8.5 and not 6.0 or below, you probably want
to use an explicit <Executor> because you will have better control
over resource-allocations -- specifically, threads.

4096 threads is a lot of threads. Have you instrumented your
environment to see how many threads you are actually using?

If you really want "high availability" I might actually set the TCP
backlog (acceptcount) to zero. This will allow a reverse-proxy to send
traffic to a server which isn't full and clients will likely receive a
faster response.

Other than that, there really is no "configuration for H.A.". If there
were some other configuration that was better, Tomcat would ship with
it as the default.

-chris
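The Executor-backed AJP connector Chris suggests, plus an audit that flags the points he raises in an existing server.xml. This is an added example, not code from the thread; the thread counts, the loopback binding (httpd on the same host as Tomcat) and the sample input are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the server.xml fragment the
# reply recommends (an explicit <Executor> that the AJP <Connector> refers to)
# and audits an existing server.xml for AJP connectors that still size their own
# pool, listen on every interface or keep a large backlog. Thread counts, the
# loopback binding (httpd on the same host as Tomcat) and the sample input are
# assumptions, not values from the thread.
set -eu

# render_ajp_fragment MAX_THREADS MIN_SPARE_THREADS
# Emits an Executor and an AJP connector using it, for pasting inside <Service>.
render_ajp_fragment() {
  cat <<EOF
<Executor name="ajpThreadPool" namePrefix="ajp-exec-"
          maxThreads="$1" minSpareThreads="$2" maxIdleTime="60000" />
<!-- acceptCount is the listen backlog; the reply argues for 0 in an H.A. pair
     so that a saturated node is skipped by the proxy instead of queueing -->
<Connector port="8009" protocol="AJP/1.3" executor="ajpThreadPool"
           address="127.0.0.1" redirectPort="443"
           enableLookups="false" acceptCount="0" />
EOF
}

# audit_ajp_connectors [MAX_THREADS_LIMIT] < server.xml
# One finding per line as "<port> <finding>"; returns 1 if anything was found.
# The limit is a placeholder: size it from measured thread use, as the reply says.
audit_ajp_connectors() {
  awk -v limit="${1:-1024}" '
    # attr(s, name): value of name="..." inside s, "" if absent
    function attr(s, name,   n) {
      n = length(name)
      if (match(s, " " name "=\"[^\"]*\""))
        return substr(s, RSTART + n + 3, RLENGTH - n - 4)
      return ""
    }
    /<Connector/ { buf = ""; inconn = 1 }
    inconn { gsub(/\t/, " "); buf = buf " " $0 }
    inconn && /\/>/ {
      inconn = 0
      if (buf !~ /protocol="AJP\/1\.3"/) next
      port = attr(buf, "port")
      mt = attr(buf, "maxThreads"); ac = attr(buf, "acceptCount")
      if (attr(buf, "executor") == "") { print port " no-executor"; bad = 1 }
      if (mt + 0 > limit + 0)          { print port " maxThreads=" mt; bad = 1 }
      if (attr(buf, "address") == "")  { print port " no-address-binding"; bad = 1 }
      if (ac != "0") { print port " acceptCount=" (ac == "" ? "default" : ac); bad = 1 }
    }
    END { if (bad) exit 1 }'
}

# Constructed sample built from the connector quoted in the thread.
sample_ajp_server_xml() {
  cat <<'EOF'
<Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443"
             maxThreads="4096" minSpareThreads="256" enableLookups="false"
             acceptCount="100" connectionTimeout="2" />
</Service>
EOF
}
```

Run it as `audit_ajp_connectors 1024 < conf/server.xml`; every line it prints is one of the points raised above, and an empty result means the connector already delegates to an Executor.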



Re: tomcat 8.5.29 AJP connector setup

2018-10-28 Thread Jose Torres
I hit enter too soon, but I want to know what other people use when
configuring tomcat AJP connector, I provided an example of what I use. I am
running following, tomcat 8.5.29 / apache 2.4.29 / mod_jk/1.2.41.

Thanks

On Sun, Oct 28, 2018 at 4:14 AM Jose Torres  wrote:

> Hello,
>
> I am running with configuration below, I like to know what parameters can
> be use with tomcat AJP for a H.A. configuration.
>
>
>
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443"
>            maxThreads="4096" minSpareThreads="256"
>            enableLookups="false" acceptCount="100"
>            connectionTimeout="2" />
>
>


tomcat 8.5.29 AJP connector setup

2018-10-28 Thread Jose Torres
Hello,

I am running with configuration below, I like to know what parameters can
be use with tomcat AJP for a H.A. configuration.








Re: Apache 2.4 tomcat 8 setup problem

2018-08-27 Thread tomcat

Hi.
.. hmm, where to begin ? ...

Maybe first :
In your case, it looks like you may be more familiar with the configuration of Apache 
httpd, than with the configuration of mod_jk and of tomcat.

So just as a possible tip : there is an alternative, at the Apache httpd level, 
to mod_jk.
See here : http://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
The advantage is
a) that the configuration of the mod_proxy_ajp module is entirely in the httpd.conf 
configuration file, and requires no additional mod_jk specific files
b) that it avoids the usage of all these "Jk*" commands, which are often a bit less easy 
to use, in terms of how they combine with the other Apache httpd configuration directives.
c) that the mod_proxy_ajp configuration is much the same as for any other Apache httpd 
proxy module
d) that the mod_proxy_ajp is a part of the standard Apache httpd package, so you do not 
need to install anything extra. (mod_jk can be more difficult to get under some Linux 
versions).


Second, and only if you still prefer to use mod_jk :

1) from the configuration that you show below (and particularly the commented-out bits), 
it looks like you may have copied (or referred to) some pretty old documentation about how 
to do this, and that this documentation referred to very old (and probably outdated) 
versions of tomcat and/or mod_jk.


The correct and up-to-date documentation about mod_jk should be consulted here :
top : https://tomcat.apache.org/connectors-doc/
and in particular for you : 
https://tomcat.apache.org/connectors-doc/reference/apache.html

2) this is probably wrong :
>  JkMount /dimitros-apartments.gr/* ajp13_worker
>  JkMount /dimitros-apartments.gr ajp13_worker

The "dimitros-apartments.gr" part is the hostname, and should not be a part of the URIs 
which you proxy to tomcat via JkMount.
So if you really want, under Apache httpd, to proxy "everything" to the back-end tomcat, 
the following would be better and sufficient :


> JkMount /* ajp13_worker

(assuming that "ajp13_worker" is correctly defined and configured in a 
"workers.properties" file.)


3) it becomes a bit more complicated if you want to have some things delegated to tomcat, 
but you also want some other things to be served directly by your front-end Apache httpd.


But maybe let's start with the beginning, and make the appropriate choice for you between 
mod_jk and mod_proxy_ajp.


In any case, when you post your configuration again, make it easier for the people here, 
and remove the commented-out configuration lines. It is a bit difficult to read now, with 
all the comments.
(But thank you for posting the versions of Apache httpd and tomcat, and explaining the 
context and what you want to achieve; that really helps).





Apache 2.4 tomcat 8 setup problem

2018-08-27 Thread Χριστόφορος Κορυφίδης
I have an apache 2.4 on Debian Jessie and I host several sites as virtual hosts.
One of these sites is running on jsp so I have installed tomcat 8 and I
use mod_jk.

My virtual host configuration file for apache is:


AllowOverride None
Require all denied



ServerName dimitros-apartments.gr
ServerAlias www.dimitros-apartments.gr
#
#JkUriSet worker ajp13:localhost:8009
#
JkMount /dimitros-apartments.gr/* ajp13_worker
JkMount /dimitros-apartments.gr ajp13_worker

DocumentRoot /var/www/dimitros-apartments.gr/web
#DocumentRoot /var/lib/tomcat8/webapps/dimitros-apartments.gr
#   ApJServMount /servlet /ROOT
#   
#   Options None
#   Deny from all
#   
ServerAdmin ad...@dimitros-apartments.gr
ErrorLog /var/log/ispconfig/httpd/dimitros-apartments.gr/error.log
Alias /error/ "/var/www/dimitros-apartments.gr/web/error/"
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html





# Clear PHP settings of this website

SetHandler None

Options +FollowSymLinks +Indexes
AllowOverride None
Require all granted
   
   
# Clear PHP settings of this website

SetHandler None

 Options +FollowSymLinks +Indexes
AllowOverride None
Require all granted





# suexec enabled

SuexecUserGroup web12 client1

# php as fast-cgi enabled
# For config options see:
http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html

FcgidIdleTimeout 300
FcgidProcessLifeTime 3600
# FcgidMaxProcesses 1000
FcgidMaxRequestsPerProcess 5000
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 10
FcgidConnectTimeout 3
FcgidIOTimeout 600
FcgidBusyTimeout 3600
FcgidMaxRequestLen 1073741824

#
#   
#   SetHandler fcgid-script
#   
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php3
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php4
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php5
#   Options +ExecCGI
#   AllowOverride All
#
Require all granted
#   
#
#   
#   SetHandler fcgid-script
#   
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php3
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php4
#   FCGIWrapper
/var/www/php-fcgi-scripts/web12/.php-fcgi-starter .php5
#   Options +ExecCGI
#   AllowOverride All
#   Require all granted
#   
# add support for apache mpm_itk

AssignUserId web12 client1




Re: Clarification on Apache Tribes setup docs

2018-03-05 Thread Mark Thomas
On 03/03/18 05:50, Arumugam, Santhosh wrote:
> Hey there,
> 
> We are planning to implement Apache Tribes(on our Tomcat-7) in our network 
> for server to server communication.
> 
> I am looking at https://tomcat.apache.org/tomcat-7.0-doc/tribes/setup.html to 
> learn more about Apache Tribes, but it seems the documentation is not yet published. 
> Please correct me if I am looking at the wrong place, or if there is any material 
> available to learn more about it.
> 
> Appreciate your help on this!
> 
> Thanks & Regards,
> Santhosh A

You are looking in the right place. There isn't really any standalone
tribes documentation. The best information available at the moment is to
look at the Tomcat source code and see how it is used to support
clustering.

Mark




Clarification on Apache Tribes setup docs

2018-03-02 Thread Arumugam, Santhosh
Hey there,

We are planning to implement Apache Tribes(on our Tomcat-7) in our network for 
server to server communication.

I am looking at https://tomcat.apache.org/tomcat-7.0-doc/tribes/setup.html to 
learn more about Apache Tribes, but it seems the documentation is not yet published. 
Please correct me if I am looking at the wrong place, or if there is any material 
available to learn more about it.

Appreciate your help on this!

Thanks & Regards,
Santhosh A




Possibility of simplifying a UI vs services war setup

2018-02-21 Thread Alex O'Ree
Hi everyone, yet another email. I'm not too sure who to ask but I figured
the tomcat crew would be a good place to start. Maybe SO is more
appropriate

I have a two web app (war files) system, one containing just the UI and the
other containing a collection of CXF soap services and some rest services
and a web socket endpoint.

The UI basically contains a bunch of JSP files and web service clients
(mostly soap/jaxws) and talks to the services war. This basically means the
UI can reconnect to the same tomcat server and reauthenticate the same
user session.

Design decisions that got me to the setup
- i wanted the ability to run without the user interface
- i wanted to be able to run multiple service wars on multiple servers to
maintain high availability
- i wanted to be able to run the ui on a different server and use
application code to support failover/balancing between multiple instances
of the services war.

I'm open to revising/revisiting of these design decisions but at the time
they made sense. Anyhow, if you've made it this far, I did have a few
questions.

From the UI war, is there a way I can somehow get a reference to the
service implementation classes in the services war? It would save me the
time and expense of serializing xml and yet another authentication
challenge and tcp socket overhead. As far as I know, this shouldn't be
possible due to class loader isolation but maybe there is some other JNDI
based thing that would work.

I'm not sure how common of a problem this is but if anyone has a similar
setup, i'd be interested to see how you solved it. I also have the added
complexity of supporting both http client cert and username/password
setups, but that can be saved for another conversation.


RE: tomcat ssl setup

2017-09-28 Thread John Ellis


John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: Peter Kreuser [mailto:l...@kreuser.name] 
Sent: Wednesday, September 27, 2017 3:43 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

John,


> Am 27.09.2017 um 18:08 schrieb John Ellis <john.el...@lsgsolutions.com>:
> 
> 
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
> 
> 
> http://biz-e.io
> 
> 
> -Original Message-
> From: l...@kreuser.name [mailto:l...@kreuser.name] 
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
> 
> John,
> 
> 
> 
>> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>allowTrace="false"
>maxThreads="150"
>SSLEnabled="true"
>compression="off"
>scheme="https"
>server="Apache Tomcat"
>secure="true"
>defaultSSLHostConfigName="localhost" >
>hostName="localhost"
>honorCipherOrder="true"
>certificateVerification="none"
>protocols="TLSv1.2"
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>  certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>
>  
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
> 
> I use openssl to create the certs (as let’s encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> # genrsa takes no -subj; the subject goes on the CSR below
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 \
>   -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that's not necessary to get
> # it running
> 
> # you may need your own CA and a signing process to make this work in all browsers
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> 
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
> 
> # export key + cert as PKCS12 under alias "tomcat", then list it to confirm
> # the alias is a PrivateKeyEntry
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Re
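Two offline checks for the two failure modes in this thread and in the "port 8443" thread above: an SSLEnabled connector that names no key material (Chris's "where is your certificate configuration?") and a keystore alias that holds a trusted certificate instead of a private key (the "Cannot store non-PrivateKeys" error). This is an added example, not code from either thread; file names, the alias and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from either thread. Two offline checks for what the
# replies point at: an SSLEnabled connector that names no key material (the 8443
# thread's stock snippet), and a connector alias that is a trusted certificate
# rather than a private key (the "Cannot store non-PrivateKeys" thread). File
# names, the alias and the sample inputs below are constructed.
set -eu

# ssl_connectors_have_keys SERVER_XML
# Prints "ok" or "missing-keystore" per SSLEnabled="true" <Connector>; returns 1
# if any names neither keystoreFile=, certificateKeystoreFile= nor certificateFile=.
ssl_connectors_have_keys() {
  awk '
    /<Connector/ { buf = ""; inconn = 1 }
    inconn { buf = buf "\n" $0 }
    # an element ends at </Connector>, or at /> when no SSLHostConfig is nested
    inconn && (/<\/Connector>/ || (/\/>/ && buf !~ /<SSLHostConfig/)) {
      inconn = 0
      if (buf !~ /SSLEnabled="true"/) next
      if (buf ~ /(keystoreFile|certificateKeystoreFile|certificateFile)="/) print "ok"
      else { print "missing-keystore"; bad = 1 }
    }
    END { if (bad) exit 1 }' "$1"
}

# keystore_entry_type LISTING ALIAS
# LISTING is the text of `keytool -list -v -keystore FILE -storepass PASS`.
# Prints PrivateKeyEntry, trustedCertEntry, or "missing" if ALIAS is absent.
keystore_entry_type() {
  printf '%s\n' "$1" | awk -v alias="$2" '
    /^Alias name: / { cur = substr($0, 13) }
    /^Entry type: / && cur == alias { print $3; found = 1; exit }
    END { if (!found) print "missing" }'
}

# check_key_alias LISTING ALIAS: succeeds only if ALIAS holds a private key.
# A certificate imported on its own (keytool -importcert) is a trustedCertEntry,
# which a Connector cannot use; build the entry with openssl pkcs12 -export instead.
check_key_alias() {
  t=$(keystore_entry_type "$1" "$2")
  [ "$t" = "PrivateKeyEntry" ] && return 0
  echo "alias $2: $t, not a PrivateKeyEntry" >&2
  return 1
}

# tls_probe HOST PORT: 0 if a TLS handshake completes. The curl in the thread
# stalled at "Client hello", i.e. TCP was accepted but TLS never answered,
# which is why the replies point at the logs and the key configuration.
tls_probe() {
  cmd="openssl s_client -connect $1:$2 -servername $1"
  command -v timeout >/dev/null 2>&1 && cmd="timeout 10 $cmd"
  $cmd </dev/null 2>/dev/null | grep -q '^SSL-Session:'
}

# Constructed samples: the stock Tomcat 7 snippet, a Tomcat 8.5 style connector
# with a keystore, and a keytool listing with one key and one trusted cert.
sample_server_xml_no_keystore() {
  cat <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
</Service>
EOF
}
sample_server_xml_with_keystore() {
  cat <<'EOF'
<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig hostName="localhost" protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                   certificateKeystorePassword="changeit"
                   certificateKeyAlias="tomcat" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service>
EOF
}
sample_keytool_listing() {
  cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Sep 27, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: myca
Creation date: Sep 27, 2017
Entry type: trustedCertEntry
EOF
}
```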

RE: tomcat ssl setup

2017-09-28 Thread John Ellis


John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: Peter Kreuser [mailto:l...@kreuser.name] 
Sent: Wednesday, September 27, 2017 3:43 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

John,


> Am 27.09.2017 um 18:08 schrieb John Ellis <john.el...@lsgsolutions.com>:
> 
> 
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
> 
> 
> http://biz-e.io
> 
> 
> -Original Message-
> From: l...@kreuser.name [mailto:l...@kreuser.name] 
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
> 
> John,
> 
> 
> 
>> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>allowTrace="false"
>maxThreads="150"
>SSLEnabled="true"
>compression="off"
>scheme="https"
>server="Apache Tomcat"
>secure="true"
>defaultSSLHostConfigName=“ localhost” >
>hostName="localhost"
>honorCipherOrder="true"
>certificateVerification="none"
>protocols="TLSv1.2"
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>  certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>
>  
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
> 
> I use openssl to create the certs (as Let’s Encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> #there is more to it to get SAN extensions, but that’s not necessary to get it running
> 
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
> 
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
> 
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
>

Re: tomcat ssl setup

2017-09-27 Thread Peter Kreuser
John,


> Am 27.09.2017 um 18:08 schrieb John Ellis <john.el...@lsgsolutions.com>:
> 
> 
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
> 
> 
> http://biz-e.io
> 
> 
> -Original Message-
> From: l...@kreuser.name [mailto:l...@kreuser.name] 
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
> 
> John,
> 
> 
> 
>> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>allowTrace="false"
>maxThreads="150"
>SSLEnabled="true"
>compression="off"
>scheme="https"
>server="Apache Tomcat"
>secure="true"
>defaultSSLHostConfigName=“ localhost” >
>hostName="localhost"
>honorCipherOrder="true"
>certificateVerification="none"
>protocols="TLSv1.2"
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>  certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>
>  
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
> 
> I use openssl to create the certs (as Let’s Encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> #there is more to it to get SAN extensions, but that’s not necessary to get it running
> 
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
> 
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
> 
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Regards
> 
> Peter
> 
> Peter I have never seen entries in the "" part of the 
> server.xml file. Does that have to be in there for SSL to work in Tomcat?
> 
That's the way you define one Connector on one port with different certificates 
in TC 8.5 and 9.0.
I guess that's one of the important new features!
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
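The archive has stripped the element names out of the quoted server.xml, so here is the Tomcat 8.5/9.0 shape Peter is describing, as an added example that is not from the thread: one Connector on one port with two SSLHostConfig entries, each carrying its own Certificate. The keystore file, password and alias are the thread's; port 8443 is the port John was testing; the second hostname, its keystore path and the certificateKeystoreType attribute (set because the store comes from openssl pkcs12) are assumptions.

```xml
<!-- Added example, not from the thread. One TLS Connector serving two
     hostnames on port 8443; Tomcat selects the SSLHostConfig by the SNI
     name the client sends, or the default one when there is no match. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" allowTrace="false"
           defaultSSLHostConfigName="localhost">

  <!-- Must match the hostName of exactly one SSLHostConfig below -->
  <SSLHostConfig hostName="localhost"
                 protocols="TLSv1.2"
                 honorCipherOrder="true"
                 certificateVerification="none">
    <!-- jssecacerts was produced by "openssl pkcs12 -export -name tomcat",
         so the alias is "tomcat" and the store type is PKCS12, not JKS -->
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>

  <!-- Second name on the same port, different certificate (assumed values) -->
  <SSLHostConfig hostName="www.example.test"
                 protocols="TLSv1.2"
                 honorCipherOrder="true"
                 certificateVerification="none">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/example.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```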



RE: tomcat ssl setup

2017-09-27 Thread John Ellis


John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name] 
Sent: Tuesday, September 26, 2017 3:26 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

John,



> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
> 
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
> what Jira and/or Confluence would use so I did that and it worked fine on 
> http port of 8080. I then edited the server.xml file again for the SSL port 
> and got the same result as before; never gets to a webpage login using the 
> secure port of 8443 but I can still get the webpage on port 8080. When I look 
> at the Tomcat 8 Catalina log file I see several lines where it says- 
> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
> googling that error and found a couple of posts saying to change from JKS to 
> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
> for the algorithm. Can someone provide me with the proper keytool commands 
> that I need to use to create an SSL certificate for Tomcat?   
> 
> John Ellis
> 
> 405.285.2500 office
> 
> 


We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a 
dead horse, also SSL setup has changed quite a bit in 8.5/9.0.

So my setup is as follows:

server.xml:

 

 

  

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

I use openssl to create the certs (as Let’s Encrypt for an official cert will 
generate the same structure) and then convert to JKS:

openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
#there is more to it to get SAN extensions, but that’s not necessary to get it running

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
# you may need your own ca and a signing-process to make this work in all browsers

#Verify Server Cert
openssl x509 -in server.crt -text -noout

openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
keytool -list -v -keystore jssecacerts -storepass changeit


Hope this helps for a start.

Regards

Peter

Peter I have never seen entries in the "" part of the 
server.xml file. Does that have to be in there for SSL to work in Tomcat?












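An added example, not from the thread, that follows Peter's openssl steps but also adds the SAN extension his comment skips, and then checks the resulting jssecacerts the way a Tomcat Connector needs it: the alias must resolve to a private-key entry, or Tomcat will not bring up the 8443 connector. The work directory, hostname and key size are assumptions; the alias and password are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread. Produces server.key, server.crt and a
# PKCS12 keystore named jssecacerts under alias "tomcat" / password "changeit"
# (the values in Peter's Connector), then verifies the store holds a private
# key under that alias and that the cert carries a subjectAltName.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # assumption: scratch directory
HOST="${HOST:-localhost}"           # assumption: the name browsers will use
ALIAS="${ALIAS:-tomcat}"            # certificateKeyAlias in the Connector
STOREPASS="${STOREPASS:-changeit}"  # certificateKeystorePassword in the Connector

# Private key. genrsa takes no -subj; the subject belongs to the request/cert
# step. Left unencrypted so Tomcat needs no second password to open it.
# 2048 bits keeps the example fast; the thread uses 4096.
gen_key() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# Self-signed certificate with a subjectAltName, which browsers require for
# hostname matching (the CN alone is no longer consulted).
gen_cert() {
  cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = XX
O = XX
CN = $HOST
[v3_server]
subjectAltName = DNS:$HOST
extendedKeyUsage = serverAuth
EOF
  openssl req -new -x509 -sha256 -days 365 -config "$WORK/san.cnf" \
    -key "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Pack key and cert into one PKCS12 store under the alias Tomcat will look up.
export_p12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -name "$ALIAS" -out "$WORK/jssecacerts" -passout "pass:$STOREPASS"
}

build_keystore() {
  gen_key && gen_cert && export_p12
}

# Tomcat throws "KeyStoreException: Cannot store non-PrivateKeys" when the
# entry behind certificateKeyAlias is not a private key; this confirms the
# store actually contains one before the file is copied into conf/ssl.
p12_has_private_key() {
  openssl pkcs12 -in "$WORK/jssecacerts" -passin "pass:$STOREPASS" \
    -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# The PKCS12 friendlyName is what Tomcat matches against certificateKeyAlias.
p12_alias() {
  openssl pkcs12 -in "$WORK/jssecacerts" -passin "pass:$STOREPASS" \
    -nokeys 2>/dev/null | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# The DNS name carried in the certificate's subjectAltName.
cert_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null \
    | sed -n 's/^ *DNS://p' | head -n 1
}

if [ "${1:-}" = "run" ]; then
  build_keystore
  if p12_has_private_key; then
    echo "ok: private key under alias '$(p12_alias)', SAN DNS:$(cert_san)"
    echo "copy $WORK/jssecacerts to \$CATALINA_BASE/conf/ssl/ and restart Tomcat"
  else
    echo "no private key in $WORK/jssecacerts; Tomcat would reject this alias" >&2
    exit 1
  fi
fi
```

Run it as `sh make-keystore.sh run`; the same checks work on an existing jssecacerts by pointing WORK at its directory.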



Re: tomcat ssl setup

2017-09-26 Thread Konstantin Kolinko
2017-09-27 2:52 GMT+03:00 John Ellis :
> Mark I don't see where you wrote anything in this reply?

The rules:
http://tomcat.apache.org/lists.html#tomcat-users
-> 6. Top-posting is bad.

Mark posted a link to Webinar video on Youtube, from 2016 webinar series,
"TLS key/certificate generation"

Also available here:
http://tomcat.apache.org/presentations.html


>
> https://youtu.be/I6TbMqH9WFg
>
> Mark
>

Best regards,
Konstantin Kolinko




RE: tomcat ssl setup

2017-09-26 Thread John Ellis
Mark I don't see where you wrote anything in this reply?

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Tuesday, September 26, 2017 5:49 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: tomcat ssl setup

On 26 September 2017 20:26:58 BST, John Ellis <john.el...@lsgsolutions.com> 
wrote:
>Yesterday my boss suggested setting up Tomcat vers. 8 as he thought 
>this is what Jira and/or Confluence would use so I did that and it 
>worked fine on http port of 8080. I then edited the server.xml file 
>again for the SSL port and got the same result as before; never gets to 
>a webpage login using the secure port of 8443 but I can still get the 
>webpage on port 8080. When I look at the Tomcat 8 Catalina log file I 
>see several lines where it says- "java.security.KeyStoreException:
>Cannot store non-PrivateKeys". I have been googling that error and 
>found a couple of posts saying to change from JKS to JCEKS but when I 
>ran the commands I didn't have JKS in the command; only RSA for the 
>algorithm. Can someone provide me with the proper keytool commands that
>I need to use to create an SSL certificate for Tomcat?   
>
>John Ellis
>
>405.285.2500 office
>
>
>
>
>http://biz-e.io
>
>-Original Message-
>From: Mark Thomas [mailto:ma...@apache.org]
>Sent: Friday, September 22, 2017 2:20 PM
>To: Tomcat Users List <users@tomcat.apache.org>
>Subject: Re: tomcat ssl setup
>
>On 22/09/17 16:44, John Ellis wrote:
>> I have installed Tomcat 9.0.0.M27 on this test server but I still get
>the same result; when I try to connect to Tomcat on the secure port of
>8443 it just sits there and has a spinner up at the top of the browser 
>window but if I try to connect to it back on the non-secure port of
>8080 it works fine. Here is a Dropbox link to the server.xml file that 
>I edited-
>> 
>> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>> 
>> Here is a Dropbox link to the Catalina log file-
>> 
>>
>https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>> 
>> Thanks,
>> 
>> John Ellis
>
>How did you generate the key and certificate files?
>
>Mark
>

https://youtu.be/I6TbMqH9WFg

Mark





RE: tomcat ssl setup

2017-09-26 Thread Mark Thomas
On 26 September 2017 20:26:58 BST, John Ellis <john.el...@lsgsolutions.com> 
wrote:
>Yesterday my boss suggested setting up Tomcat vers. 8 as he thought
>this is what Jira and/or Confluence would use so I did that and it
>worked fine on http port of 8080. I then edited the server.xml file
>again for the SSL port and got the same result as before; never gets to
>a webpage login using the secure port of 8443 but I can still get the
>webpage on port 8080. When I look at the Tomcat 8 Catalina log file I
>see several lines where it says- "java.security.KeyStoreException:
>Cannot store non-PrivateKeys". I have been googling that error and
>found a couple of posts saying to change from JKS to JCEKS but when I
>ran the commands I didn't have JKS in the command; only RSA for the
>algorithm. Can someone provide me with the proper keytool commands that
>I need to use to create an SSL certificate for Tomcat?   
>
>John Ellis
>
>405.285.2500 office
>
>
>
>
>http://biz-e.io
>
>-Original Message-
>From: Mark Thomas [mailto:ma...@apache.org] 
>Sent: Friday, September 22, 2017 2:20 PM
>To: Tomcat Users List <users@tomcat.apache.org>
>Subject: Re: tomcat ssl setup
>
>On 22/09/17 16:44, John Ellis wrote:
>> I have installed Tomcat 9.0.0.M27 on this test server but I still get
>the same result; when I try to connect to Tomcat on the secure port of
>8443 it just sits there and has a spinner up at the top of the browser
>window but if I try to connect to it back on the non-secure port of
>8080 it works fine. Here is a Dropbox link to the server.xml file that
>I edited-
>> 
>> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>> 
>> Here is a Dropbox link to the Catalina log file-
>> 
>>
>https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>> 
>> Thanks,
>> 
>> John Ellis
>
>How did you generate the key and certificate files?
>
>Mark
>

https://youtu.be/I6TbMqH9WFg

Mark





RE: tomcat ssl setup

2017-09-26 Thread John Ellis
Yes I have run into that. I'm using an xml editor to check my work.

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name] 
Sent: Tuesday, September 26, 2017 3:32 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

G, I hate formatting in Mails...

Beware of “ when copying source code!

> Am 26.09.2017 um 22:25 schrieb l...@kreuser.name:
> 
> John,
> 
> 
> 
>> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>allowTrace="false"
>maxThreads="150"
>SSLEnabled="true"
>compression="off"
>scheme="https"
>server="Apache Tomcat"
>secure="true"
>    defaultSSLHostConfigName=“localhost” >
> 
>hostName="localhost"
>honorCipherOrder="true"
>certificateVerification="none"
>protocols="TLSv1.2"
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>  certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>
>  
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
> 
> I use openssl to create the certs (as Let’s Encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> #there is more to it to get SAN extensions, but that’s not necessary to get it running
> 
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
> 
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
> 
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Regards
> 
> Peter
> 
> 



Re: tomcat ssl setup

2017-09-26 Thread logo
G, I hate formatting in Mails...

Beware of “ when copying source code!

> Am 26.09.2017 um 22:25 schrieb l...@kreuser.name:
> 
> John,
> 
> 
> 
>> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>> 
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is 
>> what Jira and/or Confluence would use so I did that and it worked fine on 
>> http port of 8080. I then edited the server.xml file again for the SSL port 
>> and got the same result as before; never gets to a webpage login using the 
>> secure port of 8443 but I can still get the webpage on port 8080. When I 
>> look at the Tomcat 8 Catalina log file I see several lines where it says- 
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been 
>> googling that error and found a couple of posts saying to change from JKS to 
>> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA 
>> for the algorithm. Can someone provide me with the proper keytool commands 
>> that I need to use to create an SSL certificate for Tomcat?   
>> 
>> John Ellis
>> 
>> 405.285.2500 office
>> 
>> 
> 
> 
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride 
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
> 
> So my setup is as follows:
> 
> server.xml:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>allowTrace="false"
>maxThreads="150"
>SSLEnabled="true"
>compression="off"
>scheme="https"
>server="Apache Tomcat"
>secure="true"
>    defaultSSLHostConfigName=“localhost” >
> 
>hostName="localhost"
>honorCipherOrder="true"
>certificateVerification="none"
>protocols="TLSv1.2"
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>  certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>  certificateKeystorePassword="changeit"
>  certificateKeyAlias="tomcat"
>  type="RSA" />
>
>  
> 
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
> 
> I use openssl to create the certs (as Let’s Encrypt for an official cert will 
> generate the same structure) and then convert to JKS:
> 
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> #there is more to it to get SAN extensions, but that’s not necessary to get it running
> 
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
> 
> #Verify Server Cert
> openssl x509 -in server.crt -text -noout
> 
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
> 
> 
> Hope this helps for a start.
> 
> Regards
> 
> Peter
> 
> 