Re: APR connector questions
Daniel,

On 5/9/20 12:34, daniel@dell.com wrote:
> We want to use APR to call openssl also do with native to support FIPS mode in tomcat.
>
> Software info Tomcat/9.0.34 libtcnative-1-0-1.2.23-15.30.x86_64

Where did you get that? Is it tcnative-1.2.23? What about your APR version?

> configuration as below:
>
> connectionTimeout="6" maxKeepAliveRequests="150"
> SSLCertificateFile="*" SSLCertificateChainFile=""
> SSLCertificateKeyFile="*" compression="on"
> compressibleMimeType="text/html,text/xml,text/css,text/javascript,application/javascript"
> port="${bio.https.port}"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> scheme="https" secure="true" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8"/>
>
> When enable debug info in tomcat will see
>
> 09-May-2020 00:51:35.358 FINE [https-openssl-apr-8443-exec-1] org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.doClose Calling [org.apache.tomcat.util.net.AprEndpoint@4275c20c].closeSocket([org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@1efb5c3e:139622944367568])
> 09-May-2020 00:51:35.367 FINE [https-openssl-apr-8443-Poller] org.apache.tomcat.util.net.AprEndpoint$Poller.removeFromPoller Attempting to remove [139,622,944,367,568] from poller

Woah, that looks super weird.

> 09-May-2020 00:51:35.367 FINER [https-openssl-apr-8443-Poller] org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal Destroying socket [139,622,944,367,568]
> java.lang.Exception
>     at org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal(AprEndpoint.java:758)
>     at org.apache.tomcat.util.net.AprEndpoint.access$200(AprEndpoint.java:81)
>     at org.apache.tomcat.util.net.AprEndpoint$Poller.run(AprEndpoint.java:1338)
>     at java.base/java.lang.Thread.run(Thread.java:834)

Anything before that in the logs? I mean ... anything relevant?

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: APR connector questions
We want to use APR to call openssl also do with native to support FIPS mode in tomcat.

Software info Tomcat/9.0.34 libtcnative-1-0-1.2.23-15.30.x86_64

configuration as below:

When enable debug info in tomcat will see

09-May-2020 00:51:35.358 FINE [https-openssl-apr-8443-exec-1] org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.doClose Calling [org.apache.tomcat.util.net.AprEndpoint@4275c20c].closeSocket([org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@1efb5c3e:139622944367568])
09-May-2020 00:51:35.367 FINE [https-openssl-apr-8443-Poller] org.apache.tomcat.util.net.AprEndpoint$Poller.removeFromPoller Attempting to remove [139,622,944,367,568] from poller
09-May-2020 00:51:35.367 FINER [https-openssl-apr-8443-Poller] org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal Destroying socket [139,622,944,367,568]
java.lang.Exception
    at org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal(AprEndpoint.java:758)
    at org.apache.tomcat.util.net.AprEndpoint.access$200(AprEndpoint.java:81)
    at org.apache.tomcat.util.net.AprEndpoint$Poller.run(AprEndpoint.java:1338)
    at java.base/java.lang.Thread.run(Thread.java:834)

BRs
Dan

-Original Message-
From: Christopher Schultz
Sent: Friday, May 8, 2020 10:37 PM
To: users@tomcat.apache.org
Subject: Re: APR connector questions

Daniel,

On 5/8/20 04:25, daniel@dell.com wrote:
> We are changing from Nio connector to APR connector to enable FIPS
> mode in tomcat. But we hit tomcat hang issue, ssl handshake no
> response when run long time. So many close_wait in netstat output.
> Do you have any advice about that issue?

Can you please post your configuration? Remember to remove any secrets that may be in there.

You may be interested to know that FIPS is available through Java, though not through Sun's JSSE provider.

https://stackoverflow.com/questions/5046482/which-jce-providers-are-fips-140-2-compliant

You may also be interested in the fact that FIPS mode doesn't really offer any additional security. In certain cases, it may reduce your security because of the various required-supported algorithms which, honestly, should never be used in production.

-chris
Re: APR connector questions
Daniel,

On 5/8/20 04:25, daniel@dell.com wrote:
> We are changing from Nio connector to APR connector to enable FIPS
> mode in tomcat. But we hit tomcat hang issue, ssl handshake no
> response when run long time. So many close_wait in netstat output.
> Do you have any advice about that issue?

Can you please post your configuration? Remember to remove any secrets that may be in there.

You may be interested to know that FIPS is available through Java, though not through Sun's JSSE provider.

https://stackoverflow.com/questions/5046482/which-jce-providers-are-fips-140-2-compliant

You may also be interested in the fact that FIPS mode doesn't really offer any additional security. In certain cases, it may reduce your security because of the various required-supported algorithms which, honestly, should never be used in production.

-chris
RE: APR connector questions
Dear experts:

Nowadays, we are changing from Nio connector to APR connector to enable FIPS mode in tomcat. But we hit tomcat hang issue, ssl handshake no response when run long time. So many close_wait in netstat output. Do you have any advice about that issue?

BRs
Dan
Re: APR libs present but not found
John,

On 9/10/19 14:20, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> I needed to build the APR libs from source as there was no rpm in
> yum, but the default directory where the libs were placed was not
> in the Java path, and so once I noticed that and added that
> directory to the path in setenv.sh APR is found and used.

AFAIK, all yum repos contain a package for libapr. You should not have had to build from source.

Actually, most repos also include a package for libtcnative, so you can probably avoid building anything yourself.

-chris
RE: APR libs present but not found
Hi Christopher,

I needed to build the APR libs from source as there was no rpm in yum, but the default directory where the libs were placed was not in the Java path, and so once I noticed that and added that directory to the path in setenv.sh APR is found and used.

Thanks
-John

-Original Message-
From: Christopher Schultz
Sent: Friday, September 6, 2019 2:37 PM
To: users@tomcat.apache.org
Subject: Re: APR libs present but not found

John,

On 9/6/19 16:51, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> Hello,
>
> I installed the following RPMs via Yum for OpenSSL support
>
> RHEL 7.4
> apr.i686            1.4.8-3.el7_4.1
> apr.x86_64          1.4.8-3.el7_4.1
> apr-devel.i686      1.4.8-3.el7_4.1
> apr-devel.x86_64    1.4.8-3.el7_4.1
>
> When I test with Tomcat 7.x or 9.x the log notes the APR native libs
> could not be found in the java library path, when they are in the java
> library path located at /lib64 and /lib in the OS file system.
>
> What am I missing?

Can you post the startup log where Tomcat says it "cannot find the APR library"? It should include the set of paths it's checking for those files.

Note that both the APR connector AND the OpenSSL-based JSSE connector require both libtcnative and libapr in the library path.

-chris
Re: APR libs present but not found
John,

On 9/6/19 16:51, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> Hello,
>
> I installed the following RPMs via Yum for OpenSSL support
>
> RHEL 7.4
> apr.i686            1.4.8-3.el7_4.1
> apr.x86_64          1.4.8-3.el7_4.1
> apr-devel.i686      1.4.8-3.el7_4.1
> apr-devel.x86_64    1.4.8-3.el7_4.1
>
> When I test with Tomcat 7.x or 9.x the log notes the APR native
> libs could not be found in the java library path, when they are in
> the java library path located at /lib64 and /lib in the OS file
> system.
>
> What am I missing?

Can you post the startup log where Tomcat says it "cannot find the APR library"? It should include the set of paths it's checking for those files.

Note that both the APR connector AND the OpenSSL-based JSSE connector require both libtcnative and libapr in the library path.

-chris
Re: APR 1.2.21 with Apache Tomcat 8.5.37
On 04/02/2019 09:37, M. Manna wrote:
> Hello,
>
> Is it okay to replace 1.2.19 (packed with Tomcat 8.5.37 Windows 64 bit)
> with the newly released version 1.2.21?

Yes.

Mark
Re: APR/native error on tomcat 8.5.16
On 25/04/18 13:34, M. Manna wrote:
> I needed to mask out certain information before I could send you the full
> stack trace. Here is the full version:

OK. That looks like a normal ClientAbortException.

This doesn't look like Tomcat's logging. It looks like application logging. I think you need to look at the application's exception handling.

Mark

>
> INFO | jvm 1| 2018/04/25 05:37:38 | org.apache.catalina.connector.ClientAbortException: java.io.IOException: Unexpected error [730,054] writing data to the APR/native socket [953,181,632] with wrapper [org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@3685e06d:953181632].
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:356)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.flushByteBuffer(OutputBuffer.java:815)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:310)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:284)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:118)
> INFO | jvm 1| 2018/04/25 05:37:38 | at lsajdflslsjdfServlet.doPost(lsajdflslsjdfServlet.java:161)
> INFO | jvm 1| 2018/04/25 05:37:38 | at lsajdflslsjdfServlet.doGet(lsajdflslsjdfServlet.java:36)
> INFO | jvm 1| 2018/04/25 05:37:38 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
> INFO | jvm 1| 2018/04/25 05:37:38 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> INFO | jvm 1| 2018/04/25 05:37:38 | at lsajdflslsjdfFilter.doFilter(lsajdflslsjdfFilter.java:26)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2298)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> INFO | jvm 1| 2018/04/25 05:37:38 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> INFO | jvm 1| 2018/04/25 05:37:38 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> INFO | jvm 1| 2018/04/25 05:37:38 | at java.lang.Thread.run(Thread.java:745)
> INFO |
Re: APR/native error on tomcat 8.5.16
Hi Mark,

Thanks for clarifying. Apologies as I truly meant to say "Client dropped the connection". So once again, thanks for pointing that out.

I needed to mask out certain information before I could send you the full stack trace. Here is the full version:

INFO | jvm 1| 2018/04/25 05:37:38 | org.apache.catalina.connector.ClientAbortException: java.io.IOException: Unexpected error [730,054] writing data to the APR/native socket [953,181,632] with wrapper [org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@3685e06d:953181632].
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:356)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.flushByteBuffer(OutputBuffer.java:815)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:310)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:284)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:118)
INFO | jvm 1| 2018/04/25 05:37:38 | at lsajdflslsjdfServlet.doPost(lsajdflslsjdfServlet.java:161)
INFO | jvm 1| 2018/04/25 05:37:38 | at lsajdflslsjdfServlet.doGet(lsajdflslsjdfServlet.java:36)
INFO | jvm 1| 2018/04/25 05:37:38 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
INFO | jvm 1| 2018/04/25 05:37:38 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
INFO | jvm 1| 2018/04/25 05:37:38 | at lsajdflslsjdfFilter.doFilter(lsajdflslsjdfFilter.java:26)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2298)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
INFO | jvm 1| 2018/04/25 05:37:38 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
INFO | jvm 1| 2018/04/25 05:37:38 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
INFO | jvm 1| 2018/04/25 05:37:38 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
INFO | jvm 1| 2018/04/25 05:37:38 | at java.lang.Thread.run(Thread.java:745)
INFO | jvm 1| 2018/04/25 05:37:38 | Caused by: java.io.IOException: Unexpected error [730,054] writing data to the APR/native socket [953,181,632] with wrapper [org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@3685e06d:953181632].
INFO |
Re: APR/native error on tomcat 8.5.16
On 25/04/18 11:18, M. Manna wrote:
> Hello,

> But from the above stack trace it seems as though the
> socket cannot handle the size of the data being transferred.

That is not correct. What you are seeing is an I/O exception as a result of the client dropping the connection.

> We did a controlled restart of individual servers to remove any possibility
> for IO contention, but that didn't result into anything better.
>
> Has anyone seen this behaviour or remediated it ? Also, will this issue
> occur with Tomcat 8.5.28 and APR 1.2.16 ?

You should upgrade regardless. A later version may not log this exception by default but since you did not provide the full stack trace, we can't tell.

Mark
Re: apr
Chris,

On 10/31/17 12:18 PM, Cheltenham, Chris wrote:
> I will need some help here.
>
> How do I generate a stack trace?

If you are getting an exception in the log file, I'd expect a stack trace to accompany it. Something that looks like this:

org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
Caused by: java.foo.BarException
on Foo.java line 25
on Bar.java line 52
...

It's possible that this particular error doesn't generate a stack trace. If that's the case, we might need to fix that and get you a custom version of Tomcat that produces more information. For example, from the error message, I have no idea what function is being attempted by that particular part of the code.

> TCAT 8.5.23

Are you using Apache Tomcat or are you using TCAT server (a product from MuleSoft)?

> Many times I rely on stackoverflow or some web site but too often
> they are usually half assed explanations. Or quarter assed.

Error code 70023 = APR_OS_START_ERROR (2) + APR_OS_ERRSPACE_SIZE (5) + 23 which is likely the "real error" here[1].

APR error 23 is "APR_EABOVEROOT" which has no documentation[2], but which points to this definition[3]:

"
#define APR_STATUS_IS_EABOVEROOT (s) ((s) == APR_EABOVEROOT)

The given path was above the root path.
"

So... how about that configuration?

> Listener is default assuming you are referring to server.xml.

Hmm. Maybe the problem is with a TLS-enabled with some paths in it? Can you please post any APR-based s you have, with any secrets removed?

> I do not think FIPS is necessary , no.

Okay.

> I believe that is some federal govt standard?

Yes, it's a (mostly useless IMO) US federal standard that mandates the use of certain algorithms and also requires that the code being used be certified and self-certifying on startup.

At first, I thought you might be having a problem entering FIPS mode, but that seems unlikely given what I uncovered above.

-chris

[1] https://apr.apache.org/docs/apr/1.6/group__apr__errno.html#ga191894048b7bd0cca3cf0bdff1eb695b
and
https://apr.apache.org/docs/apr/1.6/group__apr__errno.html#gadb8d97e6836ccdc57b43b6119a5acccf
[2] https://apr.apache.org/docs/apr/1.6/group___a_p_r___error.html#ga4828cc04f97dc7bed691456adf7c073e
[3] https://apr.apache.org/docs/apr/1.6/group___a_p_r___s_t_a_t_u_s___i_s.html#ga641527647de2537c1946a0b2ef07e411
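The numeric codes quoted in this thread (70023 here, 730,054 in the Tomcat 8.5.16 thread above) are APR status values, which apr_errno.h divides into fixed ranges. The following is an added example, not code from Tomcat, APR or any poster: it strips the grouping commas Tomcat prints and splits a code into range and offset. The range constants carry the values apr_errno.h defines; the symbol table is a hand-picked subset, and the Winsock names assume a Windows host.

```c
/* Added example: split an APR status code into its apr_errno.h range and offset. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Range bases, with the values apr_errno.h gives them. */
#define APR_OS_START_ERROR    20000L
#define APR_OS_ERRSPACE_SIZE  50000L
#define APR_OS_START_STATUS   (APR_OS_START_ERROR + APR_OS_ERRSPACE_SIZE)
#define APR_OS_START_USERERR  (APR_OS_START_STATUS + APR_OS_ERRSPACE_SIZE)
#define APR_OS_START_CANONERR (APR_OS_START_USERERR + APR_OS_ERRSPACE_SIZE * 10)
#define APR_OS_START_EAIERR   (APR_OS_START_CANONERR + APR_OS_ERRSPACE_SIZE)
#define APR_OS_START_SYSERR   (APR_OS_START_EAIERR + APR_OS_ERRSPACE_SIZE)

typedef struct { long value; const char *name; } named_value;

/* Highest base first, so the first base not above the code is its range. */
static const named_value RANGES[] = {
    { APR_OS_START_SYSERR,   "APR_OS_START_SYSERR"   },  /* 720000 */
    { APR_OS_START_EAIERR,   "APR_OS_START_EAIERR"   },  /* 670000 */
    { APR_OS_START_CANONERR, "APR_OS_START_CANONERR" },  /* 620000 */
    { APR_OS_START_USERERR,  "APR_OS_START_USERERR"  },  /* 120000 */
    { APR_OS_START_STATUS,   "APR_OS_START_STATUS"   },  /*  70000 */
    { APR_OS_START_ERROR,    "APR_OS_START_ERROR"    },  /*  20000 */
};

/* Hand-picked subset of named codes; anything else decodes with an empty symbol. */
static const named_value KNOWN[] = {
    { APR_OS_START_ERROR  + 23, "APR_EABOVEROOT" },
    { APR_OS_START_STATUS + 7,  "APR_TIMEUP"     },
    { APR_OS_START_STATUS + 14, "APR_EOF"        },
    { APR_OS_START_STATUS + 23, "APR_ENOTIMPL"   },
    /* Assumption: Windows host, where APR reports OS errors as
       APR_OS_START_SYSERR + the Winsock/Win32 error number. */
    { APR_OS_START_SYSERR + 10053, "WSAECONNABORTED" },
    { APR_OS_START_SYSERR + 10054, "WSAECONNRESET"   },
    { APR_OS_START_SYSERR + 10060, "WSAETIMEDOUT"    },
};

typedef struct {
    long status;         /* the full numeric status */
    const char *range;   /* name of the range base it falls under */
    long offset;         /* status minus that base */
    const char *symbol;  /* known constant name, or "" */
} apr_decoded;

/* Read the first number in text, ignoring grouping commas ("[730,054]").
   Returns -1 when the text contains no digits. */
long parse_status(const char *text)
{
    long value = 0;
    int seen = 0;
    for (; *text; text++) {
        if (isdigit((unsigned char)*text)) {
            value = value * 10 + (*text - '0');
            seen = 1;
        } else if (seen && *text != ',') {
            break;  /* first non-digit, non-comma after the number ends it */
        }
    }
    return seen ? value : -1;
}

apr_decoded apr_decode(long status)
{
    /* Codes below APR_OS_START_ERROR are plain errno values. */
    apr_decoded d = { status, "errno", status, "" };
    size_t i;
    for (i = 0; i < sizeof RANGES / sizeof RANGES[0]; i++) {
        if (status >= RANGES[i].value) {
            d.range = RANGES[i].name;
            d.offset = status - RANGES[i].value;
            break;
        }
    }
    for (i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++) {
        if (KNOWN[i].value == status) {
            d.symbol = KNOWN[i].name;
        }
    }
    return d;
}

int main(void)
{
    /* Constructed inputs: the two codes quoted on this page, as the logs print them. */
    const char *samples[] = {
        "70023: This function has not been implemented on this platform",
        "Unexpected error [730,054] writing data to the APR/native socket",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        apr_decoded d = apr_decode(parse_status(samples[i]));
        printf("%ld = %s + %ld %s\n", d.status, d.range, d.offset, d.symbol);
    }
    return 0;
}
```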
RE: apr
Mark,

It's the openssl that comes with CentOS 7 so I'm sure it's old. RHEL is usually several versions behind the bleeding edge.

It is 1.0.2 k; it's relatively new and should be ok.

===
Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 31, 2017 12:47 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: apr

On 31/10/17 14:41, Cheltenham, Chris wrote:
> Thanks Mark , but where in the error logs do you see I am building
> against 1.0.1?

> 31-Oct-2017 10:40:15.250 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
> org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

That is what this suggests to me.

I guess it is also possible that 1.0.2 has been compiled with non-default options that excludes features Tomcat needs. I haven't dug into the source to see.

Mark
Re: apr
On 31/10/17 14:41, Cheltenham, Chris wrote:
> Thanks Mark , but where in the error logs do you see I am building against
> 1.0.1?

> 31-Oct-2017 10:40:15.250 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
> org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

That is what this suggests to me.

I guess it is also possible that 1.0.2 has been compiled with non-default options that excludes features Tomcat needs. I haven't dug into the source to see.

Mark
RE: apr
Chris , I do not think FIPS is necessary , no. I believe that is some federal govt standard? Listener is default assuming you are referring to server.xml. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, October 31, 2017 11:48 AM To: users@tomcat.apache.org Subject: Re: apr -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 10/31/17 10:41 AM, Cheltenham, Chris wrote: > Thanks Mark , but where in the error logs do you see I am building > against 1.0.1? > > 31-Oct-2017 10:40:15.243 INFO [main] > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded > APR based Apache Tomcat Native library [1.2.14] using APR version > [1.6.3]. Thanks for posting this. It was missing from your initial post. It's always best to confirm that the software agrees with your expectations : ) > 31-Oct-2017 10:40:15.243 INFO [main] > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR > capabilities: IPv6 [true], sendfile [true], accept filters [false], > random [true]. 31-Oct-2017 10:40:15.248 INFO [main] > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent > APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true] > 31-Oct-2017 10:40:15.250 SEVERE [main] > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to > initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023: > This function has not been implemented on this platform Is there no stack trace? Are you expecting to use FIPS? What does your listener configuration look like? 
-chris
RE: apr
I will need some help here.

How do I generate a stack trace?

TCAT 8.5.23

Many times I rely on stackoverflow or some web site but too often they are usually half assed explanations. Or quarter assed.

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, October 31, 2017 11:48 AM
To: users@tomcat.apache.org
Subject: Re: apr

Chris,

On 10/31/17 10:41 AM, Cheltenham, Chris wrote:
> Thanks Mark, but where in the error logs do you see I am building
> against 1.0.1?
>
> 31-Oct-2017 10:40:15.243 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
> APR based Apache Tomcat Native library [1.2.14] using APR version
> [1.6.3].

Thanks for posting this. It was missing from your initial post. It's always best to confirm that the software agrees with your expectations : )

> 31-Oct-2017 10:40:15.243 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. 31-Oct-2017 10:40:15.248 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> 31-Oct-2017 10:40:15.250 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023:
> This function has not been implemented on this platform

Is there no stack trace?

Are you expecting to use FIPS? What does your listener configuration look like?
-chris
Re: apr
Chris,

On 10/31/17 10:41 AM, Cheltenham, Chris wrote:
> Thanks Mark, but where in the error logs do you see I am building
> against 1.0.1?
>
> 31-Oct-2017 10:40:15.243 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
> APR based Apache Tomcat Native library [1.2.14] using APR version
> [1.6.3].

Thanks for posting this. It was missing from your initial post. It's always best to confirm that the software agrees with your expectations : )

> 31-Oct-2017 10:40:15.243 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. 31-Oct-2017 10:40:15.248 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL
> [true] 31-Oct-2017 10:40:15.250 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed
> to initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023:
> This function has not been implemented on this platform

Is there no stack trace?

Are you expecting to use FIPS? What does your listener configuration look like?
-chris
RE: apr
Thanks Mark, but where in the error logs do you see I am building against 1.0.1?

31-Oct-2017 10:40:15.243 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.14] using APR version [1.6.3].
31-Oct-2017 10:40:15.243 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
31-Oct-2017 10:40:15.248 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
31-Oct-2017 10:40:15.250 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 31, 2017 10:08 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: apr

On 31/10/17 12:19, Cheltenham, Chris wrote:
> Mark,
>
> I am not sure what you are saying.
>
> I tried apr 1.4.8 through 1.6.2
> With
> Tnative 1.1.16 through 1.2.14
>
> I get the same openssl error every time.
>
> I am using CentOS's install and its 1.0.2k FIPS
>
> I appreciate your help but I don't understand what you are trying to
> tell me.

It appears that you aren't building against the OpenSSL version you think you are. It looks like you are building against OpenSSL 1.0.1 or earlier. I can't think of any other reason for you to see the error message you are seeing.

Other than that, concentrate on using the latest APR and Tomcat Native.
Mark

> ===
> Thank You;
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, October 31, 2017 3:24 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: apr
>
> On 30/10/2017 17:49, Cheltenham, Chris wrote:
>> Hello Everyone,
>>
>> Using OpenSSL 1.0.2k-fips
>>
>> I am trying to install the apr.
>>
>> I used several different versions of APR 1.4 through 1.6
>>
>> Then I compiled tnative 1.1.16, 1.2.x
>
> The latest release of the 1.1.x line is 1.1.34.
>
> Given 1.2.x is a drop-in replacement for 1.1.x and that 1.1.x is
> unlikely to see another release, everyone should be using 1.2.x at this
> point.
>
>> When I start tomcat I get the same message each time.
>>
>> 30-Oct-2017 12:51:14.602 INFO [main]
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> APR/OpenSSL
>> configuration: useAprConnector [false], useOpenSSL [true]
>>
>> 30-Oct-2017 12:51:14.605 SEVERE [main]
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed
>> to initialize the SSLEngine.
>>
>> org.apache.tomcat.jni.Error: 70023: This function has not been
>> implemented on this platform
>
> That looks like an OpenSSL version prior to 1.0.2 is being used.
>
> Mark
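The four AprLifecycleListener lines posted in this message are enough to separate "tcnative never loaded" from "tcnative loaded, but SSLEngine initialisation returned 70023". The Python below is an added example, not code from the thread or from Tomcat; the function names and finding codes are made up for illustration, and 70023 is decoded as APR_ENOTIMPL from APR's apr_errno.h.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# APR status codes start at APR_OS_START_STATUS (apr_errno.h); 70023 is APR_ENOTIMPL.
APR_OS_START_STATUS = 70000
APR_ENOTIMPL = APR_OS_START_STATUS + 23

# The startup lines posted in the thread, re-joined to one log record per line.
THREAD_LOG = """\
31-Oct-2017 10:40:15.243 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.14] using APR version [1.6.3].
31-Oct-2017 10:40:15.243 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
31-Oct-2017 10:40:15.248 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
31-Oct-2017 10:40:15.250 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
"""

# Constructed sample: an older tcnative build reported in the same message format.
OLD_TCNATIVE_LOG = (
    "30-Oct-2017 12:51:14.600 INFO [main] org.apache.catalina.core."
    "AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat "
    "Native library [1.1.16] using APR version [1.4.8]."
)

LOADED = re.compile(
    r"Loaded APR based Apache Tomcat Native library \[([^\]]+)\] "
    r"using APR version \[([^\]]+)\]")
FLAG = re.compile(r"(\w[\w ]*?) \[(true|false)\]")
JNI_ERROR = re.compile(r"org\.apache\.tomcat\.jni\.Error: (\d+): (.*)")
SECTIONS = {"APR capabilities:": "capabilities",
            "APR/OpenSSL configuration:": "config"}

# Hypothetical finding codes with the follow-up each one calls for.
EXPLAIN = {
    "TCNATIVE_NOT_LOADED": "No 'Loaded APR based ...' line: the native library "
                           "was not found or not loaded; check java.library.path.",
    "TCNATIVE_1_1_LINE": "tcnative 1.1.x is loaded; the replies recommend 1.2.x.",
    "SSL_INIT_ENOTIMPL": "tcnative loaded, but SSLEngine init returned APR_ENOTIMPL: "
                         "check which OpenSSL libtcnative was built and linked "
                         "against (e.g. with ldd) and whether the listener asks "
                         "for FIPS mode.",
    "SSL_INIT_FAILED": "SSLEngine init failed with another status; read the "
                       "stack trace that follows the SEVERE line.",
}


@dataclass
class AprStartup:
    tcnative: Optional[str] = None
    apr: Optional[str] = None
    capabilities: Dict[str, bool] = field(default_factory=dict)
    config: Dict[str, bool] = field(default_factory=dict)
    ssl_init_failed: bool = False
    jni_error: Optional[int] = None
    jni_message: Optional[str] = None


def parse_startup(text: str) -> AprStartup:
    """Collect what AprLifecycleListener reported during startup."""
    s = AprStartup()
    for line in text.splitlines():
        m = LOADED.search(line)
        if m:
            s.tcnative, s.apr = m.groups()
        for marker, attr in SECTIONS.items():
            if marker in line:
                tail = line.split(marker, 1)[1]
                getattr(s, attr).update(
                    {name: value == "true" for name, value in FLAG.findall(tail)})
        if "Failed to initialize the SSLEngine" in line:
            s.ssl_init_failed = True
        # The jni.Error text may share the SEVERE line or follow on the next one.
        m = JNI_ERROR.search(line)
        if m and s.ssl_init_failed and s.jni_error is None:
            s.jni_error, s.jni_message = int(m.group(1)), m.group(2).strip()
    return s


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in re.findall(r"\d+", version))


def diagnose(s: AprStartup) -> List[str]:
    """Return finding codes (keys of EXPLAIN) for one parsed startup."""
    if s.tcnative is None:
        return ["TCNATIVE_NOT_LOADED"]
    findings = []
    if version_tuple(s.tcnative)[:2] < (1, 2):
        findings.append("TCNATIVE_1_1_LINE")
    if s.ssl_init_failed:
        findings.append("SSL_INIT_ENOTIMPL" if s.jni_error == APR_ENOTIMPL
                        else "SSL_INIT_FAILED")
    return findings


if __name__ == "__main__":
    for code in diagnose(parse_startup(THREAD_LOG)):
        print(code, "-", EXPLAIN[code])
```
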
Re: apr
On 31/10/17 12:19, Cheltenham, Chris wrote:
> Mark,
>
> I am not sure what you are saying.
>
> I tried apr 1.4.8 through 1.6.2
> With
> Tnative 1.1.16 through 1.2.14
>
> I get the same openssl error every time.
>
> I am using CentOS's install and its 1.0.2k FIPS
>
> I appreciate your help but I don't understand what you are trying to tell
> me.

It appears that you aren't building against the OpenSSL version you think you are. It looks like you are building against OpenSSL 1.0.1 or earlier. I can't think of any other reason for you to see the error message you are seeing.

Other than that, concentrate on using the latest APR and Tomcat Native.

Mark

> ===
> Thank You;
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, October 31, 2017 3:24 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: apr
>
> On 30/10/2017 17:49, Cheltenham, Chris wrote:
>> Hello Everyone,
>>
>> Using OpenSSL 1.0.2k-fips
>>
>> I am trying to install the apr.
>>
>> I used several different versions of APR 1.4 through 1.6
>>
>> Then I compiled tnative 1.1.16, 1.2.x
>
> The latest release of the 1.1.x line is 1.1.34.
>
> Given 1.2.x is a drop-in replacement for 1.1.x and that 1.1.x is unlikely
> to see another release, everyone should be using 1.2.x at this point.
>
>> When I start tomcat I get the same message each time.
>>
>> 30-Oct-2017 12:51:14.602 INFO [main]
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> APR/OpenSSL
>> configuration: useAprConnector [false], useOpenSSL [true]
>>
>> 30-Oct-2017 12:51:14.605 SEVERE [main]
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
>> initialize the SSLEngine.
>>
>> org.apache.tomcat.jni.Error: 70023: This function has not been
>> implemented on this platform
>
> That looks like an OpenSSL version prior to 1.0.2 is being used.
>
> Mark
RE: apr
Mark,

I am not sure what you are saying.

I tried apr 1.4.8 through 1.6.2
With
Tnative 1.1.16 through 1.2.14

I get the same openssl error every time.

I am using CentOS's install and its 1.0.2k FIPS

I appreciate your help but I don't understand what you are trying to tell me.

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 31, 2017 3:24 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: apr

On 30/10/2017 17:49, Cheltenham, Chris wrote:
> Hello Everyone,
>
> Using OpenSSL 1.0.2k-fips
>
> I am trying to install the apr.
>
> I used several different versions of APR 1.4 through 1.6
>
> Then I compiled tnative 1.1.16, 1.2.x

The latest release of the 1.1.x line is 1.1.34.

Given 1.2.x is a drop-in replacement for 1.1.x and that 1.1.x is unlikely to see another release, everyone should be using 1.2.x at this point.

> When I start tomcat I get the same message each time.
>
> 30-Oct-2017 12:51:14.602 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR/OpenSSL
> configuration: useAprConnector [false], useOpenSSL [true]
>
> 30-Oct-2017 12:51:14.605 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.
>
> org.apache.tomcat.jni.Error: 70023: This function has not been
> implemented on this platform

That looks like an OpenSSL version prior to 1.0.2 is being used.

Mark
Re: apr
On 30/10/2017 17:49, Cheltenham, Chris wrote:
> Hello Everyone,
>
> Using OpenSSL 1.0.2k-fips
>
> I am trying to install the apr.
>
> I used several different versions of APR 1.4 through 1.6
>
> Then I compiled tnative 1.1.16, 1.2.x

The latest release of the 1.1.x line is 1.1.34.

Given 1.2.x is a drop-in replacement for 1.1.x and that 1.1.x is unlikely to see another release, everyone should be using 1.2.x at this point.

> When I start tomcat I get the same message each time.
>
> 30-Oct-2017 12:51:14.602 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> configuration: useAprConnector [false], useOpenSSL [true]
>
> 30-Oct-2017 12:51:14.605 SEVERE [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> initialize the SSLEngine.
>
> org.apache.tomcat.jni.Error: 70023: This function has not been
> implemented on this platform

That looks like an OpenSSL version prior to 1.0.2 is being used.

Mark
RE: apr
Ok this is NOT windows ..

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: marcus presley [mailto:marcus_pres...@hotmail.com]
Sent: Monday, October 30, 2017 3:17 PM
To: users@tomcat.apache.org
Subject: Re: apr

Hi Chris,

Did you recompile APR with FIPS? You must completely compile tcnative.dll.

Marcus

From: Cheltenham, Chris <ccheltenham-...@philasd.org>
Sent: Monday, October 30, 2017 1:49 PM
To: users@tomcat.apache.org
Subject: apr

Hello Everyone,

Using OpenSSL 1.0.2k-fips

I am trying to install the apr.

I used several different versions of APR 1.4 through 1.6

Then I compiled tnative 1.1.16, 1.2.x

When I start tomcat I get the same message each time.

30-Oct-2017 12:51:14.602 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]

30-Oct-2017 12:51:14.605 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.

org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571
Re: apr
Hi Chris,

Did you recompile APR with FIPS? You must completely compile tcnative.dll.

Marcus

From: Cheltenham, Chris
Sent: Monday, October 30, 2017 1:49 PM
To: users@tomcat.apache.org
Subject: apr

Hello Everyone,

Using OpenSSL 1.0.2k-fips

I am trying to install the apr.

I used several different versions of APR 1.4 through 1.6

Then I compiled tnative 1.1.16, 1.2.x

When I start tomcat I get the same message each time.

30-Oct-2017 12:51:14.602 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]

30-Oct-2017 12:51:14.605 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.

org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571
Re: apr library
Anibal,

On 7/22/17 11:30 AM, Anibal Alvarez Alvarez wrote:
> Hi. When I run a .jsp file, in the console I can read <[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> La biblioteca nativa de Apache Tomcat basada en ARP que permite un
> rendimiento óptimo en entornos de desarrollo no ha sido hallada en
> java.library.path:
> /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib>>
>
> How can I set this path *"/usr/share/apr/lib"* into the
> *java.library.path*?
>
> I've tried to add it up at eclipse.ini like: ... -vm
> -Djava.library.path="${workspace_loc:project}/lib;${env_var:PATH};/usr/local/apr/lib"
>
> ...
> but I'm still getting the message above.
>
> I've read *this solution* at the attached file, but I don't want
> to configure the build-path each time and every project.

Your attachment was stripped from the list.

> Is there any solution for all projects permanently?

If you build the tcnative library and put it into the right place (like ${workspace_loc:project}... whatever that turns out to be) it should work.

For a development environment, I wouldn't bother with APR unless you really need your dev environment to exactly mirror your production environment AND you are using tcnative in production as well.

These days, using NIO is probably better unless you need to use OpenSSL for crypto. You didn't mention your version, but Tomcat 8.5.x and later can use NIO+OpenSSL, so the APR connector is becoming less and less relevant.
-chris
Re: APR Buffer NullPointer Error
On 20/05/2015 18:02, Maxim Neshcheret wrote:

Dear All

I am deploying application (Tomcat 8.0.22, JDK 1.7.79, Solaris, SPARC, APR 1.5.2) and observing multiple errors while it communicates with client software (error presented below). It looks like that error happens while application writes output buffer. Any suggestion what is going wrong? Might it be resources limitation on OS level (was configured based on Oracle recommendations already).

Application trying to write to a response object that has already been closed?

Mark

java.lang.NullPointerException
at org.apache.coyote.http11.InternalAprOutputBuffer.addToBB(InternalAprOutputBuffer.java:186) ~[tomcat-coyote.jar:8.0.21]
at org.apache.coyote.http11.InternalAprOutputBuffer.access$000(InternalAprOutputBuffer.java:40) ~[tomcat-coyote.jar:8.0.21]
at org.apache.coyote.http11.InternalAprOutputBuffer$SocketOutputBuffer.doWrite(InternalAprOutputBuffer.java:349) ~[tomcat-coyote.jar:
at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:116) ~[tomcat-coyote.jar:8.0.21]
at org.apache.coyote.http11.AbstractOutputBuffer.doWrite(AbstractOutputBuffer.java:256) ~[tomcat-coyote.jar:8.0.21]
at org.apache.coyote.Response.doWrite(Response.java:503) ~[tomcat-coyote.jar:8.0.21]
at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:388) ~[catalina.jar:8.0.21]
at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:426) ~[tomcat-util.jar:8.0.21]
at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:471) ~[catalina.jar:8.0.21]
at org.apache.tomcat.util.buf.CharChunk.flushBuffer(CharChunk.java:393) ~[tomcat-util.jar:8.0.21]
at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:339) ~[catalina.jar:8.0.21]
at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:317) ~[catalina.jar:8.0.21]
at org.apache.catalina.connector.CoyoteWriter.flush(CoyoteWriter.java:94) ~[catalina.jar:8.0.21]
at se.highex.core.gw.GWSession.sendMsgs(GWSession.java:1568) ~[GWSession.class:?]
at se.highex.core.gw.GWSession.takeNotifyQueue(GWSession.java:1668) ~[GWSession.class:?]

BR,
Maxim
Re: APR with PKCS11 support
Hi Chris,

I have attached the diff. Let me know if it's ok?

Regards,
Sanaullah

On Fri, Nov 21, 2014 at 2:08 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Sanaullah,

On 11/18/14 10:26 PM, Sanaullah wrote:

Hi Chris,

Engine is loaded Successfully. the issue is with tcnative. tcnative was not loading any engine and it was due to HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to call ENGINE_load_builtin_engines. I made one change and in ssl.c of tomcat-native-1.1.31

original Preprocessor
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
Changed to
#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif

Can you give me a patch in diff -U form? I'd like to take a look at it formally.

Thanks for doing the digging to figure out how to make this work. I don't have a non-standard engine available to play with.

Thanks,
-chris

On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Sanaullah,

On 11/14/14 10:04 PM, Sanaullah wrote:

The Engine name is correct its LunaCA3 Here is the code snippet from the openssl for the confirmation.

openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID LunaCA3

I think the issue is with static and shared libraries of openssl.

It could be. Since you are building on *NIX, you should probably be using dynamically-linked shared-libraries. But you have to be careful about the load-ordering if you are using an OpenSSL that is not the system default (e.g. in /usr/lib).

if openssl build as shared then this LunaCA3 engine is not working for nodejs and even for Apache as well both required openssl to build static.

Interesting...

I tried to follow the Build document of tomcat native.

Building statically linked library on Unixes

To statically link apr and openssl dependencies use the following procedure. You will need to build static version of openssl library.

./config --prefix=~/natives/openssl no-shared -fPIC
make
make install_sw

Apr by default builds both static and dynamic libraries.

./configure --prefix=~/natives/apr
make
make install

After that edit the ~/natives/apr/lib/libapr-1.la file and comment or delete the following sections: dlname='...' and library_names='...' This is needed so that libtool picks the static version of the library.

Build Tomcat native by executing

./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
make
make install

You're reaching the limits of my knowledge about building the whole bundle statically. I'll ping Rainer (CC'd here) who knows more than I do.

here is something strange, Openssl successfully build and install with -fPIC but tcnative still give me error.

/usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
make: *** [all-recursive] Error 1

I am not sure what to do here ?

Hmm. Let's see if Rainer (or anyone else!) replies.
-chris

304c304 #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES --- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES 661c661 #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES --- #if
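Review bot: At 304c304, swapping the `HAVE_ENGINE_LOAD_BUILTIN_ENGINES` test for a literal `#if 1` makes the guarded block compile unconditionally, so the build no longer adapts to an OpenSSL that lacks the ENGINE API, and the real condition survives only as a trailing `//` comment. Keep the macro in the `#if` and define it at build time (for example through CFLAGS), or fix whatever leaves it unset during configure.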
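Review bot: The 661c661 hunk is cut off after `#if`, and in both hunks the `#if 1` line is listed before the `---` separator and the original `#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES` line after it, which in this diff format reads as patched-to-original. Please regenerate it with `diff -U` from the pristine ssl.c to the modified one so the file name, direction and surrounding context are unambiguous.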
Re: APR with PKCS11 support
Sanaullah,

On 12/1/14 6:09 AM, Sanaullah wrote:

I have attached the diff [that allows external crypto devices to be used via tcnative]. let me know if its ok?

For reference, here's the diff:

304c304 #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES --- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES 661c661 #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES --- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

This looks like a /reverse/ diff, since you said you removed the HAVE_ENGINE_LOAD_BUILTIN_ENGINES and replaced it with 1. Other than that, it's about as compact as you can get!

I think this would have been easier if you had just built tcnative like this:

$ cd /path/to/tcnative/jni/native
$ CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES ./configure ...
$ CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES make

Can you try re-downloading the source and re-building with the above CFLAGS set instead of patching the code? If that works, it will be a slightly safer way to build.

I wonder why HAVE_ENGINE_LOAD_BUILTIN_ENGINES isn't usually set to 1. I'll do a bit of reading about it.
Thanks,
-chris
Re: APR with PKCS11 support
Sanaullah,

On 11/18/14 10:26 PM, Sanaullah wrote:

Hi Chris,

Engine is loaded Successfully. the issue is with tcnative. tcnative was not loading any engine and it was due to HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to call ENGINE_load_builtin_engines. I made one change and in ssl.c of tomcat-native-1.1.31

original Preprocessor
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
Changed to
#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif

Can you give me a patch in diff -U form? I'd like to take a look at it formally.

Thanks for doing the digging to figure out how to make this work. I don't have a non-standard engine available to play with.

Thanks,
-chris

On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Sanaullah,

On 11/14/14 10:04 PM, Sanaullah wrote:

The Engine name is correct its LunaCA3 Here is the code snippet from the openssl for the confirmation.

openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID LunaCA3

I think the issue is with static and shared libraries of openssl.

It could be. Since you are building on *NIX, you should probably be using dynamically-linked shared-libraries. But you have to be careful about the load-ordering if you are using an OpenSSL that is not the system default (e.g. in /usr/lib).

if openssl build as shared then this LunaCA3 engine is not working for nodejs and even for Apache as well both required openssl to build static.

Interesting...

I tried to follow the Build document of tomcat native.

Building statically linked library on Unixes

To statically link apr and openssl dependencies use the following procedure. You will need to build static version of openssl library.

./config --prefix=~/natives/openssl no-shared -fPIC
make
make install_sw

Apr by default builds both static and dynamic libraries.

./configure --prefix=~/natives/apr
make
make install

After that edit the ~/natives/apr/lib/libapr-1.la file and comment or delete the following sections: dlname='...' and library_names='...' This is needed so that libtool picks the static version of the library.

Build Tomcat native by executing

./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
make
make install

You're reaching the limits of my knowledge about building the whole bundle statically. I'll ping Rainer (CC'd here) who knows more than I do.

here is something strange, Openssl successfully build and install with -fPIC but tcnative still give me error.

/usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
make: *** [all-recursive] Error 1

I am not sure what to do here ?

Hmm. Let's see if Rainer (or anyone else!) replies.
-chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUblhaAAoJEBzwKT+lPKRY4Y4P/jz71yNBd5eqCoddMlRZ3ISV Zd5xFv2O42EKNb+Hh2ImbG+yC/PyNW/3K7vSFlMELcUOsvdjBht1GfEgMLba+dhm utoUiNj9ueavF/Ip7EC2dTgmcx1CYFjYlcPieRWQjU//i+oBBKw514lckBQUc+y/ ScSU2ReMPUuWQ3C3sHVUYZcKoJNRYLFqXkcCc7GzNn+leNHfp55OqB/lVwCU06AE BbGA+tVTBL2cjbTV8qGvDSY4UuGlZU7JoOMRaliAJhgsyDl20kIVyi7pTL52ieAV jmhU+K34RMGxiDp2XpsKf9lLnOTW2JdMmir+XrOsrEHn9ZQ3lYo3fKgUa0a38maR zH5+bJ3L5aDL3ifZdcg0bozs+6l3rxC52Itwzskh2ZfPWsIbZaT7NMXjrQQ1KoGB yFE+JUg/M1WxikWsgkkmTVEMY2/VqJqNIplk8KZohCC6SnXxz4rjNAVV1jZUnzSZ gpEjyc71ElUO7KqD7HMtK9fXTYvBdUmXCWCuSZQ+LW1Z37CfXTLfQd9/jQDe2OL2 ylseItc9mnyKiZ8X8dRUUjlqyiUIyOUCCBnI/Wm13sh8RQ7G0bvA63Lc0xhYbORf xQfmSguArnSDnMoNAswyl9taqHXUyZRtw+xSQVgBSDgww9KJc/SJzkrS++4xjs8o NUgaRzlaV134AyVsDxYb =1n83 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: APR with PKCS11 support
Sanaullah,

On 11/14/14 10:04 PM, Sanaullah wrote:
> The Engine name is correct its LunaCA3 Here is the code snippet from the openssl for the confirmation.
>
> openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID LunaCA3
>
> I think the issue is with static and shared libraries of openssl.

It could be. Since you are building on *NIX, you should probably be using dynamically-linked shared-libraries. But you have to be careful about the load-ordering if you are using an OpenSSL that is not the system default (e.g. in /usr/lib).

> if openssl build as shared then this LunaCA3 engine is not working for nodejs and even for Apache as well both required openssl to build static.

Interesting...

> I tried to follow the Build document of tomcat native.
>
> Building statically linked library on Unixes
>
> To statically link apr and openssl dependencies use the following procedure. You will need to build static version of openssl library.
>
> ./config --prefix=~/natives/openssl no-shared -fPIC
> make
> make install_sw
>
> Apr by default builds both static and dynamic libraries.
>
> ./configure --prefix=~/natives/apr
> make
> make install
>
> After that edit the ~/natives/apr/lib/libapr-1.la file and comment or delete the following sections: dlname='...' and library_names='...' This is needed so that libtool picks the static version of the library.
>
> Build Tomcat native by executing
>
> ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
> make
> make install

You're reaching the limits of my knowledge about building the whole bundle statically. I'll ping Rainer (CC'd here) who knows more than I do.

> here is something strange, Openssl successfully build and install with -fPIC but tcnative still give me error.
>
> /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
> /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
> collect2: error: ld returned 1 exit status
> make[1]: *** [libtcnative-1.la] Error 1
> make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
> make: *** [all-recursive] Error 1
>
> I am not sure what to do here ?

Hmm. Let's see if Rainer (or anyone else!) replies.

-chris
Re: APR with PKCS11 support
Hi Chris, Engine is loaded Successfully. the issue is with tcnative. tcnative was not loading any engine and it was due to HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to call ENGINE_load_builtin_engines. I made one change and in ssl.c of tomcat-native-1.1.31 original Preprocessor #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES Changed to #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_cleanup(); #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_load_builtin_engines(); #endif Regards, Sanaullah On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sanaullah, On 11/14/14 10:04 PM, Sanaullah wrote: The Engine name is correct its LunaCA3 Here is the code snippet from the openssl for the confirmation. openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID LunaCA3 I think the issue is with static and shared libraries of openssl. It could be. Since you are building on *NIX, you should probably be using dynamically-linked shared-libraries. But you have to be careful about the load-ordering if you are using an OpenSSL that is not the system default (e.g. in /usr/lib). if openssl build as shared then this LunaCA3 engine is not working for nodejs and even for Apache as well both required openssl to build static. Interesting... I tried to follow the Build document of tomcat native. Building statically linked library on Unixes To statically link apr and openssl dependencies use the following procedure. You will need to build static version of openssl library. ./config --prefix=~/natives/openssl no-shared -fPIC make make install_sw Apr by default builds both static and dynamic libraries. ./configure --prefix=~/natives/apr make make install After that edit the ~/natives/apr/lib/libapr-1.la file and comment or delete the following sections: dlname='...' and library_names='...' This is needed so that libtool picks the static version of the library. 
Build Tomcat native by executing ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat make make install You're reaching the limits of my knowledge about building the whole bundle statically. I'll ping Rainer (CC'd here) who knows more than I do. here is something strange, Openssl successully build and install with -fPIC but tcnative still give me error. /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value collect2: error: ld returned 1 exit status make[1]: *** [libtcnative-1.la] Error 1 make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native' make: *** [all-recursive] Error 1 I am not sure what to do here ? Hmm. Let's see if Rainer (or anyone else!) replies. - -chris
Re: APR with PKCS11 support
Sanaullah,

On 10/29/14 9:54 AM, Sanaullah wrote:
> I again started working on SSLEngine with safenet and i need some help, how to enable the debugging?
>
> I configure the engine as LunaCA3.
>
> Listener class=org.apache.catalina.core.AprLifecycleListener SSLEngine=LunaCA3 /
>
> Here is error log after starting the server.
>
> Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
> Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> SEVERE: Failed to initialize the SSLEngine.
> org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

So the error code 70023 is (at least on my Linux system) equal to the APR error code with the label APR_ENOTIMPL. I can see that in a few places in the native implementation of the initialize method:

Starting on line native/src/ssl.c:679:

    if ((ee = ENGINE_by_id(J2S(engine))) == NULL
        && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
        err = APR_ENOTIMPL;
    else {
        if (strcmp(J2S(engine), "chil") == 0)
            ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
        if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
            err = APR_ENOTIMPL;
    }

Again, starting on native/src/ssl.c:711:

    SSL_TMP_KEYS_INIT(r);
    if (r) {
        TCN_FREE_CSTRING(engine);
        ssl_init_cleanup(NULL);
        tcn_ThrowAPRException(e, APR_ENOTIMPL);
        return APR_ENOTIMPL;
    }

So, either the engine cannot be loaded, or we can't call ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the key init that's failing, given that you are trying to use a special engine.

Are you comfortable modifying the code for tcnative? If you are on a UNIX platform, (re-)compilation is pretty easy. You can add some code to dump-out the state of things while the code executes.

I noticed at some point (re-reading the thread) that you were using SSLCryptoDevice LunaCA but then somehow you and I started using LunaCA3. Have you tried with LunaCA (without the 3)?

When you can get httpd to do this for you, do you have to modify the LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already have whatever it needs in order to support the hardware crypto device? I'm wondering if the JVM doesn't have the appropriate library available for some reason.

What do you get when you run openssl engine from your command-line without any other special circumstances?

-chris
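The two checks asked for in the message above (what `openssl engine` reports for the engine id, and whether the library Tomcat loads uses the same OpenSSL as the command line) can be scripted. This is an added example, not part of the thread or of tcnative: the function names are hypothetical, and every SAMPLE_* value, including the paths in it, is constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for SSLEngine=<id> failures with tcnative.
# Function names are hypothetical; every SAMPLE_* value is constructed.

# engine_state ID
# Reads `openssl engine -t` output on stdin and prints one of:
#   available | unavailable | listed (no status line) | absent
engine_state() {
    awk -v id="($1)" '
        $1 == id                    { seen = 1; next }
        seen && /^\(/               { exit }   # next engine header reached
        seen && /\[ unavailable \]/ { state = "unavailable"; exit }
        seen && /\[ available \]/   { state = "available"; exit }
        END { print (state != "" ? state : (seen ? "listed" : "absent")) }'
}

# resolved_lib PREFIX
# Reads `ldd` output on stdin. Prints the path that the first library whose
# name starts with PREFIX resolves to, "not found" if the loader cannot
# resolve it, or nothing if the object has no such dynamic dependency.
resolved_lib() {
    awk -v lib="$1" '
        index($1, lib) == 1 {
            print ($3 == "not" ? "not found" : $3)
            exit
        }'
}

# crypto_verdict CLI_LDD TCN_LDD
# Compares the libcrypto used by the openssl binary with the one used by
# libtcnative: same | different | unresolved | static
crypto_verdict() {
    cli=$(printf '%s\n' "$1" | resolved_lib libcrypto)
    tcn=$(printf '%s\n' "$2" | resolved_lib libcrypto)
    if [ -z "$tcn" ]; then
        # No dynamic libcrypto: OpenSSL was linked into libtcnative itself (or
        # left out), so the CLI result says nothing about tcnative's engines.
        echo static
    elif [ "$tcn" = "not found" ]; then
        echo unresolved
    elif [ "$tcn" = "$cli" ]; then
        echo same
    else
        echo different
    fi
}

# Constructed samples (not output captured from the thread's systems).
SAMPLE_ENGINES='(dynamic) Dynamic engine loading support
     [ unavailable ]
(LunaCA3) constructed description line
     [ available ]'

SAMPLE_LDD_CLI='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000400000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000800000)'

SAMPLE_LDD_TCN_SHARED='    libapr-1.so.0 => /usr/lib/x86_64-linux-gnu/libapr-1.so.0 (0x00007f0000c00000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000e00000)'

SAMPLE_LDD_TCN_STATIC='    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000800000)'

# triage_live ENGINE_ID /path/to/libtcnative-1.so
# Runs the checks on this host. Use the same LD_LIBRARY_PATH that the Tomcat
# process gets, otherwise ldd resolves against a different search path.
triage_live() {
    cli_ldd=$(ldd "$(command -v openssl)")
    tcn_ldd=$(ldd "$2")
    echo "engine via openssl CLI    : $(openssl engine -t "$1" 2>&1 | engine_state "$1")"
    echo "libcrypto, CLI vs tcnative: $(crypto_verdict "$cli_ldd" "$tcn_ldd")"
}

if [ "$#" -eq 2 ] && [ -f "$2" ]; then
    triage_live "$1" "$2"
else
    # No arguments: run on the constructed samples.
    printf '%s\n' "$SAMPLE_ENGINES" | engine_state LunaCA3
    crypto_verdict "$SAMPLE_LDD_CLI" "$SAMPLE_LDD_TCN_SHARED"
fi
```

A `different` verdict means an engine the command line reports as available may still be missing inside Tomcat, which is the load-ordering concern raised elsewhere in this thread. A `static` verdict means the engine set comes from the OpenSSL copy linked into libtcnative.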
Re: APR with PKCS11 support
Hi Chris, The Engine name is correct its LunaCA3 Here is the code snippet from the openssl for the confirmation. openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID LunaCA3 I think the issue is with static and shared libraries of openssl. if openssl build as shared then this LunaCA3 engine is not working for nodejs and even for Apache as well both required openssl to build static. I tried to follow the Build document of tomcat native. Building statically linked library on Unixes To statically link apr and openssl dependencies use the following procedure. You will need to build static version of openssl library. ./config --prefix=~/natives/openssl no-shared -fPIC make make install_sw Apr by default builds both static and dynamic libraries. ./configure --prefix=~/natives/apr make make install After that edit the ~/natives/apr/lib/libapr-1.la file and comment or delete the following sections: dlname='...' and library_names='...' This is needed so that libtool picks the static version of the library. Build Tomcat native by executing ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat make make install here is something strange, Openssl successully build and install with -fPIC but tcnative still give me error. /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value collect2: error: ld returned 1 exit status make[1]: *** [libtcnative-1.la] Error 1 make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native' make: *** [all-recursive] Error 1 I am not sure what to do here ? 
Regards, Sanaullah On Sat, Nov 15, 2014 at 7:16 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sanaullah, On 10/29/14 9:54 AM, Sanaullah wrote: I again started working on SSLEngine with safenet and i need some help, how to enable the debugging? I configure the engine as LunaCA3. Listener class=org.apache.catalina.core.AprLifecycleListener SSLEngine=LunaCA3 / Here is error log after starting the server. Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1. Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent SEVERE: Failed to initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform So the error code 70023 is (at least on my Linux system) equal to the APR error code with the label APR_ENOTIMPL. I can see that in a few places in the native implementation of the initialize method: Starting on line native/src/ssl.c:679: if ((ee = ENGINE_by_id(J2S(engine))) == NULL (ee = ssl_try_load_engine(J2S(engine))) == NULL) err = APR_ENOTIMPL; else { if (strcmp(J2S(engine), chil) == 0) ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0); if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL)) err = APR_ENOTIMPL; } Again, starting on native/src/ssl.c:711: SSL_TMP_KEYS_INIT(r); if (r) { TCN_FREE_CSTRING(engine); ssl_init_cleanup(NULL); tcn_ThrowAPRException(e, APR_ENOTIMPL); return APR_ENOTIMPL; } So, either the engine cannot be loaded, or we can't call ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the key init that's failing, given that you are trying to use a special engine. Are you comfortable modifying the code for tcnative? 
If you are on a UNIX platform, (re-)compilation is pretty easy. You can add some code to dump-out the state of things while the code executes. I noticed at some point (re-reading the thread) that you were using SSLCryptoDevice LunaCA but then somehow you and I started using LunaCA3. Have you tried with LunaCA (without the 3)? When you can get httpd to do this for you, do you have to modify the LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already have whatever it needs in order to support the hardware crypto device? I'm wondering if the JVM doesn't have the appropriate library available for some reason. What do you get when you run openssl engine from your command-line without any other special circumstances? - -chris
Re: APR with PKCS11 support
I again started working on SSLEngine with safenet and i need some help, how to enable the debugging? I configure the engine as LunaCA3. Listener class=org.apache.catalina.core.AprLifecycleListener SSLEngine=LunaCA3 / Here is error log after starting the server. Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1. Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent SEVERE: Failed to initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform at org.apache.tomcat.jni.SSL.initialize(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270) at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99) at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at 
java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) Oct 29, 2014 1:40:22 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [http-apr-8080] Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler [http-apr-8443] Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init SEVERE: Failed to initialize end point associated with ProtocolHandler [http-apr-8443] java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised cor$ at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434) at org.apache.catalina.connector.Connector.initInternal(Connector.java:978) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at org.apache.catalina.startup.Catalina.load(Catalina.java:663) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) Caused by: java.lang.Exception: Invalid Server SSL Protocol 
(error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines) at org.apache.tomcat.jni.SSLContext.make(Native Method) at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498) ... 16 more Regards, Sanaullah On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sunaullah, On 7/26/14, 4:50 AM, Sanaullah wrote: I tried that configuration but getting errrors. I just want you to know that you haven't been forgotten: I'm on vacation for a bit but I'd really like to take a look at this issue when I return. In the meantime, feel free to check out the tcnative code if you want to see what is going
Re: APR with PKCS11 support
Hi Chris, did you get any chance to take a look into the issue ? Regards, Sanaullah On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sunaullah, On 7/26/14, 4:50 AM, Sanaullah wrote: I tried that configuration but getting errrors. I just want you to know that you haven't been forgotten: I'm on vacation for a bit but I'd really like to take a look at this issue when I return. In the meantime, feel free to check out the tcnative code if you want to see what is going on, or someone else could chime-in and give an opinion (or -- *gasp* -- a proposed patch!). Thanks, - -chris NFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6. Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent SEVERE: Failed to initialize the SSLEngine. 
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform at org.apache.tomcat.jni.SSL.initialize(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270) at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99) at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at org.apache.catalina.startup.Catalina.load(Catalina.java:663) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz ch...@christopherschultz.net wrote: Sanaullah, On 7/25/14, 9:16 AM, Sanaullah wrote: httpd is working with HSM with addition of parameter SSLCryptoDevice=LunaCA but when i try the same parameter in tomEE. TomEE don't recognized this parameters. WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching property. Any Idea? 
Try setting SSLEngine=LunaCA3 instead of SSLEngine=on in your: Listener class=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / -chris On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz ch...@christopherschultz.net wrote: Sanaullah, On 7/10/14, 4:19 AM, Sanaullah wrote: is there a way i can use pkcs11 supported SmartCard/token when using APR based SSL Connector in tomcat ? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors? I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector. -chris
Re: APR with PKCS11 support
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sunaullah, On 7/26/14, 4:50 AM, Sanaullah wrote: I tried that configuration but getting errrors. I just want you to know that you haven't been forgotten: I'm on vacation for a bit but I'd really like to take a look at this issue when I return. In the meantime, feel free to check out the tcnative code if you want to see what is going on, or someone else could chime-in and give an opinion (or -- *gasp* -- a proposed patch!). Thanks, - -chris NFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6. Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent SEVERE: Failed to initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform at org.apache.tomcat.jni.SSL.initialize(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270) at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99) at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at org.apache.catalina.startup.Catalina.load(Catalina.java:663) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz ch...@christopherschultz.net wrote: Sanaullah, On 7/25/14, 9:16 AM, Sanaullah wrote: httpd is working with HSM with addition of parameter SSLCryptoDevice=LunaCA but when i try the same parameter in tomEE. TomEE don't recognized this parameters. WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching property. Any Idea? Try setting SSLEngine=LunaCA3 instead of SSLEngine=on in your: Listener class=org.apache.catalina.core.AprLifecycleListener SSLEngine=on / -chris On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz ch...@christopherschultz.net wrote: Sanaullah, On 7/10/14, 4:19 AM, Sanaullah wrote: is there a way i can use pkcs11 supported SmartCard/token when using APR based SSL Connector in tomcat ? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors? I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector. 
-chris
Re: APR with PKCS11 support
I tried that configuration but getting errors.

NFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Sanaullah,
>
> On 7/25/14, 9:16 AM, Sanaullah wrote:
>> httpd is working with HSM with addition of parameter SSLCryptoDevice=LunaCA but when I try the same parameter in TomEE, TomEE doesn't recognize this parameter.
>>
>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching property.
>>
>> Any Idea?
>
> Try setting SSLEngine=LunaCA3 instead of SSLEngine=on in your:
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> -chris
>
>> On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>> Sanaullah,
>>>
>>> On 7/10/14, 4:19 AM, Sanaullah wrote:
>>>> Is there a way I can use pkcs11 supported SmartCard/token when using APR based SSL Connector in Tomcat? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors?
>>>
>>> I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector.
>>>
>>> -chris
Re: APR with PKCS11 support
Hi Chris,

httpd is working with HSM with addition of parameter SSLCryptoDevice=LunaCA but when I try the same parameter in TomEE, TomEE doesn't recognize this parameter.

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching property.

Any Idea?

Regards,
Sanaullah

On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Sanaullah,
>
> On 7/10/14, 4:19 AM, Sanaullah wrote:
>> Is there a way I can use pkcs11 supported SmartCard/token when using APR based SSL Connector in Tomcat? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors?
>
> I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector.
>
> -chris
Re: APR with PKCS11 support
Sanaullah,

On 7/25/14, 9:16 AM, Sanaullah wrote:
> httpd is working with HSM with addition of parameter SSLCryptoDevice=LunaCA but when I try the same parameter in TomEE, TomEE doesn't recognize this parameter.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching property.
>
> Any Idea?

Try setting SSLEngine=LunaCA3 instead of SSLEngine=on in your:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

-chris

> On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> Sanaullah,
>>
>> On 7/10/14, 4:19 AM, Sanaullah wrote:
>>> Is there a way I can use pkcs11 supported SmartCard/token when using APR based SSL Connector in Tomcat? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors?
>>
>> I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector.
>>
>> -chris
Re: APR with PKCS11 support
Sanaullah,

On 7/10/14, 4:19 AM, Sanaullah wrote:
> Is there a way I can use pkcs11 supported SmartCard/token when using APR based SSL Connector in Tomcat? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors?

I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector.

-chris
Re: APR with PKCS11 support
Thanks Chris,

I haven't tried such configurations with httpd. I will explore now.

Regards,
Sanaullah

On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Sanaullah,
>
> On 7/10/14, 4:19 AM, Sanaullah wrote:
>> Is there a way I can use pkcs11 supported SmartCard/token when using APR based SSL Connector in Tomcat? PEM encoded certificates and keys are stored in smartcard. I know BIO/NIO connectors supported token/HSM but I am looking for APR based connectors?
>
> I'm no expert at such configurations, but since tcnative/APR uses OpenSSL for its crypto engine, then it can do anything OpenSSL can do. Have you been able to configure e.g. httpd to use this kind of setup? If so, there ought to be a way to make it happen using Tomcat's APR connector.
>
> -chris
Re: APR Connector questions
Ok, thanks for the advice. If it means removing one more layer of complexity, I'm all for it.

Best,
Alec

On Fri, Sep 20, 2013 at 11:57 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Alec,
>
> On 9/20/13 2:03 PM, Tomcat Random wrote:
>> Chris,
>>
>> Thanks for correcting the misdirected reply.
>>
>>> Do you mean it's not working under load, or you haven't yet tried it under load?
>>
>> I mean I haven't tested it under load yet. One of the main reasons for choosing APR is that I was under the impression it's good at serving large static files. My site has some large swf files - one is ~8mb (it's a game site). The docs on APR say, "When APR is enabled, the HTTP connector will use sendfile for handling large static files (all such files will be sent asynchronously using high performance kernel level calls), and will use a socket poller for keepalive, increasing scalability of the server."
>
> The NIO connector also supports sendfile, and avoids blocking I/O for keepalives.
>
>> Your recommendation is NIO is comparable to APR in non-ssl performance (as above for large static files) and more stable, and it would be better to switch to that?
>
> I'm suggesting that NIO might be a comparable choice to APR with the added benefit of removing some complexity (that of installing a native library) to your deployment.
>
> -chris
Re: APR Connector questions
Chris,

Thanks for correcting the misdirected reply.

> Do you mean it's not working under load, or you haven't yet tried it under load?

I mean I haven't tested it under load yet. One of the main reasons for choosing APR is that I was under the impression it's good at serving large static files. My site has some large swf files - one is ~8mb (it's a game site). The docs on APR say, "When APR is enabled, the HTTP connector will use sendfile for handling large static files (all such files will be sent asynchronously using high performance kernel level calls), and will use a socket poller for keepalive, increasing scalability of the server."

Your recommendation is NIO is comparable to APR in non-ssl performance (as above for large static files) and more stable, and it would be better to switch to that?

Thanks again,
Alec

On Thu, Sep 19, 2013 at 1:56 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote:

>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Thursday, September 19, 2013 12:38 PM
>> To: Tomcat Users List
>> Cc: Tomcat Random
>> Subject: Re: APR Connector questions
>>
>> Alec,
>>
>> Please keep discussions on the mailing lists so others can benefit from them.
>>
>> On 9/19/13 12:01 PM, Tomcat Random wrote:
>>> The answer for am I going to be using SSL is maybe. It's not mandatory, but would be nice for an admin area of the site. I already built the tcnative stuff and APR is working, but not under load.
>>
>> Do you mean it's not working under load, or you haven't yet tried it under load?
>>
>>> I'm using APR because it was my understanding there was a big performance increase when using Tomcat without a proxy/web server in front of it. I just have Tomcat with my IP tables redirecting 80-8080.
>>
>> APR and NIO performance are comparable to each other, SSL excepted. If you are talking about using SSL only for admin access (which is usually fairly limited in scope/traffic), then I wouldn't worry about the performance difference.
>>
>> One could argue that any site that requires login should be 100% SSL-protected, but I know nothing about your requirements.
>
> +1
>
>>>> 2500 users might not require 2500-simultaneous connections.
>>>
>>> True, and it occurs to me, sort of noobishly, where would you look for reporting simultaneous connections?
>>
>> You can use JMX to get lots of information about the connectors. You'll have to probe periodically and build-up a trend graph to understand your actual traffic.
>>
>> http://wiki.apache.org/tomcat/FAQ/Monitoring
>>
>>> And once you know that number, back to my original question, how many maxthreads/acceptCounts?
>>
>> The acceptCount is just the TCP backlog. Setting this higher than the default is only helpful if you have huge transaction volume bursts and your transactions are fairly short. If you can't handle 200 transactions waiting in the TCP accept queue pretty quickly, it's not going to help to raise that number to 1000.
>>
>> If you experience huge bursts of traffic that your app can handle with a short delay -- AND if you absolutely don't want to give any clients connection refused errors -- then raising the acceptCount is appropriate. I haven't seen a normal webapp that has ever required changing from the default, but my experience may not match the type of business you are in.
>>
>> As for maxThreads, that depends upon your load, the type of hardware you have, the length of your transactions, and the CPU load you expect will be required for your webapp.
>>
>> If your webapp is fairly CPU-bound (which I've found to be fairly rare) and you have a limited number of physical CPUs, raising the maxThreads limit buys you nothing: it may be worse than lowering it because you just end up running many threads at once and thrash the CPU.
>>
>> If you have a primarily I/O-bound app (most that I've seen... e.g. stuff that uses back-end databases for most requests) then raising the maxThreads can serve more requests... but then remember that your database must be able to handle the load as well. Having 1000 worker threads with a DB connection pool of size=10 means lots of waiting threads.
>>
>>> Just how rare are the APR catastrophes?
>>
>> I don't have much data on frequency of occurrences just what I can see in BZ for the Tomcat Connectors project.
>
> Let's just say that over the past 8 or so years, I've yet to have it happen to me, and I am supporting dozens of Tomcat instances across a half-dozen systems with each Tomcat having 5 or 6 hosts each. Then again, I'm running under Windows and the tcnative is built for me by the good guys on the Tomcat Dev Team.
>
>>> Is it something a tomcat restart can fix?
>>
>> You don't have a choice: the JVM goes down immediately and you *must* restart Tomcat. That's what I meant by catastrophic.
>
> Yes, unfortunately, anything that causes a crash at the native code level
Re: APR Connector questions
Alec,

On 9/20/13 2:03 PM, Tomcat Random wrote:
> Chris,
>
> Thanks for correcting the misdirected reply.
>
>> Do you mean it's not working under load, or you haven't yet tried it under load?
>
> I mean I haven't tested it under load yet. One of the main reasons for choosing APR is that I was under the impression it's good at serving large static files. My site has some large swf files - one is ~8mb (it's a game site). The docs on APR say, "When APR is enabled, the HTTP connector will use sendfile for handling large static files (all such files will be sent asynchronously using high performance kernel level calls), and will use a socket poller for keepalive, increasing scalability of the server."

The NIO connector also supports sendfile, and avoids blocking I/O for keepalives.

> Your recommendation is NIO is comparable to APR in non-ssl performance (as above for large static files) and more stable, and it would be better to switch to that?

I'm suggesting that NIO might be a comparable choice to APR with the added benefit of removing some complexity (that of installing a native library) to your deployment.

-chris
Re: APR Connector questions (was: ARP Connector questions)
Alec,

Changed subject: it's APR (Apache Portable Runtime), not ARP (which is something different).

On 9/19/13 11:39 AM, Tomcat Random wrote:
> Tomcat 7.0.42, RHEL6
>
> I've installed the APR connector and have my service.xml configured with the only enabled connector being:
>
> <!--APR connector native installed -->
> <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="http" secure="false" SSLEnabled="false"/>
>
> 1. I'm expecting about 2500 simultaneous visitors. Any thoughts on how much I might want to bump up the maxThreads and acceptCount?

The better question is how many simultaneous /requests/ you expect. 2500 users might not require 2500-simultaneous connections.

> 2. Does the APR connector work within the Executor thread pools? I'm a little unclear on this. Currently the Executor node is commented out. Do I want a shared executor for the ARP connector?

Yes, you can use an executor. If you don't specify one, a Connector will create a default Executor for itself. If you expect to have multiple connectors and you want them all to share a pool of worker threads, then you'll want to configure a single Executor and then reference that from each of your Connectors.

Are you going to be using SSL? If not, you might have slightly better luck with the NIO connector (APR/OpenSSL has a performance advantage over JSSE), plus you won't have to build and babysit tcnative, etc. Problems that occur at the NIO level will likely throw exceptions while APR can bring-down the whole JVM. It's rare, but when it happens, it's catastrophic.

-chris
Re: APR Connector questions
Alec,

Please keep discussions on the mailing lists so others can benefit from them.

On 9/19/13 12:01 PM, Tomcat Random wrote:
> The answer for am I going to be using SSL is maybe. It's not mandatory, but would be nice for an admin area of the site. I already built the tcnative stuff and APR is working, but not under load.

Do you mean it's not working under load, or you haven't yet tried it under load?

> I'm using APR because it was my understanding there was a big performance increase when using Tomcat without a proxy/web server in front of it. I just have Tomcat with my IP tables redirecting 80-8080.

APR and NIO performance are comparable to each other, SSL excepted. If you are talking about using SSL only for admin access (which is usually fairly limited in scope/traffic), then I wouldn't worry about the performance difference.

One could argue that any site that requires login should be 100% SSL-protected, but I know nothing about your requirements.

>> 2500 users might not require 2500-simultaneous connections.
>
> True, and it occurs to me, sort of noobishly, where would you look for reporting simultaneous connections?

You can use JMX to get lots of information about the connectors. You'll have to probe periodically and build-up a trend graph to understand your actual traffic.

http://wiki.apache.org/tomcat/FAQ/Monitoring

> And once you know that number, back to my original question, how many maxthreads/acceptCounts?

The acceptCount is just the TCP backlog. Setting this higher than the default is only helpful if you have huge transaction volume bursts and your transactions are fairly short. If you can't handle 200 transactions waiting in the TCP accept queue pretty quickly, it's not going to help to raise that number to 1000.

If you experience huge bursts of traffic that your app can handle with a short delay -- AND if you absolutely don't want to give any clients connection refused errors -- then raising the acceptCount is appropriate. I haven't seen a normal webapp that has ever required changing from the default, but my experience may not match the type of business you are in.

As for maxThreads, that depends upon your load, the type of hardware you have, the length of your transactions, and the CPU load you expect will be required for your webapp.

If your webapp is fairly CPU-bound (which I've found to be fairly rare) and you have a limited number of physical CPUs, raising the maxThreads limit buys you nothing: it may be worse than lowering it because you just end up running many threads at once and thrash the CPU.

If you have a primarily I/O-bound app (most that I've seen... e.g. stuff that uses back-end databases for most requests) then raising the maxThreads can serve more requests... but then remember that your database must be able to handle the load as well. Having 1000 worker threads with a DB connection pool of size=10 means lots of waiting threads.

> Just how rare are the APR catastrophes?

I don't have much data on frequency of occurrences just what I can see in BZ for the Tomcat Connectors project.

> Is it something a tomcat restart can fix?

You don't have a choice: the JVM goes down immediately and you *must* restart Tomcat. That's what I meant by catastrophic.

-chris
RE: APR Connector questions
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Thursday, September 19, 2013 12:38 PM
> To: Tomcat Users List
> Cc: Tomcat Random
> Subject: Re: APR Connector questions
>
> Alec,
>
> Please keep discussions on the mailing lists so others can benefit from them.
>
> On 9/19/13 12:01 PM, Tomcat Random wrote:
>> The answer for am I going to be using SSL is maybe. It's not mandatory, but would be nice for an admin area of the site. I already built the tcnative stuff and APR is working, but not under load.
>
> Do you mean it's not working under load, or you haven't yet tried it under load?
>
>> I'm using APR because it was my understanding there was a big performance increase when using Tomcat without a proxy/web server in front of it. I just have Tomcat with my IP tables redirecting 80-8080.
>
> APR and NIO performance are comparable to each other, SSL excepted. If you are talking about using SSL only for admin access (which is usually fairly limited in scope/traffic), then I wouldn't worry about the performance difference.
>
> One could argue that any site that requires login should be 100% SSL-protected, but I know nothing about your requirements.

+1

>>> 2500 users might not require 2500-simultaneous connections.
>>
>> True, and it occurs to me, sort of noobishly, where would you look for reporting simultaneous connections?
>
> You can use JMX to get lots of information about the connectors. You'll have to probe periodically and build-up a trend graph to understand your actual traffic.
>
> http://wiki.apache.org/tomcat/FAQ/Monitoring
>
>> And once you know that number, back to my original question, how many maxthreads/acceptCounts?
>
> The acceptCount is just the TCP backlog. Setting this higher than the default is only helpful if you have huge transaction volume bursts and your transactions are fairly short. If you can't handle 200 transactions waiting in the TCP accept queue pretty quickly, it's not going to help to raise that number to 1000.
>
> If you experience huge bursts of traffic that your app can handle with a short delay -- AND if you absolutely don't want to give any clients connection refused errors -- then raising the acceptCount is appropriate. I haven't seen a normal webapp that has ever required changing from the default, but my experience may not match the type of business you are in.
>
> As for maxThreads, that depends upon your load, the type of hardware you have, the length of your transactions, and the CPU load you expect will be required for your webapp.
>
> If your webapp is fairly CPU-bound (which I've found to be fairly rare) and you have a limited number of physical CPUs, raising the maxThreads limit buys you nothing: it may be worse than lowering it because you just end up running many threads at once and thrash the CPU.
>
> If you have a primarily I/O-bound app (most that I've seen... e.g. stuff that uses back-end databases for most requests) then raising the maxThreads can serve more requests... but then remember that your database must be able to handle the load as well. Having 1000 worker threads with a DB connection pool of size=10 means lots of waiting threads.
>
>> Just how rare are the APR catastrophes?
>
> I don't have much data on frequency of occurrences just what I can see in BZ for the Tomcat Connectors project.

Let's just say that over the past 8 or so years, I've yet to have it happen to me, and I am supporting dozens of Tomcat instances across a half-dozen systems with each Tomcat having 5 or 6 hosts each. Then again, I'm running under Windows and the tcnative is built for me by the good guys on the Tomcat Dev Team.

>> Is it something a tomcat restart can fix?
>
> You don't have a choice: the JVM goes down immediately and you *must* restart Tomcat. That's what I meant by catastrophic.

Yes, unfortunately, anything that causes a crash at the native code level is going to stop everything. A restart may not fix the problem, but you can usually at least recover to a normal state for a time. At least until whatever specific circumstances that caused the crash occur again.

Jeff
Re: APR connector does not work with SSL for Java 6 clients?
How come Java 6 can connect to SSL running on Apache without this setting, but not to Tomcat running APR/SSL?

On Aug 24, 2013, at 12:15 PM, Michael-O 1983-01...@gmx.net wrote:

> I had this problem months ago too. APR Connector is fine. The problem with Java 6 is that the URLConnection -- JSSE -- sends a SSLv2Hello and this breaks everything. I have restricted this for Java 6 clients at work. Java 7 does not suffer from this because this is disabled by default.
Re: APR connector does not work with SSL for Java 6 clients?
On 2013-08-25 14:21, Jesse Barnum wrote:
> How come Java 6 can connect to SSL running on Apache without this setting, but not to Tomcat running APR/SSL?
>
> On Aug 24, 2013, at 12:15 PM, Michael-O 1983-01...@gmx.net wrote:
>> I had this problem months ago too. APR Connector is fine. The problem with Java 6 is that the URLConnection -- JSSE -- sends a SSLv2Hello and this breaks everything. I have restricted this for Java 6 clients at work. Java 7 does not suffer from this because this is disabled by default.

First, do not top-post please.

1. Did you configure mod_ssl and APR Connector the same way?
2. Did you inspect the traffic with Wireshark? Helped me a lot.

Maybe you are running into a cipher mismatch too. What we do use is TLSv1 and HIGH:!ADH. Everything below TLSv1 is outdated and insecure. Though TLSv1 is (very) old too but it is the best match at the moment.

Michael
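One way a Java 6 client can be restricted as described in the message above, shown as an added example that is not part of the thread: a socket-factory wrapper that drops the SSLv2Hello pseudo-protocol from each socket's enabled protocols, so JSSE opens the handshake with a TLS-format ClientHello. The class name NoSslv2HelloSocketFactory and the sample protocol list are assumptions made for the illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (hypothetical class name): wraps an SSLSocketFactory and
 * removes the SSLv2Hello pseudo-protocol from every socket it hands out.
 * Written against the Java 6 API (no diamond, no try-with-resources).
 */
public class NoSslv2HelloSocketFactory extends SSLSocketFactory {

    private final SSLSocketFactory delegate;

    public NoSslv2HelloSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Returns the protocol list minus SSLv2Hello; refuses to return an empty list. */
    static String[] withoutSslv2Hello(String[] enabled) {
        List<String> kept = new ArrayList<String>();
        for (String protocol : enabled) {
            if (!"SSLv2Hello".equalsIgnoreCase(protocol)) {
                kept.add(protocol);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("no protocol left after removing SSLv2Hello");
        }
        return kept.toArray(new String[kept.size()]);
    }

    /** Filters the protocols before any I/O; the handshake only starts on first use. */
    private Socket harden(Socket socket) {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) socket;
            ssl.setEnabledProtocols(withoutSslv2Hello(ssl.getEnabledProtocols()));
        }
        return socket;
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return delegate.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return delegate.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket() throws IOException {
        return harden(delegate.createSocket());
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return harden(delegate.createSocket(address, port, localAddress, localPort));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample resembling a Java 6 client's enabled protocols.
        String[] sample = {"SSLv2Hello", "SSLv3", "TLSv1"};
        System.out.println("before: " + Arrays.toString(sample));
        System.out.println("after:  " + Arrays.toString(withoutSslv2Hello(sample)));

        // Install the wrapper for every HttpsURLConnection opened by this JVM.
        SSLSocketFactory base = HttpsURLConnection.getDefaultSSLSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(new NoSslv2HelloSocketFactory(base));

        // Optional live check against a server you operate: pass its https URL as the first argument.
        if (args.length > 0) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
            System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        }
    }
}
```

For code that only uses HttpsURLConnection, the https.protocols system property (for example -Dhttps.protocols=TLSv1) limits the enabled protocols without a custom factory.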
Re: APR connector does not work with SSL for Java 6 clients?
On Aug 25, 2013, at 9:58 AM, Michael-O 1983-01...@gmx.net wrote:
> 1. Did you configure mod_ssl and APR Connector the same way?

I'm not sure how to make sure that they are configured identically. The syntax in server.xml is not identical to the syntax in apache2.conf. For example, in Apache's ssl.conf file, the directive:

SSLProtocol all -SSLv2

Does not work the same way in server.xml. In my connector element, I tried setting an attribute SSLProtocol=all -SSLv2, but that wouldn't parse at startup. I've tried SSLProtocol=TLSv1+SSLv3 and SSLProtocol=ALL, and they all fail with a connection reset message on the client.

I also tried setting SSLCipherSuite=HIGH:!ADH as you recommended, as well as HIGH:MEDIUM:!aNULL:!MD5 which is the way I have it in Apache (the default value), but that didn't make any difference.

> 2. Did you inspect the traffic with Wireshark? Helped me a lot.

I haven't used Wireshark, although I have called 'System.setProperty("javax.net.debug", "all")' which seems to give the same results in the Java console.

> Maybe you are running into a cipher mismatch too. What we do use is TLSv1 and HIGH:!ADH. Everything below TLSv1 is outdated and insecure. Though TLSv1 is (very) old too, it is the best match at the moment.
>
> Michael

--Jesse Barnum, President, 360Works http://www.360works.com
Re: APR connector does not work with SSL for Java 6 clients?
Jesse,

On 8/25/13 1:08 PM, Jesse Barnum wrote:
> On Aug 25, 2013, at 9:58 AM, Michael-O 1983-01...@gmx.net wrote:
> > 1. Did you configure mod_ssl and APR Connector the same way?
>
> I'm not sure how to make sure that they are configured identically. The syntax in server.xml is not identical to the syntax in apache2.conf. For example, in Apache's ssl.conf file, the directive:
>
> SSLProtocol all -SSLv2
>
> Does not work the same way in server.xml. In my connector element, I tried setting an attribute SSLProtocol=all -SSLv2, but that wouldn't parse at startup. I've tried SSLProtocol=TLSv1+SSLv3 and SSLProtocol=ALL, and they all fail with a connection reset message on the client.
>
> I also tried setting SSLCipherSuite=HIGH:!ADH as you recommended, as well as HIGH:MEDIUM:!aNULL:!MD5 which is the way I have it in Apache (the default value), but that didn't make any difference.

Try posting both your httpd.conf and server.xml configurations (i.e. the relevant stuff, not the whole thing).

You might want to review http://tomcat.apache.org/tomcat-7.0-doc/config/http.html -- specifically the SSLProtocol attribute which lists the acceptable values. Hint: your attempts above are not supported.
-chris
Re: APR connector does not work with SSL for Java 6 clients?
On 2013-08-24 18:10, Jesse Barnum wrote:
> I am trying to use SSL with Tomcat and an APR connector. This is hosted on Ubuntu 13.04. I can make changes to the server, but not to the existing Java client.
>
> For some reason, whenever a Java 6 client connects to the Tomcat server using SSL, it is not able to connect - the connection is reset by the server. However, the exact same Java code can connect to the same server on a different port hosted by Apache with SSL. In addition, non-Java code (like curl) can connect to the Tomcat SSL connection. I also tested with Java 7 and it works.
>
> I have gotten this to work in Java 6 by forcing the Java client to use the TLSv1 protocol (-Dhttps.protocols=TLSv1). However, this is not a practical solution, because I cannot release an update at this time for our Java clients. Since this works with Apache on the server, it seems to me that I should be able to make some sort of configuration change on the server to also work with Tomcat, without needing to change the Java clients.
>
> In summary:
> * Java 6 connecting to Tomcat APR with SSL = FAIL
> * Java 7 connecting to Tomcat APR with SSL = good
> * curl connecting to Tomcat APR with SSL = good
> * Java 6 connecting to Apache SSL = good
> * Java 7 connecting to Apache SSL = good
> * curl connecting to Apache SSL = good
> [...]

I had this problem months ago too. APR Connector is fine. The problem with Java 6 is that the URLConnection -- JSSE -- sends a SSLv2Hello and this breaks everything. I have restricted this for Java 6 clients at work. Java 7 does not suffer from this because this is disabled by default.

Michael
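The messages above turn on which hello format the client sends first. The following is an added example, not code from the thread or from Tomcat: it classifies the first bytes of a captured connection (from Wireshark or a raw dump) as an SSLv2-compatible ClientHello or a TLS-record ClientHello. The function names and both sample messages are constructed for illustration.

```python
import struct

# Protocol versions as (major, minor) pairs on the wire.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def classify_client_hello(data):
    """Classify the first bytes a client sends to an SSL/TLS port.

    'format' is 'sslv2-compat', 'tls-record' or 'unknown'. For the first
    two, 'offered' is the highest protocol version the client announces.
    """
    if len(data) < 11:
        return {"format": "unknown", "reason": "truncated"}

    # SSLv2-style framing: high bit of byte 0 set, 15-bit record length,
    # then message type 1 (CLIENT-HELLO) and the offered version.
    if data[0] & 0x80 and data[2] == 0x01:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, spec_len, sid_len, chal_len = struct.unpack(
            "!BBHHH", data[3:11])
        if spec_len % 3 or rec_len != 9 + spec_len + sid_len + chal_len:
            return {"format": "unknown", "reason": "inconsistent lengths"}
        specs = data[11:11 + spec_len]
        if len(specs) != spec_len:
            return {"format": "unknown", "reason": "truncated"}
        # Cipher specs are 3 bytes each; a leading 0x00 marks an SSLv3/TLS
        # suite carried inside the v2 framing.
        tls_suites = [(specs[i + 1] << 8) | specs[i + 2]
                      for i in range(0, spec_len, 3) if specs[i] == 0]
        return {"format": "sslv2-compat",
                "offered": version_name(major, minor),
                "tls_suites": tls_suites,
                "sslv2_only_ciphers": spec_len // 3 - len(tls_suites)}

    # TLS record framing: content type 22 (handshake), record version,
    # 2-byte length, handshake type 1 (ClientHello), 3-byte length, then
    # the client_version field.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"format": "tls-record",
                "record_version": version_name(data[1], data[2]),
                "offered": version_name(data[9], data[10])}

    return {"format": "unknown", "reason": "not a ClientHello"}


def build_sslv2_compat_hello():
    """Constructed sample: v2 framing that offers TLSv1 and one TLS suite."""
    specs = bytes([0x00, 0x00, 0x2F])       # TLS_RSA_WITH_AES_128_CBC_SHA
    challenge = bytes(16)                   # zero bytes stand in for random data
    body = struct.pack("!BBBHHH", 0x01, 3, 1, len(specs), 0,
                       len(challenge)) + specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_client_hello(minor=1):
    """Constructed sample: the same offer inside a TLS record."""
    body = (bytes([3, minor]) + bytes(32) + b"\x00"   # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")      # one suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_captures(captures):
    """Map a label to 'format/offered' for each captured first flight."""
    out = {}
    for label, data in captures.items():
        r = classify_client_hello(data)
        out[label] = "%s/%s" % (r["format"], r.get("offered", r.get("reason")))
    return out


if __name__ == "__main__":
    print(classify_captures({
        "constructed v2-compatible hello": build_sslv2_compat_hello(),
        "constructed TLS-record hello": build_tls_client_hello(),
        "plain HTTP sent to the TLS port": b"GET / HTTP/1.1\r\n",
    }))
```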
Re: APR does not understand this error code: proxy: read response failed
Hi Jakob,

I'm experiencing the exact same problem. Could you help me with the solution? Since the thread is older I'm assuming that you may have nailed it and found a solution.

Regards,
Gaurav

Jakob Ericsson wrote:
> Hi,
>
> We are experiencing issues with AJP-communication between the httpd and Tomcat 6. This is communication between httpd and tomcat on localhost.
> Most of the requests work great in our performance tests but quite randomly we see this error in httpd error.log:
> ...
> [Wed Mar 18 21:47:09 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 21:47:09 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 21:47:09 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> ...
>
> This results in a 500 (or sometimes 503) response code to the user.
> As you can see in our log (larger log excerpt further down in mail), it occurs quite randomly.
> There are no traces of error in our Tomcat logs.
>
> Any idea what kind of error this is?
> Can we tune httpd, tomcat or Windows to get rid of this problem?
>
> Our setup
> Sun JVM 1.6.0.12 (64-bit)
> Windows 2003 Server 64-bit (no firewall)
> Apache 2.2.11 (64-bit)
> Tomcat 6.0.18 (Native tomcat lib installed)
>
> Interesting stuff in httpd.conf
> ServerRoot D:/Apache/Apache2.2
> PidFile logs/httpd.pid
> Timeout 3600
> KeepAlive On
> MaxKeepAliveRequests 600
> KeepAliveTimeout 15
> <IfModule mpm_winnt.c>
> ThreadsPerChild 1000
> MaxRequestsPerChild 0
> </IfModule>
> Listen 80
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> ...
> ProxyRequests Off
> ProxyPass /server-status !
> ProxyPass /s/ !
> ProxyPass /favicon.ico !
> ProxyPass / ajp://localhost:40010/ min=20 smax=30 ttl=120 max=199 timeout=60
>
> Log from our latest performance test
> [Wed Mar 18 18:42:09 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 18:42:09 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 18:42:09 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 18:55:55 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 18:55:55 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 18:55:55 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 19:08:09 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 19:08:09 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 19:08:09 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 19:29:50 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 19:29:50 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 19:29:50 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 20:00:26 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 20:00:26 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 20:00:26 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 20:47:46 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 20:47:46 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 20:47:46 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 21:07:13 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 21:07:13 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 21:07:13 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 21:42:03 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 21:42:03 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 21:42:03 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
> [Wed Mar 18 21:47:09 2009] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
> [Wed Mar 18 21:47:09 2009] [error] ajp_read_header: ajp_ilink_receive failed
> [Wed Mar 18 21:47:09 2009] [error] (120006)APR does not understand this error code: proxy: read response failed from 127.0.0.1:40010 (localhost)
Re: APR SSL error: Socket bind failed: [98] Address already in use
On 21 Nov 2011, at 02:44, Eric Kemp cruisingat90...@gmail.com wrote:
> Below is my entire server.xml (minus commented lines)
>
> <?xml version='1.0' encoding='utf-8'?>
> <Server port="8005" shutdown="SecretCommand">
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>   <Listener className="org.apache.catalina.core.JasperListener" />
>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>   <GlobalNamingResources>
>     <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
>   </GlobalNamingResources>
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" URIEncoding="UTF-8" redirectPort="8443" />
>     <!-- Adding the connector below causes the Socket bind failed: [98] Address already in use error to appear in catalina.out... and https does not work. -->

What happens if you use 8444 instead?

p

>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" SSLCertificateKeyFile="/etc/apache2/ssl/myDomain.com.key" SSLCACertificateFile="/etc/apache2/ssl/myDomain.com.ca.crt" />
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
>       <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Thanks
>
> On Sun, Nov 20, 2011 at 4:18 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > > From: Eric Kemp [mailto:cruisingat90...@gmail.com]
> > > Subject: Re: APR SSL error: Socket bind failed: [98] Address already in use
> > >
> > > Any other ideas would still be appreciated.
> >
> > As others have noted, the conflict is likely on some port other than 8443. Post your entire server.xml, preferably with comments removed, so we can see all of the ports declared there.
> >
> > - Chuck
Re: APR SSL error: Socket bind failed: [98] Address already in use
2011/11/21 Eric Kemp cruisingat90...@gmail.com:
> Below is my entire server.xml (minus commented lines)

Good to know.

Can you post the logs? (catalina.date.log file). Clear them first then try starting Tomcat.

Best regards,
Konstantin Kolinko
Re: APR SSL error: Socket bind failed: [98] Address already in use
I understand you want to use APR, but just for troubleshooting purposes, try using the same server.xml but changing the SSL connector from

protocol="org.apache.coyote.http11.Http11AprProtocol"

to

protocol="org.apache.coyote.http11.Http11NioProtocol"

If that works, then your problem is with APR, most likely with the installation rather than a bug in APR itself. I'd try recompiling APR (and installing the recompiled version).

=Jeremy=

On Sun, Nov 20, 2011 at 6:44 PM, Eric Kemp cruisingat90...@gmail.com wrote:
> Below is my entire server.xml (minus commented lines)
>
> <?xml version='1.0' encoding='utf-8'?>
> <Server port="8005" shutdown="SecretCommand">
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> [snip]
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" URIEncoding="UTF-8" redirectPort="8443" />
>     <!-- Adding the connector below causes the Socket bind failed: [98] Address already in use error to appear in catalina.out... and https does not work. -->
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" SSLCertificateKeyFile="/etc/apache2/ssl/myDomain.com.key" SSLCACertificateFile="/etc/apache2/ssl/myDomain.com.ca.crt" />
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
>       <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Thanks
Re: APR SSL error: Socket bind failed: [98] Address already in use
Problem resolved! Thanks so much for all the helpful hints.

I had been going to the end of the catalina.out file and seeing this error message in the last ~60 lines of text, and thought it represented the latest restart errors. What I failed to notice, was that there WERE previous errors above the clean looking lines. They indicated tomcat was unable to read the certificate files. A quick chmod fixed that, and now SSL works.

"Clear them first" was what got me to see what I had been missing.

Thanks again.

On Mon, Nov 21, 2011 at 5:54 AM, Konstantin Kolinko knst.koli...@gmail.com wrote:
> 2011/11/21 Eric Kemp cruisingat90...@gmail.com:
> > Below is my entire server.xml (minus commented lines)
>
> Good to know.
>
> Can you post the logs? (catalina.date.log file). Clear them first then try starting Tomcat.
>
> Best regards,
> Konstantin Kolinko
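The root cause reported above was certificate files the Tomcat account could not read, hidden behind a bind error. The following is an added example, not code from the thread or from Tomcat: it reads a server.xml, lists ports declared twice, and checks each file named by the connector's SSL attributes for readability by a given uid, while also flagging a private key that a chmod has left open to every local user. The function names, the sample server.xml and the file names are constructed, and the check looks only at the file's own mode bits (not parent directories or ACLs).

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Connector attributes that name files on disk (all appear in this thread).
FILE_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile",
              "SSLCertificateChainFile", "SSLCACertificateFile")

# Constructed sample, modelled on the connector posted in the thread.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateKeyFile="%s" SSLCACertificateFile="%s" />
  </Service>
</Server>"""


def duplicate_ports(root):
    """Ports declared more than once across <Server> and <Connector>."""
    ports = [e.get("port") for e in [root] + list(root.iter("Connector"))
             if e.get("port")]
    return sorted({p for p in ports if ports.count(p) > 1})


def mode_allows_read(st, uid, gids):
    """Pick the owner, group or other read bit the way the kernel does."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_server_xml(xml_text, uid, gids):
    """Return (port, attribute, path, problem) tuples for one server.xml."""
    root = ET.fromstring(xml_text)
    findings = [(p, "port", "", "declared more than once")
                for p in duplicate_ports(root)]
    for conn in root.iter("Connector"):
        port = conn.get("port")
        for attr in FILE_ATTRS:
            path = conn.get(attr)
            if not path:
                continue
            try:
                st = os.stat(path)
            except OSError:
                findings.append((port, attr, path, "not found or not reachable"))
                continue
            if not mode_allows_read(st, uid, gids):
                findings.append((port, attr, path, "unreadable"))
            # A key that any local user can read or write is a finding even
            # though Tomcat starts fine with it.
            if (attr == "SSLCertificateKeyFile"
                    and st.st_mode & (stat.S_IROTH | stat.S_IWOTH)):
                findings.append((port, attr, path, "key world-accessible"))
    return findings


def run_constructed_demo():
    """Audit constructed files before and after tightening their modes."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "example.key")
        ca = os.path.join(d, "example.ca.crt")
        for p in (key, ca):
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
        os.chmod(key, 0o644)    # over-broad: every local user can read the key
        os.chmod(ca, 0o000)     # the running account cannot read this file
        xml_text = SERVER_XML % (key, ca)
        uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
        before = audit_server_xml(xml_text, uid, gids)
        os.chmod(key, 0o600)    # owner only (assumed policy for a private key)
        os.chmod(ca, 0o644)     # CA certificates are public data
        after = audit_server_xml(xml_text, uid, gids)
    return [(f[0], f[1], f[3]) for f in before], after


if __name__ == "__main__":
    before, after = run_constructed_demo()
    print("before:", before)
    print("after: ", after)
```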
Re: APR SSL error: Socket bind failed: [98] Address already in use
On 19 Nov 2011, at 18:44, Eric Kemp cruisingat90...@gmail.com wrote:
> Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
>
> Environment:
> Running Apache Tomcat/6.0.24
> on OS is Ubuntu 10.04.2 LTS
> with JVM 1.7.0_01-b08
>
> //
> // Prior to configuring SSL, and after starting Tomcat I run netstat -tulpn and see that port 8443 is not used:
> //
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> tcp6       0      0 127.0.0.1:8005   :::*             LISTEN  12796/java
> tcp6       0      0 :::8080          :::*             LISTEN  12796/java
> tcp6       0      0 :::22            :::*             LISTEN  2136/sshd
> udp        0      0 0.0.0.0:68       0.0.0.0:*                2087/dhclient3
>
> //
> // I stop Tomcat, and add the following to my server.xml file:
> //
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" SSLCertificateKeyFile="/etc/apache2/ssl/myUniqueDomain.com.key" SSLCACertificateFile="/etc/apache2/ssl/myUniqueDomain.com.ca.crt" />
>
> //
> // I restart Tomcat, and see the following in the catalina.out file:

How are you start/stop/restarting Tomcat - bin/script or service?

After calling stop, are you sure Tomcat has actually stopped?

p

> //
> SEVERE: Error starting endpoint
> java.lang.Exception: Socket bind failed: [98] Address already in use
>     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
>     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
>     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
>     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:601)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Nov 19, 2011 11:35:19 AM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start: LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.lang.Exception: Socket bind failed: [98] Address already in use
>     at org.apache.catalina.connector.Connector.start(Connector.java:1087)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:601)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
> //
> // Running netstat -tulpn I see that port 8443 is now being used:
> //
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> tcp6       0      0 127.0.0.1:8005   :::*             LISTEN  10696/java
> tcp6       0      0 :::8080          :::*             LISTEN  10696/java
> tcp6       0      0 :::22            :::*             LISTEN  2136/sshd
> tcp6       0      0 :::8443          :::*             LISTEN  10696/java
> udp        0      0 0.0.0.0:68       0.0.0.0:*                2087/dhclient3
>
> If I change Connector port="8443" to Connector port="8445", I get the same error message, and netstat -tulpn shows:
> tcp6       0      0 :::8445          :::*             LISTEN  10696/java
>
> I have also tried adding the following to my server.xml as an attribute to Connector and still get the same error:
Re: APR SSL error: Socket bind failed: [98] Address already in use
Isn't 8005 shutdown port for tomcat? I can see sshd bound to that port already.

On Nov 20, 2011 6:33 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:
> 2011/11/19 Eric Kemp cruisingat90...@gmail.com:
> > Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
> >
> > Environment:
> > Running Apache Tomcat/6.0.24
>
> That one is old. Maybe you can upgrade to 6.0.33?
>
> > on OS is Ubuntu 10.04.2 LTS
> > with JVM 1.7.0_01-b08
>
> There were severe issues with 1.7.0, such as Loop unroll optimization causes incorrect result. I do not know whether all of them are fixed in 7u1.
> http://tomcat.markmail.org/thread/oghpdg2whkrpnk7w
>
> Anyway, maybe you can try running with Java 6?
>
> > //
> > // I restart Tomcat, and see the following in the catalina.out file:
> > //
> > SEVERE: Error starting endpoint
> > java.lang.Exception: Socket bind failed: [98] Address already in use
> >     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
> >     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
> >     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
> >     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
> >     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
> >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:601)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
> What INFO messages are before this one?
>
> Maybe you can post your entire server.xml (without comments and passwords)?
>
> Best regards,
> Konstantin Kolinko
Re: APR SSL error: Socket bind failed: [98] Address already in use
On 20 Nov 2011, at 12:49, Igor Cicimov icici...@gmail.com wrote:
> Isn't 8005 shutdown port for tomcat? I can see sshd bound to that port already.

I think that's the line above... There is a java process holding 8005

> On Nov 20, 2011 6:33 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:
> > 2011/11/19 Eric Kemp cruisingat90...@gmail.com:
> > > Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
> > >
> > > Environment:
> > > Running Apache Tomcat/6.0.24
> >
> > That one is old. Maybe you can upgrade to 6.0.33?
> >
> > > on OS is Ubuntu 10.04.2 LTS
> > > with JVM 1.7.0_01-b08
> >
> > There were severe issues with 1.7.0, such as Loop unroll optimization causes incorrect result. I do not know whether all of them are fixed in 7u1.
> > http://tomcat.markmail.org/thread/oghpdg2whkrpnk7w
> >
> > Anyway, maybe you can try running with Java 6?
> >
> > > //
> > > // I restart Tomcat, and see the following in the catalina.out file:
> > > //
> > > SEVERE: Error starting endpoint
> > > java.lang.Exception: Socket bind failed: [98] Address already in use
> > >     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
> > >     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
> > >     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
> > >     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
> > >     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
> > >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> > >     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >     at java.lang.reflect.Method.invoke(Method.java:601)
> > >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> > >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> >
> > What INFO messages are before this one?
> >
> > Maybe you can post your entire server.xml (without comments and passwords)?
> >
> > Best regards,
> > Konstantin Kolinko
Re: APR SSL error: Socket bind failed: [98] Address already in use
Changing from jdk1.7.0_01 to 1.6.0_20 still results in the same error.

I use the following commands to stop and start Tomcat:

sudo /etc/init.d/tomcat6 stop
sudo /etc/init.d/tomcat6 start

I have verified that the Tomcat process DOES shut down when initiating a stop command via ps -ef | grep java only showing the current grep command.

Ubuntu's apt-get put me at this current level (of Tomcat 6.0.24 and APR from 1.1.19-1) which I assumed would be fine. I'll see about trying to upgrade to Tomcat 6.0.33 and possibly APR 1.1.20-1.

Any other ideas would still be appreciated.

Thanks

On Sun, Nov 20, 2011 at 5:09 AM, Pid * p...@pidster.com wrote:
> On 19 Nov 2011, at 18:44, Eric Kemp cruisingat90...@gmail.com wrote:
> > Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
> >
> > Environment:
> > Running Apache Tomcat/6.0.24
> > on OS is Ubuntu 10.04.2 LTS
> > with JVM 1.7.0_01-b08
> >
> > //
> > // Prior to configuring SSL, and after starting Tomcat I run netstat -tulpn and see that port 8443 is not used:
> > //
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> > tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> > tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> > tcp6       0      0 127.0.0.1:8005   :::*             LISTEN  12796/java
> > tcp6       0      0 :::8080          :::*             LISTEN  12796/java
> > tcp6       0      0 :::22            :::*             LISTEN  2136/sshd
> > udp        0      0 0.0.0.0:68       0.0.0.0:*                2087/dhclient3
> >
> > //
> > // I stop Tomcat, and add the following to my server.xml file:
> > //
> > <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" SSLCertificateKeyFile="/etc/apache2/ssl/myUniqueDomain.com.key" SSLCACertificateFile="/etc/apache2/ssl/myUniqueDomain.com.ca.crt" />
> >
> > //
> > // I restart Tomcat, and see the following in the catalina.out file:
>
> How are you start/stop/restarting Tomcat - bin/script or service?
>
> After calling stop, are you sure Tomcat has actually stopped?
>
> p
>
> > //
> > SEVERE: Error starting endpoint
> > java.lang.Exception: Socket bind failed: [98] Address already in use
> >     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
> >     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
> >     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
> >     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
> >     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
> >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:601)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> > Nov 19, 2011 11:35:19 AM org.apache.catalina.startup.Catalina start
> > SEVERE: Catalina.start: LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.lang.Exception: Socket bind failed: [98] Address already in use
> >     at org.apache.catalina.connector.Connector.start(Connector.java:1087)
> >     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
> >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:601)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> >
> > //
> > // Running netstat -tulpn I see that port 8443 is now being used:
> > //
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> > tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> > tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> > tcp6       0      0
RE: APR SSL error: Socket bind failed: [98] Address already in use
> From: Eric Kemp [mailto:cruisingat90...@gmail.com]
> Subject: Re: APR SSL error: Socket bind failed: [98] Address already in use
>
> Any other ideas would still be appreciated.

As others have noted, the conflict is likely on some port other than 8443. Post your entire server.xml, preferably with comments removed, so we can see all of the ports declared there.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: APR SSL error: Socket bind failed: [98] Address already in use
Below is my entire server.xml (minus commented lines)

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SecretCommand">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" URIEncoding="UTF-8" redirectPort="8443" />
    <!-- Adding the connector below causes the Socket bind failed: [98] Address already in use error to appear in catalina.out... and https does not work. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" SSLCertificateKeyFile="/etc/apache2/ssl/myDomain.com.key" SSLCACertificateFile="/etc/apache2/ssl/myDomain.com.ca.crt" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>

Thanks

On Sun, Nov 20, 2011 at 4:18 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Eric Kemp [mailto:cruisingat90...@gmail.com]
> > Subject: Re: APR SSL error: Socket bind failed: [98] Address already in use
> >
> > Any other ideas would still be appreciated.
>
> As others have noted, the conflict is likely on some port other than 8443. Post your entire server.xml, preferably with comments removed, so we can see all of the ports declared there.
>
> - Chuck
Re: APR SSL error: Socket bind failed: [98] Address already in use
Looks like you have another service (not necessarily Tomcat) running on port 98.

On 2011-11-19, at 1:44 PM, Eric Kemp wrote:

> Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
>
> Environment:
> Running Apache Tomcat/6.0.24
> on OS is Ubuntu 10.04.2 LTS with JVM 1.7.0_01-b08
>
> //
> // Prior to configuring SSL, and after starting Tomcat I run netstat -tulpn and see that port 8443 is not used:
> //
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> tcp   0      0      127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> tcp   0      0      0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> tcp6  0      0      127.0.0.1:8005   :::*             LISTEN  12796/java
> tcp6  0      0      :::8080          :::*             LISTEN  12796/java
> tcp6  0      0      :::22            :::*             LISTEN  2136/sshd
> udp   0      0      0.0.0.0:68       0.0.0.0:*                2087/dhclient3
>
> //
> // I stop Tomcat, and add the following to my server.xml file:
> //
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" scheme="https" secure="true" clientAuth="false"
>            sslProtocol="TLS" SSLEnabled="true"
>            SSLCertificateKeyFile="/etc/apache2/ssl/myUniqueDomain.com.key"
>            SSLCACertificateFile="/etc/apache2/ssl/myUniqueDomain.com.ca.crt" />
>
> //
> // I restart Tomcat, and see the following in the catalina.out file:
> //
> SEVERE: Error starting endpoint
> java.lang.Exception: Socket bind failed: [98] Address already in use
>     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
>     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
>     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
>     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:601)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Nov 19, 2011 11:35:19 AM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start: LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.lang.Exception: Socket bind failed: [98] Address already in use
>     at org.apache.catalina.connector.Connector.start(Connector.java:1087)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:601)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
> //
> // Running netstat -tulpn I see that port 8443 is now being used:
> //
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> tcp   0      0      127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> tcp   0      0      0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> tcp6  0      0      127.0.0.1:8005   :::*             LISTEN  10696/java
> tcp6  0      0      :::8080          :::*             LISTEN  10696/java
> tcp6  0      0      :::22            :::*             LISTEN  2136/sshd
> tcp6  0      0      :::8443          :::*             LISTEN  10696/java
> udp   0      0      0.0.0.0:68       0.0.0.0:*                2087/dhclient3
>
> If I change Connector port=8443 to Connector port=8445, I get the same error message, and netstat -tulpn shows:
>
> tcp6  0      0      :::8445          :::*             LISTEN  10696/java
>
> I have also tried adding the following to my server.xml as an attribute to Connector and still get the same error:
>
> SSLCertificateFile="/etc/apache2/ssl/domain.com.crt"
>
> It appears as if
Re: APR SSL error: Socket bind failed: [98] Address already in use
I've seen several places where people say [98] is the error message number - not the port number. Also, I'm not doing anything with port 98.

Thanks

On Sat, Nov 19, 2011 at 8:03 PM, Talal Rabaa ara...@gmail.com wrote:

> Looks like you have another service (not necessarily Tomcat) running on port 98.
>
> On 2011-11-19, at 1:44 PM, Eric Kemp wrote:
>
> > Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
> >
> > Environment:
> > Running Apache Tomcat/6.0.24
> > on OS is Ubuntu 10.04.2 LTS with JVM 1.7.0_01-b08
> >
> > //
> > // Prior to configuring SSL, and after starting Tomcat I run netstat -tulpn and see that port 8443 is not used:
> > //
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> > tcp   0      0      127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> > tcp   0      0      0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> > tcp6  0      0      127.0.0.1:8005   :::*             LISTEN  12796/java
> > tcp6  0      0      :::8080          :::*             LISTEN  12796/java
> > tcp6  0      0      :::22            :::*             LISTEN  2136/sshd
> > udp   0      0      0.0.0.0:68       0.0.0.0:*                2087/dhclient3
> >
> > //
> > // I stop Tomcat, and add the following to my server.xml file:
> > //
> > <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            maxThreads="150" scheme="https" secure="true" clientAuth="false"
> >            sslProtocol="TLS" SSLEnabled="true"
> >            SSLCertificateKeyFile="/etc/apache2/ssl/myUniqueDomain.com.key"
> >            SSLCACertificateFile="/etc/apache2/ssl/myUniqueDomain.com.ca.crt" />
> >
> > //
> > // I restart Tomcat, and see the following in the catalina.out file:
> > //
> > SEVERE: Error starting endpoint
> > java.lang.Exception: Socket bind failed: [98] Address already in use
> >     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
> >     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
> >     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
> >     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
> >     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
> >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:601)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> > Nov 19, 2011 11:35:19 AM org.apache.catalina.startup.Catalina start
> > SEVERE: Catalina.start: LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.lang.Exception: Socket bind failed: [98] Address already in use
> >     at org.apache.catalina.connector.Connector.start(Connector.java:1087)
> >     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
> >     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:601)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> >
> > //
> > // Running netstat -tulpn I see that port 8443 is now being used:
> > //
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> > tcp   0      0      127.0.0.1:3306   0.0.0.0:*        LISTEN  29002/mysqld
> > tcp   0      0      0.0.0.0:22       0.0.0.0:*        LISTEN  2136/sshd
> > tcp6  0      0      127.0.0.1:8005   :::*             LISTEN  10696/java
> > tcp6  0      0      :::8080          :::*             LISTEN  10696/java
> > tcp6  0      0      :::22            :::*             LISTEN  2136/sshd
> > tcp6  0      0      :::8443          :::*             LISTEN  10696/java
> > udp   0      0      0.0.0.0:68       0.0.0.0:*                2087/dhclient3
> >
> > If I change Connector port=8443 to Connector port=8445, I get the same error message, and netstat -tulpn shows:
> >
> > tcp6  0      0      :::8445
Re: APR SSL error: Socket bind failed: [98] Address already in use
2011/11/19 Eric Kemp cruisingat90...@gmail.com:

> Summary: I'm looking for ideas on how to resolve this Address already in use error when configuring SSL in Tomcat APR.
>
> Environment:
> Running Apache Tomcat/6.0.24

That one is old. Maybe you can upgrade to 6.0.33?

> on OS is Ubuntu 10.04.2 LTS with JVM 1.7.0_01-b08

There were severe issues with 1.7.0, such as Loop unroll optimization causes incorrect result. I do not know whether all of them are fixed in 7u1.

http://tomcat.markmail.org/thread/oghpdg2whkrpnk7w

Anyway, maybe you can try running with Java 6?

> //
> // I restart Tomcat, and see the following in the catalina.out file:
> //
> SEVERE: Error starting endpoint
> java.lang.Exception: Socket bind failed: [98] Address already in use
>     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:646)
>     at org.apache.tomcat.util.net.AprEndpoint.start(AprEndpoint.java:753)
>     at org.apache.coyote.http11.Http11AprProtocol.start(Http11AprProtocol.java:137)
>     at org.apache.catalina.connector.Connector.start(Connector.java:1080)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:531)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:601)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

What INFO messages are before this one?

Maybe you can post your entire server.xml (without comments and passwords)?

Best regards,
Konstantin Kolinko
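The port inventory requested in this thread, together with the errno reading of "[98]", as an added example (not code from any poster or from Tomcat). It lists every socket a server.xml asks Tomcat to open, marks the ones a netstat -tulpn listing already shows as bound, and reproduces a bind failure to read its errno; the XML and netstat samples are constructed from values posted above, and all function names are illustrative.

```python
import errno
import socket
import xml.etree.ElementTree as ET

# Constructed sample: the ports declared in the server.xml posted in this thread.
SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SecretCommand">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""

# Constructed sample in `netstat -tulpn` layout, taken with Tomcat stopped:
# a leftover JVM (pid 10696) still holds 8443.
NETSTAT = """\
tcp   0  0 127.0.0.1:3306  0.0.0.0:*  LISTEN  29002/mysqld
tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  2136/sshd
tcp6  0  0 :::8443         :::*       LISTEN  10696/java
udp   0  0 0.0.0.0:68      0.0.0.0:*          2087/dhclient3
"""


def declared_ports(server_xml):
    """Return [(port, description)] for every socket server.xml opens.

    redirectPort is only a redirect target, not a listener, so it is ignored.
    """
    root = ET.fromstring(server_xml.encode("utf-8"))
    ports = []
    shutdown = root.get("port")
    if shutdown and shutdown != "-1":          # -1 disables the shutdown port
        ports.append((int(shutdown), "Server shutdown port"))
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        ports.append((int(conn.get("port")), "Connector " + proto))
    return ports


def listening_ports(netstat_text):
    """Map TCP port -> 'pid/program' for rows in LISTEN state."""
    owners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            port = int(f[3].rsplit(":", 1)[1])   # handles 0.0.0.0:22 and :::8443
            owners.setdefault(port, f[6])
    return owners


def conflicts(server_xml, netstat_text):
    """Declared ports that are repeated in server.xml or already bound."""
    owners = listening_ports(netstat_text)
    seen, found = set(), []
    for port, what in declared_ports(server_xml):
        if port in seen:
            found.append((port, what, "declared twice in server.xml"))
        elif port in owners:
            found.append((port, what, "already bound by " + owners[port]))
        seen.add(port)
    return found


def second_bind_errno():
    """Bind one address twice; return (errno number, errno name) of the failure."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind(("127.0.0.1", 0))           # port 0: the kernel picks a free port
        first.listen(1)
        try:
            second.bind(first.getsockname())
        except OSError as exc:
            return exc.errno, errno.errorcode.get(exc.errno)
        return None
    finally:
        first.close()
        second.close()


if __name__ == "__main__":
    for port, what, why in conflicts(SERVER_XML, NETSTAT):
        print(port, what, "->", why)
    # On Linux the number printed here is 98, the value in the log message.
    print("second bind failed with errno", second_bind_errno())
```

Run the netstat capture with Tomcat stopped; while Tomcat is up, its own listeners appear in the listing and every declared port is reported as bound.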
Re: APR connector pollTime defaults are strange in tomcat6/7
My goal with this thread was to raise awareness with APR connector poll time defaults, as some users will not really bother investigating why their servers have such high context switches / timer interrupts. There is no problem here as Tomcat is working fine with defaults.

There should be no harm by setting it to 100 microseconds, as NIO connectors are using 1000ms as default selectorTimeout (same epoll inside) and working just fine.

Christopher Schultz-2 wrote:

> Darius,
>
> On 7/18/2011 2:23 PM, Darius D. wrote:
> > Does Tomcat APR really needs pollTime set so low by default? I thought timeout is meant for some sort of book keeping, where is all connections in FD set are idle, no events come for timeout period - you force timeout and do bookkeeping - on a busy system you will get events anyway cause of socket traffic. Also connection timeout is 60s by default, so ending connection @ 2ms precision is not enhancing latency in any way.
>
> Seems like a reasonable question.
>
> > P.S. There exists perfect workaround in latest Tomcat7, using protocol=org.apache.coyote.http11.Http11NioProtocol and protocol=org.apache.coyote.ajp.AjpNioProtocol for AJP will do away with all unneeded context switches.
>
> Yes, switching from APR connector to another one certainly does alleviate any issues you are experiencing by using the APR connector. This isn't really a workaround. :)
>
> On the other hand, a better workaround would be to set these values appropriately for your environment. What's stopping you from setting the pollTime to, as you suggest, 10 microseconds? That isn't really a workaround, either: it's proper configuration.
>
> It's probably worth discussing what the defaults should be, but there's a perfectly reasonable course of action for you at this point: change the configuration.
>
> -chris
Re: APR connector pollTime defaults are strange in tomcat6/7
> Does Tomcat APR really needs pollTime set so low by default?

Anyone care to comment on this point? I'm interested in this discussion as a user of Linux+APR connectors. While we don't yet run on a tickless kernel, I'm considering trying to measure the impact on our systems as well, but some insight on the rationale for the defaults would be helpful.

M
Re: APR connector pollTime defaults are strange in tomcat6/7
Darius,

On 7/18/2011 2:23 PM, Darius D. wrote:
> Does Tomcat APR really needs pollTime set so low by default? I thought timeout is meant for some sort of book keeping, where is all connections in FD set are idle, no events come for timeout period - you force timeout and do bookkeeping - on a busy system you will get events anyway cause of socket traffic. Also connection timeout is 60s by default, so ending connection @ 2ms precision is not enhancing latency in any way.

Seems like a reasonable question.

> P.S. There exists perfect workaround in latest Tomcat7, using protocol=org.apache.coyote.http11.Http11NioProtocol and protocol=org.apache.coyote.ajp.AjpNioProtocol for AJP will do away with all unneeded context switches.

Yes, switching from APR connector to another one certainly does alleviate any issues you are experiencing by using the APR connector. This isn't really a workaround. :)

On the other hand, a better workaround would be to set these values appropriately for your environment. What's stopping you from setting the pollTime to, as you suggest, 10 microseconds? That isn't really a workaround, either: it's proper configuration.

It's probably worth discussing what the defaults should be, but there's a perfectly reasonable course of action for you at this point: change the configuration.

-chris
Re: APR connector pollTime defaults are strange in tomcat6/7
Darius D. wrote:

> Does Tomcat APR really needs pollTime set so low by default? I thought timeout is meant for some sort of book keeping, where is all connections in FD set are idle, no events come for timeout period - you force timeout and do bookkeeping - on a busy system you will get events anyway cause of socket traffic. Also connection timeout is 60s by default, so ending connection @ 2ms precision is not enhancing latency in any way.
>
> I think defaults should be increased to something reasonable like 100ms (pollTime =10) to avoid unneeded wakeups (and wakeups are bad, cause they cause context switch, and context switches pollute caches, TLB buffers and on modern servers burn electricity by forcing CPUs from low C states)

I guess there is no interest in efficiency and reducing overhead with APR connectors? Overhead is quite substantial.

Consider the following - on a lightly loaded system we were seeing ~1.8k timer interrupts and context switches with Linux 2.6.39 kernel and latest Tomcat 7 + 1.20 TCNative + APR. And it's easy to see where from they are coming - 3 connectors (AJP 8009, HTTP, HTTPS), all APR, all 2000 microseconds PollTime. So we were getting ~500x3 context switches from all those epoll_wait(...,2ms) calls. And they were just burning CPU and polluting caches.

After switching to NIO connectors on same system and same load CS and interrupts are down to ~600. (note that to reproduce this you need a system with NO_HZ kernel and HPET to actually get a epoll_wait timeout of 2000us instead of ~1/HZ (10ms on 100HZ kernel) minimum on normal kernels)

I have attached screenshot from munin irq stats display.

http://old.nabble.com/file/p32115035/irqstats-week.png irqstats-week.png

So results are pretty obvious.
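The wakeup arithmetic in the message above, measured rather than assumed, as an added example (not code from the thread or from Tomcat): one poller thread per idle listener, each waiting with a pollTime-style timeout, counting how often the wait returns with nothing to do. The function names, the 0.5 s sampling window and the use of Python's selectors module (epoll on Linux, timeout rounded up to whole milliseconds) are choices made here.

```python
import selectors
import socket
import threading
import time


def theoretical_wakeups_per_second(poll_time_us, connectors=3):
    """Upper bound: each idle poller times out once per pollTime."""
    return connectors * 1_000_000 / poll_time_us


def idle_wakeups(poll_time_us, connectors=3, duration_s=0.5):
    """Count empty returns from the poll call across idle listeners."""
    timeout_s = poll_time_us / 1_000_000
    counts = [0] * connectors

    def poller(idx):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))        # idle: nobody ever connects
        listener.listen(8)
        sel = selectors.DefaultSelector()       # epoll on Linux
        sel.register(listener, selectors.EVENT_READ)
        deadline = time.monotonic() + duration_s
        try:
            while time.monotonic() < deadline:
                if not sel.select(timeout_s):   # timed out: a wakeup with no work
                    counts[idx] += 1
        finally:
            sel.close()
            listener.close()

    threads = [threading.Thread(target=poller, args=(i,)) for i in range(connectors)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(counts)


def wakeups_per_second(poll_time_us, connectors=3, duration_s=0.5):
    return idle_wakeups(poll_time_us, connectors, duration_s) / duration_s


if __name__ == "__main__":
    for poll_time_us in (2000, 100_000):        # 2 ms as reported above, and 100 ms
        print(
            "pollTime=%dus: measured %.0f/s, bound %.0f/s"
            % (
                poll_time_us,
                wakeups_per_second(poll_time_us),
                theoretical_wakeups_per_second(poll_time_us),
            )
        )
```

The measured rate stays below the bound by whatever timer granularity the kernel applies, which is the NO_HZ/HPET caveat raised in the message.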
Re: APR Native library on tomcat 6
Hello. I have the same problem, except that in the log it is not specified what library is needed. These are the messages in the log:

30-jun-2011 15:13:03 org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8080
30-jun-2011 15:13:04 org.apache.catalina.core.StandardService stop
INFO: Parando servicio Catalina
30-jun-2011 15:13:04 org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
30-jun-2011 15:13:04 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
30-jun-2011 15:16:01 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6/jre/lib/i386/server:/usr/java/jdk1.6/jre/lib/i386:/usr/java/jdk1.6/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
30-jun-2011 15:16:01 org.apache.coyote.http11.Http11Protocol init
INFO: Inicializando Coyote HTTP/1.1 en puerto http-8080
30-jun-2011 15:16:01 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 281 ms
30-jun-2011 15:16:02 org.apache.catalina.core.StandardService start
INFO: Arrancando servicio Catalina
30-jun-2011 15:16:02 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.0
30-jun-2011 15:16:02 org.apache.catalina.core.StandardHost start
INFO: Desactivada la validación XML
30-jun-2011 15:16:02 org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/opt/tomcat6/webapps/Recaudacion/WEB-INF/lib/servlet-api.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
30-jun-2011 15:16:02 org.apache.coyote.http11.Http11Protocol start
INFO: Arrancando Coyote HTTP/1.1 en puerto http-8080
30-jun-2011 15:16:02 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
30-jun-2011 15:16:02 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/41 config=null
30-jun-2011 15:16:02 org.apache.catalina.startup.Catalina start
INFO: Server startup in 847 ms

The bolded part of the message is the error I have.

Besides, I'm trying to use tomcat 6 with a Project that was compiled on tomcat 5.5.7, I can't see the jsp pages.

Could you help me with this please? Thank you!

Christopher Schultz-2 wrote:

> lmk,
>
> On 6/19/2009 9:59 AM, lmk wrote:
> > I compiled apr sources, I didn't use binaries.
>
> If you compiled apr, you're not done: you actually need libtcnative-1.so as well as apr. The APR connector is a little misleading in its naming because it's libtcnative.so that is required, not libapr.so.
>
> You can find tcnative in your Tomcat distro under CATALINA_HOME/bin/tomcat-native.tar.gz
>
> -chris
Re: APR Native library on tomcat 6
To whom it may concern,

On 6/30/2011 4:21 PM, ccastle wrote:
> I have the same problem [where APR won't load], except that in the log it is not specified what library is needed.

You don't need to read the logs to see what library is needed, you need to read the documentation: http://tomcat.apache.org/tomcat-7.0-doc/apr.html

> These are the messages in the log:
>
> The bolded part of the message is the error I have.

Text styles do not come across plain text mailing list posts. I don't see any error messages at all. Perhaps you are talking about this INFO message:

> INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6/jre/lib/i386/server:/usr/java/jdk1.6/jre/lib/i386:/usr/java/jdk1.6/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib

Are you actually intending to use APR? If you are trying to use APR and it's not working, then you should tell us what you have done so far. If you don't care about APR or have no idea what I'm talking about and are only posting to the list because of the above message, you can safely ignore the message or disable the AprLifecycleListener in server.xml to get rid of that message.

> Besides, I'm trying to use tomcat 6 with a Project that was compiled on tomcat 5.5.7, I can't see the jsp pages.

Please post to the list under a separate subject if you have another, unrelated problem.

-chris
RE: APR and async request
OK; I've got it... when I change the Connector from HTTP/1.1 to org.apache.coyote.http11.Http11NioProtocol it works.

Sounds a bit logical (Non-Blocking and async) but can someone please explain?

Thank you

> when I disable APR by removing the tcnative-1.dll or by removing the APR listener from server.xml async requests do not work anymore. I get immediately after the request an empty response body with status 200.
Re: APR and async request
On 21/12/2010 13:07, spr...@gmx.eu wrote:
> OK; I've got it... when I change the Connector from HTTP/1.1 to org.apache.coyote.http11.Http11NioProtocol it works.
>
> Sounds a bit logical (Non-Blocking and async) but can someone please explain?

You'll need to explain what you mean by async requests before anyone can answer that.

Mark

> Thank you
>
> > when I disable APR by removing the tcnative-1.dll or by removing the APR listener from server.xml async requests do not work anymore. I get immediately after the request an empty response body with status 200.
RE: APR and async request
I mean the new servlet 3.0 capabilities: startAsync() and the resulting AsyncContext:

request.startAsync()
AsyncContext#getResponse()

sample:

HttpServletResponse res = (HttpServletResponse) ac.getResponse();
res.setStatus(200);
res.setHeader("X-Foo", "bar");
res.setContentType("application/xml");
PrintWriter w = res.getWriter();
w.println("<foo/>");
w.flush();
ac.complete();

It seems that the response object is somewhat damaged, the code does not fail, but the client only receives status 200, no body and no custom headers sent via Response#setHeader("X-...", "...").

Thank you!

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, December 21, 2010 14:10
To: Tomcat Users List
Subject: Re: APR and async request

On 21/12/2010 13:07, spr...@gmx.eu wrote:
> OK; I've got it... when I change the Connector from HTTP/1.1 to org.apache.coyote.http11.Http11NioProtocol it works.
>
> Sounds a bit logical (Non-Blocking and async) but can someone please explain?

You'll need to explain what you mean by async requests before anyone can answer that.

Mark

> Thank you
>
> > when I disable APR by removing the tcnative-1.dll or by removing the APR listener from server.xml async requests do not work anymore. I get immediately after the request an empty response body with status 200.
Re: APR and async request
On 21/12/2010 15:09, spr...@gmx.eu wrote:
> I mean the new servlet 3.0 capabilities: startAsync() and the resulting AsyncContext:
>
> request.startAsync()
> AsyncContext#getResponse()
>
> sample:
>
> HttpServletResponse res = (HttpServletResponse) ac.getResponse();
> res.setStatus(200);
> res.setHeader("X-Foo", "bar");
> res.setContentType("application/xml");
> PrintWriter w = res.getWriter();
> w.println("<foo/>");
> w.flush();
> ac.complete();
>
> It seems that the response object is somewhat damaged, the code does not fail, but the client only receives status 200, no body and no custom headers sent via Response#setHeader("X-...", "...").

That should work with all connectors and there are a fair number of test cases that check that it does.

If you have a simple, reproducible test case then please open a bugzilla issue.

Mark

> Thank you!
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, December 21, 2010 14:10
> To: Tomcat Users List
> Subject: Re: APR and async request
>
> On 21/12/2010 13:07, spr...@gmx.eu wrote:
> > OK; I've got it... when I change the Connector from HTTP/1.1 to org.apache.coyote.http11.Http11NioProtocol it works.
> >
> > Sounds a bit logical (Non-Blocking and async) but can someone please explain?
>
> You'll need to explain what you mean by async requests before anyone can answer that.
>
> Mark
>
> > Thank you
> >
> > > when I disable APR by removing the tcnative-1.dll or by removing the APR listener from server.xml async requests do not work anymore. I get immediately after the request an empty response body with status 200.
Re: APR/Native: when to use it?
David Dabbs wrote:
> Would it provide better performance for AJP connector processing?

Not at all. The comparison you have been pointed to refers to HTTP connectors. AJP is another (different) protocol, and has a different connector.

> Thanks,
> David
>
> -----Original Message-----
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Sent: Thursday, December 02, 2010 3:09 PM
> To: Tomcat Users List
> Subject: RE: APR/Native: when to use it?
>
> > From: Aggarwal, Ajay [mailto:ajay.aggar...@stratus.com]
> > Subject: APR/Native: when to use it?
>
> > Is it always advisable to use APR if tomcat is the main web server?
>
> No.
>
> > Does it provide better performance for core tomcat engine or do you need to write code to take advantage of it?
>
> That's not really an or situation. Depending on your circumstances, it may or may not provide better performance (also dependent on what you happen to mean by performance). You never need to write code to take advantage of it.
>
> > What are the pros and cons of using it? Are there cons?
>
> Look here: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#Connector%20Comparison
>
> > Will it provide better performance for SSL connectors?
>
> Pretty much always.
>
> - Chuck
Re: APR/Native: when to use it?
On 03/12/2010 09:35, André Warnier wrote:
> David Dabbs wrote:
> > Would it provide better performance for AJP connector processing?
>
> Not at all. The comparison you have been pointed to refers to HTTP connectors. AJP is another (different) protocol, and has a different connector.

The AJP connector comes in two flavours. BIO and APR.

Is there a performance difference? Yes.

What will it be in your environment? No idea, you'll have to test it.

Mark
RE: APR/Native: when to use it?
> From: Aggarwal, Ajay [mailto:ajay.aggar...@stratus.com]
> Subject: APR/Native: when to use it?

> Is it always advisable to use APR if tomcat is the main web server?

No.

> Does it provide better performance for core tomcat engine or do you need to write code to take advantage of it?

That's not really an or situation. Depending on your circumstances, it may or may not provide better performance (also dependent on what you happen to mean by performance). You never need to write code to take advantage of it.

> What are the pros and cons of using it? Are there cons?

Look here: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#Connector%20Comparison

> Will it provide better performance for SSL connectors?

Pretty much always.

- Chuck
RE: APR/Native: when to use it?
Thanks for your quick response, but I still don't know when I should use APR. That comparison table doesn't help me much (perhaps my ignorance here).
Re: APR based tomcat native library not found
To whom it may concern,

On 10/12/2010 11:00 AM, efftronics wrote:
> I am running apache tomcat 6.0.18, java 1.6 on windows xp platform. I copied tcnative-1.dll and openssl.exe (1.1.14 version) in C:\apache-tomcat-6.0.18\bin. But when I run startup.bat it is showing that APR based tcnative library not found.

It should also dump the value for the system property java.library.path. What value does it show there?

Note that Tomcat 6.0.18 is over 2 years old. Consider upgrading to the latest.

> I also tried with 1.1.8, 1.1.0, 1.1.19, 1.1.20 APR libraries but there is no use. Please help me. Which version do I have to use? Please provide the link.

http://tomcat.apache.org/tomcat-6.0-doc/apr.html

Note the following, directly from the above link:

"Windows binaries are provided for tcnative-1, which is a statically compiled .dll which includes OpenSSL and APR."

That means you don't need openssl.exe at all unless you have chosen to use separate, dynamically linked .dll files. It looks like you're doing a little of both.

If you use separate .dlls, you need: tcnative.dll, apr.dll, and some kind of openssl library (it's unclear if you need openssl.exe or something else). The binaries I find for 1.1.20 say they were built against APR 1.3.9 and OpenSSL 0.9.8k.

So, it sounds like you need to:

1. Use the OpenSSL version that is expected (0.9.8k instead of whatever 1.1.14 is)
2. Add the APR .dll
3. Double-check your java.library.path and make sure the .dll files are in there somewhere (or change your java.library.path)

-chris
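Step 3 of the reply above, as an added example that is not part of the original message or of Tomcat's own code: a small Java program that walks every java.library.path entry and reports where the tcnative-1 library file is (or is not). The class and method names are assumptions; run it with the same JVM and the same -Djava.library.path value that Tomcat is started with.

```java
import java.io.File;

// Added example (not from the thread, not Tomcat code). Class and method
// names are assumptions made for this illustration.
public class TcnativePathCheck {

    // Base library name used on this page (tcnative-1.dll on Windows).
    static final String LIB_NAME = "tcnative-1";

    /** Describes one java.library.path entry: does it exist, does it hold the library? */
    static String inspect(String entry, String fileName) {
        if (entry.length() == 0) {
            return "(empty entry, ignored)";
        }
        File dir = new File(entry);
        // A relative entry is resolved against the JVM's working directory, so
        // which file gets loaded depends on where the process was started.
        String note = dir.isAbsolute() ? "" : "  [relative entry: depends on working directory]";
        if (!dir.isDirectory()) {
            return "no such directory" + note;
        }
        File lib = new File(dir, fileName);
        if (!lib.isFile()) {
            return "directory exists, " + fileName + " not in it" + note;
        }
        return "FOUND " + lib.getAbsolutePath() + " (" + lib.length() + " bytes)" + note;
    }

    /** Counts the entries of a path list that contain fileName, printing a line per entry. */
    static int scan(String pathList, String fileName) {
        int found = 0;
        if (pathList == null) {
            return found;
        }
        for (String entry : pathList.split(File.pathSeparator)) {
            String result = inspect(entry, fileName);
            System.out.println("  " + entry + " -> " + result);
            if (result.startsWith("FOUND")) {
                found++;
            }
        }
        return found;
    }

    public static void main(String[] args) {
        String pathList = System.getProperty("java.library.path");
        // Platform-specific file name, e.g. tcnative-1.dll or libtcnative-1.so.
        String fileName = System.mapLibraryName(LIB_NAME);

        System.out.println("java.library.path = " + pathList);
        System.out.println("os.arch           = " + System.getProperty("os.arch"));
        System.out.println("looking for       = " + fileName);

        int found = scan(pathList, fileName);
        if (found == 0) {
            System.out.println("RESULT: " + fileName + " is in none of the listed directories.");
            System.exit(1);
        }
        if (found > 1) {
            System.out.println("NOTE: " + found + " copies found; the first one on the path is the one loaded.");
        }
        System.out.println("RESULT: " + fileName + " is on java.library.path.");
    }
}
```

A file that is on the path but still fails to load points to the other items in the list above (a missing APR or OpenSSL library for a dynamically linked build), not to the path itself.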
Re: APR Tomcat...
Christopher Schultz wrote:
> Dale,
>
> On 7/19/2010 7:42 PM, Dale Ogilvie wrote:
>> Reasons to use httpd being what?
>
> Here are a few ideas:
>
> 1. Load balancing
> 2. Use of mixed Java and non-Java webapps (PHP, Perl, etc.)
> 3. Use of multiple Tomcat instances behind a single web server
>
> If I thought about it, I could come up with a few more.

4. Imperative/beneficial use of one of the multiple Apache built-in or add-on modules which exist for Apache, and where comparable ready-made Tomcat valves, filters, applications do not (yet) exist or are not as mature. (ref: http://httpd.apache.org/docs/2.2/mod/)

5. Situations where running java webapps under a servlet engine is not the main focus/purpose/interest of a website, but things like 2. above are. I'll enclose in that the situations where the main area of competence of the people developing or managing the website is not Java.

To round this off, I'd say that the right tool for a job does not depend only on the intrinsic qualities of the tool itself. It also depends on many other local circumstances, of which the availability of people with the appropriate competences is probably the most important.

From a relative outsider's point of view, I would compare Apache httpd and Tomcat as follows:

To achieve anything other than relatively trivial with Tomcat, at some point you'll need to become very competent with Java. Being competent with Java is a lifetime occupation, not because of the language itself, but because achieving anything worthwhile with it requires learning about many, many class libraries and their APIs. (Anyone challenging the above?)

In comparison Apache httpd has, built-in, many features that just require configuration, and already has many ready-to-use add-on modules which just require to be plugged in and configured, without having to do any programming at all. This may suit sysadmin types better than developer types.

In both cases, some knowledge of the HTTP protocol is a must, and a good knowledge of HTTP is a tremendous help.

To achieve a certain goal, if you have a choice, choose whatever you are more comfortable with.

Technically, I think that Christopher's earlier benchmarks showed that Tomcat can serve simple static content at least as well as Apache httpd. Using Apache httpd as a front-end to Tomcat introduces some overhead, but with a correct configuration this overhead will be insignificant in most real-world situations, compared to what can be achieved (in terms of unnecessary overhead) by bad coding in the applications themselves, whether they are running under Tomcat or under Apache.

To connect Apache with Tomcat, you can use either mod_jk or mod_proxy_ajp (or just mod_proxy_http). Again, each one has its advantages and inconveniences, and you should mainly choose whichever you feel more comfortable with. The difference in performance between these solutions will likely be insignificant, compared to the mistakes in configuration and in the applications.
Re: APR Tomcat...
On 19/07/2010 22:21, Tony Anecito wrote:
> Hi Pid
>
> First off I get a little red x in the upper left hand corner of the web page.

Excellent technical description of the problem. Is it the response status 404 or a 500, I wonder?

> Yep I agree maybe an upgrade to the latest Tomcat and APR might accomplish fixing the problem but silly me I like to understand an issue before I upgrade.

I didn't say it would, but silly me I like to advise people to stay current, to gain the benefit of bug and security fixes.

> APR==httpd at least that is what the Apache Web site says and the acronym I put up on the title page is about. The Apache Web server group disavow any knowledge of APR since they say the Tomcat Group developed it to replace Apache Web Server.

It's been explained elsewhere in the thread that this is incorrect, but I'm curious to know where you read that the HTTPD 'group' disavowed APR?

> What little info I could find seems to indicate APR uses the ROOT directory under Webapps for html based apps. I will probably go back to Apache Web server as a separate tier. I was trying to get better performance using APR + Tomcat and saw some but not enough to justify the advantages of a separate tier.

I can't seem to see whether your original problem has actually been resolved or not, did you manage to determine what was happening or not?

p

> Best Regards,
> -Tony
Re: APR Tomcat...
The red x is the standard way in an html page to indicate something is wrong but no 404 or other status code is displayed otherwise I would have mentioned it. Simple google indicated many reasons why it might occur.

As I mentioned in another email I plan to switch back to Apache Web Server and there recently has been very good explanations on this email group why to do so.

As I mentioned I used APR for performance which it did a good job for me but other considerations come into play at this point so no need to drag up old emails from the Apache group regarding APR.

Regards,
-Tony
Re: APR Tomcat...
Chuck,

On 7/19/2010 11:50 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: APR Tomcat...
>
>> My tests show that use of sendFile is dramatically faster than without.
>
> Was that vs BIO or NIO? As I recall, there is no sendFile capability in BIO, so both NIO and APR should beat that.

BIO = JIO, right? Too many TLAs.

The NIO and APR connectors support sendFile, but the blocking, vanilla Java connector does not. sendFile, in both the NIO and APR connectors, gives a significant performance improvement.

So, you're right, it's not APR's magic, but the magic of sendFile in either case.

-chris
Re: APR Tomcat...
Tony,

On 7/20/2010 12:35 AM, Tony Anecito wrote:
> Interesting. I saw that when a static file was around 21K or below a dramatic improvement in recorded time in the log for APR. I have not tried with regular Apache Web Server to see what I get.

I should get off my ass and publish my benchmarking results. These Tomcat knuckleheads keep releasing new versions, and I feel like I should repeat my tests with the latest version. :(

Soon. Maybe.

-chris
Re: APR Tomcat...
Do not worry, my friends did not believe me till I sent the before/after logs; even then they argued about physics and the speed of light :-) Where is Einstein when you need him?

-Tony
RE: APR Tomcat...
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: APR Tomcat...

>> Was that vs BIO or NIO? As I recall, there is no sendFile capability in BIO, so both NIO and APR should beat that.

> BIO = JIO, right? Too many TLAs.

The Tomcat doc refers to the original Connector implementation as BIO, not JIO. Using JIO is ambiguous, since both BIO and JIO are pure Java.

- Chuck
Re: APR Tomcat...
On 19/07/2010 19:44, Tony Anecito wrote:
> Hi All,
>
> I have been having odd issues with APR Tomcat (6.0.20) since I set it up a while ago. I am seeing:

Time for an upgrade.

> 1. Sometimes on the first try to get images from a page where the images are assigned a sub domain via a host tag I get a red x. Hitting refresh seems to retrieve the images. The images are in a subfolder off of the ROOT folder of tomcat.

Can you reproduce the problem?

What does the client actually see? You can use a browser tool to find out, e.g. Firebug in Firefox. Fiddler, ieHttpHeaders in IE, the built-in developer tools in Safari/Chrome.

What does the server actually send? You didn't state your OS (tsk) but there are tools available for most OS which will allow you to monitor network traffic at the server. (e.g. Wireshark).

> 2. I get a file not found off of another folder where the file is a jnlp file.
>
> So is there any type of directory tag (allow, deny etc.) I should be using for the sub folders off of ROOT? When I used Apache Web server I set those up but then I was not using a Host tag either. But for APR I did not set up any type of directory tags.

No there isn't. Tomcat != Apache HTTPD.

Security permissions are set in the ROOT/WEB-INF/web.xml, as per the Servlet Spec.

p

> If I need the directory tags where would I put them?
>
> Thanks,
> -Tony
Re: APR Tomcat...
Hi Pid

First off I get a little red x in the upper left hand corner of the web page.

Yep I agree maybe an upgrade to the latest Tomcat and APR might accomplish fixing the problem but silly me I like to understand an issue before I upgrade.

APR==httpd at least that is what the Apache Web site says and the acronym I put up on the title page is about. The Apache Web server group disavow any knowledge of APR since they say the Tomcat Group developed it to replace Apache Web Server.

What little info I could find seems to indicate APR uses the ROOT directory under Webapps for html based apps. I will probably go back to Apache Web server as a separate tier. I was trying to get better performance using APR + Tomcat and saw some but not enough to justify the advantages of a separate tier.

Best Regards,
-Tony
Re: APR Tomcat...
Tony,

On 7/19/2010 5:21 PM, Tony Anecito wrote:
> First off I get a little red x in the upper left hand corner of the web page.

For the whole page? I thought this was an image problem.

> Yep I agree maybe an upgrade to the latest Tomcat and APR might accomplish fixing the problem but silly me I like to understand an issue before I upgrade.

Upgrading is a good idea, but is unlikely to magically fix everything. I'm unaware of any huge bugs in Tomcat 6.0.20 like web server doesn't work at all.

> APR==httpd at least that is what the Apache Web site says and the acronym I put up on the title page is about. The Apache Web server group disavow any knowledge of APR since they say the Tomcat Group developed it to replace Apache Web Server.

APR != httpd

The Tomcat Group neither developed APR nor did they do it to undercut anything the httpd group is doing. On the contrary, libapr is a project to help many other projects, including httpd itself.

http://apr.apache.org/
http://apr.apache.org/projects.html
http://en.wikipedia.org/wiki/Apache_Portable_Runtime

> What little info I could find seems to indicate APR uses the ROOT directory under Webapps for html based apps.

APR does nothing of the sort. APR essentially provides two major capabilities to Tomcat:

1. SSL services using OpenSSL library instead of Java-based SSL
2. Sendfile services to serve static content directly from disk-to-socket with minimal overhead

Both of these features are configured on a Connector in Tomcat and will work with any webapp deployed into the container. It has nothing to do with ROOT or any other specific webapp.

> I will probably go back to Apache Web server as a separate tier. I was trying to get better performance using APR + Tomcat and saw some but not enough to justify the advantages of a separate tier.

Apache httpd + Tomcat will always be slower than simply using Tomcat + APR/sendfile because of the overhead involved in forwarding the requests back and forth. The only exception might be a site which is almost exclusively static content and only one or two dynamic resources. In that case, I might ask why that person was using Java in the first place ;)

There certainly are reasons to use Apache httpd out in front of Tomcat, but performance isn't one of them.

-chris
Re: APR Tomcat...
For each image I would get a small red x. When I hit refresh it then displays them.

Comments like this on Confluence web site for example explain:

"After a bit of Googling came across this: Apache Portable Runtime to provide superior scalability, performance for Tomcat 6. There are comments that when using the APR Tomcat will serve static content on par with Apache (httpd) server speeds - though I haven't been able to personally verify this just yet."

Or from the Tomcat site itself http://tomcat.apache.org/tomcat-5.5-doc/apr.html:

"Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).

These features allows making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology."

So as to say the Tomcat group did not want to compete why build the APR? In either case it does not matter for me but I do appreciate the feedback.

Regards,
-Tony
RE: APR Tomcat...
Reasons to use httpd being what?

We historically have used httpd and mod_proxy_ajp, but less being more I'm considering a tomcat only setup. The reason we used httpd in the past was httpd serves static content better. One other reason that comes to mind is httpd url rewrite support, assuming tomcat can't help in this area. Any others?

Dale

/still hoping my tomcat download license doesn't get revoked before tomcat 7 is released/

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, 20 July 2010 9:51 a.m.
To: Tomcat Users List
Subject: Re: APR Tomcat...

> There certainly are reasons to use Apache httpd out in front of Tomcat, but performance isn't one of them.
>
> -chris
Re: APR Tomcat...
I used APR for performance reasons. I was running Apache Web Server and Tomcat on the same physical windows server. I mentioned what configuration might be faster and was told APR native with Tomcat and it was faster. I might have gone from 1.5 to 1.0 milliseconds for JAXWS requests.

The disadvantages are such as when Tomcat is taken down so does your static content. Apache Web Server is probably updated more frequently than APR Native. I am guessing better security for Apache Web Server versus APR and probably more that the Tomcat and Apache Web Server teams can agree upon such as load balancing.

So APR Native was an experiment for me not a final solution. Time to go back to reality.

Thanks,
-Tony
RE: APR Tomcat...
Next experiment can be Varnish in front of Tomcat with APR :) I'm having a lot of fun with it with mostly stateless apps and to optimize some test projects, but haven't had an opportunity to deploy it in any large configuration. It provides a lot of great features and can really be used to tune the heck out of static and semi-static content! -- Richard Maynard -Original Message- From: Tony Anecito [mailto:adanec...@yahoo.com] Sent: Monday, July 19, 2010 7:42 PM To: Tomcat Users List Subject: Re: APR Tomcat... I used APR for performance reasons. I was running Apache Web Server and Tomcat on the same physical windows server. I mentioned what configuration might be faster and was told APR native with Tomcat and it was faster. I might have gone from 1.5 to 1.0 milliseconds for JAXWS requests. The disadvantages are such as when Tomcat is taken down so does your static content. Apache Web Server is probably updated more frequently than APR Native. I am guessing better security for Apache Web Server versus APR and probably more that the Tomcat and Apache Web Server teams can agree upon such as load balancing. So APR Native was an experiment for me not a final solution. Time to go back to reality. Thanks, -Tony - Original Message From: Dale Ogilvie dale.ogil...@trimble.co.nz To: Tomcat Users List users@tomcat.apache.org Sent: Mon, July 19, 2010 5:42:39 PM Subject: RE: APR Tomcat... Reasons to use httpd being what? We historically have used httpd and mod_proxy_ajp, but less being more I'm considering a tomcat only setup. The reason we used httpd in the past was httpd serves static content better. One other reason that comes to mind is httpd url rewrite support, assuming tomcat can't help in this area. Any others? Dale /still hoping my tomcat download license doesn't get revoked before tomcat 7 is released/ -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, 20 July 2010 9:51 a.m. To: Tomcat Users List Subject: Re: APR Tomcat... 
There certainly are reasons to use Apache httpd out in front of Tomcat, but performance isn't one of them.

-chris

Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at ab...@rackspace.com, and delete the original message. Your cooperation is appreciated.
RE: APR Tomcat...
> From: Tony Anecito [mailto:adanec...@yahoo.com]
> Subject: Re: APR Tomcat...

> So as to say the Tomcat group did not want to compete why build the APR?

Tomcat people did not create it - APR has been around for years. It's part of many products (e.g., subversion). What the Tomcat group did was provide a JNI interface to APR to allow its use with Tomcat directly, primarily because OpenSSL is much faster than the pure Java SSE equivalent. APR provides no significant benefits for unencrypted content.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: APR Tomcat...
> From: Dale Ogilvie [mailto:dale.ogil...@trimble.co.nz]
> Subject: RE: APR Tomcat...

> Reasons to use httpd being what?

Serving PHP and as a poor man's load balancer, for starters.

> The reason we used httpd in the past was httpd serves static content better.

Which hasn't been true for some years.

> One other reason that comes to mind is httpd url rewrite support,

The equivalent for Tomcat is here:
http://www.tuckey.org/urlrewrite/

> /still hoping my tomcat download license doesn't get revoked before tomcat 7 is released/

Too late: Tomcat 7 has been released - albeit still beta.

- Chuck
RE: APR Tomcat...
> From: Tony Anecito [mailto:adanec...@yahoo.com]
> Subject: Re: APR Tomcat...

> The disadvantages are such as when Tomcat is taken down so does your static content.

So why are you taking Tomcat down? Doctor, doctor, it hurts when I do this!

> I am guessing better security for Apache Web Server versus APR

You're right - you're guessing. There's no evidence to support that conjecture.

- Chuck
Re: APR Tomcat...
Chuck,

On 7/19/2010 9:57 PM, Caldarale, Charles R wrote:
>> From: Tony Anecito [mailto:adanec...@yahoo.com]
>> Subject: Re: APR Tomcat...
>>
>> So as to say the Tomcat group did not want to compete why build the APR?
>
> Tomcat people did not create it - APR has been around for years. It's part of many products (e.g., subversion). What the Tomcat group did was provide a JNI interface to APR to allow its use with Tomcat directly, primarily because OpenSSL is much faster than the pure Java SSE equivalent. APR provides no significant benefits for unencrypted content.

My tests show that use of sendFile is dramatically faster than without. I did not benchmark SSL.

-chris
Re: APR Tomcat...
Dale,

On 7/19/2010 7:42 PM, Dale Ogilvie wrote:
> Reasons to use httpd being what?

Here are a few ideas:

1. Load balancing
2. Use of mixed Java and non-Java webapps (PHP, Perl, etc.)
3. Use of multiple Tomcat instances behind a single web server

If I thought about it, I could come up with a few more.

> We historically have used httpd and mod_proxy_ajp, but less being more I'm considering a tomcat only setup.

Tomcat-only is a great setup when you have a non-complicated environment. If you can do it, I'd say go for it. Fewer attack vectors, fewer packages to keep up-to-date, etc. Just remember to use APR+sendFile ;) Or even NIO+sendFile.

> The reason we used httpd in the past was httpd serves static content better.

That reason is no longer valid with a proper configuration.

> One other reason that comes to mind is httpd url rewrite support, assuming tomcat can't help in this area. Any others?

tuckey's urlrewrite, though mod_rewrite is much more chainsawy than urlrewrite.

-chris
RE: APR Tomcat...
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: APR Tomcat...

> My tests show that use of sendFile is dramatically faster than without.

Was that vs BIO or NIO? As I recall, there is no sendFile capability in BIO, so both NIO and APR should beat that.

- Chuck