Re: Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

2018-03-14 Thread Richard Tearle
Hello

On 1 March 2018 at 23:31, George S.  wrote:

> I'm hitting the error:
>
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
>
> The connector is configured as:
>
>
>  address="10.0.0.62"
>maxThreads="150" SSLEnabled="true">
> 
>  certificateFile="conf/certificate.pem"
>  type="RSA" />
> 
> 
>
> I've verified the tomcat user can read the two files, and I've su'd to
> user tomcat and used:
>
> openssl rsa -in key.pem -text
>
> and the private key was dumped as expected. The key is not encrypted. The
> cert is self-signed and was generated by OpenSSL using CA.sh.
>
> I'm kind of at a loss here. The example server.xml entries show naming PEM
> files directly, and the connector docs seem to imply that pem files are
> supported.
>
> Can anyone give me a pointer on what to do here?
>
> --
> George S.
> *MH Software, Inc.*
> Voice: 303 438 9585
> http://www.mhsoftware.com
>


Are you using the Tomcat Native Library? I think that's required when using
PEM encoded certificates.

-- 

*Richard Tearle BSc(Hons) MCP*

Senior Consultant

*Northgate Public Services (NPS)*

Mobile: +44 (0)7738 888315

Email: richard.tea...@northgateps.com

Web: www.northgatepublicservices.co.uk



Re: Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

2018-03-14 Thread Christopher Schultz

George,

On 3/1/18 6:31 PM, George S. wrote:
> I'm hitting the error:
> 
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
> 
> The connector is configured as:
> 
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> address="10.0.0.62" maxThreads="150" SSLEnabled="true"> 
>   certificateFile="conf/certificate.pem" type="RSA" /> 
>  
> 
> I've verified the tomcat user can read the two files, and I've su'd
> to user tomcat and used:
> 
> openssl rsa -in key.pem -text
> 
> and the private key was dumped as expected. The key is not
> encrypted. The cert is self-signed and was generated by OpenSSL
> using CA.sh.
> 
> I'm kind of at a loss here. The example server.xml entries show
> naming PEM files directly, and the connector docs seem to imply
> that pem files are supported.
> 
> Can anyone give me a pointer on what to do here?

Can you post the full stack trace?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris
Thank You Sir.

I will go through the wiki and try it out.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, March 2, 2018 11:55 AM
To: users@tomcat.apache.org
Subject: Re: tomcat 8.5.28


Olaf,

On 3/2/18 9:30 AM, Olaf Kock wrote:
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List'
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root user?
>>
>> I have set it up successfully however, I have to bind the non-root
>> user to port 8443.
>>
>> What is the best way to reroute 8443 through 443? There are several
>> options. Everything is set up at send to port 443 so I need to
>> reroute 8443 in and out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?" -> "It depends"
>
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
>
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port

You can also use jsvc which can:

* bind to privileged ports, then drop privileges
* monitor and restart dead Tomcat processes
* send a signal to rotate logs (like stdout!)

I use a reverse-proxy for everything (and I'd recommend that everyone doing 
anything in the "real world" do the same), so I don't need such things, but 
I think I'd probably want to use jsvc for this purpose because it's fairly 
self-contained PLUS you get the auto-restart capabilities should you want 
them.

> As we were discussing documentation in another thread these days:
> I've expected to find a solution to your question in the FAQ and
> wanted to link to it - but didn't find any entry there. There's a
> patch to go on my list, with no ETA though. Maybe a side-task during
> that Manchester Tomcat training.

It's in the Wiki, not the user's guide:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

It doesn't even come up in Google, so it's no wonder that nobody can find 
it.

We should probably roll some of this stuff into the user's guide so it's in 
a better place. The Wiki is ... not a great place to put things IMO.

-chris



Re: tomcat 8.5.28

2018-03-02 Thread Christopher Schultz

Olaf,

On 3/2/18 9:30 AM, Olaf Kock wrote:
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List'
>> Subject: tomcat 8.5.28
>> 
>> Hello,
>> 
>> Has anyone set up tomcat as a non-root user?
>>
>> I have set it up successfully however, I have to bind the
>> non-root user to port 8443.
>> 
>> What is the best way to reroute 8443 through 443? There are
>> several options. Everything is set up at send to port 443 so I
>> need to reroute 8443 in and out of 443
>> 
>> CentOS 7 by the way -
> "what is the best (TM)?" -> "It depends"
> 
> Tomcat runs well on unprivileged ports, and depending on your OS, 
> familiarity with configuring it, other infrastructure etc, you
> have different options. Are you familiar with them - as you mention
> that there are many?
> 
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port

You can also use jsvc which can:

* bind to privileged ports, then drop privileges
* monitor and restart dead Tomcat processes
* send a signal to rotate logs (like stdout!)

I use a reverse-proxy for everything (and I'd recommend that everyone
doing anything in the "real world" do the same), so I don't need such
things, but I think I'd probably want to use jsvc for this purpose
because it's fairly self-contained PLUS you get the auto-restart
capabilities should you want them.

> As we were discussing documentation in another thread these days:
> I've expected to find a solution to your question in the FAQ and
> wanted to link to it - but didn't find any entry there. There's a
> patch to go on my list, with no ETA though. Maybe a side-task
> during that Manchester Tomcat training.

It's in the Wiki, not the user's guide:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

It doesn't even come up in Google, so it's no wonder that nobody can
find it.

We should probably roll some of this stuff into the user's guide so
it's in a better place. The Wiki is ... not a great place to put
things IMO.

-chris



embedded tomcat (8.5.28) classloading issues when adding another war file and classes can be resolved via that webapp classloader and the bootstrap classloader

2018-03-02 Thread Torsten Krah
Hi,

I am using an embedded tomcat to e.g. start my wicket application in my
IDE.
This works fine so far - the whole classpath used and provided by
IntelliJ is used.

But adding e.g. a war file via setWebapp to start some additional
webapps I am running into some issues with those war files.

The intellij classpath does provide e.g. hibernate and this is going to
resolve classes when loading entities via associations.

Hibernate was loaded using classloader A (bootstrap one) and it does
even resolve that association class with A where it should have used the
ParallelWebappClassloader from my war file first when getting a request
for that war file.

So this is going havoc because bootstrap classloader is asked first here
where it does find that class (embedded tomcat - no extra classloader
stuff done).

https://tomcat.apache.org/tomcat-8.5-doc/class-loader-howto.html

So how is this supposed to work in case I want to load additional war
files in an embedded tomcat - any best practices, docs known how to
"reproduce" such an isolated environment for an embedded tomcat?

So minimal example would be:

1. The bootstrap class with "new Tomcat()" is in my test classpath of my
webapp in the IDE and can run the webapp from "src/main/webapp" as usual
- which works so far (one big fat classpath ...).

2. I want to add a webapp from a war file in the same Tomcat() instance
- but here it gets messy with the classes.

Suggestions welcome :)

kind regards

Torsten

PS: In the "real" tomcat this is going to work because the bootstrap
classloader does not know that class at all there - where in the webapp
one this is "mixed".





RE: tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris
All,

I am not sure is this out of scope with Tomcat's policies?


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 2, 2018 10:43 AM
To: Tomcat Users List 
Subject: RE: tomcat 8.5.28

Thanks my friend, I have tried that without success.


[root@cjc logs]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# curl -k https://10.32.32.230:443
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]#

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Johan Compagner [mailto:jcompag...@servoy.com]
Sent: Friday, March 2, 2018 10:23 AM
To: Tomcat Users List 
Subject: Re: tomcat 8.5.28

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris 
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root user?
>
> I have set it up successfully however, I have to bind the non-root
> user to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in
> and out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



--
Johan Compagner
Servoy




RE: tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris
Thanks my friend, I have tried that without success.


[root@cjc logs]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@cjc logs]# curl -k https://10.32.32.230
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]# curl -k https://10.32.32.230:443
curl: (7) Failed connect to 10.32.32.230:443; Connection refused
[root@cjc logs]#

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Johan Compagner [mailto:jcompag...@servoy.com]
Sent: Friday, March 2, 2018 10:23 AM
To: Tomcat Users List 
Subject: Re: tomcat 8.5.28

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris 
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root user?
>
> I have set it up successfully however, I have to bind the non-root
> user to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in
> and out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



--
Johan Compagner
Servoy
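
Added example, not part of the original messages: the transcript above tests the redirect with curl from the same host that holds the rule. The nat PREROUTING chain only sees packets arriving from the network, while locally generated connections pass through nat OUTPUT, so this check over `iptables-save` text reports which clients a REDIRECT actually reaches. The sample rule sets are constructed and `redirect_coverage` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify how far a port REDIRECT
# reaches, based on which nat chains carry the rule.
#
#   remote+local  rule present in PREROUTING and OUTPUT
#   remote-only   rule present in PREROUTING only (clients on other hosts)
#   local-only    rule present in OUTPUT only (connections made on this host)
#   none          no matching REDIRECT rule in the nat table

# Constructed sample: nat table after running only the PREROUTING command
# from the thread, in the form iptables-save prints it.
SAMPLE_PREROUTING_ONLY='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# Constructed sample: same table with an additional OUTPUT rule for
# connections that originate on the host itself. It corresponds to:
#   iptables -t nat -I OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8443
SAMPLE_WITH_OUTPUT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# usage: redirect_coverage <from_port> <to_port>   (iptables-save text on stdin)
# Only plain "--dport N" matches are recognised; multiport rules are ignored.
redirect_coverage() {
  awk -v from="$1" -v to="$2" '
    /^\*/ { table = substr($0, 2) }          # table header: "*nat", "*filter"
    table == "nat" && $1 == "-A" {
      chain = $2; dport = ""; target = ""; toport = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--to-ports" || $i == "--to-port") toport = $(i + 1)
      }
      if (target == "REDIRECT" && dport == from && toport == to) seen[chain] = 1
    }
    END {
      pre = ("PREROUTING" in seen)
      out = ("OUTPUT" in seen)
      if (pre && out) print "remote+local"
      else if (pre)   print "remote-only"
      else if (out)   print "local-only"
      else            print "none"
    }'
}

# Run against the constructed samples. On a live host the input would be
#   iptables-save -t nat | redirect_coverage 443 8443
printf '%s\n' "$SAMPLE_PREROUTING_ONLY" | redirect_coverage 443 8443
printf '%s\n' "$SAMPLE_WITH_OUTPUT" | redirect_coverage 443 8443
```

A result of `remote-only` means a curl run on the server itself is not a valid test of the redirect; the check has to come from another machine, or the OUTPUT rule has to exist as well.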




Re: tomcat 8.5.28

2018-03-02 Thread Johan Compagner
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

then you can save the iptables so they stick after reboot:

sudo service iptables save


On 2 March 2018 at 15:08, Cheltenham, Chris 
wrote:

> Hello,
>
>
>
> Has anyone set up tomcat as a non-root user?
>
> I have set it up successfully however, I have to bind the non-root user
> to port 8443.
>
>
>
> What is the best way to reroute 8443 through 443?
>
> There are several options.
>
> Everything is set up at send to port 443 so I need to reroute 8443 in and
> out of 443
>
>
>
> CentOS 7 by the way –
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



-- 
Johan Compagner
Servoy


RE: tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris
Thanks Andre.

People have nothing better to do I suppose.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Friday, March 2, 2018 9:49 AM
To: users@tomcat.apache.org
Subject: Re: tomcat 8.5.28

On 02.03.2018 15:41, Cheltenham, Chris wrote:
> Mark,
>
> Can you elaborate on what is going on there?
> What trolls?
> I don’t know what that means.

See : https://en.wikipedia.org/wiki/Internet_troll

>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, March 2, 2018 9:39 AM
> To: Tomcat Users List ; Olaf Kock
> 
> Subject: Re: tomcat 8.5.28
>
> On 02/03/18 14:30, Olaf Kock wrote:
>>
>>
>> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>>> What?
>>
>> don't feed the trolls ;)
>
> Better still, unsubscribe them :)
>
> Just a reminder to everyone that the list does have moderators and we
> can be reached directly at users-owner@... should you need our help.
>
> I have unsubscribed this particular user.
>
> Mark
>
>
>>
>>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>>> Sent: Friday, March 02, 2018 9:08 AM
>>> To: 'Tomcat Users List' 
>>> Subject: tomcat 8.5.28
>>>
>>> Hello,
>>>
>>> Has anyone set up tomcat as a non-root user?
>>>
>>> I have set it up successfully however, I have to bind the non-root
>>> user to port 8443.
>>>
>>> What is the best way to reroute 8443 through 443?
>>> There are several options.
>>> Everything is set up at send to port 443 so I need to reroute 8443
>>> in and out of 443
>>>
>>> CentOS 7 by the way -
>> "what is the best (TM)?"
>> -> "It depends"
>>
>> Tomcat runs well on unprivileged ports, and depending on your OS,
>> familiarity with configuring it, other infrastructure etc, you have
>> different options. Are you familiar with them - as you mention that
>> there are many?
>>
>> You can
>> * use iptables redirection,
>> * have a proxy/webserver/loadbalancer in front,
>> * enable unprivileged binding to the port
>>
>> I default to the second option, because there's an Apache httpd or
>> another loadbalancer anyways, and it tended to be best documented
>> with regards to all of the specific SSL settings you might want to
>> have (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>>
>> The others are valid as well - none is better, they're just different.
>>
>> As we were discussing documentation in another thread these days:
>> I've expected to find a solution to your question in the FAQ and
>> wanted to link to it - but didn't find any entry there. There's a
>> patch to go on my list, with no ETA though. Maybe a side-task during
>> that Manchester Tomcat training.
>>
>> Olaf
>>
>>
>>
>>
>>
>>
>





Re: tomcat 8.5.28

2018-03-02 Thread tomcat

On 02.03.2018 15:41, Cheltenham, Chris wrote:

Mark,

Can you elaborate on what is going on there?
What trolls?
I don’t know what that means.


See : https://en.wikipedia.org/wiki/Internet_troll




===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, March 2, 2018 9:39 AM
To: Tomcat Users List ; Olaf Kock

Subject: Re: tomcat 8.5.28

On 02/03/18 14:30, Olaf Kock wrote:



On 02.03.2018 15:22, Cheltenham, Chris wrote:

What?


don't feed the trolls ;)


Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we can be
reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark





From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root user?

I have set it up successfully however, I have to bind the non-root
user to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in
and out of 443

CentOS 7 by the way -

"what is the best (TM)?"
-> "It depends"

Tomcat runs well on unprivileged ports, and depending on your OS,
familiarity with configuring it, other infrastructure etc, you have
different options. Are you familiar with them - as you mention that
there are many?

You can
* use iptables redirection,
* have a proxy/webserver/loadbalancer in front,
* enable unprivileged binding to the port

I default to the second option, because there's an Apache httpd or
another loadbalancer anyways, and it tended to be best documented with
regards to all of the specific SSL settings you might want to have
(the cipher-cocktail of the day), plus easily get LetsEncrypt certs.

The others are valid as well - none is better, they're just different.

As we were discussing documentation in another thread these days: I've
expected to find a solution to your question in the FAQ and wanted to
link to it - but didn't find any entry there. There's a patch to go on
my list, with no ETA though. Maybe a side-task during that Manchester
Tomcat training.

Olaf









RE: tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris
Mark,

Can you elaborate on what is going on there?
What trolls?
I don’t know what that means.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, March 2, 2018 9:39 AM
To: Tomcat Users List ; Olaf Kock 

Subject: Re: tomcat 8.5.28

On 02/03/18 14:30, Olaf Kock wrote:
>
>
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> What?
>
> don't feed the trolls ;)

Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we can be 
reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark


>
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List' 
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root user?
>>
>> I have set it up successfully however, I have to bind the non-root
>> user to port 8443.
>>
>> What is the best way to reroute 8443 through 443?
>> There are several options.
>> Everything is set up at send to port 443 so I need to reroute 8443 in
>> and out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?"
> -> "It depends"
>
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
>
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port
>
> I default to the second option, because there's an Apache httpd or
> another loadbalancer anyways, and it tended to be best documented with
> regards to all of the specific SSL settings you might want to have
> (the cipher-cocktail of the day), plus easily get LetsEncrypt certs.
>
> The others are valid as well - none is better, they're just different.
>
> As we were discussing documentation in another thread these days: I've
> expected to find a solution to your question in the FAQ and wanted to
> link to it - but didn't find any entry there. There's a patch to go on
> my list, with no ETA though. Maybe a side-task during that Manchester
> Tomcat training.
>
> Olaf
>
>
>
>
>
>
>





Re: tomcat 8.5.28

2018-03-02 Thread Mark Thomas
On 02/03/18 14:30, Olaf Kock wrote:
> 
> 
> On 02.03.2018 15:22, Cheltenham, Chris wrote:
>> What?
> 
> don't feed the trolls ;)

Better still, unsubscribe them :)

Just a reminder to everyone that the list does have moderators and we
can be reached directly at users-owner@... should you need our help.

I have unsubscribed this particular user.

Mark


> 
>> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
>> Sent: Friday, March 02, 2018 9:08 AM
>> To: 'Tomcat Users List' 
>> Subject: tomcat 8.5.28
>>
>> Hello,
>>
>> Has anyone set up tomcat as a non-root user?
>>
>> I have set it up successfully however, I have to bind the non-root user
>> to port 8443.
>>
>> What is the best way to reroute 8443 through 443?
>> There are several options.
>> Everything is set up at send to port 443 so I need to reroute 8443 in and
>> out of 443
>>
>> CentOS 7 by the way -
> "what is the best (TM)?"
> -> "It depends"
> 
> Tomcat runs well on unprivileged ports, and depending on your OS,
> familiarity with configuring it, other infrastructure etc, you have
> different options. Are you familiar with them - as you mention that
> there are many?
> 
> You can
> * use iptables redirection,
> * have a proxy/webserver/loadbalancer in front,
> * enable unprivileged binding to the port
> 
> I default to the second option, because there's an Apache httpd or
> another loadbalancer anyways, and it tended to be best documented with
> regards to all of the specific SSL settings you might want to have (the
> cipher-cocktail of the day), plus easily get LetsEncrypt certs.
> 
> The others are valid as well - none is better, they're just different.
> 
> As we were discussing documentation in another thread these days: I've
> expected to find a solution to your question in the FAQ and wanted to
> link to it - but didn't find any entry there. There's a patch to go on
> my list, with no ETA though. Maybe a side-task during that Manchester
> Tomcat training.
> 
> Olaf
> 
> 
> 
> 
> 
> 
> 





Re: tomcat 8.5.28

2018-03-02 Thread Olaf Kock



On 02.03.2018 15:22, Cheltenham, Chris wrote:

What?


don't feed the trolls ;)


From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root user?

I have set it up successfully however, I have to bind the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up at send to port 443 so I need to reroute 8443 in and
out of 443

CentOS 7 by the way -

"what is the best (TM)?"
-> "It depends"

Tomcat runs well on unprivileged ports, and depending on your OS, 
familiarity with configuring it, other infrastructure etc, you have 
different options. Are you familiar with them - as you mention that 
there are many?


You can
* use iptables redirection,
* have a proxy/webserver/loadbalancer in front,
* enable unprivileged binding to the port

I default to the second option, because there's an Apache httpd or 
another loadbalancer anyways, and it tended to be best documented with 
regards to all of the specific SSL settings you might want to have (the 
cipher-cocktail of the day), plus easily get LetsEncrypt certs.


The others are valid as well - none is better, they're just different.

As we were discussing documentation in another thread these days: I've 
expected to find a solution to your question in the FAQ and wanted to 
link to it - but didn't find any entry there. There's a patch to go on 
my list, with no ETA though. Maybe a side-task during that Manchester 
Tomcat training.


Olaf









RE: tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris
What?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-Original Message-
From: THOMAS, NEFERTA C [mailto:nt1...@att.com] 
Sent: Friday, March 2, 2018 9:16 AM
To: Tomcat Users List 
Cc: ccheltenham-...@philasd.org
Subject: RE: tomcat 8.5.28

Please pause all your attempts. None of this sounds above board: so many
issues, and no one has a point of contact to talk to or whom I should
go to. Please don't proceed until I have spoken to a software specialist.




From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root user?

I have set it up successfully; however, I have to bind the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up to send to port 443, so I need to reroute 8443 in and
out of 443.

CentOS 7 by the way -


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571




RE: tomcat 8.5.28

2018-03-02 Thread THOMAS, NEFERTA C
Please pause all your attempts. None of this sounds above board: so many
issues, and no one has a point of contact to talk to or whom I should go to.
Please don't proceed until I have spoken to a software specialist.




From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Friday, March 02, 2018 9:08 AM
To: 'Tomcat Users List' 
Subject: tomcat 8.5.28

Hello,

Has anyone set up tomcat as a non-root user?

I have set it up successfully; however, I have to bind the non-root user to
port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up to send to port 443, so I need to reroute 8443 in and out
of 443.

CentOS 7 by the way -


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


tomcat 8.5.28

2018-03-02 Thread Cheltenham, Chris


Hello,

Has anyone set up tomcat as a non-root user?

I have set it up successfully; however, I have to bind the non-root user
to port 8443.

What is the best way to reroute 8443 through 443?
There are several options.
Everything is set up to send to port 443, so I need to reroute 8443 in and
out of 443.

CentOS 7 by the way -


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

2018-03-01 Thread George S.

I'm hitting the error:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys

The connector is configured as:




   



I've verified the tomcat user can read the two files, and I've su'd to user 
tomcat and used:

openssl rsa -in key.pem -text

and the private key was dumped as expected. The key is not encrypted. The cert 
is self-signed and was generated by OpenSSL using CA.sh.

I'm kind of at a loss here. The example server.xml entries show naming PEM 
files directly, and the connector docs seem to imply that pem files are 
supported.

Can anyone give me a pointer on what to do here?

--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


[ANN] Apache Tomcat 8.5.28 available

2018-02-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.28.

Tomcat 8.x users should be using 8.5.x releases in preference to 8.0.x
releases.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x is intended to replace 8.0.x and includes new
features pulled forward from the 9.0.x branch. The notable changes since
8.5.27 include:

- Fix truncated request input streams when using NIO2 with TLS.

- Improved error handling and reporting for TLS configuration.

- Enhance the JMX support for jdbc-pool in order to expose
  PooledConnection and JdbcInterceptors.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

