> -----Original Message-----
> From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
> Sent: Tuesday, October 07, 2014 1:36 PM
> To: Tomcat Users List
> Subject: RE: Help with Apache Tomcat/7.0.53 SSL issue
>
> To all,
>
> Oh... Here is the entry in our server.xml (probably the most important part)
>
> <Connector port="<Omitted>" address="<Omitted>" protocol="HTTP/1.1"
>     SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>     clientAuth="false"
>     ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
>     keyAlias="<omitted>"
>     keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
>     keystorePass="<omitted>" />
>
> <Connector port="<omitted>" address="<omitted>"
>     protocol="org.apache.coyote.http11.Http11Protocol" maxthreads="150"
>     scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
>     ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
>     keyAlias="<omitted>"
>     keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
>     keystorePass="<omitted>" />
>
> Users connect directly to first listed connection.... The second SSL port
> is not currently used.
>
> Thanks,
> Lee
>
> From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
> Sent: Tuesday, October 07, 2014 1:31 PM
> To: users@tomcat.apache.org
> Subject: Help with Apache Tomcat/7.0.53 SSL issue
>
> To all,
>
> I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with
> SSL. I am currently running three environments (Dev, UAT, and Prod). Prod
> comprises 4 VMs (uname states version as "2.6.32-431.11.2.el6.x86_x86_64
> GNU/Linux") with each containing a local version of Java [ Java(TM) SE
> Runtime Environment (build 1.7.0_55-b13) Java HotSpot(TM) 64-Bit Server
> VM (build 24.55-b03, mixed mode) ]. As well, Tomcat and Java are owned by
> the user running the app. The VMs are load balanced over two pairs of LTMs
> (LTM1 balances node 1 and node 2; LTM2 balances node 3 and node 4). The
> test environment is scaled down to just one LTM with two nodes and
> development is just a single VM.
>
> Now, when I deployed dev and test I did not have any issues with SSL....
> everything went as planned. When I deployed into production, I started to
> get complaints about timeouts to the service. After much troubleshooting...
> we were able to discern, using curl, that in production the LTM was not
> getting a response back from the application (using TCPDUMP)
> intermittently. Our LTMs are configured to serve as an SSL proxy. On the
> VM, TCPDUMP shows that traffic is being presented to the socket but there
> is no response. As far as I can tell the three environments (TOMCAT and
> JAVA) are the same. I find nothing in the logs from both access and
> catalina.out. When I restart the servers the problem goes away for about
> one hour then it comes back rapidly. Using top and sar I do not see any
> issues with operating system performance. Also, by going down to one node
> the problem persists. As well, here are the options that are in setenv.sh
>
> export JAVA_OPTS="$JAVA_OPTS\
>  -verbosegc\
>  -Xms256m\
>  -XX:+DisableExplicitGC\
>  -Xmx2g"
>
> Here is the error that I see from curl
>
> curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
>
> Help,
> Lee Brewer

Lee, you say you checked the access & catalina logs, but did you check the stdout & stderr logs? Since the problem goes away for about an hour after you restart, could you be having memory issues? Those are usually reported in the stderr log.

Is 2g a valid value for -Xmx? I've always specified it in terms of Megs, that is -Xmx2048m.

Jeff