So you're saying the change via JMX would update the in-memory representation of
the server.xml conf, and be using the updated credentials, but
if and when restarted it would use the credentials present in the actual
server.xml?

-John 

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, May 13, 2015 1:28 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 JNDI Realm credential password update availability

Mark,

On 5/13/15 2:45 PM, Mark Thomas wrote:
> On 13/05/2015 19:13, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK 
> INFORMATION INC at Cisco) wrote:
>> Hello,
>> 
>> We have a Tomcat 7 server running on Linux that must use LDAP over 
>> SSL to connect to an AD server for user authentication.
>> This configuration we have working. The issue is the credentials used 
>> to connect to the AD server must have the password updated every 180 
>> days, and therefore updated in the JNDI Realm configuration. Is there 
>> a way to update the password in server.xml that would allow it to be 
>> recognized as changed without restarting the Tomcat server? Or some 
>> other configuration, whatever it may be, that would achieve this? The 
>> goal is to update the password and have it recognized as updated with 
>> no down time for the application running on the server.
>> 
>> Any thoughts would be appreciated.
> 
> server.xml changes require a restart. Can you update it via JMX as 
> well? (That should work but I am going from memory rather than testing 
> it / looking at the source).

From *my* memory, modifying things that come from server.xml via JMX often 
does nothing, because the component itself doesn't get re-initialized. You 
basically just change the in-memory representation of the configuration, but 
the component (Realm, in this case), just keeps doing what it was doing.

A good example is the <Connector>s, though in that case, the "Connector" is 
just configuration that gets used to generate a Protocol+Endpoint so maybe 
I'm just thinking of this special case.

Ultimately, JMX is the *right* way to do this, provided that the Realm notices 
that the configuration has changed and actually uses that configuration.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

