Might switching to Tomcat 9 solve this?

2024-08-15 Thread James H. H. Lampert
In the wake of my recently switching a customer over from 8.5 to 9.0, a question came up about another customer installation. They are quite possibly the most heavily loaded customer installation we have (and they also have a chronic problem with disk space). They have a chronic problem with

Re: Refresh my memory: Any "gotchas" in going from Tomcat 8.5 to Tomcat 9?

2024-08-15 Thread James H. H. Lampert
On 8/14/24 6:12 PM, Chuck Caldarale wrote: The blocking IO implementation (http11.Http11Protocol) was actually removed in 8.5, but if specified in the config, 8.5 would substitute the default non-blocking one (http11.Http11NioProtocol). In 9.0, this auto-substitution was removed, requiring a val

Re: Refresh my memory: Any "gotchas" in going from Tomcat 8.5 to Tomcat 9?

2024-08-14 Thread James H. H. Lampert
I ran into a "gotcha" that I probably ran into when we did our cloud box. 14-Aug-2024 19:19:31.245 SEVERE [main] org.apache.catalina.connector.Connector. Protocol handler instantiation failed java.lang.ClassNotFoundException: org.apache.coyote.http11.Http11Protocol I was just about ready to

Refresh my memory: Any "gotchas" in going from Tomcat 8.5 to Tomcat 9?

2024-08-12 Thread James H. H. Lampert
I know I have at least one Tomcat 9 installation running on an IBM Midrange box (namely our cloud box). But I can't remember whether there are any "gotchas" for going from 8.5 to 9, with Tomcat handling the HTTPS itself, using a Java Keystore, and opening Manager to specific IP addresses. --

Re: Tomcat deploying war file for every restart on Red Hat Linux 8.6

2024-08-02 Thread James H. H. Lampert
bapp completely afunctional. Honestly, I've never understood why the default is the way it is. Of course, if you've already set autoDeploy to false, and it's still redeploying with every Tomcat start, then the problem is something else. -- James H. H.

Re: Problems with the most problematic of our Tomcat installations on IBM Midrange (cross-posted to Midrange and Tomcat Lists)

2024-07-24 Thread James H. H. Lampert
So what jobs are in the subsystem? You said "the Catalina job and its associated JVM job" but to me those are just a single job/process. Are they separate things in the IBM world? Thanks for your insights, Mr. Schultz. And yours, too, Herr Hoffmann. On an IBM Midrange box (AS/400, iSeries, wha

Re: Problems with the most problematic of our Tomcat installations on IBM Midrange (cross-posted to Midrange and Tomcat Lists)

2024-07-23 Thread James H. H. Lampert
On 7/23/24 1:25 PM, Christopher Schultz wrote: Thomas, Uh, "James." Thomas was someone who answered earlier. 2. What has to fit into that 7GiB private memory pool? Does it include any OS, or is it just the JVM itself? On an IBM Midrange box, a private memory pool simply provides

Problems with the most problematic of our Tomcat installations on IBM Midrange (cross-posted to Midrange and Tomcat Lists)

2024-07-23 Thread James H. H. Lampert
Ladies and Gentlemen: We still have a chronic Tomcat crashing problem at one of our installations. The weirdest thing about this is that while this is certainly *one* of our heaviest-usage installations, it's not *the* heaviest. We already have Tomcat shutting down and restarting itself every

Re: Possible penetration attempt or DOS attack: any suggestions on what can be done?

2024-06-27 Thread James H. H. Lampert
On 6/27/24 8:01 AM, Christopher Schultz wrote: "100 404s in a minute per-IP" Actually, what I was seeing, once the webapp developer pointed me in the right direction, was several dozen 404s per *second* from a single IP. Not sure if Fail2ban would even work in this situation: like the overw

Re: Possible penetration attempt or DOS attack: any suggestions on what can be done?

2024-06-27 Thread James H. H. Lampert
On 6/27/24 8:01 AM, Christopher Schultz wrote: Why aren't you seeing the source-IP in your own logs? Because our webapp developer hadn't thought to put them into the log messages we generate. He did, however, direct us to the localhost_access_log files (where I quite frankly hadn't thought t

Re: Possible penetration attempt or DOS attack: any suggestions on what can be done?

2024-06-24 Thread James H. H. Lampert
On 6/24/24 12:03 PM, Tim Funk wrote: Conversely, this is a good time for the developers to review their server logging and tune it to be less verbose for these normal exceptions. As well as implementing logging frameworks and logging at the appropriate level (fatal through debug) Thanks for you

Possible penetration attempt or DOS attack: any suggestions on what can be done?

2024-06-24 Thread James H. H. Lampert
Over the weekend, one of our customers got hit with what appears to have been either a penetration attempt or a DOS attack (or both). Their catalina.out file contains tens of thousands (probably over 100k) of lines reporting that our webapp received a request for a nonexistent server object, a

Re: Excluding specific files when creating WAR files?

2024-06-10 Thread James H. H. Lampert
On 6/10/24 11:02 AM, Sebastian Trost wrote: On 10.06.2024 19:47, James H. H. Lampert wrote: Thank you, Herr Trost. You're welcome, Herr Lampert. Alas, it doesn't look like WAR file generation is something we're doing with Maven: while at least one of our Eclipse projects has a pom.xm

Re: Excluding specific files when creating WAR files?

2024-06-10 Thread James H. H. Lampert
On 6/10/24 10:23 AM, Sebastian Trost wrote: How do you generate your WAR files? With Maven? You should read the documentation at https://maven.apache.org/plugins/maven-war-plugin/examples/including-excluding-files-from-war.html Generally, WAR files are built on the ZIP file format. You can ope

Excluding specific files when creating WAR files?

2024-06-10 Thread James H. H. Lampert
Please forgive me if this is a RTFM issue, or if it's outside the scope of this List (and this isn't exactly the first time I've imposed upon the friendly nature of this List, knowing that it's a much more forgiving environment than a lot of StackExchange forums are). I've just been alerted th

Re: Vulnerabilities Patches

2023-11-06 Thread James H. H. Lampert
On 11/6/23 5:21 PM, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote: I am using Tomcat Apache Version 8.5.94 in Windows server 2012. Recently received following vulnerabilities alert to fix : Short answer: you're already there. And the latest Tomcat 8 (which I just bumped a customer up to) is

Re: Verifying Tomcat downloads

2023-11-03 Thread James H. H. Lampert
On 11/3/23 9:33 AM, Mark Thomas wrote: Alternatively, come along to the next Community Over Code conference, take part in the key signing party and join the web of trust (or just use this as the excuse to come to the conference). And as a final option (I've done it once in 20 years) you can a

Verifying Tomcat downloads

2023-11-03 Thread James H. H. Lampert
a few days, so he may be away). -- James H. H. Lampert - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

I forget: does Tomcat have any problems with *not* having a ROOT context?

2023-09-25 Thread James H. H. Lampert
I probably asked the question before, but does Tomcat have any problems with not having a ROOT context? -- James H. H. Lampert Touchtone Corporation

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread James H. H. Lampert
Java Keystores work. And I don't find them especially difficult to work with (other than new formats not being backward-compatible with older JVMs, and as one who has made a comfortable living banging out code for IBM Midrange boxes for over a quarter century, I am quite familiar with a much wo

Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-11 Thread James H. H. Lampert
Ladies and Gentlemen of Both Lists: Last Friday evening, I ran into a problem updating SSL/TLS keystores on two customer boxes, and spent three hours yesterday, finding the cause, doping out a way to salvage the certs they'd paid for, and doping out a solution to keep it from happening in the

Re: Strange problem involving the word "localhost"

2023-09-08 Thread James H. H. Lampert
On 9/8/23 8:34 AM, Ivano Luberti wrote: I had a similar problem with mod_security installed on servers and Apache used as a proxy. mod_security intercepts the request and, if it considers it suspicious, generates a 403 error. Found it. It's in the AWS WAF. A rule called "AWS#AWSManagedRulesCommonRuleS

Strange problem involving the word "localhost"

2023-09-08 Thread James H. H. Lampert
Yesterday, I discovered that our Tomcat-based webapp (running on Amazon AWS) doesn't like the word "localhost." If I enter it in a text field, through the UI, it won't save the record, and if I feed it into our web services, it comes back with a 403:Forbidden. My primary hypothesis is that

RE: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread James Boggs
Chris, Yes it is unintentional. Actually once we start it with the Windows service, and run through a few reports on the website, it stops in just a few minutes. We will look at the java heap size settings. Regards, James Boggs -Original Message- From: Christopher Schultz Sent

RE: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread James Boggs
Thanks for the input. I will forward the email to our developers to look at the heap size settings being different. We have a Windows service that is used to start/stop Tomcat. When this happens we find that the Windows service is no longer running. Thanks, James Boggs -Original Message

Tomcat 9.0.76 Memory leak with Java 17

2023-07-11 Thread James Boggs
35:40.989Z INFOStopping ProtocolHandler ["https-openssl-nio-10.2.251.132-443"] 2023-07-10T21:35:41.009Z INFODestroying ProtocolHandler ["https-openssl-nio-10.2.251.132-443"] -- end of logfile Regards, James Boggs |

RE: Apache Tomcat request smuggling in 9.0.68?

2023-07-05 Thread James Boggs
ion: https://rplans.army.mil/j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp Date: Wed, 28 Jun 2023 01:37:09 GMT Connection: Keep-Alive ----- V/r, James Boggs | Senior DBA/SA | Mobile: 571-337-0535 “Trust, Integrity, Loyalty to Our Customers, Employees and Partner” VA Verified (SDVOSB) |

Apache Tomcat request smuggling in 9.0.68?

2023-07-05 Thread James Boggs
.0.73. Any insights on this? We have been told the proxy in use only supports HTTP1, so HTTP2 is not an option. V/r, James Boggs | Senior DBA/SA | Mobile: 571-337-0535 "Trust, Integrity, Loyalty to Our Customers, Employees and Partner" VA Verified (SDVOSB) | SBA Certified 8(a) | SB | SD

Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

2023-06-22 Thread James H. H. Lampert
Funny thing: we recently needed to update a customer's Tomcat because they were complaining about a security issue that had prompted 8.5.88. And by the time we got the update request, 8.5.89 was already out, but we hadn't yet heard of CVE-2023-34981. So we'd already skipped over 8.5.88 before

keyPass and keystorePass

2023-05-23 Thread James H. H. Lampert
According to the Tomcat 7 configuration reference, keystorePass, if not specified, defaults to the value (specified or default) of keyPass. The Tomcat 8.5 configuration reference doesn't say this; is it still true? -- JHHL - T

Re: AW: Too many certificates in chain?!? Help!

2023-05-23 Thread James H. H. Lampert
On 5/23/23 10:02 AM, Rob Sargent wrote: Does pathLen:0 mean "no limit" or "no go"? Well given that the "Basic Constraints" are exactly the same, across the board, in *both* the keystores that worked fine and the keystore that blew up, I don't think that's a factor. And the fact that the keys

Re: AW: Too many certificates in chain?!? Help!

2023-05-23 Thread James H. H. Lampert
On 5/23/23 8:31 AM, Christopher Schultz wrote: Can you dump the whole cert (e.g. keytool -list -v -alias 'certname') for each cert and see if any of the certificates specify a maximum chain length somewhere? Evidently, it's an extension to the X.509 spec: Comparing one that worked with one tha

Re: AW: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread James H. H. Lampert
On 5/18/23 1:57 PM, Thomas Hoffmann (Speed4Trade GmbH) wrote: So the error is raised not by tomcat but by the ibm JDK. Yes. The results reported in my latest email say as much. Those results also say that there's something different -- radically different, judging from the amount of red that

Re: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread James H. H. Lampert
Weirder and weirder. (And hopefully, my previous email, with a catalina.out excerpt as an attachment, actually got distributed to the List.) I copied the cert and the unsigned keystore from my new Mac (M2 Mini, running Ventura) to my old Mac (2017 iMac, running Catalina), and signing and chai

Re: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread James H. H. Lampert
On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote: Which version of tomcat do you use? Is the stack trace truncated in your mail? Is there a "caused by ..." further down the stacktrace? It looks like the error is thrown deeper in SSLUtil when creating the ssl context. Maybe you can

Re: Too many certificates in chain?!? Help!

2023-05-17 Thread James H. H. Lampert
On 5/17/23 5:10 PM, Jason Tan wrote: Have a look at this. https://success.qualys.com/discussions/s/question/0D52L4To0DUSAZ/your-ssl-server-test-incorrectly-reports-an-incomplete-chain That's actually my own thread, from a few years ago. The problem here is not an incomplete chain, and nei

Too many certificates in chain?!? Help!

2023-05-17 Thread James H. H. Lampert
root and intermediate as the last good keystore. Can anybody shed any light on what went wrong? Tomorrow morning, I'm going to try plugging the keystore into a Tomcat server on an AS/400 in the office, to see if I can reproduce it. -- James H.

Re: catalina.out, was Re: Connector definitions

2023-03-08 Thread James H. H. Lampert
On 3/8/23 4:06 PM, Christopher Schultz wrote: SOP for systemd is to redirect stdout/stderr for the process into its own logs similar to syslog (but different, of course, because #systemd). This could also happen on Linux if you are using "jsvc" to launch Tomcat. If you use the standard shell s

Re: catalina.out, was Re: Connector definitions

2023-03-08 Thread James H. H. Lampert
On 3/8/23 1:34 PM, Zerro wrote: On the Linux box Tomcat is probably started by systemd, therefore no catalina.out Very likely, but can you elaborate on that? I'm much more of a DOS (to the point of having gone to great lengths to set up a refurbished vintage notebook as a functioning DOSbook

catalina.out, was Re: Connector definitions

2023-03-08 Thread James H. H. Lampert
On 3/8/23 11:35 AM, Mark Thomas wrote: Check logging.properties and/or how you have stdout redirected in your start-up scripts. Thanks. All I see different in logging.properties is that on the Midrange box (installed from the ZIP file from Apache's Tomcat site), it has "catalina.org.apache.j

Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-08 Thread James H. H. Lampert
FYI: The operating system on IBM Midrange boxes ("AS/400," "iSeries," "IBM i," or whatever they're calling it this week) is "OS/400," "IBM i," or whatever they're calling the operating system this week. These machines are the descendants of the IBM S/3, which IBM Rochester developed in the l

Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-07 Thread James H. H. Lampert
Dear Messrs. Thomas, Schultz, et al.: Changing it to "org.apache.coyote.http11.Http11NioProtocol" did the trick. The Tomcat 9 server launched, on our cloud Midrange box, and both it and the webapp contexts we have running seem to be working. It will, of course, require a bit more exercise befor

RE: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-07 Thread James Boggs
apache.org/tomcat-9.0-doc/ssl-howto.html -Original Message- From: James H. H. Lampert Sent: Monday, March 6, 2023 6:58 PM To: Tomcat Users List Subject: Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9? On 03/03/2023 17:44, I wrote: >> O

Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-06 Thread James H. H. Lampert
On 03/03/2023 17:44, I wrote: Ok, another question: will Tomcat 9 accept a "legacy" connector definition in the form as shown below? protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/foo/tomcat/bar.ks" keyAlias="

Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-03 Thread James H. H. Lampert
On 3/3/23 9:51 AM, Mark Thomas wrote: Yes. Thanks. That simplifies things. -- JHHL

Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-03 Thread James H. H. Lampert
On 3/2/23 3:50 PM, jonmcalexan...@wellsfargo.com.INVALID wrote: Yes, Tomcat9 runs under Java8 and above. Ok, another question: will Tomcat 9 accept a "legacy" connector definition in the form as shown below? protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="tr

Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9?

2023-03-02 Thread James H. H. Lampert
Am I correct in my understanding of the Tomcat 9 RUNNING.txt, that it will run under Java 8? -- JHHL

"Reach" blockchain dApps in a Tomcat webapp?

2023-02-23 Thread James H. H. Lampert
If you haven't heard of the "Reach" blockchain language, this probably isn't worth your time. But. Is there anybody here who has called a Reach dApp from a Tomcat webapp? And if so, what's the most practical way to do it? -- JHHL -

Re: Got a customer who's paranoid about Manager

2023-02-23 Thread James H. H. Lampert
On 2/23/23 9:17 AM, Mark Thomas wrote: You need to remove the error page entry for 404 errors from WEB-INF/web.xml rather than / as well as renaming / removing 404.jsp Delete (or comment out) these lines: 404 /WEB-INF/jsp/404.jsp Thanks. I really wish certain other support

Re: Got a customer who's paranoid about Manager

2023-02-23 Thread James H. H. Lampert
On 2/22/23 9:23 AM, Mark Thomas wrote: Alternatively, you can use denyStatus="404" on the RemoteAddrValve. That attribute should be available in all versions of all currently supported Tomcat releases (it was added back in 2011). You can set it to any value valid for use with HttpServletRespon

Any successful SSL Implementation on Tomcat 9.0.69, Java 11, and Oracle ORDS 22.2?

2023-02-22 Thread James Boggs
h makes it seem like both Tomcat and ORDS require PKCS#12 but the company only provides me a PKCS7, and any attempts to convert it to PKCS#12 don't work as a keyfile is not provided to us. Thanks for any help, James. James Boggs | Senior DBA/SA | Mobile: 571-337-0535 "Trust, Integ

Re: Got a customer who's paranoid about Manager

2023-02-22 Thread James H. H. Lampert
On 2/22/23 9:23 AM, Mark Thomas wrote: Fire them and hire a security consultant with a proper understanding of risk? Pardon my Yiddish, but "Fun dayn moyl in Gots oyern." (From your mouth to God's ears. Such a colorful language.) But just because you're paranoid doesn't mean they're not out

Got a customer who's paranoid about Manager

2023-02-22 Thread James H. H. Lampert
We've got a customer -- the same one that was our first test of a working RemoteAddrValve -- whose security consultant is complaining that a potential intruder can confirm the *existence* of the manager context (because it returns a 403, as opposed to, say, a 404). Any ideas? -- JHHL ---

Re: AW: AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-09 Thread James H. H. Lampert
Naturally, I thought about this about 5 seconds after I clicked "Send": It doesn't happen very often, and it usually happens *after* a substantial portion of the heap has been idle for some time. Maybe there's something in there that works somewhat like a disk defragmenter. And when it gets a

Re: AW: AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-09 Thread James H. H. Lampert
It would be unusual for the OS to reclaim any of that memory from the JVM process. Are you looking at OS heap usage, or "JVM heap" usage? From your description above, it's tough to tell. The tool is called WRKJVMJOB so presumably it knows what the heck a JVM is, so maybe you were getting the ex

Re: AW: AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-09 Thread James H. H. Lampert
I've obtained some heap and CPU numbers, taking data at 15 minute intervals, heap from WRKJVMJOB and CPU from WRKACTJOB. In two days of this, I didn't witness any crashes; I did witness a near-miss, in which heap-in-use hit 5011.938M (out of 5120). In discussion with our webapp developer (to w

Re: AW: AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-07 Thread James H. H. Lampert
Monitored the thing all day, taking the CPU usage (via a WRKACTJOB) and the current heap size and heap-in-use (via option 5 of a WRKJVMJOB) every 15 minutes. Heap size was 4925.375M (out of a maximum of 5120M) at 08:45, and the OS took heap away over the course of the day, until it was down to

Re: AW: Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-06 Thread James H. H. Lampert
Thanks, Herr Hoffmann. Your questions were most helpful in determining what information to gather and share. And thanks in advance to anybody else who has any insights. First, I will note that the seemingly non-sequitur nursery-survivor numbers aren't just what we see during a crash; they're w

Having trouble with Tomcat crashes. Interesting memory numbers in Manager

2023-02-03 Thread James H. H. Lampert
One of our customers, one who basically pushes our Tomcat webapp to the limit, is having trouble with crashes. Some interesting numbers are showing up in Server Status, in Manager: nursery-allocate has initial 512M, total 1152M, maximum 1152M, used 587.05M. nursery-survivor has initial 512M, t

Re: Message from a security scan

2023-02-02 Thread James H. H. Lampert
That I was "shot down in flames" when I tried to get in from my Chromebook, through the hotspot on my cell phone, makes it unlikely that Tomcat is seeing a proxy IP, especially given that (as I understand it) I would have had to authorize the proxy IP to get in from my office IP, and I have no

Re: Message from a security scan

2023-02-01 Thread James H. H. Lampert
On 2/1/23 12:06 PM, Mark Thomas wrote: The pen tester requested "/app/..;/manager" The proxy passed that as is to Tomcat since it starts with "/app" Thanks. As it happens, this particular customer was the first one in which I tried putting the only IP addresses with any business accessing ma

Message from a security scan

2023-02-01 Thread James H. H. Lampert
We got this from a customer who did a security scan: A Tomcat Manager login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target operating system. QID Detection Logic: This

Re: Tomcat for Apple silicon coming soon?

2023-01-18 Thread James H. H. Lampert
On 1/18/23 3:11 PM, Christopher Schultz wrote: Tomcat is pure-Java (okay, except for tcnative, which you evidently don't need) and therefore should run on either x86-64 Java via Rosetta 2 or aarch64 Java natively. You do not need any special distribution of Tomcat to run on native aarch64. It

Re: "You don't have permission to access this resource." message on manager

2022-11-15 Thread James H. H. Lampert
On 11/15/22 9:50 AM, Mark Thomas wrote: . . . Is this from Tomcat, or is it from something else? Lots of guess work here. I think, something else. . . . It *is* from something else. I'd completely forgotten that on that particular box, Tomcat was behind Apache HTTPD, and the relevant .conf

"You don't have permission to access this resource." message on manager

2022-11-15 Thread James H. H. Lampert
We have Tomcat running on an AWS EC2 linux box. I can get into manager from the office IP address, with the usual prompt for user and password, but the boss, working from home, gets "You don't have permission to access this resource." Is this from Tomcat, or is it from something else? Lookin

Strange timeout: is it Tomcat, or is it some intermediate stage?

2022-10-10 Thread James H. H. Lampert
Lately, we've been getting this response to a web service call. The web service is our own, running under Tomcat on an Amazon "beanstalk"; the client is also our own, running on a customer's IBM Midrange box. 504 Gateway Time-out 504 Gateway Time-out nginx/1.20.0 It's a long-

Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread James H. H. Lampert
On 8/10/22 6:50 AM, Brian Wolfe wrote: You can disable the protocols at the java level in the java.security file jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1 I think that's exactly what I did on "Customer Box #1" (and forgot to document having done). Bec

Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread James H. H. Lampert
On 8/10/22 8:52 AM, Jason Hall wrote: If you have another network device in front of your server - that could be what is trumping the app server's settings. I'd planned on investigating that as well. But it *looks* like the cert I'm seeing matches the cert in the keystore their Tomcat is usi

Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread James H. H. Lampert
Interesting. The new "protocols" parameter. Does this work with the traditional syntax? Can "protocols" and "sslProtocol" coexist in the same Connector? All our customer installations use JSSE security with a Java Keystore; I've never configured a successful IBM Midrange installation any othe

SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-09 Thread James H. H. Lampert
I think this may have come up before, but I don't recall how it was resolved. On customer box #1, I have: address="" maxThreads="400" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/tomcat/wttomcat.ks" keyAlias="" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SH

TCP timestamp vulnerability -- any insights on how this relates to Tomcat?

2022-08-05 Thread James H. H. Lampert
Today is the first time I heard of such a thing as a "TCP timestamp vulnerability." It seems a bit overblown to me, especially for a Tomcat server running on an AS/400. Can anybody share any insights about how this vulnerability relates to Tomcat?

Re: Help with deploying multiple .WAR files in Tomcat

2022-08-04 Thread James H. H. Lampert
Multiple WAR files work fine for us. But we don't simply "drop [the WAR files] in the webapps folder (and for the most part, that *doesn't* work for us, even with *only one* webapp). We always deploy through the Manager webapp (which we always customize to increase the allowable WAR file size

Re: Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
In response to my question about what could cause a system to disregard its own host table, On 4/15/22 11:31 AM, Jack Woehr (of the Midrange List) wrote: Which order the search happens, DNS or hosts table first, is an option in IBM i TCP configuration. CFGTCP option 12. Fascinating. I can't b

Re: Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
On 4/15/22 10:37 AM, Christopher Schultz (of the Tomcat Users' List) wrote: . . . Try specifying the "address" attribute of along with the port. Give it a concrete IP address instead of "localhost" and see if that improves things. . . . My Dear Mr. Schultz: That did it! Not knowing whether

Re: Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
On 4/15/22 10:37 AM, Christopher Schultz (on the Tomcat Users' List) wrote: . . . if "localhost" doesn't resolve to 127.0.0.1 on your system, you may get this error. Can you quickly check it's not a DNS resolution failure? THIS is interesting. If I look at the host table entries, I see ::1

Re: Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
On 4/15/22 9:54 AM, Jim Oberholtzer wrote: On a modern system if you're contemplating stopping/starting TCP you might just as well IPL. Seems like using a nuke when a 100# bomb might work though. Looking at the QSYSOPR messages, I see that the system was taken down to restricted condition at

Re: Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
On 4/15/22 9:39 AM, Jack Woehr wrote: Not sure about the particular pathology in this instance, but it's the Java runtime itself telling you something already has hold of the socket, and it's not lying. But it could be deluded into *thinking* something already has hold of the socket. WRKTCPS

Re: Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
On 4/15/22 9:24 AM, James H. H. Lampert wrote: This morning, I arrived at work to find that a customer was complaining about their Tomcat server (running on an IBM Midrange box). It had locked up last night, while being shut down, and now, if you try to start it, it fails . . . I tried

Tomcat 8.5.73 not coming up on customer box. "Bind failed."

2022-04-15 Thread James H. H. Lampert
y insights as to what could be happening? -- James H. H. Lampert Touchtone Corporation

Stuff in the "temp" directory within the Tomcat directory

2022-02-10 Thread James H. H. Lampert
I'm doing some cleanup on a customer box, removing a previous version of Tomcat 8.5 that I'd replaced some time ago, and I'm finding huge amounts of "stuff" in the "temp" directory within the Tomcat directory. Is that stuff Tomcat itself left behind, or stuff our webapp left behind, or both? A

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-13 Thread James H. H. Lampert
Thanks. I think I understand now. All except for one thing: I can *barely* wrap my mind around the idea of getting executable code from an RMI server, but what legitimate purpose could be served by allowing a *logger* to resolve executable code? -- JHHL (And I have a fair amount of experienc

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-13 Thread James H. H. Lampert
On 12/13/21 10:53 AM, Mark Thomas wrote: Log4j2 supports a log message format syntax that includes JNDI lookups. Log4j2 processes log messages repeatedly until it doesn't find any more format strings. This means the output of one format string can insert a new format string. . . . Thanks. It

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-13 Thread James H. H. Lampert
The thing I'm still utterly unclear about is how simply logging traffic could, by itself, create a vulnerability. In our case, the log entries are not even viewable unless you are signed on to a command line session on the server (ssh for headless Linux; a physical Twinax terminal, or a 5250 e

CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-10 Thread James H. H. Lampert
A customer brought this to my attention: https://www.randori.com/blog/cve-2021-44228/ I have no idea how (or if) Tomcat is affected. I have only the vaguest idea what this vulnerability even *is.* Can anybody here shed any light? -- JHHL

Re: Odd messages in catalina.out

2021-12-10 Thread James H. H. Lampert
On 12/10/21 8:38 AM, Mark Thomas wrote: . . . The messages are there to warn you that you might have a malicious actor trying a brute force attack on your server. Can anybody point me to a good tutorial for constructing a regular expression for RemoteAddrValve? allow="127\.\d+\.\d+\.\d+|::1
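Added example, not code from this thread or from Tomcat: a small Python helper that builds an `allow` value for RemoteAddrValve from a list of IPv4 networks on octet boundaries (plus both spellings of the IPv6 loopback address Java may report) and then checks candidate addresses the way the valve does. RemoteAddrValve tests the whole remote address with `java.util.regex` `Matcher.matches()`; `re.fullmatch` stands in for that here, and the pattern syntax used (`\.`, `\d{1,3}`, `|`) is the same in both engines. The network list and addresses are constructed for the demonstration.

```python
import re


def prefix_regex(cidr):
    """Regex alternative for an IPv4 network whose prefix length is a multiple
    of 8 (the only case that maps cleanly onto a per-octet pattern).
    A bare address is treated as /32."""
    net, _, bits = cidr.partition("/")
    bits = int(bits) if bits else 32
    if bits % 8 or not 0 <= bits <= 32:
        raise ValueError(f"{cidr}: prefix must be /0, /8, /16, /24 or /32")
    octets = net.split(".")
    if len(octets) != 4:
        raise ValueError(f"{cidr}: not a dotted quad")
    fixed = bits // 8
    # Fixed octets are escaped literally; the rest accept any 1-3 digits.
    parts = [re.escape(o) for o in octets[:fixed]] + [r"\d{1,3}"] * (4 - fixed)
    return r"\.".join(parts)


# Java can hand back the IPv6 loopback in either form depending on the stack.
IPV6_LOOPBACK = r"::1|0:0:0:0:0:0:0:1"


def build_allow(networks, ipv6_loopback=True):
    """Value for the valve's allow attribute: one alternative per network."""
    alts = [prefix_regex(n) for n in networks]
    if ipv6_loopback:
        alts.append(IPV6_LOOPBACK)
    return "|".join(alts)


def is_allowed(allow, addr):
    """RemoteAddrValve semantics: the entire address must match."""
    return re.fullmatch(allow, addr) is not None


def is_allowed_unanchored(allow, addr):
    """Contrast only: a search-style check accepts addresses that merely
    contain an allowed one somewhere inside."""
    return re.search(allow, addr) is not None


if __name__ == "__main__":
    # Constructed example: loopback, one office /24, one single host.
    allow = build_allow(["127.0.0.0/8", "10.20.30.0/24", "192.0.2.7/32"])
    print(f'allow="{allow}"')
    for addr in ["127.0.0.1", "10.20.30.200", "10.20.31.1", "::1", "1127.0.0.1"]:
        print(f"{addr:>14}  matches={is_allowed(allow, addr)}  "
              f"search={is_allowed_unanchored(allow, addr)}")
```

Two things worth checking before putting the result into server.xml or a Manager context.xml: the valve compares against what Tomcat believes the client address is, so behind a reverse proxy or load balancer that is the proxy's address unless a RemoteIpValve earlier in the pipeline rewrites it from X-Forwarded-For; and the pattern is anchored as a whole, so an alternative that is too loose in one octet (`\d{1,3}` instead of a literal) is the usual way a "restricted" Manager ends up reachable from more than intended.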

Odd messages in catalina.out

2021-12-10 Thread James H. H. Lampert
Could anybody here shed some light on this message? A whole bunch of them appeared in catalina.out. WARNING [https-jsse-nio-443-exec-29] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [user] -- JHHL

One other thing, Re: Updating Tomcat on an Amazon Linux 2 EC2 instance?

2021-12-08 Thread James H. H. Lampert
Also, based on what "yum check-update" returned, it appears that at the moment, I can only go as far as 8.5.72, rather than 8.5.73. Is there a way to go all the way to 8.5.73 without fundamentally changing how Tomcat is installed on that instance? -- JHHL

Re: Updating Tomcat on an Amazon Linux 2 EC2 instance?

2021-12-08 Thread James H. H. Lampert
On 12/8/21 9:46 AM, jonmcalexan...@wellsfargo.com.INVALID wrote: I think it's going to come down to how the 8.5.58 was installed. Was it via an rpm or zip file? I have used both methods and you should be able to install the 8.5.73 without affecting the 8.5.58. If you are using a separated CATALIN

Updating Tomcat on an Amazon Linux 2 EC2 instance?

2021-12-08 Thread James H. H. Lampert
We have a Tomcat server running on an Amazon Linux 2 EC2 instance. Off the top of my head, I don't remember how I originally installed it, but it's currently at 8.5.58. I'd like to update it to 8.5.73, but I don't quite know how to do this in Amazon Linux 2 (now if somebody asked about instal

Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-12-06 Thread James H. H. Lampert
On 10/14/21 7:12 AM, Mark Thomas wrote: The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could le

Question about serving a 404

2021-09-10 Thread James H. H. Lampert
Our Tomcat team has been struggling with this issue for a few days: If a request comes in for https://foo.com/bar.html, which doesn't exist, then a 404 is returned, and we see a standard Tomcat 404 page. But if a request comes in for https://foo.com/bar.jsp, which also doesn't exist, then our

200 response and redirect for ".../test.jsp"

2021-08-24 Thread James H. H. Lampert
I could have sworn I asked about this over a year ago, but I can't find any record of having done so. We've got a low-priority complaint about a security scan looking for "test.jsp" on one of our installations, expecting a 404 response, and instead getting a 200 response and a redirect to our

Getting some peculiar TLS results in Tomcat 7

2021-08-13 Thread James H. H. Lampert
While we've been systematically updating our customer boxes, a few of our customer boxes are still on Tomcat 7. I've got the following Connector tag set up in server.xml: compressableMimeType="text/html,text/xml,text/plain,text/css, text/javascript,text/json,application/x-javascript,

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-09 Thread James H. H. Lampert
On 8/9/21 11:33 AM, Mark Thomas wrote: The fix will be in the September releases. Thanks. -- JHHL

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-09 Thread James H. H. Lampert
On 8/9/21 10:24 AM, Mark Thomas wrote: Future versions of Tomcat won't see this issue but if the customer is prepared to update Tomcat to fix this issue then they might as well just update Java (assuming that is indeed sufficient to fix this). Given that they currently seem to be happy as clam

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-09 Thread James H. H. Lampert
On 8/6/21 9:17 AM, Konstantin Kolinko wrote: Try to find what *.jar file in your system contains the above classes. E.g. searching for string "crimson" in *.jar files. That string will be visible in the archive file as it is a name of a directory. I've learned that QShell (a *nix-like shell t

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-06 Thread James H. H. Lampert
Searching JAR files for "crimson" would likely be an exercise in futility on an AS/400. -- JHHL

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-06 Thread James H. H. Lampert
On 8/6/21 1:40 AM, Mark Thomas wrote: Tomcat 7 doesn't have JASPIC support so you'll never see this issue in Tomcat 7. What's a JASPIC? And as to configuration, Mr. Schultz, my usual procedure is to (after commenting out the default 8080 unsecured connector) copy and paste the active secure

More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-05 Thread James H. H. Lampert
I finally had a chance to switch the customer back to the failing Tomcat 8.5.68, and this is what the browser error page shows (with a 500 error): Type Exception Report Message AuthConfigFactory error: java.lang.reflect.InvocationTargetException Description The server encountered an unexpecte

Re: Tomcat 8.5.68 failing on takeoff!

2021-08-03 Thread James H. H. Lampert
Messrs. Kolinko and Schultz said: 2. The stack trace starts with "Bootstrap.main". I.e. it is the thread that starts Tomcat. I.e. this occurs when Tomcat starts up and has nothing to do with your attempt to access the Manager web application. 3. The stack trace contains "org.apache.crimson".
