HttpSessions timeout too early

2000-09-18 Thread Mattias Arbin

Hi.
I (still) have problems with HttpSessions that timeout too early in a secure
web-site.
We have a registration servlet that works in two stages:
1. Verify a one-time-password needed to enable registration.
   If correct, put an object into the session by using
setAttribute("myObject",new MyObject()).
   Generate a form for registration. The form will be posted to myself.
2. Handle the post from the form, but only if there is an object stored in
the HttpSession , i.e. call getAttribute("myObject").

The problem is that when the users are done with the registration form, and
click the submit button, they have been timed out and have to start all
over again (and be quicker this time...)
This is very frustrating and makes it impossible to take the server into
production.

The premature timeouts seem to appear only with IE 5 or older. IE 5.5 and
Netscape seem to work.

I have set the shared="true" in my web-site.xml file (attached).

I have read some postings regarding this problem and tried the recommended
fixes without success.

Could someone please verify if this is a known bug and if so, when we could
expect a fix.
/Regards,
Mattias Arbin

HttpSession session = req.getSession(true);
session.setAttribute("sessionInfo",new SessionInfo(oneTimePwd));


<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site"
"http://www.orionserver.com/dtds/web-site.dtd">

<web-site host="[ALL]" secure="true" port="443"
  display-name="xxx" log-request-info="true">

<!-- The default web-app for this site, bound to the root -->
   <ssl-config keystore="/usr/local/orion/ssl/keystore"
   keystore-password="xx"
   needs-client-auth="false" />
   <default-web-app load-on-startup="true" application="knut"
   name="knut-web" shared="true" />
   <access-log path="/var/log/orion/support-web-access.log"
   format="$host - $user [$time] &quot;$request&quot; $status $size &quot;$referer&quot; &quot;$agent&quot;"
   split="week" suffix="ddMMyy"/>
</web-site>





Sessions (still) timeouts too early

2000-09-13 Thread Mattias Arbin

Hi,
I have read some postings about http sessions that timeout too early and I
seem to have the same problem.
I have two web-sites, one with SSL and one without.
The first time one enters the SSL site, the timeout time seems to be about a
minute or less, even if I have set
<session-config>
<session-timeout>60</session-timeout>
</session-config>
in my web.xml and
<default-web-app load-on-startup="true" application="knut" name="knut-web"
shared="true" />
in my xxx-web-site.xml

It seems like the premature timeout only occurs after the first time I call
the servlet that creates the session, i.e
...
HttpSession session = req.getSession(true);
session.setAttribute("myBean",new MyBean());
...

If I call the servlet one more time within one minute, then after that, the
session does not timeout too early.

/Mattias Arbin, C-takt AB






Re: Sessions (still) timeouts too early

2000-09-13 Thread Mattias Arbin

> It seems like the premature timeout only occurs after the first time I call
> the servlet that creates the session, i.e
> ...
> HttpSession session = req.getSession(true);
> session.setAttribute("myBean",new MyBean());
> ...
>
> If I call the servlet one more time within one minute, then after that, the
> session does not timeout too early.

I just noticed that the above is not true. The sessions sporadically timeout
too soon even after a few requests.





Strange getAttribute behavior

2000-09-12 Thread Mattias Arbin

Hi.
I have noticed strange behavior when storing objects in the HttpSession.
The code fragment below (from a servlet) sometimes prints out:

This should never happen: class knut.servlet.SessionInfo

How is this possible?

/Regards
Mattias Arbin

HttpSession session = req.getSession(true);
// ...
knut.servlet.SessionInfo info = null;
Object o = session.getAttribute("sessionInfo");
if (o != null && (o instanceof knut.servlet.SessionInfo)) {
    info = (knut.servlet.SessionInfo) o;
    System.err.println("Got sessionInfo: " + info.getUserId());
} else {
    System.err.println("No sessionInfo");
    if (o != null) {
        // This should never happen, but it obviously does. Is this a bug in Orion?
        System.err.println("This should never happen: " + o.getClass().toString());
    }
}






Re: Help - SSL Usage in Production - is it really possbile?

2000-08-21 Thread Mattias Arbin

I have Orion running with a "real" 40-bit cert from Thawte.
I guess it does not matter which web-server you say you have. Probably it is
for statistics. (I chose Java Webserver).
You will be able to choose from a number of different formats when you
download the cert.
Here I chose "PKCS #7 Certificate Chain". Make sure that you save it in a
file that ends with a new line before importing it to the keystore.
Good luck.
/Mattias

- Original Message -
From: "Mike Fontenot" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 18, 2000 10:50 PM
Subject: Help - SSL Usage in Production - is it really possbile?


> orion users,
>
> I've been using the test certificate from Thawte, as both the orion docs.
> and the OrionSupport suggested. That has been working fine. However, I am
> now ready to move to production with our e-commerce system and I have run
> into some major snags that leads me to think NO one is using Orion in a
> production SSL environment.
>
> After going through the Thawte process for getting a server cert, the 'pick
> your web server' does not list Orion. After talking with Thawte support they
> suggested picking 'Apache SSL' as a choice. Ok, that seems fine to me.
> However, they also said I would need to pick the certificate type: x509v3.
>
> Since I've been using the 'SSL Chained CA Cert' for development, I wanted to
> try this out with a development cert to be sure it would work. I tried this
> using a X509v3 development cert but it will not work. Again, after getting
> back in touch with Thawte support regarding X509v3 not working, I said I
> will need to just use the 'SSL Chained CA Cert'.  They then informed me that
> they no longer sell this type of certificate, and that I must go to Verisign
> to obtain this type of certificate. Well, my first question to Thawte was
> 'If you don't sell this type of certificate, why is it available on your
> developers cert pages?' Answer from Thawte: 'Yeah, I've been meaning to talk
> to our developers to take that off the website.'.
>
> Guess how much hair I've lost so far!?  Now I am in the 'process' of getting
> a certificate from Verisign. Of course they do not have 'Orion Server'
> listed in their pick list of valid webservers. Since I just started this
> process today I really don't know if they can/cannot support the type of SSL
> certificate I will need to work with Orion.
>
> I'll be the first to admit I'm not real familiar with the Java 1.3 keytool,
> and different certificate meanings. But, if anyone has really obtained a
> valid production level SSL certificate, from any Certificate Authority, and
> successfully integrated this with Orion, please let me/us know how this was
> accomplished. The only docs I've seen are related to development certs, and
> as I stated earlier, I've got this working fine. I now need to graduate to
> real e-commerce transactions. Please don't make me go back to Apache/JRun, I
> feel Orion is so much better but this is a real show-stopper. I have looked
> through the orion mail archives and it seems all discussions are related to
> trying to get the developer certs to work, not production certs.
>
> Thanks in advance,
> Mike
>
> Mike Fontenot - Object Systems Architect
> BrandMatrix, Ltd.
> Golden, Colorado






Re: Error starting HTTP-Server: Permission denied

2000-07-31 Thread Mattias Arbin




> Mattias Arbin wrote:
>
> > I am trying to setup a linux user (Red Hat 6.2) to run orion.
> > When starting Orion I get the error:
> >
> > Error starting HTTP-Server: Permission denied
> > Orion/1.1.37 initialized
> >
> > Nothing in the logs.
> >
> > Any ideas?
> >
> > /Mattias
>
> Hi Mattias,
>
> Normally, that happens when you're trying to launch orion without root
> privileges. Ports below 1024 are reserved and can only be bound by
> root-owned programs.
> There are several solutions, but the easiest is to choose:
>
> 1 - You want Orion to listen to port 80 (the standard http port) and so
> you must launch it on a root prompt
> 2 - You don't mind if Orion does not listen to other port (say, for
> instance, 8080), but you want to launch it from an ordinary user
> account. In this case, you must edit the
> orion_path/config/default-web-site.xml
> and on the <web-site ...> tag, change the port from port="80" to
> port="8080".
>
> In theory either one of these solutions, will make the permission denied
> error go away
>
> Best Regards,
>
> Fábio

Thanks. That explains the error.
However, my problem was not that I couldn't start Orion. I have run it as
root until now.
I just thought that it might be good, for security reasons, to create a user
with less privileges than root, to run Orion.

/Thanks,
Mattias






Internal server error, but no logs

2000-07-27 Thread Mattias Arbin

Sometimes when getting errors in JSPs, I get HTTP 500 error code, but I
cannot find anything in the logs.
Is this a bug? Shouldn't there be anything in the server.log file?
/Thanks,
Mattias Arbin






Re: Internal server error, but no logs

2000-07-27 Thread Mattias Arbin

One more thing.
I don't even see any exception stack trace in the console window.
/Mattias
- Original Message -
From: "Mattias Arbin" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Sent: Thursday, July 27, 2000 9:25 PM
Subject: Internal server error, but no logs


> Sometimes when getting errors in JSPs, I get HTTP 500 error code, but I
> cannot find anything in the logs.
> Is this a bug? Shouldn't there be anything in the server.log file?
> /Thanks,
> Mattias Arbin







SSL initialization time

2000-07-26 Thread Mattias Arbin

The initialization of an SSL session is pretty slow, at least when using the
default SSL provider. On my machine it sometimes takes seconds. Would it be
possible to fix this? (I have read about doing tricks with the random seed
generation) If so, are there any plans to do so?
/Mattias





Re: Certificate from Thawte? How?

2000-07-25 Thread Mattias Arbin



I have.
The only problem I had was when importing the certificate response. Keytool
seems to be very sensitive to white characters at the end of the certificate
files.
It wouldn't import my certificate response until I added a return at the end
of the file. But that, of course, has nothing to do with Thawte.
I sent an email to Thawte about Orion not being on the list, but I haven't
got any answer. So I selected Java WebServer. (I guess they will be surprised
that someone still uses that one...). I am pretty sure that it doesn't really
matter which one you select. I guess it is for statistics. When you fetch
your certificate you can choose from a number of types and formats. I chose
PKCS#7 Certificate Chain.
Good luck.
/Mattias

- Original Message -
From: Steven Punte
To: Orion-Interest
Sent: Monday, July 24, 2000 11:38 PM
Subject: Certificate from Thawte? How?

> Has anyone walked through the process of getting a real
> certificate from Thawte?
>
> Any advice?
>
> In particular, Thawte asks what type of web server one is running, but
> Orion is not listed. What have people been selecting?
>
> Thanks in Advance:
>
> Steve Punte
> e-Business Software Architect
> Technologent Inc
> [EMAIL PROTECTED]


Re: Importing a cert from Thawte

2000-07-24 Thread Mattias Arbin

I just solved my problem. Keytool seems to be very sensitive to white
characters in the end of the certificate files. I _added_ a trailing return
in my file and now it works. (Somewhere on Thawte's site I read that you
should _remove_ all blanks ...)
A tip to people with the same problems as I had: Try adding/deleting
trailing blanks/returns in your certificate reply file.

/Mattias Arbin
- Original Message -
From: "Mattias Arbin" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, July 21, 2000 5:58 PM
Subject: Importing a cert from Thawte


> I have now got a valid certificate from Thawte, (i.e a real one, not a test
> cert). I am now trying to import it into my keystore without success.
>
> I generated my certificate request like this:
> keytool -genkey -keyalg "RSA" -alias myalias -keystore keystore -dname
> "cn=www.[mydomain].com, ou=[MyCompany], o=[My Company], c=SE, S=[Mystate],
> l=[mycity]"  -validity 360
>
> keytool -certreq -keyalg "RSA" -alias myalias -file
> www.[mycompany].com.csr -keystore keystore
>
> The only thing that differs from the Orion docs is that I use an alias
> 'myalias' instead of the default 'mykey'.
>
> When getting my certificate from Thawte I could choose from a number of
> formats. The two that seem to fit are
> 'Standard Certificate Format' (BASE64 encoded, DER encoded X.509v3 cert.)
> 'PKCS #7 Certificate Chain' ("Newer servers and development toolkits support
> "certificate chains". This format allows Thawte to deliver a full
> certificate chain to you, which in turn makes for superior key management
> and flexibility.")
>
> When trying to import either one of the above I get:
>
> keytool -import -keystore keystore -file mythawtecert.cer  -keyalg
> "RSA" -alias myalias -trustcacerts
> Enter keystore password:  mypassword
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> After reading the docs on keytool, I am still not completely sure if to use
> "-alias myalias" so I tried that too:
> keytool -import -keystore keystore -file mythawtecert.cer  -keyalg
> "RSA" -trustcacerts
> Enter keystore password:  mypassword
> keytool error: java.security.cert.CertificateException: Unsupported encoding
>
> Does anybody have any idea what is going wrong here?
> Thanks,
> Mattias Arbin
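
A pre-import check for the certificate reply file discussed in this thread, added here as an example (it is not code from the thread or from Orion). It reports the whitespace and line-ending problems the posts mention and rewrites the file in canonical PEM form with a single trailing newline; the function names, issue names and the sample bytes are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def inspect_reply(data: bytes) -> list:
    """Return the list of formatting issues found in a certificate reply."""
    issues = []
    if data.startswith(b"\xef\xbb\xbf"):
        issues.append("utf8-bom")
    if b"\r" in data:
        issues.append("cr-line-endings")
    if not data.endswith(b"\n"):
        issues.append("no-final-newline")          # the case hit in the thread
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if any(line != line.rstrip() for line in lines):
        issues.append("trailing-blanks")
    first = PEM_BLOCK.search(data)
    if first is None:
        issues.append("no-pem-block")              # e.g. a binary DER download
        return issues
    if data[:first.start()].strip(b"\xef\xbb\xbf \t\r\n"):
        issues.append("text-before-begin")         # pasted e-mail or HTML text
    for _label, body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            issues.append("bad-base64")
            continue
        if not der.startswith(b"\x30"):            # DER SEQUENCE tag
            issues.append("not-der-sequence")
    return issues


def normalize_reply(data: bytes) -> bytes:
    """Rewrite every PEM block with LF endings, 64-column base64 and one
    trailing newline. The label (CERTIFICATE, PKCS7, ...) is kept as found."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        raise ValueError("no PEM block found")
    out = []
    for label, body in blocks:
        der = base64.b64decode(b"".join(body.split()), validate=True)
        b64 = base64.b64encode(der)
        out.append(b"-----BEGIN " + label + b"-----")
        out.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(b"-----END " + label + b"-----")
    return b"\n".join(out) + b"\n"


# Constructed sample: NOT a real certificate, only bytes that start with the
# DER SEQUENCE tag, saved the way a browser copy/paste on Windows might save it.
_DER = b"\x30\x82\x01\x0a" + bytes(range(200))
_B64 = base64.b64encode(_DER)
MESSY_REPLY = (b"-----BEGIN CERTIFICATE-----\r\n" + _B64[:64] + b"  \r\n"
               + _B64[64:] + b"\r\n-----END CERTIFICATE-----")

if __name__ == "__main__":
    print("before:", inspect_reply(MESSY_REPLY))
    print("after: ", inspect_reply(normalize_reply(MESSY_REPLY)))
```
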






Importing a cert from Thawte

2000-07-21 Thread Mattias Arbin

I have now got a valid certificate from Thawte, (i.e a real one, not a test
cert). I am now trying to import it into my keystore without success.

I generated my certificate request like this:
keytool -genkey -keyalg "RSA" -alias myalias -keystore keystore -dname
"cn=www.[mydomain].com, ou=[MyCompany], o=[My Company], c=SE, S=[Mystate],
l=[mycity]"  -validity 360

keytool -certreq -keyalg "RSA" -alias myalias -file
www.[mycompany].com.csr -keystore keystore

The only thing that differs from the Orion docs is that I use an alias
'myalias' instead of the default 'mykey'.

When getting my certificate from Thawte I could choose from a number of
formats. The two that seem to fit are
'Standard Certificate Format' (BASE64 encoded, DER encoded X.509v3 cert.)
'PKCS #7 Certificate Chain' ("Newer servers and development toolkits support
"certificate chains". This format allows Thawte to deliver a full
certificate chain to you, which in turn makes for superior key management
and flexibility.")

When trying to import either one of the above I get:

keytool -import -keystore keystore -file mythawtecert.cer  -keyalg
"RSA" -alias myalias -trustcacerts
Enter keystore password:  mypassword
keytool error: java.lang.Exception: Input not an X.509 certificate

After reading the docs on keytool, I am still not completely sure if to use
"-alias myalias" so I tried that too:
keytool -import -keystore keystore -file mythawtecert.cer  -keyalg
"RSA" -trustcacerts
Enter keystore password:  mypassword
keytool error: java.security.cert.CertificateException: Unsupported encoding

Does anybody have any idea what is going wrong here?
Thanks,
Mattias Arbin





SSL-Certificates

2000-07-11 Thread Mattias Arbin

I have now got SSL working with a testcert from Thawte. However, after
reading about "SSL Chained CA Certs" it doesn't seem to be the kind of
certificate I want for a single server. Has anybody bought a "real" SSL cert
and got it to work with the default SSL setup on Orion (JSSE and keystore)?
If so, what is the price for a single server cert?
On most CA sites, they keep a list of servers they support and how to
install certs. It would be nice if the Orion team could provide a list of
SSL certs that work with Orion.
Thanks,
Mattias Arbin







Re: SSL-problems (was SSL-100% CPU)

2000-07-05 Thread Mattias Arbin

I noticed that there is a 1.1.9 version. Tried that.
Now I get another message:
E:\java\orion>java -jar orion.jar
Error listening to SSLServerSocket: No available certificate corresponds to
the
SSL cipher suites which are enabled.
Orion/1.1.9 initialized
Seems like the new release changed something.
It would be really great to have a comment from the Orion team about this.
I also have a question:
How does Orion know which of the certificates in the keystore to use? It
seems like it gets confused if you have more than one entry in the keystore.
/Mattias

- Original Message -
From: "Mattias Arbin" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Sent: Tuesday, July 04, 2000 10:14 AM
Subject: SSL-problems (was SSL-100% CPU)


> I have tried to dig deeper into the SSL problem, while it is a major
> showstopper right now and a problem that has to be solved before I can use
> Orion in my project.
>
> I have made two bat files for the certificate generation to be able to play
> around a little faster:
>
> step1.bat:
> keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname
> "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass
> 654321 -validity 360
>
> keytool -certreq -keyalg "RSA" -alias testalias -file
> localhost.csr -storepass 123456 -keypass 654321 -keystore mykeystore
>
> rem Go to thawte and copy the contents of localhost.csr.
> start https://www.thawte.com/cgi/server/test.exe
>
>
> step2.bat
> rem Before running this, save the output from Thawte into localhost.cer
> keytool  -import -trustcacerts -file localhost.cer -keystore
> mykeystore -storepass 123456 -keypass 654321
>
> Output when running the scripts:
> E:\test>java -version
> java version "1.3.0"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
> Java HotSpot(TM) Server VM (build 2.0fcs-E, mixed mode)
>
> E:\test>step1
>
> E:\test>keytool -genkey -keyalg "RSA" -alias testalias -keystore
> mykeystore -dna
> me "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass
> 6543
> 21 -validity 360
>
> E:\test>keytool -certreq -keyalg "RSA" -alias testalias -file
> localhost.csr -sto
> repass 123456 -keypass 654321 -keystore mykeystore
>
> E:\test>start https://www.thawte.com/cgi/server/test.exe
> E:\test>step2
>
> E:\test>keytool  -import -trustcacerts -file localhost.cer -keystore
> mykeystore
> -storepass 123456 -keypass 654321
> Owner: CN=My Name, OU=MyCompany, O=MyCompany, C=SE
> Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification,
> ST=FO
> R TESTING PURPOSES ONLY, C=ZA
> Serial number: 488d5a
> Valid from: Tue Jul 04 09:55:28 GMT+02:00 2000 until: Fri Aug 04 09:55:28
> GMT+02
> :00 2000
> Certificate fingerprints:
>  MD5:  AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
>  SHA1: D1:98:C0:C7:DA:D5:DB:D5:D1:E3:C6:A1:39:A0:59:34:0A:8F:DC:99
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
> E:\test>keystore -list -keystore mykeystore
> 'keystore' is not recognized as an internal or external command,
> operable program or batch file.
>
> E:\test>keytool -list -keystore mykeystore
> Enter keystore password:  123456
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries:
>
> mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
> Certificate fingerprint (MD5):
> AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
> testalias, Tue Jul 04 09:51:48 GMT+02:00 2000, keyEntry,
> Certificate fingerprint (MD5):
> BE:ED:A9:00:04:5D:A6:F4:9A:92:40:25:0C:AB:9C:EC
>
> OK. Now I start Orion (I have tried it with 1.0, 1.1.4, 1.1.8 with the same
> result):
> E:\java\orion>java -jar orion.jar
> Error starting HttpServer: Unable to intialize SSLServerSocketFactory
> 'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error:
> Cannot recover key
>
> Now to something interesting: I delete the key with the alias 'testalias':
> E:\test>keytool -delete -alias testalias -keystore mykeystore
> Enter keystore password:  123456
>
> E:\test>keytool -list -keystore mykeystore
> Enter keystore password:  123456
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entry:
>
> mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
> Certificate fingerprint (MD5):
> AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
>
> Now I start Orion again:
> E:\java\orion>java -jar orion.jar
> Orion/1.1.8 initialized
>
> Orion initializes, but takes about 100% CPU and accessing
> https://localhost:443 fails.
>
> Does anybody have a clue?
> /Thanks,
>  Mattias Arbin, Ctakt AB
>
>
> My secure-web-site.xml:
> <?xml version="1.0"?>
> <!DOCTYPE web-site PUBLIC "Orion Web-site"
> "http://www.orionserver.com/dtds/web-site.dtd">
>
> <web-site host="[ALL]" secure="true" port="443" display-name="Default Orion WebSite">
>  <!-- The default web-app for this site, bound to the root -->
>  <ssl-config keystore="../../../test/mykeystore" keystore-password="12

Re: SSL - 100% CPU

2000-07-05 Thread Mattias Arbin

Hi,
I now use 1.1.9 and get:
E:\java\orion>java -jar orion.jar
Error listening to SSLServerSocket: No available certificate corresponds to
the
SSL cipher suites which are enabled.
Orion/1.1.9 initialized

What could be bad with my certificate? I have done exactly what is told in
the documentation. (See my previous post)
How do I know which "SSL cipher suites" that "are enabled"?
How does Orion know which certificate in the keystore to use? When I have
several entries in the keystore, I get:
Error starting HttpServer: Unable to intialize SSLServerSocketFactory
'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error:
Cannot recover key
I feel pretty frustrated. SSL is a must in my case and right now these
problems makes it impossible to use Orion in our project. Too bad, because
Orion seems very nice.

Could somebody that has a working SSL configuration confirm that it is
possible to make it work.

/Thanks,
Mattias

- Original Message -
From: "Karl Avedal" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Cc: "Orion-Interest" [EMAIL PROTECTED]; "Orion Bugs"
[EMAIL PROTECTED]
Sent: Wednesday, July 05, 2000 11:16 AM
Subject: Re: SSL - 100% CPU


> Hello,
>
> Yes, we have found a bug related to the 100 % CPU thing. It seems that when
> a bad certificate was used, IOException's get thrown in the ServerSocket
> accept() call immediately, which is not the usual behaviour of a
> ServerSocket. We are now taking care of that problem in a nicer way, and
> hopefully you should not get that behaviour in 1.1.9 which is available.
>
> If you do, please let us know.
>
> Regards,
> Karl Avedal
>
> Klaus Thiele wrote:
>
> > Hi Mattias,
> >
> > > Have you found any solution to the SSL problem? I have tried for days now
> > > without success.
> >
> > me too :(
> > i've read your posting and i tried your steps without success.
> >
> > > step1.bat:keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname
> > > "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass
> > > 654321 -validity 360
> >
> > how did you do that?
> > my keytool does not accept these parameters. i have to remove -alias,
> > -storepass, -keypass and -validity from the commandline and then it works!?!
> >
> > step2.bat: i got following error
> > > keytool error: java.lang.Exception: Failed to establish chain from reply
> > after removing the initial keystore the import works!?!
> >
> > > Output when running the scripts:
> > same as yours.
> >
> > ==> https://my_ip_addr
> > ==> SSL - 100% CPU :((
> >
> > i tried with WinNT and Linux, jdk 1.2.2, 1.3 and IBM-jdk1.3
> > all the same result.
> >
> > perhaps anyone from the orion-team looks for this bug(?)
> > this is one of the last "knock-out" points which must be cleared
> > before we will purchase orion.
> >
> > bye
> > klaus
> >
> > --
> > Klaus Thiele - Personal  Informatik AG
> > mailto:[EMAIL PROTECTED]
> >
> >  "There's got to be more to life than compile-and-go."






SSL-problems (was SSL-100% CPU)

2000-07-04 Thread Mattias Arbin

I have tried to dig deeper into the SSL problem, while it is a major
showstopper right now and a problem that has to be solved before I can use
Orion in my project.

I have made two bat files for the certificate generation to be able to play
around a little faster:

step1.bat:
keytool -genkey -keyalg "RSA" -alias testalias -keystore mykeystore -dname
"cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass
654321 -validity 360

keytool -certreq -keyalg "RSA" -alias testalias -file
localhost.csr -storepass 123456 -keypass 654321 -keystore mykeystore

rem Go to thawte and copy the contents of localhost.csr.
start https://www.thawte.com/cgi/server/test.exe


step2.bat
rem Before running this, save the output from Thawte into localhost.cer
keytool  -import -trustcacerts -file localhost.cer -keystore
mykeystore -storepass 123456 -keypass 654321

Output when running the scripts:
E:\test>java -version
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Server VM (build 2.0fcs-E, mixed mode)

E:\test>step1

E:\test>keytool -genkey -keyalg "RSA" -alias testalias -keystore
mykeystore -dna
me "cn=My Name, ou=MyCompany, o=MyCompany, c=SE" -storepass 123456 -keypass
6543
21 -validity 360

E:\test>keytool -certreq -keyalg "RSA" -alias testalias -file
localhost.csr -sto
repass 123456 -keypass 654321 -keystore mykeystore

E:\test>start https://www.thawte.com/cgi/server/test.exe
E:\test>step2

E:\test>keytool  -import -trustcacerts -file localhost.cer -keystore
mykeystore
-storepass 123456 -keypass 654321
Owner: CN=My Name, OU=MyCompany, O=MyCompany, C=SE
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification,
ST=FO
R TESTING PURPOSES ONLY, C=ZA
Serial number: 488d5a
Valid from: Tue Jul 04 09:55:28 GMT+02:00 2000 until: Fri Aug 04 09:55:28
GMT+02
:00 2000
Certificate fingerprints:
 MD5:  AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
 SHA1: D1:98:C0:C7:DA:D5:DB:D5:D1:E3:C6:A1:39:A0:59:34:0A:8F:DC:99
Trust this certificate? [no]:  yes
Certificate was added to keystore
E:\test>keystore -list -keystore mykeystore
'keystore' is not recognized as an internal or external command,
operable program or batch file.

E:\test>keytool -list -keystore mykeystore
Enter keystore password:  123456

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
Certificate fingerprint (MD5):
AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
testalias, Tue Jul 04 09:51:48 GMT+02:00 2000, keyEntry,
Certificate fingerprint (MD5):
BE:ED:A9:00:04:5D:A6:F4:9A:92:40:25:0C:AB:9C:EC

OK. Now I start Orion (I have tried it with 1.0, 1.1.4, 1.1.8 with the same
result):
E:\java\orion>java -jar orion.jar
Error starting HttpServer: Unable to intialize SSLServerSocketFactory
'com.evermind.ssl.JSSESSLServerSocketFactory': Unrecoverable key error:
Cannot recover key

Now to something interesting: I delete the key with the alias 'testalias':
E:\test>keytool -delete -alias testalias -keystore mykeystore
Enter keystore password:  123456

E:\test>keytool -list -keystore mykeystore
Enter keystore password:  123456

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
Certificate fingerprint (MD5):
AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87

Now I start Orion again:
E:\java\orion>java -jar orion.jar
Orion/1.1.8 initialized

Orion initializes, but takes about 100% CPU and accessing
https://localhost:443 fails.

Does anybody have a clue?
/Thanks,
 Mattias Arbin, Ctakt AB


My secure-web-site.xml:
<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site"
"http://www.orionserver.com/dtds/web-site.dtd">

<web-site host="[ALL]" secure="true" port="443" display-name="Default Orion WebSite">
 <!-- The default web-app for this site, bound to the root -->
 <ssl-config keystore="../../../test/mykeystore" keystore-password="123456" />
 <default-web-app application="default" name="defaultWebApp" />

 <!-- Uncomment this to activate the news app -->
 <!-- <web-app application="news" name="news-web" root="/news" /> -->
 <!-- Access Log, where requests are logged to -->
 <access-log path="../log/default-web-access.log" />
</web-site>

My server.xml:
<?xml version="1.0"?>
<!DOCTYPE application-server PUBLIC "Orion Application Server Config"
"http://www.orionserver.com/dtds/application-server.dtd">

<application-server
 application-directory="../applications"
 deployment-directory="../application-deployments">
 <rmi-config path="./rmi.xml" />
 <!-- JMS-server config link, uncomment to activate the JMS service -->
 <!-- <jms-config path="./jms.xml" /> -->
 <principals path="
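
The two `keytool -list` outputs in the post above already show what is in the keystore at each step. The following added example (not code from the thread or from Orion) parses such a listing and flags the conditions visible in it; the finding names are hypothetical, the rules reflect general keytool/JSSE behaviour, and the link between each finding and the Orion error messages quoted in the thread is an assumption that nobody in the thread confirms.

```python
import re
from dataclasses import dataclass

# `keytool -list` output copied from the post: before and after the delete.
LISTING_BEFORE = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
Certificate fingerprint (MD5):
AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
testalias, Tue Jul 04 09:51:48 GMT+02:00 2000, keyEntry,
Certificate fingerprint (MD5):
BE:ED:A9:00:04:5D:A6:F4:9A:92:40:25:0C:AB:9C:EC
"""
LISTING_AFTER = """\
Your keystore contains 1 entry:

mykey, Tue Jul 04 09:53:14 GMT+02:00 2000, trustedCertEntry,
Certificate fingerprint (MD5):
AE:C8:43:16:A5:FC:15:70:6A:A6:2D:D8:7F:8F:8C:87
"""

ENTRY = re.compile(r"^(?P<alias>[^,]+), .+, "
                   r"(?P<kind>keyEntry|PrivateKeyEntry|trustedCertEntry),?$")
FPRINT = re.compile(r"(?:[0-9A-F]{2}:){15,}[0-9A-F]{2}")

# Hypothetical finding names, each with the reasoning behind it.
EXPLAIN = {
    "no-key-entry": "only trusted certificates are present; without a private "
                    "key the server has nothing to present in the handshake",
    "reply-under-default-alias": "a trusted cert sits under keytool's default "
                                 "alias 'mykey' next to a key entry, so the CA "
                                 "reply was probably imported without -alias "
                                 "and never attached to the key",
    "key-password-differs": "the key password differs from the store password, "
                            "but the ssl-config shown in the thread carries "
                            "only one password",
}


@dataclass
class Entry:
    alias: str
    kind: str
    fingerprint: str = ""


def parse_listing(text):
    """Turn `keytool -list` text into Entry objects (alias, kind, MD5)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append(Entry(m["alias"], m["kind"]))
            continue
        fp = FPRINT.search(line)
        if fp and entries and not entries[-1].fingerprint:
            entries[-1].fingerprint = fp.group(0)
    return entries


def diagnose(entries, store_pass=None, key_pass=None):
    """Return finding names for a parsed listing, in a fixed order."""
    keys = [e for e in entries if e.kind != "trustedCertEntry"]
    trusted = [e for e in entries if e.kind == "trustedCertEntry"]
    findings = []
    if not keys:
        findings.append("no-key-entry")
    if keys and any(t.alias == "mykey" for t in trusted):
        findings.append("reply-under-default-alias")
    if keys and key_pass is not None and key_pass != store_pass:
        findings.append("key-password-differs")
    return findings


if __name__ == "__main__":
    # 123456 / 654321 are the -storepass / -keypass values from step1.bat.
    for name, text in (("before delete", LISTING_BEFORE),
                       ("after delete", LISTING_AFTER)):
        print(name)
        for f in diagnose(parse_listing(text), "123456", "654321"):
            print("  %s: %s" % (f, EXPLAIN[f]))
```
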

Re: SSL - 100% CPU

2000-06-30 Thread Mattias Arbin

> I had the same pb when initializing, very very long and 100%CPU
> and this was due to the random generator!!!
>
> to solve this pb, I just provided a seed for the random generator
> I don't know if this will help but it helps me a lot ;-)

Sorry, but how do you do that?

/Mattias 






SSL - 100% CPU

2000-06-29 Thread Mattias Arbin

At last my generation of the server certificate worked.
Unfortunately, when I start Orion with SSL turned on, the java process takes
all the CPU time.
Seems like Orion gets stuck in an endless loop.
I have tried this on both Orion 1.0 and 1.1.4
I followed the instruction for setting up a secure site in the
documentation.
Has anybody experienced something similar?
/Mattias Arbin

Here is my server.xml:
<?xml version="1.0"?>
<!DOCTYPE application-server PUBLIC "Orion Application Server Config"
"http://www.orionserver.com/dtds/application-server.dtd">

<application-server
 application-directory="../applications"
 deployment-directory="../application-deployments">
 <rmi-config path="./rmi.xml" />
 <!-- JMS-server config link, uncomment to activate the JMS service -->
 <!-- <jms-config path="./jms.xml" /> -->
 <principals path="./principals.xml" />
 <log>
  <file path="../log/server.log" />
 </log>

 <global-application name="default" path="application.xml" />

 <global-web-app-config path="global-web-application.xml" />
 <!-- I have tried with or without the comment below -->
 <!-- <web-site path="./default-web-site.xml" /> -->
 <web-site path="./secure-web-site.xml" />

 <!-- Compiler, activate this to specify an alternative compiler such
  as jikes for EJB/JSP compiling. -->
 <!-- <compiler executable="jikes" classpath="/myjdkdir/jre/lib/rt.jar" /> -->
</application-server>


..and here is the secure-web-site.xml
<?xml version="1.0"?>
<!DOCTYPE web-site PUBLIC "Orion Web-site"
"http://www.orionserver.com/dtds/web-site.dtd">

<web-site host="[ALL]" secure="true" port="81" display-name="Default Orion WebSite">
 <!-- The default web-app for this site, bound to the root -->
 <ssl-config keystore="../../../test/mykeystore" keystore-password="123456" />
 <default-web-app application="default" name="defaultWebApp" />

 <!-- Uncomment this to activate the news app -->
 <!-- <web-app application="news" name="news-web" root="/news" /> -->
 <!-- Access Log, where requests are logged to -->
 <access-log path="../log/default-web-access.log" />
</web-site>