Re: A question about mod_jk 1.2.28 configuration
> Rainer is asking you a question, here. If you can work with him, I'm sure he'll be able to diagnose and possibly solve your problem.

Sorry for my misunderstanding Rainer's question. I can surely work with him. Just tell me how and in which way. I will try my best.

-- View this message in context: http://old.nabble.com/A-question-about-mod_jk-1.2.28-configuration-tp26264069p26421227.html Sent from the Tomcat - User mailing list archive at Nabble.com.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: A question about mod_jk 1.2.28 configuration
thomas2004 wrote:

> > Rainer is asking you a question, here. If you can work with him, I'm sure he'll be able to diagnose and possibly solve your problem.
>
> Sorry for my misunderstanding Rainer's question. I can surely work with him. Just tell me how and in which way. I will try my best.

Scroll back to Rainer's message dated 17/11/2009. There is a question there. The answer to that question is what Rainer is waiting for.
Re: Location of properties file for web app in Tomcat
I had the same problem before. I didn't want to configure the location of the properties file at the Tomcat instance level since I had more than one war file. What I ended up doing is add the properties file configuration on the application's context file. This meant each war file can point to its own properties file.

Here is what I do. I add the following line in my META-INF/context.xml file. (The path can be anywhere on the system)

    <Environment name="APP_PROPERTIES" description="The APP Properties File" override="false" type="java.lang.String" value="/u/misc/web/conf/app.properties" />

Then in my code I just access the path using the following code

    // <Environment> entries are read through JNDI (java:comp/env), not System.getenv()
    String path = (String) new javax.naming.InitialContext().lookup("java:comp/env/APP_PROPERTIES");

Note: On a Windows environment just change the path to the Windows equivalent

Thanks
HTH

On Wed, Nov 18, 2009 at 2:20 PM, hbhartee himanshubhar...@yahoo.co.uk wrote:

> Hi,
>
> There is a simple way of using properties file across different web applications in Tomcat.
>
> Jar the properties file (included in package folders) and drop it in jakarta-tomcat/common/lib directory
>
> If you do not want to jar, just drop the properties file (included in relevant package structure folders) to jakarta-tomcat/common/classes
>
> The properties file would be available to all web applications after Tomcat is restarted.
>
> R,
per context access log
Hi,

I'm trying to configure access-logging per context by using the AccessLogValve. Actually I would like to produce one log-file per context but avoid configuring it for each context separately.

Is there a possibility to place the Valve-Configuration

    <Valve className="org.apache.catalina.valves.AccessLogValve" prefix="${context?!}" suffix=".log" pattern="combined"/>

into the default context.xml and choose a prefix such that a separate file is generated for each context, not one common for all contexts?

Or is there another possibility to reach the desired behaviour?

Best regards,
Ursula
Re: Apache-2.2.11 + mod_jk-1.2.28 + SSL
Hi,

On Thu, Nov 19, 2009 at 12:50:44AM +0100, Rainer Jung wrote:
> On 18.11.2009 17:01, conrad-tomcat.users.2...@tivano.de wrote:
> > As you can see, 24552 (=3 * 8184) bytes are received almost immediately,
>
> 8184 looks like the body size of one full AJP packet (protocol used by mod_jk and Tomcat).

yep, that's what I thought, too. It looks like the last, partially filled AJP packet from the Tomcat response is not making it through the SSL layer, somehow. Or whatever signals end of response to the SSL layer.

> > while the rest is only transferred after 5 seconds. Leaving -0 away from the curl command line, the complete result is received immediately. Requesting the same page via http instead of https, the complete result is received immediately. The 5-second-delay can be seen using wget instead of curl, too, so this is probably not a client problem. So far, the problem has only been seen on the production system. Due to the load conditions, it is infeasible to run mod_jk with significant logging output.
>
> Too bad.
>
> > mod_jk configuration is straightforward, timeouts are not defined (i. e. we use default values).
>
> That's not so nice but also likely not the cause of the problem. Can you run a network sniff (Wireshark et.al.) between Apache and Tomcat?

No, that's infeasible due to the high traffic volume.

> the AJP protocol is pretty clear text, so you could verify, whether the 5 seconds are caused by Apache (in case the full content has been delivered by Tomcat well before), or the reason is Tomcat or your webapp (in case the last response content packet really comes with the delay).

The webapp behaviour (for this page) depends neither on the HTTP protocol version nor on the presence of SSL. So I'm certain that the webapp delivers the complete response immediately.

Bye,
Peter

--
Peter Conrad
Tivano Software GmbH
Bahnhofstr. 18
63263 Neu-Isenburg
Tel: 06102 / 8099070
Fax: 06102 / 8099071
HRB 11680, AG Offenbach/Main
Managing Director: Martin Apel
Re: Dedicated Thread Pool
Mohsen Saboorian wrote:
> I'm using Lambda Probe http://www.lambdaprobe.org/ to monitor threads of my Tomcat Connector. In the first few hours of Tomcat startup, threads were named http-8080-exec-1, http-8080-exec-2, etc. But now after two days, I cannot see those threads anymore. It currently has http-8080-exec-480, http-8080-exec-481, etc. How can a thread be removed from a thread pool? I can imagine a thread being suspended or waiting on a busy resource, but how can it be removed?

Executors use dynamically sized thread pools. A thread can be removed by stopping the thread and removing it from the pool.

Mark

> Mohsen
>
> On Sat, Nov 14, 2009 at 8:55 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Mohsen Saboorian [mailto:mohs...@gmail.com]
> > Subject: Re: Dedicated Thread Pool
> >
> > > Chuck, how can I bind the new Connector to a different webapp directory?
> >
> > You can't, unless you create an additional Service and Engine - which is likely more trouble than it's worth. Just use the alternate port when running the monitor app, and use the regular port for the other webapps. In this case, obscurity (not telling users about the alternate port) is probably sufficient.
> >
> > Again, JMX-based tools may well give you more and better information - such as being able to look at thread dumps on the fly.
> >
> > - Chuck
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Apache-2.2.11 + mod_jk-1.2.28 + SSL
On 19.11.2009 10:10, conrad-tomcat.users.2...@tivano.de wrote:
> Hi,
>
> On Thu, Nov 19, 2009 at 12:50:44AM +0100, Rainer Jung wrote:
> > On 18.11.2009 17:01, conrad-tomcat.users.2...@tivano.de wrote:
> > > As you can see, 24552 (=3 * 8184) bytes are received almost immediately,
> >
> > 8184 looks like the body size of one full AJP packet (protocol used by mod_jk and Tomcat).
>
> yep, that's what I thought, too. It looks like the last, partially filled AJP packet from the Tomcat response is not making it through the SSL layer, somehow. Or whatever signals end of response to the SSL layer.
>
> > > while the rest is only transferred after 5 seconds. Leaving -0 away from the curl command line, the complete result is received immediately. Requesting the same page via http instead of https, the complete result is received immediately. The 5-second-delay can be seen using wget instead of curl, too, so this is probably not a client problem. So far, the problem has only been seen on the production system. Due to the load conditions, it is infeasible to run mod_jk with significant logging output.
> >
> > Too bad.
> >
> > > mod_jk configuration is straightforward, timeouts are not defined (i. e. we use default values).
> >
> > That's not so nice but also likely not the cause of the problem. Can you run a network sniff (Wireshark et.al.) between Apache and Tomcat?
>
> No, that's infeasible due to the high traffic volume.

If the problem is easily reproducible, you can add another Apache instance which is not used by the main traffic in front of the same tomcat (simply clone your existing Apache, and when using different directories and ports, you can do that on the same machine), then switch that one to JkLogLevel trace and run your reproduction against that Apache.

> The webapp behaviour (for this page) depends neither on the HTTP protocol version nor on the presence of SSL. So I'm certain that the webapp delivers the complete response immediately.

Your webapp might, the Tomcat connector might not. We need to find out, and the above way is an easy way to tell.

Regards,
Rainer
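The check discussed in this thread (is the last AJP body packet late, or does Tomcat deliver everything at once?) can be done offline on a small capture taken from a cloned test instance. The following is an added example, not code from the thread or from mod_jk: it parses the Tomcat-to-Apache side of an AJP13 stream and reports gaps between packets. The two captures, their timestamps, the 1000-byte tail and all function names are constructed for illustration.

```python
import struct

# AJP13 packets sent by Tomcat start with "AB", a 2-byte big-endian payload
# length, then a 1-byte message type as the first payload byte.
MAGIC = b"AB"
TYPES = {3: "SEND_BODY_CHUNK", 4: "SEND_HEADERS", 5: "END_RESPONSE",
         6: "GET_BODY_CHUNK", 9: "CPONG"}
MAX_PACKET = 8192  # default AJP packet size
# SEND_BODY_CHUNK overhead: magic(2) + length(2) + type(1) + chunk length(2)
# + trailing NUL(1), which leaves 8184 bytes of body per full packet.
MAX_CHUNK = MAX_PACKET - 8


def parse_packets(segments, max_packet=MAX_PACKET):
    """segments: [(timestamp_seconds, bytes)] read from the Tomcat->Apache
    direction. Packets may span segments; each packet is stamped with the
    time its last byte arrived. Returns (packets, leftover_byte_count)."""
    buf, packets = b"", []
    for ts, data in segments:
        buf += data
        while len(buf) >= 4:
            if buf[:2] != MAGIC:
                raise ValueError("bad AJP13 magic %r" % buf[:2])
            (length,) = struct.unpack(">H", buf[2:4])
            if length < 1 or length > max_packet - 4:
                raise ValueError("implausible payload length %d" % length)
            if len(buf) < 4 + length:
                break  # wait for the rest of this packet
            payload, buf = buf[4:4 + length], buf[4 + length:]
            code, body_len = payload[0], 0
            if code == 3:
                if length < 3:
                    raise ValueError("short SEND_BODY_CHUNK")
                (body_len,) = struct.unpack(">H", payload[1:3])
                if 3 + body_len > length:
                    raise ValueError("chunk length exceeds packet")
            packets.append({"time": ts, "body_len": body_len,
                            "type": TYPES.get(code, "UNKNOWN(%d)" % code)})
    return packets, len(buf)


def find_stalls(packets, threshold=1.0):
    """Return (gap_seconds, packet) for every packet that completed more than
    `threshold` seconds after the previous one."""
    stalls = []
    for prev, cur in zip(packets, packets[1:]):
        gap = round(cur["time"] - prev["time"], 3)
        if gap > threshold:
            stalls.append((gap, cur))
    return stalls


# --- constructed sample data (not taken from a real capture) ---------------
def body_chunk(data):
    payload = b"\x03" + struct.pack(">H", len(data)) + data + b"\x00"
    return MAGIC + struct.pack(">H", len(payload)) + payload


def end_response(reuse=True):
    payload = b"\x05" + (b"\x01" if reuse else b"\x00")
    return MAGIC + struct.pack(">H", len(payload)) + payload


def _segment(stream, size, step=0.001):
    # Cut the stream into fixed-size reads, one millisecond apart.
    return [(round(i * step, 3), stream[off:off + size])
            for i, off in enumerate(range(0, len(stream), size))]


_FULL = body_chunk(b"x" * MAX_CHUNK)
_TAIL = body_chunk(b"y" * 1000) + end_response()
# Case A: Tomcat sends the whole response at once.
CAPTURE_PROMPT = _segment(_FULL * 3 + _TAIL, 4096)
# Case B: three full packets at once, the partial one 5 seconds later.
CAPTURE_LATE = _segment(_FULL * 3, 4096) + [(5.0, _TAIL)]

if __name__ == "__main__":
    for name, cap in (("prompt", CAPTURE_PROMPT), ("late", CAPTURE_LATE)):
        pkts, _ = parse_packets(cap)
        print(name, [(p["type"], p["body_len"]) for p in pkts],
              find_stalls(pkts))
```

No stall on the AJP side while the client still waits points at Apache or the SSL layer; a stall before the final SEND_BODY_CHUNK points at Tomcat or the webapp.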
Sending messages via Tomcat to ActiveMQ
Hello,

My question is: how can I send messages to ActiveMQ via Tomcat. Is it possible? How can I write it? Any clues? I want to send messages to added example in ActiveMQ.

Best regards,
MK
Re: Sending messages via Tomcat to ActiveMQ
2009/11/19 Kumako22 kumak...@gmail.com

> My question is: how can I send messages to ActiveMQ via Tomcat. Is it possible? How can I write it? Any clues?

1) Write a standalone Java program to send a message to ActiveMQ. Test it. Prove it works.
2) Paste that code into your web application code at the appropriate point.

Tomcat does not provide facilities for sending messages to ActiveMQ, but it also does not prevent you from using your own code to do so.

- Peter
Re: Newbie, tomcat performance tuning
Thanks Everyone who responded. Just great.

OK, looks like I got lot of home work to do now; if I were to summarize,

1. Need to get JDK and not JRE, latest version of JDK and use the server version
2. Look at the connector pool
3. Need to modify the heap size, with 12GB ram and NO other application running I will allocate 6GB ram as Max and Min for JVM.

do I need to look at the server threads? if yes then where do I set that option? read somewhere tomcat with 8 thread (8 core processor), how do I configure that option?

Thanks
Bruce

On Thu, Nov 19, 2009 at 3:54 AM, Christopher Schultz ch...@christopherschultz.net wrote:

> Bruce,
>
> On 11/18/2009 9:48 AM, Bruce Foster wrote:
> > I'm new to the list and tomcat.
>
> Welcome!
>
> > I have a web application deployed in tomcat 6. this application is quite CPU hungry and I would like to optimise the tomcat accordingly. I'm expecting to have 200 concurrent connections to the server at peak, not much for a standard web application but ours is imagery based and bit resource hungry.
>
> Can you be more specific about what resources your webapp is hungry for? If a typical request needs 10MiB of memory to process an image, then you'll need to make sure that 50MiB * 200 requests = 10GiB of heap space is available to your webapp.
>
> Can your webapp handle 200 simultaneous requests? Consider using a load-testing tool such as JMeter to see how your webapp performs under load. Watch heap usage (in the JVM! 'Task Manager' is not useful, here), CPU utilization, disk usage, etc. to see what appears to be your limiting resource(s) and then tackle those.
>
> You already know the number of concurrent requests you are expecting at peak (200), so you have sort of set that requirement already (though I might allocate 225 or 250 just in case you get some bursts in there).
>
> Memory (and GC behavior) is really the only thing you can tune at the JVM level. Generally speaking, more heap space is better if you're going to need it. Also, setting the min and max heap sizes to the same values will avoid heap re-sizing which just wastes time if you know you want that memory dedicated to the heap anyway.
>
> Hope that helps,
> -chris

--
Thanks
Bruce
NSW Australia
64bit Tomcat for Windows
Hi List,

I have another thread running and someone suggested to use 64bit JDK on my Windows 2003 server 64 bit.

Wonder, if there is a 64 bit installer for Tomcat on Windows. I see my current tomcat is running x86 folder in 32 bit mode.

--
Thanks
Bruce
NSW Australia
Re: Newbie, tomcat performance tuning
2009/11/19 Bruce Foster gis.fos...@gmail.com

> do I need to look at the server threads? if yes then where do I set that option? read somewhere tomcat with 8 thread (8 core processor), how do I configure that option?

If you can find me that somewhere, I'll go and grumble at the author :-). It's very poor advice unless your web application is 100% CPU-bound, doing no I/O (including sending no output over HTTP) and no database accesses.

For realistic loads, some will be waiting on I/O to database, sending data to the browser etc.. The actual number of threads you want is therefore higher, depending on your own web application - and the only way to find out is to profile.

Setting the number of threads too high costs you a little bit of CPU (so the scheduler can account for them) and a little bit of RAM (for their stacks and other data structures). Setting the number of threads too low costs you failed requests from your users, up to and including the server appearing to be down because it's got backed up handling incoming requests, despite having enough RAM and CPU.

If you're not sure what to do, keep the threads unchanged; if you *have* to alter it, prefer higher rather than lower unless you can demonstrate that it will cause RAM or CPU issues to do so.

- Peter
Re: per context access log
Sorry - (AFAICT) there isn't a way to do that. You have to configure each one.

-Tim

Ursula Walenciak wrote:
> Hi,
>
> I'm trying to configure access-logging per context by using the AccessLogValve. Actually I would like to produce one log-file per context but avoid configuring it for each context separately.
>
> Is there a possibility to place the Valve-Configuration
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve" prefix="${context?!}" suffix=".log" pattern="combined"/>
>
> into the default context.xml and choose a prefix such that a separate file is generated for each context, not one common for all contexts?
>
> Or is there another possibility to reach the desired behaviour?
Re: 64bit Tomcat for Windows
On Thu, 19 Nov 2009 13:30:19 +0100, Bruce Foster gis.fos...@gmail.com wrote:

> Hi List,
>
> I have another thread running and someone suggested to use 64bit JDK on my Windows 2003 server 64 bit.
>
> Wonder, if there is a 64 bit installer for Tomcat on Windows. I see my current tomcat is running x86 folder in 32 bit mode.

Tomcat isn't 64 or 32 bits. Tomcat just uses the JVM it is running on.

Ronald.

-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: Some advice on apache tomcat
Hi,

I have failed to come up with a solution to link Apache 2.2 and Tomcat 6 using mod_jk / mod_proxy_ajp in a way that satisfies my requirements. (Seamless form based authentication, CMS using wordpress etc.) I can get 98% there but the last 2% is the blocker and I am running out of options. I was very surprised that others have not done this before but then again I suppose every solution is different! (Many thanks to the replies for my earlier question, I don't think a non custom solution exists for it!)

So to move forward I think that I will scrap putting the static content on apache and serve it all from tomcat. I might use apache to handle SSL and loadbalance.

My question is what is the recommended wordpress replacement that I can use on Tomcat to provide content management via database as well as providing blogging capability?

I looked at quercus php enabler for tomcat but it seems to have a commercial license. openCMS looks promising (but no blogging) any recommendations?

Tony

On Tue, 17 Nov 2009 10:02 +, Pid p...@pidster.com wrote:
> On 16/11/2009 22:07, André Warnier wrote:
> > Anthony Jay wrote:
> > > My main issue now is about how the authentication works between Tomcat and Apache.
> >
> > That's the only one I can readily answer. It is extremely simple with mod_jk. If the user is authenticated at the Apache level, mod_jk will pass this on to the Tomcat server via AJP. The only thing to do, is set the 'tomcatAuthentication=false' attribute in Tomcat's AJP Connector, and Tomcat will just believe the user-id sent by Apache and mod_jk. I don't know if, or how, mod_proxy_ajp handles the same thing.
> >
> > > In terms of authentication, which should I use, mod_auth_mysql and mod_auth_dbm (or mod_auth_form in future or something else?) and why?
> >
> > There are many many possibilities for this under Apache httpd. Just pick the one that you like best, on its own merits. They all basically in the end result in the HTTP request being authenticated at the Apache httpd level (iow to have a user-id), and that's what you want. What you then do with it under Tomcat is another story, but that is also your choice.
> >
> > > In terms of single sign on how can I make the user experience seamless between static content-managed pages and jsp/servlets? Will mod_jk handle sso? This does not seem clear to me in all the pages I read. If I configure form based auth in a login.jsp page will this be relayed to apache after a redirect?
> >
> > No, but why would it be ? Ah, if you want to do the authentication in Tomcat rather than in Apache, but still use it in Apache ? There are ways, but you'll need to write your own Apache (httpd) authentication module. You could then define a dummy servlet in Tomcat, which just echoes the authenticated user-id (as gotten via getRemoteUser() e.g.). Then in Apache httpd, you would make a side-request (otherwise known as a sub-request) to this Tomcat webapp to get the user-id, and use it to authenticate the current request in Apache. But that is a complicated scheme, probably only worth it if you find some Tomcat authentication method that does not exist in Apache httpd, which is unlikely.
> >
> > > What is best practise and what should I be doing? If there is some hard to find documentation out there with pointers and tips I would appreciate a few links.
> >
> > To read in the Apache httpd docs : http://httpd.apache.org/docs/2.2/howto/auth.html
> >
> > Also, personally I would recommend having a look around here : http://cpan.uwinnipeg.ca/search?query=apache%3A%3Aauthmode=dist This is the Perl library. Even if you do not intend to do anything with Perl, the documentation of many of these modules is a goldmine of information about how things work.
> >
> > > Expert advice is appreciated.
> >
> > You just got it. ;-)
>
> There used to be a mod_auth_cookie module that had form auth capabilities, but it wasn't ever in the main distro, it was listed in the related modules site. I used a variant of it in a HTTPD 1.3 install many years ago, so I can't vouch for its current status. GIYF.
>
> p
RE: 64bit Tomcat for Windows
From: Ronald Klop [mailto:ronald-mailingl...@base.nl]
Subject: Re: 64bit Tomcat for Windows

> > I have another thread running and someone suggested to use 64bit JDK on my Windows 2003 server 64 bit. Wonder, if there is a 64 bit installer for Tomcat on Windows. I see my current tomcat is running x86 folder in 32 bit mode.
>
> Tomcat isn't 64 or 32 bits. Tomcat just uses the JVM it is running on.

Except for the service wrapper, which does come in both 32- and 64-bit versions; the one used must match the mode of the installed JVM. The 64-bit service wrapper can be found here: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/res/procrun/amd64/

Just replace the one that's in Tomcat's bin directory. Rename the executable to tomcat5.exe if you're still on the older level.

- Chuck
RE: Newbie, tomcat performance tuning
From: Bruce Foster [mailto:gis.fos...@gmail.com]
Subject: Re: Newbie, tomcat performance tuning

> 1. Need to get JDK and not JRE, latest version of JDK and use the server version

Tomcat only needs the JRE, but the JDK contains some interesting tools that you may find useful. Make sure you get a 1.6 or later level of either. If you're running on a 64-bit platform, use the 64-bit JRE/JDK. If you do use a 64-bit JVM, only the server mode is available.

> 2. Look at the connector pool

The above is ambiguous, since it could refer to either the HTTP/HTTPS connector, or database connections.

> 3. Need to modify the heap size, with 12GB ram and NO other application running I will allocate 6GB ram as Max and Min for JVM.

You cannot set the heap anywhere near that large unless you're running on a 64-bit JVM.

> do I need to look at the server threads? if yes then where do I set that option?

In the Connector or Executor elements in server.xml.

> read somewhere tomcat with 8 thread (8 core processor), how do I configure that option?

Read Peter's response. You will need way more than 8 threads in any real-world environment. The JVM will use as many cores as are available.

- Chuck
Howto Socket (TCP / IP ) reading from a war application on Tomcat
Hi

Can somebody provide me a sample code for Socket (TCP / IP ) reading from a war application on Tomcat

Can Listeners be made use of for the same?

Reason: I need to Accept / Reply a XML File over the socket port from 3rd party application (as Client )

Also the Soap (Approached was not recommended for this existing application )

With regards
Karthik
Re: Howto Socket (TCP / IP ) reading from a war application on Tomcat
On 19/11/2009 13:59, Karthik Nanjangude wrote:
> Hi
>
> Can somebody provide me a sample code for Socket (TCP / IP ) reading from a war application on Tomcat
>
> Can Listeners be made use of for the same?
>
> Reason: I need to Accept / Reply a XML File over the socket port from 3rd party application (as Client )
>
> Also the Soap (Approached was not recommended for this existing application )

You're asking us to write code for you? For free?

p

> With regards
> Karthik
RE: Howto Socket (TCP / IP ) reading from a war application on Tomcat
Hi

Not necessary, if any can provide me some ideas It would be wonderful

With regards
Karthik

-Original Message-
From: Pid [mailto:p...@pidster.com]
Sent: Thursday, November 19, 2009 7:36 PM
To: Tomcat Users List
Subject: Re: Howto Socket (TCP / IP ) reading from a war application on Tomcat

On 19/11/2009 13:59, Karthik Nanjangude wrote:
> Hi
>
> Can somebody provide me a sample code for Socket (TCP / IP ) reading from a war application on Tomcat
>
> Can Listeners be made use of for the same?
>
> Reason: I need to Accept / Reply a XML File over the socket port from 3rd party application (as Client )
>
> Also the Soap (Approached was not recommended for this existing application )

You're asking us to write code for you? For free?

p

> With regards
> Karthik
Re: Newbie, tomcat performance tuning
On Thu, Nov 19, 2009 at 4:27 AM, Bruce Foster gis.fos...@gmail.com wrote:

> 3. Need to modify the heap size, with 12GB ram and NO other application running I will allocate 6GB ram as Max and Min for JVM.

Well, nothing exceeds like excess, but you might want to start a bit lower and increase as it seems necessary.

Consider that you may need to do debugging, and with a 6GB JVM a heap dump will be ginormous - trying to load a 5+GB .hprof file on your desktop system to analyze can be awkward...

/* Note: not a hypothetical issue: I just hit this with an 8GB server that OOM'd anyway :-) */

FWIW,
--
Hassan Schroeder hassan.schroe...@gmail.com
twitter: @hassan
Re: Howto Socket (TCP / IP ) reading from a war application on Tomcat
On Thu, 19 Nov 2009 14:59:16 +0100, Karthik Nanjangude karthik.nanjang...@xius-bcgi.com wrote:

> Hi
>
> Can somebody provide me a sample code for Socket (TCP / IP ) reading from a war application on Tomcat
>
> Can Listeners be made use of for the same?
>
> Reason: I need to Accept / Reply a XML File over the socket port from 3rd party application (as Client )
>
> Also the Soap (Approached was not recommended for this existing application )
>
> With regards
> Karthik

See here for some examples: http://tinyurl.com/ylq2zlj
RE: 64bit Tomcat for Windows
Depends on your version of Tomcat. 5.5.28 will install to match your architecture. Not sure if there is a 6.0.x installer that will do the same yet. Mark?

-Original Message-
From: Bruce Foster [mailto:gis.fos...@gmail.com]
Sent: Thursday, November 19, 2009 6:30 AM
To: Tomcat Users List
Subject: 64bit Tomcat for Windows

Hi List,

I have another thread running and someone suggested to use 64bit JDK on my Windows 2003 server 64 bit.

Wonder, if there is a 64 bit installer for Tomcat on Windows. I see my current tomcat is running x86 folder in 32 bit mode.

--
Thanks
Bruce
NSW Australia

*** NOTICE * This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by reply or by telephone (call us collect at 512-343-9100) and immediately delete this message and all its attachments.
RE: 64bit Tomcat for Windows
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
Subject: RE: 64bit Tomcat for Windows

> 5.5.28 will install to match your architecture.

Unfortunately, it matches the mode of the OS, not the mode of the JVM - which is what really matters.

- Chuck
Re: Newbie, tomcat performance tuning
Caldarale, Charles R wrote:
> From: Bruce Foster [mailto:gis.fos...@gmail.com]
> Subject: Re: Newbie, tomcat performance tuning
>
> ...
>
> > read somewhere tomcat with 8 thread (8 core processor), how do I configure that option?
>
> Read Peter's response. You will need way more than 8 threads in any real-world environment. The JVM will use as many cores as are available.

For sure: I normally keep 30 to 50 working on a 4-core machine. A few are always waiting for something (disk write, http socket, etc) of course, but not for long.

D
Re: Some advice on apache tomcat
On Thu, Nov 19, 2009 at 5:21 AM, Anthony Jay anthony...@fastmail.fm wrote:

> My question is what is the recommended wordpress replacement that I can use on Tomcat to provide content management via database as well as providing blogging capability?

You do know that every time someone uses content management and WordPress in the same context, God kills a kitten, don't you?

Anyway --

Blogging: Roller, Pebble, Blojsom. Try 'em out. (Sun Microsystems runs their corporate blogs on Roller, FWIW.)

CMS: What do you *really* mean by CMS? There is a wide range of capabilities that get unfortunately lumped under that banner.

--
Hassan Schroeder hassan.schroe...@gmail.com
twitter: @hassan
Tomcat / windows 2008 IIS 7 x64
Is there any official documentation on how to setup Tomcat (ASPX/JSP java interpreter) on a Windows 2008 using IIS 7 (x64 platform) ?

Thanks in advance,

Eric Sabo
Senior Windows Systems Engineer
Information Technology Services - Operations
California University of Pennsylvania

Please note my new email address: eric.s...@calu.edu

Notice: California University of Pennsylvania is changing its domain name from CUP.EDU to CALU.EDU, effective Aug. 14. Please make a note that all email addresses will change to use this domain name and record appropriate changes in your contact lists. The CUP.EDU address will continue to work in parallel for a short time and then will be discontinued.
Re: Tomcat / windows 2008 IIS 7 x64
On 19/11/2009 16:38, Sabo, Eric wrote:
> Is there any official documentation on how to setup Tomcat (ASPX/JSP java interpreter) on a Windows 2008 using IIS 7 (x64 platform) ?

Start by reading the docs: http://tomcat.apache.org/

p

> Thanks in advance,
>
> Eric Sabo
Re: Dedicated Thread Pool
Then is it normal that an executor stops and removes a thread from the pool?

Mohsen

On Thu, Nov 19, 2009 at 1:24 PM, Mark Thomas ma...@apache.org wrote:
> Mohsen Saboorian wrote:
> > I'm using Lambda Probe http://www.lambdaprobe.org/ to monitor threads of my Tomcat Connector. In the first few hours of Tomcat startup, threads were named http-8080-exec-1, http-8080-exec-2, etc. But now after two days, I cannot see those threads anymore. It currently has http-8080-exec-480, http-8080-exec-481, etc. How can a thread be removed from a thread pool? I can imagine a thread being suspended or waiting on a busy resource, but how can it be removed?
>
> Executors use dynamically sized thread pools. A thread can be removed by stopping the thread and removing it from the pool.
>
> Mark
>
> > Mohsen
> >
> > On Sat, Nov 14, 2009 at 8:55 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > > From: Mohsen Saboorian [mailto:mohs...@gmail.com]
> > > Subject: Re: Dedicated Thread Pool
> > >
> > > > Chuck, how can I bind the new <Connector> to a different webapp directory?
> > >
> > > You can't, unless you create an additional <Service> and <Engine> - which is likely more trouble than it's worth. Just use the alternate port when running the monitor app, and use the regular port for the other webapps. In this case, obscurity (not telling users about the alternate port) is probably sufficient.
> > >
> > > Again, JMX-based tools may well give you more and better information - such as being able to look at thread dumps on the fly.
> > >
> > > - Chuck
> > >
> > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Dedicated Thread Pool
yes, if maxThreads > minSpareThreads, then threads will be killed off and the pool will shrink.
and when traffic comes back, it creates new threads, with new names

Filip

On 11/19/2009 10:12 AM, Mohsen Saboorian wrote:
> Then is it normal that an executor stops and removes a thread from the pool?
>
> Mohsen
RE: Tomcat / windows 2008 IIS 7 x64
Which doc would that be under? Can you be more specific?

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Thursday, November 19, 2009 11:57 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat / windows 2008 IIS 7 x64

On 19/11/2009 16:38, Sabo, Eric wrote:
> Is there any official documentation on how to setup Tomcat (ASPX/JSP java interpreter) on a Windows 2008 using IIS 7 (x64 platform) ?

Start by reading the docs: http://tomcat.apache.org/

p
Re: Tomcat / windows 2008 IIS 7 x64
The Setup section of the docs describes basic Tomcat setup. Info about integrating with IIS is in the Tomcat Connectors docs:

http://tomcat.apache.org/connectors-doc/

There's an IIS how-to in there.

--
Len

On Thu, Nov 19, 2009 at 12:54, Sabo, Eric eric.s...@calu.edu wrote:
> Which doc would that be under? Can you be more specific?
Subdomain vs. Subdirectory
Hello,

I have a Tomcat6 server running behind an Apache2 server using JK mod. My Tomcat responds to www.myserver.com and www.myserver.com/api. I would like to make the server not respond to the latter and access the application under /api via api.myserver.com instead.

Thank you,
Sammy
Grant access to files out of webapp context using SecurityManager
Hello all,

I have a webapp in the following location:

    /apps/tomcat/webapps/mywebapp

I have files located at:

    /files/images

They are on different partitions. I need to grant mywebapp read,write,execute permissions to these images. I am attempting to configure SecurityManager to allow this but am having some difficulties.

here is a snippet of catalina.policy

    grant codeBase "file:${catalina.home}/webapps/mywebapp/WEB-INF/-" {
        permission java.security.AllPermission;
        permission java.io.FilePermission "/files/images/-", "read,write,execute";
    };

also tried this:

    grant codeBase "file:${catalina.home}/webapps/mywebapp/WEB-INF/-" {
        permission java.security.AllPermission;
        permission java.io.FilePermission "file://files/images/-", "read,write,execute";
    };

Am I correct in assuming that the additional FilePermission access goes within the webapps grant statement?

Any ideas are appreciated. Thanks in Advance.

G
Migrating from Tomcat 5.5.25 to 6.0.22
On Solaris 10, using JDK 1.5.0_18-b02, I am trying to upgrade Tomcat from 5.5.25 to 6.0.22. I have a script in /etc/init.d that starts/stops Tomcat and MySQL.

I'm getting a ClassNotFoundException for org.apache.catalina.core.ApplicationContextFacade when I try to start Tomcat. When I call the script to stop everything (I need to stop MySQL after the failure before trying again), I get a ClassNotFoundException for org.apache.catalina.startup.Catalina.

As far as obvious things that I have tried:

The server.xml has the main library pointing to ${catalina.home}/lib.
The ${catalina.home}/lib directory does have the correct permissions for getting to the .jar files there.
I tried removing my .war files (and the exploded directories for them), in case there was a class file conflict there.

Does anyone have any ideas of where I can look to try to resolve this? Any help would be appreciated. The system is not accessible to the internet, so I would need to copy anything from configuration files by hand in order to post them here.

-- Chris
RE: Migrating from Tomcat 5.5.25 to 6.0.22
> From: Christopher Gross [mailto:cogr...@gmail.com]
> Subject: Migrating from Tomcat 5.5.25 to 6.0.22
>
> The server.xml has the main library pointing to ${catalina.home}/lib.

??? Really? A proper server.xml has no knowledge of (or interest in) Tomcat's lib directory. You'll need to post it.

> Does anyone have any ideas of where I can look to try to resolve this?

Post the actual stack traces from the log. As a guess, it looks like the contents of Tomcat's bin directory (e.g., the jars therein) are corrupted. How did you install Tomcat 6.0.22? Note that the highest released level is 6.0.20...

 - Chuck
Re: Migrating from Tomcat 5.5.25 to 6.0.22
On Thu, Nov 19, 2009 at 11:11 AM, Christopher Gross cogr...@gmail.com wrote:
> On Solaris 10, using JDK 1.5.0_18-b02, I am trying to upgrade Tomcat from 5.5.25 to 6.0.22. I have a script in /etc/init.d that starts/stops Tomcat and MySQL. I'm getting a ClassNotFoundException for org.apache.catalina.core.ApplicationContextFacade when I try to start Tomcat.
>
> As far as obvious things that I have tried:

Uh, starting Tomcat with `$CATALINA_HOME/bin/catalina.sh run`?

> Does anyone have any ideas of where I can look to try to resolve this? Any help would be appreciated. The system is not accessible to the internet, so I would need to copy anything from configuration files by hand in order to post them here.

NP, we're all over that mind-reading thing :-)

--
Hassan Schroeder hassan.schroe...@gmail.com
twitter: @hassan
Re: Subdomain vs. Subdirectory
On Thu, Nov 19, 2009 at 10:07 AM, picosam pico...@gmail.com wrote:
> I have a Tomcat6 server running behind an Apache2 server using JK mod. My Tomcat responds to www.myserver.com and www.myserver.com/api. I would like to make the server not respond to the latter and access the application under /api via api.myserver.com instead.

So you want api.myserver.com to be a virtual host. There's a doc for that. :-)

--
Hassan Schroeder hassan.schroe...@gmail.com
twitter: @hassan
Re: Migrating from Tomcat 5.5.25 to 6.0.22
2009/11/19 Christopher Gross cogr...@gmail.com:
> When I call the script to stop everything (I need to stop MySQL after the failure before trying again), I get a ClassNotFoundException for org.apache.catalina.startup.Catalina.

Please note, that you cannot copy 5.5 configuration files to Tomcat 6.0. You have to start with 6.0 files and make the necessary changes.

ClassNotFoundException for org.apache.catalina.startup.Catalina is usually caused by wrong catalina.properties
Re: Migrating from Tomcat 5.5.25 to 6.0.22
Heh, a few typos on my part, sorry about that. It is 6.0.20, and the library stuff is in the catalina.properties file.

I downloaded the core (not windows installer) from the Apache Tomcat site. Should I try downloading it again and copying it over?

Here is the trace from when I start Tomcat:

    java.lang.ClassNotFoundException: org.apache.catalina.core.ApplicationContextFacade$1
        at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader$1.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at org.apache.catalina.security.SecurityClassLoad.loadCorePackage(SecurityClassLoad.java:53)
        at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:40)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:210)
        at org.apache.catalina.startup.Boostrap.main(Bootstrap.java:390)

I looked over the old configuration files for how things were set, but I did use the new ones that come with 6.0.20. Are you aware of a listing of settings that were removed, or do I need to go through them line by line and compare the files to what Apache has up on the 6.x documentation pages?

-- Chris
RE: Migrating from Tomcat 5.5.25 to 6.0.22
> From: Christopher Gross [mailto:cogr...@gmail.com]
> Subject: Re: Migrating from Tomcat 5.5.25 to 6.0.22
>
> Should I try downloading it again and copying it over?

Try downloading it and just running it as is using startup.sh, without making any changes, just to verify that it's functional.

> java.lang.ClassNotFoundException: org.apache.catalina.core.ApplicationContextFacade$1

That class is in catalina.jar, so you've either messed up the system classpath, or corrupted catalina.properties, or you've got a bad jar. How are you starting Tomcat?

 - Chuck
Writable JNDI Naming Context?
Hi,

is there a way of having a writeable JNDI context in Tomcat? I need one to place dataSources in it, because I have a perfectly running DataSourceFactory that is used in other applications as well, so I'd prefer to use this one above everything else to avoid database configurations in multiple places.

Or is there a way of telling hibernate to get connections from my DataSourceFactory, thus avoiding the JNDI hassle?

Regards,
Jens
Re: Grant access to files out of webapp context using SecurityManager
On 19/11/2009 18:13, g f wrote:
> Hello all,
>
> I have a webapp in the following location: /apps/tomcat/webapps/mywebapp
> I have files located at: /files/images
>
> They are on different partitions. I need to grant mywebapp read,write,execute permissions to these images. I am attempting to configure SecurityManager to allow this but am having some difficulties.
>
> here is a snippet of catalina.policy
>
>     grant codeBase "file:${catalina.home}/webapps/mywebapp/WEB-INF/-" {
>         permission java.security.AllPermission;
>         permission java.io.FilePermission "/files/images/-", "read,write,execute";
>     };
>
> also tried this:
>
>     grant codeBase "file:${catalina.home}/webapps/mywebapp/WEB-INF/-" {
>         permission java.security.AllPermission;
>         permission java.io.FilePermission "file://files/images/-", "read,write,execute";
>     };
>
> Am I correct in assuming that the additional FilePermission access goes within the webapps grant statement?
>
> Any ideas are appreciated. Thanks in Advance.
>
> G

First: does the user that is running Tomcat have the appropriate access rights to manipulate files in the directory?

Second: what 'trouble' are you having?

p
Re: Migrating from Tomcat 5.5.25 to 6.0.22
The machine that I run Tomcat on isn't on the internet, and it isn't a local machine. I can try to copy it over again, it will just take some time to do that. If there are other methods that may work, I'd like to try them first.

I start Tomcat by running a script -- unfortunately sudo is misconfigured and I can't get to it now to see what the call is to start Tomcat. Hopefully that will be fixed soon, and I can provide you with that information.

I tried just running the startup.sh script, and I get the same error as I posted before (ClassNotFoundException for ApplicationContextFacade).

-- Chris
Re: Importing CERTIFICATE into Java Keystore
Stephen,

On 11/19/2009 2:42 AM, Stephen . wrote:
> My JAVA folder has 3 different locations which contain the command KEYTOOL I don't even know which of them is supposed to hold the certificate.

None of those hold any certificates: they are just programs that operate on files called keystores. A keystore is a specially-formatted file that contains one or more certificates and keys. You can create a new one or use an existing one.

Typically, your JVM has a system-level keystore installed that contains all of the special top-level certificates from the big guys like VeriSign and Thawte. That allows your JVM to trust certificates signed by those certificate authorities. X.509 (which is what all this stuff is defined as) is built on a tree of trust where a small number of implicitly-trusted entities (VeriSign, Thawte, etc.) are allowed to dictate who is and who is not trusted on the web via these certificates. It's a great racket.

> Yesterday, just to be on the safe side, I imported my certificate into ALL 3 locations (under 3 different aliases)

The real question was which keystore you were operating on. From the 'keytool' manual page:

    Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the user.home system property.

So, do you have a file in ~/.keystore? If so, it's likely to be the place where all the certificates you are (re-)importing are going. You need to configure this keystore to be the one that is used for your JNDI connection.

How are you configuring your JNDI resource? Please post the configuration (minus any passwords, of course) and tell us where that configuration appears.

> Then I found yet another command online which says that, it's not enough to import the certificate into keystore. It needs to be imported directly into the CACERT file.

That sounds like malarkey.

> To make matters even worse, I found yet another advice in Tomcat's documentation, saying : before importing the certificate, you need to first import a so-called TRUST CHAIN.

That may be possible. See... the big guys like VeriSign don't have just a single certificate/key that they use to sign your certificate(s): they have dozens. That is, in the tree of trust, there are many branches. There are many reasons for that which I won't go into, here.

Basically, VeriSign's top-level cert (and they have more than one) trusts VeriSign's mid-level certs, which in turn trust VeriSign's lowest-level cert, which trusts you. If you want the JVM to trust your certificate, you need to provide your certificate (duh!) plus the 2 intervening (chain) certificates to bridge the chain of trust from your cert to the top-level VeriSign cert that ships with the JVM.

> In some places, it says you need this trust chain if the certificate was applied for by yourself.

That statement is a bit ambiguous.

> is it:
> *keytool -import -file tomcatCert.crt -trustcacerts -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass changeit*
> or is it :
> * keytool -import -alias root -keystore your_keystore_filename -trustcacerts -file filename_of_the_chain_certificate*

It's both, or neither :)

Usually, you don't want to modify the keystore that came with the JVM (that's c:/apps/jdk/jre/lib/security/cacerts). Why? Because if you upgrade your JVM, then your trusted certs will appear to vanish because the new JVM ships with a new cacerts file which doesn't include your changes.

What would be best is something like this (the \s in here are a *NIX-style "command continues on the next line" convention... they are not intended to be actually entered on the command line, but indicate that you shouldn't press ENTER at the end of each line of text):

    keytool -import \
        -file chain-1-cert.crt \
        -trustcacerts \
        -alias chain-1 \
        -keystore path\to\my\keystore

(then enter the password when prompted)

This will import one of the chain certificates you may need to import for whoever signed your certificate. Who did sign it, by the way?

Repeat that command for each chain certificate you have to import.

Now, import your own certificate:

    keytool -import \
        -file your-cert.crt \
        -trustcacerts \
        -alias my-jndi-certificate \
        -keystore path\to\my\keystore

(then enter the password when prompted)

This should get all your necessary certificates in one place: the file indicated by path\to\my\keystore. Please let us know where you intend to place this file.

Now, to actually /use/ that keystore depends on how you are configuring your JNDI resource. Once we see that, we can help you point your configuration at this file.

And what is the
Re: Fwd: Servlet MessageBrokerServlet is not available on Ubuntu AMD64
Raja,

On 11/18/2009 11:07 PM, R. S. Patil wrote:
> The repository Install of Tomcat has the problem.

*Please report this issue to the Ubuntu folks*.

I'd really prefer if we didn't always have to tell people having your type of problems that everything will be fine if you uninstall the package-managed version of Tomcat and install a 'real' Tomcat from tomcat.apache.org. It gets kind of tiresome doing that, and also it would be nice if the package-managed versions actually did work properly.

The problem is that people come here for help and we don't know all the weird conventions of each package manager's file layout, etc. so we can't give decent help to those who need it.

-chris
Re: Grant access to files out of webapp context using SecurityManager
I recently activated SecurityManager and had no previous issues with this. Yes they do have permissions on that directory.

I am getting many errors regarding this here is a snippet of the stack:

    SEVERE: StandardWrapper.Throwable
    java.security.AccessControlException: access denied (java.io.FilePermission /files/images read)
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkRead(Unknown Source)
        at java.io.File.exists(Unknown Source)
        .
        .

Does my syntax look correct? I did also try the following:

    grant codeBase "file:/files/images/-" {
        permission java.security.AllPermission;
    };

Thanks.

On Thu, Nov 19, 2009 at 2:03 PM, Pid p...@pidster.com wrote:
> First: does the user that is running Tomcat have the appropriate access rights to manipulate files in the directory?
>
> Second: what 'trouble' are you having?
>
> p
Re: Grant access to files out of webapp context using SecurityManager
On 19/11/2009 20:38, g f wrote:
> I recently activated SecurityManager and had no previous issues with this. Yes they do have permissions on that directory.
>
> I am getting many errors regarding this here is a snippet of the stack:
>
>     SEVERE: StandardWrapper.Throwable
>     java.security.AccessControlException: access denied (java.io.FilePermission /files/images read)
>         at java.security.AccessControlContext.checkPermission(Unknown Source)
>         at java.security.AccessController.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkRead(Unknown Source)
>         at java.io.File.exists(Unknown Source)
>         .
>         .
>
> Does my syntax look correct? I did also try the following:
>
>     grant codeBase "file:/files/images/-" {
>         permission java.security.AllPermission;
>     };

(That won't work.)

Try specifying the FilePermission like this:

    permission java.io.FilePermission "/files/images", "read";

p
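The denial in this thread names the target `/files/images` with action `read`, while the posted policy grants `/files/images/-`. The following is an added example, not code from any poster or from Tomcat: it uses `java.io.FilePermission.implies` to show which targets each path form covers. The class name, helper names and the sample file names under `/files/images` are constructed for illustration.

```java
import java.io.FilePermission;
import java.security.Permissions;

/**
 * Added example: compares the FilePermission path forms discussed in the
 * thread. Nothing here touches the file system; implies() only compares
 * the permission's path and actions with the requested ones.
 */
public class FilePermissionForms {

    // Target strings as they would appear in a policy file entry.
    static final String[] GRANT_PATHS = {
        "/files/images",    // the directory entry itself, nothing inside it
        "/files/images/*",  // entries directly inside the directory
        "/files/images/-",  // everything below the directory, recursively
    };

    // Constructed sample targets a webapp might access.
    static final String[] TARGETS = {
        "/files/images",                // the target named in the posted exception
        "/files/images/logo.png",       // constructed file name
        "/files/images/2009/11/a.png",  // constructed nested file name
    };

    /** True if a grant of (grantPath, grantActions) covers the requested access. */
    static boolean covers(String grantPath, String grantActions,
                          String target, String action) {
        FilePermission granted = new FilePermission(grantPath, grantActions);
        FilePermission requested = new FilePermission(target, action);
        return granted.implies(requested);
    }

    /**
     * A narrow permission set for one directory tree: the directory entry
     * plus everything beneath it, read-only. The two entries are separate
     * targets, so both are listed.
     */
    static Permissions readOnlyTree(String dir) {
        Permissions perms = new Permissions();
        perms.add(new FilePermission(dir, "read"));
        perms.add(new FilePermission(dir + "/-", "read"));
        return perms;
    }

    public static void main(String[] args) {
        // Matrix: one row per grant form, one column per requested target.
        System.out.printf("%-18s", "grant (read)");
        for (String target : TARGETS) {
            System.out.printf("%-30s", target);
        }
        System.out.println();
        for (String grant : GRANT_PATHS) {
            System.out.printf("%-18s", grant);
            for (String target : TARGETS) {
                System.out.printf("%-30s", covers(grant, "read", target, "read"));
            }
            System.out.println();
        }

        // The combined set: read is covered for every target, write for none.
        Permissions perms = readOnlyTree("/files/images");
        System.out.println();
        for (String target : TARGETS) {
            boolean canRead = perms.implies(new FilePermission(target, "read"));
            boolean canWrite = perms.implies(new FilePermission(target, "write"));
            System.out.printf("%-30s read=%b write=%b%n", target, canRead, canWrite);
        }
    }
}
```

`java.security.AllPermission` implies every other permission, so in a grant block that also contains it the narrower `FilePermission` entries only take effect once `AllPermission` is removed.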
Re: Writable JNDI Naming Context?
Jens,

On 11/19/2009 2:59 PM, Jens Greven wrote:
is there a way of having a writeable JNDI context in Tomcat? I need one to place dataSources in it, because I have a perfectly running DataSourceFactory that is used in other applications as well, so I'd prefer to use this one above everything else to avoid database configurations in multiple places. Or is there a way of telling hibernate to get connections from my DataSourceFactory, thus avoiding the JNDI hassle?

What about using Tomcat's Resource configuration in context.xml which results in putting a DataSource into the JNDI context.

Is there a compelling reason to use your own DataSourceFactory? If so, I believe you can configure Resource to use that. See http://tomcat.apache.org/tomcat-6.0-doc/jndi-resources-howto.html for more information.

-chris
Re: Writable JNDI Naming Context?
Christopher Schultz wrote:
Jens,

On 11/19/2009 2:59 PM, Jens Greven wrote:
is there a way of having a writeable JNDI context in Tomcat? I need one to place dataSources in it, because I have a perfectly running DataSourceFactory that is used in other applications as well, so I'd prefer to use this one above everything else to avoid database configurations in multiple places. Or is there a way of telling hibernate to get connections from my DataSourceFactory, thus avoiding the JNDI hassle?

What about using Tomcat's Resource configuration in context.xml which results in putting a DataSource into the JNDI context.

Is there a compelling reason to use your own DataSourceFactory? If so, I believe you can configure Resource to use that. See http://tomcat.apache.org/tomcat-6.0-doc/jndi-resources-howto.html for more information.

-chris

Chris,

The main reason for using my own DataSourceFactory is to have all configuration in one place so in case of any changes to configuration only one class has to be updated no matter what application uses the DSF. As we have quite a heterogenous infrastructure, it currently contains connection information for 7 Databases with individual ConnectionCustomizers etc. (and changes appear quite frequently...).

I will try with the <Resource>, thanks a lot for the hint ;-)

Jens
Re: Writable JNDI Naming Context?
Jens,

On 11/19/2009 5:22 PM, Jens Greven wrote:
Christopher Schultz wrote:
Jens,

On 11/19/2009 2:59 PM, Jens Greven wrote:
is there a way of having a writeable JNDI context in Tomcat? I need one to place dataSources in it, because I have a perfectly running DataSourceFactory that is used in other applications as well, so I'd prefer to use this one above everything else to avoid database configurations in multiple places. Or is there a way of telling hibernate to get connections from my DataSourceFactory, thus avoiding the JNDI hassle?

What about using Tomcat's Resource configuration in context.xml which results in putting a DataSource into the JNDI context.

Is there a compelling reason to use your own DataSourceFactory? If so, I believe you can configure Resource to use that. See http://tomcat.apache.org/tomcat-6.0-doc/jndi-resources-howto.html for more information.

-chris

Chris,

The main reason for using my own DataSourceFactory is to have all configuration in one place so in case of any changes to configuration only one class has to be updated no matter what application uses the DSF. As we have quite a heterogenous infrastructure, it currently contains connection information for 7 Databases with individual ConnectionCustomizers etc. (and changes appear quite frequently...).

I will try with the <Resource>, thanks a lot for the hint ;-)

I believe you can set shared configuration either in conf/context.xml (the default context.xml for all webapps, and will therefore be inherited by all deployed webapps) or you can put Resource elements into server.xml under GlobalNamingResources and then map them to each webapp you deploy. See http://tomcat.apache.org/tomcat-6.0-doc/config/globalresources.html for more information, here.

-chris
Re: java.lang.ClassNotFoundException: org.apache.catalina.realm.CombinedRealm
Worked like a charm. However I don't seem to be able to add multiple role-name's to my web.xml (application). Isn't it as simple as this?

web.xml within security constraint:

<auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>CN=AD Group,OU=BLAh,DC=blah</role-name>
    <role-name>CN=AD user account,OU=Blah,DC=blah</role-name>
</auth-constraint>

and within security-role:

<role-name>CN=AD Group,OU=BLAh,DC=blah</role-name>
<role-name>CN=AD user account,OU=Blah,DC=blah</role-name>

The first AD group works, but the second line, user account doesn't have access??

My CombinedRealms are:

<Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           DEBUG="99"
           connectionName="CN=svc,OU=blah,OU=blah,blah"
           connectionPassword="*"
           connectionURL="ldap://dc:port;"
           referrals="follow"
           roleBase="OU=where AD Group is located,OU=blah,DC=blah"
           roleName="distinguishedName"
           roleSearch="member={0}"
           roleSubtree="false"
           userBase="DC=blah"
           userSearch="sAMAccountName={0}"
           userSubtree="true" />
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           DEBUG="99"
           connectionName="CN=svc,OU=blah,DC=blah"
           connectionPassword="**"
           connectionURL="ldap://dc:port;"
           referrals="follow"
           roleBase="OU=AD group where user account is located,OU=blah,DC=blah"
           roleName="distinguishedName"
           roleSearch="member={0}"
           roleSubtree="false"
           userBase="DC=blah"
           userSearch="sAMAccountName={0}"
           userSubtree="true" />
</Realm>

Thanks for all your help guys.

Konstantin Kolinko wrote:
Use the latest version. CombinedRealm was added in 6.0.20. (or in 6.0.19, but that version was never released) http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Best regards,
Konstantin Kolinko
Re: Writable JNDI Naming Context?
Christopher Schultz wrote:
Jens,

On 11/19/2009 5:22 PM, Jens Greven wrote:
Christopher Schultz wrote:
Jens,

On 11/19/2009 2:59 PM, Jens Greven wrote:
is there a way of having a writeable JNDI context in Tomcat? I need one to place dataSources in it, because I have a perfectly running DataSourceFactory that is used in other applications as well, so I'd prefer to use this one above everything else to avoid database configurations in multiple places. Or is there a way of telling hibernate to get connections from my DataSourceFactory, thus avoiding the JNDI hassle?

What about using Tomcat's Resource configuration in context.xml which results in putting a DataSource into the JNDI context.

Is there a compelling reason to use your own DataSourceFactory? If so, I believe you can configure Resource to use that. See http://tomcat.apache.org/tomcat-6.0-doc/jndi-resources-howto.html for more information.

-chris

Chris,

The main reason for using my own DataSourceFactory is to have all configuration in one place so in case of any changes to configuration only one class has to be updated no matter what application uses the DSF. As we have quite a heterogenous infrastructure, it currently contains connection information for 7 Databases with individual ConnectionCustomizers etc. (and changes appear quite frequently...).

I will try with the <Resource>, thanks a lot for the hint ;-)

I believe you can set shared configuration either in conf/context.xml (the default context.xml for all webapps, and will therefore be inherited by all deployed webapps) or you can put Resource elements into server.xml under GlobalNamingResources and then map them to each webapp you deploy. See http://tomcat.apache.org/tomcat-6.0-doc/config/globalresources.html for more information, here.

My problem is that I do not only deal with web applications, but also common desktop applications using JDBC connections and partly hibernate. If it were only for webapps I would certainly use the Tomcat context ;-)

My approach was to create my own DSF as mentioned above, for the desktop applications using hibernate I initialize the DataSources and bind them to a JNDI context, so I can access them for JDBC access as well as use them with my hibernate SessionFactory (which uses DataSources from JNDI context as well, of course).

It worked well so far, just when I wanted to initialize the DataSources in my web app, I became aware of the fact that the Tomcat JNDI context is read only... Which explains my first approach (as you can find in the subject ;-) to replace it with a writeable JNDI context.
Re: Writable JNDI Naming Context?
Jens,

On 11/19/2009 5:44 PM, Jens Greven wrote:
My problem is that I do not only deal with web applications, but also common desktop applications using JDBC connections and partly hibernate. If it were only for webapps I would certainly use the Tomcat context ;-)

This just sounds like a deployment issue: if you're building a non-webapp, provide the configuration and your own DataSource bundled together to populate the JNDI context. If you are building a webapp, provide the same configuration inside META-INF/context.xml. In either case, the code always locates the DataSource within the JNDI context.

-chris
Tomcat 6 on Windows Vista 64bit
Has anyone successfully installed Tomcat 64 bit on Windows Vista Business 64bit OS?

Thanks.
Tuan
RE: Howto Socket (TCP / IP ) reading from a war application on Tomcat
Hi

This is not Fun dude...

I know how to write a SOCKET Programming for Standalone, How do I write a socket Listener for WEB Application running over TOMCAT when the application is up and running.?

Please be serious...I asked for some help or ideas :(

With regards
KArthik

-----Original Message-----
From: Ronald Klop [mailto:ronald-mailingl...@base.nl]
Sent: Thursday, November 19, 2009 9:06 PM
To: Tomcat Users List
Subject: Re: Howto Socket (TCP / IP ) reading from a war application on Tomcat

On Thu, 19 Nov 2009 14:59:16 +0100, Karthik Nanjangude <karthik.nanjang...@xius-bcgi.com> wrote:
Hi

Can somebody provide me a sample code for Socket (TCP / IP ) reading from a war application on Tomcat

Can Listeners be made use of for the same?

Reason: I need to Accept / Reply a XML File over the socket port from 3rd party application (as Client )

Also the Soap (Approached was not recommended for this existing application )

With regards
Karthik

See here for some examples: http://tinyurl.com/ylq2zlj
RE: Importing CERTIFICATE into Java Keystore
Chris, thank you for your reply. And thank you so much for taking the time and trouble to explain all this to me. I really don't know much about JNDI. I don't even know where and how it is configured. But, I am going to try your suggestions, and see if it works out. If you want, I could keep you posted on this. Thanks again.

Regards
Stephen

Date: Thu, 19 Nov 2009 15:22:07 -0500
From: ch...@christopherschultz.net
To: marr...@hotmail.com
CC: users@tomcat.apache.org
Subject: Re: Importing CERTIFICATE into Java Keystore

Stephen,

On 11/19/2009 2:42 AM, Stephen . wrote:
My JAVA folder has 3 different locations which contain the command KEYTOOL I don't even know which of them is supposed to hold the certificate.

None of those hold any certificates: they are just programs that operate on files called keystores. A keystore is a specially-formatted file that contains one or more certificates and keys. You can create a new one or use an existing one. Typically, your JVM has a system-level keystore installed that contains all of the special top-level certificates from the big guys like VeriSign and Thawte. That allows your JVM to trust certificates signed by those certificate authorities. X.509 (which is what all this stuff is defined as) is built on a tree of trust where a small number of implicitly-trusted entities (VeriSign, Thawte, etc.) are allowed to dictate who is and who is not trusted on the web via these certificates. It's a great racket.

Yesterday, just to be on the safe side, I imported my certificate into ALL 3 locations (under 3 different aliases)

The real question was which keystore you were operating on. From the 'keytool' manual page:

Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the user.home system property.

So, do you have a file in ~/.keystore? If so, it's likely to be the place where all the certificates you are (re-)importing are going. You need to configure this keystore to be the one that is used for your JNDI connection. How are you configuring your JNDI resource? Please post the configuration (minus any passwords, of course) and tell us where that configuration appears.

Then I found yet another command online which says that, it's not enough to import the certificate into keystore. It needs to be imported directly into the CACERT file.

That sounds like malarkey.

To make matters even worse, I found yet another advice in Tomcat's documentation, saying : before importing the certificate, you need to first import a so-called TRUST CHAIN.

That may be possible. See... the big guys like VeriSign don't have just a single certificate/key that they use to sign your certificate(s): they have dozens. That is, in the tree of trust, there are many branches. There are many reasons for that which I won't go into, here. Basically, VeriSign's top-level cert (and they have more than one) trusts VeriSign's mid-level certs, which in turn trust VeriSign's lowest-level cert, which trusts you. If you want the JVM to trust your certificate, you need to provide your certificate (duh!) plus the 2 intervening (chain) certificates to bridge the chain of trust from your cert to the top-level VeriSign cert that ships with the JVM.

In some places, it says you need this trust chain if the certificate was applied for by yourself.

That statement is a bit ambiguous.

is it:
keytool -import -file tomcatCert.crt -trustcacerts -alias tomcat -keystore c:/apps/jdk/jre/lib/security/cacerts -storepass changeit
or is it :
keytool -import -alias root -keystore your_keystore_filename -trustcacerts -file filename_of_the_chain_certificate

It's both, or neither :)

Usually, you don't want to modify the keystore that came with the JVM (that's c:/apps/jdk/jre/lib/security/cacerts). Why? Because if you upgrade your JVM, then your trusted certs will appear to vanish because the new JVM ships with a new cacerts file which doesn't include your changes.

What would be best is something like this (the \s in here are a *NIX-style command continues on the next line convention... they are not intended to be actually entered on the command line, but indicate that you shouldn't press ENTER at the end of each line of text):

keytool -import \
    -file chain-1-cert.crt \
    -trustcacerts \
    -alias chain-1 \
    -keystore path\to\my\keystore

(then enter the password when prompted)

This will import one of the chain certificates you may need to import for whoever signed your certificate. Who did sign it, by the way? Repeat that command for each