Re: Issue while using SSL with Embedded Tomcat 6.0.37
Hi Chris,

Thanks for the code, it helped a lot.

Now, using that code on my server machine I found out that TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA is not even in the default ciphers for jdk1.6.0_39.

Isn't this a strange behaviour? Server can only select available ciphers, I suppose.

Thanks
Chirag

On Tuesday, 8 October 2013 9:10 PM, Christopher Schultz wrote:

> Chirag,
>
> On 10/8/13 6:01 AM, Chirag Dewan wrote:
> > I am using Embedded Tomcat 6.0.37. I have a servlet which is
> > running over HTTPS using SSL Connector. I have a Java Keystore with
> > Customer Certificate imported in it.
> >
> > Now, there is a HTTP Client on the customers end which connects
> > with the servlet over HTTPS (I have very little information about
> > the customers client configuration)
> >
> > The problem we are facing is:
> >
> > For the first request from Client, the SSL handshaking fails.
>
> How, specifically? What do you observe on the server? What do you observe on the client?
>
> > From second request, handshaking is completed successfully and the
> > requests are processed. I have observed when Server selects
> > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cipher suite, only then
> > the Server sends a reset to the client and the handshaking fails.
> > On second request, with same cipher suite, it works fine.
>
> So the first request and second request seem to both negotiate the same cipher suite (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) but the first one fails?
>
> > Can anyone assist me in understanding why it is failing for the
> > first time? And is there any way I can force the Tomcat not to
> > select this cipher suite? Or any other way that I can resolve this
> > issue.
>
> See the Connector documentation, specifically the "cipherSuites" attribute. Unfortunately, Tomcat's cipherSuites configuration is only explicit... you can't say something like "defaults without TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA".
>
> See this thread in the archives for a short program that will dump-out the available cipher suites and indicates which ones are available by default in your environment (note that the results will change for every different version of Java you use):
>
> http://markmail.org/message/zn4namfhypyxum23
>
> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
HOWTO Same web application serving UI / SOAP ?
Hi

Does anybody have any brainstorming ideas for the following?

With a single Web Application installation:

Use a Web application for the Web based - Browser Interface.
Use the same Web application for exposing the SOAP based - Client Interface.

URL should be same and no changes either of Browser / Soap.

Web : http://:8080/App/jsp/abcd.jsp
Soap : http://8080/App/services/abcd.wsdl

How to achieve the same?
Bad Gateway
We are getting a "Bad Gateway" error when attempting to go to a web app in our test environment. As far as we know it has never worked in our test environment, but it is working in our production environment. I know this appears backwards, but we inherited this system as is.

I hope there is not too much information below, but I wanted to provide as much as I could think of that might be relevant. If anybody has any ideas on what to check next, it would be very much appreciated, as we are stuck.

We have compared as many configuration files as we know of between the two environments, and have found some differences and made changes so they match, and restarted Apache or Tomcat as appropriate, but we still get the error.

Here is the error, as displayed by Internet Explorer 8:

    Bad Gateway
    The proxy server received an invalid response from an upstream server.
    Apache Server at Port 6443

We're using Apache 2.2.15 and Tomcat 6.0.35, installed on different servers (both HP-UX), which we will call server-A (Apache) and server-B (Tomcat). Apache is stand-alone and Tomcat is installed as part of another application.

And here is the flow of control (the load balancer distributes to two Apache servers, but we only show one here):

    browser ->https-> load balancer ->https-> Apache server-A (6443)-> https-> Tomcat server-B (53309)->http-> other servers

The only log file that contained an error was the Apache access_log on server-A:

    [error] (502): proxy: pass request body failed to xxx.xxx.xxx.xxx:53309 (server-B's FQDN)

(where xxx.xxx.xxx.xxx is server-B's IP)

The Apache's ssl.conf on server-A defines a virtual host that passes requests coming in on port 6443 to Tomcat on server-B port 53309. Here are a few details from the ssl.conf:

    Listen 0.0.0.0:6443
    SSLEngine on
    SSLProtocol TLSv1
    ProxyPass / https://server-B:53309/

We confirmed there is connectivity from server-A to port 53309 on server-B using telnet on server-A:

    [server-A]>telnet server-B 53309
    Trying...
    Connected to server-B.
    Escape character is '^]'.
    telnet> quit
    Connection closed.
    [server-A]>

We confirmed that server-B is listening on port 53309:

    netstat -a | grep 53309
    tcp0 0 *.53309*.* LISTEN

We confirmed that Tomcat on server-B is configured to handle port 53309, from this excerpt from its server.xml:

We confirmed Tomcat was started successfully on server-B and listening on port 53309, from the application log:

    2013-08-22 18:01:49,321 INFO : Succesfully started Apache Tomcat/6.0.35 @ Catalina:53309

Any ideas on what might be going on?
In Tomcat JULI, do the 'facility specific' loggers become per-webapp logger roots?
Please answer at Stackoverflow, and I'll report the results back to this list:

http://stackoverflow.com/questions/19261727/in-tomcat-juli-do-the-facility-specific-loggers-become-per-webapp-logger-root

The intent behind this question is very similar to that asked in 2011: "How to externalize a webapp's logging.properties?", but it was never adequately answered:

http://marc.info/?l=tomcat-user&m=131831958930163&w=2

In general, I'm really grumpy when I have to unpack a WAR and fiddle with some files **each time** I deploy it. If there is some more-general mechanism for allowing a deployer (remember those things called 'roles' from the EJB 1.0 spec, anyone?) to override configuration settings which have unfortunately been embedded in the WAR file, I'd **love** to know about it. I haven't spotted anything about this in the Tomcat doco so far.

thanks,
*David Bullock*
Re: Issue while using SSL with Embedded Tomcat 6.0.37
Hi,

For this particular cipher, the server sends a RST to the client after the certificate exchange is done. And the handshaking fails, for the first time only. Second request onwards handshaking happens and the traffic flows as usual.

What I understand is, I can provide a set of ciphers to the connector and the client will select from that particular set and can thus avoid the particular cipher.

Can I do this in embedded tomcat? And what set of ciphers should I allow with that connector?

Thanks!
Chirag
Deploy web app with context version by tomcat-maven-plugin
Dear tomcat experts,

I am using Tomcat 7. In the manager html interface, there is a column named version in the list of applications table.

I read the document here http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Naming to find the way to set version for my web application.

I deploy my web application by tomcat-maven-plugin

    org.codehaus.mojo
    tomcat-maven-plugin
    1.1
    ${project.build.directory}/${project.build.finalName}.war
    http://myhostname.com:8080/manager/text
    /
    ##${project.version}
    tomcat
    xxx

Please help me how can I set the version for my web app. If I manually deploy I just rename the war to ROOT#version.war.

Thanks & best regards
Phuoc Nguyen
Re: Issue while using SSL with Embedded Tomcat 6.0.37
Chris,

On 8.10.2013 17:40, Christopher Schultz wrote:
> > Can anyone assist me in understanding why it is failing for the
> > first time? And is there any way I can force the Tomcat not to
> > select this cipher suite? Or any other way that I can resolve this
> > issue.
>
> See the Connector documentation, specifically the "cipherSuites" attribute. Unfortunately, Tomcat's cipherSuites configuration is only explicit... you can't say something like "defaults without TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA".

I guess you mean "ciphers" (for BIO and NIO connectors) and "SSLCipherSuite" (for APR connector). Here are examples for both.

E.g.1.

    ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

E.g.2.

    SSLCipherSuite="EDH+aRSA:3DES:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS"

-Ognjen
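
An added example (not code from this thread, the linked archive message, or Tomcat): a small JSSE program that prints an explicit "ciphers" value equal to this JVM's default server cipher suites minus the ones to exclude, which is the "defaults without X" list the attribute cannot express directly. It compares names with the leading SSL_ or TLS_ prefix removed, on the assumption that the JVM may list a suite under either prefix; the class name and the default exclusion are illustrative.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

/** Added example: build an explicit cipher list from the JVM defaults. */
public class CipherListBuilder {

    /** Strip a leading SSL_ or TLS_ so both spellings of a suite compare equal (assumption). */
    static String normalize(String suite) {
        if (suite.startsWith("SSL_") || suite.startsWith("TLS_")) {
            return suite.substring(4);
        }
        return suite;
    }

    static Set<String> normalizeAll(String[] suites) {
        Set<String> out = new HashSet<String>();
        for (String s : suites) {
            out.add(normalize(s));
        }
        return out;
    }

    /** Keep the default suites, in the JVM's own order, that are not excluded. */
    static List<String> withoutExcluded(String[] defaults, Set<String> excluded) {
        List<String> kept = new ArrayList<String>();
        for (String suite : defaults) {
            if (!excluded.contains(normalize(suite))) {
                kept.add(suite);
            }
        }
        return kept;
    }

    static String join(List<String> suites) {
        StringBuilder sb = new StringBuilder();
        for (String s : suites) {
            if (sb.length() > 0) {
                sb.append(", ");
            }
            sb.append(s);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Suites to drop: command-line arguments, or the suite discussed in the thread.
        String[] toExclude = args.length > 0
                ? args
                : new String[] {"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"};

        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] defaults = factory.getDefaultCipherSuites();
        Set<String> defaultNames = normalizeAll(defaults);
        Set<String> supportedNames = normalizeAll(factory.getSupportedCipherSuites());

        // Report where each excluded suite stands on this JVM before dropping it.
        for (String name : toExclude) {
            String n = normalize(name);
            String status = defaultNames.contains(n) ? "enabled by default"
                    : supportedNames.contains(n) ? "supported but not enabled by default"
                    : "not supported by this JVM";
            System.out.println(name + ": " + status);
        }

        List<String> kept = withoutExcluded(defaults, normalizeAll(toExclude));
        if (kept.isEmpty()) {
            System.err.println("No cipher suites left after exclusion");
            System.exit(1);
        }
        // Value for the BIO/NIO connector's "ciphers" attribute.
        System.out.println("ciphers=\"" + join(kept) + "\"");
    }
}
```

The output depends on the JVM it runs on, so run it with the same Java installation that runs Tomcat and regenerate the list after a Java upgrade.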
Re: Log4J2 and Tomcat (Was: Override logging)
On 10/08/2013 12:27 PM, Christopher Schultz wrote:
> Interested in giving it a try?

I wouldn't mind. I'm still poking at 1.2 a bit to see if I can make it work for this project, but yeah, I'm happy to give it a go. =)

Warm Regards,
Jordan Michaels
Re: Log4J2 and Tomcat (Was: Override logging)
On 10/08/2013 12:22 PM, Christopher Schultz wrote:
> Note that you are a few versions behind: log4j 1.2.x is currently at 1.2.17. I'm not sure if the differences between 1.2.9 and 1.2.17 affect you.
>
> -chris

Indeed. Thanks for pointing that out. =)

Warm Regards,
Jordan Michaels
Re: [OT] Log4J2 and Tomcat (Was: Override logging)
Jordan,

On 10/8/13 2:54 PM, Jordan Michaels wrote:
> Interesting that you're bringing this up, I'm researching similar
> things for a project. Specifically, I'm looking over the
> documentation at the bottom of the page here regarding log4j:
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html
>
> ...and log4j 1.2.9 seems to work great. Has anyone tried this same
> method with the upcoming log4j2? IE: would the current
> tomcat-juli.jar, and tomcat-juli-adapters.jar work with log4j2?

Probably not. I haven't looked at the auto-detection code that Tomcat's "full Apache Commons Logging implementation [which is] thus is able to discover the presence of log4j and configure itself" uses, but I suspect it will require some tweaks before you can switch. It will likely require the use of log4j-1.2-api.jar as well.

Interested in giving it a try?

-chris
Re: [OT x 2] Log4J2 and Tomcat (Was: Override logging)
Jordan,

On 10/8/13 2:54 PM, Jordan Michaels wrote:
> Interesting that you're bringing this up, I'm researching similar
> things for a project. Specifically, I'm looking over the
> documentation at the bottom of the page here regarding log4j:
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html
>
> ...and log4j 1.2.9 seems to work great. Has anyone tried this same
> method with the upcoming log4j2? IE: would the current
> tomcat-juli.jar, and tomcat-juli-adapters.jar work with log4j2?
>
> Just curious mostly, I'm pretty happy with log4j 1.2.9 as it is.
> As usual, the Tomcat and log4j dev teams have done amazing work
> there.

Note that you are a few versions behind: log4j 1.2.x is currently at 1.2.17. I'm not sure if the differences between 1.2.9 and 1.2.17 affect you.

-chris
Log4J2 and Tomcat (Was: Override logging)
Interesting that you're bringing this up, I'm researching similar things for a project. Specifically, I'm looking over the documentation at the bottom of the page here regarding log4j:

http://tomcat.apache.org/tomcat-7.0-doc/logging.html

...and log4j 1.2.9 seems to work great. Has anyone tried this same method with the upcoming log4j2? IE: would the current tomcat-juli.jar, and tomcat-juli-adapters.jar work with log4j2?

Just curious mostly, I'm pretty happy with log4j 1.2.9 as it is. As usual, the Tomcat and log4j dev teams have done amazing work there.

Warm Regards,
Jordan Michaels

On 10/08/2013 07:00 AM, Geoff Meakin wrote:
> I've been asked to host a couple of tomcat third-party webapps which all have either logging.properties or log4j configurations (internally).
>
> My question is, as a sysadmin who only gets to run the tomcat container, can I override all the logging configurations of my apps. For example, I don't use disks to log, I use syslog, and want to force all tomcat logs to go over syslog.
>
> I've read all the docs on JULI and log4j, and my head has exploded, and I appreciate there are ways to do this in the properties file of the app itself. However, I can't change the apps, and want to override all at the container level. Is this possible? I can't imagine that it wouldn't be.
>
> Hope this isn't too much of a n00b question.
Re: SpnegoAuthenticator gives GSSException (Desired initLifetime) wih IBM JDK
On 2013-10-08 10:39, Chawla, Rachit wrote:
> Hi All,
>
> I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 but not able to get it working. We tried on 7.0.29 version too. Since I get Login Successful in logs, I assume Kerberos login was successful. It's SpnegoAuthentication that is failing.
>
> Exception:
>
>     java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11, minor code: 0
>     major string: General failure, unspecified at GSSAPI level
>     minor string: Desired initLifetime zero or less
>
> Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as reference.
>
> On decompiling SpnegoAuthenticator code, we saw that we are using GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the reason for the exception.
>
>     final PrivilegedExceptionAction action = new PrivilegedExceptionAction() {
>         @Override
>         public GSSCredential run() throws GSSException {
>             return manager.createCredential(null,
>                     GSSCredential.DEFAULT_LIFETIME,
>                     new Oid("1.3.6.1.5.5.2"),
>                     GSSCredential.ACCEPT_ONLY);
>         }
>     };

Hi,

I am using the same source code for my SpnegoAuthenticator with an Oracle JVM on Windows and a HP VM on HP-UX. Something must be different/wrong with the JGSS Provider from IBM. What you could do is download my source [1], change the lifetime to GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.

Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html
Re: Override logging
2013/10/8 André Warnier:
> Geoff Meakin wrote:
>>
>> I've been asked to host a couple of tomcat third-party webapps which all
>> have either logging.properties or log4j configurations (internally).
>>
>> My question is, as a sysadmin who only gets to run the tomcat container,
>> can I override all the logging configurations of my apps. For example, I
>> don't use disks to log, I use syslog, and want to force all tomcat logs to
>> go over syslog.
>>
>> I've read all the docs on JULI and log4j, and my head has exploded, and I
>> appreciate there are ways to do this in the properties file of the app
>> itself. However, I can't change the apps, and want to override all at the
>> container level. Is this possible? I can't imagine that it wouldn't be.
>>
>
> +1
>
>
>> Hope this isn't too much of a n00b question.
>>
>
> No, it isn't. It is a very good question, very relevant to people such as
> you (and I) who mostly have to manage tomcats rather than developing apps
> for tomcat.
>
>

Did you happen to try something with slf4j? That would be my first try: get all application logging to slf4j and then manage it as I want.

I don't even know if it is possible at all, and you will probably have to touch the web app to replace the libraries used by the slf4j bridge.

I'm also greatly interested if you find something usable.
Re: Does maxActive limit the size of threadpool?
On Tue, Oct 8, 2013 at 10:14 AM, Daniel Mikusa wrote:
> On Oct 8, 2013, at 12:31 PM, John Rellis wrote:
>
>> Hi,
>>
>> Tomcat : 7.0.33
>> Java : 6
>> JDBC Pool : 1.0.9.3
>> Grails : 1.3.9
>>
>> I am having difficulty understanding some of the documentation for the
>> tomcat JDBC thread pool and I was hoping somebody could clarify.
>>
>> If I have maxActive set to 100, does this mean that the size of the pool is
>> limited to 100, so 50 idle + 50 active for example?
>
> That's my understanding of how it works.
>
>> Or can I have 100
>> active connections and 100 idle connections if I so wished, meaning the
>> size could be 200 with maxActive set to 100?
>
> No, maxActive should limit the size of the pool not just "active" connections.
>
>> The reason I ask is we have an app with maxActive set to 100 and it stopped
>> handling connections when size reached 100.
>
> This sounds like the expected behavior. Are you expecting to hit the limit,
> in other words do you legitimately have 100 connections in use?
>
> As a side note, usually the pool will output some helpful logging when you
> hit a situation like this. You'll see a "PoolExhaustedException" with some
> additional information. Do you happen to have those log records?
>
> Lastly, have you tried a more recent version of the pool? Can you try the
> pool that ships with the latest download of Tomcat 7.
>
> http://search.maven.org/#artifactdetails|org.apache.tomcat|tomcat-jdbc|7.0.42|jar
>
> Dan
>
>>
>> Some debug output from when it died :
>>
>> Initial Size : 100
>> Active Connection : 28
>> Idle Connection : 0
>> Size : 100
>>
>> Max Active Connections : 100
>> Max Age : 0
>> Max Idle : 100
>> Min Idle : 80
>> Max Wait : 5000
>>
>> Log Abandoned : true
>> Remove Abandoned : true
>> Remove Abandoned Timeout : 300
>>
>> timeBetweenEvictionRunsMillis : 6
>> minEvictableIdleTimeMillis : 360
>>
>> Validation Query : SELECT 1
>>
>> Thanks,
>> John
>>
>> --
>> John Rellis
>

Hey Daniel,

Thanks for the clarification.

We shouldn't legitimately see 100 connections but we are trying to debug issues with our application that may be leaking connections, we are seeing strange behaviour that I will reference in a different post as to not confuse things.

I will also try to get our app running on the latest version of tomcat if you think that will help.

Now that we know that maxActive dictates the overall size we can adjust our setting, thanks again!

John

--
John Rellis
Re: Does maxActive limit the size of threadpool?
On Oct 8, 2013, at 12:31 PM, John Rellis wrote:

> Hi,
>
> Tomcat : 7.0.33
> Java : 6
> JDBC Pool : 1.0.9.3
> Grails : 1.3.9
>
> I am having difficulty understanding some of the documentation for the
> tomcat JDBC thread pool and I was hoping somebody could clarify.
>
> If I have maxActive set to 100, does this mean that the size of the pool is
> limited to 100, so 50 idle + 50 active for example?

That's my understanding of how it works.

> Or can I have 100
> active connections and 100 idle connections if I so wished, meaning the
> size could be 200 with maxActive set to 100?

No, maxActive should limit the size of the pool not just "active" connections.

> The reason I ask is we have an app with maxActive set to 100 and it stopped
> handling connections when size reached 100.

This sounds like the expected behavior. Are you expecting to hit the limit, in other words do you legitimately have 100 connections in use?

As a side note, usually the pool will output some helpful logging when you hit a situation like this. You'll see a "PoolExhaustedException" with some additional information. Do you happen to have those log records?

Lastly, have you tried a more recent version of the pool? Can you try the pool that ships with the latest download of Tomcat 7.

http://search.maven.org/#artifactdetails|org.apache.tomcat|tomcat-jdbc|7.0.42|jar

Dan

>
> Some debug output from when it died :
>
> Initial Size : 100
> Active Connection : 28
> Idle Connection : 0
> Size : 100
>
> Max Active Connections : 100
> Max Age : 0
> Max Idle : 100
> Min Idle : 80
> Max Wait : 5000
>
> Log Abandoned : true
> Remove Abandoned : true
> Remove Abandoned Timeout : 300
>
> timeBetweenEvictionRunsMillis : 6
> minEvictableIdleTimeMillis : 360
>
> Validation Query : SELECT 1
>
> Thanks,
> John
>
> --
> John Rellis
Does maxActive limit the size of threadpool?
Hi,

Tomcat : 7.0.33
Java : 6
JDBC Pool : 1.0.9.3
Grails : 1.3.9

I am having difficulty understanding some of the documentation for the tomcat JDBC thread pool and I was hoping somebody could clarify.

If I have maxActive set to 100, does this mean that the size of the pool is limited to 100, so 50 idle + 50 active for example? Or can I have 100 active connections and 100 idle connections if I so wished, meaning the size could be 200 with maxActive set to 100?

The reason I ask is we have an app with maxActive set to 100 and it stopped handling connections when size reached 100.

Some debug output from when it died :

Initial Size : 100
Active Connection : 28
Idle Connection : 0
Size : 100

Max Active Connections : 100
Max Age : 0
Max Idle : 100
Min Idle : 80
Max Wait : 5000

Log Abandoned : true
Remove Abandoned : true
Remove Abandoned Timeout : 300

timeBetweenEvictionRunsMillis : 6
minEvictableIdleTimeMillis : 360

Validation Query : SELECT 1

Thanks,
John

--
John Rellis
Re: Issue while using SSL with Embedded Tomcat 6.0.37
Chirag,

On 10/8/13 6:01 AM, Chirag Dewan wrote:
> I am using Embedded Tomcat 6.0.37. I have a servlet which is
> running over HTTPS using SSL Connector. I have a Java Keystore with
> Customer Certificate imported in it.
>
> Now, there is a HTTP Client on the customers end which connects
> with the servlet over HTTPS (I have very little information about
> the customers client configuration)
>
> The problem we are facing is:
>
> For the first request from Client, the SSL handshaking fails.

How, specifically? What do you observe on the server? What do you observe on the client?

> From second request, handshaking is completed successfully and the
> requests are processed. I have observed when Server selects
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cipher suite, only then
> the Server sends a reset to the client and the handshaking fails.
> On second request, with same cipher suite, it works fine.

So the first request and second request seem to both negotiate the same cipher suite (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) but the first one fails?

> Can anyone assist me in understanding why it is failing for the
> first time? And is there any way I can force the Tomcat not to
> select this cipher suite? Or any other way that I can resolve this
> issue.

See the Connector documentation, specifically the "cipherSuites" attribute. Unfortunately, Tomcat's cipherSuites configuration is only explicit... you can't say something like "defaults without TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA".

See this thread in the archives for a short program that will dump-out the available cipher suites and indicates which ones are available by default in your environment (note that the results will change for every different version of Java you use):

http://markmail.org/message/zn4namfhypyxum23

-chris
Re: Override logging
Geoff Meakin wrote:
> I've been asked to host a couple of tomcat third-party webapps which all have either logging.properties or log4j configurations (internally).
>
> My question is, as a sysadmin who only gets to run the tomcat container, can I override all the logging configurations of my apps. For example, I don't use disks to log, I use syslog, and want to force all tomcat logs to go over syslog.
>
> I've read all the docs on JULI and log4j, and my head has exploded, and I appreciate there are ways to do this in the properties file of the app itself. However, I can't change the apps, and want to override all at the container level. Is this possible? I can't imagine that it wouldn't be.

+1

> Hope this isn't too much of a n00b question.

No, it isn't. It is a very good question, very relevant to people such as you (and I) who mostly have to manage tomcats rather than developing apps for tomcat.
Override logging
I've been asked to host a couple of tomcat third-party webapps which all have either logging.properties or log4j configurations (internally).

My question is, as a sysadmin who only gets to run the tomcat container, can I override all the logging configurations of my apps. For example, I don't use disks to log, I use syslog, and want to force all tomcat logs to go over syslog.

I've read all the docs on JULI and log4j, and my head has exploded, and I appreciate there are ways to do this in the properties file of the app itself. However, I can't change the apps, and want to override all at the container level. Is this possible? I can't imagine that it wouldn't be.

Hope this isn't too much of a n00b question.
Re: minIdle not being respected (tomcat thread pool)
On Oct 7, 2013, at 11:14 PM, John Rellis wrote:

> Hi,
>
> Tomcat : 7.0.33
> Java : 6
> JDBC Pool : 1.0.9.3
> Grails : 1.3.9
>
> We are running a grails app that is using the tomcat JDBC thread pool, what
> we are seeing is the idle connections falling below minIdle and then
> continuously heading towards zero over the course of a few hours.
>
> I think I understand that if validation fails on a connection or a
> connection becomes abandoned, it will be removed from the pool but
> shouldn't the pool attempt to climb back up to minIdle
> every timeBetweenEvictionRunsMillis?? We are not seeing this behaviour at
> all.

I don't believe so. The pool cleaner checks for abandoned and idle connections. It first looks at the number of idle connections and checks to see if there are too many idle connections hanging around. If there are, it checks to see if it can release any connections. Then if configured to, it validates idle connections. The important thing to note is that it only removes connections, it won't add new ones.

If you want to take a look check out the PoolCleaner class here.

https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/ConnectionPool.java

> I am really confused by the behaviour I am seeing so any help that stops
> our connections tending towards zero is greatly appreciated!

It sounds like your connections might be failing validation. Since your validation query looks good, perhaps the connections are being disconnected from the server or a firewall in between your Tomcat server and database server. Does your database server have a connection timeout? If there is a firewall, does it restrict how long connections can remain open and idle?

Dan

>
> -- The Grails WAR contains --
>
> com.springsource.org.apache.juli.extras-6.0.24.jar
> com.springsource.org.apache.tomcat.jdbc-1.0.9.3.jar
>
> -- Datasource parameters --
>
>    maxActive = 100
>    maxIdle = 100
>    minIdle = 80
>    initialSize = 100
>    maxWait = 5000
>    validationQuery = 'SELECT 1'
>    validationInterval = 3 //validate at most every 30 seconds
>    testWhileIdle = true
>    logAbandoned = true
>    removeAbandoned = true
>    removeAbandonedTimeout = 300 //seconds
>    timeBetweenEvictionRunsMillis = 6 //run evictor every minute
>    minEvictableIdleTimeMillis = 360 //anything idle for more than
> an hour, evict, I am assuming validation means they will not be idle
>
>
> -- Debug Print out to the log --
>
> Pool Name : Tomcat Connection Pool[1-882332278]
> Initial Size : 100
> Active Connection : 1
> Idle Connection : 66
> Size : 81
>
> Max Active Connections : 100
> Max Age : 0
> Max Idle : 100
> Min Idle : 80
> Max Wait : 5000
>
> Log Abandoned : true
> Remove Abandoned : true
> Remove Abandoned Timeout : 300
>
> timeBetweenEvictionRunsMillis : 6
> minEvictableIdleTimeMillis : 360
>
> Validation Query : SELECT 1
>
>
> --
> John Rellis
Re: Issue while using SSL with Embedded Tomcat 6.0.37
Chirag Dewan wrote:

> Hi All,
>
> I am using Embedded Tomcat 6.0.37. I have a servlet which is running over HTTPS using SSL Connector. I have a Java Keystore with Customer Certificate imported in it.

I cannot answer your question, but I think that in order to be helped faster, it would be a good idea to paste here your Tomcat SSL configuration : ...

> Now, there is a HTTP Client on the customers end which connects with the servlet over HTTPS (I have very little information about the customers client configuration)
>
> The problem we are facing is:
>
> For the first request from Client, the SSL handshaking fails. From second request, handshaking is completed successfully and the requests are processed. I have observed when Server selects TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cypher suite, only then the Server sends a reset to the client and the handshaking fails. On second request, with same cypher suite, it works fine.
>
> Can anyone assist me in understanding why it is failing for the first time? And is there any way I can force the Tomcat not to select this cypher suite? Or any other way that I can resolve this issue.
>
> Thanks a lot.
>
> Chirag Dewan
Issue while using SSL with Embedded Tomcat 6.0.37
Hi All,

I am using Embedded Tomcat 6.0.37. I have a servlet which is running over HTTPS using SSL Connector. I have a Java Keystore with Customer Certificate imported in it.

Now, there is a HTTP Client on the customers end which connects with the servlet over HTTPS (I have very little information about the customers client configuration)

The problem we are facing is:

For the first request from Client, the SSL handshaking fails. From second request, handshaking is completed successfully and the requests are processed. I have observed when Server selects TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cypher suite, only then the Server sends a reset to the client and the handshaking fails. On second request, with same cypher suite, it works fine.

Can anyone assist me in understanding why it is failing for the first time? And is there any way I can force the Tomcat not to select this cypher suite? Or any other way that I can resolve this issue.

Thanks a lot.

Chirag Dewan
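An added example, not part of the original message and not Tomcat code: because the Connector takes only an explicit cipher list, "the defaults minus one suite" has to be generated from the JVM that runs Tomcat. The class name `CipherListWithout` is hypothetical; names are compared without their `SSL_`/`TLS_` prefix because JSSE reports some suites as `SSL_...` (for example `SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA`) where a packet capture shows `TLS_...`.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

// Example only: prints the JVM's default-enabled cipher suites minus the unwanted ones.
public class CipherListWithout {

    // JSSE names some suites SSL_... where captures show TLS_...; compare without the prefix.
    static String stripPrefix(String suite) {
        if (suite.startsWith("TLS_") || suite.startsWith("SSL_")) {
            return suite.substring(4);
        }
        return suite;
    }

    // Returns the entries of 'enabled' whose prefix-stripped name is not in 'unwanted'.
    static List<String> without(String[] enabled, String[] unwanted) {
        Set<String> drop = new HashSet<String>();
        for (String u : unwanted) {
            drop.add(stripPrefix(u.trim()));
        }
        List<String> keep = new ArrayList<String>();
        for (String suite : enabled) {
            if (!drop.contains(stripPrefix(suite))) {
                keep.add(suite);
            }
        }
        return keep;
    }

    public static void main(String[] args) {
        // Suite named in the thread; pass other names as arguments to exclude those instead.
        String[] unwanted = args.length > 0 ? args
                : new String[] { "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" };
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] defaults = factory.getDefaultCipherSuites();
        List<String> keep = without(defaults, unwanted);

        System.err.println("default-enabled: " + defaults.length + ", kept: " + keep.size());
        StringBuilder list = new StringBuilder();
        for (String suite : keep) {
            if (list.length() > 0) list.append(',');
            list.append(suite);
        }
        System.out.println(list); // comma-separated value for an explicit cipher list
    }
}
```

Run it with the same Java installation that runs Tomcat and regenerate the list after every Java upgrade, since the default set changes between versions. The output is meant for the HTTP connector's cipher attribute (`ciphers` in the Tomcat 6 connector documentation; check the documentation for the version in use).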
SpnegoAuthenticator gives GSSException (Desired initLifetime) with IBM JDK
Hi All,

I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 but not able to get it working. We tried on 7.0.29 version too. Since I get Login Successful in logs, I assume Kerberos login was successful. It's SpnegoAuthentication that is failing.

Exception:

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Desired initLifetime zero or less

Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as reference.

On decompiling SpnegoAuthenticator code, we saw that we are using GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the reason for the exception.

    final PrivilegedExceptionAction action = new PrivilegedExceptionAction() {
        @Override
        public GSSCredential run() throws GSSException {
            return manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"),
                    GSSCredential.ACCEPT_ONLY);
        }
    };

Environment details are:

OS: AIX
Java:
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr11-20120806_01(SR11))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr11-20120801_118201 (JIT enabled, AOT enabled)
J9VM - 20120801_118201
JIT - r9_20120608_24176ifx1
GC - 20120516_AA)
JCL - 20120713_01
Tomcat Version : 7.0.42

I tried with Java 6 (SR9), 7 (SR1,SR5), but I always get stuck on below error.

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Desired initLifetime zero or less

We get following output from catalina/log.
[JGSS_DBG_CRED] JAAS config: debug=true
[JGSS_DBG_CRED] JAAS config: credsType=accept only
[JGSS_DBG_CRED] config: useDefaultCcache=false (default)
[JGSS_DBG_CRED] config: useCcache=null
[JGSS_DBG_CRED] config: useDefaultKeytab=false
[JGSS_DBG_CRED] config: useKeytab=file:/home/qauser1/racTemp/apache-tomcat-7.0.29/conf/qafalcon.keytab
[JGSS_DBG_CRED] JAAS config: forwardable=false (default)
[JGSS_DBG_CRED] JAAS config: renewable=false (default)
[JGSS_DBG_CRED] JAAS config: proxiable=false (default)
[JGSS_DBG_CRED] JAAS config: noAddress=false (default)
[JGSS_DBG_CRED] JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED] JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED] JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED] JAAS config: interactive login? no
[JGSS_DBG_CRED] Retrieving Kerberos creds from keytab for principal=null
[JGSS_DBG_CRED] No Kerberos creds in keytab : java.io.BufferedInputStream@28502850
[JGSS_DBG_CRED] Done retrieving Kerberos creds from keytab
[JGSS_DBG_CRED] Login successful
[JGSS_DBG_CRED] HTTP/a...@zzz.net added to Subject
[JGSS_DBG_CRED] Attempting to add 1 Kerberos key(s) to Subject for HTTP/a...@zzz.net
[JGSS_DBG_CRED] added key of type rc4-hmac
[JGSS_DBG_CRED] Successfully added 1 keys to Subject.
[JGSS_DBG_PROV] Number of system providers=9
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] 3 system providers found/added
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV] 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV] 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMSPNEGO
[JGSS_DBG_PROV] 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechs: 2 unique mechanism(s) found
[JGSS_DBG_PROV] [0]: 1.3.6.1.5.5.2
[JGSS_DBG_PROV] [1]: 1.2.840.113554.1.2.2
[JGSS_DBG_CRED] Creating mech cred for null, mech 1.3.6.1.5.5.2, usage accept only
[JGSS_DBG_PROV] Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.3.6.1.5.5.2 caller:-1
[JGSS_DBG_PROV] Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 1.6
[JGSS_DBG_PROV] Loading factory
[JGSS_DBG_PROV] Factory class name for provider IBMJGSSProvider version 1.6 is com.ibm.security.jgss.mech.spnego.SPNEGOMechFactory
[JGSS_DBG_PROV] Prior to load
[JGSS_DBG_PROV] Done to load
[JGSS_DBG_PROV] Loaded factory for provider IBMJGSSProvider ver