Possible Apache Tomcat workshop after ApacheCon 2014

2014-01-16 Thread Mark Thomas
Cross-posted to users and dev list. Please reply on the users list.

All,

There is the possibility of holding a Tomcat specific summit/workshop
after ApacheCon 2014 [1] (i.e. Thursday 10th). If there is interest, I
am happy to take the lead to organise this.

My current thinking is for a workshop that is organised along the lines
of a BarCamp [2] with a theme similar to that of the Tomcat users list
so each session is a discussion about an issue one or more users is having.

If space is available I'd like to follow this up on the Friday with a
hackathon where the primary focus is fixing any bugs identified on
Thursday and implementing any useful new features that were identified.

Before I approach the conference organisers, I'd like to know if there
is interest in this event and if folks are likely to attend. I'd expect
the BarCamp/Hackathon to be free but I don't know for sure at this
stage. Please reply to this thread if you would be interested in
attending such an event. Also, if you have ideas on how it might be
improved please reply with those too.

Thanks,

Mark


[1] http://events.linuxfoundation.org/events/apachecon-north-america
[2] http://en.wikipedia.org/wiki/BarCamp

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Oracle Application Server 10g R3 works fine with RK-1048 codepage but Tomcat 7.0.47 does not.

2014-01-16 Thread Terence M. Bandoian
On 1/16/2014 7:23 PM, Тимур Кулибаев wrote:
> Hello, Chris !  Thank you for your response.   Below are answers to your
> questions.
>
> +++If the data is correctly-stored in the database (as verified by some
> +++other means), does the fetched-data display correctly in your web pages?
>
> Yes, data is displayed correctly in web-pages. Only problem is that with Tomcat 7
> Kazakh letters are not displayed correctly. But with Oracle Application Server
> all data including Kazakh letters are displayed correctly.
>
> +++If it's not displaying correctly, please tell us what the Content-Type
> +++HTTP response header is for the page (specifically, the character
> +++encoding).
>
> For Tomcat 7:   lang="ru-RU", content="Oracle UIX", charset="UTF-8" type="text/css"
> inside of pages I can see that all user data is in UTF-8 - we need force Tomcat works
> in Windows-1251
>
> For Oracle AS:  lang="ru",content="Oracle UIX", charset="UTF-8" type="text/css"
> inside of pages I can see that all user data is in Windows-1251 that is correct.
>
> I don't know from where servlet takes charset="UTF-8" as its web.xml sets Windows-1251
> as servlet default codepage. Looking through servlet source code there is not explicit
> HttpServletResponse.setContentType().  May be it comes from UIX configuration tables
> residing in database, I'll ask developers about it and let you know.
>
> +++Also, please tell us what the character encoding is for the
> +++/database connection/ to Oracle (the one made from your application to Oracle).
> Database has CL8MSWIN1251 as default codepage and character encoding for the database
> connection to Oracle is also CL8MSWIN1251.
>
> +++Finally, how are you connecting to Oracle? Are you using a
> +++Tomcat-configured DataSource or is your web application configuring
> +++things on its own?
>
> DataSource is not used. My web-application reads jdbc-connection string from web.xml:
>
> kz.ft.uix.app.driver
>
> jdbc:oracle:thin:@10.1.102.124:1526:fb
>
>
>
> +++I can see that when you attempt to use user.language=ru and
> +++user.country=kz, you get this error from Oracle's driver:
>
> +++> org.apache.catalina.core.ApplicationContext log MESSAGE =
> +++> ORA-00604: error occurred at recursive SQL level 1 ORA-12705:
> +++> invalid or unknown NLS parameter value specified , ERRORCODE = 604
>
> +++Can you give us the whole stack trace from that?
>
> First I generated list of all available locales based on java-code given here
> http://www.avajava.com/tutorials/lessons/how-do-i-display-all-available-locales.html;jsessionid=0F8CED6D22D750F6C83FD9477A3A874D
> see attached available locales list and one does not contain "kz"
> so driver cannot understand this incorrect setting. When set "-Duser.language=ru
> -Duser.country=RU" then no errors, all is ok, only Kazakh letters displayed
> incorrectly. Tomcat 7 and Oracle AS uses the same jdbc-driver ojdbc14.jar from
> Oracle AS.  Operation systems of hosts have the same configuration.
>
> Oracle AS works in Windows-1251, it sends user data from database to browser in
> Windows-1251. Tomcat 7 works in UTF-8 , it sends user data from database to browser in UTF-8,
> it's the root of the trouble.   How to make Tomcat 7 works in Windows-1251 ?
>
> Thank you,
> waiting for your answer,
> Timur


Hi, Timur-

To send a response using the Windows 1251 character set, the character
encoding of the response should be set somewhere.  Information about the
setContentType method of HttpServletResponse, which may be used to set
the character encoding of the response, may be found here:

http://docs.oracle.com/javaee/7/api/javax/servlet/ServletResponse.html

Information about the JSP page directive, which may also be used to set
the character encoding of the response, may be found in the JavaServer
Pages Specification.

As an aside, there doesn't appear to be a body element in your HTML.  It
won't solve your problem, but, for more information, see:

http://www.w3.org/TR/html401/struct/global.html

-Terence Bandoian





Stopping/pausing a Connector

2014-01-16 Thread Randy Toor
Hi,

I'm running embedded tomcat (unfortunately still using the deprecated classes 
and not the newer Tomcat class) and I'm trying to configure my connector at 
runtime to reject requests.

If I use connector.pause(), any requests just hang until I call 
connector.resume().

If I use connector.stop(), the first request gets a 503 service unavailable, 
but any subsequent requests just hang for some reason until I start it again.

Is the latter behaviour expected?  And what would be the best way for me to get 
the 503 service unavailable (or some error) every time?

Tomcat7, by the way.
  

Re: Oracle Application Server 10g R3 works fine with RK-1048 codepage but Tomcat 7.0.47 does not.

2014-01-16 Thread Christopher Schultz

Тимур,

On 1/16/14, 8:23 PM, Тимур Кулибаев wrote:
> Hello, Chris !  Thank you for your response.   Below are answers to
> your questions.
> 
> +++If the data is correctly-stored in the database (as verified by
> some +++other means), does the fetched-data display correctly in
> your web pages?
> 
> Yes, data is displayed correctly in web-pages. Only problem is
> that with Tomcat 7 Kazakh letters are not displayed correctly. But
> with Oracle Application Server all data including Kazakh letters
> are displayed correctly.

So... data is displayed correctly in web pages or data is not
displayed correctly in web pages? You said both above.

> +++If it's not displaying correctly, please tell us what the
> Content-Type +++HTTP response header is for the page (specifically,
> the character +++encoding).
> 
> For Tomcat 7:   lang="ru-RU", content="Oracle UIX",
> charset="UTF-8" type="text/css" inside of pages I can see that all
> user data is in UTF-8 - we need force Tomcat works in
> Windows-1251.

If you are indeed setting the charset to UTF-8, then the page
character encoding should be in UTF-8. You don't want to advertise
UTF-8 and then use Windows-1251.

> For Oracle AS: lang="ru", content="Oracle UIX", charset="UTF-8" 
> type="text/css" inside of pages I can see that all user data is in 
> Windows-1251 that is correct.

If the server is advertising the character set as UTF-8 but using
Windows-1251 then that is a big bug.

I suspect you are not sure what character encoding is being used, but
you know that the characters you expect to "work" are not working.

> I don't know from where servlet takes charset="UTF-8" as its
> web.xml

Stop right there: charset=UTF-8 has nothing to do with web.xml.

> sets Windows-1251 as servlet default codepage

There is nothing called "servlet default codepage".

> Looking through servlet source code there is not explicit 
> HttpServletResponse.setContentType().  May be it comes from
> UIX configuration tables residing in database, I'll ask developers
> about it and let you know.

You will need to check that out. UIX is an Oracle technology and can
do whatever it wants to do.

> +++Also, please tell us what the character encoding is for the 
> +++/database connection/ to Oracle (the one made from your
> application +++to Oracle).

> Database has CL8MSWIN1251 as default codepage and character
> encoding for the database connection to Oracle is also
> CL8MSWIN1251.

Can you confirm that is the case? When setting user.country=kz, it
causes the connection to fail to connect because the locale isn't
supported. That makes me think that you will have to explicitly set
the charset of the connection in order for things to work. For my
money, I'd set the connection charset to UTF-8 because things just
tend to work when you use UTF-8.

> +++Finally, how are you connecting to Oracle? Are you using a 
> +++Tomcat-configured DataSource or is your web application
> configuring +++things on its own?
> 
> DataSource is not used. My web-application reads jdbc-connection
> string from web.xml:  
> kz.ft.uix.app.driver
> 
> jdbc:oracle:thin:@10.1.102.124:1526:fb 
> 
> 
> 
> +++I can see that when you attempt to use user.language=ru and 
> +++user.country=kz, you get this error from Oracle's driver:
> 
> +++> org.apache.catalina.core.ApplicationContext log MESSAGE = +++>
> ORA-00604: error occurred at recursive SQL level 1 ORA-12705: +++>
> invalid or unknown NLS parameter value specified , ERRORCODE = 604
> 
> +++Can you give us the whole stack trace from that?
> 
> First I generated list of all available locales based on java-code
> given here 
> http://www.avajava.com/tutorials/lessons/how-do-i-display-all-available-locales.html;jsessionid=0F8CED6D22D750F6C83FD9477A3A874D
> see attached available locales list and one does not contain "kz"
> so driver cannot understand this incorrect setting.

If the driver is choking on that setting, I think it's clear that some
character set is being set by whatever "kz.ft.uix.app.driver" does.

> +++Can you give us the whole stack trace from that?
> 
> [No, I can't give you that for some reason]

> When set "-Duser.language=ru -Duser.country=RU" then no errors,
> all is ok, only Kazakh letters displayed incorrectly. Tomcat 7 and
> Oracle AS uses the same jdbc-driver ojdbc14.jar from Oracle AS.
> Operation systems of hosts have the same configuration.
> 
> Oracle AS works in Windows-1251, it sends user data from database
> to browser in Windows-1251. Tomcat 7 works in UTF-8 , it sends user
> data from database to browser in UTF-8, it's the root of the
> trouble. How to make Tomcat 7 works in Windows-1251 ?

The character set used between the server and the browser should not
be an issue as long as:

a. The characters are not already corrupted, and any java.lang.String
values have correct characters
b. The page's character encoding can support the character in question
c. The server sends an accurate charac

Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

Christopher Schultz wrote:

> :)
>
> Give me OpenSSL any day of the week. ;)


Dunno. Can't recall ever having any experience with it at all. Just DCM 
(for securing IBM-proprietary servers, like their Secured Telnet [NOT 
ssh] server and their various proprietary web-serving products), and 
Keytool (for securing Tomcat, and [if I remember right] for prepping 
jar-signing keys).


--
JHHL




Re: SSL certificates

2014-01-16 Thread Christopher Schultz

James,

On 1/16/14, 6:18 PM, James H. H. Lampert wrote:
> Christopher Schultz wrote:
>> That is always true. But you don't need a certificate to create a
>> CSR.
>  If Keytool and the Java Keystore format even recognize any
> difference between the concepts of "keypair" and "self-signed
> certificate," it would be news to me. 
> 
> Speaking of one who regularly installs (and secures) Tomcat on
> AS/400s (in fact, that's the only platform I can recall EVER
> personally installing it on, because I have colleagues who know how
> to do it on other platforms): The messes people can make for
> themselves by misunderstanding the subtleties of Keytool are
> nothing, compared to the mess people can make for themselves trying
> to use IBM's Digital Certificate Manager to secure Tomcat on their
> 400s (hint: DCM and Tomcat are completely incompatible with each
> other).

:)

Give me OpenSSL any day of the week. ;)

-chris



Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Brett Delle Grazie
Mubeen,


On 16 January 2014 08:53, Mubeen Shah wrote:

> Thank you Brett for your comments.
>

You're welcome.
However as per list convention, please do not top post
(http://tomcat.apache.org/lists.html)


> Here is tomcat startup script (/etc/init.d/tomcat7)
>
> #!/bin/bash
> # tomcat start/stop script
>
> export JAVA_HOME=/usr/lib/jvm/java-7-oracle
> export CATALINA_HOME=/opt/tomcat7
>
> start() {
>     su tomcat7 -s /bin/sh -c $CATALINA_HOME/bin/startup.sh
> }
>
> stop() {
>     su tomcat7 -s /bin/sh -c $CATALINA_HOME/bin/shutdown.sh
> }
>
> case $1 in
>   start|stop) $1;;
>   restart) stop; start;;
>   *) echo "Run as $0 "; exit 1;;
> esac
>
> I made slight change in "startup.sh" file too (replaced old exec line):
> exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"
>

Which version of authbind is being used?

What does your  element in server.xml look like?
Are there any other  elements in server.xml?


>
> my setenv.sh file:
> CATALINA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true
> -Xmx512m -XX:+UseConcMarkSweepGC"
> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/apr/lib"
>

You might need to add -Djava.library.path=/usr/local/apr/lib into
CATALINA_OPTS as well
I take it you compiled libtcnative locally?



>
> I installed authbind previously and executed following lines:
> sudo touch /etc/authbind/byport/80
> sudo chmod 500 /etc/authbind/byport/80
> sudo chown tomcat7 /etc/authbind/byport/80


> When I am removing APR connector from server.xml, tomcat working fine with
> tomcat7 user.
>

Leaving the authbind call in place, can you test with your APR connector at
port > 1024 (e.g. the default 8080).
Does Tomcat start? If not, what is the error?


>
> Regards,
> Mubeen
>
> On Thu, Jan 16, 2014 at 5:41 AM, Brett Delle Grazie <
> brett.dellegra...@gmail.com> wrote:
>
> > Hi,
> >
> > See interleaved.
> >
> >
> > On 15 January 2014 16:53, Mubeen Shah  wrote:
> >
> > > Hello,
> > >
> > > I am trying to configure tomcat 7 on ubuntu machine and wanted to run it as
> > > non-root on port 80, Here is what I did so far:
> > >
> > > OS (Ubuntu 12.04 LTS):
> > >
> > > - installed oracle JDK 1.7.0_45 using "apt-get"
> > > - downloaded and extracted tomcat 7.0.50 (.gz format)
> > > - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to this
> > > user
> > > - changed tomcat default port to 80 in server.xml
> > > - installed and configured authbind tool
> > > - created sh script "/etc/init.d/tomcat7" to start tomcat as tomcat user.
> > >
> >
> > What was in this script?
> >
> >
> > > - tomcat 7 was working as expected on 80 port as non-root user.
> > >
> >
> > That is surprising, see further below.
> >
> >
> > > - later I configured APR 1.5.0 and tried to run tomcat again, I got this
> > > error:
> > >
> > > Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
> > > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
> > > Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener init
> > > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > > Jan 15, 2014 6:24:46 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> > > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
> > > Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
> > > INFO: Initializing ProtocolHandler ["http-apr-80"]
> > > Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
> > > SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-80"]
> > > java.lang.Exception: Socket bind failed: [13] Permission denied
> > > at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:430)
> > > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> > > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:664)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Meth

Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

Christopher Schultz wrote:

> That is always true. But you don't need a certificate to create a CSR.


If Keytool and the Java Keystore format even recognize any difference 
between the concepts of "keypair" and "self-signed certificate," it 
would be news to me.



Speaking of one who regularly installs (and secures) Tomcat on AS/400s 
(in fact, that's the only platform I can recall EVER personally 
installing it on, because I have colleagues who know how to do it on 
other platforms): The messes people can make for themselves by 
misunderstanding the subtleties of Keytool are nothing, compared to the 
mess people can make for themselves trying to use IBM's Digital 
Certificate Manager to secure Tomcat on their 400s (hint: DCM and Tomcat 
are completely incompatible with each other).


--
JHHL




Re: Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Erik Engstrom
the latest commons-daemon 1.0.15 makes the libcap error go away but does
not fix the CommunicationException


On Thu, Jan 16, 2014 at 4:32 PM, Erik Engstrom wrote:

> I think it is due to this bug in commons-daemon
> https://issues.apache.org/jira/browse/DAEMON-246  but it did not seem to
> keep the service from running properly.  I will try with the latest version
> that is supposed to have a fix for it but I don't think it will help this
> problem.
>
>
>
> On Thu, Jan 16, 2014 at 3:45 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Erik,
>>
>> On 1/16/14, 4:37 PM, Erik Engstrom wrote:
>> > I can get SSL working without JmxRemoteLifecycleListener, and I can
>> > get JmxRemoteLifecycleListener to work correctly without SSL.
>> > However if I try to use both I get the following error in
>> > catalina.out:
>> >
>> > failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
>> > Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
>> > SEVERE: The JMX connector server could not be created or failed to start for the Platform server
>> > java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
>> > at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
>> > at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
>> > at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
>> > at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
>> > at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>> > at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>> > at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
>> > at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
>> > at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
>> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>> > at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>> > at java.lang.reflect.Method.invoke(Unknown Source)
>> > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>> > at java.lang.reflect.Method.invoke(Unknown Source)
>> > at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
>> > Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
>> > at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
>> > at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
>> > at javax.naming.InitialContext.bind(Unknown Source)
>> > at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
>> > ... 20 more
>> > Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
>> > at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
>> > at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
>> > at sun.rmi.server.UnicastRef.newCall(Unknown Source)
>> > at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
>> > ... 24 more
>> >
>> > the ports still get opened but I can not connect via jconsole using
>> > ssl or not.  If I set com.sun.management.jmxremote.ssl=true I can
>> > connect properly without ssl.
>> >
>> > The relevant configuration from server.xml:
>> >
>> > <Listener
>> > className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
>> > rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />
>> >
>> > and java properties:
>> >
>> > -Djavax.net.ssl.keyStore=$KEYSTORE
>> > -Djavax.net.ssl.keyStorePassword=$KEY_PASS
>> > -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
>> > -Djavax.net.ssl.trustStore=$TRUSTSTORE
>> > -Djavax.net.ssl.trustStorePassword=$TRUST_PASS
>> > -Dcom.sun.management.jmxremote.registry.ssl=true
>> > -Dcom.sun.management.jmxremote
>> > -Dcom.sun.management.jmxremote.authenticate=false
>> > -Djava.rmi.server.hostname=$HOST_IP
>> > -Dcom.sun.management.jmxremote.ssl=true
>> >
>> > Is it supported to use these together?  If

Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Christopher Schultz

Brett,

On 1/16/14, 5:44 PM, Brett Delle Grazie wrote:
> Christopher,
> 
> On 16 January 2014 22:28, Christopher Schultz 
> wrote:
> 
> Brett,
> 
> On 1/15/14, 7:41 PM, Brett Delle Grazie wrote:
 On 15 January 2014 16:53, Mubeen Shah  
 wrote:
 
> Hello,
> 
> I am trying to configure tomcat 7 on ubuntu machine and
> wanted to run it as non-root on port 80, Here is what I did
> so far:
> 
> OS (Ubuntu 12.04 LTS):
> 
> - installed oracle JDK 1.7.0_45 using "apt-get" -
> downloaded and extracted tomcat 7.0.50 (.gz format) -
> created ubuntu user 'tomcat' and granted 'chown -R
> CATALINA_HOME' to this user - changed tomcat default port
> to 80 in server.xml - installed and configured authbind
> tool - created sh script "/etc/init.d/tomcat7" to start
> tomcat as tomcat user.
> 
 
 What was in this script?
 
 
> - tomcat 7 was working as expected on 80 port as non-root
> user.
> 
 
 That is surprising, see further below.
> 
> [snip]
> 
 Linux will not allow anything but root to bind on ports <
 1024. Usually the process starts as root, binds to the port
 and then drops it's privileges back to the desired user.
> 
> Note that the OP is using authbind (or at least attempting to do
> so).
> 
> 
>> Yes I missed that in the original message, thank you for pointing
>> it out.
> 
> 
> 
 You'll need to use jsvc to start Tomcat and drop privileges.
> 
> Um... authbind?
> 
> 
>> Noted.
> 
> 
> 
> Perhaps authbind doesn't work with Java and/or Tomcat/APR but this
> is precisely what authbind was designed to do.
> 
> 
>> The OP looks like they've locally compiled APR. I wonder if
>> that's the root cause.

Possibly. I seem to recall someone complaining about tcnative not
working properly with a new APR version (but I think it was 2.0, not
1.5). It's possible that libapr 1.5.0 has some incompatibility or
something.

It's also possible that authbind (I've never used it) requires some
configuration specifically against the libapr/libtcnative/etc. and not
just against Java itself. That might explain why the BIO connector
works on port 80 but not APR.

-chris
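
The authbind grant set up earlier in this thread (touch, chmod 500 and chown tomcat7 on /etc/authbind/byport/80) can be audited before looking at APR itself. The script below is an added example, not part of any poster's message: it relies on authbind's rule that a bind is authorized when the calling user has execute access to the byport/<port> file, and the function name, return codes and the AUTHBIND_DIR override are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authbind "byport" grant.
# authbind authorizes bind() to a port when the calling user has execute
# access to <dir>/<port>, so run this as the service account (e.g. tomcat7).
# AUTHBIND_DIR is an assumption of this example so the check can be tried on
# a scratch directory; the real directory is /etc/authbind/byport.
AUTHBIND_DIR="${AUTHBIND_DIR:-/etc/authbind/byport}"

# check_authbind_port PORT
# Returns 0: the caller can use the grant and only the owner holds execute
#         1: file missing, or the caller has no execute permission on it
#         2: PORT is not a number
#         3: usable, but group or other accounts hold execute as well
check_authbind_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "FAIL: port '$port' is not a number"; return 2 ;;
    esac
    f="$AUTHBIND_DIR/$port"
    if [ ! -e "$f" ]; then
        echo "FAIL: $f does not exist, authbind will refuse port $port"
        return 1
    fi

    # Numeric listing of the file itself (symlinks followed):
    # field 1 = mode string, field 3 = owner uid, field 4 = group gid.
    meta=$(ls -ldnL "$f")
    perms=$(printf '%s\n' "$meta" | awk '{ print substr($1, 1, 10) }')
    owner=$(printf '%s\n' "$meta" | awk '{ print $3 }')
    group=$(printf '%s\n' "$meta" | awk '{ print $4 }')
    ux=$(printf '%s' "$perms" | cut -c4)     # owner execute
    gx=$(printf '%s' "$perms" | cut -c7)     # group execute
    ox=$(printf '%s' "$perms" | cut -c10)    # other execute

    # Pick the permission class the kernel applies to the caller
    # (plain mode bits only; ACLs are not considered here).
    me=$(id -u)
    if [ "$me" -eq 0 ]; then
        mine="$ux$gx$ox"                     # root needs any one execute bit
    elif [ "$me" -eq "$owner" ]; then
        mine="$ux"
    elif id -G | tr ' ' '\n' | grep -qx "$group"; then
        mine="$gx"
    else
        mine="$ox"
    fi
    case "$mine" in
        *[xst]*) ;;
        *) echo "FAIL: uid $me has no execute permission on $f ($perms)"
           return 1 ;;
    esac

    # Least privilege: the thread's chmod 500 + chown leaves one account able
    # to bind the port; execute for group/other widens that to more accounts.
    case "$gx$ox" in
        *[xst]*)
            echo "WARN: $f is $perms: accounts other than uid $owner can bind port $port"
            return 3 ;;
    esac
    echo "OK: $f is $perms, uid $me may bind port $port through authbind"
}

# Stand-alone use: sh check_authbind.sh 80
if [ "$#" -gt 0 ]; then
    check_authbind_port "$1"
fi
```

A result of 0 here means the authbind grant is in order, so a remaining "Permission denied" on bind points at how the process is launched rather than at the byport file.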



Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Christopher Schultz

Mubeen,

On 1/16/14, 5:33 PM, Mubeen Shah wrote:
> Hello,
> 
> I am able to run tomcat with jsvc daemon on port 80, but I can see 
> "jsvc.exec" process twice with different pid (one with root and
> other with non-root):
> 
> root 28890  0.0  0.0 jsvc.exec -java-home
> /usr/lib/jvm/java-7-oracle -user tomcat7 -pidfile
> /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
> /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath 
> /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
> -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
> -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m 
> -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=
> -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7
> -Djava.io.tmpdir=/opt/tomcat7/temp 
> org.apache.catalina.startup.Bootstrap
> 
> tomcat7  28891  3.1  4.6 jsvc.exec -java-home
> /usr/lib/jvm/java-7-oracle -user tomcat7 -pidfile
> /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile
> /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath 
> /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
> -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
> -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m 
> -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=
> -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7
> -Djava.io.tmpdir=/opt/tomcat7/temp 
> org.apache.catalina.startup.Bootstrap
> 
> while process with "root" not consuming memory or cpu, so is it
> normal jsvc behavior or I missed something?

You missed something:
http://commons.apache.org/proper/commons-daemon/jsvc.html#How_jsvc_works

-chris
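
The two jsvc.exec entries in the listing above match how jsvc works: a controller process stays root and supervises a controlled process that runs the JVM as the -user account. The added example below (not from the thread) checks that the JVM process really dropped privileges, using ps -eo user,pid,ppid,args style input; the function names, the PPID values and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a jsvc-launched Tomcat
# dropped privileges. Input is `ps -eo user,pid,ppid,args` text on stdin.

# check_jsvc_privs EXPECTED_USER   (reads the process listing from stdin)
# Returns 0 when every controlled jsvc process runs as EXPECTED_USER.
check_jsvc_privs() {
    awk -v want="$1" '
        # Remember every process whose executable is jsvc or jsvc.exec.
        $4 ~ /(^|\/)jsvc(\.exec)?$/ { user[$2] = $1; parent[$2] = $3 }
        END {
            bad = 0; controlled = 0
            for (pid in user) {
                # Not a child of another jsvc process: this is the controller.
                if (!(parent[pid] in user)) continue
                controlled++
                if (user[pid] == want) {
                    printf "OK: pid %s runs the JVM as %s (controller pid %s runs as %s)\n", pid, user[pid], parent[pid], user[parent[pid]]
                } else {
                    printf "FAIL: pid %s runs the JVM as %s, expected %s\n", pid, user[pid], want
                    bad = 1
                }
            }
            if (controlled == 0) {
                print "FAIL: no controlled jsvc process found under a jsvc controller"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample modelled on the listing in the message above (PIDs from
# the post; the PPID column and the shortened arguments are made up).
sample_dropped() {
    cat <<'EOF'
USER       PID  PPID COMMAND
root     28890     1 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle -user tomcat7 org.apache.catalina.startup.Bootstrap
tomcat7  28891 28890 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle -user tomcat7 org.apache.catalina.startup.Bootstrap
EOF
}

# Constructed counter-example: launched without -user, so the JVM is still root.
sample_not_dropped() {
    cat <<'EOF'
USER       PID  PPID COMMAND
root     31000     1 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle org.apache.catalina.startup.Bootstrap
root     31001 31000 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle org.apache.catalina.startup.Bootstrap
EOF
}

# On a live host: ps -eo user,pid,ppid,args | check_jsvc_privs tomcat7
sample_dropped | check_jsvc_privs tomcat7
sample_not_dropped | check_jsvc_privs tomcat7 || echo "privileges were not dropped"
```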



Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Brett Delle Grazie
Christopher,

On 16 January 2014 22:28, Christopher Schultz wrote:

> Brett,
>
> On 1/15/14, 7:41 PM, Brett Delle Grazie wrote:
> > On 15 January 2014 16:53, Mubeen Shah 
> > wrote:
> >
> >> Hello,
> >>
> >> I am trying to configure tomcat 7 on ubuntu machine and wanted to
> >> run it as non-root on port 80, Here is what I did so far:
> >>
> >> OS (Ubuntu 12.04 LTS):
> >>
> >> - installed oracle JDK 1.7.0_45 using "apt-get" - downloaded and
> >> extracted tomcat 7.0.50 (.gz format) - created ubuntu user
> >> 'tomcat' and granted 'chown -R CATALINA_HOME' to this user -
> >> changed tomcat default port to 80 in server.xml - installed and
> >> configured authbind tool - created sh script
> >> "/etc/init.d/tomcat7" to start tomcat as tomcat user.
> >>
> >
> > What was in this script?
> >
> >
> >> - tomcat 7 was working as expected on 80 port as non-root user.
> >>
> >
> > That is surprising, see further below.
>
> [snip]
>
> > Linux will not allow anything but root to bind on ports < 1024.
> > Usually the process starts as root, binds to the port and then
> > drops it's privileges back to the desired user.
>
> Note that the OP is using authbind (or at least attempting to do so).
>

Yes I missed that in the original message, thank you for pointing it out.


>
> > You'll need to use jsvc to start Tomcat and drop privileges.
>
> Um... authbind?


Noted.


>
> Perhaps authbind doesn't work with Java and/or Tomcat/APR but this is
> precisely what authbind was designed to do.
>

The OP looks like they've locally compiled APR. I wonder if that's the root
cause.


> -chris
>
-- 
Kind regards,

Brett


Re: serialization and newest tomcat

2014-01-16 Thread Christopher Schultz

Ray,

On 1/12/14, 8:45 AM, Ray Holme wrote:
> [S]erialization causes some problems in apache-tomcat-7.0.35
> 
> I have several applications and run on fedora linux. I have used
> many releases of fedora and tomcat.
> 
> My applications are characterized by a) all use a DB (firebird) b)
> all use both jsp and java servlets c) all use transient java beans
> for a "round" of interaction (user request - user response) d) all
> have 1 or more session java beans for each user (login - logout) e)
> all have 1 or more application beans (initialized at startup, can
> refresh, passed around) f) all have an application specific jar and
> share a common code jar
> 
> Long ago I added serialization to almost all of the java beans to
> stop tomcat whining in the catalina.out file. This worked just fine
> until the most recent tomcat release.
> 
> On my development machine, java changes build new jars and
> apache/tomcat must be restarted to work right. Starting with the
> new release, problems with connections happened.
> 
> After research, I discovered that the applications were going nuts
> with connection requests and xinetd was shutting down the
> connection factory service. It took a 30 minute wait (or reboot) to
> fix this problem. My guess is that the application wide beans were
> not only being made fresh as always happens (they use one
> connection each to initialize), but that the serialized versions
> were coming back up and trying to refresh causing lots of strange
> connections to be created (if one is not passed, one is made and
> there are many routines each needing a connection).
> 
> To solve this problem, I stopped serialization. This solved the
> problem.
> 
> From the notes I got from others (thanks Mark and ...):
> 
> serialization can be stopped by putting this in many places - here
> is one: appname/META-INF/context.xml
> 
> 

Can I venture a guess as to one other important detail you have left
out? It sounds like some of the objects you are putting into the
user's session (HttpSession: the stuff getting serialized to disk
across web application reload or Tomcat stop/start) may have
references to those application-scoped objects. Here's an example of
what I mean:

public class GlobalBean
  implements Serializable
{
}

public class UserBean
  implements Serializable
{
  // Written out with the UserBean, because GlobalBean is Serializable too
  private GlobalBean _global;
  public UserBean(GlobalBean gb)
  {
    _global = gb;
  }
}

... in your webapp's ServletContextListener:

init() {
  ...
  ServletContext application = getServletContext();
  application.setAttribute("globalBean", new GlobalBean());
  ...
}

... in your servlet:

doGet() {
  ...
  ServletContext application = getServletContext();
  GlobalBean gb = (GlobalBean)application.getAttribute("globalBean");
  HttpSession session = request.getSession();
  session.setAttribute("userBean", new UserBean(gb));
  ...
}

If the above are all happening, then when you de-serialize the
UserBeans, they will de-serialize the GlobalBean instance along with
themselves. If your GlobalBean has to do a bunch of db access or
whatever to initialize itself, it will either have to do that on
deserialization to make itself sane, or it will be in a non-sane
state. In either case, you won't get the newly-created GlobalBean from
your ServletContextListener (or similar) and things may get ... weird.

If this is the case, and you don't really care about the user's
session info, then by all means: disable session serialization and be
done with it. If you need this to work -- or if you need your web
application's sessions to be distributable -- then you are necessarily
going to have to change something with your architecture in order to
get this kind of thing to work in a sane way. My recommendation would
be to pass a GlobalBean into any method on the UserBean that needs to
access it, rather than keeping a reference of any kind. It's kind of
like IOC except ... not really anything like that ;)

- -chris
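
The object-graph effect described in the message above, shown as an added example (not code from the thread or from Tomcat). The class names, the `roundTrip` helper and the in-memory serialization standing in for session persistence across a restart are all assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionGraphDemo {

    /** Application-scoped bean, built once per start by the context listener (hypothetical). */
    static class GlobalBean implements Serializable {
        private static final long serialVersionUID = 1L;
        final String builtAt;
        // Stand-in for a DB connection: transient, so it is never written out.
        transient Object connection;

        GlobalBean(String builtAt) {
            this.builtAt = builtAt;
            this.connection = new Object(); // "connect and load state"
        }

        String status() {
            return builtAt + (connection != null ? " (connected)" : " (no connection)");
        }
    }

    /** Session bean as in the message: keeps a reference to the GlobalBean. */
    static class CoupledUserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final GlobalBean global;

        CoupledUserBean(String user, GlobalBean global) {
            this.user = user;
            this.global = global;
        }

        String describe() {
            return user + " uses the GlobalBean from " + global.status();
        }
    }

    /** Session bean per the recommendation: the GlobalBean is passed in on each call. */
    static class DecoupledUserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;

        DecoupledUserBean(String user) {
            this.user = user;
        }

        String describe(GlobalBean current) {
            return user + " uses the GlobalBean from " + current.status();
        }
    }

    /** Serialize and deserialize in memory; stands in for sessions saved and reloaded on restart. */
    @SuppressWarnings("unchecked")
    static <T extends Serializable> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Before the restart: one application bean, two styles of session bean.
        GlobalBean beforeRestart = new GlobalBean("boot-1");
        CoupledUserBean coupled = new CoupledUserBean("ray", beforeRestart);
        DecoupledUserBean decoupled = new DecoupledUserBean("ray");

        // The restart: sessions are written out and read back, and the
        // listener builds a fresh application bean for the new run.
        CoupledUserBean coupledRestored = roundTrip(coupled);
        DecoupledUserBean decoupledRestored = roundTrip(decoupled);
        GlobalBean afterRestart = new GlobalBean("boot-2");

        // The coupled bean brought back its own copy of the old GlobalBean,
        // created without running the constructor, so its connection is gone.
        System.out.println("coupled:   " + coupledRestored.describe());
        System.out.println("decoupled: " + decoupledRestored.describe(afterRestart));
        System.out.println("coupled bean holds the context's bean: "
                + (coupledRestored.global == afterRestart));
    }
}
```

If the stale copy repaired itself in a `readObject` method by reconnecting, every restored session would open its own connection, which matches the connection storm described at the start of the thread.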

Re: Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Erik Engstrom
I think it is due to this bug in commons-daemon
https://issues.apache.org/jira/browse/DAEMON-246  but it did not seem to
keep the service from running properly.  I will try with the latest version
that is supposed to have a fix for it but I don't think it will help this
problem.



On Thu, Jan 16, 2014 at 3:45 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Erik,
>
> On 1/16/14, 4:37 PM, Erik Engstrom wrote:
> > I can get SSL working without JmxRemoteLifecycleListener, and I can
> > get JmxRemoteLifecycleListener to work correctly without SSL.
> > However if I try to use both I get the following error in
> > catalina.out:
> >
> > failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
> > Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
> > SEVERE: The JMX connector server could not be created or failed to start for the Platform server
> > java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
> >     at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
> >     at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
> >     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
> >     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
> >     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
> >     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> >     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
> >     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
> >     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >     at java.lang.reflect.Method.invoke(Unknown Source)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >     at java.lang.reflect.Method.invoke(Unknown Source)
> >     at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
> > Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
> >     at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
> >     at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
> >     at javax.naming.InitialContext.bind(Unknown Source)
> >     at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
> >     ... 20 more
> > Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
> >     at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
> >     at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
> >     at sun.rmi.server.UnicastRef.newCall(Unknown Source)
> >     at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
> >     ... 24 more
> >
> > the ports still get opened but I can not connect via jconsole using
> > ssl or not.  If I set com.sun.management.jmxremote.ssl=true I can
> > connect properly without ssl.
> >
> > The relevant configuration from server.xml:
> >
> > <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
> > rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />
> >
> > and java properties:
> >
> > -Djavax.net.ssl.keyStore=$KEYSTORE
> > -Djavax.net.ssl.keyStorePassword=$KEY_PASS
> > -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
> > -Djavax.net.ssl.trustStore=$TRUSTSTORE
> > -Djavax.net.ssl.trustStorePassword=$TRUST_PASS
> > -Dcom.sun.management.jmxremote.registry.ssl=true
> > -Dcom.sun.management.jmxremote
> > -Dcom.sun.management.jmxremote.authenticate=false
> > -Djava.rmi.server.hostname=$HOST_IP
> > -Dcom.sun.management.jmxremote.ssl=true
> >
> > Is it supported to use these together?  If so what am I doing
> > wrong?
>
> Why is libcap.so (not) being loaded?
>
> - -chris

Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Mubeen Shah
Hello,

I am able to run tomcat with jsvc daemon on port 80, but I can see
"jsvc.exec" process twice with different pid (one with root and other with
non-root):

root 28890  0.0  0.0 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle
-user tomcat7 -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10
-outfile /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath
/opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
-Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m
-XX:+UseConcMarkSweepGC -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
-Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
org.apache.catalina.startup.Bootstrap

tomcat7  28891  3.1  4.6 jsvc.exec -java-home /usr/lib/jvm/java-7-oracle
-user tomcat7 -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10
-outfile /opt/tomcat7/logs/catalina-daemon.out -errfile &1 -classpath
/opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar
-Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx512m
-XX:+UseConcMarkSweepGC -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7
-Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp
org.apache.catalina.startup.Bootstrap

while process with "root" not consuming memory or cpu, so is it normal jsvc
behavior or I missed something?

Regards,
Mubeen



On Thu, Jan 16, 2014 at 1:53 PM, Mubeen Shah  wrote:

> Thank you Brett for your comments.
>
> Here is tomcat startup script (/etc/init.d/tomcat7)
>
> #!/bin/bash
> # tomcat start/stop script
>
> export JAVA_HOME=/usr/lib/jvm/java-7-oracle
> export CATALINA_HOME=/opt/tomcat7
>
> start() {
>su tomcat7 -s /bin/sh -c $CATALINA_HOME/bin/startup.sh
> }
>
> stop() {
>su tomcat7 -s /bin/sh -c $CATALINA_HOME/bin/shutdown.sh
> }
>
> case $1 in
>   start|stop) $1;;
>   restart) stop; start;;
>   *) echo "Run as $0 "; exit 1;;
> esac
>
> I made slight change in "startup.sh" file too (replaced old exec line):
> exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"
>
> my setenv.sh file:
> CATALINA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true
> -Xmx512m -XX:+UseConcMarkSweepGC"
> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/apr/lib"
>
> I installed authbind previously and executed following lines:
> sudo touch /etc/authbind/byport/80
> sudo chmod 500 /etc/authbind/byport/80
> sudo chown tomcat7 /etc/authbind/byport/80
>
> When I am removing APR connector from server.xml, tomcat working fine with
> tomcat7 user.
>
> Regards,
> Mubeen
>
> On Thu, Jan 16, 2014 at 5:41 AM, Brett Delle Grazie <
> brett.dellegra...@gmail.com> wrote:
>
>> Hi,
>>
>> See interleaved.
>>
>>
>> On 15 January 2014 16:53, Mubeen Shah  wrote:
>>
>> > Hello,
>> >
>> > I am trying to configure tomcat 7 on ubuntu machine and wanted to run
>> it as
>> > non-root on port 80, Here is what I did so far:
>> >
>> > OS (Ubuntu 12.04 LTS):
>> >
>> > - installed oracle JDK 1.7.0_45 using "apt-get"
>> > - downloaded and extracted tomcat 7.0.50 (.gz format)
>> > - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to
>> this
>> > user
>> > - changed tomcat default port to 80 in server.xml
>> > - installed and configured authbind tool
>> > - created sh script "/etc/init.d/tomcat7" to start tomcat as tomcat
>> user.
>> >
>>
>> What was in this script?
>>
>>
>> > - tomcat 7 was working as expected on 80 port as non-root user.
>> >
>>
>> That is surprising, see further below.
>>
>>
>> > - later I configured APR 1.5.0 and tried to run tomcat again, I got this
>> > error:
>> >
>> > Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener
>> init
>> > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
>> > version 1.5.0.
>> > Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener
>> init
>> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
>> > [false], random [true].
>> > Jan 15, 2014 6:24:46 AM org.apache.catalina.core.AprLifecycleListener
>> > initializeSSL
>> > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
>> > Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
>> > INFO: Initializing ProtocolHandler ["http-apr-80"]
>> > Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
>> > SEVERE: Failed to initialize end point associated with ProtocolHandler
>> > ["http-apr-80"]
>> > java.lang.Exception: Socket bind failed: [13] Permission denied
>> > at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:430)
>> > at
>> >
>> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
>> > at
>> org.apache.coyote.AbstractProtocol.init(Abstr

Re: Would a developer please add this mime type to the distro?

2014-01-16 Thread Christopher Schultz

Jeffrey,

On 1/13/14, 5:36 PM, Jeffrey Janner wrote:
>> -Original Message- From: Konstantin Kolinko
>> [mailto:knst.koli...@gmail.com] Sent: Friday, January 10, 2014
>> 9:04 PM To: Tomcat Users List Subject: Re: Would a developer
>> please add this mime type to the distro?
>> 
>> 2014/1/11 Jeffrey Janner :
>>> Tomcat 7 did a good job of collecting all the new Microsoft
>>> mime
>> types into the standard web.xml file, but missed the mapping for
>> the ".one" file type for OneNote, even though that's fully
>> documented on the Microsoft Mime Types page.
>> 
>> 1. What page, exactly?
>> 
> 
> The one on Microsoft's TechNet: 
> http://technet.microsoft.com/en-us/library/ee309278(v=office.12).aspx
>
> My guess is whoever transcribed this list into HTTPD accidentally
> skipped this one entry. This is the page I built the entries in my
> web.xml from years ago.
> 
>>> The entry is:
>>> 
>>> <mime-mapping>
>>>   <extension>one</extension>
>>>   <mime-type>application/onenote</mime-type>
>>> </mime-mapping>
>>> 
>>> I know I can always add it to my local web.xml, but it's now
>>> the only
>> one I need and I figured that others might like to have it
>> available as a default as well.
>> 
>> 2. The list of mime types in Tomcat is kept in sync with the
>> similar list in Apache HTTPD.
>> 
>> If I look at HTTPD trunk, that mime-type is mapped to extensions 
>> "onetoc" "onetoc2" "onetmp" "onepkg".
>> 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/mime.types?view=markup#l159
>> 
>> 3. IMHO "application/onenote" is not a valid mime type on the
>> Internet, as it is not registered with IANA.
>> 
>> http://www.iana.org/assignments/media-types/media-types.xhtml#application
>> 
> 
> What?  You expect Microsoft to do things the generally accepted
> and/or correct way?
> 
>> 4. Formally, a way to go is to file an enhancement request.
>> 
> And I do that how?

Bugzilla:

https://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%207

- -chris



Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Christopher Schultz

Brett,

On 1/15/14, 7:41 PM, Brett Delle Grazie wrote:
> On 15 January 2014 16:53, Mubeen Shah 
> wrote:
> 
>> Hello,
>> 
>> I am trying to configure tomcat 7 on ubuntu machine and wanted to
>> run it as non-root on port 80, Here is what I did so far:
>> 
>> OS (Ubuntu 12.04 LTS):
>> 
>> - installed oracle JDK 1.7.0_45 using "apt-get" - downloaded and
>> extracted tomcat 7.0.50 (.gz format) - created ubuntu user
>> 'tomcat' and granted 'chown -R CATALINA_HOME' to this user -
>> changed tomcat default port to 80 in server.xml - installed and
>> configured authbind tool - created sh script
>> "/etc/init.d/tomcat7" to start tomcat as tomcat user.
>> 
> 
> What was in this script?
> 
> 
>> - tomcat 7 was working as expected on 80 port as non-root user.
>> 
> 
> That is surprising, see further below.

[snip]

> Linux will not allow anything but root to bind on ports < 1024. 
> Usually the process starts as root, binds to the port and then
> drops its privileges back to the desired user.

Note that the OP is using authbind (or at least attempting to do so).

> You'll need to use jsvc to start Tomcat and drop privileges.

Um... authbind?

Perhaps authbind doesn't work with Java and/or Tomcat/APR but this is
precisely what authbind was designed to do.

- -chris



Re: Oracle Application Server 10g R3 works fine with RK-1048 codepage but Tomcat 7.0.47 does not.

2014-01-16 Thread Christopher Schultz

Тимур,

Let's start over again: you are providing WAY too much extra
information all at once. We don't need to see your web.xml file. We
don't need to see your HTML files. I looked at your "comparison" but
there was no indication of where the files were different. I can read
neither Russian nor Kazakh. What you do need to do is answer the
questions we are asking to try to help you.

Please answer this simple question:

If the data is correctly-stored in the database (as verified by some
other means), does the fetched-data display correctly in your web pages?

If it's not displaying correctly, please tell us what the Content-Type
HTTP response header is for the page (specifically, the character
encoding). Also, please tell us what the character encoding is for the
/database connection/ to Oracle (the one made from your application to
Oracle).

Finally, how are you connecting to Oracle? Are you using a
Tomcat-configured DataSource or is your web application configuring
things on its own?

I can see that when you attempt to use user.language=ru and
user.country=kz, you get this error from Oracle's driver:

> org.apache.catalina.core.ApplicationContext log MESSAGE =
> ORA-00604: error occurred at recursive SQL level 1 ORA-12705:
> invalid or unknown NLS parameter value specified , ERRORCODE = 604

Can you give us the whole stack trace from that?

It's clear from that error that the default localization settings are
being used to make the database connection. You may have to override
them in order to force the use of the CL8MSWIN1251 code page in the
driver. If the driver is using the correct character encoding, then
Java should get the correct String value. Generating a web page
containing the proper characters should be trivial: just make sure you
send the proper character encoding to the client in your Content-Type
response header.

After you get character-display working, we can tackle character
*input* which is more complicated. Let's make sure we can get data
out, first. Otherwise, you'll never know if you can get the data *in*
correctly.

- -chris



Re: SSL certificates

2014-01-16 Thread Christopher Schultz

James,

On 1/16/14, 5:04 PM, James H. H. Lampert wrote:
> On 1/16/14 1:49 PM, Christopher Schultz wrote:
>> Why are you self-signing a certificate if you are going to get
>> it signed by a CA?
> 
> A newly-created keypair in a Java keystore is, by definition, a 
> self-signed certificate.

That's probably one of the reasons I'm continually confused by using
keytool... generating an RSA key pair should never require the
creation of a certificate. *shrugs*

> And you can't create a CSR without having a keypair from which to
> create it.

That is always true. But you don't need a certificate to create a CSR.

- -chris



Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

On 1/16/14 1:49 PM, Christopher Schultz wrote:

Why are you self-signing a certificate if you are going to get it
signed by a CA?


A newly-created keypair in a Java keystore is, by definition, a 
self-signed certificate. And you can't create a CSR without having a 
keypair from which to create it.


One suggestion:

If you haven't done this dozens of times, or don't do it several times a 
year, or haven't done it for a particular CA,


MAKE AT LEAST ONE BACKUP COPY OF YOUR KEYSTORE BEFORE YOU SUBMIT YOUR 
CSR TO THE CA!


That way (and I've been there a number of times) if you screw up your 
keystore while trying to install the signed certificate, you can try again.


You really don't want to pay the fee to the CA, and then find out you've 
screwed up something that you have no way of unscrewing.


Also: if by any chance you're running Tomcat on an AS/400, you want to 
do this whole process on something else entirely, and then FTP your 
keystore into place on the 400. Keytool does NOT work well on AS/400s, 
and I haven't the slightest idea why.


--
James H. H. Lampert




Re: SSL certificates

2014-01-16 Thread Christopher Schultz

Miten,

On 1/16/14, 12:09 PM, Miten Mehta wrote:
> Hi,
> 
> Adding more clarification for ease below.
> 
> 1) create keystore.jks with self signed cert (alias tomcat).

Why are you self-signing a certificate if you are going to get it
signed by a CA?

> 2) generate old.csr and send for signing to CA 3) get back new.cer
> (signed certificate) and root.cer (root certificate) 4) delete
> existing cert from keystore.jks (alias tomcat) 5) import root cert
> (alias root) 6) import new cert (alias tomcat)

You should be able to create a server key, then a CSR. I happen to
hate keytool (and Java key stores in general) so I avoid it whenever
possible but I'd be surprised if you couldn't create a CSR without
creating a self-signing certificate in the process.

- -chris



Re: Why does Tomcat take so long to start? how can I monitor status?

2014-01-16 Thread Christopher Schultz

Dan,

On 1/16/14, 3:41 PM, Daniel Mikusa wrote:
> On Jan 16, 2014, at 3:04 PM, Bradley Rogers
>  wrote:
> 
>> I have an application where Tomcat under Centos linux takes about
>> 4 minutes to be "online" from the time it starts.
> 
> My initial thought is that it's probably the application.  This is
> true most of the time.  Occasionally there can be JAR scanning
> issues though or an issue with entropy.  See here for more info.
> 
> https://wiki.apache.org/tomcat/HowTo/FasterStartUp
> 
>> i dont know what its doing but wonder if there is a way to ping
>> something in the tomcat to check status?
> 
> My first thought would be to just watch the logs (increasing the
> log levels if necessary) and see what it's doing.  If it sits for a
> long time in one place or you see no output, take a few thread
> dump, 10 - 15 seconds apart (kill -3 ) and investigate
> further.

I don't like using kill -3 because the thread dump goes to stdout
(usually catalina.out, kinda polluting it). I like using "jstack"
better because it goes to the terminal running jstack and not to the
JVM's stdout.

- -chris



Re: Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Christopher Schultz

Erik,

On 1/16/14, 4:37 PM, Erik Engstrom wrote:
> I can get SSL working without JmxRemoteLifecycleListener, and I can
> get JmxRemoteLifecycleListener to work correctly without SSL.
> However if I try to use both I get the following error in
> catalina.out:
> 
> failed loading capabilities library -- /usr/lib/libcap.so: cannot open shared object file: No such file or directory.
> Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
> SEVERE: The JMX connector server could not be created or failed to start for the Platform server
> java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
>     at javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
>     at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
>     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
>     at org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
>     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
>     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
> Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
>     at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
>     at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
>     at javax.naming.InitialContext.bind(Unknown Source)
>     at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
>     ... 20 more
> Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
>     at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
>     at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
>     at sun.rmi.server.UnicastRef.newCall(Unknown Source)
>     at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
>     ... 24 more
> 
> the ports still get opened but I can not connect via jconsole using
> ssl or not.  If I set com.sun.management.jmxremote.ssl=true I can
> connect properly without ssl.
> 
> The relevant configuration from server.xml:
> 
> <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
> rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />
> 
> and java properties:
> 
> -Djavax.net.ssl.keyStore=$KEYSTORE 
> -Djavax.net.ssl.keyStorePassword=$KEY_PASS 
> -Dcom.sun.management.jmxremote.ssl.need.client.auth=true 
> -Djavax.net.ssl.trustStore=$TRUSTSTORE 
> -Djavax.net.ssl.trustStorePassword=$TRUST_PASS 
> -Dcom.sun.management.jmxremote.registry.ssl=true 
> -Dcom.sun.management.jmxremote 
> -Dcom.sun.management.jmxremote.authenticate=false 
> -Djava.rmi.server.hostname=$HOST_IP
> -Dcom.sun.management.jmxremote.ssl=true
> 
> Is it supported to use these together?  If so what am I doing
> wrong?

Why is libcap.so (not) being loaded?

-chris


Tomcat 7.0.47 using JmxRemoteLifecycleListener with SSL

2014-01-16 Thread Erik Engstrom
I can get SSL working without JmxRemoteLifecycleListener, and I can get
JmxRemoteLifecycleListener to work correctly without SSL.  However if I try
to use both I get the following error in catalina.out:

failed loading capabilities library -- /usr/lib/libcap.so: cannot open
shared object file: No such file or directory.
Jan 16, 2014 4:34:20 PM
org.apache.catalina.mbeans.JmxRemoteLifecycleListener createServer
SEVERE: The JMX connector server could not be created or failed to start
for the Platform server
java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]:
javax.naming.CommunicationException [Root exception is
java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
at
javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown
Source)
at javax.management.remote.rmi.RMIConnectorServer.start(Unknown
Source)
at
org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
at
org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at
org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
Caused by: javax.naming.CommunicationException [Root exception is
java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
at javax.naming.InitialContext.bind(Unknown Source)
at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown
Source)
... 20 more
Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
at sun.rmi.server.UnicastRef.newCall(Unknown Source)
at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
... 24 more

the ports still get opened but I can not connect via jconsole using ssl or
not.  If I set com.sun.management.jmxremote.ssl=true I can connect properly
without ssl.

The relevant configuration from server.xml:



and java properties:

-Djavax.net.ssl.keyStore=$KEYSTORE
-Djavax.net.ssl.keyStorePassword=$KEY_PASS
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=$TRUSTSTORE
-Djavax.net.ssl.trustStorePassword=$TRUST_PASS
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=$HOST_IP -Dcom.sun.management.jmxremote.ssl=true

Is it supported to use these together?  If so what am I doing wrong?

Thanks,

Erik


Re: [tomcat7] rhel 6 - init.d script works; does not start on reboot

2014-01-16 Thread Christopher Schultz

Eddie,

On 1/15/14, 11:01 AM, Bush, Eddie wrote:
> 
> 
> -Original Message- From: Daniel Mikusa
> [mailto:dmik...@gopivotal.com] Sent: Wednesday, January 15, 2014
> 9:54 AM To: Tomcat Users List Subject: Re: [tomcat7] rhel 6 -
> init.d script works; does not start on reboot
> 
> On Jan 15, 2014, at 10:32 AM, "Bush, Eddie"
>  wrote:
> 
>> Howdy, List!
>> 
>> I'm in a bit of a pickle here. I'm a senior dev, and quite good
>> at that, but for my new client I'm also charged with configuring
>> our machines. We're running on Tomcat 7, so I grabbed the tgz and
>> installed it per the instructions.
>> 
>> Everything works great! ... until I reboot the server :) At that
>> point, everything else comes up, but tomcat does not.
>> 
>> I have removed all logs and rebooted and see nothing notable in
>> any of the tomcat logs (because, of course, it did not start),
>> nor can I find anything in syslog or messages. The chkconfig
>> command reports that the script is configured to run for runlevel
>> 2-5, and I've even inspected the links in rc.d/rc*.d and they are
>> linked to the init.d script (which is the same danged script that
>> works interactively via "service tomcat start/stop"!)
> 
> Dan> Where did you get the init script from? EB> Off the net
> somewhere, initially. I tweaked it to use sudo to change user to
> tomcat:tomcat though, and I changed the chkconfig declaration to be
> extremely similar to what nginx uses, since that works fine.
> chkconfig likes the script, and sets it up in what looks to be
> perfect form (comparing to other things). These are pretty standard
> scripts though, yes? They basically just delegate to the scripts
> distributed with tomcat, which all end up calling catalina.sh :-)

Note that you shouldn't have to use "sudo" in init.d scripts: only
root should be running those in the first place.

-chris



Re: How to validate or parse HTTP request headers ( tomcat version 6.0.18 )

2014-01-16 Thread Christopher Schultz

Kalasareddy,

On 1/15/14, 1:12 AM, kalasareddy lingaraja wrote:
> yes i did it, but thing is that after parsing request in filter: if
> it is success then i should redirect the request to web service
> which running in embedded tomcat instance,
> 
> could you help me how to shift control to web service from filter

Read the Javadoc for javax.servlet.Filter.

-chris



Re: Why does Tomcat take so long to start? how can I monitor status?

2014-01-16 Thread Daniel Mikusa
On Jan 16, 2014, at 3:04 PM, Bradley Rogers  
wrote:

> I have an application where Tomcat under CentOS Linux takes about 4 minutes
> to be "online" from the time it starts.

My initial thought is that it's probably the application.  This is true most of 
the time.  Occasionally there can be JAR scanning issues though or an issue 
with entropy.  See here for more info.

  https://wiki.apache.org/tomcat/HowTo/FasterStartUp

> I don't know what it's doing but wonder if there is a way to ping something in
> the Tomcat to check status?

My first thought would be to just watch the logs (increasing the log levels if 
necessary) and see what it's doing.  If it sits for a long time in one place or 
you see no output, take a few thread dumps, 10 - 15 seconds apart (kill -3 
<PID>) and investigate further.

Dan





Why does Tomcat take so long to start? how can I monitor status?

2014-01-16 Thread Bradley Rogers
I have an application where Tomcat under CentOS Linux takes about 4 minutes
to be "online" from the time it starts.  I don't know what it's doing but
wonder if there is a way to ping something in the Tomcat to check status?


Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

? will existing become redundant ?


NO, the SIGNED certificate will, at least in effect, be MERGED with the 
original certificate.


Deleting the original certificate from the keystore before importing the 
signed one will render the signed certificate WORTHLESS.


--
James H. H. Lampert




Re: SSL certificates

2014-01-16 Thread Ike Ikonne
Hi,

Step #4 is not correct; if you delete the existing certificate you would
have lost everything.  Please follow the instruction  given by James H. H. 
Lampert.

Thanks,

Ike




From:   Miten Mehta 
To: users@tomcat.apache.org, 
Date:   01/16/2014 11:09 AM
Subject:Re: SSL certificates



Hi,

Adding more clarification for ease below.

1) create keystore.jks with self signed cert (alias tomcat).
2) generate old.csr and send for signing to CA
3) get back new.cer (signed certificate) and root.cer (root certificate)
4) delete existing cert from keystore.jks (alias tomcat)
5) import root cert (alias root)
6) import new cert (alias tomcat)

From server.xml now in connector entry for ssl use alias tomcat to refer to
it.  Earlier when there was only tomcat (no root) the alias might not have
been needed but now since there are two cert we need alias.

Regards,

Miten.


On Thu, Jan 16, 2014 at 10:31 PM, Miten Mehta  
wrote:

> Hi,
>
> I am understanding SSL for tomcat using
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
> 1)I create jks using self signed certificate using keytool.
> 2) I generate CSR from that keystore/certificate.
> 3) I get it signed by CA who gives me root certificate and signed
> certificate.
> 4) I need to delete the existing certificate from keystore and then 
import
> root and signed one ?
>
> The docs do not mention to delete the existing certificate then if I
> import it for same alias will not it complain ?
> Do I need to keep existing certificate and import new one under new 
alias
> ? will existing become redundant ?
>
> Regards,
>
> Miten
>
>



Re: SSL certificates

2014-01-16 Thread Miten Mehta
Hi,

Adding more clarification for ease below.

1) create keystore.jks with self signed cert (alias tomcat).
2) generate old.csr and send for signing to CA
3) get back new.cer (signed certificate) and root.cer (root certificate)
4) delete existing cert from keystore.jks (alias tomcat)
5) import root cert (alias root)
6) import new cert (alias tomcat)

From server.xml now in connector entry for ssl use alias tomcat to refer to
it.  Earlier when there was only tomcat (no root) the alias might not have
been needed but now since there are two cert we need alias.

Regards,

Miten.


On Thu, Jan 16, 2014 at 10:31 PM, Miten Mehta  wrote:

> Hi,
>
> I am understanding SSL for tomcat using
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
> 1)I create jks using self signed certificate using keytool.
> 2) I generate CSR from that keystore/certificate.
> 3) I get it signed by CA who gives me root certificate and signed
> certificate.
> 4) I need to delete the existing certificate from keystore and then import
> root and signed one ?
>
> The docs do not mention to delete the existing certificate then if I
> import it for same alias will not it complain ?
> Do I need to keep existing certificate and import new one under new alias
> ? will existing become redundant ?
>
> Regards,
>
> Miten
>
>


Re: SSL certificates

2014-01-16 Thread James H. H. Lampert

On 1/16/14 9:01 AM, Miten Mehta wrote:

Hi,

I am understanding SSL for tomcat using
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
1)I create jks using self signed certificate using keytool.
2) I generate CSR from that keystore/certificate.
3) I get it signed by CA who gives me root certificate and signed
certificate.


So far, so good.


4) I need to delete the existing certificate from keystore and then import
root and signed one ?


NO! ABSOLUTELY NOT!

You import the signed certificate into THE SAME KEYSTORE, UNDER THE SAME 
ALIAS, *ON TOP OF* THE UNSIGNED CERTIFICATE!


Not only will it not "complain"; it is the ONLY way to apply the CSR reply.

--
James H. H. Lampert
Touchtone Corporation
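
The import-on-top sequence from the reply above, run side by side with the delete-first variant from the question, as an added example that is not part of the thread. It assumes a JDK `keytool` on the PATH; `ca.jks` is a local stand-in for the real CA, and the password and distinguished names are constructed demo values.

```shell
#!/bin/sh
# Added example, not from the thread. Everything happens in a throwaway temp
# directory; ca.jks is a local stand-in for the real CA (assumption), and the
# password and distinguished names are constructed demo values.
PASS=changeit

# keytool with English output and its messages silenced.
kt() { keytool -J-Duser.language=en "$@" >/dev/null 2>&1; }

# entry_field <keystore> <alias> <label>: one field of `keytool -list -v`.
entry_field() {
    keytool -J-Duser.language=en -list -v -keystore "$1" -alias "$2" \
        -storepass "$PASS" 2>/dev/null | sed -n "s/^$3: //p"
}

# Prints: <entry type, key kept> <chain length> <entry type, alias deleted first>
keystore_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    # Stand-in CA: self-signed root marked as a CA (critical BasicConstraints).
    kt -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 30 \
       -dname "CN=Constructed Demo CA" -ext bc:c \
       -keystore ca.jks -storepass "$PASS" -keypass "$PASS"
    kt -exportcert -alias root -rfc -file root.cer \
       -keystore ca.jks -storepass "$PASS"

    # 1) Key pair plus self-signed certificate under alias "tomcat".
    kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 30 \
       -dname "CN=localhost" \
       -keystore keystore.jks -storepass "$PASS" -keypass "$PASS"
    # 2) CSR generated from that key pair.
    kt -certreq -alias tomcat -file old.csr \
       -keystore keystore.jks -storepass "$PASS" -keypass "$PASS"
    # 3) The CA signs the CSR and returns new.cer (root.cer exported above).
    kt -gencert -alias root -rfc -infile old.csr -outfile new.cer \
       -keystore ca.jks -storepass "$PASS" -keypass "$PASS"

    # Step 4 as proposed in the question, applied to a copy: deleting the
    # alias removes the private key together with the self-signed certificate.
    cp keystore.jks deleted.jks
    kt -delete -alias tomcat -keystore deleted.jks -storepass "$PASS"

    # Same two imports against both keystores: root first, then the CA reply
    # under alias "tomcat".
    for ks in keystore.jks deleted.jks; do
        kt -importcert -noprompt -alias root -file root.cer \
           -keystore "$ks" -storepass "$PASS"
        kt -importcert -noprompt -alias tomcat -file new.cer \
           -keystore "$ks" -storepass "$PASS" -keypass "$PASS"
    done

    kept=$(entry_field keystore.jks tomcat "Entry type")
    chain=$(entry_field keystore.jks tomcat "Certificate chain length")
    gone=$(entry_field deleted.jks tomcat "Entry type")
    echo "$kept $chain $gone"

    cd / && rm -rf "$dir"
)

command -v keytool >/dev/null 2>&1 && keystore_demo
```

In the untouched keystore the reply is attached to the existing private key and the chain grows to two certificates; in the copy where the alias was deleted first, the same import only creates a trusted-certificate entry with no private key behind it.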





SSL certificates

2014-01-16 Thread Miten Mehta
Hi,

I am understanding SSL for tomcat using
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html.
1)I create jks using self signed certificate using keytool.
2) I generate CSR from that keystore/certificate.
3) I get it signed by CA who gives me root certificate and signed
certificate.
4) I need to delete the existing certificate from keystore and then import
root and signed one ?

The docs do not mention to delete the existing certificate then if I import
it for same alias will not it complain ?
Do I need to keep existing certificate and import new one under new alias ?
will existing become redundant ?

Regards,

Miten


Re: [ANN] Apache Tomcat 7.0.50 released

2014-01-16 Thread Violeta Georgieva
2014/1/12 David Law 
>
> Thanks for that. :-)
>
> You might like to correct this Typo under Tomcat 7.0.50 / Catalina:
> "Streamline handling of WebSocket messages whe..."
> to "when" or "where" for example.

Thanks for pointing that. I fixed it with r1558789.

Regards
Violeta

> All the best,
> DaveLaw
>
>
> On 12/01/2014 11:15, Violeta Georgieva wrote:
>>
>> The Apache Tomcat team announces the immediate availability of Apache
>> Tomcat 7.0.50.
>>
>> Apache Tomcat is an open source software implementation of the Java
>> Servlet, JavaServer Pages and Java Expression Language technologies.
>>
>> This release contains a number of bug fixes and improvements compared to
>> version 7.0.47.
>>
>> Please refer to the change log for the complete list of changes:
>> http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
>>
>> Note: This version has 4 zip binaries: a generic one and
>>three bundled with Tomcat native binaries for Windows operating
>>systems running on different CPU architectures.
>>
>> Note: Use of the JSR-356 Java WebSocket 1.0 implementation requires Java 7.
>>
>> Note: If you use the APR/native AJP or HTTP connector you *must* upgrade
>>to version 1.1.29 or later of the APR/native library.
>>
>> Downloads:
>> http://tomcat.apache.org/download-70.cgi
>>
>> Migration guides from Apache Tomcat 5.5.x and 6.0.x:
>> http://tomcat.apache.org/migration.html
>>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


Re: Adding another schema to the web.xml

2014-01-16 Thread André Warnier

Blaise Gervais wrote:

Hello,

I have a webapp named "portal" that gathers information about other webapps
("modules") running on the same Tomcat instance. The "portal" uses JMX to
list all the webapps and then parses the web.xml to extract the "module"'s
name and description. So I can create a page with a link to all those
"module"s (like the Tomcat manager).

But now, some "module"s expect parameters and I would like to be able to
ask the user for those parameters before sending them to the "module".
To keep everything in a single place, I would like to create a schema that
describes those parameters and use it inside the web.xml.

The app is intended to be deployed only on our Tomcat, which doesn't validate
the web.xml. Does that seem to be a good idea?



Personal subjective comments only :

This sounds like a question a bit out of scope for this Tomcat Users list, and is more a 
question of generic application design.


About the idea : it sounds nice as a "proof of concept" kind of app.
But I get the impression that you are making it a bit more complicated than it ought to 
be.  That your portal app would gather info about the other apps and present it in a nice 
page with links, sounds nice.
But then, when the user chooses an application, why do you just not re-direct them to the 
corresponding application, which already knows how to ask for and handle its own parameters ?
(There are probably also quite a bit of security issues and other complexities involved 
otherwise)(independently of coherence, maintenance, webapp separation etc.)


All in all, it sounds to me as a bit "over-engineered", if you get my meaning.

Only my 2 cent, as M.E. would say.






Adding another schema to the web.xml

2014-01-16 Thread Blaise Gervais
Hello,

I have a webapp named "portal" that gathers information about other webapps
("modules") running on the same Tomcat instance. The "portal" uses JMX to
list all the webapps and then parses the web.xml to extract the "module"'s
name and description. So I can create a page with a link to all those
"module"s (like the Tomcat manager).

But now, some "module"s expect parameters and I would like to be able to
ask the user for those parameters before sending them to the "module".
To keep everything in a single place, I would like to create a schema that
describes those parameters and use it inside the web.xml.

The app is intended to be deployed only on our Tomcat, which doesn't validate
the web.xml. Does that seem to be a good idea?

Thanks


Re: jasper2 doesn't support the "validateXml" attribute

2014-01-16 Thread André Warnier

Gernot wrote:

2014/1/15 Mark Thomas 


Gernot  wrote:

Hi,

I did an upgrade from tomcat 7.0.29 to 7.0.50.
In 7.0.50 jasper2 ant task quits with error 'jasper2 doesn't support
the
"validateXml" attribute'

Here's the mentioned code:
   


I haven't found any information about this in Tomcat's changelog.
Is this a bug? Or a feature?
What's the suggested way to handle this error?

Thanks

It got renamed to validateTld to better describe what it actually does as
part of the XML work in 7.0.48 (which wasn't released until 7.0.50). I see
at least one place in the docs where this wasn't changed. I'll get that
fixed for the next release. If this turns out to be a problem for folks we
can add support for the old name as well.

Mark



In my opinion it's not a good idea to break api in minor version upgrade.
And why isn't there any comment in the changelog?

Please document changes in the changelog!



In the principle, you are probably right.
But regarding the tone, the appropriate answer here would probably be : how much are you 
willing to pay for this ?
In other words, maybe it temporarily slipped your mind that Tomcat is Open Source and 
Free, and that the people who contribute to it are doing this on a voluntary base ?






Re: tomcat 7 with APR connector on ubuntu

2014-01-16 Thread Mubeen Shah
Thank you Brett for your comments.

Here is tomcat startup script (/etc/init.d/tomcat7)

#!/bin/bash
# tomcat start/stop script

export JAVA_HOME=/usr/lib/jvm/java-7-oracle
export CATALINA_HOME=/opt/tomcat7

start() {
   su tomcat7 -s /bin/sh -c $CATALINA_HOME/bin/startup.sh
}

stop() {
   su tomcat7 -s /bin/sh -c $CATALINA_HOME/bin/shutdown.sh
}

case $1 in
  start|stop) $1;;
  restart) stop; start;;
  *) echo "Run as $0 <start|stop|restart>"; exit 1;;
esac

I made slight change in "startup.sh" file too (replaced old exec line):
exec authbind --deep "$PRGDIR"/"$EXECUTABLE" start "$@"

my setenv.sh file:
CATALINA_OPTS="-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true
-Xmx512m -XX:+UseConcMarkSweepGC"
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/apr/lib"

I installed authbind previously and executed following lines:
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80

When I am removing APR connector from server.xml, tomcat working fine with
tomcat7 user.

Regards,
Mubeen

On Thu, Jan 16, 2014 at 5:41 AM, Brett Delle Grazie <
brett.dellegra...@gmail.com> wrote:

> Hi,
>
> See interleaved.
>
>
> On 15 January 2014 16:53, Mubeen Shah  wrote:
>
> > Hello,
> >
> > I am trying to configure tomcat 7 on ubuntu machine and wanted to run it
> as
> > non-root on port 80, Here is what I did so far:
> >
> > OS (Ubuntu 12.04 LTS):
> >
> > - installed oracle JDK 1.7.0_45 using "apt-get"
> > - downloaded and extracted tomcat 7.0.50 (.gz format)
> > - created ubuntu user 'tomcat' and granted 'chown -R CATALINA_HOME' to
> this
> > user
> > - changed tomcat default port to 80 in server.xml
> > - installed and configured authbind tool
> > - created sh script "/etc/init.d/tomcat7" to start tomcat as tomcat user.
> >
>
> What was in this script?
>
>
> > - tomcat 7 was working as expected on 80 port as non-root user.
> >
>
> That is surprising, see further below.
>
>
> > - later I configured APR 1.5.0 and tried to run tomcat again, I got this
> > error:
> >
> > Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener
> init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
> > version 1.5.0.
> > Jan 15, 2014 6:24:45 AM org.apache.catalina.core.AprLifecycleListener
> init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
> > [false], random [true].
> > Jan 15, 2014 6:24:46 AM org.apache.catalina.core.AprLifecycleListener
> > initializeSSL
> > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
> > Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
> > INFO: Initializing ProtocolHandler ["http-apr-80"]
> > Jan 15, 2014 6:24:46 AM org.apache.coyote.AbstractProtocol init
> > SEVERE: Failed to initialize end point associated with ProtocolHandler
> > ["http-apr-80"]
> > java.lang.Exception: Socket bind failed: [13] Permission denied
> > at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:430)
> > at
> >
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> > at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > at
> >
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > at
> >
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:664)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:606)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
> >
>
> This is expected.
>
>
> >
> > If I am removing out this line from server.xml:
> >  > SSLEngine="on" />
> >
> > Tomcat working on 80 port as non-root user and starting "http-bio-80"
> > properly.
> >
> > Another thing is if I am trying to run tomcat as "root" along with APR
> > support, its working just fine.
> >
> > Any advise why its working on "http-bio-80" while throwing bind exception
> > on "http-apr-80"??
> >
>
> Linux will not allow anything but root to bind on ports < 1024.
> Usually the process starts as root, binds to the port and then drops it's
> privileges back to the desired user.
> You'll need to use jsvc to start Tomcat and drop privileges. It is simply
> apache commons dae