RE: High cpu on Tomcat 8
From: Greg Huber [mailto:gregh3...@gmail.com]
Subject: Re: High cpu on Tomcat 8

>> Have you set a pollerThreadCount?

> I have had a look and I cannot find where this is set. Is there any documentation on this?

The pollerThreadCount applies only to the HTTP version of the Connector, not the AJP one. Red herring.

>> When the CPU usage goes high, does the server actually slow down?

> I do not think so, it makes the server slowdown

Sounds like you're contradicting yourself; you do not think it slows down, or it does slow down?

- Chuck

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Officially released Apache tomcat version with CVE-2014-0230
Raghavendra Nilekani wrote:

> Hi
>
> I have an application where I currently use 6.0.20 version of Apache tomcat bundle from spring source. Now because of security vulnerabilities I have to migrate to newer latest version of Apache tomcat. I saw the latest version on Apache tomcat site is Apache Tomcat 6.0.43 where the highest CVE fixed is *CVE-2014-0227*.
>
> Now one more latest CVE *Apache Tomcat File Upload denial of service* has come. The fix for this problem is not officially released by Apache. I see applying a patch is able to eliminate this problem. The bugfix is ready for download at svn.apache.org. The vulnerability is also documented in the databases at X-Force (102131) and SecurityTracker (ID 1032079). From seclists.org, I heard this problem was identified as a partial DoS (non persistent, but you can very easily eat up all server ram) and assigned CVE-2014-0230 and then the person handling it left Red Hat and it didn't get processed properly.
>
> Can you please tell me, is there any official fix for this problem available and from where I can download the official fix for this CVE? When will Apache tomcat site have a newer version of Apache tomcat with this CVE fixed?

Hi.

I believe that you should first read this: http://tomcat.apache.org/security.html, at least the first section, to get a general idea.

Do not forget that Tomcat is open-source, free software, that the people developing it and maintaining it do this on a voluntary basis, and that their time is limited. Other organisations set it as their task to provide their own versions of Tomcat packages, and to guarantee that they are patched to the latest known security vulnerabilities. And they (rightly) charge a fee for that work.

That does not mean that the developers of Apache Tomcat do not take security vulnerabilities seriously, and do not do their best to fix them as quickly as possible. But it does mean that there is not necessarily always a released version of Tomcat available on the official website, with patches for the latest vulnerabilities.

So, probably the best you can do is:

1) look in the page above (Lists of security problems fixed in released versions of Apache Tomcat are available:) for your version of Tomcat, and upgrade to a version indicated there if appropriate
2) otherwise, put pressure on your Tomcat package provider (whom you presumably pay for that), to provide the patch you need
Re: Does the securePort for Cluster/Channel/Receiver work yet?
Hi Chris

2015-05-04 22:13 GMT+02:00 Christopher Schultz ch...@christopherschultz.net:

> Pascal,
>
> On 5/4/15 10:56 AM, pascal wrote:
>> This was all done with tomcat-7.0.27 (sorry for being behind) I just tried with 8.0.21 with the same result. I would even appreciate a "don't bother trying" response from someone with better insight into the code. I'm also not complaining about a missing feature, the only bug may be in the documentation :-)
>
> If possible, please repeat your tests with 7.0.latest. Tons of fixes have been made to the clustering components within Tomcat.

Just tried with 7.0.61 with the same result.

I expect to have a tomcat listening on the port I specify with securePort= as described here: https://tomcat.apache.org/tomcat-7.0-doc/config/cluster-receiver.html#Common_Attributes

I added this sole option to my working server.xml, restart tomcat and check with netstat.

Would you agree that I at least try it the right way?

> That being said, I don't believe there are any supported options for secure communications for clustering.

Usually there are more SSL related settings like use key x, trust CA y, etc. So probably this is really not implemented.

> If you are using static membership, you could use stunnel or OpenVPN or something similar to encrypt your traffic. I'm not sure if OpenVPN can tunnel multicast,

Yes, that was my plan B as well. I'd say static membership and stunnel or OpenVPN and multicast should work.

Cheers
Pascal
tomcat-embed-jasper vs tomcat-jasper
Hi,

Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?

Thanks
Re: tomcat-embed-jasper vs tomcat-jasper
On 05/05/2015 16:40, Thusitha Thilina Dayaratne wrote:

> Hi,
>
> Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?

Yes.

Mark
[SECURITY] CVE-2014-0230: Apache Tomcat DoS
CVE-2014-0230 Denial of Service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.8
- Apache Tomcat 7.0.0 to 7.0.54
- Apache Tomcat 6.0.0 to 6.0.43

Description:
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Note that this issue was accidentally disclosed by Red Hat Product Security on 9 April 2015 [4]. The Tomcat security team was made aware of this disclosure today (5 May 2015). The information released on 9 April 2015 contained a number of errors. For the sake of clarity:
- This issue is not limited to file upload. Any request with a body may be affected.
- This issue cannot be used to trigger excessive memory usage on the server. The additional data read from the response body is not retained - it is simply ignored.

The intention was to embargo this issue until after the 6.0.44 release. Unfortunately that is no longer possible. The Tomcat team is working on a 6.0.44 release now and we hope to have one available by early next week.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.9 or later
- Upgrade to Apache Tomcat 7.0.55 or later
- Upgrade to Apache Tomcat 6.0.44 or later once released

Credit:
This issue was discovered by AntBean@secdig from the Baidu Security Team and was reported responsibly to the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[4] http://www.openwall.com/lists/oss-security/2015/04/10/1
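A check of an installed version against the affected ranges listed in the advisory above, added here as an example; it is not part of the advisory or of Tomcat. The banner sample is constructed and the function names are illustrative.

```shell
#!/bin/sh
# Added example: map a Tomcat version to the CVE-2014-0230 advisory ranges.

# Constructed sample of the banner printed by Tomcat's bin/version.sh.
sample_banner() {
cat <<'EOF'
Server version: Apache Tomcat/6.0.20
Server number:  6.0.20.0
EOF
}

# Read a version.sh banner on stdin, print the bare version (e.g. 6.0.20).
tomcat_version_from_banner() {
    sed -n 's|^Server version:[[:space:]]*Apache Tomcat/||p' | head -n 1
}

# Print the advisory's verdict for one version string.
cve_2014_0230_status() {
    ver=${1%%-*}                       # 8.0.0-RC1 -> 8.0.0
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unparseable version: $1"; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                 # 6.0.20.0 -> 20
    case "$major$minor$patch" in
        *[!0-9]*) echo "unparseable version: $1"; return 0 ;;
    esac
    # Last affected patch level and first fixed release per branch,
    # exactly as listed in the advisory.
    case "$major.$minor" in
        8.0) last=8;  fixed=8.0.9  ;;
        7.0) last=54; fixed=7.0.55 ;;
        6.0) last=43; fixed=6.0.44 ;;
        *)   echo "branch $major.$minor not listed in the advisory"; return 0 ;;
    esac
    if [ "$patch" -le "$last" ]; then
        echo "affected: upgrade to $fixed or later"
    else
        echo "not affected"
    fi
}

# Demo on the constructed banner (the 6.0.20 install from the question).
cve_2014_0230_status "$(sample_banner | tomcat_version_from_banner)"
```

On a real host, pipe the output of `bin/version.sh` into `tomcat_version_from_banner` instead of the sample.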
Re: tomcat-embed-jasper vs tomcat-jasper
>> Hi
>>
>> Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?
>
> Yes.

Thanks for quick reply.

1. If so why there are 2 jars? Is there a specific reason to have 2 jars?
2. I found that in tomcat-jsp-api is having the same javax.servlet.jsp package. So is it possible to use only the tomcat-embed-jasper since it contains all the packages in tomcat-jasper and tomcat-jsp-api?

Thanks

2015-05-05 21:18 GMT+05:30 Mark Thomas ma...@apache.org:

> On 05/05/2015 16:40, Thusitha Thilina Dayaratne wrote:
>> Hi,
>>
>> Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?
>
> Yes.
>
> Mark
Re: tomcat-embed-jasper vs tomcat-jasper
On 05/05/2015 16:55, Thusitha Thilina Dayaratne wrote:

>>> Hi
>>>
>>> Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?
>>
>> Yes.
>
> Thanks for quick reply.
>
> 1. If so why there are 2 jars? Is there a specific reason to have 2 jars?

Yes, there is a reason. The embedded packaging is designed to use the minimum number of JARs. JSP support is optional so all the classes are in a single JAR.

> 2. I found that in tomcat-jsp-api is having the same javax.servlet.jsp package. So is it possible to use only the tomcat-embed-jasper since it contains all the packages in tomcat-jasper and tomcat-jsp-api?

Yes.

Mark
Re: tomcat-embed-jasper vs tomcat-jasper
Hi,

>>>> Hi
>>>>
>>>> Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?
>>>
>>> Yes.
>>
>> Thanks for quick reply.
>>
>> 1. If so why there are 2 jars? Is there a specific reason to have 2 jars?
>
> Yes, there is a reason. The embedded packaging is designed to use the minimum number of JARs. JSP support is optional so all the classes are in a single JAR.

Thanks for the explanation. So if I need jsp support, rather than using 2 jars (tomcat-jasper and tomcat-jsp-api) I can directly use only the tomcat-embed-jasper. Please correct me if I'm wrong.

Thanks

2015-05-05 21:31 GMT+05:30 Mark Thomas ma...@apache.org:

> On 05/05/2015 16:55, Thusitha Thilina Dayaratne wrote:
>>>> Hi
>>>>
>>>> Could someone tell me what is the difference between tomcat-embed-jasper and tomcat-jasper? I have checked both jars. tomcat-embed-jasper contains javax.servlet.jsp package. Is that the only difference between those 2?
>>>
>>> Yes.
>>
>> Thanks for quick reply.
>>
>> 1. If so why there are 2 jars? Is there a specific reason to have 2 jars?
>
> Yes, there is a reason. The embedded packaging is designed to use the minimum number of JARs. JSP support is optional so all the classes are in a single JAR.
>
>> 2. I found that in tomcat-jsp-api is having the same javax.servlet.jsp package. So is it possible to use only the tomcat-embed-jasper since it contains all the packages in tomcat-jasper and tomcat-jsp-api?
>
> Yes.
>
> Mark
Re: Officially released Apache tomcat version with CVE-2014-0230
On 05/05/2015 11:27, Raghavendra Nilekani wrote:

> Hi
>
> I have an application where I currently use 6.0.20 version of Apache tomcat bundle from spring source. Now because of security vulnerabilities I have to migrate to newer latest version of Apache tomcat. I saw the latest version on Apache tomcat site is Apache Tomcat 6.0.43 where the highest CVE fixed is *CVE-2014-0227*.
>
> Now one more latest CVE *Apache Tomcat File Upload denial of service* has come. The fix for this problem is not officially released by Apache. I see applying a patch is able to eliminate this problem. The bugfix is ready for download at svn.apache.org. The vulnerability is also documented in the databases at X-Force (102131) and SecurityTracker (ID 1032079). From seclists.org, I heard this problem was identified as a partial DoS (non persistent, but you can very easily eat up all server ram) and assigned CVE-2014-0230 and then the person handling it left Red Hat and it didn't get processed properly.
>
> Can you please tell me, is there any official fix for this problem available and from where I can download the official fix for this CVE? When will Apache tomcat site have a newer version of Apache tomcat with this CVE fixed?

The limited information that has been published was released by RedHat in breach of the embargo that the Apache Tomcat team had placed on it. To say the Tomcat team is not happy with RedHat would be an understatement.

This was fixed in 8.0.x in 8.0.9 onwards.
This was fixed in 7.0.x in 7.0.55 onwards.
This has been fixed in svn for 6.0.x and will be in 6.0.44 onwards.

Expect the 6.0.44 release shortly.

Mark
Re: High cpu on Tomcat 8
> Have you set a pollerThreadCount? If so, what is it? If not, you might want to consider setting it to 2, but probably not any higher, and see if it improves things.

I have had a look and I cannot find where this is set. Is there any documentation on this?

> When the CPU usage goes high, does the server actually slow down?

I do not think so, it makes the server slowdown (and all the fans come on)

Cheers
Greg

On 4 May 2015 at 15:13, Christopher Schultz ch...@christopherschultz.net wrote:

> Greg,
>
> On 5/4/15 7:13 AM, Greg Huber wrote:
>> Thanks, I am going to up the memory. The profiler I used only highlighted the ajp-apr-8009-Poller as active. Terminating the thread stopped the high cpu.
>
> ... and probably killed your ability to process requests, unless you configured more than one Poller thread.
>
> Have you set a pollerThreadCount? If so, what is it? If not, you might want to consider setting it to 2, but probably not any higher, and see if it improves things.
>
> The Poller thread is responsible for handling all blocking-style I/O both into and out of your servlets. When your site gets busy, this thread will be doing a lot of work.
>
> When the CPU usage goes high, does the server actually slow down?
>
> -chris
>
>> On 4 May 2015 at 10:18, Mark Thomas ma...@apache.org wrote:
>>> On 03/05/2015 11:25, Greg Huber wrote:
>>>> Hello,
>>>>
>>>> After an upgrade to Tomcat 8.0.21 and (Oracle jdk1.8.0_40) I seem to be having an erratic high cpu issue, often when the server gets busy. The application was OK tomcat 7 and has not been modified since the upgrade.
>>>
>>> Use ps to get the thread ID of the thread that is using the CPU. Take a thread dump and find what that thread is doing (you'll need to convert the thread ID from decimal to hex). It is the stack trace of that thread that will be interesting.
>>>
>>> Mark
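The procedure Mark Thomas describes in the quoted text above (find the busy thread with ps, convert its ID from decimal to hex, look it up in the thread dump), as an added shell example that is not part of the original thread. The ps and thread-dump samples are constructed and the function names are illustrative; it assumes Linux `ps -L` output and the HotSpot `nid=0x...` thread dump format.

```shell
#!/bin/sh
# Added example: correlate the busiest OS thread with its Java stack trace.

# Constructed sample: `ps -L -o tid,pcpu -p <tomcat-pid>` on Linux.
sample_ps() {
cat <<'EOF'
  TID %CPU
19741  0.3
19770 97.8
19802  1.1
EOF
}

# Constructed sample: excerpt of a HotSpot thread dump (`jstack <tomcat-pid>`).
sample_dump() {
cat <<'EOF'
Full thread dump Java HotSpot(TM) 64-Bit Server VM:

"http-apr-8080-exec-1" #41 daemon prio=5 os_prio=0 tid=0x00007f3c5c0aa000 nid=0x4d1d waiting on condition [0x00007f3c2a3f2000]
   java.lang.Thread.State: WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)

"ajp-apr-8009-Poller" #43 daemon prio=5 os_prio=0 tid=0x00007f3c5c0d1000 nid=0x4d3a runnable [0x00007f3c2a1f0000]
   java.lang.Thread.State: RUNNABLE
    at org.apache.tomcat.jni.Poll.poll(Native Method)
    at org.apache.tomcat.util.net.AprEndpoint$Poller.run(AprEndpoint.java)
    at java.lang.Thread.run(Thread.java)
EOF
}

# Read ps output on stdin, print the TID with the highest %CPU.
hottest_tid() {
    awk 'BEGIN { max = -1 }
         NR > 1 && $2 + 0 > max { max = $2 + 0; tid = $1 }
         END { if (tid != "") print tid }'
}

# The dump reports the native thread ID in hex: 19770 -> 0x4d3a.
tid_to_nid() {
    printf '0x%x\n' "$1"
}

# Read a thread dump on stdin, print the stack of the thread whose nid
# matches decimal TID $1. Threads are blank-line separated paragraphs.
stack_for_tid() {
    nid=$(tid_to_nid "$1")
    # Trailing space in the pattern keeps 0x4d3 from matching 0x4d3a.
    awk -v want="nid=$nid " 'BEGIN { RS = "" }
        index($0, want) { print; found = 1 }
        END { exit !found }'
}

# Just the quoted thread name from the matching stack.
thread_name_for_tid() {
    stack_for_tid "$1" | sed -n '1s/^"\([^"]*\)".*/\1/p'
}

# Demo on the constructed samples.
tid=$(sample_ps | hottest_tid)
echo "busiest TID $tid is nid $(tid_to_nid "$tid") in the dump:"
sample_dump | stack_for_tid "$tid"
```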
typesafe-config reference.conf file not found in a .jar in WEB_INF/lib
typesafe config's loader isn't picking up my subproject's reference.conf from within a .jar file inside a .war file's WEB_INF/lib/ . typesafe config finds the .jar file outside of tomcat. It works fine from the .war file's WEB_INF/classes (my hacky fix).

Typesafe config is finding the reference.conf files in other .jar files, like

Loading config from URL jar:file:/opt/shrine/tomcat/webapps/shrine/WEB-INF/lib/akka-actor_2.11-2.3.8.jar!/reference.conf from class loader WebappClassLoader

The typesafe config developers suggested a class loader problem. Typesafe config's logging reports that it is using the org.apache.catalina.loader.StandardClassLoader when it finds the reference.conf in WEB_INF/classes.

Specifically, I'm using a spray-based servlet, and tomcat isn't picking up the spray.servlet.boot-class . However, all the spray jars are in that same lib directory, on the classpath, and complaining about the missing property.

Did I just miss a key piece of the documentation? Is there some extra step I need to do to help the WebappClassLoader find the reference.conf?

Thanks,
Dave
Re: typesafe-config reference.conf file not found in a .jar in WEB_INF/lib
David,

On 5/5/15 4:30 PM, Walend, David wrote:

> typesafe config's loader isn't picking up my subproject's reference.conf from within a .jar file inside a .war file's WEB_INF/lib/ . typesafe config finds the .jar file outside of tomcat. It works fine from the .war file's WEB_INF/classes (my hacky fix).
>
> Typesafe config is finding the reference.conf files in other .jar files, like
>
> Loading config from URL jar:file:/opt/shrine/tomcat/webapps/shrine/WEB-INF/lib/akka-actor_2.11-2.3.8.jar!/reference.conf from class loader WebappClassLoader

So your WAR file looks like this:

/WEB-INF
/WEB-INF/lib
/WEB-INF/lib/akka-actor.2.11-2.3.8.jar
(plus other stuff)

Then, akka-actor.2.11-2.8.8.jar contains:

/reference.conf
(plus other stuff)

Do I have that right?

Is the URL you have above being used directly from within the web application itself? That is, do you have complete control over the URL, or is it built dynamically or something like that?

Which exact version of Tomcat are you using?

-chris
Officially released Apache tomcat version with CVE-2014-0230
Hi

I have an application where I currently use 6.0.20 version of Apache tomcat bundle from spring source. Now because of security vulnerabilities I have to migrate to newer latest version of Apache tomcat. I saw the latest version on Apache tomcat site is Apache Tomcat 6.0.43 where the highest CVE fixed is *CVE-2014-0227*.

Now one more latest CVE *Apache Tomcat File Upload denial of service* has come. The fix for this problem is not officially released by Apache. I see applying a patch is able to eliminate this problem. The bugfix is ready for download at svn.apache.org. The vulnerability is also documented in the databases at X-Force (102131) and SecurityTracker (ID 1032079). From seclists.org, I heard this problem was identified as a partial DoS (non persistent, but you can very easily eat up all server ram) and assigned CVE-2014-0230 and then the person handling it left Red Hat and it didn't get processed properly.

Can you please tell me, is there any official fix for this problem available and from where I can download the official fix for this CVE? When will Apache tomcat site have a newer version of Apache tomcat with this CVE fixed?

Thanks and Regards
Raghavendra Neelekani
Re: Issue while Configuring SSL in tomcat6
On Mon, May 4, 2015 at 8:35 PM, jairaj kamal jairaj.ka...@gmail.com wrote:

First, please stop top posting. Reply inline or at the bottom. It's the convention followed on this list.

> Hello, when I checked with below command I find my keystore created type as JKS and we are using tool Keytool. Initially we received 2 certificates TestRoot.cer Test.cer, when found things not working, we are now trying to import certs of PKCS#12 format (.pfk) via Keytool

The format of your keystore is *not* the problem. If it were the problem, you would see an exception in Tomcat. The problem you're seeing is different.

> #Testing Keystore type
>
> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -list -v -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
>
> #Earlier tried steps:
>
> keytool -genkey -alias report2web -keyalg RSA -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
> keytool -certreq -keyalg RSA -alias report2web -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.csr -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore
>
> keytool -import -alias root -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -trustcacerts -file C:\Users\svcr2wadmin\nedr2wqajob1\TestRoot.cer
>
> keytool -import -alias nedr2wqajob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.cer
>
> Then also did below
>
> keytool -import -alias nedr2wjob1_non_prod_p7b -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx
>
> # But Below is the error coming while importing the latest .pfx certificated shared
>
> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias nedr2wjob1QAJob1 -keystore C:\Users\svcr2wadmin\nedr2wqajob1\Test.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\Test.pfx
> Enter keystore password:
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> #Certificate status as observed in the browser
>
> 1. nedr2wqajob1 is the alias name of certificate Test.cer - It shows for non Root certificate as
>
> Your connection to nedr2wqajob1 is encrypted with obsolete cryptography, The connections uses TLS 1.0. The connection uses AES_128_CBC with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

You might need to a.) check what crypto is supported by your version of the JVM and b.) configure it to not use certain known insecure crypto. More on this here: http://wiki.apache.org/tomcat/HowTo/SSLCiphers

> 2. Error message showing in chrome browser as below
>
> “This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.”

Who did you purchase your certificate from?

Dan

> Let me know what to do to resolve this ?
>
> Jairaj Kamal
>
> On Mon, May 4, 2015 at 6:51 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>
>> Jairaj,
>>
>> On 5/4/15 5:35 PM, jairaj kamal wrote:
>>> Attached find the error coming in browser,looks to be issue with Root certificate.
>>
>> This list strips attachments. Please copy/paste any messages into the text of your post.
>>
>>> Also we tried PKCS#12 format certs but getting below Error
>>
>> The keystore format won't change what gets sent to the client.
>>
>>> D:\Program Files (x86)\Java\jdk1.6.0_27\bin>keytool -import -alias nedr2wjob1_non_prod_p7b -keystore C:\Users\svcr2wadmin\nedr2wqajob1\QA_Job1_report2web.keystore -file C:\Users\svcr2wadmin\nedr2wqajob1\nedr2wjob1_non_prod.p7b
>>> Enter keystore password:
>>> keytool error: java.lang.Exception: Input not an X.509 certificate
>>
>> If you really have a PKCS12 keystore, then you'll need to specify the keystore type on the command-line.
>>
>> -chris