Re: Request attributes
Mark,

On 3/16/18 3:14 PM, Mark A. Claassen wrote:
> I recently discovered some request attributes that I was curious
> about. Are these accurate across all connectors? Or are these the
> defaults for using something like the NIO connector? Specifically
> in my case, I am using the APR connector and openSSL.
>
> Example:
>
> Attribute 'org.apache.tomcat.util.net.secure_protocol_version' = 'TLSv1.2'
> Attribute 'javax.servlet.request.key_size' = '256'
> Attribute 'javax.servlet.request.cipher_suite' = 'ECDHE-RSA-AES256-GCM-SHA384'

Of those 3, the second and third are defined by the servlet specification (hence their namespaced attribute key names).

The first of those is something I've been trying to get into the spec[1] but so far it has been ignored. :( I'd love some +1 votes on that issue if anyone would be willing to login and give a +1.

Because it is not spec-defined, it has a Tomcat-scoped attribute key. In the future, I hope that the Tomcat-specific key will be replaced (probably not actually replaced, but just repeated) by a spec-defined request attribute key.

-chris

[1] https://github.com/javaee/servlet-spec/issues/130

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat's data-source issue with Fork Join Tasks
Priyam,

On 3/17/18 12:10 AM, Priyam Srivastava wrote:
> Many Thanks for your response. I was able to resolve this issue by
> writing the below code just before JNDI Look Up:
>
> Thread l_thread = Thread.currentThread();
> l_thread.setContextClassLoader(this.getClass().getClassLoader());
> initialContext = new InitialContext();

Don't forget to "pop" the TCCL in a finally block after you do your work, or you may potentially confuse some code later down the pipeline.

Tomcat will likely recover *its* own state so if control transfers back to Tomcat right away, you might not notice any problems. But it's a good practice (and essential in many situations) to restore the state of the TCCL if you are going to be making changes to it.

-chris
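The set-and-restore pattern from the reply above, as an added example that is not part of the original thread. The class and method names are hypothetical, and an empty URLClassLoader stands in for the web application's class loader so the program runs outside Tomcat.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;
import java.util.concurrent.ForkJoinPool;
import javax.naming.InitialContext;

public class TcclRestoreExample {

    /** Runs work with the given thread context class loader, then restores the previous one. */
    static <T> T callWithContextClassLoader(ClassLoader loader, Callable<T> work) throws Exception {
        Thread thread = Thread.currentThread();
        ClassLoader previous = thread.getContextClassLoader();
        thread.setContextClassLoader(loader);
        try {
            return work.call();
        } finally {
            // "Pop" the TCCL even when work throws, so the pooled thread
            // is handed back in the state it was found in.
            thread.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the webapp loader; inside a webapp this would be
        // this.getClass().getClassLoader(), as in the quoted code.
        ClassLoader appLoader =
                new URLClassLoader(new URL[0], TcclRestoreExample.class.getClassLoader());

        ForkJoinPool pool = new ForkJoinPool(2);
        try {
            String report = pool.submit(() -> {
                ClassLoader before = Thread.currentThread().getContextClassLoader();

                ClassLoader during = callWithContextClassLoader(appLoader, () -> {
                    // JNDI finds its context factory through the TCCL,
                    // so the lookup belongs inside this block.
                    InitialContext ctx = new InitialContext();
                    ctx.close();
                    return Thread.currentThread().getContextClassLoader();
                });

                ClassLoader after = Thread.currentThread().getContextClassLoader();
                return "TCCL was the app loader during the work: " + (during == appLoader)
                        + ", restored afterwards: " + (after == before);
            }).get();
            System.out.println(report);
        } finally {
            pool.shutdown();
        }
    }
}
```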
Re: I cant start Tomcat instances
Actually, all of them have X permissions:

-rwxr--r-- 1 root root 70 Mar 17 11:59 shutdown-instance0.sh
-rwxr--r-- 1 root root 70 Mar 17 11:48 shutdown-instance1.sh
-rwxr--r-- 1 root root 70 Mar 17 11:59 shutdown-instance2.sh
-rwxr--r-- 1 root root 69 Mar 17 11:58 startup-instance0.sh
-rwxr--r-- 1 tomcat root 69 Mar 17 11:46 startup-instance1.sh
-rwxr--r-- 1 tomcat root 69 Mar 17 11:59 startup-instance2.sh

On Sat, Mar 17, 2018 at 3:39 PM, Stefan Frei wrote:

> check the permissions on the .sh files (chmod +x)
>
> 2018-03-17 14:16 GMT+01:00 Loai Abdallatif :
> > Dear Colleagues
> > I'm new to tomcat, I have successfully installed the service but when I
> > tried to run three instances I couldn't due to error below
> >
> > : the thing I did is copied the catalina Home to three instances tomcat0,
> > tomcat1, and tomcat2 directories
> >
> > and in each directory I have configured the connectors ports, AJP port and
> > addresses .
> > the tomcat main instance is working but I think the problem is that in
> > CATALINA_BASE .but I don't know how to instruct the startup script
> >
> > root@appserver01:/opt/tomcat0# ./startup-instance0.sh
> > ./startup-instance0.sh: line 3: ./startup.sh: No such file or directory
> > root@appserver01:/opt/tomcat0#
> > root@appserver01:/opt/tomcat0#
> > root@appserver01:/opt/tomcat0# cat startup-instance0.sh
> > export CATALINA_BASE=/opt/tomcat0
> > cd $CATALINA_HOME/bin
> > ./startup.sh
Re: I cant start Tomcat instances
Thanks Olaf, so how do I tell Tomcat instance 0 to take its config from the tomcat0 directory?

On Sat, Mar 17, 2018 at 3:39 PM, Olaf Kock wrote:

> On 17.03.2018 14:16, Loai Abdallatif wrote:
>
>> Dear Colleagues
>> I'm new to tomcat, I have successfully installed the service but when I
>> tried to run three instances I couldn't due to error below
>>
>> : the thing I did is copied the catalina Home to three instances tomcat0,
>> tomcat1, and tomcat2 directories
>>
>> and in each directory I have configured the connectors ports, AJP port and
>> addresses .
>> the tomcat main instance is working but I think the problem is that in
>> CATALINA_BASE .but I don't know how to instruct the startup script
>>
>> root@appserver01:/opt/tomcat0# ./startup-instance0.sh
>> ./startup-instance0.sh: line 3: ./startup.sh: No such file or directory
>> root@appserver01:/opt/tomcat0#
>> root@appserver01:/opt/tomcat0#
>> root@appserver01:/opt/tomcat0# cat startup-instance0.sh
>> export CATALINA_BASE=/opt/tomcat0
>> cd $CATALINA_HOME/bin
>> ./startup.sh
>
> well,
>
> ./startup.sh: No such file or directory
>
> Did you see that you set CATALINA_BASE (note: BASE) and then cd to the
> undefined CATALINA_HOME/bin (note: HOME)? You probably didn't intend this:
> Both are typically undefined on a system level, so you're probably not
> cding into the directory you intend.
>
> Olaf
Re: Tomcat stopped and Debug can't be done in Eclipse
Hi!

2018-03-17 10:11 GMT+03:00 Karen Goh:
>
> I have added this in my JVM under the tomcat argument for remote debug configuration :
>
> -Dcatalina.opts="-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n"

The above line is wrong. There is no system property "catalina.opts".
Those arguments are for java (java.exe, javaw.exe).

https://docs.oracle.com/javase/8/docs/technotes/tools/windows/java.html#BABDJJFI

Note that "Remote" debugging means that you do two steps:

1. First, you start Tomcat as a normal "running" application.

If you do it from within Eclipse, use "Run", not "Debug". See menu Run > Run Configurations...

Add those options to its "Arguments" into "VM arguments" field (not "Program arguments")

-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n

2. Then, you start "Debug" separately. See menu Run > Debug Configurations...

Create "Remote Java Application". Fill in "Project" (your project), "Port" (8000) fields and press "Debug" to start debugging. Eclipse will connect to Tomcat that has been started separately.

> Below, it shows that Tomcat is started
>
> Mar 17, 2018 2:33:29 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'source' to 'org.eclipse.jst.jee.server:Hi5S' did not find a matching property.
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Server version:Apache Tomcat/8.5.24
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Server built: Nov 27 2017 13:05:30 UTC
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Server number: 8.5.24.0
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: OS Name: Windows 10
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: OS Version:10.0
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Architecture: amd64
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Java Home: C:\Program Files\Java\jre1.8.0_161
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: JVM Version: 1.8.0_161-b12
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: JVM Vendor:Oracle Corporation
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: CATALINA_BASE: C:\Users\Karen.Goh\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp2
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: CATALINA_HOME: C:\Program Files\Apache\apache-tomcat-8.5.24
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -agentlib:jdwp=transport=dt_socket,suspend=y,address=localhost:50906

Note the above line. A command line argument, logged by VersionLoggerListener.
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -Dcatalina.base=C:\Users\Karen.Goh\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp2
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -Dcatalina.home=C:\Program Files\Apache\apache-tomcat-8.5.24
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -Dwtp.deploy=C:\Users\Karen.Goh\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp2\wtpwebapps
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -Djava.endorsed.dirs=C:\Program Files\Apache\apache-tomcat-8.5.24\endorsed
> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -Dcatalina.opts=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n

Note the above line. That is what you added.

> Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
> INFO: Command line argument: -Dfile.encoding=UTF-8
> Mar 17, 2018 2:33:29 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [C:\Program Files\Java\jre1.8.0_161\bin;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:/Program Files/Java/jre1.8.0_161/bin/server;C:/Program Files/Java/jre1.8.0_161/bin;C:/Program Files/Java/jre1.8.0_161/lib/amd64;C:\ProgramData\Oracle\Java\javapath;C:\Program Files\MySQL\mysql-5.7.20-win32\bin;C:\Program Files\Java\jdk1.8.0_151\bin;C:\Program Files (x86)\Eclipse JEE
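The distinction made in the reply above (a real -agentlib:jdwp argument versus a -D property that only contains the same text), as an added example that is not part of the original message. The class and method names are hypothetical; the sample arguments are copied from the "Command line argument" log lines quoted in the thread, plus the corrected form the reply recommends.

```java
import java.lang.management.ManagementFactory;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class JdwpArgumentCheck {

    /** Returns the jdwp sub-options if this JVM argument loads the debug agent, otherwise null. */
    static Map<String, String> parseJdwpAgent(String jvmArg) {
        String options;
        if (jvmArg.startsWith("-agentlib:jdwp=")) {
            options = jvmArg.substring("-agentlib:jdwp=".length());
        } else if (jvmArg.startsWith("-Xrunjdwp:")) {          // legacy spelling of the same agent
            options = jvmArg.substring("-Xrunjdwp:".length());
        } else {
            return null;
        }
        Map<String, String> parsed = new LinkedHashMap<>();
        for (String pair : options.split(",")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                parsed.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
            }
        }
        return parsed;
    }

    /** Describes what one JVM argument does with respect to JDWP, or null if unrelated. */
    static String describe(String jvmArg) {
        Map<String, String> agent = parseJdwpAgent(jvmArg);
        if (agent != null) {
            boolean listens = "y".equals(agent.get("server"));   // server defaults to n
            String address = agent.getOrDefault("address", "(none)");
            boolean hasHost = address.contains(":");
            return "AGENT  " + (listens ? "listens on " : "connects out to ") + address
                    + ", suspend=" + agent.getOrDefault("suspend", "y")
                    + (listens && !hasHost ? " [no host part: bind address is the JVM default]" : "");
        }
        if (jvmArg.startsWith("-D") && jvmArg.contains("jdwp")) {
            String name = jvmArg.substring(2).split("=", 2)[0];
            return "INERT  system property '" + name + "' only carries the text; no agent is loaded";
        }
        return null;
    }

    static void report(String title, List<String> jvmArgs) {
        System.out.println("== " + title);
        int found = 0;
        for (String arg : jvmArgs) {
            String line = describe(arg);
            if (line != null) {
                System.out.println(line);
                System.out.println("       " + arg);
                found++;
            }
        }
        if (found == 0) {
            System.out.println("no JDWP-related arguments");
        }
    }

    public static void main(String[] args) {
        List<String> fromThread = Arrays.asList(
            // Logged by VersionLoggerListener in the quoted startup log:
            "-agentlib:jdwp=transport=dt_socket,suspend=y,address=localhost:50906",
            "-Dcatalina.opts=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n",
            "-Dfile.encoding=UTF-8",
            // The form the reply says belongs in the "VM arguments" field:
            "-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n");
        report("arguments from the thread", fromThread);

        // The same check against the JVM running this program.
        report("this JVM", ManagementFactory.getRuntimeMXBean().getInputArguments());
    }
}
```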
Re: Tomcat shutdown, webapp vs database pools
Thanks for the info. I'll investigate further into the listeners.

On Sat, Mar 17, 2018 at 4:27 AM, Mark Thomas wrote:

> On 16/03/18 22:42, Alex O'Ree wrote:
> > I have a war file that defines a context.xml file, some cxf based web
> > services and a few other background tasks using quartz that are initialized
> > in a servlet context listener.
> >
> > When tomcat shuts down, it appears that tomcat stops the database
> > connection pool before the cxf services or the quartz tasks. This causes
> > huge amounts of log output. I'm a bit unclear as to how to adjust/change
> > the shutdown order of the database pool vs the servlet listeners.
> >
> > The web app's web.xml does declare a resource-ref element that points at
> > the jndi lookup name, but perhaps the configuration is wrong.
> >
> > I have looked at
> > https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#JDBC_Data_Sources
> > and my configuration appears to be correct,
> > however something is still not quite right.
> >
> > What am I doing wrong?
>
> Don't know.
>
> The listeners are stopped before the JNDI resources so I'm not sure what
> is going on. Is it possible the listener isn't waiting for the cxf
> services or the quartz tasks to complete before it exits the
> contextDestroyed() method?
>
> Mark
Re: I cant start Tomcat instances
check the permissions on the .sh files (chmod +x)

2018-03-17 14:16 GMT+01:00 Loai Abdallatif:
> Dear Colleagues
> I'm new to tomcat, I have successfully installed the service but when I
> tried to run three instances I couldn't due to error below
>
> : the thing I did is copied the catalina Home to three instances tomcat0,
> tomcat1, and tomcat2 directories
>
> and in each directory I have configured the connectors ports, AJP port and
> addresses .
> the tomcat main instance is working but I think the problem is that in
> CATALINA_BASE .but I don't know how to instruct the startup script
>
> root@appserver01:/opt/tomcat0# ./startup-instance0.sh
> ./startup-instance0.sh: line 3: ./startup.sh: No such file or directory
> root@appserver01:/opt/tomcat0#
> root@appserver01:/opt/tomcat0#
> root@appserver01:/opt/tomcat0# cat startup-instance0.sh
> export CATALINA_BASE=/opt/tomcat0
> cd $CATALINA_HOME/bin
> ./startup.sh
Re: I cant start Tomcat instances
On 17.03.2018 14:16, Loai Abdallatif wrote:

Dear Colleagues
I'm new to tomcat, I have successfully installed the service but when I tried to run three instances I couldn't due to error below

: the thing I did is copied the catalina Home to three instances tomcat0, tomcat1, and tomcat2 directories

and in each directory I have configured the connectors ports, AJP port and addresses .
the tomcat main instance is working but I think the problem is that in CATALINA_BASE .but I don't know how to instruct the startup script

root@appserver01:/opt/tomcat0# ./startup-instance0.sh
./startup-instance0.sh: line 3: ./startup.sh: No such file or directory
root@appserver01:/opt/tomcat0#
root@appserver01:/opt/tomcat0#
root@appserver01:/opt/tomcat0# cat startup-instance0.sh
export CATALINA_BASE=/opt/tomcat0
cd $CATALINA_HOME/bin
./startup.sh

well,

    ./startup.sh: No such file or directory

Did you see that you set CATALINA_BASE (note: BASE) and then cd to the undefined CATALINA_HOME/bin (note: HOME)? You probably didn't intend this: Both are typically undefined on a system level, so you're probably not cding into the directory you intend.

Olaf
I cant start Tomcat instances
Dear Colleagues
I'm new to tomcat, I have successfully installed the service but when I tried to run three instances I couldn't due to error below

: the thing I did is copied the catalina Home to three instances tomcat0, tomcat1, and tomcat2 directories

and in each directory I have configured the connectors ports, AJP port and addresses .
the tomcat main instance is working but I think the problem is that in CATALINA_BASE .but I don't know how to instruct the startup script

root@appserver01:/opt/tomcat0# ./startup-instance0.sh
./startup-instance0.sh: line 3: ./startup.sh: No such file or directory
root@appserver01:/opt/tomcat0#
root@appserver01:/opt/tomcat0#
root@appserver01:/opt/tomcat0# cat startup-instance0.sh
export CATALINA_BASE=/opt/tomcat0
cd $CATALINA_HOME/bin
./startup.sh
Re: Tomcat shutdown, webapp vs database pools
On 16/03/18 22:42, Alex O'Ree wrote:
> I have a war file that defines a context.xml file, some cxf based web
> services and a few other background tasks using quartz that are initialized
> in a servlet context listener.
>
> When tomcat shuts down, it appears that tomcat stops the database
> connection pool before the cxf services or the quartz tasks. This causes
> huge amounts of log output. I'm a bit unclear as to how to adjust/change
> the shutdown order of the database pool vs the servlet listeners.
>
> The web app's web.xml does declare a resource-ref element that points at
> the jndi lookup name, but perhaps the configuration is wrong.
>
> I have looked at
> https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#JDBC_Data_Sources
> and my configuration appears to be correct,
> however something is still not quite right.
>
> What am I doing wrong?

Don't know.

The listeners are stopped before the JNDI resources so I'm not sure what is going on. Is it possible the listener isn't waiting for the cxf services or the quartz tasks to complete before it exits the contextDestroyed() method?

Mark
Re: Tomcat's data-source issue with Fork Join Tasks
On 17/03/18 04:10, Priyam Srivastava wrote:
> Hi Mark,
>
> Many Thanks for your response. I was able to resolve this issue by writing
> the below code just before JNDI Look Up:
>
> Thread l_thread = Thread.currentThread();
> l_thread.setContextClassLoader(this.getClass().getClassLoader());
> initialContext = new InitialContext();
>
> I have a question based on the discussions on the thread link you provided:
>
> If this is something to do with ForkJoin Pool, then why it is happening
> only in Tomcat why not in other application servers as I mentioned in my
> initial post.

Because of the way Tomcat implements the memory leak protection for the problem described in bug 60620. I can't speak for the other containers as I don't know how their internals are coded.

Mark

>
> Regards,
> Priyam
>
> On Sat, Mar 17, 2018 at 2:22 AM, Mark Thomas wrote:
>
>> On 16/03/18 12:06, Priyam Srivastava wrote:
>>> I have a scenario where we have to run some random number of independent
>>> tasks to load data from DB. So I am using Java's fork Join framework to
>>> create those task and then invoke them.
>>
>> See:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=60620 and the various
>> threads linked from there.
>>
>> Mark
>>
>>>
>>> Each task opens its own connection using datasource and closes it.
>>>
>>> But in Tomcat, I am getting below error at line:
>>>
>>> initialContext = new InitialContext();
>>>
>>> javax.naming.NoInitialContextException: Cannot instantiate class: org.apache.naming.java.javaURLContextFactory
>>> at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) ~[?:1.8.0_161]
>>> at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) ~[?:1.8.0_161]
>>> at javax.naming.InitialContext.init(Unknown Source) ~[?:1.8.0_161]
>>> at javax.naming.InitialContext.<init>(Unknown Source) ~[?:1.8.0_161]
>>> at com.dummy.test.TestClass.compute(TestClass.java:71) [classes/:?]
>>> at java.util.concurrent.RecursiveAction.exec(Unknown Source) [?:1.8.0_161]
>>> at java.util.concurrent.ForkJoinTask.doExec(Unknown Source) [?:1.8.0_161]
>>> at java.util.concurrent.ForkJoinPool$WorkQueue.execLocalTasks(Unknown Source) [?:1.8.0_161]
>>> at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(Unknown Source) [?:1.8.0_161]
>>> at java.util.concurrent.ForkJoinPool.runWorker(Unknown Source) [?:1.8.0_161]
>>> at java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source) [?:1.8.0_161]
>>> Caused by: java.lang.ClassNotFoundException: org.apache.naming.java.javaURLContextFactory
>>>
>>> This error seems to be coming only in Tomcat and when I run the same code
>>> in Wildfly/Glassfish or JBOSS EAP, everything works fine.
>>>
>>> On the other hand if I change my code and run these tasks using Thread
>>> instead of Fork Join framework, I don't face this issue in Tomcat.
>>>
>>> So why this error is coming in Tomcat only?
>>>
>>> Note: I am getting this error after deploying in Tomcat and hitting app URL
>>> from Postman. The so called missing class is already there in
>>> jar catalina.jar present inside /lib
>>>
>>> Environment Details:
>>>
>>> Java Version: 1.8
>>> Tomcat Version: 8.5, 9.0.6
>>> OS: Windows 10 Pro 64 bit
>>> Database: Oracle 11g and MySQL 5.7
>>>
>>> I have uploaded a dummy code to simulate this issue in Git. Please refer to
>>> the readme.txt for full details there.
>>>
>>> Git URL:
>>> https://github.com/wambling/my-project.git
>>>
>>> Regards,
>>> Priyam
Re: JKS certificate for Tomcat client authentication
Hi Chris,

On Tue, Feb 27, 2018 at 1:56 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Igor,
>
> On 2/23/18 5:47 PM, Igor Cicimov wrote:
> > On Sat, Feb 24, 2018 at 7:52 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> >> Igor,
> >>
> >> On 2/23/18 4:45 AM, Igor Cicimov wrote:
> >>> Hi all,
> >>>
> >>> I have the following setup in the tomcat default file on
> >>> Ubuntu-14.04:
> >>>
> >>> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/opt/encompass/keystore/keystore.jks"
> >>> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/encompass/keystore/truststore.jks"
> >>>
> >>> The keystore.jks holds dozen of SSL keys our app uses to
> >>> authenticate to various web services. One of these
> >>> certificates expired and I used openssl to create new private
> >>> key (key.pem) and CSR, that the other side signed and sent back
> >>> (cert.pem). Then I concatenated the certificate and the private
> >>> key into single file:
> >>>
> >>> $ cat cert.pem key.pem > cert2.pem
> >>>
> >>> and imported the file into the existing keystore using
> >>> keytool:
> >>>
> >>> $ keytool -delete -alias client-cert -keystore keystore.jks -storepass
> >>> $ keytool -import -alias client-cert -file cert2.pem -keystore keystore.jks -storepass
> >>>
> >>> The signing root CA and the intermediate certificate already
> >>> exist in the truststore.jks keystore.
> >>>
> >>> Does this procedure sound sane? Is there a better (or maybe
> >>> proper) way of doing it?
> >>
> >> Are you just sanity-checking your process for importing certs
> >> into a JKS bundle?
> >
> > I'm just sanity-checking the process in terms of keystore
> > functionality and any possible issues for the JVM using and finding
> > the cert and the key in the store.
> >
> > The reason being after importing the new cert our access does not
> > work any more and the issuer has a limited (as they say, *sigh*)
> > troubleshooting capability on their side. Not sure how is that
> > possible having in mind that they have designed and are in control
> > of the authentication (ssl client certs) and authorization
> > (username/password) system (Tivoli Axis2 app if that matters).
> > Building something and then not being able to tell clients if their
> > access is denied due to bad/missing certificate or bad/missing
> > credentials is just unbelievable. They even claim they can't even
> > see our side connecting at all to their web service although in our
> > logs I can see:
> >
> > Invalid Content-Type:text/html. Is this an error message instead of
> > a SOAP response?
> >
> > response coming back but as html error message instead of SOAP
> > response.
>
> You could try my ssltest tool. It supports client TLS authentication.
> Maybe just a sanity-check that there isn't anything wrong with your
> own Java client:
>
> https://github.com/ChristopherSchultz/ssltest
>
> Also, since you have the original (separate) key and (signed)
> certificate files, definitely give this a try:
>
> $ openssl s_client \
>     -showcerts \
>     -cert cert.pem \
>     -key key.pem \
>     -connect [endpoint]
>
> If you can't connect using that, then either the cert or the key is
> not correct. OpenSSL should tell you if the key doesn't match the
> cert, or if the password is wrong.
>
> If you remove the -cert and -key arguments and try to connect, the
> service ought to tell you which certificates are acceptable. It will
> probably tell you that anything signed by a particular certificate is
> okay and not your particular certificate (otherwise, they'd have a
> million certs they trust).
>
> Once you can confirm that the crypto material you have (key, certs),
> then you can use ssltest above to see if you have packaged those bits
> into the keystore properly.
> You might want to use a separate keystore
> for this testing purpose, just in case something else is interfering.
>
> Theoretically, as long as your keystore contains:
>
> 1. The signing (or, more likely, the "intermediate") certificate
> 2. The signed certificate
> 3. The signed certificate's private key
>
> You ought to be able to connect. You don't really even need a
> certificate "alias", though things "seem" to work better when they are
> present.
>
> >> Does the process result in the items you expected to be in the
> >> keystore?
> >
> > From what I can see all the bits are there. I have enabled the java ssl
> > debugging and can see the cert being loaded on startup and
> > exchanged during SSL handshake and no errors can be seen in the
> > process, like the usual PKIX error when matching cert can not be
> > found etc.
> >
> > Any ideas what can be possibly wrong?
>
> Lots of things:
>
> 1. Wrong cert in the store (unsigned versus signed, though if you are
> using openssl for everything you usually don't have an unsigned
> cert... only
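One way to check, from inside the JVM, whether a keystore alias holds the signed certificate together with its private key (items 2 and 3 of the quoted list) and which chain certificates accompany it. This is an added example, not part of the thread and not the ssltest tool; the class name and the KEYSTORE_PASS environment variable are hypothetical, and it assumes the key password equals the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class ClientCertEntryCheck {

    /** Returns findings for one alias; lines starting with "PROBLEM" need attention. */
    static List<String> inspect(KeyStore ks, String alias, char[] password) throws Exception {
        List<String> out = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            out.add("PROBLEM alias '" + alias + "' is not in the keystore");
            return out;
        }
        if (!ks.isKeyEntry(alias)) {
            // A certificate-only entry has no private key to sign the handshake with.
            out.add("PROBLEM entry is a certificate without a private key");
            return out;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            out.add("PROBLEM private key has no certificate attached");
            return out;
        }
        out.add("INFO chain length " + chain.length);
        Date now = new Date();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            out.add("INFO [" + i + "] subject=" + cert.getSubjectX500Principal().getName()
                    + " issuer=" + cert.getIssuerX500Principal().getName()
                    + " notAfter=" + cert.getNotAfter());
            if (now.after(cert.getNotAfter()) || now.before(cert.getNotBefore())) {
                out.add("PROBLEM [" + i + "] is outside its validity period");
            }
            if (i + 1 < chain.length) {
                X509Certificate next = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                    out.add("PROBLEM [" + (i + 1) + "] is not the issuer of [" + i + "]");
                }
            }
        }
        // Compare the private key with the leaf certificate's public key (RSA only).
        Key key = ks.getKey(alias, password);
        X509Certificate leaf = (X509Certificate) chain[0];
        if (key instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey) {
            boolean same = ((RSAPrivateKey) key).getModulus()
                    .equals(((RSAPublicKey) leaf.getPublicKey()).getModulus());
            out.add(same ? "INFO private key matches the certificate"
                         : "PROBLEM private key does not match the certificate");
        } else {
            out.add("INFO non-RSA key; key/certificate match not checked here");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASS"); // hypothetical variable name
        if (args.length != 2 || pass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java ClientCertEntryCheck <keystore.jks> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        for (String line : inspect(ks, args[1], pass.toCharArray())) {
            System.out.println(line);
        }
    }
}
```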
Re: Tomcat stopped and Debug can't be done in Eclipse
On Wed, 2/21/18, Konstantin Kolinko wrote:

Subject: Re: Tomcat stopped and Debug can't be done in Eclipse
To: "Karen Goh"
Cc: "Tomcat Users List"
Date: Wednesday, February 21, 2018, 5:43 AM

2018-02-20 17:57 GMT+03:00 Karen Goh :
>
> Hi Konstantin,
>
> Can you point me some useful resources where I can learn about setting the Tomcat launch configuration.

1. On the topic of debugging, see the following page:

https://wiki.apache.org/tomcat/FAQ/Developing

The following two items on that page should be interesting for you:

a) "Official Eclipse IDE Web Tools FAQ for Tomcat" with links to Eclipse documentation

b) "How do I configure Tomcat to support remote debugging?"

This is for the use case when you start Tomcat separately and attach a debugger to an already running Tomcat.

2. On a topic of simply running Tomcat (not debugging), official documentation is "RUNNING.txt" file. There is also

http://tomcat.apache.org/tomcat-8.5-doc/setup.html

Environment variables used by launch scripts are documented in a comment at the top of those scripts (catalina.bat, catalina.sh).

I have added this in my JVM under the tomcat argument for remote debug configuration :

-Dcatalina.opts="-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n"

Below, it shows that Tomcat is started

Mar 17, 2018 2:33:29 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'source' to 'org.eclipse.jst.jee.server:Hi5S' did not find a matching property.
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:Apache Tomcat/8.5.24
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built: Nov 27 2017 13:05:30 UTC
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number: 8.5.24.0
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name: Windows 10
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version:10.0
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture: amd64
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home: C:\Program Files\Java\jre1.8.0_161
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version: 1.8.0_161-b12
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor:Oracle Corporation
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE: C:\Users\Karen.Goh\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp2
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME: C:\Program Files\Apache\apache-tomcat-8.5.24
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -agentlib:jdwp=transport=dt_socket,suspend=y,address=localhost:50906
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.base=C:\Users\Karen.Goh\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp2
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=C:\Program Files\Apache\apache-tomcat-8.5.24
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dwtp.deploy=C:\Users\Karen.Goh\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp2\wtpwebapps
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.endorsed.dirs=C:\Program Files\Apache\apache-tomcat-8.5.24\endorsed
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.opts=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n
Mar 17, 2018 2:33:29 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dfile.encoding=UTF-8
Mar 17, 2018 2:33:29 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [C:\Program Files\Java\jre1.8.0_161\bin;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:/Program Files/Java/jre1.8.0_161/bin/server;C:/Program Files/Java/jre1.8.0_161/bin;C:/Program Files/Java/jre1.8.0_161/lib/amd64;C:\ProgramData\Oracle\Java\javapath;C:\Program