Re: Error in stopping application tomcat !!

2020-07-17 Thread Kushagra Bindal
Hi Chris,

Additionally, when trying to stop the running application, we are getting the
error below.

Sat Jul 18 05:49:40 UTC 2020
**
*  Stopping the Web Server
**
Sat Jul 18 05:49:40 UTC 2020
./wfc: line 28: /usr/local/nginx/nginx: No such file or directory
./wfc: line 233: /usr/local/nginx/nginx: No such file or directory

Sat Jul 18 05:49:40 UTC 2020
*  Nginx has been stopped
**
*  Shutdown the wfc Server gracefully
**
# *
# Tomcat shutdown with wait time: 30
# *
Using CATALINA_BASE:   /usr/local/xyz/tomcat
Using CATALINA_HOME:   /usr/local/xyz/tomcat
Using CATALINA_TMPDIR: /usr/local/xyz/tomcat/temp
Using JRE_HOME:/usr/local/xyz/jdk
Using CLASSPATH:
/usr/local/xyz/tomcat/bin/bootstrap.jar:/usr/local/xyz/tomcat/bin/tomcat-juli.jar
Using CATALINA_PID:/usr/local/xyz/tomcat/tomcat.pid
Tomcat did not stop in time.
To aid diagnostics a thread dump has been written to standard out.
Killing Tomcat with the PID: 4280
The Tomcat process has been killed.
# *
# Tomcat shutdown result: 0
# *



Whereas the error I mentioned earlier comes when the application is
INPROGRESS and has not yet reached the running state; when we stop it at
that point it throws the error below.

On Sat, Jul 18, 2020 at 10:17 AM Kushagra Bindal 
wrote:

>  Hi Chris,
>
> To stop tomcat we are using the below command.
>
> bin/shutdown.sh -$sleeptime -force
>
> Where in our case sleeptime is set to 30.
>
> Please find the attached server.xml which we are using in our application.
>
> Also I have copy-pasted the complete content below in this email as well.
>
> 
>
> 
> 
>/>
>SSLEngine="on" />
>className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>   
>type="org.apache.catalina.UserDatabase"
>   description="User database that can be updated and saved"
>   factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>   pathname="conf/tomcat-users.xml" />
>type="javax.sql.DataSource"
>   username="db_username_stub"
>   password="db_password_stub"
>   factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>   url="READ_WRITE_URL_STUB"
>   driverClassName="com.edb.Driver"
>   initialSize="5"
>   maxWait="3"
>   maxActive="50"
>   maxIdle="20"
>   minIdle="5"
>   maxAge="720"
>   validationQuery="SELECT 1; COMMIT;"
>  initSQL="ALTER SESSION SET statement_timeout=360; ALTER SESSION SET
> idle_in_transaction_session_timeout=366; COMMIT;"
>   poolPreparedStatements="true"
>   testWhileIdle="false"
>   testOnBorrow="true"
>   testOnReturn="false"
>   validationInterval="12"
>   timeBetweenEvictionRunsMillis="15000"
>   removeAbandonedTimeout="300"
>   removeAbandoned="false"
>   logAbandoned="false"
>   minEvictableIdleTimeMillis="12"
>   jmxEnabled="true"
>
> jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.ConnectionState;
>
> org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer;
>
> org.apache.tomcat.jdbc.pool.interceptor.StatementCache(max=4000)" />
>type="javax.sql.DataSource"
>   username="db_username_stub"
>   password="db_password_stub"
>   factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>   url="READ_ONLY_URL_STUB"
>   driverClassName="com.edb.Driver"
>   initialSize="5"
>   maxWait="3"
>   maxActive="50"
>   maxIdle="20"
>   minIdle="5"
>   defaultReadOnly="true"
>   validationQuery="SELECT 1; COMMIT;"
>   initSQL="ALTER SESSION SET statement_timeout=360; ALTER
> SESSION SET idle_in_transaction_session_timeout=366; COMMIT;"
>   poolPreparedStatements="true"
>   testWhileIdle="false"
>   testOnBorrow="true"
>   testOnReturn="false"
>   validationInterval="12"
>   timeBetweenEvictionRunsMillis="15000"
>   removeAbandonedTimeout="300"
>   removeAbandoned="false"
>   logAbandoned="false"
>   

Re: Error in stopping application tomcat !!

2020-07-17 Thread Kushagra Bindal
 Hi Chris,

To stop tomcat we are using the below command.

bin/shutdown.sh -$sleeptime -force

Where in our case sleeptime is set to 30.

Please find the attached server.xml which we are using in our application.

Also I have copy-pasted the complete content below in this email as well.

Please suggest what needs to be done to resolve this issue.


On Sat, Jul 18, 2020 at 12:47 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Kushagra,
>
> On 7/17/20 11:47, Kushagra Bindal wrote:
> > Similar issues we are also facing in our environment. What could be
> > the problem?
> >
> > On Fri, Jul 17, 2020 at 6:04 PM om tiwari 
> > wrote:
> >
> >> Hi,
> >>
> >> We have upgraded our tomcat version from 8.5.24 to 8.5.53 in
> >> application. After upgrading we are facing issue while stopping
> >> tomcat. Below is the stack-trace :
> >>
> >> Using CATALINA_BASE:   /usr/local/kronos/tomcat Using
> >> CATALINA_HOME:   /usr/local/kronos/tomcat Using CATALINA_TMPDIR:
> >> /usr/local/kronos/tomcat/temp Using JRE_HOME:
> >> /usr/local/kronos/jdk Using CLASSPATH:
> >>
> >> /usr/local/kronos/tomcat/bin/bootstrap.jar:/usr/local/kronos/tomcat/b
> in/tomcat-juli.jar
> >>
> >>
> Using CATALINA_PID:/usr/local/kronos/tomcat/tomcat.pid
> >> Jul 17, 2020 11:44:44 AM org.apache.catalina.startup.Catalina
> >> stopServer SEVERE: Could not contact [localhost:8005]. Tomcat may
> >> not be running. Jul 17, 2020 11:44:44 AM
> >> org.apache.catalina.startup.Catalina stopServer SEVERE:
> >> Catalina.stop: java.net.ConnectException: Connection refused
> >> (Connection refused) at
> >> java.net.PlainSocketImpl.socketConnect(Native Method) at
> >> java.net
> >> .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> >>
> >>
> at java.net
> >> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.jav
> a:206)
> >>
> >>
> at java.net
> >> .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> >>
> >>
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> >> at java.net.Socket.connect(Socket.java:589) at
> >> java.net.Socket.connect(Socket.java:538) at
> >> java.net.Socket.(Socket.java:434) at
> >> java.net.Socket.(Socket.java:211) at
> >> org.apache.catalina.startup.Catalina.stopServer(Catalina.java:504)
> >>
> >>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> at
> >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:62)
> >>
> >>
> at
> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:43)
> >>
> >>
> at java.lang.reflect.Method.invoke(Method.java:498)
> >> at
> >> org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:389)
> >>
> >>
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:479)
> >>
> >> Tomcat did not stop in time. To aid diagnostics a thread dump has
> >> been written to standard out. Killing Tomcat with the PID: 21210
> >> The Tomcat process has been killed.
> >>
> >>
> >>
> >>
> At last the tomcat is stopped but we are not able to understand this
> >> connection refused stack trace in this stop process.
> >>
> >> It also takes time in stopping the tomcat server now since
> >> upgrade ~10-15 sec.
> >>
> >> Can anyone help us in resolving this issue?
>
> Can you post your  element from conf/server.xml?
>
> How do you stop Tomcat -- looks like using "catalina.sh stop" or similar?
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert

On 7/17/20 2:36 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

> This looks like a cipher, not an alias
>
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


As I said, of course it's a cipher. I said up front that the lines were 
truncated, in order to fit in an email.


I can't imagine why seeing the whole connector would make a difference, 
but if anybody wants to see it un-truncated, (albeit with the same 
redactions), it's now also on ServerFault, at

  https://serverfault.com/q/1025706/498231?sem=2

--
JHHL




Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert

On 7/17/20 2:36 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

> This looks like a cipher, not an alias
>
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


It is. The lines are truncated at 72 characters for the email.

--
JHHL




RE: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread jonmcalexander
This looks like a cipher, not an alias

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com




-Original Message-
From: James H. H. Lampert  
Sent: Friday, July 17, 2020 3:47 PM
To: Tomcat Users List 
Subject: Problem with protocols, Re: SSL/TLS issue: can we listen on more than 
one secured port, with different protocols enabled?

Running two connectors seems to work just fine, but I'm having trouble getting 
one of them to only take TLS 1.2.

In reply to my query:

>> Given all this, is it possible to (1) have Tomcat listen on two 
>> separate HTTPS ports, and (2) have one of the ports require TLS 1.2, 
>> but the other accept something our AS/400 can use?

On 7/17/20 10:03 AM, Mark Thomas wrote:

> Yes. You need two Connector elements specifying different ports and 
> different protocols. They should be able to use the same certificate 
> configuration.

I just ran a test on our development Amazon EC2 instance, and verified that I 
could listen on two different ports (existing 8443 and now 7443), and I limited 
(or so I thought) 8443 (to which I have 443 rerouted through iptables) to TLS 
1.2.

Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!

I commented out the connector for 8443 and restarted Tomcat, but it's still 
giving the same report from SSLLabs.

The connector for 8443 in server.xml looks like this (lines truncated):
>  protocol="org.apache.coyote.http1$
>  compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
>maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>clientAuth="false" sslProtocol="TLSv1.2" />

The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 
installation on our most security-conscious customer's AS/400; this Tomcat is 
8.5. Am I specifying it wrong?

--
JHHL




Re: Tomcat mod_jk rpm-build for CentOS-8 - exit with error.

2020-07-17 Thread Stefan Mayr
Hi Klaus,

Am 06.07.2020 um 15:13 schrieb Klaus Tachtler:
> Hi,
> 
> I'm trying to build a rpm package for CentOS-8 for mod_jk with the
> latest version 1.2.48. While building the rpm package, following error
> occurs:
> 
> 
> - %< -
> 
> ...
> make[1]: Entering directory
> '/root/rpmbuild/BUILD/tomcat-connectors-1.2.48-src/native/apache-2.0'
> /usr/lib64/apr-1/build/libtool --silent --mode=link gcc
> -I/usr/include/httpd -O2 -g -pipe -Wall -Werror=format-security
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
> -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I../common -I ../common -DLINUX
> -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Werror=format-security
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
> -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -pthread -DHAVE_APR  -I/usr/include/apr-1 -I/usr/include/apr-1 -O2 -g
> -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
> -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -DHAVE_CONFIG_H -O2 -g -pipe -Wall -Werror=format-security
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
> -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -I/usr/include/apr-1  -Wl,-z,relro,-z,now -Wl,-z,relro -Wl,-z,now
> -Wl,-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o mod_jk.la -module
> -rpath /usr/lib64/httpd/modules -avoid-version mod_jk.lo
> ../common/jk_ajp12_worker.lo ../common/jk_connect.lo
> ../common/jk_msg_buff.lo ../common/jk_util.lo ../common/jk_ajp13.lo
> ../common/jk_pool.lo ../common/jk_worker.lo ../common/jk_ajp13_worker.lo
> ../common/jk_lb_worker.lo ../common/jk_sockbuf.lo ../common/jk_map.lo
> ../common/jk_uri_worker_map.lo ../common/jk_ajp14.lo
> ../common/jk_ajp14_worker.lo ../common/jk_md5.lo ../common/jk_shm.lo
> ../common/jk_ajp_common.lo ../common/jk_context.lo ../common/jk_url.lo
> ../common/jk_status.lo
> /usr/bin/ld: unrecognized option
> '-specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
> /usr/bin/ld: use the --help option for usage information
> collect2: error: ld returned 1 exit status
> make[1]: *** [Makefile:83: mod_jk.la] Error 1
> make[1]: Leaving directory
> '/root/rpmbuild/BUILD/tomcat-connectors-1.2.48-src/native/apache-2.0'
> make: *** [Makefile:470: all-recursive] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.O4kRZI (%build)
> 
> - >% -
Does it build without the specfile? I tried to reproduce it in a simple
Dockerfile. This works so far - can you show us your .spec-file?

Sample Dockerfile to build mod_jk on CentOS 8

FROM centos:8
ARG JK_VERSION=1.2.48
ARG REMOTE_URL=https://downloads.apache.org/tomcat/tomcat-connectors/jk/tomcat-connectors-${JK_VERSION}-src.tar.gz
RUN yum --assumeyes --quiet update && \
    yum --assumeyes --quiet install \
        diffutils \
        file \
        gcc \
        httpd-devel \
        libtool \
        make \
        redhat-rpm-config && \
    yum clean all
RUN cd /usr/src && \
    curl --silent --remote-name ${REMOTE_URL} && \
    tar -xzf tomcat-connectors-${JK_VERSION}-src.tar.gz && \
    cd tomcat-connectors-${JK_VERSION}-src/native && \
    ./configure --with-apxs=/usr/bin/apxs && \
    make && \
    libtool --finish /usr/lib64/httpd/modules && \
    make install

Regards,

Stefan




Re: [ANN] ApacheCon NA 2020 is virtual/online, completely free to attend, and call-for-presentations is CLOSED

2020-07-17 Thread Christopher Schultz

All,

While the CFP is officially closed for ApacheCon, there is still some
space in the Tomcat track if anyone is still considering a presentation.

Please email me privately if you'd like to submit a topic. Just put
"apachecon" in the subject. (It's very likely to be selected!) All you
need right now is a title and a one-paragraph explanation of what
you'd like to present.

Thanks,
-chris




Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert
Running two connectors seems to work just fine, but I'm having trouble 
getting one of them to only take TLS 1.2.


In reply to my query:

> Given all this, is it possible to (1) have Tomcat listen on two separate
> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
> other accept something our AS/400 can use?

On 7/17/20 10:03 AM, Mark Thomas wrote:

> Yes. You need two Connector elements specifying different ports and
> different protocols. They should be able to use the same certificate
> configuration.


I just ran a test on our development Amazon EC2 instance, and verified 
that I could listen on two different ports (existing 8443 and now 7443), 
and I limited (or so I thought) 8443 (to which I have 443 rerouted 
through iptables) to TLS 1.2.


Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!

I commented out the connector for 8443 and restarted Tomcat, but it's 
still giving the same report from SSLLabs.


The connector for 8443 in server.xml looks like this (lines truncated):




The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 
installation on our most security-conscious customer's AS/400; this 
Tomcat is 8.5. Am I specifying it wrong?


--
JHHL




RE: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread jonmcalexander
It works quite well.

Sorry for the top post, I only have outlook and it sucks in this respect.




-Original Message-
From: Mark Thomas  
Sent: Friday, July 17, 2020 12:03 PM
To: users@tomcat.apache.org
Subject: Re: SSL/TLS issue: can we listen on more than one secured port, with 
different protocols enabled?

On 17/07/2020 17:55, James H. H. Lampert wrote:
> I've got an issue here.
> 
> On the one hand, we have a Tomcat server running on Amazon (in a 
> Beanstalk cluster). And we have an AS/400 running an old enough OS 
> that, so far as I'm aware, cannot be configured to use TLS 1.2 at the 
> current OS release level. And that AS/400 needs to access that Tomcat 
> server (which it does, using Scott Klement's open source HTTPAPI 
> product, which has become pretty much an industry standard for the purpose).
> 
> And on the other hand, we are getting a security report from SSLLabs, 
> telling us that our security rating is capped at "B" because we allow 
> TLS 1.0 and 1.1.
> 
> BUT, our entire office is on a static IP address, and we already know 
> how to open a port on our Amazon firewall to only accept traffic from 
> our office IP.
> 
> Given all this, is it possible to (1) have Tomcat listen on two 
> separate HTTPS ports, and (2) have one of the ports require TLS 1.2, 
> but the other accept something our AS/400 can use?

Yes. You need two Connector elements specifying different ports and different 
protocols. They should be able to use the same certificate configuration.

Mark




Re: Error in stopping application tomcat !!

2020-07-17 Thread Christopher Schultz

Kushagra,

On 7/17/20 11:47, Kushagra Bindal wrote:
> Similar issues we are also facing in our environment. What could be
> the problem?
>
> On Fri, Jul 17, 2020 at 6:04 PM om tiwari 
> wrote:
>
>> Hi,
>>
>> We have upgraded our tomcat version from 8.5.24 to 8.5.53 in
>> application. After upgrading we are facing issue while stopping
>> tomcat. Below is the stack-trace :
>>
>> Using CATALINA_BASE:   /usr/local/kronos/tomcat Using
>> CATALINA_HOME:   /usr/local/kronos/tomcat Using CATALINA_TMPDIR:
>> /usr/local/kronos/tomcat/temp Using JRE_HOME:
>> /usr/local/kronos/jdk Using CLASSPATH:
>>
>> /usr/local/kronos/tomcat/bin/bootstrap.jar:/usr/local/kronos/tomcat/b
in/tomcat-juli.jar
>>
>>
Using CATALINA_PID:/usr/local/kronos/tomcat/tomcat.pid
>> Jul 17, 2020 11:44:44 AM org.apache.catalina.startup.Catalina
>> stopServer SEVERE: Could not contact [localhost:8005]. Tomcat may
>> not be running. Jul 17, 2020 11:44:44 AM
>> org.apache.catalina.startup.Catalina stopServer SEVERE:
>> Catalina.stop: java.net.ConnectException: Connection refused
>> (Connection refused) at
>> java.net.PlainSocketImpl.socketConnect(Native Method) at
>> java.net
>> .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>
>>
at java.net
>> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.jav
a:206)
>>
>>
at java.net
>> .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>
>>
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> at java.net.Socket.connect(Socket.java:589) at
>> java.net.Socket.connect(Socket.java:538) at
>> java.net.Socket.(Socket.java:434) at
>> java.net.Socket.(Socket.java:211) at
>> org.apache.catalina.startup.Catalina.stopServer(Catalina.java:504)
>>
>>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:62)
>>
>>
at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:43)
>>
>>
at java.lang.reflect.Method.invoke(Method.java:498)
>> at
>> org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:389)
>>
>>
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:479)
>>
>> Tomcat did not stop in time. To aid diagnostics a thread dump has
>> been written to standard out. Killing Tomcat with the PID: 21210
>> The Tomcat process has been killed.
>>
>>
>>
>>
At last the tomcat is stopped but we are not able to understand this
>> connection refused stack trace in this stop process.
>>
>> It also takes time in stopping the tomcat server now since
>> upgrade ~10-15 sec.
>>
>> Can anyone help us in resolving this issue?

Can you post your  element from conf/server.xml?

How do you stop Tomcat -- looks like using "catalina.sh stop" or similar?

-chris




Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread Mark Thomas
On 17/07/2020 17:55, James H. H. Lampert wrote:
> I've got an issue here.
> 
> On the one hand, we have a Tomcat server running on Amazon (in a
> Beanstalk cluster). And we have an AS/400 running an old enough OS that,
> so far as I'm aware, cannot be configured to use TLS 1.2 at the current
> OS release level. And that AS/400 needs to access that Tomcat server
> (which it does, using Scott Klement's open source HTTPAPI product, which
> has become pretty much an industry standard for the purpose).
> 
> And on the other hand, we are getting a security report from SSLLabs,
> telling us that our security rating is capped at "B" because we allow
> TLS 1.0 and 1.1.
> 
> BUT, our entire office is on a static IP address, and we already know
> how to open a port on our Amazon firewall to only accept traffic from
> our office IP.
> 
> Given all this, is it possible to (1) have Tomcat listen on two separate
> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
> other accept something our AS/400 can use?

Yes. You need two Connector elements specifying different ports and
different protocols. They should be able to use the same certificate
configuration.

Mark




SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert

I've got an issue here.

On the one hand, we have a Tomcat server running on Amazon (in a 
Beanstalk cluster). And we have an AS/400 running an old enough OS that, 
so far as I'm aware, cannot be configured to use TLS 1.2 at the current 
OS release level. And that AS/400 needs to access that Tomcat server 
(which it does, using Scott Klement's open source HTTPAPI product, which 
has become pretty much an industry standard for the purpose).


And on the other hand, we are getting a security report from SSLLabs, 
telling us that our security rating is capped at "B" because we allow 
TLS 1.0 and 1.1.


BUT, our entire office is on a static IP address, and we already know 
how to open a port on our Amazon firewall to only accept traffic from 
our office IP.


Given all this, is it possible to (1) have Tomcat listen on two separate 
HTTPS ports, and (2) have one of the ports require TLS 1.2, but the 
other accept something our AS/400 can use?


--
James H. H. Lampert




Re: Error in stopping application tomcat !!

2020-07-17 Thread Kushagra Bindal
Similar issues we are also facing in our environment. What could be the
problem?

On Fri, Jul 17, 2020 at 6:04 PM om tiwari  wrote:

> Hi,
>
> We have upgraded our tomcat version from 8.5.24 to 8.5.53 in
> application. After upgrading we are facing issue while stopping
> tomcat.
> Below is the stack-trace :
>
> Using CATALINA_BASE:   /usr/local/kronos/tomcat
> Using CATALINA_HOME:   /usr/local/kronos/tomcat
> Using CATALINA_TMPDIR: /usr/local/kronos/tomcat/temp
> Using JRE_HOME:/usr/local/kronos/jdk
> Using CLASSPATH:
>
> /usr/local/kronos/tomcat/bin/bootstrap.jar:/usr/local/kronos/tomcat/bin/tomcat-juli.jar
> Using CATALINA_PID:/usr/local/kronos/tomcat/tomcat.pid
> Jul 17, 2020 11:44:44 AM org.apache.catalina.startup.Catalina stopServer
> SEVERE: Could not contact [localhost:8005]. Tomcat may not be running.
> Jul 17, 2020 11:44:44 AM org.apache.catalina.startup.Catalina stopServer
> SEVERE: Catalina.stop:
> java.net.ConnectException: Connection refused (Connection refused)
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net
> .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> at java.net
> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
> at java.net
> .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.net.Socket.connect(Socket.java:589)
> at java.net.Socket.connect(Socket.java:538)
> at java.net.Socket.(Socket.java:434)
> at java.net.Socket.(Socket.java:211)
> at
> org.apache.catalina.startup.Catalina.stopServer(Catalina.java:504)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:389)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:479)
>
> Tomcat did not stop in time.
> To aid diagnostics a thread dump has been written to standard out.
> Killing Tomcat with the PID: 21210
> The Tomcat process has been killed.
>
> --
>
> At last the tomcat is stopped but we are not able to understand this
> connection refused stack trace in this stop process.
>
> It also takes time in stopping the tomcat server now since upgrade ~10-15
> sec.
>
> Can anyone help us in resolving this issue?
>


-- 
Regards,
Kushagra
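
The two server.xml questions raised in the threads above (the 8443 Connector that still offers TLS 1.0 and 1.1 despite sslProtocol="TLSv1.2", and Chris's request to see the Server element in this shutdown thread), as an added Python check that is not code from any post here or from Tomcat. On Tomcat 8.5 the sslProtocol attribute only names the JSSE SSLContext, while sslEnabledProtocols (or the SSLHostConfig protocols attribute) sets the versions actually offered; the sample server.xml below, including the 9443 connector and the keystore path, is constructed for the example.

```python
"""Lint a Tomcat 8.5 server.xml for the TLS versions each HTTPS Connector
really offers and for the <Server> shutdown-port settings."""
import xml.etree.ElementTree as ET

# Constructed sample, not any poster's real config. 8443 mirrors the thread
# (sslProtocol="TLSv1.2" and nothing else); 7443 and 9443 show the two ways
# that actually restrict versions on 8.5: the legacy attribute, SSLHostConfig.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/tomcat8/dev.example.ks" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLSv1.2" />
    <Connector port="7443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/tomcat8/dev.example.ks" keyAlias="tomcat"
               sslEnabledProtocols="TLSv1.2" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="all,-TLSv1,-TLSv1.1">
        <Certificate certificateKeystoreFile="/etc/tomcat8/dev.example.ks" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# What "all" (also the default when no protocol list is given) expands to on
# Tomcat 8.5; TLSv1.3 only where the JVM or OpenSSL build supports it.
ALL_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def expand_protocols(spec):
    """Expand Tomcat's list syntax ("all", "+X", "-X", plain names) into the
    ordered list of versions the connector will offer."""
    enabled = []
    for token in (t.strip() for t in spec.split(",")):
        if token.lower() == "all":
            for proto in ALL_PROTOCOLS:
                if proto not in enabled:
                    enabled.append(proto)
        elif token.startswith("-"):
            enabled = [p for p in enabled if p != token[1:]]
        elif token and token.lstrip("+") not in enabled:
            enabled.append(token.lstrip("+"))
    return enabled


def connector_findings(connector):
    """Return (offered versions, notes) for one SSLEnabled Connector."""
    host_cfg = connector.find("SSLHostConfig")
    spec = None
    if host_cfg is not None and host_cfg.get("protocols"):
        spec = host_cfg.get("protocols")
    elif connector.get("sslEnabledProtocols"):
        spec = connector.get("sslEnabledProtocols")
    enabled = expand_protocols(spec or "all")
    notes = []
    legacy = [p for p in enabled if p in LEGACY]
    if legacy:
        notes.append("offers legacy versions " + ",".join(legacy))
    if spec is None and connector.get("sslProtocol"):
        # sslProtocol only names the SSLContext handed to JSSE; a "TLSv1.2"
        # context still enables TLS 1.0 and 1.1 by default. The offered list
        # comes from sslEnabledProtocols / SSLHostConfig protocols.
        notes.append("sslProtocol=%s does not restrict versions; set "
                     "sslEnabledProtocols or SSLHostConfig protocols"
                     % connector.get("sslProtocol"))
    return enabled, notes


def lint_server_xml(xml_text):
    """Lint the <Server> shutdown settings and every SSLEnabled Connector."""
    root = ET.fromstring(xml_text)
    port, address = root.get("port", "8005"), root.get("address", "localhost")
    shutdown_notes = []
    if port != "-1":
        # shutdown.sh connects to address:port and sends the shutdown string;
        # the default string is public, so change it and keep the port local.
        if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            shutdown_notes.append("default shutdown command string in use")
        if address not in LOOPBACK:
            shutdown_notes.append("shutdown port not bound to loopback")
    report = {"shutdown": {"port": port, "address": address,
                           "notes": shutdown_notes},
              "connectors": {}}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            enabled, notes = connector_findings(conn)
            report["connectors"][conn.get("port")] = {"protocols": enabled,
                                                      "notes": notes}
    return report
```

Run lint_server_xml over a real conf/server.xml and compare each connector's offered list with what an external scan such as SSLLabs reports; a disagreement means the versions are being set somewhere other than the attributes checked here.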


Re: Faster Start Up

2020-07-17 Thread Luis Rodríguez Fernández
Hello Chris,

Yes, I do agree that the / docs do not look very
clear. After different tests we ended up with configurations like this one
(${CATALINA_BASE}/conf/context.xml)


  


or this other one (${CATALINA_BASE}/conf/catalina.properties)

tomcat.util.scan.StandardJarScanFilter.jarsToSkip=*.*

for disabling completely the jar scanning.

Cheers,

Luis

ps: finally we decided to disable the jar scanning just for the jars that
we were adding ourselves in our custom tomcat image (keycloak for SSO,
jolokia for monitoring and some utilities). Our colleague Thomas added the
shell kung-fu below to our Dockerfile

# The appended line ends in a backslash like every other line of the list;
# without it the properties parser ends the value there and the default
# skip list that follows it is lost.
RUN jars_to_skip_in_tld_search=$(find ${CATALINA_BASE}/lib/* -printf "%f,") \
 && line_number_of_beginning_of_skip_list=$(sed -n '/tomcat.util.scan.StandardJarScanFilter.jarsToSkip=\\/=' ${CATALINA_BASE}/conf/catalina.properties) \
 && comment_to_insert="# Note: The first line of the list (and this comment) was inserted while\n# building the image to skip TLD scanning of our own jars." \
 && sed -i "${line_number_of_beginning_of_skip_list}a\\${jars_to_skip_in_tld_search}\\\\" ${CATALINA_BASE}/conf/catalina.properties \
 && sed -i "${line_number_of_beginning_of_skip_list}i\\${comment_to_insert}" ${CATALINA_BASE}/conf/catalina.properties \
 && echo "Will skip jars: ${jars_to_skip_in_tld_search}"

pps: BTW: thanks Thomas, it works!











On Wed, Jul 15, 2020 at 18:51, Christopher Schultz (<
ch...@christopherschultz.net>) wrote:

>
> All,
>
> On 7/15/20 10:14, Christopher Schultz wrote:
> > Reading the documentation for / it
> > looks like maybe this would work:
> >
> >  
> > 
>
> With the above configuration, I still see this INFO log in my log file:
>
> INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
> Enable debug logging for this logger for a complete list of JARs that
> were scanned but no TLDs were found in them. Skipping unneeded JARs
> during scanning can improve startup time and JSP compilation time.
>
> > Or maybe:
> >
> >  
> > 
>
> Looks like this gets the job done.
>
> I'm curious: why does tldScan="" not work?
>
> > If I specify one of the above, will the JAR scan still occur
> > (meaning, enumerate the list of JAR files and run through them) but
> > no JAR files will actually be opened? Or will the scanning process
> > be skipped entirely if the JarScanner sees that its configuration
> > implies it will never do any work?
>
> -chris
>
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett