Re: Log format access logs standard

2022-06-06 Thread Mark Thomas

On 07/06/2022 07:06, rinilnath r wrote:

Hi,

What's the meaning of this?
%>s


If that appears in the pattern attribute of an AccessLogValve then it is 
an error and you'll see the following in the access log:


???>???s

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Log format access logs standard

2022-06-06 Thread rinilnath r
Hi,

What's the meaning of this?
%>s

Thanks and Regards,
Rinilnath
Mobile#9786285451


RE: enabling ssl debug on tomcat [EXTERNAL]

2022-06-06 Thread Beard, Shawn
Is there a way to isolate this to only debug a specific client connection URL? 
There is really only one that’s throwing socket errors and having debug for 
everything is filling up the log too fast and generating too much noise.


Shawn Beard
Sr. Systems Engineer | BTS
Middleware Engineering | +1-515-564-2528 | sbe...@wrberkley.com


-Original Message-
From: l...@kreuser.name 
Sent: Monday, June 6, 2022 4:06 PM
To: Tomcat Users List 
Subject: Re: enabling ssl debug on tomcat [EXTERNAL]

Shawn,


> On 06.06.2022 at 22:49, Beard, Shawn wrote:
>
> I'm adding this -Djavax.net.debug=ssl:handshake:verbose 
> SSLSocketClientWithClientAuth
>

I assume that you copied this from the SSL-Samples App (where the class file is 
SSLSocketClientWithClientAuth).

You have to add only -Djavax.net.debug=ssl:handshake:verbose to CATALINA_OPTS 
(or JAVA_OPTS).

Peter

> To the Java options of Tomcat, however the SSLSocketClientWithClientAuth is 
> causing Tomcat not to start, saying it can't find the 
> SSLSocketClientWithClientAuth class. I need to debug socket issues on an SSL 
> client connection. Any ideas?

CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
private, privileged and confidential information belonging to the sender. The 
information therein is solely for the use of the addressee. If your receipt of 
this transmission has occurred as the result of an error, please immediately 
notify us so we can arrange for the return of the documents. In such 
circumstances, you are advised that you may not disclose, copy, distribute or 
take any other action in reliance on the information transmitted.


Re: enabling ssl debug on tomcat

2022-06-06 Thread logo
Shawn,


> On 06.06.2022 at 22:49, Beard, Shawn wrote:
> 
> I'm adding this -Djavax.net.debug=ssl:handshake:verbose 
> SSLSocketClientWithClientAuth
>  

I assume that you copied this from the SSL-Samples App (where the class file is 
SSLSocketClientWithClientAuth).

You have to add only -Djavax.net.debug=ssl:handshake:verbose to CATALINA_OPTS 
(or JAVA_OPTS).

Peter

> To the Java options of Tomcat, however the SSLSocketClientWithClientAuth is 
> causing Tomcat not to start, saying it can't find the 
> SSLSocketClientWithClientAuth class. I need to debug socket issues on an SSL 
> client connection. Any ideas?



enabling ssl debug on tomcat

2022-06-06 Thread Beard, Shawn
I'm adding this -Djavax.net.debug=ssl:handshake:verbose 
SSLSocketClientWithClientAuth

To the Java options of Tomcat, however the SSLSocketClientWithClientAuth is 
causing Tomcat not to start, saying it can't find the SSLSocketClientWithClientAuth 
class. I need to debug socket issues on an SSL client connection. Any ideas?







Re: Constant errors in Tomcat logs

2022-06-06 Thread Mark Thomas

On 06/06/2022 16:28, Alan F wrote:

Hi, I have a Tomcat clustered pair running. I see this 3 times a minute in the 
logs. I don't see this IP in server.xml. I do have a DEV Tomcat pair; is this 
somehow interfering?


Possibly.

Does that IP match one of the servers in the dev pair?

Are the two pairs on the same subnet?

Are both pairs using multicast?

Is each pair configured to use a separate domain?

Mark




06-Jun-2022 11:15:18.836 WARNING [Catalina-utility-2] 
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.performBasicCheck
 Member added, even though we weren't 
notified:[org.apache.catalina.tribes.membership.MemberImpl[tcp://{192, 168, 
217, 57}:4102,{192, 168, 217, 57},4102, alive=3547745427, securePort=-1, UDP 
Port=-1, id={-119 -107 23 88 119 -39 74 -49 -118 57 -61 -49 -28 -91 11 43 }, 
payload={}, command={}, domain={}]]



Constant errors in Tomcat logs

2022-06-06 Thread Alan F
Hi, I have a Tomcat clustered pair running. I see this 3 times a minute in the 
logs. I don't see this IP in server.xml. I do have a DEV Tomcat pair; is this 
somehow interfering? 

06-Jun-2022 11:15:18.836 WARNING [Catalina-utility-2] 
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.performBasicCheck
 Member added, even though we weren't 
notified:[org.apache.catalina.tribes.membership.MemberImpl[tcp://{192, 168, 
217, 57}:4102,{192, 168, 217, 57},4102, alive=3547745427, securePort=-1, UDP 
Port=-1, id={-119 -107 23 88 119 -39 74 -49 -118 57 -61 -49 -28 -91 11 43 }, 
payload={}, command={}, domain={}]]
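
Added example (not part of the thread and not Tomcat code): a small parser for the TcpFailureDetector warning quoted in this thread. It extracts the member's address, port, uptime and domain and looks the address up in an inventory, which helps answer whether the unexpected member belongs to the other pair. The inventory addresses are constructed, and it is an assumption that `domain` is printed as signed bytes the way `id` is and that `alive` is in milliseconds.

```python
import re

# The warning from the post, joined onto one line (the archive wrapped it).
SAMPLE = (
    "06-Jun-2022 11:15:18.836 WARNING [Catalina-utility-2] org.apache.catalina."
    "tribes.group.interceptors.TcpFailureDetector.performBasicCheck Member added, "
    "even though we weren't notified:[org.apache.catalina.tribes.membership."
    "MemberImpl[tcp://{192, 168, 217, 57}:4102,{192, 168, 217, 57},4102, "
    "alive=3547745427, securePort=-1, UDP Port=-1, id={-119 -107 23 88 119 -39 74 "
    "-49 -118 57 -61 -49 -28 -91 11 43 }, payload={}, command={}, domain={}]]")

# Constructed inventory (an assumption): replace with each cluster's real nodes.
INVENTORY = {
    "prod": {"192.168.217.11", "192.168.217.12"},
    "dev": {"192.168.217.57", "192.168.217.58"},
}

MEMBER_RE = re.compile(
    r"MemberImpl\[tcp://\{(?P<host>[\d, ]+)\}:(?P<port>\d+),.*?"
    r"alive=(?P<alive>\d+),.*?domain=\{(?P<domain>[^}]*)\}")


def signed_bytes_to_text(field):
    """Decode a field printed as signed bytes ('100 101 118 '); '' if empty."""
    return bytes(int(v) & 0xFF for v in field.split()).decode("iso-8859-1")


def parse_member(line):
    """Return host, port, uptime and domain of the member named in the line."""
    m = MEMBER_RE.search(line)
    if m is None:
        return None
    return {
        "host": ".".join(p.strip() for p in m.group("host").split(",")),
        "port": int(m.group("port")),
        # alive is taken as milliseconds the member has been up (assumption)
        "alive_days": round(int(m.group("alive")) / 86_400_000, 1),
        "domain": signed_bytes_to_text(m.group("domain")),
    }


def owning_cluster(member, inventory=INVENTORY):
    """Name the inventory group holding this address, or None if unknown."""
    return next((n for n, h in inventory.items() if member["host"] in h), None)


if __name__ == "__main__":
    member = parse_member(SAMPLE)
    print(member, "->", owning_cluster(member))
```

An empty `domain` in the parsed result means the reporting member advertised no domain value in this log line.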


RE: [External] Re: SSL Handshake Failure - Logging Level

2022-06-06 Thread Amit Pande
I mean this log is helpful troubleshooting issues in production systems. We 
can't have Tomcat log level set to DEBUG in this case.
And debugging on local/development environments. Agree, in this case, we could 
change the Tomcat logging configuration and get this log.

Thanks,
Amit

-Original Message-
From: Mark Thomas  
Sent: Saturday, June 4, 2022 6:13 AM
To: users@tomcat.apache.org
Subject: Re: [External] Re: SSL Handshake Failure - Logging Level

On 03/06/2022 21:29, Amit Pande wrote:
> Thank you, Mark.
> 
> I agree changing the log level to error could cause problems you mentioned.
> But option like logHandshakeFailuresAtError will be useful to 
> troubleshooting/debugging assuming DoS attacks are handled differently.

If the purpose of this is debugging / troubleshooting then why not just enable 
debug logging when needed?

Why does this need to be separately configurable?

Mark


> 
> Thinking if this could be a connector level attribute or attribute at SSL 
> host config level in "server.xml".
> 
> Thanks,
> Amit
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Friday, June 3, 2022 12:24 PM
> To: users@tomcat.apache.org
> Subject: [External] Re: SSL Handshake Failure - Logging Level
> 
> 
> 
> On 03/06/2022 15:33, Amit Pande wrote:
>> Hello,
>>
>> First, thank you to Mark for adding the access logs in case of SSL handshake 
>> failures 
>> (https://github.com/apache/tomcat/commit/acf6076d7118571ebc881984b96792f861b72bb2).
>>  Really useful enhancement.
>>
>> On a related note, I am trying to understand if we can log the SSL handshake 
>> failure at ERROR level instead of current DEBUG level.
>>
>> https://github.com/apache/tomcat/blob/main/java/org/apache/tomcat/util/net/Nio2Endpoint.java
>>
>> if (log.isDebugEnabled()) {
>>     log.debug(sm.getString("endpoint.err.handshake"), x);
>> }
>>
>> Are there any issues logging this at error level?
> 
> Yes. We generally don't log user triggerable exceptions above debug level as 
> that can expose the server to a potential DoS - either by filling the disk 
> with log messages or the performance impact of triggering the exceptions.
> 
> I guess we could make the log level for that message configurable.
> logHandshakeFailuresAtError or something.
> 
> Mark
> 



Re: LDAPS Configuration with Tomcat

2022-06-06 Thread Mark Thomas

On 06/06/2022 14:54, rakesh meka wrote:

Hi All,

Greetings! Hope you are doing well.

Currently we are using an internal application which is deployed on Windows
server. And we use http which means we didn't configure SSL or TLS setup
with application. The current application is using LDAP for user
authentication which checks with active directory for verification.

Can anyone let me know how we can configure LDAPS now?

Should we need to configure the application with https before we enable
LDAPS?


No. TLS configuration for clients using HTTP to communicate with Tomcat 
is independent of whether Tomcat uses TLS to communicate with the LDAP 
server.



I tried changing the port to 636 but not successful. So need help if we can
directly generate the certificate and place in somewhere in Tomcat
directory?


You should not need to generate a certificate for Tomcat (unless the 
LDAP server is using mutual TLS authentication which seems unlikely).


There are lots of things that can go wrong with TLS. It is hard to 
suggest what the problem might be without any error message. Do you have 
an error message from the logs you could share?


Thanks,

Mark




LDAPS Configuration with Tomcat

2022-06-06 Thread rakesh meka
Hi All,

Greetings! Hope you are doing well.

Currently we are using an internal application which is deployed on Windows
server. And we use http which means we didn't configure SSL or TLS setup
with application. The current application is using LDAP for user
authentication which checks with active directory for verification.

Can anyone let me know how we can configure LDAPS now?

Should we need to configure the application with https before we enable
LDAPS?

I tried changing the port to 636 but not successful. So need help if we can
directly generate the certificate and place in somewhere in Tomcat
directory?


Thanks & Best Regards,
Meka Rakesh.