Re: TOMCAT CERTIFICATE RENEWAL
Prabu, On 2/19/24 02:40, Ganesan, Prabu wrote: Thanks for your information - its jks file do we have any specific command to pass them for renew the certificate? If you aren't sure how to do this, maybe you aren't the right person to try to do this. -chris _ PrabuGanesan Consultant|MS-Nordics capgemini India Pvt. Ltd. | Bangalore Contact: +91 8526554535 Email: prabhu.c.gane...@capgemini.com www.capgemini.com People matter, results count. __ Connect with Capgemini: Please consider the environment and do not print this email unless absolutely necessary. Capgemini encourages environmental awareness. -Original Message- From: Thomas Hoffmann (Speed4Trade GmbH) Sent: Monday, February 19, 2024 12:49 PM To: Tomcat Users List Subject: AW: TOMCAT CERTIFICATE RENEWAL **This mail has been sent from an external source. Do not reply to it, or open any links/attachments unless you are sure of the sender's identity.** Hello Ganesan, Von: Ganesan, Prabu Gesendet: Montag, 19. Februar 2024 08:07 An: Tomcat Users List Betreff: TOMCAT CERTIFICATE RENEWAL Priorität: Hoch Hi Guys, How to renew the certificate in Tomcat Can anyone provide with steps as we have Our tomcat certificate is about to expire in Next week, Anybody can help with renew steps: Tomcat version : 8.5.5.0 Thanks & Regards, _ PrabuGanesan Consultant|MS-Nordics capgemini India Pvt. Ltd. | Bangalore Contact: +91 8526554535 Take a look at the server.xml and inspect the https connector. There should be a reference to the key file and certificate-file. Depending on the used format (pem, jks etc) you need to update these files. Greetings, Thomas - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSO SPNEGO GSS API CheckSum Failed Error
Please don't respond to this email. I was able to figure out the issue. The server hosting devexample.domain.com was using a canonicalized hostname. This was throwing tomcat off when reading over the token and keytab file. I only wish there was a better way for this error to pick up on that. On Fri, Feb 23, 2024 at 11:36 AM Thomas Delaney wrote: > > > Hi all, > > I have a redhat 9.2 server hosting a web application on 5 seperate > instances of Apache Tomcat. I have configured SPNEGO on instances 1,2,3 and > 4. These instances are behind an apache proxy load balancer on version > 2.4.57. Instance 1,2, and 3 are load balanced. While 4 and 5 are not. The > application is hosted on Tomcat 9.0.54. > > Domain: domain.com > Site: devexample.domain.com > > URL hit: https://devexample.domain.com/webclient_devex/exclient.jsp > > *I keep getting this when accessing the application on instance 5:* > HTTP Status 500 – Internal Server Error > Type Exception Report > > Message GSSException: Failure unspecified at GSS-API level (Mechanism > level: Checksum failed) > Description The server encountered an unexpected condition that prevented > it from fulfilling the request. > Exception > javax.servlet.ServletException: GSSException: Failure unspecified at > GSS-API level (Mechanism level: Checksum failed) > net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287) > Root Cause > GSSException: Failure unspecified at GSS-API level (Mechanism level: > Checksum failed) > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source) > sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > > net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487) > > net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327) > net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283) > Root Cause > KrbException: Checksum failed > sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown > Source) > sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown > Source) > sun.security.krb5.EncryptedData.decrypt(Unknown Source) > sun.security.krb5.KrbApReq.authenticate(Unknown Source) > sun.security.krb5.KrbApReq.(Unknown Source) > sun.security.jgss.krb5.InitSecContextToken.(Unknown Source) > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source) > sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > > net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487) > > net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327) > net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283) > Root Cause > java.security.GeneralSecurityException: Checksum failed > sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source) > sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source) > sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source) > sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown > Source) > sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown > Source) > sun.security.krb5.EncryptedData.decrypt(Unknown Source) > sun.security.krb5.KrbApReq.authenticate(Unknown Source) > sun.security.krb5.KrbApReq.(Unknown Source) > sun.security.jgss.krb5.InitSecContextToken.(Unknown Source) > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source) > sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) > > net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487) > > net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327) > net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283) > > > In the catalina logs: > Entered SpNegoContext.acceptSecContext with state=STATE_NEW > SpNegoContext.acceptSecContext: re
No classes have been predefined during the image build to load from bytecodes at runtime
By reference to the AOT support guide, https://tomcat.apache.org/tomcat-9.0-doc/graal.html, I built a spring framework 6.x based web application into a native image. I'm using GraalVM for JDK17. When finally ran the native image, it gave following error message: INFO: Initializing Spring root WebApplicationContext Feb 23, 2024 4:04:24 PM org.apache.catalina.core.StandardContext listenerStart SEVERE: Exception sending context initialized event to listener instance of class [org.springframework.web.context.ContextLoaderListener] com.oracle.svm.core.jdk.UnsupportedFeatureError: No classes have been predefined during the image build to load from bytecodes at runtime. at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:92) at org.graalvm.nativeimage.builder/com.oracle.svm.core.hub.PredefinedClassesSupport.throwNoBytecodeClasses(PredefinedClassesSupport.java:76) at org.graalvm.nativeimage.builder/com.oracle.svm.core.hub.PredefinedClassesSupport.loadClass(PredefinedClassesSupport.java:130) at java.base@17.0.10 /java.lang.ClassLoader.defineClass(ClassLoader.java:294) The web application is running well in terms of WAR on Tomcat10.x, and tomcat-stuffed-1.0.jar also running well. Could you please confirm whether a spring framework 6.x web application is also applicable to the AOT support approach? And I would appreciate your insights on above native image runtime errors. Best regards, Jun
SSO SPNEGO GSS API CheckSum Failed Error
Hi all, I have a redhat 9.2 server hosting a web application on 5 seperate instances of Apache Tomcat. I have configured SPNEGO on instances 1,2,3 and 4. These instances are behind an apache proxy load balancer on version 2.4.57. Instance 1,2, and 3 are load balanced. While 4 and 5 are not. The application is hosted on Tomcat 9.0.54. Domain: domain.com Site: devexample.domain.com URL hit: https://devexample.domain.com/webclient_devex/exclient.jsp *I keep getting this when accessing the application on instance 5:* HTTP Status 500 – Internal Server Error Type Exception Report Message GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) Description The server encountered an unexpected condition that prevented it from fulfilling the request. Exception javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287) Root Cause GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source) sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487) net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327) net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283) Root Cause KrbException: Checksum failed sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source) sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source) sun.security.krb5.EncryptedData.decrypt(Unknown Source) sun.security.krb5.KrbApReq.authenticate(Unknown Source) sun.security.krb5.KrbApReq.(Unknown Source) sun.security.jgss.krb5.InitSecContextToken.(Unknown Source) sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source) sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487) net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327) net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283) Root Cause java.security.GeneralSecurityException: Checksum failed sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source) sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source) sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source) sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source) sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source) sun.security.krb5.EncryptedData.decrypt(Unknown Source) sun.security.krb5.KrbApReq.authenticate(Unknown Source) sun.security.krb5.KrbApReq.(Unknown Source) sun.security.jgss.krb5.InitSecContextToken.(Unknown Source) sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source) sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487) net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327) net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283) In the catalina logs: Entered SpNegoContext.acceptSecContext with state=STATE_NEW SpNegoContext.acceptSecContext: receiving token = a0 82 07 f1 30 82 07 ed a0 30 30 2e 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e 06 0a 2b 06 01 04 01 82 37 02 02 0a a2 82 07 b7 04 82 07 b3 60 82 07 af 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 07 9e 30 82 07 9a a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 05 a4 61 82 05 a0 30 82 05 9c a0 03 02 01 05 a1 15 1b 13 52 45 41 4c 4c 59 47 4f 4f 44 53 54 55 46 46 2e 43 4f 4d a2 30 30 2e a0 03 02 01 02 a1 27 30 25 1b 04 48 54 54 50 1b 1d 72
A curious case of Tomcat 10.1.x NIO(1) acceptor not stopping clearly on some setups
Hi, I've encountered an issue where the acceptor doesn't stop cleanly when shutting Tomcat down on some machines. I'm using tomcat-embed-core 10.1.19, I've tested it on Ubuntu 22.04 and MacOs Sonoma 14.3.1. Here is a minimum reproducible example (also available here https://github.com/lared/tomcat-acceptor-not-stopping-cleanly): ``` import org.apache.catalina.LifecycleException; import org.apache.catalina.connector.Connector; import org.apache.catalina.startup.Tomcat; class SlowStop { public static void main(String[] args) throws LifecycleException { var connector = new Connector("org.apache.coyote.http11.Http11NioProtocol"); connector.setPort(0); Tomcat tomcat = new Tomcat(); tomcat.getService().addConnector(connector); tomcat.start(); tomcat.stop(); } } ``` Whenever I run this code on setup as listed above, shutdown of the ProtocolHandler times out when trying to stop the acceptor. Here is an excerpt from logs: ``` Feb 23, 2024 4:42:34 PM org.apache.coyote.AbstractProtocol stop INFO: Stopping ProtocolHandler ["http-nio-8080"] Feb 23, 2024 4:42:44 PM org.apache.tomcat.util.net.Acceptor stop WARNING: The acceptor thread [http-nio-8080-Acceptor] did not stop cleanly ``` This can be traced down to `NioEndpoint` stopping, particularly stopping the acceptor: https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/tomcat/util/net/NioEndpoint.java#L308 https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/tomcat/util/net/Acceptor.java#L180 This issue is not reproducible on every setup (see github actions run on the linked repo), and it only affects NIO - NIO2 works as expected. I've encountered this issue when Spring Boot got upgraded to 3.2.x line (switch from Tomcat 9 to 10.1.x). Could you please advise me where I can go from here? This is particularly annoying in our testing setup, where timely teardown of the Tomcat is very appreciated (even if disruptive). Unfortunately I'm a fair bit out of my depth here when it comes to troubleshooting this further. It is rather surprising that even though people were not able to reproduce it on some of their setups (like MacOs 13.6.4), but I actually was able to reproduce it on two machines I own, my colleagues at work have the same issue. Thanks, Michał - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org