RE: Isolating the Root Cause of "Connection Refused"

2024-06-25 Thread Eric Robinson
> What is impact on memory utilization if we increase the acceptCount value?
> There are 100 tomcat instances on the server. And would maxThreads have to
> be increased to accommodate the extra connections?

After reading more, I guess that's a dumb question.

I'm trying to prevent connections from being rejected. As I understand it, when 
the server hits the maxThreads limit, additional connections queue up until the 
acceptCount value is finally reached, and then new connections are rejected. 
Since I am seeing connection refusals, it is possible that the acceptCount limit 
is being reached. If so, then it seems there are two ways to address this. I can 
either increase acceptCount, which gives the server more time to make threads 
available, or I can increase maxThreads, in which case more requests can be 
handled concurrently and the acceptCount may not be reached. Both of these 
settings improve performance, but in different ways. maxThreads improves 
performance by allowing more requests to be processed concurrently, while 
acceptCount improves performance by preventing connections from being refused, 
which requires requests to be reissued by the client, and that is an expensive 
process.

Which of these approaches is correct? I tend to think increasing maxThreads is 
better if the server has enough memory and CPU. However, since the impact on 
memory and CPU depend on the characteristics of the app, that's not a question 
you can be expected to answer.

-Eric





Disclaimer : This email and any files transmitted with it are confidential and 
intended solely for intended recipients. If you are not the named addressee you 
should not disseminate, distribute, copy or alter this email. Any views or 
opinions presented in this email are solely those of the author and might not 
represent those of Physician Select Management. Warning: Although Physician 
Select Management has taken reasonable precautions to ensure no viruses are 
present in this email, the company cannot accept responsibility for any loss or 
damage arising from the use of this email or attachments.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Many CLOSE_WAIT connections causing the app not available

2024-06-25 Thread Stephen Stevie
We are using Apache Tomcat 8.5.49 and, sometimes during the day, we see the
application going unresponsive even though the service is up and running, and
it gives a 503 (Service Unavailable) error. When netstat is run for the port,
we see many CLOSE_WAIT connections. Once we restart the service, the
application comes back, and sometimes it comes back on its own.

We have not made any changes to Tomcat recently, and it was working fine until
the start of this year. After that it happened once a month, and now we are
seeing it every other day. We're using web servers with 16GB RAM (2 servers)
and can see 1k-1.5k users connected to the application in a day.

Requesting your support here.



-- 
Stephen


RE: Isolating the Root Cause of "Connection Refused"

2024-06-25 Thread Eric Robinson
>
> No - Tomcat passes the acceptCount value to the TCP/IP stack of the OS as
> part of listener socket initialization.

I thought of that after I sent my previous message.

> the OS won't log this, since it's considered to be an application error.

Assuming the problem is the acceptCount value, then it's technically the app's 
fault for improperly initializing the socket listener. Nevertheless, it would 
make sense for the OS to log a neighborly message (perhaps optionally) along 
the lines of, "I rejected a connection attempt because of the acceptCount 
setting you told me to use." It would sure help with troubleshooting. As you 
pointed out, the app can't log errors it does not know about, so nothing is 
logged anywhere.

What is impact on memory utilization if we increase the acceptCount value? 
There are 100 tomcat instances on the server. And would maxThreads have to be 
increased to accommodate the extra connections?

-Eric








Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread Mark Thomas

On 25/06/2024 14:27, Gavioto 🕵 wrote:

> - how are you starting Tomcat?
>   Tomcat is starting as a service with "Domain\account1$" (Managed Service 
>   Account)
>
> - is Tomcat installed as a Windows service?
>   Yes
>
> - which account is Tomcat running under?
>   "Domain\account1$" (Managed Service Account)

OK. That clarifies things. Thanks.




> My actual configuration
>
> Server version name:   Apache Tomcat/9.0.65
> Server version number: 9.0.65.0
> Server built:          Jul 14 2022 12:28:53 UTC


Getting on for two years old. There are known security vulnerabilities 
in that version. You definitely want to make sure they don't impact your 
environment and you may want to think about upgrading.






Attribute names are case-sensitive. You have several starting with an 
upper case 'K' when they should all be lower case.


I'd expect you to see some warnings in the logs on startup about 
unrecognised attributes.


Mark
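
Mark's case-sensitivity point, together with the Connector attributes shown in 
the original post (KeystoreType, KeystoreFile, KeyAlias), is easy to check 
mechanically before restarting anything. The script below is an added example, 
not code from the thread or from Tomcat: it parses server.xml with the Python 
standard library and reports Connector attributes that match a documented name 
only when case is ignored, so they are silently ignored by Tomcat. The list of 
known attribute names is a subset assumed for illustration, and the embedded 
server.xml is constructed from the attributes visible in the thread, with port, 
protocol and SSLEnabled filled in as assumptions.

```python
"""Case check for Connector attributes in a Tomcat server.xml.

Added example, not code from the thread or from Tomcat. Tomcat matches
attribute names case-sensitively: KeystoreType is an unknown attribute
that gets a startup warning and no effect, keystoreType is the real one.
The known-name list is a subset assumed for illustration; the sample
server.xml is constructed from the attributes shown in the thread, with
port, protocol and SSLEnabled filled in as assumptions.
"""
import xml.etree.ElementTree as ET

# Subset of documented HTTP Connector attributes (Tomcat 9), assumed here.
KNOWN_CONNECTOR_ATTRS = {
    "port", "protocol", "SSLEnabled", "scheme", "secure", "server",
    "maxThreads", "acceptCount", "connectionTimeout", "enableLookups",
    "redirectPort", "clientAuth", "sslProtocol",
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias",
    "truststoreFile", "truststorePass", "truststoreType",
}
_BY_LOWER = {name.lower(): name for name in KNOWN_CONNECTOR_ATTRS}


def check_connector_attributes(server_xml: str) -> dict:
    """Return {"miscased": [(where, given, correct)], "unknown": [(where, given)]}.

    A name is "miscased" when it matches a known attribute only after
    lower-casing, and "unknown" when it matches nothing at all."""
    root = ET.fromstring(server_xml)
    result = {"miscased": [], "unknown": []}
    for conn in root.iter("Connector"):
        where = f"Connector port={conn.get('port', '?')}"
        for name in conn.attrib:
            if name in KNOWN_CONNECTOR_ATTRS:
                continue
            correct = _BY_LOWER.get(name.lower())
            if correct is not None:
                result["miscased"].append((where, name, correct))
            else:
                result["unknown"].append((where, name))
    return result


def fix_attribute_case(server_xml: str) -> str:
    """Rewrite miscased names to their documented spelling; unknown names
    are left alone so nothing the script does not understand is touched."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        for name in list(conn.attrib):
            correct = _BY_LOWER.get(name.lower())
            if correct is not None and correct != name:
                conn.set(correct, conn.attrib.pop(name))
    return ET.tostring(root, encoding="unicode")


# Constructed from the attributes visible in the thread; port, protocol and
# SSLEnabled are assumptions (they were not shown).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" server="Unknown" maxThreads="150"
               scheme="https" secure="true" enableLookups="true"
               KeystoreType="Windows-MY-LOCALMACHINE" clientAuth="false"
               sslProtocol="TLS" KeystoreFile="" KeyAlias="tomcat"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    report = check_connector_attributes(SAMPLE_SERVER_XML)
    for where, given, correct in report["miscased"]:
        print(f"{where}: '{given}' is ignored by Tomcat; use '{correct}'")
    for where, given in report["unknown"]:
        print(f"{where}: '{given}' is not a known attribute")
```

On a real install, point ET.fromstring at the contents of conf/server.xml and 
cross-check with the startup log: the warning Tomcat emits for an attribute it 
cannot match reads along the lines of "did not find a matching property", so 
grepping catalina.*.log for that phrase finds the same three names. Note that on 
Tomcat 9 the keystore settings can also live on a Certificate element inside 
SSLHostConfig (certificateKeystoreType, certificateKeystoreFile, 
certificateKeyAlias); the script above only looks at Connector attributes.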




Re: Isolating the Root Cause of "Connection Refused"

2024-06-25 Thread Chuck Caldarale

> On Jun 25, 2024, at 13:12, Eric Robinson  wrote:
> 
> I'm obviously not getting something. If I understand correctly, the purpose 
> of the acceptCount param is to allow tomcat to reject connections even after 
> the TCP stack has passed them to the java process. At that point, the request 
> has made it through the OS all the way to tomcat, so if tomcat rejects it, 
> then it should log a message... no?


No - Tomcat passes the acceptCount value to the TCP/IP stack of the OS as part 
of listener socket initialization. The accept queue is maintained entirely by 
the OS; Tomcat is not involved in the management thereof, other than taking 
requests off the accept queue with the listener thread for the . If 
connection requests arrive at the NIC fast enough to fill up the accept queue, 
excess ones are simply rejected by the OS.

  - Chuck
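
Chuck's explanation above, and Eric's reasoning earlier in the thread about 
trading acceptCount against maxThreads, are worth pinning down with a check 
that can actually be run. The script below is an added example, not code from 
the thread or from Tomcat, and assumes a Linux host. There, Tomcat hands 
acceptCount to listen(2) as the backlog; the kernel silently caps it at 
net.core.somaxconn, owns the queue, and logs nothing on overflow, but it does 
count overflows in /proc/net/netstat (TcpExt ListenOverflows and ListenDrops), 
and `ss -ltn` shows each listener's current queue depth (Recv-Q) next to its 
backlog (Send-Q). One caveat on the symptom itself: with default Linux settings 
a full accept queue drops the handshake packets, so the client sees a stall or 
timeout and retries; it gets an immediate "connection refused" (RST) only when 
net.ipv4.tcp_abort_on_overflow is 1, or when nothing is listening on that port 
at all. The counters below are host-wide, so with 100 Tomcats on one box they 
say that some listener overflowed, not which one. The embedded sample input is 
constructed.

```python
"""Accept-queue diagnostics for a Tomcat connector on Linux.

Added example, not code from the thread or from Tomcat. Tomcat passes
acceptCount to listen(2); the kernel owns the queue, clamps the backlog to
net.core.somaxconn, and logs nothing on overflow, but it keeps counters in
/proc/net/netstat. Sample input below is constructed.
"""


def effective_backlog(accept_count: int, somaxconn: int) -> int:
    """listen(2) silently clamps the requested backlog to somaxconn, so an
    acceptCount above it buys nothing until somaxconn is raised as well."""
    return min(accept_count, somaxconn)


def parse_proc_netstat(text: str) -> dict:
    """Parse /proc/net/netstat, which alternates a header line of counter
    names with a line of values, both prefixed by the protocol name."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    counters = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        proto_v, nums = values.split(":", 1)
        if proto != proto_v:
            raise ValueError(f"header {proto!r} does not match values {proto_v!r}")
        counters[proto] = dict(zip(names.split(), (int(n) for n in nums.split())))
    return counters


LISTEN_COUNTERS = ("ListenOverflows", "ListenDrops")


def listen_queue_counters(text: str) -> dict:
    """The two TcpExt counters that record a full accept queue. They are
    host-wide: they say that a listener overflowed, not which one; use
    `ss -ltn` Recv-Q per port to attribute it to a connector."""
    tcp_ext = parse_proc_netstat(text).get("TcpExt", {})
    return {name: tcp_ext.get(name, 0) for name in LISTEN_COUNTERS}


def overflows_between(before: str, after: str) -> dict:
    """Delta of the listen counters between two snapshots, e.g. one taken
    before and one after the window in which clients saw refusals."""
    b, a = listen_queue_counters(before), listen_queue_counters(after)
    return {name: a[name] - b[name] for name in LISTEN_COUNTERS}


def read_file(path: str) -> str:
    with open(path, encoding="ascii") as f:
        return f.read()


# Constructed sample: the real file carries many more counters per line.
SAMPLE_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops TCPTimeouts
TcpExt: 0 0 37 37 12
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("0 0 37 37 12", "0 0 52 55 14")

if __name__ == "__main__":
    # Live use: read_file("/proc/net/netstat") for the counters and
    # int(read_file("/proc/sys/net/core/somaxconn")) for the cap.
    print("backlog actually granted for acceptCount=100, somaxconn=128:",
          effective_backlog(100, 128))
    print("overflows during the window:",
          overflows_between(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run it once before and once after a window in which clients report refusals 
and compare the deltas: if ListenOverflows does not move, raising acceptCount 
will not help and the refusals have another cause (no listener on the port, a 
firewall reject, or a process that has hit its file-descriptor limit and is 
failing accept()).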



RE: Isolating the Root Cause of "Connection Refused"

2024-06-25 Thread Eric Robinson
> -Original Message-
> From: Chuck Caldarale 
> Sent: Tuesday, June 25, 2024 11:01 AM
> To: Tomcat Users List 
> Subject: Re: Isolating the Root Cause of "Connection Refused"
>
>
> > On Jun 25, 2024, at 12:55, Eric Robinson 
> wrote:
> >
> >> You might still be running into the acceptCount limit on the
> >> . The default value is 100, so if more connection requests
> >> arrive in between the TCP/IP stack passing them on to the listening
> >> process, some could still be getting rejected.
> >
> > Presumably tomcat would log an error if it rejects a request due to the
> acceptCount limitation?
>
>
> Nope - again, this happens entirely in the TCP/IP stack of the OS, so Tomcat
> is never informed that the acceptCount limit has been reached.
>

I'm obviously not getting something. If I understand correctly, the purpose of 
the acceptCount param is to allow tomcat to reject connections even after the 
TCP stack has passed them to the java process. At that point, the request has 
made it through the OS all the way to tomcat, so if tomcat rejects it, then it 
should log a message... no?

>   - Chuck




Re: Isolating the Root Cause of "Connection Refused"

2024-06-25 Thread Chuck Caldarale

> On Jun 25, 2024, at 12:55, Eric Robinson  wrote:
> 
>> You might still be running into the acceptCount limit on the . The
>> default value is 100, so if more connection requests arrive in between the
>> TCP/IP stack passing them on to the listening process, some could still be
>> getting rejected.
> 
> Presumably tomcat would log an error if it rejects a request due to the 
> acceptCount limitation?


Nope - again, this happens entirely in the TCP/IP stack of the OS, so Tomcat is 
never informed that the acceptCount limit has been reached.

  - Chuck



RE: Isolating the Root Cause of "Connection Refused"

2024-06-25 Thread Eric Robinson


> -Original Message-
> From: Chuck Caldarale 
> Sent: Monday, June 24, 2024 2:51 PM
> To: Tomcat Users List 
> Subject: Re: Isolating the Root Cause of "Connection Refused"
>
>
> > On Jun 24, 2024, at 16:40, Eric Robinson 
> wrote:
> >
> > I wrote a script that checks the FD counts for every java pid on the server.
> Just looking at these results, I don't think we're hitting an FD limit at the
> moment, but I'll try it again tomorrow while the problem is presenting.
>
>
> Quite a wide variation in the numbers of used FDs.
>

Each tomcat is for a separate customer. Some customers have more users than 
others. The range could be between 15 and 800.

> You might still be running into the acceptCount limit on the . The
> default value is 100, so if more connection requests arrive in between the
> TCP/IP stack passing them on to the listening process, some could still be
> getting rejected.
>

Presumably tomcat would log an error if it rejects a request due to the 
acceptCount limitation?

>   - Chuck



RE: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread Gavioto 🕵
Finally I got Tomcat working with the Machine Certificate Store.

I got a configuration that works with the Certificate Store. It is very 
specific, and I couldn't find any other to date.
It works, but in our environment there is still a required manual step. I think 
it should be configured in Windows and is common for all programs requesting the 
private key, not specific to Tomcat.
A Windows Security dialog is shown asking to allow access, similar to UAC but 
for certificates.
The server.xml configuration used is








I continue my research trying to use different ciphers and properties, because 
I won't be able to use the standard without the . It is clear to me that 
different internal libraries are used in Tomcat, so when I use only the it 
doesn't work and it won't find the key in the store.
For the purpose of the initial question, I consider this solution valid, as 
Tomcat is able to work with the Windows Local Machine Certificate Store.
Solution versions:

  *   JDK 11.0.20+ or JDK version with fixed bug 
https://bugs.openjdk.org/browse/JDK-8286790
  *   Tested with Tomcat 9.0.63
  *   Tested in Windows 2019

Thank you for your support. I hope this information is useful to create a use 
case in the wiki.

Some doubts are in the air yet, but it is essentially possible for Tomcat to 
work with this.

Two questions that remain for the future:

  *   How to disable or bypass the Windows Security dialog? Is it possible to 
      disable it for specific users/services?
  *   Why, if I use keyStoreType="windows-my-localmachine" directly in  it 
      doesn't find the certificate?



Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread Bill Stewart
On Tue, Jun 25, 2024 at 9:14 AM david w wrote:

> I've had the same experience, but with a regular AD service account, not an
> MSA.
> The account needs to have local administrator rights for the certificate
> to be found and used; setting ACL on the keystores is not enough.
>

1) The standard on this mailing list is not to top-post.

2)  Local administrator rights for the Tomcat service account is an
unacceptable security risk IMO. Tomcat should not run with a privileged
account on any OS. I would definitely recommend an alternative approach.

Bill


Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread david w
I've had the same experience, but with a regular AD service account, not an MSA.
The account needs to have local administrator rights for the certificate to be 
found and used; setting ACL on the keystores is not enough.


David


Re: PKCS#8 encryption algorithm unrecognized

2024-06-25 Thread Timothy Resh
In the
 SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"

we defined a Class to convert the Encrypted password  and set the following
properties:
public class MyPropertySource implements
        org.apache.tomcat.util.IntrospectionUtils.PropertySource {
    ...
    public String getProperty(String arg0) {
        if (arg0.contains("KSENC(")) {
            System.setProperty("javax.net.ssl.keyStore", keyStorePath);
            System.setProperty("javax.net.ssl.keyStorePassword", clearText);
            System.setProperty("javax.net.ssl.trustStore", trustStorePath);
            System.setProperty("javax.net.ssl.trustStorePassword", clearText);
        }
        ...
    }
}
This class will set the following properties at the beginning of Tomcat init

In my debugging I found that it could not determine the store properly.
So, I tried putting in keystoreType="PKCS12" and now it works.

I hope this helps.  I'm still set up for debugging if you need something
looked at.

Thanks


On Tue, Jun 11, 2024 at 2:14 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mark,
>
> On 6/10/24 14:56, Timothy Resh wrote:
> > After much debugging, I have found the issue in my situation. In the
> > server.xml file, you must put keystoreType="PKCS12" for it to recognize
> the
> > keystore properly.
>
> That doesn't make any sense to me. Not a single one of your previous
> posts has been using a keystore file at all for Tomcat. You did show how
> you assembled a (rather complicated) PKCS12 keystore file using a
> combination of openssl and keytool in your message from 25 March but
> this is the only place in your configuration file I see that file:
>
>  SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
>
> I have *no idea* what you are doing in there, but I assumed that
> keystore contained some kind of password and not a certificate or RSA key.
>
> -chris
>
> > On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
> > roberto.benede...@dedalus.eu> wrote:
> >
> >>> I got the Object ID and version straight out of the Certificate using
> >>> Keystore Explorer.  I'm not sure why there is a difference.
> >>
> >> Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
> >> provider for JCE.
> >>
> >> If your JRE/JDK does not provide some algorithm you could use Bouncy
> >> Castle as well.
> >>
> >> Regards,
> >> Roberto


RE: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread Gavioto 🕵
- how are you starting Tomcat?
  Tomcat is starting as a service with "Domain\account1$" (Managed Service 
Account)

- is Tomcat installed as a Windows service?
  Yes

- which account is Tomcat running under?
  "Domain\account1$" (Managed Service Account). It is not a normal domain 
account used for the service (see "Secure group managed service accounts - 
Microsoft Entra | Microsoft Learn").

Regarding the meaning of "user", I'm referring to the user who is running the 
Tomcat service. In this case, the Managed Service Account.



Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread Mark Thomas

A few questions:

- how are you starting Tomcat?

- is Tomcat installed as a Windows service?

- which account is Tomcat running under?

There are a few references to "user" in your question. It is not clear 
if this is:

- the user administering a Tomcat service
- a user that is starting Tomcat from the command line
- the user that the Tomcat service is running as
- something else

Mark


On 25/06/2024 11:30, Alberto Corral wrote:

Hello!

After some research, docs, and tests, I didn't find an answer to my issue.

I'm writing to the list because I have to configure a probably not very common 
Tomcat configuration and didn't find the correct configuration, or whether it is 
possible to do it at all.
Also I didn't find previous information or examples on the internet or in the wiki.

There is a similar question on Server Fault 
https://serverfault.com/questions/1161457/can-i-use-certificates-in-the-local-machine-from-a-managed-service-account,
 but it is not solved yet.

The configuration has also been affected by a recent JDK bug fix (for a 10 
year old bug), but this part is fixed using the latest available JDK versions.
So I think it would be valuable to document a use case based on real 
experience that can be both tested in future versions and useful for future 
users, available in the wiki or official docs :-)

Maybe what I'm trying to do is not really possible, but I need to know whether 
this is a Tomcat limitation or a Windows one.

My actual configuration

Server version name:   Apache Tomcat/9.0.65
Server version number: 9.0.65.0
Server built:          Jul 14 2022 12:28:53 UTC
Architecture:          amd64
OS Version:            10.0
OS Name:               Windows Server 2019
JVM Vendor:            Eclipse Adoptium
JVM Version:           11.0.23+9
Java Home:             C:\OpenJDK11U-jdk_x64_windows_hotspot_11.0.23_9\jdk-11.0.23+9

Actual secure configuration used:

    server="Unknown"
    maxThreads="150" scheme="https" secure="true"
    enableLookups="true"
    KeystoreType="Windows-MY-LOCALMACHINE"
    clientAuth="false" sslProtocol="TLS"
    KeystoreFile=""
    KeyAlias="tomcat" />

Configuration:
- The certificate is in the LOCALMACHINE Windows store and allows read access to 
  the user "account1$", which is an AD Managed Service Account.

Facts:
- If the user has read access but not local admin, then the previous stack 
  trace is generated.
- If I give local Admin rights to the service account, it seems it can access 
  the Certificate Store; otherwise, the previous stack trace is generated.
- Unless I give local Admin rights, Apache opens port 8443 but doesn't respond 
  to requests on 8443 when testing, and no error appears in the logs.

What is the question is "How to configure Tomcat with a Managed Service Account when 
using LocalMachine certificates for TLS"

Notes:
- JDK 11.0.20+ is required due a well known bug that has been backported from JDK 21  
[JDK-6782021] It is not possible to read local computer certificates with the SunMSCAPI 
provider - Java Bug System (openjdk.org) 
(https://bugs.openjdk.org/browse/JDK-6782021) and [JDK-8303520] It is not possible to read 
local computer certificates with the SunMSCAPI provider - Java Bug System 
(openjdk.org) (https://bugs.openjdk.org/browse/JDK-8303520)

Next program can help to check different configurations, and it works when the 
certificate has read permission for the user who is running it.

// JDK8313367test.java - Simple test case to demonstrate OpenJDK defect 
JDK-8313367
// References:
// * https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8313367
// * 
https://stackoverflow.com/questions/75255985/java-keystore-type-windows-my-root-localmachine-requires-administrator-permissio

/*
Here is the command line to run the test using JDK 11.0.20+,  17.0.20+ or 
20.0.2+
java --add-modules=jdk.crypto.mscapi 
--add-exports=jdk.crypto.mscapi/sun.security.mscapi=ALL-UNNAMED 
JDK8313367test.java
*/

import java.io.*;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;
import sun.security.mscapi.SunMSCAPI;

public class JDK8313367test {
 public static void main(String[] args) {
 try {
 Security.addProvider(new SunMSCAPI());
 KeyStore keyStore = 
KeyStore.getInstance("Windows-My-LOCALMACHINE");
 // When running as non-elevated, the SunMSCAPI provider, enhanced 
with JDK-6782021, incorrectly
   // triggers system error 5 "Access is denied" when 
attempting to load the keystore when invoking the following method:
   keyStore.load(null, null);
 Enumeration aliases = keyStore.aliases();
   // Print Friendly Names, a.k.a. aliases, of each certificate 
in the keystore
 for (int i = 0 ; aliases.hasMoreElements() ; i++) {
 System.out.println( aliases.nextElement() );
 }
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
 }
}

Pending tests:
- What I haven't tested, but it is an idea to test, is to launch this code from 
Tomcat and validate if it works (It isn't possible to run a CLI program using a 
Managed Service Acc

How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread Alberto Corral
Hello!

After some research, docs, and tests, I didn't find an answer to my issue.

I'm writing to the list because I have to configure a probably not very common 
Tomcat configuration, and I didn't find the correct configuration, or whether it is 
possible to do it at all.
Also, I didn't find previous information or examples on the internet or in the wiki.

There is a similar question on Server Fault 
(https://serverfault.com/questions/1161457/can-i-use-certificates-in-the-local-machine-from-a-managed-service-account), 
but it is not solved yet.

The configuration has also been affected by a recent JDK bug fix (for a 10-year-old 
bug), but this part is fixed using the latest available JDK versions.
So I think it would be valuable to document a use case based on real 
experience that can both be tested in future versions and be useful for 
future users, available in the wiki or the official docs :-)

Maybe what I'm trying to do is not really possible, but I need to know whether this 
is a Tomcat limitation or a Windows one.

My current configuration:

Server version name:   Apache Tomcat/9.0.65
Server version number: 9.0.65.0
Server built:          Jul 14 2022 12:28:53 UTC
Architecture:          amd64
OS Version:            10.0
OS Name:               Windows Server 2019
JVM Vendor:            Eclipse Adoptium
JVM Version:           11.0.23+9
Java Home:             C:\OpenJDK11U-jdk_x64_windows_hotspot_11.0.23_9\jdk-11.0.23+9

Current secure (TLS) configuration used:




Configuration:
- The certificate is in the LOCALMACHINE Windows certificate store and allows read 
access to the user "account1$", which is an AD Managed Service Account.
-

Facts:
- If the user has read access but is not a local admin, then the previous stack 
trace is generated.
- If I give local Admin rights to the service account, it seems it can access 
the certificate store; otherwise, the previous stack trace is generated.
- Unless I give local Admin rights, Apache Tomcat opens port 8443 but doesn't respond 
to requests on 8443 when testing, and no error appears in the logs.

So the question is: "How to configure Tomcat with a Managed Service Account 
when using LocalMachine certificates for TLS?"

Notes:
- JDK 11.0.20+ is required due to a well-known bug whose fix has been backported from 
JDK 21: [JDK-6782021] It is not possible to read local computer certificates 
with the SunMSCAPI provider - Java Bug System (openjdk.org) 
(https://bugs.openjdk.org/browse/JDK-6782021) and [JDK-8303520] It is not 
possible to read local computer certificates with the SunMSCAPI provider - Java 
Bug System (openjdk.org) 
(https://bugs.openjdk.org/browse/JDK-8303520)

The following program can help to check different configurations, and it works when the 
certificate has read permission for the user who is running it.

// JDK8313367test.java - Simple test case to demonstrate OpenJDK defect JDK-8313367
// References:
// * https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8313367
// * https://stackoverflow.com/questions/75255985/java-keystore-type-windows-my-root-localmachine-requires-administrator-permissio

/*
Here is the command line to run the test using JDK 11.0.20+, 17.0.20+ or 20.0.2+:
java --add-modules=jdk.crypto.mscapi --add-exports=jdk.crypto.mscapi/sun.security.mscapi=ALL-UNNAMED JDK8313367test.java
*/

import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;
import sun.security.mscapi.SunMSCAPI;

public class JDK8313367test {
    public static void main(String[] args) {
        try {
            // Register the provider explicitly (it is normally already installed on
            // Windows JDKs); referencing the class is why --add-exports is needed.
            Security.addProvider(new SunMSCAPI());
            KeyStore keyStore = KeyStore.getInstance("Windows-My-LOCALMACHINE");
            // When running as non-elevated, the SunMSCAPI provider, enhanced with
            // JDK-6782021, incorrectly triggers system error 5 "Access is denied"
            // when attempting to load the keystore in the following call:
            keyStore.load(null, null);
            // Print the Friendly Names, a.k.a. aliases, of each certificate in the keystore
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                System.out.println(aliases.nextElement());
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}

Pending tests:
- What I haven't tested, but it is an idea to test, is to launch this code from 
Tomcat and validate whether it works (it isn't possible to run a CLI program using a 
Managed Service Account, as far as I know). If this test succeeds, it 
would mean the program flow on the Tomcat side is doing something different with 
ACLs or something.

Thank you in advance for your support.
Please send me back any question or clarification about the use case I may have 
missed.
/Gavioto
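The test program in the post above only enumerates aliases, which exercises the certificate store but not the private key. A TLS handshake additionally has to use the private key, and Windows keeps a separate ACL on the key file. The program below is an added diagnostic written for this thread; it is not part of Alberto's post and not Tomcat code. It goes through the public KeyStore API only (no --add-exports needed), lists the LOCALMACHINE "MY" store, and for every alias that has a private key performs a test signature, so it separates "can read the certificate" from "can use the key". The store name, the optional alias filter and the choice of SHA256withRSA / SHA256withECDSA are assumptions; the check is only meaningful when run under the same account Tomcat runs as.

```java
// MscapiKeyCheck.java - added diagnostic (not from the original post).
// Run with:  java MscapiKeyCheck.java [alias]
// Lists the LocalMachine "MY" certificate store and tries to sign with each
// private key, which is the operation a TLS handshake performs.
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class MscapiKeyCheck {

    public static void main(String[] args) throws Exception {
        String onlyAlias = args.length > 0 ? args[0] : null; // optional filter (assumption)

        // SunMSCAPI is registered by default on Windows JDKs, so the store can be
        // opened through the standard API without touching sun.security.mscapi.
        KeyStore ks = KeyStore.getInstance("Windows-MY-LOCALMACHINE");
        // On affected JDK builds this is the call that fails with "Access is denied"
        // when the process is not elevated (see JDK-8313367 in the post above).
        ks.load(null, null);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (onlyAlias != null && !onlyAlias.equals(alias)) {
                continue;
            }
            System.out.println(alias + " (" + subjectOf(ks.getCertificate(alias)) + "): "
                    + describe(ks, alias));
        }
    }

    // Returns a one-line verdict for the alias: no key, key usable, or key not usable.
    static String describe(KeyStore ks, String alias) {
        try {
            if (!ks.isKeyEntry(alias)) {
                return "certificate only, no private key in this store";
            }
            // MSCAPI keys are not exportable; the object is a handle to the CNG/CAPI key.
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            // Signing forces Windows to open the private key, which is where the
            // key-file ACL is enforced; enumerating the store does not do this.
            Signature sig = Signature.getInstance(signatureAlgorithmFor(key));
            sig.initSign(key);
            sig.update("mscapi-key-check".getBytes(StandardCharsets.UTF_8));
            byte[] signature = sig.sign();
            return "private key usable (" + key.getAlgorithm() + ", signature "
                    + signature.length + " bytes)";
        } catch (Exception e) {
            // Typical failure when the account lacks key-file permission:
            // "Access is denied" or a KeyStoreException wrapping it.
            return "private key NOT usable: " + e;
        }
    }

    // Assumption: RSA and EC keys only, hashed with SHA-256.
    static String signatureAlgorithmFor(PrivateKey key) {
        return "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
    }

    static String subjectOf(Certificate cert) {
        return cert instanceof X509Certificate
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : "non-X.509 certificate";
    }
}
```

If the aliases print but the entry used by the Tomcat connector reports "private key NOT usable" under the service account, the problem is on the private-key ACL side rather than the certificate store, and granting the account Read on that key (for example through the certificate MMC's "Manage Private Keys") is the thing to verify; if the same entry signs fine under that account, the difference has to be looked for in how Tomcat itself opens the store.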