encrypt the database password

2012-05-23 Thread Bill Wang
Hi All,

There is a tomcat server with some database setup.

cd apache-tomcat-6.0.29/conf
cat server.xml

  <Resource auth="Container"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            factory="oracle.jdbc.pool.OracleDataSourceFactory"
            maxActive="20"
            maxIdle="10" maxWait="-1" name="jdbc/abc" password="abcADMIN"
            type="oracle.jdbc.pool.OracleDataSource"
            url="jdbc:oracle:thin:@localhost:1521:mydb" user="abc" />


So with the plain password, an end user may get the password directly.


How can I create an encrypted password within server.xml?


Re: Tomcat user roles

2011-12-08 Thread Bill Wang
Thanks to all for the explanation.

I have a new question regarding the admin role.

With the default setup, if I log in as admin, I can start, stop, undeploy and
deploy the application. Now, the admin password has been shared by the
team, and I can't not share it with the team.

So I plan to disable the undeploy and deploy functions from the web admin URL
for the admin account. If anyone needs to deploy a new version, they have to
log in to the Unix box to do it manually. With that I can trace and have
records easily.

So I edited the file webapps/manager/WEB-INF/web.xml, and removed all the XML
sections for remove, install, undeploy, deploy and save. But after I
restarted the tomcat server, *I still can deploy and undeploy*.

Something I missed?

part of tomcat-users.xml

  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <role rolename="admin"/>
  <role rolename="role1"/>
  <role rolename="monitoring"/>
  <user username="admin" password="XXX" roles="admin,manager"/>
  <user username="monitoring" password="XXX" roles="monitoring"/>

Below are the lines I removed from the web.xml file.

  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
    <url-pattern>/install</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
    <url-pattern>/remove</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
    <url-pattern>/deploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
    <url-pattern>/undeploy</url-pattern>
  </servlet-mapping>

  <url-pattern>/remove</url-pattern>
  <url-pattern>/deploy</url-pattern>
  <url-pattern>/undeploy</url-pattern>
  <url-pattern>/reload</url-pattern>

I don't find the admin part in web.xml.

Regards,
Bill

On Wed, Nov 30, 2011 at 5:25 AM, Mark Thomas ma...@apache.org wrote:

 On 29/11/2011 17:05, Christopher Schultz wrote:
  Mark,
 
  On 11/29/11 11:15 AM, ma...@apache.org wrote:
  Christopher Schultz ch...@christopherschultz.net wrote:
 
  Bill,
 
  On 11/28/11 7:08 PM, Bill Wang wrote:
  Here I have the last question, what's the reload option, is
  it same as stop/start?
 
  According to markt (who is known to be occasionally
  trustworthy):
 
  reload = stop + start
 
  I'm pretty sure I didn't say that.
 
  Sorry, you said:
 
  On 11/25/11 12:47 PM, Mark Thomas wrote:
  There is no such command as restart. You'll need:
  <url-pattern>/html/stop</url-pattern>
  <url-pattern>/html/start</url-pattern>
 
  I drew my own (perhaps incorrect) conclusion from that.

 In short:
 reload != restart

 Fuller explanation below. There is a subtle but important difference.

 Mark

  Reload keeps the same Context object (and doesn't reread the
  Context config) but does re-read web.xml and allows Jars to be
  updated.
 
  Stop/start creates a new Context object (as well as re-reading
  web.xml) and is therefore a full restart of the context.
  Reload is sort of half a restart. There is no single command
  equivalent to stop/start.
 
  Gotcha.
 
  -chris
 
  -
 
 
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
  For additional commands, e-mail: users-h...@tomcat.apache.org
 






Re: Tomcat user roles

2011-11-28 Thread Bill Wang
Thanks to everyone who replied to me. I successfully did it.

Now the on-call team can stop/start the tomcat instances by themselves, but
with other actions, such as deploy, undeploy, check server status, they will
get access denied.

That's perfect.

Here I have the last question: what's the reload option, is it the same as
stop/start?

If it is, maybe I just need to assign /html/reload to the on-call team.

Regards,
Bill

On Sat, Nov 26, 2011 at 5:53 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 Mark,

 On 11/25/11 12:47 PM, Mark Thomas wrote:
  There is no such command as restart. You'll need:
  <url-pattern>/html/stop</url-pattern>
  <url-pattern>/html/start</url-pattern>

 Whoops. Thanks for catching that.

  You'll probably want: <url-pattern>/html/list</url-pattern> as
  well.

 +1

 -chris




Re: Tomcat user roles

2011-11-24 Thread Bill Wang
Hi Mark,

Thanks. With your help, I found this link:
http://onjava.com/onjava/2001/07/24/tomcat.html. It seems you need me to set up
a MemoryRealm, then set up a security constraint
in webapps/manager/WEB-INF/web.xml.

There is an existing role, manager. I tried to understand it and add a new
role, restart, in this web.xml, but I always get permission denied.

So could you please give some instructions on how to set up the URLs below for
that restart role only?

http://hostname:8181/manager/html/stop?path=/APPNAME
http://hostname:8181/manager/html/start?path=/APPNAME

Regards,
Bill
On Thu, Nov 24, 2011 at 7:06 PM, ma...@apache.org wrote:

 Bill Wang bw57...@gmail.com wrote:

 Hi Tomcat guru,
 
 I have questions for the tomcat user roles setup.
 
 The on-call team (24*7 support) needs permission to restart one tomcat
 service if they get a call. I think it may be possible to let them
 restart tomcat through the Tomcat Web Application Manager (the admin URL
 http://server:port/manager).
 
 My request is: I can't give the admin username and password directly to
 the on-call team. The admin account can not only restart the application,
 it can also deploy and undeploy applications; that's too dangerous.
 
 So how can I set up tomcat-users.xml or another config file to let the
 on-call team have permission only to restart that particular application,
 and nothing else?
 
 Regards,
 Bill

 You can create a new role in web.xml called restart and limit it to the
 list, start and stop commands since each command is part of the URL. Then
 you assign that role to a new user in your Realm.

 I'm on my phone so can't give an exact example. If that isn't enough info,
 I'm sure someone else can fill in the gaps for you.

 Mark







Tomcat user roles

2011-11-23 Thread Bill Wang
Hi Tomcat guru,

I have questions for the tomcat user roles setup.

The on-call team (24*7 support) needs permission to restart one tomcat
service if they get a call. I think it may be possible to let them
restart tomcat through the Tomcat Web Application Manager (the admin URL
http://server:port/manager).

My request is: I can't give the admin username and password directly to
the on-call team. The admin account can not only restart the application, it
can also deploy and undeploy applications; that's too dangerous.

So how can I set up tomcat-users.xml or another config file to let the on-call
team have permission only to restart that particular application, and nothing
else?

Regards,
Bill
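
One way to write the constraint Mark describes in this thread (a restart role limited to the list, start and stop URLs), with a check that it grants nothing else. This is an added example, not code from the thread or from Tomcat. The web.xml fragment, the COMMANDS list and the helper names are constructed, and the matcher models only exact and path-prefix url-patterns (no http-method or extension rules).

```python
import xml.etree.ElementTree as ET

# Constructed fragment for webapps/manager/WEB-INF/web.xml (Tomcat 6 style,
# single "manager" role). The "restart" role name is the one from the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>On-call restart</web-resource-name>
      <url-pattern>/html/list</url-pattern>
      <url-pattern>/html/start</url-pattern>
      <url-pattern>/html/stop</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restart</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>restart</role-name></security-role>
</web-app>"""

# Manager paths to audit (HTML and text commands named in the thread).
COMMANDS = ["/html/list", "/html/start", "/html/stop", "/html/reload",
            "/html/deploy", "/html/undeploy", "/deploy", "/undeploy"]

def _rank(pattern, path):
    """Servlet-spec precedence: exact match beats the longest path prefix."""
    if pattern == path:
        return (2, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (1, len(pattern))
    return None

def roles_for(web_xml, path):
    """Roles allowed on path; None means no constraint matched (open to all)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop the XML namespace
        el.tag = el.tag.split("}")[-1]
    best, roles = None, None
    for sc in root.iter("security-constraint"):
        ranks = [rk for p in sc.iter("url-pattern")
                 if (rk := _rank(p.text.strip(), path)) is not None]
        if not ranks:
            continue
        sc_roles = {n.text.strip() for n in sc.iter("role-name")}
        if best is None or max(ranks) > best:   # a more specific pattern wins
            best, roles = max(ranks), sc_roles
        elif max(ranks) == best:                # same pattern: roles combine
            roles = roles | sc_roles
    return roles

def reachable(web_xml, role):
    """Audited commands that a user holding only `role` may call."""
    return [c for c in COMMANDS
            if (allowed := roles_for(web_xml, c)) is None or role in allowed]
```

Widening the first constraint to /html/* would let the restart role reach /html/deploy and /html/undeploy as well, and reachable() reports that. The on-call account then carries only the restart role in tomcat-users.xml.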


Re: two questions about the session timeout in tomcat

2011-10-09 Thread Bill Wang
Hi Chris, Pid & George,

Thanks to everyone who replied to my mail. I will try to answer your questions in
one mail.

1. I access the admin interface through the manager app. I'd like to have an
existing command to run to get the report easily; if there is no such command,
I will think about using wget | curl.

2. The application normally has no issue with under 60 sessions. But when
the sessions go up to 80 ~ 100, I start to get calls from the customer. It
happens many times, at random times. Sometimes I have to restart it; without
any changes, after the restart, the customer can continue to use it. This
performance issue is very annoying.

3. From Chris's explanation, it looks like changing the timeout to 30 minutes
will be a good idea, since I don't mind the end users having to log in to the
system more frequently; I need a more stable system. The server has other heavy
applications running, the CPU load is always up to 10 ~ 20, and the available
physical memory is not too much (10GB).

4. We have been troubleshooting this application recently and haven't
found much that can be done. I checked with the network and DBA teams; they all
report to me that there is no issue. I contacted the developers who maintain the
tomcat app code; they said the code runs fine in their testing environment. I am
planning to do some load testing, but it is just a plan.

5. @ Pid:

Can you explain in more detail how to follow your suggestion? I am not a
developer and don't write code; my role in this project is to set up the
webserver and tomcat service and keep them running and stable.

***
The session count per application can be read via a JMX connection and
a request to the appropriate MBean.
***

6. @ George

Sorry, I don't understand your question. We DO have an Oracle Database in the
backend.
***
Are you storing objects on the session, in particular JDBC connections
or result sets?
***

Regards
Bill
On Sat, Oct 8, 2011 at 1:23 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Bill,

 On 10/6/2011 7:20 PM, Bill Wang wrote:
  Recently one of the Tomcat applications has had a performance issue: it
  responds slowly with high session counts.

 Can you give us some numbers? At what point do things slow down, and
 by how much do they slow down?

  One team member recommended that I adjust the session timeout from 60
  minutes to 30 minutes. I will do that, but before changing it, I'd
  like to understand how the performance is related to the session
  expiry timeout.
 
  <session-timeout>60</session-timeout>

 I'm not sure performance will change at all when changing the session
 timeout. Tomcat runs session-expiration tasks periodically, and the
 performance of that has more to do with the number of total sessions
 than the timeout itself.

 If you have lots of sessions that must timeout instead of being
 explicitly invalidated (i.e. people close their browsers instead of
 logging-out), then you will have a lot of wasted memory that may
 prevent the garbage collector from working efficiently. It's best to
 destroy sessions as soon as they are not needed, so short session
 timeouts can help with that. On the other hand, you want to give users
 a reasonable amount of time to get a cup of coffee, etc. without
 forcing them to re-login every time.

 You'll have to determine what is an appropriate amount of time for
 your users.

 There is another option: selectively extend the session timeout for
 certain sessions, or for certain operations. If a user enters a flow
 that is expected to take a long time or the consequences of having the
 session time out are frustrating (i.e. you have to re-enter tons of
 data), you can change the session timeout for that one session to be
 longer than the default. When the flow is over, you can re-set it back
 to the default. We do that for a number of tasks in our webapp, for
 instance.

  Second, currently I monitor the session count by logging in to the admin
  interface,

 Do you mean using the manager app?

  the manual way is not efficient; can I run some commands to get
  the session count? With that I can set up a cron job and generate the
  session report easily.

 If you have the manager app deployed, you can use the text or XML
 interfaces from the command-line instead of the HTML interface. Simple
 use of wget, curl, etc. should allow you to do this kind of thing.

 -chris

two questions about the session timeout in tomcat

2011-10-06 Thread Bill Wang
Hi Tomcat Guru,

Recently one of the Tomcat applications has had a performance issue: it
responds slowly with high session counts.

One team member recommended that I adjust the session timeout from 60 minutes
to 30 minutes. I will do that, but before changing it, I'd like to understand
how the performance is related to the session expiry timeout.

 <session-timeout>60</session-timeout>

Second, currently I monitor the session count by logging in to the admin
interface. The manual way is not efficient; can I run some commands to get the
session count? With that I can set up a cron job and generate the session
report easily.

Regards,
Bill
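
The approach Chris suggests in his reply in this thread (read the manager's text interface from a scheduled job instead of the HTML page), as an added example that is not code from the thread. It parses the `path:state:sessions:docBase` lines of the text `list` command; the sample response, the function names and the `limit` of 80 (the level at which the reply above reports customer calls starting) are assumptions of this sketch.

```python
import base64
import urllib.request

# Constructed sample of the manager's text "list" response: one
# path:state:sessions:docBase line per web application.
SAMPLE = """OK - Listed applications for virtual host localhost
/:running:0:ROOT
/manager:running:1:manager
/APPNAME:running:87:APPNAME
/old:stopped:0:old
"""

def fetch_list(url, user, password):
    """GET the text interface with HTTP Basic auth.

    On Tomcat 6 the URL is http://host:port/manager/list. Use an account
    that can reach only this command, not the shared admin login.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_list(body):
    """Return {context path: (state, session count)}; raise on a FAIL reply."""
    lines = body.strip().splitlines()
    if not lines or not lines[0].startswith("OK"):
        raise ValueError("manager error: " + (lines[0] if lines else "empty reply"))
    apps = {}
    for line in lines[1:]:
        parts = line.split(":", 3)          # docBase may itself contain ':'
        if len(parts) < 3 or not parts[2].isdigit():
            continue                        # skip anything that is not an app line
        apps[parts[0]] = (parts[1], int(parts[2]))
    return apps

def busy(apps, limit=80):
    """Running applications whose session count has reached the limit."""
    return sorted(path for path, (state, count) in apps.items()
                  if state == "running" and count >= limit)

def report(body, limit=80):
    """One line per application, flagged when at or over the limit."""
    apps = parse_list(body)
    over = set(busy(apps, limit))
    return [f"{path} {state} sessions={count}" + (" HIGH" if path in over else "")
            for path, (state, count) in sorted(apps.items())]
```

A cron job would call `report(fetch_list(...))` and append the lines to a log file.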


tomcat code in version control

2011-03-25 Thread Bill Wang
Hi Tomcat expert,

We have one tomcat application installed on our tomcat server
(apache-tomcat-6.0.29 + jre1.6.0_22).

It is successfully deployed. Now we are thinking of putting it under source
version control.

Do I need to import all the folders and files below into version control, or
only some of them?

bash-3.00$ ls
META-INF  WEB-INF  help  images  jsp  scripts  src  styles  work

As I understand it, the work folder is generated automatically and does not
need source control. Can any others be excluded?

Regards,
Bill


Re: Accident: After app in one tomcat is deleted, the same app in another tomcat is disappeared.

2010-12-04 Thread Bill Wang
Hi Konstantin & Pid,

Thank you for your reply. My tomcat is apache-tomcat-6.0.14. I start tomcat
with bin/startup.sh and stop it with bin/shutdown.sh.

There is no conf/Catalina/localhost/myapp.xml.

I found the folder Catalina/localhost under $CATALINA_HOME/work, but I didn't
find any xml file under it. There are some folders with the same app name under
webapp.

As you recommended, I will check the log file. If I find anything, I will let
you know.

Regards,
Bill

On Fri, Dec 3, 2010 at 9:38 PM, Pid p...@pidster.com wrote:

 On 12/3/10 5:23 AM, Konstantin Kolinko wrote:
  2010/12/3 Bill Wang bw57...@gmail.com:
  Is it possible?
 
  I do not think that it is possible.
 
  Maybe you are running more than 2 tomcat instances (e.g. failed to
  stop some old one properly).
 
 
  Maybe one of them runs with wrong $CATALINA_HOME or wrong
  $CATALINA_BASE. Maybe one of them runs with root (nobody should
  configure their tomcats like that, but mention here for completeness).
 
  What are your exact Tomcat versions? What connectors do you use? How
  do you start them? (jsvc, scripts; are those versions from
  tomcat.apache.org, or repacked ones).
 
  Maybe you had symlinks somewhere. Maybe you deleted the xml files from
  ${catalina.base}/conf/Catalina/localhost. That also will cause
  undeployment.
 
 
  Anyway, when Tomcat autodeploys or undeploys a webapp, it prints
  relevant messages in its logs.


 What was the docBase in ${catalina.base}/conf/Catalina/localhost/myapp.xml?

 If you had a full path to the file in both, then both servers could have
 been loading the same .war, rather than the copy in the other location.

 This might cause both apps to unload, but it wouldn't delete .war files.


 p



Accident: After app in one tomcat is deleted, the same app in another tomcat is disappeared.

2010-12-02 Thread Bill Wang
Hi All,

Let me explain the situation.

We have a running tomcat with application ABC in
/export/home/xyz/apache-tomcat/webapp/ABC. Application ABC is deployed from
ABC.war, and the owner is xyz.

We plan to migrate to /opt/tomcat/apache-tomcat/webapp/ABC, so I installed the
second tomcat under /opt/tomcat, with owner tcadmin. I made the adjustments such
as the java path, catalina home path and others.

The accounts xyz and tcadmin are in different groups.

Today, with the new tomcat running, I accidentally deleted the war file under
/opt/tomcat/apache-tomcat/webapp, and then /opt/tomcat/apache-tomcat/webapp/ABC
disappeared. That is fine; I shouldn't remove the war file while the service is
running. Then I wanted to copy the folder
/export/home/xyz/apache-tomcat/webapp/ABC
to /opt/tomcat/apache-tomcat/webapp/ABC.

Then the strange thing happened: the old
app, /export/home/xyz/apache-tomcat/webapp/ABC, disappeared.

Is it possible? I have checked the history of all commands run in both
accounts, xyz and tcadmin. There is no rm command run by xyz. So I
need your help and suggestions.

Regards,
Bill


Re: Any tools to detect tomcat services failure, and start it again automatically?

2010-11-15 Thread Bill Wang
Thanks everyone. I simplified the problem with my own requirements.

In our real env, only one application is deployed in each apache-tomcat server,
and the application will always have its name under the opt folder, as in:

/opt/tomcat/APP_NAME/tomcat-VERSION/webapp/APP_NAME

tomcat version: 5.5, 6.0.18, 6.0.29
Unix env: Solaris 8/10

I wrote a small script to detect the application status easily.


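$ cat tomcat_status

# Usage: tomcat_status APP_NAME   (needs ksh or bash for [[ ]])
instance=$1
# Put every word of the ps output on its own line, then keep the
# -Dcatalina.home=/opt/tomcat/APP_NAME/... argument whose 4th "/"-separated
# field is the instance name.
status=$(/usr/ucb/ps -auwwwx | nawk '$1=$1' OFS="\n" | nawk -F "/" -v s="$instance" '/Dcatalina.home=/ && ($4==s)')
# Exit codes as used by the cron job: 0 = NOT running, 1 = running.
if [[ $status == "" ]]; then
  echo "Application $instance is NOT running. "
  exit 0
else
  echo "Application $instance is running. "
  exit 1
fi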


With that, I can check the exit code in a cron job; if it finds that any
application is not running, the cron job will try to start it.

This simple script has fixed my current problem. I will think about writing
another script, which will detect the application service status from the error
logs.

Happy to share it with everyone. If you have any questions regarding this
script, just ask.

Regards,
Bill

On Fri, Nov 12, 2010 at 4:17 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Pid,

 On 11/11/2010 3:40 AM, Pid wrote:
  You could set CATALINA_PID and check that the process ID* contained in
  the file is active.

 That is one way of doing things, but Tomcat might not be healthy even
 though the process is running. For instance, I can imagine the following
 scenarios where the process would be running, but not considered healthy:

 1. Database connection pool is exhausted - possibly permanently
 2. Request processing thread pool is exhausted - possibly permanently
 3. JVM has experienced an OOME and parts of Tomcat may be unstable

 That last one is very difficult to detect. ;)

 In these cases, a Tomcat bounce might be the best action to take.

 -chris




Re: Any tools to detect tomcat services failure, and start it again automatically?

2010-11-07 Thread Bill Wang
Thanks to Christopher, Rainer, and Rainer again. I will try to understand
jsvc.

But for SMF, because we don't run tomcat as root, I am not sure if SMF can
be set up and run by a normal user. I need to check that first.

My idea is: for most applications, I normally get three options: start, stop
and status. But tomcat's catalina.sh has only two choices, startup and
shutdown. I can't find an existing command/script to show the tomcat status. If
I can show the status, I can write a script to start tomcat when its
status shows the tomcat service is down.

So is it possible to ask the tomcat development team to write a general script
or tool to detect the tomcat status directly?

Regards,
Bill


On Sat, Nov 6, 2010 at 6:59 AM, Rainer Jung rainer.j...@kippdata.de wrote:

 On 05.11.2010 16:17, Rainer Frey wrote:

 On Friday 05 November 2010 12:51:25 Bill Wang wrote:

 Hi All,

 I am searching the tool (or script) to be used for my tomcat env, that it
 can keep running as daemon in background, detect the tomcat services
 (several versions of tomcat). If it found the services don't run, or have
 failure, it will start it again automatically.

 I think I can put the script in cronjob, and run every 5 minutes, or by
 other way, please recommend.

  My env is: Solaris 10 with Apache-tomcat 6.0.29 or Jakarta-tomcat 6.0.18


 Doesn't the Solaris 10 Service Management Framework provide that feature?
 You'd have to create an appropriate service script for tomcat though.
 Unfortunately I only heard about the SMF from advertising, never used it
 myself.


 +1, if you primarily want to detect crashes, SMF is the way to go, at least
 if you like using what your platform provides. If you are looking for a more
 platform independent way jsvc is often used.

 Regards,


 Rainer





Any tools to detect tomcat services failure, and start it again automatically?

2010-11-05 Thread Bill Wang
Hi All,

I am searching for a tool (or script) to use in my tomcat env that
can keep running as a daemon in the background and monitor the tomcat services
(several versions of tomcat). If it finds that the services are not running, or
have failed, it will start them again automatically.

I think I can put the script in a cron job and run it every 5 minutes, or do it
some other way; please recommend.

 My env is: Solaris 10 with Apache-tomcat 6.0.29 or Jakarta-tomcat 6.0.18

Regards,
Bill


How to stop tomcat to be run more than two times.

2010-11-02 Thread Bill Wang
Hi all,

I have installed apache-tomcat-6.0.29 on my Solaris box, and I started the
tomcat service successfully.

But my question is: when the tomcat service is running and I try to start it
again, the script (startup.sh) doesn't stop me, and starts a second tomcat
service.

So how can I make tomcat check whether a tomcat service already exists and, if
so, not start?

Regards,
Bill