Re: SECURITY breach in Tomcat
I suggest removing all of the bundled web apps (in the webapps folder), including root, manager and host-manager. Also, upgrade your JVM to the latest 1.5.x version, which I think is 1.5.15 or something like that. Finally, scan your app/system for vulnerabilities with something like these:

https://www.mcafeesecure.com
http://www.alertsite.com/security.shtml
http://www.qualys.com/index.php

Qualys and Alertsite have free trials. I suggest you use them. They may also be able to find a hole in your own web apps as your problem may not be in Tomcat, the JVM or the OS.

Brian

From: Len Popp
To: Tomcat Users List
Sent: Thursday, January 22, 2009 10:27:31 AM
Subject: Re: SECURITY breach in Tomcat

This sounds like an attack that has been seen before:
http://markmail.org/message/jrqw75yw3d3xh3p6
That message also has tips on tightening security. In those cases it seems that the security hole was a weak password for the manager webapp.

--
Len

On Thu, Jan 22, 2009 at 10:16, Toby Kurien wrote:
> Hi,
> I have a webapp for my company that has been running for several years. Recently, we got infected by a trojan or virus and this has been causing a lot of abnormal behavior. The trojan creates user accounts in Windows and also creates web applications like safee.war and zhu.war into the webapps folder of Tomcat and also shuts down Tomcat. The trojan webapps have jsp and exe files which try to modify, copy and delete files in the system and also try to access the database. Symantec and Norton have not been able to rectify or detect much.
> I am totally at loss on what's going on and how to tighten or rectify this. Anyone with any ideas is highly appreciated.
>
> Thanks,
> -Toby
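The checks suggested in this thread (remove the bundled web apps, look for WAR files nobody deployed, look for a weak manager password) can be scripted. The following Python script is an added example, not code from the thread; the `orders` application name, the weak-password list and the 12-character minimum are assumptions, and it expects clear-text passwords in `tomcat-users.xml`.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Web apps that ship with Tomcat 6; the thread advises removing them.
BUNDLED_APPS = {"root", "manager", "host-manager", "docs", "examples"}
# Roles that unlock the manager / host-manager apps ("manager" and "admin"
# in Tomcat 6, "manager-gui", "admin-script" and similar in later releases).
PRIVILEGED_ROLES = ("manager", "admin")
# Constructed list of guessable passwords (assumption; extend for real use).
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "changeit", "123456"}
MIN_PASSWORD_LENGTH = 12  # assumption: local policy, not a Tomcat setting


def audit_webapps(webapps_dir, expected_apps):
    """Flag entries in webapps/ that are bundled apps or were never deployed by you."""
    expected = {name.lower() for name in expected_apps}
    findings = []
    for entry in sorted(os.listdir(webapps_dir)):
        # foo.war and the unpacked foo/ directory belong to the same app.
        app = entry[:-4] if entry.lower().endswith(".war") else entry
        if app.lower() in expected:
            continue
        kind = "bundled" if app.lower() in BUNDLED_APPS else "unexpected"
        findings.append((kind, entry))
    return findings


def is_privileged(role):
    """True for manager/admin and their suffixed variants such as manager-gui."""
    return any(role == p or role.startswith(p + "-") for p in PRIVILEGED_ROLES)


def audit_users(users_xml):
    """Flag tomcat-users.xml accounts that reach the manager app with a weak password."""
    findings = []
    for elem in ET.parse(users_xml).getroot().iter():
        # Ignore an XML namespace on the element name if the file declares one.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = [r.strip() for r in (elem.get("roles") or "").split(",")]
        granted = sorted(r for r in roles if is_privileged(r))
        if not granted:
            continue
        weak = (password.lower() in WEAK_PASSWORDS
                or password.lower() == name.lower()
                or len(password) < MIN_PASSWORD_LENGTH)
        if weak:
            findings.append((name, granted))
    return findings


def build_sample(base):
    """Create a constructed Tomcat layout: one real app plus the WARs named in the thread."""
    webapps = os.path.join(base, "webapps")
    for directory in ("ROOT", "manager", "orders"):
        os.makedirs(os.path.join(webapps, directory))
    for war in ("orders.war", "safee.war", "zhu.war"):
        with open(os.path.join(webapps, war), "wb") as fh:
            fh.write(b"PK")  # placeholder bytes, not a real archive
    users = os.path.join(base, "tomcat-users.xml")
    with open(users, "w") as fh:
        fh.write(
            "<tomcat-users>\n"
            '  <role rolename="manager"/>\n'
            '  <user username="admin" password="admin" roles="manager,admin"/>\n'
            '  <user username="deploy" password="Xk7#pQ2vLm9!wR4z" roles="manager"/>\n'
            '  <user username="viewer" password="viewer" roles="reports"/>\n'
            "</tomcat-users>\n"
        )
    return webapps, users


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        webapps, users = build_sample(base)
        for kind, entry in audit_webapps(webapps, expected_apps={"orders"}):
            print(f"[webapps] {kind}: {entry}")
        for name, roles in audit_users(users):
            print(f"[users] weak password for '{name}' with roles {roles}")
```

On a real server, pass the actual `webapps` directory, the list of applications you deploy, and the path to `conf/tomcat-users.xml`.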
Re: SECURITY breach in Tomcat
What version of Tomcat are you using? What version of the JVM? What version of Windows? Are you up to date on your Windows patches?

From: Toby Kurien
To: users@tomcat.apache.org
Sent: Thursday, January 22, 2009 9:16:46 AM
Subject: SECURITY breach in Tomcat

Hi,
I have a webapp for my company that has been running for several years. Recently, we got infected by a trojan or virus and this has been causing a lot of abnormal behavior. The trojan creates user accounts in Windows and also creates web applications like safee.war and zhu.war into the webapps folder of Tomcat and also shuts down Tomcat. The trojan webapps have jsp and exe files which try to modify, copy and delete files in the system and also try to access the database. Symantec and Norton have not been able to rectify or detect much.
I am totally at loss on what's going on and how to tighten or rectify this. Anyone with any ideas is highly appreciated.

Thanks,
-Toby
Re: Monitor Tomcat
I use Sun's Visual VM.
https://visualvm.dev.java.net/

Brian

From: Zaki Akhmad
To: Tomcat Users List
Sent: Tuesday, January 20, 2009 10:02:51 PM
Subject: Monitor Tomcat

Hello,

I am deploying my web application on Tomcat. How do I monitor the tomcat performance?
1. If I am using GNU/Linux environment
2. If I am using Windows XP environment

What F/OSS package/software I should install?

--
Zaki Akhmad
Re: "maxKeepAliveRequests" attribute configuration
Do you monitor your tomcat server(s) for memory and CPU use? I'd get some baseline measurements and then incrementally increase your maxKeepAliveRequests value until your problem goes away, all the while making sure you don't have memory or CPU issues.

Brian Clark
VP, IS
Omeda

On Jan 18, 2009, at 2:13 PM, Prakash Nathan1 wrote:

Hello

We are planning to define the "maxKeepAliveRequests" attribute in Tomcat server.xml. As of now, this attribute is not defined and I believe the default value is 100. What is the preferred value to configure? Please advise.

Here are the environment details:
Apache Tomcat/4.1.27
JVM/JDK: 1.4.2_06
Platform: OS Red Hat Enterprise Linux AS release 3 (Taroon Update 5)

The reason for the definition of the attribute is because we encounter high socket connection issues and we suspect improper HTTP Keep alive configuration could be the root cause.

Please let me know if you need more details.

Thanks
Prakash
Re: SSL Accelerator - Front ending Tomcat
From: Rainer Jung
To: Tomcat Users List
Sent: Tuesday, October 14, 2008 9:46:56 AM
Subject: Re: SSL Accelerator - Front ending Tomcat

Mike Koponick wrote:
> Hello Everyone,
>
> I have not been a frequent administrator of Tomcat, but it seems that I am becoming one!
>
> So, Here is my setup, I using an SSL accelerator in front of a Tomcat server running two instances. When I try to access the website, the webserver (rightfully so) redirects me to another page on the same machine for the same instance. Thusly, I do not have the "https" URL any longer, but have "http" instead, of course this kills the connection.
>
> So, I was wondering if anyone has had any experience setting up this type of environment. It seems to me that Tomcat doesn't know that this is a secure connection.
>
> Any information is good information.

So look at

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

especially proxyName, proxyPort, scheme and secure.

Regards,

Rainer

--

Anyone have success doing this? I am having lots of problems getting this to work, and in choosing the config directives to use to get it to work. For example, I set secure="true" and scheme="https" in the Connector block of my server.xml. In testing, however, when I call request.isSecure() it returns "false". When I call request.getScheme() it returns "http". I tested this with a simple page on my local instance of Tomcat--I accessed that page via http://localhost:8080.

Shouldn't the secure and scheme directives override whatever connection the browser initiated and return the configured value? Am I missing something? Do I need to define the proxyName and proxyPort config directives? I tried that, and it didn't seem to have an effect.

I have the exact scenario (SSL accelerator in front of Tomcat) described above and am having problems forcing my apps to generate https URLs instead of http.

(BTW: I'm running Tomcat 6.0.16 on Windows 2003)

Thanks,
Brian
Re: Optimizing Tomcat with Http11NioProtocol?
We use Hyperic HQ to monitor all of our production servers without any noticeable performance impact. Hyperic takes samples (remotely) from the Tomcat server at regular intervals--which is configurable--but no more than once per minute. That has been good enough for us to see when we have heap usage or thread usage issues.

However, Mark makes a good point--your issue may not be heap usage or thread usage. It may be your app code. I suggest first seeing if you have a heap or thread usage problem because that is easier to diagnose and (sometimes) easier to fix. But if those aren't your problems, then you will probably need to use a profiler to find the problems. Yourkit seems to be the most popular. It is a commercial application, and we have used it and seen it have a significant impact on our production servers--as much as a 15% performance hit. We have also seen it cause stability issues on our servers. However, if you can afford to run it for 5 or 10 minutes, you can see what is going on in your code and possibly find your issue.

Another lightweight profiler and troubleshooting tool is from Sun called VisualVM. I have found it very useful, and it's free. But it only works with JDK 1.6.x. It seems to have most of the features of LambdaProbe, Jmeter and Jconsole, as well as a bunch of others.
https://visualvm.dev.java.net/

Brian

From: Mark Thomas
To: Tomcat Users List
Sent: Tuesday, December 30, 2008 4:48:47 AM
Subject: Re: Optimizing Tomcat with Http11NioProtocol?

nodje wrote:
> thanks again Brian.
>
> one last question about monitoring, have you been able to use Hyperic HQ on your production environment without significant performance reduction?
>
> We have identified Glassbox and LambdaProbe as potentially good tools but never dared to put them on the production server.

I have run LambdaProbe on production without issue in the past but I doubt it (or jconsole) is going to help you very much.

The quickest way to track down a performance bottleneck, assuming your application logging isn't giving you enough data, is to use a profiler. A good profiler, like YourKit (I use it because they give free copies to Tomcat developers) will tell you how much time is spent in what code. It will place a little more load on the server but a little more load for 5 minutes to tell you where the real problem is will be worth it.

Other techniques (access logs, jmeter, etc) should point you in the right direction but you'll need to do some more work to figure out exactly where the bottleneck(s) is(are).

Mark

>
> -nodje
>
>
> Brian Clark-10 wrote:
>> Glad to be of help.
>>
>> First, I don't think that APR has anything to do with thread management. I think the two things it does really well is to serve up static content and provide native SSL processing. Tomcat 6 and/or Java 6 may help with though (I would assume so, but I don't know for sure).
>>
>> Second, Tomcat 6 and Java 6 will provide performance enhancements--particularly from the newer hotspot compiler in Java 6. If using on 32-bit Windows, be sure to select the "server" version of the JVM, and not the "client" JVM. By default, Tomcat will select the client version on 32-bit Windows. On 64-bit Windows, there is only one version available, the server version.
>>
>> Also, as your original question started off with asking about the NIO protocol, according to the benchmarking done by the authors of the O'Reilly Tomcat book, the JIO connector is sometimes faster than the NIO connector. I recommend getting this book and reviewing the sections on performance tuning.
>>
>> Finally, I suggest using a tool to monitor your JVM and applications over a period of time. We use the free Hyperic HQ monitoring tool. It uses JMX to remotely monitor Java 6/Tomcat 6, and I have found it to be very valuable. There is a free and a commercial version. We use the free version and it works great. Check it out at http://www.hyperic.com We use this tool to monitor heap usage and thread usage over time, so that we can tell if we are hitting our upper limits on either of these constraints.
>>
>> Brian
>>
>> From: nodje
>> To: users@tomcat.apache.org
>> Sent: Monday, December 29, 2008 9:10:05 PM
>> Subject: Re: Optimizing Tomcat with Http11NioProtocol?
>>
>> Hi, thanks all for your answers.
>>
>> I have jconsole in place. I can monitor Tomcat and general JVM information.
>> The thing is it's not easy to understand statistics.
>>
>> - How much I
Re: Optimizing Tomcat with Http11NioProtocol?
Glad to be of help.

First, I don't think that APR has anything to do with thread management. I think the two things it does really well is to serve up static content and provide native SSL processing. Tomcat 6 and/or Java 6 may help with though (I would assume so, but I don't know for sure).

Second, Tomcat 6 and Java 6 will provide performance enhancements--particularly from the newer hotspot compiler in Java 6. If using on 32-bit Windows, be sure to select the "server" version of the JVM, and not the "client" JVM. By default, Tomcat will select the client version on 32-bit Windows. On 64-bit Windows, there is only one version available, the server version.

Also, as your original question started off with asking about the NIO protocol, according to the benchmarking done by the authors of the O'Reilly Tomcat book, the JIO connector is sometimes faster than the NIO connector. I recommend getting this book and reviewing the sections on performance tuning.

Finally, I suggest using a tool to monitor your JVM and applications over a period of time. We use the free Hyperic HQ monitoring tool. It uses JMX to remotely monitor Java 6/Tomcat 6, and I have found it to be very valuable. There is a free and a commercial version. We use the free version and it works great. Check it out at http://www.hyperic.com We use this tool to monitor heap usage and thread usage over time, so that we can tell if we are hitting our upper limits on either of these constraints.

Brian

From: nodje
To: users@tomcat.apache.org
Sent: Monday, December 29, 2008 9:10:05 PM
Subject: Re: Optimizing Tomcat with Http11NioProtocol?

Hi, thanks all for your answers.

I have jconsole in place. I can monitor Tomcat and general JVM information.
The thing is it's not easy to understand statistics.

- How much I am using of Xmx is definitely something I want to know
- how many thread are used in peak times is also something I need to know: if it reaches 150, the max, how much further can I push it? Would Http11NioProtocol help for this matter?
- How can I detect if it's the application that takes time to process request or Tomcat that is at its max capacity? Number of threads and Heap memory usages are probably two good indicators right?

More generally about Http11NioProtocol, can it be less efficient than the std connector? Or is it suppose to be the next generation good-for-all connector?

We are going to update to Tomcat 6 +APR anyways. Is the APR good only for static content? I thought it would help the thread management anyways.

Thanks Brian for confirming memory usage! That's very good to know it's possible to use that much memory!

cheers

Brian Clark-10 wrote:
>
> Try using jconsole.exe (it is part of the Sun JDK) to review memory and thread usage of your JVM. That should help you narrow down where the issue is. One key thing to look at with Jconsole is the heap memory used figure. You are setting your -Xmx, but how much of it are you actually using? Heap memory used will tell you if you have a memory constraint or not. Also look at how often you have garbage collections. You'll have more of them if you have a memory constraint. One more thing, be sure your min and max memory configurations are the same. It's more efficient that way.
>
> On 32-bit Windows, you should be able to use 1536MB as your -Xmx size. That is what we are able to use, at least using JDK 1.6.x. Upgrading to 64-bit Windows and a 64-bit JVM (and 64-bit Tomcat) will allow you to use as much RAM as you have available. We have a 64-bit Windows system with 18 GB of RAM allocated to Tomcat/Java.
>
> Good luck,
> Brian
>
> From: nodje
> To: users@tomcat.apache.org
> Sent: Monday, December 29, 2008 2:57:14 AM
> Subject: Optimizing Tomcat with Http11NioProtocol?
>
> Hi,
>
> we are still using 5.5.12 in production and our users are facing increasing delays with their requests (like way too long by now already).
> While we are not entirely sure about what's causing this (database vs Java application), we suppose it comes from the Java application (the database server never seems to be under stress).
> The CPU of the Tomcat machine doesn't seem too busy either.
>
> Providing it comes from the Java application side (by the way, any tips on how to precisely identify that is more than welcome), and providing that the problems come from too many requests, would Http11NioProtocol help Tomcat speed up the execution?
> It seems worth trying Http11NioProtocol before going for clustering+load balancing. Any advice on the matter?
>
> Also we think that request that cannot be served in the reasonable time should b
Re: Hints on upgrading from 6.0.14 to 6.0.18 on production server
The only thing we found when going from 6.0.16 to 6.0.18 was an issue with some of our JSP's. The fix is described by "jroller" here: http://www.searchfull.net/1289260.html

Since I had a real hard time getting to this website, I'll copy and paste the article here:

Tomcat 6.0.18 includes a fix for JSP specification compliance as described in Bug #45015. Unfortunately, that means a lot of your JSPs will fail with the following exception:

org.apache.jasper.JasperException: /WEB-INF/jsp/myPage.jsp(44,72) Attribute value is quoted with " which must be escaped when used within the value

While I haven't found a way to automatically fix them, you can at least find all of your JSPs (*.jsp*) in need of an update with the following regular expression (take a deep breath):

<\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'

Enjoy,
Brian

From: Alan Chaney
To: Tomcat Users List
Sent: Monday, December 29, 2008 11:54:56 AM
Subject: Hints on upgrading from 6.0.14 to 6.0.18 on production server

Hi

I have a 6.0.14 running with Apr 1.1.10 and I seem to be seeing instances of

CVE-2007-6286: Tomcat duplicate request processing vulnerability

(64-Bit Server VM (build 1.6.0_03-b05, mixed mode)
(Centos 5.0 - Linux 2.6.18-8.el5 x86_64 )

The obvious thing to do is to upgrade from 6.0.14 to 6.0.18.

Firstly, are there any changes in server.xml and web.xml in 6.0.18 that mean I can't just use the existing ones in the new installation.

My current installation has $TOMCAT_HOME pointing to /usr/local/tomcat

My intended upgrade sequence is:

1. copy down 6.0.18 and untar it into /usr/local/tomcat18 (after checking signatures)
2. copy over the jars that I have placed in the old $TOMCAT_HOME/lib (eg postgres jdbc jar) to /usr/local/tomcat18/lib
3. copy over my webapp wars from $TOMCAT_HOME/webapps to the new webapps folder.
4. as I am using jsvc to control tomcat, copy over the 'tomcat' file from the $TOMCAT_HOME ('tomcat' is actually a shell script which sets up all the environment variables for jsvc.) jsvc is in /usr/lib/tcnative/jsvc so it should be unaffected by the move. However I do need to copy over the $TOMCAT_HOME/bin/commons-daemon.jar.
5. stop the old server and rename its directory to /usr/local/tomcat.old
6. rename the directory of the new server to that of the current the new server.
7. restart the server.

Am I missing anything? What have I overlooked? I need this to go as smoothly as possible as there is quite a lot of traffic on this site.

Thanks in advance

Alan Chaney
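The regular expression quoted in the message above can be run over a source tree before the upgrade, so the affected pages are known in advance. This Python script is an added example, not part of the message or the quoted article; the sample JSP content and the `my:` tag prefix are constructed, and the sample path reuses the one in the exception text.

```python
import fnmatch
import os
import re
import tempfile

# The regular expression quoted in the message above, unchanged.
NESTED_QUOTE_RE = re.compile(
    r"""<\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'"""
)

# Constructed sample page: lines 2 and 5 reuse the attribute's own quote
# character inside the <%= %> expression, lines 3 and 4 do not.
SAMPLE_JSP = """\
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="<%= request.getAttribute("title") %>"/>
<c:out value='<%= request.getAttribute("ok") %>'/>
<c:out value="<%= title %>"/>
<my:link
    href='<%= base + '/' + id %>'/>
"""


def scan_text(text):
    """Return (line_number, matched_text) for every tag the expression flags."""
    hits = []
    for match in NESTED_QUOTE_RE.finditer(text):
        # A tag may span several lines; report the line where it starts.
        line = text.count("\n", 0, match.start()) + 1
        hits.append((line, " ".join(match.group(0).split())))
    return hits


def scan_tree(root):
    """Scan every *.jsp* file under root; return {relative_path: hits}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not fnmatch.fnmatch(name.lower(), "*.jsp*"):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 decodes any byte sequence, so odd encodings cannot abort the scan.
            with open(path, encoding="latin-1") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree(base):
    """Write the constructed sample files used by the demonstration."""
    jsp_dir = os.path.join(base, "WEB-INF", "jsp")
    os.makedirs(jsp_dir)
    with open(os.path.join(jsp_dir, "myPage.jsp"), "w") as fh:
        fh.write(SAMPLE_JSP)
    with open(os.path.join(jsp_dir, "footer.jspf"), "w") as fh:
        fh.write('<c:out value="<%= year %>"/>\n')      # clean fragment
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write('<c:out value="<%= f("x") %>"/>\n')    # not a JSP, skipped


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for path, hits in sorted(scan_tree(base).items()):
            for line, text in hits:
                print(f"{path}:{line}: {text}")
```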
Re: Optimizing Tomcat with Http11NioProtocol?
Try using jconsole.exe (it is part of the Sun JDK) to review memory and thread usage of your JVM. That should help you narrow down where the issue is. One key thing to look at with Jconsole is the heap memory used figure. You are setting your -Xmx, but how much of it are you actually using? Heap memory used will tell you if you have a memory constraint or not. Also look at how often you have garbage collections. You'll have more of them if you have a memory constraint. One more thing, be sure your min and max memory configurations are the same. It's more efficient that way.

On 32-bit Windows, you should be able to use 1536MB as your -Xmx size. That is what we are able to use, at least using JDK 1.6.x. Upgrading to 64-bit Windows and a 64-bit JVM (and 64-bit Tomcat) will allow you to use as much RAM as you have available. We have a 64-bit Windows system with 18 GB of RAM allocated to Tomcat/Java.

Good luck,
Brian

From: nodje
To: users@tomcat.apache.org
Sent: Monday, December 29, 2008 2:57:14 AM
Subject: Optimizing Tomcat with Http11NioProtocol?

Hi,

we are still using 5.5.12 in production and our users are facing increasing delays with their requests (like way too long by now already).
While we are not entirely sure about what's causing this (database vs Java application), we suppose it comes from the Java application (the database server never seems to be under stress).
The CPU of the Tomcat machine doesn't seem too busy either.

Providing it comes from the Java application side (by the way, any tips on how to precisely identify that is more than welcome), and providing that the problems come from too many requests, would Http11NioProtocol help Tomcat speed up the execution?
It seems worth trying Http11NioProtocol before going for clustering+load balancing. Any advice on the matter?

Also we think that request that cannot be served in the reasonable time should be refused. Taking into account the described behaviour with the default maxThreads=150 and acceptCount=100 values, shouldn't we decrease the acceptCount?
Moreover the CPU on the Tomcat machine doesn't seem too busy. Is it a sign that we can increase maxThreads?

Tomcat is on a Windows 32bits machine, so even though the machine has 4Gb of RAM, the MAX -Xmx size that we can be used seems to be around 1200Mb. Would a 64bits OS automatically allows for more memory usage?

A lot of questions I know, but facing big problems like we are now, we want to try anything possible to quickly relieve the pain from using the application!

thanks to anyone providing advice

-nodje
Re: SSL Accelerator - Front ending Tomcat
I don't know if this will actually help Mike do what he wants to do. I don't think he needs to know about Tomcat SSL configuration.

I think we do exactly what Mike wants to do...we have a network load balancer with SSL accelerator in front of all of our Tomcat instances. All of our incoming SSL connections terminate on the load balancer. The load balancer acts as a sort of reverse proxy to Tomcat. The Tomcat instances do not have any SSL configuration whatsoever--communications between the load balancer and Tomcat is via HTTP.

Some load balancers support re-encrypting traffic between the load balancer and the web/app server. You could setup your environment like this, and it might solve your problem. We didn't do it this way though.

To make this work in our environment, we had to engineer our applications to be SSL-aware, even though Tomcat wasn't. To do this, we did two major pieces of engineering effort:

1) Used relative links in our apps as much as possible. If you could make all of your URL's relative, then you wouldn't have any problems, as there would never be any miscommunication between the browser, the load balancer and Tomcat.

2) Whenever we generated full URL's inside of an SSL-enabled application, we had to make sure that our code generated an HTTPS URL, and not an HTTP URL. You don't normally have to do this, as Tomcat can do it for you. But since Tomcat isn't aware that the connection is SSL-enabled, you have to write code to force the kind of URL that you want. For our HTTP apps, we had to make sure that HTTP URL's were generated.

Hope this helps.

Brian

----- Original Message -----
From: Martin Gainty <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Monday, October 13, 2008 7:20:48 PM
Subject: RE: SSL Accelerator - Front ending Tomcat

all your connections are all defined in $TOMCAT_HOME/conf/server.xml

if you provide information on who/what/why/how specific security features you want your website to implement we can be of point you in the right direction

check out
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

also pay attention to redirectPort of the NON-ssl connector *usually 8443*

a very simple primer located here
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/

Martin

> From: [EMAIL PROTECTED]
> Subject: SSL Accelerator - Front ending Tomcat
> Date: Mon, 13 Oct 2008 15:53:35 -0700
> To: users@tomcat.apache.org
>
> Hello Everyone,
>
> I have not been a frequent administrator of Tomcat, but it seems that I am becoming one!
>
> So, Here is my setup, I using an SSL accelerator in front of a Tomcat server running two instances. When I try to access the website, the webserver (rightfully so) redirects me to another page on the same machine for the same instance. Thusly, I do not have the "https" URL any longer, but have "http" instead, of course this kills the connection.
>
> So, I was wondering if anyone has had any experience setting up this type of environment. It seems to me that Tomcat doesn't know that this is a secure connection.
>
> Any information is good information.
>
> Thanks!
>
> Mike
Re: jstack and Tomcat 6 on Windows
Thanks again for all of our suggestions.

The Eclipse Memory Analyzer Tool looks very interesting and helpful. It also calls out the JAVA_OPT -XX:+HeapDumpOnOutOfMemoryError to auto generate a heap dump for me. I was originally looking for a way to automatically generate a thread dump, but this will be extremely helpful as well.

Another alternative to JHAT is Sun's new free tool, Visual VM. I think JHAT is part of its underlying technology. Visual VM now ships with Sun JDK 1.6.0_07 and later, and is available via download separately from https://visualvm.dev.java.net/

I believe that VisualVM will eventually replace Sun's Jconsole, as it has all of Jconsole's functionality as well as heap dump, thread dump, and basic profiler functionality. It seems to have some of the functionality that is in Eclipse MAT. Not sure of the pro's and con's of one vs. the other though. I plan on looking at both.

Thanks again,
Brian

----- Original Message -----
From: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco)
To: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco); Tomcat Users List
Sent: Monday, September 22, 2008 4:56:05 AM
Subject: RE: jstack and Tomcat 6 on Windows

OOPS It's alternate to JHAT and not JMAP.

Suren

> -----Original Message-----
> From: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco)
> Sent: Monday, September 22, 2008 3:25 PM
> To: 'Tomcat Users List'
> Subject: RE: jstack and Tomcat 6 on Windows
>
> Check Eclipse Memory Analyzer Tool www.eclipse.org/mat/. This is alternate to JMAP, but it can parse the hprof file faster and have a very visual GUI.
>
> Thanks
> Suren
>
> > -----Original Message-----
> > From: Johnny Kewl [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, September 20, 2008 4:40 PM
> > To: Tomcat Users List
> > Subject: Re: jstack and Tomcat 6 on Windows
> >
> > >> Thanks everyone for their suggestions.
> > >>
> > >> Unfortunately, that doesn't help me with my particular issue. I have a memory leak in one of my apps, and when the system runs out of memory, it stops responding to new requests. I have a script that will detect this condition and automatically restart Tomcat. I was hoping to add a jstack command to this script to give me a thread dump prior to restarting Tomcat to give me better troubleshooting information. Your solution would work under normal circumstances, but I don't know how to script a ctrl+break. ;-)
> >
> > OK... I couldn't resist giving it a little go... JHat is exactly what you looking for...
> > http://weblogs.java.net/blog/jfarcand/archive/2006/02/using_mustangs.html
> >
> > Well done Sun... its exactly what I've been looking for...
> >
> > Let the server run a little do a dump, run the server and then from the browser to the HIST option...
> >
> > The highest non Sun class... webapp class... is going to be the bad guy ;)
> >
> > Damn thats nice...
> >
> > ---
> > HARBOR : http://www.kewlstuff.co.za/index.htm
> > The most powerful application server on earth.
> > The only real POJO Application Server.
> > See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
> > ---
Re: jstack and Tomcat 6 on Windows
Thanks everyone for their suggestions.

Unfortunately, that doesn't help me with my particular issue. I have a memory leak in one of my apps, and when the system runs out of memory, it stops responding to new requests. I have a script that will detect this condition and automatically restart Tomcat. I was hoping to add a jstack command to this script to give me a thread dump prior to restarting Tomcat to give me better troubleshooting information. Your solution would work under normal circumstances, but I don't know how to script a ctrl+break. ;-)

----- Original Message -----
From: Johnny Kewl <[EMAIL PROTECTED]>

If you need thread dumps
Start TC from the BAT file.
When you need a dump... press ctrl + break from term window... easier than Jstack...
jstack and Tomcat 6 on Windows
Hello,

I run Tomcat 6.0.x as a service on Windows 2003, using Sun JDK 1.6. I was trying to use the jstack program, part of the JDK, to get a stack dump from Tomcat/Java on my server. However, I ran into a problem.

First of all, Tomcat on Windows seems to "hide" the JVM instance. Java doesn't show up in my process listing. I tried running jstack against the Tomcat PID but it errored out.

Any idea how to make jstack work with Tomcat running as a service on Win2k3?

BTW: I can get a stack dump using a tool like Sun's VisualVM, but I wanted to use jstack as part of a script, which I obviously can't do with VisualVM.

Thanks,
Brian
Re: Non-Heap Memory always increasing during deployment for TC 5.5.26/Solaris/JVM 1.5.0_16
I think you need to add one more line to your CATALINA_OPTS statement:

-Dcom.sun.management.jmxremote=true

If that does not help you, I'd try using port 6969 (the default) instead of . It should not matter, but I would at least give it a try as part of the troubleshooting process.

You could also check to make sure you have access to the system on port , and that there are no firewalls (or iptables) in between you and the system preventing access to this port.

Brian

- Original Message
From: emerson cargnin <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Tuesday, September 16, 2008 8:40:59 AM
Subject: Re: Non-Heap Memory always increasing during deployment for TC 5.5.26/Solaris/JVM 1.5.0_16

Correcting, in windows I wasn't actually connected to tomcat. For some reason it wouldn't allow me to choose a port with the following appended to catalina.bat

set CATALINA_OPTS="-Dcom.sun.management.jmxremote.port= -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"

Anyone know why?

regards
emerson

2008/9/16 emerson cargnin <[EMAIL PROTECTED]>:
> Hi
>
> I tried to find about this in the tomcat faq, google, but still
> haven't found the reason for this strange behaviour.
> Every time I hot-deploy an application, the non-heap memory goes up.
> This ends up breaking the tomcat server with the message:
> "Exception in thread "RMI TCP Connection(13)-12.169.193.2"
> java.lang.OutOfMemoryError: PermGen space"
>
> I profiled it and got the result in the image:
> http://home.zenly.co.uk/emerson/Console.png
> I tested in two different solaris servers with the same behaviour.
>
> Even after I undeployed the application via manager app the memory
> didn't go down.
> I know I can get this non-heap memory up using -XX:MaxPermSize but
> shouldn't the memory go down after the undeployment?
>
> My Configuration:
> JVM: JVM 1.5.0_16
> Server: SunOS boxname 5.10 Generic_120011-14 sun4v sparc SUNW,Sun-Fire-T200
> Tomcat: 5.5.26
>
>
> I just did the same test on windows and I couldn't see the non-heap
> memory going mad.
>
> Thanks a lot
> Emerson
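The CATALINA_OPTS line quoted in the message above switches off both authentication and TLS on the remote JMX connector, so anyone who can reach that port can manage the JVM. The check below is an added example, not part of the original thread; the function names, port 9004 and the password-file path are constructed for illustration.

```python
import re

BASE = "com.sun.management.jmxremote"
# -Dname or -Dname=value; a value stops at whitespace or a double quote
PROP_RE = re.compile(r'-D([A-Za-z0-9_.]+)(?:=([^\s"]*))?')

def jvm_props(opts: str) -> dict:
    """Map each -D system property in an options string to its value ('' if none)."""
    return {name: value for name, value in PROP_RE.findall(opts)}

def audit_jmx(opts: str) -> list:
    """Return findings for the remote JMX connector configured by opts."""
    props = jvm_props(opts)
    if BASE + ".port" not in props:
        return []  # no remote connector requested, nothing exposed
    findings = []
    port = props[BASE + ".port"]
    if not port.isdigit() or not 0 < int(port) < 65536:
        findings.append("port missing or invalid: %r" % port)
    # Both properties default to true; only an explicit false disables them.
    if props.get(BASE + ".authenticate", "true").lower() == "false":
        findings.append("authentication disabled")
    if props.get(BASE + ".ssl", "true").lower() == "false":
        findings.append("TLS disabled")
    return findings

# The value from the thread, exactly as this archive shows it (port is blank).
PAGE_OPTS = ('"-Dcom.sun.management.jmxremote.port= '
             '-Dcom.sun.management.jmxremote.ssl=false '
             '-Dcom.sun.management.jmxremote.authenticate=false"')

# Constructed hardened variant: port and password-file path are placeholders.
HARDENED_OPTS = ("-Dcom.sun.management.jmxremote.port=9004 "
                 "-Dcom.sun.management.jmxremote.ssl=true "
                 "-Dcom.sun.management.jmxremote.authenticate=true "
                 "-Dcom.sun.management.jmxremote.password.file=conf/jmxremote.password")

if __name__ == "__main__":
    for label, opts in (("thread", PAGE_OPTS), ("hardened", HARDENED_OPTS)):
        print(label, audit_jmx(opts) or "no findings")
```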
Re: Fw: Tomcat Patch Management
"So, do you think Automatic windows patch management and manual tomcat patch management would ideal as patch releases from Tomcat is very rare?" Yes, that's the way we do it. We use WSUS for Windows patch management, and manually upgrade Tomcat as needed. This has not been an issue for us, as Tomcat is only updated a few times per year, not once per month like Windows is. If your environment is standardized enough, you could probably build your own MSI installer for Tomcat to make the upgrade process even easier. I've not done this, but there are inexpensive tools that you can get to help you do it. Brian
Re: Tomcat logging properties
Yep, read through that, but it didn't tell me what those directives actually mean. Anyone have anything else?

- Original Message
From: Yassine <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Wednesday, September 10, 2008 8:17:01 PM
Subject: Re: Tomcat logging properties

have a look here if you still need more info
http://tomcat.apache.org/tomcat-6.0-doc/logging.html

On Thu, Sep 11, 2008 at 2:10 AM, Brian Clark <[EMAIL PROTECTED]> wrote:
> At the bottom of my Tomcat 6.0.16 logging.properties file, I have the
> following entries:
> #org.apache.catalina.startup.ContextConfig.level = FINE
> #org.apache.catalina.startup.HostConfig.level = FINE
> #org.apache.catalina.session.ManagerBase.level = FINE
> #org.apache.catalina.core.AprLifecycleListener.level=FINE
>
> Aside from being commented out at the moment, I don't really know what these
> do. I couldn't find any documentation on them. Can someone point me to
> something that explains what these things might log? I'm struggling with an
> application issue, and my current logs and logging levels aren't showing me
> much.
>
> Thanks,
> Brian
Tomcat logging properties
At the bottom of my Tomcat 6.0.16 logging.properties file, I have the following entries:

#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.session.ManagerBase.level = FINE
#org.apache.catalina.core.AprLifecycleListener.level=FINE

Aside from being commented out at the moment, I don't really know what these do. I couldn't find any documentation on them. Can someone point me to something that explains what these things might log? I'm struggling with an application issue, and my current logs and logging levels aren't showing me much.

Thanks,
Brian
Problems with running 64-bit Tomcat 6 as a Windows service
Hello, I am trying to get Tomcat 6.0.18 to run on my Win2k3 x64 edition server. I basically did the same thing talked about here: http://markmail.org/message/kptleixb6duxgwhm but it didn't work for me. I didn't use the service.bat install though. I installed the service manually with the sc.exe command. I am using the 64-bit 1.6.0_06 JDK. I don't get any Windows errors, the service start process just times out. My catalina and jakarta logs don't have anything useful. The logs seem to indicate that Tomcat started up fine--only it didn't. When I start up Tomcat from the command line, it works fine. I did have to check the box in tomcat6w.exe to allow the service to interact with the desktop to run it from the command line though. That seemed a little weird. Anyone successful in running Tomcat 6 as a 64-bit service? Thanks, Brian
Re: Tomcat Native library for Windows
Thanks for the suggestions. I just re-downloaded the file and now it works. I guess it was corrupted during the original download or something. Go figure.

Brian

- Original Message
From: "Caldarale, Charles R" <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Tuesday, September 2, 2008 7:19:32 PM
Subject: RE: Tomcat Native library for Windows

> From: Brian Clark [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat Native library for Windows
>
> Hmmm...on Windows, what is the difference between
> java.library.path and the Windows environmental variable PATH?

By default, none.

> I have my Java Classpath set to this, which contains
> my bootstrap.jar.

Hopefully that's what shows in the tomcat6w.exe program, not something you're setting in the system environment variables. (If you do have a CLASSPATH environment variable, get rid of it - it will only break things.)

> Should I just set, via JAVA_OPTS, my java.library.path to the
> same directory, since that's where I put my tcnative-1.dll file?
> -Djava.library.path=C:\Program Files\Apache Software
> Foundation\Tomcat 6.0\bin

Don't bother, the JVM is already looking there, as shown by the INFO message.

> I don't want to break anything. Setting the java.library.path
> won't make Tomcat stop looking at other libraries in other
> locations (like the built-in /lib directory) will it?

No, it won't break anything, but it's also not going to make it work. The java.library.path is used for native library DLLs only, not for classes.

Check for ownership and access permissions on the file - insure that the account the Tomcat service is running under can access the DLL.

By any chance, is this a 64-bit version of Windows Server? If so, and you're using a 64-bit JVM, you'll need the 64-bit version of the DLL.

- Chuck
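The two causes raised in this thread for tcnative-1.dll failing to load, a DLL built for the wrong architecture and a download that arrived damaged, can both be checked from the file's PE headers before the DLL is dropped into Tomcat's bin directory. This is an added example, not code from the thread or from Tomcat; the function names and the sample image are constructed, and the check catches truncation and non-PE content but not other kinds of corruption.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF format: i386, AMD64, IA-64
MACHINE_BITS = {0x014C: 32, 0x8664: 64, 0x0200: 64}

def pe_bits(data: bytes) -> int:
    """Return 32 or 64 for a structurally complete PE image, else raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                             # first section header
    if table + nsect * 40 > len(data):
        raise ValueError("section table truncated")
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        if raw_ptr + raw_size > len(data):
            raise ValueError("section data truncated")
    if machine not in MACHINE_BITS:
        raise ValueError("unknown machine 0x%04x" % machine)
    return MACHINE_BITS[machine]

def check_native_lib(data: bytes, jvm_bits: int) -> str:
    """Compare a DLL image with the JVM's bitness: 'ok', 'arch-mismatch: ...' or 'corrupt: ...'."""
    try:
        bits = pe_bits(data)
    except ValueError as exc:
        return "corrupt: %s" % exc
    if bits != jvm_bits:
        return "arch-mismatch: %d-bit DLL, %d-bit JVM" % (bits, jvm_bits)
    return "ok"

def build_sample(machine: int, body_len: int = 512) -> bytes:
    """Constructed minimal PE image (one section, no optional header), for demonstration."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x2102)
    raw_ptr = 0x40 + 4 + 20 + 40                               # data follows the headers
    sect = struct.pack("<8sIIIIIIHHI", b".text", body_len, 0x1000,
                       body_len, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + b"\x90" * body_len
```

On a real file, read it in binary mode and pass the bytes together with the JVM's bitness, for example `check_native_lib(open(path, "rb").read(), 64)`.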
Re: Tomcat Native library for Windows
Hmmm...on Windows, what is the difference between java.library.path and the Windows environmental variable PATH? I am not sure I understand your suggestion.

I have my Java Classpath set to this, which contains my bootstrap.jar.

C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\bootstrap.jar

Should I just set, via JAVA_OPTS, my java.library.path to the same directory, since that's where I put my tcnative-1.dll file?

-Djava.library.path=C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin

I don't want to break anything. Setting the java.library.path won't make Tomcat stop looking at other libraries in other locations (like the built-in /lib directory) will it?

Thanks,
Brian

- Original Message
From: Martin Gainty <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Tuesday, September 2, 2008 5:59:10 PM
Subject: RE: Tomcat Native library for Windows

AprLifecycleListener reads java.library.path so either start Java with -Djava.library.path

java -Djava.library.path=LocationOfBinary bootstrap.jar

(easier to place -Djava.library.path into JAVA_OPTS)

OR

set LD_LIBRARY_PATH=LocationOfBinary

YMMV/
Martin
> Date: Tue, 2 Sep 2008 23:38:45 +0100
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Native library for Windows
>
> Brian Clark wrote:
> > Hello,
> >
> > I am getting the following error when starting up Tomcat 6.0.16 on Windows
> > 2003:
> >
> > "Sep 2, 2008 4:18:13 PM org.apache.catalina.core.AprLifecycleListener init
> > INFO: The APR based Apache Tomcat
> > Native library which allows optimal performance in production
> > environments was not found on the java.library.path: C:\Program
> > Files\Apache Software Foundation\Tomcat
> > 6.0\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;D:\Perl\bin;C:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS"
> >
> > Here's
> > the catch, I do have the library installed in the bin directory (the
> > very same bin referenced in the PATH above). I downloaded version 1.1.14.0
> > from http://tomcat.heanet.ie/native/1.1.14/binaries/win32/ and tried to
> > just "drop it in" the bin directory. I don't know why it
> > doesn't work. I also tried putting it in my windows\system32 directory,
> > but with the same result.
> >
> > I've done a lot of research on the
> > 'net, and found lots of other people that have this problem. However,
> > most seem to have the problem resolved by putting the library in the
> > right place, such as described in this earlier mailing list posting:
> > http://www.mail-archive.com/users@tomcat.apache.org/msg29111.html
> >
> > Any ideas on what is going on here?
>
> Which file did you download. What is its current name?
>
> Mark
Re: Tomcat Native library for Windows
I downloaded the file http://tomcat.heanet.ie/native/1.1.14/binaries/win32/tcnative-1.dll

I didn't change the name.

- Original Message
From: Mark Thomas <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Tuesday, September 2, 2008 5:38:45 PM
Subject: Re: Tomcat Native library for Windows

Brian Clark wrote:
> Hello,
>
> I am getting the following error when starting up Tomcat 6.0.16 on Windows
> 2003:
>
> "Sep 2, 2008 4:18:13 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat
> Native library which allows optimal performance in production
> environments was not found on the java.library.path: C:\Program
> Files\Apache Software Foundation\Tomcat
> 6.0\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;D:\Perl\bin;C:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS"
>
> Here's
> the catch, I do have the library installed in the bin directory (the
> very same bin referenced in the PATH above). I downloaded version 1.1.14.0
> from http://tomcat.heanet.ie/native/1.1.14/binaries/win32/ and tried to just
> "drop it in" the bin directory. I don't know why it
> doesn't work. I also tried putting it in my windows\system32 directory,
> but with the same result.
>
> I've done a lot of research on the
> 'net, and found lots of other people that have this problem. However,
> most seem to have the problem resolved by putting the library in the
> right place, such as described in this earlier mailing list posting:
> http://www.mail-archive.com/users@tomcat.apache.org/msg29111.html
>
> Any ideas on what is going on here?

Which file did you download. What is its current name?

Mark
Tomcat Native library for Windows
Hello,

I am getting the following error when starting up Tomcat 6.0.16 on Windows 2003:

"Sep 2, 2008 4:18:13 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;D:\Perl\bin;C:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS"

Here's the catch, I do have the library installed in the bin directory (the very same bin referenced in the PATH above). I downloaded version 1.1.14.0 from http://tomcat.heanet.ie/native/1.1.14/binaries/win32/ and tried to just "drop it in" the bin directory. I don't know why it doesn't work. I also tried putting it in my windows\system32 directory, but with the same result.

I've done a lot of research on the 'net, and found lots of other people that have this problem. However, most seem to have the problem resolved by putting the library in the right place, such as described in this earlier mailing list posting: http://www.mail-archive.com/users@tomcat.apache.org/msg29111.html

Any ideas on what is going on here?

Brian Clark