RE: OT: Question about TomcatX.exe files

2022-09-28 Thread jonmcalexander
Thank you Mark. I mainly wanted to have answers for when I will be invariably 
questioned about it. :-). I knew about the naming, but understand that these 
aren't recompiled for each release, so modifying the version wouldn't work. 
(file/properties)

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, September 28, 2022 1:57 PM
> To: users@tomcat.apache.org
> Subject: Re: OT: Question about TomcatX.exe files
> 
> On 28/09/2022 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, this is a silly off-topic question, but is there an underlying reason 
> > that
> the wrapper exe files for Windows Tomcat do not reflect the same file
> version as the implementation version found in the manifest of the
> bootstrap.jar? That version info matching the release version of the Tomcat
> release? I understand if these wrappers aren't recompiled each release, but
> if they are, why not make the versions reflect the Tomcat release?
> >
> > This seems to throw a loop at 3rd party software discovery tools such as
> BigFix, ServiceNow, etc., as well as normalizations performed by vendors like
> Flexera.
> 
> Those files are renamed Procrun files from Commons Daemon.
> 
> The files are never compiled as part of a Tomcat release (we use the binaries
> from Commons Daemon) but they can be renamed to anything you want but
> note the next point.
> 
> The file name reflects the default service name so you don't have to specify
> the service name every time you call the executables.
> 
> The default service name is TomcatX where X is the major version. This
> allows the service name to stay the same across minor and point release
> upgrades. Renaming the service every time you upgrade is likely to cause
> other issues - e.g. for software monitoring the service.
> 
> Other naming schemes are possible. The current scheme seems to provide a
> reasonable solution for the majority of users. That said, if the community
> disagrees, it can always be changed.
> 
> Mark
> 
> 
> >
> > Just curious.
> >
> > Thank you for your time.
> >
> >
> >
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


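For inventory and vulnerability-management tooling, the point made in this thread is that the wrapper executable only carries the major version in its name, while the release version lives in the manifest of bootstrap.jar. The following is an added example, not code from the thread or from the Tomcat project: it walks a directory tree, reads `Implementation-Version` from each bootstrap.jar, and reports it next to the major version implied by any TomcatX.exe file name. The fixture (version 9.0.65, file names, manifest text) is constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Wrapper naming described in the thread: TomcatX.exe, X = major version.
WRAPPER_RE = re.compile(r"^tomcat(\d+)\.exe$", re.IGNORECASE)


def parse_manifest_main(text):
    """Return the main-section attributes of a JAR manifest as a dict."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:
            if attrs:
                break                      # blank line ends the main section
            continue
        if line.startswith(" "):
            if key is not None:
                attrs[key] += line[1:]     # continuation of a wrapped value
            continue
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip()
            attrs[key] = value.lstrip(" ")
    return attrs


def bootstrap_version(jar):
    """Implementation-Version from a bootstrap.jar, or None if unreadable."""
    try:
        with zipfile.ZipFile(jar) as zf:
            raw = zf.read(MANIFEST_PATH)
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    attrs = parse_manifest_main(raw.decode("utf-8", "replace"))
    return attrs.get("Implementation-Version")


def inventory(root):
    """One record per directory under root that contains a bootstrap.jar."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        jars = [f for f in files if f.lower() == "bootstrap.jar"]
        if not jars:
            continue
        majors = []
        for name in files:
            m = WRAPPER_RE.match(name)
            if m:
                majors.append(int(m.group(1)))
        records.append({
            "bin_dir": dirpath,
            # Release version: the value discovery tools should report.
            "release": bootstrap_version(os.path.join(dirpath, jars[0])),
            # Only the major version can be inferred from the wrapper name.
            "wrapper_majors": sorted(majors),
        })
    return records


def build_sample_install(root, release="9.0.65", wrapper="Tomcat9.exe"):
    """Constructed fixture: bin/bootstrap.jar plus a dummy wrapper file."""
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Implementation-Title: Apache Tomcat Boot\r\n"
        " strap\r\n"
        f"Implementation-Version: {release}\r\n"
        "\r\n"
        "Name: constructed/section\r\n"
        "Implementation-Version: 0.0\r\n"
    )
    with zipfile.ZipFile(os.path.join(bin_dir, "bootstrap.jar"), "w") as zf:
        zf.writestr(MANIFEST_PATH, manifest)
    with open(os.path.join(bin_dir, wrapper), "wb") as fh:
        fh.write(b"MZ")                    # placeholder bytes, not a real exe
    return bin_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        for record in inventory(tmp):
            print(record)
```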



OT: Question about TomcatX.exe files

2022-09-28 Thread jonmcalexander
Ok, this is a silly off-topic question, but is there an underlying reason that 
the wrapper exe files for Windows Tomcat do not reflect the same file version 
as the implementation version found in the manifest of the bootstrap.jar? That 
version info matching the release version of the Tomcat release? I understand 
if these wrappers aren't recompiled each release, but if they are, why not make 
the versions reflect the Tomcat release?

This seems to throw a loop at 3rd party software discovery tools such as 
BigFix, ServiceNow, etc., as well as normalizations performed by vendors like 
Flexera.

Just curious.

Thank you for your time.




RE: [ANN] New committer: Han Li

2022-09-06 Thread jonmcalexander
Congratulations Han!


> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, September 6, 2022 2:38 AM
> To: Tomcat Developers List ; Tomcat Users List
> 
> Subject: [ANN] New committer: Han Li
> Importance: High
> 
> On behalf of the Tomcat committers I am delighted to announce that Han Li
> (lihan) has been voted in as a new Tomcat committer.
> 
> Please join me in congratulating Han.
> 
> Kind regards,
> 
> Mark
> 



RE: Simple SSL question

2022-08-11 Thread jonmcalexander
Thank you!


> -Original Message-
> From: l...@kreuser.name 
> Sent: Thursday, August 11, 2022 4:23 PM
> To: Tomcat Users List 
> Subject: Re: Simple SSL question
> 
> Jon,
> 
> I extracted a part of my test-server.xml. This for the JSSE Implementation.
> 
> <Connector
>   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>   sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>   allowTrace="false"
>   maxThreads="150"
>   SSLEnabled="true"
>   compression="off"
>   scheme="https"
>   server="Apache Tomcat"
>   secure="true"
>   defaultSSLHostConfigName="name1.mydomain.com" >
> compression="on" />
>   <SSLHostConfig
>     hostName="name2.mydomain.com"
>     honorCipherOrder="true"
>     protocols="TLSv1.2+TLSv1.3"
>     ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate
>       certificateKeystoreFile="${catalina.base}/conf/ssl/name2.p12"
>       certificateKeystorePassword="changeit"
>       certificateKeyAlias="name2"
>       type="RSA" />
>   </SSLHostConfig>
>   <SSLHostConfig
>     hostName="name1.mydomain.com"
>     honorCipherOrder="true"
>     protocols="TLSv1.2+TLSv1.3"
>     ciphers="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate
>       certificateKeystoreFile="${catalina.base}/conf/ssl/name1_ecc.p12"
>       certificateKeystorePassword="changeit"
>       certificateKeyAlias="name1_ecc"
>       type="EC" />
>     <Certificate
>       certificateKeystoreFile="${catalina.base}/conf/ssl/name1_rsa.p12"
>       certificateKeystorePassword="changeit"
>       certificateKeyAlias="name1"
>       type="RSA" />
>   </SSLHostConfig>
> </Connector>
> 
> If you have separate crt and key files in pem-format the Certificate-section
> looks like this:
> 
>     <Certificate
>       certificateFile="${catalina.base}/conf/ssl/name2.crt"
>       certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
>       type="RSA" />
> 
> We could start from there - I have no "old style" config to match against.
> 
> 
> Peter
> 
> 
> 
> > Am 11.08.2022 um 23:10 schrieb jonmcalexan...@wellsfargo.com.invalid
> :
> >
> > Peter,
> >
> > Yes, that WOULD be a good thing. That and some examples of
> implementing the new COOL stuff like configure TLS virtual hosting with SNI,
> would be very helpful.
> >
> >
> >
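The thread asks for a sample showing how a simple old-style TLS connector maps onto SSLHostConfig. The following is an added example, not code from the thread or from the Tomcat project: it rewrites a constructed server.xml so that TLS attributes set directly on the Connector move into a nested SSLHostConfig with a Certificate child. The attribute mapping tables are an assumption drawn from the documented attribute renames and should be checked against the configuration reference for the Tomcat version in use; the port, paths and password in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed mapping: old Connector attribute -> attribute on <SSLHostConfig>.
HOST_ATTRS = {
    "sslEnabledProtocols": "protocols",
    "ciphers": "ciphers",
    "useServerCipherSuitesOrder": "honorCipherOrder",
}
# Assumed mapping: old Connector attribute -> attribute on <Certificate>.
CERT_ATTRS = {
    "keystoreFile": "certificateKeystoreFile",
    "keystorePass": "certificateKeystorePassword",
    "keyAlias": "certificateKeyAlias",
    "SSLCertificateFile": "certificateFile",
    "SSLCertificateKeyFile": "certificateKeyFile",
    "SSLCertificateChainFile": "certificateChainFile",
}

# Constructed old-style configuration used as sample input.
OLD_STYLE_SAMPLE = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/ssl/name1.p12" keystorePass="changeit"
               keyAlias="name1" sslEnabledProtocols="TLSv1.2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def migrate_connector(conn):
    """Move old-style TLS attributes of one <Connector> into nested elements.

    Returns (status, attribute names found). A connector that already has an
    <SSLHostConfig> child and still carries old attributes is left untouched
    and reported as "mixed" so that a person can review it.
    """
    old = [a for a in conn.attrib if a in HOST_ATTRS or a in CERT_ATTRS]
    if not old:
        return "unchanged", []
    if conn.find("SSLHostConfig") is not None:
        return "mixed", old
    host = ET.SubElement(conn, "SSLHostConfig")
    cert = None
    for name in old:
        value = conn.attrib.pop(name)
        if name in HOST_ATTRS:
            host.set(HOST_ATTRS[name], value)
        else:
            if cert is None:
                cert = ET.SubElement(host, "Certificate")
            cert.set(CERT_ATTRS[name], value)
    return "migrated", old


def migrate_server_xml(xml_text):
    """Return (rewritten XML, report) for every <Connector> in the document.

    ElementTree's default parser drops XML comments, so the output is a
    draft to diff against the original file, not a drop-in replacement.
    """
    root = ET.fromstring(xml_text)
    report = []
    for conn in root.iter("Connector"):
        status, names = migrate_connector(conn)
        report.append((conn.get("port"), status, names))
    if hasattr(ET, "indent"):          # pretty-print where available
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_xml, report = migrate_server_xml(OLD_STYLE_SAMPLE)
    for port, status, names in report:
        print(port, status, names)
    print(new_xml)
```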

RE: Simple SSL question

2022-08-11 Thread jonmcalexander
Peter,

Yes, that WOULD be a good thing. That and some examples of implementing the new 
COOL stuff like configure TLS virtual hosting with SNI, would be very helpful.





> -Original Message-
> From: Peter Kreuser 
> Sent: Thursday, August 11, 2022 4:00 PM
> To: Tomcat Users List 
> Subject: Re: Simple SSL question
> 
> 
> Jon and Chris,
> 
> 
> > Am 11.08.2022 um 19:33 schrieb Christopher Schultz
> :
> >
> > Jon,
> >
> >> On 8/11/22 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> I was just wondering if there was a vanity name for the "new" structure is
> all, to differentiate in documentation.
> >
> > *shrug*
> >
> > "New"?
> >
> > That kind of loses its lustre after a while. Today, that's just "the way 
> > you do
> it". So the "new" way is The Way and the old way is ... the Old Way.
> >
> > Use SSLHostConfig. I'm sure you'll sleep better at night after you've
> switched.
> >
> > -chris
> >
> >>> -Original Message-
> >>> From: Christopher Schultz 
> >>> Sent: Thursday, August 11, 2022 11:29 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Simple SSL question
> >>>
> >>> Jon,
> >>>
> >>> On 8/11/22 11:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
>  Is there a "name" for the new connector style? The old is known as
>  the Coyote Connector.
> >>> Coyote is just the name of the connector itself, for whatever reason.
> >>> Both the new and old-style configuration is using the same connector
> >>> underneath. When you configure everything on the <Connector>, Tomcat
> >>> still creates an SSLHostConfig object under the covers and fills it
> >>> with that same data.
> >>>
> >>> Why should you bother migrating? Two reasons:
> >>>
> >>> 1. The new configuration is easier to read IMO. It separates the TLS
> >>> host/key/certificate and all that associated stuff from the more
> >>> basic socket-type stuff for the <Connector>.
> >>>
> >>> 2. It allows for more options such as proper name-based
> >>> virtual-hosting with TLS. It also allows multiple types of keys and
> >>> certificates to be used. For example, you can configure both RSA and EC
> >>> certificates for a single host.
> >>> That's just not possible with the one-attribute-to-rule-them-all
> >>> configuration where everything is on the <Connector> element.
> >>>
> 
> I have tried all the fancy new cert options and they are cool.
> 
> And I do agree that it's more readable.
> 
> What would be useful would be one sample how to transfer a simple "old"
> config to SSLHostConfig.
> That would take away the fear to get going. In another thread I said, that it
> may be a lot of work to migrate a lot of tomcat instances. But I guess most
> people would only need a single SSLHostConfig  to add to their one
> connector...
> 
> Peter
> >>> -chris
> >>>
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Wednesday, August 10, 2022 2:43 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Simple SSL question
> >
> > On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID
> wrote:
> >> Ok, I'm asking a rather simple, stupid (in my opinion) question,
> >> but here
> > goes:
> >>
> >> What is the best practice form of connector for SSL. Is it the
> >> old-school
> > coyote connector or the connector with the <SSLHostConfig>
> section?
> >
> > 
> >
> > The old style isn't supported in Tomcat 10.0.x onwards.
> >
> >> Are the two interchangeable, or does the SSLHostConfig one rely
> >> on
> > openssl and won't work without it? The documentation is confusing
> > me on a hump day afternoon.
> >
> > They are interchangeable. However, if you want to configure TLS
> > virtual hosting with SNI you'll need to use SSLHostConfig.
> >
> > Both approaches can be used with JSSE and OpenSSL based TLS
> > implementations.
> >
> > Mark
> >
> >
> >
> >>
> >> Thanks,
> >>

RE: Simple SSL question

2022-08-11 Thread jonmcalexander
Thanks Chris,

I was just wondering if there was a vanity name for the "new" structure is all, 
to differentiate in documentation.

Thanks,



> -Original Message-
> From: Christopher Schultz 
> Sent: Thursday, August 11, 2022 11:29 AM
> To: users@tomcat.apache.org
> Subject: Re: Simple SSL question
> 
> Jon,
> 
> On 8/11/22 11:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Is there a "name" for the new connector style? The old is known as the
> > Coyote Connector.
> Coyote is just the name of the connector itself, for whatever reason.
> Both the new and old-style configuration is using the same connector
> underneath. When you configure everything on the <Connector>, Tomcat
> still creates an SSLHostConfig object under the covers and fills it with that
> same data.
> 
> Why should you bother migrating? Two reasons:
> 
> 1. The new configuration is easier to read IMO. It separates the TLS
> host/key/certificate and all that associated stuff from the more basic socket-
> type stuff for the <Connector>.
> 
> 2. It allows for more options such as proper name-based virtual-hosting with
> TLS. It also allows multiple types of keys and certificates to be used. For
> example, you can configure both RSA and EC certificates for a single host.
> That's just not possible with the one-attribute-to-rule-them-all configuration
> where everything is on the <Connector> element.
> 
> -chris
> 
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Wednesday, August 10, 2022 2:43 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Simple SSL question
> >>
> >> On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Ok, I'm asking a rather simple, stupid (in my opinion) question, but
> >>> here
> >> goes:
> >>>
> >>> What is the best practice form of connector for SSL. Is it the
> >>> old-school
> >> coyote connector or the connector with the <SSLHostConfig> section?
> >>
> >> 
> >>
> >> The old style isn't supported in Tomcat 10.0.x onwards.
> >>
> >>> Are the two interchangeable, or does the SSLHostConfig one rely on
> >> openssl and won't work without it? The documentation is confusing me
> >> on a hump day afternoon.
> >>
> >> They are interchangeable. However, if you want to configure TLS
> >> virtual hosting with SNI you'll need to use SSLHostConfig.
> >>
> >> Both approaches can be used with JSSE and OpenSSL based TLS
> >> implementations.
> >>
> >> Mark
> >>
> >>
> >>
> >>>
> >>> Thanks,
> >>>



RE: Simple SSL question

2022-08-11 Thread jonmcalexander
Is there a "name" for the new connector style? The old is known as the Coyote 
Connector.

Thanks again!


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, August 10, 2022 2:43 PM
> To: users@tomcat.apache.org
> Subject: Re: Simple SSL question
> 
> On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, I'm asking a rather simple, stupid (in my opinion) question, but here
> goes:
> >
> > What is the best practice form of connector for SSL. Is it the old-school
> coyote connector or the connector with the <SSLHostConfig> section?
> 
> 
> 
> The old style isn't supported in Tomcat 10.0.x onwards.
> 
> > Are the two interchangeable, or does the SSLHostConfig one rely on
> openssl and won't work without it? The documentation is confusing me on a
> hump day afternoon.
> 
> They are interchangeable. However, if you want to configure TLS virtual
> hosting with SNI you'll need to use SSLHostConfig.
> 
> Both approaches can be used with JSSE and OpenSSL based TLS
> implementations.
> 
> Mark
> 
> 
> 
> >
> > Thanks,
> >



RE: Simple SSL question

2022-08-10 Thread jonmcalexander
Thanks Mark!!!

> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, August 10, 2022 2:43 PM
> To: users@tomcat.apache.org
> Subject: Re: Simple SSL question
> 
> On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, I'm asking a rather simple, stupid (in my opinion) question, but here
> goes:
> >
> > What is the best practice form of connector for SSL. Is it the old-school
> coyote connector or the connector with the <SSLHostConfig> section?
> 
> 
> 
> The old style isn't supported in Tomcat 10.0.x onwards.
> 
> > Are the two interchangeable, or does the SSLHostConfig one rely on
> openssl and won't work without it? The documentation is confusing me on a
> hump day afternoon.
> 
> They are interchangeable. However, if you want to configure TLS virtual
> hosting with SNI you'll need to use SSLHostConfig.
> 
> Both approaches can be used with JSSE and OpenSSL based TLS
> implementations.
> 
> Mark
> 
> 
> 
> >
> > Thanks,







Simple SSL question

2022-08-10 Thread jonmcalexander
Ok, I'm asking a rather simple, stupid (in my opinion) question, but here goes:

What is the best practice form of connector for SSL. Is it the old-school 
coyote connector or the connector with the <SSLHostConfig> section?

Are the two interchangeable, or does the SSLHostConfig one rely on openssl and 
won't work without it? The documentation is confusing me on a hump day 
afternoon.

Thanks,




RE: Apache Tomcat 8.5.82 Release Date

2022-08-02 Thread jonmcalexander
Love it Chris!



> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, August 2, 2022 10:42 AM
> To: users@tomcat.apache.org
> Subject: Re: Apache Tomcat 8.5.82 Release Date
> 
> To whom it may concern,
> 
> On 8/2/22 01:28, Wai Siang, Chu wrote:
> > Dear Apache Tomcat Team,
> >
> > Based on the previous email reply,
> > may we have an update regarding the estimated release date for the
> > *Apache Tomcat 8.5.82* ?
> 
> I can accept payments via Venmo if you want to accelerate the release-date
> of Tomcat 8.5.82 as part of *my volunteer efforts* to support Apache
> Tomcat.
> 
> -chris
> 
> >> On 7/26/22 00:13, Wai Siang, Chu wrote:
> >>> Based on the previous email reply,
> >>> may we have an update regarding the estimated release date for the
> >> *Apache
> >>> Tomcat 8.5.82* ?
> >>
> >> I expect to begin the release process around 1 August (6 days from
> today).
> >>
> >> Please note that upgrading to Tomcat 8.5.82 once it is available
> >> should not provide any actual security protections in a production
> environment.
> >> If you have deployed the "examples" web application into production
> >> then you are already making a mistake, security-wise. Simply removing
> >> the application entirely mitigates the threat.
> >>
> >> -chris
> >>
> >>> On Wed, Jul 13, 2022 at 6:00 PM Mark Thomas 
> wrote:
> >>>
>  On 13/07/2022 10:46, Wai Siang, Chu wrote:
> > Dear Apache Tomcat Team,
> >
> > We are aware there is a vulnerability found in the latest 8.5.xx
> >> version.
> >
> > *Low: Apache Tomcat XSS in examples web application*
> > CVE-2022-34305
> >
> > Hence, may we check is there an estimated timeline for the *Apache
> >> Tomcat
> > 8.5.82* release date?
> 
>  Why?
> 
>  Have you reviewed the vulnerability? It is a XSS in the examples app.
>  The examples app should never be deployed in a production
> environment.
>  Hence this vulnerability should be a non-issue for (nearly?) all users.
> 
>  Like all currently supported Tomcat versions, 8.5.x is released on
>  a roughly monthly cycle. The July release for 8.5.x hasn't started
>  yet so I'd expect the release later this month.
> 
>  If you want to follow release planning more closely, then that is
>  discussed on the dev list.
> 
>  Mark
> 
> 
> >
> >
> > Thank you.
> >
> > Regards,
> > Wai Siang
> >
> > D: -
> > M: (65) 9821 0409
> > T: (65) 6837 2822
> > F: (65) 6756 3839
> > E : waisi...@toppanecquaria.com
> >
> > 11 Toa Payoh Lorong 3
> > #02-31 Block C, Jackson Square
> > Singapore 319579
> >
> > Toppan Ecquaria Pte. Ltd.
> > Company Registration No: 199806305H
> >
> > STRICTLY CONFIDENTIAL - This message, its contents and any files
> > transmitted with it are intended SOLELY for the addressee(s) and
> > may be legally privileged and/or confidential. Access by any other
> > party is unauthorised without the expressed written permission of
> > the sender. If
>  you
> > have received this message in error, you may not copy or use the
>  contents,
> > attachments or information in any way. Please destroy it and
> > contact us immediately via e-mail return or by telephone at (65)
> > 68372822. This message has been prepared using information
> > believed by the author to
> >> be
> > reliable and accurate, but Toppan Ecquaria Pte. Ltd. and the
> > Toppan
> 

RE: TLS Weak Cipher Keys for Key Exchange.

2022-07-20 Thread jonmcalexander
To possibly answer my own question, it appears that this can be done on the 
java command line:

set the system property jdk.security.defaultKeySize with the algorithm and its 
desired default key size. For example, to test a DSA default keysize of 2048, 
specify
"-Djdk.security.defaultKeySize=DSA:2048"

on the java command-line.

However, I will wait for the team consensus.

Thanks,



> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Wednesday, July 20, 2022 12:10 PM
> To: users@tomcat.apache.org
> Subject: TLS Weak Cipher Keys for Key Exchange.
> 
> Good afternoon.
> 
> Recently a new Qualys QID vulnerability was released, QID: 38863 -
> Cryptographically Weak Key Exchange Size, which deals with weak cipher key
> exchange key values. I know that we can add a cipher list in the TLS
> Connector in the server.xml, but is there a way to specify a Key size for the
> exchange?
> 
> Thanks,
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



TLS Weak Cipher Keys for Key Exchange.

2022-07-20 Thread jonmcalexander
Good afternoon.

Recently a new Qualys QID vulnerability was released, QID: 38863 - 
Cryptographically Weak Key Exchange Size, which deals with weak cipher key 
exchange key values. I know that we can add a cipher list in the TLS Connector 
in the server.xml, but is there a way to specify a Key size for the exchange?

Thanks,




RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread jonmcalexander
Could this potentially be caused by 


But not using Tomcat Native?

Thanks,



> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Wednesday, July 13, 2022 11:28 AM
> To: Tomcat Users List 
> Subject: AW: [OT] issues with Tomcat to Siteminder communication post
> mod-proxy setup
> 
> Hello,
> 
> > -Original Message-
> > From: jonmcalexan...@wellsfargo.com.INVALID
> >
> > Sent: Wednesday, July 13, 2022 18:17
> > To: users@tomcat.apache.org
> > Subject: RE: [OT] issues with Tomcat to Siteminder communication post
> > mod-proxy setup
> >
> > Here is the error we are getting. The login form, hosted by Tomcat,
> > does a POST to the /login/login.fcc for siteminder which is on the
> > HTTPD server and is not behind the proxypass or proxypassreverse.
> >
> > javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
> > 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: Unable to get Channel Secure Session: Unable to perform siteminder handshake
> > java.lang.Exception: Unable to perform siteminder handshake
> >
> > Our SiteMinder team is telling us it's not their issue. Again, this
> > POST worked fine when using mod_jk and SSL wasn't enabled for
> > connection on Tomcat.
> >
> > Thanks,
> >
> 
> This error message is most likely thrown by the application and not by
> tomcat.
> The underlying error would be important including the full stack below.
> Are there some "caused by" Exceptions below?
> Otherwise the siteminder application is hiding the underlying Exception.
> 
> 
> >
> >
> > > -Original Message-
> > > From: jonmcalexan...@wellsfargo.com.INVALID
> > > 
> > > Sent: Tuesday, July 12, 2022 5:22 PM
> > > To: users@tomcat.apache.org
> > > Subject: RE: [OT] issues with Tomcat to Siteminder communication
> > > post
> > > mod- proxy setup
> > >
> > > I'm wondering if it is having to do with the SMSESSION cookie not
> > > getting passed correctly. Still trying to figure this one out.
> > >
> > > Thanks,
> > >
> > >
> > > > -Original Message-
> > > > From: Christopher Schultz 
> > > > Sent: Tuesday, July 12, 2022 9:16 AM
> > > > To: users@tomcat.apache.org
> > > > Subject: Re: [OT] issues with Tomcat to Siteminder communication
> > > > post
> > > > mod- proxy setup
> > > >
> > > > Jon,
> > > >
> > > > On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > > > Chris,
> > > > >
> > > > > Moving this discussion to here. Yes, it appears that I broke
> > > > > something when setting up the Tomcat Connector for the mod-proxy
> > > > > that is now affecting, somehow, the SSL communication with the
> > > > > Site Minder services. Here is the connector we added below.
> > > >
> > > > The only reason I can think of that would cause your Tomcat TLS
> > > > connector configuration to affect your SiteMinder thing 

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread jonmcalexander
Here is the error we are getting. The login form, hosted by Tomcat, does a POST 
to the /login/login.fcc for siteminder which is on the HTTPD server and is not 
behind the proxypass or proxypassreverse.

javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: Unable to get Channel Secure Session: Unable to perform siteminder handshake
java.lang.Exception: Unable to perform siteminder handshake

Our SiteMinder team is telling us it's not their issue. Again, this POST worked 
fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.

Thanks,



> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Tuesday, July 12, 2022 5:22 PM
> To: users@tomcat.apache.org
> Subject: RE: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> I'm wondering if it is having to do with the SMSESSION cookie not getting
> passed correctly. Still trying to figure this one out.
> 
> Thanks,
> 
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Tuesday, July 12, 2022 9:16 AM
> > To: users@tomcat.apache.org
> > Subject: Re: [OT] issues with Tomcat to Siteminder communication post
> > mod- proxy setup
> >
> > Jon,
> >
> > On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Chris,
> > >
> > > Moving this discussion to here. Yes, it appears that I broke
> > > something when setting up the Tomcat Connector for the mod-proxy
> > > that is now affecting, somehow, the SSL communication with the
> > > Site Minder services. Here is the connector we added below.
> >
> > The only reason I can think of that would cause your Tomcat TLS
> > connector configuration to affect your SiteMinder thing is if you are
> > trying to specify the javax.net.ssl.trustStore system property for the
> > entire JVM, and allowing Tomcat to inherit that.
> >
> > > Temporarily have set certificateVerification to optional to see if
> > > it was something with the communication between HTTPD and Tomcat.
> > >
> > >   > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="100"
> > > compression="on" scheme="https" SSLEnabled="true" secure="true">
> > >
> > >   > certificateVerification="optional" truststoreFile="" truststorePassword=""
> > truststoreType="JKS"
> > >
> > > ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> >
> > Assuming truststoreFile is not actually _blank_, then this should be fine.
> >
> > >  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > >  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > >  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> > >  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > >  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> > >  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > >  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> > >  TLS_DHE_RSA_WITH_AES_128_CCM,
> > >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> > >  TLS_DHE_RSA_WITH_AES_128_CCM_8,
> > >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> > >  
> > > TLS_

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-12 Thread jonmcalexander
I'm wondering if it is having to do with the SMSESSION cookie not getting 
passed correctly. Still trying to figure this one out.

Thanks,


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, July 12, 2022 9:16 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> Jon,
> 
> On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> > Moving this discussion to here. Yes, it appears that I broke something when
> > setting up the Tomcat Connector for the mod-proxy that is now affecting,
> > somehow, the SSL communication with the Site Minder services. Here is the
> > connector we added below.
> 
> The only reason I can think of that would cause your Tomcat TLS connector
> configuration to affect your SiteMinder thing is if you are trying to specify
> the javax.net.ssl.trustStore system property for the entire JVM, and allowing
> Tomcat to inherit that.
> 
> > Temporarily have set certificateVerification to optional to see if it
> > was something with the communication between HTTPD and Tomcat.
> >
> >   > protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="100"
> > compression="on" scheme="https" SSLEnabled="true" secure="true">
> >
> >   certificateVerification="optional" truststoreFile="" truststorePassword=""
> truststoreType="JKS"
> >
> > ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> 
> Assuming truststoreFile is not actually _blank_, then this should be fine.
> 
> >  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> >  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> >  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> >  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> >  TLS_DHE_RSA_WITH_AES_128_CCM,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> >  TLS_DHE_RSA_WITH_AES_128_CCM_8,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> >  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >  
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> >
> >   > Type="RSA" certificateKeystoreFile=".pfx"
> > certificateKeystorePassword="" certificateKeystoreType="pkcs12" />
> 
> Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for you,
> since you are using only an RSA key.
> 
> Is your SiteMinder client code using its own special trust store and key store?
> If you are getting a handshake failure (mentioned in your message to
> dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
> Received fatal alert: bad_certificate error"), you might want to start looking
> there. The problem is very unlikely to be your Tomcat configuration or
> anything related to it, unless you use the same key store and trust store for
> both.
> 
> -chris
> 



[OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-08 Thread jonmcalexander
Chris,

Moving this discussion to here. Yes, it appears that I broke something when 
setting up the Tomcat Connector for the mod-proxy that is now affecting, 
somehow, the SSL communication with the Site Minder services. Here is the 
connector we added below. Temporarily have set certificateVerification to 
optional to see if it was something with the communication between HTTPD and 
Tomcat.










Thanks,




RE: SSL handshake failure logs required for auditing purpose

2022-07-07 Thread jonmcalexander
Tre's Bueno!



> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, July 7, 2022 1:22 PM
> To: users@tomcat.apache.org
> Subject: Re: SSL handshake failure logs required for auditing purpose
> 
> The next release (9.0.65) will have a dedicated logger for TLS handshake
> failures. You will be able to configure it like any other logger - including
> directing it to a dedicated file.
> 
> Mark
> 
> 
> On 07/07/2022 17:11, Ragavendhiran Bhiman (rabhiman) wrote:
> > Hi All,
> >
> > I require your kind help in logging the SSL connection failure logs
> > including IP in the tomcat. Is there any best way to do it without
> > performance impact other than -Djava.net debugs in jdk, is there any
> > direct way from tomcat? Or any way we can derive any class from JSSE
> > extension classes and add HandShakeListener while using the connectors.
> > All our SSL connections are going through connectors. So kindly need
> > your help how to log those SSL connection auditing logs through best
> > method.
> > Thanks a lot in advance.
> >
> > Regards,
> > Raghav
> >
> >
> 



RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-03 Thread jonmcalexander
Thank you as always Mark and all!


> -Original Message-
> From: Mark Thomas 
> Sent: Friday, June 3, 2022 4:19 AM
> To: users@tomcat.apache.org
> Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over
> SSL [EXTERNAL]
> 
> Jon,
> 
> If you want to secure the httpd <-> Tomcat link with mutually authenticated
> TLS then I believe it is possible based on reading the docs but a) haven't
> tested it and b) you are going to need to be careful to ensure Tomcat doesn't
> get confused about whether it is the actual client or the reverse proxy that
> is authenticated.
> 
> The following are some pointers that should help. This is how I would go
> about things if I was doing this.
> 
> 1. Set up mod_proxy_http and get it working over http.
> 
> 2. Create and configure a server certificate for Tomcat.
> 
> 3. Switch to proxy over https.
> 
> 4. Use SSLProxyCACertificate[File|Path] to configure httpd to authenticate
> Tomcat.
> 
> 5. Check you got 4 right by changing the Tomcat cert to a self-signed one and
> looking for the proxy connection to fail.
> 
> 6. Create a client cert for httpd.
> 
> 7. Configure Tomcat to require client cert authentication.
> 
> 8. Configure httpd using SSLProxyMachineCertificate[File|Path] to provide
> the certificate.
> 
> 9. Check you got 8 right by:
> a) using a JSP to view the presented certificate
> b) changing httpd to use a self-signed cert and check it fails
> 
> 
> The problem you have now is that Tomcat sees httpd as a TLS authenticated
> client and you really want Tomcat to see the authentication status of the real
> client.
> 
> I've looked at the SSLValve and it only sets request attributes if the
> relevant headers from httpd are present. You would need to write an
> additional Valve that ran earlier in the pipeline and cleared those headers.
> 
> HTH,
> 
> Mark
> 
> 
> On 03/06/2022 00:13, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, so in short it's not possible to mutually authenticate the
> > mod-proxy and a tomcat connector, correct?
> >
> > I'm needing to convert an ajp configuration to mod-proxy, but a security
> > architect wants the other as well.
> >
> >
> > Thanks,
> >
> >
> > Sent with BlackBerry Work (http://www.blackberry.com)
> >
> > From: Christopher Schultz
> > Sent: Jun 2, 2022 5:05 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over
> > SSL [EXTERNAL]
> >
> > On 6/2/22 14:38, Beard, Shawn wrote:
> >   > I've never done this. But I think it would go something like this:
> >   > To make tomcat take advantages of Client Authentication, require three
> >   > certificates. i.e A Server Certificate for Tomcat, Client Certificate
> >   > for the browser/Apache and Certificate of the CA which will sign both
> >   > the above mentioned certificates.
> >
> > Stop. John: if you aren't using client TLS certs with your end-users,
> > then this is a rathole you don't want to go down.
> >
> > If you *do* need to use client-TLS-auth, then this is correct.
> >
> > -chris
> >
> >
> >
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
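
The httpd side of the steps Mark Thomas lists in the quoted message above, as an added configuration sketch that is not part of the original thread. The host name, port and file paths are placeholders; `SSLProxyVerify` and `SSLProxyCheckPeerName` are not mentioned in the thread and are included because mod_ssl does not verify the back-end certificate chain unless verification is switched on.

```apache
# Added example, not from the thread. Placeholders: tomcat.internal.example,
# port 8443 and every file path below.

# Step 3: proxy to Tomcat over HTTPS.
SSLProxyEngine on
ProxyPass        "/app" "https://tomcat.internal.example:8443/app"
ProxyPassReverse "/app" "https://tomcat.internal.example:8443/app"

# Step 4: trust only the CA that issued Tomcat's server certificate.
SSLProxyCACertificateFile "/etc/httpd/tls/backend-ca.pem"

# Not in the thread: SSLProxyVerify defaults to "none", in which case the
# CA file above is never enforced and the self-signed test in step 5 would
# still connect. "require" makes an untrusted Tomcat certificate fail.
SSLProxyVerify        require
SSLProxyCheckPeerName on

# Steps 6 and 8: the client certificate httpd presents to Tomcat.
# One PEM file holding the certificate followed by its unencrypted key.
SSLProxyMachineCertificateFile "/etc/httpd/tls/httpd-client.pem"

# Step 7 lives in Tomcat's server.xml, shown here as a comment because it
# is a different file. Attribute names are the ones used in this thread:
#   <SSLHostConfig certificateVerification="required"
#                  truststoreFile="(placeholder)" truststoreType="JKS" ...>
#
# With this in place the certificate Tomcat sees on the connection is
# httpd's, not the end user's, which is the caveat raised in the thread.
```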



RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-02 Thread jonmcalexander
Ok, so in short it's not possible to mutually authenticate the mod-proxy and a 
tomcat connector, correct?

I'm needing to convert an ajp configuration to mod-proxy, but a security 
architect wants the other as well.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Christopher Schultz 
Sent: Jun 2, 2022 5:05 PM
To: users@tomcat.apache.org
Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]

On 6/2/22 14:38, Beard, Shawn wrote:
 > I've never done this. But I think it would go something like this:
 > To make tomcat take advantages of Client Authentication, require three
 > certificates. i.e A Server Certificate for Tomcat, Client Certificate
 > for the browser/Apache and Certificate of the CA which will sign both
 > the above mentioned certificates.

Stop. John: if you aren't using client TLS certs with your end-users,
then this is a rathole you don't want to go down.

If you *do* need to use client-TLS-auth, then this is correct.

-chris




RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-02 Thread jonmcalexander
That was my thought also, but wouldn’t that then require the end-users to also 
have certificates? Or would it just be Apache HTTPD? Basically the end users 
connection terminates at the proxy, and the proxy uses its own connection to 
pass it thru. Is that right?


From: Beard, Shawn 
Sent: Thursday, June 2, 2022 1:39 PM
To: Tomcat Users List 
Subject: RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]

I've never done this. But I think it would go something like this:
To make tomcat take advantages of Client Authentication, require three 
certificates. i.e A Server Certificate for Tomcat, Client Certificate for the 
browser/Apache and Certificate of the CA which will sign both the above 
mentioned certificates.

Then you might need to import these into each other's trust/keystore

Tomcat connector config would need to have something like this, note the 
clientAuth="true"


​

Shawn Beard • Sr. Systems Engineer
Middleware Engineering
3840 109th Street, Urbandale, IA 50322
Phone: +1-515-564-2528
Email: sbe...@wrberkley.com
Website: https://berkleytechnologyservices.com/
Technology Leadership Unleashing Business Potential








-Original Message-
From: jonmcalexan...@wellsfargo.com.INVALID
Sent: Thursday, June 2, 2022 1:21 PM
To: users@tomcat.apache.org
Subject: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]



I'm trying to figure out if there is a way to use certificates between Tomcat 
and Apache for mutual authentication of the mod-proxy connection to Tomcat. 
This would be similar as to how you can setup the WebSphere plugin to 
communicate with WebSphere over a mutually secured connection. Is this possible 
with Apache HTTPD and Tomcat over mod-proxy?

Thanks,



Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL

2022-06-02 Thread jonmcalexander
I'm trying to figure out if there is a way to use certificates between Tomcat 
and Apache for mutual authentication of the mod-proxy connection to Tomcat. 
This would be similar as to how you can setup the WebSphere plugin to 
communicate with WebSphere over a mutually secured connection. Is this possible 
with Apache HTTPD and Tomcat over mod-proxy?

Thanks,




RE: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is OPEN!

2022-05-23 Thread jonmcalexander
Ah, ok. I understand. :-) It may be something to consider for the future, for 
those of us with disabilities. :-)


> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, May 23, 2022 3:49 PM
> To: Tomcat Developers List ;
> jonmcalexan...@wellsfargo.com.INVALID; users@tomcat.apache.org;
> csuth...@apache.org
> Subject: Re: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is
> OPEN!
> Importance: High
> 
> Jon,
> 
> On 5/23/22 16:41, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Understood.
> >
> > I'm willing to give it a try if you want to sign me up, but I have to
> > do it virtual. Traveling is not possible for me.
> Oh. Sorry about that; it will need to be in-person. We don't have any set up
> to do pre-recorded or virtual presentations (that I know of) at the moment.
> 
> Thanks,
> -chris
> 



RE: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is OPEN!

2022-05-23 Thread jonmcalexander
Understood.

I'm willing to give it a try if you want to sign me up, but I have to do it 
virtual. Traveling is not possible for me.

Let me know please.


> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, May 23, 2022 3:36 PM
> To: Tomcat Developers List ;
> jonmcalexan...@wellsfargo.com.INVALID; users@tomcat.apache.org;
> csuth...@apache.org
> Subject: Re: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is
> OPEN!
> Importance: High
> 
> Jon,
> 
> On 5/23/22 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > I would really Love to have something, but I just don't have the time
> > to work on anything like this
> You could just talk about something you are already doing. It doesn't need to
> be ground-breaking work. Something along the lines of "we are using Tomcat
> feature X to solve problem Y at job Z". As long as it's not an advertisement
> for your company/product.
> 
> I mean... most of the presentations given by committers are like "Here's how
> to do this fairly mundane thing like connect httpd -> Tomcat".
> 
> > nor do I feel confident enough yet.
> 
> I'm sure you'd do fine. It's not a hostile crowd.
> 
> > Chris keeps blowing holes in my understanding so now I think I need to
> > go and fine-tooth thru the documentation. I really feel I know proper
> > "instance" configuration, but now, not so sure. :-=) Maybe in an
> > upcoming year when I'm older, closer to retirement age. :-D
> The proper configuration is the one that's working for you... especially if
> you understand it! If you don't understand your configuration, you will be
> afraid to change anything for the better... or the worse. :)
> 
> If it takes you a while to figure something out, you are probably not alone.
> You could give a talk on "How I Learned to Stop Worrying and Love the
> Configuration" or whatever. Not everybody thinks the same way, and
> hearing it from you instead of (e.g.) me might be better for the audience.
> 
> -chris
> 



RE: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is OPEN!

2022-05-23 Thread jonmcalexander

> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, May 23, 2022 2:37 PM
> To: Tomcat Users List ; Coty Sutherland
> 
> Cc: Tomcat Developers List 
> Subject: Re: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is
> OPEN!
> Importance: High
> 
> Coty,
> 
> On 5/23/22 15:22, Coty Sutherland wrote:
> > On Fri, Apr 29, 2022 at 2:53 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> All,
> >>
> >> Please remember that the ApacheCon North American conference is still
> >> accepting presentations until 23 May 2022.
> >>
> >> The Tomcat track currently has *zero* proposals, and we were hoping
> >> to fill a 3-day track.
> >>
> >> So please, send in your ideas for presentations!
> >
> > How are we doing now? I just submitted one with the hopes of
> > submitting a second, but I think one is about all I can handle at the
> > moment...
> 
> jfclere proposed 4 talks and it looks like remm added another 2. I guess yours
> is the 7th. (I can't actually see the submitter names right now).
> I haven't done any, yet (I was going to wait to see what else showed up).
> 
> The CFP is officially over today, so I'll probably drop a few in there, too.
> 
> I'm sad to see that no non-committers submitted anything. Maybe it's just
> that people aren't ready to travel/conference quite yet.
> 
> -chris
> 
I would really Love to have something, but I just don't have the time to work 
on anything like this, nor do I feel confident enough yet. Chris keeps blowing 
holes in my understanding so now I think I need to go and fine-tooth thru the 
documentation. I really feel I know proper "instance" configuration, but now, 
not so sure. :-=) Maybe in an upcoming year when I'm older, closer to 
retirement age. :-D

Thanks,




RE: Encryption of Tomcat AJP

2022-05-19 Thread jonmcalexander
> -Original Message-
> From: Brian Eller 
> Sent: Thursday, May 19, 2022 9:29 AM
> To: Tomcat Users List 
> Subject: RE: Encryption of Tomcat AJP
> 
> TRADING PARTNER
> 
> Thank you Mark,
> 
> My vendor supports AJP, but I don't know if they support
> mod_http_proxy.  This is an embedded version of Tomcat 8.5 that is tightly
> coupled with the vendor's software and is an installed subcomponent from
> the vendor.
> 
> 
> Brian Eller  |  Senior System Administrator bel...@guidehouse.com
> 
> Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
> 1200 South College Avenue, Suite 210 | Fort Collins, CO 80524 AceInfo is now
> a Guidehouse company
> 
> -Original Message-
> From: Mark H. Wood 
> Sent: Thursday, May 19, 2022 6:12 AM
> To: users@tomcat.apache.org
> Subject: Re: Encryption of Tomcat AJP
> 
> On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> > CONFIDENTIAL & RESTRICTED
> >
> > From: Mark Thomas 
> > Subject: Re: Encryption of Tomcat AJP
> >
> > >On 19/05/2022 01:32, Brian Eller wrote:
> > >> TRADING PARTNER
> > >>
> > >> Hello,
> > >>
> > >>  I am working on a Tomcat install embedded inside a vendor
> > >> product that uses Apache to pass traffic to Tomcat.  My cyber security
> > >> group is asking if we can encrypt all connections.  Can the mod_jk
> > >> protocol, AJP, be encrypted?
> > >
> > >No, AJP does not support encryption.
> > >
> > >If you want to encrypt traffic between the reverse proxy and the
> > >embedded Tomcat instance I'd recommend using mod_proxy_http and
> > >proxy everything over HTTPS. This requires a little more configuration
> > >to get things working.
> > >
> > >The main thing to keep in mind is to make sure that the Tomcat instance
> > >correctly identifies whether the client connection to the reverse proxy
> > >was over HTTP or HTTPS.
> > >
> > >Mark
> >
> > I totally agree this is an existing and sufficient mechanism already
> > available. And I see it popping up in more and more locations.
> > But as you point out there are some caveats that potentially open security
> > risks. On the contrary AJP - maybe because it cannot be configured with
> > encryption - looks simple and straightforward.
> >
> > Would it make sense to create a solution with fewer caveats and up to date
> > security requirements?
> 
> If the OP's cyber security group insists, then maybe they would care to give
> him their requirements and suggestions for setting up IPSEC.
> 
> --
> Mark H. Wood
> Lead Technology Analyst
> 
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> 

Another thing to consider. If your Apache HTTPD server, or even IIS web server, 
is co-hosted on the same server, set up the AJP to listen and communicate on 
localhost (127.0.0.1) and you shouldn't have to even think about encryption at 
that point. Another possibility would be to port the traffic over a secure VPN 
between the servers, but that may be a costly alternative.

Otherwise, I agree with Mark and go with MOD-PROXY over HTTPS.

Just my .02 worth.



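The binding advice in this thread (AJP carries no encryption, so keep it on 127.0.0.1 when httpd and Tomcat share a host, and proxy over HTTPS otherwise) can be checked mechanically against a server.xml. The Python script below is an added example, not code from the thread or from the Tomcat project; the sample server.xml and the names `audit_connectors`, `bind_scope`, `is_ajp` and `Finding` are constructed for illustration.

```python
"""Audit Tomcat <Connector> elements for cleartext proxy links (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "port protocol verdict reason")

# Constructed sample, not taken from the thread or from any real deployment.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1" />
    <Connector protocol="AJP/1.3" port="8010" address="0.0.0.0" />
    <Connector protocol="org.apache.coyote.ajp.AjpNioProtocol" port="8011" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" address="10.0.0.5" SSLEnabled="true" />
    <Connector protocol="HTTP/1.1" port="8080" address="10.0.0.5" />
  </Service>
</Server>
"""


def is_ajp(protocol):
    """True for 'AJP/1.3' and for the org.apache.coyote.ajp.* class names."""
    p = protocol.lower()
    return p.startswith("ajp/") or ".ajp." in p


def bind_scope(address):
    """Classify a Connector address as 'loopback', 'network' or 'unspecified'."""
    if address is None or not address.strip():
        return "unspecified"
    addr = address.strip()
    if addr.lower() == "localhost":
        return "loopback"
    try:
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "network"
    except ValueError:
        # A host name that cannot be resolved offline: assume it is reachable
        # from other machines rather than assume it is safe.
        return "network"


def audit_connectors(server_xml):
    """Return one Finding per <Connector> in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")          # kept as text: may be ${property}
        protocol = conn.get("protocol", "HTTP/1.1")
        scope = bind_scope(conn.get("address"))
        tls = conn.get("SSLEnabled", "false").lower() == "true"

        if is_ajp(protocol):
            # AJP cannot be encrypted, so only the bind address matters.
            if scope == "loopback":
                verdict, reason = "ok", "AJP stays on the local host"
            elif scope == "network":
                verdict, reason = ("cleartext-on-network",
                                   "AJP is unencrypted; tunnel it or use HTTPS")
            else:
                verdict, reason = ("review",
                                   "no address attribute; set it explicitly")
        elif tls:
            verdict, reason = "ok", "HTTP connector with TLS enabled"
        elif scope == "loopback":
            verdict, reason = "ok", "plain HTTP stays on the local host"
        else:
            # Assumption: an HTTP connector without an address attribute is
            # treated as listening on all addresses.
            verdict, reason = ("cleartext-on-network",
                               "plain HTTP reachable from other hosts")
        findings.append(Finding(port, protocol, verdict, reason))
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"{f.port:>5}  {f.verdict:<22} {f.reason}")
```

A connector reported as `review` or `cleartext-on-network` is the case the thread discusses: either bind it to loopback, or move that hop to mod_proxy over HTTPS.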

RE: [ANN] Apache Tomcat 9.0.63 available

2022-05-16 Thread jonmcalexander
Is there any news around 8.5 next release?


Thanks,



From: Rémy Maucherat 
Sent: May 16, 2022 7:41 AM
To: Tomcat Developers List ; Tomcat Users List 
; annou...@tomcat.apache.org; annou...@apache.org
Subject: [ANN] Apache Tomcat 9.0.63 available

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.63.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.63 is a bugfix and feature release. The notable
changes compared to 9.0.62 include:

- Provide a property source that sources values from Kubernetes service
   bindings. Provided by Sumit Kulhadia and Gareth Evans.

- The root cause of the Linux kernel duplicate accept bug has been
   identified along with the version of the kernel that includes the fix.
   The error message displayed when this bug occurs has been updated to
   reflect this new information and to advise users to update to a
   version of the OS that uses kernel 5.10 or later. Thanks to
   Christopher Gual for the research into this issue.

- Update the packaged version of the Tomcat Native Library to 1.2.33 to
   pick up Windows binaries built with OpenSSL 1.1.1o.

- Add support for encrypted PKCS#1 formatted private keys when configuring
   the internal, in memory key store.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




RE: Tomcat ownership changed spontaneously

2022-04-05 Thread jonmcalexander
This is another reason why separating CATALINA_HOME from CATALINA_BASE is a 
good thing.


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, April 5, 2022 4:57 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat ownership changed spontaneously
> 
> Joel,
> 
> On 4/5/22 10:33, Joel Griffith wrote:
> > I'm running a webapp under Tomcat 9 on Ubuntu 20.04.  We run Tomcat as
> > an ad-hoc system user who owns the Tomcat installation files.
> >
> > On Friday, the app stopped working.  Over the weekend, I determined
> > that the problem was that something had reset the ownership of the
> > Tomcat installation files to the 'tomcat' user so that the webapp no
> > longer had permission to access its own files.  I had to spend a
> > couple of days poring through my notes to figure out what ownership
> > was required for what files and then manually change everything that
> > needed it back to our ad-hoc user.
> >
> > Since this change affected only Tomcat files, I can only guess that an
> > update from Tomcat altered the ownership of these files.  Did any
> > recent Tomcat update change file and folder ownership of the Tomcat
> > installation to force them to the 'tomcat' user?
> 
> The Tomcat distribution is just a tarball. When you untar it, you get the
> current-user as the owner of the files.
> 
> Tomcat has no installer for *NIX systems.
> 
> If you use a third-party package for Tomcat (e.g. apt-get), you may be seeing
> something coming from /them/. Did you recently get any new updates from
> Ubuntu or any other repositories you use?
> 
> -chris
> 



RE: Possibly Silly Question

2022-03-28 Thread jonmcalexander
Thanks for the info Konstantin!



> -Original Message-
> From: Konstantin Kolinko 
> Sent: Monday, March 28, 2022 2:42 PM
> To: Tomcat Users List 
> Subject: Re: Possibly Silly Question
> 
> Fri, 25 Mar 2022 at 19:17, Robert Hicks :
> >
> > Just looking the history page says:
> >
> > *Apache Tomcat 3.0.x*. Initial Apache Tomcat release.
> >
> > Wikipedia also mentions:
> > 2.0 1998 Tomcat started off in November 1998[16] as a servlet reference
> > implementation by James Duncan Davidson, a software architect at Sun
> > Microsystems.
> > So that probably means it was "internal" only.
> 
> See also
> https://tomcat.apache.org/heritage.html
> 
> Best regards,
> Konstantin Kolinko
> 



RE: Possibly Silly Question

2022-03-28 Thread jonmcalexander
Thanks as always Chris!



> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, March 28, 2022 12:18 PM
> To: users@tomcat.apache.org
> Subject: Re: Possibly Silly Question
> 
> Jon,
> 
> On 3/25/22 13:18, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > That is what I thought, but I just wanted to make sure. Have some
> > dubious data from Flexera around Tomcat versions.
> You have to understand that Apache Tomcat wasn't always Apache Tomcat. I
> don't see this in the Wikipedia history[1] or anywhere else for that matter,
> but I distinctly remember playing around with something "Apache JServ"
> back in college (1999/2000). Not just the Apache JServ Protocol
> (AJP) but the Java server was definitely NOT called Tomcat, and there
> seemed to be some confusion over (a) its name and (b) whether or not it
> was a Sun product. So maybe that was during the transition from Sun ->
> Apache and nobody knew what was going on, yet.
> 
> Anyway, there was never a version 2.0 of Apache Tomcat (it wasn't at
> Apache, yet, when it got that version number).
> 
> There is also the "Coyote Connector" which seems to be stuck on version 1.
> -chris
> 
> [1] https://en.wikipedia.org/wiki/Apache_Tomcat#History
> 
> >> -Original Message-
> >> From: Robert Hicks 
> >> Sent: Friday, March 25, 2022 11:17 AM
> >> To: Tomcat Users List 
> >> Subject: Re: Possibly Silly Question
> >>
> >> Just looking the history page says:
> >>
> >> *Apache Tomcat 3.0.x*. Initial Apache Tomcat release.
> >>
> >> Wikipedia also mentions:
> >> 2.0 1998 Tomcat started off in November 1998[16] as a servlet
> >> reference implementation by James Duncan Davidson, a software
> >> architect at Sun Microsystems.
> >> So that probably means it was "internal" only.
> >>
> >> On Fri, Mar 25, 2022 at 11:45 AM
> >> 
> >> wrote:
> >>
> >>> Good morning,
> >>>
> >>> Doing some history research, but was there EVER a released version
> >>> 1x or 2x of Tomcat? IF so, what version numbers had been out there,
> >>> once upon a time ago?
> >>>
> >>> Thank you,
> >>>



RE: Possibly Silly Question

2022-03-25 Thread jonmcalexander
That is what I thought, but I just wanted to make sure. Have some dubious data 
from Flexera around Tomcat versions.

Thanks,


> -Original Message-
> From: Robert Hicks 
> Sent: Friday, March 25, 2022 11:17 AM
> To: Tomcat Users List 
> Subject: Re: Possibly Silly Question
> 
> Just looking the history page says:
> 
> *Apache Tomcat 3.0.x*. Initial Apache Tomcat release.
> 
> Wikipedia also mentions:
> 2.0 1998 Tomcat started off in November 1998[16] as a servlet reference
> implementation by James Duncan Davidson, a software architect at Sun
> Microsystems.
> So that probably means it was "internal" only.
> 
> On Fri, Mar 25, 2022 at 11:45 AM 
> wrote:
> 
> > Good morning,
> >
> > Doing some history research, but was there EVER a released version 1x
> > or 2x of Tomcat? IF so, what version numbers had been out there, once
> > upon a time ago?
> >
> > Thank you,
> >


Possibly Silly Question

2022-03-25 Thread jonmcalexander
Good morning,

Doing some history research, but was there EVER a released version 1x or 2x of 
Tomcat? IF so, what version numbers had been out there, once upon a time ago?

Thank you,




RE: Maybe a stupid (Windows related) question

2022-03-22 Thread jonmcalexander
> -Original Message-
> From: Rony G. Flatscher (Apache) 
> Sent: Tuesday, March 22, 2022 12:21 PM
> To: users@tomcat.apache.org
> Subject: Maybe a stupid (Windows related) question
> 
> For debugging purposes I downloaded the zip-version of Tomcat 10.0.18 and
> start it up using %CATALINA_HOME%\bin\startup.bat.
> 
> This will create by default a separate process (terminal, commandline
> window) in which Tomcat runs and dispatches all output including stdout and
> stderr output into that window.
> 
> By contrast the Windows service installation would redirect stdout and stderr
> by default to %CATALINA_HOME%\logs\ using "tomcat10-stderr.yyy-mm-
> dd.log" and "tomcat10-stdout.-mm-dd.log" as their name. The same
> would be desired for the "startup.bat" version of Tomcat 10.
> 
> Searched <...doc/logging.html> and <...doc/setup.html> to no avail. Searching
> the Internet the best I could find was
> <...ow-to-redirect-tomcat-console-log-to-files-tomcat-started-via-windows-bat>
> which indeed redirects the Tomcat
> startup information to %CATALINA_HOME%\logs\catalina.-mm-dd.log,
> but not stdout and stderr which do not get redirected.
> Using redirections directly in "startup.bat" or "catalina.bat" as suggested
> further down in the serverfault.com did not yield the desired redirection.
> 
> Probably I have been doing something wrong in the past hours and not
> seeing the forest for the trees anymore I kindly request help: what is needed
> to successfully redirect stderr and stdout to %CATALINA_HOME%\logs after
> unzipping Tomcat 10 and starting it on Windows using
> %CATALINA_HOME%\bin\startup.bat?
> 
> TIA for any help/pointer!
> 
> ---rony
> 
> 
> 

Would it not be best to use CATALINA_BASE instead of CATALINA_HOME? The idea 
being that HOME should be the binaries, and BASE is mobile. Just my .02 
worth.

Thanks,






RE: Duplicate accept detected. This is a known OS bug.

2022-02-09 Thread jonmcalexander
Thank you!



> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 9, 2022 2:09 PM
> To: users@tomcat.apache.org
> Subject: Re: Duplicate accept detected. This is a known OS bug.
> 
> On 09/02/2022 19:35, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Thanks Mark,
> >
> > This team has some of the apps running on PCF and also running both
> > JAVA 8 and JAVA 11. This is using Oracle Java on RHEL 7.9.
> >
> > In reading through the activity log on the bug report, it appears that it's
> > being seen on multiple Linux distros as well as on Windows. This feels like
> > something at a fundamental root, but at what actual level?
> 
> Linux.
> 
> The Windows reports are false positives. I'm currently looking at how to
> filter those out.
> 
> If you are using RHEL then I'd suggest:
> - use the C test case from that bug to confirm the issue with your OS
> - raising this as an issue with RedHat
> 
> Mark
> 
> 
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Infrastructure Engineer
> > Asst Vice President
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Wednesday, February 9, 2022 12:02 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Duplicate accept detected. This is a known OS bug.
> >>
> >> On 09/02/2022 17:54, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Hi all,
> >>>
> >>> I have an application team occasionally getting the following
> >>> exception with their application. They are currently using Tomcat
> >>> 9.0.56. I'm not finding much on the intertubes in regards to this.
> >>> Does anyone have any information?
> >>>
> >>> org.apache.tomcat.util.net.Acceptor run
> >>> SEVERE: Socket accept failed
> >>> java.io.IOException: Duplicate accept detected. This is a known OS
> >>> bug. Please consider reporting that you are affected:
> >>>
> >>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298
> >>
> >> That bug and the Java issue linked from it should answer most questions.
> >> The linked Spring bug is generally interesting but doesn't shed much
> >> light on this issue.
> >>
> >> What do you want to know that they don't address?
> >>
> >> Mark
> >>
> >>
> >>>   at org.apache.tomcat.util.net.NioEndpoint.serverSocketAccept(NioEndpoint.java:545)
> >>>   at org.apache.tomcat.util.net.NioEndpoint.serverSocketAccept(NioEndpoint.java:78)
> >>>   at org.apache.tomcat.util.net.Acceptor.run(Acceptor.java:129)
> >>>   at java.base/java.lang.Thread.run(Thread.java:834)
> >>>
> >>>
> >>> Thanks,
> >>>
> >>> Dream * Excel * Explore * Inspire
> >>> Jon McAlexander
> >>> Infrastructure Engineer
> >>> Asst Vice President
> >>>
> >>> Middleware Product Engineering
> >>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >>>
> >>> 8080 Cobblestone Rd | Urbandale, IA 50322
> >>> MAC: F4469-010
> >>> Tel 515-988-2508 | Cell 515-988-2508
> >>>
> >>>
> >>
> jonmcalexan...@wellsfargo.com
> >>> This message may contain confidential and/or privileged information.
> >>> If you
> >> are not the addressee or authorized to receive this for the
> >> addressee, you must not use, copy, disclose, or take any action based
> >> on this message or any information herein. If you have received this
> >> message in error, please advise the sender immediately by reply
> >> e-mail and delete this message. Thank you for

RE: Duplicate accept detected. This is a known OS bug.

2022-02-09 Thread jonmcalexander
Thanks Mark,

This team has some of the apps running on PCF and also running both JAVA 8 
and JAVA 11. This is using Oracle Java on RHEL 7.9. 

In reading through the activity log on the bug report, it appears that it's 
being seen on multiple Linux distros as well as on Windows. This feels like 
something at a fundamental root, but at what actual level?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 9, 2022 12:02 PM
> To: users@tomcat.apache.org
> Subject: Re: Duplicate accept detected. This is a known OS bug.
> 
> On 09/02/2022 17:54, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi all,
> >
> > I have an application team occasionally getting the following exception with
> > their application. They are currently using Tomcat 9.0.56. I'm not finding
> > much on the intertubes in regards to this. Does anyone have any information?
> >
> > org.apache.tomcat.util.net.Acceptor run
> > SEVERE: Socket accept failed
> > java.io.IOException: Duplicate accept detected. This is a known OS
> > bug. Please consider reporting that you are affected:
> >
> > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298
> 
> That bug and the Java issue linked from it should answer most questions.
> The linked Spring bug is generally interesting but doesn't shed much light on
> this issue.
> 
> What do you want to know that they don't address?
> 
> Mark
> 
> 
> >  at org.apache.tomcat.util.net.NioEndpoint.serverSocketAccept(NioEndpoint.java:545)
> >  at org.apache.tomcat.util.net.NioEndpoint.serverSocketAccept(NioEndpoint.java:78)
> >  at org.apache.tomcat.util.net.Acceptor.run(Acceptor.java:129)
> >  at java.base/java.lang.Thread.run(Thread.java:834)
> >
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Infrastructure Engineer
> > Asst Vice President
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> >
> jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> >
> >
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org



RE: clearReferencesThreads issues warning about 2 threads, spawned by JDK in printing components

2022-02-09 Thread jonmcalexander
Thanks Mark,

Unfortunately the URL in the error gets blocked by our security, so I looked it 
up on my home system now.



Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: Mark Thomas 
> Sent: Monday, August 23, 2021 3:06 AM
> To: users@tomcat.apache.org
> Subject: Re: clearReferencesThreads issues warning about 2 threads,
> spawned by JDK in printing components
> 
> On 23/08/2021 08:10, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> 
> 
> 
> > Is there anything, the application can prevent this?
> 
> Yes. Call Thread.setContextClassLoader(ClassLoader) before calling the code
> that creates those threads, passing the common class loader.
> Afterwards, reset the TCCL back to the web application class loader.
> 
> > Should Tomcat maybe skip the warning if the thread is daemonized?
> 
> No. The threads have the web app class loader as their TCCL so you have a
> potential memory leak. The warning is correct.
> 
> > Or maybe these threads should be ignored when checking for orphaned
> threads?
> 
> No, for the same reason.
> 
> > It was tested with Tomcat 9.0.52, Windows 10, Corretto-JDK 11.0.12_7.
> 
> You might want to consider raising a bug against the JDK. It could be argued
> that those threads should be created with a specific class loader to avoid
> memory leaks in container environments.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
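
The swap-and-restore that Mark Thomas describes in the reply above, as an added Java example that is not part of the thread or of Tomcat's code. TcclGuard, callWith and containerLoader are hypothetical names, and treating the parent of the web application class loader as the common class loader is an assumption that holds for a default Tomcat class loader layout.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;

/**
 * Added illustration (hypothetical helper, not Tomcat code): run the code that
 * makes the JDK start long-lived helper threads with the thread context class
 * loader (TCCL) switched away from the web application class loader, then
 * restore the TCCL afterwards.
 */
public final class TcclGuard {

    private TcclGuard() {}

    /**
     * Assumption: with the default Tomcat layout the parent of the web
     * application class loader is the common class loader. Falls back to the
     * system class loader when there is no parent.
     */
    public static ClassLoader containerLoader() {
        ClassLoader webapp = Thread.currentThread().getContextClassLoader();
        ClassLoader parent = (webapp == null) ? null : webapp.getParent();
        return (parent != null) ? parent : ClassLoader.getSystemClassLoader();
    }

    /** Runs task with loader as the TCCL and always restores the previous TCCL. */
    public static <T> T callWith(ClassLoader loader, Callable<T> task) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader original = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return task.call();
        } finally {
            // Reset even if the task throws, so request processing that
            // follows still sees the web application class loader.
            current.setContextClassLoader(original);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: a child loader stands in for the web application
        // class loader that Tomcat sets as the TCCL of request threads.
        try (URLClassLoader fakeWebapp =
                 new URLClassLoader(new URL[0], TcclGuard.class.getClassLoader())) {
            Thread.currentThread().setContextClassLoader(fakeWebapp);

            // A new thread inherits the TCCL of the thread that creates it.
            // This is how a JDK helper thread ends up holding a reference to
            // the web application class loader.
            Thread unguarded = new Thread(() -> {});

            // Same thread creation, but wrapped in the guard.
            Thread guarded = callWith(containerLoader(), () -> new Thread(() -> {}));

            System.out.println("unguarded thread holds webapp loader: "
                    + (unguarded.getContextClassLoader() == fakeWebapp));
            System.out.println("guarded thread holds webapp loader:   "
                    + (guarded.getContextClassLoader() == fakeWebapp));
            System.out.println("TCCL restored after the call:         "
                    + (Thread.currentThread().getContextClassLoader() == fakeWebapp));
        }
    }
}
```

In a web application the wrapped task would be the first call into the JDK code that spawns the threads named in the warning, made once, for instance from a ServletContextListener.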



Duplicate accept detected. This is a known OS bug.

2022-02-09 Thread jonmcalexander
Hi all,

I have an application team occasionally getting the following exception with 
their application. They are currently using Tomcat 9.0.56. I'm not finding much 
on the intertubes in regards to this. Does anyone have any information?

org.apache.tomcat.util.net.Acceptor run
SEVERE: Socket accept failed
java.io.IOException: Duplicate accept detected. This is a known OS bug. Please consider reporting that you are affected: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298
at org.apache.tomcat.util.net.NioEndpoint.serverSocketAccept(NioEndpoint.java:545)
at org.apache.tomcat.util.net.NioEndpoint.serverSocketAccept(NioEndpoint.java:78)
at org.apache.tomcat.util.net.Acceptor.run(Acceptor.java:129)
at java.base/java.lang.Thread.run(Thread.java:834)


Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



RE: Tomcat 9 cannot start on windows 10 as service

2022-02-08 Thread jonmcalexander
> -Original Message-
> From: W 
> Sent: Tuesday, February 8, 2022 10:36 PM
> To: users@tomcat.apache.org
> Subject: Tomcat 9 can not start on windows 10 as service
> 
> Hi,
> I install tomcat 9 using downloaded installation package. It was installed
> successfully. I made tomcat manager working. I deployed my application...
> Suddenly, tomcat stopped. Then I try to restart it using windows service. I
> got error 5: access denied. I uninstalled tomcat and re-installed it. The same
> thing happened. Now I can go to tomcat\bin directory run startup.bat. It works.
> What is wrong? How can I run it automatically using windows service? Please.
> Any information would be appreciated. Thanks in advance.

Hi W,

Kindly check which user is set up to run the Tomcat Service and make sure that 
that user has at least read/execute permissions to your CATALINA_HOME and 
CATALINA_BASE directory structures. (Note, this may be the same location 
depending on how you have configured Tomcat.) More than likely it's the Local 
System account.

You will want to make sure that at least the webapps, work, temp, and logs 
directory have Modify permissions at a minimum for that user.

Hope this helps,



RE: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 server

2022-02-08 Thread jonmcalexander
Hey, 
I look up to you, Mark, and Rémy. Just trying to make sure I understand, so 
that when I grow up I might be as good as you 3. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, February 8, 2022 6:10 PM
> To: users@tomcat.apache.org
> Subject: Re: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008
> server
> 
> Jon,
> 
> On 2/7/22 18:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Monday, February 7, 2022 2:32 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2
> >> 2008 server
> >>
> >> Rakesh,
> >>
> >> On 2/6/22 14:52, rakesh meka wrote:
> >>> Greetings of the day. Hope you all are doing well.
> >>>
> >>> I am actually new to tomcat. I had required from the client that we
> >>> need to upgrade tomcat from 8.5.23 to 8.5.75 where there is an
> >>> application is deployed which makes sap 4.6c integration.
> >>>
> >>> So I need to upgrade from old version to new version without losing
> >>> any data/connections.
> >>>
> >>> I couldn't find the steps or proper tutorials on how to start upgrade.
> >>>
> >>> Should I need uninstall current version and then install new version
> >>> and deploy the application?
> >>>
> >>> Is there any better way that I can upgrade the current folder
> >>> structure to new version without uninstalling in that case what are
> >>> changes I need to do?
> >>>
> >>>
> >>> Please let me know. I would be eagerly waiting for the response from
> >>> you.
> >>
> >> You might want to read this as you prepare your upgrade. It may help
> >> you upgrade in the future.
> >>
> >>
> >> https://tomcat.apache.org/presentations.html#latest-split-installation
> >>
> >> -chris
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> > Chris,
> >
> > On slide 15, you mention makebase AFTER the other steps:
> > Configure Tomcat
> > – conf/server.xml, conf/web.xml,
> > conf/catalina.properties1, conf/tomcat-users1
> > ● Install web applications in webapps/
> > ● CATALINA_HOME/bin/makebase.[sh|bat]
> >
> > Why run makebase AFTER you have already created your Instance
> > (CATALINA_BASE) structure? Is this to create the setenv.sh? I'm just trying
> > to understand your steps as I work on improving my understanding for support
> > in my organization.
> 
> Yeah, I guess it makes sense to create CATALINA_BASE before you try to put
> files into it, eh? :) I'll review that and add errata as appropriate.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org





RE: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 server

2022-02-07 Thread jonmcalexander
> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, February 7, 2022 2:32 PM
> To: users@tomcat.apache.org
> Subject: Re: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008
> server
> 
> Rakesh,
> 
> On 2/6/22 14:52, rakesh meka wrote:
> > Greetings of the day. Hope you all are doing well.
> >
> > I am actually new to tomcat. I had required from the client that we
> > need to upgrade tomcat from 8.5.23 to 8.5.75 where there is an
> > application is deployed which makes sap 4.6c integration.
> >
> > So I need to upgrade from old version to new version without losing
> > any data/connections.
> >
> > I couldn't find the steps or proper tutorials on how to start upgrade.
> >
> > Should I need uninstall current version and then install new version
> > and deploy the application?
> >
> > Is there any better way that I can upgrade the current folder
> > structure to new version without uninstalling in that case what are changes I
> > need to do?
> >
> >
> > Please let me know. I would be eagerly waiting for the response from you.
> 
> You might want to read this as you prepare your upgrade. It may help you
> upgrade in the future.
> 
> https://tomcat.apache.org/presentations.html#latest-split-installation
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Chris,

On slide 15, you mention makebase AFTER the other steps:
Configure Tomcat
– conf/server.xml, conf/web.xml, 
conf/catalina.properties1, conf/tomcat-users1
● Install web applications in webapps/
● CATALINA_HOME/bin/makebase.[sh|bat]

Why run makebase AFTER you have already created your Instance (CATALINA_BASE) 
structure? Is this to create the setenv.sh? I'm just trying to understand your 
steps as I work on improving my understanding for support in my organization.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



RE: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 server

2022-02-07 Thread jonmcalexander
Note, this is if on Windows. Linux/Unix is similar without the service part.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: jonmcalexan...@wellsfargo.com.INVALID
Sent: Feb 7, 2022 8:48 AM
To: users@tomcat.apache.org
Subject: RE: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 
server

The way I suggest is to do this:

First Time

1. Install new version side-by-side.
2. Separate CATALINA_BASE and CATALINA_HOME.
3. Create a symbolic link for CATALINA_HOME.
4. Make the necessary changes to config files, make sure the CATALINA_BASE lib 
only contains the jar files for your application. Keep all NATIVE jars in 
CATALINA_HOME lib.
5. Make necessary updates to registry as needed.
6. Stop service.
7. Start service.

Future times.

1. Install new binaries.
2. Update symbolic link for CATALINA_HOME to point to new releases.
3. Stop service.
4. Start service.

Note: may have to stop service before you can modify the sym-link.

Hope this helps.

Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: rakesh meka 
Sent: Feb 6, 2022 1:53 PM
To: Tomcat Users List 
Subject: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 server

Hi Team,

Greetings of the day. Hope you all are doing well.

I am actually new to tomcat. I had required from the client that we need to
upgrade tomcat from 8.5.23 to 8.5.75 where there is an application is
deployed which makes sap 4.6c integration.

So I need to upgrade from old version to new version without losing any
data/connections.

I couldn't find the steps or proper tutorials on how to start upgrade.

Should I need uninstall current version and then install new version and
deploy the application?

Is there any better way that I can upgrade the current folder structure to
new version without uninstalling in that case what are changes I need to do?


Please let me know. I would be eagerly waiting for the response from you.


Thanks and Regards,
Meka Rakesh.


RE: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 server

2022-02-07 Thread jonmcalexander
The way I suggest is to do this:

First Time

1. Install new version side-by-side.
2. Separate CATALINA_BASE and CATALINA_HOME.
3. Create a symbolic link for CATALINA_HOME.
4. Make the necessary changes to config files, make sure the CATALINA_BASE lib 
only contains the jar files for your application. Keep all NATIVE jars in 
CATALINA_HOME lib.
5. Make necessary updates to registry as needed.
6. Stop service.
7. Start service.

Future times.

1. Install new binaries.
2. Update symbolic link for CATALINA_HOME to point to new releases.
3. Stop service.
4. Start service.

Note: may have to stop service before you can modify the sym-link.

Hope this helps.

Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: rakesh meka 
Sent: Feb 6, 2022 1:53 PM
To: Tomcat Users List 
Subject: How to Upgrade tomcat from 8.5.23 to 8.5.73 | windows r2 2008 server

Hi Team,

Greetings of the day. Hope you all are doing well.

I am actually new to tomcat. I had required from the client that we need to
upgrade tomcat from 8.5.23 to 8.5.75 where there is an application is
deployed which makes sap 4.6c integration.

So I need to upgrade from old version to new version without losing any
data/connections.

I couldn't find the steps or proper tutorials on how to start upgrade.

Should I need uninstall current version and then install new version and
deploy the application?

Is there any better way that I can upgrade the current folder structure to
new version without uninstalling in that case what are changes I need to do?


Please let me know. I would be eagerly waiting for the response from you.


Thanks and Regards,
Meka Rakesh.


RE: log4j CVE general question

2021-12-13 Thread jonmcalexander
Ok, so I have been given clearance to share the stance that we are taking with 
log4j. We have contacted Apache Security and are awaiting a response.

Before making a final decision around log4j 1.x, consider the following:

- Initially, 1.x wasn’t assessed for the vulnerability because it is end of 
life, so many points of guidance did not assess it and excluded it from their 
advisories.
- The situation with 1.x is morphing; modifications to the payload may result in 
RCE or server-side lookups. There are also circumstances where 1.x is vulnerable:
- Log4j 1.x may be impacted by CVE-2021-44228 in a number of conditions, such as 
when the configuration uses JNDI, which may have been enabled.
- It's possible to use the 1.x Appender to load strings from a remote server. If 
you set TopicBindingName or TopicConnectionFactoryBindingName to values that 
JNDI can handle, which is a configuration issue that needs to be investigated 
by teams using 1.x, but a lower priority than the risk of 2.x exploitation 
which is not configuration-dependent.
- Log4j 1.x is End of Life, and has other security vulnerabilities that will not 
be fixed, i.e. (CVE-2019-17571) that should be assessed when judging their risk.

Our recommendation is to migrate from 1.x as a P2 priority, behind your 2.x 
patching efforts. Migration guide: 
https://logging.apache.org/log4j/2.x/manual/migration.html

Thanks. Just trying to help and practice good stewardship in the Tomcat 
community. :-D

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Monday, December 13, 2021 11:48 AM
> To: users@tomcat.apache.org
> Subject: RE: log4j CVE general question
> 
> I understand Chris. I guess I was looking to see if he had contact info for
> anyone on that particular project. I know it's not like a "company".
> 
> Thanks though!
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Monday, December 13, 2021 11:39 AM
> > To: users@tomcat.apache.org
> > Subject: Re: log4j CVE general question
> >
> > Jon,
> >
> > On 12/13/21 11:51, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > So, based on these entries on the log4j apache pages, I can't see
> > > that any 1x product is vulnerable. Mark, is there some message from
> > > Apache that we can share with those that need to know that for
> > > certain 1x log4j is NOT vulnerable?
> > This is not something the Tomcat team (or Mark, individually) can
> > really do for you.
> >
> > You should check for information from the log4j team.
> >
> > Unofficially, log4j 1.x does not seem to be affected. There were some
> > questions about configuring it for use with a JMS appender, but it
> > seems those issues would be limited to having a compromised JMS server
> > or an injection into JNDI from another (unrelated) exploit.
> >
> > -chris
> >
> >
> > >
> > >
> > > News
> > > CVE-2021-44228
> > >
> > > The Log4j team has been made aware of a security vulnerability,
> > > CVE-2021-44228, that has been addressed in Log4j 2.15.0.
> > >
> > > Log4j's JNDI support has not restricted what names could be resolved.
> > Some protocols are unsafe or can allow remote code execution. Log4j
> > now limits the protocols by default to only java, ldap, and ldaps and
> > limits the ldap protocols to only accessing Java primitive objects by
> > default served on the local host.
> > >
> > > One vector that allowed exposure to this vulnerability was Log4j's
> > allowance of Lookups to appear in log messages. As of Log4j 2.15.0
> > t
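
One way to carry out the 1.x configuration review described in the message above, as an added Java example that is not from the thread or from the Log4j project. It reads a log4j.properties file, finds appenders of class org.apache.log4j.net.JMSAppender and reports their TopicBindingName and TopicConnectionFactoryBindingName values. The class name, the classification labels and the sample configuration are constructed for illustration, and XML configurations are outside what it covers.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration (hypothetical helper): audit log4j 1.x properties for JMSAppender JNDI names. */
public final class Log4j1JmsAppenderAudit {

    private static final String PREFIX = "log4j.appender.";
    private static final String JMS_APPENDER = "org.apache.log4j.net.JMSAppender";
    // The two options named in the message above.
    private static final List<String> OPTIONS =
            Arrays.asList("TopicBindingName", "TopicConnectionFactoryBindingName");
    // A leading "scheme:" means the name is resolved by a JNDI URL context.
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    private Log4j1JmsAppenderAudit() {}

    static String classify(String value) {
        Matcher m = SCHEME.matcher(value);
        if (!m.find()) {
            return "plain name, resolved in the configured naming context";
        }
        String scheme = m.group(1).toLowerCase();
        return "java".equals(scheme)
                ? "java: name, resolved inside the local JVM"
                : scheme + ": URL, may be resolved on a remote server: REVIEW";
    }

    static List<String> audit(Properties props) {
        List<String> findings = new ArrayList<>();
        TreeSet<String> keys = new TreeSet<>(props.stringPropertyNames());
        for (String key : keys) {
            if (!key.startsWith(PREFIX)) {
                continue;
            }
            String appender = key.substring(PREFIX.length());
            // "log4j.appender.<name>" declares the class; longer keys are options.
            if (appender.contains(".") || !JMS_APPENDER.equals(props.getProperty(key).trim())) {
                continue;
            }
            findings.add("appender '" + appender + "' uses JMSAppender");
            for (String optionKey : keys) {
                for (String option : OPTIONS) {
                    // log4j 1.x accepts either case for the first letter of an option.
                    if (optionKey.equalsIgnoreCase(key + "." + option)) {
                        String value = props.getProperty(optionKey).trim();
                        findings.add("  " + option + " = " + value + " [" + classify(value) + "]");
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration, not taken from any real system.
        String sample =
                "log4j.rootLogger=INFO, file, jms\n"
              + "log4j.appender.file=org.apache.log4j.RollingFileAppender\n"
              + "log4j.appender.file.File=logs/app.log\n"
              + "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
              + "log4j.appender.jms.TopicBindingName=ldap://directory.example.invalid/cn=topic\n"
              + "log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory\n";
        Properties props = new Properties();
        props.load(new StringReader(sample));
        for (String line : audit(props)) {
            System.out.println(line);
        }
    }
}
```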

RE: log4j CVE general question

2021-12-13 Thread jonmcalexander
I understand Chris. I guess I was looking to see if he had contact info for 
anyone on that particular project. I know it's not like a "company". 

Thanks though!

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com

> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, December 13, 2021 11:39 AM
> To: users@tomcat.apache.org
> Subject: Re: log4j CVE general question
> 
> Jon,
> 
> On 12/13/21 11:51, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > So, based on these entries on the log4j apache pages, I can't see that
> > any 1x product is vulnerable. Mark, is there some message from Apache
> > that we can share with those that need to know that for certain 1x
> > log4j is NOT vulnerable?
> This is not something the Tomcat team (or Mark, individually) can really do
> for you.
> 
> You should check for information from the log4j team.
> 
> Unofficially, log4j 1.x does not seem to be affected. There were some
> questions about configuring it for use with a JMS appender, but it seems
> those issues would be limited to having a compromised JMS server or an
> injection into JNDI from another (unrelated) exploit.
> 
> -chris
> 
> 
> >
> >
> > News
> > CVE-2021-44228
> >
> > The Log4j team has been made aware of a security vulnerability,
> > CVE-2021-44228, that has been addressed in Log4j 2.15.0.
> >
> > Log4j's JNDI support has not restricted what names could be resolved.
> > Some protocols are unsafe or can allow remote code execution. Log4j now
> > limits the protocols by default to only java, ldap, and ldaps and limits the
> > ldap protocols to only accessing Java primitive objects by default served on
> > the local host.
> >
> > One vector that allowed exposure to this vulnerability was Log4j's
> allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this
> feature is now disabled by default. While an option has been provided to
> enable Lookups in this fashion, users are strongly discouraged from enabling
> it.
> >
> > For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior
> can be mitigated by setting either the system property
> log4j2.formatMsgNoLookups or the environment variable
> LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and
> <=2.14.1, all PatternLayout patterns can be modified to specify the message
> converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9
> and <=2.10.0, the mitigation is to remove the JndiLookup class from the
> classpath: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class.
> >
> >
> > Fixed in Log4j 2.15.0
> >
> > CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
> > controlled LDAP and other JNDI related endpoints.
> >
> > Severity: Critical
> >
> > Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
> >
> > Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
> >
> > Description: Apache Log4j <=2.14.1 JNDI features used in configuration, log
> messages, and parameters do not protect against attacker controlled LDAP
> and other JNDI related endpoints. An attacker who can control log messages
> or log message parameters can execute arbitrary code loaded from LDAP
> servers when message lookup substitution is enabled. From log4j 2.15.0, this
> behavior has been disabled by default.
> >
> > Mitigation: In releases >=2.10, this behavior can be mitigated by setting
> either the system property log4j2.formatMsgNoLookups or the environment
> variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7
> and <=2.14.1, all PatternLayout patterns can be modified to specify the
> message converter as %m{nolookups} instead of just %m. For releases
> >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class
> from the classpath: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class.
> >
> > Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security
> Team.
> >
> > References:
> >
> > https://issues.apache.org/jira/browse/LOG4J2-3201

log4j CVE general question

2021-12-13 Thread jonmcalexander
So, based on these entries on the log4j apache pages, I can't see that any 1x 
product is vulnerable. Mark, is there some message from Apache that we can 
share with those that need to know that for certain 1x log4j is NOT vulnerable?


News
CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, 
that has been addressed in Log4j 2.15.0.

Log4j's JNDI support has not restricted what names could be resolved. Some 
protocols are unsafe or can allow remote code execution. Log4j now limits the 
protocols by default to only java, ldap, and ldaps and limits the ldap 
protocols to only accessing Java primitive objects by default served on the 
local host.

One vector that allowed exposure to this vulnerability was Log4j's allowance of 
Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now 
disabled by default. While an option has been provided to enable Lookups in 
this fashion, users are strongly discouraged from enabling it.

For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can 
be mitigated by setting either the system property log4j2.formatMsgNoLookups or 
the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases 
>=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the 
message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 
and <=2.10.0, the mitigation is to remove the JndiLookup class from the 
classpath: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class.


Fixed in Log4j 2.15.0

CVE-2021-44228: 
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and 
other JNDI related endpoints.

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1

Description: Apache Log4j <=2.14.1 JNDI features used in configuration, log
messages, and parameters do not protect against attacker controlled LDAP and 
other JNDI related endpoints. An attacker who can control log messages or log 
message parameters can execute arbitrary code loaded from LDAP servers when 
message lookup substitution is enabled. From log4j 2.15.0, this behavior has 
been disabled by default.

Mitigation: In releases >=2.10, this behavior can be mitigated by setting 
either the system property log4j2.formatMsgNoLookups or the environment 
variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, 
all PatternLayout patterns can be modified to specify the message converter as 
%m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the 
mitigation is to remove the JndiLookup class from the classpath: zip -q -d 
log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.

References: https://issues.apache.org/jira/browse/LOG4J2-3201 and 
https://issues.apache.org/jira/browse/LOG4J2-3198

Thanks,




RE: Disable a library in Tomcat configuration

2021-12-11 Thread jonmcalexander
Thanks Mark


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Mark Thomas 
Sent: Dec 11, 2021 2:23 AM
To: users@tomcat.apache.org
Subject: Re: Disable a library in Tomcat configuration

On 11/12/2021 02:02, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Is there a way to forcibly prevent a library from loading in Tomcat during 
> startup that will also prevent an app from loading the library?
>
> Trying to find a way to block vulnerabilities.

Dependencies are rarely optional. Blocking a library from loading is
likely to break the application.

Tomcat does not provide such a feature.

You could probably do it with a custom web resources implementation but
that would be non-trivial and, as I said above, likely to break apps.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-10 Thread jonmcalexander
If you aren't able to get the "fixed" version of the jar that fixes the 
vulnerability, I would suggest adding this to your Java Options for Tomcat:

-Dlog4j2.formatMsgNoLookups=true

Thanks,



> -Original Message-
> From: James H. H. Lampert 
> Sent: Friday, December 10, 2021 4:17 PM
> To: Tomcat Users List 
> Subject: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect
> Tomcat?
> 
> A customer brought this to my attention:
> 
> https://www.randori.com/blog/cve-2021-44228/
> 
> I have no idea how (or if) Tomcat is affected. I have only the vaguest idea
> what this vulnerability even *is.*
> 
> Can anybody here shed any light?
> 
> --
> JHHL
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
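
The advisory's mitigation ranges overlap, so whether the -Dlog4j2.formatMsgNoLookups=true option suggested above is available, or only one of the other two mitigations, depends on the log4j-core version actually deployed. The following is an added example, not code from this thread or from the Log4j or Tomcat projects: it maps a version to the mitigations listed in the advisory quoted in this archive and applies that to every log4j-core-*.jar under a directory. Function names and the sample tree are constructed, and versions are read from file names, an assumption that fails for renamed or shaded jars.

```shell
#!/bin/sh
# Added example, not Log4j or Tomcat project code. Function names are
# hypothetical; the version ranges are those in the advisory quoted above.

# ver_key VERSION: numeric sort key, e.g. 2.14.1 -> 2014001, 2.3 -> 2003000.
# A "-suffix" such as -beta9 is dropped; the caller handles pre-releases.
ver_key() {
    printf '%s\n' "${1%%-*}" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# log4j_mitigations VERSION: print which of the advisory's mitigations apply.
log4j_mitigations() {
    case $1 in
        2.0-alpha*|2.0-beta[1-8]) echo "out-of-range"; return 0 ;;  # before 2.0-beta9
        [0-9]*.[0-9]*) ;;
        *) echo "unknown-version"; return 0 ;;
    esac
    k=$(ver_key "$1")
    if [ "$k" -lt 2000000 ]; then echo "out-of-range"; return 0; fi  # e.g. 1.x
    if [ "$k" -ge 2015000 ]; then echo "fixed"; return 0; fi
    out=""
    # >=2.10: log4j2.formatMsgNoLookups or LOG4J_FORMAT_MSG_NO_LOOKUPS set to true
    if [ "$k" -ge 2010000 ]; then out="$out formatMsgNoLookups"; fi
    # >=2.7 and <=2.14.1: %m{nolookups} in every PatternLayout pattern
    if [ "$k" -ge 2007000 ]; then out="$out nolookups-pattern"; fi
    # >=2.0-beta9 and <=2.10.0: delete JndiLookup.class from the jar
    if [ "$k" -le 2010000 ]; then out="$out remove-JndiLookup"; fi
    printf '%s\n' "${out# }"
}

# jar_version PATH: version taken from a log4j-core-<version>.jar file name.
jar_version() {
    b=${1##*/}
    b=${b#log4j-core-}
    printf '%s\n' "${b%.jar}"
}

# scan_tree DIR: one "version|mitigations|relative path" line per jar found.
# Only jars on disk are seen; jars inside unexpanded WAR files are not.
scan_tree() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        v=$(jar_version "$jar")
        printf '%s|%s|%s\n' "$v" "$(log4j_mitigations "$v")" "${jar#"$1"/}"
    done
}

# Constructed sample layout: empty placeholder files, not real jars.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/webapps/a/WEB-INF/lib" "$d/webapps/b/WEB-INF/lib" "$d/lib"
    : > "$d/webapps/a/WEB-INF/lib/log4j-core-2.14.1.jar"
    : > "$d/webapps/b/WEB-INF/lib/log4j-core-2.8.2.jar"
    : > "$d/lib/log4j-core-2.15.0.jar"
    printf '%s\n' "$d"
}

# Stand-alone run: report on the constructed tree, then clean up.
sample=$(make_sample_tree)
scan_tree "$sample"
rm -rf "$sample"
```

The ranges are the ones in the advisory text as quoted here in December 2021; the Log4j project revised its guidance afterwards, so check the current Log4j security page before relying on a mitigation instead of an upgrade.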



Disable a library in Tomcat configuration

2021-12-10 Thread jonmcalexander
Is there a way to forcibly prevent a library from loading in Tomcat during 
startup that will also prevent an app from loading the library?

Trying to find a way to block vulnerabilities.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)


RE: Updating Tomcat on an Amazon Linux 2 EC2 instance?

2021-12-08 Thread jonmcalexander
I think it's going to come down to how the 8.5.58 was installed. Was it via an 
rpm or zip file? I have used both methods and you should be able to install the 
8.5.73 without affecting the 8.5.58. If you are using a separated CATALINA_BASE 
and CATALINA_HOME, then updating your configuration should be super simple, 
especially if using symbolic links to point to your Tomcat binaries.


> -Original Message-
> From: James H. H. Lampert 
> Sent: Wednesday, December 8, 2021 11:40 AM
> To: Tomcat Users List 
> Subject: Updating Tomcat on an Amazon Linux 2 EC2 instance?
> 
> We have a Tomcat server running on an Amazon Linux 2 EC2 instance.
> 
> Off the top of my head, I don't remember how I originally installed it, but 
> it's
> currently at 8.5.58.
> 
> I'd like to update it to 8.5.73, but I don't quite know how to do this in 
> Amazon
> Linux 2 (now if somebody asked about installation or update on an IBM
> Midrange System, I could practically write a how-to manual).
> 
> Can somebody relieve my ignorance?
> 
> --
> JHHL
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org



RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-17 Thread jonmcalexander
Yeah, we love our symbolic links here, Ix and Windows.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Michael B Allen 
Sent: Nov 17, 2021 9:17 PM
To: Tomcat Users List 
Subject: Re: How to *properly* create and use a CATALINA_BASE installation

On Wed, Nov 17, 2021 at 9:05 PM Mark Eggers
<its_toas...@yahoo.com.invalid> wrote:
> CATALINA_HOME and CATALINA_BASE are links to an appropriate Tomcat
> installation, and one configured for that particular service.
>
> Then to upgrade to a new Tomcat, you do the following:
>
> 1. Unpack the new reference version of Tomcat somewhere which becomes
> CATALINA_HOME.
>
> 2. Create the new service-specific installation of Tomcat which becomes
> CATALINA_BASE.
>
> All of the above can be done without disturbing the existing service.
>
> To upgrade, do the following:
>
> 1. Shut down the service
> 2. Move the links
> 3. Start up the service
>
> If things blow up in your face, then the roll back is really easy:
>
> 1. Shut down the service
> 2. Restore the links
> 3. Start up the service

This makes me realize my proposed bin/run.sh method is not really
tuned for production. Indeed links could be used to great effect here.
Windows has mklink /d   which is essentially the same
as ln on *nix near as I can tell. Might help with issues like the
catalina.policy file path in the registry when using the Windows
service.

Mike

-
To unsubscribe, e-mail: 
users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: 
users-h...@tomcat.apache.org
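
The link-based upgrade and rollback quoted in the message above, as an added example that is not part of the thread or of Tomcat: it checks the new targets before touching anything, records the old link targets, and restores them on rollback. The directory layout, the function names and the no-op service hooks are assumptions; 8.5.58 and 8.5.73 are the versions mentioned elsewhere in this archive.

```shell
#!/bin/sh
# Added example, not Tomcat project code. Paths and function names are
# hypothetical; the sample tree below is constructed.

# Replace these no-op hooks with the real commands for your init system.
stop_service()  { :; }
start_service() { :; }

# check_targets HOME_DIR BASE_DIR: refuse targets that cannot start a Tomcat.
# server.xml and web.xml are the minimum conf files named in this archive.
check_targets() {
    [ -f "$1/bin/catalina.sh" ] || { echo "no bin/catalina.sh in $1" >&2; return 1; }
    for f in server.xml web.xml; do
        [ -f "$2/conf/$f" ] || { echo "no conf/$f in $2" >&2; return 1; }
    done
    return 0
}

# set_link TARGET LINK: repoint LINK at TARGET. The service is stopped, so
# remove-then-create is sufficient. rm fails if LINK is a real directory,
# which keeps an actual installation from being clobbered.
set_link() {
    rm -f "$2" && ln -s "$1" "$2"
}

# switch_links SVC_DIR NEW_HOME NEW_BASE: steps 1-3 of the upgrade.
switch_links() {
    svc=$1
    check_targets "$2" "$3" || return 1
    # Remember the current targets so rollback needs no arguments.
    old_home=$(readlink "$svc/CATALINA_HOME" || true)
    old_base=$(readlink "$svc/CATALINA_BASE" || true)
    printf '%s\n%s\n' "$old_home" "$old_base" > "$svc/.previous"
    stop_service
    set_link "$2" "$svc/CATALINA_HOME" || return 1
    set_link "$3" "$svc/CATALINA_BASE" || return 1
    start_service
}

# rollback_links SVC_DIR: restore the targets recorded by switch_links.
rollback_links() {
    svc=$1
    [ -s "$svc/.previous" ] || { echo "nothing to roll back to" >&2; return 1; }
    { IFS= read -r old_home; IFS= read -r old_base; } < "$svc/.previous"
    check_targets "$old_home" "$old_base" || return 1
    stop_service
    set_link "$old_home" "$svc/CATALINA_HOME" || return 1
    set_link "$old_base" "$svc/CATALINA_BASE" || return 1
    start_service
}

# Constructed sample: two unpacked versions, two bases, links on the old one.
make_sample() {
    d=$(mktemp -d)
    for v in 8.5.58 8.5.73; do
        mkdir -p "$d/dist/apache-tomcat-$v/bin" "$d/bases/$v/conf" "$d/bases/$v/logs"
        : > "$d/dist/apache-tomcat-$v/bin/catalina.sh"
        : > "$d/bases/$v/conf/server.xml"
        : > "$d/bases/$v/conf/web.xml"
    done
    mkdir -p "$d/svc"
    ln -s "$d/dist/apache-tomcat-8.5.58" "$d/svc/CATALINA_HOME"
    ln -s "$d/bases/8.5.58" "$d/svc/CATALINA_BASE"
    printf '%s\n' "$d"
}

# Stand-alone run: upgrade, show the link, roll back, show it again.
demo=$(make_sample)
switch_links "$demo/svc" "$demo/dist/apache-tomcat-8.5.73" "$demo/bases/8.5.73"
readlink "$demo/svc/CATALINA_HOME"
rollback_links "$demo/svc"
readlink "$demo/svc/CATALINA_HOME"
rm -rf "$demo"
```

Because each CATALINA_BASE is its own version-specific directory, the logs of the failed attempt stay in place after a rollback.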



RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-17 Thread jonmcalexander
Sorry about my bad reply order.  Mark, you do a lot of what I do, but most of 
our stuff isn't using initd. I like your use of links, best way to handle 
upgrades, imo.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Mark Eggers 
Sent: Nov 17, 2021 8:10 PM
To: users@tomcat.apache.org
Subject: Re: How to *properly* create and use a CATALINA_BASE installation


On 11/17/2021 5:28 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:
> We export it. You have to make sure the setenv.sh is
> calling setenv.sh. It works fine for me.
>
>
> Thanks,
>
>
> Sent with BlackBerry Work (www.blackberry.com)
> 
> From: Michael B Allen <iop...@gmail.com>
> Sent: Nov 17, 2021 6:54 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: How to *properly* create and use a CATALINA_BASE installation
>
> On Wed, Nov 17, 2021 at 11:04 AM <jonmcalexan...@wellsfargo.com.invalid> wrote:
>> I, in my opinion, find it far easier to set my BASE in the setenv.sh for the
>> instance I'm using. As Chris said, you can have multiple instances (BASEs) on
>> a server.
>
> Jon,
>
> If you mean you're setting $CATALINA_BASE in setenv.sh, I don't think
> that will work because when you run $CATALINA_BASE/bin/startup.sh,
> $CATALINA_BASE won't be set yet and so it's going to set
> $CATALINA_BASE to $CATALINA_HOME and then source the
> $CATALINA_HOME/bin/setenv.sh and not the $CATALINA_BASE specific
> setenv.sh. I think that's what Chris was referring to in his first
> reply to you.
>
> Although if I'm using a $CATALINA_BASE/bin/run.sh alternative to
> startup.sh like in my previous post, I would probably just put ALL the
> various environment variables (listed at the top of bin/catalina.sh)
> in there too. Using setenv.sh at that point would just be needlessly
> spreading config around.
>
> The documentation currently seems to be targeting installations shared
> by multiple different users where $CATALINA_HOME and $CATALINA_BASE
> get set in the users environment such that different users can have
> different bases but share a common installation like in /usr/local or
> some such. Then you *would* want to put base specific stuff in
> $CATALINA_BASE/bin/setenv.sh. But IMO that's kind of a late 90's way
> of doing things. Nowadays, not only do people have their own machines,
> but they have multiple instances in VMs and private servers and docker
> and so on. So I think the self-contained $CATALINA_BASE/bin/run.sh
> method is probably a little better for most cases (although I still
> need to study the Windows service use-case which is probably
> important).
>
> Mike
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/

On Linux with systemd, I put the following in the systemd file:

Environment=CATALINA_HOME=/home/tcadmin/Services/[sname]/CATALINA_HOME/
Environment=CATALINA_BASE=/home/tcadmin/Services/[sname]/CATALINA_BASE/
Environment=CATALINA_PID=/var/run/tomcat/[sname].pid

where [sname] is the name of the service.

tcadmin is the unprivileged user that runs all the Tomcats on the system.

Everything else is set in
/home/tcadmin/Services/[sname]/CATALINA_BASE/bin/setenv.sh

For the old style init.d systems, I put everything in:

/etc/sysconfig/[tomcatx]/[sname]

where [tomcatx] is the base version of Tomcat, and [sname] is the
service name.

Then there is an init file for each service that reads the
appropriate /etc/sysconfig/[tomcatx]/[sname] file to set up the
environment.

CATALINA_HOME and CATALINA_BASE are links to an appropriate Tomcat
installation, and one configured for that particular service.

Then to upgrade to a new Tomcat, you do the following:

1. Unpack the new reference version of Tomcat somewhere which becomes
CATALINA_HOME.

2. Create the new service-specific installation of Tomcat which becomes
CATALINA_BASE.

All of the above can be done without disturbing the existing service.

To upgrade, do the following:

1. Shut down the service
2. Move the links
3. Start up the service

If things blow up in your face, then the roll back is really easy:

1. Shut down the service
2. Restore the links
3. Start up the service

Since the CATALINA_BASE is linked to a version-specific directory,
you'll have log files to figure out why things didn't go according to
plan if you have to roll back.

Automate configuring your CATALINA_BASE setup with a couple of Ant
build.xml files, a couple of proper

RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-17 Thread jonmcalexander
We export it. You have to make sure the setenv.sh is calling setenv.sh. It
works fine for me.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Michael B Allen 
Sent: Nov 17, 2021 6:54 PM
To: Tomcat Users List 
Subject: Re: How to *properly* create and use a CATALINA_BASE installation

On Wed, Nov 17, 2021 at 11:04 AM  wrote:
> I, in my opinion, find it far easier to set my BASE in the setenv.sh for the 
> instance I'm using. As Chris said, you can have multiple instances (BASEs) on 
> a server.

Jon,

If you mean you're setting $CATALINA_BASE in setenv.sh, I don't think
that will work because when you run $CATALINA_BASE/bin/startup.sh,
$CATALINA_BASE won't be set yet and so it's going to set
$CATALINA_BASE to $CATALINA_HOME and then source the
$CATALINA_HOME/bin/setenv.sh and not the $CATALINA_BASE specific
setenv.sh. I think that's what Chris was referring to in his first
reply to you.

Although if I'm using a $CATALINA_BASE/bin/run.sh alternative to
startup.sh like in my previous post, I would probably just put ALL the
various environment variables (listed at the top of bin/catalina.sh)
in there too. Using setenv.sh at that point would just be needlessly
spreading config around.

The documentation currently seems to be targeting installations shared
by multiple different users where $CATALINA_HOME and $CATALINA_BASE
get set in the users environment such that different users can have
different bases but share a common installation like in /usr/local or
some such. Then you *would* want to put base specific stuff in
$CATALINA_BASE/bin/setenv.sh. But IMO that's kind of a late 90's way
of doing things. Nowadays, not only do people have their own machines,
but they have multiple instances in VMs and private servers and docker
and so on. So I think the self-contained $CATALINA_BASE/bin/run.sh
method is probably a little better for most cases (although I still
need to study the Windows service use-case which is probably
important).

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: [ANN] Apache Tomcat 8.5.73 available

2021-11-17 Thread jonmcalexander
Please ignore this



> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Wednesday, November 17, 2021 4:35 PM
> To: d...@tomcat.apache.org; users@tomcat.apache.org
> Cc: annou...@tomcat.apache.org; annou...@apache.org
> Subject: RE: [ANN] Apache Tomcat 8.5.73 available
> Importance: High
> 
> http://tomcat.apache.org/tomcat-8.5-doc/changelog.html
> 
> 
> 
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Wednesday, November 17, 2021 1:46 PM
> > To: Tomcat Users List 
> > Cc: Tomcat Developers List ;
> > annou...@tomcat.apache.org; annou...@apache.org
> > Subject: [ANN] Apache Tomcat 8.5.73 available
> > Importance: High
> >
> > The Apache Tomcat team announces the immediate availability of Apache
> > Tomcat 8.5.73.
> >
> > Apache Tomcat 8 is an open source software implementation of the Java
> > Servlet, JavaServer Pages, Java Unified Expression Language, Java
> > WebSocket and Java Authentication Service Provider Interface for
> > Containers technologies.
> >
> > Apache Tomcat 8.5.73 is a bugfix and feature release. The notable
> > changes compared to 8.5.72 include:
> >
> > - Improvements to native/APR including avoiding a JVM crash if APR fails
> >  to properly initialize and improving error handling.
> >
> > - Improve robustness of JNDIRealm for exceptions occurring when getting
> >  the connection.
> >
> > Along with lots of other bug fixes and improvements.
> >
> > Please refer to the change log for the complete list of changes:
> > http://tomcat.apache.org/tomcat-8.5-doc/changelog.html
> >
> > Downloads:
> > http://tomcat.apache.org/download-80.cgi
> >
> > Migration guides from Apache Tomcat 7.x and 8.0.x:
> > http://tomcat.apache.org/migration.html
> >
> > Enjoy!
> >
> > - The Apache Tomcat team
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For
> > additional commands, e-mail: dev-h...@tomcat.apache.org



RE: [ANN] Apache Tomcat 8.5.73 available

2021-11-17 Thread jonmcalexander
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html




> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, November 17, 2021 1:46 PM
> To: Tomcat Users List 
> Cc: Tomcat Developers List ;
> annou...@tomcat.apache.org; annou...@apache.org
> Subject: [ANN] Apache Tomcat 8.5.73 available
> Importance: High
> 
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 8.5.73.
> 
> Apache Tomcat 8 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and Java Authentication Service Provider Interface for Containers
> technologies.
> 
> Apache Tomcat 8.5.73 is a bugfix and feature release. The notable changes
> compared to 8.5.72 include:
> 
> - Improvements to native/APR including avoiding a JVM crash if APR fails
>  to properly initialize and improving error handling.
> 
> - Improve robustness of JNDIRealm for exceptions occurring when getting
>  the connection.
> 
> Along with lots of other bug fixes and improvements.
> 
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/tomcat-8.5-doc/changelog.html
> 
> Downloads:
> http://tomcat.apache.org/download-80.cgi
> 
> Migration guides from Apache Tomcat 7.x and 8.0.x:
> http://tomcat.apache.org/migration.html
> 
> Enjoy!
> 
> - The Apache Tomcat team
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
> commands, e-mail: dev-h...@tomcat.apache.org



RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-17 Thread jonmcalexander
Michael, 
-Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, November 17, 2021 9:43 AM
> To: users@tomcat.apache.org
> Subject: Re: How to *properly* create and use a CATALINA_BASE installation
> 
> Michael,
> 
> On 11/16/21 17:05, Michael B Allen wrote:
> >> https://people.apache.org/~schultz/presentations/ApacheCon%20NA%202020/Splitting%20Your%20Tomcat%20Installation.pdf
> >
> > Thanks. That's what I'm looking for.
> >
> > Slightly related: Instead of setting environment variables in your
> > profile and running $CATALINA_HOME/bin/startup.sh, is there any reason
> > why we should not create a $CATALINA_BASE/bin/startup.sh like the
> > following?
> >
> > #!/bin/sh
> > export JRE_HOME=/path/to/jre/
> > export CATALINA_HOME=/path/to/tomcat/
> > export CATALINA_BASE=/path/to/tomcat-base/
> > ${CATALINA_HOME}/bin/catalina.sh run "$@"
> >
> > and use this instead?
> >
> > It seems to me this would completely separate the installation from
> > the host and environment.
> 
> I would not set CATALINA_BASE in my profile for a number of reasons -- the
> primary one being that I run multiple applications in separate Tomcats, so
> there is no one single CATALINA_BASE that I could set.
> 
> What you have above is, IMO, the "right" way to do things, except that I
> wouldn't use startup.sh -- I'd use a different script as not to
> conflict/confuse with the one that comes from Tomcat.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

This is why I use the setenv.sh file on Unix/Linux, setenv.bat on Windows, when
not using as a service. If set up as a service on Windows, I add the
CATALINA_BASE to the JAVA OPTIONS section.

I, in my opinion, find it far easier to set my BASE in the setenv.sh for the 
instance I'm using. As Chris said, you can have multiple instances (BASEs) on a 
server.

Thanks,


RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-17 Thread jonmcalexander
Thanks for the info Chris!


> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, November 17, 2021 9:41 AM
> To: users@tomcat.apache.org
> Subject: Re: How to *properly* create and use a CATALINA_BASE installation
> 
> Jon,
> 
> On 11/16/21 12:55, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > I meant the other configuration files. I guess I haven't dug deep enough,
> but DOES Tomcat handle the catalina.properties, catalina.policy,
> logging.properties, etc. files hierarchically similar to how Microsoft handles
> web.config files? CATALINA_HOME being the parent and Instances
> automatically inheriting from the Parent unless overridden at the instance
> level in its conf folder?
> >
> > Basically can I publish a parent catalina.policy file and NOT include one in
> the instance?
> 
> My presentation says you need your own if you want to use the security
> manager. Looking at catalina.sh, it always uses CATALINA_BASE for that
> purpose, but it could be detected at runtime. Patches are welcome.
> 
> When using the Windows Service runner, the path to the catalina.policy file is
> captured in the Windows Registry, so you can't detect it on the fly. That path
> must be passed-into the launching JVM, so by the time Tomcat gets chance
> to observe the situation, it's too late to make any changes.
> 
> So if you were to change this in catalina.sh|bat, you'd want to make a similar
> change to service.bat to auto-detect the (current) situation and store the
> appropriate path in the registry, understanding that any change to the file-
> layout would require a refresh of that stored-info.
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, November 16, 2021 11:39 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: How to *properly* create and use a CATALINA_BASE
> >> installation
> >>
> >> Jon,
> >>
> >> On 11/16/21 08:55, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> I too would like to know more of what Chris is saying in regards to
> >>> the conf
> >> folder.
> >>
> >> You mean conf/[engine]/[host]/[webapp].xml? This is just "standard"
> >> deployment descriptor stuff:
> >> http://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming
> >>
> >> -chris
> >>
> >>>
> >>>
> >>> Thanks,
> >>>
> >>> Sent with BlackBerry Work (http://www.blackberry.com)
> >>> From: Michael B Allen 
> >>> Sent: Nov 15, 2021 4:24 PM
> >>> To: Tomcat Users List 
> >>> Subject: Re: How to *properly* create and use a CATALINA_BASE
> >>> installation
> >>>
> >>> On Mon, Nov 15, 2021 at 4:31 PM Christopher Schultz
> >>>  wrote:
> > conf
> > All of the conf files.
> 
>  Specifically, you'll want server.xml and web.xml. You can also
>  choose to customize context.xml, and put any
>  [engine]/[host]/[webapp].xml deployment descriptors there.
> >>>
> >>> Hi Chris,
> >>>
> >>> Ok, so then the minimum required is server.xml and web.xml?
> >>>
> >>> And then there are optional files like context.xml? Are all of the
> >>> other files also optional and completely overwrite settings like
> >>> tomcat-users.xml or only some?
> >>>
> >>> I have confirmed that adding only web.xml alone resolves the issue
> >>> completely. I no longer get 404's and the application works. But I
> >>> would like to further understand this as much as possible to
> >>> document it for my customers.
> >>>
> >>> Thanks,
> >>> Mike
> >>>
> >>> --
> >>> Michael B Allen
> >>> Java Active Directory Integration
> >>>
> >>> http://www.ioplex.com/
> >>>
> >>> 
> >>>
> >>>
> >>
> >> ---

RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-16 Thread jonmcalexander
I meant the other configuration files. I guess I haven't dug deep enough, but 
DOES Tomcat handle the catalina.properties, catalina.policy, 
logging.properties, etc. files hierarchically similar to how Microsoft handles 
web.config files? CATALINA_HOME being the parent and Instances automatically 
inheriting from the Parent unless overridden at the instance level in its conf 
folder?

Basically can I publish a parent catalina.policy file and NOT include one in 
the instance?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President



> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, November 16, 2021 11:39 AM
> To: users@tomcat.apache.org
> Subject: Re: How to *properly* create and use a CATALINA_BASE installation
> 
> Jon,
> 
> On 11/16/21 08:55, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > I too would like to know more of what Chris is saying in regards to the
> > conf folder.
> 
> You mean conf/[engine]/[host]/[webapp].xml? This is just "standard"
> deployment descriptor stuff:
> http://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming
> 
> -chris
> 
> >
> >
> > Thanks,
> >
> > Sent with BlackBerry Work (http://www.blackberry.com)
> > From: Michael B Allen 
> > Sent: Nov 15, 2021 4:24 PM
> > To: Tomcat Users List 
> > Subject: Re: How to *properly* create and use a CATALINA_BASE
> > installation
> >
> > On Mon, Nov 15, 2021 at 4:31 PM Christopher Schultz
> >  wrote:
> >>> conf
> >>> All of the conf files.
> >>
> >> Specifically, you'll want server.xml and web.xml. You can also choose
> >> to customize context.xml, and put any [engine]/[host]/[webapp].xml
> >> deployment descriptors there.
> >
> > Hi chros,
> >
> > Ok, so then the minimum required is server.xml and web.xml?
> >
> > And then there are optional files like context.xml? Are all of the
> > other files also optional and completely overwrite settings like
> > tomcat-users.xml or only some?
> >
> > I have confirmed that adding only web.xml alone resolves the issue
> > completely. I no longer get 404's and the application works. But I
> > would like to further understand this as much as possible to document
> > it for my customers.
> >
> > Thanks,
> > Mike
> >
> > --
> > Michael B Allen
> > Java Active Directory Integration
> > http://www.ioplex.com/
> >
> >
> >
> 



RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-16 Thread jonmcalexander
Hey Michael,

I too would like to know more of what Chris is saying in regards to the conf
folder.


Thanks,

Sent with BlackBerry Work (www.blackberry.com)

From: Michael B Allen 
Sent: Nov 15, 2021 4:24 PM
To: Tomcat Users List 
Subject: Re: How to *properly* create and use a CATALINA_BASE installation

On Mon, Nov 15, 2021 at 4:31 PM Christopher Schultz
 wrote:
> > conf
> > All of the conf files.
>
> Specifically, you'll want server.xml and web.xml. You can also choose to
> customize context.xml, and put any [engine]/[host]/[webapp].xml
> deployment descriptors there.

Hi chros,

Ok, so then the minimum required is server.xml and web.xml?

And then there are optional files like context.xml? Are all of the
other files also optional and completely overwrite settings like
tomcat-users.xml or only some?

I have confirmed that adding only web.xml alone resolves the issue
completely. I no longer get 404's and the application works. But I
would like to further understand this as much as possible to document
it for my customers.

Thanks,
Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/




RE: How to *properly* create and use a CATALINA_BASE installation

2021-11-15 Thread jonmcalexander
Files Required in CATALINA_BASE:

bin
Only shell scripts or batch files. Make sure that setenv.sh or 
setenv.bat sets and passes the CATALINA_BASE and CATALINA_HOME locations 
properly.

conf
All of the conf files.

lib
Only .jar files needed by your Instance, not necessarily the 
application(s), and definitely not any of the jars from CATALINA_HOME

logs (if in this location)

webapps (if in this location)

temp and work

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President


> -Original Message-
> From: Michael B Allen 
> Sent: Monday, November 15, 2021 2:16 PM
> To: users@tomcat.apache.org
> Subject: How to *properly* create and use a CATALINA_BASE installation
> 
> Hi,
> 
> What $CATALINA_HOME/conf/ files should be copied into
> $CATALINA_BASE?
> 
> RUNNING.txt just says:
> 
> * conf - Server configuration files (including server.xml)
> 
> So it's multiple fileS but not necessarily all if server.xml is explicitly 
> included?
> 
> Ideally I would think it should be only files that need to be modified since
> that seems to be the point of using $CATALINA_BASE. Is this correct?
> 
> I'm trying to use $CATALINA_BASE just because it seems like the proper way
> to setup Tomcat in general.
> 
> Without $CATALINA_BASE everything works as near as I can tell.
> 
> But if I change $CATALINA_BASE to be different from $CATALINA_HOME in
> my startup bat like:
> 
> $CATALINA_HOME/bin/xstart.bat:
> SETLOCAL
> 
> set JRE_HOME=%ProgramFiles%\Java\jre1.8.0_311
> set CATALINA_HOME=C:\path\to\tomcat
> set CATALINA_BASE=C:\path\to\tomcat-base
> 
> "%CATALINA_HOME%\bin\catalina.bat" run %1 %2 %3 %4 %5 %6 %7 %8 %9
> 
> And then in tomcat-base I have:
> 
> bin\tomcat-juli.jar
> conf\keystore.jks
> conf\server.xml
> 
> The server.xml is stock except for the following:
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https"
> secure="true"
> SSLEnabled="true">
> <SSLHostConfig>
> <Certificate certificateKeystoreFile="conf/keystore.jks"
> certificateKeystorePassword="as1busiw19"/>
> </SSLHostConfig>
> </Connector>
> 
> conf\tomcat-users.xml
> conf\Catalina\localhost\manager.xml
> logs\localhost_access_log.2021-11-15.txt
> temp\
> webapps\myapp\
> 
> Note: There is no myapp\WEB-INF\context.xml
> 
> webapps\manager\
> 
> Tomcat starts up ok and Tomcat Manager works. I can see myapp in the
> manager which claims it's deployed and running.
> 
> But trying to access /myapp results in:
> 
> 404 Not Found: The origin server did not find a current representation for
> the target resource or is not willing to disclose that one exists.
> 
> I can un-deploy /myapp and re-deploy it through the manager and again,
> nothing but 404.
> 
> Doesn't work under HTTPS either (and HTTPS works without using
> $CATALINA_BASE).
> 
> What could be the problem here?
> 
> I used the following to create a symbolic link to the tomcat directory:
> 
> cmd>mklink /d tomcat apache-tomcat-9.0.54
> 
> Is this ok?
> 
> I'm using Tomcat 9.0.54 32 bit on Windows Server 2016 64 bit. The native
> runtime DLL fails to load because it's built for 32bit. But this seems to 
> fallback
> to the Java runtime just fine. Is this somehow a problem?
> 
> Do I need a deployment context xml?
> 
> I'm a little stumped by this. I don't normally use Tomcat but I just wanted to
> create an "Application Note" about how to properly use my product with
> Tomcat. So I'm really interested in how this all is supposed to work and not 
> so
> much just seeing it work.
> 
> Thanks,
> 
> Mike
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
> 



RE: Strange Oracle JDBC Driver error on Application Deployment

2021-11-03 Thread jonmcalexander
Thanks Mark E.!

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President



> -Original Message-
> From: Mark Eggers 
> Sent: Tuesday, November 2, 2021 5:55 PM
> To: users@tomcat.apache.org
> Subject: Re: Strange Oracle JDBC Driver error on Application Deployment
> 
> Jon,
> 
> On 11/2/2021 3:26 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > I have an application team that is getting the following stack trace while
> > starting Tomcat 8.5.70. I've done some searching but can't find anything. In
> > looking at their context.xml it appears that they have jmxEnabled="false" in
> > each of the resources.
> >
> > Any assistance would be grand.
> >
> > Thanks,
> >
> >  Stack Trace 
> >
> > 02-Nov-2021 13:01:45.809 SEVERE [localhost-startStop-1] org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool with JMX
> >  java.lang.NullPointerException
> >  at org.apache.tomcat.jdbc.pool.DataSource.registerJmx(DataSource.java:129)
> >  at org.apache.tomcat.jdbc.pool.DataSource.preRegister(DataSource.java:98)
> >  at org.apache.tomcat.util.modeler.BaseModelMBean.preRegister(BaseModelMBean.java:927)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.preRegister(DefaultMBeanServerInterceptor.java:1007)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:919)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:900)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:324)
> >  at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
> >  at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:637)
> >  at org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1014)
> >  at org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:552)
> >  at org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:245)
> >  at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> >  at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5130)
> >  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
> >  at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
> >  at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:695)
> >  at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1016)
> >  at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1903)
> >  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >  at java.lang.Thread.run(Thread.java:748)
> > 02-Nov-2021 13:01:46.066 SEVERE [localhost-startStop-1] org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool with JMX
> >  java.lang.NullPointerException
> >  at org.apache.tomcat.jdbc.pool.D

RE: Strange Oracle JDBC Driver error on Application Deployment

2021-11-03 Thread jonmcalexander
Hmmm...strange. I've gone thru their configuration and modified it to match up 
with our strategy of using separate HOME and BASE locations. I've had them get 
rid of duplicate jar files from BASE that are in HOME. Only 1-off is the Oracle 
JDBC jar. I do need to see if they have "cleared cache" and then startup clean 
to see if there is something stashed in work. 

Thanks for the info, I'll keep digging in with them.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, November 3, 2021 3:00 AM
> To: users@tomcat.apache.org
> Subject: Re: Strange Oracle JDBC Driver error on Application Deployment
> 
> On 02/11/2021 22:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > I have an application team that is getting the following stack trace while
> > starting Tomcat 8.5.70. I've done some searching but can't find anything. In
> > looking at their context.xml it appears that they have jmxEnabled="false" in
> > each of the resources.
> 
> Jon,
> 
> The line numbers listed in the stack trace aren't consistent with the version
> number quoted above. I've tried stepping back through old 8.5.x versions
> and I can't find a match unless I go back 10 years (before Tomcat 8.5.x and
> even 8.0.x existed).
> 
> It looks like you are seeing this issue:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=54194
> 
> Possible explanations:
> 
> - the application is packaged with a (very) old version of Tomcat's
>jdbc-pool and is using that rather than the version provided by Tomcat
> 
> - The Tomcat instances are running a much older Tomcat version than
>8.5.70
> 
> - The Tomcat instances are using some form of custom patch
> 
> - Something else.
> 
> HTH,
> 
> Mark
> 
> >
> > Any assistance would be grand.
> >
> > Thanks,
> >
> >  Stack Trace 
> >
> > 02-Nov-2021 13:01:45.809 SEVERE [localhost-startStop-1] org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool with JMX
> >  java.lang.NullPointerException
> >  at org.apache.tomcat.jdbc.pool.DataSource.registerJmx(DataSource.java:129)
> >  at org.apache.tomcat.jdbc.pool.DataSource.preRegister(DataSource.java:98)
> >  at org.apache.tomcat.util.modeler.BaseModelMBean.preRegister(BaseModelMBean.java:927)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.preRegister(DefaultMBeanServerInterceptor.java:1007)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:919)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:900)
> >  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:324)
> >  at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
> >  at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:637)
> >  at org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1014)
> >  at org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:552)
> >  at org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:245)
> >  at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> >  at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5130)
> >  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
> >
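Mark's first explanation, an old copy of Tomcat's jdbc-pool packaged inside the application, can be checked without starting Tomcat. The following is an added example, not code from this thread or from the Tomcat project: it opens every jar under WEB-INF/lib of a WAR, looks for the org.apache.tomcat.jdbc.pool.DataSource class named in the stack trace, and reports that jar's Implementation-Version. The WAR contents, jar names, manifest title and version string are constructed for the demonstration.

```python
import io
import zipfile

# Class named in the first frames of the stack trace in this thread.
POOL_CLASS = "org/apache/tomcat/jdbc/pool/DataSource.class"


def parse_manifest(raw):
    """Return the main-section attributes of a MANIFEST.MF as a dict.

    Manifest lines are wrapped at 72 bytes; a continuation line starts
    with a single space and is appended to the previous line.
    """
    lines = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif not line.strip():
            if lines:
                break  # a blank line ends the main section
        else:
            lines.append(line)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def find_bundled_jdbc_pool(war_bytes):
    """List (location, version) for every copy of jdbc-pool inside a WAR.

    Matching is done on the class file, not the jar name, so a renamed
    or repackaged jar is still found.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if "WEB-INF/classes/" + POOL_CLASS in names:
            findings.append(("WEB-INF/classes", "unknown"))
        for entry in sorted(names):
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            try:
                jar = zipfile.ZipFile(io.BytesIO(war.read(entry)))
            except zipfile.BadZipFile:
                continue  # not a readable jar; nothing to inspect
            with jar:
                members = set(jar.namelist())
                if POOL_CLASS not in members:
                    continue
                version = "unknown"
                if "META-INF/MANIFEST.MF" in members:
                    manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
                    version = manifest.get("Implementation-Version", "unknown")
                findings.append((entry, version))
    return findings


def _zip_bytes(files):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war(bundle_pool=True):
    """Constructed WAR: an Oracle driver jar plus, optionally, a renamed pool jar."""
    manifest = (b"Manifest-Version: 1.0\r\n"
                b"Implementation-Title: Apache Tomcat JDBC Pool\r\n"
                b"Implementation-Version: 0.0.0-const\r\n"
                b" ructed\r\n\r\n")  # wrapped value exercises continuation handling
    files = {
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/ojdbc8.jar": _zip_bytes({"oracle/jdbc/OracleDriver.class": b""}),
    }
    if bundle_pool:
        files["WEB-INF/lib/legacy-pool.jar"] = _zip_bytes({
            "META-INF/MANIFEST.MF": manifest,
            POOL_CLASS: b"",
        })
    return _zip_bytes(files)


if __name__ == "__main__":
    for location, version in find_bundled_jdbc_pool(build_sample_war()):
        print(f"{location}: bundles jdbc-pool, Implementation-Version {version}")
```

Comparing the reported version with the Implementation-Version of tomcat-jdbc.jar in CATALINA_HOME/lib shows whether the application is shadowing the container's copy.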

Strange Oracle JDBC Driver error on Application Deployment

2021-11-02 Thread jonmcalexander
I have an application team that is getting the following stack trace while 
starting Tomcat 8.5.70. I've done some searching but can't find anything. In 
looking at their context.xml it appears that they have jmxEnabled="false" in 
each of the resources.

Any assistance would be grand.

Thanks,

 Stack Trace 

02-Nov-2021 13:01:45.809 SEVERE [localhost-startStop-1] org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool with JMX
java.lang.NullPointerException
    at org.apache.tomcat.jdbc.pool.DataSource.registerJmx(DataSource.java:129)
    at org.apache.tomcat.jdbc.pool.DataSource.preRegister(DataSource.java:98)
    at org.apache.tomcat.util.modeler.BaseModelMBean.preRegister(BaseModelMBean.java:927)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.preRegister(DefaultMBeanServerInterceptor.java:1007)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:919)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:900)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:324)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
    at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:637)
    at org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1014)
    at org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:552)
    at org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:245)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5130)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:695)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1016)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1903)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
02-Nov-2021 13:01:46.066 SEVERE [localhost-startStop-1] org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool with JMX
java.lang.NullPointerException
    at org.apache.tomcat.jdbc.pool.DataSource.registerJmx(DataSource.java:129)
    at org.apache.tomcat.jdbc.pool.DataSource.preRegister(DataSource.java:98)
    at org.apache.tomcat.util.modeler.BaseModelMBean.preRegister(BaseModelMBean.java:927)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.preRegister(DefaultMBeanServerInterceptor.java:1007)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:919)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:900)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:324)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
    at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:637)
    at org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1014)
    at org.apache.catalina.core.NamingCont

RE: Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-15 Thread jonmcalexander
> -Original Message-
> From: Shekhar Naidu 
> Sent: Friday, October 15, 2021 7:45 AM
> To: users@tomcat.apache.org
> Subject: Tomcat 8.5.37 is automatically redeploying apps on every Saturday
> 
> Hi all,
> 
> > We are seeing a weird behavior in our new Linux environments. Since we
> >> migrated from RHEL6 to 8, we started seeing issue with tomcat. Tomcat
> >> is auto redeploying our apps on every Saturday around 12:20AM.
> >> We don’t have any schedulers running on our machines. We verified
> >> localhost_access.log and found no request to the tomcat manager to do
> >> the redeploy.
> >>
> >> The Catalina.out prints that “ContainerBackgroundProcessor” is doing
> >> the undeploy and deploy of our app.
> >> It does not print any other details like why it is doing that.
> >>
> >> We are basically out of Ideas as where to look as we have looked
> >> everything on the Linux side, cron jobs etc..
> >>
> >> Appreciate your help with this. Thank you in advance.
> >>
> >> Thank you
> >> Shekar
> >>
> > --
> Shekhar
> simplysek...@gmail.com
> shekharna...@gmail.com

Are you possibly running these in some sort of container, Kubernetes or Docker, 
etc. Just wondering based on the ContainerBackgroundProcessor you mentioned? 
Anything external to your Tomcat instances that could be triggering this?

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President




RE: Interesting log capability request

2021-10-07 Thread jonmcalexander
> -Original Message-
> From: Robert Hicks 
> Sent: Thursday, October 7, 2021 2:23 PM
> To: Tomcat Users List 
> Subject: Re: Interesting log capability request
> 
> The catalina.out log should capture that information already, right?
> 
> This is what I see when I shutdown my barebones Tomcat:
> 
> 07-Oct-2021 15:19:03.276 INFO [main]
> org.apache.catalina.core.StandardServer.await A valid shutdown command
> was received via the shutdown port. Stopping the Server instance.
> 07-Oct-2021 15:19:03.277 INFO [main]
> org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-
> nio-8080"]
> 07-Oct-2021 15:19:03.546 INFO [main]
> org.apache.catalina.core.StandardService.stopInternal Stopping service
> [Catalina]
> 07-Oct-2021 15:19:03.599 INFO [main]
> org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-
> nio-8080"]
> 07-Oct-2021 15:19:03.647 INFO [main]
> org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler
> ["http-nio-8080"]
> 
> If you have webapps going it should take a little longer of course.
> 
> --
> Bob
> 
> On Thu, Oct 7, 2021 at 3:05 PM 
> wrote:
> 
> > I have an app team that wants to know if it's possible to capture how
> > long the Tomcat Shutdown takes? I don't think there is without
> > modifying something in the Catalina.sh under the Stop section, but
> > wondering if there is something already built in.
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Infrastructure Engineer
> > Asst Vice President
> >
> >
> >


I think they are looking for something similar to this:

Oct 07, 2021 3:21:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in [54655] milliseconds

But for shutdown instead. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President




Interesting log capability request

2021-10-07 Thread jonmcalexander
I have an app team that wants to know if it's possible to capture how long the 
Tomcat Shutdown takes? I don't think there is without modifying something in 
the Catalina.sh under the Stop section, but wondering if there is something 
already built in.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President




RE: UserDatabaseRealm and DIGEST

2021-08-26 Thread jonmcalexander
Thank you Chris!

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President



> -Original Message-
> From: Christopher Schultz 
> Sent: Thursday, August 26, 2021 1:49 PM
> To: users@tomcat.apache.org
> Subject: Re: UserDatabaseRealm and DIGEST
> 
> Jon,
> 
> On 8/24/21 19:51, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, August 24, 2021 5:52 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: UserDatabaseRealm and DIGEST
> >>
> >> Jon,
> >>
> >> On 8/24/21 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
>  -Original Message-
>  From: Mark Thomas 
>  Sent: Tuesday, August 24, 2021 11:41 AM
>  To: users@tomcat.apache.org
>  Subject: Re: UserDatabaseRealm and DIGEST
> 
>  On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, so I've been reading thru the documentation on DIGEST but not
>  entirely sure I have it right. What is the best practice for DIGEST
>  and what algorithms are allowed, such as is sha-256 allowed?
> 
>  First, a question of clarification.
> 
>  Do you mean HTTP DIGEST authentication or do you mean storing
>  password hashes rather than the actual passwords in the
> >> UserDatabaseRealm?
> 
>  Mark >
> >>> I mean the Password Hashes rather than the actual password for the
> >> UserDatabaseRealm.
> >>
> >> You can use any algorithm that Java's MessageDigest supports.
> >>
> >> I would recommend against using "Digest" credential storage and
> >> instead use something more secure such as PBKDF2, which Tomcat also
> supports.
> >>
> >> You might find this informative:
> >>
> >> https://tomcat.apache.org/presentations.html#latest-credential-security
> >>
> >> -chris
> >>
> >
> > In this case I am wanting to know the proper way to use DIGEST as we have
> some folks with vendor applications that Use Tomcat that insist on using the
> UserDatabaseRealm. I agree that using LDAP or something other is the better
> way to go. We typically do NOT allow the use of the UserDatabaseRealm
> unless the passwords are hashed with DIGEST. I just want to make sure that
> when we check for compliance, we are approving the various means.
> 
> You can use any of those credential handlers with the UserDatabaseRealm.
> For example PBKDF2 is perfectly usable. You just need to get user
> passwords, run them through PBKDF2, and copy/paste them into tomcat-
> users.xml (or wherever you have them).
> 
> There is a "digest.sh" script that comes with your Tomcat distribution.
> Run it and you'll see the options. You can ask that to generate a stored-
> credential for any plaintext password you want to use, and it should work
> with a similarly-configured UserDatabaseRealm (and child
> CredentialHandler).
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
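
The compliance check discussed in this thread (any credential handler can sit under the UserDatabaseRealm, and stored credentials are pasted into tomcat-users.xml), sketched as an added Python example that is not code from the list or from Tomcat. It reports which CredentialHandler the UserDatabaseRealm uses and flags user entries that are not stored as salt$iterations$hash. The sample XML, the passwords, the `min_iterations` threshold and all function names are constructed for illustration; `make_stored` stands in for a stored credential generated elsewhere.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# salt$iterations$hash: hex salt, decimal count, hex hash (Tomcat's documented layout).
STORED = re.compile(r"^([0-9a-fA-F]+)\$(\d+)\$([0-9a-fA-F]+)$")
# Heuristic: a bare hex string of digest length is treated as an unsalted digest.
UNSALTED_HEX = re.compile(r"^(?:[0-9a-fA-F]{2}){16,64}$")


def make_stored(password, salt, iterations, digest="sha512", key_bytes=32):
    """Build a PBKDF2 stored credential in salt$iterations$hash form (sample data only)."""
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, key_bytes)
    return f"{salt.hex()}${iterations}${dk.hex()}"


# Constructed sample files, not taken from the thread.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase">
          <CredentialHandler
              className="org.apache.catalina.realm.SecretKeyCredentialHandler"
              algorithm="PBKDF2WithHmacSHA512" iterations="100000"/>
        </Realm>
      </Realm>
    </Engine>
  </Service>
</Server>"""

USERS_XML = f"""<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="ops" password="{make_stored('constructed-pass-1', bytes(range(16)), 100000)}" roles="manager-gui"/>
  <user username="vendor" password="changeit" roles="manager-script"/>
  <user username="legacy" password="{hashlib.sha256(b'constructed-pass-2').hexdigest()}" roles="manager-status"/>
</tomcat-users>"""


def realm_handler(server_xml):
    """Return (short class name, attributes) of the UserDatabaseRealm's CredentialHandler, or None."""
    for realm in ET.fromstring(server_xml).iter("Realm"):
        if realm.get("className", "").endswith(".UserDatabaseRealm"):
            handler = realm.find("CredentialHandler")
            if handler is None:
                return None
            return handler.get("className", "").rsplit(".", 1)[-1], dict(handler.attrib)
    return None


def classify(value):
    """Classify a password attribute as 'salted', 'unsalted-digest' or 'plaintext'."""
    if STORED.match(value):
        return "salted"
    if UNSALTED_HEX.match(value):
        return "unsalted-digest"
    return "plaintext"


def audit(server_xml, users_xml, min_iterations=10000):
    """Return a list of (subject, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    handler = realm_handler(server_xml)
    if handler is None:
        findings.append(("realm", "no CredentialHandler: passwords are compared as plaintext"))
    elif handler[0] == "MessageDigestCredentialHandler":
        findings.append(("realm", "MessageDigest handler: the thread recommends PBKDF2 instead"))
    for el in ET.fromstring(users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # drop the XML namespace prefix
            continue
        name = el.get("username") or el.get("name")
        password = el.get("password", "")
        kind = classify(password)
        if kind != "salted":
            findings.append((name, kind))
        elif int(STORED.match(password).group(2)) < min_iterations:
            findings.append((name, "low-iterations"))
    return findings


def verify(password, stored, digest="sha512"):
    """Recompute PBKDF2 from the stored salt and count, then compare in constant time."""
    salt_hex, iterations, hash_hex = STORED.match(stored).groups()
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), len(hash_hex) // 2)
    return hmac.compare_digest(dk.hex(), hash_hex.lower())


if __name__ == "__main__":
    for who, problem in audit(SERVER_XML, USERS_XML):
        print(f"{who}: {problem}")
```

The hex-length test in `classify` is a heuristic: a plaintext password that happens to be an even-length hex string of 32 to 128 characters would be reported as an unsalted digest.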



RE: UserDatabaseRealm and DIGEST

2021-08-24 Thread jonmcalexander
Chris,

> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, August 24, 2021 5:52 PM
> To: users@tomcat.apache.org
> Subject: Re: UserDatabaseRealm and DIGEST
> 
> Jon,
> 
> On 8/24/21 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Tuesday, August 24, 2021 11:41 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: UserDatabaseRealm and DIGEST
> >>
> >> On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Ok, so I've been reading thru the documentation on DIGEST but not
> >> entirely sure I have it right. What is the best practice for DIGEST
> >> and what algorithms are allowed, such as is sha-256 allowed?
> >>
> >> First, a question of clarification.
> >>
> >> Do you mean HTTP DIGEST authentication or do you mean storing
> >> password hashes rather than the actual passwords in the
> UserDatabaseRealm?
> >>
> >> Mark >
> > I mean the Password Hashes rather than the actual password for the
> UserDatabaseRealm.
> 
> You can use any algorithm that Java's MessageDigest supports.
> 
> I would recommend against using "Digest" credential storage and instead use
> something more secure such as PBKDF2, which Tomcat also supports.
> 
> You might find this informative:
> https://urldefense.com/v3/__https://tomcat.apache.org/presentations.htm
> l*latest-credential-
> security__;Iw!!F9svGWnIaVPGSwU!7c3eGMZdJEU_EmV4XmOqEiivhaDIfji3A
> sGbXN4DAVlFM-pSfYgsX93DDHm6520mF1wBLNc$
> 
> -chris
> 

In this case I am wanting to know the proper way to use DIGEST as we have some 
folks with vendor applications that Use Tomcat that insist on using the 
UserDatabaseRealm. I agree that using LDAP or something other is the better way 
to go. We typically do NOT allow the use of the UserDatabaseRealm unless the 
passwords are hashed with DIGEST. I just want to make sure that when we check 
for compliance, we are approving the various means.

Thanks,






RE: UserDatabaseRealm and DIGEST

2021-08-24 Thread jonmcalexander
> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, August 24, 2021 11:41 AM
> To: users@tomcat.apache.org
> Subject: Re: UserDatabaseRealm and DIGEST
> 
> On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, so I've been reading thru the documentation on DIGEST but not
> entirely sure I have it right. What is the best practice for DIGEST and what
> algorithms are allowed, such as is sha-256 allowed?
> 
> First, a question of clarification.
> 
> Do you mean HTTP DIGEST authentication or do you mean storing password
> hashes rather than the actual passwords in the UserDatabaseRealm?
> 
> Mark
> 
> 

I mean the Password Hashes rather than the actual password for the 
UserDatabaseRealm. 

Thank you,

Jon McAlexander




UserDatabaseRealm and DIGEST

2021-08-24 Thread jonmcalexander
Ok, so I've been reading thru the documentation on DIGEST but not entirely sure 
I have it right. What is the best practice for DIGEST and what algorithms are 
allowed, such as is sha-256 allowed?

Thanks,




RE: Question for verification

2021-08-06 Thread jonmcalexander
Doh

Thanks!


> -Original Message-
> From: calder 
> Sent: Friday, August 6, 2021 9:45 AM
> To: Tomcat Users List 
> Subject: Re: Question for verification
> 
> On Fri, Aug 6, 2021, 09:31  wrote:
> 
> > Verifying an assumption.
> >
> > All modern versions of Tomcat (8.5 and above) are compatible with Java 11.
> >
> 
> GIYF
> 
> https://urldefense.com/v3/__https://tomcat.apache.org/whichversion.html
> __;!!F9svGWnIaVPGSwU!5OACMZ6S7VZsWNYMAuLJ-
> v0iUP2_CFdYOeHUf01bhLejkLIIgrlwgUt2wyjXaqPnsNkjYP8$




Question for verification

2021-08-06 Thread jonmcalexander
Verifying an assumption.

All modern versions of Tomcat (8.5 and above) are compatible with Java 11.

Thanks in advance




RE: Tomcat 8.5.68 failing on takeoff!

2021-08-02 Thread jonmcalexander
I'm no expert, especially on AS400's, but make sure that your Java 8 is good. 
Saw someone on CentOS having a similar issue and it was a bad Java.



> -Original Message-
> From: James H. H. Lampert 
> Sent: Monday, August 2, 2021 6:31 PM
> To: Tomcat Users List 
> Subject: Tomcat 8.5.68 failing on takeoff!
> 
> This is beyond my pay grade, I'm afraid. Hopefully somebody here has a clue
> what went wrong.
> 
> I installed Tomcat 8.5.68 on an AS/400 with Java 8, that had been running
> Tomcat 7 for years with no problems.
> 
> On launching Tomcat 8, if I try to connect to "manager" (the only context
> currently in Webapps), right after:
> 
> 02-Aug-2021 18:15:11.655 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 3271 ms
> 
> I'm getting
> 
> 02-Aug-2021 18:15:11.707 WARNING [main] org.apache.catalina.users.MemoryUserDatabase.open Exception configuring digester to permit java encoding names in XML files. Only IANA encoding names will be supported.
> org.xml.sax.SAXNotRecognizedException: Feature: https://urldefense.com/v3/__http://apache.org/xml/features/allow-java-encodings__;!!F9svGWnIaVPGSwU!9FyRcl2TpIK2uUGhl8znN39ty5Z8hd7W3zMEHabLBNJauJFSdGQX9Qyj1azOxNKQgopT690$
>   at org.apache.crimson.parser.XMLReaderImpl.setFeature(XMLReaderImpl.java:213)
>   at org.apache.crimson.jaxp.SAXParserImpl.setFeatures(SAXParserImpl.java:143)
>   at org.apache.crimson.jaxp.SAXParserImpl.<init>(SAXParserImpl.java:126)
>   at org.apache.crimson.jaxp.SAXParserFactoryImpl.newSAXParserImpl(SAXParserFactoryImpl.java:113)
>   at org.apache.crimson.jaxp.SAXParserFactoryImpl.setFeature(SAXParserFactoryImpl.java:141)
>   at org.apache.tomcat.util.digester.Digester.setFeature(Digester.java:526)
>   at org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:440)
>   at org.apache.catalina.users.MemoryUserDatabaseFactory.getObjectInstance(MemoryUserDatabaseFactory.java:105)
>   at org.apache.naming.factory.FactoryBase.getObjectInstance(FactoryBase.java:96)
>   at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:332)
>   at org.apache.naming.NamingContext.lookup(NamingContext.java:847)
>   at org.apache.naming.NamingContext.lookup(NamingContext.java:157)
>   at org.apache.naming.NamingContextBindingsEnumeration.nextElementInternal(NamingContextBindingsEnumeration.java:115)
>   at org.apache.naming.NamingContextBindingsEnumeration.next(NamingContextBindingsEnumeration.java:69)
>   at org.apache.naming.NamingContextBindingsEnumeration.next(NamingContextBindingsEnumeration.java:32)
>   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:131)
>   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:105)
>   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycleEvent(GlobalResourcesLifecycleListener.java:80)
>   at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>   at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>   at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>   at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:763)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>   at java.lang.reflect.Method.invoke(Method.java:508)
>   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap

RE: Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50 [OT]

2021-07-26 Thread jonmcalexander
Thank you Chris!!!



> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, July 26, 2021 4:23 PM
> To: Tomcat Users List ; Mark Thomas
> 
> Subject: Re: Strange incomplete response/truncation with Tomcat 9.0.48
> AND 9.0.50 [OT]
> 
> All,
> 
> On 7/23/21 11:27, Mark Thomas wrote:
> > On 23/07/2021 15:49, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Is there an estimated target date for release of 9.0.51
> >
> > Normally I'd say early August, some time in the first 2 weeks. But as
> > we are entering vacation season it might slip. It largely depends on
> > the release manager's availability.
> 
> I happen to be on vacation myself, but was still planning to do the
> 8.5.70 release around the first of the month.
> 
> If neither Mark nor Rémy are available, I could attempt to do the 9.0.51
> release as well.
> 
> -chris
> 
> >>> -Original Message-
> >>> From: Mark Thomas 
> >>> Sent: Friday, July 23, 2021 2:56 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Strange incomplete response/truncation with Tomcat
> >>> 9.0.48 AND 9.0.50
> >>>
> >>> On 22/07/2021 22:06, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> I have a team that is running into issues since version 9.0.48
> >>>> where they are receiving incomplete message responses from Tomcat
> >>>> when the request was made from WebLogic.
> >>>
> >>> Incomplete responses from 9.0.48 onwards. That sounds like a
> >>> recently fixed regression. That issue happened with TLS.
> >>>
> >>> 
> >>>
> >>>> *adrum.js:27 Error: Loading chunk 28 failed.*
> >>>>
> >>>> (timeout:
> >>>> https://.../.5af0fea300ccf52ff152.js)
> >>>
> >>> That looks like TLS is being used which is consistent with the
> >>> suspected root cause.
> >>>
> >>> 
> >>>
> >>>> *_Network level_* we are seeing *TCP Window Full* intermittently
> >>>> when this file transfer.
> >>>
> >>> This is also consistent with the likely root cause. The regression
> >>> was in the handling of incomplete writes.
> >>>
> >>> 
> >>>
> >>>> After some additional research we assume this issue is related to
> >>>> one of the known bugs listed in RedHat TC release notes
>   >>>
> doc/changelog.html__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgS
> >>> sgODh4HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCxxzKTSc$ >.
> 
> >>>> Fix:  Expand the unit tests for HttpServlet.doHead()
> >>>
> >>> Not an unreasonable guess but it looks to be an incorrect one.
> >>>
> >>> I always recommend looking at the open bugs and the changelog from
> >>> the CI system to see if the issue being observed has already been
> >>> reported (and possibly fixed).
> >>>
> >>> https://urldefense.com/v3/__https://ci.apache.org/projects/tomcat/to
> >>> mcat
> >>> -
> >>>
> 9.0.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDi
> >>> wpMgSsgODh4HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevC8PK9tLQ$
> >>>
> >>> This looks much more like bug 65448 to me:
> >>>
> https://urldefense.com/v3/__https://bz.apache.org/bugzilla/show_bug.cgi?
> >>>
> id=65448__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgSsgODh4HrE
> >>> hdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCqMV6SbI$
> >>>
> >>> 
> >>>
> >>>> Any help?
> >>>
> >>> The fix will be in 9.0.51.
> >>>
> >>> Snapshots (NOT formal releases) are available for testing from:
> >>> https://urldefense.com/v3/__https://repository.apache.org/content/gr
> >>> oup
> >>> s/snapshots/org/apache/tomcat/tomcat/9.0-
> >>>
> SNAPSHOT/__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgSsgODh4
> >>> HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCZcMI2B0$
> >>>
> >>> Usual caveats apply. These aren't releases. Use them entirely at
> >>> your own risk.
> >>>
> >>> In terms of a workaround, switching from NIO to NIO2 should avoid
> >>> the issue.
> >>>
> >>> Mark
> >>>
> >>> 
RE: Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50

2021-07-23 Thread jonmcalexander
Thanks Mark!



> -Original Message-
> From: Mark Thomas 
> Sent: Friday, July 23, 2021 10:27 AM
> To: users@tomcat.apache.org
> Subject: Re: Strange incomplete response/truncation with Tomcat 9.0.48
> AND 9.0.50
> 
> On 23/07/2021 15:49, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Is there an estimated target date for release of 9.0.51
> 
> Normally I'd say early August, some time in the first 2 weeks. But as we are
> entering vacation season it might slip. It largely depends on the release
> manager's availability.
> 
> Mark
> 
> 
> >
> >
> >> -Original Message-
> >> From: Mark Thomas 
> >> Sent: Friday, July 23, 2021 2:56 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Strange incomplete response/truncation with Tomcat
> >> 9.0.48 AND 9.0.50
> >>
> >> On 22/07/2021 22:06, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> I have a team that is running into issues since version 9.0.48 where
> >>> they are receiving incomplete message responses from Tomcat when
> the
> >>> request was made from WebLogic.
> >>
> >> Incomplete responses from 9.0.48 onwards. That sounds like a recently
> >> fixed regression. That issue happened with TLS.
> >>
> >> 
> >>
> >>> *adrum.js:27 Error: Loading chunk 28 failed.*
> >>>
> >>> (timeout:
> >>> https://.../.5af0fea300ccf52ff152.js)
> >>
> >> That looks like TLS is being used which is consistent with the
> >> suspected root cause.
> >>
> >> 
> >>
> >>> *_Network level_* we are seeing *TCP Window Full* intermittently
> >>> when this file transfer.
> >>
> >> This is also consistent with the likely root cause. The regression
> >> was in the handling of incomplete writes.
> >>
> >> 
> >>
> >>> After some additional research we assume this issue is related to
> >>> one of the known bugs listed in RedHat TC release notes
> >>>  >>
> doc/changelog.html__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgS
> >> sgODh4HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCxxzKTSc$ >.
> >>>
> >>> Fix:  Expand the unit tests for HttpServlet.doHead()
> >>
> >> Not an unreasonable guess but it looks to be an incorrect one.
> >>
> >> I always recommend looking at the open bugs and the changelog from
> >> the CI system to see if the issue being observed has already been
> >> reported (and possibly fixed).
> >>
> >>
> https://urldefense.com/v3/__https://ci.apache.org/projects/tomcat/tom
> >> cat
> >> -
> >>
> 9.0.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDi
> >> wpMgSsgODh4HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevC8PK9tLQ$
> >>
> >> This looks much more like bug 65448 to me:
> >>
> https://urldefense.com/v3/__https://bz.apache.org/bugzilla/show_bug.cgi?
> >>
> id=65448__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgSsgODh4HrE
> >> hdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCqMV6SbI$
> >>
> >> 
> >>
> >>> Any help?
> >>
> >> The fix will be in 9.0.51.
> >>
> >> Snapshots (NOT formal releases) are available for testing from:
> >> https://urldefense.com/v3/__https://repository.apache.org/content/gro
> >> up
> >> s/snapshots/org/apache/tomcat/tomcat/9.0-
> >>
> SNAPSHOT/__;!!F9svGWnIaVPGSwU

RE: Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50

2021-07-23 Thread jonmcalexander
Is there an estimated target date for release of 9.0.51


> -Original Message-
> From: Mark Thomas 
> Sent: Friday, July 23, 2021 2:56 AM
> To: users@tomcat.apache.org
> Subject: Re: Strange incomplete response/truncation with Tomcat 9.0.48
> AND 9.0.50
> 
> On 22/07/2021 22:06, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > I have a team that is running into issues since version 9.0.48 where
> > they are receiving incomplete message responses from Tomcat when the
> > request was made from WebLogic.
> 
> Incomplete responses from 9.0.48 onwards. That sounds like a recently fixed
> regression. That issue happened with TLS.
> 
> 
> 
> > *adrum.js:27 Error: Loading chunk 28 failed.*
> >
> > (timeout:
> > https://.../.5af0fea300ccf52ff152.js)
> 
> That looks like TLS is being used which is consistent with the suspected root
> cause.
> 
> 
> 
> > *_Network level_* we are seeing *TCP Window Full* intermittently when
> > this file transfer.
> 
> This is also consistent with the likely root cause. The regression was in the
> handling of incomplete writes.
> 
> 
> 
> > After some additional research we assume this issue is related to one
> > of the known bugs listed in RedHat TC release notes
> >  doc/changelog.html__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgS
> sgODh4HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCxxzKTSc$ >.
> >
> > Fix:  Expand the unit tests for HttpServlet.doHead()
> 
> Not an unreasonable guess but it looks to be an incorrect one.
> 
> I always recommend looking at the open bugs and the changelog from the CI
> system to see if the issue being observed has already been reported (and
> possibly fixed).
> 
> https://urldefense.com/v3/__https://ci.apache.org/projects/tomcat/tomcat
> -
> 9.0.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDi
> wpMgSsgODh4HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevC8PK9tLQ$
> 
> This looks much more like bug 65448 to me:
> https://urldefense.com/v3/__https://bz.apache.org/bugzilla/show_bug.cgi?
> id=65448__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgSsgODh4HrE
> hdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCqMV6SbI$
> 
> 
> 
> > Any help?
> 
> The fix will be in 9.0.51.
> 
> Snapshots (NOT formal releases) are available for testing from:
> https://urldefense.com/v3/__https://repository.apache.org/content/group
> s/snapshots/org/apache/tomcat/tomcat/9.0-
> SNAPSHOT/__;!!F9svGWnIaVPGSwU!69FyojmXXQigaRKpGDiwpMgSsgODh4
> HrEhdK9d8ZbHZsJjpqNcD2ZmKprbbGjevCZcMI2B0$
> 
> Usual caveats apply. These aren't releases. Use them entirely at your own
> risk.
> 
> In terms of a workaround, switching from NIO to NIO2 should avoid the
> issue.
> 
> Mark
> 



Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50

2021-07-22 Thread jonmcalexander
I have a team that is running into issues since version 9.0.48 where they are 
receiving incomplete message responses from Tomcat when the request was made 
from WebLogic. Here is the data I was provided:


it is breaking application files by truncating the files from source to 
destination which similar to our issue JS (javascript) file from App Server to 
App F5 to Web server. It is giving below error and it is working fine with 
9.0.46 when we revert and not working with 9.0.48/9.0.50 versions.


adrum.js:27 Error: Loading chunk 28 failed.
(timeout: https://.../.5af0fea300ccf52ff152.js)
at c (app.bundle.5af0fea300ccf52ff152.js:1)
at app.bundle.5af0fea300ccf52ff152.js:1
(anonymous) @ adrum.js:27
eu @ app.bundle.5af0fea300ccf52ff152.js:56
n.callback @ app.bundle.5af0fea300ccf52ff152.js:56
pa @ app.bundle.5af0fea300ccf52ff152.js:56
au @ app.bundle.5af0fea300ccf52ff152.js:56
dc @ app.bundle.5af0fea300ccf52ff152.js:56
t.unstable_runWithPriority @ app.bundle.5af0fea300ccf52ff152.js:64
Wo @ app.bundle.5af0fea300ccf52ff152.js:56
pc @ app.bundle.5af0fea300ccf52ff152.js:56
Xu @ app.bundle.5af0fea300ccf52ff152.js:56
(anonymous) @ app.bundle.5af0fea300ccf52ff152.js:56

Network level we are seeing TCP Window Full intermittently when this file 
transfer.

We also have this information:
Detailed Problem:
Tomcat version 9.0.48 started to cause production issues in A and W apps (and 
possibly others).

After some additional research we assume this issue is related to one of the 
known bugs listed in RedHat TC release 
notes.
[Fix:] Expand the unit tests for HttpServlet.doHead() and correct the flushing 
of the response buffer. The buffer used to behave as if it was one byte smaller 
than the configured size. The buffer was flushed (and the response committed if 
required) when the buffer was full. The buffer is now flushed (and the response 
committed if required) if the buffer is full and there is more data to write. 
(markt)



As stated above, 9.0.46 appears to work, but .48 and .50 are both broke.

Any help?




RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS

2021-07-12 Thread jonmcalexander
Corrected Numbers. Subtract 3667 desktops from the 8.5.64 numbers.



8.5.64

DISCOVERED_VERSION    (Multiple Items)
ASSET_CLAS_DS         DESKTOP

Row Labels                                        Count of CI_NM_HOST
(blank)                                           3667
Grand Total                                       3667

Distributed Servers:

DISCOVERED_VERSION    (Multiple Items)
ASSET_CLAS_DS         DISTRIBUTED SERVERS

Row Labels                                        Count of CI_NM_HOST
CICCT-IVR-TECH                                    2
COMMONCHANNELINFRASTRUCTURE                       6
CSG-DISTRIBUTEDSUPPORT                            4
EFT-PLATMGMT-HROPERATIONSUPPOR                    3
EFT-SPECSVCS-FINANCIALS;FST-SYSTEMARCHITECTURE    1
EIS-IPT-INFRACRYPTO;PLATMGMT-MWS-SERVICES         1
EPA-EBSPRODUCTIONAVAIL                            1
FST-SYSTEMARCHITECTURE                            1
NOMIDDLEWARE                                      110
NOMIDDLEWARE;PLATMGMT-MWS-SERVICES                1
PAC2000DEVELOPMENT                                31
PAC2000-PLATFORMSUPPORT                           1
PLATMGMT-MWS-SERVICES                             52
PLATMGMT-MWS-SERVICES;ITECH-DOCUMENTUMSERVICES    9
QUALITYASSURANCE-INFRA                            1
WFFISTHIRDPARTYAPPS                               3
WHLSEQFINFOLEASE                                  1
WHLSTECHFXENGINEERING                             7
WHLSTECHWMSMWSPECIALTYSVCS                        1
WHLSWFGATEWAY                                     3
WHLSWFSCACHESERVICES                              2
WHLSWFSPLANTMWSERVICES                            1
(blank)                                           30
Grand Total                                       272


9.0.44

0 desktops

Distributed Servers:

DISCOVERED_VERSION    (Multiple Items)
ASSET_CLAS_DS         DISTRIBUTED SERVERS

Row Labels                                        Count of CI_NM_HOST
EFT-SPECSVCS-FINANCIALS;FST-SYSTEMARCHITECTURE    4
EIS-IPT-INFRACRYPTO;PLATMGMT-MWS-SERVICES         2
EPR-TECH-TOOLS                                    4
FST-SYSTEMARCHITECTURE                            2
INTERNET.BANKING                                  119
INTERNET.BANKING;NOMIDDLEWARE                     2
ISD-CONFIGURATIONMANAGEMENT                       124
NOMIDDLEWARE                                      38
NOMIDDLEWARE;INTERNET.BANKING                     2
PLATMGMT-MWS-SERVICES                             16
WHLSTECHCRISP                                     1
WHLSWFSCACHESERVICES                              3
WHLSWFSFIDATASERVICES                             1
(blank)                                           8
Grand Total                                       326




Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com






> -Original Message-
> From: Mark Thomas
> Sent: Monday, July 12, 2021 8:03 AM
> To: Tomcat Users List
> Cc: annou...@tomcat.apache.org; annou...@apache.org; Tomcat
> Developers List
> Subject: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
> Importance: High
>
> CVE-2021-30639 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.3 to 10.0.4
> Apache Tomcat 9.0.44
> Apache Tomcat 8.5.64
>
> Description:
> An error introduced as part of a change to improve error handling during
> non-blocking I/O meant that the error flag associated with the Request
> object was not reset between requests. This meant that once a non-blocking
> I/O error occurred, all future requests handled by that request object would
> fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a
> connection, thereby creating the possibility of triggering a DoS.
> Applications that do not use non-blocking I/O are not exposed to this
> vulnerability.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.5 or later
> - Upgrade to Apache Tomcat 9.0.45 or later
> - Upgrade to Apache Tomcat 8.5.65 or later
>
> History:
> 2021-07-12 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
RE: CATALINA_OPTS vs JAVA_OPTS

2021-06-16 Thread jonmcalexander
Thanks Chris!

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, June 16, 2021 3:48 PM
> To: users@tomcat.apache.org
> Subject: Re: CATALINA_OPTS vs JAVA_OPTS
> Importance: Low
> 
> Jon,
> 
> On 6/16/21 14:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, so this is a really good explanation. However, when setting up in
> > Windows as a Service, does the JAVA_OPTIONS in the Registry go in as
> > JAVA_OPTS or CATALINA_OPTS? Is there a way to have separate
> > CATALINA_OPTS for Tomcat Windows Services?
> 
> It's more complicated than you are making it seem.
> 
> If you use service.bat to create your Windows Service definition, then the
> effective CATALINA_OPTS and JAVA_OPTS environment variable values
> within the shell at the time you call bin\service.bat will have the intended
> effect: they will combine and set the values which go into the registry for
> that Service. When you launch the service, the (current) values of
> CATALINA_OPTS and JAVA_OPTS, if they exist, are completely ignored
> because the Service definition captured them at creation-time.
> 
> If you want to alter them, you can either set their values again, and
> delete/re-create the service using bin\service.bat or you can use
> tomcatXw.exe to edit the service values directly.
> 
> You have to remember that Windows, while supporting environment
> variables nearly through-and-through, essentially encourages all self-
> respecting Windows admins to ignore those environment variables.
> Everything is done through the registry and so the Tomcat config scripts
> attempt to bridge the gap between the gray beard UNIX admins who are
> used to things like CATALINA_OPTS and JAVA_OPTS and whatnot and the
> Windows admins who have an entirely different mental-model of system
> services.
> 
> It's a neat little hack IMHO: let the CLI warriors set environment variables
> and create a Service. The Service captures those values into the more
> Windowsey paradigm, and off you go. And none of the Windows admins
> have to bother themselves with environment variables.
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz
> >> Sent: Wednesday, June 16, 2021 11:14 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: CATALINA_OPTS vs JAVA_OPTS
> >>
> >> Noelette,
> >>
> >> On 6/16/21 11:29, Noelette Stout wrote:
> >>> Thanks! I was mostly trying to figure out if there was precedence or
> >>> if it was additive (i.e. 2GB to tomcat itself and another 2GB to the
> >>> apps). We're having some resource issues on one of our servers, so I
> >>> wanted to make sure I understood how the resources were being
> >> allocated.
> >>
> >> No additivity at all: the last one on the command-line wins. There is
> >> no heap separation between Tomcat and the applications: it's
> >> one(ish) big, happy heap. :)
> >>
> >> A note about CATALINA_OPTS versus JAVA_OPTS: when you use the various
> >> scripts provided by Tomcat, CATALINA_OPTS is only used when launching
> >> a Tomcat instance. JAVA_OPTS is used when launching *any* Java
> >> process. There are many Java processes those scripts will launch that
> >> aren't actually launching Tomcat. Examples include:
> >>
> >> 1. catalina.sh configtest
> >> 2. catalina.sh stop (also shutdown.sh)
> >> 3. catalina.sh version
> >> 4. tool-wrapper.sh [anything]
> >>
> >> In all of those cases, JAVA_OPTS will be passed to the JVM.
> >>
> >> Do you really need a 2 gig heap to send a "shutdown" command to a
> >> running server? Probably not.
> >>
> >> -chris
> >>
> >>> On Wed, Jun 16, 2021 at 9:17 AM Rob Sargent 
> >> wrote:
> >>>
> 
> 
>  On 6/16/21 9:06 AM, Noelette Stout wrote:
> > openjdk version "1.8.0_292"
> >
> >
> > On Wed, Jun 16, 2021 at 9:04 AM Rob Sargent
> > 
>  wrote:
> >
> >
>  Both as for the same minimum so you should get 2G at start up.
>  I'm not sure which has precedency but I would be on java opt.
>  I don't have a catalina env, but you can see how CATALINA_OPTS is
>  used in relationship with JAVA_OPTS
> 
> 
>  
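
An added example (not from the thread and not Tomcat's own code): a small model of the behaviour described in the quoted replies, showing which launches see CATALINA_OPTS, that the last -Xms/-Xmx on the command line wins, and that a service definition keeps the values captured at creation time. Assumptions: JAVA_OPTS is placed before CATALINA_OPTS on the command line, "start" and "run" stand for the actions that launch a Tomcat instance, and the sample option values are constructed.

```python
import re
import shlex

GIB = 1024 ** 3

# Actions that launch a Tomcat instance receive JAVA_OPTS and CATALINA_OPTS.
TOMCAT_LAUNCH = {"start", "run"}
# Helper JVMs named in the thread receive JAVA_OPTS only.
JAVA_ONLY = {"stop", "configtest", "version"}

_HEAP_RE = re.compile(r"^-(Xms|Xmx)(\d+)([kKmMgG]?)$")
_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": GIB}


def effective_args(action, env):
    """JVM options one script action would pass, given the environment.

    Assumption: JAVA_OPTS comes first and CATALINA_OPTS is appended after it.
    """
    if action not in TOMCAT_LAUNCH | JAVA_ONLY:
        raise ValueError("unknown action: %r" % action)
    args = shlex.split(env.get("JAVA_OPTS", ""))
    if action in TOMCAT_LAUNCH:
        args += shlex.split(env.get("CATALINA_OPTS", ""))
    return args


def heap_settings(args):
    """Resolve -Xms/-Xmx in bytes: a later flag overwrites an earlier one,
    so the two variables never add up to a bigger heap."""
    heap = {}
    for arg in args:
        match = _HEAP_RE.match(arg)
        if match:
            flag, number, unit = match.groups()
            heap[flag] = int(number) * _UNIT[unit.lower()]
    return heap


class ServiceDefinition:
    """Model of a Windows service definition as described in the reply:
    the options are captured once, when the service is created."""

    def __init__(self, env_at_creation):
        self.captured = tuple(effective_args("start", env_at_creation))

    def launch_args(self, current_env):
        # current_env is ignored on purpose: later changes to JAVA_OPTS or
        # CATALINA_OPTS do not reach a service that already exists.
        return list(self.captured)


def heap_report(env):
    """Map each action to its resolved maximum heap in GiB (None if unset)."""
    report = {}
    for action in sorted(TOMCAT_LAUNCH | JAVA_ONLY):
        xmx = heap_settings(effective_args(action, env)).get("Xmx")
        report[action] = None if xmx is None else xmx / GIB
    return report


# Constructed sample values.
SAMPLE_ENV = {
    "JAVA_OPTS": "-Xms2g -Xmx2g",
    "CATALINA_OPTS": "-Xmx4g -Dexample.flag=true",
}

if __name__ == "__main__":
    for action, gib in heap_report(SAMPLE_ENV).items():
        print("%-10s max heap: %s GiB" % (action, gib))
    service = ServiceDefinition(SAMPLE_ENV)
    print("service:", service.launch_args({"JAVA_OPTS": "-Xmx8g"}))
```

With the sample values, the Tomcat instance runs with a 4 GiB maximum heap while `stop`, `configtest` and `version` each start a JVM sized by JAVA_OPTS alone.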

RE: CATALINA_OPTS vs JAVA_OPTS

2021-06-16 Thread jonmcalexander
Yes, but ultimately it is running Java, so was curious. Is there even a need of 
both when running as a Windows service? These are probably "duh" questions, but 
just want to fully "get it".

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



> -Original Message-
> From: Olaf Kock 
> Sent: Wednesday, June 16, 2021 1:45 PM
> To: users@tomcat.apache.org
> Subject: Re: CATALINA_OPTS vs JAVA_OPTS
> 
> Service configurations are service configurations. You won't run the other
> options as service, so those are for the JVM that is used for the service. And
> I'm not aware that a service is stopped as the command line version. At least
> I'd hope so - a standard JVM would be good enough, if the start/stop
> mechanism not handled in the windows executable anyway.
> 
> Note: This is dangerous half-knowledge. I haven't been on Windows for
> ages, just read about it still being around from time to time.
> 
> CATALINA_OPTS is utilized by the startup batch/script file, which is not used
> for services /at all/.
> 
> Olaf
> 
> On 16.06.21 20:31, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ok, so this is a really good explanation. However, when setting up in
> Windows as a Service, does the JAVA_OPTIONS in the Registry go in as
> JAVA_OPTS or CATALINA_OPTS? Is there a way to have separate
> CATALINA_OPTS for Tomcat Windows Services?
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Infrastructure Engineer
> > Asst Vice President
> >
> > Middleware Product Engineering
> > Enterprise CIO | Platform Services | Middleware | Infrastructure
> > Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> >
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Wednesday, June 16, 2021 11:14 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: CATALINA_OPTS vs JAVA_OPTS
> >>
> >> Noelette,
> >>
> >> On 6/16/21 11:29, Noelette Stout wrote:
> >>> Thanks! I was mostly trying to figure out if there was precedence or
> >>> if it was additive (i.e. 2GB to tomcat itself and another 2GB to the
> >>> apps). We're having some resource issues on one of our servers, so I
> >>> wanted to make sure I understood how the resources were being
> >> allocated.
> >>
> >> No additivity at all: the last one on the command-line wins. There is
> >> no heap separation between Tomcat and the applications: it's one(ish)
> >> big, happy heap. :)
> >>
> >> A note about CATALINA_OPTS versus JAVA_OPTS: when you use the various
> >> scripts provided by Tomcat, CATALINA_OPTS is only used when launching
> >> a Tomcat instance. JAVA_OPTS is used when launching *any* Java process.
> >> There are many Java processes those scripts will launch that aren't
> >> actually launching Tomcat. Examples include:
> >>
> >> 1. catalina.sh configtest
> >> 2. catalina.sh stop (also shutdown.sh)
> >> 3. catalina.sh version
> >> 4. tool-wrapper.sh [anything]
> >>
> >> In all of those cases, JAVA_OPTS will be passed to the JVM.
> >>
> >> Do you really need a 2 gig heap to send a "shutdown" command to a
> >> running server? Probably not.
> >>
> >> -chris
> >>
> >>> On Wed, Jun 16, 2021 at 9:17 AM Rob Sargent 
> >> wrote:
> 
>  On 6/16/21 9:06 AM, Noelette Stout wrote:
> > openjdk version "1.8.0_292"
> >
> >
> > On Wed, Jun 16, 2021 at 9:04 AM Rob Sargent
> > 
>  wrote:
> >
>  Both as for the same minimum so you should get 2G at start up.  I'm
>  not

RE: CATALINA_OPTS vs JAVA_OPTS

2021-06-16 Thread jonmcalexander
Ok, so this is a really good explanation. However, when setting up in Windows 
as a Service, does the JAVA_OPTIONS in the Registry go in as JAVA_OPTS or 
CATALINA_OPTS? Is there a way to have separate CATALINA_OPTS for Tomcat Windows 
Services?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, June 16, 2021 11:14 AM
> To: users@tomcat.apache.org
> Subject: Re: CATALINA_OPTS vs JAVA_OPTS
> 
> Noelette,
> 
> On 6/16/21 11:29, Noelette Stout wrote:
> > Thanks! I was mostly trying to figure out if there was precedence or
> > if it was additive (i.e. 2GB to tomcat itself and another 2GB to the
> > apps). We're having some resource issues on one of our servers, so I
> > wanted to make sure I understood how the resources were being
> allocated.
> 
> No additivity at all: the last one on the command-line wins. There is no heap
> separation between Tomcat and the applications: it's one(ish) big, happy
> heap. :)
> 
> A note about CATALINA_OPTS versus JAVA_OPTS: when you use the various
> scripts provided by Tomcat, CATALINA_OPTS is only used when launching a
> Tomcat instance. JAVA_OPTS is used when launching *any* Java process.
> There are many Java processes those scripts will launch that aren't actually
> launching Tomcat. Examples include:
> 
> 1. catalina.sh configtest
> 2. catalina.sh stop (also shutdown.sh)
> 3. catalina.sh version
> 4. tool-wrapper.sh [anything]
> 
> In all of those cases, JAVA_OPTS will be passed to the JVM.
> 
> Do you really need a 2 gig heap to send a "shutdown" command to a running
> server? Probably not.
> 
> -chris
> 
> > On Wed, Jun 16, 2021 at 9:17 AM Rob Sargent 
> wrote:
> >
> >>
> >>
> >> On 6/16/21 9:06 AM, Noelette Stout wrote:
> >>> openjdk version "1.8.0_292"
> >>>
> >>>
> >>> On Wed, Jun 16, 2021 at 9:04 AM Rob Sargent 
> >> wrote:
> >>>
> >>>
> >> Both as for the same minimum so you should get 2G at start up.  I'm
> >> not sure which has precedency but I would be on java opt.  I don't
> >> have a catalina env, but you can see how CATALINA_OPTS is used in
> >> relationship with JAVA_OPTS
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org





RE: Strange connection error

2021-06-10 Thread jonmcalexander
Is it a cipher issue? (noting the handshake issue). Did you also upgrade the 
Java at the same time?

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



> -Original Message-
> From: Mark A. Claassen 
> Sent: Thursday, June 10, 2021 10:38 AM
> To: users@tomcat.apache.org
> Subject: Strange connection error
> 
> I just upgraded from 9.0.12 to 9.0.46.  Everything seemed to go pretty
> smoothly, but I am getting a strange connection error from certain
> connections
> 
> We have several different things that connect to the webserver.  Browsers
> connect fine.  We have a monitoring script in Perl that works fine.  However,
> a Java program, which worked fine under the old version of tomcat, can no
> longer connect.
> 
> The access log prints out very odd information.  Right now it is configured as:
> pattern="%{-MM-dd HH:mm:ss}t %H %h %m "%U"
> "%q" STATUS(%s) BYTES(%b) "%{User-Agent}i"
> "%{Referer}i" %I"/>
> 
> However the output for this failed connection is:
>   2021-06-10 11:21:19 null [[Actual IP address]] null "null" "" STATUS(400) BYTES(-) "-" "-" null
> All other connections show in the access log as I would expect.
> 
> Does anyone have any idea what is going on here?
> -
> Extra Information:
> - I am using the APR connector and OpenSSL.
> - I did not recompile any of the native libraries; they are still using the
> ones from 9.0.12.
> - We have an Apache webserver we use as a reverse proxy.  When
> connecting through that, things work.
> 
> - Wireshark has this to say about the failure:
> 
>   TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake
> Failure)
>   Content Type: Alert (21)
>   Length: 2
>   Alert Message
>   Level: Fatal (2)
>   Description: Handshake Failure (40)
> Thanks for your time,
> Mark
> 
> ---
> Mark Claassen
> Senior Software Engineer
> 
> Donnell Systems, Inc.
> 130 South Main Street
> Leighton Plaza Suite 375
> South Bend, IN  46601
> E-mail: mailto:mclaas...@ocie.net
> Voice: (574)232-3784
> Fax: (574)232-4014
> 
> Disclaimer:
> The opinions provided herein do not necessarily state or reflect those of
> Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal
> liability or responsibility for the posting.
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
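
An added example (not part of the original post): a parser for the TLS record that the Wireshark summary in the quoted message describes, so the same alert can be decoded from raw capture bytes. The sample bytes are constructed from the fields shown there (content type 21, TLSv1.2, length 2, level 2, description 40), and the short hints are paraphrased from the TLS specification.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}
# What the sender of the alert is reporting, for the codes most often seen
# when a client stops connecting after a server or JVM upgrade.
HINTS = {
    "handshake_failure": "no acceptable set of security parameters "
                         "(for example no shared cipher suite)",
    "protocol_version": "offered protocol version not supported",
    "insufficient_security": "offered ciphers weaker than the peer requires",
}


def decode_alert(body):
    """Decode the 2-byte body of a plaintext alert record."""
    if len(body) != 2:
        # Alerts sent after the key change are encrypted and cannot be read.
        return {"encrypted": True}
    level, code = body
    name = ALERT_DESCRIPTIONS.get(code, "unknown(%d)" % code)
    return {"encrypted": False,
            "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "code": code,
            "description": name,
            "hint": HINTS.get(name)}


def parse_tls_records(data):
    """Split a byte string into TLS records and decode any alerts.

    Raises ValueError on a truncated header or body instead of guessing.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        record = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                  "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
                  "length": length}
        if ctype == 21:
            record["alert"] = decode_alert(body)
        records.append(record)
        offset += 5 + length
    return records


# Constructed from the Wireshark fields quoted above:
# type 0x15 (alert), version 0x0303, length 2, level 2 (fatal), code 40.
SAMPLE_ALERT = bytes.fromhex("15030300020228")

if __name__ == "__main__":
    for rec in parse_tls_records(SAMPLE_ALERT):
        print(rec)
```

The alert names only what the sending side gave up on; which parameter failed to match still has to come from comparing the client's offered versions and cipher suites with the connector's configuration.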





RE: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-26 Thread jonmcalexander
And when that isn't good enough for your senior management, take a look at the 
Tomcat Vault in GitHub. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: xcorpius 
> Sent: Monday, April 26, 2021 8:36 AM
> To: users@tomcat.apache.org
> Subject: Re: Question about encrypting database passwords in the
> context.xml file - Tomcat 9
> 
> Thanks Olaf
> 
> Original message
> On 26 Apr 2021 14:02, Olaf Kock wrote:
> 
> > On 26.04.21 13:10, xcorpius wrote:
> >> Hi,
> >>
> >> I wanted to ask about how to encrypt database passwords in the
> context.xml file in Tomcat 9.
> >>
> > Hi,
> >
> > please check this article:
> >
> > https://cwiki.apache.org/confluence/display/TOMCAT/Password
> >
> > It covers the topic once and for all...
> >
> > Olaf
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org


RE: Tomcat 9.0

2021-04-07 Thread jonmcalexander
Tomcat 9.0.45 was released on 4/6/2021.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: Mohamed Eliyas Abdul Kadar 
> Sent: Wednesday, April 7, 2021 7:24 PM
> To: users@tomcat.apache.org
> Subject: Tomcat 9.0
> 
> Hi All
> I am planning to use Tomcat for my development server. Initially we planned
> to go with version Tomcat 9.0.41. Now I see newer versions are released on
> top of that and see the latest version is Tomcat 9.0.45. Please let me know if
> there is any major fix of Tomcat 9.0.41 made on higher versions or we are
> good with Tomcat 9.0.44 as Tomcat 9.0.45 is not having any release date.
> 
> Regards
> Eliyas
> This communication and its attachments contain confidential information and
> is intended only for the named addressee. If you are not the named
> addressee you should not disseminate, distribute or copy this
> communication. Please notify the sender immediately if you have received
> this communication by mistake and delete or destroy this communication.
> Communications cannot be guaranteed to be secured or error-free as
> information could be intercepted, corrupted, lost, destroyed, arrive late or
> incomplete, or contain viruses. The sender therefore does not accept liability
> for any errors or omissions in the contents of this communication which arise
> as a result of transmission. If verification is required please request a
> hard-copy version. NeoGenomics Laboratories, 12701 Commonwealth Dr, Fort
> Myers, FL 33913, http://www.neogenomics.com (2021)




RE: Looking for useless information. :-)

2021-03-07 Thread jonmcalexander
Thanks everyone!!!

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



> -Original Message-
> From: Greg Huber 
> Sent: Saturday, March 6, 2021 2:16 AM
> To: users@tomcat.apache.org
> Subject: Re: Looking for useless information. :-)
> 
> According to my Wrox Professional Apache Tomcat c2002,
> 
> The first version of Tomcat was the 3.x series, and it served as the reference
> implementations of the Servlet 2.2 and JSP 1.1 specifications.  The Tomcat 3.x
> series was descended from the original code Sun provided to the ASF in 1999.
> 
> In 2001, Tomcat 4.0 (codenamed Catalina) was released, and was a complete
> redesign of the Tomcat architecture and had a new code base. The Tomcat
> 4.x series, is the reference implementation of the Servlet
> 2.3 and JSP 1.2 specifications.
> 
> ...Seems like yesterday ;-)
> 
> On 05/03/2021 21:59, Gavin McDonald wrote:
> > Back then, as part of the Jakarta project, I believe it was 19th April
> > 2000
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org



Looking for useless information. :-)

2021-03-05 Thread jonmcalexander
Hi All.

I have a team hounding me for the release date of Tomcat 3.1 and I'm not able 
to find it so far. Anyone remember this ancient history?

Thanks,


Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com




RE: [ANN] Apache Tomcat 7.0.108 released

2021-02-08 Thread jonmcalexander
We are getting the firewall error again like we did once last year, stating 
that it's blacklisted.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



> -Original Message-
> From: Violeta Georgieva 
> Sent: Monday, February 8, 2021 3:21 AM
> To: Tomcat Users List ; Tomcat Developers List
> ; annou...@tomcat.apache.org;
> annou...@apache.org
> Subject: [ANN] Apache Tomcat 7.0.108 released
> Importance: High
> 
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 7.0.108.
> 
> Apache Tomcat is an open source software implementation of the Java Servlet,
> JavaServer Pages, Java Expression Language and Java WebSocket technologies.
> 
> This release contains a number of bug fixes and improvements compared to
> version 7.0.107. The notable changes since 7.0.107 include:
> 
> 
> - Fix a potential file descriptor leak when WebSocket connections are
>   attempted and fail. Patch provided by Maurizio Adami.
> 
> 
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
> 
> Apache Tomcat website:
> http://tomcat.apache.org
> 
> Downloads:
> http://tomcat.apache.org/download-70.cgi
> 
> Migration guides from Apache Tomcat 5.5.x and 6.0.x:
> http://tomcat.apache.org/migration.html
> 
> Enjoy
> 
> The Apache Tomcat team


RE: Tomcat end-point Client certificate issue

2021-02-08 Thread jonmcalexander
They responded they are not using TLS session tickets, not to their knowledge.


Sent with BlackBerry Work (www.blackberry.com)

From: Mark Thomas 
Sent: Feb 6, 2021 2:39 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat end-point Client certificate issue

On 05/02/2021 22:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Hey everybody,
>
> Anyone run into an error or warning like this before? App team is using 
> Tomcat 9.0.37.
>
> 
>
> [05/02/2021 14:34:14:702 ] [] WARN  
> com...xxx.SearchCriteriaEnhancedController 
> SearchCriteriaEnhancedAction::actionExecute CAS Query WS returned Fault. 
> Details:   FaultCode='Server.InternalError' FaultReasonText='Unable to CAAPI 
> validate certificate - array null' FaultActor='1CAV' AdviceText='null' 
> FaultSubcode='null' 
> TechnicalText='org.apache.commons.httpclient.auth.AuthenticationException: 
> Unable to CAAPI validate certificate - array null' Severity='ERROR' 
> FaultType='SYSTEM' EmbeddedException='null'

If this is an error message logged on Tomcat from a CAS installation
that failed to validate a client certificate I'd guess that the client
certificate chain wasn't available. Maybe because TLS session tickets
were being used?

Mark




RE: Tomcat end-point Client certificate issue

2021-02-07 Thread jonmcalexander
I will check with the development team. 

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


> -Original Message-
> From: Mark Thomas 
> Sent: Saturday, February 6, 2021 2:38 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat end-point Client certificate issue
> 
> On 05/02/2021 22:47, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hey everybody,
> >
> > Anyone run into an error or warning like this before? App team is using
> > Tomcat 9.0.37.
> >
> > 
> >
> > [05/02/2021 14:34:14:702 ] [] WARN
> com...xxx.SearchCriteriaEnhancedController
> SearchCriteriaEnhancedAction::actionExecute CAS Query WS returned Fault.
> Details:   FaultCode='Server.InternalError' FaultReasonText='Unable to CAAPI
> validate certificate - array null' FaultActor='1CAV' AdviceText='null'
> FaultSubcode='null'
> TechnicalText='org.apache.commons.httpclient.auth.AuthenticationException:
> Unable to CAAPI validate certificate - array null' Severity='ERROR'
> FaultType='SYSTEM' EmbeddedException='null'
> 
> If this is an error message logged on Tomcat from a CAS installation that
> failed to validate a client certificate I'd guess that the client certificate
> chain wasn't available. Maybe because TLS session tickets were being used?
> 
> Mark
> 



Tomcat end-point Client certificate issue

2021-02-05 Thread jonmcalexander
Hey everybody,

Anyone run into an error or warning like this before? App team is using Tomcat 
9.0.37.



[05/02/2021 14:34:14:702 ] [] WARN  
com...xxx.SearchCriteriaEnhancedController 
SearchCriteriaEnhancedAction::actionExecute CAS Query WS returned Fault. 
Details:   FaultCode='Server.InternalError' FaultReasonText='Unable to CAAPI 
validate certificate - array null' FaultActor='1CAV' AdviceText='null' 
FaultSubcode='null' 
TechnicalText='org.apache.commons.httpclient.auth.AuthenticationException: 
Unable to CAAPI validate certificate - array null' Severity='ERROR' 
FaultType='SYSTEM' EmbeddedException='null'

Thanks,





RE: random 400 errors

2020-11-24 Thread jonmcalexander
Thank you! I will pass this on to the app team.



From: Mark Thomas 
Sent: Nov 24, 2020 3:14 AM
To: users@tomcat.apache.org
Subject: Re: random 400 errors

On 24/11/2020 04:04, jonmcalexan...@wellsfargo.com.INVALID wrote:



> If-None-Match:
>
> W/"1898-1605014636000"-gzip

That etag is not valid. It should be:

W/"1898-1605014636000-gzip"

Do you know what component is generating that? A compression filter maybe?

I did wonder if it was Tomcat but I haven't found any code where Tomcat
appends "-gzip" to an existing etag but I am still looking.

Mark




random 400 errors

2020-11-23 Thread jonmcalexander
Hi Gurus

I have an application team having a strange issue post upgrade to Tomcat 8.5.58 
and/or 8.5.59 (Happens with both) from Tomcat 8.5.57. See below:

"We are seeing an issue in our application where, after upgrading from Tomcat 
8.5.57 to 8.5.58 or 8.5.59, it randomly throws a 400 error for the URL below. 
There are no changes except the upgrade, and it works sometimes and sometimes 
it does not and throws 400. Switching back to 8.5.57 ensures it works fine all 
the time.

logo.png

From changelog on 8.5.58 I see below

[*]   Improve the validation of entity tags provided with conditional 
requests. Requests with headers that contain invalid entity tags will be 
rejected with a 400 response code. Improve the matching algorithm used to 
compare entity tags in conditional requests with the entity tag for the 
requested resource. Based on a pull request by Sergey Ponomarev. (markt)
"

I have removed most of the name of the item giving the 400 error, but it's an 
image. Some additional information:  NOTE: Some information "redacted" for 
safety.

Header for good and bad one below.
Good one:
-logo.png
Request Method: GET
Status Code: 200
Remote Address: :443
Referrer Policy: strict-origin-when-cross-origin

Response Headers
Accept-Ranges: bytes
Access-Control-Allow-Origin:
Cache-Control: max-age=604800
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: image/png
Date: Mon, 23 Nov 2020 23:30:57 GMT
ETag: W/"1898-1605014636000"-gzip
Keep-Alive: timeout=15, max=100
Last-Modified: Tue, 10 Nov 2020 13:23:56 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie:
PS_DEVICEFEATURES=width:1920 height:1080 pixelratio:1 touch:0 geolocation:1 
websockets:1 webworkers:1 datepicker:1 dtpicker:1 timepicker:1 dnd:1 
sessionstorage:1 localstorage:1 history:1 canvas:1 svg:1 postmessage:1 hc:0 
maf:0; 
=!zmR+O5lInwZQScXFysvE+ZLmn/jZYOMljJRe6zpgTCqT1vq+Nsi6whR90o96mjEzY6eOCcA5+5bBMok=;
 
TS018aedd4=01f75e3a42044ffe4dec9dc58b085c5a587774d7d2291f65cc51c81218d60ff777ac912d6f4623836387cb50a5a4efe34d97b8ea8db7d92d4565c18fd52b1e5ae176edaa99;
 =!heE/SoIWn1XzFTnFysvE+ZLmn/jZYPwJaUx/NLmU09FX5SfwbV5ltQ7zTaDlkj3KsURmBocfo4UBEA==
Host: .com
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 1

Failed one:
-logo.png
Request Method: GET
Status Code: 400
Remote Address: :443
Referrer Policy: strict-origin-when-cross-origin

Response Headers
Access-Control-Allow-Origin:
Cache-Control: max-age=604800
Content-Language: en
Content-Length: 762
Content-Type: text/html;charset=utf-8
Date: Mon, 23 Nov 2020 23:30:06 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Cnection: close
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie:
PS_DEVICEFEATURES=width:1920 height:1080 pixelratio:1 touch:0 geolocation:1 
websockets:1 webworkers:1 datepicker:1 dtpicker:1 timepicker:1 dnd:1 
sessionstorage:1 localstorage:1 history:1 canvas:1 svg:1 postmessage:1 hc:0 
maf:0; 
=!zmR+O5lInwZQScXFysvE+ZLmn/jZYOMljJRe6zpgTCqT1vq+Nsi6whR90o96mjEzY6eOCcA5+5bBMok=;
 
TS018aedd4=01f75e3a42044ffe4dec9dc58b085c5a587774d7d2291f65cc51c81218d60ff777ac912d6f4623836387cb50a5a4efe34d97b8ea8db7d92d4565c18fd52b1e5ae176edaa99;
 =!heE/SoIWn1XzFTnFysvE+ZLmn/jZYPwJaUx/NLmU09FX5SfwbV5ltQ7zTaDlkj3KsURmBocfo4UBEA==
Host: wellsfargo.com
If-Modified-Since: Tue, 10 Nov 2020 13:23:56 GMT
If-None-Match: W/"1898-1605014636000"-gzip
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Saf


Any assistance would be greatly appreciated.
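
The entity-tag check this thread turns on, as an added example (not code from the post, from Tomcat, or from any list member): a Python parser for the RFC 7232 entity-tag grammar that shows why a `-gzip` suffix placed after the closing quote makes the field malformed, while the same suffix inside the quotes is accepted. The function names, the simplified 400/304/200 model and the sample headers are assumptions, constructed from the values quoted above.

```python
import re

# RFC 7232 section 2.3:
#   entity-tag = [ "W/" ] DQUOTE *etagc DQUOTE
#   etagc      = %x21 / %x23-7E / obs-text   (no DQUOTE, space or controls)
_ENTITY_TAG = re.compile(r'(W/)?"([\x21\x23-\x7e\x80-\xff]*)"')
_SEPARATOR = re.compile(r'[ \t]*,[ \t]*')


def parse_entity_tags(header_value):
    """Parse an If-None-Match / If-Match field value.

    Returns "*" for the wildcard, a list of (is_weak, opaque) tuples for a
    well-formed list, or None when any part of the value is malformed.
    """
    value = header_value.strip(" \t")
    if value == "*":
        return "*"
    tags, pos, end = [], 0, len(value)
    while pos < end:
        tag = _ENTITY_TAG.match(value, pos)
        if tag is None:
            return None
        tags.append((tag.group(1) is not None, tag.group(2)))
        pos = tag.end()
        if pos == end:
            break
        # Only OWS "," OWS may follow a closing quote; text such as -gzip
        # after the quote makes the whole field invalid.
        sep = _SEPARATOR.match(value, pos)
        if sep is None:
            return None
        pos = sep.end()
    return tags or None


def conditional_get_status(if_none_match, resource_opaque):
    """Simplified model (an assumption, not Tomcat's code) of a server that
    validates entity tags on GET: 400 for a malformed header, 304 when a tag
    matches under weak comparison, otherwise 200."""
    tags = parse_entity_tags(if_none_match)
    if tags is None:
        return 400
    if tags == "*" or any(opaque == resource_opaque for _, opaque in tags):
        return 304
    return 200


def audit_response_etags(raw_headers):
    """Return (line_number, value) for each ETag response header that is not
    exactly one well-formed entity-tag, i.e. one that a validating server
    would reject once a client echoes it back in If-None-Match."""
    findings = []
    for number, line in enumerate(raw_headers.splitlines(), start=1):
        name, _, value = line.partition(":")
        if name.strip().lower() == "etag":
            parsed = parse_entity_tags(value)
            if not isinstance(parsed, list) or len(parsed) != 1:
                findings.append((number, value.strip()))
    return findings


# Constructed sample built from the header values quoted in the thread.
SAMPLE_RESPONSE = """\
Content-Encoding: gzip
Content-Type: image/png
ETag: W/"1898-1605014636000"-gzip
Last-Modified: Tue, 10 Nov 2020 13:23:56 GMT
Vary: Accept-Encoding
"""

if __name__ == "__main__":
    for number, value in audit_response_etags(SAMPLE_RESPONSE):
        print(f"line {number}: malformed ETag {value}")
    print(conditional_get_status('W/"1898-1605014636000"-gzip',
                                 "1898-1605014636000-gzip"))
```

In the captured headers, the request that returned 200 carried no If-None-Match, while the request that returned 400 echoed the stored ETag back, which is consistent with the failures appearing random from the user's side.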

RE: Tomcat Windows Service

2020-11-20 Thread jonmcalexander
Yes, something isn't working right. I should be able to get eyes on it Monday. 
Thanks for confirming my initial thought.



From: Bill Stewart 
Sent: Nov 20, 2020 12:39 PM
To: Tomcat Users List 
Subject: Re: Tomcat Windows Service

On Fri, Nov 20, 2020 at 10:59 AM jonmcalexander wrote:

> When adding an instance as a service and using a domain service account to 
> run Tomcat,
> what additional user rights assignments does the service account need?

The account will need at least SeServiceLogonRight ("Log on as a
service"). Do you mean in addition to that?

Is something not working? Can you provide more detail about what's
provoking the question?

Bill




Tomcat Windows Service

2020-11-20 Thread jonmcalexander
Question,
When adding an instance as a service and using a domain service account to run 
Tomcat, what additional user rights assignments does the service account need?

Thanks!




RE: Default Application questions

2020-10-27 Thread jonmcalexander
Thank you! This answered my question.




-Original Message-
From: Mark Thomas  
Sent: Tuesday, October 27, 2020 4:49 AM
To: users@tomcat.apache.org
Subject: Re: Default Application questions

On 26/10/2020 19:37, jonmcalexan...@wellsfargo.com.INVALID wrote:
> I'm doing some documentation cleanup. When was the balancer app, if it 
> existed, removed from the ootb tomcat applications?

It was in 5.0.x (5.0.15 onwards) and 5.5.x.
http://tomcat.apache.org/tomcat-5.5-doc/balancer-howto.html

> Was there ever a webdav app, or just the WebdavServlet class?

Yes there was a webdav app. It was present in 4.0.x, 4.1.x, 5.0.x, and 5.5.x.

I couldn't find a reference in the change log for their removal.

Mark


> 
> Thanks,
> 
> 





Default Application questions

2020-10-26 Thread jonmcalexander
I'm doing some documentation cleanup. When was the balancer app, if it existed, 
removed from the ootb tomcat applications? Was there ever a webdav app, or just 
the WebdavServlet class?

Thanks,





RE: Question regarding Invoker

2020-10-26 Thread jonmcalexander
Thank you!



-Original Message-
From: Mark Thomas  
Sent: Monday, October 26, 2020 1:06 PM
To: users@tomcat.apache.org
Subject: Re: Question regarding Invoker

On 26/10/2020 17:46, jonmcalexan...@wellsfargo.com.INVALID wrote:
> I believe I have read that the Invoker Servlet was deprecated in Tomcat 6 and 
> removed entirely in Tomcat 7 and above. Can someone confirm that this is 
> correct? I couldn't find any announcement of this on tomcat.apache.org.

Correct.

See the Tomcat 6.0.x changelog:

http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Mark


> 
> Thanks,
> 
> 





Question regarding Invoker

2020-10-26 Thread jonmcalexander
I believe I have read that the Invoker Servlet was deprecated in Tomcat 6 and 
removed entirely in Tomcat 7 and above. Can someone confirm that this is 
correct? I couldn't find any announcement of this on tomcat.apache.org.

Thanks,





RE: Virtual event focussed on Tomcat Security

2020-09-29 Thread jonmcalexander
I really like the idea of this. Something similar to the ApacheCon, or a series 
of ZOOM meetings or such.




-Original Message-
From: Mark Thomas  
Sent: Tuesday, September 29, 2020 6:26 AM
To: Tomcat Users List 
Subject: Virtual event focussed on Tomcat Security

Hi all,

We (the Tomcat community) have some funding from Google to help us improve 
Tomcat security. Our original plan was to use the funding to support an 
in-person security focussed hackathon. As you would expect, those plans are on 
hold for now. We would, therefore, like to explore the possibility of doing 
something virtually.

The purpose of this email is to gather input from the community about what such 
an event should look like. With that input we can put together a plan for the 
event. So, over to you. What would your ideal virtual event focussed on Tomcat 
Security look like?

Thanks,

Mark




RE: Any update on 9.0.38 release plan

2020-09-14 Thread jonmcalexander
Sounds like it could be any day now.



-Original Message-
From: Arshiya Shariff  
Sent: Monday, September 14, 2020 9:55 AM
To: Tomcat Users List 
Subject: Any update on 9.0.38 release plan

Hi All,
Can we please get a tentative release date for 9.0.38?

Thanks and Regards
Arshiya Shariff




RE: Tomcat v9 - Insecure transport vulnerability reported by Qualys

2020-08-26 Thread jonmcalexander
What is the URL they are testing? Is there a reason there is a 9443 port open? 
How about adding a blank page with a redirect, or use the rewrite valve to 
rewrite to https?




-Original Message-
From: Christopher Schultz  
Sent: Wednesday, August 26, 2020 2:56 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat v9 - Insecure transport vulnerability reported by Qualys


Mark,

On 8/26/20 13:59, Mark Thomas wrote:
> On 26/08/2020 17:50, Christopher Schultz wrote:
>> On 8/26/20 05:27, Mark Thomas wrote:
>>> On 26/08/2020 08:14, Martin Grigorov wrote:
>>>> Hi,
>>>>
>>>> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha wrote:
>>>>
>>>>> Thanks for reply,
>>>>>
>>>>> Hi Peter - it complains on port 8443 which belongs to Tomcat.
>>>>>
>>>>> Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this 
>>>>> security vulnerability is given to us by Qualys scan.
>>>>> It tries to post plain HTTP request on HTTPS port and then gets 
>>>>> error message "Bad Request. This combination of host and port 
>>>>> requires TLS." which is security loop hole for Qualys.
>>
>>> On what basis?
>>
>>> I fail to see any security issue here other than "Qualys says so" 
>>> which is not a valid description of a security vulnerability.
>>
>> My guess is that this is some form of "server fingerprinting"
>> that they are claiming, like "Zomg! It says Server:
>> Apache-Coyote/1.1! You are $uper vulnerable to 0days, now!".
>
> The entire response, including headers is,
>
> =
> HTTP/1.1 400
> Content-Type: text/plain;charset=UTF-8
> Connection: close
>
> Bad Request
> This combination of host and port requires TLS.
> =
>
>> Pratik, can you please be very clear about what the actual complaint 
>> is? Are they objecting to one or more of the
>> following:
>>
>> 0. Any legible response at all (meaning they just want a
>>    connection-drop response)
>> 1. Server: Apache-Coyote/1.1 response header
>> 2. Predictable / stock text (e.g. "Bad Request. This combination of
>>    host and port requires TLS." identifies the server as Tomcat v.x.y
>>    or later)
>> 3. Actual Tomcat version number in response
>>
>>> Absent a description of how this can be exploited (and I'll be very 
>>> surprised if this can be exploited), there is no security issue here 
>>> and Tomcat will not be making any changes.
>>
>> It seems reasonable to (configurably) strip-out version information 
>> if there is anything in there... which there probably is not.
>
> Correct, there isn't.
>
>> I'm interested in having Tomcat be able to pass these (admittedly 
>> stupid) security requirements,
>
> I have no interest in adding bloat to Tomcat so it can pass so called 
> security requirements that have no relevance to actual security. Those 
> sort of changes are the sort that get me starting to think about using 
> a veto.

Understood. But what does the OP have in terms of options at this point?

1. Ignore the complaint (probably not possible)
2. Request a waiver for this issue (probably not possible, or at least would
   require 10 years of red tape)
3. Front the server with httpd + "ErrorDocument 400" (which ... I think will
   *also* reply with a plaintext response, right?)
4. Switch to Jetty

I'm trying to avoid "the easiest thing" which is probably to switch to Jetty. I 
know our "customers" don't pay for Tomcat, but losing a "customer" sucks.

>> so maybe we could have a setting on the  that can allow 
>> ERR_EMPTY_RESP to be sent if the handshake fails due to 
>> probably-not-encrypted just like older versions of Tomcat> did.
>
> That sounds suspiciously like bloat to me.

How about being able to specify the response text, possibly blank?

I think "ErrorDocument 400" with nothing else might mean the same thing as 
[[ErrorDocument 400 ""]] meaning that the response will include NO CONTENT. 
Maybe that's what Qualys is looking for.

> I've never been particularly convinced by the fingerprinting argument. 
> Either you are running a version without any published security 
> vulnerabilities that affect you (in which case fingerprinting doesn't 
> help the attacker) or you are running a version with published 
> security vulnerabilities that do affect you and you are relying on 
> security by obscurity - which is no security

RE: Tomcat v9 - Insecure transport vulnerability reported by Qualys

2020-08-26 Thread jonmcalexander
Did Qualys include a QID with their report?



-Original Message-
From: Mark Thomas  
Sent: Wednesday, August 26, 2020 12:59 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat v9 - Insecure transport vulnerability reported by Qualys

On 26/08/2020 17:50, Christopher Schultz wrote:
> On 8/26/20 05:27, Mark Thomas wrote:
>> On 26/08/2020 08:14, Martin Grigorov wrote:
>>> Hi,
>>>
>>> On Wed, Aug 26, 2020 at 7:53 AM Pratik Shrestha 
>>>  wrote:
>>>
>>>> Thanks for reply,
>>>>
>>>> Hi Peter - it complains on port 8443 which belongs to Tomcat.
>>>>
>>>> Hi Mark - Yes. making HTTP request on HTTPS is wrong. But this 
>>>> security vulnerability is given to us by Qualys scan. It tries to 
>>>> post plain HTTP request on HTTPS port and then gets error message 
>>>> "Bad Request. This combination of host and port requires TLS." 
>>>> which is security loop hole for Qualys.
> 
>> On what basis?
> 
>> I fail to see any security issue here other than "Qualys says so"
>> which is not a valid description of a security vulnerability.
> 
> My guess is that this is some form of "server fingerprinting" that 
> they are claiming, like "Zomg! It says Server: Apache-Coyote/1.1! You 
> are $uper vulnerable to 0days, now!".

The entire response, including headers is,

=
HTTP/1.1 400
Content-Type: text/plain;charset=UTF-8
Connection: close

Bad Request
This combination of host and port requires TLS.
=

> Pratik, can you please be very clear about what the actual complaint 
> is? Are they objecting to one or more of the following:
> 
> 0. Any legible response at all (meaning they just want a
>    connection-drop response)
> 1. Server: Apache-Coyote/1.1 response header
> 2. Predictable / stock text (e.g. "Bad Request. This combination of
>    host and port requires TLS." identifies the server as Tomcat v.x.y or
>    later)
> 3. Actual Tomcat version number in response
> 
>> Absent a description of how this can be exploited (and I'll be very 
>> surprised if this can be exploited), there is no security issue here 
>> and Tomcat will not be making any changes.
> 
> It seems reasonable to (configurably) strip-out version information if 
> there is anything in there... which there probably is not.

Correct, there isn't.

> I'm interested in having Tomcat be able to pass these (admittedly
> stupid) security requirements,

I have no interest in adding bloat to Tomcat so it can pass so called security 
requirements that have no relevance to actual security. Those sort of changes 
are the sort that get me starting to think about using a veto.

> so maybe we could have a setting on the  that can allow 
> ERR_EMPTY_RESP to be sent if the handshake fails due to 
> probably-not-encrypted just like older versions of Tomcat> did.

That sounds suspiciously like bloat to me.

I've never been particularly convinced by the fingerprinting argument.
Either you are running a version without any published security vulnerabilities 
that affect you (in which case fingerprinting doesn't help the attacker) or you 
are running a version with published security vulnerabilities that do affect 
you and you are relying on security by obscurity - which is no security at all.

> IMO, being able to reply in plaintext like this is a *feature* (one 
> that I personally and specifically lobbied to have added to Tomcat) 
> and shouldn't be removed. If it's not the end of the world to add an 
> option to disable it, though, I think we ought to do it.

I'm not (yet) convinced of the benefits of such an option.

Mark
