Re: 8.5 - multiple host configuration question

2017-12-08 Thread Chris Cheshire
On Fri, Dec 8, 2017 at 11:25 AM, Christopher Schultz
 wrote:
> Chris,
>
> On 12/7/17 2:08 PM, Chris Cheshire wrote:
>> On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
>>  wrote:

>>>> What should the permissions, owner & group be set to for
>>>> CATALINA_HOME if I am running separate instances per user?
>>>
>>> It doesn't really matter. You just need to make sure that your
>>> "users" can read the default config files -- especially
>>> conf/web.xml and conf/tomcat.xml which usually shouldn't be
>>> modified from their defaults anyway.
>>>
>>> I've always been irritated that the conf/ directory is only
>>> readable by the owner in the tarball. Maybe I'll agitate to get
>>> that changed, and only protect conf/server.xml and
>>> conf/tomcat-users.xml in that way.
>>>
>>
>> Resurrecting this 
>>
>> I'm doing some cleanup and upgrading to 8.5.24. Previously I had
>> copied the entire conf directory from HOME to BASE, and modifying
>> files as necessary. Now I removed from BASE files I hadn't touched
>> (web.xml, jaspic stuff etc), but subsequently get the following
>> message in catalina.out
>>
>> INFO ...
>> org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
>> No global web.xml found
>>
>> All other startup succeeds but nothing is accessible, I just get a
>> standard 404 when trying to access my web apps or even the manager
>> app. There are no actual ERROR level messages though.
>>
>> Permissions are as follows :
>>
>> /usr/local/apache-tomcat-8.5.24/conf
>> [root@s3 conf]# ls -al
>> total 236
>> drwxr-x--- 2 root tomcat   4096 Nov 27 13:33 .
>> drwxr-xr-x 9 root root     4096 Dec  7 16:30 ..
>> -rw-r----- 1 root tomcat  13824 Nov 27 13:33 catalina.policy
>> -rw-r----- 1 root tomcat   7376 Nov 27 13:33 catalina.properties
>> -rw-r----- 1 root tomcat   1338 Nov 27 13:33 context.xml
>> -rw-r----- 1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
>> -rw-r----- 1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
>> -rw-r----- 1 root tomcat   3622 Nov 27 13:33 logging.properties
>> -rw------- 1 root tomcat   7511 Nov 27 13:33 server.xml
>> -rw------- 1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
>> -rw-r----- 1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
>> -rw-r----- 1 root tomcat 169322 Nov 27 13:33 web.xml
>>
>> /home/sandbox1/tomcat/conf
>> [sandbox1@s3 conf]$ ls -la
>> total 32
>> drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
>> drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
>> drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
>> -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
>> -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
>> -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
>> -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml
>>
>> My sandbox users belong to the 'tomcat' group (not using a
>> 'tomcat' user though). I can cat web.xml with a sandbox user. (I
>> tweaked the permissions from the defaults to allow sandbox users to
>> read the default config)
>>
>> If I copy web.xml from HOME/conf to BASE/conf everything works
>> again. So do I need to copy everything over from HOME/conf to
>> BASE/conf even if I am not changing anything?
>
> I checked, and my CATALINA_BASE/conf contains the following:
>
> server.xml (required)
> Catalina/ (and friends, optional)
> tomcat-users.xml (optional)
> web.xml (evidently required)
>
> We should probably allow web.xml to come from
> CATALINA_HOME/conf/web.xml if it's not present in CATALINA_BASE/conf/.
> I would have expected that to be allowed, but I guess it isn't.
>
> Can you file a BZ enhancement request?
>
> -chris

Done. https://bz.apache.org/bugzilla/show_bug.cgi?id=61877

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
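
An added example, not part of the thread: a POSIX shell audit of CATALINA_HOME/conf for the layout in the listing quoted above, where the defaults are group-readable and server.xml and tomcat-users.xml stay owner-only. The function names, the script name audit.sh, the shared-group assumption and the rule that nothing may be group- or world-writable are choices of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the mode bits of a shared
# CATALINA_HOME/conf against the layout shown in the 8.5.24 listing.
# Assumption: per-user instances reach the defaults through a shared group.

PROTECTED="server.xml tomcat-users.xml"   # owner-only files named in the thread

# has_perm PATH OCTAL: true when every bit in OCTAL is set on PATH (mode bits only).
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# has_any PATH OCTAL...: true when at least one of the listed bits is set.
has_any() {
    _p=$1; shift
    for _bit in "$@"; do
        has_perm "$_p" "$_bit" && return 0
    done
    return 1
}

# audit_conf DIR: print one finding per line; return 0 when the layout is clean.
audit_conf() {
    dir=$1
    bad=0
    if ! has_perm "$dir" 050; then
        echo "DIR    $dir: group cannot list/traverse, instances cannot read defaults"
        bad=1
    fi
    if has_any "$dir" 020 002; then
        echo "DIR    $dir: writable by group or others"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case " $PROTECTED " in
        *" $name "*)
            # Any group or other bit on a protected file is a finding.
            if has_any "$f" 040 020 010 004 002 001; then
                echo "OPEN   $name: must be owner-only"
                bad=1
            fi ;;
        *)
            if ! has_perm "$f" 040; then
                echo "NOREAD $name: not group-readable"
                bad=1
            fi
            if has_any "$f" 020 002; then
                echo "WRITE  $name: writable by group or others"
                bad=1
            fi ;;
        esac
    done
    return $bad
}

# build_sample DIR: recreate the modes from the thread's listing with empty,
# constructed files, so the audit can be tried without a Tomcat install.
build_sample() {
    mkdir -p "$1" && chmod 750 "$1"
    for n in catalina.policy catalina.properties context.xml logging.properties web.xml; do
        : > "$1/$n" && chmod 640 "$1/$n"
    done
    for n in $PROTECTED; do
        : > "$1/$n" && chmod 600 "$1/$n"
    done
}

# Stand-alone use (audit.sh is a hypothetical name):
#   sh audit.sh /usr/local/apache-tomcat-8.5.24/conf
if [ -n "${1:-}" ]; then
    audit_conf "$1"
fi
```

The audit reads mode bits only, so ownership and group membership still need a separate check with ls -l and id.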



Re: 8.5 - multiple host configuration question

2017-12-08 Thread Christopher Schultz
Chris,

On 12/7/17 2:08 PM, Chris Cheshire wrote:
> On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz 
>  wrote:
>>> 
>>> What should the permissions, owner & group be set to for 
>>> CATALINA_HOME if I am running separate instances per user?
>> 
>> It doesn't really matter. You just need to make sure that your
>> "users" can read the default config files -- especially
>> conf/web.xml and conf/tomcat.xml which usually shouldn't be
>> modified from their defaults anyway.
>> 
>> I've always been irritated that the conf/ directory is only
>> readable by the owner in the tarball. Maybe I'll agitate to get
>> that changed, and only protect conf/server.xml and
>> conf/tomcat-users.xml in that way.
>> 
> 
> Resurrecting this 
> 
> I'm doing some cleanup and upgrading to 8.5.24. Previously I had 
> copied the entire conf directory from HOME to BASE, and modifying 
> files as necessary. Now I removed from BASE files I hadn't touched 
> (web.xml, jaspic stuff etc), but subsequently get the following 
> message in catalina.out
> 
> INFO ...
> org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment 
> No global web.xml found
> 
> All other startup succeeds but nothing is accessible, I just get a 
> standard 404 when trying to access my web apps or even the manager 
> app. There are no actual ERROR level messages though.
> 
> Permissions are as follows :
> 
> /usr/local/apache-tomcat-8.5.24/conf
> [root@s3 conf]# ls -al
> total 236
> drwxr-x--- 2 root tomcat   4096 Nov 27 13:33 .
> drwxr-xr-x 9 root root     4096 Dec  7 16:30 ..
> -rw-r----- 1 root tomcat  13824 Nov 27 13:33 catalina.policy
> -rw-r----- 1 root tomcat   7376 Nov 27 13:33 catalina.properties
> -rw-r----- 1 root tomcat   1338 Nov 27 13:33 context.xml
> -rw-r----- 1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
> -rw-r----- 1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
> -rw-r----- 1 root tomcat   3622 Nov 27 13:33 logging.properties
> -rw------- 1 root tomcat   7511 Nov 27 13:33 server.xml
> -rw------- 1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
> -rw-r----- 1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
> -rw-r----- 1 root tomcat 169322 Nov 27 13:33 web.xml
>
> /home/sandbox1/tomcat/conf
> [sandbox1@s3 conf]$ ls -la
> total 32
> drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
> drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
> drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
> -rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
> -rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
> -rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
> -rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml
> 
> My sandbox users belong to the 'tomcat' group (not using a
> 'tomcat' user though). I can cat web.xml with a sandbox user. (I
> tweaked the permissions from the defaults to allow sandbox users to
> read the default config)
> 
> If I copy web.xml from HOME/conf to BASE/conf everything works
> again. So do I need to copy everything over from HOME/conf to
> BASE/conf even if I am not changing anything?

I checked, and my CATALINA_BASE/conf contains the following:

server.xml (required)
Catalina/ (and friends, optional)
tomcat-users.xml (optional)
web.xml (evidently required)

We should probably allow web.xml to come from
CATALINA_HOME/conf/web.xml if it's not present in CATALINA_BASE/conf/.
I would have expected that to be allowed, but I guess it isn't.

Can you file a BZ enhancement request?

-chris




Re: 8.5 - multiple host configuration question

2017-12-07 Thread Chris Cheshire
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
 wrote:
>>
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.
>

Resurrecting this 

I'm doing some cleanup and upgrading to 8.5.24. Previously I had
copied the entire conf directory from HOME to BASE, and modified
files as necessary. Now I removed from BASE files I hadn't touched
(web.xml, jaspic stuff etc), but subsequently get the following
message in catalina.out

INFO ... org.apache.catalina.startup.ContextConfig.getDefaultWebXmlFragment
No global web.xml found

All other startup succeeds but nothing is accessible, I just get a
standard 404 when trying to access my web apps or even the manager
app. There are no actual ERROR level messages though.

Permissions are as follows :

/usr/local/apache-tomcat-8.5.24/conf
[root@s3 conf]# ls -al
total 236
drwxr-x--- 2 root tomcat   4096 Nov 27 13:33 .
drwxr-xr-x 9 root root     4096 Dec  7 16:30 ..
-rw-r----- 1 root tomcat  13824 Nov 27 13:33 catalina.policy
-rw-r----- 1 root tomcat   7376 Nov 27 13:33 catalina.properties
-rw-r----- 1 root tomcat   1338 Nov 27 13:33 context.xml
-rw-r----- 1 root tomcat   1149 Nov 27 13:33 jaspic-providers.xml
-rw-r----- 1 root tomcat   2313 Nov 27 13:33 jaspic-providers.xsd
-rw-r----- 1 root tomcat   3622 Nov 27 13:33 logging.properties
-rw------- 1 root tomcat   7511 Nov 27 13:33 server.xml
-rw------- 1 root tomcat   2164 Nov 27 13:33 tomcat-users.xml
-rw-r----- 1 root tomcat   2633 Nov 27 13:33 tomcat-users.xsd
-rw-r----- 1 root tomcat 169322 Nov 27 13:33 web.xml

/home/sandbox1/tomcat/conf
[sandbox1@s3 conf]$ ls -la
total 32
drwxr-xr-x  3 sandbox1 sandbox1 4096 Dec  7 19:01 .
drwxr-xr-x 10 sandbox1 sandbox1 4096 Dec  7 18:59 ..
drwxr-xr-x  3 sandbox1 sandbox1 4096 Sep  7 16:50 Catalina
-rw-r--r--  1 sandbox1 sandbox1 7407 Nov  2 01:58 catalina.properties
-rw-r--r--  1 sandbox1 sandbox1 1437 Sep  7 20:38 context.xml
-rw-r--r--  1 sandbox1 sandbox1 3770 Dec  7 18:46 logging.properties
-rw-r--r--  1 sandbox1 sandbox1 2522 Sep  7 20:29 server.xml

My sandbox users belong to the 'tomcat' group (not using a 'tomcat'
user though). I can cat web.xml with a sandbox user. (I tweaked the
permissions from the defaults to allow sandbox users to read the
default config)

If I copy web.xml from HOME/conf to BASE/conf everything works again.
So do I need to copy everything over from HOME/conf to BASE/conf even
if I am not changing anything?




RE: 8.5 - multiple host configuration question

2017-09-11 Thread Berneburg, Cris J. - US
Chris and Chris (but not Chris)

-----Original Message-----
From: Chris Cheshire [mailto:yahoono...@gmail.com] 
Sent: Friday, September 08, 2017 9:16 PM
To: Tomcat Users List 
Subject: Re: 8.5 - multiple host configuration question

On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz 
 wrote:
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
>>> 3. Each user has their own CATALINA_BASE directory in their own home
>>> directory (or wherever in the fs tree). No need to put anything in
>>> /usr/local which is usually considered to be shared and read-only.
>>> CATALINA_BASE is just a directory with the following directories in
>>> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
>>> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
>>> using a custom conf/server.xml and leaving everything else pretty much
>>> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
>>> necessary for all the other Tomcats that will be running on the server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> [SNIP]
>>>
> Thank you for the explanations, this helps considerably.

Ditto!  I saved a copy in my archives of accumulated Tomcat wisdom.  The 
problem is that the info is still stored in my computer and not in my brain.

--
Cris Berneburg
CACI Lead Software Engineer



Re: 8.5 - multiple host configuration question

2017-09-08 Thread Chris Cheshire
On Thu, Sep 7, 2017 at 5:29 PM, Christopher Schultz
 wrote:
> Chris,
>
> On 9/5/17 3:39 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
>>> 3. Each user has their own CATALINA_BASE directory in their own home
>>> directory (or wherever in the fs tree). No need to put anything in
>>> /usr/local which is usually considered to be shared and read-only.
>>> CATALINA_BASE is just a directory with the following directories in
>>> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
>>> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
>>> using a custom conf/server.xml and leaving everything else pretty much
>>> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
>>> necessary for all the other Tomcats that will be running on the server.
>>>
>>> This gives you a LOT of flexibility:
>>>
>>> 1. Users run their own JVMs as their own users. Filesystem permissions
>>> become simpler. Applications require less trust (e.g. apps are running
>>> at "cschultz" instead of "tomcat7").
>>> 2. Users can select which version of Tomcat they want to use. Just
>>> change CATALINA_BASE and restart. (Roughly speaking. If you switch
>>> major versions, you'll likely have to update
>>> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
>>> running x.y.z whether you like it or not".
>>
>>
>> Ok this helps a bit for upgrades. I would just expand the new
>> tarball in a similar place, update user level conf and restart each
>> instance when ready?
>
> Exactly. Your users can even decide when they want to switch to a new
> Tomcat version.
>
>>> 3. Users can start/stop their own Tomcat services. No more emailing an
>>> administrator and asking for a restart, and having to coordinate it
>>> with several other unrelated teams who weren't expecting a service
>>> restart in the middle of the day.
>>> 4. You (admin) don't have to babysit everyone's web applications.
>>> Users simply put their own apps in CATALINA_BASE/webapps and move on
>>> with their lives.
>>>
>>
>> This means I need to configure each server and connector element
>> with different ports for each user, correct?
>
> Yes. A regimented port assignment scheme is recommended. In my shared
> development environments, I assign every dev a number and their port
> numbers become:
>
> Tomcat AJP:   8[dev #][app #]5
> Tomcat shutdown:  8[dev #][app #]6
> Tomcat "Secure" port: 8[dev #][app #]7
>
> (the "secure" port is for loopback requests; we have those for certain
> applications)
>
> So for example, my primary app id is 1 and my dev id is 2:
>
> AJP:  8215
> Shutdown: 8216
> Secure:   8217
>
>> I am fronting tomcat with httpd using an ajp connector to handle
>> ssl certs. I use letsencrypt, and on a production server I can't
>> afford to bounce even the connector and lose connections. httpd
>> handles it a lot more gracefully. Can I have separate mod_jk.conf
>> and workers.properties files for mod_jk pointing to different ports
>> for separate connectors for tomcat?
>
> Absolutely. Using regimented port assignments allows you to set up
> everyone's port assignments in advance using a template worker and
> then a bunch of workers that all look the same except for the port
> numbers.
>
> Then you just need to map URLs (e.g. /dev1-app1) to the matching port
> numbers.
>
>>>> What about file/directory permissions, assuming tomcat is
>>>> running under the 'tomcat' user? I have root access to the
>>>> machine, so changing groups, users, permissions is not an
>>>> issue.
>>>
>>> Free yourself from the "tomcat user". It's one of the things I
>>> dislike most about the package-managed versions of Tomcat: they
>>> tend to run everything as a single user which is completely
>>> unnecessary.
>>>
>>
>> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
>> each user (sandbox1, sandbox2 etc)?
>
> Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.
>
>> Trying to assimilate all this, it sounds like :
>>
>> CATALINA_HOME=/usr/local/tomcat-x.y.z
>> CATALINA_BASE=/home/sandbox1/tc
>>
>> CATALINA_BASE/conf/server.xml has the entire configuration,
>> engine, connector, host etc for that one user.
>
> Yes.
>
>> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
>> says
>>
>> "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
>> in the setenv script, because they are used to locate that file."
>
> You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
> whatever way makes most sense. For example, ~/.profile works, but only
> for interactive logins.
>
>> Do I then need to create my own startup script that sets those,
>> then calls ${CATALINA_HO

Re: 8.5 - multiple host configuration question

2017-09-08 Thread Chris Cheshire
On Thu, Sep 7, 2017 at 5:30 PM, Christopher Schultz
 wrote:
> Chris,
>
> On 9/5/17 4:42 PM, Chris Cheshire wrote:
>> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>>  wrote:
>>> If I were king, I'd set things up like this:
>>>
>>> 1. Tomcat is installed in /usr/local/tomcat (or
>>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>>
>>
>> Looks like I do need to adjust default permissions on this if I
>> expand as root.
>>
>> The tarball leaves me with
>>
>> [root@host apache-tomcat-8.5.20]# ls -al
>> total 124
>> drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
>> drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
>> -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
>> -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
>> -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
>> -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
>> drwxr-x---  2 root root  4096 Sep  5 20:31 bin
>> drwx------  2 root root  4096 Aug  2 21:36 conf
>> drwxr-x---  2 root root  4096 Sep  5 20:31 lib
>> drwxr-x---  2 root root  4096 Aug  2 21:35 logs
>> drwxr-x---  2 root root  4096 Sep  5 20:31 temp
>> drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
>> drwxr-x---  2 root root  4096 Aug  2 21:35 work
>>
>>
>> What should the permissions, owner & group be set to for
>> CATALINA_HOME if I am running separate instances per user?
>
> It doesn't really matter. You just need to make sure that your "users"
> can read the default config files -- especially conf/web.xml and
> conf/tomcat.xml which usually shouldn't be modified from their
> defaults anyway.
>
> I've always been irritated that the conf/ directory is only readable
> by the owner in the tarball. Maybe I'll agitate to get that changed,
> and only protect conf/server.xml and conf/tomcat-users.xml in that way.
>
> -chris

Thanks,

I'm just wary of giving everyone read permission to something that starts out
without it, especially when installed by root. The only change I made to the
default config anyway was to remove tomcat-users.xml since I have a
JDBC realm for restricting access to the manager webapp.


Chris




Re: 8.5 - multiple host configuration question

2017-09-07 Thread Christopher Schultz
Chris,

On 9/5/17 4:42 PM, Chris Cheshire wrote:
> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz 
>  wrote:
>> If I were king, I'd set things up like this:
>> 
>> 1. Tomcat is installed in /usr/local/tomcat (or 
>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 
> 
> Looks like I do need to adjust default permissions on this if I
> expand as root.
> 
> The tarball leaves me with
> 
> [root@host apache-tomcat-8.5.20]# ls -al
> total 124
> drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
> drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
> -rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
> -rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
> -rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
> -rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
> drwxr-x---  2 root root  4096 Sep  5 20:31 bin
> drwx------  2 root root  4096 Aug  2 21:36 conf
> drwxr-x---  2 root root  4096 Sep  5 20:31 lib
> drwxr-x---  2 root root  4096 Aug  2 21:35 logs
> drwxr-x---  2 root root  4096 Sep  5 20:31 temp
> drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
> drwxr-x---  2 root root  4096 Aug  2 21:35 work
> 
> 
> What should the permissions, owner & group be set to for
> CATALINA_HOME if I am running separate instances per user?

It doesn't really matter. You just need to make sure that your "users"
can read the default config files -- especially conf/web.xml and
conf/tomcat.xml which usually shouldn't be modified from their
defaults anyway.

I've always been irritated that the conf/ directory is only readable
by the owner in the tarball. Maybe I'll agitate to get that changed,
and only protect conf/server.xml and conf/tomcat-users.xml in that way.

-chris




Re: 8.5 - multiple host configuration question

2017-09-07 Thread Christopher Schultz
Chris,

On 9/5/17 3:39 PM, Chris Cheshire wrote:
> On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
>> If I were king, I'd set things up like this:
>> 
>> 1. Tomcat is installed in /usr/local/tomcat (or
>> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
>> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
>> 3. Each user has their own CATALINA_BASE directory in their own home
>> directory (or wherever in the fs tree). No need to put anything in
>> /usr/local which is usually considered to be shared and read-only.
>> CATALINA_BASE is just a directory with the following directories in
>> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
>> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
>> using a custom conf/server.xml and leaving everything else pretty much
>> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
>> necessary for all the other Tomcats that will be running on the server.
>> 
>> This gives you a LOT of flexibility:
>> 
>> 1. Users run their own JVMs as their own users. Filesystem permissions
>> become simpler. Applications require less trust (e.g. apps are running
>> at "cschultz" instead of "tomcat7").
>> 2. Users can select which version of Tomcat they want to use. Just
>> change CATALINA_BASE and restart. (Roughly speaking. If you switch
>> major versions, you'll likely have to update
>> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
>> running x.y.z whether you like it or not".
> 
> 
> Ok this helps a bit for upgrades. I would just expand the new
> tarball in a similar place, update user level conf and restart each
> instance when ready?

Exactly. Your users can even decide when they want to switch to a new
Tomcat version.

>> 3. Users can start/stop their own Tomcat services. No more emailing an
>> administrator and asking for a restart, and having to coordinate it
>> with several other unrelated teams who weren't expecting a service
>> restart in the middle of the day.
>> 4. You (admin) don't have to babysit everyone's web applications.
>> Users simply put their own apps in CATALINA_BASE/webapps and move on
>> with their lives.
>> 
> 
> This means I need to configure each server and connector element
> with different ports for each user, correct?

Yes. A regimented port assignment scheme is recommended. In my shared
development environments, I assign every dev a number and their port
numbers become:

Tomcat AJP:   8[dev #][app #]5
Tomcat shutdown:  8[dev #][app #]6
Tomcat "Secure" port: 8[dev #][app #]7

(the "secure" port is for loopback requests; we have those for certain
applications)

So for example, my primary app id is 1 and my dev id is 2:

AJP:  8215
Shutdown: 8216
Secure:   8217

> I am fronting tomcat with httpd using an ajp connector to handle
> ssl certs. I use letsencrypt, and on a production server I can't
> afford to bounce even the connector and lose connections. httpd
> handles it a lot more gracefully. Can I have separate mod_jk.conf
> and workers.properties files for mod_jk pointing to different ports
> for separate connectors for tomcat?

Absolutely. Using regimented port assignments allows you to set up
everyone's port assignments in advance using a template worker and
then a bunch of workers that all look the same except for the port
numbers.

Then you just need to map URLs (e.g. /dev1-app1) to the matching port
numbers.

>>> What about file/directory permissions, assuming tomcat is
>>> running under the 'tomcat' user? I have root access to the
>>> machine, so changing groups, users, permissions is not an
>>> issue.
>> 
>> Free yourself from the "tomcat user". It's one of the things I
>> dislike most about the package-managed versions of Tomcat: they
>> tend to run everything as a single user which is completely
>> unnecessary.
>> 
> 
> Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as
> each user (sandbox1, sandbox2 etc)?

Yes. You may see that as a Good Thing or a Bad Thing. I think it's Good.

> Trying to assimilate all this, it sounds like :
> 
> CATALINA_HOME=/usr/local/tomcat-x.y.z 
> CATALINA_BASE=/home/sandbox1/tc
> 
> CATALINA_BASE/conf/server.xml has the entire configuration,
> engine, connector, host etc for that one user.

Yes.

> Where do I set the variables for CATALINA_BASE/HOME? RUNNING.txt
> says
> 
> "The CATALINA_HOME and CATALINA_BASE variables cannot be configured
> in the setenv script, because they are used to locate that file."

You'll have to set CATALINA_HOME and CATALINA_BASE for the user in
whatever way makes most sense. For example, ~/.profile works, but only
for interactive logins.

> Do I then need to create my own startup script that sets those,
> then calls ${CATALINA_HOME}/bin/startup.sh, or can I just set the
> variables in .bashrc?

Yeah, .bashrc will work, too, but .profile will be better because it
will affect non-bash shells, of course.

Once those variab
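
An added example, not part of the thread: shell functions that derive the AJP, shutdown and "secure" ports from the 8[dev #][app #]N scheme in the message above and emit a mod_jk workers.properties with a template worker plus the matching JkMount lines. The worker names (devNappM), the template worker name, host=localhost and the single-digit check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): regimented port assignment,
# 8[dev #][app #]5 = AJP, ...6 = shutdown, ...7 = "secure" loopback port.
# Assumptions: workers are named devNappM, the shared settings live in a
# worker called "template", and every Tomcat listens for AJP on localhost.

# is_digit X: true only for a single character 0-9. Anything longer would
# push the four-digit scheme past the valid port range (e.g. 81015).
is_digit() {
    case "$1" in
    [0-9]) return 0 ;;
    *) return 1 ;;
    esac
}

# port_for DEV APP SUFFIX: print 8<dev><app><suffix>, or fail on bad ids.
port_for() {
    if is_digit "$1" && is_digit "$2"; then
        printf '8%s%s%s\n' "$1" "$2" "$3"
    else
        echo "dev and app ids must be single digits: dev=$1 app=$2" >&2
        return 1
    fi
}

ajp_port()      { port_for "$1" "$2" 5; }
shutdown_port() { port_for "$1" "$2" 6; }
secure_port()   { port_for "$1" "$2" 7; }

# workers_properties DEV:APP...: print a workers.properties in which every
# worker inherits from the template and differs only in its port.
workers_properties() {
    list=
    body=
    for pair in "$@"; do
        dev=${pair%%:*}
        app=${pair#*:}
        port=$(ajp_port "$dev" "$app") || return 1
        name="dev${dev}app${app}"
        list="${list:+$list,}$name"
        body="${body}worker.$name.reference=worker.template
worker.$name.port=$port
"
    done
    printf 'worker.list=%s\n' "$list"
    printf 'worker.template.type=ajp13\n'
    printf 'worker.template.host=localhost\n'
    printf '%s' "$body"
}

# jk_mounts DEV:APP...: print one JkMount per instance, mapping the URL
# prefix /devN-appM to the worker of the same instance.
jk_mounts() {
    for pair in "$@"; do
        dev=${pair%%:*}
        app=${pair#*:}
        is_digit "$dev" && is_digit "$app" || return 1
        printf 'JkMount /dev%s-app%s/* dev%sapp%s\n' "$dev" "$app" "$dev" "$app"
    done
}

# Constructed sample: two developers, one application each.
workers_properties 1:1 2:1
jk_mounts 1:1 2:1
```

Each instance's server.xml then carries the shutdown and AJP ports printed by shutdown_port and ajp_port for the same dev and app ids.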

Re: 8.5 - multiple host configuration question

2017-09-05 Thread Chris Cheshire
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
 wrote:
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).


Looks like I do need to adjust default permissions on this if I expand as root.

The tarball leaves me with

[root@host apache-tomcat-8.5.20]# ls -al
total 124
drwxr-xr-x  9 root root  4096 Sep  5 20:31 .
drwxr-xr-x 14 root root  4096 Sep  5 20:31 ..
-rw-r-----  1 root root 57092 Aug  2 21:36 LICENSE
-rw-r-----  1 root root  1723 Aug  2 21:36 NOTICE
-rw-r-----  1 root root  7064 Aug  2 21:36 RELEASE-NOTES
-rw-r-----  1 root root 15946 Aug  2 21:36 RUNNING.txt
drwxr-x---  2 root root  4096 Sep  5 20:31 bin
drwx------  2 root root  4096 Aug  2 21:36 conf
drwxr-x---  2 root root  4096 Sep  5 20:31 lib
drwxr-x---  2 root root  4096 Aug  2 21:35 logs
drwxr-x---  2 root root  4096 Sep  5 20:31 temp
drwxr-x---  7 root root  4096 Aug  2 21:36 webapps
drwxr-x---  2 root root  4096 Aug  2 21:35 work


What should the permissions, owner & group be set to for CATALINA_HOME
if I am running separate instances per user?




Re: 8.5 - multiple host configuration question

2017-09-05 Thread Chris Cheshire
On Tue, Sep 5, 2017 at 2:07 PM, Christopher Schultz
 wrote:
> Chris,
>
> On 9/5/17 10:54 AM, Chris Cheshire wrote:
>> I am migrating from 7 (yum repo installation) to 8.5 (direct from
>> apache) and looking to improve configuration where possible.
>>
>> Currently (on *nix) I have a machine that runs sandboxes for my
>> domain, call them sb1.dom.com and sb2.dom.com. They each have
>> their own (system) user and in tomcat's system.xml
>
> Nit: server.xml
>

Brain fart :)


>> I have a host for each :
>>
>> 
>>
>> 
>>
>> Each has access to the host-manager app via a hardlink to
>> manager.xml through
>> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
>> belongs to the tomcat group, and has their webapps directory group
>> readable so Tomcat can deploy the apps. Each host may have multiple
>> contexts within it representing code branches. The env variables
>> have CATALINA_HOME and CATALINA_BASE pointing to
>> /usr/share/tomcat.
>>
>> Reading RUNNING.txt, it says that HOME and BASE can point to
>> different locations for a multi-user environment, which sounds like
>> what I am doing. How do I go about configuring it this way?
>
> It depends upon your goals. If you want to run a single JVM, then it
> really doesn't matter whether you have a "single" Tomcat where
> CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
> pretty much required that you use a split configuration.
>
> I'd argue that you should always have a split configuration, because
> it allows you to upgrade/downgrade almost trivially without disturbing
> your application's (Tomcat) configuration.
>
>> Assume I put the tomcat installation in /usr/local, with a symlink
>> from /usr/local/tomcat to
>> /usr/local/tomcat/apache-tomcat-${version}
>>
>> Would it be better to put the webapps for each user under
>> /usr/local/tomcat/webapps and symlink to them from the users home
>> directory? What would the structure look like and what would I set
>> CATALINA_BASE and CATALINA_HOME to?
>
> If I were king, I'd set things up like this:
>
> 1. Tomcat is installed in /usr/local/tomcat (or
> /usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
> 2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
> 3. Each user has their own CATALINA_BASE directory in their own home
> directory (or wherever in the fs tree). No need to put anything in
> /usr/local which is usually considered to be shared and read-only.
> CATALINA_BASE is just a directory with the following directories in
> it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
> anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
> using a custom conf/server.xml and leaving everything else pretty much
> alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
> necessary for all the other Tomcats that will be running on the server.
>
> This gives you a LOT of flexibility:
>
> 1. Users run their own JVMs as their own users. Filesystem permissions
> become simpler. Applications require less trust (e.g. apps are running
> at "cschultz" instead of "tomcat7").
> 2. Users can select which version of Tomcat they want to use. Just
> change CATALINA_BASE and restart. (Roughly speaking. If you switch
> major versions, you'll likely have to update
> CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
> running x.y.z whether you like it or not".


Ok this helps a bit for upgrades. I would just expand the new tarball
in a similar place, update user level conf and restart each instance
when ready?



> 3. Users can start/stop their own Tomcat services. No more emailing an
> administrator and asking for a restart, and having to coordinate it
> with several other unrelated teams who weren't expecting a service
> restart in the middle of the day.
> 4. You (admin) don't have to babysit everyone's web applications.
> Users simply put their own apps in CATALINA_BASE/webapps and move on
> with their lives.
>


This means I need to configure each server and connector element with
different ports for each user, correct?

I am fronting tomcat with httpd using an ajp connector to handle ssl
certs. I use letsencrypt, and on a production server I can't afford to
bounce even the connector and lose connections. httpd handles it a lot
more gracefully. Can I have separate mod_jk.conf and workers.properties
files for mod_jk pointing to different ports for separate connectors
for tomcat?



>> What about file/directory permissions, assuming tomcat is running
>> under the 'tomcat' user? I have root access to the machine, so
>> changing groups, users, permissions is not an issue.
>
> Free yourself from the "tomcat user". It's one of the things I dislike
> most about the package-managed versions of Tomcat: they tend to run
> everything as a single user which is completely unnecessary.
>

Does this mean I launch tomcat (CATALINA_BASE/bin/startup.sh) as each
user (sandbox1, sandbox2 etc)?


Trying to

Re: 8.5 - multiple host configuration question

2017-09-05 Thread Christopher Schultz

Chris,

On 9/5/17 10:54 AM, Chris Cheshire wrote:
> I am migrating from 7 (yum repo installation) to 8.5 (direct from 
> apache) and looking to improve configuration where possible.
> 
> Currently (on *nix) I have a machine that runs sandboxes for my 
> domain, call them sb1.dom.com and sb2.dom.com. They each have
> their own (system) user and in tomcat's system.xml

Nit: server.xml

> I have a host for each :
> 
> 
> 
> 
> 
> Each has access to the host-manager app via a hardlink to
> manager.xml through
> /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each user
> belongs to the tomcat group, and has their webapps directory group
> readable so Tomcat can deploy the apps. Each host may have multiple
> contexts within it representing code branches. The env variables
> have CATALINA_HOME and CATALINA_BASE pointing to 
> /usr/share/tomcat.
> 
> Reading RUNNING.txt, it says that HOME and BASE can point to
> different locations for a multi-user environment, which sounds like
> what I am doing. How do I go about configuring it this way?

It depends upon your goals. If you want to run a single JVM, then it
really doesn't matter whether you have a "single" Tomcat where
CATALINA_HOME == CATALINA_BASE. If you want to run multiple JVMs, it's
pretty much required that you use a split configuration.

I'd argue that you should always have a split configuration, because
it allows you to upgrade/downgrade almost trivially without disturbing
your application's (Tomcat) configuration.

> Assume I put the tomcat installation in /usr/local, with a symlink 
> from /usr/local/tomcat to
> /usr/local/tomcat/apache-tomcat-${version}
> 
> Would it be better to put the webapps for each user under 
> /usr/local/tomcat/webapps and symlink to them from the users home 
> directory? What would the structure look like and what would I set 
> CATALINA_BASE and CATALINA_HOME to?

If I were king, I'd set things up like this:

1. Tomcat is installed in /usr/local/tomcat (or
/usr/local/tomcat-x.y.z, or /opt/whatever, etc.).
2. Tomcat is never launched with CATALINA_BASE=/usr/local/tomcat
3. Each user has their own CATALINA_BASE directory in their own home
directory (or wherever in the fs tree). No need to put anything in
/usr/local which is usually considered to be shared and read-only.
CATALINA_BASE is just a directory with the following directories in
it: work/ logs/ conf/ lib/ webapps/. Anything in there overrides
anything in the CATALINA_HOME where Tomcat is installed. I'd recommend
using a custom conf/server.xml and leaving everything else pretty much
alone except maybe a JDBC driver in CATALINA_BASE/lib that isn't
necessary for all the other Tomcats that will be running on the server.

This gives you a LOT of flexibility:

1. Users run their own JVMs as their own users. Filesystem permissions
become simpler. Applications require less trust (e.g. apps are running
at "cschultz" instead of "tomcat7").
2. Users can select which version of Tomcat they want to use. Just
change CATALINA_BASE and restart. (Roughly speaking. If you switch
major versions, you'll likely have to update
CATALINA_BASE/conf/server.xml quite a bit). No more "we are all
running x.y.z whether you like it or not".
3. Users can start/stop their own Tomcat services. No more emailing an
administrator and asking for a restart, and having to coordinate it
with several other unrelated teams who weren't expecting a service
restart in the middle of the day.
4. You (admin) don't have to babysit everyone's web applications.
Users simply put their own apps in CATALINA_BASE/webapps and move on
with their lives.

> What about file/directory permissions, assuming tomcat is running 
> under the 'tomcat' user? I have root access to the machine, so 
> changing groups, users, permissions is not an issue.

Free yourself from the "tomcat user". It's one of the things I dislike
most about the package-managed versions of Tomcat: they tend to run
everything as a single user which is completely unnecessary.

- -chris
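
The layout described in the message above, as an added example that is not part of the original post or of Tomcat's own scripts. The function names, ports and paths are assumptions, the `sed` rewrite assumes the stock `server.xml` port layout, and the whole `conf/` directory is copied because a later message in this thread reports "No global web.xml found" once `web.xml` was removed from CATALINA_BASE/conf.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a per-user CATALINA_BASE next to a
# shared CATALINA_HOME, plus a permission audit of the result.

# Directories the thread lists for CATALINA_BASE, plus temp/, which
# catalina.sh uses as the default CATALINA_TMPDIR.
BASE_DIRS="conf lib logs temp webapps work"

# Resolve a directory to its physical path; prints nothing if it is missing.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# make_catalina_base HOME_DIR BASE_DIR SHUTDOWN_PORT HTTP_PORT AJP_PORT
# Run as the instance owner (e.g. sandbox1), not as root, so that every
# file in the instance belongs to that user.
make_catalina_base() {
    local home_dir=$1 base_dir=$2 shutdown_port=$3 http_port=$4 ajp_port=$5
    if [ ! -r "$home_dir/conf/server.xml" ]; then
        echo "cannot read $home_dir/conf/server.xml" >&2
        return 1
    fi
    mkdir -p "$base_dir" || return 1
    if [ "$(real_dir "$home_dir")" = "$(real_dir "$base_dir")" ]; then
        echo "CATALINA_BASE must not be CATALINA_HOME" >&2
        return 1
    fi
    (
        umask 077    # new instance files are private to the owning user
        for d in $BASE_DIRS; do
            mkdir -p "$base_dir/$d" || exit 1
        done
        # Copy the default config files (web.xml, context.xml, ...).
        for f in "$home_dir"/conf/*; do
            if [ -f "$f" ]; then cp "$f" "$base_dir/conf/" || exit 1; fi
        done
        # Give this instance its own shutdown, HTTP and AJP ports.
        sed -e "s|<Server port=\"[0-9-]*\"|<Server port=\"$shutdown_port\"|" \
            -e "s|<Connector port=\"[0-9]*\" protocol=\"HTTP/1.1\"|<Connector port=\"$http_port\" protocol=\"HTTP/1.1\"|" \
            -e "s|<Connector port=\"[0-9]*\" protocol=\"AJP/1.3\"|<Connector port=\"$ajp_port\" protocol=\"AJP/1.3\"|" \
            "$home_dir/conf/server.xml" > "$base_dir/conf/server.xml" &&
            chmod 600 "$base_dir/conf/server.xml"
    )
}

# audit_instance HOME_DIR BASE_DIR
# Prints one line per finding; the return status is the number of findings.
audit_instance() {
    local home_dir=$1 base_dir=$2 findings=0 f
    if [ "$(real_dir "$home_dir")" = "$(real_dir "$base_dir")" ]; then
        echo "FINDING: CATALINA_BASE is the shared install directory"
        findings=$((findings + 1))
    fi
    # Without these two files the instance starts badly or serves only 404s.
    for f in server.xml web.xml; do
        if [ ! -r "$base_dir/conf/$f" ]; then
            echo "FINDING: $base_dir/conf/$f is missing or unreadable"
            findings=$((findings + 1))
        fi
    done
    # server.xml and tomcat-users.xml can hold passwords (keystorePass, users).
    for f in server.xml tomcat-users.xml; do
        if [ -n "$(find "$base_dir/conf/$f" \( -perm -0040 -o -perm -0004 \) 2>/dev/null)" ]; then
            echo "FINDING: $base_dir/conf/$f is readable by group or others"
            findings=$((findings + 1))
        fi
    done
    # The shared install is meant to be read-only for the instance users.
    if [ -n "$(find "$home_dir" ! -type l -perm -0002 2>/dev/null)" ]; then
        echo "FINDING: world-writable entries under $home_dir"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage, as the instance owner (paths and ports are placeholders):
#   make_catalina_base /usr/local/tomcat "$HOME/tomcat" 8105 8180 8109
#   CATALINA_HOME=/usr/local/tomcat CATALINA_BASE="$HOME/tomcat" \
#       /usr/local/tomcat/bin/startup.sh
```

Each instance then needs its own AJP port in the matching mod_jk worker definition.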


8.5 - multiple host configuration question

2017-09-05 Thread Chris Cheshire
I am migrating from 7 (yum repo installation) to 8.5 (direct from
apache) and looking to improve configuration where possible.

Currently (on *nix) I have a machine that runs sandboxes for my
domain, call them sb1.dom.com and sb2.dom.com. They each have their
own (system) user and in tomcat's system.xml I have a host for each :






Each has access to the host-manager app via a hardlink to manager.xml
through /usr/share/tomcat/conf/Catalina/${hostname}/manager.xml. Each
user belongs to the tomcat group, and has their webapps directory
group readable so Tomcat can deploy the apps. Each host may have
multiple contexts within it representing code branches. The env
variables have CATALINA_HOME and CATALINA_BASE pointing to
/usr/share/tomcat.

Reading RUNNING.txt, it says that HOME and BASE can point to different
locations for a multi-user environment, which sounds like what I am
doing. How do I go about configuring it this way?

Assume I put the tomcat installation in /usr/local, with a symlink
from /usr/local/tomcat to /usr/local/tomcat/apache-tomcat-${version}

Would it be better to put the webapps for each user under
/usr/local/tomcat/webapps and symlink to them from the users home
directory? What would the structure look like and what would I set
CATALINA_BASE and CATALINA_HOME to?

What about file/directory permissions, assuming tomcat is running
under the 'tomcat' user? I have root access to the machine, so
changing groups, users, permissions is not an issue.

Thanks

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Context PreResources configuration question

2016-03-04 Thread Mark Thomas
On 03/03/2016 20:37, Mark Thomas wrote:
> On 03/03/2016 17:08, Philippe Busque wrote:
> 
> 
> 
>> Is it normal that the context is initialized BEFORE the host is started,
>> while expecting the host to create the structure, but failing because
>> the structure is not present?
>>
>> Should the expand be executed after the host created the proper
>> structure for the context to expand its wars?
> 
> Generally, the expectation is that the appBase already exists. I'm fairly
> sure I didn't test the case you describe and I can easily imagine it
> failing.
> 
> I'll take a look. It should be possible to get this fixed before the
> next release.

Fixed. Will be in the next releases of 9.0.x, 8.0.x and 7.0.x. 6.0.x
doesn't have the "create missing appBase" feature.

Mark





Re: Context PreResources configuration question

2016-03-03 Thread Mark Thomas
On 03/03/2016 17:08, Philippe Busque wrote:



> Is it normal that the context is initialized BEFORE the host is started,
> while expecting the host to create the structure, but failing because
> the structure is not present?
> 
> Should the expand be executed after the host created the proper
> structure for the context to expand its wars?

Generally, the expectation is that the appBase already exists. I'm fairly
sure I didn't test the case you describe and I can easily imagine it
failing.

I'll take a look. It should be possible to get this fixed before the
next release.

Mark




Re: Context PreResources configuration question

2016-03-03 Thread Philippe Busque


The Wed, 02 Mar 2016 22:29:35, Mark Thomas wrote :

> That was pretty much a perfect question. A clear problem statement. A
> clear description of what you expected to happen vs. what actually
> happened. A clear description of what you tried. If only all posts to
> the users list were like this.
>
> This is an easy fix. The problem is that with no docBase defined and a
> path of "", tomcat is going to use a docBase of "ROOT". That means
> Tomcat is going to look for these files in "work/example1/ROOT" not in
> "work/example1".
>
> Generally, I'd recommend a slightly different directory structure.
> Something like:
> webapps-example1/ROOT.war
> which auto expands into
> webapps-example1/ROOT
>
> Mark

Thank you. I know how it is when someone stops at your desk for help, but not 
giving you any details on what the problem is :)



I followed your advice. I created separate webapps under our ${catalina.base} 
folder webapps-example1, webapps-example2 and so on, with a ROOT.war in each of 
them (what we usually do with single webapps deployment).

It works... partially. I'm getting random crashes with the same error as when it 
couldn't find the libraries.

org.apache.jasper.JasperException: The absolute uri: 
 http://java.sun.com/jsp/jstl/core cannot be 
resolved in either web.xml or the jar files deployed with this application

I first thought it was browser cache, but after testing a few times with wget on 
Tomcat itself and still getting the error, I have the feeling I'm hitting a 
cache inside tomcat. Why it's random, I have no clue.



Next I tried the docBase approach. I totally forgot about that setting after we 
removed them when they got a behaviour change midway in Tomcat 7 and it was 
recommended not to use them.

With webapps-example1 and webapps-example2, and a configured docBase, 
everything worked. Multiple refreshes did not cause random class not 
found without the docBase.  However, since I have a dozen webapps, leaving 12 
extra webapps folders under ${catalina.base} felt a bit cumbersome.


So I tried again with the following directory structure :
webapps/example1/ROOT
webapps/example2/ROOT


It worked like a charm too, but I noticed something that may be a priority 
order issue between ContextConfig and HostConfig.

With this configuration:

--
   http://www.example1.com>" appBase="webapps/example1" 
unpackWARs="true" autoDeploy="false">
 
 
 
 
 
 
   
--


If I create ${catalina.base}/webapps and none of its host appBase, I get the 
following error:

--
Mar 03, 2016 11:19:07 AM org.apache.catalina.startup.ContextConfig beforeStart
SEVERE: Exception fixing docBase for context []
java.io.IOException: Unable to create the directory 
[/vol0/home/cda/servers/CDA1/webapps/mediagrif/ROOT]
   at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:115)
   at 
org.apache.catalina.startup.ContextConfig.fixDocBase(ContextConfig.java:617)
   at 
org.apache.catalina.startup.ContextConfig.beforeStart(ContextConfig.java:753)
   at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)
   at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
   at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
   at 
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394)
   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:144)
   at 
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1408)
   at 
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1398)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)


   // Create the new document base directory
   if(!docBase.mkdir() && !docBase.isDirectory()) {
   throw new IOException(sm.getString("expandWar.createFailed", 
docBase));
   }

--

The source reveals that ExpandWar tries to do a mkdir but not a mkdirs. Since 
the parent is absent, it fails and crashes.

BUT, some moments later, the HostConfig class is creating those exact parents, 
recursively.

-
   if (host.getCreateDirs()) {
   File[] dirs = new File[] 
{host.getAppBaseFile(),host.getConfigBaseFile()};
   for (int i=0; i (a org.apache.catalina.core.StandardHost)
   at 
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:339)
   - locked <0xa00e6120> (a org.apache.catalina.core.StandardHost)
   at 
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:933)
   - locked <0xa00e6120> (a org.apache.catalina.core.StandardHost)
   at 
org.apache.catalina.core.S

Re: Context PreResources configuration question

2016-03-02 Thread Mark Thomas
On 02/03/2016 22:12, Philippe Busque wrote:



> In short, Tomcat is deployed with a  bare minimum war containing the jar
> dependencies for the JSP  and the web.xml.  All the other content, we
> used a CMS to deploy inside the unpacked war webapps folder of a
> particular site.
> 
> The drawback of that approach was that, if I needed to redeploy a new
> war, I had to unpack it manually (as an automatic unpack would delete
> the files deployed through the CMS along with the file from the
> previously unpacked WAR).
> 
> With Tomcat 8, I was  hoping to use the new PreResources and
> PostResource to move the static content away from the webapps, into its
> own droppath.
> 
> On my first attempt, I had this setup for my context
> --
>http://www.example1.com>"
> appBase="webapps/example1" unpackWARs="true" autoDeploy="false">
>  
>  
>  
>   className="org.apache.catalina.webresources.DirResourceSet" 
> readOnly="true" webAppMount="/"  base="/home/tomcat/CMS/example1.com" />
>  
>  
>
> ---
> 
> This worked fine to access static resources (images, css, js) deployed
> into "/home/tomcat/CMS/example1.com" .
> However, for some reason, any JSP file deployed inside that folder would
> crash, unable to access the dependencies Jar unpacked inside the
> appBase.  I thought, from reading the documentation, that the classpath
> from WEB-INF/lib and WEB-INF/class was always available. But from the
> NoClassDefFound errors I got, it doesn't seem to be the case.



> So I tried adding the folder of my appBase manually as a PostResources.
> 
> ---
>http://www.example1.com>"
> appBase="webapps/example1" unpackWARs="true" autoDeploy="false">
>  
>  
>  
>   className="org.apache.catalina.webresources.DirResourceSet" 
> readOnly="true" webAppMount="/"  base="/home/tomcat/CMS/example1.com" />
>   className="org.apache.catalina.webresources.DirResourceSet"
> readOnly="true" webAppMount="/" base="${catalina.base}/webapps/example1" />
>  
>  
>
> ---
> 
> 
> With this setup, the JSP deployed inside /home/tomcat/CMS/example1.com
> are able to access the web.xml and library from the appBase,  I would no
> longer receive the error and the pages would display.
> 
> However, Tomcat is validating the Resources *BEFORE* unpacking the War
> file into the appBase. As a result, if I start Tomcat from an undeployed
> state  (example1.war exists under ${catalina.base}/webapps/), tomcat
> crashes saying that the folder "${catalina.base}/webapps/example1" does
> not exist.  If I create the folder and deploy the war manually, tomcat
> works.  But that leaves me at the same point as I was with Tomcat 7: I
> need to manually unpack my war.



> At this point, I'm not sure where to look. I don't know why my
> PreResources JSP are not seeing the lib from my appBase, nor how to
> configure Tomcat to set them without a manual intervention.
> 
> 
> Tomcat Version 8.0.32
> OS: Red Hat 6.5
> Java 1.8.0_65
> 
> Thanks

That was pretty much a perfect question. A clear problem statement. A
clear description of what you expected to happen vs. what actually
happened. A clear description of what you tried. If only all posts to
the users list were like this.

This is an easy fix. The problem is that with no docBase defined and a
path of "", tomcat is going to use a docBase of "ROOT". That means
Tomcat is going to look for these files in "work/example1/ROOT" not in
"work/example1".

Generally, I'd recommend a slightly different directory structure.
Something like:
webapps-example1/ROOT.war
which auto expands into
webapps-example1/ROOT

Mark





Context PreResources configuration question

2016-03-02 Thread Philippe Busque

Hello,

I've been struggling with a use case on which I could use some advice.
I'm migrating a multi domain, CDS published static file instance.

In short, Tomcat is deployed with a  bare minimum war containing the jar 
dependencies for the JSP  and the web.xml.  All the other content, we used a 
CMS to deploy inside the unpacked war webapps folder of a particular site.

The drawback of that approach was that, if I needed to redeploy a new war, I 
had to unpack it manually (as an automatic unpack would delete the files 
deployed through the CMS along with the file from the previously unpacked WAR).

With Tomcat 8, I was  hoping to use the new PreResources and PostResource to 
move the static content away from the webapps, into its own droppath.

On my first attempt, I had this setup for my context
--
   http://www.example1.com>" appBase="webapps/example1" 
unpackWARs="true" autoDeploy="false">
 
 
 
 
 
 
   
---

This worked fine to access static resources (images, css, js) deployed into 
"/home/tomcat/CMS/example1.com" .
However, for some reason, any JSP file deployed inside that folder would crash, 
unable to access the dependencies Jar unpacked inside the appBase.  I thought, 
from reading the documentation, that the classpath from WEB-INF/lib and 
WEB-INF/class was always available. But from the NoClassDefFound errors I got, 
it doesn't seem to be the case.

---
SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw 
exception [The absolute uri: http://java.sun.com/jsp/jstl/core cannot be 
resolved in either web.xml or the jar files deploy
ed with this application] with root cause
org.apache.jasper.JasperException: The absolute uri: 
http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the 
jar files deployed with this application
---


So I tried adding the folder of my appBase manually as a PostResources.

---
   http://www.example1.com>" appBase="webapps/example1" 
unpackWARs="true" autoDeploy="false">
 
 
 
 
 
 
 
   
---


With this setup, the JSP deployed inside /home/tomcat/CMS/example1.com are able 
to access the web.xml and library from the appBase,  I would no longer receive 
the error and the pages would display.

However, Tomcat is validating the Resources *BEFORE* unpacking the War file into the 
appBase. As a result, if I start Tomcat from an undeployed state  (example1.war exists 
under ${catalina.base}/webapps/), tomcat crashes saying that the folder 
"${catalina.base}/webapps/example1" does not exist.  If I create the folder and 
deploy the war manually, tomcat works.  But that leaves me at the same point as I was with 
Tomcat 7: I need to manually unpack my war.

---
SEVERE: A child container failed during start
java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: 
Failed to initialize component 
[StandardEngine[Catalina].StandardHost[www.example1.com].StandardContext[]]

Caused by: java.lang.IllegalArgumentException: The directory specified by base 
and internal path [/home/tomcat/apache-tomcat-8.0.32/webapps/example1]/[] does 
not exist.
   at 
org.apache.catalina.webresources.DirResourceSet.checkType(DirResourceSet.java:253)
   at 
org.apache.catalina.webresources.AbstractFileResourceSet.initInternal(AbstractFileResourceSet.java:145)
   at 
org.apache.catalina.webresources.DirResourceSet.initInternal(DirResourceSet.java:261)
   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
   ... 12 more

---

At this point, I'm not sure where to look. I don't know why my PreResources JSP 
are not seeing the lib from my appBase, nor how to configure Tomcat to set them 
without a manual intervention.


Tomcat Version 8.0.32
OS: Red Hat 6.5
Java 1.8.0_65

Thanks

--

Philippe Busque
, rue St-Charles Ouest,
Tour Est, bureau 255
Longueuil (Québec) Canada J4K 5G4
Tél. : 450-449-0102 ext. 3017
Télec. : 450-449-8725


RE: Configuration question

2014-04-21 Thread Jeffrey Janner
> -Original Message-
> From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> Sent: Thursday, April 17, 2014 9:01 AM
> To: Tomcat Users List
> Subject: Re: Configuration question
> 
> Here is the configuration, as you can see the default host is set and
> the IP is not aliased.
> 
> in server.xml
> ...
> connectionTimeout="2"
>redirectPort="443" />
> ...
> port="443"
>scheme="https" secure="true" SSLEnabled="true"
>keystoreFile="xxx.keystore"
>keystorePass="xxx" keyAlias="xxx"
>clientAuth="false" sslProtocol="TLS" /> ...
>  defaultHost="www.torquewrenchrecalibration.com">
> ...
>unpackWARs="true" autoDeploy="false"
> xmlValidation="false" xmlNamespaceAware="false">
> www.torque-wrench-recalibration.com
> www.myerstorquetracker.com
>   
> ...
> 
> in web.xml
> ...
> 
>   
> Entire App
> /*
>   
>   
> CONFIDENTIAL
>   
> 
> ...
> 
> 
> 
Well, with that configuration, any traffic sent to your IP address will be 
directed to your default host, i.e. your app, so that settles the question 
about the IP or DNS name generating the "error" on the WSS.  Both should return 
the same result.  So, either the WSS doesn't know what it's talking about, or 
you're not getting the message because of the connection to your login page. I 
don't see any reference to any Tomcat-initiated authentication defined here, so 
perhaps it’s a problem with the WSS, or as Terrence pointed out, do you have 
the "manager" app deployed?  By default, it uses Basic Auth and non-SSL.  You 
might need to spruce up the security on it a bit.
Jeff 


Re: Configuration question

2014-04-17 Thread Terence M. Bandoian

On 4/17/2014 9:01 AM, Mark Murphy wrote:

Here is the configuration, as you can see the default host is set and the
IP is not aliased.

in server.xml
...
 
...
 
...
 
...
   
 www.torque-wrench-recalibration.com
 www.myerstorquetracker.com
   
...

in web.xml
...
 
   
 Entire App
 /*
   
   
 CONFIDENTIAL
   
 
...



On Thu, Apr 17, 2014 at 9:42 AM, Jeffrey Janner 
wrote:

-Original Message-
From: Mark Murphy [mailto:jmarkmur...@gmail.com]
Sent: Wednesday, April 16, 2014 12:42 PM
To: Tomcat Users List
Subject: Configuration question

How do I prevent Tomcat 6 from responding to a request to an IP
address, that is I only want my Tomcat server to respond to requests to
www.mydomain.com vs. 10.1.1.1.

Is this possible?


To address the question asked:
The easiest way may be to create a dummy  entry with an 
entry for the IP Address. Do not allocate any contexts to the host, or
perhaps one that points to an empty directory.  Haven't tested it, just a
thought.
However read rest of answer.


The problem is that our web security scanner is reporting "Web Server
Uses Basic Authentication Without HTTPS", and the infrastructure guys
think it is because Tomcat allows connection to the IP address.

Does this make sense?

No this does not make sense.  If the IP isn't returning HTTPS, then your
DNS name probably isn't either. Tomcat doesn't care about the supplied
name, except to match it to the  entry in server.xml.  You didn't
post your config, but I'm assuming that the default host is set to
www.mydomain.com, and the IP address isn't aliased. If it is not that
way, you should either correctly set your default host, or add an 
entry for the IP address to you  config.

You'd definitely get this response if your default host was still set at
the default of "localhost", instead of your  entry's name value,
there was no  entry for the IP, and the security tester was testing
against IP as well as name (though one would expect the report to indicate
this).



Is the manager app deployed?

-Terence Bandoian





Re: [OT] Configuration question

2014-04-17 Thread Mark Murphy
No frameworks, no standard configurations, it is so bad that the only way
to deploy changes is to manually find the file that needs replacing, and
replace it. I can't even use a war file to deploy. If I was in charge, I
would probably rewrite even if it was still Java, though I might be able to
keep some of the components.


On Thu, Apr 17, 2014 at 11:44 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Mark,
>
> On 4/17/14, 11:01 AM, Mark Murphy wrote:
> > Yes, I inherited this mess part time when the original developer
> > left, and am trying to keep it alive, and fix problems as they
> > arise. There are a lot of issues, some cosmetic, and others not so
> > much. The current staff is planning to rewrite using an environment
> > that they are more familiar with, probably .NET. In the meantime I
> > need to keep this thing on life support.
>
> Ugh, that's too bad. I've seen that kind of thing happen many times: a
> new group comes in and re-writes everything, rather than getting a
> group of people who can do a better job with what they've got.
>
> It doesn't matter to me that Java is being abandoned for .NET -- .NET
> is a great environment as I understand -- but the fact that a whole
> lot of work is being trashed just seems like a waste.
>
> Then again, if the pages are that bad, perhaps the code is just as awful.
>
> - -chris


Re: [OT] Configuration question

2014-04-17 Thread Christopher Schultz

Mark,

On 4/17/14, 11:01 AM, Mark Murphy wrote:
> Yes, I inherited this mess part time when the original developer
> left, and am trying to keep it alive, and fix problems as they
> arise. There are a lot of issues, some cosmetic, and others not so
> much. The current staff is planning to rewrite using an environment
> that they are more familiar with, probably .NET. In the meantime I
> need to keep this thing on life support.

Ugh, that's too bad. I've seen that kind of thing happen many times: a
new group comes in and re-writes everything, rather than getting a
group of people who can do a better job with what they've got.

It doesn't matter to me that Java is being abandoned for .NET -- .NET
is a great environment as I understand -- but the fact that a whole
lot of work is being trashed just seems like a waste.

Then again, if the pages are that bad, perhaps the code is just as awful.

- -chris



Re: [OT] Configuration question

2014-04-17 Thread Mark Murphy
Yes, I inherited this mess part time when the original developer left, and
am trying to keep it alive, and fix problems as they arise. There are a lot
of issues, some cosmetic, and others not so much. The current staff is
planning to rewrite using an environment that they are more familiar with,
probably .NET. In the meantime I need to keep this thing on life support.


On Thu, Apr 17, 2014 at 10:40 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Mark,
>
> On 4/17/14, 10:01 AM, Mark Murphy wrote:
> > Here is the configuration, as you can see the default host is set
> > and the IP is not aliased.
> >
> > in server.xml ...  > connectionTimeout="2" redirectPort="443" /> ...  > protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
> > scheme="https" secure="true" SSLEnabled="true"
> > keystoreFile="xxx.keystore" keystorePass="xxx"
> > keyAlias="xxx" clientAuth="false" sslProtocol="TLS" /> ...
> >  > defaultHost="www.torquewrenchrecalibration.com"> ...  > name="www.torquewrenchrecalibration.com"  appBase="webapps"
>
>
> Just for the heck of it, I visited this site. The markup there is
> horrendous. It's not well-formed, does not conform to the HTML spec,
> and has a bunch of totally superfluous Javascript.
>
> Did your security vendor complain that the server responds with
> "Server: Apache-Coyote/1.1"? They often do, even though it makes no
> difference whatsoever IMHO.
>
> - -chris


Re: [OT] Configuration question

2014-04-17 Thread Christopher Schultz

Mark,

On 4/17/14, 10:01 AM, Mark Murphy wrote:
> Here is the configuration, as you can see the default host is set
> and the IP is not aliased.
> 
> in server.xml ...  connectionTimeout="2" redirectPort="443" /> ...  protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" 
> scheme="https" secure="true" SSLEnabled="true" 
> keystoreFile="xxx.keystore" keystorePass="xxx"
> keyAlias="xxx" clientAuth="false" sslProtocol="TLS" /> ... 
>  defaultHost="www.torquewrenchrecalibration.com"> ...  name="www.torquewrenchrecalibration.com"  appBase="webapps"


Just for the heck of it, I visited this site. The markup there is
horrendous. It's not well-formed, does not conform to the HTML spec,
and has a bunch of totally superfluous Javascript.

Did your security vendor complain that the server responds with
"Server: Apache-Coyote/1.1"? They often do, even though it makes no
difference whatsoever IMHO.

- -chris



Re: Configuration question

2014-04-17 Thread Mark Murphy
Here is the configuration, as you can see the default host is set and the
IP is not aliased.

in server.xml
...

...

...

...
  
www.torque-wrench-recalibration.com
www.myerstorquetracker.com
  
...

in web.xml
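...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire App</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
...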



On Thu, Apr 17, 2014 at 9:42 AM, Jeffrey Janner  wrote:

> > -Original Message-
> > From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> > Sent: Wednesday, April 16, 2014 12:42 PM
> > To: Tomcat Users List
> > Subject: Configuration question
> >
> > How do I prevent Tomcat 6 from responding to a request to an IP
> > address, that is I only want my Tomcat server to respond to requests to
> > www.mydomain.com vs. 10.1.1.1.
> >
> > Is this possible?
> >
> To address the question asked:
> The easiest way may be to create a dummy <Host> entry with an <Alias>
> entry for the IP Address. Do not allocate any contexts to the host, or
> perhaps one that points to an empty directory.  Haven't tested it, just a
> thought.
> However read rest of answer.
>
> > The problem is that our web security scanner is reporting "Web Server
> > Uses Basic Authentication Without HTTPS", and the infrastructure guys
> > think it is because Tomcat allows connection to the IP address.
> >
> > Does this make sense?
> No this does not make sense.  If the IP isn't returning HTTPS, then your
> DNS name probably isn't either. Tomcat doesn't care about the supplied
> name, except to match it to the <Host> entry in server.xml.  You didn't
> post your config, but I'm assuming that the default host is set to
> www.mydomain.com, and the IP address isn't aliased. If it is not that
> way, you should either correctly set your default host, or add an <Alias>
> entry for the IP address to your <Host> config.
>
> You'd definitely get this response if your default host was still set at
> the default of "localhost", instead of your <Host> entry's name value,
> there was no <Alias> entry for the IP, and the security tester was testing
> against IP as well as name (though one would expect the report to indicate
> this).
>


RE: Configuration question

2014-04-17 Thread Jeffrey Janner
> -Original Message-
> From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> Sent: Wednesday, April 16, 2014 12:42 PM
> To: Tomcat Users List
> Subject: Configuration question
> 
> How do I prevent Tomcat 6 from responding to a request to an IP
> address, that is I only want my Tomcat server to respond to requests to
> www.mydomain.com vs. 10.1.1.1.
> 
> Is this possible?
> 
To address the question asked:
The easiest way may be to create a dummy <Host> entry with an <Alias> entry for 
the IP Address. Do not allocate any contexts to the host, or perhaps one that 
points to an empty directory.  Haven't tested it, just a thought.
However read rest of answer.

> The problem is that our web security scanner is reporting "Web Server
> Uses Basic Authentication Without HTTPS", and the infrastructure guys
> think it is because Tomcat allows connection to the IP address.
> 
> Does this make sense?
No this does not make sense.  If the IP isn't returning HTTPS, then your DNS 
name probably isn't either. Tomcat doesn't care about the supplied name, except 
to match it to the <Host> entry in server.xml.  You didn't post your config, 
but I'm assuming that the default host is set to www.mydomain.com, and the IP 
address isn't aliased. If it is not that way, you should either correctly set 
your default host, or add an <Alias> entry for the IP address to your <Host> 
config.

You'd definitely get this response if your default host was still set at the 
default of "localhost", instead of your <Host> entry's name value, there was no 
<Alias> entry for the IP, and the security tester was testing against IP as 
well as name (though one would expect the report to indicate this).
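
How the name matching described above picks a virtual host, as an added example (not code from this thread or from Tomcat): a simplified model in which a request goes to the Host whose name or Alias equals the Host header, and otherwise to the Engine's defaultHost. Both server.xml fragments are constructed, and the host name "ip-sink" and appBase "empty" are hypothetical stand-ins for the untested dummy-host idea.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the default host is the real site and
# nothing claims the IP address, the situation assumed in the reply above.
BEFORE = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="www.mydomain.com">
      <Host name="www.mydomain.com" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Same fragment plus the suggested dummy Host: it claims the IP address
# through an Alias and points at an appBase holding no web applications.
# The name "ip-sink" and the appBase "empty" are hypothetical.
AFTER = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="www.mydomain.com">
      <Host name="www.mydomain.com" appBase="webapps"/>
      <Host name="ip-sink" appBase="empty">
        <Alias>10.1.1.1</Alias>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def load_engine(server_xml):
    """Return (defaultHost, {lowercased name or alias: (host name, appBase)})."""
    engine = ET.fromstring(server_xml).find("./Service/Engine")
    table = {}
    for host in engine.findall("Host"):
        entry = (host.get("name"), host.get("appBase"))
        names = [host.get("name")]
        names += [a.text.strip() for a in host.findall("Alias") if a.text]
        for name in names:
            table[name.lower()] = entry
    return engine.get("defaultHost"), table


def strip_port(host_header):
    """Reduce a Host header value to the bare, lowercased server name."""
    host = (host_header or "").strip()
    if host.startswith("["):                    # bracketed IPv6 literal
        return host[: host.find("]") + 1].lower()
    return host.split(":", 1)[0].lower()


def resolve(server_xml, host_header):
    """Pick the Host that serves a request carrying this Host header.

    Exact, case-insensitive match on name or alias first; anything else,
    including a missing header, falls back to the Engine's defaultHost.
    Returns None when defaultHost names no configured Host.
    """
    default_host, table = load_engine(server_xml)
    return table.get(strip_port(host_header)) or table.get(default_host.lower())
```

Only the names listed on the dummy host are diverted; a request under any other unknown name still lands on defaultHost.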


Re: Configuration question

2014-04-16 Thread Daniel Mikusa
On Apr 16, 2014, at 1:42 PM, Mark Murphy  wrote:

> How do I prevent Tomcat 6 from responding to a request to an IP address,
> that is I only want my Tomcat server to respond to requests to
> www.mydomain.com vs. 10.1.1.1.

Just an idea, but you could probably do this with a filter or a valve.  You 
could try looking at request.getServerName() (or just the host header) and 
using that to approve or deny the request.

Tomcat has a valve that you can sub class to make this easier (if you go with a 
valve).

  
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java?view=markup

an example of this is the RemoteHostValve.

  
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/RemoteHostValve.java?view=markup

> 
> Is this possible?
> 
> The problem is that our web security scanner is reporting "Web Server Uses
> Basic Authentication Without HTTPS",

Is basic auth enabled (look through your application’s web.xml files for 
"auth-method" set to "BASIC")?  If so, is disabling it an option?  If not, you 
should look at setting a "transport-guarantee" of "CONFIDENTIAL" in web.xml so 
that the application will redirect to HTTPS (or worst case use a filter like 
the UrlRewriteFilter to force HTTPS).

> and the infrastructure guys think it is because Tomcat allows connection to 
> the IP address.

I’m not sure how this is expected to help.  I suppose if the scanner was sending 
requests using the IP address and not the host, you could filter and block 
those requests.  That might trick the scanner into thinking the server is not 
accepting basic authentication.  I’m not sure how it would address the issue 
mentioned by the scanner though (assuming the scanner is not at fault here).

Dan
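
One way to run the web.xml check suggested above, as an added example (not code from this thread or from Tomcat): it lists the url-patterns that ask for a BASIC login without a CONFIDENTIAL (or INTEGRAL) transport-guarantee on the same pattern. Both descriptors are constructed, the /admin/* area and its role are hypothetical, and http-method restrictions are ignored.

```python
import xml.etree.ElementTree as ET

# transport-guarantee values that make the container require TLS.
TLS_GUARANTEES = {"CONFIDENTIAL", "INTEGRAL"}

# Constructed descriptor: a site-wide CONFIDENTIAL constraint like the
# "Entire App" one posted in this thread, plus a hypothetical /admin/* area
# that asks for a BASIC login but carries no transport-guarantee of its own.
WEAK = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire App</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# Corrected: the constraint that triggers the login also demands TLS.
FIXED = WEAK.replace(
    "</auth-constraint>",
    "</auth-constraint>\n    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>",
)


def _parse(web_xml):
    """Parse a descriptor and drop XML namespaces so plain tag names match."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def basic_auth_without_tls(web_xml):
    """Return url-patterns where BASIC credentials may travel over plain HTTP.

    Constraints are grouped by url-pattern because the container applies the
    constraints of the best-matching pattern only: CONFIDENTIAL on /* does
    not cover a more specific pattern that has a constraint of its own.
    """
    root = _parse(web_xml)
    method = (root.findtext("login-config/auth-method") or "").strip().upper()
    if method != "BASIC":
        return []
    needs_login, has_tls = set(), set()
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip()
                    for p in sc.findall("web-resource-collection/url-pattern")
                    if p.text]
        # Only a constraint naming a role prompts for a password; an empty
        # auth-constraint denies access outright.
        if sc.find("auth-constraint/role-name") is not None:
            needs_login.update(patterns)
        guarantee = sc.findtext("user-data-constraint/transport-guarantee") or ""
        if guarantee.strip().upper() in TLS_GUARANTEES:
            has_tls.update(patterns)
    return sorted(needs_login - has_tls)
```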



Configuration question

2014-04-16 Thread Mark Murphy
How do I prevent Tomcat 6 from responding to a request to an IP address,
that is I only want my Tomcat server to respond to requests to
www.mydomain.com vs. 10.1.1.1.

Is this possible?

The problem is that our web security scanner is reporting "Web Server Uses
Basic Authentication Without HTTPS", and the infrastructure guys think it
is because Tomcat allows connection to the IP address.

Does this make sense?


AW: Configuration question for 2500 simultaneous users.

2013-08-05 Thread Stadelmann Josef
I would also read about "how to scale up web applications"!
Also you may talk to those who have their web apps already in the cloud!
In a cloud, adding more CPUs, adding more memory, adding more data storage 
space is easy.
And what about communication and data bandwidth and related equipment?
Any clues about how large or small your request/reply packages are?
It is a difference if 5000 users download a streaming movie in real-time, or 
streaming music in real-time, or streaming compressed stock market data in even 
better real time or books or any other sort of compound documents in 8 to 10 
minutes download time; so what are the demands from a user perspective to 
reach a high quality of service?
Josef Stadelmann

-Original Message-
From: Mark Eggers [mailto:its_toas...@yahoo.com] 
Sent: Wednesday, 31 July 2013 00:18
To: Tomcat Users List
Subject: Re: Configuration question for 2500 simultaneous users.

On 7/30/2013 1:17 PM, Tomcat Random wrote:
> Thanks Mark, I will give it a close read.
>
> As far as profiling, are you using any tools that are worth mentioning?
>

Nothing outstanding, since currently all of our applications are pretty 
lightweight. That may change if we redo the architecture.

JMeter / Selenium in combination can generate a lot of traffic. Generate a 
selenium test script, export to JUnit, couple with HTMLUnit, and hammer away.

There are several ways to watch what goes on with your application:

JConsole
VisualVM

The Tomcat Wiki page has more:

http://wiki.apache.org/tomcat/FAQ/Monitoring

For lighter weight profiling (usually to figure out where the application 
bottlenecks are), I run the project under NetBeans and instrument the project.

Access logs are usually a good first source for generating JMeter tests.

In general, people can only give you guidelines concerning sizing, profiling, 
and benchmarking. The particulars depend on your particular application.

. . . . just my two cents.
/mde/

PS - Please don't top post.

> Best,
> A
>
>
>
> On Tue, Jul 30, 2013 at 4:02 PM, Mark Eggers  wrote:
>
>> On 7/30/2013 12:42 PM, Tomcat Random wrote:
>>
>>> The project I'm working on has 5000 simultaneous users average. I 
>>> have two physical servers both running an instance of Tomcat 7.0. 
>>> They're behind a physical load balancer with sticky, least 
>>> connections balancing. Nothing in front of the Tomcats. Port 80 to 
>>> is routed to them by iptables.
>>>
>>> Anyone out there willing to offer some tips (or point me to them) on 
>>> configuration for this amount of traffic?
>>>
>>> Environment is:
>>> DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32 Single Socket 
>>> Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores per Proc: 
>>> 6 RHEL 6
>>>
>>> TIA,
>>> Alec
>>>
>>>
>> A great overview, and a solid outline of the process you should follow:
>>
>> http://people.apache.org/~markt/presentations/2009-04-01-TomcatTuning.pdf
>>
>> That, plus profiling your application with real-world traffic to 
>> understand bottlenecks and use cases . . .
>>
>> . . . just my two cents.
>> /mde/





Re: Configuration question for 2500 simultaneous users.

2013-08-02 Thread Christopher Schultz

Alec,

On 8/1/13 6:08 PM, Tomcat Random wrote:
> Thanks Mark, I've been getting up to speed on JMeter. I've used
> selenium before. "The particulars depend on your particular
> application" - agreed. That part I can work out myself by looking
> at bottlenecks, generally timing areas of the application with more
> and more granularity, in places where the app behaves slowly.

Just remember that you can't really benchmark your application with a
single client. There are behaviors that only emerge under some kind of
load. For instance, uncontended object monitors (i.e. synchronized
methods, blocks, etc.) in the JVM can be obtained very quickly. So, if
you have a resource that requires serialized access (e.g. db
connection pool), it may perform very well under an isolated test: you
find that your most time-consuming request/response pair takes, say,
850ms.

That's great: you do the math and say that you can handle 1.18 req/sec
on average and with users expected to make 1 request every 10 seconds,
that means that you can handle ~12 simultaneous users with no apparent
slow-down.

Then you get contended locks, which are slower. Instead of roughly
zero time to obtain an object lock, let's say it takes 50ms (that's
grossly overstating the amount of time required to obtain an object
lock, but somewhat instructive). So now you're up to 900ms for your
transaction and you can handle 1.11 req/sec with no slowdown and you
can only handle 11 simultaneous users.

Multiply those effects by a lot (lots of transactions, lots of users,
lots of multi-threaded conflicts) and you can find that you really can
only handle 91% of the traffic you thought you could.

If you use JMeter, your software will get better: you will be able to
identify those transactions that don't perform well and focus your
optimization efforts in those places, instead of just reading code,
changing StringBuffer to StringBuilder and new Integer() to
Integer.valueOf() and convincing yourself that you now have an
optimized piece of software.

With a load-testing suite, you can prove to yourself (and, perhaps
more importantly, your boss) that your software can handle the load
you expect. It also helps with resource planning: if you know that a
single instance of Tomcat on X hardware can handle Y load and you
expect Z actual load, then you know you need Z / Y pieces of X
hardware to run properly. Then multiply by some fudge factor (say 20%)
and take the ceiling of that (so you always have an extra server...
just in case). So maybe it's more like [ Z * 1.2 / Y ]. Oh, and
remember that Z needs to represent *peak load* and not average load.
If you have an online flower shop, you need to plan for the week of
Valentine's Day during business hours, not the following Saturday in
the middle of the night.

Gather a ton of data and look at it. Graph it. You will learn a lot.

Oh, and if you're using httpd (you didn't say), you might want to look
into the "event" MPM: it won't waste connections waiting around for
KeepAlive requests that never come from clients. The default MPM for
httpd 2.4 on *NIX is "event" when supported by the OS and prefork for
httpd 2.2. I believe "event" is stable on 2.2 -- just not the default.
Benchmark with and without it and see if it makes a difference. With
JMeter, your tests might be distorted because of how the tests run
(e.g. constantly). You might have to fiddle with the JMeter
configuration to get it to act more like a "real" browser by leaving
connections open for a few seconds after making all the requests for a
page. Then you may notice a difference.

- -chris



Re: Configuration question for 2500 simultaneous users.

2013-08-02 Thread Christopher Schultz

Alec,

On 8/1/13 6:14 PM, Tomcat Random wrote:
> I'm expecting 5000 simultaneous users, with a physical load
> balancer to two physical app servers. So ~2500 per machine, each
> running an instance of tomcat not fronted by httpd or any proxy
> server. (i.e., using Tomcat to serve a few static assets along with
> the webapp).

Again, how many simultaneous /connections/ -- or requests -- do you
expect to handle? The number of simultaneous users is really only
relevant if you use sessions and then it comes down to memory (heap)
and failover (replication) if you want it.

What's much more important is the transaction rate. For instance, if
you expect 5000 users (really ~2500 per instance) and they each make a
request once per minute, then that's 2500 requests per minute or ~40
req/sec. If your average transaction takes longer than 1/40 sec
(250ms), then you are in trouble because you will not be able to keep
up with demand.

If your users make 2 transactions per minute, then you need to have
average transaction time down to 1/80 sec (125ms) or you will not be
able to keep up.

What happens if one host fails and the other one picks up *all* the
traffic? That means you need to do the average transaction in 1/160
sec (62ms) or you will not be able to keep up.

You might consider using a hot-spare or 3 instances.

> "are you just interested in speculative performance tuning?" That's
> correct - with just one user (myself) testing it everything is
> wonderful. I've just got that uneasy feeling the servers will
> explode when we flip over from our old host/codebase and get all
> the traffic.

JMeter is your friend. Put in the time to build workflow simulations.
It will pay you back manifold. You can even use your JMeter load tests
to do quick smoke-testing in production after a release just to make
sure you didn't miss anything.

- -chris



Re: Configuration question for 2500 simultaneous users.

2013-08-01 Thread Tomcat Random
Hey Chris,

I'm expecting 5000 simultaneous users, with a physical load balancer to two
physical app servers. So ~2500 per machine, each running an instance of
tomcat not fronted by httpd or any proxy server. (i.e., using Tomcat to
serve a few static assets along with the webapp).

"are you just interested in speculative performance tuning?" That's correct
- with just one user (myself) testing it everything is wonderful. I've just
got that uneasy feeling the servers will explode when we flip over from our
old host/codebase and get all the traffic.

Best,
Alec



On Wed, Jul 31, 2013 at 11:09 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Alec,
>
> On 7/30/13 3:42 PM, Tomcat Random wrote:
> > The project I'm working on has 5000 simultaneous users average. I
> > have two physical servers both running an instance of Tomcat 7.0.
> > They're behind a physical load balancer with sticky, least
> > connections balancing. Nothing in front of the Tomcats. Port 80 to
> > is routed to them by iptables.
> >
> > Anyone out there willing to offer some tips (or point me to them)
> > on configuration for this amount of traffic?
> >
> > Environment is: DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory:
> > 32 Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors:
> > 1, #Cores per Proc: 6 RHEL 6
>
> Are you experiencing any problems, or are you just interested in
> speculative performance tuning?
>
> Tomcat's default configuration is quite reasonable. How many
> simultaneous /connections/ do you expect?
>
> - -chris


Re: Configuration question for 2500 simultaneous users.

2013-08-01 Thread Tomcat Random
Thanks Mark, I've been getting up to speed on JMeter. I've used selenium
before. "The particulars depend on your particular application" - agreed.
That part I can work out myself by looking at bottlenecks, generally timing
areas of the application with more and more granularity, in places where
the app behaves slowly.

Best,
Alec


On Tue, Jul 30, 2013 at 6:17 PM, Mark Eggers  wrote:

> On 7/30/2013 1:17 PM, Tomcat Random wrote:
>
>> Thanks Mark, I will give it a close read.
>>
>> As far as profiling, are you using any tools that are worth mentioning?
>>
>>
> Nothing outstanding, since currently all of our applications are pretty
> lightweight. That may change if we redo the architecture.
>
> JMeter / Selenium in combination can generate a lot of traffic. Generate a
> selenium test script, export to JUnit, couple with HTMLUnit, and hammer
> away.
>
> There are several ways to watch what goes on with your application:
>
> JConsole
> VisualVM
>
> The Tomcat Wiki page has more:
>
> http://wiki.apache.org/tomcat/FAQ/Monitoring
>
> For lighter weight profiling (usually to figure out where the application
> bottlenecks are), I run the project under NetBeans and instrument the
> project.
>
> Access logs are usually a good first source for generating JMeter tests.
>
> In general, people can only give you guidelines concerning sizing,
> profiling, and benchmarking. The particulars depend on your particular
> application.
>
>
> . . . . just my two cents.
> /mde/
>
> PS - Please don't top post.
>
>> Best,
>> A
>>
>>
>>
>> On Tue, Jul 30, 2013 at 4:02 PM, Mark Eggers
>> wrote:
>>
>>> On 7/30/2013 12:42 PM, Tomcat Random wrote:
>>>
>>>> The project I'm working on has 5000 simultaneous users average. I have two
>>>> physical servers both running an instance of Tomcat 7.0. They're behind a
>>>> physical load balancer with sticky, least connections balancing. Nothing in
>>>> front of the Tomcats. Port 80 to is routed to them by iptables.
>>>>
>>>> Anyone out there willing to offer some tips (or point me to them) on
>>>> configuration for this amount of traffic?
>>>>
>>>> Environment is:
>>>> DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32
>>>> Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores
>>>> per Proc: 6
>>>> RHEL 6
>>>>
>>>> TIA,
>>>> Alec
>>>>
>>>>
>>> A great overview, and a solid outline of the process you should follow:
>>>
>>> http://people.apache.org/~markt/presentations/2009-04-01-TomcatTuning.pdf
>>>
>>>
>>> That, plus profiling your application with real-world traffic to
>>> understand bottlenecks and use cases . . .
>>>
>>> . . . just my two cents.
>>> /mde/
>>>
>>
>


Re: Configuration question for 2500 simultaneous users.

2013-07-31 Thread Christopher Schultz

Alec,

On 7/30/13 3:42 PM, Tomcat Random wrote:
> The project I'm working on has 5000 simultaneous users average. I
> have two physical servers both running an instance of Tomcat 7.0.
> They're behind a physical load balancer with sticky, least
> connections balancing. Nothing in front of the Tomcats. Port 80 to
> is routed to them by iptables.
> 
> Anyone out there willing to offer some tips (or point me to them)
> on configuration for this amount of traffic?
> 
> Environment is: DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory:
> 32 Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors:
> 1, #Cores per Proc: 6 RHEL 6

Are you experiencing any problems, or are you just interested in
speculative performance tuning?

Tomcat's default configuration is quite reasonable. How many
simultaneous /connections/ do you expect?

- -chris



Re: Configuration question for 2500 simultaneous users.

2013-07-30 Thread Mark Eggers

On 7/30/2013 1:17 PM, Tomcat Random wrote:

> Thanks Mark, I will give it a close read.
>
> As far as profiling, are you using any tools that are worth mentioning?



Nothing outstanding, since currently all of our applications are pretty 
lightweight. That may change if we redo the architecture.


JMeter / Selenium in combination can generate a lot of traffic. Generate 
a selenium test script, export to JUnit, couple with HTMLUnit, and 
hammer away.


There are several ways to watch what goes on with your application:

JConsole
VisualVM

The Tomcat Wiki page has more:

http://wiki.apache.org/tomcat/FAQ/Monitoring

For lighter weight profiling (usually to figure out where the 
application bottlenecks are), I run the project under NetBeans and 
instrument the project.


Access logs are usually a good first source for generating JMeter tests.

In general, people can only give you guidelines concerning sizing, 
profiling, and benchmarking. The particulars depend on your particular 
application.


. . . . just my two cents.
/mde/

PS - Please don't top post.


> Best,
> A
>
> On Tue, Jul 30, 2013 at 4:02 PM, Mark Eggers  wrote:
>
>> On 7/30/2013 12:42 PM, Tomcat Random wrote:
>>
>>> The project I'm working on has 5000 simultaneous users average. I have two
>>> physical servers both running an instance of Tomcat 7.0. They're behind a
>>> physical load balancer with sticky, least connections balancing. Nothing in
>>> front of the Tomcats. Port 80 to is routed to them by iptables.
>>>
>>> Anyone out there willing to offer some tips (or point me to them) on
>>> configuration for this amount of traffic?
>>>
>>> Environment is:
>>> DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32
>>> Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores
>>> per Proc: 6
>>> RHEL 6
>>>
>>> TIA,
>>> Alec
>>>
>> A great overview, and a solid outline of the process you should follow:
>>
>> http://people.apache.org/~markt/presentations/2009-04-01-TomcatTuning.pdf
>>
>> That, plus profiling your application with real-world traffic to
>> understand bottlenecks and use cases . . .
>>
>> . . . just my two cents.
>> /mde/






Re: Configuration question for 2500 simultaneous users.

2013-07-30 Thread Tomcat Random
Thanks Mark, I will give it a close read.

As far as profiling, are you using any tools that are worth mentioning?

Best,
A



On Tue, Jul 30, 2013 at 4:02 PM, Mark Eggers  wrote:

> On 7/30/2013 12:42 PM, Tomcat Random wrote:
>
>> The project I'm working on has 5000 simultaneous users average. I have two
>> physical servers both running an instance of Tomcat 7.0. They're behind a
>> physical load balancer with sticky, least connections balancing. Nothing
>> in
>> front of the Tomcats. Port 80 to is routed to them by iptables.
>>
>> Anyone out there willing to offer some tips (or point me to them) on
>> configuration for this amount of traffic?
>>
>> Environment is:
>> DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32
>> Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores
>> per Proc: 6
>> RHEL 6
>>
>> TIA,
>> Alec
>>
>>
> A great overview, and a solid outline of the process you should follow:
>
> http://people.apache.org/~markt/presentations/2009-04-01-TomcatTuning.pdf
>
> That, plus profiling your application with real-world traffic to
> understand bottlenecks and use cases . . .
>
> . . . just my two cents.
> /mde/
>


Re: Configuration question for 2500 simultaneous users.

2013-07-30 Thread Mark Eggers

On 7/30/2013 12:42 PM, Tomcat Random wrote:

> The project I'm working on has 5000 simultaneous users average. I have two
> physical servers both running an instance of Tomcat 7.0. They're behind a
> physical load balancer with sticky, least connections balancing. Nothing in
> front of the Tomcats. Port 80 to is routed to them by iptables.
>
> Anyone out there willing to offer some tips (or point me to them) on
> configuration for this amount of traffic?
>
> Environment is:
> DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32
> Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores
> per Proc: 6
> RHEL 6
>
> TIA,
> Alec



A great overview, and a solid outline of the process you should follow:

http://people.apache.org/~markt/presentations/2009-04-01-TomcatTuning.pdf

That, plus profiling your application with real-world traffic to 
understand bottlenecks and use cases . . .


. . . just my two cents.
/mde/




Configuration question for 2500 simultaneous users.

2013-07-30 Thread Tomcat Random
The project I'm working on has 5000 simultaneous users average. I have two
physical servers both running an instance of Tomcat 7.0. They're behind a
physical load balancer with sticky, least connections balancing. Nothing in
front of the Tomcats. Port 80 to is routed to them by iptables.

Anyone out there willing to offer some tips (or point me to them) on
configuration for this amount of traffic?

Environment is:
DELL PowerEdge R720 - 32 GB DELL RAM, GB Memory: 32
Single Socket Six Core Intel Xeon E5-2640 2.5GHz, #Processors: 1, #Cores
per Proc: 6
RHEL 6

TIA,
Alec


Re: WebDav Configuration Question

2011-03-13 Thread Mark Thomas
On 12/03/2011 22:07, Scott Dudley wrote:
> 
> I'm running Tomcat 6.0.24 on Ubuntu 10.04.2 LTS.

Best if you upgrade to 6.0.32 / 7.0.11. There have been lots of fixes
since then.

> I'm trying to
> configure WebDav and limit access to a single folder, a subdirectory of
> my application's www folder... i.e. www/myapp/subdir.  I want to limit
> access only to subdir and disable the client's ability to create any new
> directories.  I've perused all config info that I found but was unclear
> on either point.

You prevent creation of directories by securing the MKCOL http method.
You should review the http methods to see if you wish to limit any others.

The WebDAV servlet is designed to provide access to the entire context
at whatever path you map it to. For example, if you map it to
/webdavedit/* content you view via
http://host:port/contextpath/content.html is editable via
http://host:port/contextpath/webdavedit/content.html

To get the behaviour you want, you should map the webdav servlet to /*
in a separate sub-context.

Mark
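
A check for the advice above, as an added example (not code from the thread or from Tomcat): a Python script that reads a web.xml and reports how each WebDAV write method is covered by its security-constraint elements. The embedded descriptor is constructed for illustration (WebDAV servlet mapped to /* in its own sub-context, MKCOL denied through an empty auth-constraint, constraint names hypothetical), and URL patterns are compared as exact strings, which is a simplification of the servlet container's matching.

```python
import xml.etree.ElementTree as ET

# Methods handled by the WebDAV servlet that change server-side state.
WRITE_METHODS = ("PUT", "DELETE", "MKCOL", "COPY", "MOVE",
                 "LOCK", "UNLOCK", "PROPPATCH")

# Constructed sample: web.xml of a separate sub-context that contains only
# the shared folder, with the WebDAV servlet mapped to /*.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <!-- Empty auth-constraint: no role may use MKCOL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No new directories</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>MKCOL</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <!-- No http-method listed: the constraint covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebDav Login Resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _name(elem):
    """Element name without its XML namespace ('{ns}name' -> 'name')."""
    return elem.tag.rsplit("}", 1)[-1] if isinstance(elem.tag, str) else ""


def _children(elem, name):
    return [c for c in elem if _name(c) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def audit_webdav_methods(web_xml, url_pattern):
    """Map each write method to 'denied', 'open' or 'roles:<names>'."""
    denied, unauthenticated, roles = set(), set(), {}
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        auth = _children(sc, "auth-constraint")
        role_names = _texts(auth[0], "role-name") if auth else []
        for wrc in _children(sc, "web-resource-collection"):
            if url_pattern not in _texts(wrc, "url-pattern"):
                continue
            # No <http-method> listed means the constraint covers all methods.
            listed = [m.upper() for m in _texts(wrc, "http-method")]
            for method in listed or WRITE_METHODS:
                if not auth:
                    unauthenticated.add(method)   # no auth-constraint at all
                elif not role_names:
                    denied.add(method)            # empty auth-constraint
                else:
                    roles.setdefault(method, set()).update(role_names)
    report = {}
    for method in WRITE_METHODS:
        if method in denied:                      # empty constraint overrides
            report[method] = "denied"
        elif method in unauthenticated or method not in roles:
            report[method] = "open"
        else:
            report[method] = "roles:" + ",".join(sorted(roles[method]))
    return report


if __name__ == "__main__":
    for method, status in audit_webdav_methods(SAMPLE_WEB_XML, "/*").items():
        print(f"{method:10} {status}")
```

Any method reported as "roles:tomcat" is still available to every user in that role, which is the list to review when deciding whether other methods besides MKCOL should be limited.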




WebDav Configuration Question

2011-03-12 Thread Scott Dudley


I'm running Tomcat 6.0.24 on Ubuntu 10.04.2 LTS.  I'm trying to 
configure WebDav and limit access to a single folder, a subdirectory of 
my application's www folder... i.e. www/myapp/subdir.  I want to limit
access only to subdir and disable the client's ability to create any new
directories.  I've perused all config info that I found but was unclear 
on either point.


I've added the following to the application's web.xml and WebDav works
however, the client "can" create new directories and they're currently 
landing in my www/myapp folder (where all html, jsp, js, etc. files are 
located).


Any assistance/direction appreciated.


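<servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>webdav</servlet-name>
  <url-pattern>/webdav/*</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>WebDav Login Resources</web-resource-name>
    <url-pattern>/webdav/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>

<security-role>
  <role-name>tomcat</role-name>
</security-role>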


--
Scott Dudley
Senior Developer

Telesoft Corp. | 1661 E. Camelback Rd., Suite 300 | Phoenix, AZ, 85016

o: (602) 308-1115 | f: (602) 308-1300 | w: www.telesoft.com





IIS ->Tomcat Configuration Question

2010-04-21 Thread Frank Zappa
Hello,

Our group is using IIS as a gateway server to Tomcat. 
(Unfortunately Apache can't be used for this project) 

Our system uses smart cards, so a PKI certificate is passed from the browser to
the gateway server. Does anyone know how to configure IIS to pass the 
user's certificate through IIS to Tomcat?

Thank you kindly!

Hans


  

Re: SSL Configuration Question

2009-11-15 Thread Christopher Schultz

Liav,

On 11/14/2009 4:32 AM, Liav Ezer wrote:
> The section about importing a certificate issued by a CA begins with:
> 
> Download a Chain Certificate from the Certificate Authority you obtained the
> Certificate from.

[snip]
> What is a Chain Certificate? What do i do with it? What product does it
> produce (which file type)?

A "chain certificate" is a certificate that goes into a chain of
certificates that all trust each other. If "a -> b" means "a trusts b",
then you have something like this (VeriSign is only used as an example):

Tomcat -> VeriSign master cert
VeriSign master cert -> VeriSign signing certs
VeriSign signing cert -> VeriSign's XYZ signing cert
VeriSign's XYZ cert -> your cert

Often, Tomcat only trusts the "master cert" of any given certificate
authority (CA), and so you have to provide the entire "chain of trust"
by importing not only /your/ certificate, but also the two certs (in my
example) that are in the chain of trust between yours and the master cert.

> Also, I might need to skip this stage since I already have a certificate at
> hand (.cer) as Christopher implied in the previous thread.

Your earlier message didn't say that you had anyone else's certificates.
The process is easy:

1. Import your own certificate into the keystore file you want to use
2. Import any other chain certs into the keystore file you want to use
3. Point Tomcat at that keystore file

> Anyway - I'm stuck with 4 different files which apparently look like a
> finalized & ready to launch certificate but I don't know how to configure
> the connector attributes in order to support it.

Once you have the keystore file ready with all your stuff, just set
keystoreFile="/path/to/your/keystore/file" and
keystorePass="password-to-keystore-file" and you should be good to go.

- -chris



RE: SSL Configuration Question

2009-11-14 Thread Liav Ezer

Hi Charles,

The reason I'm looking in the forum is because the tutorial wasn't clear to
me.

The section about importing a certificate issued by a CA begins with:

Download a Chain Certificate from the Certificate Authority you obtained the
Certificate from.
For Verisign.com commercial certificates go to:
http://www.verisign.com/support/install/intermediate.html
For Verisign.com trial certificates go to:
http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
For Trustcenter.de go to:
http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
Import the Chain Certificate into your keystore 

What is a Chain Certificate? What do I do with it? What product does it
produce (which file type)?

Also, I might need to skip this stage since I already have a certificate at
hand (.cer) as Christopher implied in the previous thread.

Anyway - I'm stuck with 4 different files which apparently look like a
finalized & ready to launch certificate but I don't know how to configure
the connector attributes in order to support it.

Thanks.

Caldarale, Charles R wrote:
> 
>> From: Liav Ezer [mailto:liav.e...@gmail.com]
>> Subject: Re: SSL Configuration Question
>> 
>> So my only wish is to know what to write in those two attributes:
>> keystoreFile - Which of the 4 files i have do i need to point to (my
>> guess is the xxx.domainname.com.key )?
>> keystorePass - What do i write in this attribute? When i issue my own
>> certificate (using keytool) it was the password i used creating the
>> certificate itself.
> 
> Have you read the Tomcat doc, in particular the "Configuration" and
> "Installing a Certificate from a Certificate Authority" sections?
> 
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
> 
>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> 
> 
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/SSL-Configuration-Question-tp26338693p26348488.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: SSL Configuration Question

2009-11-13 Thread Bill Barker

"Christopher Schultz"  wrote in message 
news:4afdb50c.70...@christopherschultz.net...
>
> Liav,
>
> On 11/13/2009 10:48 AM, Liav Ezer wrote:
>> I need help configuring my http connector to be a secure one via SSL.
>
> Are you expecting to use tcnative in order to use an "APR" connector, or
> do you want to use the plain-old Java HTTP connector? If you don't know
> what I'm talking about, you want the Java one. It's important to
> differentiate because the configurations are done differently.
>
>> I have the purchased certificate's (from a CA which i don't know who is)
>> products in 4 different files:
>>
>> xxx.domainname.com.cer   -> I don't know what is this file..
>
> Neither do I. Look at the date stamps to see if it's relevant.
>
>> xxx.domainname.com.key   -> I believe this is the encrypted key for the
>> certificate
>
> Hopefully, you created this file yourself and haven't given it to
> anyone. It should be a /private/ RSA key.
>
>> xxx.domainname.com.csr   -> I believe this is the request
>
> .csr files are typically "certificate request" files, so yes, that seems
> reasonable.
>
>> xxx.domainname.com.crt   -> I believe this is the actual certificate issued
>> by the CA
>
> Generally, .crt files are the actual certificates. They are usually
> encrypted with a passphrase and can be unlocked using the .key file above.
>

Urm, usually the .crt files are not encrypted (since they are sent to 
anybody that asks for them by the web server).  They are usually base64 
encoded (since the actual data is binary).

>> 1. What should i write at the keystoreFile? - Which of the 4 files i have 
>> do
>> i need to point to?
>> 2. What do i write in the keystorePass attribute?
>
> That depends on whether you are using APR or not. See above.
>
>> 3. What should i do with the rest of those 4 files?
>
> xxx.domainname.com.key - keep this in a safe place, preferably /not/ on
> your production server.
>
> xxx.domainname.com.csr - You can probably discard this file, but it
> might be worth keeping around alongside your .key file.
>
> xxx.domainname.com.cer - It depends on what this file is. It might even
> be a certificate file that has no password (which would be useful if you
> were using Apache httpd, but you didn't mention that so I suspect it's
> not useful to have such a certificate laying around).
>
> - -chris



RE: SSL Configuration Question

2009-11-13 Thread Caldarale, Charles R
> From: Liav Ezer [mailto:liav.e...@gmail.com]
> Subject: Re: SSL Configuration Question
> 
> So my only wish is to know what to write in those two attributes:
> keystoreFile - Which of the 4 files i have do i need to point to (my
> guess is the xxx.domainname.com.key )?
> keystorePass - What do i write in this attribute? When i issue my own
> certificate (using keytool) it was the password i used creating the
> certificate itself.

Have you read the Tomcat doc, in particular the "Configuration" and "Installing 
a Certificate from a Certificate Authority" sections?

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

 - Chuck





Re: SSL Configuration Question

2009-11-13 Thread Liav Ezer

Hi Christopher,

Thanks for your elaborated reply.

Regarding your first question: 

No, I don't use the APR connector (port #443 I assume) & the tomcat-native
jar. I do use the plain old HTTP connector in server.xml.

So my only wish is to know what to write in those two attributes:
keystoreFile - Which of the 4 files I have do I need to point to (my guess
is the xxx.domainname.com.key )?
keystorePass - What do I write in this attribute? When I issue my own
certificate (using keytool) it was the password I used creating the
certificate itself.

I googled this & came across many sites. All explained the steps to initiate
a request & import the certificate, BUT I think that I'm over those steps
due to the fact that I have the .cer file at hand & all that is rest to do
is to configure the connector.

Thanks.


Christopher Schultz-2 wrote:
> 
> 
> Liav,
> 
> On 11/13/2009 10:48 AM, Liav Ezer wrote:
>> I need help configuring my http connector to be a secure one via SSL.
> 
> Are you expecting to use tcnative in order to use an "APR" connector, or
> do you want to use the plain-old Java HTTP connector? If you don't know
> what I'm talking about, you want the Java one. It's important to
> differentiate because the configurations are done differently.
> 
>> I have the purchased certificate's (from a CA which i don't know who is)
>> products in 4 different files:
>> 
>> xxx.domainname.com.cer   -> I don't know what is this file..
> 
> Neither do I. Look at the date stamps to see if it's relevant.
> 
>> xxx.domainname.com.key   -> I believe this is the encrypted key for the
>> certificate 
> 
> Hopefully, you created this file yourself and haven't given it to
> anyone. It should be a /private/ RSA key.
> 
>> xxx.domainname.com.csr   -> I believe this is the request
> 
> .csr files are typically "certificate request" files, so yes, that seems
> reasonable.
> 
>> xxx.domainname.com.crt   -> I believe this is the actual certificate issued
>> by the CA
> 
> Generally, .crt files are the actual certificates. They are usually
> encrypted with a passphrase and can be unlocked using the .key file above.
> 
>> 1. What should i write at the keystoreFile? - Which of the 4 files i have
>> do
>> i need to point to?
>> 2. What do i write in the keystorePass attribute?
> 
> That depends on whether you are using APR or not. See above.
> 
>> 3. What should i do with the rest of those 4 files?
> 
> xxx.domainname.com.key - keep this in a safe place, preferably /not/ on
> your production server.
> 
> xxx.domainname.com.csr - You can probably discard this file, but it
> might be worth keeping around alongside your .key file.
> 
> xxx.domainname.com.cer - It depends on what this file is. It might even
> be a certificate file that has no password (which would be useful if you
> were using Apache httpd, but you didn't mention that so I suspect it's
> not useful to have such a certificate laying around).
> 
> - -chris
> 
> 
> 

-- 
View this message in context: 
http://old.nabble.com/SSL-Configuration-Question-tp26338693p26343682.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: SSL Configuration Question

2009-11-13 Thread Christopher Schultz

Liav,

On 11/13/2009 10:48 AM, Liav Ezer wrote:
> I need help configuring my http connector to be a secure one via SSL.

Are you expecting to use tcnative in order to use an "APR" connector, or
do you want to use the plain-old Java HTTP connector? If you don't know
what I'm talking about, you want the Java one. It's important to
differentiate because the configurations are done differently.

> I have the purchased certificate's (from a CA which i don't know who is)
> products in 4 different files:
> 
> xxx.domainname.com.cer   -> I don't know what is this file..

Neither do I. Look at the date stamps to see if it's relevant.

> xxx.domainname.com.key   -> I believe this is the encrypted key for the
> certificate 

Hopefully, you created this file yourself and haven't given it to
anyone. It should be a /private/ RSA key.

> xxx.domainname.com.csr   -> I believe this is the request

.csr files are typically "certificate request" files, so yes, that seems
reasonable.

> xxx.domainname.com.crt   -> I believe this is the actual certificate issued
> by the CA

Generally, .crt files are the actual certificates. They are usually
encrypted with a passphrase and can be unlocked using the .key file above.

> 1. What should i write at the keystoreFile? - Which of the 4 files i have do
> i need to point to?
> 2. What do i write in the keystorePass attribute?

That depends on whether you are using APR or not. See above.

> 3. What should i do with the rest of those 4 files?

xxx.domainname.com.key - keep this in a safe place, preferably /not/ on
your production server.

xxx.domainname.com.csr - You can probably discard this file, but it
might be worth keeping around alongside your .key file.

xxx.domainname.com.cer - It depends on what this file is. It might even
be a certificate file that has no password (which would be useful if you
were using Apache httpd, but you didn't mention that so I suspect it's
not useful to have such a certificate laying around).

- -chris
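
One way to answer "what is this file?" for the four files discussed in this thread, as an added example (not code from any of the posters): a Python script that identifies each file by its PEM label instead of its extension, flags passphrase-protected keys, and counts certificates so that a chain bundle is recognisable. The file contents are constructed placeholders, not real certificates or keys, and chain.pem is a hypothetical fifth file.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# PEM label -> what the block holds.
LABEL_KIND = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "certificate request",
    "NEW CERTIFICATE REQUEST": "certificate request",
    "RSA PRIVATE KEY": "private key",
    "PRIVATE KEY": "private key",
    "ENCRYPTED PRIVATE KEY": "private key",
}


def classify(data):
    """Return one (kind, encrypted) tuple per object found in the file."""
    found = []
    for label, body in PEM_BLOCK.findall(data.decode("latin-1")):
        kind = LABEL_KIND.get(label, "unknown PEM object: " + label)
        # Legacy OpenSSL key encryption is announced by a header inside the
        # block; PKCS#8 encrypted keys carry their own label instead.
        encrypted = ("Proc-Type: 4,ENCRYPTED" in body
                     or label == "ENCRYPTED PRIVATE KEY")
        found.append((kind, encrypted))
    if found:
        return found
    # No PEM armour: a DER object starts with an ASN.1 SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return [("binary DER object", False)]
    return [("unrecognised", False)]


def summarize(data):
    """One-line description of a file's contents."""
    objects = classify(data)
    kinds = [kind for kind, _ in objects]
    if all(kind == "certificate" for kind in kinds):
        if len(kinds) == 1:
            return "certificate"
        return "certificate chain (%d certificates)" % len(kinds)
    return " + ".join(kind + (" (passphrase-protected)" if enc else "")
                      for kind, enc in objects)


# --- Constructed sample input: placeholder bytes, not real key material ---
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(44)


def _pem(label, headers=""):
    body = base64.encodebytes(_FAKE_DER).decode("ascii")
    text = f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"
    return text.encode("ascii")


SAMPLE_FILES = {
    "xxx.domainname.com.cer": _FAKE_DER,
    "xxx.domainname.com.key": _pem(
        "RSA PRIVATE KEY",
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"),
    "xxx.domainname.com.csr": _pem("CERTIFICATE REQUEST"),
    "xxx.domainname.com.crt": _pem("CERTIFICATE"),
    "chain.pem": _pem("CERTIFICATE") + _pem("CERTIFICATE"),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:26} {summarize(data)}")
```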



SSL Configuration Question

2009-11-13 Thread Liav Ezer

Hi,

I need help configuring my http connector to be a secure one via SSL.

I have the purchased certificate's (from a CA which I don't know who is)
products in 4 different files:

xxx.domainname.com.cer   -> I don't know what is this file..
xxx.domainname.com.key   -> I believe this is the encrypted key for the
certificate 
xxx.domainname.com.csr   -> I believe this is the request
xxx.domainname.com.crt   -> I believe this is the actual certificate issued
by the CA

Basically my question is:
In server.xml I open the SSL connector at port 8443 as below:

1. What should I write at the keystoreFile? - Which of the 4 files I have do
I need to point to?
2. What do I write in the keystorePass attribute?
3. What should I do with the rest of those 4 files?



Thanks a lot!
-- 
View this message in context: 
http://old.nabble.com/SSL-Configuration-Question-tp26338693p26338693.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Tomcat configuration question

2008-05-13 Thread Mark Thomas

Neil B. Cohen wrote:

Hi,

I changed the server.xml file and changed the various ports from 8005 -> 
9005, 8080->9090 etc.
When I start Tomcat (using startup.sh) I get the following in the 
catalina.out file:



May 13, 2008 7:36:59 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_02/jre/lib/i386/server:/usr/java/jdk1.6.0_02/jre/lib/i386:/usr/java/jdk1.6.0_02/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
May 13, 2008 7:36:59 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9292
May 13, 2008 7:36:59 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9090
May 13, 2008 7:36:59 AM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.FileNotFoundException: /home/ncohen/.keystore (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
etc. etc. etc.
===

It looks like it is looking for a security certificate - but this 
doesn't happen when I start the same Tomcat software on my desktop 
(testing) machine. Can someone give me a hint as to what it is looking 
for, why it is looking for it, and what I need to do to get the system 
running? Later in the log file, it seems that my .war file gets unpacked 
and started correctly, but I can't connect to it at port 9090 - it just 
hangs there forever


Looks like you have configured one of your connectors to be secure. If you 
post the connector elements from your server.xml, someone should be able to 
help.


Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat configuration question

2008-05-13 Thread Neil B. Cohen

Hi,

I changed the server.xml file and changed the various ports from 8005 -> 
9005, 8080->9090 etc.
When I start Tomcat (using startup.sh) I get the following in the 
catalina.out file:



May 13, 2008 7:36:59 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_02/jre/lib/i386/server:/usr/java/jdk1.6.0_02/jre/lib/i386:/usr/java/jdk1.6.0_02/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
May 13, 2008 7:36:59 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9292
May 13, 2008 7:36:59 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9090
May 13, 2008 7:36:59 AM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.FileNotFoundException: /home/ncohen/.keystore (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
etc. etc. etc.
===

It looks like it is looking for a security certificate - but this 
doesn't happen when I start the same Tomcat software on my desktop 
(testing) machine. Can someone give me a hint as to what it is looking 
for, why it is looking for it, and what I need to do to get the system 
running? Later in the log file, it seems that my .war file gets unpacked 
and started correctly, but I can't connect to it at port 9090 - it just 
hangs there forever


Thanks,

nbc


Mark Thomas wrote:

Neil B. Cohen wrote:
I have written a web app that I want to install on the same machine, 
but for various reasons (commercial, political, version-related) I 
need to run it on a new (and different) instance of Tomcat.
I can install the latest Tomcat in a directory where it does not 
conflict with the existing s/w. I know I have to edit the server.xml 
file and change the shutdown port (8005) and the default connection 
port (8080). I will probably change the secure connection port (8443) 
as well, although I won't be using that one at the moment.


My question is - is that sufficient to allow me to run both instances 
of Tomcat on the same machine without conflict? Are there other lines 
in the server.xml file that need to be changed? Are there other 
config files I need to look at?


That should be sufficient. The only other thing to be aware of is if 
any relevant environment variables are set for the old install that 
may impact the new one.


Mark





Re: Tomcat configuration question

2008-05-12 Thread Neil B. Cohen

Mark Thomas wrote:

Neil B. Cohen wrote:
I have written a web app that I want to install on the same machine, 
but for various reasons (commercial, political, version-related) I 
need to run it on a new (and different) instance of Tomcat.
I can install the latest Tomcat in a directory where it does not 
conflict with the existing s/w. I know I have to edit the server.xml 
file and change the shutdown port (8005) and the default connection 
port (8080). I will probably change the secure connection port (8443) 
as well, although I won't be using that one at the moment.


My question is - is that sufficient to allow me to run both instances 
of Tomcat on the same machine without conflict? Are there other lines 
in the server.xml file that need to be changed? Are there other 
config files I need to look at?


That should be sufficient. The only other thing to be aware of is if 
any relevant environment variables are set for the old install that 
may impact the new one.
No overlapping env variables either - the two instances will be run by 
different users in completely separate filesystems...


thanks!

nbc


Mark





Re: Tomcat configuration question

2008-05-12 Thread Mark Thomas

Neil B. Cohen wrote:
I have written a web app that I want to install on the same machine, but 
for various reasons (commercial, political, version-related) I need to 
run it on a new (and different) instance of Tomcat.
I can install the latest Tomcat in a directory where it does not 
conflict with the existing s/w. I know I have to edit the server.xml 
file and change the shutdown port (8005) and the default connection port 
(8080). I will probably change the secure connection port (8443) as 
well, although I won't be using that one at the moment.


My question is - is that sufficient to allow me to run both instances of 
Tomcat on the same machine without conflict? Are there other lines in 
the server.xml file that need to be changed? Are there other config 
files I need to look at?


That should be sufficient. The only other thing to be aware of is if any 
relevant environment variables are set for the old install that may impact 
the new one.


Mark





Re: Tomcat configuration question

2008-05-12 Thread Neil B. Cohen

Caldarale, Charles R wrote:

From: Neil B. Cohen [mailto:[EMAIL PROTECTED]
Subject: Tomcat configuration question

I know I have to edit the server.xml file and change
the shutdown port (8005) and the default connection
port (8080). I will probably change the secure connection
port (8443) as well



Yes, that should be sufficient, as long as the other directories of
interest (logs, work, temp,  appBase, etc.) do not overlap with
the prior Tomcat instance.  As long as you leave them at the defaults,
they go under the Tomcat installation directory, so they shouldn't need
attention.
  


That is correct - there is no overlap on any of the other files. Thanks 
for the confirmation...


nbc


 - Chuck





RE: Tomcat configuration question

2008-05-12 Thread Caldarale, Charles R
> From: Neil B. Cohen [mailto:[EMAIL PROTECTED] 
> Subject: Tomcat configuration question
> 
> I know I have to edit the server.xml file and change 
> the shutdown port (8005) and the default connection 
> port (8080). I will probably change the secure connection
> port (8443) as well

Yes, that should be sufficient, as long as the other directories of
interest (logs, work, temp,  appBase, etc.) do not overlap with
the prior Tomcat instance.  As long as you leave them at the defaults,
they go under the Tomcat installation directory, so they shouldn't need
attention.

 - Chuck





Tomcat configuration question

2008-05-12 Thread Neil B. Cohen

Hi,

I am running a commercial program which has a (n older) version of 
tomcat embedded in it. The target machines are running AIX or Linux 
(RHEL4, usually).


I have written a web app that I want to install on the same machine, but 
for various reasons (commercial, political, version-related) I need to 
run it on a new (and different) instance of Tomcat.
I can install the latest Tomcat in a directory where it does not 
conflict with the existing s/w. I know I have to edit the server.xml 
file and change the shutdown port (8005) and the default connection port 
(8080). I will probably change the secure connection port (8443) as 
well, although I won't be using that one at the moment.


My question is - is that sufficient to allow me to run both instances of 
Tomcat on the same machine without conflict? Are there other lines in 
the server.xml file that need to be changed? Are there other config 
files I need to look at?


My application is quite simple and my testing has been done on a machine 
where I simply installed the latest Tomcat tar file (6.0.16) and started 
it running, so I don't need any fancy configuration for my application.


Thanks very much,

nbc





Re: Tomcat 5.5 Configuration Question

2006-08-01 Thread Christopher Schultz
James,

I think you can't use auto-deploy for this: you need to do this:





Tomcat 5.5 Configuration Question

2006-08-01 Thread James Howe
I'm trying to set up Tomcat 5.5 to run an internally developed web  
application.  The machine on which Tomcat is installed will only ever run  
this one application.  I would like to install the application in such a  
way that when a URL such as:


http://localhost:8080/

is entered, the user will be running my web application.  Right now the  
'default' application brings me to the Tomcat page which has items on it  
which allow me to manage the server.  I would like this application to be  
located somewhere other than as the root application.  Also, I realize  
that I could rename my .war file to be ROOT.war and it would likely expand  
into ROOT and become the default application, but I want the application  
to be stored in appname.war.


I've been running this application with Resin and in Resin I can configure  
the root application in the resin.conf configuration file.  I've looked at  
the various Tomcat configuration files and I can't figure out how, where  
or if there is a way to do this.  Any tips on how I might go about doing  
this would be greatly appreciated.


Thanks!

--
James Howe




RE: DataSourceRealm Configuration Question (5.5.15)

2006-03-03 Thread James Reynolds
Thanks to all! 

-Original Message-
From: Parsons Technical Services [mailto:[EMAIL PROTECTED]

Sent: Thursday, March 02, 2006 7:49 PM
To: Tomcat Users List
Subject: Re: DataSourceRealm Configuration Question (5.5.15)

As others have noted, both. The difference is that "in the context"
will limit to just that app being able to access it and "in the server"
is global so that all apps can access it.

Doug


- Original Message -
From: "James Reynolds" <[EMAIL PROTECTED]>
To: "Tomcat Users List" 
Sent: Thursday, March 02, 2006 5:44 PM
Subject: DataSourceRealm Configuration Question (5.5.15)



Can a JNDI DataSourceRealm be defined in my web app's context.xml file,
or must it be in the container's server.xml file?

Thanks





Re: DataSourceRealm Configuration Question (5.5.15)

2006-03-02 Thread Parsons Technical Services
As others have noted, both. The difference is that "in the context" will
limit to just that app being able to access it and "in the server" is global
so that all apps can access it.


Doug


- Original Message - 
From: "James Reynolds" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Thursday, March 02, 2006 5:44 PM
Subject: DataSourceRealm Configuration Question (5.5.15)



Can a JNDI DataSourceRealm be defined in my web app's context.xml file,
or must it be in the container's server.xml file?

Thanks





RE: DataSourceRealm Configuration Question (5.5.15)

2006-03-02 Thread Tim Lucia
It can be either.  The recommended way, 5.0 and later, is in the war's
context.xml.  If you have a global resource, that is defined in server.xml,
and referenced from each context wishing to make use of it.

Tim


-Original Message-
From: Alex Jalali [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 02, 2006 5:39 PM
To: Tomcat Users List
Subject: Re: DataSourceRealm Configuration Question (5.5.15)

It can be in the context. I have mine within the 
> Can a JNDI DataSourceRealm be defined in my web app's context.xml file,
> or must it be in the container's server.xml file?
>
> Thanks



Re: DataSourceRealm Configuration Question (5.5.15)

2006-03-02 Thread Alex Jalali
It can be in the context. I have mine within the 
> Can a JNDI DataSourceRealm be defined in my web app's context.xml file,
> or must it be in the container's server.xml file?
>
> Thanks



DataSourceRealm Configuration Question (5.5.15)

2006-03-02 Thread James Reynolds

Can a JNDI DataSourceRealm be defined in my web app's context.xml file,
or must it be in the container's server.xml file?

Thanks





Re: Is this achievable with TC? - A domain-subdomain configuration question

2006-02-08 Thread Parsons Technical Services
Yes, it is achievable. But may not be worth it. Only you can decide that.
Take a look at the Host element. There is a feature called alias that allows
you to point all subdomains to the same application. From there it is up to
you to parse out the information to determine the appropriate response.



- Original Message - 
From: "Edouard Dalla-Costa" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Wednesday, February 08, 2006 4:26 AM
Subject: Re: Is this achievable with TC? - A domain-subdomain configuration 
question



Hello,

I was wondering if you were able to solve your problem because I also need
to handle several virtual hosts with a single application using tomcat
without apache. And I can't find any solution.
Hope you can help me, thanks in advance

Edouard



On 1/2/06, Wei Wei <[EMAIL PROTECTED]> wrote:


I am working on starting a new project: an application for various
locations (think of a chain store). The business logic is the same for all
locations while the data can vary for one location to another. I would like
to have the following domain structure:

www.mydomain.com -  a user can select one location on the home page
location1.mydomain.com - all user interaction data only applied to this
location
location2.mydomain.com - ...

I have done some research on this topic at the TC site and haven't found
any direct information. The virtual host configuration is only applied for
multiple applications, but not for multiple subdomain with a single
application.

Thanks for any inputs in advance.

w.
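
Once Host aliases send every subdomain to the same application, as the reply at the top of this message suggests, the application has to work out the location from the host name itself. The following is an added example, not code from this thread: the class name and the list of known locations are assumptions, and the base domain is the one used in the question.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper; class name and allowlist contents are assumptions.
public class LocationResolver {
    private static final String BASE_DOMAIN = ".mydomain.com";
    // Constructed sample allowlist of locations the application serves.
    private static final Set<String> LOCATIONS =
            new HashSet<String>(Arrays.asList("location1", "location2"));

    /**
     * Maps the value of HttpServletRequest.getServerName() to a location key.
     * Returns "www" for the chooser page, a known location name, or null
     * when the host is not one the application serves.
     */
    public static String resolve(String serverName) {
        if (serverName == null) {
            return null;
        }
        String host = serverName.trim().toLowerCase(Locale.ENGLISH);
        if (host.endsWith(".")) {          // tolerate a trailing root dot
            host = host.substring(0, host.length() - 1);
        }
        if (!host.endsWith(BASE_DOMAIN)) {
            return null;                   // suffix is not the base domain
        }
        String label = host.substring(0, host.length() - BASE_DOMAIN.length());
        if (label.length() == 0 || label.indexOf('.') >= 0) {
            return null;                   // empty or nested label
        }
        if ("www".equals(label) || LOCATIONS.contains(label)) {
            return label;
        }
        return null;                       // well-formed but unknown location
    }

    public static void main(String[] args) {
        // Constructed inputs: two valid hosts, then three that must be rejected.
        String[] samples = { "location1.mydomain.com", "WWW.MyDomain.com",
                "a.location1.mydomain.com", "location9.mydomain.com",
                "location1.mydomain.com.example.net" };
        for (int i = 0; i < samples.length; i++) {
            System.out.println(samples[i] + " -> " + resolve(samples[i]));
        }
    }
}
```

The server name comes from the client's Host header, so a null result should end the request with an error response rather than fall back to a default location.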










Re: Is this achievable with TC? - A domain-subdomain configuration question

2006-02-08 Thread Edouard Dalla-Costa
Hello,

I was wondering if you were able to solve your problem because I also need
to handle several virtual hosts with a single application using tomcat
without apache. And I can't find any solution.
Hope you can help me, thanks in advance

Edouard



On 1/2/06, Wei Wei <[EMAIL PROTECTED]> wrote:
>
> I am working on starting a new project: an application for various
> locations (think of a chain store). The business logic is the same for all
> locations while the data can vary for one location to another. I would like
> to have the following domain structure:
>
> www.mydomain.com -  a user can select one location on the home page
> location1.mydomain.com - all user interaction data only applied to this
> location
> location2.mydomain.com - ...
>
> I have done some research on this topic at the TC site and haven't found
> any direct information. The virtual host configuration is only applied for
> multiple applications, but not for multiple subdomain with a single
> application.
>
> Thanks for any inputs in advance.
>
> w.
>


Re: Configuration Question

2006-01-04 Thread Hassan Schroeder
Scott Purcell wrote:

> So when a user hits my site like so: http://www.xxx.com
> it calls the site and all is good. But here is my problem. On some
> search engines for whatever reason, the url shows this:
> http://xxx.com leaving out the www. It still brings open the site,
> but there is a problem. My site runs all https, and when I registered
> my ssl certificate, it is under the http://www.xxx.com. And when the
> user hits the site without the 'www' it brings up an invalid
> certificate. It shows the lock, but it says it is not certified by
> verisign.
> 
> Any ideas why this is occurring, and any ideas to redirect the bad url
> to the good one?

My configuration is the opposite -- the cert is for "example.com",
not "www.example.com". But I use a Filter to redirect any requests
for the "wrong" address to the preferred one.

HTH!
-- 
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.






Re: Configuration Question

2006-01-04 Thread David Delbecq
On Wednesday 4 January 2006 15:10, Scott Purcell wrote:
> I am running Tomcat 5.5x on a Win2000 box.
> 
> I purchased a DNS name, and I have that configurated in the server.xml. So
> when a user hits my site like so: http://www.xxx.com it calls the site and
> all is good. But here is my problem. On some search engines for whatever
> reason, the url shows this: http://xxx.com leaving out the www. It still
> brings open the site, but there is a problem. My site runs all https, and
> when I registered my ssl certificate, it is under the http://www.xxx.com. And
> when the user hits the site without the 'www' it brings up an invalid
> certificate. It shows the lock, but it says it is not certified by verisign.
> 
> Any ideas why this is occurring, and any ideas to redirect the bad url to the
> good one?
> 
Adult sites run on tomcat now? :p

It is possible the search bots were misled by some header found in your
response. Is your tomcat service configured for www.xxx.com host or simply for
any host (in which case it might add a content-location of xxx.com in response
as it is tomcat's computer hostname)?

Go to http://www.xxx.com/admin/, fill in username/password of admin and modify
the default host to respond only to alias www.xxx.com

Of course, requests in the form http(s)://xxx.com will not be responded to
anymore. You could also, on a temporary basis, put a second Host entry for
alias xxx.com which will send a 'moved permanently' response.


> Many thanks,
> 
> 
> 

-- 
David Delbecq
Royal Meteorological Institute of Belgium

-
Penguins in the fields, harsh winter




Configuration Question

2006-01-04 Thread Scott Purcell
I am running Tomcat 5.5x on a Win2000 box.

I purchased a DNS name, and I have that configurated in the server.xml. So when
a user hits my site like so: http://www.xxx.com it calls the site and all is
good. But here is my problem. On some search engines for whatever reason, the
url shows this: http://xxx.com leaving out the www. It still brings open the
site, but there is a problem. My site runs all https, and when I registered my
ssl certificate, it is under the http://www.xxx.com. And when the user hits the
site without the 'www' it brings up an invalid certificate. It shows the lock,
but it says it is not certified by verisign.

Any ideas why this is occurring, and any ideas to redirect the bad url to the
good one?

Many thanks,






Is this achievable with TC? - A domain-subdomain configuration question

2006-01-02 Thread Wei Wei
I am working on starting a new project: an application for various locations 
(think of a chain store). The business logic is the same for all locations 
while the data can vary for one location to another. I would like to have the 
following domain structure: 

www.mydomain.com -  a user can select one location on the home page
location1.mydomain.com - all user interaction data only applied to this location
location2.mydomain.com - ...

I have done some research on this topic at the TC site and haven't found any
direct information. The virtual host configuration is only applied for multiple
applications, but not for multiple subdomain with a single application.

Thanks for any inputs in advance.

w.   
