Re: Test valve with tomcat-embed 9?

[Mark Thomas]

On 08/10/2021 11:43, Me Self wrote:

I would like to test a custom tomcat valve with tomcat-embed and junit. Is
that possible?

Found a few tomcat-embed samples on the web but most seem to only deal with
setting up a webapp - something along the lines:

@BeforeAll
public static void setup() throws LifecycleException {
   Tomcat tomcat = new Tomcat();
   tomcat.setPort(...);
   StandardContext ctx = (StandardContext) tomcat.addWebapp("/", new
File("src/main/webapp/").getAbsolutePath());

What would I need to do to add a valve? And btw. it's a maven project so
the valve is compiled to "target/classes".


https://github.com/apache/tomcat/tree/main/test/org/apache/catalina/valves

Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Test valve with tomcat-embed 9?

[Me Self]

I would like to test a custom tomcat valve with tomcat-embed and junit. Is
that possible?

Found a few tomcat-embed samples on the web but most seem to only deal with
setting up a webapp - something along the lines:

@BeforeAll
public static void setup() throws LifecycleException {
  Tomcat tomcat = new Tomcat();
  tomcat.setPort(...);
  StandardContext ctx = (StandardContext) tomcat.addWebapp("/", new
File("src/main/webapp/").getAbsolutePath());

What would I need to do to add a valve? And btw. it's a maven project so
the valve is compiled to "target/classes".

Re: Tomcat ant test failure

[Mark Thomas]

On 23/03/2020 12:43, Udupa, Ankitha K wrote:
> Hi Mark,
> 
> We have resolved similar errors like
> "sun.security.validator.ValidatorException: PKIX path validation failed: 
> java.security.cert.CertPath
> ValidatorException: timestamp check failed"
> by downloading the certificates from latest tomcat source code 
> (https://github.com/apache/tomcat/tree/7.0.x/test/org/apache/tomcat/util/net).
> 
> Please let me know if there is any other way to resolve this issue without 
> downloading the latest certificate once they are expired.

Set the date on the server running the tests back far enough that the
certificates appear to be valid?

Mark


> 
> Thanks and Regards,
> Ankitha
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Monday, March 23, 2020 3:08 PM
> To: Tomcat Users List 
> Subject: Re: Tomcat ant test failure
> 
> On 23/03/2020 07:18, Udupa, Ankitha K wrote:
>> Hi,
>>
>> We are facing issue while triggering Ant Test with Tomcat 7.0.84
> 
> That version is over two years old and has a number of known security 
> vulnerabilities that are likely to apply to a typical installation.
> 
> The Tomcat community typically provides support on a "first update to the 
> latest release of a supported version (7.0.103 in this instance), then 
> recreate then problem, then we'll try and help" basis. The further you are 
> away from the latest version of a supported release, the less likely you are 
> to receive help.
> 
>> on HP UX IA/PA architecture with Java ( Java 7.0 in IA and Java 6.0 in PA).
>> Please kindly help me to resolve these failures.
> 
> Why? What are you trying to achieve by this?
> 
> Each test will have a dedicated log file. You'll need to provide the log 
> files associated with each failed test if you want us to try and help.
> 
> Best guess is that the async state errors are highlighting edge case bugs 
> that are fixed in a later release and the TLS bugs are probably due to 
> differences in the HP JVMs. No idea about the Comet errors.
> 
> Mark
> 
> 
>> TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
>> TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
>> TEST-org.apache.catalina.connector.TestCoyoteAdapter.BIO.txt:Exception 
>> in thread "testBug54928" java.lang.IllegalStateException: Calling 
>> [asyncComplete()] is not valid for a request with Async state 
>> [MUST_ERROR] 
>> TEST-org.apache.catalina.connector.TestCoyoteAdapter.NIO.txt:Exception 
>> in thread "testBug54928" java.lang.IllegalStateException: Calling 
>> [asyncComplete()] is not valid for a request with Async state 
>> [MUST_ERROR]
>> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an 
>> ERROR
>> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
>> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
>> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
>> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
>> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
>> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:    Caused an ERROR
>> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
>> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.BIO.txt:   
>> Caused an ERROR
>> TEST-org.apache.tomcat.websocket.

RE: Tomcat ant test failure

[Udupa, Ankitha K]

Hi Mark,

We have resolved similar errors like
"sun.security.validator.ValidatorException: PKIX path validation failed: 
java.security.cert.CertPath
ValidatorException: timestamp check failed"
by downloading the certificates from latest tomcat source code 
(https://github.com/apache/tomcat/tree/7.0.x/test/org/apache/tomcat/util/net).

Please let me know if there is any other way to resolve this issue without 
downloading the latest certificate once they are expired.

Thanks and Regards,
Ankitha

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Monday, March 23, 2020 3:08 PM
To: Tomcat Users List 
Subject: Re: Tomcat ant test failure

On 23/03/2020 07:18, Udupa, Ankitha K wrote:
> Hi,
> 
> We are facing issue while triggering Ant Test with Tomcat 7.0.84

That version is over two years old and has a number of known security 
vulnerabilities that are likely to apply to a typical installation.

The Tomcat community typically provides support on a "first update to the 
latest release of a supported version (7.0.103 in this instance), then recreate 
then problem, then we'll try and help" basis. The further you are away from the 
latest version of a supported release, the less likely you are to receive help.

> on HP UX IA/PA architecture with Java ( Java 7.0 in IA and Java 6.0 in PA).
> Please kindly help me to resolve these failures.

Why? What are you trying to achieve by this?

Each test will have a dedicated log file. You'll need to provide the log files 
associated with each failed test if you want us to try and help.

Best guess is that the async state errors are highlighting edge case bugs that 
are fixed in a later release and the TLS bugs are probably due to differences 
in the HP JVMs. No idea about the Comet errors.

Mark


> TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
> TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
> TEST-org.apache.catalina.connector.TestCoyoteAdapter.BIO.txt:Exception 
> in thread "testBug54928" java.lang.IllegalStateException: Calling 
> [asyncComplete()] is not valid for a request with Async state 
> [MUST_ERROR] 
> TEST-org.apache.catalina.connector.TestCoyoteAdapter.NIO.txt:Exception 
> in thread "testBug54928" java.lang.IllegalStateException: Calling 
> [asyncComplete()] is not valid for a request with Async state 
> [MUST_ERROR]
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an 
> ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.BIO.txt:   
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.NIO.txt:   
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.NIO.txt:   
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.BIO.txt:  
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.NIO.txt:  
> Caused an ERROR
> 
> Thanks and Regards,
> Ankitha
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat ant test failure

[Mark Thomas]

On 23/03/2020 07:18, Udupa, Ankitha K wrote:
> Hi,
> 
> We are facing issue while triggering Ant Test with Tomcat 7.0.84

That version is over two years old and has a number of known security
vulnerabilities that are likely to apply to a typical installation.

The Tomcat community typically provides support on a "first update to
the latest release of a supported version (7.0.103 in this instance),
then recreate then problem, then we'll try and help" basis. The further
you are away from the latest version of a supported release, the less
likely you are to receive help.

> on HP UX IA/PA architecture with Java ( Java 7.0 in IA and Java 6.0 in PA).
> Please kindly help me to resolve these failures.

Why? What are you trying to achieve by this?

Each test will have a dedicated log file. You'll need to provide the log
files associated with each failed test if you want us to try and help.

Best guess is that the async state errors are highlighting edge case
bugs that are fixed in a later release and the TLS bugs are probably due
to differences in the HP JVMs. No idea about the Comet errors.

Mark


> TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
> TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
> TEST-org.apache.catalina.connector.TestCoyoteAdapter.BIO.txt:Exception in 
> thread "testBug54928" java.lang.IllegalStateException: Calling 
> [asyncComplete()] is not valid for a request with Async state [MUST_ERROR]
> TEST-org.apache.catalina.connector.TestCoyoteAdapter.NIO.txt:Exception in 
> thread "testBug54928" java.lang.IllegalStateException: Calling 
> [asyncComplete()] is not valid for a request with Async state [MUST_ERROR]
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.BIO.txt:   
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.NIO.txt:   
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.NIO.txt:   
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.BIO.txt:  
> Caused an ERROR
> TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.NIO.txt:  
> Caused an ERROR
> 
> Thanks and Regards,
> Ankitha
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat ant test failure

[Udupa, Ankitha K]

Hi,

We are facing issue while triggering Ant Test with Tomcat 7.0.84 on HP UX IA/PA 
architecture with Java ( Java 7.0 in IA and Java 6.0 in PA).
Please kindly help me to resolve these failures.


TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
TEST-org.apache.catalina.comet.TestCometProcessor.NIO.txt:ERROR:null
TEST-org.apache.catalina.connector.TestCoyoteAdapter.BIO.txt:Exception in 
thread "testBug54928" java.lang.IllegalStateException: Calling 
[asyncComplete()] is not valid for a request with Async state [MUST_ERROR]
TEST-org.apache.catalina.connector.TestCoyoteAdapter.NIO.txt:Exception in 
thread "testBug54928" java.lang.IllegalStateException: Calling 
[asyncComplete()] is not valid for a request with Async state [MUST_ERROR]
TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt: Caused an ERROR
TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an ERROR
TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an ERROR
TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:  Caused an ERROR
TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:  Caused an ERROR
TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Caused an ERROR
TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Caused an ERROR
TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.BIO.txt:   Caused 
an ERROR
TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.NIO.txt:   Caused 
an ERROR
TEST-org.apache.tomcat.websocket.TestWebSocketFrameClientSSL.NIO.txt:   Caused 
an ERROR
TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.BIO.txt:      Caused 
an ERROR
TEST-org.apache.tomcat.websocket.TestWsWebSocketContainer.NIO.txt:  Caused 
an ERROR

Thanks and Regards,
Ankitha

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

Hi,

-Original Message-
From: Mark Thomas 
Sent: Thursday, October 10, 2019 3:54 AM
To: users@tomcat.apache.org
Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

On 09/10/2019 22:58, Rhuberg,Anthony wrote:
> StandardRoot.gc() unconditionally closes the web application jars in Tomcat 
> 9... every 10s by default or configurable by changing 
> backgroundProcessorDelay.
>
> So then the problem is Our web application is calling 
> class.getResourceAsStream() to read some static files... and this is causing 
> the jars to be read again?

It sounds like it.

> This was not a problem with Tomcat 7 because the jars were not closed if they 
> were read within the jarOpenInterval setting?

Or that the frequency that the JARs were closed was low enough that the 
performance impact was not noticed.

Mark


>
> Thanks,
> Tony
>
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, October 09, 2019 5:32 PM
> To: users@tomcat.apache.org
> Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk
> usage because of repeated opening/closing of jars in WEB-INF/lib
>
> On 09/10/2019 21:03, Rhuberg,Anthony wrote:
>> This seems to alleviate the issue... in context.xml (sc-test#sc.xml)
>> > swallowOutput="true" backgroundProcessorDelay="90">
>>
>> Not sure if this is the context reload trigger... i.e. the 
>> webappLoader.backgroundProcess method is triggered every 90 seconds...
>
> It isn't. It is StandardRoot.gc() that is unloading the cached JAR entries.
>
> Mark
>
> -

Here is an update as to the causes of the repeated reloads our web application 
jars. Some of the following may be "bad" practices (at least not optimal), but 
seem to be commonplace. In other cases, the behavior was unexpected and may 
warrant a change to WebResourceRoot to allow the jars to remain open or 
otherwise control that behavior.

Have 2 questions:
1. Could the WebResourceRoot be changed to provide a way to control when the 
jars are closed?
2. Any concerns with any of the solutions below? Has anyone used these in the 
past or currently and found any problems?

1. JAXP related factories
We frequently use DocumentBuilderFactory.newInstance() to obtain an instance of 
the factory implementation and others like TransformerFactory, XPathFactory, 
DatatypeFactory, and SAXParserFactory. This will trigger a jar reload when the 
service loader attempts to find the implementation class. We decided to set the 
applicable system properties to avoid the search and thus eliminate this reason 
for the jar reload. See below for the factories configured; this change reduced 
JVM CPU usage percentage in a load test by 26% (using Tomcat 7, so expect 
similar in Tomcat 9, plus the elimination of the jar reload).

2. SOAP web service endpoints
Each time we invoke a SOAP web service we are creating an instance of 
javax.xml.ws.Service and a client proxy that implements the applicable web 
service contract (Service.getPort). When these objects are created the service 
loader is used to find the implementation for the web service client. We are 
using the Apache CXF client 
(cxf-rt-frontend-jaxws/META-INF/services/javax.xml.ws.spi.Provider). In 
addition, the JAXB bindings are created. These actions occur every time we 
invoke a SOAP web service; this subsequently searches for the implementation 
classes triggering the web application jars to be reloaded.  We decided to 
create the service end-points once and reuse. Creating the objects once and 
reusing avoids the cost of repeatedly creating the instances. The CXF instances 
are thread safe 
(https://cxf.apache.org/faq.html#FAQ-AreJAX-WSclientproxiesthreadsafe?). 
Testing to verify the objects are thread safe is in progress.

3. When we invoke a REST web service, we create an instance of the Spring 
RestTemplate. The template then registers various mappers; the 
MappingJackson2HttpMessageConverter uses 
Jackson2ObjectMapperBuilder.registerWellKnownModulesIfAvailable() to register a 
few optional modules. Each time the template is created a classpath search is 
performed that can trigger the jars to be reloaded. See: 
https://github.com/spring-projects/spring-framework/search?utf8=%E2%9C%93=registerWellKnownModulesIfAvailable=.
 The optional modules include: Jdk7Module, Jdk8Module, and JavaModule. Adding 
these jars allows the classes to be found and then cached, thus preventing 
subsequent jar reloads: jackson-datatype-jsr310-2.10.1.jar
jackson-datatype-jdk7-2.6.7.jar,  and jackson-datatype-jdk8-2.10.1.jar.

4. When transforming XML documents, we repeatedly read the .xsl file using 
getResourceAsStream(sometransform.xsl). This is cached by default for 5 
seconds. We increased the 

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

We continue to profile our application and have found instances of using 
TransformerFactory.newInstance().

The more concerning problem is third party dependencies that do this or 
something similar we could not fix.

Jar modified times are not changing - I did not mean to state or otherwise 
imply that.

-Original Message-
From: john.e.gr...@wellsfargo.com.INVALID 
Sent: Thursday, October 10, 2019 6:54 PM
To: users@tomcat.apache.org
Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

Tony,


> -Original Message-
> From: Rhuberg,Anthony 
> Sent: Thursday, October 10, 2019 5:22 PM
> To: Tomcat Users List 
> Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk
> usage because of repeated opening/closing of jars in WEB-INF/lib
>
> We are still investigating what specific classloader reads that would
> trigger the repeated reload of the web-inf/lib/*.jars.
>
> One example we found is the use of
> javax.xml.transform.TransformerFactory.newInstance(). One of its
> features is to determine the implementation by searching for the
> configuration specified by
> META-INF/services/javax.xml.transform.TransformerFactory in jars available to 
> the runtime.
>

Yep.  I was wondering about that.  I have no idea why this behavior would be 
different in Tomcat 9, though.  Did you change Java versions also?  Is the 
classpath longer?

I also have no idea about the jar modification date changes that you're seeing.

I do have first-hand experience with the performance of 
TransformerFactory.newInstance().  In general, anything that uses the service 
locator under the covers, such as TransformerFactory, DocumentBuilderFactory, 
etc, should be reused if possible.  Those XML factories are thread safe, though 
the things created by the factories are typically not thread safe.  You should 
create it once, configure it once, and use it as many times as necessary.  For 
example, you would create one TransformerFactory, then call newTransformer() as 
many times as necessary.

John
B CB  [  
X  ܚX KK[XZ[
 \ \  ][  X  ܚX P X ]
 \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
 \ \  Z[ X ]
 \X K ܙ B


CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[John.E.Gregg]

Tony,


> -Original Message-
> From: Rhuberg,Anthony 
> Sent: Thursday, October 10, 2019 5:22 PM
> To: Tomcat Users List 
> Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk usage
> because of repeated opening/closing of jars in WEB-INF/lib
> 
> We are still investigating what specific classloader reads that would trigger
> the repeated reload of the web-inf/lib/*.jars.
> 
> One example we found is the use of
> javax.xml.transform.TransformerFactory.newInstance(). One of its features
> is to determine the implementation by searching for the configuration
> specified by META-INF/services/javax.xml.transform.TransformerFactory in
> jars available to the runtime.
> 

Yep.  I was wondering about that.  I have no idea why this behavior would be 
different in Tomcat 9, though.  Did you change Java versions also?  Is the 
classpath longer?

I also have no idea about the jar modification date changes that you're seeing.

I do have first-hand experience with the performance of 
TransformerFactory.newInstance().  In general, anything that uses the service 
locator under the covers, such as TransformerFactory, DocumentBuilderFactory, 
etc, should be reused if possible.  Those XML factories are thread safe, though 
the things created by the factories are typically not thread safe.  You should 
create it once, configure it once, and use it as many times as necessary.  For 
example, you would create one TransformerFactory, then call newTransformer() as 
many times as necessary.

John

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

We are still investigating what specific classloader reads that would trigger 
the repeated reload of the web-inf/lib/*.jars.

One example we found is the use of 
javax.xml.transform.TransformerFactory.newInstance(). One of its features is to 
determine the implementation by searching for the configuration specified by 
META-INF/services/javax.xml.transform.TransformerFactory in jars available to 
the runtime.

It seems users of Tomcat 9 would need to understand the management of the jar 
resource handles when using the TransformerFactory class - assuming it is 
triggering the reload of all the related application jars - which if happening 
enough can cause the high cpu/disk usage as we observed in our performance 
tests.

Thanks

-Original Message-
From: Mark Thomas  
Sent: Thursday, October 10, 2019 3:54 AM
To: users@tomcat.apache.org
Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

On 09/10/2019 22:58, Rhuberg,Anthony wrote:
> StandardRoot.gc() unconditionally closes the web application jars in Tomcat 
> 9... every 10s by default or configurable by changing 
> backgroundProcessorDelay.
> 
> So then the problem is Our web application is calling 
> class.getResourceAsStream() to read some static files... and this is causing 
> the jars to be read again?

It sounds like it.

> This was not a problem with Tomcat 7 because the jars were not closed if they 
> were read within the jarOpenInterval setting?

Or that the frequency that the JARs were closed was low enough that the 
performance impact was not noticed.

Mark


> 
> Thanks,
> Tony
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, October 09, 2019 5:32 PM
> To: users@tomcat.apache.org
> Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk 
> usage because of repeated opening/closing of jars in WEB-INF/lib
> 
> On 09/10/2019 21:03, Rhuberg,Anthony wrote:
>> This seems to alleviate the issue... in context.xml (sc-test#sc.xml) 
>> > swallowOutput="true" backgroundProcessorDelay="90">
>>
>> Not sure if this is the context reload trigger... i.e. the 
>> webappLoader.backgroundProcess method is triggered every 90 seconds...
> 
> It isn't. It is StandardRoot.gc() that is unloading the cached JAR entries.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 
> CONFIDENTIALITY NOTICE This message and any included attachments are from 
> Cerner Corporation and are intended only for the addressee. The information 
> contained in this message is confidential and may constitute inside or 
> non-public information under international, federal, or state securities 
> laws. Unauthorized forwarding, printing, copying, distribution, or use of 
> such information is strictly prohibited and may be unlawful. If you are not 
> the addressee, please promptly delete this message and notify the sender of 
> the delivery error by e-mail or you may call Cerner's corporate offices in 
> Kansas City, Missouri, U.S.A at (+1) (816)221-1024.
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Mark Thomas]

On 09/10/2019 22:58, Rhuberg,Anthony wrote:
> StandardRoot.gc() unconditionally closes the web application jars in Tomcat 
> 9... every 10s by default or configurable by changing 
> backgroundProcessorDelay.
> 
> So then the problem is Our web application is calling 
> class.getResourceAsStream() to read some static files... and this is causing 
> the jars to be read again?

It sounds like it.

> This was not a problem with Tomcat 7 because the jars were not closed if they 
> were read within the jarOpenInterval setting?

Or that the frequency that the JARs were closed was low enough that the
performance impact was not noticed.

Mark


> 
> Thanks,
> Tony
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, October 09, 2019 5:32 PM
> To: users@tomcat.apache.org
> Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage 
> because of repeated opening/closing of jars in WEB-INF/lib
> 
> On 09/10/2019 21:03, Rhuberg,Anthony wrote:
>> This seems to alleviate the issue... in context.xml (sc-test#sc.xml)
>> > swallowOutput="true" backgroundProcessorDelay="90">
>>
>> Not sure if this is the context reload trigger... i.e. the 
>> webappLoader.backgroundProcess method is triggered every 90 seconds...
> 
> It isn't. It is StandardRoot.gc() that is unloading the cached JAR entries.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 
> CONFIDENTIALITY NOTICE This message and any included attachments are from 
> Cerner Corporation and are intended only for the addressee. The information 
> contained in this message is confidential and may constitute inside or 
> non-public information under international, federal, or state securities 
> laws. Unauthorized forwarding, printing, copying, distribution, or use of 
> such information is strictly prohibited and may be unlawful. If you are not 
> the addressee, please promptly delete this message and notify the sender of 
> the delivery error by e-mail or you may call Cerner's corporate offices in 
> Kansas City, Missouri, U.S.A at (+1) (816)221-1024.
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

I have not seen the trace message for modified()... So my understanding of this 
is wrong.

-Original Message-
From: Paul Carter-Brown 
Sent: Wednesday, October 09, 2019 4:42 PM
To: Tomcat Users List 
Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

Hi Anthony

Have you turned debug logging on to see what it is picking up as modified?

On Wed, 09 Oct 2019, 22:24 Rhuberg,Anthony, 
 wrote:

> Thanks for your responses.
>
> I understand that re-reading the static files is not optimal, but how
> does reading files from the jar affect them being reloaded... In
> Tomcat 7, that seemed to prevent the jars from being reloaded since
> the accessTime was changed; in Tomcat 8, it seems the modified()
> method uses the file modified time - not sure what we are doing to
> cause the modified time to change - the files on the filesystem are
> not changing - unless there is something happening in the classes folder.
>
> Thanks
>
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, October 09, 2019 3:56 PM
> To: users@tomcat.apache.org
> Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk
> usage because of repeated opening/closing of jars in WEB-INF/lib
>
> On 09/10/2019 20:08, Rhuberg,Anthony wrote:
> > On the other thread: Is this genuine class loading (in which case
> > the response below is correct) or is the application reading the
> > .class
> files as if they were resources (in which case a different answer applies)?
> > Mostly, we are talking about the default class loader; however, the
> application does read resources from the jar files - mostly static
> files that are stored within the package structure are read (for
> example: log4j, property files, other static content). Would this
> affect the reload of the jar files?
>
> If an application was reading the same resource from a JAR over and
> over again, that may have a performance impact. Increasing the TTL for
> cached resources would probably address that although, arguably, the
> better solution in that case would be to fix the app to load it once and 
> cache it.
>
> > -Original Message-
> > From: Rhuberg,Anthony
> > Sent: Wednesday, October 09, 2019 2:53 PM
> > To: Tomcat Users List 
> > Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk
> > usage because of repeated opening/closing of jars in WEB-INF/lib
> >
> > Just noticed another thread on this topic: RE: Tomcat discards and
> reloads the jar files from the webapps folder.
> >
> > Setting the Engine attribute backgroundProcessorDelay to 90s does
> > reduce
> the open/close cycle of the jars.
>
> Thanks for the confirmation.
>
> > The other thread also mentioned a potential configuration to keep
> > the
> jars open longer by default. This could be helpful - not sure we need
> to close them at all.
>
> If the JARs aren't closed it can cause file locking issues. We could
> include a disable option if we did make the Jar unload frequency
> configurable.
>
> > Alternatively, would there be any gain to 'explode' the jars into
> > class
> files on the filesystem?
>
> Maybe. Best bet it to try it for your app and see.
>
> Mark
>
>
> > -Original Message-
> > From: Rhuberg,Anthony 
> > Sent: Wednesday, October 09, 2019 2:17 PM
> > To: users@tomcat.apache.org
> > Subject: Performance test with Tomcat 9 shows increased cpu/disk
> > usage because of repeated opening/closing of jars in WEB-INF/lib
> >
> > Background:
> > In the last few months we migrated our web application from Tomcat
> 7.0.55 to Tomcat 9.0.19 (26). That transition was relatively
> straightforward until we reviewed the results of our performance tests.
> Those tests showed an increase in CPU usage and disk I/O on our
> Windows
> 2012 server. When we switch back to Tomcat 7, the metrics for CPU/disk
> usage were significantly lower (similar to previous tests).
> >
> > As we investigated the cause of the increase in cpu/disk usage we
> > found
> the tomcat process was repeatedly opening and closing the jars of our
> web application. The process profile showed all the jars in
> WEB-INF/lib being closed and reopened within seconds while the
> application was processing requests (and to some extent when quite).
> Now we are trying to determine why.
> >
> > We have a general understanding that the WebappClassLoaderBase.java
> implementation changed in Tomcat 8.5. The Tomcat 7 implementation
> provided for the configuration of  jarOpenInterval (which we used the
> default = 90s). The latest implementati

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

StandardRoot.gc() unconditionally closes the web application jars in Tomcat 
9... every 10s by default or configurable by changing backgroundProcessorDelay.

So then the problem is Our web application is calling 
class.getResourceAsStream() to read some static files... and this is causing 
the jars to be read again? This was not a problem with Tomcat 7 because the 
jars were not closed if they were read within the jarOpenInterval setting?

Thanks,
Tony

-Original Message-
From: Mark Thomas 
Sent: Wednesday, October 09, 2019 5:32 PM
To: users@tomcat.apache.org
Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

On 09/10/2019 21:03, Rhuberg,Anthony wrote:
> This seems to alleviate the issue... in context.xml (sc-test#sc.xml)
>  swallowOutput="true" backgroundProcessorDelay="90">
>
> Not sure if this is the context reload trigger... i.e. the 
> webappLoader.backgroundProcess method is triggered every 90 seconds...

It isn't. It is StandardRoot.gc() that is unloading the cached JAR entries.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.

Re: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Mark Thomas]

On 09/10/2019 21:03, Rhuberg,Anthony wrote:
> This seems to alleviate the issue... in context.xml (sc-test#sc.xml)
>  backgroundProcessorDelay="90">
> 
> Not sure if this is the context reload trigger... i.e. the 
> webappLoader.backgroundProcess method is triggered every 90 seconds...

It isn't. It is StandardRoot.gc() that is unloading the cached JAR entries.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Paul Carter-Brown]

Hi Anthony

Have you turned debug logging on to see what it is picking up as modified?

On Wed, 09 Oct 2019, 22:24 Rhuberg,Anthony,
 wrote:

> Thanks for your responses.
>
> I understand that re-reading the static files is not optimal, but how does
> reading files from the jar affect them being reloaded... In Tomcat 7, that
> seemed to prevent the jars from being reloaded since the accessTime was
> changed; in Tomcat 8, it seems the modified() method uses the file modified
> time - not sure what we are doing to cause the modified time to change -
> the files on the filesystem are not changing - unless there is something
> happening in the classes folder.
>
> Thanks
>
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, October 09, 2019 3:56 PM
> To: users@tomcat.apache.org
> Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage
> because of repeated opening/closing of jars in WEB-INF/lib
>
> On 09/10/2019 20:08, Rhuberg,Anthony wrote:
> > On the other thread: Is this genuine class loading (in which case the
> > response below is correct) or is the application reading the .class
> files as if they were resources (in which case a different answer applies)?
> > Mostly, we are talking about the default class loader; however, the
> application does read resources from the jar files - mostly static files
> that are stored within the package structure are read (for example: log4j,
> property files, other static content). Would this affect the reload of the
> jar files?
>
> If an application was reading the same resource from a JAR over and over
> again, that may have a performance impact. Increasing the TTL for cached
> resources would probably address that although, arguably, the better
> solution in that case would be to fix the app to load it once and cache it.
>
> > -Original Message-
> > From: Rhuberg,Anthony
> > Sent: Wednesday, October 09, 2019 2:53 PM
> > To: Tomcat Users List 
> > Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk
> > usage because of repeated opening/closing of jars in WEB-INF/lib
> >
> > Just noticed another thread on this topic: RE: Tomcat discards and
> reloads the jar files from the webapps folder.
> >
> > Setting the Engine attribute backgroundProcessorDelay to 90s does reduce
> the open/close cycle of the jars.
>
> Thanks for the confirmation.
>
> > The other thread also mentioned a potential configuration to keep the
> jars open longer by default. This could be helpful - not sure we need to
> close them at all.
>
> If the JARs aren't closed it can cause file locking issues. We could
> include a disable option if we did make the Jar unload frequency
> configurable.
>
> > Alternatively, would there be any gain to 'explode' the jars into class
> files on the filesystem?
>
> Maybe. Best bet it to try it for your app and see.
>
> Mark
>
>
> > -Original Message-
> > From: Rhuberg,Anthony 
> > Sent: Wednesday, October 09, 2019 2:17 PM
> > To: users@tomcat.apache.org
> > Subject: Performance test with Tomcat 9 shows increased cpu/disk usage
> > because of repeated opening/closing of jars in WEB-INF/lib
> >
> > Background:
> > In the last few months we migrated our web application from Tomcat
> 7.0.55 to Tomcat 9.0.19 (26). That transition was relatively
> straightforward until we reviewed the results of our performance tests.
> Those tests showed an increase in CPU usage and disk I/O on our Windows
> 2012 server. When we switch back to Tomcat 7, the metrics for CPU/disk
> usage were significantly lower (similar to previous tests).
> >
> > As we investigated the cause of the increase in cpu/disk usage we found
> the tomcat process was repeatedly opening and closing the jars of our web
> application. The process profile showed all the jars in WEB-INF/lib being
> closed and reopened within seconds while the application was processing
> requests (and to some extent when quite). Now we are trying to determine
> why.
> >
> > We have a general understanding that the WebappClassLoaderBase.java
> implementation changed in Tomcat 8.5. The Tomcat 7 implementation provided
> for the configuration of  jarOpenInterval (which we used the default =
> 90s). The latest implementation appears to track the jar modification times
> with a hash map called jarModificationTimes, but we are unable to find a
> similar time-to-live configuration or what triggers the lifecycle listener
> to close the jars (what calls WebappClassLoaderBase.modified() or
> destroy()) - assuming we understand this lifecycle behavior.
> >
> > The server is configured mostly with defa

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

Thanks for your responses.

I understand that re-reading the static files is not optimal, but how does 
reading files from the jar affect them being reloaded... In Tomcat 7, that 
seemed to prevent the jars from being reloaded since the accessTime was 
changed; in Tomcat 8, it seems the modified() method uses the file modified 
time - not sure what we are doing to cause the modified time to change - the 
files on the filesystem are not changing - unless there is something happening 
in the classes folder.

Thanks

-Original Message-
From: Mark Thomas  
Sent: Wednesday, October 09, 2019 3:56 PM
To: users@tomcat.apache.org
Subject: Re: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

On 09/10/2019 20:08, Rhuberg,Anthony wrote:
> On the other thread: Is this genuine class loading (in which case the 
> response below is correct) or is the application reading the .class files as 
> if they were resources (in which case a different answer applies)?
> Mostly, we are talking about the default class loader; however, the 
> application does read resources from the jar files - mostly static files that 
> are stored within the package structure are read (for example: log4j, 
> property files, other static content). Would this affect the reload of the 
> jar files?

If an application was reading the same resource from a JAR over and over again, 
that may have a performance impact. Increasing the TTL for cached resources 
would probably address that although, arguably, the better solution in that 
case would be to fix the app to load it once and cache it.

> -Original Message-
> From: Rhuberg,Anthony
> Sent: Wednesday, October 09, 2019 2:53 PM
> To: Tomcat Users List 
> Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk 
> usage because of repeated opening/closing of jars in WEB-INF/lib
> 
> Just noticed another thread on this topic: RE: Tomcat discards and reloads 
> the jar files from the webapps folder.
> 
> Setting the Engine attribute backgroundProcessorDelay to 90s does reduce the 
> open/close cycle of the jars.

Thanks for the confirmation.

> The other thread also mentioned a potential configuration to keep the jars 
> open longer by default. This could be helpful - not sure we need to close 
> them at all.

If the JARs aren't closed it can cause file locking issues. We could include a 
disable option if we did make the Jar unload frequency configurable.

> Alternatively, would there be any gain to 'explode' the jars into class files 
> on the filesystem? 

Maybe. Best bet it to try it for your app and see.

Mark


> -Original Message-
> From: Rhuberg,Anthony 
> Sent: Wednesday, October 09, 2019 2:17 PM
> To: users@tomcat.apache.org
> Subject: Performance test with Tomcat 9 shows increased cpu/disk usage 
> because of repeated opening/closing of jars in WEB-INF/lib
> 
> Background:
> In the last few months we migrated our web application from Tomcat 7.0.55 to 
> Tomcat 9.0.19 (26). That transition was relatively straightforward until we 
> reviewed the results of our performance tests. Those tests showed an increase 
> in CPU usage and disk I/O on our Windows 2012 server. When we switch back to 
> Tomcat 7, the metrics for CPU/disk usage were significantly lower (similar to 
> previous tests).
> 
> As we investigated the cause of the increase in cpu/disk usage we found the 
> tomcat process was repeatedly opening and closing the jars of our web 
> application. The process profile showed all the jars in WEB-INF/lib being 
> closed and reopened within seconds while the application was processing 
> requests (and to some extent when quite). Now we are trying to determine why.
> 
> We have a general understanding that the WebappClassLoaderBase.java 
> implementation changed in Tomcat 8.5. The Tomcat 7 implementation provided 
> for the configuration of  jarOpenInterval (which we used the default = 90s). 
> The latest implementation appears to track the jar modification times with a 
> hash map called jarModificationTimes, but we are unable to find a similar 
> time-to-live configuration or what triggers the lifecycle listener to close 
> the jars (what calls WebappClassLoaderBase.modified() or destroy()) - 
> assuming we understand this lifecycle behavior.
> 
> The server is configured mostly with default settings. The Context reloadable 
> property is NOT set. We have tried increasing the cache time of the Resources 
> cacheTtl property as the default of 5s seemed close to the time the jars were 
> reloaded. We have not been successful.
> 
> Question:
> What is the cause of the repeated reloading of our web application jars? What 
> can trigger the class loader to close all the file handles related to the 

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

This seems to alleviate the issue... in context.xml (sc-test#sc.xml)


Not sure if this is the context reload trigger... i.e. the 
webappLoader.backgroundProcess method is triggered every 90 seconds... the 
reloadable property on Context is NOT set (default = false). So then how does 
modified() evaluate to true? 
The 
https://github.com/apache/tomcat/blob/65aec2ac7fb4980694291e66efd360195dfa8d73/java/org/apache/catalina/loader/WebappLoader.java...
/**
 * Execute a periodic task, such as reloading, etc. This method will be
 * invoked inside the classloading context of this container. Unexpected
 * throwables will be caught and logged.
 */
@Override
public void backgroundProcess() {
if (reloadable && modified()) {
try {
Thread.currentThread().setContextClassLoader
(WebappLoader.class.getClassLoader());
if (context != null) {
context.reload();
}
} finally {
if (context != null && context.getLoader() != null) {
Thread.currentThread().setContextClassLoader
(context.getLoader().getClassLoader());
}
}
}
}

I do not understand how modified = true. Why would the jar date/time be changed?
https://github.com/apache/tomcat/blob/8.5.x/java/org/apache/catalina/loader/WebappClassLoaderBase.java
/**
 * Have one or more classes or resources been modified so that a reload
 * is appropriate?
 * @return true if there's been a modification
 */
public boolean modified() {

if (log.isDebugEnabled())
log.debug("modified()");

for (Entry entry : resourceEntries.entrySet()) {
long cachedLastModified = entry.getValue().lastModified;
long lastModified = resources.getClassLoaderResource(
entry.getKey()).getLastModified();
if (lastModified != cachedLastModified) {
if( log.isDebugEnabled() )
log.debug(sm.getString("webappClassLoader.resourceModified",
entry.getKey(),
new Date(cachedLastModified),
new Date(lastModified)));
return true;
}
}

// Check if JARs have been added or removed
WebResource[] jars = resources.listResources("/WEB-INF/lib");
// Filter out non-JAR resources

int jarCount = 0;
for (WebResource jar : jars) {
if (jar.getName().endsWith(".jar") && jar.isFile() && 
jar.canRead()) {
jarCount++;
Long recordedLastModified = 
jarModificationTimes.get(jar.getName());
if (recordedLastModified == null) {
// Jar has been added
log.info(sm.getString("webappClassLoader.jarsAdded",
resources.getContext().getName()));
return true;
}
if (recordedLastModified.longValue() != jar.getLastModified()) {
// Jar has been changed
log.info(sm.getString("webappClassLoader.jarsModified",
resources.getContext().getName()));
return true;
}
}
}

if (jarCount < jarModificationTimes.size()){
log.info(sm.getString("webappClassLoader.jarsRemoved",
resources.getContext().getName()));
return true;
}


// No classes have been modified
return false;
}

-Original Message-
From: Rhuberg,Anthony 
Sent: Wednesday, October 09, 2019 3:08 PM
To: Tomcat Users List 
Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

On the other thread: Is this genuine class loading (in which case the response 
below is correct) or is the application reading the .class files as if they 
were resources (in which case a different answer applies)?
Mostly, we are talking about the default class loader; however, the application 
does read resources from the jar files - mostly static files that are stored 
within the package structure are read (for example: log4j, property files, 
other static content). Would this affect the reload of the jar files?

-Original Message-
From: Rhuberg,Anthony
Sent: Wednesday, October 09, 2019 2:53 PM
To: Tomcat Users List 
Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

Just noticed another thread on this topic: RE: Tomcat discards and reloads the 
jar files from the webapps folder.

Setting the Engine attribute backgroundProcessorDelay to 90s does red

Re: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Mark Thomas]

On 09/10/2019 20:08, Rhuberg,Anthony wrote:
> On the other thread: Is this genuine class loading (in which case the 
> response below is correct) or is the application reading the .class files as 
> if they were
> resources (in which case a different answer applies)?
> Mostly, we are talking about the default class loader; however, the 
> application does read resources from the jar files - mostly static files that 
> are stored within the package structure are read (for example: log4j, 
> property files, other static content). Would this affect the reload of the 
> jar files?

If an application was reading the same resource from a JAR over and over
again, that may have a performance impact. Increasing the TTL for cached
resources would probably address that although, arguably, the better
solution in that case would be to fix the app to load it once and cache it.

> -Original Message-
> From: Rhuberg,Anthony 
> Sent: Wednesday, October 09, 2019 2:53 PM
> To: Tomcat Users List 
> Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk usage 
> because of repeated opening/closing of jars in WEB-INF/lib
> 
> Just noticed another thread on this topic: RE: Tomcat discards and reloads 
> the jar files from the webapps folder.
> 
> Setting the Engine attribute backgroundProcessorDelay to 90s does reduce the 
> open/close cycle of the jars.

Thanks for the confirmation.

> The other thread also mentioned a potential configuration to keep the jars 
> open longer by default. This could be helpful - not sure we need to close 
> them at all.

If the JARs aren't closed it can cause file locking issues. We could
include a disable option if we did make the Jar unload frequency
configurable.

> Alternatively, would there be any gain to 'explode' the jars into class files 
> on the filesystem? 

Maybe. Best bet it to try it for your app and see.

Mark


> -Original Message-
> From: Rhuberg,Anthony  
> Sent: Wednesday, October 09, 2019 2:17 PM
> To: users@tomcat.apache.org
> Subject: Performance test with Tomcat 9 shows increased cpu/disk usage 
> because of repeated opening/closing of jars in WEB-INF/lib
> 
> Background:
> In the last few months we migrated our web application from Tomcat 7.0.55 to 
> Tomcat 9.0.19 (26). That transition was relatively straightforward until we 
> reviewed the results of our performance tests. Those tests showed an increase 
> in CPU usage and disk I/O on our Windows 2012 server. When we switch back to 
> Tomcat 7, the metrics for CPU/disk usage were significantly lower (similar to 
> previous tests).
> 
> As we investigated the cause of the increase in cpu/disk usage we found the 
> tomcat process was repeatedly opening and closing the jars of our web 
> application. The process profile showed all the jars in WEB-INF/lib being 
> closed and reopened within seconds while the application was processing 
> requests (and to some extent when quite). Now we are trying to determine why.
> 
> We have a general understanding that the WebappClassLoaderBase.java 
> implementation changed in Tomcat 8.5. The Tomcat 7 implementation provided 
> for the configuration of  jarOpenInterval (which we used the default = 90s). 
> The latest implementation appears to track the jar modification times with a 
> hash map called jarModificationTimes, but we are unable to find a similar 
> time-to-live configuration or what triggers the lifecycle listener to close 
> the jars (what calls WebappClassLoaderBase.modified() or destroy()) - 
> assuming we understand this lifecycle behavior.
> 
> The server is configured mostly with default settings. The Context reloadable 
> property is NOT set. We have tried increasing the cache time of the Resources 
> cacheTtl property as the default of 5s seemed close to the time the jars were 
> reloaded. We have not been successful.
> 
> Question:
> What is the cause of the repeated reloading of our web application jars? What 
> can trigger the class loader to close all the file handles related to the 
> jars in the web application WEB-INF/lib directory - and then open them again 
> within a few seconds?
> 
> 
> 
> CONFIDENTIALITY NOTICE This message and any included attachments are from 
> Cerner Corporation and are intended only for the addressee. The information 
> contained in this message is confidential and may constitute inside or 
> non-public information under international, federal, or state securities 
> laws. Unauthorized forwarding, printing, copying, distribution, or use of 
> such information is strictly prohibited and may be unlawful. If you are not 
> the addressee, please promptly delete this message and notify the sender of 
> the delivery error by e-mail or you may call Cerner's corporate offices in 
&g

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

On the other thread: Is this genuine class loading (in which case the response 
below is correct) or is the application reading the .class files as if they were
resources (in which case a different answer applies)?
Mostly, we are talking about the default class loader; however, the application 
does read resources from the jar files - mostly static files that are stored 
within the package structure are read (for example: log4j, property files, 
other static content). Would this affect the reload of the jar files?

-Original Message-
From: Rhuberg,Anthony 
Sent: Wednesday, October 09, 2019 2:53 PM
To: Tomcat Users List 
Subject: RE: Performance test with Tomcat 9 shows increased cpu/disk usage 
because of repeated opening/closing of jars in WEB-INF/lib

Just noticed another thread on this topic: RE: Tomcat discards and reloads the 
jar files from the webapps folder.

Setting the Engine attribute backgroundProcessorDelay to 90s does reduce the 
open/close cycle of the jars.

The other thread also mentioned a potential configuration to keep the jars open 
longer by default. This could be helpful - not sure we need to close them at 
all.

Alternatively, would there be any gain to 'explode' the jars into class files 
on the filesystem? 

-Original Message-
From: Rhuberg,Anthony  
Sent: Wednesday, October 09, 2019 2:17 PM
To: users@tomcat.apache.org
Subject: Performance test with Tomcat 9 shows increased cpu/disk usage because 
of repeated opening/closing of jars in WEB-INF/lib

Background:
In the last few months we migrated our web application from Tomcat 7.0.55 to 
Tomcat 9.0.19 (26). That transition was relatively straightforward until we 
reviewed the results of our performance tests. Those tests showed an increase 
in CPU usage and disk I/O on our Windows 2012 server. When we switch back to 
Tomcat 7, the metrics for CPU/disk usage were significantly lower (similar to 
previous tests).

As we investigated the cause of the increase in cpu/disk usage we found the 
tomcat process was repeatedly opening and closing the jars of our web 
application. The process profile showed all the jars in WEB-INF/lib being 
closed and reopened within seconds while the application was processing 
requests (and to some extent when quite). Now we are trying to determine why.

We have a general understanding that the WebappClassLoaderBase.java 
implementation changed in Tomcat 8.5. The Tomcat 7 implementation provided for 
the configuration of  jarOpenInterval (which we used the default = 90s). The 
latest implementation appears to track the jar modification times with a hash 
map called jarModificationTimes, but we are unable to find a similar 
time-to-live configuration or what triggers the lifecycle listener to close the 
jars (what calls WebappClassLoaderBase.modified() or destroy()) - assuming we 
understand this lifecycle behavior.

The server is configured mostly with default settings. The Context reloadable 
property is NOT set. We have tried increasing the cache time of the Resources 
cacheTtl property as the default of 5s seemed close to the time the jars were 
reloaded. We have not been successful.

Question:
What is the cause of the repeated reloading of our web application jars? What 
can trigger the class loader to close all the file handles related to the jars 
in the web application WEB-INF/lib directory - and then open them again within 
a few seconds?



CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

Just noticed another thread on this topic: RE: Tomcat discards and reloads the 
jar files from the webapps folder.

Setting the Engine attribute backgroundProcessorDelay to 90s does reduce the 
open/close cycle of the jars.

The other thread also mentioned a potential configuration to keep the jars open 
longer by default. This could be helpful - not sure we need to close them at 
all.

Alternatively, would there be any gain to 'explode' the jars into class files 
on the filesystem? 

-Original Message-
From: Rhuberg,Anthony  
Sent: Wednesday, October 09, 2019 2:17 PM
To: users@tomcat.apache.org
Subject: Performance test with Tomcat 9 shows increased cpu/disk usage because 
of repeated opening/closing of jars in WEB-INF/lib

Background:
In the last few months we migrated our web application from Tomcat 7.0.55 to 
Tomcat 9.0.19 (26). That transition was relatively straightforward until we 
reviewed the results of our performance tests. Those tests showed an increase 
in CPU usage and disk I/O on our Windows 2012 server. When we switch back to 
Tomcat 7, the metrics for CPU/disk usage were significantly lower (similar to 
previous tests).

As we investigated the cause of the increase in cpu/disk usage we found the 
tomcat process was repeatedly opening and closing the jars of our web 
application. The process profile showed all the jars in WEB-INF/lib being 
closed and reopened within seconds while the application was processing 
requests (and to some extent when quite). Now we are trying to determine why.

We have a general understanding that the WebappClassLoaderBase.java 
implementation changed in Tomcat 8.5. The Tomcat 7 implementation provided for 
the configuration of  jarOpenInterval (which we used the default = 90s). The 
latest implementation appears to track the jar modification times with a hash 
map called jarModificationTimes, but we are unable to find a similar 
time-to-live configuration or what triggers the lifecycle listener to close the 
jars (what calls WebappClassLoaderBase.modified() or destroy()) - assuming we 
understand this lifecycle behavior.

The server is configured mostly with default settings. The Context reloadable 
property is NOT set. We have tried increasing the cache time of the Resources 
cacheTtl property as the default of 5s seemed close to the time the jars were 
reloaded. We have not been successful.

Question:
What is the cause of the repeated reloading of our web application jars? What 
can trigger the class loader to close all the file handles related to the jars 
in the web application WEB-INF/lib directory - and then open them again within 
a few seconds?



CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Performance test with Tomcat 9 shows increased cpu/disk usage because of repeated opening/closing of jars in WEB-INF/lib

[Rhuberg,Anthony]

Background:
In the last few months we migrated our web application from Tomcat 7.0.55 to 
Tomcat 9.0.19 (26). That transition was relatively straightforward until we 
reviewed the results of our performance tests. Those tests showed an increase 
in CPU usage and disk I/O on our Windows 2012 server. When we switch back to 
Tomcat 7, the metrics for CPU/disk usage were significantly lower (similar to 
previous tests).

As we investigated the cause of the increase in cpu/disk usage we found the 
tomcat process was repeatedly opening and closing the jars of our web 
application. The process profile showed all the jars in WEB-INF/lib being 
closed and reopened within seconds while the application was processing 
requests (and to some extent when quite). Now we are trying to determine why.

We have a general understanding that the WebappClassLoaderBase.java 
implementation changed in Tomcat 8.5. The Tomcat 7 implementation provided for 
the configuration of  jarOpenInterval (which we used the default = 90s). The 
latest implementation appears to track the jar modification times with a hash 
map called jarModificationTimes, but we are unable to find a similar 
time-to-live configuration or what triggers the lifecycle listener to close the 
jars (what calls WebappClassLoaderBase.modified() or destroy()) - assuming we 
understand this lifecycle behavior.

The server is configured mostly with default settings. The Context reloadable 
property is NOT set. We have tried increasing the cache time of the Resources 
cacheTtl property as the default of 5s seemed close to the time the jars were 
reloaded. We have not been successful.

Question:
What is the cause of the repeated reloading of our web application jars? What 
can trigger the class loader to close all the file handles related to the jars 
in the web application WEB-INF/lib directory - and then open them again within 
a few seconds?



CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Test for tomcat native

[Mark Thomas]

On 04/07/2019 12:46, Markus Fömpe wrote:
> Hello,
> 
> I'm not sure if I'm on the right user mailing list or if my question belongs 
> more on the dev mailing list. If I am wrong here, please let me know.
> 
> Yesterday I got a notification that there is a new version of Tomcat Native 
> available. I work with macOS and install programs with homebrew. For the last 
> updates of Tomcat 9 I updated the Homebrew Formula and wanted to do the same 
> for Tomcat Native [1].
> 
> During the update of the formula I stumbled over the requirement that now a 
> test for the formula is necessary [2].
> Unfortunately, I have no idea how such a test could look like for the Tomcat 
> Native library. Is there someone on the mailing list who could give me a hint?

You need a JAVA_HOME to compile the library so compile the Java source
as well (a useful test in itself) and write a short Java class that:
- calls Library.initialize(null)
- checks the version number is correct

Mark


> 
> Best regards,
> Markus
> 
> [1] 
> https://github.com/mystygage/homebrew-core/commit/e28e93e3e90c3fa2273990a91c8643ca9c97d296
> [2] https://docs.brew.sh/Formula-Cookbook#add-a-test-to-the-formula
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Test for tomcat native

[Markus Fömpe]

Hello,

I'm not sure if I'm on the right user mailing list or if my question belongs 
more on the dev mailing list. If I am wrong here, please let me know.

Yesterday I got a notification that there is a new version of Tomcat Native 
available. I work with macOS and install programs with homebrew. For the last 
updates of Tomcat 9 I updated the Homebrew Formula and wanted to do the same 
for Tomcat Native [1].

During the update of the formula I stumbled over the requirement that now a 
test for the formula is necessary [2].
Unfortunately, I have no idea how such a test could look like for the Tomcat 
Native library. Is there someone on the mailing list who could give me a hint?

Best regards,
Markus

[1] 
https://github.com/mystygage/homebrew-core/commit/e28e93e3e90c3fa2273990a91c8643ca9c97d296
[2] https://docs.brew.sh/Formula-Cookbook#add-a-test-to-the-formula

Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

[Tommy Schneider]

Hi,

I turned on the logging as you recommended, this is what it get in the
catalina.out

Krb5Context setting mySeqNumber to: 441582303
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
13-Feb-2019 14:07:56.755 FINE [http-nio-8080-exec-3]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /favicon.ico
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against
GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against
GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
hasUserDataPermission()
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint has no restrictions
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
authenticate()
13-Feb-2019 14:07:56.818 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate
No authorization header sent by client
13-Feb-2019 14:07:56.820 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test


The part with the "No authorization header sent by client" seems to be
new, however I don't know what to conclude from that information.

Kind regards,
Thomas

Am Mo., 11. Feb. 2019 um 10:24 Uhr schrieb Mark Thomas :
>
> On 08/02/2019 21:43, Michael Osipov wrote:
> > Am 2019-02-08 um 12:54 schrieb Tommy Schneider:
> >> Hello,
> >>
> >> I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:
> >>
> >> Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
> >> Platform/OS:  AIX 7.2 ppc64
> >> Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins
> >>
> >>> From what I can see in the catalina log I think it's almost working
> >> (AD user is returned back correctly), but in the web application I
> >> always get stuck with a HTTP 401. No matter whether I'm using a JNDI
> >> realm or a simple JAAS realm. I also tried different approaches in the
> >> application's web.xml like using "*" as generic role name or
> >> specifiying a list of role names like they should come back from the
> >> AD). I'm starting to think the cause may still be somewhere in the
> >> SPNEGO/Kerberos stuff and not in my realm/application config.
> >>
> >> Currently I'm trying to use a simple JAAS realm (as I found a tutorial
> >> saying this is the simplest way to go when you just need the user name
> >> and no roles)
> >> snippet from server.xml
> >>   >> autoDeploy="true">
> >>  
> >> >> className="org.apache.catalina.authenticator.SpnegoAuthenticator"
> >> storeDelegatedCredential="true">
> >> >> className="org.apache.catalina.realm.JAASRealm"
> >> allRolesMode="strictAuthOnly" />
> >>  
> >>
> >> snippet from catalina.out:
> >>  Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  Found ticket for
> >> HTTP/mymachine.mycompany@mycompany.com to go to
> >> krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
> >> 2019
> >>  Entered Krb5Context.acceptSecContext with state=STATE_NEW
> >>  Looking for keys for:
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  Added key: 17version: 15
> >>  Added key: 18version: 15
> >>  Added key: 23version: 15
> >>  Found unsupported keytype (3) for
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  Found unsupported keytype (1) for
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>  Using builtin default etypes for permitted_enctypes
> >>  d

Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

[Mark Thomas]

On 08/02/2019 21:43, Michael Osipov wrote:
> Am 2019-02-08 um 12:54 schrieb Tommy Schneider:
>> Hello,
>>
>> I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:
>>
>> Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
>> Platform/OS:  AIX 7.2 ppc64
>> Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins
>>
>>> From what I can see in the catalina log I think it's almost working
>> (AD user is returned back correctly), but in the web application I
>> always get stuck with a HTTP 401. No matter whether I'm using a JNDI
>> realm or a simple JAAS realm. I also tried different approaches in the
>> application's web.xml like using "*" as generic role name or
>> specifiying a list of role names like they should come back from the
>> AD). I'm starting to think the cause may still be somewhere in the
>> SPNEGO/Kerberos stuff and not in my realm/application config.
>>
>> Currently I'm trying to use a simple JAAS realm (as I found a tutorial
>> saying this is the simplest way to go when you just need the user name
>> and no roles)
>> snippet from server.xml
>>  > autoDeploy="true">
>>  
>>    > className="org.apache.catalina.authenticator.SpnegoAuthenticator"
>> storeDelegatedCredential="true">
>>    > className="org.apache.catalina.realm.JAASRealm"
>> allRolesMode="strictAuthOnly" />
>>  
>>
>> snippet from catalina.out:
>>  Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
>> HTTP/mymachine.mycompany@mycompany.com
>>  Found ticket for
>> HTTP/mymachine.mycompany@mycompany.com to go to
>> krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
>> 2019
>>  Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>  Looking for keys for:
>> HTTP/mymachine.mycompany@mycompany.com
>>  Added key: 17version: 15
>>  Added key: 18version: 15
>>  Added key: 23version: 15
>>  Found unsupported keytype (3) for
>> HTTP/mymachine.mycompany@mycompany.com
>>  Found unsupported keytype (1) for
>> HTTP/mymachine.mycompany@mycompany.com
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  Using builtin default etypes for permitted_enctypes
>>  default etypes for permitted_enctypes: 18 17 16 23.
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  MemoryCache: add
>> 1549621587/000784/231A915D0FE70A039CF82095FC685C843F4D981D20A70F972015D8EB16D07CA5/myusern...@mycompany.com
>>
>> to myusern...@mycompany.com|
>> HTTP/mymachine.mycompany@mycompany.com
>>  >>> KrbApReq: authenticate succeed.
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  >>>Delegated Creds have pname=myusern...@mycompany.com
>> sname=krbtgt/mycompany@mycompany.com authtime=null
>> starttime=20190208095329Z
>> endtime=20190208195235ZrenewTill=20190215095235Z
>>  Krb5Context setting peerSeqNumber to: 883655442
>>  >>> EType:
>> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>  Krb5Context setting mySeqNumber to: 318684000
>>  [Krb5LoginModule]: Entering logout
>>  [Krb5LoginModule]: logged out Subject
>>  08-Feb-2019 11:26:27.415 FINE [https-jsse-nio-443-exec-5]
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
>> authenticate() test
>>
>> I'm happy with the part where "myusern...@mycompany.com" is returned
>> back from the AD, so I think most of the stuff is configured correctly
>> so far. However I have no idea what the last 3 lines indicate. Is it
>> ok that the "logout" occurs here? What causes the authenticator to
>> fail? Is this still related to the SPNEGO stuff or is it caused by the
>> realm or an incorrect web.xml in the application (I tried different
>> variants here and it all seems to end up with a
>> "org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
>> authenticate() test".
>>
>> Let me know if you need more configuration details.
>> Any help would be greatly appreciated
> 
> We need more debug outp

Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

[Michael Osipov]

Am 2019-02-08 um 12:54 schrieb Tommy Schneider:

Hello,

I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:

Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
Platform/OS:  AIX 7.2 ppc64
Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins


From what I can see in the catalina log I think it's almost working

(AD user is returned back correctly), but in the web application I
always get stuck with a HTTP 401. No matter whether I'm using a JNDI
realm or a simple JAAS realm. I also tried different approaches in the
application's web.xml like using "*" as generic role name or
specifiying a list of role names like they should come back from the
AD). I'm starting to think the cause may still be somewhere in the
SPNEGO/Kerberos stuff and not in my realm/application config.

Currently I'm trying to use a simple JAAS realm (as I found a tutorial
saying this is the simplest way to go when you just need the user name
and no roles)
snippet from server.xml
 
 
   
   
 

snippet from catalina.out:
 Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
HTTP/mymachine.mycompany@mycompany.com
 Found ticket for
HTTP/mymachine.mycompany@mycompany.com to go to
krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
2019
 Entered Krb5Context.acceptSecContext with state=STATE_NEW
 Looking for keys for: HTTP/mymachine.mycompany@mycompany.com
 Added key: 17version: 15
 Added key: 18version: 15
 Added key: 23version: 15
 Found unsupported keytype (3) for
HTTP/mymachine.mycompany@mycompany.com
 Found unsupported keytype (1) for
HTTP/mymachine.mycompany@mycompany.com
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 Using builtin default etypes for permitted_enctypes
 default etypes for permitted_enctypes: 18 17 16 23.
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 MemoryCache: add
1549621587/000784/231A915D0FE70A039CF82095FC685C843F4D981D20A70F972015D8EB16D07CA5/myusern...@mycompany.com
to myusern...@mycompany.com|
HTTP/mymachine.mycompany@mycompany.com
 >>> KrbApReq: authenticate succeed.
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 >>>Delegated Creds have pname=myusern...@mycompany.com
sname=krbtgt/mycompany@mycompany.com authtime=null
starttime=20190208095329Z
endtime=20190208195235ZrenewTill=20190215095235Z
 Krb5Context setting peerSeqNumber to: 883655442
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 Krb5Context setting mySeqNumber to: 318684000
 [Krb5LoginModule]: Entering logout
 [Krb5LoginModule]: logged out Subject
 08-Feb-2019 11:26:27.415 FINE [https-jsse-nio-443-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test

I'm happy with the part where "myusern...@mycompany.com" is returned
back from the AD, so I think most of the stuff is configured correctly
so far. However I have no idea what the last 3 lines indicate. Is it
ok that the "logout" occurs here? What causes the authenticator to
fail? Is this still related to the SPNEGO stuff or is it caused by the
realm or an incorrect web.xml in the application (I tried different
variants here and it all seems to end up with a
"org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test".

Let me know if you need more configuration details.
Any help would be greatly appreciated


We need more debug output. This doesn't really help. Please enable it, 
it will help. The Kerberos debug output you see is is just Sun-internal 
which has nothing to do with the Tomcat code.


The logout() is performed on the LoginContext required to obtain server 
credentials. The are released (hence logout performed) as soon as the 
security context has been established and the GSS src name has been 
obtained.


Michael


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

[Tommy Schneider]

Hello,

I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:

Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
Platform/OS:  AIX 7.2 ppc64
Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins

>From what I can see in the catalina log I think it's almost working
(AD user is returned back correctly), but in the web application I
always get stuck with a HTTP 401. No matter whether I'm using a JNDI
realm or a simple JAAS realm. I also tried different approaches in the
application's web.xml like using "*" as generic role name or
specifiying a list of role names like they should come back from the
AD). I'm starting to think the cause may still be somewhere in the
SPNEGO/Kerberos stuff and not in my realm/application config.

Currently I'm trying to use a simple JAAS realm (as I found a tutorial
saying this is the simplest way to go when you just need the user name
and no roles)
snippet from server.xml


  
  


snippet from catalina.out:
Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
HTTP/mymachine.mycompany@mycompany.com
Found ticket for
HTTP/mymachine.mycompany@mycompany.com to go to
krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
2019
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/mymachine.mycompany@mycompany.com
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for
HTTP/mymachine.mycompany@mycompany.com
Found unsupported keytype (1) for
HTTP/mymachine.mycompany@mycompany.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add
1549621587/000784/231A915D0FE70A039CF82095FC685C843F4D981D20A70F972015D8EB16D07CA5/myusern...@mycompany.com
to myusern...@mycompany.com|
HTTP/mymachine.mycompany@mycompany.com
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have pname=myusern...@mycompany.com
sname=krbtgt/mycompany@mycompany.com authtime=null
starttime=20190208095329Z
endtime=20190208195235ZrenewTill=20190215095235Z
Krb5Context setting peerSeqNumber to: 883655442
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 318684000
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
08-Feb-2019 11:26:27.415 FINE [https-jsse-nio-443-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test

I'm happy with the part where "myusern...@mycompany.com" is returned
back from the AD, so I think most of the stuff is configured correctly
so far. However I have no idea what the last 3 lines indicate. Is it
ok that the "logout" occurs here? What causes the authenticator to
fail? Is this still related to the SPNEGO stuff or is it caused by the
realm or an incorrect web.xml in the application (I tried different
variants here and it all seems to end up with a
"org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test".

Let me know if you need more configuration details.
Any help would be greatly appreciated

thx and kind regards,
Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: test email

[Konstantin Kolinko]

2018-06-27 23:34 GMT+03:00 kevin ferguson :
> Hi Guys
>
> Please delete if received I send about 6 emails all bounced not sure why.
> The only think I can think is, the mailing list does not like photo
> atttachements.

There rules are specified here:
http://tomcat.apache.org/lists.html#tomcat-users

See #7. in that list (no HTML, no attachments).

Usually attachments are silently stripped.

HTML formatting may cause the message to be treated as spam and be bounced.


Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

test email

[kevin ferguson]

Hi Guys

Please delete if received I send about 6 emails all bounced not sure why.
The only think I can think is, the mailing list does not like photo
atttachements.

Kevin

Re: configuring ciphers for SSL Labs server test

[logo]

Hi Baron,


Am 12.05.2018 05:36, schrieb Baron Fujimoto:

Hmm, I'm now getting an A grade using:



If I'm sufficiently motivated next week, I'll see if I can sort out 
exactly what

the deal was. But for now, it's Friday and pau hana time...

(yes, tomcat 8.5.x and Java 1.8_x)

On Fri, May 11, 2018 at 07:39:25AM +0100, Mark Thomas wrote:

On 11/05/18 03:35, Baron Fujimoto wrote:
Yes, the host is behind an F5 load balacer, but AFAIK it should be 
passing

all the TLS/SSL directly to the real host to handle.


You don't say which Tomcat version is being used. I assume one of the
8.5.x versions since the 8.5.x docs are referenced.

8.5.x should get an A from SSLLabs with the default configuration:
https://wiki.apache.org/tomcat/Security/Ciphers

I recently updated that page but 8.5.x was getting a A two years ago 
as

well.

Are you sure Java 8 is being used?

Mark




On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:

Are you using a load balancer?



Sent from my T-Mobile 4G LTE Device


 Original message 
From: David Wall <d.w...@computer.org>
Date: 5/10/18 6:15 PM (GMT-06:00)
To: users@tomcat.apache.org
Subject: Re: configuring ciphers for SSL Labs server test

We're doing good with this:




On 5/10/18 2:45 PM, Baron Fujimoto wrote:
I'm trying to improve our grade on SSL Labs SSL server test[1] for 
our
Tomcat configuraton. Currently, their report caps our grade at B 
because,
"This server does not support Authenticated encryption (AEAD) 
cipher

suites". They report that we support the following cipher suites:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I'm not sure why SSL Labs is seeing such a limited set of ciphers. 
We are

using Java 1.8.0_162, and I believe we have the Java Cryptography
Extension (JCE) properly installed. I have the following connector
defined (this version explicitly lists ciphers I think should 
satisfy the

AEAD cipher requirement[2]):

 protocol="org.apache.coyote.http11.Http11NioProtocol"

address="0.0.0.0"
port="8443"
maxThreads="500"
maxPostSize="10"
scheme="https" secure="true"
defaultSSLHostConfigName="foo.example.edu"
SSLEnabled="true" >
 
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

:!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
:!TLS_DHE_RSA_WITH_AES_256_CBC_SHA

:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

:!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

:!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

:!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

:!TLS_RSA_WITH_AES_128_CBC_SHA
:!TLS_RSA_WITH_AES_256_CBC_SHA
:!TLS_RSA_WITH_AES_128_CBC_SHA256
:!TLS_RSA_WITH_AES_256_CBC_SHA256
:!TLS_RSA_WITH_AES_128_GCM_SHA256
:!TLS_RSA_WITH_AES_256_GCM_SHA384

:!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

:!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

:TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

:TLS_DHE_RSA_WITH_AES_128_CBC_SHA
:TLS_DHE_RSA_WITH_AES_256_CBC_SHA

:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

:TLS_DHE_RSA_WITH_AES_256_CBC_

Re: configuring ciphers for SSL Labs server test

[Baron Fujimoto]

Hmm, I'm now getting an A grade using:



If I'm sufficiently motivated next week, I'll see if I can sort out exactly what
the deal was. But for now, it's Friday and pau hana time...

(yes, tomcat 8.5.x and Java 1.8_x)

On Fri, May 11, 2018 at 07:39:25AM +0100, Mark Thomas wrote:
>On 11/05/18 03:35, Baron Fujimoto wrote:
>> Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
>> all the TLS/SSL directly to the real host to handle.
>
>You don't say which Tomcat version is being used. I assume one of the
>8.5.x versions since the 8.5.x docs are referenced.
>
>8.5.x should get an A from SSLLabs with the default configuration:
>https://wiki.apache.org/tomcat/Security/Ciphers
>
>I recently updated that page but 8.5.x was getting a A two years ago as
>well.
>
>Are you sure Java 8 is being used?
>
>Mark
>
>
>> 
>> On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:
>>> Are you using a load balancer?
>>>
>>>
>>>
>>> Sent from my T-Mobile 4G LTE Device
>>>
>>>
>>>  Original message 
>>> From: David Wall <d.w...@computer.org>
>>> Date: 5/10/18 6:15 PM (GMT-06:00)
>>> To: users@tomcat.apache.org
>>> Subject: Re: configuring ciphers for SSL Labs server test
>>>
>>> We're doing good with this:
>>>
>>> >> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>>> >
>>>
>>>
>>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>>>> Tomcat configuraton. Currently, their report caps our grade at B because,
>>>> "This server does not support Authenticated encryption (AEAD) cipher
>>>> suites". They report that we support the following cipher suites:
>>>>
>>>> # TLS 1.2
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>
>>>> # TLS 1.1
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>
>>>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>>>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>>>> Extension (JCE) properly installed. I have the following connector
>>>> defined (this version explicitly lists ciphers I think should satisfy the
>>>> AEAD cipher requirement[2]):
>>>>
>>>>  >>> address="0.0.0.0"
>>>> port="8443"
>>>> maxThreads="500"
>>>> maxPostSize="10"
>>>> scheme="https" secure="true"
>>>> defaultSSLHostConfigName="foo.example.edu"
>>>> SSLEnabled="true" >
>>>>  >>> protocols="TLSv1.1+TLSv1.2+TLS1.3"
>>>> certificateVerification="none"
>>>> honorCipherOrder="true"
>>>> 
>>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>

RE: configuring ciphers for SSL Labs server test

[charlie arehart]

Also, Baron, about the URL you're testing on your site via by SSLLabs: is that 
really one being served by Tomcat's web server? That's whose connector you're 
showing here. 

If instead you are fronting/proxying Tomcat with Apache or IIS, then my 
understanding is that the SSL support is handled by that web server, not Tomcat 
(and the connector handling that would be one with a protocol="AJP/1.3" or the 
like), and you'd then be wanting to really resolve the poor grades via 
configuration of those instead.

I am open to being corrected by you or others here, of course.

/charlie

>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for 
>>> our Tomcat configuraton. Currently, their report caps our grade at B 
>>> because, "This server does not support Authenticated encryption 
>>> (AEAD) cipher suites". They report that we support the following cipher 
>>> suites:
>>>

>>>
>>>  >> address="0.0.0.0"
>>> port="8443"
>>> maxThreads="500"
>>> maxPostSize="10"
>>> scheme="https" secure="true"
>>> defaultSSLHostConfigName="foo.example.edu"
>>> SSLEnabled="true" >
>>>  



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: configuring ciphers for SSL Labs server test

[Mark Thomas]

On 11/05/18 03:35, Baron Fujimoto wrote:
> Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
> all the TLS/SSL directly to the real host to handle.

You don't say which Tomcat version is being used. I assume one of the
8.5.x versions since the 8.5.x docs are referenced.

8.5.x should get an A from SSLLabs with the default configuration:
https://wiki.apache.org/tomcat/Security/Ciphers

I recently updated that page but 8.5.x was getting a A two years ago as
well.

Are you sure Java 8 is being used?

Mark


> 
> On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:
>> Are you using a load balancer?
>>
>>
>>
>> Sent from my T-Mobile 4G LTE Device
>>
>>
>>  Original message 
>> From: David Wall <d.w...@computer.org>
>> Date: 5/10/18 6:15 PM (GMT-06:00)
>> To: users@tomcat.apache.org
>> Subject: Re: configuring ciphers for SSL Labs server test
>>
>> We're doing good with this:
>>
>> > protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>> >
>>
>>
>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>>> Tomcat configuraton. Currently, their report caps our grade at B because,
>>> "This server does not support Authenticated encryption (AEAD) cipher
>>> suites". They report that we support the following cipher suites:
>>>
>>> # TLS 1.2
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>
>>> # TLS 1.1
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>
>>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>>> Extension (JCE) properly installed. I have the following connector
>>> defined (this version explicitly lists ciphers I think should satisfy the
>>> AEAD cipher requirement[2]):
>>>
>>>  >> address="0.0.0.0"
>>> port="8443"
>>> maxThreads="500"
>>> maxPostSize="10"
>>> scheme="https" secure="true"
>>> defaultSSLHostConfigName="foo.example.edu"
>>> SSLEnabled="true" >
>>>  >> protocols="TLSv1.1+TLSv1.2+TLS1.3"
>>> certificateVerification="none"
>>> honorCipherOrder="true"
>>> 
>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>> :!TLS_RSA_WITH_AES_128_CBC_SHA
>>> :!TLS_RSA_WITH_AES_256_CBC_SHA
>>> :!TLS_RSA_WITH_AES_128_CBC_SHA256
>>> :!TLS_RSA_WITH_AES_256_CBC_SHA256
>>> :!TLS_RSA_WITH_AES_128_GCM_SHA256
>>> :!TLS_RSA_WITH_AES_256_GCM_SHA384
>>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>&

Re: configuring ciphers for SSL Labs server test

[Baron Fujimoto]

Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
all the TLS/SSL directly to the real host to handle.

On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:
> Are you using a load balancer?
>
>
>
>Sent from my T-Mobile 4G LTE Device
>
>
> Original message 
>From: David Wall <d.w...@computer.org>
>Date: 5/10/18 6:15 PM (GMT-06:00)
>To: users@tomcat.apache.org
>Subject: Re: configuring ciphers for SSL Labs server test
>
>We're doing good with this:
>
> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
> >
>
>
>On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>> Tomcat configuraton. Currently, their report caps our grade at B because,
>> "This server does not support Authenticated encryption (AEAD) cipher
>> suites". They report that we support the following cipher suites:
>>
>> # TLS 1.2
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>
>> # TLS 1.1
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>
>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>> Extension (JCE) properly installed. I have the following connector
>> defined (this version explicitly lists ciphers I think should satisfy the
>> AEAD cipher requirement[2]):
>>
>>  > address="0.0.0.0"
>> port="8443"
>> maxThreads="500"
>> maxPostSize="10"
>> scheme="https" secure="true"
>> defaultSSLHostConfigName="foo.example.edu"
>> SSLEnabled="true" >
>>  > protocols="TLSv1.1+TLSv1.2+TLS1.3"
>> certificateVerification="none"
>> honorCipherOrder="true"
>> 
>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>> :!TLS_RSA_WITH_AES_128_CBC_SHA
>> :!TLS_RSA_WITH_AES_256_CBC_SHA
>> :!TLS_RSA_WITH_AES_128_CBC_SHA256
>> :!TLS_RSA_WITH_AES_256_CBC_SHA256
>> :!TLS_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_RSA_WITH_AES_256_GCM_SHA384
>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> 

Re: configuring ciphers for SSL Labs server test

[Scott Hoenigman]

 Are you using a load balancer?



Sent from my T-Mobile 4G LTE Device


 Original message 
From: David Wall <d.w...@computer.org>
Date: 5/10/18 6:15 PM (GMT-06:00)
To: users@tomcat.apache.org
Subject: Re: configuring ciphers for SSL Labs server test

We're doing good with this:

 


On 5/10/18 2:45 PM, Baron Fujimoto wrote:
> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
> Tomcat configuraton. Currently, their report caps our grade at B because,
> "This server does not support Authenticated encryption (AEAD) cipher
> suites". They report that we support the following cipher suites:
>
> # TLS 1.2
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> # TLS 1.1
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
> using Java 1.8.0_162, and I believe we have the Java Cryptography
> Extension (JCE) properly installed. I have the following connector
> defined (this version explicitly lists ciphers I think should satisfy the
> AEAD cipher requirement[2]):
>
>   address="0.0.0.0"
> port="8443"
> maxThreads="500"
> maxPostSize="10"
> scheme="https" secure="true"
> defaultSSLHostConfigName="foo.example.edu"
> SSLEnabled="true" >
>   protocols="TLSv1.1+TLSv1.2+TLS1.3"
> certificateVerification="none"
> honorCipherOrder="true"
> 
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> :!TLS_RSA_WITH_AES_128_CBC_SHA
> :!TLS_RSA_WITH_AES_256_CBC_SHA
> :!TLS_RSA_WITH_AES_128_CBC_SHA256
> :!TLS_RSA_WITH_AES_256_CBC_SHA256
> :!TLS_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_RSA_WITH_AES_256_GCM_SHA384
> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >
> 
> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" >
>  
>  
>  
>
> I've mapped the cipher suite names using the OpenSSL cipher suite name
> list[3]. I originally started with
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
> result, so subsequently tried adding the specific ciphers shown above. The
> tomcat SSLHostConfig docs state that either the OpenSSL or

Re: configuring ciphers for SSL Labs server test

[David Wall]

We're doing good with this:

    protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"

ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
    >


On 5/10/18 2:45 PM, Baron Fujimoto wrote:

I'm trying to improve our grade on SSL Labs SSL server test[1] for our
Tomcat configuraton. Currently, their report caps our grade at B because,
"This server does not support Authenticated encryption (AEAD) cipher
suites". They report that we support the following cipher suites:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
using Java 1.8.0_162, and I believe we have the Java Cryptography
Extension (JCE) properly installed. I have the following connector
defined (this version explicitly lists ciphers I think should satisfy the
AEAD cipher requirement[2]):

 
 
 
 
 
 

I've mapped the cipher suite names using the OpenSSL cipher suite name
list[3]. I originally started with
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
result, so subsequently tried adding the specific ciphers shown above. The
tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
names may be used[4].

Any suggestions on what I may be doing wrong or for further troubleshooting?

References:
[1] <https://www.ssllabs.com/ssltest/analyze.html>
[2] 
<https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites>
[3] 
<https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES>
[4] 
<https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig>




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

configuring ciphers for SSL Labs server test

[Baron Fujimoto]

I'm trying to improve our grade on SSL Labs SSL server test[1] for our
Tomcat configuraton. Currently, their report caps our grade at B because,
"This server does not support Authenticated encryption (AEAD) cipher
suites". They report that we support the following cipher suites:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
using Java 1.8.0_162, and I believe we have the Java Cryptography
Extension (JCE) properly installed. I have the following connector
defined (this version explicitly lists ciphers I think should satisfy the
AEAD cipher requirement[2]):








I've mapped the cipher suite names using the OpenSSL cipher suite name
list[3]. I originally started with
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
result, so subsequently tried adding the specific ciphers shown above. The
tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
names may be used[4].

Any suggestions on what I may be doing wrong or for further troubleshooting?

References:
[1] <https://www.ssllabs.com/ssltest/analyze.html>
[2] 
<https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites>
[3] 
<https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES>
[4] 
<https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig>

-- 
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Beginner help setting up test vertical cluster

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Keiichi,

On 11/1/17 3:28 AM, Keiichi Fujino wrote:
> Hi Dave.
> 
> Your Interceptor settings are as follows.
> 
> 
>>  > className="org.apache.catalina.tribes.group. 
>> interceptors.TcpFailureDetector"> > className="org.apache.catalina.tribes.group. 
>> interceptors.ThroughputInterceptor" /> > className="org.apache.catalina.tribes.group. 
>> interceptors.StaticMembershipInterceptor"> > className="org.apache. catalina.tribes.membership.StaticMember"
>> domain="clustertest" 
>> uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}">
>>
>> 
> domain="clustertest" host="xxx.xxx.xxx.xxx" port="4001"
>> securePort="-1" 
>> uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}"> 
>>  > className="org.apache.catalina.tribes.group. 
>> interceptors.DomainFilterInterceptor"> > className="org.apache.catalina.tribes.group. 
>> interceptors.MessageDispatchInterceptor">
>> 
>> 
>> 
> You specified domain="clustertest" in , but
> DomainFilterInterceptor does not have a domain setting. If you want
> to filter by domain, you have to set domain="clustertest" to 
> DomainFilterInterceptor. if you do not want to filter by domain,
> you have to remove domain="clustertest" from   or remove
> DomainFilterInterceptor.
> 
> Also, if you use DomainFilterInterceptor with static membership,
> you must list it above StaticMembershipInterceptor.
> 
> e.g. 
> TcpPingInterceptor->TcpFailureDetector->DomainFilterInterceptor->Stati
cMembershipInterceptor
>
> 
or
> DomainFilterInterceptor->TcpPingInterceptor->TcpFailureDetector->Stati
cMembershipInterceptor

Would
> 
it be appropriate for Tomcat to sanity-check some of the
settings above to catch this kind of oversight? Or are there too many
possibilities of valid configuration that it's not possible to
validate in this way?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln6Ht8ACgkQHPApP6U8
pFhr6hAAtLVR0j+C5UorKkIJv1EIBZJcTS+ZDr/69U89ELLf91OKz0K+6mqmgXl/
TGpkKjKPAhDsmR+1uGh7SR89i0jZVMc29plo1qjd0XIYMJtgViGzA841XFN53Ndh
XI2vIVh+XdunxKO4kWzWaAXdUPVmYkKiZ9A8Sc+c5hYkJA9Pa3PzMZoXWBfhcKHM
hbmGyd1wsFCN+1iWrj2Hd9QAIG9v+gNfJvRQ9e773EOorQz3YMrgjIBUSPy5amC9
E/tng/el9x6jv7FaWIHTH2a12OGZAGSldzDV25w3a3tLq5dIzBGzQytYCPUkPpVr
JOaQewjLLEGgfw39v5EwI4Z/WJAzOP+vozmdYRFyxPgvOwHOkWP7CuXEvHszZD9T
Tggir4TLninyU9Hotq6mzsYeWnaF63OHAPECowOhxro7plZjHdBEqEy+kcn2/r+F
CiGhZI4B7B+RqjK62sx2VNIxNPjiPZycSlt7zXkljkBCRQRWSip1JKcXmQjJgeCB
16mB4rYHSDsAezfvD+/3G20V0j1evl5MPSrn/f9bOj4blOIhMi48m1zEGSyihFr3
SiocXLgje+vXWRXX82IoqH6lR2rcGOwvrGfvO5qzQzT7G7OCRShMZNEBqgWclMOh
tqy/ernLtrp7BuGpJpRn0twqK8qlhGlMyr4kYZ7GIcZEdq7hG/0=
=fSTg
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Beginner help setting up test vertical cluster

[Keiichi Fujino]

Hi Dave.

Your Interceptor settings are as follows.


> 
> 
> 
> 
>uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}">
>className="org.apache.catalina.tribes.membership.StaticMember"
> domain="clustertest" host="xxx.xxx.xxx.xxx" port="4001" securePort="-1"
> uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}">
> 
> 
> 
>
>
>
You specified domain="clustertest" in , but DomainFilterInterceptor
does not have a domain setting.
If you want to filter by domain, you have to set domain="clustertest" to
DomainFilterInterceptor.
if you do not want to filter by domain, you have to remove
domain="clustertest" from   or remove DomainFilterInterceptor.

Also, if you use DomainFilterInterceptor with static membership, you must
list it above StaticMembershipInterceptor.

e.g.
TcpPingInterceptor->TcpFailureDetector->DomainFilterInterceptor->StaticMembershipInterceptor
or
DomainFilterInterceptor->TcpPingInterceptor->TcpFailureDetector->StaticMembershipInterceptor


-- 
Keiichi.Fujino

Re: Beginner help setting up test vertical cluster

[Dave Ford]

On Mon, 2017-10-30 at 09:15 -0400, Christopher Schultz wrote:
> Dave,
> 
> Can you please post your  and associated elements from
> conf/server.xml -- minus any secrets that may have crept in there?
> Also, what does your network look like? Any intermediates such as
> load
> balancers/firewalls? What about software firewalls?

Hi Chris - thanks for responding. 

This is all running withing a single machine with no firewall, so
nothing should be getting in the way network wise. 

Here's the my server.xml from one of the instances, with the comments
removed and IPs and Hostnames removed also. The IPs/Hostnames are the
same on the other server.xml, with just the Member and StaticMember
UniqueIDs and port number entries appropriately reversed. 

Dave

--


  
  
  
  
  
  

  
  



  

  
  

  
  


  





  
  



  
  
  
  
  


  

  

Re: Beginner help setting up test vertical cluster

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dave,

On 10/30/17 6:19 AM, Dave Ford wrote:
> Hello,
> 
> I should apologise in advance as I'm very new to Tomcat and, I'm
> sure, will be making some daft mistakes and silly errors. I hope
> this question and any that follow it aren't too dumb.
> 
> I've recently started a new job and have inherited a half-finished 
> tomcat cluster on solaris.
> 
> While I'm not going to immediately try and finish that cluster, I
> would like to try setting up some test instances to ensure I know
> what to expect - but I'm having trouble doing even this.
> 
> I've gotten my head round how to set up individual instances of
> Tomcat 8.5.23 running from different sub folders of a common
> CATALINA_HOME folder, and now I'm trying to get the two instances
> to talk to each other using StaticMember on specific ports rather
> than the automatic multicasting.
> 
> But instances start up, and the logs at least suggest they're aware
> of each other. But one server takes forever to start, and I'm not 
> convinced they're talking to each other properly.  For example, in
> the catalina.out logs I'm seeing messages such as:
> 
> 
> 30-Oct-2017 09:28:29.632 INFO [MyHost-startStop-1] 
> org.apache.catalina.ha.session.DeltaManager.getAllClusterSessions 
> Manager [/sample], requesting session state from 
> [org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.addr:4
0
>
> 
01,my.ip.addr,4001, alive=0, securePort=-1, UDP Port=-1, id={1 2 3 4 5
> 6 7 8 9 10 11 12 13 14 15 0 }, payload={}, command={}, domain={99
> 108 117 115 116 101 114 116 101 ...(11)}, ]]. This operation will
> timeout if no session state has been received within [60] seconds. 
> 30-Oct-2017 09:28:34.111 WARNING
> [Tribes-Task-Receiver[MyHost-Channel]- 2] 
> org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor.
m
>
> 
essageReceived Received message from
> cluster[org.apache.catalina.tribes.membership.MemberImpl[tcp://{my,
> ip, nn, nn}:4001,{my, ip, nn, nn},4001, alive=1509355714104,
> securePort=- 1, UDP Port=-1, id={1 2 3 4 5 6 7 8 9 10 11 12 13 14
> 15 0 }, payload={}, command={}, domain={99 108 117 115 116 101 114
> 116 101 ...(11)}, ]] was refused.
> 
> Which does not seem encouraging.  Yet on the other instance, I'm 
> seeing:
> 
> 30-Oct-2017 09:28:34.105 INFO
> [GroupChannel-Heartbeat[MyHost-Channel]- 1]
> org.apache.catalina.ha.tcp.SimpleTcpCluster.memberAdded
> Replication member 
> added:[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.
a
>
> 
ddr:4000,my.ip.addr,4000, alive=0, securePort=-1, UDP Port=-1, id={0 1
> 2 3 4 5 6 7 8 9 10 11 12 13 14 15 }, payload={}, command={},
> domain={99 108 117 115 116 101 114 116 101 ...(11)}, ]] 30-Oct-2017
> 09:28:34.105 INFO [GroupChannel-Heartbeat[MyHost-Channel]- 1] 
> org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.perfo
r
>
> 
mBasicCheck Suspect member, confirmed
> alive.[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.
a
>
> 
ddr:4000,my.ip.addr,4000, alive=0, securePort=-1, UDP Port=-1, id={0 1
> 2 3 4 5 6 7 8 9 10 11 12 13 14 15 }, payload={}, command={},
> domain={99 108 117 115 116 101 114 116 101 ...(11)}, ]]
> 
> Which seems better... But then I see back on instance one,
> 
> 30-Oct-2017 09:32:30.178 INFO [main] 
> org.apache.catalina.startup.Catalina.start Server startup in 241109
> ms
> 
> Which seems really bad.
> 
> I've installed the 'examples' app on both instances, have added 
> '' to both's web.xml file.
> 
> I can see on one instance a message such as
> 
> 30-Oct-2017 09:35:22.600 INFO [http-nio-8081-exec-7] 
> org.apache.catalina.core.ApplicationContext.log SessionListener: 
> sessionCreated('C2C3720879E72D558EEF4B0655188EBD.beta') 30-Oct-2017
> 09:35:26.912 INFO [http-nio-8081-exec-8] 
> org.apache.catalina.core.ApplicationContext.log SessionListener: 
> attributeAdded('C2C3720879E72D558EEF4B0655188EBD.beta', 'foo',
> 'bar')
> 
> When I play with the sessions example code. But nothing on the
> other instance that would suggest this is being replicated.
> 
> Before I make this post too long and post my server.xml code,
> could someone advise me as to what I should be looking for, or what
> these messages suggest?  Any pointers at this stage would be
> grateful as I'm unsure even what a working cluster should look
> like.

Can you please post your  and associated elements from
conf/server.xml -- minus any secrets that may have crept in there?
Also, what does your network look like? Any intermediates such as load
balancers/firewalls? What about software firewalls?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://w

Beginner help setting up test vertical cluster

[Dave Ford]

Hello, 

I should apologise in advance as I'm very new to Tomcat and, I'm sure,
will be making some daft mistakes and silly errors. I hope this
question and any that follow it aren't too dumb.

I've recently started a new job and have inherited a half-finished
tomcat cluster on solaris.

While I'm not going to immediately try and finish that cluster, I would
like to try setting up some test instances to ensure I know what to
expect - but I'm having trouble doing even this. 

I've gotten my head round how to set up individual instances of Tomcat
8.5.23 running from different sub folders of a common CATALINA_HOME
folder, and now I'm trying to get the two instances to talk to each
other using StaticMember on specific ports rather than the automatic
multicasting.

But instances start up, and the logs at least suggest they're aware of
each other. But one server takes forever to start, and I'm not
convinced they're talking to each other properly.  For example, in the
catalina.out logs I'm seeing messages such as:


30-Oct-2017 09:28:29.632 INFO [MyHost-startStop-1]
org.apache.catalina.ha.session.DeltaManager.getAllClusterSessions
Manager [/sample], requesting session state from
[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.addr:40
01,my.ip.addr,4001, alive=0, securePort=-1, UDP Port=-1, id={1 2 3 4 5
6 7 8 9 10 11 12 13 14 15 0 }, payload={}, command={}, domain={99 108
117 115 116 101 114 116 101 ...(11)}, ]]. This operation will timeout
if no session state has been received within [60] seconds.
30-Oct-2017 09:28:34.111 WARNING [Tribes-Task-Receiver[MyHost-Channel]-
2]
org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor.m
essageReceived Received message from
cluster[org.apache.catalina.tribes.membership.MemberImpl[tcp://{my, ip,
nn, nn}:4001,{my, ip, nn, nn},4001, alive=1509355714104, securePort=-
1, 
UDP Port=-1, id={1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 }, payload={},
command={}, domain={99 108 117 115 116 101 114 116 101 ...(11)}, ]] was
refused.

Which does not seem encouraging.  Yet on the other instance, I'm
seeing:

30-Oct-2017 09:28:34.105 INFO [GroupChannel-Heartbeat[MyHost-Channel]-
1] org.apache.catalina.ha.tcp.SimpleTcpCluster.memberAdded Replication
member
added:[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.a
ddr:4000,my.ip.addr,4000, alive=0, securePort=-1, UDP Port=-1, id={0 1
2 3 4 5 6 7 8 9 10 11 12 13 14 15 }, payload={}, command={}, domain={99
108 117 115 116 101 114 116 101 ...(11)}, ]]
30-Oct-2017 09:28:34.105 INFO [GroupChannel-Heartbeat[MyHost-Channel]-
1]
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.perfor
mBasicCheck Suspect member, confirmed
alive.[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.a
ddr:4000,my.ip.addr,4000, alive=0, securePort=-1, UDP Port=-1, id={0 1
2 3 4 5 6 7 8 9 10 11 12 13 14 15 }, payload={}, command={}, domain={99
108 117 115 116 101 114 116 101 ...(11)}, ]]

Which seems better... But then I see back on instance one, 

30-Oct-2017 09:32:30.178 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 241109 ms

Which seems really bad. 

I've installed the 'examples' app on both instances, have added
'' to both's web.xml file. 

I can see on one instance a message such as 

30-Oct-2017 09:35:22.600 INFO [http-nio-8081-exec-7]
org.apache.catalina.core.ApplicationContext.log SessionListener:
sessionCreated('C2C3720879E72D558EEF4B0655188EBD.beta')
30-Oct-2017 09:35:26.912 INFO [http-nio-8081-exec-8]
org.apache.catalina.core.ApplicationContext.log SessionListener:
attributeAdded('C2C3720879E72D558EEF4B0655188EBD.beta', 'foo', 'bar')

When I play with the sessions example code. But nothing on the other
instance that would suggest this is being replicated. 

Before I make this post too long and post my server.xml code, could
someone advise me as to what I should be looking for, or what these
messages suggest?  Any pointers at this stage would be grateful as I'm
unsure even what a working cluster should look like.

Thanks 
Dave
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Join WebEx meeting in progress: Test v2

[Mark Thomas]

On 03/08/17 12:09, Mark Thomas wrote:
> Hello,
> My WebEx meeting is in progress.

Sorry folks. PLease ignore this.

Mark


> 
>  
> 
> *Test v2*
> Thursday, 3 August 2017
> 12:09  |  GMT Summer Time (London, GMT+01:00)  |  1 hr
> 
> Meeting number: 314 070 218
> 
>  
> Join Meeting
> <https://pivotal.webex.com/pivotal/e.php?MTID=mf67360b0c9cb219d96a2000a2fcfd729>
> 
> 
>   
>  
> 
>  
> 
>  
> 
> Can't join the meeting? <https://help.webex.com/docs/DOC-5412>
> 
>  
> 
> IMPORTANT NOTICE: Please note that this WebEx service allows audio and
> other information sent during the session to be recorded, which may be
> discoverable in a legal matter. By joining this session, you
> automatically consent to such recordings. If you do not consent to being
> recorded, discuss your concerns with the host or do not join the session.
> 
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Join WebEx meeting in progress: Test v2

[Mark Thomas]

Hello,
My WebEx meeting is in progress.



Test v2
Thursday, 3 August 2017
12:09  |  GMT Summer Time (London, GMT+01:00)  |  1 hr
Meeting number: 314 070 218 


Join Meeting
https://pivotal.webex.com/pivotal/e.php?MTID=mf67360b0c9cb219d96a2000a2fcfd729


Can't join the meeting?
https://help.webex.com/docs/DOC-5412


IMPORTANT NOTICE: Please note that this WebEx service allows audio and other 
information sent during the session to be recorded, which may be discoverable 
in a legal matter. By joining this session, you automatically consent to such 
recordings. If you do not consent to being recorded, discuss your concerns with 
the host or do not join the session.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat ant test failure due to java exception.

[Mark Thomas]

On 02/05/2017 04:24, Arjit Gupta wrote:
> Hi Mark,
> 
> Below is the full stack trace of errors.
> 
> java.lang.AssertionError: Option not found
> at sun.nio.ch.Net.setSocketOption(Net.java:352)
> at
> sun.nio.ch.SocketChannelImpl.setOption(SocketChannelImpl.java:179)
> at sun.nio.ch.SocketAdaptor.setIntOption(SocketAdaptor.java:305)
> at sun.nio.ch.SocketAdaptor.setTrafficClass(SocketAdaptor.java:405)

That method is part of the public API for java.net.Socket and has been
since Java 1.4.

The only documented exceptions are SocketException and
IllegalArgumentException.

AssertionError should not be thrown there. That is a JRE bug and should
be reported to your JRE vendor.



> at
> org.apache.catalina.tribes.transport.nio.NioSender.configureSocket(NioSender.java:146)

Since this is happening during the tests, you can exclude the failing
tests use the test.exclude property. See BUILDING.txt for details.

Mark


> 
> Arjit Kumar
> 
> On Sun, Apr 30, 2017 at 4:36 PM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 29/04/17 03:47, Arjit Gupta wrote:
>>> Hi,
>>>
>>> I am building tomcat 7.0.77 with java7 on HP-UX(OS) itanium(IA64)
>> processor.
>>> After building it successful I am running *ant test*.
>>> Multiple tests are failing due to below exception.
>>>
>>> *Exception in thread "Thread-18" java.lang.AssertionError: Option not
>> found*
>>
>> Full stack trace for one of those errors?
>>
>> Mark
>>
>>
>>>
>>> Fail test cases are:-
>>> 175
>>>  TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnecti
>> ons.BIO.txt:Tests
>>> run: 3, Failures: 3, Errors: 0, Time elapsed: 9.213 sec
>>> 176
>>>  TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnecti
>> ons.NIO.txt:Tests
>>> run: 3, Failures: 3, Errors: 0, Time elapsed: 9.572 sec
>>> 183
>>>  TEST-org.apache.catalina.tribes.group.interceptors.
>> TestNonBlockingCoordinator.BIO.txt:Tests
>>> run: 2, Failures: 2, Errors: 0, Time elapsed: 43.762 sec
>>> 184
>>>  TEST-org.apache.catalina.tribes.group.interceptors.
>> TestNonBlockingCoordinator.NIO.txt:Tests
>>> run: 2, Failures: 2, Errors: 0, Time elapsed: 43.897 sec
>>> 185
>>>  TEST-org.apache.catalina.tribes.group.interceptors.
>> TestOrderInterceptor.BIO.txt:Tests
>>> run: 2, Failures: 2, Errors: 0, Time elapsed: 30.797 sec
>>> 186
>>>  TEST-org.apache.catalina.tribes.group.interceptors.
>> TestOrderInterceptor.NIO.txt:Tests
>>> run: 2, Failures: 2, Errors: 0, Time elapsed: 31.078 sec
>>> 187
>>>  TEST-org.apache.catalina.tribes.group.interceptors.
>> TestTcpFailureDetector.BIO.txt:Tests
>>> run: 3, Failures: 2, Errors: 0, Time elapsed: 27.097 sec
>>> 188
>>>  TEST-org.apache.catalina.tribes.group.interceptors.
>> TestTcpFailureDetector.NIO.txt:Tests
>>> run: 3, Failures: 2, Errors: 0, Time elapsed: 33.172 sec
>>> 359  TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt:Tests run:
>> 5,
>>> Failures: 0, Errors: 5, Time elapsed: 7.45 sec
>>> 360  TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt:Tests run:
>> 5,
>>> Failures: 0, Errors: 5, Time elapsed: 8.081 sec
>>> 361  TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:Tests run: 3,
>>> Failures: 0, Errors: 3, Time elapsed: 7.54 sec
>>> 362  TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:Tests run: 3,
>>> Failures: 0, Errors: 3, Time elapsed: 8.156 sec
>>> 363  TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Tests run: 4,
>>> Failures: 0, Errors: 3, Time elapsed: 8.117 sec
>>> 364  TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Tests run: 4,
>>> Failures: 0, Errors: 3, Time elapsed: 8.933 sec
>>>
>>> Arjit Kumar
>>>
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat ant test failure due to java exception.

[Arjit Gupta]

Hi Mark,

Below is the full stack trace of errors.

java.lang.AssertionError: Option not found
at sun.nio.ch.Net.setSocketOption(Net.java:352)
at
sun.nio.ch.SocketChannelImpl.setOption(SocketChannelImpl.java:179)
at sun.nio.ch.SocketAdaptor.setIntOption(SocketAdaptor.java:305)
at sun.nio.ch.SocketAdaptor.setTrafficClass(SocketAdaptor.java:405)
at
org.apache.catalina.tribes.transport.nio.NioSender.configureSocket(NioSender.java:146)
at
org.apache.catalina.tribes.transport.nio.NioSender.connect(NioSender.java:247)
at
org.apache.catalina.tribes.transport.nio.ParallelNioSender.connect(ParallelNioSender.java:201)
at
org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:78)
at
org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:54)
at
org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:81)
at
org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:79)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:79)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:79)
at
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:93)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:79)
at
org.apache.catalina.tribes.group.interceptors.NonBlockingCoordinator.sendElectionMsg(NonBlockingCoordinator.java:255)
at
org.apache.catalina.tribes.group.interceptors.NonBlockingCoordinator.startElection(NonBlockingCoordinator.java:222)
at
org.apache.catalina.tribes.group.interceptors.NonBlockingCoordinator.memberDisappeared(NonBlockingCoordinator.java:545)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.memberDisappeared(ChannelInterceptorBase.java:100)
at
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.memberDisappeared(TcpFailureDetector.java:158)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.memberDisappeared(ChannelInterceptorBase.java:100)
at
org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor.memberDisappeared(DomainFilterInterceptor.java:84)
at
org.apache.catalina.tribes.group.ChannelInterceptorBase.memberDisappeared(ChannelInterceptorBase.java:100)
at
org.apache.catalina.tribes.group.ChannelCoordinator.memberDisappeared(ChannelCoordinator.java:267)
at
org.apache.catalina.tribes.membership.McastService.memberDisappeared(McastService.java:562)
at
org.apache.catalina.tribes.membership.McastServiceImpl$1.run(McastServiceImpl.java:376)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)


Arjit Kumar

On Sun, Apr 30, 2017 at 4:36 PM, Mark Thomas <ma...@apache.org> wrote:

> On 29/04/17 03:47, Arjit Gupta wrote:
> > Hi,
> >
> > I am building tomcat 7.0.77 with java7 on HP-UX(OS) itanium(IA64)
> processor.
> > After building it successful I am running *ant test*.
> > Multiple tests are failing due to below exception.
> >
> > *Exception in thread "Thread-18" java.lang.AssertionError: Option not
> found*
>
> Full stack trace for one of those errors?
>
> Mark
>
>
> >
> > Fail test cases are:-
> > 175
> >  TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnecti
> ons.BIO.txt:Tests
> > run: 3, Failures: 3, Errors: 0, Time elapsed: 9.213 sec
> > 176
> >  TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnecti
> ons.NIO.txt:Tests
> > run: 3, Failures: 3, Errors: 0, Time elapsed: 9.572 sec
> > 183
> >  TEST-org.apache.catalina.tribes.group.interceptors.
> TestNonBlockingCoordinator.BIO.txt:Tests
> > run: 2, Failures: 2, Errors: 0, Time elapsed: 43.762 sec
> > 184
> >  TEST-org.apache.catalina.tribes.group.interceptors.
> TestNonBlockingCoordinator.NIO.txt:Tests
> > run: 2, Failures: 2, Errors: 0, Time elapsed: 43.897 sec
> > 185
> >  TEST-org.apache.catalina.tribes.group.interceptors.
> TestOrderInterceptor.BIO.txt:Tests
> > run: 2, Failures: 2, Errors: 0, Time elapsed: 30.797 sec
> > 186
> >  TEST-org.apache.catalina.tribes.group.interceptors.
> TestOrderInterceptor.NIO.txt:Tests
> > run: 2, Failures: 2, Errors: 0, Time elapsed: 31.078 sec
> > 187
> >  TEST-org.apache.catalina.tribes.group.interceptors.
> TestTcpFailureDetector.BIO.txt:Tests
&

Re: tomcat ant test failure due to java exception.

[Mark Thomas]

On 29/04/17 03:47, Arjit Gupta wrote:
> Hi,
> 
> I am building tomcat 7.0.77 with java7 on HP-UX(OS) itanium(IA64) processor.
> After building it successful I am running *ant test*.
> Multiple tests are failing due to below exception.
> 
> *Exception in thread "Thread-18" java.lang.AssertionError: Option not found*

Full stack trace for one of those errors?

Mark


> 
> Fail test cases are:-
> 175
>  
> TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.BIO.txt:Tests
> run: 3, Failures: 3, Errors: 0, Time elapsed: 9.213 sec
> 176
>  
> TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.NIO.txt:Tests
> run: 3, Failures: 3, Errors: 0, Time elapsed: 9.572 sec
> 183
>  
> TEST-org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.BIO.txt:Tests
> run: 2, Failures: 2, Errors: 0, Time elapsed: 43.762 sec
> 184
>  
> TEST-org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.NIO.txt:Tests
> run: 2, Failures: 2, Errors: 0, Time elapsed: 43.897 sec
> 185
>  
> TEST-org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.BIO.txt:Tests
> run: 2, Failures: 2, Errors: 0, Time elapsed: 30.797 sec
> 186
>  
> TEST-org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO.txt:Tests
> run: 2, Failures: 2, Errors: 0, Time elapsed: 31.078 sec
> 187
>  
> TEST-org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.BIO.txt:Tests
> run: 3, Failures: 2, Errors: 0, Time elapsed: 27.097 sec
> 188
>  
> TEST-org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.NIO.txt:Tests
> run: 3, Failures: 2, Errors: 0, Time elapsed: 33.172 sec
> 359  TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt:Tests run: 5,
> Failures: 0, Errors: 5, Time elapsed: 7.45 sec
> 360  TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt:Tests run: 5,
> Failures: 0, Errors: 5, Time elapsed: 8.081 sec
> 361  TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:Tests run: 3,
> Failures: 0, Errors: 3, Time elapsed: 7.54 sec
> 362  TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:Tests run: 3,
> Failures: 0, Errors: 3, Time elapsed: 8.156 sec
> 363  TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Tests run: 4,
> Failures: 0, Errors: 3, Time elapsed: 8.117 sec
> 364  TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Tests run: 4,
> Failures: 0, Errors: 3, Time elapsed: 8.933 sec
> 
> Arjit Kumar
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

tomcat ant test failure due to java exception.

[Arjit Gupta]

Hi,

I am building tomcat 7.0.77 with java7 on HP-UX(OS) itanium(IA64) processor.
After building it successful I am running *ant test*.
Multiple tests are failing due to below exception.

*Exception in thread "Thread-18" java.lang.AssertionError: Option not found*

Fail test cases are:-
175
 
TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.BIO.txt:Tests
run: 3, Failures: 3, Errors: 0, Time elapsed: 9.213 sec
176
 
TEST-org.apache.catalina.tribes.group.TestGroupChannelSenderConnections.NIO.txt:Tests
run: 3, Failures: 3, Errors: 0, Time elapsed: 9.572 sec
183
 
TEST-org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.BIO.txt:Tests
run: 2, Failures: 2, Errors: 0, Time elapsed: 43.762 sec
184
 
TEST-org.apache.catalina.tribes.group.interceptors.TestNonBlockingCoordinator.NIO.txt:Tests
run: 2, Failures: 2, Errors: 0, Time elapsed: 43.897 sec
185
 
TEST-org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.BIO.txt:Tests
run: 2, Failures: 2, Errors: 0, Time elapsed: 30.797 sec
186
 
TEST-org.apache.catalina.tribes.group.interceptors.TestOrderInterceptor.NIO.txt:Tests
run: 2, Failures: 2, Errors: 0, Time elapsed: 31.078 sec
187
 
TEST-org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.BIO.txt:Tests
run: 3, Failures: 2, Errors: 0, Time elapsed: 27.097 sec
188
 
TEST-org.apache.catalina.tribes.group.interceptors.TestTcpFailureDetector.NIO.txt:Tests
run: 3, Failures: 2, Errors: 0, Time elapsed: 33.172 sec
359  TEST-org.apache.tomcat.util.net.TestClientCert.BIO.txt:Tests run: 5,
Failures: 0, Errors: 5, Time elapsed: 7.45 sec
360  TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt:Tests run: 5,
Failures: 0, Errors: 5, Time elapsed: 8.081 sec
361  TEST-org.apache.tomcat.util.net.TestCustomSsl.BIO.txt:Tests run: 3,
Failures: 0, Errors: 3, Time elapsed: 7.54 sec
362  TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt:Tests run: 3,
Failures: 0, Errors: 3, Time elapsed: 8.156 sec
363  TEST-org.apache.tomcat.util.net.TestSsl.BIO.txt:Tests run: 4,
Failures: 0, Errors: 3, Time elapsed: 8.117 sec
364  TEST-org.apache.tomcat.util.net.TestSsl.NIO.txt:Tests run: 4,
Failures: 0, Errors: 3, Time elapsed: 8.933 sec

Arjit Kumar

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[tomcat]

Thanks for feedback.

On 29.11.2016 15:43, Szymon Czaja wrote:

Hi Andre,
I have not run all my tests yet but it looks like you were correct. The
Amazon load balancer appears to have been the culprit. I will let you know
if it turns out otherwise.

Thank you for pushing me to take the load balancer out.

Cheers!
Szymon

On 28 November 2016 at 13:45, Szymon Czaja <szymonpiotrcz...@gmail.com>
wrote:


Completely agree. I am in the process of setting up a direct connection to
Tomcat bypassing load balancer. Will give an update soon.

Szymon

On 28 November 2016 at 13:40, André Warnier (tomcat) <a...@ice-sa.com>
wrote:


On 28.11.2016 14:10, Szymon Czaja wrote:


I will run a test in the meantime to check but this is very much
unlikely,
I can see on the Amazon console that the load balancer CPU is hardly
doing
anything with peaks at 2%. Let's assume load balancer is not an issue.



I am not saying that the proxy cannot handle it. But maybe it is limiting
the number of connections that it forwards, if they are all coming from the
same client IP ?
(Avoid DoS attacks, that kind of thing..)
Still a guess. But netstat on both sides may be telling you more.

If it is tomcat that could not handle the load, then you'd probably still
see the same number of connections on the tomcat server side, at the TCP
level.
That tomcat would be able to "service" these connections is another
matter, but the connections themselves should be there.




Szymon

On 28 November 2016 at 12:29, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

On 28.11.2016 12:52, Szymon Czaja wrote:


Hi,

I have updated my question on SO. I have noticed that the number of
ESTABLISHED connections goes up on the client after few minutes. I
expected
the same on the server which does not seem to be the case. Any ideas?



Just a guess without looking very deep into your data : you say
somewhere
that the requests go through a proxy. Maybe the client "established" TCP
connections are with that proxy, while the ones you see on the tomcat
server are the connections from the proxy ?
(In other words, it is the proxy that is the bottleneck ?)




Szymon


On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:

On 28/11/2016 09:53, Szymon Czaja wrote:



Hi,

I have asked the question on StackOverflow but I am not getting much
response:

http://stackoverflow.com/questions/40793335/why-tomcat-
does-not-pass-a-tsung-performance-test-at-40-requests-per-second

Could anyone help me understand why is Tomcat unable to keep up with
the
processing when running Tsung yet Apache Bench tests do not relveal
any
scalability issues?



I'd recommend taking some thread dumps and looking at netstat output
to
try and figure out what is going on.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org









-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[Szymon Czaja]

Hi Andre,
I have not run all my tests yet but it looks like you were correct. The
Amazon load balancer appears to have been the culprit. I will let you know
if it turns out otherwise.

Thank you for pushing me to take the load balancer out.

Cheers!
Szymon

On 28 November 2016 at 13:45, Szymon Czaja <szymonpiotrcz...@gmail.com>
wrote:

> Completely agree. I am in the process of setting up a direct connection to
> Tomcat bypassing load balancer. Will give an update soon.
>
> Szymon
>
> On 28 November 2016 at 13:40, André Warnier (tomcat) <a...@ice-sa.com>
> wrote:
>
>> On 28.11.2016 14:10, Szymon Czaja wrote:
>>
>>> I will run a test in the meantime to check but this is very much
>>> unlikely,
>>> I can see on the Amazon console that the load balancer CPU is hardly
>>> doing
>>> anything with peaks at 2%. Let's assume load balancer is not an issue.
>>>
>>
>> I am not saying that the proxy cannot handle it. But maybe it is limiting
>> the number of connections that it forwards, if they are all coming from the
>> same client IP ?
>> (Avoid DoS attacks, that kind of thing..)
>> Still a guess. But netstat on both sides may be telling you more.
>>
>> If it is tomcat that could not handle the load, then you'd probably still
>> see the same number of connections on the tomcat server side, at the TCP
>> level.
>> That tomcat would be able to "service" these connections is another
>> matter, but the connections themselves should be there.
>>
>>
>>
>>> Szymon
>>>
>>> On 28 November 2016 at 12:29, André Warnier (tomcat) <a...@ice-sa.com>
>>> wrote:
>>>
>>> On 28.11.2016 12:52, Szymon Czaja wrote:
>>>>
>>>> Hi,
>>>>> I have updated my question on SO. I have noticed that the number of
>>>>> ESTABLISHED connections goes up on the client after few minutes. I
>>>>> expected
>>>>> the same on the server which does not seem to be the case. Any ideas?
>>>>>
>>>>>
>>>> Just a guess without looking very deep into your data : you say
>>>> somewhere
>>>> that the requests go through a proxy. Maybe the client "established" TCP
>>>> connections are with that proxy, while the ones you see on the tomcat
>>>> server are the connections from the proxy ?
>>>> (In other words, it is the proxy that is the bottleneck ?)
>>>>
>>>>
>>>>
>>>>
>>>> Szymon
>>>>>
>>>>> On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:
>>>>>
>>>>> On 28/11/2016 09:53, Szymon Czaja wrote:
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>> I have asked the question on StackOverflow but I am not getting much
>>>>>>> response:
>>>>>>>
>>>>>>> http://stackoverflow.com/questions/40793335/why-tomcat-
>>>>>>> does-not-pass-a-tsung-performance-test-at-40-requests-per-second
>>>>>>>
>>>>>>> Could anyone help me understand why is Tomcat unable to keep up with
>>>>>>> the
>>>>>>> processing when running Tsung yet Apache Bench tests do not relveal
>>>>>>> any
>>>>>>> scalability issues?
>>>>>>>
>>>>>>>
>>>>>> I'd recommend taking some thread dumps and looking at netstat output
>>>>>> to
>>>>>> try and figure out what is going on.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>> -
>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>> -
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>
>>>>
>>>>
>>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[Szymon Czaja]

Completely agree. I am in the process of setting up a direct connection to
Tomcat bypassing load balancer. Will give an update soon.

Szymon

On 28 November 2016 at 13:40, André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 28.11.2016 14:10, Szymon Czaja wrote:
>
>> I will run a test in the meantime to check but this is very much unlikely,
>> I can see on the Amazon console that the load balancer CPU is hardly doing
>> anything with peaks at 2%. Let's assume load balancer is not an issue.
>>
>
> I am not saying that the proxy cannot handle it. But maybe it is limiting
> the number of connections that it forwards, if they are all coming from the
> same client IP ?
> (Avoid DoS attacks, that kind of thing..)
> Still a guess. But netstat on both sides may be telling you more.
>
> If it is tomcat that could not handle the load, then you'd probably still
> see the same number of connections on the tomcat server side, at the TCP
> level.
> That tomcat would be able to "service" these connections is another
> matter, but the connections themselves should be there.
>
>
>
>> Szymon
>>
>> On 28 November 2016 at 12:29, André Warnier (tomcat) <a...@ice-sa.com>
>> wrote:
>>
>> On 28.11.2016 12:52, Szymon Czaja wrote:
>>>
>>> Hi,
>>>> I have updated my question on SO. I have noticed that the number of
>>>> ESTABLISHED connections goes up on the client after few minutes. I
>>>> expected
>>>> the same on the server which does not seem to be the case. Any ideas?
>>>>
>>>>
>>> Just a guess without looking very deep into your data : you say somewhere
>>> that the requests go through a proxy. Maybe the client "established" TCP
>>> connections are with that proxy, while the ones you see on the tomcat
>>> server are the connections from the proxy ?
>>> (In other words, it is the proxy that is the bottleneck ?)
>>>
>>>
>>>
>>>
>>> Szymon
>>>>
>>>> On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>> On 28/11/2016 09:53, Szymon Czaja wrote:
>>>>
>>>>>
>>>>> Hi,
>>>>>> I have asked the question on StackOverflow but I am not getting much
>>>>>> response:
>>>>>>
>>>>>> http://stackoverflow.com/questions/40793335/why-tomcat-
>>>>>> does-not-pass-a-tsung-performance-test-at-40-requests-per-second
>>>>>>
>>>>>> Could anyone help me understand why is Tomcat unable to keep up with
>>>>>> the
>>>>>> processing when running Tsung yet Apache Bench tests do not relveal
>>>>>> any
>>>>>> scalability issues?
>>>>>>
>>>>>>
>>>>> I'd recommend taking some thread dumps and looking at netstat output to
>>>>> try and figure out what is going on.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>> -
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[tomcat]

On 28.11.2016 14:10, Szymon Czaja wrote:

I will run a test in the meantime to check but this is very much unlikely,
I can see on the Amazon console that the load balancer CPU is hardly doing
anything with peaks at 2%. Let's assume load balancer is not an issue.


I am not saying that the proxy cannot handle it. But maybe it is limiting the number of 
connections that it forwards, if they are all coming from the same client IP ?

(Avoid DoS attacks, that kind of thing..)
Still a guess. But netstat on both sides may be telling you more.

If it is tomcat that could not handle the load, then you'd probably still see the same 
number of connections on the tomcat server side, at the TCP level.
That tomcat would be able to "service" these connections is another matter, but the 
connections themselves should be there.




Szymon

On 28 November 2016 at 12:29, André Warnier (tomcat) <a...@ice-sa.com> wrote:


On 28.11.2016 12:52, Szymon Czaja wrote:


Hi,
I have updated my question on SO. I have noticed that the number of
ESTABLISHED connections goes up on the client after few minutes. I
expected
the same on the server which does not seem to be the case. Any ideas?



Just a guess without looking very deep into your data : you say somewhere
that the requests go through a proxy. Maybe the client "established" TCP
connections are with that proxy, while the ones you see on the tomcat
server are the connections from the proxy ?
(In other words, it is the proxy that is the bottleneck ?)





Szymon

On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:

On 28/11/2016 09:53, Szymon Czaja wrote:



Hi,
I have asked the question on StackOverflow but I am not getting much
response:

http://stackoverflow.com/questions/40793335/why-tomcat-
does-not-pass-a-tsung-performance-test-at-40-requests-per-second

Could anyone help me understand why is Tomcat unable to keep up with the
processing when running Tsung yet Apache Bench tests do not relveal any
scalability issues?



I'd recommend taking some thread dumps and looking at netstat output to
try and figure out what is going on.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[Szymon Czaja]

I will run a test in the meantime to check but this is very much unlikely,
I can see on the Amazon console that the load balancer CPU is hardly doing
anything with peaks at 2%. Let's assume load balancer is not an issue.

Szymon

On 28 November 2016 at 12:29, André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 28.11.2016 12:52, Szymon Czaja wrote:
>
>> Hi,
>> I have updated my question on SO. I have noticed that the number of
>> ESTABLISHED connections goes up on the client after few minutes. I
>> expected
>> the same on the server which does not seem to be the case. Any ideas?
>>
>
> Just a guess without looking very deep into your data : you say somewhere
> that the requests go through a proxy. Maybe the client "established" TCP
> connections are with that proxy, while the ones you see on the tomcat
> server are the connections from the proxy ?
> (In other words, it is the proxy that is the bottleneck ?)
>
>
>
>
>> Szymon
>>
>> On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:
>>
>> On 28/11/2016 09:53, Szymon Czaja wrote:
>>>
>>>> Hi,
>>>> I have asked the question on StackOverflow but I am not getting much
>>>> response:
>>>>
>>>> http://stackoverflow.com/questions/40793335/why-tomcat-
>>>> does-not-pass-a-tsung-performance-test-at-40-requests-per-second
>>>>
>>>> Could anyone help me understand why is Tomcat unable to keep up with the
>>>> processing when running Tsung yet Apache Bench tests do not relveal any
>>>> scalability issues?
>>>>
>>>
>>> I'd recommend taking some thread dumps and looking at netstat output to
>>> try and figure out what is going on.
>>>
>>> Mark
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[tomcat]

On 28.11.2016 12:52, Szymon Czaja wrote:

Hi,
I have updated my question on SO. I have noticed that the number of
ESTABLISHED connections goes up on the client after few minutes. I expected
the same on the server which does not seem to be the case. Any ideas?


Just a guess without looking very deep into your data : you say somewhere that the 
requests go through a proxy. Maybe the client "established" TCP connections are with that 
proxy, while the ones you see on the tomcat server are the connections from the proxy ?

(In other words, it is the proxy that is the bottleneck ?)




Szymon

On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:


On 28/11/2016 09:53, Szymon Czaja wrote:

Hi,
I have asked the question on StackOverflow but I am not getting much
response:

http://stackoverflow.com/questions/40793335/why-tomcat-
does-not-pass-a-tsung-performance-test-at-40-requests-per-second

Could anyone help me understand why is Tomcat unable to keep up with the
processing when running Tsung yet Apache Bench tests do not relveal any
scalability issues?


I'd recommend taking some thread dumps and looking at netstat output to
try and figure out what is going on.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[Szymon Czaja]

Hi,
I have updated my question on SO. I have noticed that the number of
ESTABLISHED connections goes up on the client after few minutes. I expected
the same on the server which does not seem to be the case. Any ideas?

Szymon

On 28 November 2016 at 10:05, Mark Thomas <ma...@apache.org> wrote:

> On 28/11/2016 09:53, Szymon Czaja wrote:
> > Hi,
> > I have asked the question on StackOverflow but I am not getting much
> > response:
> >
> > http://stackoverflow.com/questions/40793335/why-tomcat-
> > does-not-pass-a-tsung-performance-test-at-40-requests-per-second
> >
> > Could anyone help me understand why is Tomcat unable to keep up with the
> > processing when running Tsung yet Apache Bench tests do not relveal any
> > scalability issues?
>
> I'd recommend taking some thread dumps and looking at netstat output to
> try and figure out what is going on.
>
> Mark
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat not scaling under load - Tsung v Apache Bench test

[Mark Thomas]

On 28/11/2016 09:53, Szymon Czaja wrote:
> Hi,
> I have asked the question on StackOverflow but I am not getting much
> response:
> 
> http://stackoverflow.com/questions/40793335/why-tomcat-
> does-not-pass-a-tsung-performance-test-at-40-requests-per-second
> 
> Could anyone help me understand why is Tomcat unable to keep up with the
> processing when running Tsung yet Apache Bench tests do not relveal any
> scalability issues?

I'd recommend taking some thread dumps and looking at netstat output to
try and figure out what is going on.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat not scaling under load - Tsung v Apache Bench test

[Szymon Czaja]

Hi,
I have asked the question on StackOverflow but I am not getting much
response:

http://stackoverflow.com/questions/40793335/why-tomcat-
does-not-pass-a-tsung-performance-test-at-40-requests-per-second

Could anyone help me understand why is Tomcat unable to keep up with the
processing when running Tsung yet Apache Bench tests do not relveal any
scalability issues?

Thank you,
Szymon

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[Christopher Schultz]

Dimple,

On 11/9/15 3:46 AM, dimple ranka wrote:
> Some help is really appreciated, atleast it will be good to hear if some
> one else is also facing slowness with the tomcat7 server.
> 
> I did some more investigation here and as mentioned earlier saw the
> slowness with tomcat7 is more reproducible when there are some
> cryptographic signature verifications.

I was going to ask about the crypto. One of the only threads actually
doing anything in the thread dump you showed was showing a TLS
handshake. Java's crypto is not very fast compared to native crypto. IF
you are handling TLS from Tomcat, you might want to consider a faster
solution if you do a lot of transactions.

If you have a shortage of entropy on the server, generating new crypto
keys can really slow things down. That could certainly explain the
"first run is fast, later runs are slower" observation. But this has
absolutely nothing to do with Tomcat -- it's all within the JVM so you
shouldn't have noticed a change with a Tomcat upgrade.

> Turning on the StuckThreadDetectionValve with 1 second threshold as
> shown below revealed that there are warning logs with threads stuck
> showing up in the next run of the test. This clearly shows that the
> slowness is due to the threads getting into the blocked state. More
> are in the signature verification but few are in other areas too.
> 
>   className="org.apache.catalina.valves.StuckThreadDetectionValve"
> threshold="1" />
> 
> NOTE - the above test was performed on a low end windows machine. Since the
> granularity of the valve threshold is in seconds was finding it hard to
> reproduce the valve to spit out some logs on the high end server. But the
> test shows that in the second run of the performance test which was run on
> another machine, only then i see the warning logs on the tomcat server.
>
> [snip]
>

> WARNING: Thread "http-nio-8443-exec-55" (id=83) has been active for 1,397
> milliseconds (since 11/7/15 11:06 AM) to serve the same request for
> https://10.55.198.52:8443/Signature/authenticate and may be stuck
> (configured threshold for this StuckThreadDetectionValve is 1 seconds).
> There is/are 1 thread(s) in total that are monitored by this Valve and may
> be stuck.
> java.lang.Throwable
> at sun.security.ec.ECDSASignature.verifySignedDigest(Native Method)
> at sun.security.ec.ECDSASignature.engineVerify(ECDSASignature.java:309)
> at java.security.Signature$Delegate.engineVerify(Signature.java:1192)
> at java.security.Signature.verify(Signature.java:626)
> at signature.SignatureEndPoint.verifyECDSASignature(Unknown Source)
> at signature.SignatureEndPoint.verifySignature(Unknown Source)
> at sun.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> at
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205)
> at
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> at
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> at
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
> at
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
> at
> com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
> at
> com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
> at
> com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at org.ap

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[Dimple Ranka]

On Mon, Nov 9, 2015 at 8:34 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dimple,
>
> On 11/9/15 3:46 AM, dimple ranka wrote:
> > Some help is really appreciated, atleast it will be good to hear if some
> > one else is also facing slowness with the tomcat7 server.
> >
> > I did some more investigation here and as mentioned earlier saw the
> > slowness with tomcat7 is more reproducible when there are some
> > cryptographic signature verifications.
>
> I was going to ask about the crypto. One of the only threads actually
> doing anything in the thread dump you showed was showing a TLS
> handshake. Java's crypto is not very fast compared to native crypto. IF
> you are handling TLS from Tomcat, you might want to consider a faster
> solution if you do a lot of transactions.
>
> If you have a shortage of entropy on the server, generating new crypto
> keys can really slow things down. That could certainly explain the
> "first run is fast, later runs are slower" observation. But this has
> absolutely nothing to do with Tomcat -- it's all within the JVM so you
> shouldn't have noticed a change with a Tomcat upgrade.
>
> ==> We have configured the secure random source as below to avoid the
entropy issue -
securerandom.source=file:/dev/./urandom

> Turning on the StuckThreadDetectionValve with 1 second threshold as
> > shown below revealed that there are warning logs with threads stuck
> > showing up in the next run of the test. This clearly shows that the
> > slowness is due to the threads getting into the blocked state. More
> > are in the signature verification but few are in other areas too.
> >
> >   > className="org.apache.catalina.valves.StuckThreadDetectionValve"
> > threshold="1" />
> >
> > NOTE - the above test was performed on a low end windows machine. Since
> the
> > granularity of the valve threshold is in seconds was finding it hard to
> > reproduce the valve to spit out some logs on the high end server. But the
> > test shows that in the second run of the performance test which was run
> on
> > another machine, only then i see the warning logs on the tomcat server.
> >
> > [snip]
> >
>
> > WARNING: Thread "http-nio-8443-exec-55" (id=83) has been active for 1,397
> > milliseconds (since 11/7/15 11:06 AM) to serve the same request for
> > https://10.55.198.52:8443/Signature/authenticate and may be stuck
> > (configured threshold for this StuckThreadDetectionValve is 1 seconds).
> > There is/are 1 thread(s) in total that are monitored by this Valve and
> may
> > be stuck.
> > java.lang.Throwable
> > at sun.security.ec.ECDSASignature.verifySignedDigest(Native Method)
> > at sun.security.ec.ECDSASignature.engineVerify(ECDSASignature.java:309)
> > at java.security.Signature$Delegate.engineVerify(Signature.java:1192)
> > at java.security.Signature.verify(Signature.java:626)
> > at signature.SignatureEndPoint.verifyECDSASignature(Unknown Source)
> > at signature.SignatureEndPoint.verifySignature(Unknown Source)
> > at sun.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:606)
> > at
> >
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> > at
> >
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205)
> > at
> >
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> > at
> >
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> > at
> >
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
> > at
> >
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> > at
> >
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> > at
> >
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
> > at
> >
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
> > at
> >
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
> > at
> >
> com.sun.jersey.server.impl.application.WebApplicationI

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Hi all,

Some help is really appreciated, atleast it will be good to hear if some
one else is also facing slowness with the tomcat7 server.

I did some more investigation here and as mentioned earlier saw the
slowness with tomcat7 is more reproducible when there are some
cryptographic signature verifications.  Turning on the
StuckThreadDetectionValve with 1 second threshold as shown below revealed
that there are warning logs with threads stuck showing up in the next run
of the test. This clearly shows that the slowness is due to the threads
getting into the blocked state. More are in the signature verification but
few are in other areas too.

 


NOTE - the above test was performed on a low end windows machine. Since the
granularity of the valve threshold is in seconds was finding it hard to
reproduce the valve to spit out some logs on the high end server. But the
test shows that in the second run of the performance test which was run on
another machine, only then i see the warning logs on the tomcat server.

CATALINA.out contents showing the stuck threads ===>

Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/host-manager]
Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/docs]
Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context []
Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/Signature]
Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/examples]
Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/manager]
Nov 07, 2015 11:01:13 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive
D:\apache-tomcat-7.0.64\webapps\Signature.war
Nov 07, 2015 11:01:16 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable
debug logging for this logger for a complete list of JARs that were scanned
but no TLDs were found in them. Skipping unneeded JARs during scanning can
improve startup time and JSP compilation time.
Nov 07, 2015 11:01:17 AM
com.sun.jersey.api.core.servlet.WebAppResourceConfig init
INFO: Scanning for root resource and provider classes in the Web app
resource paths:
  /WEB-INF/lib
  /WEB-INF/classes
Nov 07, 2015 11:01:18 AM com.sun.jersey.api.core.ScanningResourceConfig
logClasses
INFO: Root resource classes found:
  class signature.NullEndPoint
  class signature.SignatureEndPoint
Nov 07, 2015 11:01:18 AM com.sun.jersey.api.core.ScanningResourceConfig
logClasses
INFO: Provider classes found:
  class org.codehaus.jackson.jaxrs.JsonMappingExceptionMapper
  class org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider
  class org.codehaus.jackson.jaxrs.JacksonJsonProvider
  class org.codehaus.jackson.jaxrs.JsonParseExceptionMapper
Nov 07, 2015 11:01:18 AM
com.sun.jersey.server.impl.application.WebApplicationImpl _initiate
INFO: Initiating Jersey application, version 'Jersey: 1.17 01/17/2013 03:31
PM'
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive
D:\apache-tomcat-7.0.64\webapps\Signature.war has finished in 5,871 ms
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
D:\apache-tomcat-7.0.64\webapps\docs
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable
debug logging for this logger for a complete list of JARs that were scanned
but no TLDs were found in them. Skipping unneeded JARs during scanning can
improve startup time and JSP compilation time.
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deployment of web application directory
D:\apache-tomcat-7.0.64\webapps\docs has finished in 140 ms
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
D:\apache-tomcat-7.0.64\webapps\examples
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable
debug logging for this logger for a complete list of JARs that were scanned
but no TLDs were found in them. Skipping unneeded JARs during scanning can
improve startup time and JSP compilation time.
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deployment of web application directory
D:\apache-tomcat-7.0.64\webapps\examples has finished in 445 ms
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
D:\apache-tomcat-7.0.64\webapps\host-manager
Nov 07, 2015 11:01:19 AM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scan

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Looks like attachments are not allowed so only sharing the contents of
threadDump3.out

2015-11-04 22:55:58
Full thread dump Java HotSpot(TM) 64-Bit Server VM (24.79-b02 mixed mode):

"http-nio-8443-exec-147" daemon prio=10 tid=0x7f5c1c005000 nid=0x6241
runnable [0x7f5bd30ef000]
   java.lang.Thread.State: RUNNABLE
at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:192)
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:379)
- locked <0xfc2d9498> (a java.lang.Object)
at
org.apache.tomcat.util.net.SecureNioChannel.read(SecureNioChannel.java:443)
at
org.apache.coyote.http11.InternalNioInputBuffer.readSocket(InternalNioInputBuffer.java:436)
at
org.apache.coyote.http11.InternalNioInputBuffer.fill(InternalNioInputBuffer.java:795)
at
org.apache.coyote.http11.InternalNioInputBuffer.parseRequestLine(InternalNioInputBuffer.java:227)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:993)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1760)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1719)
- locked <0x875077f0> (a
org.apache.tomcat.util.net.SecureNioChannel)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

   Locked ownable synchronizers:
- <0x88a613f0> (a java.util.concurrent.ThreadPoolExecutor$Worker)

"http-nio-8443-exec-146" daemon prio=10 tid=0x7f5c18020800 nid=0x6240
waiting on condition [0x7f5c6e271000]
   java.lang.Thread.State: TIMED_WAITING (parking)
at sun.misc.Unsafe.park(Native Method)
- parking to wait for  <0x86b7a088> (a
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
at
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
at
java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
at
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

   Locked ownable synchronizers:
- None

"http-nio-8443-exec-145" daemon prio=10 tid=0x7f5c18037000 nid=0x623f
waiting on condition [0x7f5c6e372000]
   java.lang.Thread.State: TIMED_WAITING (parking)
at sun.misc.Unsafe.park(Native Method)
- parking to wait for  <0x86b7a088> (a
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
at
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
at
java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
at
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

   Locked ownable synchronizers:
- None

"http-nio-8443-exec-144" daemon prio=10 tid=0x7f5c1802f800 nid=0x623e
waiting on condition [0x7f5c6c89c000]
   java.lang.Thread.State: TIMED_WAITING (parking)
at sun.misc.Unsafe.park(Native Method)
- parking to wait for  <0x86b7a088> (a
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
at
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
at
java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
at
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
at

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Hi Chris,

I captured 3 threadumps with the below requests/second when the server is
already slow. We were using BIO before and had observed slowness even with
that. We switched to using NIO since it seemed a recommendation for
production environment.
--
*WITH NIO*
*--*
*RUN1 (threadDump1.out)*
Requests/second = 18849.1606557377

*RUN2 **(threadDump2.out)*
Requests/second = 18943.43606557377

*RUN3 **(threadDump3.out)*
Requests/second = 18894.21241830065
--

The issue we are trying to address why does performance degrade by 50% with
subsequent runs.

Thanks,
Dimple

On Thu, Nov 5, 2015 at 1:31 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dimple,
>
> On 11/3/15 11:24 PM, dimple ranka wrote:
> > Also forgot to mention that setting maxKeepAliveRequests to -1 did not
> > help. As expected from the connector documentation the default value for
> > this attribute is 100 and we have a 60 user test set up.
> >
> > On Wed, Nov 4, 2015 at 8:18 AM, dimple ranka <dimplekra...@gmail.com>
> wrote:
> >
> >> Hi Mark,
> >>
> >> Another observation to be noted here is that system CPU usage shoots up
> >> for subsequent runs, especially for later runs.
> >>
> >> We have been looking into this issue for couple of weeks now and it is
> >> clear in the same environment with the same setup it doesn't reproduce
> on
> >> tomcat6. The moment we deploy the web application in a tomcat7 container
> >> the slowness with subsequent runs shows up.
>
> Can you take some thread dumps to find out what Tomcat is doing? High
> CPU usage and lower request throughput sounds like a Poller problem
> since you are using NIO.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[Christopher Schultz]

Dimple,

On 11/3/15 11:24 PM, dimple ranka wrote:
> Also forgot to mention that setting maxKeepAliveRequests to -1 did not
> help. As expected from the connector documentation the default value for
> this attribute is 100 and we have a 60 user test set up.
> 
> On Wed, Nov 4, 2015 at 8:18 AM, dimple ranka <dimplekra...@gmail.com> wrote:
> 
>> Hi Mark,
>>
>> Another observation to be noted here is that system CPU usage shoots up
>> for subsequent runs, especially for later runs.
>>
>> We have been looking into this issue for couple of weeks now and it is
>> clear in the same environment with the same setup it doesn't reproduce on
>> tomcat6. The moment we deploy the web application in a tomcat7 container
>> the slowness with subsequent runs shows up.

Can you take some thread dumps to find out what Tomcat is doing? High
CPU usage and lower request throughput sounds like a Poller problem
since you are using NIO.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[Mark Thomas]

On 03/11/2015 06:17, dimple ranka wrote:



> ##
> On tomcat7 number of requests fullfilled per second
> ##
> * RUN1 ** ==> **  38128.97704918033 runs/sec*
>  *RUN2 ==> **  19040.35947712418 runs/sec*
>  *RUN3 ==> ** 19043.7908496732**  runs/sec*
> * RUN4 ==> ** 19001.71568627451 runs/sec*
> ##

Every performance test I have ever done with Tomcat, the first run has
had poorer performance while the system warms up (threads started,
caches filled, session ID generators initialised etc.) and subsequent
tests have performed better.

The results above suggest something about the test is broken.

First of all, thank you for the detailed information. It helps a lot.

Your server side test code won't run on Tomcat without additional
libraries and configuration that you haven't specified. That makes it
harder for people to reproduce your results. I'd recommend using a
simple servlet for testing in the first instance and only when any
issues have been resolved, move to your test.

20k requests/s is rather low. I'd expect those sorts of numbers from a
single threaded test on reasonable hardware. With 8*2 threads to play
with on the server I'd expect that number to be a lot higher.

My experience of JMeter is that the results are unreliable as you
approach the point where the overhead per request for JMeter approaches
the overhead per request for Tomcat. You would probably get better
results if you switched to a lower overhead test client. I tend to use
ab for these sorts of tests.

It is not clear from your original e-mail if the test client is running
on the same machine as the server or not.
If not, the network can have a significant impact. With this test a
gigabit network should be fine but we have seen network saturation in
performance tests for larger static files so do keep an eye on the
network utilisation just to be safe.

The higher the throughput, the greater the impact of HTTP keep-alive. I
have frequently observed strange test results caused by the system
running out of free ports due to the churn rate of connections. netstat
is your friend. I'd recommend exploring the impact of different settings
for maxKeepAliveRequests. You almost certainly want something
significantly higher than the default of 100. A quick test would be to
set it to -1 and see what impact that has.

HTH,

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Hi Mark,

The test client is running on another machine.

The server side test code is written using jersey 1.17.

Will try out with playing with maxKeepAliveRequests.

My only concern is that if jmeter is doing spoofy things then why it doesnt
show up on tomcat6.

Thanks,
Dimple

On Tue, Nov 3, 2015 at 2:27 PM, Mark Thomas <ma...@apache.org> wrote:

> On 03/11/2015 06:17, dimple ranka wrote:
>
> 
>
> > ##
> > On tomcat7 number of requests fullfilled per second
> > ##
> > * RUN1 ** ==> **  38128.97704918033 runs/sec*
> >  *RUN2 ==> **  19040.35947712418 runs/sec*
> >  *RUN3 ==> ** 19043.7908496732**  runs/sec*
> > * RUN4 ==> ** 19001.71568627451 runs/sec*
> > ##
>
> Every performance test I have ever done with Tomcat, the first run has
> had poorer performance while the system warms up (threads started,
> caches filled, session ID generators initialised etc.) and subsequent
> tests have performed better.
>
> The results above suggest something about the test is broken.
>
> First of all, thank you for the detailed information. It helps a lot.
>
> Your server side test code won't run on Tomcat without additional
> libraries and configuration that you haven't specified. That makes it
> harder for people to reproduce your results. I'd recommend using a
> simple servlet for testing in the first instance and only when any
> issues have been resolved, move to your test.
>
> 20k requests/s is rather low. I'd expect those sorts of numbers from a
> single threaded test on reasonable hardware. With 8*2 threads to play
> with on the server I'd expect that number to be a lot higher.
>
> My experience of JMeter is that the results are unreliable as you
> approach the point where the overhead per request for JMeter approaches
> the overhead per request for Tomcat. You would probably get better
> results if you switched to a lower overhead test client. I tend to use
> ab for these sorts of tests.
>
> It is not clear from your original e-mail if the test client is running
> on the same machine as the server or not.
> If not, the network can have a significant impact. With this test a
> gigabit network should be fine but we have seen network saturation in
> performance tests for larger static files so do keep an eye on the
> network utilisation just to be safe.
>
> The higher the throughput, the greater the impact of HTTP keep-alive. I
> have frequently observed strange test results caused by the system
> running out of free ports due to the churn rate of connections. netstat
> is your friend. I'd recommend exploring the impact of different settings
> for maxKeepAliveRequests. You almost certainly want something
> significantly higher than the default of 100. A quick test would be to
> set it to -1 and see what impact that has.
>
> HTH,
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Hi Mark,

Another observation to be noted here is that system CPU usage shoots up for
subsequent runs, especially for later runs.

We have been looking into this issue for couple of weeks now and it is
clear in the same environment with the same setup it doesn't reproduce on
tomcat6. The moment we deploy the web application in a tomcat7 container
the slowness with subsequent runs shows up.

Thanks,
Dimple

On Tue, Nov 3, 2015 at 2:36 PM, dimple ranka <dimplekra...@gmail.com> wrote:

> Hi Mark,
>
> The test client is running on another machine.
>
> The server side test code is written using jersey 1.17.
>
> Will try out with playing with maxKeepAliveRequests.
>
> My only concern is that if jmeter is doing spoofy things then why it
> doesnt show up on tomcat6.
>
> Thanks,
> Dimple
>
> On Tue, Nov 3, 2015 at 2:27 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 03/11/2015 06:17, dimple ranka wrote:
>>
>> 
>>
>> > ##
>> > On tomcat7 number of requests fullfilled per second
>> > ##
>> > * RUN1 ** ==> **  38128.97704918033 runs/sec*
>> >  *RUN2 ==> **  19040.35947712418 runs/sec*
>> >  *RUN3 ==> ** 19043.7908496732**  runs/sec*
>> > * RUN4 ==> ** 19001.71568627451 runs/sec*
>> > ##
>>
>> Every performance test I have ever done with Tomcat, the first run has
>> had poorer performance while the system warms up (threads started,
>> caches filled, session ID generators initialised etc.) and subsequent
>> tests have performed better.
>>
>> The results above suggest something about the test is broken.
>>
>> First of all, thank you for the detailed information. It helps a lot.
>>
>> Your server side test code won't run on Tomcat without additional
>> libraries and configuration that you haven't specified. That makes it
>> harder for people to reproduce your results. I'd recommend using a
>> simple servlet for testing in the first instance and only when any
>> issues have been resolved, move to your test.
>>
>> 20k requests/s is rather low. I'd expect those sorts of numbers from a
>> single threaded test on reasonable hardware. With 8*2 threads to play
>> with on the server I'd expect that number to be a lot higher.
>>
>> My experience of JMeter is that the results are unreliable as you
>> approach the point where the overhead per request for JMeter approaches
>> the overhead per request for Tomcat. You would probably get better
>> results if you switched to a lower overhead test client. I tend to use
>> ab for these sorts of tests.
>>
>> It is not clear from your original e-mail if the test client is running
>> on the same machine as the server or not.
>> If not, the network can have a significant impact. With this test a
>> gigabit network should be fine but we have seen network saturation in
>> performance tests for larger static files so do keep an eye on the
>> network utilisation just to be safe.
>>
>> The higher the throughput, the greater the impact of HTTP keep-alive. I
>> have frequently observed strange test results caused by the system
>> running out of free ports due to the churn rate of connections. netstat
>> is your friend. I'd recommend exploring the impact of different settings
>> for maxKeepAliveRequests. You almost certainly want something
>> significantly higher than the default of 100. A quick test would be to
>> set it to -1 and see what impact that has.
>>
>> HTH,
>>
>> Mark
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>

Re: Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Also forgot to mention that setting maxKeepAliveRequests to -1 did not
help. As expected from the connector documentation the default value for
this attribute is 100 and we have a 60 user test set up.

On Wed, Nov 4, 2015 at 8:18 AM, dimple ranka <dimplekra...@gmail.com> wrote:

> Hi Mark,
>
> Another observation to be noted here is that system CPU usage shoots up
> for subsequent runs, especially for later runs.
>
> We have been looking into this issue for couple of weeks now and it is
> clear in the same environment with the same setup it doesn't reproduce on
> tomcat6. The moment we deploy the web application in a tomcat7 container
> the slowness with subsequent runs shows up.
>
> Thanks,
> Dimple
>
> On Tue, Nov 3, 2015 at 2:36 PM, dimple ranka <dimplekra...@gmail.com>
> wrote:
>
>> Hi Mark,
>>
>> The test client is running on another machine.
>>
>> The server side test code is written using jersey 1.17.
>>
>> Will try out with playing with maxKeepAliveRequests.
>>
>> My only concern is that if jmeter is doing spoofy things then why it
>> doesnt show up on tomcat6.
>>
>> Thanks,
>> Dimple
>>
>> On Tue, Nov 3, 2015 at 2:27 PM, Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 03/11/2015 06:17, dimple ranka wrote:
>>>
>>> 
>>>
>>> > ##
>>> > On tomcat7 number of requests fullfilled per second
>>> > ##
>>> > * RUN1 ** ==> **  38128.97704918033 runs/sec*
>>> >  *RUN2 ==> **  19040.35947712418 runs/sec*
>>> >  *RUN3 ==> ** 19043.7908496732**  runs/sec*
>>> > * RUN4 ==> ** 19001.71568627451 runs/sec*
>>> > ##
>>>
>>> Every performance test I have ever done with Tomcat, the first run has
>>> had poorer performance while the system warms up (threads started,
>>> caches filled, session ID generators initialised etc.) and subsequent
>>> tests have performed better.
>>>
>>> The results above suggest something about the test is broken.
>>>
>>> First of all, thank you for the detailed information. It helps a lot.
>>>
>>> Your server side test code won't run on Tomcat without additional
>>> libraries and configuration that you haven't specified. That makes it
>>> harder for people to reproduce your results. I'd recommend using a
>>> simple servlet for testing in the first instance and only when any
>>> issues have been resolved, move to your test.
>>>
>>> 20k requests/s is rather low. I'd expect those sorts of numbers from a
>>> single threaded test on reasonable hardware. With 8*2 threads to play
>>> with on the server I'd expect that number to be a lot higher.
>>>
>>> My experience of JMeter is that the results are unreliable as you
>>> approach the point where the overhead per request for JMeter approaches
>>> the overhead per request for Tomcat. You would probably get better
>>> results if you switched to a lower overhead test client. I tend to use
>>> ab for these sorts of tests.
>>>
>>> It is not clear from your original e-mail if the test client is running
>>> on the same machine as the server or not.
>>> If not, the network can have a significant impact. With this test a
>>> gigabit network should be fine but we have seen network saturation in
>>> performance tests for larger static files so do keep an eye on the
>>> network utilisation just to be safe.
>>>
>>> The higher the throughput, the greater the impact of HTTP keep-alive. I
>>> have frequently observed strange test results caused by the system
>>> running out of free ports due to the churn rate of connections. netstat
>>> is your friend. I'd recommend exploring the impact of different settings
>>> for maxKeepAliveRequests. You almost certainly want something
>>> significantly higher than the default of 100. A quick test would be to
>>> set it to -1 and see what impact that has.
>>>
>>> HTH,
>>>
>>> Mark
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>
>

Performance degrades on tomcat7 for the same runs of a sample performance 60 user test

[dimple ranka]

Hi all,

I am doing some performance data collection on tomcat7 on a 8 processor
high end machine with CentOS release 6.7 (Final) operating system and i am
observing slowness with subsequent runs of the same jmeter test. Here are
the version and specfication details followed by the endpoint source and
the problem statement finally.

##
Tomcat7 Version  ==>
##
Server version: Apache Tomcat/7.0.64
Server built:   Aug 19 2015 17:18:06 UTC
Server number:*  7.0.64.0*
OS Name:Linux
OS Version: 2.6.32-573.3.1.el6.x86_64
Architecture:   amd64
JVM Version:1.7.0_79-b15
JVM Vendor: Oracle Corporation
##


##
Connector configurations
##

##


##
Machine Specifications
##
Architecture:  x86_64
CPU op-mode(s):32-bit, 64-bit
Byte Order:Little Endian
CPU(s):8
On-line CPU(s) list:   0-7
Thread(s) per core:2
Core(s) per socket:4
Socket(s): 1
NUMA node(s):  1
Vendor ID: GenuineIntel
CPU family:6
Model: 58
Stepping:  9
CPU MHz:   1600.000
BogoMIPS:  7000.55
Virtualization:VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache:  256K
L3 cache:  8192K
NUMA node0 CPU(s): 0-7
##


##
Source code of the endpoint being performance tested
##
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;


@Path("/null")
public class NullEndPoint {
public static final String UTF_8 = "UTF-8";
public static final String JSON_CONTENT_TYPE = MediaType.APPLICATION_JSON +
"; charset=" + UTF_8;
@POST
@Consumes(JSON_CONTENT_TYPE)
@Produces(JSON_CONTENT_TYPE)
public Response verify(String params) {
return Response.ok("{ \"status\":\"success\"}").build();
}

}
##


##
Jmeter Test Plan - 60 users test for 1200 seconds duration
##


  

  
  false
  false
  

  
  


  
continue
${__P(users,60)}
0
10
0
30
10
1
${__P(duration,1200)}
5

  false
  -1

  
  

  

  Content-Type
  application/json

  



  

  userNameUUID
  user_${__UUID
  =


  host
  ${__P(myhost,XXX.XX.XX.XX)}
  =


  port
  8443
  =


  protocol
  https
  =


  pathPrefix
  /null
  =

  



  true
  

  
false
{
}
=
  

  
  ${host}
  ${port}
  
  
  ${protocol}
  
  ${pathPrefix}
  POST
  true
  false
  true
  false
  false
  



  false
  
saveConfig

  true
  true
  true
  true
  true
  true
  true
  true
  true
  false
  true
  true
  false
  false
  false
  false
  false
  false
  false

false
  0
  true

  
  


  

  

##


##
On tomcat7 number of requests fullfilled per second
##
* RUN1 ** ==> **  38128.97704918033 runs/sec*
 *RUN2 ==> **  19040.35947712418 runs/sec*
 *RUN3 ==> ** 19043.7908496732**  runs/sec*
* RUN4 ==> ** 19001.71568627451 runs/sec*
##

##
*PRO

Re: SPNEGO test configuration with Manager webapp

[Mark Thomas]

On 14/05/2015 22:29, Mark Thomas wrote:
 On 14/05/2015 21:11, Mark Thomas wrote:
 On 29/03/2015 23:13, André Warnier wrote:
 David Marsh wrote:
 I've tested all the following public JDKs
 jdk-7u45-windows-i586.exe
 jdk-7u65-windows-i586.exe
 jdk-7u75-windows-i586.exe
 jdk-8-windows-i586.exe
 jdk-8u5-windows-i586.exe
 jdk-8u11-windows-i586.exe
 jdk-8u20-windows-i586.exe
 jdk-8u25-windows-i586.exe
 jdk-8u31-windows-i586.exe
 jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token

 Seems a recent fix must broken it.

 That is really great info.  Thanks.

 As promised I have found some time to look into this. It appears that
 this fix in 8u40 onwards broke SPNEGO.

 https://bugs.openjdk.java.net/browse/JDK-8048194

 The fix that was applied wasn't the one suggested in the bug report.

 I've spent some time looking at the code but I haven't found a way
 around this yet.
 
 Good news (sort of). I have an *extremely* dirty hack that fixes this on
 my test instance by moving some of the data about in the token that the
 client sends. It works with 8u20 and 8u45.
 
 At the moment the hack is extremely fragile. I need to make it more
 robust and make it optional. I should be able to get that done tomorrow
 and have it included in the next Tomcat 8 release.

Fix applied to trunk (for 9.0.x), 8.0.x (for 8.0.23 onwards) and 7.0.x
(for 7.0.63 onwards).

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SPNEGO test configuration with Manager webapp

[Mark Thomas]

On 29/03/2015 23:13, André Warnier wrote:
 David Marsh wrote:
 I've tested all the following public JDKs
 jdk-7u45-windows-i586.exe
 jdk-7u65-windows-i586.exe
 jdk-7u75-windows-i586.exe
 jdk-8-windows-i586.exe
 jdk-8u5-windows-i586.exe
 jdk-8u11-windows-i586.exe
 jdk-8u20-windows-i586.exe
 jdk-8u25-windows-i586.exe
 jdk-8u31-windows-i586.exe
 jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token

 Seems a recent fix must broken it.
 
 That is really great info.  Thanks.

As promised I have found some time to look into this. It appears that
this fix in 8u40 onwards broke SPNEGO.

https://bugs.openjdk.java.net/browse/JDK-8048194

The fix that was applied wasn't the one suggested in the bug report.

I've spent some time looking at the code but I haven't found a way
around this yet.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SPNEGO test configuration with Manager webapp

[Mark Thomas]

On 14/05/2015 21:11, Mark Thomas wrote:
 On 29/03/2015 23:13, André Warnier wrote:
 David Marsh wrote:
 I've tested all the following public JDKs
 jdk-7u45-windows-i586.exe
 jdk-7u65-windows-i586.exe
 jdk-7u75-windows-i586.exe
 jdk-8-windows-i586.exe
 jdk-8u5-windows-i586.exe
 jdk-8u11-windows-i586.exe
 jdk-8u20-windows-i586.exe
 jdk-8u25-windows-i586.exe
 jdk-8u31-windows-i586.exe
 jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token

 Seems a recent fix must broken it.

 That is really great info.  Thanks.
 
 As promised I have found some time to look into this. It appears that
 this fix in 8u40 onwards broke SPNEGO.
 
 https://bugs.openjdk.java.net/browse/JDK-8048194
 
 The fix that was applied wasn't the one suggested in the bug report.
 
 I've spent some time looking at the code but I haven't found a way
 around this yet.

Good news (sort of). I have an *extremely* dirty hack that fixes this on
my test instance by moving some of the data about in the token that the
client sends. It works with 8u20 and 8u45.

At the moment the hack is extremely fragile. I need to make it more
robust and make it optional. I should be able to get that done tomorrow
and have it included in the next Tomcat 8 release.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Arjit Gupta]

Hi Tomcat Community,

I have downloaded latest certificates from
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/net/
And now test are passing.
Thanks Tomcat community :)


Arjit Kumar

On Thu, May 7, 2015 at 9:39 AM, Arjit Gupta arjitk.gu...@gmail.com wrote:

 Thanks Tomcat Community for the quick reply.

 As answer provided by Mark the test certificate used by unit tests have
 been expired, So please provide me any link where I could download the
 certificates in order to test these unit tests successful.

 Thanks in Advance.

 Arjit Kumar


 On Wed, May 6, 2015 at 5:33 PM, Mark Thomas ma...@apache.org wrote:

 On 06/05/2015 10:43, Arjit Gupta wrote:
  Hello Tomcat Community,
 
  I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64)
 processor.
  After building it successful I am running *ant test*. Which is failing
 due
  to exception which is as below:
 
  Testcase: testSimpleSsl took 4.085 sec
  Caused an ERROR
  sun.security.validator.ValidatorException: PKIX path validation failed:
  java.security.cert.CertPathValidatorException: timestamp check failed
  javax.net.ssl.SSLHandshakeException:

 snip/

  I have manually tested the ssl functionality on Tomcat by enabling it
 from
  server.xml .It is working fine.
  Please suggest the plausible cause of the above exception.

 The test certificates used in the unit tests have expired.

  Is the this exception is coming due to some problem in build or some
  configuration issue in OS?

 No.

 Mark


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Arjit,

On 5/7/15 12:09 AM, Arjit Gupta wrote:
 Thanks Tomcat Community for the quick reply.
 
 As answer provided by Mark the test certificate used by unit tests
 have been expired, So please provide me any link where I could
 download the certificates in order to test these unit tests
 successful.

You should just be able to create a new certificate with the same
common name (localhost?).

Or, you can pick-up a new certificate from svn if the certificate has
been updated.

- -chris

 On Wed, May 6, 2015 at 5:33 PM, Mark Thomas ma...@apache.org
 wrote:
 
 On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,
 
 I am building tomcat 7.0.59 with java7 on HP-UX(OS)
 itanium(IA64)
 processor.
 After building it successful I am running *ant test*. Which is
 failing
 due
 to exception which is as below:
 
 Testcase: testSimpleSsl took 4.085 sec Caused an ERROR 
 sun.security.validator.ValidatorException: PKIX path validation
 failed: java.security.cert.CertPathValidatorException:
 timestamp check failed javax.net.ssl.SSLHandshakeException:
 
 snip/
 
 I have manually tested the ssl functionality on Tomcat by
 enabling it
 from
 server.xml .It is working fine. Please suggest the plausible
 cause of the above exception.
 
 The test certificates used in the unit tests have expired.
 
 Is the this exception is coming due to some problem in build or
 some configuration issue in OS?
 
 No.
 
 Mark
 
 
 -

 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVS1FPAAoJEBzwKT+lPKRYUqsP/2dMJSHOy/wU8oUs1R9gUyXZ
vU1/zeBPWZFlvdX/tW5+mWdWuD4CadI6PaEVhvwX/hVz7+Oi0XgThlcGc+y8thDb
bmECjXeWr8QRol6QQCFrYR/l51OYiICiU+ZCnKQnZ07gSTb0N+C7/+ynTCgvB79G
PrrLGQXd3OnvwmiLpHmrgXeupZva7yUh46WfalffUiimDRwrwBegO6I4x0+QQINb
os20rEGx7TpnCWLZIMH2SqWJgImDTrAsAvXr2fiJVXVSu8y3WvVvT4tG2w4XV+oW
FhbNMjpaI8s1PjO4x8IDCVWgtn/97gtbVfn2tTpDD5V/Ym+zvMj4OnUr3Qrw8Dqn
yd1xYx1/bUdh107biiaDfrvF2bP++eaGEtTabN6M9QlcqnAosd2yW0fWLISs7MtB
YP3cR5GYhvx2pCTC74sLc2jClclWdUm+yPp9RR2fhthY3xfOxQ/k3+8CEXW5BOLM
K/lLTgP2R1pNUArJ0M9jamj/LwVLty+TrJ+63rk6uLKMo+R5371vu1MMfDCqqSQB
rxtsZnBi7nkpoNglBZPAFopneijiW0VKcL+9HKCxjclnV9eHgPBdr0sW034g8lQd
qYL0J0smIef3bYbgNYcNfKngAJ9H9mOuIKUdbCM2cHPJSpjrmL4BT2OmUy8rgxn5
tbFeeaHpYk6x/bfNFmf9
=wqOA
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

ant test on Tomcat 7.0.59 is failing due to exceptions

[Arjit Gupta]

Hello Tomcat Community,

I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64) processor.
After building it successful I am running *ant test*. Which is failing due
to exception which is as below:

Testcase: testSimpleSsl took 4.085 sec
Caused an ERROR
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at
org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:636)
at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:609)
at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:603)
at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:592)
at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:586)
at org.apache.tomcat.util.net.TestSsl.testSimpleSsl(TestSsl.java:62)
Caused by: sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: timestamp check
failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260)
at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
Caused by: java.security.cert.CertPathValidatorException: timestamp check
failed
at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
at
sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
at
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sat
Feb 28 10:58:42 IST 2015
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:273)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:581)
at
sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:184)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:136)
at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)

This exception is coming from various test files as below:
TestClientCert.java
TestCustomSsl.java
TestSsl.java

I have manually tested the ssl functionality on Tomcat by enabling it from
server.xml .It is working fine.
Please suggest the plausible cause of the above exception.
Is the this exception is coming due to some problem in build or some
configuration issue in OS?

Thanks in Advance.

Arjit Kumar

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Mark Thomas]

On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,
 
 I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64) processor.
 After building it successful I am running *ant test*. Which is failing due
 to exception which is as below:
 
 Testcase: testSimpleSsl took 4.085 sec
 Caused an ERROR
 sun.security.validator.ValidatorException: PKIX path validation failed:
 java.security.cert.CertPathValidatorException: timestamp check failed
 javax.net.ssl.SSLHandshakeException:

snip/

 I have manually tested the ssl functionality on Tomcat by enabling it from
 server.xml .It is working fine.
 Please suggest the plausible cause of the above exception.

The test certificates used in the unit tests have expired.

 Is the this exception is coming due to some problem in build or some
 configuration issue in OS?

No.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 5/6/15 8:03 AM, Mark Thomas wrote:
 On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,
 
 I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64)
 processor. After building it successful I am running *ant test*.
 Which is failing due to exception which is as below:
 
 Testcase: testSimpleSsl took 4.085 sec Caused an ERROR 
 sun.security.validator.ValidatorException: PKIX path validation
 failed: java.security.cert.CertPathValidatorException: timestamp
 check failed javax.net.ssl.SSLHandshakeException:
 
 snip/
 
 I have manually tested the ssl functionality on Tomcat by
 enabling it from server.xml .It is working fine. Please suggest
 the plausible cause of the above exception.
 
 The test certificates used in the unit tests have expired.
 
 Is the this exception is coming due to some problem in build or
 some configuration issue in OS?
 
 No.

Is there any reason not to auto-generate test certs at the beginning
of the ant test target?

Also, it's possible to disable certain portions of the
certificate-checking algorithm. Would it be worth it to implement
those workarounds so that expired certs won't fail?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVSg6kAAoJEBzwKT+lPKRYh7gP/0UxglztKH4NT1o82KdPws8/
XDLUs6O96LTQWg2XvsXpbcBvO93nBHoStojigGV8IiDdLl2Jcju+ggH+KHIc0Ywv
SjCSI9s981tk+F7sJOQibNCwxWWCaP+bG1oydPJukCsd+OB4tk6ltP8tPcASjo7u
pU88bTxlJMT3T97B3QnVhZV8UOtZQQxISA5bZOU3l/UhjLsV7zfCxqu/1Bki7u3F
2+hD5iwY4qrU52+iyeqzWL3NNFsd4ygO5aWJyELD5WQS50e8otjMvBgD9gZ7DN+H
nvz9eJWsrlIxyZmpjDBtxBTfPua5BJ4Ne/Im/QUe5LAYrxHlR751VhG/tVPMfJNM
OvAMEqP2bmL5b0cPpcZxY8j8t1J951Wxp9EhK2UhapCMDUfrmO7xDrFH4Oc/fUjq
oLS8Tgqws5BE/blhjwHgX3TxemrwzBcbSAFJoGoOo32qr9ZjWP3V5k8nU2u7YNZR
nH7IKyMOTOxkPtcKG1HUaVFMPl68+0rbRnJpbQHqz8wi9WUgokuEhB9oSL1egFNs
LptNDYjsfc696GZrjtQnnxvS6ViW5+q9AokaddO+xelbtTUAZ7Y3FsXK/QDJuKoX
AUVz6eTTC8GLTMt1AFvM+SKL3PKIAAZHPv7u2o+hLHtViSUKBlqB5IaQs6RFiRN2
f8dqOtaSmUWHsIEFSzTJ
=cxQ4
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 5/6/15 9:01 AM, Mark Thomas wrote:
 On 06/05/2015 13:52, Christopher Schultz wrote:
 Mark,
 
 On 5/6/15 8:03 AM, Mark Thomas wrote:
 On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,
 
 I am building tomcat 7.0.59 with java7 on HP-UX(OS)
 itanium(IA64) processor. After building it successful I am
 running *ant test*. Which is failing due to exception which
 is as below:
 
 Testcase: testSimpleSsl took 4.085 sec Caused an ERROR 
 sun.security.validator.ValidatorException: PKIX path
 validation failed:
 java.security.cert.CertPathValidatorException: timestamp 
 check failed javax.net.ssl.SSLHandshakeException:
 
 snip/
 
 I have manually tested the ssl functionality on Tomcat by 
 enabling it from server.xml .It is working fine. Please
 suggest the plausible cause of the above exception.
 
 The test certificates used in the unit tests have expired.
 
 Is the this exception is coming due to some problem in build
 or some configuration issue in OS?
 
 No.
 
 Is there any reason not to auto-generate test certs at the
 beginning of the ant test target?
 
 In principle no. In theory, entropy issues?

Good point. How many certificates do we need? Perhaps we could have an
ant property that controls whether generation of a new certificate
would happen or not.

 Also, it's possible to disable certain portions of the 
 certificate-checking algorithm. Would it be worth it to
 implement those workarounds so that expired certs won't fail?
 
 I prefer the generation option.

Okay.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVShQnAAoJEBzwKT+lPKRYcoQP/17dQROT3E6hXOyiEHVesPn+
34qF75s3HXkjgI/aR6k1+74UHWwfaIXgfkHvb0aFrIh2rcnP9YKAlzNg/wA3iADN
MfInjrlwu1shEAg1FkJw8vjzfgt4xoGnxOZ/1UEDrUQEdnSiHCqGP95x0upRjKQe
62oYIe8zDSbQL0v/AGgNtr6MGaZZ/VKwd/eLDFNC3Y0uGVlmDjAFYUNSPLgGKlDQ
EicBNeAh365wPHTK/9fwmcuvcuiGUcs9ruoviJOZ2jSghcbdwJE4ONhlL7xuOAGv
3LfOdHA9XtAFJMW87SeZ9LfMZjdxc04yLorr5H3pBVHEesisPwHCl9WOL/yvkfEM
st8lkQpCklykFpryx2e92s/c7K+2nK+ym5RcjU7cao1ImoDSU1w0cnvUctiJDqOf
Tlh2+6IgOzuIF5BLMbK4bkk4UnLivzRy9XwEOBrfgkzenb1M2Sg/xgrBHHQLnpHr
xeKYJTO7dgxrBZ2EYe9NTNoNqvUztt+bywk/uVcDbaVnjb0Kt0epaQJp5Cb5gFbS
VHjXyawirg3FWQTFPl3MIq8cMmJBDSjsuN4O1MFfxXx7rrS74MGxTz1s/UjETU2C
diC3iG/WpzI/ODkPXH00Cv0/bxrvkAL25YjShprhTFcOFhcA80ma53rlJtAlUeGV
FYxV/5/hEMvxR10nfKJc
=JiJE
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Mark Thomas]

On 06/05/2015 13:52, Christopher Schultz wrote:
 Mark,
 
 On 5/6/15 8:03 AM, Mark Thomas wrote:
 On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,

 I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64)
 processor. After building it successful I am running *ant test*.
 Which is failing due to exception which is as below:

 Testcase: testSimpleSsl took 4.085 sec Caused an ERROR 
 sun.security.validator.ValidatorException: PKIX path validation
 failed: java.security.cert.CertPathValidatorException: timestamp
 check failed javax.net.ssl.SSLHandshakeException:
 
 snip/
 
 I have manually tested the ssl functionality on Tomcat by
 enabling it from server.xml .It is working fine. Please suggest
 the plausible cause of the above exception.
 
 The test certificates used in the unit tests have expired.
 
 Is the this exception is coming due to some problem in build or
 some configuration issue in OS?
 
 No.
 
 Is there any reason not to auto-generate test certs at the beginning
 of the ant test target?

In principle no. In theory, entropy issues?

 Also, it's possible to disable certain portions of the
 certificate-checking algorithm. Would it be worth it to implement
 those workarounds so that expired certs won't fail?

I prefer the generation option.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Konstantin Kolinko]

2015-05-06 15:52 GMT+03:00 Christopher Schultz 
 Mark,

 On 5/6/15 8:03 AM, Mark Thomas wrote:
 On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,

 I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64)
 processor. After building it successful I am running *ant test*.
 Which is failing due to exception which is as below:

 Testcase: testSimpleSsl took 4.085 sec Caused an ERROR
 sun.security.validator.ValidatorException: PKIX path validation
 failed: java.security.cert.CertPathValidatorException: timestamp
 check failed javax.net.ssl.SSLHandshakeException:

 snip/

 I have manually tested the ssl functionality on Tomcat by
 enabling it from server.xml .It is working fine. Please suggest
 the plausible cause of the above exception.

 The test certificates used in the unit tests have expired.

 Is the this exception is coming due to some problem in build or
 some configuration issue in OS?

 No.

 Is there any reason not to auto-generate test certs at the beginning
 of the ant test target?

 Also, it's possible to disable certain portions of the
 certificate-checking algorithm. Would it be worth it to implement
 those workarounds so that expired certs won't fail?


1) Document this issue in BUILDING.txt

2) Usually people can get recent certificates from our source tree in
svn and swap them in.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Konstantin,

On 5/6/15 9:25 AM, Konstantin Kolinko wrote:
 2015-05-06 15:52 GMT+03:00 Christopher Schultz 
 Mark,
 
 On 5/6/15 8:03 AM, Mark Thomas wrote:
 On 06/05/2015 10:43, Arjit Gupta wrote:
 Hello Tomcat Community,
 
 I am building tomcat 7.0.59 with java7 on HP-UX(OS)
 itanium(IA64) processor. After building it successful I am
 running *ant test*. Which is failing due to exception which
 is as below:
 
 Testcase: testSimpleSsl took 4.085 sec Caused an ERROR 
 sun.security.validator.ValidatorException: PKIX path
 validation failed:
 java.security.cert.CertPathValidatorException: timestamp 
 check failed javax.net.ssl.SSLHandshakeException:
 
 snip/
 
 I have manually tested the ssl functionality on Tomcat by 
 enabling it from server.xml .It is working fine. Please
 suggest the plausible cause of the above exception.
 
 The test certificates used in the unit tests have expired.
 
 Is the this exception is coming due to some problem in build
 or some configuration issue in OS?
 
 No.
 
 Is there any reason not to auto-generate test certs at the
 beginning of the ant test target?
 
 Also, it's possible to disable certain portions of the 
 certificate-checking algorithm. Would it be worth it to
 implement those workarounds so that expired certs won't fail?
 
 
 1) Document this issue in BUILDING.txt
 
 2) Usually people can get recent certificates from our source tree
 in svn and swap them in.

So in order to successfully run unit tests against an old package
(e.g. Tomcat 7.0.5), one has to fetch artifacts from the current
source tree? That's just ugly.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVShc5AAoJEBzwKT+lPKRY5YAQAMCkycg/Y30ZJyNbYhlrvZUR
YGTszCKEsS9g0VZTpSD6Mlxu5PviLYf1o0ABADl/HyLfi57VpCO+u1wrwUoIYEYa
BeDCFonBW2rURjFAejy2cxgjGJetnfSdaSk5el3BznZs8ThmfZuiHIsfNYbYMS0e
RsGECuW/DK92A20UYa1vwD8TQcWtXxTYnWpq/XWUwNwjvK9vmboZ5n7UODb/he1Q
tQiHpw6hnsAdH2ckZ98IP0KjfuvlFn7BQtSRBF+GcFL5dAcDvET8cmYJI0ENjFav
M+Aom5MHzQBR4GVlVqxctL/KtPm5pHP9hWiraDUXiW9BoprnnKyG+de9Enwerlfd
CI3y/b5qX2JypwVxfBFToSUOon700+/Av5sT6VEB2OYAIIb+ukqFAQpnUE+AkaID
+otfDy56DZM44haffG0VLAnt1h0frGSx4kmyCT0BjO3fm6Fgelrd1VT0Ys3A53JS
D4Sc5rwI/Ws4c2GaXHbaVM5c2MGf0AUVZXbf++Wv7O1PAf9wjKu9Xy6MXFIXJkuM
nBYN8Ydzve9LIQM+h5kH9W/hwNMephFmpsquhQXazYADatekaYlMPlmZgEoqIZQb
5VE60u72DXLdVZ3a+AQCb0pgHLWfdG9xzQ+m8kRmnQA3Vfc5OlALU2ZOch6vD3za
jeiuM5AIgEFJUk63glsa
=4xIj
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ant test on Tomcat 7.0.59 is failing due to exceptions

[Arjit Gupta]

Thanks Tomcat Community for the quick reply.

As answer provided by Mark the test certificate used by unit tests have
been expired, So please provide me any link where I could download the
certificates in order to test these unit tests successful.

Thanks in Advance.

Arjit Kumar


On Wed, May 6, 2015 at 5:33 PM, Mark Thomas ma...@apache.org wrote:

 On 06/05/2015 10:43, Arjit Gupta wrote:
  Hello Tomcat Community,
 
  I am building tomcat 7.0.59 with java7 on HP-UX(OS) itanium(IA64)
 processor.
  After building it successful I am running *ant test*. Which is failing
 due
  to exception which is as below:
 
  Testcase: testSimpleSsl took 4.085 sec
  Caused an ERROR
  sun.security.validator.ValidatorException: PKIX path validation failed:
  java.security.cert.CertPathValidatorException: timestamp check failed
  javax.net.ssl.SSLHandshakeException:

 snip/

  I have manually tested the ssl functionality on Tomcat by enabling it
 from
  server.xml .It is working fine.
  Please suggest the plausible cause of the above exception.

 The test certificates used in the unit tests have expired.

  Is the this exception is coming due to some problem in build or some
  configuration issue in OS?

 No.

 Mark


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SPNEGO test configuration with Manager webapp

[Felix Schumacher]

Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas ma...@apache.org:
On 28/03/2015 14:43, David Marsh wrote:
 Ok so I went back to basics and created three new VM's.
 
 Windows Server 2008 R2
 Windows 7 Client
 Windows 7 Tomcat
 
 I still had same issues, until I changed the Java on the tomcat
server to JDK 7 u45.
 
 It appears there are breaking changes to JAAS/GSS in newer JDKs ?

Thank you for doing all this testing. That is useful information to
know. The next step (for you, me or anyone who has the time and wants
to
help) is to test subsequent Java 7 releases and see at which version it
stops working. I'd hope that a review of the relevant change log would
identify the change that triggered the breakage and provide some clues
on how to fix it.

It would be worth testing the Java 8 releases the same way.

I read it, that jdk 7 works and jdk 8 is problematic. 

There are a few Kerberos related Chaves in jdk 8 ( 
http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).

Interesting are the two changes:

* DES is disabled by default
* constrained delegation is supported. 

My guess would be, that it would help (in this case) to reenable DES by adding 
allow_weak_crypto=true in the krb5.conf.

Regards
Felix 

Mark


 
 David
 
 
 From: dmars...@outlook.com
 To: users@tomcat.apache.org
 Subject: RE: SPNEGO test configuration with Manager webapp
 Date: Fri, 27 Mar 2015 23:40:06 +

 By the way Tomcat 8 was running on JDK :-

 C:\Windows\system32java -version
 java version 1.8.0_40
 Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
 Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

 Version update 40 should include some JRE fixes around GSS and
SPNEGO, including ignoring parts of NegoEx, however
 it does not seem to work.

 I've also created a Windows 7 client with same config just different
DNS of win-pc02.kerbtest.local

 It has the same issue going from firefox to
http://win-tc01.kerbtest.local/manager/html
 I get the same three 401's and the Negotiate.

 
 Date: Thu, 26 Mar 2015 12:11:34 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,

 Thanks for that, yes I've got 30 years windows experience, I can
use Linux at a push but its not really my area expertise.

 I'm a Java / Windows programmer so I should be able to understand
it, but not kerberos or Active Directory expert.

 I have used Waffle in the past with success and used JAAS/GSS-API
in Java thick clients.

 I made the IE settings you outlined but it seems to still prompt.
 IE has win-tc01.kerbtest.local as a trusted site.
 Enable Windows Integrated Authentication is on
 Auto logon only in Intranet Zone is on

 I've been using Firefox to test and that does send 401 and
negotiate, but causes the GSS token error mentioned.

 Active directory and krb5.ini are using eType 23 which is rc4-hmac

 The windows client OS and tomcat server OS has registry setting
for allowtgtsessionkey set to 1 (enabled).

 Java kinit test works and stores a ticket in the Java session
cache.

 So problem seems to be either :-

 1. Browser sends bad token
 2. Token is good but Oracle JDK 8 GSS-API cannot handle it


 Another shot almost in the dark : while browsing hundreds of
Kerberos-related pages on the
 WWW, one other recommendation which seems to appear regularly (and
Mark also mentioned
 that somewhere), is that each time you make a change somewhere, you
should reboot the
 machine afterward, before re-testing. (Particularly on Windows
machines).
 I know it's a PITA, but I have also found the same to be true
sometimes when merely
 dealing with NTLM matters. There are probably some hidden caches
that get cleared only in
 that way.


 many thanks

 David

 Date: Thu, 26 Mar 2015 11:32:39 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,
 Thanks that would be great !
 Do you have a good mechanism to test and ensure kerberos token
is passed to tomcat and not NTLM token ?
 I believe that I can answer that.

 And the basic answer is no.

 First the basic principle, valid for this and many many other
areas : the server cannot
 impose anything on the browser. The local user can always
override anything received
 from the server, by a setting in the browser. And a hacker can of
course do anything.
 All the server can do, is tell the browser what it will accept,
and the browser can tell
 the server ditto.
 So, never assume the opposite, and you will save yourself a lot
of fruitless searches and
 dead-ends.

 Now more specific :
 1) For Kerberos to be used at all at the browser level, the
server must send a 401
 response with Negociate as the requested authentication method.
Unless it does that,
 the browser will never even attempt to send a Kerberos
Authorization

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

I've tested all the following public JDKs 

jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-8-windows-i586.exe
jdk-8u5-windows-i586.exe
jdk-8u11-windows-i586.exe
jdk-8u20-windows-i586.exe
jdk-8u25-windows-i586.exe
jdk-8u31-windows-i586.exe
jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token

Seems a recent fix must broken it.

David


 Subject: Re: SPNEGO test configuration with Manager webapp
 From: felix.schumac...@internetallee.de
 Date: Sun, 29 Mar 2015 10:13:29 +0200
 To: users@tomcat.apache.org



 Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas ma...@apache.org:
On 28/03/2015 14:43, David Marsh wrote:
 Ok so I went back to basics and created three new VM's.

 Windows Server 2008 R2
 Windows 7 Client
 Windows 7 Tomcat

 I still had same issues, until I changed the Java on the tomcat
server to JDK 7 u45.

 It appears there are breaking changes to JAAS/GSS in newer JDKs ?

Thank you for doing all this testing. That is useful information to
know. The next step (for you, me or anyone who has the time and wants
to
help) is to test subsequent Java 7 releases and see at which version it
stops working. I'd hope that a review of the relevant change log would
identify the change that triggered the breakage and provide some clues
on how to fix it.

It would be worth testing the Java 8 releases the same way.

 I read it, that jdk 7 works and jdk 8 is problematic.

 There are a few Kerberos related Chaves in jdk 8 ( 
 http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).

 Interesting are the two changes:

 * DES is disabled by default
 * constrained delegation is supported.

 My guess would be, that it would help (in this case) to reenable DES by 
 adding allow_weak_crypto=true in the krb5.conf.

 Regards
 Felix

Mark



 David

 
 From: dmars...@outlook.com
 To: users@tomcat.apache.org
 Subject: RE: SPNEGO test configuration with Manager webapp
 Date: Fri, 27 Mar 2015 23:40:06 +

 By the way Tomcat 8 was running on JDK :-

 C:\Windows\system32java -version
 java version 1.8.0_40
 Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
 Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

 Version update 40 should include some JRE fixes around GSS and
SPNEGO, including ignoring parts of NegoEx, however
 it does not seem to work.

 I've also created a Windows 7 client with same config just different
DNS of win-pc02.kerbtest.local

 It has the same issue going from firefox to
http://win-tc01.kerbtest.local/manager/html
 I get the same three 401's and the Negotiate.

 
 Date: Thu, 26 Mar 2015 12:11:34 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,

 Thanks for that, yes I've got 30 years windows experience, I can
use Linux at a push but its not really my area expertise.

 I'm a Java / Windows programmer so I should be able to understand
it, but not kerberos or Active Directory expert.

 I have used Waffle in the past with success and used JAAS/GSS-API
in Java thick clients.

 I made the IE settings you outlined but it seems to still prompt.
 IE has win-tc01.kerbtest.local as a trusted site.
 Enable Windows Integrated Authentication is on
 Auto logon only in Intranet Zone is on

 I've been using Firefox to test and that does send 401 and
negotiate, but causes the GSS token error mentioned.

 Active directory and krb5.ini are using eType 23 which is rc4-hmac

 The windows client OS and tomcat server OS has registry setting
for allowtgtsessionkey set to 1 (enabled).

 Java kinit test works and stores a ticket in the Java session
cache.

 So problem seems to be either :-

 1. Browser sends bad token
 2. Token is good but Oracle JDK 8 GSS-API cannot handle it


 Another shot almost in the dark : while browsing hundreds of
Kerberos-related pages on the
 WWW, one other recommendation which seems to appear regularly (and
Mark also mentioned
 that somewhere), is that each time you make a change somewhere, you
should reboot the
 machine afterward, before re-testing. (Particularly on Windows
machines).
 I know it's a PITA, but I have also found the same to be true
sometimes when merely
 dealing with NTLM matters. There are probably some hidden caches
that get cleared only in
 that way.


 many thanks

 David

 Date: Thu, 26 Mar 2015 11:32:39 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,
 Thanks that would be great !
 Do you have a good mechanism to test and ensure kerberos token
is passed to tomcat and not NTLM token ?
 I believe that I can answer that.

 And the basic answer is no.

 First the basic principle, valid for this and many many other
areas : the server cannot
 impose anything on the browser. The local

Re: SPNEGO test configuration with Manager webapp

[André Warnier]

David Marsh wrote:
I've tested all the following public JDKs 


jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-8-windows-i586.exe
jdk-8u5-windows-i586.exe
jdk-8u11-windows-i586.exe
jdk-8u20-windows-i586.exe
jdk-8u25-windows-i586.exe
jdk-8u31-windows-i586.exe
jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token

Seems a recent fix must broken it.


That is really great info.  Thanks.

By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one 
where it works ?





David



Subject: Re: SPNEGO test configuration with Manager webapp
From: felix.schumac...@internetallee.de
Date: Sun, 29 Mar 2015 10:13:29 +0200
To: users@tomcat.apache.org



Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas ma...@apache.org:

On 28/03/2015 14:43, David Marsh wrote:

Ok so I went back to basics and created three new VM's.

Windows Server 2008 R2
Windows 7 Client
Windows 7 Tomcat

I still had same issues, until I changed the Java on the tomcat

server to JDK 7 u45.

It appears there are breaking changes to JAAS/GSS in newer JDKs ?

Thank you for doing all this testing. That is useful information to
know. The next step (for you, me or anyone who has the time and wants
to
help) is to test subsequent Java 7 releases and see at which version it
stops working. I'd hope that a review of the relevant change log would
identify the change that triggered the breakage and provide some clues
on how to fix it.

It would be worth testing the Java 8 releases the same way.

I read it, that jdk 7 works and jdk 8 is problematic.

There are a few Kerberos related Chaves in jdk 8 ( 
http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).

Interesting are the two changes:

* DES is disabled by default
* constrained delegation is supported.

My guess would be, that it would help (in this case) to reenable DES by adding 
allow_weak_crypto=true in the krb5.conf.

Regards
Felix

Mark



David



From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Fri, 27 Mar 2015 23:40:06 +

By the way Tomcat 8 was running on JDK :-

C:\Windows\system32java -version
java version 1.8.0_40
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

Version update 40 should include some JRE fixes around GSS and

SPNEGO, including ignoring parts of NegoEx, however

it does not seem to work.

I've also created a Windows 7 client with same config just different

DNS of win-pc02.kerbtest.local

It has the same issue going from firefox to

http://win-tc01.kerbtest.local/manager/html

I get the same three 401's and the Negotiate.



Date: Thu, 26 Mar 2015 12:11:34 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

David Marsh wrote:

Hi Mark,

Thanks for that, yes I've got 30 years windows experience, I can

use Linux at a push but its not really my area expertise.

I'm a Java / Windows programmer so I should be able to understand

it, but not kerberos or Active Directory expert.

I have used Waffle in the past with success and used JAAS/GSS-API

in Java thick clients.

I made the IE settings you outlined but it seems to still prompt.
IE has win-tc01.kerbtest.local as a trusted site.
Enable Windows Integrated Authentication is on
Auto logon only in Intranet Zone is on

I've been using Firefox to test and that does send 401 and

negotiate, but causes the GSS token error mentioned.

Active directory and krb5.ini are using eType 23 which is rc4-hmac

The windows client OS and tomcat server OS has registry setting

for allowtgtsessionkey set to 1 (enabled).

Java kinit test works and stores a ticket in the Java session

cache.

So problem seems to be either :-

1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it


Another shot almost in the dark : while browsing hundreds of

Kerberos-related pages on the

WWW, one other recommendation which seems to appear regularly (and

Mark also mentioned

that somewhere), is that each time you make a change somewhere, you

should reboot the

machine afterward, before re-testing. (Particularly on Windows

machines).

I know it's a PITA, but I have also found the same to be true

sometimes when merely

dealing with NTLM matters. There are probably some hidden caches

that get cleared only in

that way.



many thanks

David


Date: Thu, 26 Mar 2015 11:32:39 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

David Marsh wrote:

Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token

is passed to tomcat and not NTLM token ?

I believe that I can answer that.

And the basic answer

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

Broken trace :-

25-Mar-2015 15:46:22.131 INFO [main] 
org.apache.catalina.core.StandardService.startInternal
Starting
service Catalina
25-Mar-2015 15:46:22.133 INFO [main] 
org.apache.catalina.core.StandardEngine.startInternal
Starting
Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software 
Foundation\Tomcat
8.0\
webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache 
Software Foundation\Tomcat
8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software 
Foundation\Tomcat
8.0\
webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] 
org.apache.catalina.authenticator.Authenticato
rBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache 
Software Foundation\Tomcat
8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software 
Foundation\Tomcat
8.0\
webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache 
Software Foundation\Tomcat
8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandl
er [http-nio-80]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandl
er [ajp-nio-8009]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start 
Server startup
in 72
1 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --
false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html
-- fal
se
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]'
against
GET /html -- false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against
G
ET /html -- true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --
false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html
-- fal
se
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]'
against
GET /html -- false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against
G
ET /html -- true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.SpnegoAuthentic
ator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

 [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files (x86)\Apache 
Software Foundation\T
omcat 8.0\webapps\docs has finished in 3,916 ms
28-Mar-2015 14:20:38.335 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files (x86)\Apache 
Software Foundation\Tomca
t 8.0\webapps\manager
28-Mar-2015 14:20:38.585 FINE [localhost-startStop-1] 
org.apache.catalina.authenticator.Authenticato
rBase.startInternal No SingleSignOn Valve is present
28-Mar-2015 14:20:38.772 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files (x86)\Apache 
Software Foundation\T
omcat 8.0\webapps\manager has finished in 437 ms
28-Mar-2015 14:20:38.788 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files (x86)\Apache 
Software Foundation\Tomca
t 8.0\webapps\ROOT
28-Mar-2015 14:20:39.006 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files (x86)\Apache 
Software Foundation\T
omcat 8.0\webapps\ROOT has finished in 218 ms
28-Mar-2015 14:20:39.037 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandl
er [http-nio-80]
28-Mar-2015 14:20:39.084 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandl
er [ajp-nio-8009]
28-Mar-2015 14:20:39.115 INFO [main] org.apache.catalina.startup.Catalina.start 
Server startup in 65
24 ms
28-Mar-2015 14:21:03.119 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
28-Mar-2015 14:21:23.809 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[HTML Manager interface 
(for humans)]' against G
ET /html -- true
28-Mar-2015 14:21:23.809 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html -- false
28-Mar-2015 14:21:23.824 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Text Manager interface 
(for scripts)]' against
GET /html -- false
28-Mar-2015 14:21:23.840 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html -- fal
se
28-Mar-2015 14:21:23.855 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[HTML Manager interface 
(for humans)]' against G
ET /html -- true
28-Mar-2015 14:21:23.871 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html -- false
28-Mar-2015 14:21:23.887 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Text Manager interface 
(for scripts)]' against
GET /html -- false
28-Mar-2015 14:21:23.887 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html -- fal
se
28-Mar-2015 14:21:23.918 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke  Calling hasUserDataPermission()
28-Mar-2015 14:21:23.918 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission   User data constraint has no restrictions
28-Mar-2015 14:21:23.933 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke  Calling authenticate()
28-Mar-2015 14:21:23.933 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.SpnegoAuthentic
ator.authenticate No authorization header sent by client
28-Mar-2015 14:21:23.949 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke  Failed authenticate() test
28-Mar-2015 14:21:24.433 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
28-Mar-2015 14:21:24.448 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[HTML Manager interface 
(for humans)]' against G
ET /html -- true
28-Mar-2015 14:21:24.464 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html -- false
28-Mar-2015 14:21:24.479 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

Ok so I went back to basics and created three new VM's.

Windows Server 2008 R2
Windows 7 Client
Windows 7 Tomcat

I still had same issues, until I changed the Java on the tomcat server to JDK 7 
u45.

It appears there are breaking changes to JAAS/GSS in newer JDKs ?

David


 From: dmars...@outlook.com
 To: users@tomcat.apache.org
 Subject: RE: SPNEGO test configuration with Manager webapp
 Date: Fri, 27 Mar 2015 23:40:06 +

 By the way Tomcat 8 was running on JDK :-

 C:\Windows\system32java -version
 java version 1.8.0_40
 Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
 Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

 Version update 40 should include some JRE fixes around GSS and SPNEGO, 
 including ignoring parts of NegoEx, however
 it does not seem to work.

 I've also created a Windows 7 client with same config just different DNS of 
 win-pc02.kerbtest.local

 It has the same issue going from firefox to 
 http://win-tc01.kerbtest.local/manager/html
 I get the same three 401's and the Negotiate.

 
 Date: Thu, 26 Mar 2015 12:11:34 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,

 Thanks for that, yes I've got 30 years windows experience, I can use Linux 
 at a push but its not really my area expertise.

 I'm a Java / Windows programmer so I should be able to understand it, but 
 not kerberos or Active Directory expert.

 I have used Waffle in the past with success and used JAAS/GSS-API in Java 
 thick clients.

 I made the IE settings you outlined but it seems to still prompt.
 IE has win-tc01.kerbtest.local as a trusted site.
 Enable Windows Integrated Authentication is on
 Auto logon only in Intranet Zone is on

 I've been using Firefox to test and that does send 401 and negotiate, but 
 causes the GSS token error mentioned.

 Active directory and krb5.ini are using eType 23 which is rc4-hmac

 The windows client OS and tomcat server OS has registry setting for 
 allowtgtsessionkey set to 1 (enabled).

 Java kinit test works and stores a ticket in the Java session cache.

 So problem seems to be either :-

 1. Browser sends bad token
 2. Token is good but Oracle JDK 8 GSS-API cannot handle it


 Another shot almost in the dark : while browsing hundreds of 
 Kerberos-related pages on the
 WWW, one other recommendation which seems to appear regularly (and Mark also 
 mentioned
 that somewhere), is that each time you make a change somewhere, you should 
 reboot the
 machine afterward, before re-testing. (Particularly on Windows machines).
 I know it's a PITA, but I have also found the same to be true sometimes when 
 merely
 dealing with NTLM matters. There are probably some hidden caches that get 
 cleared only in
 that way.


 many thanks

 David

 Date: Thu, 26 Mar 2015 11:32:39 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,
 Thanks that would be great !
 Do you have a good mechanism to test and ensure kerberos token is passed 
 to tomcat and not NTLM token ?
 I believe that I can answer that.

 And the basic answer is no.

 First the basic principle, valid for this and many many other areas : the 
 server cannot
 impose anything on the browser. The local user can always override 
 anything received
 from the server, by a setting in the browser. And a hacker can of course 
 do anything.
 All the server can do, is tell the browser what it will accept, and the 
 browser can tell
 the server ditto.
 So, never assume the opposite, and you will save yourself a lot of 
 fruitless searches and
 dead-ends.

 Now more specific :
 1) For Kerberos to be used at all at the browser level, the server must 
 send a 401
 response with Negociate as the requested authentication method. Unless 
 it does that,
 the browser will never even attempt to send a Kerberos Authorization 
 back.
 2) for the browser to consider returning a Kerberos Authorization header 
 to the server,
 additional conditions depend on the browser.
 For IE :
 a) the enable Windows Integrated Authentication setting must be on 
 (checked), whether
 this is done locally by the user, or part of the standard IE settings 
 company-wide, or
 imposed by some network policy at corporate level.
 b) the server to which the browser is talking, must be known to IE as 
 either
 - part of the Intranet
 - or at least a trusted server
 That is defined in IE's security zones (which again can be local, or 
 corporation-wide).

 If condition (a) is not met, when the server sends a 401 Negociate, IE 
 will fall back to
 NTLM, always. And there is nothing you can do about that at the server 
 level.
 (Funnily enough, disabling the enable Windows Integrated Authentication 
 at the IE level,
 has the effect of disabling Kerberos, but not NTLM).

 If condition (b

Re: SPNEGO test configuration with Manager webapp

[Mark Thomas]

On 28/03/2015 14:43, David Marsh wrote:
 Ok so I went back to basics and created three new VM's.
 
 Windows Server 2008 R2
 Windows 7 Client
 Windows 7 Tomcat
 
 I still had same issues, until I changed the Java on the tomcat server to JDK 
 7 u45.
 
 It appears there are breaking changes to JAAS/GSS in newer JDKs ?

Thank you for doing all this testing. That is useful information to
know. The next step (for you, me or anyone who has the time and wants to
help) is to test subsequent Java 7 releases and see at which version it
stops working. I'd hope that a review of the relevant change log would
identify the change that triggered the breakage and provide some clues
on how to fix it.

It would be worth testing the Java 8 releases the same way.

Mark


 
 David
 
 
 From: dmars...@outlook.com
 To: users@tomcat.apache.org
 Subject: RE: SPNEGO test configuration with Manager webapp
 Date: Fri, 27 Mar 2015 23:40:06 +

 By the way Tomcat 8 was running on JDK :-

 C:\Windows\system32java -version
 java version 1.8.0_40
 Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
 Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

 Version update 40 should include some JRE fixes around GSS and SPNEGO, 
 including ignoring parts of NegoEx, however
 it does not seem to work.

 I've also created a Windows 7 client with same config just different DNS of 
 win-pc02.kerbtest.local

 It has the same issue going from firefox to 
 http://win-tc01.kerbtest.local/manager/html
 I get the same three 401's and the Negotiate.

 
 Date: Thu, 26 Mar 2015 12:11:34 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,

 Thanks for that, yes I've got 30 years windows experience, I can use Linux 
 at a push but its not really my area expertise.

 I'm a Java / Windows programmer so I should be able to understand it, but 
 not kerberos or Active Directory expert.

 I have used Waffle in the past with success and used JAAS/GSS-API in Java 
 thick clients.

 I made the IE settings you outlined but it seems to still prompt.
 IE has win-tc01.kerbtest.local as a trusted site.
 Enable Windows Integrated Authentication is on
 Auto logon only in Intranet Zone is on

 I've been using Firefox to test and that does send 401 and negotiate, but 
 causes the GSS token error mentioned.

 Active directory and krb5.ini are using eType 23 which is rc4-hmac

 The windows client OS and tomcat server OS has registry setting for 
 allowtgtsessionkey set to 1 (enabled).

 Java kinit test works and stores a ticket in the Java session cache.

 So problem seems to be either :-

 1. Browser sends bad token
 2. Token is good but Oracle JDK 8 GSS-API cannot handle it


 Another shot almost in the dark : while browsing hundreds of 
 Kerberos-related pages on the
 WWW, one other recommendation which seems to appear regularly (and Mark 
 also mentioned
 that somewhere), is that each time you make a change somewhere, you should 
 reboot the
 machine afterward, before re-testing. (Particularly on Windows machines).
 I know it's a PITA, but I have also found the same to be true sometimes 
 when merely
 dealing with NTLM matters. There are probably some hidden caches that get 
 cleared only in
 that way.


 many thanks

 David

 Date: Thu, 26 Mar 2015 11:32:39 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,
 Thanks that would be great !
 Do you have a good mechanism to test and ensure kerberos token is passed 
 to tomcat and not NTLM token ?
 I believe that I can answer that.

 And the basic answer is no.

 First the basic principle, valid for this and many many other areas : the 
 server cannot
 impose anything on the browser. The local user can always override 
 anything received
 from the server, by a setting in the browser. And a hacker can of course 
 do anything.
 All the server can do, is tell the browser what it will accept, and the 
 browser can tell
 the server ditto.
 So, never assume the opposite, and you will save yourself a lot of 
 fruitless searches and
 dead-ends.

 Now more specific :
 1) For Kerberos to be used at all at the browser level, the server must 
 send a 401
 response with Negociate as the requested authentication method. Unless 
 it does that,
 the browser will never even attempt to send a Kerberos Authorization 
 back.
 2) for the browser to consider returning a Kerberos Authorization header 
 to the server,
 additional conditions depend on the browser.
 For IE :
 a) the enable Windows Integrated Authentication setting must be on 
 (checked), whether
 this is done locally by the user, or part of the standard IE settings 
 company-wide, or
 imposed by some network policy at corporate level.
 b) the server to which the browser is talking, must be known to IE

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

By the way Tomcat 8 was running on JDK  :-

C:\Windows\system32java -version
java version 1.8.0_40
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

Version update 40 should include some JRE fixes around GSS and SPNEGO, 
including ignoring parts of NegoEx, however
it does not seem to work.

I've also created a Windows 7 client with same config just different DNS of 
win-pc02.kerbtest.local

It has the same issue going from firefox to 
http://win-tc01.kerbtest.local/manager/html
I get the same three 401's and the Negotiate.


 Date: Thu, 26 Mar 2015 12:11:34 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,

 Thanks for that, yes I've got 30 years windows experience, I can use Linux 
 at a push but its not really my area expertise.

 I'm a Java / Windows programmer so I should be able to understand it, but 
 not kerberos or Active Directory expert.

 I have used Waffle in the past with success and used JAAS/GSS-API in Java 
 thick clients.

 I made the IE settings you outlined but it seems to still prompt.
 IE has win-tc01.kerbtest.local as a trusted site.
 Enable Windows Integrated Authentication is on
 Auto logon only in Intranet Zone is on

 I've been using Firefox to test and that does send 401 and negotiate, but 
 causes the GSS token error mentioned.

 Active directory and krb5.ini are using eType 23 which is rc4-hmac

 The windows client OS and tomcat server OS has registry setting for 
 allowtgtsessionkey set to 1 (enabled).

 Java kinit test works and stores a ticket in the Java session cache.

 So problem seems to be either :-

 1. Browser sends bad token
 2. Token is good but Oracle JDK 8 GSS-API cannot handle it


 Another shot almost in the dark : while browsing hundreds of Kerberos-related 
 pages on the
 WWW, one other recommendation which seems to appear regularly (and Mark also 
 mentioned
 that somewhere), is that each time you make a change somewhere, you should 
 reboot the
 machine afterward, before re-testing. (Particularly on Windows machines).
 I know it's a PITA, but I have also found the same to be true sometimes when 
 merely
 dealing with NTLM matters. There are probably some hidden caches that get 
 cleared only in
 that way.


 many thanks

 David

 Date: Thu, 26 Mar 2015 11:32:39 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 David Marsh wrote:
 Hi Mark,
 Thanks that would be great !
 Do you have a good mechanism to test and ensure kerberos token is passed 
 to tomcat and not NTLM token ?
 I believe that I can answer that.

 And the basic answer is no.

 First the basic principle, valid for this and many many other areas : the 
 server cannot
 impose anything on the browser. The local user can always override 
 anything received
 from the server, by a setting in the browser. And a hacker can of course do 
 anything.
 All the server can do, is tell the browser what it will accept, and the 
 browser can tell
 the server ditto.
 So, never assume the opposite, and you will save yourself a lot of 
 fruitless searches and
 dead-ends.

 Now more specific :
 1) For Kerberos to be used at all at the browser level, the server must 
 send a 401
 response with Negociate as the requested authentication method. Unless it 
 does that,
 the browser will never even attempt to send a Kerberos Authorization back.
 2) for the browser to consider returning a Kerberos Authorization header to 
 the server,
 additional conditions depend on the browser.
 For IE :
 a) the enable Windows Integrated Authentication setting must be on 
 (checked), whether
 this is done locally by the user, or part of the standard IE settings 
 company-wide, or
 imposed by some network policy at corporate level.
 b) the server to which the browser is talking, must be known to IE as either
 - part of the Intranet
 - or at least a trusted server
 That is defined in IE's security zones (which again can be local, or 
 corporation-wide).

 If condition (a) is not met, when the server sends a 401 Negociate, IE 
 will fall back to
 NTLM, always. And there is nothing you can do about that at the server 
 level.
 (Funnily enough, disabling the enable Windows Integrated Authentication 
 at the IE level,
 has the effect of disabling Kerberos, but not NTLM).

 If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it 
 /might/ fall
 back to Basic authentication, if its other settings allow that. That's when 
 you see the
 browser popup login dialog; and in an SSO context, this is a sure sign that 
 something
 isn't working as expected.

 Some authentication modules, at the server level, are able to adapt to what 
 the browser
 sends, others not. I believe that Waffle can accept either browser NTLM or 
 Kerberos
 authentication. Waffle works only

Re: SPNEGO test configuration with Manager webapp

[André Warnier]

David Marsh wrote:

Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token is passed to 
tomcat and not NTLM token ?


I believe that I can answer that.

And the basic answer is no.

First the basic principle, valid for this and many many other areas : the server cannot 
impose anything on the browser.  The local user can always override anything received 
from the server, by a setting in the browser.  And a hacker can of course do anything.
All the server can do, is tell the browser what it will accept, and the browser can tell 
the server ditto.
So, never assume the opposite, and you will save yourself a lot of fruitless searches and 
dead-ends.


Now more specific :
1) For Kerberos to be used at all at the browser level, the server must send a 401 
response with Negociate as the requested authentication method.  Unless it does that, 
the browser will never even attempt to send a Kerberos Authorization back.
2) for the browser to consider returning a Kerberos Authorization header to the server, 
additional conditions depend on the browser.

For IE :
a) the enable Windows Integrated Authentication setting must be on (checked), whether 
this is done locally by the user, or part of the standard IE settings company-wide, or 
imposed by some network policy at corporate level.

b) the server to which the browser is talking, must be known to IE as either
- part of the Intranet
- or at least a trusted server
That is defined in IE's security zones (which again can be local, or 
corporation-wide).

If condition (a) is not met, when the server sends a 401 Negociate, IE will fall back to 
NTLM, always. And there is nothing you can do about that at the server level.
(Funnily enough, disabling the enable Windows Integrated Authentication at the IE level, 
has the effect of disabling Kerberos, but not NTLM).


If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall 
back to Basic authentication, if its other settings allow that.  That's when you see the 
browser popup login dialog; and in an SSO context, this is a sure sign that something 
isn't working as expected.


Some authentication modules, at the server level, are able to adapt to what the browser 
sends, others not.  I believe that Waffle can accept either browser NTLM or Kerberos 
authentication.  Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.

I do not know about the SPNEGO thing in Tomcat (from the name, it should).
The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works 
under both Windows and Linux.


And finally, about your problems : it seems that you have fallen in a very specific kind 
of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using 
Windows Kerberos libraries and encryption method choices and hostname formats etc..), from 
a Java JVM-based client (in this case the Tomcat server, whatever its underlying 
platform is), which is using Java Kerberos libraries and encryption method choices etc... 
 And it seems that between this Java Kerberos part and the Windows Kerberos part, there 
are a number of areas of mutual incomprehension (such as which key encryption methods they 
each implement, or which ones are the default ones for each).


And I am sure that the issue can be resolved.  But it is probably a question of finding 
out which among the 25 or more settings one can alter on each side, overlap and either 
agree or contradict eachother.


One underlying issue is that, as well in corporations as on the WWW, the Windows people 
and the Linux people tend to be 2 separate groups.  If you ask the Windows people how 
to set this up, they will tell you just do this and it works (assuming that all the 
moving parts are Windows-based); and if you ask the Linux people, they will tell you 
just do this and it works (assuming that all the moving parts are Linux-based).
And there are very few people (and web pages) which span both worlds with their various 
combinations.




David


Date: Thu, 26 Mar 2015 09:00:22 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 26/03/2015 00:36, David Marsh wrote:

Still getting :-
 java.security.PrivilegedActionException: GSSException: Defective token 
detected (Mechanism level: G
SSHeader did not find the right tag)

Folks here mention lack of NegoEx support or bugs in GSS-APi ?

http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1

Does Tomcat 8 work with NegoEx ?

Is Windows 8.1 and Windows Server 2012 RC2 supported ?

My test environment is Windows 2008 R2 server and Windows 7. It is
certainly possibly security has been tightened between those versions
and 2012/R2 + 8 that means things don't work by default with Java.

I'll see if I can find some time in the next few weeks to update my test
environment and do some more testing.

Mark

Re: SPNEGO test configuration with Manager webapp

[Mark Thomas]

On 26/03/2015 00:36, David Marsh wrote:
 Still getting :-
  java.security.PrivilegedActionException: GSSException: Defective token 
 detected (Mechanism level: G
 SSHeader did not find the right tag)
 
 Folks here mention lack of NegoEx support or bugs in GSS-APi ?
 
 http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
 
 Does Tomcat 8 work with NegoEx ?
 
 Is Windows 8.1 and Windows Server 2012 RC2 supported ?

My test environment is Windows 2008 R2 server and Windows 7. It is
certainly possibly security has been tightened between those versions
and 2012/R2 + 8 that means things don't work by default with Java.

I'll see if I can find some time in the next few weeks to update my test
environment and do some more testing.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token is passed to 
tomcat and not NTLM token ?
David

 Date: Thu, 26 Mar 2015 09:00:22 +
 From: ma...@apache.org
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp
 
 On 26/03/2015 00:36, David Marsh wrote:
  Still getting :-
   java.security.PrivilegedActionException: GSSException: Defective token 
  detected (Mechanism level: G
  SSHeader did not find the right tag)
  
  Folks here mention lack of NegoEx support or bugs in GSS-APi ?
  
  http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
  
  Does Tomcat 8 work with NegoEx ?
  
  Is Windows 8.1 and Windows Server 2012 RC2 supported ?
 
 My test environment is Windows 2008 R2 server and Windows 7. It is
 certainly possibly security has been tightened between those versions
 and 2012/R2 + 8 that means things don't work by default with Java.
 
 I'll see if I can find some time in the next few weeks to update my test
 environment and do some more testing.
 
 Mark
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
  

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

Hi Mark,

Thanks for that, yes I've got 30 years windows experience, I can use Linux at a 
push but its not really my area expertise.

I'm a Java / Windows programmer so I should be able to understand it, but not 
kerberos or Active Directory expert.

I have used Waffle in the past with success and used JAAS/GSS-API in Java thick 
clients.

I made the IE settings you outlined but it seems to still prompt.
IE has win-tc01.kerbtest.local as a trusted site.
Enable Windows Integrated Authentication is on
Auto logon only in Intranet Zone is on

I've been using Firefox to test and that does send 401 and negotiate, but 
causes the GSS token error mentioned.

Active directory and krb5.ini are using eType 23 which is rc4-hmac

The windows client OS and tomcat server OS has registry setting for  
allowtgtsessionkey set to 1 (enabled).

Java kinit test works and stores a ticket in the Java session cache.

So problem seems to be either :-

1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it

many thanks

David

 Date: Thu, 26 Mar 2015 11:32:39 +0100
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp
 
 David Marsh wrote:
 Hi Mark,
 Thanks that would be great !
 Do you have a good mechanism to test and ensure kerberos token is passed to 
 tomcat and not NTLM token ?
 
 I believe that I can answer that.
 
 And the basic answer is no.
 
 First the basic principle, valid for this and many many other areas : the 
 server cannot 
 impose anything on the browser. The local user can always override anything 
 received 
 from the server, by a setting in the browser. And a hacker can of course do 
 anything.
 All the server can do, is tell the browser what it will accept, and the 
 browser can tell 
 the server ditto.
 So, never assume the opposite, and you will save yourself a lot of fruitless 
 searches and 
 dead-ends.
 
 Now more specific :
 1) For Kerberos to be used at all at the browser level, the server must send 
 a 401 
 response with Negociate as the requested authentication method. Unless it 
 does that, 
 the browser will never even attempt to send a Kerberos Authorization back.
 2) for the browser to consider returning a Kerberos Authorization header to 
 the server, 
 additional conditions depend on the browser.
 For IE :
 a) the enable Windows Integrated Authentication setting must be on 
 (checked), whether 
 this is done locally by the user, or part of the standard IE settings 
 company-wide, or 
 imposed by some network policy at corporate level.
 b) the server to which the browser is talking, must be known to IE as either
 - part of the Intranet
 - or at least a trusted server
 That is defined in IE's security zones (which again can be local, or 
 corporation-wide).
 
 If condition (a) is not met, when the server sends a 401 Negociate, IE will 
 fall back to 
 NTLM, always. And there is nothing you can do about that at the server level.
 (Funnily enough, disabling the enable Windows Integrated Authentication at 
 the IE level, 
 has the effect of disabling Kerberos, but not NTLM).
 
 If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it 
 /might/ fall 
 back to Basic authentication, if its other settings allow that. That's when 
 you see the 
 browser popup login dialog; and in an SSO context, this is a sure sign that 
 something 
 isn't working as expected.
 
 Some authentication modules, at the server level, are able to adapt to what 
 the browser 
 sends, others not. I believe that Waffle can accept either browser NTLM or 
 Kerberos 
 authentication. Waffle works only on a Windows Tomcat server, not on a Linux 
 Tomcat server.
 I do not know about the SPNEGO thing in Tomcat (from the name, it should).
 The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but 
 it works 
 under both Windows and Linux.
 
 And finally, about your problems : it seems that you have fallen in a very 
 specific kind 
 of hell, because you are trying to talk to a Windows-based Kerberos KDC 
 (which is using 
 Windows Kerberos libraries and encryption method choices and hostname formats 
 etc..), from 
 a Java JVM-based client (in this case the Tomcat server, whatever its 
 underlying 
 platform is), which is using Java Kerberos libraries and encryption method 
 choices etc... 
 And it seems that between this Java Kerberos part and the Windows Kerberos 
 part, there 
 are a number of areas of mutual incomprehension (such as which key encryption 
 methods they 
 each implement, or which ones are the default ones for each).
 
 And I am sure that the issue can be resolved. But it is probably a question 
 of finding 
 out which among the 25 or more settings one can alter on each side, overlap 
 and either 
 agree or contradict eachother.
 
 One underlying issue is that, as well in corporations as on the WWW, the 
 Windows people 
 and the Linux people tend to be 2 separate groups. If you ask

Re: SPNEGO test configuration with Manager webapp

[André Warnier]

David Marsh wrote:

Hi Mark,

Thanks for that, yes I've got 30 years windows experience, I can use Linux at a 
push but its not really my area expertise.

I'm a Java / Windows programmer so I should be able to understand it, but not 
kerberos or Active Directory expert.

I have used Waffle in the past with success and used JAAS/GSS-API in Java thick 
clients.

I made the IE settings you outlined but it seems to still prompt.
IE has win-tc01.kerbtest.local as a trusted site.
Enable Windows Integrated Authentication is on
Auto logon only in Intranet Zone is on

I've been using Firefox to test and that does send 401 and negotiate, but 
causes the GSS token error mentioned.

Active directory and krb5.ini are using eType 23 which is rc4-hmac

The windows client OS and tomcat server OS has registry setting for  
allowtgtsessionkey set to 1 (enabled).

Java kinit test works and stores a ticket in the Java session cache.

So problem seems to be either :-

1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it



Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the 
WWW, one other recommendation which seems to appear regularly (and Mark also mentioned 
that somewhere), is that each time you make a change somewhere, you should reboot the 
machine afterward, before re-testing. (Particularly on Windows machines).
I know it's a PITA, but I have also found the same to be true sometimes when merely 
dealing with NTLM matters.  There are probably some hidden caches that get cleared only in 
that way.




many thanks

David


Date: Thu, 26 Mar 2015 11:32:39 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

David Marsh wrote:

Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token is passed to 
tomcat and not NTLM token ?

I believe that I can answer that.

And the basic answer is no.

First the basic principle, valid for this and many many other areas : the server cannot 
impose anything on the browser. The local user can always override anything received 
from the server, by a setting in the browser. And a hacker can of course do anything.
All the server can do, is tell the browser what it will accept, and the browser can tell 
the server ditto.
So, never assume the opposite, and you will save yourself a lot of fruitless searches and 
dead-ends.


Now more specific :
1) For Kerberos to be used at all at the browser level, the server must send a 401 
response with Negociate as the requested authentication method. Unless it does that, 
the browser will never even attempt to send a Kerberos Authorization back.
2) for the browser to consider returning a Kerberos Authorization header to the server, 
additional conditions depend on the browser.

For IE :
a) the enable Windows Integrated Authentication setting must be on (checked), whether 
this is done locally by the user, or part of the standard IE settings company-wide, or 
imposed by some network policy at corporate level.

b) the server to which the browser is talking, must be known to IE as either
- part of the Intranet
- or at least a trusted server
That is defined in IE's security zones (which again can be local, or 
corporation-wide).

If condition (a) is not met, when the server sends a 401 Negociate, IE will fall back to 
NTLM, always. And there is nothing you can do about that at the server level.
(Funnily enough, disabling the enable Windows Integrated Authentication at the IE level, 
has the effect of disabling Kerberos, but not NTLM).


If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall 
back to Basic authentication, if its other settings allow that. That's when you see the 
browser popup login dialog; and in an SSO context, this is a sure sign that something 
isn't working as expected.


Some authentication modules, at the server level, are able to adapt to what the browser 
sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos 
authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.

I do not know about the SPNEGO thing in Tomcat (from the name, it should).
The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works 
under both Windows and Linux.


And finally, about your problems : it seems that you have fallen in a very specific kind 
of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using 
Windows Kerberos libraries and encryption method choices and hostname formats etc..), from 
a Java JVM-based client (in this case the Tomcat server, whatever its underlying 
platform is), which is using Java Kerberos libraries and encryption method choices etc... 
And it seems that between this Java Kerberos part and the Windows Kerberos part, there 
are a number of areas of mutual incomprehension (such as which key encryption methods

Re: SPNEGO test configuration with Manager webapp

[André Warnier]

David Marsh wrote:

Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, 
still same symptoms.
 
Ran klist on client after firefox test and the three 401 responses. :-
 
 C:\Users\test.KERBTEST.000klist


Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0 Client: test @ KERBTEST.LOCAL
Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e1 - forwardable renewable initial pre_authent nam
e_canonicalize
Start Time: 3/25/2015 14:46:43 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 - PRIMARY
Kdc Called: 192.168.0.200

#1 Client: test @ KERBTEST.LOCAL
Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a1 - forwardable renewable pre_authent name_canoni
calize
Start Time: 3/25/2015 14:51:21 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ 
KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?


Maybe because these things come from 2 different places ?
- ticket # 0 is a general ticket-granting ticket (krbtgt) obtained by the client 
directly from the KDC
- ticket # 1 is a ticket to access HTTP/Tomcat, obtained by the client directly from the 
KDC  (after presenting his ticket-granting ticket)
- the 401 response is a response from Tomcat, when the client tries to access it by 
presenting his HTTP/Tomcat ticket
So the problem could be that Tomcat is unable to validate the client ticket, for some 
reason proper to Tomcat itself, not to the client ticket per se (which is probably valid)


Again, in your (presumably Tomcat) Kerberos log, it looked as if Tomcat was having trouble 
 pre-authenticating itself, whatever that means.  Maybe such a succesful 
pre-authentication is a pre-requisite for Tomcat to be able to recognise client tickets to 
itself ?



 


Date: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24/03/2015 20:47, David Marsh wrote:

Hi Felix,
Thanks fort your help!
I have enabled krb5 and gss debug.I altered CATALINA_OPTS in startup.bat and 
also added the same definitions to the Java parameters in Configure Tomcat 
tool.I definitely got more information when using startup.bat, not sure the 
settings get picked up by the windows service ?
I do not think authentication completes, certainly authorization does not as I 
cant see the site and get 401 http status.
I have not configured a tomcat realm but I have put the test user a manager-gui 
group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out
at me is spaces in the some of the paths. I'm not sure how well krb5.ini
will handle those. It might be fine. It might not be.

Mark



David

Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

Am 24.03.2015 um 21:25 schrieb David Marsh:

Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
useKeyTab=true
keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
8.0/conf/tomcat.keytab
storeKey=true;
};

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
useKeyTab=true
keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
8.0/conf/tomcat.keytab
storeKey=true;
};

In other words the principal is the tomcat server as it should be.


Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

Am 24.03.2015 um 21:05 schrieb David Marsh:

Sorry thats :-


principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

under jaas.conf, it is set to the tomcat server DNS.

Is it working with this configuration, or just to point out, that you
copied the wrong jaas.conf for the mail?

Felix



From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, 
still same symptoms.
 
Ran klist on client after firefox test and the three 401 responses. :-
 
 C:\Users\test.KERBTEST.000klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0 Client: test @ KERBTEST.LOCAL
Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e1 - forwardable renewable initial pre_authent nam
e_canonicalize
Start Time: 3/25/2015 14:46:43 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 - PRIMARY
Kdc Called: 192.168.0.200

#1 Client: test @ KERBTEST.LOCAL
Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a1 - forwardable renewable pre_authent name_canoni
calize
Start Time: 3/25/2015 14:51:21 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ 
KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?
 

 Date: Tue, 24 Mar 2015 22:46:15 +
 From: ma...@apache.org
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 On 24/03/2015 20:47, David Marsh wrote:
 Hi Felix,
 Thanks fort your help!
 I have enabled krb5 and gss debug.I altered CATALINA_OPTS in startup.bat and 
 also added the same definitions to the Java parameters in Configure Tomcat 
 tool.I definitely got more information when using startup.bat, not sure the 
 settings get picked up by the windows service ?
 I do not think authentication completes, certainly authorization does not as 
 I cant see the site and get 401 http status.
 I have not configured a tomcat realm but I have put the test user a 
 manager-gui group in Active Directory.

 I've only given your config a quick scan, but the thing that jumps out
 at me is spaces in the some of the paths. I'm not sure how well krb5.ini
 will handle those. It might be fine. It might not be.

 Mark


 David
 Date: Tue, 24 Mar 2015 21:39:38 +0100
 From: felix.schumac...@internetallee.de
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 Am 24.03.2015 um 21:25 schrieb David Marsh:
 Everything is as described and still not working, except the jaas.conf is 
 :-

 com.sun.security.jgss.krb5.initiate {
 com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=true
 principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
 useKeyTab=true
 keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
 8.0/conf/tomcat.keytab
 storeKey=true;
 };

 com.sun.security.jgss.krb5.accept {
 com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=true
 principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
 useKeyTab=true
 keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
 8.0/conf/tomcat.keytab
 storeKey=true;
 };

 In other words the principal is the tomcat server as it should be.

 Date: Tue, 24 Mar 2015 21:17:59 +0100
 From: felix.schumac...@internetallee.de
 To: users@tomcat.apache.org
 Subject: Re: SPNEGO test configuration with Manager webapp

 Am 24.03.2015 um 21:05 schrieb David Marsh:
 Sorry thats :-

 principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
 under jaas.conf, it is set to the tomcat server DNS.
 Is it working with this configuration, or just to point out, that you
 copied the wrong jaas.conf for the mail?

 Felix
 
 From: dmars...@outlook.com
 To: users@tomcat.apache.org
 Subject: SPNEGO test configuration with Manager webapp
 Date: Tue, 24 Mar 2015 20:02:04 +

 I'm trying to get SPNEGO authentication working with Tomcat 8.

 I've created three Windows VMs :-

 Tomcat Server - Windows 8.1 32 bit VM
 Test Client - Windows 8.1 32 bit VM
 Domain Controller - Windows Server 2012 R2 64 bit VM

 The Tomcat Server and the Test Client are joined to the same domain 
 kerbtest.local, they are logged in with domain logins.

 The firewall is disabled on the Tomcat Server VM.

 I've followed the guidelines on the Apache Tomcat website.

 jaas.conf

 com.sun.security.jgss.krb5.initiate {
 com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=true
 principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
 useKeyTab=true
 keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
 8.0/conf/tomcat.keytab
 storeKey=true;
 };

 com.sun.security.jgss.krb5.accept {
 com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=true
 principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
 useKeyTab=true
 keyTab=C:/Program Files/Apache Software Foundation

RE: SPNEGO test configuration with Manager webapp

[Felix Schumacher]

Am 25.03.2015 16:09, schrieb David Marsh:

Put keytab in c:\keytab\tomcat.keytab, ensured owner was
tc01@KERTEST.LOCAL, still same symptoms.

Ran klist on client after firefox test and the three 401 responses. :-

 C:\Users\test.KERBTEST.000klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0 Client: test @ KERBTEST.LOCAL
Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e1 - forwardable renewable initial 
pre_authent nam

e_canonicalize
Start Time: 3/25/2015 14:46:43 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 - PRIMARY
Kdc Called: 192.168.0.200

#1 Client: test @ KERBTEST.LOCAL
Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a1 - forwardable renewable pre_authent 
name_canoni

calize
Start Time: 3/25/2015 14:51:21 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN
HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?
Your client has got a service ticket for HTTP/win-tc01... This is used 
by firefox for authentication. Firefox transmits
this service ticket to the server (as base64 encoded in the 
WWW-Authenticate header).


Your server has to decrypt this ticket using its own ticket to get at 
the user information. This is where your problems arise.

It looks like your server has trouble to get its own ticket.

Are you sure, that the password you used for keytab generation (on the 
server side), is correct? ktpass will probably accept
any input as a password. Maybe you can check the keytab by using kinit 
(though I don't know, if it exists for windows, or how

the java one is used).

Felix





Date: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24/03/2015 20:47, David Marsh wrote:

Hi Felix,
Thanks fort your help!
I have enabled krb5 and gss debug.I altered CATALINA_OPTS in 
startup.bat and also added the same definitions to the Java 
parameters in Configure Tomcat tool.I definitely got more information 
when using startup.bat, not sure the settings get picked up by the 
windows service ?
I do not think authentication completes, certainly authorization does 
not as I cant see the site and get 401 http status.
I have not configured a tomcat realm but I have put the test user a 
manager-gui group in Active Directory.


I've only given your config a quick scan, but the thing that jumps out
at me is spaces in the some of the paths. I'm not sure how well 
krb5.ini

will handle those. It might be fine. It might not be.

Mark



David

Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

Am 24.03.2015 um 21:25 schrieb David Marsh:
Everything is as described and still not working, except the 
jaas.conf is :-


com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
useKeyTab=true
keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
8.0/conf/tomcat.keytab

storeKey=true;
};

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
useKeyTab=true
keyTab=C:/Program Files/Apache Software Foundation/Tomcat 
8.0/conf/tomcat.keytab

storeKey=true;
};

In other words the principal is the tomcat server as it should be.


Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

Am 24.03.2015 um 21:05 schrieb David Marsh:

Sorry thats :-


principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or just to point out, that 
you

copied the wrong jaas.conf for the mail?

Felix



From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same 
domain kerbtest.local

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

Its possible I guess, although I would not expect that.

The test is :-

Client Test Windows 8.1 VM with Firefox - Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy, its all in Vmware Workstation 10 
using the Vmnet01 virtual network.

Firefox has three 401 responses with headers Authorization and 
WWW-Authenticate :-

1 :- Reponse WWW-Authenticate: Negotiate

2 :- Request Authorization: Negotiate 
YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACCjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1bHVkmmuJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=

Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3 :- Request Authorization: Negotiate 
oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACCjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJxK5PpTX/g5phbQ2bv8XrnUCfC+cfDkPjAOnpnsiX7fRtA7k5qaEtUI/9KlqcAbV0jG3nQolKK5zEL6ftBXPW3FgZRRGmiYMQVpjBtIKapE1A+V/dveIrnnkxuuRmWrIJFYagOijzyilZj6cIIJqtmqI+QE4vKGIQl6lMwcgao9ZNZ2t2vLI5cD/BSjkFNbmgqLAuDZW357KVd5uoUJbHDpQHGWKw4A4x9vpvv+NUv1IrUaBe19PDQup/SILLHlUA8zr/OsHMytfPpVSv99fLBY7mcr0zwm+qhPF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E=

Reponse WWW-Authenticate: Negotiate

I'm not sure how long they should be, but they all end = so expect not 
truncated ?


 Subject: RE: SPNEGO test configuration

RE: SPNEGO test configuration with Manager webapp

[David Marsh]

ator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html -- false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html -- fal
se
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html -- false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html -- true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html -- false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html -- fal
se
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html -- false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html -- true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is nul
l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false 
principal is HTTP/wi
n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is 
false storePass is false
clearPass is false
 KeyTabInputStream, readName(): kerbtest.local
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): win-tc01.kerbtest.local
 KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 
8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
 KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number 
 of retries =3, #bytes=
164
 KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt 
 =1, #bytes=164
 KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

 KdcAccessibility: remove win-dc01.kerbtest.local:88
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
suSec is 701709
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq

RE: SPNEGO test configuration with Manager webapp

[Felix Schumacher]

se.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
org.apache.catalina.authenticator.SpnegoAuthentic
ator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]'
against GET /html -- false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy
interface]' against GET /html -- fal
se
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager
interface (for scripts)]' against
GET /html -- false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager
interface (for humans)]' against G
ET /html -- true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]'
against GET /html -- false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy
interface]' against GET /html -- fal
se
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager
interface (for scripts)]' against
GET /html -- false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager
interface (for humans)]' against G
ET /html -- true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2]
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true
doNotPrompt true ticketCache is nul
l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
is false principal is HTTP/wi
n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
is false storePass is false
clearPass is false
 KeyTabInputStream, readName(): kerbtest.local
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): win-tc01.kerbtest.local
 KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat
8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
 KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,
number of retries =3, #bytes=
164
 KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
timeout=3,Attempt =1, #bytes=164
 KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

 KdcAccessibility: remove win-dc01.kerbtest.local:88
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
suSec is 701709
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes