Re: SSL Certificate Renewal

2019-06-12 Thread Ognjen Blagojevic
Nitin On 13.6.2019. 07.37, Nitin Kadam wrote: I have apache tomcat server running with publicly signed SSL certificate configured in server.xml, the same certificate is expiring in next week, I need steps to renew the same. *Server OS: Windows 2012 R2* *Apache Tomcat/8.5.38* 1. How to gen

Re: Fwd: Tomcat question

2018-04-30 Thread Ognjen Blagojevic
Zahi, On 30.4.2018. 11:09, Zahi Fail wrote: curl -X POST \ http://localhost:8080/userManagement/rest/Traffic/users2 \ -H 'Authorization: Basic dG9tY2F0OnMzY3JldA==' \ -H 'Cache-Control: no-cache' \ -H 'Content-Type: application/json' \ -H 'Postman-Token: 71819f33-6206-02c5-5cf2-8d

Re: Fwd: Tomcat question

2018-04-30 Thread Ognjen Blagojevic
Zahi, On 25.4.2018. 13:19, zahi.f...@gmail.com wrote: I configured in my conf\server.xml file the realm as below: Ok, so the configuration looks fine. You said you are using Postman to send the request. Can you paste the `curl` command that the postman can generate for you just to check if i

Re: Tomcat question

2018-04-24 Thread Ognjen Blagojevic
Zahi, On 23.4.2018. 16:38, Zahi Fail wrote: > This is the following code from my web.xml file: ... > *and in the tomcat-user.xml i have updated the code as below: * ... You need to configure appropriate realm. Did you do that? You can do it in your webapp's context.xml, or in server.xml file, b

Re: Facing issue while configuring SSL

2016-07-15 Thread Ognjen Blagojevic
Román, On 15.7.2016 5:01, Román Valoria wrote: The SSL Certificate was created using the wrong FQDN, which meant that the hostname to IP address resolution done by the browser was failing. The telnet command was done using the wrong FQDN, while openssl using localhost. On top of that, since the

Re: Facing issue while configuring SSL

2016-07-14 Thread Ognjen Blagojevic
Devendra, On 14.7.2016 10:38, Devendra Sengar wrote: But the tomcat server is started without any error but won't able to open the home page of tomcat giving the error like: This site can’t be reached The webpage at *https://:8443/* might be temporarily down or it may have moved permanently to a

Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Ognjen Blagojevic
Sean, On 13.7.2016 21:56, Sean Son wrote: Thank you for your answer guys. Is there anywhere in the Tomcat config files that I would need to specify the DNS name? Like in Apache we would specify the DNS name in a Virtualhost. Take a look at context xml, attribute "name" in Host element [1], an

Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Ognjen Blagojevic
Sean, On 12.7.2016 14:49, Sean Son wrote: Hello thank you for your response. I am currently only accessing the server using IP address only. We do not have a DNS record set up for the server as of yet. It will be something like webapp.example.com Once there is a DNS record in place, and you ac

Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Ognjen Blagojevic
On 11.7.2016 16:29, Sean Son wrote: Here is the certificate path: - Go Daddy Root Certificate Authority - G2 - Go Daddy Secure Certificate Authority - G2 - *.example.com That looks Ok. Did you, perhaps, try to access server on subdomain of example.com? Wildca

Re: Need help setting up SSL on Tomcat 8

2016-07-08 Thread Ognjen Blagojevic
On 7.7.2016 23:17, Daniel Savard wrote: Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID). Looks like adding the keyAlias to the connector did not fix anything unfortunately. Did you examine the received certificate in the browser. Us

Re: Need help setting up SSL on Tomcat 8

2016-07-06 Thread Ognjen Blagojevic
Sean, On 5.7.2016 17:14, Sean Son wrote: Hello Daniel and all Here is the output.. the full output http://pastebin.com/AQckw6ig Keytool output indicates that there are two entries in keystore: 1. Entry with alias "root", created Jun 16, 2016, which is intermediate certificate for Go Daddy:

Re: Source IP filtering on some URLs before Container-managed authentication

2015-11-23 Thread Ognjen Blagojevic
Andre, On 20.11.2015 17:44, André Warnier (tomcat) wrote: Well, you can use a lot more conditions in urlrewrite filter, such as a client IP + URL patterns + lots more. And you can combine them using the type="next". Your original post said "My webapp have a set of resources, let's call that set

Re: Source IP filtering on some URLs before Container-managed authentication

2015-11-20 Thread Ognjen Blagojevic
Andre, Chris, On 20.11.2015 9:30, André Warnier (tomcat) wrote: On 19.11.2015 21:26, Christopher Schultz wrote: I think that may be the only way to do it. IIRC, someone did some work to allow Filters to be used in the valve chain, but I don't think there is any facility for specifying s for tho

Source IP filtering on some URLs before Container-managed authentication

2015-11-19 Thread Ognjen Blagojevic
Hi, My webapp has a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication. I have a requirement to check source IP address before au

Re: Question for posgresq, and jdbc.jar placement.

2015-10-22 Thread Ognjen Blagojevic
Jose & Chris, On 21.10.2015 20:47, Christopher Schultz wrote: Jose, On 10/21/15 7:33 AM, Jose María Zaragoza wrote: IMHO $CATALINA_HOME/lib would be the right place +1 Are you willing to elaborate why you prefer $CATALINA_HOME instead of $CATALINA_BASE? I don't have multiple Tomcat

Re: How do LockOutRealms work ?

2015-09-01 Thread Ognjen Blagojevic
Mark, On 31.8.2015 12:42, Mark Thomas wrote: I experienced situations where the user calls the first level service desk and a ticket goes all its way to someone who can read the server logs and understand the issue... Not exactly optimal. I agree. That is why most organisations provide self-

Re: Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-08-28 Thread Ognjen Blagojevic
Diarmuid, On 27.8.2015 22:31, dmccrthy wrote: * our non-production server with the same versions of all client software connects with no errors to a non-production instance of the same 3rd party service using the same cipher suite. So the tool we're using is our 3rd party client Web app (the "To

Re: Need configuration example for Tomcat 7.0.55 TLS configuration

2015-04-08 Thread Ognjen Blagojevic
On 7.4.2015 15:23, Christopher Schultz wrote: After a weekend of ripping out clumps of my hair and swearing at my computer, nothing had worked. In desperation, before upgrading Java and Tomcat, I tried regenerating my self-signed certificate with new settings (SHA256 instead of SHA1) and that s

Re: Need configuration example for Tomcat 7.0.55 TLS configuration

2015-04-06 Thread Ognjen Blagojevic
Tom, On 5.4.2015 3:06, Tom Williamson wrote: I would like to know if anyone has a working example of getting TLS 1.2 working on Tomcat 7.0.55, so that it can be accessed by the latest version of Chrome and Firefox. Which version of Java do you use? Make sure it is Java 7 or 8, and if you alre

Re: SSL / TLS compression | SPDY service|CVE-2012-4929

2015-03-27 Thread Ognjen Blagojevic
Rahul, On 27.3.2015 14:42, Rahul Kumar Singh wrote: So how to disable compression and / or the SPDY service in tomcat6. If you are using JSSE connectors (BIO/NIO/NIO2), compression is already disabled because JSSE does not support it, and there is no support for SPDY protocol on those connec

Re: Chrome reports Tomcat hosted sites as using 'obsolete cryptography'

2015-03-26 Thread Ognjen Blagojevic
Egor, On 26.3.2015 21:23, Mark Thomas wrote: On 26/03/2015 17:30, Egor Philippov wrote: Anyone familiar with the warning or know whether it represents a real security problem? That depends on your definition of 'real'. I'm not aware of any viable attacks but general opinion is that now is the

Re: Changing Tomcat's SSL ciphers

2015-03-03 Thread Ognjen Blagojevic
Eric, On 2.3.2015 23:45, Eric wrote: I am trying to change the ciphers that my Tomcat 7 server supports. I am using the APR connector. Here's the connector information in server.xml with the line saying which ciphers to support: SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

Re: Cannot disable SSL v3

2014-10-20 Thread Ognjen Blagojevic
Deepak, On 17.10.2014 19:13, dku...@ccilindia.co.in wrote: How can I know which protocols my JVM supports. We are using java1.7.0_40 Take a look at: https://wiki.apache.org/tomcat/Security/POODLE Please let us know if there is any turnaround in my server.xml configuration to disable SSL v3. Pleas

Re: Tomcat 6 SSL issue

2014-10-16 Thread Ognjen Blagojevic
Baran, On 16.10.2014 19:20, Baran Topal wrote: I did the new CSR with the new private key. Ok. "You could also add protocol attribute to force JSSE connector (BIO or NIO), to prevent connector auto-selection." 1) What is the protocol attribute and where to add it? To your Connector config

Re: Tomcat 6 SSL issue

2014-10-13 Thread Ognjen Blagojevic
Baran, On 10.10.2014 21:06, Baran Topal wrote: Then I received 2 files from the certificate authority, abc.com.cer and abc.om.p7b What certificates do those files contain? Attribute maxSpareThreads is not listed in docs: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html You co

Re: Tomcat JVM Crash

2014-10-13 Thread Ognjen Blagojevic
Chad, On 10.10.2014 18:12, Chad Maniccia wrote: I have reported my findings to Oracle. They need to fix the bug, but for us the best solution was just to move away from JSSE and switch to APR OpenSSL which is the recommended solution to begin with. Thank you for reporting that back to us. Cou

Re: tomcat crash problem (INTERNAL)

2014-10-06 Thread Ognjen Blagojevic
Subbu, On 6.10.2014 10:27, bala-subrahmanyam.bha...@telenor.com wrote: Could you please suggest one best open source java profiler for analysing and monitoring the tomcat server. I don't know which (open source) one is the best, but you may try your luck with: 1. MAT (http://www.eclipse.or

Re: tomcat crash problem (INTERNAL)

2014-10-03 Thread Ognjen Blagojevic
Subbu, On 3.10.2014 10:25, bala-subrahmanyam.bha...@telenor.com wrote: Hi Ognjen, Tomcat is crashing with the below error message. java.lang.OutOfMemoryError: GC overhead limit exceeded Please, reply below the quotes, it is standard on this list. Tomcat has a small memory footprint, way belo

Re: tomcat crash problem (OPEN)

2014-10-03 Thread Ognjen Blagojevic
Subbu, 3.10.2014 9:38, bala-subrahmanyam.bha...@telenor.com wrote: I upgraded tomcat from 5.0.28 to 6.0.36, after upgrade tomcat server is consuming a lot of memory and once if memory reaches to 3GB then it is crashing (max memory I configured is 3GB). What kind of a crash is that? Does JVM cr

Re: Tomcat 8.0.14 - doesn't start from Netbeans 8.0.1 IDE

2014-10-03 Thread Ognjen Blagojevic
Mitko, On 3.10.2014 8:52, Mitev, Mitko wrote: Tomcat 8.0.12 :noJuliConfig set JAVA_OPTS=%JAVA_OPTS% %LOGGING_CONFIG% Tomcat 8.0.14 :noJuliConfig set JAVA_OPTS=”%JAVA_OPTS% %LOGGING_CONFIG%” Actually, the quotation marks in 8.0.14 are in different position: set "JAVA_OPTS=%JAVA_OPTS% %LOGGING_

Re: question on certificate use - resending with attachment descriptions in case they get stripped out again. If this doesnt work I will resend the email when I get home

2014-10-02 Thread Ognjen Blagojevic
Ray, On 1.10.2014 21:05, ray.d...@usbank.com wrote: Loaded the website and let the error popup happen once, then I install the certificate it prompts about (to my truststore). If you mean that you imported CA-signed certificate to your Java keystore where your private key is already stored, u

Re: question on certificate use - resending with attachment descriptions in case they get stripped out again. If this doesnt work I will resend the email when I get home

2014-09-30 Thread Ognjen Blagojevic
Ray, On 30.9.2014 20:54, ray.d...@usbank.com wrote: And then on the browser, when I try to load the site, I get a blank screen again, says "Internet Explorer cannot display the webpage". If I use "tomcat" as the alias in my connector, the site loads but then I get the "Certificate Error" po

Re: a problem: tomcat exits unexpectedly

2014-09-19 Thread Ognjen Blagojevic
Zhao, On 19.9.2014 3:42, bo zhao wrote: but I can't find any error message in the log? what causes the tomcat to pause and stop? One of the suspects for restarts and shutdown seems to be the class com.jd.clover.center.service.AbstractScheduleTaskProcess, as there is a log message regarding i

Re: Deploy application as Root

2014-09-12 Thread Ognjen Blagojevic
Kiran, Question I have is that if I upload war file via manager app, where does it go ? It goes to appBase (e.g. directory "webapps") as war file, and if neither unpackWARs at element nor unpackWAR of Context element is set to "false", they are unpacked to the directory of the same name (e

Re: Context parameter override?

2014-09-11 Thread Ognjen Blagojevic
Andre, On 10.9.2014 18:43, André Warnier wrote: Otherwise, my customer sysadmins would have to unpack the WAR, edit web.xml to insert their specific values, and re-pack the WAR. Which they do not like to do either. My customers also do not like a solution consisting in having these parameters

Re: Deploy application as Root

2014-09-11 Thread Ognjen Blagojevic
Kiran, On 11.9.2014 5:52, Kiran Badi wrote: I am trying to deploy application as ROOT.war in tomcat 7.50 provided by hosting service provider, but for some reasons I get below message FAIL - War file "ROOT.war" cannot be uploaded if context is defined in server.xml I have below in server xml

Re: stress testing tomcat applications

2014-09-11 Thread Ognjen Blagojevic
Elias, On 11.9.2014 2:03, Elias Kopsiaftis wrote: My best guess is that tomcat doesn't like to accept requests coming for two different logins from the same IP and same program. Is that accurate? Is there anything else that could be going wrong here? Tomcat should allow multiple sessions from same IP

Re: JSSE or APR

2014-08-21 Thread Ognjen Blagojevic
On 21.8.2014 10:24, Ognjen Blagojevic wrote: For JSSE connectors you may use one of two different file formats: PKCS#12 or JKS. That would be, "keystore file formats". -Ognjen

Re: JSSE or APR

2014-08-21 Thread Ognjen Blagojevic
John, On 20.8.2014 18:08, John McLean wrote: I used the following ubuntu guide to create my csr: https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html If you followed steps from that guide you now might have: 1. Private key in PEM format (e.g. server.key) 2. Certificate si

Re: New User Help

2014-08-18 Thread Ognjen Blagojevic
Colin, On 18.8.2014 4:42, Colin Kincaid Williams wrote: I have then deployed the application war file using the manager. The application is supposed to take json POST requests, related to a path on the host filesystem such as /opt/app/app_data/datafile . The POST requests work on the old glassfi

Re: access non-default webapp

2014-08-11 Thread Ognjen Blagojevic
Patcharee, On 11.8.2014 14:00, Patcharee Thongtra wrote: I have two applications running in Tomcat 6. I made the first app as a default web app by placing it as ROOT.war in webapps/. How can I access the second app? Whenever I browse http://localhost:8080/the_second_app/ Tomcat thinks I will acc

Re: Restricting SSL access within webapp

2014-08-04 Thread Ognjen Blagojevic
Chris, On 4.8.2014 22:47, Christopher Schultz wrote: Encryption is more expensive than /not/ encrypting, but it's much harder on the server (many connections) than it is on the client (single-digit). Since these days, everyone is disabling compression for SSL, the biggest problem for a dial-up c

Re: JKS keystore password Encryption

2014-08-04 Thread Ognjen Blagojevic
Sanaullah, On 4.8.2014 17:26, Sanaullah wrote: I will also search the archive as well. You may find Wiki also useful: http://wiki.apache.org/tomcat/FAQ/Password -Ognjen

Re: TC7 and SSL Questions

2014-07-24 Thread Ognjen Blagojevic
John, On 24.7.2014 21:11, John Smith wrote: 1. Can I specify /admin/* as a security constraint url pattern so that only that directory runs under SSL? Yes, you can. 2. The NIO connector is accepted for JSSE, since I'm using it already, is there any point in not using it as my SSL connector?

Re: How to monitor performance of tomcat

2014-05-21 Thread Ognjen Blagojevic
Randhir, On 21.5.2014 14:31, Randhir Singh wrote: I had changed catalina.sh in our development environment like a week back and want to implement it in the production environment but I got this doubt. I feel catalina.sh is invoked by startup.sh but am not sure. I have already taken downtime for

Re: catalina.out is 13G

2014-04-22 Thread Ognjen Blagojevic
On 22.4.2014 16:22, Filip Hanik wrote: http://www.tomcatexpert.com/knowledge-base/rotating-catalinaout-log-files Also, there is a related issue in Bugzilla, to make things easier to configure: https://issues.apache.org/bugzilla/show_bug.cgi?id=53930 -Ognjen

Re: Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x

2014-04-13 Thread Ognjen Blagojevic
Andre, On 12.4.2014 0:51, André Warnier wrote: Ognjen Blagojevic wrote: On 11.4.2014 10:52, André Warnier wrote: 3) if he has recorded past encrypted traffic to/from your server, and saved this recording, then he can at any time go back and decrypt this past traffic, and pick up anything

Re: Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x

2014-04-11 Thread Ognjen Blagojevic
On 11.4.2014 10:52, André Warnier wrote: 3) if he has recorded past encrypted traffic to/from your server, and saved this recording, then he can at any time go back and decrypt this past traffic, and pick up anything interesting from there, even without having the new keys. Such a recording coul

Re: [OT] HeartBleed bug

2014-04-09 Thread Ognjen Blagojevic
Chris, On 9.4.2014 14:53, Christopher Schultz wrote: My recommendation would be to treat everything OpenSSL touches as tainted and re-key anyway. [I will assume we are talking about OpenSSH implementation.] That depends on the definition of "what OpenSSL touches". OpenSSL consists of two l

Re: [OT] HeartBleed bug

2014-04-09 Thread Ognjen Blagojevic
André, On 9.4.2014 9:49, André Warnier wrote: I wonder if I may ask this list-OT question to the SSH experts on the list : I run some 25 webservers (Apache httpd-only, Tomcat-only, or Apache httpd + Tomcat). I do not use HTTPS on any of them. But I use SSH (OpenSSH) to connect to them over the

Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-09 Thread Ognjen Blagojevic
Chris, On 9.4.2014 7:22, Christopher Schultz wrote: - -1 Switching to JSSE only stops the hemorrhaging. You should consider all your server keys compromised if OpenSSL 1.0.1 was used (prior to "g" patch level). If you switch to JSSE, your key may already have been compromised, so the switch doe

Re: Does the HeartBleed vulnerability affect Apache Tomcat servers using Tomcat Native?

2014-04-08 Thread Ognjen Blagojevic
On 8.4.2014 18:48, Arlo White wrote: Are Apache Tomcat servers using Tomcat Native & APR vulnerable to the HeartBleed OpenSSL bug, or does this layer insulate them? http://heartbleed.com/ They are vulnerable. There is no layer to insulate. You may test with: http://filippo.io/Heartbleed/ I

Re: Windows tcnative openssl ciphers question

2014-04-07 Thread Ognjen Blagojevic
Jeffrey, EECDH/ECDHE is disabled in tcnative-1.dll. There is already a request to enable it. Take a look at: https://issues.apache.org/bugzilla/show_bug.cgi?id=55915 -Ognjen On 8.4.2014 0:07, Jeffrey Janner wrote: Ok, this is a question for the native libs builders (or whoever knows the

Re: Valid certificate chain failing with "unable to find valid certification path to requested "

2014-04-04 Thread Ognjen Blagojevic
Chris, On 4.4.2014 16:27, Christopher Schultz wrote: So they don't have a big "Daddy" certificate that has signed all of their intermediate certificates? Boo. That would fix nearly everything. Actually, having different root certificates, one for SHA-1, and one for SHA-2 is recommended migrat

Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does

2014-04-04 Thread Ognjen Blagojevic
Mark, On 4.4.2014 23:54, Mark Thomas wrote: The CA that signed your certificate might not be one of the root CAs trusted by the user agent. Most likely it is an intermediate CA. The root CA will have signed the intermediate CA's certificate and the intermediate CA will have signed your certifica

Re: Tomcat 6 SSL CA Certificate does not work, but Self signed Certificate does

2014-04-04 Thread Ognjen Blagojevic
Mark, On 4.4.2014 23:00, Mark Murphy wrote: So let me try to understand what is going on here. I generate a keystore using keytool, that contains a key. At this point it is equal to a self signed certificate, and it works, but the browser complains that there is no CA. (Standard on this list i

Re: Valid certificate chain failing with "unable to find valid certification path to requested "

2014-04-04 Thread Ognjen Blagojevic
On 4.4.2014 5:23, Toby Lazar wrote: I've run my client program with the -Djavax.net.debug=all option. First it listed out all of the trusted authorities. Mine is GoDaddy and this is the record: That one is not the issuer of your certificate. GoDaddy has many issuing certificates. The GoDaddy

Re: Valid certificate chain failing with "unable to find valid certification path to requested "

2014-04-03 Thread Ognjen Blagojevic
On 4.4.2014 0:27, Toby Lazar wrote: As others have noted here on other threads, you can use: http://portecle.sourceforge.net/ to see exactly which certificates your server is providing clients (Examine SSL/TLS connection). Viewing server certificates via browsers can be misleading since they d

Re: Generate pkcs12 certificates from offical COMODO certs

2014-02-15 Thread Ognjen Blagojevic
Frank, On 15.2.2014 7:02, Frank BONNET wrote: seems to work without it ! I recommend that you always import intermediate certificates into the keystore. If you don't, some clients / web browsers will find a way to look up missing certificates, but others will fail. Therefore, it is much

Re: Generate pkcs12 certificates from offical COMODO certs

2014-02-14 Thread Ognjen Blagojevic
Frank, On 14.2.2014 15:00, BONNET, Frank wrote: the intermediate cert in the one named "chain" right ? Yes, it is usually named that way. -Ognjen

Re: Generate pkcs12 certificates from offical COMODO certs

2014-02-14 Thread Ognjen Blagojevic
Frank, On 14.2.2014 14:10, BONNET, Frank wrote: I have official certificates for apache2 from COMODO that I would like to import into tomcat ( pkcs12 ) if someone has links / infos to do this task it would be a great help ( google doesn't help much ) You didn't mention if you have any prefe

[OT] Re: Tomcat JDBC Error

2014-01-28 Thread Ognjen Blagojevic
Leo, On 27.1.2014 18:17, Leo Medina wrote: Can you please elaborate more as to what you meant by: "com.mysql.jdbc.Driver must be present in one of your webapps. I'd expect it to be in a JAR that has mysql in the name. If you don't need it remove it." I meant that we don't have a mysql db. in

Re: Weird certificate situation -- I don't even understand why it works at all!

2014-01-21 Thread Ognjen Blagojevic
Mark, On 21.1.2014 9:55, Mark Thomas wrote: Why would this even work at all? Hard to say without seeing your server.xml. I could only guess: you misspelled "keyAlias" attribute name, so Tomcat just reads first key in the keystore. It would be worth checking if the keyAlias attribute had any

Re: Weird certificate situation -- I don't even understand why it works at all!

2014-01-21 Thread Ognjen Blagojevic
James, On 21.1.2014 0:14, James H. H. Lampert wrote: It seems that one of our customers moved their server to a different physical box, over the weekend, and we're now seeing some definite weirdness: Their Tomcat now shows a certificate that expired this past September. But it gets weirder: T

Re: Cannot connect from outside using Tomcat 7/APR/SSL on AWS Windows system

2014-01-19 Thread Ognjen Blagojevic
Jeffrey, On 19.1.2014 6:03, Christopher Schultz wrote: Could it be as simple as having set the "address" attribute? +1 BTW, setting attribute preferIPv4Stack=true on server side doesn't mean anything for the client. The client will try to connect with the protocol he prefers. The client m

Re: SSL certificates

2014-01-17 Thread Ognjen Blagojevic
On 17.1.2014 19:14, James H. H. Lampert wrote: At this point, if you haven't already done so, I would strongly suggest getting your CA's tech support in on this. +1 Reserved IP addresses and internal server names are not unique on the Internet, so the certificates for them may be reused in di

Re: SSL certificates

2014-01-17 Thread Ognjen Blagojevic
Miten, On 17.1.2014 14:33, Miten Mehta wrote: The catalina.out complains with SSL handshake stating No Name matching mhoodws.ril.local found. For security reasons, CA shouldn't sign any certificate containing internal server name (either as CN, or subjectAltName): "As of July 1, 2012, all

Re: Symantec SSL cert in tomcat 6

2014-01-03 Thread Ognjen Blagojevic
Martin, On 4.1.2014 0:27, Martin Gainty wrote: With JKS keystore you must keep private key and certificates in the same keystore. MG>Since A pfx that Verisign provides contains key and cert MG>"Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provi

Re: Symantec SSL cert in tomcat 6

2014-01-03 Thread Ognjen Blagojevic
Gene, On 3.1.2014 14:55, Gene Matthews wrote: The Symantec instructions say to ensure the alias for the ssl cert has an Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does not, to please import the certificate in the “Private Key” alias. With JKS keystore you must ke

Re: JSVC error

2014-01-02 Thread Ognjen Blagojevic
Vicky, On 31.12.2013 11:16, vicky wrote: ./startdaemon.sh: line 13: 7429 Segmentation fault (core dumped) ./bin/jsvc -cp $CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar -outfile $CATALINA_BASE/logs/catalina.out -errfile $CATALINA_BASE/logs/catalina.err -Dcatalina.hom

Re: ssl_error_internal_error_alert in tomcat 7

2013-12-20 Thread Ognjen Blagojevic
Jaya, On 20.12.2013 16:52, jaya ravindran wrote: That means server can do TLSv1. Then why can't it connect with TLS protocol on browsers. You may want to add -Djavax.net.debug=all to CATALINA_OPTS to debug handshake on server side. Compare OpenSSL handshake to Firefox handshake. Also, ther

Re: enable SSL for Tomcat

2013-12-04 Thread Ognjen Blagojevic
Sivakumar, On 4.12.2013 14:27, sivakumar_balag...@contractor.amat.com wrote: This csr has the DN formatted like CN=, OU=, O=, L=, ST=, C= which is based on the information we give while generating the keystore. But the signing authority in our domain accepts the dn format with cn=,ou=Devices,o

Re: enable SSL for Tomcat

2013-12-04 Thread Ognjen Blagojevic
Sivakumar, On 4.12.2013 12:11, sivakumar_balag...@contractor.amat.com wrote: I need to enable SSL for tomcat in a windows server 2008. I have generated a certificate using the csr generated by this command: certreq -new request.inf request.req (...) I have imported this certificate to CACERT

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Ognjen Blagojevic
Chris, On 25.11.2013 20:56, Christopher Schultz wrote: What most users do is to copy the XML example, and paste it into tomcat-users.xml. If that were the case, I would have expected to see "tomcat:s2cret" listed in the worm's "obvious creds" list. Since it's not there, I suppose that

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Ognjen Blagojevic
Mikolaj, On 25.11.2013 12:46, Mikolaj Rydzewski wrote: On 25.11.2013 12:42, Ognjen Blagojevic wrote: I also think it would be very useful if 401 error page for manager application does not example password "s3cret", but randomly generated long password unique for every request. I g

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Ognjen Blagojevic
Mark, On 25.11.2013 11:08, Mark Thomas wrote: Unrelated to this issue, I have recently expanded the section of the docs that covers securing the default applications. The updates will be in the next release. Until then you can read it via the copy of the docs built by the CI system: http://ci.ap

Re: PFX generation using keytool

2013-11-06 Thread Ognjen Blagojevic
Nestor, Chris, On 6.11.2013 22:50, Christopher Schultz wrote: java.security.KeyStoreException: TrustedCertEntry not supported. Entry for alias root not imported. Do you want to quit the import process? [no]: How can i solve this issue? What kind of stuff can be found in your .keystore source?

Re: Secure Tomcat With SSL

2013-10-30 Thread Ognjen Blagojevic
On 30.10.2013 18:41, Jeffrey Janner wrote: Not sure where to go from here! Can anyone help? I just want to do something basic and that is secure tomcat with a godaddy SSL cert. First, go back and re-read the last wonderful response you received from Ognjen. He is right on the money for how you

Re: Secure Tomcat With SSL

2013-10-28 Thread Ognjen Blagojevic
Chris, On 28.10.2013 21:45, Chris Arnold wrote: Let us first determine which connector do you have configured (BIO, NIO or APR), because HTTPS configuration depends on connector type. Could you send your server.xml with comments and sensitive information removed?

Re: Secure Tomcat With SSL

2013-10-28 Thread Ognjen Blagojevic
Chris, Leo, On 28.10.2013 18:23, Leo Donahue - OETX wrote: I've been having some trouble lately converting keys and certs from OpenSSL format into Java's JKS format. I follow all of the magical incantations I can find online to convert key+cert into a Java keystore but I get no love. Is there a

Re: Secure Tomcat With SSL

2013-10-27 Thread Ognjen Blagojevic
Chris, On 27.10.2013 2:47, Chris Arnold wrote: This is both possible, only if you plan to use either BIO or NIO HTTP connector. If you plan to use APR, connector configuration is completely different. Not sure what either of these are. I just need secure tomcat Let us first determine which c

Re: Secure Tomcat With SSL

2013-10-26 Thread Ognjen Blagojevic
Chris, On 26.10.2013 23:39, Chris Arnold wrote: Tomcat 7.0.42 on SLES11. I am following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to secure tomcat. I have uncommented the SSL HTTP section. The configuration section of that doc, importing the certificate: i have a go

Re: can't connect to manager application

2013-10-19 Thread Ognjen Blagojevic
Mark, On 19.10.2013 17:51, Mark Eggers wrote: On 10/19/2013 7:44 AM, Ognjen Blagojevic wrote: If you want to keep parameter deployXML set to false, I believe you need to copy webapps/manager/META-INF/context.xml to conf/Catalina/localhost/manager.xml. Yep, reproducible on Windows 7. Thanks

Re: can't connect to manager application

2013-10-19 Thread Ognjen Blagojevic
Edoardo, On 19.10.2013 0:03, Edoardo Panfili wrote: 4- second modify to server.xml becomes It is great that you took effort to pin-point the source of the problem. Often users are not willing to do that. Now, deployXML=false instructs Tomcat to ignore context descriptors in directory web

Re: can't connect to manager application

2013-10-17 Thread Ognjen Blagojevic
On 18.10.2013 7:34, Edoardo Panfili wrote: To rule out faulty upgrade, could you try to reproduce the problem on clean Tomcat 7.0.42 install? the problem was surely present with 7.0.39, the 7.0.42 is a fresh installation for me. Could you please clarify: does the problem exist on 7.0.42, 7.0.

Re: can't connect to manager application

2013-10-17 Thread Ognjen Blagojevic
Edoardo, On 17.10.2013 18:45, Edoardo Panfili wrote: Some release ago (tomcat 7.0.x sorry, I can't be more precise) all was well also on production server. Maybe i did something wrong during an update. To rule out faulty upgrade, could you try to reproduce the problem on clean Tomcat 7.0.42 i

Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-12 Thread Ognjen Blagojevic
Chris, On 11.10.2013 18:02, Christopher Schultz wrote: Also, a bit of a brainstorming now: could this whole thing be an IP protocol issue? I've seen similar behavior before, albeit not in the context of SSL handshake: client tries to connect using IPv6 address, but firewall doesn't allow it, so client

Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-10 Thread Ognjen Blagojevic
Chris, On 10.10.2013 19:11, Christopher Schultz wrote: Also, Chirag has the connector supporting only "TLS", so SSLv2 HELLO should ideally fail entirely. Setting attribute sslProtocol="TLS" may actually enable all protocols from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting something like

Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-10 Thread Ognjen Blagojevic
Chirag, On 10.10.2013 6:19, Chirag Dewan wrote: A small update. The customer's client is a C++ client, which uses OpenSSL. And I found that the client hello message is SSLv2 protocol. And the server response (server hello) is a TLSv1 protocol. Is there something I am missing? There is a difference in

Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-08 Thread Ognjen Blagojevic
Chris, On 8.10.2013 17:40, Christopher Schultz wrote: Can anyone assist me in understanding why it is failing for the first time? And is there any way I can force the Tomcat not to select this cipher suite? Or any other way that I can resolve this issue. See

Re: setenv.sh issue

2013-09-20 Thread Ognjen Blagojevic
Vicky, On 9/20/2013 4:14 AM, vicky wrote: I need to set certain application specific environment variables, please suggest what is the best way of doing that. eg:- configuring environment variable for LOG4j file path 1. Please, don't top post. 2. I doubt log4j will read any environment variables

Re: setenv.sh issue

2013-09-20 Thread Ognjen Blagojevic
Vicky, On 20.9.2013 11:32, vicky wrote: Hi All, When I am declaring variables in my $CATALINA_BASE/bin/setenv.sh file, they are not getting exported :- eg:- export NAME=e1 export ID=22 But when I am declaring the same variables in $CATALINA_BASE/bin/startup.sh in the following manner t

Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED

2013-09-17 Thread Ognjen Blagojevic
Mavenpol, On 16.9.2013 22:47, Mavenpol Saulon wrote: This server where I imported the certificates and has been encountering errors is just one of the servers that are configured to run SSL. All of the other servers have the same setup except for the "keytool -delete.." that I used in this parti

Re: Tomcat 7.0.42 Won't Start

2013-08-14 Thread Ognjen Blagojevic
Ragini, On 14.8.2013 22:53, Singh, Ragini wrote: Now when I place my application in the webapps folder and add the following to server.xml, my Tomcat doesn’t start. Adding context configuration into server.xml is discouraged. For alternative ways to configure context, please read: https:/

Re: FW: configuring realm UserDatabase do not works

2013-08-13 Thread Ognjen Blagojevic
Francesco, On 13.8.2013 1:01, Francesco Viscomi wrote: When I try to access the protected resource I get: (...) HTTP Status 403 - Access to the requested resource has been denied Error 403 means that the user is authenticated but not authorized (e.g. username and password are correct, but someth

Re: Upgrade to Tomcat 7 Issues

2013-08-12 Thread Ognjen Blagojevic
Seema, On 12.8.2013 13:09, Seema Patel wrote: org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot load JDBC driver class 'com.mysql.jdbc.Driver' ... Caused by: java.lang.ClassNotFoundException: com.mysql.jdbc.Driver You are doing fine. You correctly removed all the jar files as Chuck su

Re: Downgrade Tomcat7 to Tomcat6

2013-08-08 Thread Ognjen Blagojevic
Sumilang, On 8.8.2013 3:53, Sumilang Plucena wrote: I have a development server Ubuntu12.10 and Tomcat-7.0.30. But prior to upgrading Tomcat7 from Tomcat-6.0.29 we never had problems with our website. I would like to know how I can go about downgrading Tomcat7 without affecting applications ho

Re: LDAP/Realm with TLS in Tomcat 6/7?

2013-08-06 Thread Ognjen Blagojevic
Jens, On 6.8.2013 12:44, Jens Neu wrote: is there a lib/method/whatever to achieve Realm Auth in Tomcat > 5.x where username/password are protected by TLS? I never tried it myself, but you might find these links useful: https://wiki.apache.org/tomcat/JNDI_startTLs_HowTo https://issues.apa

Re: Remote deployments in Tomcat

2013-08-06 Thread Ognjen Blagojevic
Thulasiram, On 6.8.2013 12:46, Thulasiram Gopalakrishna wrote: If for some reason, the Manager application is / can not be deployed, is there still a way to achieve remote deployment on to Tomcat? Or is it a must, that we must be having Manager application deployed to deploy applications remot

Re: Problem with getRealPath("") on Tomcat 8

2013-08-02 Thread Ognjen Blagojevic
Mark, On 2.8.2013 13:33, Mark Thomas wrote: I noticed that (unlike Tomcat 7.0.42) this version throws IllegalArgumentException upon calling ServletContext.getRealPath(""). That looks like a bug in the new resources implementation. Thank you for your prompt response. I filed a bug: https:/
