To all,

Oh... Here is the entry in our server.xml (probably the most important part):

<Connector port="<Omitted>" address="<Omitted>" protocol="HTTP/1.1"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
           keyAlias="<omitted>"
           keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
           keystorePass="<omitted>" />

<!-- Connector attribute names are case-sensitive: "maxthreads" would be ignored
     by Tomcat (logged as a non-matching property at startup), so it is maxThreads -->
<Connector port="<omitted>" address="<omitted>"
           protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
           scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
           keyAlias="<omitted>"
           keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
           keystorePass="<omitted>" />

Users connect directly to the first listed connection. The second SSL port is
not currently used.

Thanks,
Lee

From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
Sent: Tuesday, October 07, 2014 1:31 PM
To: users@tomcat.apache.org
Subject: Help with Apache Tomcat/7.0.53 SSL issue

To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL.
I am currently running three environments (Dev, UAT, and Prod). Prod comprises
4 VMs (uname states the version as "2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux"),
each containing a local version of Java [ Java(TM) SE Runtime Environment
(build 1.7.0_55-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed
mode) ]. Tomcat and Java are owned by the user running the app. The VMs are
load balanced over two pairs of LTMs (LTM1 balances node 1 and node 2; LTM2
balances node 3 and node 4). The test environment is scaled down to just one
LTM with two nodes, and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL;
everything went as planned. When I deployed into production, I started to get
complaints about timeouts to the service. After much troubleshooting, we were
able to discern, using curl and TCPDUMP, that in production the LTM was
intermittently not getting a response back from the application. Our LTMs are
configured to serve as an SSL proxy. On the VM, TCPDUMP shows that traffic is
being presented to the socket but there is no response. As far as I can tell
the three environments (TOMCAT and JAVA) are the same. I find nothing in the
logs, both access and catalina.out. When I restart the servers the problem goes
away for about one hour, then it comes back rapidly. Using top and sar I do not
see any issues with operating system performance. Also, going down to one node,
the problem persists. Here are the options that are in setenv.sh:

export JAVA_OPTS="$JAVA_OPTS\
-verbosegc\
-Xms256m\
-XX:+DisableExplicitGC\
-Xmx2g"


Here is the error that I see from curl:

curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt University
lee.bre...@vanderbilt.edu | phone 615.343.2802 | it.vanderbilt.edu
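Two things in the posted server.xml are worth checking mechanically when reviewing a Connector like this: attribute names that Tomcat silently ignores because they differ from the documented spelling only in letter case (the second connector's "maxthreads"), and a cipher list made entirely of RC4 and 3DES suites. The checker below is an added example, not code from the thread or from Tomcat; the sample XML is constructed from the two connectors above with port, address and keystore password replaced by placeholders.

```python
import xml.etree.ElementTree as ET

# Connector attributes a Tomcat 7 HTTP/1.1 connector recognizes (subset used here).
# Tomcat matches attribute names case-sensitively: a misspelt one is reported as a
# non-matching property at startup and otherwise ignored, so the default applies.
KNOWN_ATTRS = {"port", "address", "protocol", "SSLEnabled", "maxThreads", "scheme",
               "secure", "clientAuth", "ciphers", "keyAlias", "keystoreFile", "keystorePass"}

# Substrings that mark legacy cipher suites (RC4, 3DES, MD5 MAC, export, anonymous, null).
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "EXPORT", "anon", "NULL")

# Constructed sample modelled on the two connectors in the post; port, address and
# keystore password are placeholders, cipher list and attribute spelling are verbatim.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" address="203.0.113.10" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="false"
             ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keyAlias="idp" keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
             keystorePass="PLACEHOLDER"/>
  <Connector port="8444" address="203.0.113.10" protocol="org.apache.coyote.http11.Http11Protocol"
             maxthreads="150" scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
             ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keyAlias="idp" keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
             keystorePass="PLACEHOLDER"/>
</Service>"""


def audit_connectors(xml_text):
    """Return (port, message) findings for every SSL-enabled Connector in xml_text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled") != "true":
            continue
        port = conn.get("port", "?")
        # An attribute that differs from a known name only in case is dropped by Tomcat.
        for name in conn.attrib:
            if name not in KNOWN_ATTRS:
                hit = next((k for k in KNOWN_ATTRS if k.lower() == name.lower()), None)
                if hit:
                    findings.append((port, f"'{name}' is ignored (case-sensitive); use '{hit}'"))
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        for c in ciphers:
            if any(m in c for m in WEAK_MARKERS):
                findings.append((port, f"legacy cipher suite {c}"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {msg}")
```

Run against the sample it reports the ignored "maxthreads" on the second connector and all three suites on both connectors as legacy; a connector that is not SSLEnabled produces no findings.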
