James,

On 12/27/19 14:22, James H. H. Lampert wrote:
> On 12/26/19 8:31 PM, Igal Sapir wrote:
>> You should check out Chris' presentations on the topic. He
>> outlines a very efficient process. There is probably more
>> material out there, but a quick search brings up the video [1]
>> and slides [2] from his presentation at ApacheCon earlier this
>> year, as well as his shell script for automating the process.
>
> Excellent video.

I'm glad you think so. Before the recording begins, there are ~10 minutes worth of shenanigans where 4 Tomcat PMC members try to figure out how to get the projector working. And no, Rémy, it wasn't because I was using a Mac :)

> As it happens, one way or another (and I'm not entirely sure
> *which* way; I'd have to look at my notes), we *do* have Tomcat
> listening directly on 443 (but not 80; nothing there is currently
> listening on 80) on that particular EC2 instance (and I'm pretty
> sure we have HTTPD running on a *different* port, for the SVN and
> Trac sharing the box).

ACME almost requires port 80 to be opened. There are other options, but the simplest is to open port 80[1].

> At this point, I think I'm going to have to go through the video
> at least once more, just to come up with intelligent questions to
> ask, other than "What is JMX?" (I've already got the Wikipedia
> article up, but it seems to be more about the internal nuts and
> bolts of it than about how to use it.) When the subject first
> comes up in the presentation, I saw some sort of JMX GUI in use,
> that was evidently something the attendees were already familiar
> with, but I'm completely in the dark.

Honestly, you don't even have to understand JMX itself (spoiler alert: it's a protocol which lets you manage stuff, like SNMP does). It's Java-specific, requires RMI, and has an odd configuration. I wouldn't recommend using it directly unless you want to use a GUI client like VisualVM or one of the Java IDEs that has one bundled into it.

I always recommend using the JMXProxyServlet, which is a part of the manager webapp. It gives you access to all the MXBean stuff that you can get via the full JMX protocol without having to have complicated (JMX) configuration, additional ports opened on your firewall, or a GUI available at all. (I tend to work on headless Linux-based servers, so a GUI isn't convenient at all. Likewise, running a GUI to ping an MXBean in a crontab isn't something you want to do.)

If you have a Tomcat running on your localhost desktop, this will be easy to explore: just fire up VisualVM (which you may have to download[2] and install) or jvisualvm (if you have a JDK) and attach to the JVM running Tomcat. Under the "MBeans" tab, there is a tree of ... stuff. Poke around in there and have a look at the things under "Catalina". Many of them are read-only, but some of them have writable values and also "operations" that you can invoke to cause something to happen on the server.

At $work, we have an MBean for reloading system announcements from our database. We can push an announcement into a table in our database and every 5 minutes our application servers refresh their list of announcements from the db. This allows us to have mostly-current information available to the application server without having to hit the db for every single user hitting a certain set of pages. That MBean just has a "reload" operation which takes no arguments and returns nothing. When it runs, it refreshes the announcements from the database.

Tomcat has something similar for the TLS configuration. If you reload that, it will re-load the keystores, truststores, certificates, etc. that were in the original configuration.

-chris

[1] https://jmorahan.net/article/lets-encrypt-without-port-80
[2] https://visualvm.github.io/
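The "invoke an MBean operation through the JMXProxyServlet from a cron job" approach described above, as an added example that is not Chris's script or part of the original post. It assumes the manager webapp is deployed at MANAGER_URL, a user with the manager-jmx role has credentials in ~/.netrc (mode 600), and that the TLS connector's MBean name and its reloadSslHostConfigs operation match your Tomcat version (check with the qry helper first).

```shell
#!/bin/sh
# Added example: reload Tomcat's TLS configuration via the manager webapp's
# JMXProxyServlet with curl. Defaults below are assumptions; adjust them.
MANAGER_URL="${MANAGER_URL:-https://localhost:8443/manager}"
# Assumed ObjectName of the TLS connector's protocol handler; list candidates
# with list_mbeans 'Catalina:type=ProtocolHandler,*' before relying on it.
TLS_MBEAN="${TLS_MBEAN:-Catalina:type=ProtocolHandler,port=8443}"

# Build the JMXProxyServlet "invoke" URL: ?invoke=<ObjectName>&op=<operation>
# with an optional &ps=<comma-separated params> for operations taking arguments.
jmxproxy_invoke_url() {
  # $1 = MBean ObjectName, $2 = operation name, $3 = params (empty for none)
  if [ -n "$3" ]; then
    printf '%s/jmxproxy/?invoke=%s&op=%s&ps=%s\n' "$MANAGER_URL" "$1" "$2" "$3"
  else
    printf '%s/jmxproxy/?invoke=%s&op=%s\n' "$MANAGER_URL" "$1" "$2"
  fi
}

# The servlet answers with a first line beginning "OK - " on success and
# "Error - " on failure; succeed only for the former so cron can alert on it.
jmxproxy_reply_ok() {
  case "$1" in
    "OK - "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# List MBeans matching an ObjectName pattern (to find the right TLS_MBEAN).
# -n reads credentials from ~/.netrc so they never appear on the command line.
list_mbeans() {
  curl -sS -n "$MANAGER_URL/jmxproxy/?qry=$1"
}

# Invoke the zero-argument reload operation and report success via exit status.
reload_tls_config() {
  reply=$(curl -sS -n "$(jmxproxy_invoke_url "$TLS_MBEAN" reloadSslHostConfigs "")") || return 1
  printf '%s\n' "$reply"
  jmxproxy_reply_ok "$reply"
}

# Only talk to the server when explicitly asked, e.g. from a crontab entry:
#   ./reload-tls.sh --run
case "${1:-}" in
  --run) reload_tls_config ;;
esac
```

Pair it with the ACME client's renewal hook so the reload runs right after a new certificate lands in the keystore.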