Phil,

On 8/3/20 21:43, Phil Steitz wrote:
>
>
> On 7/24/20 10:46 AM, Christopher Schultz wrote:
> All,
>
> I have a JNDI <Resource> which is a JDBC DataSource. It is set to
> singleton="true" via defaults (not explicitly set).
>
> The JDBC Connections in this DataSource pool (using dbcp2 as
> provided by Tomcat) have TLS configuration including client
> certificates, trusted server certificates, etc.
>
> I'd like to be able to "bounce" the DataSource so that each
> Connection is re-established in order to pick-up any new TLS
> configuration -- specifically, reloading the key store and trust
> store for the connection.
>
> What's the best way to do that?
>
>> Do you want the connections that are checked out to clients to
>> be force-closed, so they will get exceptions when they try to use
>> them, or are you OK waiting until they get returned to the pool?

Waiting is totally fine for me. The idea is to rotate a TLS
certificate in advance of its expiration. I would expect that quite a
long grace period would be tolerable (like 24 hours), but my
application only uses db connections for a few ms at a time before
returning them. Others may have other expectations or requirements.

>> If you are OK being kind to clients, there is an enhancement
>> request pending for DBCP
>> (https://issues.apache.org/jira/browse/DBCP-559) that might do
>> what you want. I have not tested this, but I suspect that BDS
>> closed followed by "open" (new method proposed, to be
>> JMX-exposed) would cause idle connections to be closed
>> immediately, checked out to be closed when they come back and new
>> ones to be created in a new pool created by the open request.

This sounds like exactly what I'm looking for. Subject to the JDBC
driver and DriverManager also playing along, of course.

>> If you really need to kill them all immediately, that would (as
>> Mark said) require an invalidateAll or somesuch method added to
>> commons pool, then exposed by DBCP as maybe closeAll.

Agreed, but not important for me as of yet.

Thanks!
-chris
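
The drain-on-return behaviour suggested in the quoted reply (idle connections closed at once, checked-out ones closed when they come back, new ones created afterwards), as an added toy model that is not DBCP or Tomcat code and not from this thread. The class `BounceablePool`, the `Conn` stand-in and the generation counter are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Toy model (not DBCP code): bounce a pool without force-closing borrowed connections. */
public class BounceablePool {
    /** Stand-in for a JDBC Connection; generation marks which key/trust store it was built with. */
    static final class Conn {
        final int generation;
        boolean closed;
        Conn(int generation) { this.generation = generation; }
    }

    private final Deque<Conn> idle = new ArrayDeque<>();
    private int generation = 1;   // bumped on every bounce

    synchronized Conn borrow() {
        Conn c = idle.poll();
        // A freshly created connection would load the current key and trust stores.
        return (c != null) ? c : new Conn(generation);
    }

    synchronized void giveBack(Conn c) {
        if (c.generation != generation) {
            c.closed = true;      // built before the bounce: retire it instead of pooling it
        } else {
            idle.push(c);
        }
    }

    /** Models "close" followed by "open": idle connections go now, borrowed ones drain. */
    synchronized void bounce() {
        for (Conn c : idle) c.closed = true;
        idle.clear();
        generation++;
    }

    public static void main(String[] args) {
        BounceablePool pool = new BounceablePool();
        Conn inUse = pool.borrow();
        Conn parked = pool.borrow();
        pool.giveBack(parked);    // parked is now idle in the pool
        pool.bounce();            // certificate rotated on disk, pool bounced
        System.out.println("idle closed at bounce:  " + parked.closed);
        System.out.println("borrowed still open:    " + !inUse.closed);
        pool.giveBack(inUse);     // client finishes its work normally
        System.out.println("closed on return:       " + inUse.closed);
        System.out.println("next borrow generation: " + pool.borrow().generation);
    }
}
```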