users Digest 21 Mar 2013 00:54:48 -0000 Issue 11306

2013-03-20


Topics (messages 240593 through 240602)

Re: Tomcat 6.0.20/Windows 2008 R2/SSL Configuration
 240593 by: Cédric Couralet
 240594 by: Mark Eggers
 240598 by: my business mail

501 error not going to location
 240595 by: Shelley
 240597 by: Konstantin Kolinko
 240599 by: Shelley

Re: SSL Best Practices
 240596 by: Jeffrey Janner

BIO acceptorThreadCount
 240600 by: igaz

[OT] Sharing lots of little pieces of data across a cluster
 240601 by: Christopher Schultz

Re: Tomcat Behavior on Multiple HTTP requests from same browser
 240602 by: Christopher Schultz



Attachment: users_240593.eml (zipped)
2013/3/20 Harris, Jeffrey E. <Jeffrey.Harris@(protected)>:
>
>> -----Original Message-----
>> From: my business mail [mailto:mv.mail3@(protected)]
>> Sent: Wednesday, March 20, 2013 2:39 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.20/Windows 2008 R2/SSL Configuration
>>
>> I only added the keystore property not truststore. I was just following
>> what i'd done for tomcat4.1 on w2k3. Here is the log file. The
>> keystore file is DEF in the path indicated, but i see the error below
>> in the catalina file.
>>
>> Mar 20, 2013 2:35:21 PM
>> org.apache.catalina.startup.SetAllPropertiesRule
>> begin
>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>> property 'clientAuth' to 'false' did not find a matching property.
>> Mar 20, 2013 2:35:21 PM
>> org.apache.catalina.startup.SetAllPropertiesRule
>> begin


> One problem is that Tomcat is not finding your keystore file or loading your
> certificates. This can be because you entered the wrong path or file name,
> specified the wrong password, or there is a problem with the actual content
> of your keystore file.
>

Or maybe you are using APR with respect to SSL?

The configuration is a little different.

Can you try by replacing protocol="HTTP/1.1" with
protocol=org.apache.coyote.http11.Http11Protocol in your SSL
connector?


Attachment: users_240594.eml (zipped)
Comments inline and also I pasted your configuration in from a previous
email.

On 3/20/2013 11:39 AM, my business mail wrote:
> I only added the keystore property not truststore. I was just following
> what i'd done for tomcat4.1 on w2k3.

In general, don't do this. Tomcat 4.1 (rest its weary code) is long
dead, and configuration options may have changed. Please read the
relevant documentation.

For your version of Tomcat (please at least upgrade to 6.0.36), the
relevant URL is:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Configuration

> Here is the log file. The keystore
> file is DEF in the path indicated, but i see the error below in the
> catalina file.
>
> Mar 20, 2013 2:35:21 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'clientAuth' to 'false' did not find a matching property.
> Mar 20, 2013 2:35:21 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'keystoreFile' to 'D:/DevCert/dev.keystore' did not find a matching
> property.
> Mar 20, 2013 2:35:21 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'keystorePass' to 'password1' did not find a matching property.
> Mar 20, 2013 2:35:21 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
> Mar 20, 2013 2:35:21 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
> [false], random [true].

You are loading the APR libraries. This requires a different connector
configuration. You have the following:

  <Connector port="8442" protocol="HTTP/1.1" SSLEnabled="true"
          maxThreads="150" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS"
          keystoreFile="D:/DevCert/dev.keystore"
          keystorePass="password1" />

This appears to be fine for a Java-based SSL connection. You are using
APR, and its SSL connection is based on OpenSSL. Therefore, you need
something like the following:

<Connector
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       SSLCertificateFile="/usr/local/ssl/server.crt"
       SSLCertificateKeyFile="/usr/local/ssl/server.pem"
       clientAuth="optional" SSLProtocol="TLSv1"/>

This is copied straight from the documentation cited above (so it's UNIX
/ Linux specific). You'll also need to generate your cert and key files
a bit differently. Instructions on how to do that are also in the
document I cited above.

If you don't want to do that (and use Java SSL), then move
tcnative-1.dll out of your path (renaming it is the easiest way).

If this is a production machine, the native SSL is much faster than
Java-based SSL (been told that, I front all my SSL stuff with Apache
HTTPD so I don't know).

So either rename tcnative-1.dll or follow the documentation to use the
APR configuration.

> Mar 20, 2013 2:35:22 PM org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Mar 20, 2013 2:35:22 PM org.apache.coyote.http11.Http11AprProtocol init
> SEVERE: Error initializing endpoint
> java.lang.Exception: No Certificate file specified or invalid file format
>    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
>    at org.apache.tomcat.util.net.AprEndpoint.init (AprEndpoint.java:697)
>    at
> org.apache.coyote.http11.Http11AprProtocol.init (Http11AprProtocol.java:107)
>    at
> org.apache.catalina.connector.Connector.initialize (Connector.java:1058)
>    at
> org.apache.catalina.core.StandardService.initialize (StandardService.java:677)
>    at
> org.apache.catalina.core.StandardServer.initialize (StandardServer.java:795)
>    at org.apache.catalina.startup.Catalina.load (Catalina.java:535)
>    at org.apache.catalina.startup.Catalina.load (Catalina.java:555)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at
> sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:39)
>    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25)
>    at java.lang.reflect.Method.invoke (Method.java:597)
>    at org.apache.catalina.startup.Bootstrap.load (Bootstrap.java:260)
>    at org.apache.catalina.startup.Bootstrap.main (Bootstrap.java:412)
> Mar 20, 2013 2:35:22 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException: Protocol handler initialization failed:
> java.lang.Exception: No Certificate file specified or invalid file format
>    at
> org.apache.catalina.connector.Connector.initialize (Connector.java:1060)
>    at
> org.apache.catalina.core.StandardService.initialize (StandardService.java:677)
>    at
> org.apache.catalina.core.StandardServer.initialize (StandardServer.java:795)
>    at org.apache.catalina.startup.Catalina.load (Catalina.java:535)
>    at org.apache.catalina.startup.Catalina.load (Catalina.java:555)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at
> sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:39)
>    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25)
>    at java.lang.reflect.Method.invoke (Method.java:597)
>    at org.apache.catalina.startup.Bootstrap.load (Bootstrap.java:260)
>    at org.apache.catalina.startup.Bootstrap.main (Bootstrap.java:412)
> Mar 20, 2013 2:35:22 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 2143 ms
> Mar 20, 2013 2:35:22 PM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Mar 20, 2013 2:35:22 PM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
> Mar 20, 2013 2:35:23 PM org.apache.coyote.http11.Http11AprProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8080
> Mar 20, 2013 2:35:24 PM org.apache.coyote.http11.Http11AprProtocol start
> SEVERE: Error starting endpoint
> java.lang.Exception: Socket bind failed: [730048] Only one usage of each
> socket address (protocol/network address/port) is normally permitted.
>    at org.apache.tomcat.util.net.AprEndpoint.init (AprEndpoint.java:623)
>    at org.apache.tomcat.util.net.AprEndpoint.start (AprEndpoint.java:730)
>    at
> org.apache.coyote.http11.Http11AprProtocol.start (Http11AprProtocol.java:137)
>    at org.apache.catalina.connector.Connector.start (Connector.java:1131)
>    at
> org.apache.catalina.core.StandardService.start (StandardService.java:531)
>    at
> org.apache.catalina.core.StandardServer.start (StandardServer.java:710)
>    at org.apache.catalina.startup.Catalina.start (Catalina.java:583)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at
> sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:39)
>    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25)
>    at java.lang.reflect.Method.invoke (Method.java:597)
>    at org.apache.catalina.startup.Bootstrap.start (Bootstrap.java:288)
>    at org.apache.catalina.startup.Bootstrap.main (Bootstrap.java:413)
> Mar 20, 2013 2:35:24 PM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start:
> LifecycleException: service.getName(): "Catalina"; Protocol handler start
> failed: java.lang.Exception: Socket bind failed: [730048] Only one usage of
> each socket address (protocol/network address/port) is normally permitted.
>    at org.apache.catalina.connector.Connector.start (Connector.java:1138)
>    at
> org.apache.catalina.core.StandardService.start (StandardService.java:531)
>    at
> org.apache.catalina.core.StandardServer.start (StandardServer.java:710)
>    at org.apache.catalina.startup.Catalina.start (Catalina.java:583)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at
> sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:39)
>    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25)
>    at java.lang.reflect.Method.invoke (Method.java:597)
>    at org.apache.catalina.startup.Bootstrap.start (Bootstrap.java:288)
>    at org.apache.catalina.startup.Bootstrap.main (Bootstrap.java:413)
> Mar 20, 2013 2:35:24 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 2023 ms
>
>
> On Wed, Mar 20, 2013 at 2:27 PM, Harris, Jeffrey E. <
> Jeffrey.Harris@(protected):
>
>>
>>
>>> -----Original Message-----
>>> From: my business mail [mailto:mv.mail3@(protected)]
>>> Sent: Wednesday, March 20, 2013 2:18 PM
>>> To: Tomcat Users List
>>> Subject: Re: Tomcat 6.0.20/Windows 2008 R2/SSL Configuration
>>>
>>> So, I know the port numbers can be set to any unused port. I was
>>> toggling between 8442 and 8443. Neither worked. I just set it back to
>>> 8443.
>>> I feel like it's connecting somehow, because if I put in a port number
>>> that isn't configured...I get a connection error message.
>>> Otherwise, the browser icon just keeps spinning...nothing happens.No
>>> errors at all.
>>>
>>> On Wed, Mar 20, 2013 at 2:09 PM, David kerber <dckerber@(protected)>
>>> wrote:
>>>
>>>> On 3/20/2013 2:02 PM, my business mail wrote:
>>>>
>>>>> OK, here is the text copied from notepad.
>>>>>
>>>>>
>>>>>     <Connector executor="tomcatThreadPool"
>>>>>            port="8080" protocol="HTTP/1.1"
>>>>>            connectionTimeout="20000"
>>>>>            redirectPort="8443" />
>>>>>
>>>>>
>>>>>     <Connector port="8442" protocol="HTTP/1.1" SSLEnabled="true"
>>>>>
>>>>
>>>> 8442? Shouldn't it be 8443?
>>>>
>>>>
>>>>
>>>>             maxThreads="150" scheme="https" secure="true"
>>>>>            clientAuth="false" sslProtocol="TLS"
>>>>> keystoreFile="D:/DevCert/dev.keystore" keystorePass="password1" />
>>>>>
>>>>>
>>>>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>>> />
>>>>>
>>>>>
>>>>
>>>>
>>
>> I do not see a reference to a truststore:
>>
>>           truststoreFile=".\conf\myts.jks"
>>
>> The truststore can be the same file as the keystore.
>>
>> What do the error logs show?
>>
>> Jeffrey Harris

. . . . just my two cents.
/mde/


Attachment: users_240598.eml (zipped)
On Wed, Mar 20, 2013 at 3:38 PM, Mark Eggers <its_toasted@(protected):

> If you don't want to do that (and use Java SSL), then move tcnative-1.dll
> out of your path (renaming it is the easiest way).
>
> If this is a production machine, the native SSL is much faster than
> Java-based SSL (been told that, I front all my SSL stuff with Apache HTTPD
> so I don't know).
>
> So either rename tcnative-1.dll or follow the documentation to use the APR
> configuration.
>
>
*RESOLVED*
thank you, I renamed the tcnative-1.dll file from the path just as the
comment below indicated. this made it work!

"If you don't want to do that (and use Java SSL), then move tcnative-1.dll
out of your path (renaming it is the easiest way)."
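
The mismatch diagnosed in this thread (APR native library loaded while the SSL connector carries Java keystore attributes) can be checked mechanically from `server.xml` and the startup log. The Python sketch below is an added example, not code from the thread or from the Tomcat project; the function names and the `SAMPLE_*` inputs are constructed for illustration, using the connector and log lines quoted in the messages above.

```python
import re
import xml.etree.ElementTree as ET

# Attribute families as they appear in the two connector styles quoted in the thread.
JSSE_ONLY = {"keystoreFile", "keystorePass", "truststoreFile", "sslProtocol"}
APR_ONLY = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLProtocol"}
APR_CLASS = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_CLASSES = {
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
}

APR_LOADED_RE = re.compile(r"Loaded APR based Apache Tomcat Native library")
IGNORED_RE = re.compile(
    r"\{Server/Service/Connector\} Setting property '([^']+)' to '[^']*' "
    r"did not find a matching property"
)

# Constructed sample: the two HTTP connectors from the thread in a minimal wrapper.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8442" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="D:/DevCert/dev.keystore"
             keystorePass="password1" />
</Service></Server>"""

# Constructed sample: log lines from the thread, unwrapped to one event per line.
SAMPLE_LOG = """\
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'false' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystoreFile' to 'D:/DevCert/dev.keystore' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystorePass' to 'password1' did not find a matching property.
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
"""


def apr_loaded(log_text):
    """True when the startup log shows the native (APR) library was loaded."""
    return bool(APR_LOADED_RE.search(log_text))


def ignored_properties(log_text):
    """Names of connector attributes Tomcat reported as unmatched.

    Only names are returned: the warning itself echoes keystorePass in clear
    text, so the value should not be copied into further reports."""
    return IGNORED_RE.findall(log_text)


def effective_impl(protocol, apr):
    """Which SSL stack a connector ends up with for a given protocol value."""
    if protocol == APR_CLASS:
        return "APR"
    if protocol in JSSE_CLASSES:
        return "JSSE"
    # protocol="HTTP/1.1" lets Tomcat choose: APR when the native library loads.
    return "APR" if apr else "JSSE"


def check_connectors(server_xml, log_text=""):
    """Return one finding per SSL connector whose attributes do not fit the
    implementation Tomcat will select for it."""
    apr = apr_loaded(log_text)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        impl = effective_impl(conn.get("protocol", "HTTP/1.1"), apr)
        attrs = set(conn.attrib)
        wrong_style = sorted(attrs & (JSSE_ONLY if impl == "APR" else APR_ONLY))
        # APR/OpenSSL has no default certificate; JSSE falls back to a default keystore.
        missing = []
        if impl == "APR" and "SSLCertificateFile" not in attrs:
            missing.append("SSLCertificateFile")
        if wrong_style or missing:
            findings.append({"port": conn.get("port"), "impl": impl,
                             "wrong_style": wrong_style, "missing": missing})
    return findings


if __name__ == "__main__":
    print("ignored:", ignored_properties(SAMPLE_LOG))
    for finding in check_connectors(SAMPLE_SERVER_XML, SAMPLE_LOG):
        print(finding)
```

Run against the same `server.xml` with an empty log (the state after `tcnative-1.dll` is renamed), the check reports nothing, which matches the resolution above.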

Attachment: users_240595.eml (zipped)
I've configured an error-page in my web.xml to handle 501 error-codes, but
the resource specified in the location entry is not being returned by the
container as expected.

Here is the content of my web deployment descriptor. Note that the 404
error-page works as expected, but the 501 error-page does not.

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <error-page>
    <error-code>404</error-code>
    <location>/404</location>
  </error-page>
  <error-page>
    <error-code>501</error-code>
    <location>/501</location>
  </error-page>

</web-app>

Without an error-page element for the 501, the default Tomcat HTML error
page is returned with a status code of 501. When I add the error-page
element, the response status code is 501 but no content is returned
(Content-Length: 0). Instead, I would expect the content of my "/501"
location to be returned. (This is the exact problem that was described in
this thread [1] a couple years ago, but this thread did not seem to have an
answer/conclusion.)

This is occurring on Apache Tomcat 7.0.37.

Is there some additional configuration or modification needed for Tomcat to
honor the error-page location, or is this a bug?

[1]
http://mail-archives.apache.org/mod_mbox/tomcat-users/201109.mbox/%3C32475425.post@(protected)

Attachment: users_240597.eml (zipped)
2013/3/20 Shelley <randomshelley@(protected)>:
> I've configured an error-page in my web.xml to handle 501 error-codes, but
> the resource specified in the location entry is not being returned by the
> container as expected.
>
> Here is the content of my web deployment descriptor. Note that the 404
> error-page works as expected, but the 501 error-page does not.
>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>          version="3.0">
>
>   <error-page>
>      <error-code>404</error-code>
>      <location>/404</location>
>   </error-page>
>   <error-page>
>      <error-code>501</error-code>
>      <location>/501</location>
>   </error-page>
>
> </web-app>
>
> Without an error-page element for the 501, the default Tomcat HTML error
> page is returned with a status code of 501. When I add the error-page
> element, the response status code is 501 but no content is returned
> (Content-Length: 0). Instead, I would expect the content of my "/501"
> location to be returned. (This is the exact problem that was described in
> this thread [1] a couple years ago, but this thread did not seem to have an
> answer/conclusion.)
>
> This is occurring on Apache Tomcat 7.0.37.
>
> Is there some additional configuration or modification needed for Tomcat to
> honor the error-page location, or is this a bug?
>
> [1]
> http://mail-archives.apache.org/mod_mbox/tomcat-users/201109.mbox/%3C32475425.post@(protected)

1. How do you send your error and how do you test it?

2. You may try debugging, with a breakpoint in
o.a.catalina.core.StandardHostValve.status(..)
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

3. What is your error page? A servlet, a static file, a JSP?

4. 501 is "invalid method". I wonder whether it tries to serve the
error page itself using the same "wrong" method. E.g. the
DefaultServlet processes only valid methods (GET, POST, HEAD, ...).

Best regards,
Konstantin Kolinko


Attachment: users_240599.eml (zipped)
> 1. How do you send your error and how do you test it?

I'm testing the error with simple HTTP clients that send requests using
HTTP methods that the container and my app don't support by default (e.g.
COPY, PROPFIND). While debugging my app, it's clear that the HTTP method
and request are being sent correctly, and it seems that the Tomcat
container's HttpServlet implementation handles sending the 501 error.

> 2. You may try debugging, with a breakpoint in o.a.catalina.core.

Thanks, I may try that.

> 3. What is your error page? A servlet, a static file, a JSP?

It is a servlet, but I've also tested using a static HTML file, which
doesn't work either.

> 4. 501 is "invalid method". I wonder whether it tries to serve the error
> page itself using the same "wrong" method. E.g. the DefaultServlet
> processes only valid methods (GET, POST, HEAD, ...).


I think this may be what's happening. When the container HTTPServlet
receives the request for the error-page it's still using the original
method and so it's unable to serve up the error-page (again).

I'll try to do some more debugging of Tomcat's code to understand what's
happening, but in the meantime, I'd appreciate any other thoughts or ideas
as to how custom 501 error pages may be handled. Thanks!


On Wed, Mar 20, 2013 at 3:01 PM, Konstantin Kolinko
<knst.kolinko@(protected):

> 2013/3/20 Shelley <randomshelley@(protected)>:
> > I've configured an error-page in my web.xml to handle 501 error-codes,
> but
> > the resource specified in the location entry is not being returned by the
> > container as expected.
> >
> > Here is the content of my web deployment descriptor. Note that the 404
> > error-page works as expected, but the 501 error-page does not.
> >
> > <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="
> > http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="
> > java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
> >
> >   <error-page>
> >      <error-code>404</error-code>
> >      <location>/404</location>
> >   </error-page>
> >   <error-page>
> >      <error-code>501</error-code>
> >      <location>/501</location>
> >   </error-page>
> >
> > </web-app>
> >
> > Without an error-page element for the 501, the default Tomcat HTML error
> > page is returned with a status code of 501. When I add the error-page
> > element, the response status code is 501 but no content is returned
> > (Content-Length: 0). Instead, I would expect the content of my "/501"
> > location to be returned. (This is the exact problem that was described in
> > this thread [1] a couple years ago, but this thread did not seem to have
> an
> > answer/conclusion.)
> >
> > This is occurring on Apache Tomcat 7.0.37.
> >
> > Is there some additional configuration or modification needed for Tomcat
> to
> > honor the error-page location, or is this a bug?
> >
> > [1]
> >
> http://mail-archives.apache.org/mod_mbox/tomcat-users/201109.mbox/%3C32475425.post@(protected)
>
> 1. How to you send your error and how do you test it?
>
> 2. You may try debugging, w3ith a breakpoint in
> o.a.catalina.core.StandardHostValve.status(..)
> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> 3. What is your error page? A servlet, a static file, a JSP?
>
> 4. 501 is "invalid method". I wonder whether it tries to serve the
> error page itself using the same "wrong" method. E.g. the
> DefaultServlet processes only valid methods (GET, POST, HEAD, ...).
>
> Best regards,
> Konstantin Kolinko
>

Attachment: users_240596.eml (zipped)
> -----Original Message-----
> From: Jeffrey D. Fisher [mailto:jeff.fisher12237@(protected)]
> Sent: Tuesday, March 19, 2013 9:34 AM
> To: 'Tomcat Users List'; mgainty@(protected)
> Subject: RE: SSL Best Practices
>
> Yes, I do have a CA-issued certificate with a chain to a trusted CA.
> I've imported it to the keystore. I am close to a solution. When I
> attempt to open the default Apache web page using "https:" I get an
> error page that says that the server cannot open the page. It opens
> with "http:" just fine.
> I have configured the normal ports i.e. "80" and "443" to redirect to
> "8443". The reason for this is that the users having to include the
> port numbers (8080 or 8443) would not be acceptable. They need only
> enter the DNS name into the browser and DNS does the rest.

This is a little overkill. Set up the "443" connector as the SSL connector and dump the "8443" connector as unneeded.
The "80" connector should redirect to "443".
And make sure that you are not using the APR, aka "native", library. Either comment out the listener for it, or remove the lib file from the bin directory, or both (best).
As others have suggested, make sure you mark the 443 connector as secure="true", and verify the other settings.
Here are the connectors I use for all my servers.

  <Connector address="[IP_ADDRESS]" port="80" maxHttpHeaderSize="8192"
         maxThreads="50" enableLookups="false" redirectPort="443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true" compression="off" />
  <Connector address="[IP_ADDRESS]" port="443" maxHttpHeaderSize="8192"
         maxThreads="150" enableLookups="false" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true" compression="off"
         scheme="https" secure="true" SSLEnabled="true"
         SSLCertificateFile="path"
         SSLCertificateKeyFile="path"
         SSLCertificateChainFile="path"
         SSLPassword="password" />

Note this is for Tomcat 6 using the native lib. You'll have to replace the last 4 lines with the properties for the Java keystore, and there are probably some other changes needed for Tomcat 7.

>
> I am missing something in the configuration of SERVER.XML, WEB.XML or
> both to get the server to answer to an https connection. I cannot find
> what it is that I have not done or I have missed!
>
> Any input would be appreciated.
>
> Best...

There are web.xml tags -- security-constraint tree -- that also govern *when* to switch to using the SSL port.
Jeff
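
The keystore-based variant and the web.xml constraint mentioned in the message above, as an added example that is not part of the original post or the poster's own configuration. The keystore path, password, key alias and url-pattern are placeholders chosen for illustration; the attribute names are the standard Tomcat 6/7 JSSE connector attributes.

```xml
<!-- server.xml (fragment). Plain-HTTP connector: redirectPort is where Tomcat
     sends a request that matches a CONFIDENTIAL constraint in web.xml. -->
<Connector address="[IP_ADDRESS]" port="80"
           protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" redirectPort="443" />

<!-- server.xml (fragment). JSSE (pure Java) TLS connector. The four
     SSLCertificate*/SSLPassword lines are replaced by keystore attributes.
     Naming the BIO protocol class explicitly prevents Tomcat from picking
     the APR/native connector, which does not read the keystore attributes.
     Placeholder values: keystoreFile, keystorePass, keyAlias. -->
<Connector address="[IP_ADDRESS]" port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/keystore.jks"
           keystoreType="JKS"
           keystorePass="changeit-placeholder"
           keyAlias="tomcat" />

<!-- web.xml (fragment). Any request for a matching URL that arrives on a
     non-secure connector is redirected to that connector's redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Without the security-constraint, the port 80 connector keeps serving content over plain HTTP, because redirectPort alone does not force a redirect.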



Attachment: users_240600.eml (zipped)
I was curious as to people's actual experience with setting a Connector's
acceptorThreadCount while using the BIO http connection (the default)

Frankly, I was unaware that java.net.ServerSockets were multi-thread safe
(although interestingly the javadoc explicitly states that
ServerSocketChannels are)

Has anyone seen throughput increase with larger # of acceptorThreads? Did
you set it == to # of hardware threads?





Attachment: users_240601.eml (zipped)
All,

I have an in-process "service" that stores valid nonces on a server
for a particular set of client operations. The nonces are created
once, then expire after a certain amount of time. They never change.
I'd like to make this in-process service into an out-of-process
service that can be accessed by any node in my cluster, basically
acting like a communal hash map.

Memcached is the perfect application for this kind of thing, right? It
is fast and simple, plus supports key expiration out of the box.

Doing a bit of reading (I've never actually used memcached before), it
seems like memcached is better-suited as a /cache/ -- that is,
something that sits between a slow data source and clients. They
suggest that you /not/ configure "failover" but instead allow a dying
node in your memcached cluster to simply die and consider the data
lost: go back to the canonical data source and re-fetch the data. In
my case, I have no (other) canonical data source: I just want to use
memcached.

(Note that if the whole service were to fall-over and I had to restart
the nonce-storage cluster and start with a completely empty
"database", it wouldn't be the end of the world. There would be a lot
of grumbling, because everyone would have to request new nonces and
re-start any transactions that were using them.)

Also, the memcached servers don't really know about each other, right?
So, it's not really a big, shared hashtable. Instead, it's like a
bunch of separate hash tables and the client knows which server ought
to have the data when it requests it based upon the key.

Am I barking up the wrong tree by looking at memcached? Is there
something else that would be better for me? It's a simple enough set
of requirements that writing it myself could be done easily. Then
again, it's a simple enough set of requirements that someone /must/
have done this before me.

Thanks,
-chris


Attachment: users_240602.eml (zipped)
André,

On 3/20/13 2:25 PM, André Warnier wrote:
> Saurabh Agrawal wrote:
>> All our assets are served from L3 CDN. So the asset requests
>> never come to the application server.
>
> That, I do not understand. I do not understand what you mean by
> "assets" here, and I do not understand "L3 CDN". So I cannot tell
> if this is relevant or not to the problem.

CDN = Content Delivery Network. I'm not sure what "L3" (probably
"Level 3", a data center operations company) is, but a CDN is
basically a whole bunch of copies of your files geographically
distributed such that requesting a file always gets the bits that are
closest to you. Kind of a cool thing. ;)

The bottom line is that Saurabh expects only dynamic requests to come
to Tomcat, so keepalives should be much less useful than if Tomcat
were to be serving everything. Imagine httpd out front serving all
static content and forwarding dynamic stuff to Tomcat via AJP --
that's almost exactly what's going on here, except that the static
stuff is being served very efficiently from a network-topology
perspective.

Since AJP is in use, keepalive is almost entirely a red herring as
typical AJP connections are permanently-connected to the web server.

> So, by default, the keepAliveTimeout [for AJP] is set to
> "infinite".
>
> [snip]
>
> And if the client keeps the connection open, but does not send any
> additional request on that connection, the Thread will wait
> theoretically forever (because that is what the documentation says
> about the default value of these parameters).

No, the defaults are different for non-AJP connections. Tomcat's
default default is 60 seconds but the stock server.xml configures it
to 20 seconds.

> Now your case is a bit different, because - you are not using the
> HTTP BIO connector (you use AJP)

I think you've gotten yourself confused, here, unfortunately. You can
use AJP with BIO, NIO, or APR (maybe you mixed-up AJP and APR between
your eyes and your brain... the two are honestly too close to each
other and it is very easy to do that).

He is in fact using the BIO connector because he has specified
protocol="org.apache.coyote.ajp.AjpProtocol".

> - in front of your Tomcat, is an Apache httpd server. This server
> has its own keep-alive settings which apply to the connection of
> the client with Apache httpd. And these keep-alive settings are a
> bit different from the Tomcat ones (for example, there is a
> keep-alive timeout, but also a MaxKeepAliveRequests)

+1

> - between Apache httpd and Tomcat, there is the mod_jk module in
> Apache, and that module uses its own timeouts (as set in
> workers.properties), and in addition it uses itself a pool of
> connections to Tomcat, and this pool of connections has its own
> rules for keeping alive a connection between Apache and Tomcat.
>
> But the basic principles above apply, and may explain why you are
> seeing what appears to be one Thread dedicated to one client,
> forever.

I think there might be a problem with the instrumentation, or just
coincidences at a fairly implausible level. The truth of the matter is
that Tomcat does not allocate a thread permanently to a remote client
until ... whenever the client "disconnects" (whatever that means, as
HTTP is a connection-less protocol).

-chris
