Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/15 01:51:41 Andy Arismendi wrote:
> ADDITIONAL ENVIRONMENT INFO UPDATE:
> 
> libtcnative: org.apache.catalina.core.AprLifecycleListener.lifecycleEvent 
> Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.4].
> 
> CRASH LOG
> 
> See enclosed: hs_err_pid4464.log

Attachments are stripped. You need to upload it somewhere or send via email.

Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/14 20:27:02 Christopher Schultz wrote:
> 
> 
> On 5/14/24 15:23, Andy Arismendi wrote:
> > Sure thing -
> > 
> > ADDITIONAL ENVIRONMENT INFO:
> > 
> > libtcnative: tcnative-1.dll is included in the Tomcat 9.0.89 64-bit Windows 
> > zip download, not sure about the version...
> > OpenSSL version: 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) 
> > (with FIPS 140-2)
> > 
> > Regarding expecting a directory of certificate hash files, I wasn’t
> > aware of this, assumed it would pick up CA cert PEM files in a
> > directory.
> 
> The Tomcat documentation does say this just needs to be a directory full 
> of PEM files. I can trace through the code to see if it's more like what 
> Michael-O posted. Honestly, the whole idea of having to run c_rehash is 
> a stupid hack for stupid programs. You should never have to do that. :/

If the docs say so, then we need to fix the docs because all path input in 
OpenSSL expects simplified subject hashes. Anything else will not work/will be 
ignored. Use strace/truss/etc. and you will see what OpenSSL will try to read. 
"openssl s_server" will do the trick here for you.

Michael




Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/15 01:51:41 Andy Arismendi wrote:
> ADDITIONAL ENVIRONMENT INFO UPDATE:
> 
> libtcnative: org.apache.catalina.core.AprLifecycleListener.lifecycleEvent 
> Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.4].
> 
> CRASH LOG
> 
> See enclosed: hs_err_pid4464.log
> 
> c_rehash.pl
> 
> I didn’t have perl, tried strawberry perl, it didn’t seem to create symlinks 
> on Windows so I do it with a powershell using "openssl x509 -subject_hash 
> -fingerprint -noout -in " making symlinks in the same directory for 
> each CA cert PEM e.g. a655d288.0 (link) -> cert.pem (file). This didn’t seem 
> to make a difference though, JVM still crashed.

To make sure I have just tried:
> 8981 2024-05-15T10:26:58.717 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
> Apache Tomcat/9.0.89
> 8982 2024-05-15T10:26:58.722 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Server built:  
> May 3 2024 20:22:11 UTC
> 8983 2024-05-15T10:26:58.722 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Server version number: 
> 9.0.89.0
> 8984 2024-05-15T10:26:58.722 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log OS Name:   
> HP-UX
> 8985 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log OS Version:
> B.11.31
> 8986 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Architecture:  
> IA64N
> 8987 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Java Home: 
> /opt/java8/jre
> 8988 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log JVM Version:   
> 1.8.0.27-hp-ux-b1
> 8989 2024-05-15T10:26:58.724 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
> Hewlett Packard Enterprise Company
> 8990 2024-05-15T10:26:58.724 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: 
> /var/opt/tomcat-services
> 8991 2024-05-15T10:26:58.724 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: 
> /opt/ports/apache-tomcat-9.0.89
> 9015 2024-05-15T10:26:58.733 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache 
> Tomcat Native library [1.3.0] using APR version [1.7.4].
> 9016 2024-05-15T10:26:58.733 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random 
> [true], UDS [true].
> 9017 2024-05-15T10:26:58.733 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL 
> configuration: useAprConnector [true], useOpenSSL [true]
> 9018 2024-05-15T10:26:58.816 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
> successfully initialized [OpenSSL 3.0.13 30 Jan 2024]

With my smartcard it just works:
>  maxParameterCount="1000"
> maxHttpHeaderSize="24576" maxThreads="250"
> SSLEnabled="true" scheme="https" secure="true"
> defaultSSLHostConfigName="...">
>  honorCipherOrder="true" disableSessionTickets="true"
> certificateVerification="optional" certificateVerificationDepth="5"
> 
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384"
> caCertificatePath="/opt/openssl/certs">
>  certificateKeyFile="/opt/openssl/.../key.crt"
> certificateKeyPasswordFile="/opt/openssl/.../password" type="RSA" 
> />
> 
>  value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
> 
> 
> 
> 

M
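
The hashed CA directory discussed in this thread (OpenSSL path input expects subject-hash names, and the links of the form a655d288.0 -> cert.pem described above), as an added example that is not part of any message in the thread. The function names rehash_dir, cert_hash and cert_fingerprint and the file extensions are this example's own choices; it assumes the openssl command is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): populate a caCertificatePath-style
# directory with the <subject-hash>.<n> names OpenSSL looks up.

# Print the subject hash of a PEM certificate (command quoted in the thread).
cert_hash() {
    openssl x509 -subject_hash -noout -in "$1" 2>/dev/null
}

# Print the certificate fingerprint; used only to spot duplicate certificates.
cert_fingerprint() {
    openssl x509 -fingerprint -noout -in "$1" 2>/dev/null
}

# rehash_dir DIR
# Links every *.pem, *.crt and *.cer in DIR as DIR/<hash>.<n>.
# Returns 0 when every file was linked or was a duplicate, 1 when at least
# one file could not be parsed, 2 when DIR is not a directory.
rehash_dir() {
    dir=$1
    result=0
    if [ ! -d "$dir" ]; then
        echo "rehash_dir: not a directory: $dir" >&2
        return 2
    fi

    # Drop hash links left over from an earlier run (symlinks only).
    for old in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done

    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        if [ ! -f "$cert" ]; then continue; fi   # unmatched glob pattern
        subj=$(cert_hash "$cert") || subj=""
        case "$subj" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
            *)  echo "skipped (not a readable certificate): $cert" >&2
                result=1
                continue ;;
        esac
        fp=$(cert_fingerprint "$cert") || fp=""

        # Different CAs can share a subject hash; OpenSSL then tries .0, .1, ...
        n=0
        duplicate=no
        while [ -e "$dir/$subj.$n" ]; do
            if [ "$(cert_fingerprint "$dir/$subj.$n")" = "$fp" ]; then
                duplicate=yes
                break
            fi
            n=$((n + 1))
        done
        if [ "$duplicate" = yes ]; then
            echo "duplicate of $subj.$n, not linked: $cert" >&2
            continue
        fi

        # A relative link target keeps the directory relocatable.
        ln -s "$(basename "$cert")" "$dir/$subj.$n"
        echo "$subj.$n -> $(basename "$cert")" >&2
    done
    return "$result"
}

# Usage: rehash_dir /opt/openssl/certs
```

OpenSSL 1.1.0 and later ship "openssl rehash", which produces the same layout and copies the file where symbolic links are not available.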




Re: Regarding Tomcat url redirection

2024-05-15 Thread Christopher Schultz

Lavanya,

On 5/15/24 04:43, lavanya tech wrote:
> Thought to write you privately, regarding the tomcat url redirection as
> the mail chain is getting more big big

It's better to post to the list, so anyone in your situation can learn 
from it.

> Let me know if it's fine for you and here is what I did.
>
> 1)      autoDeploy="true">

Don't do this. Just put towl.war into webapps/ and let it auto-deploy. 
What you are doing here is double-deploying your "towl" application: 
once as "" (ROOT) and once as "/towl". Remove this from server.xml.

>            className="org.apache.catalina.valves.rewrite.RewriteValve" />

Okay.

> 2) I have towl application and towl.war under webapps directory
> 3) added  proxy port and proxyname to connector
>
>      protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 maxThreads="150" SSLEnabled="true">
>                 proxyPort="8443" proxyName="server.lbg.com">
>          className="org.apache.coyote.http2.Http2Protocol" />
>

Okay.

> 4) added rewrite.config under conf directory
> > # Redirect everything that is not server.lbg.com to
> > # server.lbg.com . Don't worry about /towl yet.
> > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [L]
> >
> > # Redirect anything that isn't already going to /towl
> > # to go to /towl
> > RewriteCond %{REQUEST_URI} !^/towl
> > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [L]
>
> 5) restarted tomcat
> 6) can access all the urls https://server.lbg.com:8443 , https://server.lbg.com ,
> https://server.lbg.com:8443/towl , https://server.lbg.com/towl
>
> https://example.lbg.com:8443 , https://example.lbg.com ,
> https://example.lbg.com:8443/towl , https://example.lbg.com/towl
>
> Unfortunately aliasing still does not work https://example.lbg.com
> --> https://server.lbg.com:8443/towl and many urls works


The "aliasing" will always be weird. IMO it's better to redirect. If you 
change to redirect, does everything *work*, even if you don't like how 
the browser's URL bar displays?


-chris

On Tue, May 14, 2024 at 11:38 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

Lavanya,

On 5/14/24 15:11, lavanya tech wrote:
 > You are right. We need aliasing here which means the URL in the browser
 > does not change.
 > May I know where should I put the below rewrite files ?
 >
 > # Redirect everything that is not server.lbg.com to
 > # server.lbg.com . Don't worry about /towl yet.
 > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
 > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
 >
 > # Redirect anything that isn't already going to /towl
 > # to go to /towl
 > RewriteCond %{REQUEST_URI} !^/towl
 > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]

AIUI, you can put all of the above in conf/rewrite.config and configure
the  under your  just as you had it before.

If you want aliasing and not redirection, then you don't want the [R]
flag. IMO, you should really do a redirect. If you don't, then the
application and the browser disagree about the base URL and all kinds of
things like that.

-chris

 > On Tuesday, May 14, 2024, Christopher Schultz <ch...@christopherschultz.net>
 > wrote:
 >
 >> Lavanya,
 >>
 >> On 5/14/24 09:12, lavanya tech wrote:
 >>
 >>> IMHO removing the port number is always the preferred solution
— I never
  did it
 
 
 > can we achieve this with tomcat or we need to setup an
reverse proxy
 > here.
 >
 >
  Your application uses whatever internal URLs it wants. Are you
building
  those yourself, or are you asking Tomcat for the e.g.
hostname, etc.? If
  it's Tomcat, this is where the proxyName and proxyPort come in.
 
 >>>
 >>>    - Yes, I have not built these UrLs before. It’s was working
from the
 >>> very
 >>> beginning. As. I mentioned we are not able to reach goal or
whatever.
 >>>
 >>> Rather than saying redirection, I would say it’s aliasing.
 >>>
 >>
 >> Please be specific. "Aliasing" (to me) means "the URL does to
the right
 >> place but doesn't change in the browser's URL" and "redirection" (to
 >> ever

Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Andy Arismendi
Ah wasn’t sure if attachments worked, log content information below. Yea the 
docs just say directory for trusted CA PEM certificates.


TOMCAT DOCS

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html: caCertificatePath 
(OpenSSL only) Name of the directory that contains the certificates for the 
trusted certificate authorities. The format is PEM-encoded.


CATALINA LOG FINE LEVEL CONTENT

15-May-2024 01:37:45.569 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
Apache Tomcat/9.0.89
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server built:  
May 3 2024 20:22:11 UTC
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version number: 
9.0.89.0
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Name:   
Windows Server 2019
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Version:
10.0
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Architecture:  
amd64
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Java Home: 
D:\Program Files\Java\jre
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:   
1.8.0_322-b06
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
Azul Systems, Inc.
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: 
D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: 
D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.util.logging.config.file=D:\Program 
Files\apache-tomcat\conf\logging.properties
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djdk.tls.ephemeralDHKeySize=2048
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dignore.endorsed.dirs=
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dcatalina.base=D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dcatalina.home=D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.io.tmpdir=D:\Program Files\apache-tomcat\temp
15-May-2024 01:37:45.600 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache 
Tomcat Native library [1.3.0] using APR version [1.7.4].
15-May-2024 01:37:45.600 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: 
IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
15-May-2024 01:37:45.600 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL 
configuration: useAprConnector [false], useOpenSSL [true]
15-May-2024 01:37:45.647 FINE [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL Current FIPS mode: 
[1]
15-May-2024 01:37:45.647 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL Using OpenSSL with 
the FIPS provider as the default provider
15-May-2024 01:37:45.647 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
15-May-2024 01:37:45.756 FINE [main] 
org.apache.tomcat.util.modeler.Registry.getMBeanServer Created MBeanServer
15-May-2024 01:37:46.069 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[org.apache.catalina.deploy.NamingResourcesImpl@5e955596] to [INITIALIZING]
15-May-2024 01:37:46.084 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[org.apache.catalina.deploy.NamingResourcesImpl@5e955596] to [INITIALIZED]
15-May-2024 01:37:46.116 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[StandardService[Catalina]] to [INITIALIZING]
15-May-2024 01:37:46.116 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[StandardEngine[Catalin

Re: Regarding Tomcat url redirection

2024-05-15 Thread lavanya tech
Hi Chris,

>

If i remove this from server.xml file i have the below error.

Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix

Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

Exception

jakarta.servlet.ServletException: java.lang.NoClassDefFoundError:
org/towl/indexer/web/Prefix
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)

> The "aliasing" will always be weird. IMO it's better to redirect. If you
> change to redirect, does everything *work*, even if you don't like how
> the browser's URL bar displays?

  --> I tried but it did not work
ok apart from this topic, we have one more issue found.


Actually application team, they are deploying two applications one with
towl (which you are already aware) the other one is (towl-app) they have
defined separate server.xml for both.

Name:server.lbg.com
Address:  192.168.200.120
Aliases:  example.lbg.com


Name:server.lbg.com
Address:  192.168.200.120
Aliases:  example-app.lbg.com

which means we have two aliases for server.lbg.com , earlier we were
concentrating only on one example.lbg.com , now i wanted to somehow enable
access as the same for the other one also
https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app

So I created iptable rule in the same way as before redirect 443 to 8444 and
i have the urls working same as example.lbg.com

Both the server.xml files are here

/git/towl/apachetomcat/conf/server.xml
/git/towl-app/apachetomcat/conf/server.xml --> I changed the port of
connectors and everything

But now when i try to access https://example.lbg.com --> I get webpage of
https://example-app.lbg.com and sometimes i get webpage of
https://example.lbg.com after refresh itself which is weird

May i know why this is happening. If we fix this then I am thinking to
disable the unwanted urls leaving the required ones. for example the below
ones. I think that would be easier ? rather than redirecting or aliasing-->
Because we noticed that towl application is already pointing with
https://example.lbg.com

   https://server.lbg.com:8443
  https://example-lbg.com:8443
  

   https://server.lbg.com:8444
  https://example-lbg.com:8444
  


kindly suggest us a fix.

Thanks once again for your time

Regards,
Lavanya




On Wed, May 15, 2024 at 2:16 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 5/15/24 04:43, lavanya tech wrote:
> > Thought to write you privately, regarding the tomcat url redirection as
> > the mail chain is getting more big big
>
> It's better to post to the list, so anyone in your situation can learn
> from it.
>
> > Let me know if its fine for you and here is what I did.
> >
> > 1)   > autoDeploy="true">
> >
>
> Don't do this. Just put towl.war into webapps/ and let it auto-deploy.
> What you are doing here is double-deploying your "towl" application:
> once as "" (ROOT) and once as "/towl". Remove this from server.xml.
>
> >
> > > className="org.apache.catalina.valves.rewrite.RewriteValve" />
>
> Okay.
>
> > 2) I have towl application and towl.war under webapps directory
> > 3) added  proxy port and proxyname to connector
> >
> >   > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true">
> > proxyPort="8443" proxyName="server.lbg.com
> > ">
> >   > className="org.apache.coyote.http2.Http2Protocol" />
> >  
> >   >   certificateKeystorePassword="pass"
> >   type="RSA" />
> >  
> >  
>
> Okay.
>
> > 4) added rewrite.config under conf directory
> >  > # Redirect everything that is not server.lbg.com
> >  to
> >  > # server.lbg.com . Don't worry about /towl
> yet.
> >  > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> >  > RewriteRule ^/(.*) https://server.lbg.com:8443/$1
> >  [L]
> >  >
> >  > # Redirect anything that isn't already going to /towl
> >  > # to go to /towl
> >  > RewriteCond %{REQUEST_URI} !^/towl
> >  > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1
> >  [L]
> >
> > 5) restarted tomcat
> > 6) can access all the urls https://server.lbg.com:8443
> > , https://server.lbg.com
> > , https://server.lbg.com:8443/towl
> > , https://server.lbg.com/towl
> > 
> > https://example.lbg.com:8443 ,
> > https://example.lbg.com 

Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
Good news. I can reproduce on Windows:
15-May-2024 16:40:31.092 INFORMATION [main] 
org.apache.coyote.AbstractProtocol.init Initialisiere 
ProtocolHandler["https-openssl-apr-18444"]
15-May-2024 16:40:31.144 WARNUNG [main] 
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the 
[ciphers] attribute in a manner consistent with the latest OpenSSL development 
branch. Some of the specified [ciphers] are not supported by the configured SSL 
engine for this connector (which may use JSSE or an older OpenSSL version) and 
have been skipped: [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 
TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, 
TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x024928d5cd10, pid=33136, 
tid=0x55b8
#
# JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64) 
(8.0_362-b09) (build 1.8.0_362-b09)
# Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64 
compressed oops)
# Problematic frame:
# C  [tcnative-1.dll+0xccd10]
#
# Failed to write core dump. Minidumps are not enabled by default on client 
versions of Windows
#
# An error report file with more information is saved as:
# C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
#
# If you would like to submit a bug report, please visit:
#   http://www.azul.com/support/
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

I will do a custom build of Tomcat Native and see where it crashes. Stay tuned.

M




Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Peter Rader
Hi,

my catalina.out is getting bigger and bigger.

In order to have smaller catalina.out I noticed this environment-variable: 
CATALINA_OUT_CMD

Inside the catalina.sh is documented:

# CATALINA_OUT_CMD (Optional) Command which will be executed and receive
#   as its stdin the stdout and stderr from the Tomcat java
#   process. If CATALINA_OUT_CMD is set, the value of
#   CATALINA_OUT will be used as a named pipe.
#   No default.
#   Example (all one line)
#   CATALINA_OUT_CMD="/usr/bin/rotatelogs -f $CATALINA_BASE/logs/catalina.out.%Y-%m-%d.log 86400"

I try to use that example and export this variable before start of tomcat:

   export CATALINA_OUT_CMD="/usr/bin/rotatelogs -f /home/tomcat/apache-tomcat-9.0.75/logs/catalina.out.%Y-%m-%d.log 86400"

Unfortunately the tomcat does not work anymore, instead this message appears:

/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out exists and is not a named pipe. Start aborted.
 
Any Ideas?
 
Kind regards

Peter Rader




Re: Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Chuck Caldarale

> On May 15, 2024, at 12:43, Peter Rader  wrote:
> 
> my catalina.out is getting bigger and bigger.


(I should insert a philosophical discussion on not using stdout for application 
logging here, but I’ll leave that for some other time.)


> In order to have smaller catalina.out I noticed this environment-variable: 
> CATALINA_OUT_CMD
> 
> Inside the catalina.sh is documented:
> 
> # CATALINA_OUT_CMD (Optional) Command which will be executed and receive
> #   as its stdin the stdout and stderr from the Tomcat java
> #   process. If CATALINA_OUT_CMD is set, the value of
> #   CATALINA_OUT will be used as a named pipe.
> #   No default.
> #   Example (all one line)
> #   CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
> $CATALINA_BASE/logs/catalina.out.%Y-%m-%d.log 86400"
> 
> I try to use that example and export this variable before start of tomcat:
> 
>   export CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
> /home/tomcat/apache-tomcat-9.0.75/logs/catalina.out.%Y-%m-%d.log 86400" 
> 
> Unfortunately the tomcat does not work anymore, instead this message appear:
> 
>/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out exists and is not a 
> named pipe. Start aborted.


You need to do what the instructions state: create a FIFO and specify its name 
in the CATALINA_OUT variable. For example, do

mkfifo logs/catalina_out.pipe

one time, before starting Tomcat, then add the following to bin/setenv.sh:

export CATALINA_OUT="$CATALINA_HOME/logs/catalina_out.pipe"
export CATALINA_OUT_CMD="rotatelogs -f $CATALINA_HOME/logs/catalina.out.%Y-%m-%d.log 86400"

This causes Tomcat to use the named pipe rather than logs/catalina.out for 
stdout and stderr messages, and then invoke rotatelogs to process the entries. 
As an alternative to setting CATALINA_OUT, you could just delete the existing 
logs/catalina.out file and recreate it as a FIFO, but I wouldn’t recommend it 
due to potential confusion.

  - Chuck



Aw: Re: Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Peter Rader
> You need to do what the instructions state: create a FIFO and specify its 
> name in the CATALINA_OUT variable. For example, do

Ah, yes,

mkfifo catalina.out

fixed it for me. I had no idea what a fifo is, now I know.

Kind regards




Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/15 14:41:43 Michael Osipov wrote:
> Good news. I can reproduce on Windows:
> 15-May-2024 16:40:31.092 INFORMATION [main] 
> org.apache.coyote.AbstractProtocol.init Initialisiere 
> ProtocolHandler["https-openssl-apr-18444"]
> 15-May-2024 16:40:31.144 WARNUNG [main] 
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the 
> [ciphers] attribute in a manner consistent with the latest OpenSSL 
> development branch. Some of the specified [ciphers] are not supported by the 
> configured SSL engine for this connector (which may use JSSE or an older 
> OpenSSL version) and have been skipped: [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 
> TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, 
> TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> #  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x024928d5cd10, 
> pid=33136, tid=0x55b8
> #
> # JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64) 
> (8.0_362-b09) (build 1.8.0_362-b09)
> # Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64 
> compressed oops)
> # Problematic frame:
> # C  [tcnative-1.dll+0xccd10]
> #
> # Failed to write core dump. Minidumps are not enabled by default on client 
> versions of Windows
> #
> # An error report file with more information is saved as:
> # C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://www.azul.com/support/
> # The crash happened outside the Java Virtual Machine in native code.
> # See problematic frame for where to report the bug.
> #
> 
> I will do a custom build of Tomcat Native and see where it crashes. Stay 
> tuned.

Found the bug: It is either a flaw or uncertainty in OpenSSL. Details follow 
tomorrow.
