Apache Tomcat Version 7.0.59 on CentOS 6.8 to handle 2k requests/second
Hi,

Is there a way to configure Tomcat to handle 2k requests/second (2k meaning 2000 requests per second)? How many CPU cores do I need to set up Tomcat to handle 2k requests/second? How much physical memory should the server have? Any guidelines or rule of thumb to be followed? Any help will be highly appreciated.

Thanks in advance.

Regards,

Kaushal
Re: Apache Tomcat Version 7.0.59 on CentOS 6.8 to handle 2k requests/second
On 14/11/2016 14:28, Kaushal Shriyan wrote:
> Hi,
>
> is there a way to configure tomcat to handle 2k requests/second (2k meaning
> 2000 requests per second). How many cpu cores do i need to setup tomcat to
> handle 2k requests/second? How much physical memory the server should have?

That will depend on your application.

My laptop will easily handle 10 times that for a simple application. I have seen much larger servers unable to handle more than a handful of requests a second for a large, complex, poorly performing application.

> Any guidelines or rule of thumb to be followed? Any help will be highly
> appreciable.

Profile your application.

Mark

> Thanks in Advance.
>
> Regards,
>
> Kaushal
>

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Tomcat Version 7.0.59 on CentOS 6.8 to handle 2k requests/second
On Mon, Nov 14, 2016 at 8:06 PM, Mark Thomas wrote:
> On 14/11/2016 14:28, Kaushal Shriyan wrote:
>> Hi,
>>
>> is there a way to configure tomcat to handle 2k requests/second (2k meaning
>> 2000 requests per second). How many cpu cores do i need to setup tomcat to
>> handle 2k requests/second? How much physical memory the server should have?
>
> That will depend on your application.
>
> My laptop will easily handle 10 times that for a simple application. I
> have seen much larger servers unable to handle more than a handful of
> requests a second for a large, complex, poorly performing application.
>
>> Any guidelines or rule of thumb to be followed? Any help will be highly
>> appreciable.
>
> Profile your application.

Thanks Mark Thomas for the quick reply.

Please suggest any open source profiling application I can start with. I would appreciate it if you could help me understand the relation between 2k requests/second and the CPU cores of the server.

Thanks again in advance.

Regards,

Kaushal
RE: Apache Tomcat Version 7.0.59 on CentOS 6.8 to handle 2k requests/second
> -Original Message-
> From: Kaushal Shriyan [mailto:kaushalshri...@gmail.com]
> Sent: Monday, November 14, 2016 8:46 AM
> To: Tomcat Users List
> Subject: Re: Apache Tomcat Version 7.0.59 on CentOS 6.8 to handle 2k requests/second
>
> On Mon, Nov 14, 2016 at 8:06 PM, Mark Thomas wrote:
>> On 14/11/2016 14:28, Kaushal Shriyan wrote:
>>> Hi,
>>>
>>> is there a way to configure tomcat to handle 2k requests/second (2k meaning
>>> 2000 requests per second). How many cpu cores do i need to setup tomcat to
>>> handle 2k requests/second? How much physical memory the server should have?
>>
>> That will depend on your application.
>>
>> My laptop will easily handle 10 times that for a simple application. I
>> have seen much larger servers unable to handle more than a handful of
>> requests a second for a large, complex, poorly performing application.
>>
>>> Any guidelines or rule of thumb to be followed? Any help will be
>>> highly appreciable.
>>
>> Profile your application.
>
> Thanks Mark Thomas for the quick reply.
>
> Please suggest me any open source profiling application which i can start with. I
> will appreciate if you can help me understand the relation between 2k
> requests/second vs cpu cores of the server.
>
> Thanks again in advance.
>
> Regards,
>
> Kaushal

There is no fixed relationship between requests per second and number of cores. It all depends on your application. Think of it this way: if each request takes 1 second, you'll get fewer requests per second than if each request takes 1 millisecond. Whether a request takes 1 second or 1 millisecond has more to do with your application than hardware.

As for an open source profiler, try asking your favorite search engine.

John
Tomcat - Two Way SSL as Server
Hi All,

I'm trying to implement two way SSL on a new web service that we are building and I'm having some issues.

First some info on the environment.

Server version: Apache Tomcat/8.0.36
Server built: Jun 9 2016 13:55:50 UTC
Server number: 8.0.36.0
OS Name: Linux
OS Version: 3.10.0-514.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_111-b14
JVM Vendor: Oracle Corporation

We use an internal certificate authority to sign all of our certificates. So all the client certificates are signed by our internal root. When I trust the root certificate in the client trust store everything works. All client certificates signed by the internal root work.

However, if I remove the root certificate from the client trust store, and add individual client certificates instead I get a cert chain error.

*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 107108750176335210433834926983330116805775068919227166974389735341685270962458
public y coord: 931957257342369027430064693780870682091490580979485264905626079337507
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
*** ServerHelloDone
http-nio2-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 4482
http-nio2-8443-exec-2, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
***
http-nio2-8443-exec-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-nio2-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
http-nio2-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-nio2-8443-exec-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio2-8443-exec-2, called closeOutbound()
http-nio2-8443-exec-2, closeOutboundInternal()

This is an issue for us as we can't have all the client certificates in the company granted access to this endpoint, it kind of defeats the purpose.

The company root certificate is in another trust store used on server startup.

Here are my configs.

Server.xml connector:

Systemd init:

# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/usr/local/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/usr/local/tomcat
Environment=CATALINA_BASE=/usr/local/tomcat
Environment='CATALINA_OPTS= -Xms2048M -Xmx2048M -server -XX:+UseParallelGC \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8090 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxremote.access \
-Djavax.net.debug=SSL \
-Djavax.net.ssl.trustStore=/usr/local/tomcat/certs/servertrust.jks \
-Djavax.net.ssl.trustStorePassword=CrazyPasswordHere \
-Djavax.net.ssl.keyStore=/usr/local/tomcat/certs/serverclient.jks \
-Djavax.net.ssl.keyStorePassword=CrazyPasswordHere '
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target

Thanks!

Robert Sulliman
RE: Tomcat - Two Way SSL as Server
> -Original Message- > From: Robert Sulliman [mailto:robert.sulli...@sjrb.ca] > Sent: Monday, November 14, 2016 12:25 PM > To: users@tomcat.apache.org > Subject: Tomcat - Two Way SSL as Server > > Hi All, > > I'm trying to implement two way SSL on a new web service that we are building > and I'm having some issues. > > First some info on the environment. > > Server version: Apache Tomcat/8.0.36 > Server built: Jun 9 2016 13:55:50 UTC > Server number: 8.0.36.0 > OS Name:Linux > OS Version: 3.10.0-514.el7.x86_64 > Architecture: amd64 > JVM Version:1.8.0_111-b14 > JVM Vendor: Oracle Corporation > > We use an internal certificate authority to sign all of our certificates. So > all the > client certificates are signed by our internal root. When I trust the root > certificate in the client trust store everything works. All client > certificates signed > by the internal root work. > > However, if I remove the root certificate from the client trust store, and add > individual client certificates instead I get a cert chain error. 
> > *** ECDH ServerKeyExchange > Signature Algorithm SHA512withRSA > Server key: Sun EC public key, 256 bits > public x coord: > 10710875017633521043383492698333011680577506891922716697438973534 > 1685270962458 > public y coord: > 9319572573423690274300646937808706820914905809794852649056260 > 79337507 > parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) > *** CertificateRequest > Cert Types: RSA, DSS, ECDSA > Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, > SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, > SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, > SHA1withECDSA, SHA1withRSA, SHA1withDSA Cert Authorities: > C=CA> > *** ServerHelloDone > http-nio2-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 4482 http-nio2- > 8443-exec-2, READ: TLSv1.2 Handshake, length = 7 > *** Certificate chain > > *** > http-nio2-8443-exec-2, fatal error: 42: null cert chain > javax.net.ssl.SSLHandshakeException: null cert chain %% Invalidated: > [Session- > 2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] > http-nio2-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = > bad_certificate http-nio2-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2 http- > nio2-8443-exec-2, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLHandshakeException: null cert chain http-nio2-8443-exec-2, > called closeOutbound() http-nio2-8443-exec-2, closeOutboundInternal() > This is an issue for us as we can't have > all the client certificates in the company granted access to this endpoint, > it kind > of defeats the purpose. > > The company root certificate is in another trust store used on server startup. > Here are my configs. 
> > Server.xml connector: > >port="8443" maxThreads="24" minSpareThreads="4" > maxSpareThreads="4" acceptCount="1000" server=" " >scheme="https" secure="true" SSLEnabled="true" >keystoreFile="certs/servercert.jks" keystorePass=" > CrazyPasswordHere" >clientAuth="true" > truststoreFile="/usr/local/tomcat/certs/clienttrust.jks" > truststorePass="CrazyPasswordHere" >sslEnabledProtocols="TLSv1.2" sslProtocol="TLS" > > ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WIT > H_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_C > BC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA" >useServerCipherSuitesOrder="true" compression="on" > compressionMinSize="2048" > > compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript, > application/javascript" /> Systemd init: > > # Systemd unit file for tomcat > [Unit] > Description=Apache Tomcat > After=syslog.target network.target > > [Service] > Type=forking > > Environment=JAVA_HOME=/usr/lib/jvm/jre > Environment=CATALINA_PID=/usr/local/tomcat/temp/tomcat.pid > Environment=CATALINA_HOME=/usr/local/tomcat > Environment=CATALINA_BASE=/usr/local/tomcat > Environment='CATALINA_OPTS= -Xms2048M -Xmx2048M -server - > XX:+UseParallelGC \ -Dcom.sun.management.jmxremote \ > -Dcom.sun.management.jmxremote.port=8090 \ - > Dcom.sun.management.jmxremote.ssl=false \ - > Dcom.sun.management.jmxremote.authenticate=true \ - > Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxr > emote.password \ - > Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxrem > ote.access \ -Djavax.net.debug=SSL \ - > Djavax.net.ssl.trustStore=/usr/local/tomcat/certs/servertrust.jks \ - > Djavax.net.ssl.trustStorePassword=CrazyPasswordHere \ - > Djavax.net.ssl.keyStore=/usr/local/tomcat/certs/serverclient.jks \ - > Djavax.net.ssl.keyStorePassword=CrazyPasswordHere ' > Environment='
RE: Tomcat - Two Way SSL as Server
Thanks John, I am trying to do #2, manually adding client certificates to the trust store. However it doesn't work unless I add the root certificate to the trust store as well, or I get the certificate chain error below. It is a headache to handle certs like this, but as a rule of thumb we leave the responsibility for these certs on the client themselves. I'm pretty sure I'm not going to persuade security to create a new CA for me just for this one service... If I use a custom servlet, I lose the ability to do revocation checks on the certificates (I'm assuming that Tomcat does this natively, I haven't actually tested it yet.) Robert Sulliman -Original Message- From: john.e.gr...@wellsfargo.com [mailto:john.e.gr...@wellsfargo.com] Sent: Monday, November 14, 2016 1:24 PM To: users@tomcat.apache.org Subject: RE: Tomcat - Two Way SSL as Server > -Original Message- > From: Robert Sulliman [mailto:robert.sulli...@sjrb.ca] > Sent: Monday, November 14, 2016 12:25 PM > To: users@tomcat.apache.org > Subject: Tomcat - Two Way SSL as Server > > Hi All, > > I'm trying to implement two way SSL on a new web service that we are > building and I'm having some issues. > > First some info on the environment. > > Server version: Apache Tomcat/8.0.36 > Server built: Jun 9 2016 13:55:50 UTC > Server number: 8.0.36.0 > OS Name:Linux > OS Version: 3.10.0-514.el7.x86_64 > Architecture: amd64 > JVM Version:1.8.0_111-b14 > JVM Vendor: Oracle Corporation > > We use an internal certificate authority to sign all of our > certificates. So all the client certificates are signed by our > internal root. When I trust the root certificate in the client trust > store everything works. All client certificates signed by the internal root > work. > > However, if I remove the root certificate from the client trust store, > and add individual client certificates instead I get a cert chain error. 
> > *** ECDH ServerKeyExchange > Signature Algorithm SHA512withRSA > Server key: Sun EC public key, 256 bits > public x coord: > 10710875017633521043383492698333011680577506891922716697438973534 > 1685270962458 > public y coord: > 9319572573423690274300646937808706820914905809794852649056260 > 79337507 > parameters: secp256r1 [NIST P-256, X9.62 prime256v1] > (1.2.840.10045.3.1.7) > *** CertificateRequest > Cert Types: RSA, DSS, ECDSA > Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, > SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, > SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, > SHA1withECDSA, SHA1withRSA, SHA1withDSA Cert Authorities: > ST=Alberta, C=CA> > *** ServerHelloDone > http-nio2-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 4482 > http-nio2- 8443-exec-2, READ: TLSv1.2 Handshake, length = 7 > *** Certificate chain > > *** > http-nio2-8443-exec-2, fatal error: 42: null cert chain > javax.net.ssl.SSLHandshakeException: null cert chain %% Invalidated: > [Session- 2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] > http-nio2-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = > bad_certificate http-nio2-8443-exec-2, WRITE: TLSv1.2 Alert, length = > 2 http- nio2-8443-exec-2, fatal: engine already closed. Rethrowing > javax.net.ssl.SSLHandshakeException: null cert chain > http-nio2-8443-exec-2, called closeOutbound() http-nio2-8443-exec-2, > closeOutboundInternal() This is an > issue for us as we can't have all the client certificates in the > company granted access to this endpoint, it kind of defeats the purpose. > > The company root certificate is in another trust store used on server startup. > Here are my configs. 
> > Server.xml connector: > >port="8443" maxThreads="24" minSpareThreads="4" > maxSpareThreads="4" acceptCount="1000" server=" " >scheme="https" secure="true" SSLEnabled="true" >keystoreFile="certs/servercert.jks" keystorePass=" > CrazyPasswordHere" >clientAuth="true" > truststoreFile="/usr/local/tomcat/certs/clienttrust.jks" > truststorePass="CrazyPasswordHere" >sslEnabledProtocols="TLSv1.2" sslProtocol="TLS" > > ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WIT > H_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_C > BC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA" >useServerCipherSuitesOrder="true" compression="on" > compressionMinSize="2048" > > compressableMimeType="text/html,text/xml,text/plain,text/css,text/java > script, application/javascript" /> > Systemd init: > > # Systemd unit file for tomcat > [Unit] > Description=Apache Tomcat > After=syslog.target network.target > > [Service] > Type=forking > > Environment=JAVA_HOME=/usr/lib/jv
RE: Tomcat - Two Way SSL as Server
> -Original Message- > From: Robert Sulliman [mailto:robert.sulli...@sjrb.ca] > Sent: Monday, November 14, 2016 2:46 PM > To: Tomcat Users List > Subject: RE: Tomcat - Two Way SSL as Server > > Thanks John, > > I am trying to do #2, manually adding client certificates to the trust store. > However it doesn't work unless I add the root certificate to the trust store > as > well, or I get the certificate chain error below. It is a headache to handle > certs > like this, but as a rule of thumb we leave the responsibility for these certs > on the > client themselves. > > I'm pretty sure I'm not going to persuade security to create a new CA for me > just > for this one service... If I use a custom servlet, I lose the ability to do > revocation > checks on the certificates (I'm assuming that Tomcat does this natively, I > haven't > actually tested it yet.) > > Robert Sulliman > > -Original Message- > From: john.e.gr...@wellsfargo.com [mailto:john.e.gr...@wellsfargo.com] > Sent: Monday, November 14, 2016 1:24 PM > To: users@tomcat.apache.org > Subject: RE: Tomcat - Two Way SSL as Server > > > > > > > -Original Message- > > From: Robert Sulliman [mailto:robert.sulli...@sjrb.ca] > > Sent: Monday, November 14, 2016 12:25 PM > > To: users@tomcat.apache.org > > Subject: Tomcat - Two Way SSL as Server > > > > Hi All, > > > > I'm trying to implement two way SSL on a new web service that we are > > building and I'm having some issues. > > > > First some info on the environment. > > > > Server version: Apache Tomcat/8.0.36 > > Server built: Jun 9 2016 13:55:50 UTC > > Server number: 8.0.36.0 > > OS Name:Linux > > OS Version: 3.10.0-514.el7.x86_64 > > Architecture: amd64 > > JVM Version:1.8.0_111-b14 > > JVM Vendor: Oracle Corporation > > > > We use an internal certificate authority to sign all of our > > certificates. So all the client certificates are signed by our > > internal root. When I trust the root certificate in the client trust > > store everything works. 
All client certificates signed by the internal root > > work. > > > > However, if I remove the root certificate from the client trust store, > > and add individual client certificates instead I get a cert chain error. > > > > *** ECDH ServerKeyExchange > > Signature Algorithm SHA512withRSA > > Server key: Sun EC public key, 256 bits > > public x coord: > > > 10710875017633521043383492698333011680577506891922716697438973534 > > 1685270962458 > > public y coord: > > > 9319572573423690274300646937808706820914905809794852649056260 > > 79337507 > > parameters: secp256r1 [NIST P-256, X9.62 prime256v1] > > (1.2.840.10045.3.1.7) > > *** CertificateRequest > > Cert Types: RSA, DSS, ECDSA > > Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, > > SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, > > SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, > > SHA1withECDSA, SHA1withRSA, SHA1withDSA Cert Authorities: > > > ST=Alberta, C=CA> > > *** ServerHelloDone > > http-nio2-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 4482 > > http-nio2- 8443-exec-2, READ: TLSv1.2 Handshake, length = 7 > > *** Certificate chain > > > > *** > > http-nio2-8443-exec-2, fatal error: 42: null cert chain > > javax.net.ssl.SSLHandshakeException: null cert chain %% Invalidated: > > [Session- 2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] > > http-nio2-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = > > bad_certificate http-nio2-8443-exec-2, WRITE: TLSv1.2 Alert, length = > > 2 http- nio2-8443-exec-2, fatal: engine already closed. Rethrowing > > javax.net.ssl.SSLHandshakeException: null cert chain > > http-nio2-8443-exec-2, called closeOutbound() http-nio2-8443-exec-2, > > closeOutboundInternal() This is an > > issue for us as we can't have all the client certificates in the > > company granted access to this endpoint, it kind of defeats the purpose. > > > > The company root certificate is in another trust store used on server > > startup. 
> > Here are my configs. > > > > Server.xml connector: > > > > >port="8443" maxThreads="24" minSpareThreads="4" > > maxSpareThreads="4" acceptCount="1000" server=" " > >scheme="https" secure="true" SSLEnabled="true" > >keystoreFile="certs/servercert.jks" keystorePass=" > CrazyPasswordHere" > >clientAuth="true" > > truststoreFile="/usr/local/tomcat/certs/clienttrust.jks" > > truststorePass="CrazyPasswordHere" > >sslEnabledProtocols="TLSv1.2" sslProtocol="TLS" > > > > > ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WIT > > H_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > > > > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_C > > BC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA" > >useServerCipherSuitesOrder="tr
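The javax.net.debug output in Robert's first message shows the mechanism behind "null cert chain": with only leaf certificates in clienttrust.jks, JSSE advertises those leaf DNs as the CertificateRequest's Cert Authorities, the client finds no certificate issued by any of them, sends an empty Certificate message, and a connector with clientAuth="true" rejects the handshake. The Python model below is an added example, not code from the thread or from Tomcat; it walks through that exchange and through the usual way out, which is to keep the internal root in the truststore for chain validation and then admit only allowlisted client certificates in the application. The DNs, the placeholder DER byte strings and the allowlist are constructed for the example.

```python
"""Model of TLS 1.2 client authentication as seen from a JSSE truststore.

Added example, not code from the thread. It mirrors three steps visible in the
debug log: CertificateRequest.certificate_authorities is built from the subject
DNs in the server truststore, the client offers a certificate only if its issuer
is in that list (X509KeyManager.chooseClientAlias), and an empty Certificate
message is fatal when the server requires client auth ("null cert chain").
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes          # constructed stand-in for the encoded certificate
    is_ca: bool = False


# Constructed PKI: one internal root and two client certificates it issued.
ROOT = Cert("CN=Internal Root, O=Example, C=CA",
            "CN=Internal Root, O=Example, C=CA", b"root-der", is_ca=True)
ALICE = Cert("CN=alice-svc, O=Example, C=CA", ROOT.subject, b"alice-der")
BOB = Cert("CN=bob-svc, O=Example, C=CA", ROOT.subject, b"bob-der")


def certificate_request_authorities(truststore: Iterable[Cert]) -> List[str]:
    """The server advertises the subject DN of every truststore entry as an
    acceptable CA (the "Cert Authorities:" line), whether or not it is a CA."""
    return [c.subject for c in truststore]


def choose_client_cert(client_certs: Iterable[Cert],
                       authorities: List[str]) -> Optional[Cert]:
    """Client side: offer a certificate whose issuer is an advertised authority.
    An empty list means "any issuer"; None means an empty Certificate message."""
    for c in client_certs:
        if not authorities or c.issuer in authorities:
            return c
    return None


def server_verdict(leaf: Optional[Cert], truststore: Iterable[Cert]) -> str:
    """Server side with clientAuth="true": no chain is fatal; otherwise the chain
    must end at a trusted CA (PKIX also accepts a leaf that is itself an entry)."""
    trusted = list(truststore)
    if leaf is None:
        return "fatal: null cert chain (alert bad_certificate)"
    if leaf in trusted or any(t.is_ca and t.subject == leaf.issuer for t in trusted):
        return "handshake ok"
    return "fatal: unable to find valid certification path"


def handshake(truststore: List[Cert],
              client_certs: List[Cert]) -> Tuple[str, Optional[Cert]]:
    authorities = certificate_request_authorities(truststore)
    leaf = choose_client_cert(client_certs, authorities)
    return server_verdict(leaf, truststore), leaf


def fingerprint(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()


def authorize(leaf: Optional[Cert], allowlist: Set[str]) -> bool:
    """Application-level step after a successful handshake: the root did the
    chain building, the allowlist decides which issued certificates get in."""
    return leaf is not None and fingerprint(leaf) in allowlist


def run_scenarios() -> dict:
    results = {}
    # Root in the truststore: everything the internal CA ever issued is accepted.
    results["root_trust_alice"] = handshake([ROOT], [ALICE])[0]
    results["root_trust_bob"] = handshake([ROOT], [BOB])[0]
    # Leaf in the truststore: the only advertised authority is "CN=alice-svc",
    # alice's certificate is issued by the root, so she sends no certificate.
    results["leaf_trust_alice"] = handshake([ALICE], [ALICE])[0]
    # Root in the truststore plus an allowlist of admitted client fingerprints.
    allowlist = {fingerprint(ALICE)}
    results["allow_alice"] = authorize(handshake([ROOT], [ALICE])[1], allowlist)
    results["allow_bob"] = authorize(handshake([ROOT], [BOB])[1], allowlist)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

In Tomcat the post-handshake step maps onto a servlet filter that reads the chain from the request attribute javax.servlet.request.X509Certificate and compares the leaf's fingerprint (or subject DN) against the allowlist. Keeping the root in the truststore also keeps whatever revocation checking the connector is configured for (a JSSE connector consults a CRL only when crlFile is set), which is the part that a hand-maintained truststore of leaf certificates would not have given you anyway.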
Tomcat 9 How do you set httpHeaderSecurity properly
Trying to enable some header filters in web.xml and NOT having any luck. I pretty much had to guess how to do this and my config looks like this:

httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
blockContentTypeSniffingEnabled true
antiClickJackingEnabled true
antiClickJackingOption SAMEORIGIN
xssProtectionEnabled true
true

Thank You,

Dustin Delage
Re: Tomcat 9 How do you set httpHeaderSecurity properly
On 14/11/2016 21:11, Dustin Delage wrote:
> Trying to enable some header filters in web.xml and NOT having any luck. I
> pretty much had to guess how to do this and my config looks like this:
>
> httpHeaderSecurity
> org.apache.catalina.filters.HttpHeaderSecurityFilter
>
> blockContentTypeSniffingEnabled
> true

Not necessary - that is the default.

> antiClickJackingEnabled
> true

Not necessary - that is the default.

> antiClickJackingOption
> SAMEORIGIN

This one you will need.

> xssProtectionEnabled
> true
>
> true

Not necessary - that is the default.

And the filter mapping?

Mark
RE: Tomcat 9 How do you set httpHeaderSecurity properly
What's this filter mapping you speak of?

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, November 14, 2016 4:16 PM
To: Tomcat Users List
Subject: Re: Tomcat 9 How do you set httpHeaderSecurity properly

On 14/11/2016 21:11, Dustin Delage wrote:
> Trying to enable some header filters in web.xml and NOT having any
> luck. I pretty much had to guess how to do this and my config looks like
> this:
>
> httpHeaderSecurity
> org.apache.catalina.filters.HttpHeaderSecurityFilter
>
> blockContentTypeSniffingEnabled
> true

Not necessary - that is the default.

> antiClickJackingEnabled
> true

Not necessary - that is the default.

> antiClickJackingOption
> SAMEORIGIN

This one you will need.

> xssProtectionEnabled
> true
>
> true

Not necessary - that is the default.

And the filter mapping?

Mark
Re: Tomcat 9 How do you set httpHeaderSecurity properly
On 14/11/2016 21:32, Dustin Delage wrote:
> What's this filter mapping you speak of?

https://java.net/downloads/servlet-spec/Final/servlet-3_1-final.pdf

The Tomcat docs (and to a lesser extent this list) assume users of Tomcat are familiar with the Servlet specification. While it appears you need to read all of that document fairly soon, chapter 6 should answer your immediate questions.

Mark

> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, November 14, 2016 4:16 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 9 How do you set httpHeaderSecurity properly
>
> On 14/11/2016 21:11, Dustin Delage wrote:
>> Trying to enable some header filters in web.xml and NOT having any
>> luck. I pretty much had to guess how to do this and my config looks like
>> this:
>>
>> httpHeaderSecurity
>> org.apache.catalina.filters.HttpHeaderSecurityFilter
>>
>> blockContentTypeSniffingEnabled
>> true
>
> Not necessary - that is the default.
>
>> antiClickJackingEnabled
>> true
>
> Not necessary - that is the default.
>
>> antiClickJackingOption
>> SAMEORIGIN
>
> This one you will need.
>
>> xssProtectionEnabled
>> true
>>
>> true
>
> Not necessary - that is the default.
>
> And the filter mapping?
>
> Mark
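What chapter 6 of the Servlet specification adds to Dustin's config is the second half: a filter declaration does nothing on its own until a filter-mapping binds it to a URL pattern. The following web.xml fragment is an added example rather than the configuration posted in the thread. It keeps only the parameter Mark said is needed (antiClickJackingOption, since the default is DENY) and adds an hstsMaxAgeSeconds value, which is an assumption for illustration (the filter's HSTS support is on by default but its default max-age is 0, so no Strict-Transport-Security header is sent until a max-age is set; it is emitted only on HTTPS responses).

```xml
<!-- Added example: WEB-INF/web.xml of one application (or conf/web.xml,
     where Tomcat ships this same filter commented out and the mapping then
     applies to every deployed application). -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <!-- blockContentTypeSniffingEnabled, antiClickJackingEnabled and
       xssProtectionEnabled are left at their defaults (true). -->
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <!-- Assumed value: one year. Only sent on responses to https requests. -->
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

<!-- Without this element the filter is declared but never runs. -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

To confirm the mapping took effect, request any resource of the application and look at the response headers, for example with curl -sI https://host:8443/app/ (host, port and path assumed); the filter adds X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff and X-XSS-Protection: 1; mode=block, plus Strict-Transport-Security over HTTPS once a max-age is configured. If those headers are missing, the filter-mapping (or its url-pattern) is the first thing to check.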
RE: Tomcat 9 How do you set httpHeaderSecurity properly
Thanks -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, November 14, 2016 4:38 PM To: Tomcat Users List Subject: Re: Tomcat 9 How do you set httpHeaderSecurity properly On 14/11/2016 21:32, Dustin Delage wrote: > What's this filter mapping you speak of? https://java.net/downloads/servlet-spec/Final/servlet-3_1-final.pdf The Tomcat docs (and to a lesser extent this list) assume users of Tomcat are familiar with the Servlet specification. While it appears you need to read all of that document fairly soon, chapter 6 should answer your immediate questions. Mark > > -Original Message- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Monday, November 14, 2016 4:16 PM > To: Tomcat Users List > Subject: Re: Tomcat 9 How do you set httpHeaderSecurity properly > > On 14/11/2016 21:11, Dustin Delage wrote: >> Trying to enable some header filters in web.xml and NOT having any >> luck. I pretty much had to guess how to do this and my config looks >> like >> this: >> >> >> httpHeaderSecurity >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter> i >> lter >> -class> >> >> >> blockContentTypeSniffingEnabled >> true >> > Not necessary - that is the default. > > >> >> >> antiClickJackingEnabled >> true >> > Not necessary - that is the default. > > >> >> >> antiClickJackingOption >> SAMEORIGIN >> > This one you will need. > > >> >> >> xssProtectionEnabled >> true >> >> true > Not necessary - that is the default. > > >> > > And the filter mapping? 
> > Mark
RE: Tomcat 9 How do you set httpHeaderSecurity properly
Works now, thanks. -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, November 14, 2016 4:38 PM To: Tomcat Users List Subject: Re: Tomcat 9 How do you set httpHeaderSecurity properly On 14/11/2016 21:32, Dustin Delage wrote: > What's this filter mapping you speak of? https://java.net/downloads/servlet-spec/Final/servlet-3_1-final.pdf The Tomcat docs (and to a lesser extent this list) assume users of Tomcat are familiar with the Servlet specification. While it appears you need to read all of that document fairly soon, chapter 6 should answer your immediate questions. Mark > > -Original Message- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Monday, November 14, 2016 4:16 PM > To: Tomcat Users List > Subject: Re: Tomcat 9 How do you set httpHeaderSecurity properly > > On 14/11/2016 21:11, Dustin Delage wrote: >> Trying to enable some header filters in web.xml and NOT having any >> luck. I pretty much had to guess how to do this and my config looks >> like >> this: >> >> >> httpHeaderSecurity >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter> i >> lter >> -class> >> >> >> blockContentTypeSniffingEnabled >> true >> > Not necessary - that is the default. > > >> >> >> antiClickJackingEnabled >> true >> > Not necessary - that is the default. > > >> >> >> antiClickJackingOption >> SAMEORIGIN >> > This one you will need. > > >> >> >> xssProtectionEnabled >> true >> >> true > Not necessary - that is the default. > > >> > > And the filter mapping? 
> > Mark
Re: 8.5.4 to 8.5.5 SSL Issue
On Tue, Oct 25, 2016 at 2:08 AM, Kreuser, Peter wrote:
> Dear all,
>
>> On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA256
>>>
>>> William,
>>>
>>> On 10/21/16 6:08 PM, William Boyd wrote:
>>>> On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>>>> William,
>>>>>
>>>>> On 10/21/16 4:37 PM, William Boyd wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was working great until I enabled SSL with a self-signed certificate. I am able to recreate the issue on 8.5.5. I finally had to downgrade to 8.5.4 to get SSL working with identical configuration and cert.
>>>>>>
>>>>>> I want to be sure that this is not a known issue and that I'm not doing something wrong before I create a bug report.
>>>>>>
>>>>>> Server version: Apache Tomcat/8.5.5 64-bit
>>>>>> OS Name: Windows 7
>>>>>> JVM Version: 1.8.0_102-b14
>>>>>>
>>>>>> The cert was generated with this command:
>>>>>> keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
>>>>>>
>>>>>> Configuration includes adding -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
>>>>>
>>>>> I think this might be the problem. Tomcat doesn't use javax.net.ssl.trustStore except as a backup in case you haven't specified a trust store in your . You have pointed that system property at a keystore, not a trust store. Technically, they are the same format, but they are used for different things.
>>>>>
>>>>> If you need that for making your own outgoing TLS connections then leave it in there and we'll try to get it to work, otherwise it's just confusing and might cause Tomcat to do weird things.
>>>>>
>>>>>> and using this connector config
>>>>>>
>>>>>> connectionTimeout="6" maxThreads="200" minSpareThreads="4" enableLookups="false" compression="on" server="Apache" scheme="https" secure="true" SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit" keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"/>
>>>>>
>>>>> Looks good so far.
>>>>>
>>>>>> Here is the exception I get at startup
>>>>>>
>>>>>> 13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
>>>>>> java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>>>>>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
>>>>>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
>>>>>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
>>>>>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
>>>>>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
>>>>>> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
>>>>>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
>>>>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>>>>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>>>>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>>>>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>>>>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>>>>> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>>>>>> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>>>>>> at sun.reflect.NativeMethodAcces
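The exception quoted above, "the trustAnchors parameter must be non-empty", is what the JDK's PKIX TrustManagerFactory raises when the store it is initialised with contains no trusted-certificate entries, and a store created with keytool -genkeypair holds exactly one PrivateKeyEntry and nothing else. A cheap pre-flight check is to list the store and confirm it has at least one trustedCertEntry before pointing javax.net.ssl.trustStore (or a connector's truststoreFile) at it. The Python below is an added example, not code from the thread; the two keytool -list listings it parses are constructed samples in keytool's non-verbose output format, and the list_keystore helper shows how the real listing would be obtained but is not run here.

```python
"""Pre-flight check: does a JKS file actually contain any trust anchors?

Added example, not code from the thread. Only trustedCertEntry entries become
PKIX trust anchors; a PrivateKeyEntry (what keytool -genkeypair creates) does
not, so a keystore used as a truststore fails TrustManagerFactory.init with
"the trustAnchors parameter must be non-empty".
"""
import re
import subprocess
from typing import Dict, List

# keytool -list prints one line per entry: "<alias>, <date>, <EntryType>, "
# The date may itself contain a comma (e.g. "Oct 13, 2016"), so anchor on the
# entry type at the end of the line rather than on field position.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), (?P<date>.+?), "
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)


def parse_keytool_list(listing: str) -> Dict[str, str]:
    """Map alias -> entry type from `keytool -list` output."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("kind")
    return entries


def trust_anchor_aliases(listing: str) -> List[str]:
    """Aliases that would become trust anchors (trustedCertEntry only)."""
    return [a for a, k in parse_keytool_list(listing).items() if k == "trustedCertEntry"]


def check_truststore(listing: str) -> str:
    """Verdict for using this store as javax.net.ssl.trustStore / truststoreFile."""
    anchors = trust_anchor_aliases(listing)
    if not anchors:
        return ("REJECT: no trustedCertEntry; TrustManagerFactory.init would fail "
                "with 'the trustAnchors parameter must be non-empty'")
    return "OK: %d trust anchor(s): %s" % (len(anchors), ", ".join(anchors))


def list_keystore(path: str, storepass: str) -> str:
    """Obtain a real listing (not executed in this example)."""
    return subprocess.run(
        ["keytool", "-list", "-keystore", path, "-storepass", storepass],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample: the store from the thread, created by keytool -genkeypair.
KEYSTORE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Oct 13, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3A:11:7C:02:9E:AA:5B:10:D4:8F:06:21:CE:7B:E3:9D:44:A0:58:F1
"""

# Constructed sample: a store that also carries an imported root certificate
# (keytool -importcert -trustcacerts -alias internalroot ...).
TRUSTSTORE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

internalroot, Oct 13, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 9C:43:0E:77:21:B8:5D:6A:F0:12:3C:9E:AB:70:15:D2:66:0B:84:20
tomcat, Oct 13, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3A:11:7C:02:9E:AA:5B:10:D4:8F:06:21:CE:7B:E3:9D:44:A0:58:F1
"""


if __name__ == "__main__":
    print("keystore.jsk  :", check_truststore(KEYSTORE_LISTING))
    print("truststore.jks:", check_truststore(TRUSTSTORE_LISTING))
```

With clientAuth="false" the connector in the thread has no reason to need a truststore at all, so the simplest fix is to drop -Djavax.net.ssl.trustStore unless the application itself makes outbound TLS connections that rely on it; if it does, point the property at a store that passes this check rather than at the server's key store.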