Re: Tomcat Service(s) on Windows, Procmon question

2024-11-07 Thread david w

Sent: Thursday, November 7, 2024 8:53 PM
To: Tomcat Users List
Subject: RE: Tomcat Service(s) on Windows, Procmon question

Sorry to top-reply, but does this regression exist in 10.1.31 as well, or only 
9.0.96?

From: Christopher Schultz 
Sent: Thursday, November 7, 2024 1:16 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat Service(s) on Windows, Procmon question

Jon,

On 11/7/24 13:08, Mcalexander, Jon J. wrote:
> Happy Thursday everybody,
>
> I have a question around starting a Tomcat Service Instance on Windows
> servers. Is there a way to have the Tomcat Startup kick off a script before
> starting that will clear the contents of the workDir (Clear the cache so to
> say)?
>
> We have run into some issues after upgrading our binaries to Tomcat 9.0.96
> where applications start throwing some unknown method errors when starting.
> The fix for this was to clear the workDir contents before startup and let
> Tomcat do its recompile steps. Note, the app didn't change, but the binaries
> did.

Please note that there is a regression in 9.0.96 that you need to be
aware of that affects JSPs. It will affect you, since you are reporting
(a) missing method errors and (b) you want to clear your work directory,
presumably to remove .jsp -> .java -> .class files to trigger
recompilation of all of those.

I would pause and NOT deploy 9.0.96 because recompilation will stop the
app from throwing those missing-method errors, but some tags might
actually not behave properly.

> We separate our CATALINA_HOME from our CATALINA_BASE, so app teams just need
> to restart their instance after the upgrade.
>
> Doing this in Linux/Unix/MAC, is easier as we can do this with the setenv.sh
> script or in the startup or shutdown scripts. However Windows is more
> difficult as the instance runs as a service.
>
> Any help here would be much appreciated.

As to your question about procrun running a script before it launches
Tomcat, I think the short answer is "no" but I do have an idea for you.

Create a new service called Tomcat-cleanup, make it a simple BAT/PS
script that cleans out that directory, and make it a startup dependency
of the real Tomcat service.

-chris





You can also create a scheduled task that starts every time a Windows service
starts, and this task could run your script for you.
This script would possibly require administrator rights in order to actually
perform any file operations that your script would need to do, but this is your
call, and it wouldn't compromise the Tomcat service or service account, so it
could be an alternative.
David

-

To unsubscribe, e-mail: 
users-unsubscr...@tomcat.apache.org

For additional commands, e-mail: 
users-h...@tomcat.apache.org
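A worked version of the cleanup step discussed in this thread (empty <CATALINA_BASE>\work before the Tomcat service starts, so Jasper recompiles every JSP), added here as an example; it is not code from anyone on the list. It assumes the Tomcat service is registered as Tomcat9 and that the script is run by a wrapper service named Tomcat-cleanup or by a scheduled task, as the two replies suggest (both names are assumptions). The checks keep the delete inside the instance's own work directory and refuse to run against a live JVM.

```powershell
# Added example (not from the mailing-list thread). Empties <CATALINA_BASE>\work
# so Jasper recompiles every JSP on the next start. Service names below are
# assumptions: "Tomcat9" for the real instance, "Tomcat-cleanup" for the wrapper
# service (or scheduled task) that runs this script before it.
param(
    [string]$CatalinaBase   = $env:CATALINA_BASE,
    [string]$TomcatService  = 'Tomcat9'
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Clear-TomcatWorkDir {
    param([Parameter(Mandatory = $true)][string]$CatalinaBase)

    if ([string]::IsNullOrWhiteSpace($CatalinaBase)) {
        throw 'CATALINA_BASE is empty; refusing to guess which directory to clear.'
    }
    $base = (Resolve-Path -LiteralPath $CatalinaBase).ProviderPath
    # Sanity check: only treat a tree that carries conf\server.xml as a Tomcat
    # instance, so a mistyped path can never point the delete at something else.
    if (-not (Test-Path -LiteralPath (Join-Path $base 'conf\server.xml'))) {
        throw "$base does not look like a CATALINA_BASE (no conf\server.xml)."
    }
    $work = Join-Path $base 'work'
    if (-not (Test-Path -LiteralPath $work -PathType Container)) {
        return 0   # nothing compiled yet; the first start will create it
    }
    # Delete the *contents* of work, never the directory itself.
    $entries = @(Get-ChildItem -LiteralPath $work -Force)
    foreach ($entry in $entries) {
        Remove-Item -LiteralPath $entry.FullName -Recurse -Force
    }
    return $entries.Count
}

# Refuse to run while the instance is up: clearing work under a running JVM
# leaves Jasper with half-deleted compiled JSP state.
$svc = Get-Service -Name $TomcatService -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    throw "$TomcatService is running; stop it before clearing the work directory."
}
$removed = Clear-TomcatWorkDir -CatalinaBase $CatalinaBase
Write-Output "Removed $removed entries from $CatalinaBase\work"

# One-time wiring for the service variant (run elevated), so the Service
# Control Manager starts the cleanup service before the real instance:
#   sc.exe config Tomcat9 depend= Tomcat-cleanup   (the space after depend= is required)
#   sc.exe qc Tomcat9                              (verify DEPENDENCIES lists Tomcat-cleanup)
```

The dependency wiring only applies when the cleanup runs as a service; for the scheduled-task alternative the same script is used unchanged. Whichever account runs it needs write access to the instance's work directory and nothing more, which keeps the Tomcat service account itself unprivileged.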




Tomcat on Windows : new keystore possibilities

2024-04-08 Thread david w
Hello
Referring to the documentation on Apache Tomcat 9 Configuration Reference
(9.0.87) - The HTTP Connector keystore types, I wanted to mention that a new
set of possibilities is available with newer Java builds, when using Tomcat in
a Windows environment.

As mentioned on the OpenJDK bug tracker:
https://bugs.openjdk.org/browse/JDK-8286790

The Windows KeyStore support in the SunMSCAPI provider has been expanded to
include access to the local machine location. The new keystore types are:

Windows-MY-LOCALMACHINE
Windows-ROOT-LOCALMACHINE

The following keystore types were also added, allowing developers to make it
clear they map to the current user:

Windows-MY-CURRENTUSER (same as "Windows-MY")
Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")

Alongside other configurations possible on the server side, web certificates
can be automatically published, renewed and managed with a company's internal
Active Directory CA. The account running the Tomcat Windows Service needs local
Administrator rights to be able to reference these certificate stores.

With this enabled, setting the server.xml Connector as shown below can make
certificate management a lot easier.



The use of a predefined environment variable for the system name, possible when
also using this setting in catalina.properties:
#GPO Managed restricted file: TESTING
#allow_System ENVVar Usage
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource

makes it easier to maintain a common server.xml file through tools like GPO.

Could it be useful to somehow document this, as it does make our Windows admin
life easier!!


Re: Tomcat on Windows : new keystore possibilities

2024-04-08 Thread david w
If you can share a way for this to not be necessary, I'm all ears...😁

David Wooffindin

From: Bill Stewart 
Sent: Monday, April 8, 2024 4:22:37 PM
To: Tomcat Users List 
Subject: Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 3:49 AM david w wrote:

The account running the Tomcat Windows Service needs local Administrator
> rights to be able to refernce these certificate stores.
>

Fortunately, this statement is not correct.

I would definitely not recommend running the Tomcat service using a
privileged account.

Bill


Re: Tomcat on Windows : new keystore possibilities

2024-04-08 Thread david w
I understand, but I am not looking for troubleshooting; I am trying to raise
awareness of the new SunMSCAPI capabilities.
I'm testing using the private key in the Windows machine store to simplify TLS
implementation.
For this it requires local admin rights, but I am also looking at how to not need
this...

David Wooffindin

From: Bill Stewart 
Sent: Monday, April 8, 2024 5:36:47 PM
To: Tomcat Users List 
Subject: Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 8:27 AM david w wrote:

If you can share a way for this to not be necessary, I'm all ears...
>

I can read computer certificates from non-privileged accounts on Windows.
(How would a user application such as a browser work otherwise?)

I'm not sure what's different on your system or why you think a privileged
account is required.

In any case, this would not be a Tomcat-specific issue but rather some kind
of configuration issue. (What I am saying is that troubleshooting this
issue on your machine is really outside the scope of this specific mailing
list.)

I would repeat my recommendation not to run a web server of any kind
(Tomcat or otherwise) using a privileged account.

Bill


Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

2024-06-25 Thread david w
I've had the same experience, but with a regular AD service account, not an MSA.
The account needs to have local administrator rights for the certificate to be 
found and used; setting ACL on the keystores is not enough.


David

From: Gavioto 🕵 
Sent: Tuesday, June 25, 2024 3:27:12 PM
To: users@tomcat.apache.org 
Subject: RE: How to configure Tomcat with a Managed Service Account when using 
LocalMachine certificates for TLS

- how are you starting Tomcat?
  Tomcat is starting as a service with "Domain\account1$" (Managed Service 
Account)

- is Tomcat installed as a Windows service?
  Yes

- which account is Tomcat running under?
  "Domain\account1$" (Managed Service Account) It is not a normal domain 
account used for the service.  Secure group managed service accounts - 
Microsoft Entra | Microsoft 
Learn

Regarding the mean of "user" I'm referring to the user who is running the 
Tomcat Service. In this case, the Managed Service Account.


De: Mark Thomas 
Enviado: martes, 25 de junio de 2024 12:51
Para: users@tomcat.apache.org 
Asunto: Re: How to configure Tomcat with a Managed Service Account when using 
LocalMachine certificates for TLS

A few questions:

- how are you starting Tomcat?

- is Tomcat installed as a Windows service?

- which account is Tomcat running under?

There are a few references to "user" in your question. It is not clear
if this is:
- the user administering a Tomcat service
- a user that is starting Tomcat from the command line
- the user that the Tomcat service is running as
- something else

Mark


On 25/06/2024 11:30, Alberto Corral wrote:
> Hello!
>
> After some research, docs, and tests, I didn't find an answer to my issue.
>
> I'm writing to the list because I have to configure a probably not very
> common Tomcat configuration and didn't find the correct configuration, or
> whether it is possible to do it.
> Also I didn't find previous information or examples on the internet or the wiki.
>
> There is a similar question on Server Fault
> https://serverfault.com/questions/1161457/can-i-use-certificates-in-the-local-machine-from-a-managed-service-account,
> but not solved yet.
>
> The configuration has also been involved with a recent JDK bug-fix (for a 10
> year old bug), but this part is fixed using the latest available JDK versions.
> So I think it would be valuable to document a Use Case based on real
> experience that can be both tested in future versions and useful for
> future users, available in the wiki or official docs :-)
>
> Maybe what I'm trying to do is not really possible, but I need to know if
> this is a Tomcat limitation or a Windows one.
> My actual configuration
>
> Server version name:   Apache Tomcat/9.0.65
> Server version number: 9.0.65.0
> Server built:  Jul 14 2022 12:28:53 UTC
> Architecture:  amd64
> OS Version:10.0
> OS Name:   Windows Server 2019
> JVM Vendor:Eclipse Adoptium
> JVM Version:   11.0.23+9
> Java Home: 
> C:\OpenJDK11U-jdk_x64_windows_hotspot_11.0.23_9\jdk-11.0.23+9
>
> Actual secure configuration used:
>
>  server="Unknown"
> maxThreads="150" scheme="https" secure="true"
>   enableLookups="true"
>   KeystoreType="Windows-MY-LOCALMACHINE"
> clientAuth="false" sslProtocol="TLS"
> KeystoreFile=""
> KeyAlias="tomcat" />
>
>
> Configuration:
> - The certificate is in the LOCALMACHINE Windows Storage and allows read
> access to the user "account1$" which is an AD Managed Service Account.
> -
>
> Facts:
> - If the user has read access but not local admin, then the previous stack
> trace is generated.
> - If I give local Admin rights to the service account, it seems it can access
> the Certificate Storage; otherwise, the previous Stack Trace is generated.
> - Unless I give local Admin rights, Apache opens port 8443, but doesn't
> respond to requests on 8443 when testing and no error appears in the logs.
>
> The question is "How to configure Tomcat with a Managed Service
> Account when using LocalMachine certificates for TLS"
>
> Notes:
> - JDK 11.0.20+ is required due to a well known bug that has been backported from
> JDK 21: [JDK-6782021] It is not possible to read local computer certificates
> with the SunMSCAPI provider - Java Bug System (openjdk.org)
> (https://bugs.openjdk.org/browse/JDK-6782021) and [JDK-8303520] It is not
> possible to read local computer certificates with the SunMSCAPI provider -
> Java Bug System (openjdk.org)
> (https://bugs.openjdk.org/browse/JDK-8303520)
>
> The following program can help to check different configurations, and it works
> when the certificate has read permission for the user who is running it.
>
> // JDK8313367test.java - Simple test case to demonstrate OpenJDK defect 
> JDK-8313367
> //
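Both keystore threads on this page (the Windows-MY-LOCALMACHINE announcement and this Managed Service Account question) come down to one check: when the service account opens the LocalMachine store, does it see the certificate behind KeyAlias, and can it open the private key? The script below is an added example and not code from any message in the threads. It enumerates Cert:\LocalMachine\My (the store the Windows-MY-LOCALMACHINE type reads) and reports, per certificate, whether the current account can open the private key, which key file backs it, and who has read access on that file, so it should be run under the service account. The key-file directories are the standard Windows locations and the assumption that SunMSCAPI's alias is the certificate's friendly name are mine, not the page's. Note the caveat the threads themselves raise: both posters report that SunMSCAPI still failed without local admin even when the key ACL granted read, so a clean result here confirms the Windows ACL side only.

```powershell
# Added example (not from the threads). Run this under the Tomcat service
# account. Key-file locations are the standard Windows paths (assumption).
param([string]$KeyAlias = 'tomcat')   # KeyAlias from the quoted server.xml

Set-StrictMode -Version Latest
$cngKeyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'             # CNG machine keys
$capiKeyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'  # legacy CSP keys

function Get-PrivateKeyFile {
    # Returns the on-disk key container behind an RSA private key, or $null.
    param([System.Security.Cryptography.RSA]$Rsa)
    if ($Rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $cngKeyDir $Rsa.Key.UniqueName
    }
    if ($Rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $capiKeyDir $Rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    return $null
}

function Test-LocalMachineCert {
    # Emits one result object per certificate in LocalMachine\My.
    param([string]$KeyAlias)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $keyOpened = $false; $keyFile = $null; $failure = $null; $readers = @()
        if ($cert.HasPrivateKey) {
            # HasPrivateKey only says a key is *associated*; opening it is what
            # fails (e.g. "Keyset does not exist") when the container ACL does
            # not grant this account read access.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa) {
                    $keyOpened = $true
                    $keyFile = Get-PrivateKeyFile -Rsa $rsa
                    $rsa.Dispose()
                }
            } catch {
                $failure = $_.Exception.Message
            }
        }
        if ($keyFile -and (Test-Path -LiteralPath $keyFile)) {
            $readers = (Get-Acl -LiteralPath $keyFile).Access |
                Where-Object { $_.FileSystemRights.ToString() -match 'Read|FullControl' } |
                ForEach-Object { $_.IdentityReference.Value }
        }
        [pscustomobject]@{
            RunningAs     = $me
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            FriendlyName  = $cert.FriendlyName      # treated as the SunMSCAPI alias (assumption)
            MatchesAlias  = ($cert.FriendlyName -eq $KeyAlias)
            Expires       = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyOpened     = $keyOpened
            KeyFile       = $keyFile
            KeyReaders    = ($readers -join ', ')
            Error         = $failure
        }
    }
}

Test-LocalMachineCert -KeyAlias $KeyAlias | Format-List
```

Read the output for the entry with MatchesAlias = True: HasPrivateKey = True with KeyOpened = False and an access error is the ACL problem (grant the service account Read on that key via certlm.msc, Manage Private Keys), while KeyOpened = True under the unprivileged service account means the Windows side is in order and any remaining failure is in the Java provider, which is the situation the thread describes.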

Re: [EXTERNAL] Re: Archive localhost_access_log

2025-03-18 Thread david w
There are other ways to capture or store logs... Tools or toolsets like 
Telegraf.
OT but could be of help




Thank you Mr. Funk.

My request is two-fold: a) archive the log files elsewhere (not the "logs"
folder) based on some policy, b) clean up (delete) the archived files based on
some policy.

If I'm not mistaken, your suggestion may address the latter but nothing on the 
former?

Thanks and regards,
-
Quoc

-Original Message-
From: Tim Funk 
Sent: Tuesday, March 18, 2025 1:10 PM
To: Tomcat Users List 
Subject: [EXTERNAL] Re: Archive localhost_access_log

Personally, I rely on a daily cron with a find by time and the -delete flag,
where the time to keep is based on policy.

-Tim

On Tue, Mar 18, 2025 at 9:52 AM Nguyen, Quoc A. (QUANTUM MANAGEMENT, LLC) 
 wrote:

> Hello,
>
> Tomcat server version: 9.0.98.
>
> server.xml configuration for AccessLogValve:
>
>  directory="logs" prefix="localhost_access_log" suffix=".log" maxDays="7"
> pattern="%h %{X-Forwarded-For}i %t %I "%m %U" %{local}p %s %b %D"
> resolveHosts="false" />
>
> Everything works fine.  Now, I have a requirement to archive these log
> files similar to log4j  (pattern is already taken care of
> in the valve) with  (archive when the file size reaches
> certain
> size) and  (cleanup archived files).
>
> Is there a way to archive these logs via the configuration in the valve?
> If not, what the best way to go about it: a custom class that
> implements ValveBase or extends AccessLogValve or do something else entirely?
>
>
>
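A retention job that covers both halves of the request above (move rotated access logs out of the logs directory into an archive location after one policy age, and delete archived files after another), added as an example; it is not code from anyone in the thread. It is written in PowerShell because the rest of this page is Tomcat on Windows, although the original question does not state a platform. The directory paths, the two retention periods and the use of Compress-Archive are assumptions; the file prefix and suffix match the quoted AccessLogValve configuration.

```powershell
# Added example (not from the thread). Paths and retention periods are assumptions.
param(
    [string]$LogDir           = 'C:\tomcat\logs',          # AccessLogValve directory="logs"
    [string]$ArchiveDir       = 'D:\archive\tomcat-access',
    [string]$Prefix           = 'localhost_access_log',     # valve prefix
    [string]$Suffix           = '.log',                     # valve suffix
    [int]   $ArchiveAfterDays = 1,                          # policy (a): move out of logs
    [int]   $DeleteAfterDays  = 90                          # policy (b): purge the archive
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Invoke-AccessLogRetention {
    param(
        [string]$LogDir, [string]$ArchiveDir, [string]$Prefix, [string]$Suffix,
        [int]$ArchiveAfterDays, [int]$DeleteAfterDays
    )
    # The valve rotates daily and keeps today's file open; an archive age of at
    # least one day guarantees the live file is never touched.
    if ($ArchiveAfterDays -lt 1) { throw 'ArchiveAfterDays must be at least 1.' }
    if ($DeleteAfterDays -lt $ArchiveAfterDays) { throw 'DeleteAfterDays must not be shorter than ArchiveAfterDays.' }

    $now = Get-Date
    $archiveBefore = $now.AddDays(-$ArchiveAfterDays)
    $deleteBefore  = $now.AddDays(-$DeleteAfterDays)
    if (-not (Test-Path -LiteralPath $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }

    # (a) Archive: rotated files older than the policy age, compressed one per
    # file so a single corrupt archive cannot take a whole month with it.
    $toArchive = @(Get-ChildItem -LiteralPath $LogDir -File -Filter "$Prefix*$Suffix" |
                   Where-Object { $_.LastWriteTime -lt $archiveBefore })
    foreach ($log in $toArchive) {
        $zip = Join-Path $ArchiveDir ($log.BaseName + '.zip')
        Compress-Archive -LiteralPath $log.FullName -DestinationPath $zip -Force
        # Carry the log's own timestamp onto the archive so policy (b) counts
        # from the log date, not from the day it was zipped.
        (Get-Item -LiteralPath $zip).LastWriteTime = $log.LastWriteTime
        Remove-Item -LiteralPath $log.FullName
    }

    # (b) Purge: archives older than the retention window.
    $toPurge = @(Get-ChildItem -LiteralPath $ArchiveDir -File -Filter "$Prefix*.zip" |
                 Where-Object { $_.LastWriteTime -lt $deleteBefore })
    foreach ($old in $toPurge) {
        Remove-Item -LiteralPath $old.FullName
    }

    return [pscustomobject]@{ Archived = $toArchive.Count; Purged = $toPurge.Count }
}

Invoke-AccessLogRetention -LogDir $LogDir -ArchiveDir $ArchiveDir -Prefix $Prefix `
    -Suffix $Suffix -ArchiveAfterDays $ArchiveAfterDays -DeleteAfterDays $DeleteAfterDays
```

Schedule it daily under an account that can write to both directories. The valve's own maxDays (7 in the quoted configuration) must stay longer than ArchiveAfterDays, otherwise Tomcat deletes a rotated file before this job has moved it out.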


JDBC/MySQL user login goes stale

2005-11-29 Thread David W. Brown
Hello TC dev and Gurus, I have a webapp comprised of several Servlets and JSP
pages. The webapp is functioning very well but after a few hours of no
connections or interaction the TC webapp loses its connection with the MySQL
DB. We are using the server.xml defined JDBC/MySQL security model using the
users and user_roles tables DB structure. The logins work perfectly until a few
hours of (like overnight) inattention. Even though the TC Servlet server is
still up and running, logins all fail. After restarting TC the login mechanism
works perfectly. Particulars follow. Please advise.

TC Servlet server 5.5.7
MySQL 4.1

OS Windows XP (whistler).

David Brown
IT/Systems
USM-I KBR-Central
APO AE 09316




Re: How to Install Tomcat 5.5 Administration Web Application

2006-04-27 Thread David W. Brown
Hello Nissam, I am having the same problem with the Tomcat Admin. However, I am 
using the JDBC Realm (MySQL) instead of the tomcat-users.xml. Please advise, 
David.

On 26/Apr/2006 06:39 nissam wrote ..
> 
> Hi
>Add a user like below.
>
>Remove the cache and restart tomcat. The admin application should be
> working.
> rgds
> nissam
> --
> View this message in context: 
> http://www.nabble.com/How-to-Install-Tomcat-5.5-Administration-Web-Application-t1368054.html#a4099700
> Sent from the Tomcat - User forum at Nabble.com.
> 
> 
David Brown
IT/Systems
USM-I KBR-Central
APO AE 09316

