> -----Original Message----- > From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com] > Sent: Tuesday, February 12, 2013 5:35 PM > To: Tomcat Users List > Subject: RE: Need to Specify keystorePass on Command Line - Update > > > > > -----Original Message----- > > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > > Sent: Tuesday, February 12, 2013 6:00 PM > > To: Tomcat Users List > > Subject: Re: Need to Specify keystorePass on Command Line - Update > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > Mark, > > > > On 2/12/13 4:27 AM, Mark Thomas wrote: > > > On 12/02/2013 00:53, Harris, Jeffrey E. wrote: > > >> Current status: > > >> > > >> I replaced keystorePass=<password> with > > >> 'keystorePass="${kspassword}"' in server.xml, and executed the > > >> command "tomcat7 //TS//Tomcat7 --JvmOptions=- > Dkspassword=<password>" > > >> and have been able to start the SSL listener as a console > > >> application. > > >> > > >> However, I have not been able to do the same thing with the > > >> service, using "sc start Tomcat7 > > >> "--JvmOptions=-Dkspassword=<password>", or putting the parameter > > >> into the properties of the service entry in Windows Services > Manager. > > >> > > >> I know Charles Caldarale said it could not be done with a service, > > >> but it is possible to pass parameters to a service, both using the > > >> Windows Services Manager, and via the sc command line utility. I > > >> am just not sure what syntax Tomcat is expecting for parameters; I > > would > > >> think it would match the syntax of the tomcat command above, since > > >> that is basically what is being called, just with different > > >> parameters. > > > > > > http://commons.apache.org/daemon/procrun.html > > > > Since OP is using "sc", there may be a problem there that you can't > > specify command-line parameters to a service. > > > > Obviously, adding the parameter to Windows Services Manager defeats > > the whole "must be on the command line, can't be in the registry" > > requirement. > > > > Christopher, > > The sc start command does allow command line parameters, but I think > the syntax of how the parameters are passed to the service executable > is not compatible with what Tomcat is expecting. On my test server, I > even used the SC command to create a service to start Tomcat by > directly executing java and the boot class file, and I could start SSL, > but only by embedding the password within a JvmOptions parameter before > the java command, not after it (which the java executable syntax > requires. > > The reason I am focusing on sc is that I CAN store the private key on a > different system, and set up a scheduled task on that system to check > the status of the Tomcat service on the target system, and restart the > service remotely (such as after a reboot). The sc command has a server > parameter so it can work remotely between servers (with the appropriate > permissions, of course). > > I am also looking at Andre's idea of using Apache as a proxy for Tomcat > (I presume using AJP13), and avoiding the need for SSL on Tomcat. I > talked to my developer about it, and he thinks that the Webapp can > still communicate with the remote service if the Apache server does the > PKI authentication with the remote system, and handles the SSL. > > Finally, I asked my developer to look at your idea of a property > source. > > Jeffrey Harris >
If you had read the Procrun documentation that Mark was kind enough to point you to above, you might have figured out that you need to modify your "--JvmOptions=..." syntax. You need to change it to "++JvmOptions=..." otherwise, you are overwriting all the other options that that are stored in the registry that the Tomcat service needs to start up. That includes things like the locations of catalina.base and catalina.home, and you're never gonna get the service to start without those. And one other thing, in some security circles, configuring windows to allow the running of remote sc commands is a pretty big no-no. If not done properly, anyone can stop your services from anywhere. Jeff
