Sean,

On 8/10/16 12:56 PM, Sean Son wrote:
> On Wed, Aug 10, 2016 at 11:41 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Sean,
>
> On 8/10/16 10:39 AM, Sean Son wrote:
>>>> On Wed, Aug 10, 2016 at 10:06 AM, Sean Son <linuxmailinglistsem...@gmail.com> wrote:
>>>>
>>>>> On Tue, Aug 9, 2016 at 5:05 PM, Mark Eggers <its_toas...@yahoo.com.invalid> wrote:
>>>>>
>>>>>> Sean,
>>>>>>
>>>>>> On 8/9/2016 1:55 PM, Sean Son wrote:
>>>>>>> On Mon, Aug 8, 2016 at 11:31 AM, Mark Eggers <its_toas...@yahoo.com.invalid> wrote:
>>>>>>>
>>>>>>>> Sean,
>>>>>>>>
>>>>>>>> On 8/8/2016 7:10 AM, Sean Son wrote:
>>>>>>>>> On Fri, Aug 5, 2016 at 5:34 PM, Mark Eggers <its_toas...@yahoo.com.invalid> wrote:
>>>>>>>>>
>>>>>>>>>> On 8/5/2016 2:19 PM, Sean Son wrote:
>>>>>>>>>>> Hello!
>>>>>>>>>>>
>>>>>>>>>>> I am currently running Tomcat 8 on RHEL 7.2
>>>>>>>>>>> with one web application called AppVet (A
>>>>>>>>>>> mobile Application Vetting program). The
>>>>>>>>>>> application works well but when I tried to use
>>>>>>>>>>> a script to allow tomcat to start up at boot,
>>>>>>>>>>> the webapp gives an authentication error. I saw
>>>>>>>>>>> the following error in the logs for appvet:
>>>>>>>>>>>
>>>>>>>>>>> [ERROR] Could not connect to database:
>>>>>>>>>>> com.mysql.jdbc.exceptions.jdbc4.CommunicationsException:
>>>>>>>>>>> Communications link failure
>>>>>>>>>>>
>>>>>>>>>>> The last packet sent successfully to the server
>>>>>>>>>>> was 0 milliseconds ago. The driver has not
>>>>>>>>>>> received any packets from the server. Make sure
>>>>>>>>>>> your MySQL password in your
>>>>>>>>>>> AppVetProperties.xml file is correct
>>>>>>>>>>>
>>>>>>>>>>> I know for a fact that the MySQL password is
>>>>>>>>>>> correct in that XML file. I double checked it
>>>>>>>>>>> already. Any ideas on how I should fix this
>>>>>>>>>>> error?
>>>>>>>>>>>
>>>>>>>>>>> This is the script that I am using for
>>>>>>>>>>> startup/shutdown of Tomcat8 on boot:
>>>>>>>>>>>
>>>>>>>>>>> http://pastebin.com/mrvfDtTD
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>>
>>>>>>>>>>> Sean
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> It appears that your Tomcat process is running as
>>>>>>>>>> root. Do not do this.
>>>>>>>>>>
>>>>>>>>>> Is your MySQL server up and running before Tomcat
>>>>>>>>>> is started?
>>>>>>>>>>
>>>>>>>>>> . . . just my two cents /mde/
>>>>>>>>>>
>>>>>>>>> Hello thank you for your response
>>>>>>>>>
>>>>>>>>> I created a user account for Tomcat, I will set
>>>>>>>>> the script to use that account instead of the root
>>>>>>>>> account. Question though, does this account need a
>>>>>>>>> password?
>>>>>>>>
>>>>>>>> Yes, especially since you'll be running a service.
>>>>>>>>
>>>>>>>> Note that if you're running Tomcat on a privileged
>>>>>>>> port (less than 1024), a non-root account will not be
>>>>>>>> able to bind to this port.
>>>>>>>>
>>>>>>>> You have three choices.
>>>>>>>>
>>>>>>>> 1. iptables
>>>>>>>>
>>>>>>>> route port 80 to port 8080 (Tomcat default)
>>>>>>>> internally. Take a look at the iptables
>>>>>>>> documentation.
>>>>>>>>
>>>>>>>> 2. jsvc
>>>>>>>>
>>>>>>>> jsvc from the Apache Commons Daemon project allows
>>>>>>>> you to run a service such as Tomcat more easily. I
>>>>>>>> don't remember if there is an RPM for RHEL or not
>>>>>>>> (possible in EPEL). Its configuration and startup
>>>>>>>> script are different, but the documentation is a good
>>>>>>>> start (there are Tomcat examples).
>>>>>>>>
>>>>>>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>>>>>>>>
>>>>>>>> 3. Apache HTTPD front end with mod_proxy_ajp or mod_jk
>>>>>>>>
>>>>>>>> I'd do this if you need Apache HTTPD for other web
>>>>>>>> applications (a PHP application, perhaps).
>>>>>>>> There is good documentation available on the Tomcat web site,
>>>>>>>> as well as a ton of discussion on the mailing list to
>>>>>>>> get this running.
>>>>>>>>
>>>>>>>> If you don't feel like building software, I'd
>>>>>>>> recommend mod_proxy_ajp. I find mod_jk more flexible
>>>>>>>> and a little easier to use (opinions on ease of use
>>>>>>>> vary), but you'd have to build mod_jk from source.
>>>>>>>> It's easy to do, but some people find that a little
>>>>>>>> more challenging.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Also, I can't tell if the MySQL server is up and
>>>>>>>>> running prior to Tomcat being started. I know that
>>>>>>>>> mysqld is enabled to start at boot, but I don't know
>>>>>>>>> if Tomcat starts prior to MySQL. How would I
>>>>>>>>> figure that out?
>>>>>>>>>
>>>>>>>>
>>>>>>>> I thought RHEL 7 uses systemd and not init scripts?
>>>>>>>>
>>>>>>>> There have been many discussions on the mailing list
>>>>>>>> concerning systemd and Tomcat. I think someone has
>>>>>>>> posted appropriate systemd scripts.
>>>>>>>>
>>>>>>>> If not, then look at /etc/rc3.d. Start and stop
>>>>>>>> scripts are executed in numerical order. Start
>>>>>>>> scripts start with S, stop scripts start with K.
>>>>>>>>
>>>>>>>> Adjust the numbers in your Tomcat init script
>>>>>>>> (/etc/init.d) so that the start comes after
>>>>>>>> MySQL (second number in the chkconfig line).
>>>>>>>>
>>>>>>>> You'll have to chkconfig --del and chkconfig --add to
>>>>>>>> have the new numbers take effect in /etc/rcx.d.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>
>>>>>>>> . . . just my two cents /mde/
>>>>>>>>
>>>>>>>
>>>>>>> hello thank you for your response.
>>>>>>>
>>>>>>> So I decided to go the SystemD route and I found this
>>>>>>> article online:
>>>>>>>
>>>>>>> https://panovski.me/install-tomcat-8-on-centos-7/
>>>>>>>
>>>>>>> I followed the instructions and instead of downloading
>>>>>>> Tomcat and installing it in /opt/tomcat, I copied the
>>>>>>> existing Tomcat installation, which was in
>>>>>>> /home/username, into /opt/tomcat and I gave the entire
>>>>>>> installation directory, an owner and group of tomcat.
>>>>>>> Then I set up the following tomcat.service unit file:
>>>>>>>
>>>>>>> [Unit]
>>>>>>> Description=Apache Tomcat Web Application Container
>>>>>>> After=network.target
>>>>>>>
>>>>>>> [Service]
>>>>>>> Type=forking
>>>>>>> PIDFile=/var/run/tomcat.pid
>>>>>>> Environment=CATALINA_PID=/var/run/tomcat.pid
>>>>>>> Environment=JAVA_HOME=/usr/java/jdk1.8.0_92
>>>>>>> Environment=CATALINA_HOME=/opt/tomcat/apache-tomcat-8.0.35
>>>>>>> Environment=CATALINA_BASE=/opt/tomcat/apache-tomcat-8.0.35
>>>>>>> Environment=CATALINA_OPTS=
>>>>>>>
>>>>>>> ExecStart=/opt/tomcat/apache-tomcat-8.0.35/bin/jsvc \
>>>>>>>     -Dcatalina.home=${CATALINA_HOME} \
>>>>>>>     -Dcatalina.base=${CATALINA_BASE} \
>>>>>>>     -cp ${CATALINA_HOME}/bin/commons-daemon.jar:${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
>>>>>>>     -user tomcat \
>>>>>>>     -java-home ${JAVA_HOME} \
>>>>>>>     -pidfile /var/run/tomcat.pid \
>>>>>>>     -errfile SYSLOG \
>>>>>>>     -outfile SYSLOG \
>>>>>>>     $CATALINA_OPTS \
>>>>>>>     org.apache.catalina.startup.Bootstrap
>>>>>>>
>>>>>>> ExecStop=/opt/tomcat/bin/jsvc \
>>>>>>>     -pidfile /var/run/tomcat.pid \
>>>>>>>     -stop \
>>>>>>>     org.apache.catalina.startup.Bootstrap
>>>>>>>
>>>>>>> [Install]
>>>>>>> WantedBy=multi-user.target
>>>>>>>
>>>>>>> I set up JSVC as well just like how the article
>>>>>>> suggested, but when I run systemctl start tomcat and I
>>>>>>> try to browse to https://IP Address:8443 (I am using
>>>>>>> SSL on Tomcat), I get the following errors in the
>>>>>>> web browser:
>>>>>>>
>>>>>>> http://pastebin.com/8RANM5NF
>>>>>>>
>>>>>>> Any ideas on what I should do to resolve this issue?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>
>>>>>> Looks like a permissions problem:
>>>>>>
>>>>>> /opt/tomcat/apache-tomcat-8.0.35/work/Catalina/localhost/ROOT/org/apache/jsp/index_jsp.class (Permission denied)
>>>>>>
>>>>>> What are the permissions and ownership (owner, group) for
>>>>>> the files and directories under /opt/tomcat - especially
>>>>>> /opt/tomcat/apache-tomcat-8.0.35?
>>>>>>
>>>>>> . . . just my two cents /mde/
>>>>>>
>>>>> Hello! thank you for your response
>>>>>
>>>>> I checked the permissions for that path: the owner and
>>>>> group for the path is tomcat:tomcat EXCEPT for the
>>>>> index_jsp.class and index_jsp.java, both of which are
>>>>> owned/group by root. So it looks like when the systemd
>>>>> unit is run, the two files are created by root as opposed
>>>>> to by Tomcat. How would I fix this?
>>>>>
>>>>> Thanks!
>>>>>
>>>>
>>>> Hello
>>>>
>>>> I changed the permissions on the two files tomcat:tomcat
>>>> and restarted Tomcat... it took a while, probably close to 10
>>>> minutes for the server to come up but now I can see the
>>>> Tomcat start page.. How come it takes so long for it to start
>>>> up? Any way that I can speed up the process?
>
> Take a thread dump to find out what's going on.
>
> My guess is that the server is waiting for entropy from
> /dev/random
>
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
> Thank you for your response. I installed haveged from the EPEL
> repository. I read that it should fix that issue. I rebooted the
> server a few times and it seems to be coming up much better now.

IMHO, the use of haveged is a terrible idea: it takes /dev/random (theoretically, a reliable source of suitable entropy) and turns it into /dev/urandom (theoretically, an unreliable source of low entropy). This affects the entire system and all processes running on it. So, if haveged is running and you use "openssl genrsa" or "gpg --gen-key", then you get a very poor-quality key.

If you want to hobble Java specifically, you can change the security policy for the JRE to use /dev/urandom. Many distributions already do this for you, possibly to the detriment of your security within Java itself. But it certainly does make things run faster. Much like disconnecting the transmission in your car from its engine will allow the engine to reach a higher RPM in a shorter amount of time.

-chris
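
The reply above mentions pointing the JRE at /dev/urandom. The following shell sketch is an added example, not part of the original message or of Tomcat's own tooling: given a java.security file and a JVM options string, it reports which entropy device that JVM is configured to seed from. The function names and the sample file contents are assumptions made for illustration.

```shell
# Added example: report which entropy device a JVM is configured to seed from.
# Function names and the sample file contents are constructed for illustration.

# A -Djava.security.egd=... JVM option overrides the securerandom.source
# property in the JRE's java.security file, so check the options first.
jvm_entropy_source() {
    sec_file=$1
    jvm_opts=${2:-}
    src=""
    for opt in $jvm_opts; do    # unquoted on purpose: split into options
        case $opt in
            -Djava.security.egd=*) src=${opt#-Djava.security.egd=} ;;
        esac
    done
    if [ -z "$src" ] && [ -r "$sec_file" ]; then
        # The last uncommented assignment in a properties file wins.
        src=$(sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' \
              "$sec_file" | tail -n 1)
    fi
    printf '%s\n' "${src:-unset}"
}

# Classify by device name only; which SecureRandom calls read the device
# depends on the JDK version and the algorithm in use.
classify_entropy_source() {
    case $1 in
        file:/dev/random) echo random ;;
        file:/dev/urandom|file:/dev/./urandom) echo urandom ;;
        unset) echo jdk-default ;;
        *) echo other ;;
    esac
}

# Constructed excerpt of a java.security file (not taken from the thread).
sample_java_security() {
    cat <<'EOF'
# Select the source of seed data for SecureRandom.
#securerandom.source=file:/dev/urandom
securerandom.source=file:/dev/random
EOF
}

tmp=$(mktemp)
sample_java_security > "$tmp"
for opts in "" "-Xmx512m -Djava.security.egd=file:/dev/./urandom"; do
    s=$(jvm_entropy_source "$tmp" "$opts")
    printf 'opts=[%s] source=%s (%s)\n' "$opts" "$s" "$(classify_entropy_source "$s")"
done
rm -f "$tmp"
```

On a real host, pass the path of the JRE's own java.security file and the contents of CATALINA_OPTS or JAVA_OPTS in place of the constructed sample.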