Joseph,

On 7/29/19 13:55, Joseph Dornisch wrote:
>> Joseph,
>> 
>> On 7/25/19 11:53, Joseph Dornisch wrote:
>>> Hello,
>>> 
>>> I have a CRL configured in my tomcat server configuration. If
>>> I update it and want to have Tomcat refresh it, I can log in
>>> to https://127.0.0.1/manager/html and click the "Re-read"
>>> button under "Configuration->Re-read TLS configuration files"
>>> and this causes my CRL to be reread. It works great.
>>> 
>>> However, I have read here, "
>>> https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf"
>>> on page 34 you can do basically the same thing with a command
>>> something like:
>>> https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=reloadSslHostConfigs
>>> 
>>> When I do this, I get back:
>>> 
>>> Error - java.lang.NullPointerException
>>> java.lang.NullPointerException at
>>> org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
>> 
>> What is the port number and bind-address of your protocol handler?
> 
> Is this different than the web server? I directed it to use 443, as
> I am running tomcat https out of 443. I also just specified the
> local machine name. I think I tried a few things here. Is there a
> good way to look up what these should be if they are different than
> how you access tomcat in general?
> 
>> 
>>> Is this command supposed to work in Tomcat 8.5.43? Is there a
>>> different command? Short of this, the only way to force reload
>>> without manual intervention seems to be to log in to the
>>> manager from code, and then execute
>>> https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=<nonce_value_from_established_session>
>> 
>> The URL you have above (if correct) is using the manager to do
>> the same thing using the JMX proxy that you are doing with the
>> manager GUI.
> 
> It's only incorrect in that I changed the 'NONCE' to text for the
> purpose of hopefully making it more readable here. It does work to
> reload the configuration (and specifically reread my CRL files).
> 
>> 
>>> I've seen that I might also write some code that Tomcat itself 
>>> would run periodically to refresh the SSL configuration. Could 
>>> anyone provide any ideas here?
>> 
>> You can do it, but IMO it's better to trigger it externally,
>> assuming that you are already deploying the manager app and the
>> JMX proxy servlet
> 
> Apparently we might have security issues if we run the manager
> application in production so right now I am planning on extending
> the Http11NioProtocol class to periodically refresh as is done in:
> https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted

I would reconsider using manager+JMX. You can lock it down a bit so
that it will e.g. only accept connections from localhost and you can
put a password on it. Your scripts will have to contain that password
but you can make sure those scripts are only readable by e.g. the
Tomcat user and you should be okay.

> Thank you for responding Chris, if you have any additional advice,
> I'd be very happy to read it. (or if anyone else wants to add
> advice, I'd be happy to read that as well).


Please see my reply under the original thread. I think it will help.

- -chris
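Chris's suggestion above (trigger the reload from outside through the manager's JMX proxy, restrict the manager to localhost, and keep the password in a file only the Tomcat user can read) written out as a script. This is an added example, not code from the thread or from Tomcat itself. It assumes the manager application is deployed, that a user with the manager-jmx role exists in tomcat-users.xml, and that the manager's META-INF/context.xml has a RemoteAddrValve allowing only the loopback addresses; the script name reload-tls.sh and the credentials path are illustrative. It also builds the "qry" URL that lists the ProtocolHandler MBeans, which answers the port/bind-address question in the thread: Tomcat registers the handler as Catalina:type=ProtocolHandler,port=<port> and adds address="<addr>" only when the Connector element carries an explicit address attribute, so a name that does not match leaves the proxy with nothing to invoke.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): trigger
# reloadSslHostConfigs through the manager's JMX proxy from a script.
# Assumed (hypothetical) setup: manager app deployed, a manager-jmx user in
# tomcat-users.xml, RemoteAddrValve on the manager allowing only 127.0.0.1/::1.
set -eu

# Percent-encode one string (unreserved characters pass through unchanged).
# Pure POSIX sh: peel one character at a time off the front of the string.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    s=$rest
    case $c in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# JMX ObjectName of a connector's ProtocolHandler. Tomcat names it
# Catalina:type=ProtocolHandler,port=<port> and appends address="<addr>"
# only when the <Connector> has an explicit address attribute. A mismatch
# here is the usual reason the proxy has no MBean to invoke.
protocol_handler_name() {
  port=$1; addr=${2:-}
  if [ -n "$addr" ]; then
    printf 'Catalina:type=ProtocolHandler,port=%s,address="%s"' "$port" "$addr"
  else
    printf 'Catalina:type=ProtocolHandler,port=%s' "$port"
  fi
}

# URL that lists every ProtocolHandler MBean; run it once to learn the
# exact port/address your connector is registered with.
query_url() {
  base=$1
  printf '%s/manager/jmxproxy?qry=%s' "$base" "$(urlencode 'Catalina:type=ProtocolHandler,*')"
}

# URL that invokes reloadSslHostConfigs on one ProtocolHandler.
reload_url() {
  base=$1; port=$2; addr=${3:-}
  printf '%s/manager/jmxproxy?invoke=%s&op=reloadSslHostConfigs' \
    "$base" "$(urlencode "$(protocol_handler_name "$port" "$addr")")"
}

# Write the manager credentials as a curl netrc file readable only by the
# user running this script (umask 077), so the password is neither on a
# command line nor visible in the process list.
write_credfile() {
  file=$1; host=$2; user=$3; pass=$4
  ( umask 077; printf 'machine %s login %s password %s\n' "$host" "$user" "$pass" > "$file" )
}

# Perform the reload. curl reads the password from the netrc file. The
# proxy's reply starts with "OK - " on success and "Error - " otherwise
# (the thread shows the latter form), so the first word decides the result.
trigger_reload() {
  credfile=$1; base=$2; port=$3; addr=${4:-}
  resp=$(curl -sS --netrc-file "$credfile" "$(reload_url "$base" "$port" "$addr")")
  case $resp in
    OK*) printf '%s\n' "$resp"; return 0 ;;
    *)   printf 'reload failed: %s\n' "$resp" >&2; return 1 ;;
  esac
}

# Command-line use (nothing runs when the file is merely sourced):
#   sh reload-tls.sh query  https://localhost
#   sh reload-tls.sh url    https://localhost 8443 127.0.0.1
#   sh reload-tls.sh reload /etc/tomcat/.jmx-netrc https://localhost 8443 127.0.0.1
if [ $# -gt 0 ]; then
  case $1 in
    query)  query_url "$2"; echo ;;
    url)    reload_url "$2" "$3" "${4:-}"; echo ;;
    reload) trigger_reload "$2" "$3" "$4" "${5:-}" ;;
  esac
fi
```

With port 8443 and address 127.0.0.1 the script reproduces the exact URL quoted from the slides; for a connector on 443 with no address attribute, pass only the port. The lock-down Chris describes is two settings on the manager side: give the scripted account only the manager-jmx role (not manager-gui) in tomcat-users.xml, and keep the RemoteAddrValve in the manager's META-INF/context.xml with its loopback-only allow pattern, so the password in the netrc file is only useful from the box itself.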

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
