Comment: Add a permalink and update some text.

Permalink to this page: https://cwiki.apache.org/confluence/x/gSslBg

Table of Contents

...

Meta

How do I add a question to this page?

...

However, do not add questions without answers to this page. If you have a question about how to do something in Tomcat which has not been addressed yet, ask the tomcat-user list. Once you've figured out how to fix your problem, come back and update the Wiki to allow the rest of us to benefit from what you've learned!

...

Download the source bundle or grab the source files from the Tomcat Git repository (at GitHub).

The docs are in the webapps/docs subdirectory. They are in XML format and get processed into the HTML documentation as part of the Tomcat release.

...

If you're interested in previewing your changes, you will need to follow the directions for building Tomcat yourself. The docs will be generated in the output/build/webapps/docs directory, just as with any normal Tomcat distribution.

Open a Bugzilla enhancement item with the explanation of your enhancements, and attach a git diff or diff -u format of your patch, or create a Pull Request at GitHub. We will evaluate and commit your patch as needed.

Note that the Tomcat web site is updated with every release, so documentation changes will not be visible until the next Tomcat release. It is possible to view documentation for unreleased versions of Tomcat 7, Tomcat 8.5 and Tomcat 6, 9 that is published by ASF Buildbot. See the links on the buildbot page on the Apache Tomcat web site.

...

How to run Tomcat without root privileges?

...

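No Format
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( int argc, char *argv[] ) {
    /* Become root; the binary must be installed set-uid root for this to succeed. */
    if ( setuid( 0 ) != 0 ) perror( "setuid() error" );
    printf( "Starting ${APPLICATION}\n" );
    /* Replace this process with the startup script; the argument list ends with a null pointer. */
    execl( "/bin/sh", "sh", "/path/startupscript", (char *)0 );
    /* Only reached if execl() failed. */
    return 1;
}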

Run the following as root (replacing tmp with whatever you want the startup script to be and replacing XXXXX with whatever group you want to be able to start and stop Tomcat):

...

  • /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
  • /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
  • /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
  • /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

/sbin/iptables-save or /etc/init.d/iptables save

...

  • /sbin/iptables -t nat -A OUTPUT -p tcp -o lo --destination-port 443 -j REDIRECT --to-ports 8443

Also note that if you have existing rules defined in your chains, you will need to make sure that the rules above are not ruled out by another rule when using -A to add them. For example, if you have an existing FORWARD rule that says "-j REJECT", then adding the FORWARD rule after it will have no effect.

...

Rotate catalina.out using logrotate (or similar)

To use a tool like logrotate (http://linuxcommand.org/man_pages/logrotate8.html), you'll want to use the "copytruncate" configuration option. This will copy catalina.out to another file (like catalina.out.[datestamp]) and then truncate catalina.out to zero bytes. There is a major downside to this if catalina.out is seeing a lot of action: some log messages written to the log file during the copy/truncate procedure may be lost.

Rotate catalina.out using rotatelogs or chronolog (or similar)

...

The following excellent article was written by Mladen Turk. He is a Developer and Consultant for JBoss Inc in Europe, where he is responsible for native integration. He is a long-time committer for the Jakarta Tomcat Connectors, Apache Httpd and Apache Portable Runtime projects.

John Turner has an excellent page about Using Apache HTTP with Apache Tomcat. Several different connectors have been built, and some connector projects have been abandoned (so beware of old documentation).

...

Using OpenSSL:

A description of "what SSL is all about anyway":

HowTo SSL Client Authentication with Fallback to FORM Authentication

...

  1. Unzip or untar (be careful to use GNU tar) the file containing the administration web app files (eg. apache-tomcat-5.5.17-admin.zip) to a temporary directory, eg. c:\temp.
  2. Copy c:\temp\apache-tomcat-5.5.17\conf\Catalina\localhost\admin.xml to the directory c:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\Catalina\localhost.
  3. Copy the entire directory tree c:\temp\apache-tomcat-5.5.17\server\webapps\admin to the directory c:\Program Files\Apache Software Foundation\Tomcat 5.5\server\webapps. This is an overlay, so \server\webapps is just pointing you to the \server\webapps, and the admin directory with its contents will be the only thing you see added there.
  4. Add a line to your c:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\tomcat-users.xml file so that you have a user who has admin role. For example, add this line just before the last line (containing </tomcat-users>) of the file:
    • <user username="admin" password="makesomethingup" roles="admin,manager"/>
  5. Restart Tomcat.
  6. Now when you visit http://localhost:8080/admin you should see a page that asks for a user name and password. If you still see the "no longer loaded" error message in your browser, you must either force a full reload of the web page (in Firefox, hold down Shift key while clicking on the Reload button) or just restart your browser completely.

Tomcat 6.0 and later

Development of the Administration web app has ceased, and it is no longer provided for Tomcat 6.0 and later versions.

...

For other parameters, look at the following pages:

If you are running Tomcat as a Windows service, then environment variables and the setenv.bat script have no effect. The relevant settings for the service wrapper application are stored in the Windows registry. They can be edited via the Configuration application (tomcat<N>w.exe). See the "Java" tab in the configuration dialog. The -Xms and -Xmx options are configured in fields named "Initial memory pool" and "Maximum memory pool". Other options can be added to the "Java Options" field as if they were specified on the command line of the java executable.

...

Congratulations. You have created and tested a first web application (traditionally called "mywebapp"), and users can access it via the URL "http://myhost.company.com/mywebapp". You are very proud and satisfied. But now, how do you change the setup so that "mywebapp" gets called when the user enters the URL "http://myhost.company.com"?

The pages and code of your "mywebapp" application currently reside in (CATALINA_BASE)/webapps/mywebapp/. In a standard Tomcat installation, you will notice that under the same directory (CATALINA_BASE)/webapps/, there is a directory called ROOT (the capitals are important, even under Windows). That is the residence of the current Tomcat default application, the one that is called right now when a user calls up "http://myhost.company.com[:port]". The trick is to put your application in its place.

First stop Tomcat.
Then before you replace the current default application, it may be a good idea to make a copy of it somewhere else.
Then delete everything under the ROOT directory, and move everything that was previously under the (CATALINA_BASE)/webapps/mywebapp/ directory to this (CATALINA_BASE)/webapps/ROOT directory. In other words, what was previously .../mywebapp/WEB-INF should now be .../ROOT/WEB-INF (and not .../ROOT/mywebapp/WEB-INF).

...

  • Use a classloader's getResource to get a URL to the properties file and load it into the Properties. The properties file must be located within the webapp classpath (i.e. either WEB-INF/classes/... or in a jar in WEB-INF/lib/).

A challenge is to get the classloader when you are in a static initializer:

...

  • Use a ResourceBundle. See the Java docs for the specifics of how the ResourceBundle class works. Using this method, the properties file must go into the WEB-INF/classes directory or in a jar file contained in the WEB-INF/lib directory.
  • Another way is to use the method getResourceAsStream() from the ServletContext class. This allows you to update the file without having to reload the webapp as required by the first method. Here is an example code snippet, without any error trapping:
No Format
// Assuming you are in a Servlet extending HttpServlet
// This will look for a file called "/more/cowbell.properties" relative
// to your servlet Root Context
InputStream is = getServletContext().getResourceAsStream("/more/cowbell.properties");
Properties  p  = new Properties();
p.load(is);
is.close();

...

4) Serializing / Deserializing

You might want to try serializing the response of 'request.getUserPrincipal()' and deserialize it to an instance of [webapp]MyPrincipal.

How do I get direct access to a Tomcat Realm?

...

  1. I have intentionally omitted proper resource handling. For example, one ought to ensure that qc.close() is always called by using a try { .. } finally { ..} block.

  2. The code contains absolutely no references to com.ibm.mq*.jar.

...

The main thing to know (and the reason why I am writing this, because it took me some hours to find out): How do I know the property names, their meaning, and possible values? Well, there is an excellent manual, called "WebSphere MQ Using Java". It should be easy to find by entering the title into Google. The manual contains a section, called "Administering JMS objects", which describes the objects being configured in JNDI. But the most important part is the subsection on "Properties", which contains all the required details.

How do I use DataSources with Tomcat?

See UsingDataSources

How do I use Hibernate and database connection pooling with Tomcat?

See TomcatHibernate

How do I use DataSourceRealms for authentication and authorization?

See TomcatDataSourceRealms

...

  1. Read the Tomcat FAQ
  2. Read the Tomcat RELEASE NOTES - there is something about Linux in it
  3. First look at the stack traces. I hope a stack trace was produced before the failure aborted the JVM process. After you get a few stack traces, see if a pattern appears. Trace back to source code if needed.
  4. Patch (or unpatch!) the operating system as needed.
  5. Patch (or unpatch!) the JVM (Java Virtual Machine).
  6. Linux Problem? - read the RELEASE NOTES!
  7. Look at commercial vendor support for other servlet engines. Sometimes the problem is universal regardless of servlet engine and may be a JVM/OS/application code issue
  8. Search Google for web pages - maybe someone else had this problem. I'll bet they did.
  9. Search Google news groups
  10. If the JVM is from a commercial vendor, (eg: IBM, HP) check their release notes and news groups
  11. Using a database? Make sure JDBC type 4 drivers are used. Check their release notes.
  12. Tweak JVM memory parameters. Setting memory too high can be as bad as having memory too low. If your memory settings are set too high, Java 1.3 JVMs may freeze while waiting for the entire garbage collection to finish. Also, if the JVM has too much memory, it may be starving other resources on the machine which are needed, which may be causing unforeseen exceptions. In a nutshell, throwing more memory at it doesn't always solve the problem!
  13. Turn off the Java JIT compiler. See the Java Docs on how to do this.

I'm encountering classloader problems when using JNI under Tomcat

...

  • If you have not already done so, begin by creating a new Tomcat context for your application. Navigate to TOMCAT_HOME\conf\Catalina\localhost and create a new file, say, myapp.xml. This will become part of your URL, so to access your app you'll have to type http://localhost:8080/myapp.
  • Enter the following in myapp.xml:
No Format
<Context docBase="c:/workspace/myapp/WebRoot" />
  • This assumes you have a web application containing WEB-INF in c:/workspace/myapp/WebRoot
  • Create two environment variables:
No Format
C:\>set JPDA_ADDRESS=1044
C:\>set JPDA_TRANSPORT=dt_socket
  • Now, you can launch Tomcat with these debug options:
No Format
TOMCAT_HOME\bin\>catalina jpda start
  • Use your IDE to connect to Tomcat through port 1044

See also: FAQ/Developing

How do I debug a Tomcat application when Tomcat is run as a Windows service?

You can debug the tomcat service by editing the service parameters as follows.

  • Launch a command prompt
  • Set the CATALINA_HOME environment variable so that it points to the Tomcat home directory
  • Run the following command:
No Format
%CATALINA_HOME%\bin\tomcat6w.exe //ES//tomcat6
  • Select the Java tab in the properties dialog box,
  • Add the following two lines to the Java Options text box:
No Format
-Xdebug
-Xrunjdwp:transport=dt_socket,address=127.0.0.1:1044,server=y,suspend=n

...

  • Click on "Apply" and close the dialog by clicking on "OK"
  • Restart the Apache Tomcat service
  • Use your IDE to connect to Tomcat through port 1044

For IntelliJ IDEA, choose a remote debug target and set transport to "socket" and mode to "attach", then specify the host (127.0.0.1) and port (1044).

...