Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: neutral (asf.osuosl.org: local policy)
From: "Alla Winter" <alla@cobrasource.com>
To: "'Tomcat Users List'" <users@tomcat.apache.org>
Subject: RE: Please help me to configure TOMCAT with APR connector Thanks.
 Solved
Date: Mon, 9 Oct 2006 14:09:14 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcbrtHU5cECsw5a8Qv+mKT1/QdLCDwAHtVog
In-Reply-To: <20061009150534.43801.qmail@web50609.mail.yahoo.com>
Message-ID: <auto-000087767667@fe.mail.megapathdsl.net>

Mr. Patel,
I was following your advice and I was able to successfully configure TOMCAT
to use APR. I used it with jdk 1.4
Thanks a lot for your help! I really appreciated it.

PS. Now, after this I think I know some of the answers on my questions.  I
may not know the explanation to it, but I just can list the facts, so that
if somebody else have the same issues, they will know what to do.  The
answers follow the questions.

-----Original Message-----
From: Dhaval Patel [mailto:dhaval04@yahoo.com] 
Sent: Monday, October 09, 2006 10:06 AM
To: Tomcat Users List
Subject: Re: Please help me to configure TOMCAT with APR connector Thanks

Hi,

  I would say two things:

(1) Use JDK 1.5 for Tomcat 5.5.x.
(2) Look at
http://mail-archives.apache.org/mod_mbox/tomcat-users/200512.mbox/%3C2005120
1144849.70939.qmail@web50613.mail.yahoo.com%3E

  for how to configure SSL + APR on windows.

  As far as your questions are concerned, someone will able to answer that.
:)

Regards,
D

--- Alla Winter <alla@cobrasource.com> wrote:

> I would appreciate if you would answer on my questions.
> 
> Thanks
> 
>  
> 
>   _____  
> 
> From: Alla Winter [mailto:alla@cobrasource.com] 
> Sent: Friday, October 06, 2006 1:13 PM
> To: users@tomcat.apache.org
> Subject: Please help me to configure TOMCAT with APR connector Thanks
> 
>  
> 
> I am trying to configure TOMCAT 5.5.17  JDK, 1.4.2.12  with APR on Windows
> 2000.  I was able to start this version of tomcat without ssl
configuration
> and my application is working OK with it.
> 
> Here are the steps what I did:
> 
> 1.	I downloaded tcnative-1.dll into c\Cobra\nativeLib  
> 2.	I added a line in startup.bat :    set
> LD_LIBRARY_PATH=c\Cobra\nativeLib  
> 3.	I put the working in production certificate and the key  ( in
> production we currently using APACHE 2 and jk2 connector, I assume that
the
> same certificate format is valid for OppenSSl)  under
> c:/apache-tomcat-5.5.17/conf/
> 4.	I changed the server.xml     (see the attached).
> 
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" SSLEngine="on"
> SSLCertificateFile="c:/apache-tomcat-5.5.17/conf/mycobrasource.crt"
> SSLCertificateKeyFile="c:/apache-tomcat-5.5.17/conf/mycobrasource.key" />
> 
>  
> 
> But due to whatever reason Tomcat is looking for keystore, the error
message
> is "SEVERE: Error initializing endpoint
> 
> java.io.FileNotFoundException: C:\Documents and
> Settings\Alla.COBRASOURCE\.keystore"   
> 
>  
> 
> What I am doing wrong?
> 
>  
> 
> I also would appreciate if you would clarify for me a few things:
> 
> the documentation says
> 
> " APR support requires three main native components to be installed: 
> 
> *         APR library 
> 
> *         JNI wrappers for APR used by Tomcat (libtcnative) 
> 
> *         OpenSSL libraries ""
> 
> And then we are referred to download "compiled .dll which includes OpenSSL
> and APR.", which is tcnative-1.dll
I guess I misunderstood this statement, and tcnative.dll does not include
OpenSSL, the referred site contains the stand alone executable OpenSSL.exe,
which has to be downloaded.
> 
> Does that include JNI wrapper as well?
*****************************************************************

Since it works, it seems that it does
*****************************************************************

> And then it tells "In security conscious production environments, it is
> recommended to use separate shared dlls for OpenSSL, APR, and
> libtcnative-1,"
> 
> Where the binaries for those separate dlls  ( beside openSSL) can be found
?
> Many Windows users do not have C compiler to build it from scratch?
> 
> It is also unclear what exactly instruct TOMCAT to use APR instead of
JSSE?
**********************
 I didn't put OpenSSL.exe in the LD_LIBRARY_PATH , so that is why TOMCAT was
looking for keystore.
****************************
> 
> Also, in the example of server.xml configuration SSLCertificateFile
keyword
> is referring to .crt file.  While we have signed by Thawte  .cer file.  I
> just changed the extension of the file. Is that the same file?

*****************************************************************
Changing the extension worked.
*****************************************************************
> 
> I would greatly appreciate your help.
> 
> Thanks
> s
> 
>  
> 
>  
> 
> > <!-- Example Server Configuration File -->
> <!-- Note that component elements are nested corresponding to their
>      parent-child relationships with each other -->
> 
> <!-- A "Server" is a singleton element that represents the entire JVM,
>      which may contain one or more "Service" instances.  The Server
>      listens for a shutdown command on the indicated port.
> 
>      Note:  A "Server" is not itself a "Container", so you may not
>      define subcomponents such as "Valves" or "Loggers" at this level.
>  -->
> 
> <Server port="8005" shutdown="SHUTDOWN">
> 
>   <!-- Comment these entries out to disable JMX MBeans support used for
the 
>        administration web application -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
/>
>   <Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>   <Listener
className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
> 
>   <!-- Global JNDI resources -->
>   <GlobalNamingResources>
> 
>     <!-- Test entry for demonstration purposes -->
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
> 
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users -->
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved"
>            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>           pathname="conf/tomcat-users.xml" />
> 
>   </GlobalNamingResources>
> 
>   <!-- A "Service" is a collection of one or more "Connectors" that share
>        a single "Container" (and therefore the web applications visible
>        within that Container).  Normally, that Container is an "Engine",
>        but this is not required.
> 
>        Note:  A "Service" is not itself a "Container", so you may not
>        define subcomponents such as "Valves" or "Loggers" at this level.
>    -->
> 
>   <!-- Define the Tomcat Stand-Alone Service -->
>   <Service name="Catalina">
> 
>     <!-- A "Connector" represents an endpoint by which requests are
received
>          and responses are returned.  Each Connector passes requests on to
the
>          associated "Container" (normally an Engine) for processing.
> 
>          By default, a non-SSL HTTP/1.1 Connector is established on port
8080.
>          You can also enable an SSL HTTP/1.1 Connector on port 8443 by
>          following the instructions below and uncommenting the second
Connector
>          entry.  SSL support requires the following steps (see the SSL
Config
>          HOWTO in the Tomcat 5 documentation bundle for more detailed
>          instructions):
>          * If your JDK version 1.3 or prior, download and install JSSE
1.0.2 or
>            later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
>          * Execute:
>              %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
(Windows)
>              $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
(Unix)
>            with a password value of "changeit" for both the certificate
and
>            the keystore itself.
> 
>          By default, DNS lookups are enabled when a web application calls
>          request.getRemoteHost().  This can have an adverse impact on
>          performance, so you can disable it by setting the
>          "enableLookups" attribute to "false".  When DNS lookups are
disabled,
>          request.getRemoteHost() will return the String version of the
>          IP address of the remote client.
>     -->
> 
>     <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>     <Connector port="8080" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>     <!-- Note : To disable connection timeouts, set connectionTimeout
value
>      to 0 -->
> 	
> 	<!-- Note : To use gzip compression you could set the following
properties :
> 	
> 			   compression="on" 
> 			   compressionMinSize="2048" 
> 			   noCompressionUserAgents="gozilla, traviata" 
> 			   compressableMimeType="text/html,text/xml"
> 	-->
> 
>     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
>     
>     <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" 
> SSLEngine="on"
>
SSLCertificateFile="c:/apache-tomcat-5.5.17/conf/mycobrasource.crt"
>
SSLCertificateKeyFile="c:/apache-tomcat-5.5.17/conf/mycobrasource.key"
> 	
> />
>    
> 
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" 
>                enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" />
> 
>     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>     <!-- See proxy documentation for more information about using this.
-->
>     <!--
>     <Connector port="8082" 
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" acceptCount="100"
connectionTimeout="20000"
>                proxyPort="80" disableUploadTimeout="true" />
>     -->
> 
>     <!-- An Engine represents the entry point (within Catalina) that
processes
>          every request.  The Engine implementation for Tomcat stand alone
>          analyzes the HTTP headers included with the request, and passes
them
>          on to the appropriate Host (virtual host). -->
> 
>     <!-- You should set jvmRoute to support load-balancing via AJP ie :
>     <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">

>     --> 
>          
>     <!-- Define the top level container in our container hierarchy -->
>     <Engine name="Catalina" defaultHost="localhost">
> 
>       <!-- The request dumper valve dumps useful debugging information
about
>            the request headers and cookies that were received, and the
response
>            headers and cookies that were sent, for all requests received
by
>            this instance of Tomcat.  If you care only about requests to a
>            particular virtual host, or a particular application, nest this
>            element inside the corresponding <Host> or <Context> entry
instead.
> 
>            For a similar mechanism that is portable to all Servlet 2.4
>            containers, check out the "RequestDumperFilter" Filter in the
>            example application (the source for this filter may be found in
>            "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
> 
>            Request dumping is disabled by default.  Uncomment the
following
>            element to enable it. -->
>       <!--
>       <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
>       -->
> 
>       <!-- Because this Realm is here, an instance will be shared globally
-->
> 
>       <!-- This Realm uses the UserDatabase configured in the global JNDI
>            resources under the key "UserDatabase".  Any edits
>            that are performed against this UserDatabase are immediately
>            available for use by the Realm.  -->
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <!-- Comment out the old realm but leave here for now in case we
>            need to go back quickly -->
>       <!--
>       <Realm className="org.apache.catalina.realm.MemoryRealm" />
>       -->
> 
>       <!-- Replace the above Realm with one of the following to get a
Realm
>            stored in a database and accessed via JDBC -->
> 
>       <!--
>       <Realm  className="org.apache.catalina.realm.JDBCRealm"
>              driverName="org.gjt.mm.mysql.Driver"
>           connectionURL="jdbc:mysql://localhost/authority"
>          connectionName="test" connectionPassword="test"
>               userTable="users" userNameCol="user_name"
userCredCol="user_pass"
>           userRoleTable="user_roles" roleNameCol="role_name" />
>       -->
> 
>       <!--
>       <Realm  className="org.apache.catalina.realm.JDBCRealm"
>              driverName="oracle.jdbc.driver.OracleDriver"
>           connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
>          connectionName="scott" connectionPassword="tiger"
>               userTable="users" userNameCol="user_name"
userCredCol="user_pass"
>           userRoleTable="user_roles" roleNameCol="role_name" />
>       -->
> 
>       <!--
>       <Realm  className="org.apache.catalina.realm.JDBCRealm"
>              driverName="sun.jdbc.odbc.JdbcOdbcDriver"
>           connectionURL="jdbc:odbc:CATALINA"
>               userTable="users" userNameCol="user_name"
userCredCol="user_pass"
>           userRoleTable="user_roles" roleNameCol="role_name" />
>       -->
> 
>       <!-- Define the default virtual host
>            Note: XML Schema validation will not work with Xerces 2.2.
>        -->
>       <Host name="localhost" appBase="webapps"
>        unpackWARs="true" autoDeploy="true"
>        xmlValidation="false" xmlNamespaceAware="false">
> 
>         <!-- Defines a cluster for this node,
>              By defining this element, means that every manager will be
changed.
>              So when running a cluster, only make sure that you have
webapps in there
>              that need to be clustered and remove the other ones.
>              A cluster has the following parameters:
> 
>              className = the fully qualified name of the cluster class
> 
>              clusterName = a descriptive name for your cluster, can be
anything
> 
>              mcastAddr = the multicast address, has to be the same for all
the nodes
> 
>              mcastPort = the multicast port, has to be the same for all
the nodes
>              
>              mcastBindAddress = bind the multicast socket to a specific
address
>              
>              mcastTTL = the multicast TTL if you want to limit your
broadcast
>              
>              mcastSoTimeout = the multicast readtimeout 
> 
>              mcastFrequency = the number of milliseconds in between
sending a "I'm alive"
> heartbeat
> 
>              mcastDropTime = the number a milliseconds before a node is
considered "dead" if no
> heartbeat is received
> 
>              tcpThreadCount = the number of threads to handle incoming
replication requests,
> optimal would be the same amount of threads as nodes 
> 
>              tcpListenAddress = the listen address (bind address) for TCP
cluster request on
> this host, 
>                                 in case of multiple ethernet cards.
>                                 auto means that address becomes
>
InetAddress.getLocalHost().getHostAddress()
> 
>              tcpListenPort = the tcp listen port
> 
>              tcpSelectorTimeout = the timeout (ms) for the
Selector.select() method in case the
> OS
>                                   has a wakup bug in java.nio. Set to 0
for no timeout
> 
>              printToScreen = true means that managers will also print to
std.out
> 
>              expireSessionsOnShutdown = true means that 
> 
>              useDirtyFlag = true means that we only replicate a session
after
> setAttribute,removeAttribute has been called.
>                             false means to replicate the session after
each request.
>                             false means that replication would work for
the following piece of
> code: (only for SimpleTcpReplicationManager)
>                             <%
>                             HashMap map =
(HashMap)session.getAttribute("map");
>                             map.put("key","value");
>                             %>
>              replicationMode = can be either 'pooled', 'synchronous' or
'asynchronous'.
>                                * Pooled means that the replication happens
using several sockets
> in a synchronous way. Ie, the data gets replicated, then the request
return. This is the same as
> the 'synchronous' setting except it uses a pool of sockets, hence it is
multithreaded. This is
> the fastest and safest configuration. To use this, also increase the nr of
tcp threads that you
> have dealing with replication.
>                                * Synchronous means that the thread that
executes the request, is
> also the
>                                thread the replicates the data to the other
nodes, and will not
> return until all
>                                nodes have received the information.
>                                * Asynchronous means that there is a
specific 'sender' thread for
> each cluster node,
>                                so the request thread will queue the
replication request into a
> "smart" queue,
>                                and then return to the client.
>                                The "smart" queue is a queue where when a
session is added to the
> queue, and the same session
>                                already exists in the queue from a previous
request, that session
> will be replaced
>                                in the queue instead of replicating two
requests. This almost
> never happens, unless there is a 
>                                large network delay.
>         -->             
>         <!--
>             When configuring for clustering, you also add in a valve to
catch all the requests
>             coming in, at the end of the request, the session may or may
not be replicated.
>             A session is replicated if and only if all the conditions are
met:
>             1. useDirtyFlag is true or setAttribute or removeAttribute has
been called AND
>             2. a session exists (has been created)
>             3. the request is not trapped by the "filter" attribute
> 
>             The filter attribute is to filter out requests that could not
modify the session,
>             hence we don't replicate the session after the end of this
request.
>             The filter is negative, ie, anything you put in the filter,
you mean to filter out,
>             ie, no replication will be done on requests that match one of
the filters.
>             The filter attribute is delimited by ;, so you can't escape
out ; even if you wanted
> to.
> 
>             filter=".*\.gif;.*\.js;" means that we will not replicate the
session after requests
> with the URI
>             ending with .gif and .js are intercepted.
>             
>             The deployer element can be used to deploy apps cluster wide.
>             Currently the deployment only deploys/undeploys to working
members in the cluster
>             so no WARs are copied upons startup of a broken node.
>             The deployer watches a directory (watchDir) for WAR files when
watchEnabled="true"
>             When a new war file is added the war gets deployed to the
local instance,
>             and then deployed to the other instances in the cluster.
>             When a war file is deleted from the watchDir the war is
undeployed locally 
>             and cluster wide
>         -->
>         
>         <!--
>         <Cluster
className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
>
managerClassName="org.apache.catalina.cluster.session.DeltaManager"
>                  expireSessionsOnShutdown="false"
>                  useDirtyFlag="true"
>                  notifyListenersOnReplication="true">
> 
>             <Membership 
>                 className="org.apache.catalina.cluster.mcast.McastService"
>                 mcastAddr="228.0.0.4"
>                 mcastPort="45564"
>                 mcastFrequency="500"
>                 mcastDropTime="3000"/>
> 
>             <Receiver 
>
className="org.apache.catalina.cluster.tcp.ReplicationListener"
>                 tcpListenAddress="auto"
>                 tcpListenPort="4001"
>                 tcpSelectorTimeout="100"
>                 tcpThreadCount="6"/>
> 
>             <Sender
>
className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
>                 replicationMode="pooled"
>                 ackTimeout="15000"
>                 waitForAck="true"/>
> 
>             <Valve
className="org.apache.catalina.cluster.tcp.ReplicationValve"
>
filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
>                    
>             <Deployer
className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
>                       tempDir="/tmp/war-temp/"
>                       deployDir="/tmp/war-deploy/"
>                       watchDir="/tmp/war-listen/"
>                       watchEnabled="false"/>
>                       
>             <ClusterListener
> className="org.apache.catalina.cluster.session.ClusterSessionListener"/>
>         </Cluster>
>         -->        
> 
> 
> 
>         <!-- Normally, users must authenticate themselves to each web app
>              individually.  Uncomment the following entry if you would
like
>              a user to be authenticated the first time they encounter a
>              resource protected by a security constraint, and then have
that
>              user identity maintained across *all* web applications
contained
>              in this virtual host. -->
>         <!--
>         <Valve className="org.apache.catalina.authenticator.SingleSignOn"
/>
>         -->
> 
>         <!-- Access log processes all requests for this virtual host.  By
>              default, log files are created in the "logs" directory
relative to
>              $CATALINA_HOME.  If you wish, you can specify a different
>              directory with the "directory" attribute.  Specify either a
relative
>              (to $CATALINA_HOME) or absolute path to the desired
directory.
>         -->
>         <!--
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>                  directory="logs"  prefix="localhost_access_log."
suffix=".txt"
>                  pattern="common" resolveHosts="false"/>
>         -->
> 
>         <!-- Access log processes all requests for this virtual host.  By
>              default, log files are created in the "logs" directory
relative to
>              $CATALINA_HOME.  If you wish, you can specify a different
>              directory with the "directory" attribute.  Specify either a
relative
>              (to $CATALINA_HOME) or absolute path to the desired
directory.
>              This access log implementation is optimized for maximum
performance,
>              but is hardcoded to support only the "common" and "combined"
patterns.
>         -->
>         <!--
>         <Valve
className="org.apache.catalina.valves.FastCommonAccessLogValve"
>                  directory="logs"  prefix="localhost_access_log."
suffix=".txt"
>                  pattern="common" resolveHosts="false"/>
>         -->
> 
>       </Host>
> 
>     </Engine>
> 
>   </Service>
> 
> </Server>
> 
> > ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> > ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org