From: Edward Siewick
To: Tomcat Users List
Date: Mon, 3 Jun 2013 13:48:17 -0500
Subject: RE: Tomcat7 and SPNEGO configuration questions

Felix & Friends,

I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.

On the progress, here's some detail for the listserv archive.

A first issue was how I was trying to get the CATALINA_OPTS set, so I should start with a "Thank you" for nudging me on the CATALINA_OPTS bit. I had tried to add CATALINA_OPTS to the init.d script, which apparently was getting over-written later in the Tomcat7 startup sequence. To correct, I simply added "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true" to the bin/setenv.sh, vice the init.d script. After this, debug=true appeared properly in the resulting process, below.

ps ajx | grep tomc
27474 29541 29541 27446 pts/3 29541 S+ 0 0:00 tail -f /var/log/tomcat7/catalina.out
1 29585 29571 27391 pts/0 29626 Sl 0 0:36 /usr/java/jre1.6.0_39/bin/java
  -Djava.util.logging.config.file=/usr/share/tomcat7c/conf/logging.properties
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
  -Xmx512m -XX:MaxPermSize=256m -XX:PermSize=256m
  -Dsun.security.krb5.debug=true
  -Dsun.security.jgss.debug=true
  -Djava.endorsed.dirs=/usr/share/tomcat7c/endorsed
  -classpath /usr/share/tomcat7c/bin/bootstrap.jar:/usr/share/tomcat7c/bin/tomcat-juli.jar
  -Dcatalina.base=/usr/share/tomcat7c
  -Dcatalina.home=/usr/share/tomcat7c
  -Djava.io.tmpdir=/usr/share/tomcat7c/temp
  org.apache.catalina.startup.Bootstrap start

This changed the error logging, adding a clue that smelled like a crypto module limitation:

Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM

The trace was:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>> KeyTab: load() entry length: 98; type: 18
Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in /usr/share/tomcat7c/conf/tomcat7.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user

In http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html I found:

"NOTE: The JCE framework within JDK includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applications. Such restrictions are specified in "jurisdiction policy files". The jurisdiction policy files bundled in Java SE limits the maximum key length. Hence, in order to use AES256 encryption type, you will need to install the JCE crypto policy with the unlimited version to allow AES with 256-bit key."

So, the second issue pertained to cryptography limitations set in /usr/java/jre1.6.0_39/lib/security/. The tomcat7.keytab was created only with "aes256-cts-hmac-sha1-96" and the /etc/krb5.conf has a likewise limited suite. The fix was to download Oracle's jce_policy-6.zip, unzip it, and copy the "unlimited" versions of local_policy.jar and US_export_policy.jar into /usr/java/jre1.6.0_39/lib/security/.

After the jce_policy-6.zip *.jar files were in place, I got:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>> KeyTab: load() entry length: 98; type: 18
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
  sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
  suSec is 37310
  error code is 25
  error Message is Additional pre-authentication required
  realm is OPENIDMDEV.COM
  sname is krbtgt/OPENIDMDEV.COM
  eData provided.
  msgType is 30
>>>Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 18
  PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
  PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
  sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
  suSec is 209191
  error code is 52
  error Message is Response too big for UDP, retry with TCP
  realm is OPENIDMDEV.COM
  sname is krbtgt/OPENIDMDEV.COM
  msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
  sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
  suSec is 608182
  error code is 25
  error Message is Additional pre-authentication required
  realm is OPENIDMDEV.COM
  sname is krbtgt/OPENIDMDEV.COM
  eData provided.
  msgType is 30
>>>Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 18
  PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
  PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
  sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
  suSec is 614041
  error code is 52
  error Message is Response too big for UDP, retry with TCP
  realm is OPENIDMDEV.COM
  sname is krbtgt/OPENIDMDEV.COM
  msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
  sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
  suSec is 589895
  error code is 25
  error Message is Additional pre-authentication required
  realm is OPENIDMDEV.COM
  sname is krbtgt/OPENIDMDEV.COM
  eData provided.
  msgType is 30
>>>Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 18
  PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
  PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
  sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
  suSec is 595755
  error code is 52
  error Message is Response too big for UDP, retry with TCP
  realm is OPENIDMDEV.COM
  sname is krbtgt/OPENIDMDEV.COM
  msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

--
________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Sunday, June 02, 2013 12:20 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Hi Edward,

a few more questions:

* What is your CATALINA_BASE and what CATALINA_HOME?
* Have you verified that your options (set by your JAVA_OPTS) are really used by your tomcat installation?

Greetings
Felix

On 31.05.2013 17:17, Edward Siewick wrote:
> Hi.
>
> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting. I've got something messed up, and I'm looking for guidance on what to check.
>
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.
>