tomcat-users mailing list archives

From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject RE: Help with Apache Tomcat/7.0.53 SSL issue
Date Wed, 22 Oct 2014 14:51:36 GMT
> -----Original Message-----
> From: Brewer, Edward L [mailto:lee.brewer@Vanderbilt.Edu]
> Sent: Tuesday, October 07, 2014 1:36 PM
> To: Tomcat Users List
> Subject: RE: Help with Apache Tomcat/7.0.53 SSL issue
> 
> To all,
> 
> 
> Oh...  Here is the entry in our server.xml  (probably the most important part)
> 
> <Connector port="<Omitted>" address="<Omitted>" protocol="HTTP/1.1"
> SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
> clientAuth="false"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
> keyAlias="<omitted>"
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
> keystorePass="<omitted>" />
> 
> <Connector port="<omitted>" address="<omitted>"
> protocol="org.apache.coyote.http11.Http11Protocol" maxthreads="150"
> scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
> keyAlias="<omitted>"
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
> keystorePass="<omitted>" />
> 
> Users connect directly to first listed connection.... The second SSL port is not
> currently used.
> 
> Thanks,
> Lee
> 
> From: Brewer, Edward L [mailto:lee.brewer@Vanderbilt.Edu]
> Sent: Tuesday, October 07, 2014 1:31 PM
> To: users@tomcat.apache.org
> Subject: Help with Apache Tomcat/7.0.53 SSL issue
> 
> To all,
> 
> I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with
> SSL.  I am currently running three environments (Dev, UAT, and Prod). Prod
> comprises 4 VMs (uname states the version as "2.6.32-431.11.2.el6.x86_x86_64
> GNU/Linux") with each containing a local version of Java [ Java(TM) SE
> Runtime Environment (build 1.7.0_55-b13)  Java HotSpot(TM) 64-Bit Server
> VM (build 24.55-b03, mixed mode) ].  Also, Tomcat and Java are owned by
> the user running the app.  The VMs are load balanced over two pairs of LTMs
> (LTM1 balances node 1 and node 2; LTM2 balances node 3 and node 4).  The
> test environment is scaled down to just one LTM with two nodes and
> development is just a single VM.
> 
> Now, when I deployed dev and test I did not have any issues with SSL....
> everything went as planned.  When I deployed into production, I started to
> get complaints about timeouts to the service.  After much troubleshooting...
> we were able to discern, using curl, that in production the LTM was not
> getting a response back from the application (using TCPDUMP)
> intermittently.  Our LTMs are configured to serve as an SSL proxy.  On the
> VM, TCPDUMP shows that traffic is being presented to the socket but there
> is no response.  As far as I can tell the three environments (TOMCAT and
> JAVA) are the same.  I find nothing in the logs from both access and
> catalina.out.  When I restart the servers the problem goes away for about
> one hour, then it comes back rapidly.  Using top and sar I do not see any
> issues with operating system performance.  Also, by going down to one node
> the problem persists.  Here are the options that are in setenv.sh:
> 
> # a space is needed before each continuation backslash, otherwise the quoted
> # string joins the options into one token and the JVM rejects it
> export JAVA_OPTS="$JAVA_OPTS \
> -verbosegc \
> -Xms256m \
> -XX:+DisableExplicitGC \
> -Xmx2g"
> 
> 
> Here is the error that I see from curl
> 
> curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
> 
> Help,
> Lee Brewer

Lee, you say you checked the access & catalina logs, but did you check the stdout & stderr logs?

Since the problem goes away for about an hour after you restart, could you be having memory issues?  Those are usually reported in the stderr log.

Is 2g a valid value for -Xmx?  I've always specified it in terms of Megs, that is -Xmx2048m.

Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
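The connectors Lee quoted above only list RC4 and 3DES suites, and the second one spells maxthreads in lower case. The following Python helper is an added example, not code from the thread or from Tomcat; it lints a server.xml for both points, using a constructed sample whose ports, key alias, keystore path and password are placeholders.

```python
"""Lint Tomcat server.xml <Connector> entries for weak TLS cipher suites and
mis-cased attribute names (a helper written for this thread, not Tomcat's own)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two connectors quoted above; ports, key alias,
# keystore path and password are placeholders rather than the original values.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
  scheme="https" secure="true" clientAuth="false"
  ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
  keyAlias="idp" keystoreFile="/path/to/idp.jks" keystorePass="changeit"/>
<Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol" maxthreads="150"
  scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
  ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  keyAlias="idp" keystoreFile="/path/to/idp.jks" keystorePass="changeit"/>
</Service></Server>"""

# Substrings marking a suite as weak: RC4 and MD5 are broken, 3DES has a 64-bit
# block (Sweet32), NULL/EXPORT/anon suites lack confidentiality or authentication.
WEAK_MARKERS = {"RC4": "RC4 stream cipher", "MD5": "MD5-based MAC",
                "3DES": "3DES 64-bit block cipher", "NULL": "NULL cipher",
                "EXPORT": "export-grade key size", "anon": "anonymous key exchange"}

# Tomcat attribute names are case-sensitive: a mis-cased name such as maxthreads is
# not applied, Tomcat only logs a "did not find a matching property" warning at
# startup and the connector keeps the default value.
KNOWN_ATTRS = {"port", "address", "protocol", "SSLEnabled", "maxThreads", "scheme",
               "secure", "clientAuth", "ciphers", "keyAlias", "keystoreFile",
               "keystorePass", "sslProtocol"}


def lint_connectors(xml_text):
    """Return a list of (port, message) findings, one per problem per <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        for attr in conn.attrib:
            fixes = [k for k in KNOWN_ATTRS if k != attr and k.lower() == attr.lower()]
            if fixes:
                findings.append((port, f"attribute '{attr}' is ignored; use '{fixes[0]}'"))
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        for suite in suites:
            for marker, why in WEAK_MARKERS.items():
                if marker in suite:
                    findings.append((port, f"weak suite {suite}: {why}"))
            if "DHE" not in suite:  # matches both DHE_ and ECDHE_ key exchange
                findings.append((port, f"no forward secrecy: {suite}"))
    return findings
```

Run it against a real server.xml with `lint_connectors(open("conf/server.xml").read())`; an empty list means no mis-cased known attribute and no flagged suite.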

