tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brewer, Edward L" <lee.bre...@Vanderbilt.Edu>
Subject RE: Help with Apache Tomcat/7.0.53 SSL issue
Date Tue, 07 Oct 2014 18:35:31 GMT
To all,


Oh...  Here is the entry in our server.xml  (probably the most important part)

<Connector port="<Omitted>" address="<Omitted>" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="false" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
keyAlias="<omitted>" keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
keystorePass="<omitted>" />

<Connector port="<omitted>" address="<omitted>" protocol="org.apache.coyote.http11.Http11Protocol"
maxthreads="150" scheme="https" SSLEnabled="true" secure="true" clientAuth="want" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
keyAlias="<omitted>" keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
keystorePass="<omitted>" />

Users connect directly to first listed connection.... The second SSL port is not currently
used.

Thanks,
Lee

From: Brewer, Edward L [mailto:lee.brewer@Vanderbilt.Edu]
Sent: Tuesday, October 07, 2014 1:31 PM
To: users@tomcat.apache.org
Subject: Help with Apache Tomcat/7.0.53 SSL issue

To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL.  I am currently
running three environments (Dev, UAT, and Prod. Prod comprises 4 VMs  (uname  states version
as  "2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux" ) with each containing a local version of Java
[ Java(TM) SE Runtime Environment (build 1.7.0_55-b13)  Java HotSpot(TM) 64-Bit Server VM
(build 24.55-b03, mixed mode) ]  As well Tomcat and Java are owned by the user running the
app.  The VMs are load balanced over two pair of LTMs (LTM1 balances node 1 and node 2;  LTM2
balances node 3 and node 4).  The test environment is scaled down to just one LTM with two
nodes and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL.... everything went as
planned.  When I deployed into production, I started to get complaints about timeouts to the
service.  After much troubleshooting... we were able to discern, using curl, that in production
the LTM was not getting a response back from the application (using TCPDUMP) intermittently.
  Our LTMs are configured to server as a SSL proxy.  On the VM, TCPDUMP shows that traffic
is being presented to the socket but there is no response.  As far as I can tell the three
environments (TOMCAT and JAVA) are the same.   I find nothing in the logs from both access
and catalina.out.  When I restart the servers the problem goes away for about one hour then
it comes back rapidly.  Using top and sar I do not see any issues with operating system performance.
 Also,  by going done to one node the problem persists.  As well here are the options that
are in setenv.sh

export JAVA_OPTS="$JAVA_OPTS\
-verbosegc\
-Xms256m\
-XX:+DisableExplicitGC\
-Xmx2g"


Here is the error that I see from curl

curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt University
lee.brewer@vanderbilt.edu<mailto:lee.brewer@vanderbilt.edu> | phone 615.343.2802 | it.vanderbilt.edu<http://it.vanderbilt.edu/>
[Vanderbilt IT logo]


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message