Posted to users@tomcat.apache.org by "Sharma, Siddharth" <Si...@Staples.com> on 2006/06/16 03:29:52 UTC

Apache with Tomcat and session affinity problem

I have IBM HttpServer 2.0 (it is an apache essentially) fronting two 
tomcat instances (version 5.5.16) using mod_jk over ajp13. 
I have configured a load balancer worker to spray load across two workers
representing these two tomcat instances. 
And it works. 
The problem is I do not see a session id cookie in the response, so I am not
sure if it is maintaining session affinity. 
I have configured the load balancer worker for session affinity with this
directive in worker.properties: 
worker.lb_worker.sticky_session=True 

What am I missing? 
What is the exact name of the cookie that mod_jk injects?

I apologize if this is not the right mailing list for connector questions
and will appreciate if someone could point me to it.

Thanks in advance
-Sidd 



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat SSL, how to set up with clientAuth="true".

Posted by fr...@netscape.net.
Hi,
Sorry I made a mistake with the file name: 
truststoreFile="d:\tomcat\conf\truststore-itcilo.jks" 
It should be:
truststoreFile="d:\tomcat\conf\truststore-itcilo2.jks" 
 
Now both IE and Netscape have entered the SSL session but they cannot get through. I think the reason is that both IE and Netscape do not recognize the Root Certificate made by openssl. Netscape shows an error of 8182. IE just comes up with a regular blank page.
 
Now I am trying to get my server certified from www.cacert.org. If it is still not working, then I have to spend money to buy certificates.
 
Thanks!
 
Frank Peng.
 


Tomcat SSL, how to set up with clientAuth="true".

Posted by fr...@netscape.net.
Hi, List!
 
I have set up an SSL connection for my Tomcat 5.5.17 to a database connection using SSL. 
In my CATALINA_OPTS, there are some parameters to define where the store files are. It is like this:
-Djavax.net.ssl.keyStore=<the keystore file>
-Djavax.net.ssl.keyStorePassword=<the password>
 
The JDBC driver works fine with the database in SSL.
 
Also I have set up a one-way https. So I have another keystore file in /tomcat/conf/server-keystore2.jks
 
in my server.xml I set up like this:
 
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:\tomcat\conf\server-keystore2.jks"
keystorePass="changeit"
URIEncoding="utf-8" />
 
It worked when I hit https://breakevilaxis.org
 
Then I finished all steps made by marc in the following link without any error message,
 
http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2
 
Now the server.xml is like this.
 
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
truststoreFile="d:\tomcat\conf\truststore-itcilo.jks" 
truststorePass="changeit" 
keystoreFile="d:\tomcat\conf\server-keystore2.jks"
keystorePass="changeit"
URIEncoding="utf-8" />
 
Also I made an entry in the tomcat-user.xml
<user username="Frank Peng" password="tomcat" roles="tomcat"/>
This is the Common Name I used when I created the client's certificate with openssl.
 
When I import the santiago.p12 file into both IE and Netscape, both say it was successful.
But in IE, the Certificate Information says, "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered."
 
I also followed step 4 and deleted the TRUSTED word and saved ca.pem as ca.crt and imported it into the browser's root certificate authorities. There is nothing wrong with this. 
 
Now, when I hit https://breakevilaxis.org, it comes up with the regular blank page.
 
"The page cannot be displayed"
 
On Netscape, it says the connection was refused.
When I was creating the santiago.p12 file, I was asked to type an export password. I used this password when I imported the p12 file into Netscape. But I was not asked for this password when I imported this p12 into IE. But both IE and Netscape cannot reach the web site.
 
Locally, when I created the tomcat server keystore, I used 192.168.0.90, which is the server I am running, to be the CN and OU. Then on another computer I typed https://192.168.0.90, and it won't work. It works with http://192.168.0.90. Somebody said the CN and OU must match the domain name you type after the https. But still it did not work.
 
Please help to figure out what is wrong.
 
Frank Peng.

Re: Apache with Tomcat and session affinity problem

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Have you set jvmRoute in your engine element (server.xml)?
This is how mod_jk does session affinity.

filipp



Sharma, Siddharth wrote:
> I have IBM HttpServer 2.0 (it is an apache essentially) fronting two 
> tomcat instances (version 5.5.16) using mod_jk over ajp13. 
> I have configured a load balancer worker to spray load across two workers
> representing these two tomcat instances. 
> And it works. 
> The problem is I do not see a session id cookie in the response, so I am not
> sure if it is maintaining session affinity. 
> I have configured the load balancer worker for session affinity with this
> directive in worker.properties: 
> worker.lb_worker.sticky_session=True 
>
> What am I missing? 
> What is the exact name of the cookie that mod_jk injects?
>
> I apologize if this is not the right mailing list for connector questions
> and will appreciate if someone could point me to it.
>
> Thanks in advance
> -Sidd 


-- 


Filip Hanik
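
An added example illustrating the reply above (not code from the thread or from mod_jk): with sticky sessions, mod_jk routes on the suffix that Tomcat appends to the session ID (JSESSIONID=<id>.<jvmRoute>), so each balanced worker's name has to equal the jvmRoute of the Tomcat behind it. The worker names tomcat1/tomcat2 and the sample files are constructed, and the check assumes the worker name itself is used as the route.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (assumed names, not from the thread).
WORKERS_PROPERTIES = """\
worker.list=lb_worker
worker.lb_worker.type=lb
worker.lb_worker.balance_workers=tomcat1,tomcat2
worker.lb_worker.sticky_session=True
worker.tomcat1.type=ajp13
worker.tomcat2.type=ajp13
"""
SERVER_XML = {
    "tomcat1": '<Server><Service name="Catalina">'
               '<Engine name="Catalina" jvmRoute="tomcat1"/></Service></Server>',
    "tomcat2": '<Server><Service name="Catalina">'
               '<Engine name="Catalina"/></Service></Server>',  # jvmRoute missing
}

def balanced_workers(props_text, lb_name):
    """Names of the workers a load balancer worker distributes to."""
    props = dict(line.split("=", 1) for line in props_text.splitlines()
                 if "=" in line and not line.lstrip().startswith("#"))
    names = props[f"worker.{lb_name}.balance_workers"]
    return [w.strip() for w in names.split(",")]

def jvm_route(server_xml):
    """jvmRoute attribute of the Engine element, or None if it is not set."""
    engine = ET.fromstring(server_xml).find("Service/Engine")
    return engine.get("jvmRoute") if engine is not None else None

def route_from_request(cookie_header="", uri=""):
    """Route suffix of the session ID (cookie or ;jsessionid=), or None."""
    m = (re.search(r"(?:^|;\s*)JSESSIONID=([^;\s]+)", cookie_header)
         or re.search(r";jsessionid=([^;?#]+)", uri))
    if not m or "." not in m.group(1):
        return None  # no suffix: the balancer has nothing to stick to
    return m.group(1).split(".", 1)[1]

def affinity_problems(props_text, lb_name, server_xml_by_worker):
    """(worker, jvmRoute) pairs where the route does not match the worker."""
    return [(w, jvm_route(server_xml_by_worker[w]))
            for w in balanced_workers(props_text, lb_name)
            if jvm_route(server_xml_by_worker[w]) != w]
```

A session ID with no ".route" suffix in the browser's JSESSIONID cookie is the visible symptom of a missing jvmRoute.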
