Posted to users@tomcat.apache.org by Matthew Herzog <ma...@gmail.com> on 2016/05/05 21:05:01 UTC

Do I need a keystore?

when I run the startup script

/usr/bin/java -Djava.security.egd=file:/dev/./urandom
-Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
-XX:+UseConcMarkSweepGC -classpath
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
-Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start

I see the following error.

SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-bio-8443"]

java.io.FileNotFoundException: /root/.keystore (No such file or directory)
So if I change my ajp config from

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
to

<Connector port="8009" protocol="AJP/1.3" redirectPort="80" />

will I be able to avoid the keystore work? I'm doing a proof of concept so
my cluster will never be exposed to the Internet.

-- 
"I am no Einstein."
-- Albert Einstein

Re: Do I need a keystore?

Posted by Matthew Herzog <ma...@gmail.com>.
Yeah, I'm still *not* running tomcat as root. I ran it as root once to see
if I could tease out any useful error messages, and I probably caused
errors by doing so.

In any case I'll read the docs, and thanks.


On Fri, May 6, 2016 at 12:24 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matthew,
>
> On 5/5/16 9:09 PM, Matthew Herzog wrote:
> > You said, "the http-bio-8443 endpoint is an HTTP connector, not an
> > AJP13 connector."
> >
> > This is confusing to me because all the tutorials I have read don't
> > say anything about commenting out the line in server.xml that
> > reads:
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> Usually tutorials are written to get you started quickly, and don't
> want to explain what's really going on.
>
> Read the documentation for "redirectPort" on this page:
> https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html
> (or this page)
> https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
>
> The redirectPort has meaning, but it's not the meaning you were
> thinking. The real port being used above is 8009. You can set the
> redirect port to 12345 and you will still use port 8009 to connect to
> your AJP connector.
>
> In your case, it appears you are not even using your AJP connector, so
> its configuration is essentially meaningless.
>
> > I had assumed port 8443 was analogous to port 443. Bad assumption
> > on my part.
>
> 8443 is traditionally the port used by non-privileged processes to
> listen for HTTPS requests. That's why you'll likely see a <Connector
> port="8443" SSLEngine="on" secure="true" ... /> somewhere in your
> configuration. In order to use TLS (the modern name for what used to
> be called SSL), you definitely need to have a keystore.
>
> (I suppose you could use NULL authentication and/or key exchange and
> yes, I guess you could use a pre-shared key, but I don't believe
> Tomcat currently supports such setups, and obviously using NULL
> authentication and/or key exchange pretty much means that you aren't
> using encryption, so there's no point in using HTTPS at that point.)
>
> But, really: don't run Tomcat as root. If there's a reason you think
> you should be (or need to be) running Tomcat as root, let us know and
> we'll tell you how to fix that so you don't need to run as root anymore.
>
> Hope that helps,
> -chris
>
> > On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Matthew,
> >
> > On 5/5/16 5:05 PM, Matthew Herzog wrote:
> >>>> when I run the startup script
> >>>>
> >>>> /usr/bin/java -Djava.security.egd=file:/dev/./urandom
> >>>> -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
> >>>> -XX:+UseConcMarkSweepGC -classpath
> >>>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> >>>> -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
> >>>> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
> >>>> -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
> >>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >>>> org.apache.catalina.startup.Bootstrap start
> >>>>
> >>>> I see the following error.
> >>>>
> >>>> SEVERE: Failed to initialize end point associated with
> >>>> ProtocolHandler ["http-bio-8443"]
> >>>>
> >>>> java.io.FileNotFoundException: /root/.keystore (No such file
> >>>> or directory)
> >>>>
> >>>> So if I change my ajp config from
> >>>>
> >>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> >>>> /> to
> >>>>
> >>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="80"
> >>>> />
> >>>>
> >>>> will I be able to avoid the keystore work? I'm doing a proof
> >>>> of concept so my cluster will never be exposed to the
> >>>> Internet.
> >
> > You are confused about a few things:
> >
> > 1. It's never good to run as root. Stop doing that.
> >
> > 2. The "redirectPort" attribute doesn't have any effect on what
> > ports Tomcat binds to.
> >
> > 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
> > connector.
> >
> > 4. If you want to enable TLS, then yes, you will need a keystore.
> >
> > So, if you don't need HTTPS, then disable whatever connector you
> > have that looks kind of like this:
> >
> > <Connector port="443" secure="true" ... />
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
> >
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlcsHHoACgkQ9CaO5/Lv0PBKhQCgsJu9C2UMC96ZGNdP5NB3OwpV
> +qoAnA7gObq81vvSAtQg49aTwjZw7oN6
> =TA7w
> -----END PGP SIGNATURE-----
>
>
>


-- 
"I am no Einstein."
-- Albert Einstein

Re: Do I need a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthew,

On 5/5/16 9:09 PM, Matthew Herzog wrote:
> You said, "the http-bio-8443 endpoint is an HTTP connector, not an
> AJP13 connector."
> 
> This is confusing to me because all the tutorials I have read don't
> say anything about commenting out the line in server.xml that
> reads:
> 
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Usually tutorials are written to get you started quickly, and don't
want to explain what's really going on.

Read the documentation for "redirectPort" on this page:
https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html
(or this page)
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

The redirectPort has meaning, but it's not the meaning you were
thinking. The real port being used above is 8009. You can set the
redirect port to 12345 and you will still use port 8009 to connect to
your AJP connector.

In your case, it appears you are not even using your AJP connector, so
its configuration is essentially meaningless.

> I had assumed port 8443 was analogous to port 443. Bad assumption
> on my part.

8443 is traditionally the port used by non-privileged processes to
listen for HTTPS requests. That's why you'll likely see a <Connector
port="8443" SSLEngine="on" secure="true" ... /> somewhere in your
configuration. In order to use TLS (the modern name for what used to
be called SSL), you definitely need to have a keystore.

(I suppose you could use NULL authentication and/or key exchange and
yes, I guess you could use a pre-shared key, but I don't believe
Tomcat currently supports such setups, and obviously using NULL
authentication and/or key exchange pretty much means that you aren't
using encryption, so there's no point in using HTTPS at that point.)

But, really: don't run Tomcat as root. If there's a reason you think
you should be (or need to be) running Tomcat as root, let us know and
we'll tell you how to fix that so you don't need to run as root anymore.

Hope that helps,
-chris

> On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Matthew,
> 
> On 5/5/16 5:05 PM, Matthew Herzog wrote:
>>>> when I run the startup script
>>>> 
>>>> /usr/bin/java -Djava.security.egd=file:/dev/./urandom 
>>>> -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m 
>>>> -XX:+UseConcMarkSweepGC -classpath 
>>>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
>>>> -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
>>>> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
>>>> -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
>>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>>> org.apache.catalina.startup.Bootstrap start
>>>> 
>>>> I see the following error.
>>>> 
>>>> SEVERE: Failed to initialize end point associated with 
>>>> ProtocolHandler ["http-bio-8443"]
>>>> 
>>>> java.io.FileNotFoundException: /root/.keystore (No such file
>>>> or directory)
>>>>
>>>> So if I change my ajp config from
>>>> 
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>> /> to
>>>> 
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="80"
>>>> />
>>>> 
>>>> will I be able to avoid the keystore work? I'm doing a proof
>>>> of concept so my cluster will never be exposed to the
>>>> Internet.
> 
> You are confused about a few things:
> 
> 1. It's never good to run as root. Stop doing that.
> 
> 2. The "redirectPort" attribute doesn't have any effect on what
> ports Tomcat binds to.
> 
> 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13 
> connector.
> 
> 4. If you want to enable TLS, then yes, you will need a keystore.
> 
> So, if you don't need HTTPS, then disable whatever connector you
> have that looks kind of like this:
> 
> <Connector port="443" secure="true" ... />
> 
> -chris
>> 
>> 
>> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcsHHoACgkQ9CaO5/Lv0PBKhQCgsJu9C2UMC96ZGNdP5NB3OwpV
+qoAnA7gObq81vvSAtQg49aTwjZw7oN6
=TA7w
-----END PGP SIGNATURE-----

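
The points Chris makes in this message and in his first reply (redirectPort is not a port Tomcat binds; the http-bio-8443 endpoint is an HTTP connector with SSLEnabled="true"; a TLS connector needs a keystore; if you don't need HTTPS, disable that connector) can be checked against a server.xml before Tomcat is started. The Python script below is an added example, not code from the thread or from Tomcat. It assumes Tomcat's documented default for keystoreFile, the file .keystore in the home directory of the user running Tomcat (which is why the error named /root/.keystore once Tomcat was started as root), and that a relative keystoreFile resolves against $CATALINA_BASE. The sample connectors, the /usr/share/tomcat base path, and the conf/localhost.jks keystore name and changeit password are constructed for illustration.

```python
"""Audit which ports a Tomcat server.xml actually binds and which connectors need a keystore.

Added example, not code from the thread or from Tomcat. The connectors, paths and
password below are constructed for illustration.
"""
import os
import xml.etree.ElementTree as ET


def server_xml(https_connector=""):
    """Build a constructed server.xml around an optional 8443 connector fragment."""
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    {https_connector}
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


# Stock 8.0 BIO HTTPS connector with no keystoreFile: the shape that produced
# 'http-bio-8443 ... /root/.keystore (No such file or directory)' when run as root.
DEFAULT_KEYSTORE_TLS = (
    '<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"\n'
    '           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" />'
)
# Same connector with an explicit keystore relative to $CATALINA_BASE (constructed names).
EXPLICIT_KEYSTORE_TLS = (
    '<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"\n'
    '           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"\n'
    '           keystoreFile="conf/localhost.jks" keystorePass="changeit" />'
)
# The connector disabled the way the thread recommends: commented out.
DISABLED_TLS = "<!-- " + DEFAULT_KEYSTORE_TLS + " -->"


def _flag(value):
    """Tomcat boolean attribute test; a missing attribute counts as false."""
    return value is not None and value.strip().lower() in ("true", "on", "yes")


def default_keystore(home):
    """Tomcat's documented default keystoreFile: .keystore in the running user's home."""
    return os.path.join(home, ".keystore")


def audit_connectors(xml_text, home, catalina_base):
    """One dict per <Connector>: bound port, protocol, redirectPort and keystore needed.

    redirectPort is reported but never counted as a bound port: it only names the
    port a client is sent to when a webapp demands a confidential transport.
    """
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        tls = _flag(conn.get("SSLEnabled"))
        keystore = None
        if tls:
            keystore = conn.get("keystoreFile") or default_keystore(home)
            if not os.path.isabs(keystore):
                keystore = os.path.join(catalina_base, keystore)  # relative -> $CATALINA_BASE
        redirect = conn.get("redirectPort")
        results.append({
            "port": int(conn.get("port")),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "redirectPort": int(redirect) if redirect else None,
            "tls": tls,
            "keystore": keystore,
        })
    return results


def bound_ports(audit):
    """Ports Tomcat will try to bind: every Connector's port, never its redirectPort."""
    return sorted(entry["port"] for entry in audit)


def keystores_needed(audit):
    """Keystore paths that must exist and be readable before the TLS connectors start."""
    return [entry["keystore"] for entry in audit if entry["tls"]]


def missing_keystores(audit):
    """Subset of keystores_needed() that is absent on this host."""
    return [path for path in keystores_needed(audit) if not os.path.exists(path)]


if __name__ == "__main__":
    for label, fragment in (("stock", DEFAULT_KEYSTORE_TLS),
                            ("explicit keystore", EXPLICIT_KEYSTORE_TLS),
                            ("TLS disabled", DISABLED_TLS)):
        audit = audit_connectors(server_xml(fragment), home="/root",
                                 catalina_base="/usr/share/tomcat")
        print(f"{label}: binds {bound_ports(audit)}, needs {keystores_needed(audit)}")
```

Run it as the account that will actually run Tomcat, against the real server.xml, with home set to that account's home directory: a keystore that exists under /root is no use to a tomcat service user, and missing_keystores() will say so before the SEVERE message does. The AJP connector's redirectPort="8443" shows up only as a redirect target, never as a bound port and never as a keystore requirement, so changing it to 80, as the original question proposed, would not have made the error go away.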


Re: Do I need a keystore?

Posted by Matthew Herzog <ma...@gmail.com>.
Firstly, thanks.

You said, "the http-bio-8443 endpoint is an HTTP connector, not an AJP13
connector."

This is confusing to me because all the tutorials I have read don't say
anything about commenting out the line in server.xml that reads:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

I had assumed port 8443 was analogous to port 443. Bad assumption on my
part.

On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matthew,
>
> On 5/5/16 5:05 PM, Matthew Herzog wrote:
> > when I run the startup script
> >
> > /usr/bin/java -Djava.security.egd=file:/dev/./urandom
> > -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
> > -XX:+UseConcMarkSweepGC -classpath
> > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> > -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
> > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
> > -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
> > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > org.apache.catalina.startup.Bootstrap start
> >
> > I see the following error.
> >
> > SEVERE: Failed to initialize end point associated with
> > ProtocolHandler ["http-bio-8443"]
> >
> > java.io.FileNotFoundException: /root/.keystore (No such file or
> > directory)
> >
> > So if I change my ajp config from
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> > to
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="80" />
> >
> > will I be able to avoid the keystore work? I'm doing a proof of
> > concept so my cluster will never be exposed to the Internet.
>
> You are confused about a few things:
>
> 1. It's never good to run as root. Stop doing that.
>
> 2. The "redirectPort" attribute doesn't have any effect on what ports
> Tomcat binds to.
>
> 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
> connector.
>
> 4. If you want to enable TLS, then yes, you will need a keystore.
>
> So, if you don't need HTTPS, then disable whatever connector you have
> that looks kind of like this:
>
>    <Connector port="443" secure="true" ... />
>
> -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlcruwwACgkQ9CaO5/Lv0PDwTgCgkTa+TGbqw9WX0ttjVPShmKlr
> z24AnRnkDLeXVQcOxNVBU0EdHKxVB+Yw
> =KyZE
> -----END PGP SIGNATURE-----
>
>
>


-- 
"I am no Einstein."
-- Albert Einstein

Re: Do I need a keystore?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthew,

On 5/5/16 5:05 PM, Matthew Herzog wrote:
> when I run the startup script
> 
> /usr/bin/java -Djava.security.egd=file:/dev/./urandom 
> -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m 
> -XX:+UseConcMarkSweepGC -classpath 
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
> -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> org.apache.catalina.startup.Bootstrap start
> 
> I see the following error.
> 
> SEVERE: Failed to initialize end point associated with
> ProtocolHandler ["http-bio-8443"]
> 
> java.io.FileNotFoundException: /root/.keystore (No such file or
> directory)
>
> So if I change my ajp config from
> 
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
> to
> 
> <Connector port="8009" protocol="AJP/1.3" redirectPort="80" />
> 
> will I be able to avoid the keystore work? I'm doing a proof of
> concept so my cluster will never be exposed to the Internet.

You are confused about a few things:

1. It's never good to run as root. Stop doing that.

2. The "redirectPort" attribute doesn't have any effect on what ports
Tomcat binds to.

3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
connector.

4. If you want to enable TLS, then yes, you will need a keystore.

So, if you don't need HTTPS, then disable whatever connector you have
that looks kind of like this:

   <Connector port="443" secure="true" ... />

-chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcruwwACgkQ9CaO5/Lv0PDwTgCgkTa+TGbqw9WX0ttjVPShmKlr
z24AnRnkDLeXVQcOxNVBU0EdHKxVB+Yw
=KyZE
-----END PGP SIGNATURE-----
