Posted to users@tomcat.apache.org by Leo Donahue - RDSA IT <Le...@mail.maricopa.gov> on 2013/02/25 18:38:23 UTC

JAVA_OPTS catalina.bat vs tomcat7w.exe

If I've asked this question before, my apologies.

What is the difference between setting JAVA_OPTS in catalina.bat vs using tomcat7w.exe with -D options in the Java tab if you installed Tomcat as a Windows service?

Leo


Re: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
On Mon, Feb 25, 2013 at 3:08 PM, Howard W. Smith, Jr. <smithh032772@gmail.com> wrote:

>
> can you please clarify 'the server is open to abuse from pretty much
> anyone who can reach it'? can you refer to me a blog or an article that
> discusses app abuse via jmx? i have hardware firewall in place and the jmx
> port is not open/available at the hardware firewall level. I usually login
> remotely to production server, and open Java visual VM to check status of
> the app (via JMX).
>
>
>
I just searched google for:

tomcat jmx abuse attack

and I see a lot of search results mentioning 'jboss', but found a document
(that mentions tomcat, too) [1] that I could skim/read for now. Thanks.

[1] [PDF] Abusing Jboss <https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&ved=0CGwQFjAG&url=https%3A%2F%2Fwww.trustwave.com%2Fdownloads%2Fspiderlabs%2FTrustwave-SpiderLabs-Abusing-Jboss-Papathanasiou.pdf&ei=7sQrUafYJsHvqAHwrYHQBQ&usg=AFQjCNFMm__avVjkVr5Rl6NQrfCbXOQmMg&sig2=aJBWyp4u7G8Rfq4eIgaRZA&bvm=bv.42768644,d.b2I>

RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by Leo Donahue - RDSA IT <Le...@mail.maricopa.gov>.
>-----Original Message-----
>From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
>Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
>Chuck, I have similar settings, and so far, so good (no abuse/attack), and I
>recently re-added jmx settings in tomcat7w.exe for my app...just to routinely
>check performance and/or memory-used by the app, while running on
>production server.
>
>can you please clarify 'the server is open to abuse from pretty much anyone
>who can reach it'? can you refer to me a blog or an article that discusses app
>abuse via jmx? 

http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
On Feb 25, 2013 5:41 PM, "Caldarale, Charles R" <Ch...@unisys.com> wrote:
>
> > From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> > Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
> > can you please clarify 'the server is open to abuse from pretty much
> > anyone who can reach it'?
>
> The key phrase is "anyone who can reach it".  If everyone within your
> firewall is fully trusted, then don't worry about it.  If not everyone is
> fully trusted, then your current settings allow those persons to make
> arbitrary changes to the configuration of Tomcat and your webapps with
> rather limited tracking of who did what.  The MBeans exposed by the JMX
> interface are not just viewable, they are modifiable by anyone with access.
>
>  - Chuck

Understood, thanks.

> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail and
its attachments from all computers.

RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com] 
> Subject: Re: JAVA_OPTS catalina.bat vs tomcat7w.exe

> can you please clarify 'the server is open to abuse from pretty much anyone
> who can reach it'?

The key phrase is "anyone who can reach it".  If everyone within your firewall is fully trusted, then don't worry about it.  If not everyone is fully trusted, then your current settings allow those persons to make arbitrary changes to the configuration of Tomcat and your webapps with rather limited tracking of who did what.  The MBeans exposed by the JMX interface are not just viewable, they are modifiable by anyone with access.

 - Chuck




Re: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
On Mon, Feb 25, 2013 at 2:42 PM, Caldarale, Charles R <Chuck.Caldarale@unisys.com> wrote:

> > From: Leo Donahue - RDSA IT [mailto:LeoDonahue@mail.maricopa.gov]
> > Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
> > -Dcom.sun.management.jmxremote=true
> > -Dcom.sun.management.jmxremote.port=9090
> > -Dcom.sun.management.jmxremote.ssl=false
> > -Dcom.sun.management.jmxremote.authenticate=false
>
> Since you have JMX enabled without authentication, the server is open to
> abuse from pretty much anyone who can reach it.
>
>
Chuck, I have similar settings, and so far, so good (no abuse/attack), and
I recently re-added jmx settings in tomcat7w.exe for my app...just to
routinely check performance and/or memory-used by the app, while running on
production server.

can you please clarify 'the server is open to abuse from pretty much anyone
who can reach it'? can you refer to me a blog or an article that discusses
app abuse via jmx? i have hardware firewall in place and the jmx port is
not open/available at the hardware firewall level. I usually login remotely
to production server, and open Java visual VM to check status of the app
(via JMX).


>  - Chuck

RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Leo Donahue - RDSA IT [mailto:LeoDonahue@mail.maricopa.gov] 
> Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

> If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe 
> to set the options, are these wrong?

> -Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
> -Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
> -Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
> -Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=9090
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=false
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
> -XX:PermSize=128m
> -XX:MaxPermSize=384m

> Initial memory pool:  256MB
> Maximum memory pool: 512MB

The settings are not unreasonable, but whether or not they're appropriate for your environment, only someone familiar with that environment can say.  Since you have JMX enabled without authentication, the server is open to abuse from pretty much anyone who can reach it.  Proper heap settings are entirely dependent on the webapps being run.

 - Chuck




RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by Leo Donahue - RDSA IT <Le...@mail.maricopa.gov>.

>-----Original Message-----
>From: Leo Donahue - RDSA IT [mailto:LeoDonahue@mail.maricopa.gov]
>Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
>If running Tomcat 7.0.37 as a windows service, and using the tomcat7w.exe to
>set the options, are these wrong?
>
>Java Options:
>-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
>-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
>-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
>-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
>-Dcom.sun.management.jmxremote=true
>-Dcom.sun.management.jmxremote.port=9090
>-Dcom.sun.management.jmxremote.ssl=false
>-Dcom.sun.management.jmxremote.authenticate=false
>-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
>-Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m

Wrong.

Just remove -Djava.opts=

Should be:

-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-XX:PermSize=128m
-XX:MaxPermSize=384m



RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by Leo Donahue - RDSA IT <Le...@mail.maricopa.gov>.
>-----Original Message-----
>From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
>Subject: RE: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
>> From: Leo Donahue - RDSA IT [mailto:LeoDonahue@mail.maricopa.gov]
>> Subject: JAVA_OPTS catalina.bat vs tomcat7w.exe
>
>> What is the difference between setting Java_OPTS in catalina.bat vs
>> using the tomcat7w.exe with -D options in the Java Tab if you
>> installed Tomcat as a windows service?
>
>The latter is useful, the former isn't.  Services do not use environment
>variables.
>
> - Chuck

If running Tomcat 7.0.37 as a Windows service, and using tomcat7w.exe to set the options, are these wrong?

Java Options:
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m

Initial memory pool:  256MB
Maximum memory pool: 512MB

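The option list above carries both problems the thread identifies: the -Djava.opts= wrapper that Leo's follow-up corrects, and the JMX agent running with authenticate=false and ssl=false that Chuck warns about. As an added example (not code from the thread or from Tomcat), the Python script below takes that list in the one-option-per-line form the tomcat7w.exe Java Options box stores, reports both issues, and emits a corrected list. The jmxremote.password.file and jmxremote.access.file paths it appends are placeholders chosen here; the property names themselves are the ones documented in the Oracle agent guide linked earlier in the thread.

```python
"""Audit a tomcat7w.exe "Java Options" list for the two problems raised in this
thread: JVM flags wrapped in -Djava.opts=, and a JMX remote agent that accepts
unauthenticated, unencrypted connections. Added example; not Tomcat code."""

JMX = "com.sun.management.jmxremote"

# Constructed copy of the option list posted in the thread, one option per
# line as the tomcat7w.exe Java Options box stores them.
POSTED_OPTIONS = r"""
-Dcatalina.base=C:\ApacheTomcat\apache-tomcat-7.0.37
-Dcatalina.home=C:\ApacheTomcat\apache-tomcat-7.0.37
-Djava.endorsed.dirs=C:\ApacheTomcat\apache-tomcat-7.0.37\endorsed
-Djava.io.tmpdir=C:\ApacheTomcat\apache-tomcat-7.0.37\temp
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ApacheTomcat\apache-tomcat-7.0.37\conf\logging.properties
-Djava.opts=-XX:PermSize=128m -XX:MaxPermSize=384m
"""


def parse_options(text):
    """One option per non-blank line; a line with spaces is still one entry."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def system_properties(options):
    """Map every -Dkey=value entry to {key: value}; a bare -Dkey gets ''."""
    props = {}
    for opt in options:
        if opt.startswith("-D"):
            key, _, value = opt[2:].partition("=")
            props[key] = value
    return props


def misplaced_jvm_flags(options):
    """(entry, flags) for each -Djava.opts=... line.

    -Djava.opts= merely defines a system property called 'java.opts'; the -XX
    flags inside it are never seen by the JVM as flags, so the PermGen sizing
    silently does nothing. Each flag has to be its own line.
    """
    prefix = "-Djava.opts="
    return [(opt, opt[len(prefix):].split()) for opt in options if opt.startswith(prefix)]


def audit_jmx(props):
    """Findings about the remote JMX agent, judged from the system properties.

    Both authenticate and ssl default to true in the JDK agent, so only an
    explicit 'false' is a downgrade.
    """
    findings = []
    if not props.get(f"{JMX}.port"):
        return findings  # no fixed-port remote agent configured
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        findings.append("jmxremote.authenticate=false: anyone who can reach the "
                        "port can read and modify every MBean, with no record of who")
    elif not props.get(f"{JMX}.password.file"):
        findings.append("no jmxremote.password.file: the agent falls back to the "
                        "JRE's lib/management/jmxremote.password")
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        findings.append("jmxremote.ssl=false: credentials and MBean traffic cross "
                        "the network in clear text")
    return findings


def harden(options, password_file, access_file):
    """Corrected copy of the list: flags unwrapped, auth and SSL on, role files set.

    password_file / access_file are paths the operator chooses (placeholders
    here); ssl=true additionally needs a keystore via javax.net.ssl.keyStore
    and javax.net.ssl.keyStorePassword, which are left to the operator.
    """
    fixed = []
    for opt in options:
        if opt.startswith("-Djava.opts="):
            fixed.extend(opt[len("-Djava.opts="):].split())
        elif opt.startswith(f"-D{JMX}.ssl="):
            fixed.append(f"-D{JMX}.ssl=true")
        elif opt.startswith(f"-D{JMX}.authenticate="):
            fixed.append(f"-D{JMX}.authenticate=true")
        else:
            fixed.append(opt)
    if system_properties(fixed).get(f"{JMX}.port"):
        fixed.append(f"-D{JMX}.password.file={password_file}")
        fixed.append(f"-D{JMX}.access.file={access_file}")
    return fixed


if __name__ == "__main__":
    opts = parse_options(POSTED_OPTIONS)
    for entry, flags in misplaced_jvm_flags(opts):
        print(f"WRONG  {entry}\n       split into: {' '.join(flags)}")
    for finding in audit_jmx(system_properties(opts)):
        print(f"RISK   {finding}")
    print("\nCorrected Java Options:")
    print("\n".join(harden(opts, r"C:\ApacheTomcat\conf\jmxremote.password",
                               r"C:\ApacheTomcat\conf\jmxremote.access")))
```

The access file is where the VisualVM-style monitoring use Howard describes gets its least privilege: a role listed there as readonly can watch heap and thread MBeans but cannot invoke operations or set attributes, which is exactly the distinction Chuck draws between MBeans being viewable and being modifiable.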


RE: JAVA_OPTS catalina.bat vs tomcat7w.exe

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Leo Donahue - RDSA IT [mailto:LeoDonahue@mail.maricopa.gov] 
> Subject: JAVA_OPTS catalina.bat vs tomcat7w.exe

> What is the difference between setting Java_OPTS in catalina.bat vs using 
> the tomcat7w.exe with -D options in the Java Tab if you installed Tomcat 
> as a windows service?

The latter is useful, the former isn't.  Services do not use environment variables.

 - Chuck

