Apache Tomcat Server Administration
by Chris Seddon
Copyright ©2000-9 CRS Enterprises Ltd

1. Introduction to Tomcat
2. Deploying Servlets and JSPs
3. JNDI
4. JDBC
5. Security
6. SSL
7. Web Services
8. Clustering
9. Performance Tuning

1. Introduction to Tomcat

Tomcat Installation
  Install as a service (or daemon)
    use the Windows Installer (.exe) distribution
    or rc scripts on Unix
  Install as standalone
    use the Zip distribution
  Important Environment Variables
    JAVA_HOME
    JAVA_OPTS

Tomcat as a Service
  Use the Service Control Module
    to start and stop the service
  Automatic Startup is recommended
    but you can use Manual for testing

Starting and Stopping Tomcat

Is Tomcat Running?

What Port?
  Use netstat -van
  netstat -vano
    also displays the PID - so you can kill a wayward process

Changing Ports
  Configure ports in server.xml

... Changing Ports
  Look through server.xml for occurrences of 8080

  server.xml:

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector acceptCount="100"
               connectionTimeout="20000"
               disableUploadTimeout="true"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               maxSpareThreads="75"
               maxThreads="150"
               minSpareThreads="25"
               port="8080"
               redirectPort="8443"/>

Default Ports
  admin 8005
    port used to shutdown Tomcat
  http 8080
    normal http traffic
  ssl 8443
    normal https traffic
  AJP 8009
    optimized version of the HTTP protocol used by Apache front end proxy
  proxy 8082
    generic proxy port
    can be used by other web servers

Using Port 8005
  You can shutdown Tomcat
    by sending the SHUTDOWN string to Tomcat
    usually via Telnet
  Only works on the localhost
    might want to change this string

  server.xml:

    <Server port="8005" shutdown="SHUTDOWN">

  server.xml:

    <Server port="8005" shutdown="SomeSecretString">
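
An added example (not part of the original slides): a Python check that reads a server.xml, reports whether the shutdown listener still accepts the default string SHUTDOWN, and verifies that ports stay consistent after a port change (no port claimed twice, every redirectPort backed by a connector). The sample file is constructed from the fragments on these slides plus an assumed AJP connector; the function name and the wording of the findings are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample, assembled from the server.xml fragments on the slides
# plus an AJP connector on the default port the slides list (8009).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector acceptCount="100" connectionTimeout="20000"
               maxThreads="150" port="8080" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return (listeners, findings) for the text of a Tomcat server.xml.

    listeners maps each configured port to a description of what uses it;
    findings is a list of human-readable strings.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        raise ValueError("root element is <%s>, expected <Server>" % root.tag)

    listeners = {}
    findings = []

    def claim(port, what):
        # Record a port and report two components configured on the same one.
        if port in listeners:
            findings.append("port %d is used by both %s and %s"
                            % (port, listeners[port], what))
        else:
            listeners[port] = what

    # The <Server> element carries the shutdown port and the shutdown string.
    port_attr = root.get("port")
    if port_attr is not None:
        claim(int(port_attr), "shutdown listener")
        if root.get("shutdown") == "SHUTDOWN":
            findings.append("shutdown listener on port %s still accepts the "
                            "default string SHUTDOWN" % port_attr)

    connectors = [c for c in root.iter("Connector") if c.get("port")]
    for conn in connectors:
        claim(int(conn.get("port")),
              "%s connector" % conn.get("protocol", "HTTP/1.1"))

    # After a port change, redirectPort must still point at a configured connector.
    for conn in connectors:
        redirect = conn.get("redirectPort")
        if redirect and int(redirect) not in listeners:
            findings.append("connector on port %s redirects to port %s, which "
                            "no connector in this file listens on"
                            % (conn.get("port"), redirect))
    return listeners, findings


if __name__ == "__main__":
    ports, problems = audit_server_xml(SAMPLE_SERVER_XML)
    for port in sorted(ports):
        print(port, ports[port])
    for problem in problems:
        print("FINDING:", problem)
```
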

Manager App
  Control deployments
    start, stop, redeploy, undeploy
  Server Status
    check on running server

Installing the Manager App
  edit tomcat-users.xml
    add manager role
  login to manager app
    http://localhost:8080/manager/html

  tomcat-users.xml:

    <tomcat-users>
      <role rolename="manager"/>
      <user username="tomcat"
            password="tomcat" roles="manager"/>
    </tomcat-users>

Using Other JVMs
  Oracle JRockit
    catalina.bat
      set JAVA_HOME=C:\bea\jrockit90_150_06
      set JAVA_OPTS=-Djrockit.managementserver.port=7091
    jconsole
      works as before
    console
      JRockit specific monitor program
  IBM JDK
    for use on Unix and Linux systems

2. Deploying Servlets and JSPs

HTTP Requests and Responses
  Web browsers and Web servers communicate by using HTTP requests and responses
  The Web browser can request…
    A static resource, such as a fixed HTML page
    A server-side application, such as Java servlet or JSP

  [Figure: Web browser sends an HTTP request to the Web server; the Web server returns an HTTP response]

Creating Web Server Applications
  Java
    Java Servlets
    Java Server Pages (JSPs)
    Typically a combination of both
  Common Gateway Interface (CGI)
    CGI scripts in Perl, C, C++, etc.
  Microsoft technologies
    Active Server Pages (ASPs), using JScript or VBScript
    ASP.NET, using any .NET language (C#, VB.NET, J#, etc.)
  Proprietary APIs, targeted at a specific Web server
    Internet Information Services API (ISAPI)

Servlets and JSPs ...

  [Figure: Servlets and JSPs - creates and returns HTML]

... Servlets and JSPs
  Hosted by a 'servlet container'
    container invokes the servlet or JSP when an HTTP request is received
  Servlets and JSPs often interact with databases
    indirectly using JDBC, iBatis, Hibernate
  Servlets and JSPs can also interact with other components
    Spring beans, EJBs, JMS, Web services

Servlet Architecture

  [Figure: Web Server, Servlet Container and MyServlet, with five numbered steps. Labels: Client request; Servlet engine forwards client request to servlet; Load servlet from local disk or remote web server; Pass request info to servlet; Pass response back to server; Response to client]

  http://www.abc.com:8080/MyServlet?name=john&password=secret

Servlets
  Servlets can be very simple

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class MyServlet extends HttpServlet {
        // HttpServlet dispatches GET requests to the HttpServletRequest/HttpServletResponse overload
        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            // your stuff goes here
        }
    }

Simple Servlet

  HelloServlet.java:

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class HelloServlet extends HttpServlet {
        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter output = response.getWriter();
            output.println("<HTML>");
            output.println("<HEAD><TITLE>Hello</TITLE></HEAD>");
            output.println("<BODY>");
            output.println("<BIG>Hello World</BIG>");
            output.println("</BODY></HTML>");
        }
    }

Servlet Lifecycle

  [Figure: Servlet Engine calling methods on a Servlet Instance]

    void init(ServletConfig config) { ... }
        called only once - when servlet is loaded

    void doGet(ServletRequest request, ServletResponse response) { ... }
    void doPut(ServletRequest request, ServletResponse response) { ... }
        called each time a client request is received

    void destroy() { ... }
        called when servlet is unloaded

Web Applications
  Web application is a collection of
    servlets, JSPs, HTML files, images packaged into a single WAR file

  [Figure: WAR layout]

    /                 HTML, images, scripts, JSPs
      WEB-INF/
        web.xml
        lib/          library JARs
        classes/      servlets

Deployment Descriptor

  web.xml:

    <?xml version='1.0' encoding='UTF-8'?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             id="WebApp_ID" version="2.5">

      <welcome-file-list>
        <welcome-file>index.html</welcome-file>
      </welcome-file-list>

      <servlet>
        <servlet-name>Simple</servlet-name>
        <servlet-class>demos.jee.servlets.SimpleServlet</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>Simple</servlet-name>
        <url-pattern>/MySimpleServlet</url-pattern>
      </servlet-mapping>
    </web-app>

A Simple JSP
  Mixture of Java and HTML

    ...
    <table border=1 align=center>
      <tr>
        <td colspan=4>Powers of Numbers</td>
      </tr>
    <%
      for (i = 1; i <= 30; i++) {
    %>
      <tr>
        <td><%= i %></td>
        <td><%= square(i) %></td>
        <td><%= cube(i) %></td>
        <td><%= quad(i) %></td>
      </tr>
    <% } %>
    </table>
    </body>
    </html>

JSP Page Life Cycle - Overview
  JSPs are translated into servlets by the JSP engine
    static text is translated into out.write() calls
    Java code is copied as-is

  [Figure: JSP -> (Translate page into servlet) -> Servlet .java file -> (Compile servlet source) -> Servlet .class file]

Sun's Recommended Architecture
  Sun recommends a Model/View/Controller pattern
    Servlet = "Controller"
    JSP = "View"
    Bean(s) = "Model"

  [Figure: HTML form, Servlet (C), Bean (M), JSP (V), EJB and JDBC, with five numbered steps. Labels: HTTP request; Create bean(s); Forward to JSP; Access bean(s) in JSP code; HTML returned to browser]

3. JNDI

Naming Service Concepts
  A naming service binds objects to meaningful names
    files are bound to filenames
    IP addresses are bound to computer names
  Many different naming services exist
    each has its own naming convention
      Sun's NIS+
      Domain Naming Service (DNS)
      Lightweight Directory Access Protocol (LDAP)
  JNDI is an interface to naming services
    permits applications to name and locate objects in the naming service
    can use any underlying naming service
      transparent to the Java programmer

What do we use JNDI for?
  Database connections
    defining a data source
  Remoting
    to communicate with a CORBA server
    to create an EJB proxy
  JMS
    to connect to the Messaging Service
  LDAP
    to obtain security and other information from an LDAP server
  Transactions
    to obtain a connection to the Tx Manager

JNDI Architecture
  Applications independent of the services used

  [Figure: layers, top to bottom: Java App; JNDI API; Naming Manager; JNDI SPI; CORBA, RMI, DNS, LDAP]

WebLogic JNDI Architecture
  Each server maintains its own JNDI tree
    trees are independent
    depend on what has been deployed to that server
  Servers in a cluster are synchronized
    JNDI trees are duplicated
    unicast or multicast messages are shared between the servers
      to keep their JNDI trees the same
      by transmitting deltas (changes)
  Viewing the JNDI is helpful in resolving problems with
    database pools
    JMS connections
    EJB deployments

4. JDBC

What is JDBC?
  JDBC is an API for executing SQL statements
  JDBC is
    Java Database Connectivity
    based on Microsoft's ODBC
    single API for all databases
      platform independent
      database vendor independent (Sybase, Oracle, Informix ...)
    fully object oriented
  JDBC drivers written in pure Java
    can be automatically downloaded on a network

JDBC Architecture

  [Figure: Client running a Java Application on the JDBC API, with four driver types between the API and the Database: Type 1 ODBC Bridge, Type 2 Mixed Language, Type 3 Net Bridge (through a Web Server), Type 4 Pure Java]

Two-tier Client/Server
  Local client processing
  Heavy resource usage
  UI and business code mixed
  Replication of effort
  Security implications for untrusted applets

  [Figure: Java code and Driver on one side of a network boundary, DBMS on the other]

Three-tier Client/Server
  Server handles connections, security, load balancing

  [Figure: Java client code, network boundary, Java Application Server with JDBC, network boundary, DBMS]

Driver Types

  Type  Driver                           Comments
  1     JDBC-ODBC bridge                 OK for Windows, but very slow
  2     Java to Native DB Driver         Mixed language and good availability, but native driver must be installed on client
  3     Java to Web Server to DB Driver  Excellent solution when multiple clients. Web Server handles most issues. Client requires no configuration.
  4     Pure Java Driver                 Excellent solution for a small number of clients. Client requires no configuration.

JDBC Type 1 Drivers
  JDBC-ODBC bridge plus ODBC driver:
    JavaSoft bridge product provides JDBC access via ODBC drivers
  Installation
    must be loaded on each client machine that uses this driver
    ODBC code has to be installed
    some associated database client code may require installation
  Performance
    Poor because of the layered drivers
  Availability
    always available but only from JavaSoft
    virtually all databases have ODBC drivers
    only appropriate on Windows platforms

JDBC Type 2 Drivers
  Native-API partly-Java driver
    mixed language
    Java front end drivers interfacing to C/C++ drivers
      some drivers primarily Java
      some drivers primarily C/C++
  Installation
    C/C++ back end drivers must be installed on each client machine
  Performance
    Good because interfacing to efficient C/C++ drivers
  Availability
    many drivers available from various vendors
    most major databases have Type 2 drivers available
    appropriate on Windows/Unix and other platforms

JDBC Type 3 Drivers
  JDBC-Net pure Java driver
    translates JDBC calls into a DBMS independent net protocol
    net protocol translated to a DBMS protocol by a Web Server.
  Web Server able to connect pure Java clients to many different databases
    the most flexible JDBC alternative
    ideal for Internet access
      access through firewalls needs further consideration
  Middleware
    Web Server able to provide additional services

Type 3 Middleware Services
  Middleware for JDBC Type 3 Drivers
    may support connection pooling
    single administrator
    security localised on Web Server
    encryption can be provided between client and Web Server
  Connection Pools
    set up by Web Server before client requests connection
    many clients supported by a few connections
    pool can grow and shrink
    Web Server handles all threading issues
    very efficient

JDBC Type 4 Drivers
  Pure Java Drivers
    converts JDBC calls into the network protocol used by DBMS directly
  Installation
    all driver code can be downloaded on demand
    very flexible
  Performance
    reasonably good
  Availability
    many drivers available in the last 12 months
    most major databases have Type 4 drivers available
    appropriate on Windows/Unix and other platforms

The Need for Connection Pooling
  Connection pools are used to enhance the performance of executing commands on a database
    direct connection to the database strongly discouraged
  Connections are expensive - share connections between users
    maximize bandwidth of each connection
    pre-allocates connections - no waiting
    shares security - only WebLogic needs access to database
    fail-over and load balancing possible in clustered environment
    if all the connections are being used, a new connection is made and is added to the pool
  Users obtain a virtual connection
    acquire late
    release early

Connection Pooling and Data Sources

  [Figure: Application Code, JNDI, DataSource Object, Connection Pool (connection-1 to connection-5), Database]

5. Security

Authentication and Authorization
  Authorization
    what resources can you access?
      use XML descriptors
      embed authorization in Java code
      use vendor specific mechanisms
  Authentication
    who are you?
      username + password
      certificates
  JAAS
    Java Authentication and Authorization Service
      programmatic security

Users and Roles
  Configure users and roles in tomcat-users.xml

  tomcat-users.xml:

    <tomcat-users>
      <role rolename="tomcat"/>
      <role rolename="role1"/>
      <user username="tomcat" password="tomcat" roles="tomcat"/>
      <user username="both" password="tomcat" roles="tomcat,role1"/>
      <user username="role1" password="tomcat" roles="role1"/>
      <role rolename="manager"/>
      <user username="tomcat" password="tomcat" roles="manager"/>
    </tomcat-users>
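
The tomcat-users.xml on this slide and the one on the earlier "Installing the Manager App" slide give every account the password tomcat, including the account that holds the manager role. As an added example (not part of the original slides), this Python check flags accounts whose password equals the username or appears in a short list of common values, marks the ones that hold the manager role, and reports duplicate usernames and roles that were never declared. The sample file is constructed from the slide; the password list, the finding names and the function name are this example's assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the entries shown on the "Users and Roles" slide.
SAMPLE_USERS_XML = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
</tomcat-users>
"""

# Assumption: a deliberately short, illustrative list of common passwords.
WEAK_PASSWORDS = {"tomcat", "admin", "manager", "password"}
# The role the slides grant access to /manager/html.
PRIVILEGED_ROLES = {"manager"}


def audit_users(xml_text):
    """Return a list of (finding, subject) tuples; passwords are never echoed."""
    root = ET.fromstring(xml_text)
    if root.tag != "tomcat-users":
        raise ValueError("root element is <%s>, expected <tomcat-users>" % root.tag)

    declared = {r.get("rolename") for r in root.iter("role")}
    seen = set()
    findings = []

    for user in root.iter("user"):
        name = user.get("username") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}

        # The same username defined twice makes the effective roles ambiguous.
        if name in seen:
            findings.append(("duplicate-user", name))
        seen.add(name)

        if not password:
            findings.append(("empty-password", name))
        elif password == name or password.lower() in WEAK_PASSWORDS:
            privileged = bool(roles & PRIVILEGED_ROLES)
            findings.append(("weak-password-privileged" if privileged
                             else "weak-password", name))

        # Roles used by a user but never declared with a <role> element.
        for role in sorted(roles - declared):
            findings.append(("undeclared-role", "%s:%s" % (name, role)))
    return findings


if __name__ == "__main__":
    for finding, subject in audit_users(SAMPLE_USERS_XML):
        print("%-26s %s" % (finding, subject))
```
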

Tomcat Realms
  Realms Available
    UserDatabaseRealm
      the built in realm
    JDBCRealm
      store users in Oracle, Sybase, DB2 ..
    JNDIRealm
      store users in LDAP, Active Directory ...
    JAASRealm
      store users in customized system
  Realms defined in server.xml

Memory Realm
  Simple Realm
    specified in server.xml
    not for production use

  server.xml:

    <GlobalNamingResources>
      <!-- UserDatabaseRealm to authenticate users -->
      <Resource auth="Container"
                description="User database"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                name="UserDatabase"
                pathname="conf/tomcat-users.xml"
                type="org.apache.catalina.UserDatabase"/>
    </GlobalNamingResources>

JDBC Realm
    More useful Realm
        can be used for production use
        details in online manual

server.xml:

<GlobalNamingResources>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         debug="99"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql:myauthority?user=admin&amp;password=pass"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"/>
</GlobalNamingResources>

How to Secure Entities
    Use JEE Deployment Descriptors
        original way of securing JEE resources (Servlets, JSPs, EJBs)
        specified in XML => embedded in WAR, JAR, EAR file
    Use Programmatic Security
        embed security in Java code
        very flexible
        difficult for Administrators to modify

Protecting Web Applications
    Authorization
        Using Declarative Security:
            define roles that should access the protected resources
            determine Web Application resources that must be protected
            map protected resource to roles that should access them
        Programmatic Security:
            security embedded in Java code
            difficult to maintain, but more flexible
        Roles are vendor independent
            map roles to users/groups in the vendor's security realm
    Authentication
        all security requires an authentication mechanism
        provided by vendor

Authentication - Login Page
    supplied by the Web Server or by the application:
        BASIC        Web browser displays a dialog box
        FORM         uses a custom JSP form with username and password
        CLIENT-CERT  uses client certificates

<login-config>
  <!-- one of BASIC, FORM or CLIENT-CERT -->
  <auth-method>FORM</auth-method>
  <!-- form-login-config is used with FORM only; both paths start with "/" -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/badLogin.jsp</form-error-page>
  </form-login-config>
</login-config>

Form Authentication
    You supply the login page
        JSP, a Servlet, or an HTML page
    must have the fields
        j_username
        j_password
        j_security_check

<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="SUBMIT">
</form>

Authorization - Web Resources
    You can apply security constraints to resources in your Web application
        users must already be authenticated

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Resource</web-resource-name>
    <url-pattern>/sports/*</url-pattern>
    <!-- listing a method limits the constraint to that method:
         only POST requests to /sports/* are restricted here -->
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
    <role-name>Managers</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>Users</role-name>
</security-role>
<security-role>
  <role-name>Managers</role-name>
</security-role>
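A security-constraint that lists http-method elements applies only to the listed methods, so the slide's constraint leaves GET and the other verbs on /sports/* open. The following is an added example, not part of the course material: a Python check that reports, per URL pattern, which methods no auth-constraint covers and which role names are used without a security-role declaration. The second constraint in the sample, the role Admins and the function names are assumptions for illustration; patterns are compared as exact strings only.

```python
import xml.etree.ElementTree as ET

ALL_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed sample: the slide's constraint plus a second one whose role
# is never declared in a <security-role>.
SAMPLE_WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My Resource</web-resource-name>
      <url-pattern>/sports/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Users</role-name>
      <role-name>Managers</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admins</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>Users</role-name></security-role>
  <security-role><role-name>Managers</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace so the check works with or without the JEE xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def audit_web_xml(xml_text):
    """Report uncovered HTTP methods per url-pattern and undeclared roles."""
    root = ET.fromstring(xml_text)
    declared = {r for sr in _children(root, "security-role")
                for r in _texts(sr, "role-name")}
    coverage = {}    # url-pattern -> methods restricted by some auth-constraint
    used_roles = []
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth:
            continue  # no auth-constraint: nothing here restricts the caller
        for ac in auth:
            used_roles.extend(_texts(ac, "role-name"))
        for wrc in _children(sc, "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            # No http-method elements means the constraint covers every method.
            covered = listed or set(ALL_METHODS)
            for pattern in _texts(wrc, "url-pattern"):
                coverage.setdefault(pattern, set()).update(covered)
    uncovered = {p: [m for m in ALL_METHODS if m not in c]
                 for p, c in coverage.items() if not set(ALL_METHODS) <= c}
    undeclared = sorted({r for r in used_roles if r != "*" and r not in declared})
    return {"uncovered": uncovered, "undeclared_roles": undeclared}


if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```

Removing the http-method element from the first constraint makes it apply to every method, which is what the check treats as fully covered.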

Programmatic Authentication
    Generate content based on a user's role
        HttpServletRequest interface defines isUserInRole()
        to determine if the current user is in a specified role.

<% if (request.isUserInRole("Manager")) { %>
  <jsp:include page="managerMenu.jsp"/>
<% } else { %>
  <jsp:include page="basicMenu.jsp"/>
<% } %>

Role Assignment
    Vendor provides role mappings to real users and groups

<security-role-assignment>
  <role-name>Users</role-name>
  <principal-name>employees</principal-name>
</security-role-assignment>

<security-role-assignment>
  <role-name>Managers</role-name>
  <principal-name>zoe</principal-name>
  <principal-name>susan</principal-name>
</security-role-assignment>


6. SSL

SSL
    Symmetric Key Encryption
        one key to encrypt and decrypt
    PKI Encryption
        public and private keys to encrypt and decrypt
    Digital Signatures
        how to authenticate sources
    Digital Certificates
        tamperproof distribution of keys

Conventional Encryption
    Symmetric Key Encryption
        one key encrypts and decrypts
        fast bulk encryption
    [Diagram: plain text -> encrypt -> ciphertext -> decrypt -> plain text]

DES - Data Encryption Standard
    Data Encryption Standard
        adopted 1977 by US Government
        56 bit key
        encryption in 64 bit blocks
    DES came from IBM research project called LUCIFER
        128 bit key
        encryption in 128 bit blocks
    DES uses multiple permutations
        decryption is in reverse order
        resistant to differential cryptanalysis

Decryption by Brute Force
    DES now considered breakable
        fastest computers can crack DES in minutes?
    If 56 bit DES could be decrypted in 10^-6 secs ...
    then longer keys would take:

        76 bit key      1 sec
        82 bit key      1 min
        88 bit key      1 hour
        93 bit key      1 day
        101 bit key     1 year
        111 bit key     1000 years
        121 bit key     1,000,000 years
        128 bit key     150,000,000 years

Public Key Infrastructure
    Public and Private Key Encryption
        two keys to encrypt and decrypt
        slow for bulk encryption
        good for key distribution
    [Diagram: plain text -> encrypt -> ciphertext -> decrypt -> plain text]

PKI - Secrecy
    A sends a secret message to B
        only B can decrypt the message (using B's private key)
        message might have been sent by an imposter
    [Diagram: A encrypts the plain text with B's public key; B decrypts the ciphertext with B's private key]

PKI - Authentication
    A sends an authenticated message to B
        everyone can decrypt the message (using A's public key)
        only A could have sent the message (B decrypts using A's public key)
    [Diagram: A encrypts the plain text with A's private key; B decrypts the ciphertext with A's public key]

PKI - Authentication and Privacy
    A sends a private, authenticated message to B
        only B can decrypt the message (using B's private key)
        only A could have sent the message (B decrypts using A's public key)
    [Diagram: A encrypts with A's private key and B's public key; B decrypts with B's private key and A's public key]

Man in the Middle Attack
    X intercepts B's public key
        substitutes his own public key
    X can now intercept messages from A
        and can hence impersonate A
    [Diagram: X, the Man in the Middle, sits between A and B; key labels shown: A's private key, A's public key, B's private key, B's public key, X's private key, X's public key]

PKI - Key Lengths
    Keys are the product of 2 prime numbers
    Longer keys are required for PKI than symmetric key encryption
        primes become scarce as numbers get large

Digital Certificate
    [Diagram: contents of a Digital Certificate]
        Public Key
        Distinguished Name
        Expiry Date
        Name of Certificate Authority
        Other useful information
        CA's Public Key
        CA's Digital Signature

Certificate Chains
    [Diagram: chain of signed certificates; labels shown: CA's certificate, CA, Certificate for abc.com, Certificate for xyz.com, abc.com, xyz.com, Certificate for Joe, signed]

Digital Signatures ...
    [Diagram: the SENDER applies a one way hash to the Text Message (7483217) and encrypts the hash with the private key (?Tyj^eW); the RECEIVER decrypts it with the public key and compares it with a one way hash of the received Text Message]

Digital Signature
    [Diagram: the Text Message, the Encrypted Hash and the Digital Certificate are sent to the client; the client compares the Hashed Text Message with the Decrypted Hash]
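The Man in the Middle, Digital Certificate and Digital Signature slides fit together as follows: a signature is a hash transformed with the private key, and a certificate is the CA's signature over a name and a public key, which is what exposes a substituted key. This is an added example, not part of the course material. It uses textbook RSA with fixed Mersenne primes and no padding, so it illustrates the checks only and is not usable cryptography; all names are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Textbook RSA key pair from two primes (toy: fixed primes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def digest(data, n):
    """One way hash of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, key):
    """Sender: hash the message, then transform the hash with the private key."""
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(data, signature, pub):
    """Receiver: recover the hash with the public key, compare with a fresh hash."""
    return pow(signature, pub["e"], pub["n"]) == digest(data, pub["n"])


def cert_body(subject, pub):
    """The bytes the CA signs: the subject name bound to the public key."""
    return ("%s|%d|%d" % (subject, pub["n"], pub["e"])).encode()


def issue_cert(subject, pub, issuer_key, issuer_name):
    return {"subject": subject, "pub": pub, "issuer": issuer_name,
            "sig": sign(cert_body(subject, pub), issuer_key)}


def check_cert(cert, ca_pub):
    """Accept a certificate only if the trusted CA's key verifies its signature."""
    return verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], ca_pub)


def demo():
    # Constructed keys: products of known Mersenne primes, far too structured
    # for real use but enough to run the checks offline.
    ca = make_key(2**127 - 1, 2**107 - 1)
    b = make_key(2**89 - 1, 2**61 - 1)
    x = make_key(2**521 - 1, 2**607 - 1)   # the party in the middle

    message = b"constructed sample message"
    signature = sign(message, b)

    genuine = issue_cert("CN=B", public(b), ca, "CN=Toy CA")
    # X swaps his own public key into B's certificate; the CA signature
    # no longer matches the certificate body.
    swapped = dict(genuine, pub=public(x))
    # X signs a certificate for "CN=B" himself; it fails against the CA key.
    self_signed = issue_cert("CN=B", public(x), x, "CN=Toy CA")

    return {
        "signature_ok": verify(message, signature, public(b)),
        "tampered_message_ok": verify(message + b"!", signature, public(b)),
        "genuine_cert_ok": check_cert(genuine, public(ca)),
        "swapped_key_cert_ok": check_cert(swapped, public(ca)),
        "self_signed_cert_ok": check_cert(self_signed, public(ca)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
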

One Way SSL
    Server sends certificate to browser
        checked against trusted CAs
    [Diagram: Tomcat sends its certificate to the browser]

Two Way SSL
    Server sends certificate to browser
        checked against trusted CAs
    Browser sends certificate to server
        checked against authorized users
    [Diagram: Tomcat and the browser each send a certificate to the other]

Configuring SSL on Tomcat
    1. Generate Private Key and Self Certified Certificate
        add to your keystore
    2. Generate a certificate signing request - CSR
        send it to your CA
    3. On receipt, import into your cacerts keystore
        trusted certificates are stored in a different keystore
    4. Import your new certificate
        into your keystore
    5. Update Tomcat configuration
        modify server.xml

Using Sun's Keytool
    Generate Private Key and Certificate

set NAME="CN=localhost, OU=me, O=me, C=UK"

@REM -- create Private Key and Self Signed Certificate
@REM -- note: a 512 bit RSA key is breakable today; use -keysize 2048 or more outside a lab
keytool -genkey -v -alias myPrivateKeyAlias ^
        -keyalg RSA -keysize 512 ^
        -dname %NAME% -keypass myPassword ^
        -validity 365 -keystore myIdentityKeystore.jks ^
        -storepass myPassword

    Generate CSR

set NAME="CN=localhost, OU=me, O=me, C=UK"

@REM -- Generate Certificate Request
keytool -certreq -v -alias myPrivateKeyAlias ^
        -file myCertificateRequest.pem ^
        -keypass myPassword ^
        -storepass myPassword ^
        -keystore myIdentityKeystore.jks

    keys must be the same

Configuring Tomcat
    Uncomment connector section
        from server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/... /myIdentityKeystore.jks"
           keystorePass="myPassword"/>


7. Web Services

Goals of Distributed Services
    Platform independence
        Unix / Windows
    Language independence
        Java, C++, C#, Python, PERL
    Location transparency
        service can move without breaking clients
    Service resiliency
        multiple copies of a service
    Fault tolerance
        clustering

Industry Solutions ...
    CORBA
        Common Object Request Broker Architecture
        high-level architecture for object management
    Problems:
        too complex
        interfaces too rigid
        vendors find it difficult to comply with specification
    [Diagram: Server (Skeleton) and Client (Proxy) communicate through ORBs (location transparency); the server registers its object with the Naming Service]

... Industry Solutions
    Enterprise JavaBeans (EJB)
        easier than CORBA
        RMI-based
        only for Java systems
    DCOM
        Similar to CORBA
        Microsoft only technologies
        Relies heavily on code generation/wizards
        Too complex

The Problem
    Heterogeneity of Systems
        multiple programming languages (Java, C++, VB, Perl, A+)
        multiple operating systems (Solaris, NT, Linux, IRIX)
        multiple transport protocols (HTTP, HTTPS, TCP, MQ)
    We need a distributed computing framework that:
        reduces complexity
        easy to develop with
        allows easy maintenance and distribution of services
    Application services, not just “web services”
        multi-transport support offers option of QoS to clients

The Strategy – SOAP
    Simple Object Access Protocol (SOAP)
        it's SIMPLE!
        messaging protocol
        platform, language and transport neutral
        leverages XML
        flexible
        promotes integration of web services (HTTP) with application services (non-HTTP)

What is a Service?
    [Diagram: SOAP Clients (client processes in C++, C# and Java) send a SOAP Request to the SOAP Server and receive a SOAP Response; the server Runtime hosts Services such as a Derivative Calculator]

The Big Picture
    [Diagram: a Java client process uses a SOAP Client to exchange SOAP Request and SOAP Response messages with the SOAP Server over TCP, HTTP or MQ]

SOAP message format
    Envelope
        Body
            Action

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <CorpDirSearchRequest xmlns="http://saseo1/appmw/corpdir/">
      <Criteria>
        <EmployeeID>60877</EmployeeID>
      </Criteria>
    </CorpDirSearchRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP Envelope: Request

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <RequestID>1234</RequestID>
    <Principal mustUnderstand="1">sterns</Principal>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <CorpDirSearchRequest xmlns="http://saseo1/appmw/corpdir/">
      <Criteria>
        <EmployeeID>60877</EmployeeID>
      </Criteria>
    </CorpDirSearchRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP Envelope: Response

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <RequestID>1234</RequestID>
    <Principal mustUnderstand="1">sterns</Principal>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <CorpDirSearchResponse xmlns="http://saseo1/appmw/corpdir/">
      <Employee>
        <FirstName>Stephen</FirstName>
        <LastName>Stern</LastName>
      </Employee>
    </CorpDirSearchResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP Envelope: Fault

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <RequestID>1234</RequestID>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode>SOAP-ENV:Server</faultcode>
      <faultstring>Could not connect to database</faultstring>
      <faultactor>Slashnservice</faultactor>
      <detail>JDBC Error Code: 989</detail>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Disadvantages of SOAP?
    Verbose XML
        bandwidth problem
    Performance penalty for parsing XML…
        various solutions have been explored
            including Tarari (hardware)
            implementing our own Binary XML


8. Clustering

What is a Cluster?
    A Tomcat Server cluster consists of multiple Tomcat Server instances running simultaneously
        working together to provide increased scalability and reliability
    A cluster appears to clients to be a single Tomcat Server instance
        server instances can run on the same machine or be located on different machines
    You can increase a cluster’s capacity by adding additional server instances to the cluster
    You can have more than one cluster
        front end for Web Apps
        back end for POJOs (Spring) or EJBs (using OpenEJB)

Benefits of Clustering
    Load Balancing
        request can be balanced across servers in a cluster
        several load balancing algorithms are available
    Fail Over
        if one server fails application fails over to another server
    Scalability
        if current configuration has limited throughput you can add extra servers to the cluster
        throughput is almost linearly proportional to number of servers in the cluster

What Components Can Be Clustered?
    Components that can be clustered
        Servlets
        JSPs
        EJBs
        RMI objects
        JMS destinations
        JDBC connections
    These components are usually deployed to all servers in the cluster
        but you can deploy to part of a cluster

Cluster Topology
    Clusters spread across different machines
        LAN, WAN or MAN
        use unicast or multicast to communicate
        can have more than 1 server on a given machine
    [Diagram: a proxy server in front of server1, server2, server3, server4 and an AdminServer, spread across machine1, machine2 and machine3]

Combined Tier
    Presentation and Business tiers combined
    [Diagram: Internet, Firewall, Load Balancer, a row of servers each hosting JSP, Servlet and EJB, Database]

Split Tiers
    Presentation Tier Cluster at front end
    Business Tier Cluster at back end
    [Diagram: Internet, Firewall, Load Balancer, a row of JSP/Servlet servers, a row of EJB servers, Database]

Proxy Front End
    With Presentation and Business tiers combined
    [Diagram: Internet, Firewall, Proxy Server (Apache, IIS), a row of servers each hosting JSP, Servlet and EJB, Database]

Proxy and Split Tiers
    With Split tiers
    [Diagram: Internet, Firewall, Proxy Server (Apache, IIS), a row of JSP/Servlet servers, a row of EJB servers, Database]

Architecture Recommendations
    Place static web content on separate web server in DMZ
        Apache or IIS
    Use combined tier topology
        unless business logic heavily outweighs presentation logic
        simpler configuration
        fewer network hops
    Use hardware load balancers
        much faster
    Proxy using http and not https
        try to avoid https on back end
        slower
        more certificates required


Virtualization

Many customers are considering using Virtualization to
    cut costs
    improve performance

Oracle WebLogic Server Virtual Edition
    allows you to run Oracle WebLogic Server directly on a hypervisor (e.g. VMware ESX) without a standard operating system

Runs on top of LiquidVM
    a light-weight, high-performance virtual machine containing a software layer that directly connects system-level calls from Oracle JRockit JVM
    no general-purpose operating system or other processes are running


9. Performance Tuning


Performance Tuning


Tuning Roadmap

Operating System Tuning
    sockets

Java Virtual Machines
    vendor (Sun, Oracle, IBM)
    GC
    memory

Tomcat Server
    threading
    HttpSessions

DataBase Tuning
    connection pool


JConsole

Monitor Tomcat
    memory, threads, classes, MBeans


JVisualVM ...


... JVisualVM


Profiler Tools

OptimizeIt Java Performance Profiler
    A performance debugging tool for Solaris and NT
    http://www.codework.com/optimize/product.html

Hewlett Packard JMeter
    A Hewlett Packard tool for analyzing profiling information.
    http://jakarta.apache.org/jmeter/

JProbe Profiler with Memory Debugger
    A family of products that provide the capability to detect performance bottlenecks, perform code coverage and other metrics
    http://www.sitraka.com/software/jprobe/

Mercury Interactive's Topaz
    application performance management solution
    http://www-heva.mercuryinteractive.com/products/


JMeter

download from http://jakarta.apache.org/jmeter/


Tuning the O/S

Most important tuning parameters are
    TCP wait_time
    TCP queue size

caused by the operating system’s failure to release old sockets from a close_wait call
can lead to
    connection refused on server-side
    too many open files on server-side
    address in use: connect on the client-side

Solaris
    ndd -set /dev/tcp tcp_conn_req_max_q 16384

Windows
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key:
    MaxUserPort = dword:00004e20 (20,000 decimal)
    TcpTimedWaitDelay = dword:0000001e (30 decimal)


Database

Make sure database is not on the same machine as Tomcat
    database will hog the CPU
    Tomcat tuning will be ineffective

[Diagram: Tomcat Servers and the Database on separate machines (Machine1, Machine2, Machine3)]


Database

Tomcat Server and Databases
    deploy on different machines

Is the Database a bottleneck?
    typically requires 3-4 times as much resources

Exclusive Access
    improves performance considerably
    can't be employed on a cluster


Garbage Collection

Automatic detection and reclaiming of unused heap memory

Advantages
    reduces likelihood of memory leak
    reduces likelihood of crash due to premature freeing of memory
    generally simplifies code

Disadvantages
    performance overhead
    usually deals only with memory, not other resources


How a Garbage Collector Works

Start with a set of "root" references
    perhaps global variables

Determine "live" objects from the root set
    "reachability"

Conservative collector
    may not find all unreachable objects
    may not be able to detect all object references
    may be hard to differentiate between ref and int

[Diagram: Root Set and the objects reachable from it]


Mark and Sweep

More accurate

Trace object graph from root reference
    mark each object as "reachable"

All non marked objects may be collected

More performance overhead
    two or more passes through the heap
    application paused while collector runs

[Diagram: Root Set and object graph, with unreachable objects labelled]
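The two passes described on this slide, as an added Python illustration (not part of the original course material). The toy heap, the object names and the function names are constructed for the example.

```python
from collections import deque

def mark(heap, roots):
    """Pass 1: trace the object graph from the root set and mark what is reachable."""
    marked = set()
    pending = deque(r for r in roots if r in heap)
    while pending:
        obj = pending.popleft()
        if obj in marked:          # already visited, which also stops cycles looping
            continue
        marked.add(obj)
        pending.extend(ref for ref in heap[obj] if ref in heap)
    return marked

def sweep(heap, marked):
    """Pass 2: walk the whole heap and free every object that was not marked."""
    collected = sorted(obj for obj in heap if obj not in marked)
    for obj in collected:
        del heap[obj]
    return collected

def collect(heap, roots):
    """One full collection: mark, then sweep. Returns the ids that were freed."""
    return sweep(heap, mark(heap, roots))

# Constructed heap: object id -> ids of the objects it references.
HEAP = {
    "session": ["user", "cart"],
    "user": [],
    "cart": ["item"],
    "item": ["cart"],    # cycle, but still reachable through "session"
    "tmp1": ["tmp2"],    # tmp1 and tmp2 reference each other, yet no root
    "tmp2": ["tmp1"],    # reaches them, so both are garbage
    "orphan": ["user"],  # points at a live object but is itself unreachable
}
ROOTS = ["session"]

if __name__ == "__main__":
    heap = dict(HEAP)
    print("collected:", collect(heap, ROOTS))
    print("live:", sorted(heap))
```

An object is kept because something reachable from a root refers to it, not because it refers to something live, which is why "orphan" is freed.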


Heap Fragmentation

Heap can become fragmented over time

Requests for memory may be refused
    enough available memory but not contiguous

[Diagram: heap with scattered Free blocks]


Generational Garbage Collection

Most objects are short lived
    "infant mortality"

Allocate new objects from one region of the heap
    use fast garbage collector regularly

Move longer lived objects to another region
    garbage collector runs less often here
    can use more effective (or slower) algorithm

[Diagram: longer lived objects move from the "new" region to the "old" region]


Heap Organisation

Permanent section used for reflective data
    class, method objects

New Objects allocated from Eden
    SS1 and SS2 are used for copying objects
    "Survival Spaces"

Optional incremental collection for old region

[Diagram: heap layout Perm | Old | SS1 | SS2 | Eden, labelled 64Mb, Old, New, JVM Tuneable and Total Heap Size]


Collecting the New Region

"Minor" collection
    copy live objects to Survival Space

[Diagram: Old | SS1 | SS2 | Eden regions]


Collecting the Old Region

Major Collection
    mark and compact
    much slower than minor collection

[Diagram: Old | SS1 | SS2 | Eden regions, with objects marked for deletion]


Monitoring GC

Different applications have different object usage patterns
    garbage collector may require tuning

Use the -verbose:gc flag when running program
    reports statistics on each run of the collector

    [GC 707K->432K(1984K), 0.0045157 secs]
    [GC 944K->943K(1984K), 0.0081382 secs]
    [GC 1455K->1423K(1984K), 0.0078742 secs]
    [GC 1935K->1871K(2496K), 0.0068408 secs]
    [Full GC 1871K->600K(2496K), 0.0254038 secs]
    [GC 1111K->1111K(1984K), 0.0064123 secs]
    [GC 1623K->1592K(2112K), 0.0070688 secs]
    [Full GC 1592K->686K(2112K), 0.0261748 secs]
    ...

Reading a line such as [GC 707K->432K(1984K), 0.0045157 secs]
    707K            Object space before collection
    432K            Object space after collection
    (1984K)         Total size of available heap
    0.0045157 secs  Time to collect
    [GC             Minor Collection
    [Full GC        Major Collection


Total Heap Size

Heap size varies between min and max value
    to keep free space to live objects ratio within limits

                      Option                  Default
Minimum Free Ratio    -XX:MinHeapFreeRatio    40
Maximum Free Ratio    -XX:MaxHeapFreeRatio    70
Minimum Heap Size     -Xms                    2m
Maximum Heap Size     -Xmx                    64m
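An added example (not from the original slides) that parses the -verbose:gc lines from the Monitoring GC slide and compares the free space left after each collection with the 40 and 70 defaults from the Total Heap Size slide. The function names and the whole-heap free-percentage calculation are assumptions of this example.

```python
import re

# One -verbose:gc line: [GC before->after(total), pause secs]
LINE = re.compile(r"\[(Full GC|GC) (\d+)K->(\d+)K\((\d+)K\), ([\d.]+) secs\]")

# The eight log lines from the Monitoring GC slide.
SAMPLE = """\
[GC 707K->432K(1984K), 0.0045157 secs]
[GC 944K->943K(1984K), 0.0081382 secs]
[GC 1455K->1423K(1984K), 0.0078742 secs]
[GC 1935K->1871K(2496K), 0.0068408 secs]
[Full GC 1871K->600K(2496K), 0.0254038 secs]
[GC 1111K->1111K(1984K), 0.0064123 secs]
[GC 1623K->1592K(2112K), 0.0070688 secs]
[Full GC 1592K->686K(2112K), 0.0261748 secs]
"""

def parse(log):
    """Turn each collector line into a record; text that does not match is skipped."""
    events = []
    for m in LINE.finditer(log):
        before, after, total = (int(m.group(i)) for i in (2, 3, 4))
        events.append({
            "major": m.group(1) == "Full GC",
            "freed_k": before - after,
            "heap_k": total,
            # Free space after the collection as a percentage of the whole heap.
            "free_pct": round(100 * (total - after) / total, 1),
            "secs": float(m.group(5)),
        })
    return events

def summarise(events, min_free=40, max_free=70):
    """Aggregate per collection type and flag collections outside the free limits."""
    major = [e for e in events if e["major"]]
    minor = [e for e in events if not e["major"]]
    pause = sum(e["secs"] for e in events)
    major_pause = sum(e["secs"] for e in major)
    return {
        "minor": len(minor), "major": len(major),
        "freed_minor_k": sum(e["freed_k"] for e in minor),
        "freed_major_k": sum(e["freed_k"] for e in major),
        "major_pause_share": round(major_pause / pause, 2) if pause else 0.0,
        "below_min_free": [i for i, e in enumerate(events) if e["free_pct"] < min_free],
        "above_max_free": [i for i, e in enumerate(events) if e["free_pct"] > max_free],
    }

if __name__ == "__main__":
    print(summarise(parse(SAMPLE)))
```

In these lines the heap grows from 1984K to 2496K once free space has dropped below 40%, and is back at 1984K after the first Full GC leaves it above 70%.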
