diff options
Diffstat (limited to 'pki/base/kra/shared/conf/server.xml')
| -rw-r--r-- | pki/base/kra/shared/conf/server.xml | 532 |
1 files changed, 159 insertions, 373 deletions
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml index 71b433bef..9a24cfa44 100644 --- a/pki/base/kra/shared/conf/server.xml +++ b/pki/base/kra/shared/conf/server.xml @@ -1,208 +1,196 @@ -<!-- Example Server Configuration File --> -<!-- Note that component elements are nested corresponding to their - parent-child relationships with each other --> - -<!-- A "Server" is a singleton element that represents the entire JVM, - which may contain one or more "Service" instances. The Server - listens for a shutdown command on the indicated port. - - Note: A "Server" is not itself a "Container", so you may not - define subcomponents such as "Valves" or "Loggers" at this level. +<?xml version='1.0' encoding='utf-8'?> +<!-- BEGIN COPYRIGHT BLOCK + Copyright (C) 2006-2010 Red Hat, Inc. + All rights reserved. + Modifications: configuration parameters + END COPYRIGHT BLOCK --> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<!-- Note: A "Server" is not itself a "Container", so you may not + define subcomponents such as "Valves" at this level. + Documentation at /docs/config/server.html --> <!-- DO NOT REMOVE - Begin PKI Status Definitions --> <!-- -Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] -Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] -Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services -PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] -Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) +Unsecure Port = http://[PKI_MACHINE_NAME]:[PKI_UNSECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] +Secure Agent Port = https://[PKI_MACHINE_NAME]:[PKI_AGENT_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/agent/[PKI_SUBSYSTEM_TYPE] +Secure EE Port = https://[PKI_MACHINE_NAME]:[PKI_EE_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/ee/[PKI_SUBSYSTEM_TYPE] +Secure Admin Port = https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE]/services +PKI Console Port = pkiconsole https://[PKI_MACHINE_NAME]:[PKI_ADMIN_SECURE_PORT]/[PKI_SUBSYSTEM_TYPE] +Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) --> <!-- DO NOT REMOVE - End PKI Status Definitions --> <Server port="[TOMCAT_SERVER_PORT]" shutdown="SHUTDOWN"> - <!-- Comment these entries out to disable JMX MBeans support used for the - administration web application --> + <!--APR library loader. Documentation at /docs/apr.html --> + <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> + <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> + <Listener className="org.apache.catalina.core.JasperListener" /> + <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html --> <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> - <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> - <!-- Global JNDI resources --> + <!-- Global JNDI resources + Documentation at /docs/jndi-resources-howto.html + --> <GlobalNamingResources> - - <!-- Test entry for demonstration purposes --> - <Environment name="simpleValue" type="java.lang.Integer" value="30"/> - <!-- Editable user database that can also be used by - UserDatabaseRealm to authenticate users --> + UserDatabaseRealm to authenticate users + --> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml" /> - + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share - a single "Container" (and therefore the web applications visible - within that Container). Normally, that Container is an "Engine", - but this is not required. - - Note: A "Service" is not itself a "Container", so you may not - define subcomponents such as "Valves" or "Loggers" at this level. + a single "Container" Note: A "Service" is not itself a "Container", + so you may not define subcomponents such as "Valves" at this level. + Documentation at /docs/config/service.html --> - - <!-- Define the Tomcat Stand-Alone Service --> <Service name="Catalina"> - + + <!--The connectors can use a shared executor, you can define one or more named thread pools--> + <!-- + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" + maxThreads="150" minSpareThreads="4"/> + --> + + <!-- A "Connector" represents an endpoint by which requests are received - and responses are returned. Each Connector passes requests on to the - associated "Container" (normally an Engine) for processing. - - By default, a non-SSL HTTP/1.1 Connector is established on port 8080. - You can also enable an SSL HTTP/1.1 Connector on port 8443 by - following the instructions below and uncommenting the second Connector - entry. SSL support requires the following steps (see the SSL Config - HOWTO in the Tomcat 5 documentation bundle for more detailed - instructions): - * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or - later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". - * Execute: - %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) - $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) - with a password value of "changeit" for both the certificate and - the keystore itself. - - By default, DNS lookups are enabled when a web application calls - request.getRemoteHost(). This can have an adverse impact on - performance, so you can disable it by setting the - "enableLookups" attribute to "false". When DNS lookups are disabled, - request.getRemoteHost() will return the String version of the - IP address of the remote client. + and responses are returned. Documentation at : + Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) + Java AJP Connector: /docs/config/ajp.html + APR (HTTP/AJP) Connector: /docs/apr.html + Define a non-SSL HTTP/1.1 Connector on port 8080 --> -<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> -[PKI_UNSECURE_PORT_SERVER_COMMENT] -<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - - -<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> -[PKI_SECURE_PORT_SERVER_COMMENT] -<!-- DO NOT REMOVE - Begin define PKI secure port --> -<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" sslProtocol="SSL" - sslOptions="ssl2=false,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> -<!-- DO NOT REMOVE - End define PKI secure port --> - -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] -<Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=false,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] - -[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] -<Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" maxHttpHeaderSize="8192" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" disableUploadTimeout="true" - acceptCount="100" scheme="https" secure="true" - clientAuth="false" sslProtocol="SSL" - sslOptions="ssl2=false,ssl3=true,tls=true" - ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" - ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" - serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" - passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" - passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" - certdbDir="[PKI_INSTANCE_PATH]/alias"/> -[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] - - <!-- Note : To disable connection timeouts, set connectionTimeout value - to 0 --> - - <!-- Note : To use gzip compression you could set the following properties : - - compression="on" - compressionMinSize="2048" - noCompressionUserAgents="gozilla, traviata" - compressableMimeType="text/html,text/xml" - --> - + [PKI_UNSECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + /> + + <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> + [PKI_SECURE_PORT_SERVER_COMMENT] + <!-- DO NOT REMOVE - Begin define PKI secure port --> + <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + clientAuth="[PKI_AGENT_CLIENTAUTH]" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias" + /> + <!-- DO NOT REMOVE - End define PKI secure port --> + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_ADMIN_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" disableUploadTimeout="true" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + clientAuth="false" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + [PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT][PKI_EE_SECURE_PORT_SERVER_COMMENT] + <Connector name="[PKI_EE_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_EE_SECURE_PORT]" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" + maxHttpHeaderSize="8192" + acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" + enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" + SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + clientAuth="false" + sslOptions="[TOMCAT_SSL_OPTIONS]" + ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" + ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" + tls3Ciphers="[TOMCAT_TLS3_CIPHERS]" + serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf" + passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf" + passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" + certdbDir="[PKI_INSTANCE_PATH]/alias"/> + [PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] + + <!-- A "Connector" using the shared thread pool--> + <!-- + <Connector executor="tomcatThreadPool" + port="8080" protocol="HTTP/1.1" + connectionTimeout="20000" + redirectPort="8443" /> + --> + <!-- Define a SSL HTTP/1.1 Connector on port 8443 + This connector uses the JSSE configuration, when using APR, the + connector should be using the OpenSSL style configuration + described in the APR documentation --> + <!-- + <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" + maxThreads="150" scheme="https" secure="true" + clientAuth="false" sslProtocol="TLS" /> + --> <!-- Define an AJP 1.3 Connector on port 8009 --> <!-- - <Connector port="8009" - enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> + <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> --> - <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> - <!-- See proxy documentation for more information about using this. --> - <!-- - <Connector port="8082" - maxThreads="150" minSpareThreads="25" maxSpareThreads="75" - enableLookups="false" acceptCount="100" connectionTimeout="20000" - proxyPort="80" disableUploadTimeout="true" /> - --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them - on to the appropriate Host (virtual host). --> + on to the appropriate Host (virtual host). + Documentation at /docs/config/engine.html --> <!-- You should set jvmRoute to support load-balancing via AJP ie : - <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> + <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> --> - - <!-- Define the top level container in our container hierarchy --> <Engine name="Catalina" defaultHost="localhost"> - <!-- The request dumper valve dumps useful debugging information about - the request headers and cookies that were received, and the response - headers and cookies that were sent, for all requests received by - this instance of Tomcat. If you care only about requests to a - particular virtual host, or a particular application, nest this - element inside the corresponding <Host> or <Context> entry instead. - - For a similar mechanism that is portable to all Servlet 2.4 - containers, check out the "RequestDumperFilter" Filter in the - example application (the source for this filter may be found in - "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). + <!--For clustering, please take a look at documentation at: + /docs/cluster-howto.html (simple how to) + /docs/config/cluster.html (reference documentation) --> + <!-- + <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> + --> - Request dumping is disabled by default. Uncomment the following - element to enable it. --> + <!-- The request dumper valve dumps useful debugging information about + the request and response data received and sent by Tomcat. + Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.valves.RequestDumperValve"/> --> - <!-- Because this Realm is here, an instance will be shared globally --> - <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately @@ -210,229 +198,27 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> - <!-- Comment out the old realm but leave here for now in case we - need to go back quickly --> - <!-- - <Realm className="org.apache.catalina.realm.MemoryRealm" /> - --> - - <!-- Replace the above Realm with one of the following to get a Realm - stored in a database and accessed via JDBC --> - - <!-- - <Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="org.gjt.mm.mysql.Driver" - connectionURL="jdbc:mysql://localhost/authority" - connectionName="test" connectionPassword="test" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name" /> - --> - - <!-- - <Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="oracle.jdbc.driver.OracleDriver" - connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" - connectionName="scott" connectionPassword="tiger" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name" /> - --> - - <!-- - <Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="sun.jdbc.odbc.JdbcOdbcDriver" - connectionURL="jdbc:odbc:CATALINA" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name" /> - --> - <!-- Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. --> - <Host name="localhost" appBase="webapps" - unpackWARs="true" autoDeploy="false" - xmlValidation="false" xmlNamespaceAware="false"> - - <!-- Defines a cluster for this node, - By defining this element, means that every manager will be changed. - So when running a cluster, only make sure that you have webapps in there - that need to be clustered and remove the other ones. - A cluster has the following parameters: - - className = the fully qualified name of the cluster class - - name = a descriptive name for your cluster, can be anything - - mcastAddr = the multicast address, has to be the same for all the nodes - - mcastPort = the multicast port, has to be the same for all the nodes - - mcastBindAddr = bind the multicast socket to a specific address - - mcastTTL = the multicast TTL if you want to limit your broadcast - - mcastSoTimeout = the multicast readtimeout - - mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat + <Host name="localhost" appBase="webapps" + unpackWARs="true" autoDeploy="false" + xmlValidation="false" xmlNamespaceAware="false"> - mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received - - tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes - - tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, - in case of multiple ethernet cards. - auto means that address becomes - InetAddress.getLocalHost().getHostAddress() - - tcpListenPort = the tcp listen port - - tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS - has a wakup bug in java.nio. Set to 0 for no timeout - - printToScreen = true means that managers will also print to std.out - - expireSessionsOnShutdown = true means that - - useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. - false means to replicate the session after each request. - false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) - <% - HashMap map = (HashMap)session.getAttribute("map"); - map.put("key","value"); - %> - replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. - * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. - * Synchronous means that the thread that executes the request, is also the - thread the replicates the data to the other nodes, and will not return until all - nodes have received the information. - * Asynchronous means that there is a specific 'sender' thread for each cluster node, - so the request thread will queue the replication request into a "smart" queue, - and then return to the client. - The "smart" queue is a queue where when a session is added to the queue, and the same session - already exists in the queue from a previous request, that session will be replaced - in the queue instead of replicating two requests. This almost never happens, unless there is a - large network delay. - --> - <!-- - When configuring for clustering, you also add in a valve to catch all the requests - coming in, at the end of the request, the session may or may not be replicated. - A session is replicated if and only if all the conditions are met: - 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND - 2. a session exists (has been created) - 3. the request is not trapped by the "filter" attribute - - The filter attribute is to filter out requests that could not modify the session, - hence we don't replicate the session after the end of this request. - The filter is negative, ie, anything you put in the filter, you mean to filter out, - ie, no replication will be done on requests that match one of the filters. - The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. - - filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI - ending with .gif and .js are intercepted. - - The deployer element can be used to deploy apps cluster wide. - Currently the deployment only deploys/undeploys to working members in the cluster - so no WARs are copied upons startup of a broken node. - The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" - When a new war file is added the war gets deployed to the local instance, - and then deployed to the other instances in the cluster. - When a war file is deleted from the watchDir the war is undeployed locally - and cluster wide - --> - - <!-- - <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" - managerClassName="org.apache.catalina.cluster.session.DeltaManager" - expireSessionsOnShutdown="false" - useDirtyFlag="true" - notifyListenersOnReplication="true"> - - <Membership - className="org.apache.catalina.cluster.mcast.McastService" - mcastAddr="228.0.0.4" - mcastPort="45564" - mcastFrequency="500" - mcastDropTime="3000"/> - - <Receiver - className="org.apache.catalina.cluster.tcp.ReplicationListener" - tcpListenAddress="auto" - tcpListenPort="4001" - tcpSelectorTimeout="100" - tcpThreadCount="6"/> - - <Sender - className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" - replicationMode="pooled" - ackTimeout="15000"/> - - <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" - filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> - - <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" - tempDir="/tmp/war-temp/" - deployDir="/tmp/war-deploy/" - watchDir="/tmp/war-listen/" - watchEnabled="false"/> - </Cluster> - --> - - - - <!-- Normally, users must authenticate themselves to each web app - individually. Uncomment the following entry if you would like - a user to be authenticated the first time they encounter a - resource protected by a security constraint, and then have that - user identity maintained across *all* web applications contained - in this virtual host. --> + <!-- SingleSignOn valve, share authentication between web applications + Documentation at: /docs/config/valve.html --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> - <!-- Access log processes all requests for this virtual host. By - default, log files are created in the "logs" directory relative to - $CATALINA_HOME. If you wish, you can specify a different - directory with the "directory" attribute. Specify either a relative - (to $CATALINA_HOME) or absolute path to the desired directory. - --> - <Valve className="org.apache.catalina.valves.AccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - - <!-- Access log processes all requests for this virtual host. By - default, log files are created in the "logs" directory relative to - $CATALINA_HOME. If you wish, you can specify a different - directory with the "directory" attribute. Specify either a relative - (to $CATALINA_HOME) or absolute path to the desired directory. - This access log implementation is optimized for maximum performance, - but is hardcoded to support only the "common" and "combined" patterns. - --> + <!-- Access log processes all example. + Documentation at: /docs/config/valve.html --> <!-- - <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> + <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" + prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> - <!-- Access log processes all requests for this virtual host. By - default, log files are created in the "logs" directory relative to - $CATALINA_HOME. If you wish, you can specify a different - directory with the "directory" attribute. Specify either a relative - (to $CATALINA_HOME) or absolute path to the desired directory. - This access log implementation is optimized for maximum performance, - but is hardcoded to support only the "common" and "combined" patterns. - This valve use NIO direct Byte Buffer to asynchornously store the - log. - --> - <!-- - <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve" - directory="logs" prefix="localhost_access_log." suffix=".txt" - pattern="common" resolveHosts="false"/> - --> - - <!-- <Context docBase="webapps" path="/webapps" reloadable="false"/> --> </Host> - </Engine> - </Service> - </Server> |