Overview#
Dogtag currently supports only Tomcat 7. Fedora 23 moves to Tomcat 8, which is incompatible with the current Dogtag. This page collects the work required to support Tomcat 8 in Fedora 23.
Build Issues#
Dogtag does not compile#
The following classes need to be updated because of changes in the Tomcat API and the Servlet API:
base/server/tomcat/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
base/server/tomcat/src/com/netscape/cms/tomcat/ProxyRealm.java
base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
Tomcat JSS does not compile#
Tomcat JSS needs to be updated because of changes in the Tomcat API.
Support for multiple Tomcat versions#
Since the same Dogtag version may run on multiple platforms, and each platform ships a different Tomcat version, Dogtag needs to support multiple Tomcat versions simultaneously. That means Dogtag must maintain a separate set of files for each Tomcat version and build only the set matching the Tomcat available on the target platform. If a platform supports both Tomcat versions, Dogtag needs to provide a mechanism to select which Tomcat version to use for new and existing instances.
The same applies to Tomcat JSS: since the same Tomcat JSS version may run on multiple platforms with different Tomcat versions, it too needs to maintain a separate set of files for each Tomcat version.
Installation Issues#
Incompatible Tomcat configuration#
The base/server/share/conf/server.xml needs to be modified:
add SecurityListener (org.apache.catalina.security.SecurityListener)
remove JasperListener (org.apache.catalina.core.JasperListener no longer exists in Tomcat 8, so leaving it in place makes startup fail)
add JreMemoryLeakPreventionListener (org.apache.catalina.core.JreMemoryLeakPreventionListener)
add ThreadLocalLeakPreventionListener (org.apache.catalina.core.ThreadLocalLeakPreventionListener)
Incompatible deployment descriptors#
The following deployment descriptors need to be updated:
base/server/share/conf/Catalina/localhost/ROOT.xml
base/server/share/conf/Catalina/localhost/pki.xml
base//shared/conf/Catalina/localhost/.xml
The changes include:
move the allowLinking attribute from Context to Resources (in Tomcat 8 allowLinking is an attribute of the nested Resources element, not of Context)
See also The Context Container.
NullPointerException during SSL initialization#
The current Tomcat JSS and JSS do not support the non-blocking Java NIO connector, which Tomcat 8 selects by default when a connector specifies protocol="HTTP/1.1" (Tomcat 7 selected the blocking connector for the same value):
25-Feb-2015 20:27:38.190 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
java.lang.NullPointerException
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:362)
...
The workaround is to configure the secure connector in server.xml to use the blocking Java (BIO) connector explicitly:
<Connector
...
protocol="org.apache.coyote.http11.Http11Protocol"
... />
Missing Mozilla-JSS provider#
Because of the Tomcat JSS issue above, the JSS security provider is not loaded:
25-Feb-2015 20:29:29.849 SEVERE [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Exception initializing random number generator using provider [Mozilla-JSS]
java.security.NoSuchProviderException: no such provider: Mozilla-JSS
at sun.security.jca.GetInstance.getService(GetInstance.java:83)
...
With the above workaround the problem no longer occurs.
Runtime Issues#
Internal Server Error during authentication#
The server returns an internal server error during authentication over SSL, and nothing is written to the log file:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-user-find
PKIException: Internal Server Error
The problem disappears after fixing the Tomcat JSS build issues.
Upgrade Issues#
When upgrading existing instances from F21 to F22, some of the configuration changes will have to be applied automatically by an upgrade script, matching the Tomcat version installed on the target platform:
updating Tomcat configuration
updating deployment descriptors
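The following is an added example, not Dogtag's own upgrade script, showing what such a script has to do for the three changes described on this page: the server.xml listener changes (Incompatible Tomcat configuration), the allowLinking move from Context to Resources (Incompatible deployment descriptors), and the blocking-connector workaround for the Tomcat JSS NullPointerException. It works on in-memory XML with the standard library only; the two sample documents are constructed, trimmed-down stand-ins and are not copied from base/server/share/conf/.

```python
"""Tomcat 7 -> Tomcat 8 configuration migration for a Dogtag-style instance.

Added example; this is not Dogtag's own upgrade code. It applies the
server.xml and deployment-descriptor changes described on the wiki page
to in-memory XML. The sample documents at the bottom are constructed
stand-ins, not the real files under base/server/share/conf/.
"""
import xml.etree.ElementTree as ET

# Tomcat 7 listener that no longer exists in Tomcat 8.
JASPER_LISTENER = "org.apache.catalina.core.JasperListener"

# Listeners a Tomcat 8 server.xml is expected to carry.
TOMCAT8_LISTENERS = (
    "org.apache.catalina.security.SecurityListener",
    "org.apache.catalina.core.JreMemoryLeakPreventionListener",
    "org.apache.catalina.core.ThreadLocalLeakPreventionListener",
)

# Blocking (BIO) HTTP/1.1 connector. On Tomcat 8 a bare "HTTP/1.1" selects NIO,
# which the current Tomcat JSS cannot initialise (NullPointerException in NioEndpoint.bind).
BLOCKING_HTTP11 = "org.apache.coyote.http11.Http11Protocol"


def upgrade_server_xml(xml_text):
    """Return server.xml rewritten for Tomcat 8. Safe to run more than once."""
    root = ET.fromstring(xml_text)

    # 1. Drop JasperListener; Tomcat 8 would fail to load the missing class.
    for listener in root.findall("Listener"):
        if listener.get("className") == JASPER_LISTENER:
            root.remove(listener)

    # 2. Add the Tomcat 8 listeners that are not already present, directly
    #    after the last existing <Listener> so the listeners stay grouped.
    present = {el.get("className") for el in root.findall("Listener")}
    children = list(root)
    insert_at = max((i for i, el in enumerate(children) if el.tag == "Listener"), default=-1) + 1
    for class_name in TOMCAT8_LISTENERS:
        if class_name not in present:
            root.insert(insert_at, ET.Element("Listener", className=class_name))
            insert_at += 1

    # 3. Pin every SSL-enabled connector to the blocking connector (the page's
    #    workaround); plain HTTP connectors are left alone.
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() == "true":
            connector.set("protocol", BLOCKING_HTTP11)

    return ET.tostring(root, encoding="unicode")


def upgrade_context_xml(xml_text):
    """Move allowLinking from <Context> to a nested <Resources> (Tomcat 8 layout)."""
    context = ET.fromstring(xml_text)
    if context.tag != "Context":
        raise ValueError("not a Context descriptor: <%s>" % context.tag)
    value = context.attrib.pop("allowLinking", None)
    if value is not None:
        resources = context.find("Resources")
        if resources is None:
            resources = ET.SubElement(context, "Resources")
        resources.set("allowLinking", value)
    return ET.tostring(context, encoding="unicode")


# Helpers for checking the result of a migration.
def listener_classes(xml_text):
    return [el.get("className") for el in ET.fromstring(xml_text).findall("Listener")]


def connector_protocols(xml_text):
    return {c.get("name"): c.get("protocol") for c in ET.fromstring(xml_text).iter("Connector")}


def context_allow_linking(xml_text):
    """Return (allowLinking on <Context>, allowLinking on <Resources>)."""
    context = ET.fromstring(xml_text)
    resources = context.find("Resources")
    return (context.get("allowLinking"),
            resources.get("allowLinking") if resources is not None else None)


# Constructed sample inputs in Tomcat 7 form (not the real Dogtag files).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Service name="Catalina">
    <Connector name="Unsecure" port="8080" protocol="HTTP/1.1" />
    <Connector name="Secure" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation" />
  </Service>
</Server>"""

SAMPLE_CONTEXT_XML = '<Context docBase="webapps/pki" allowLinking="true" crossContext="true" />'

if __name__ == "__main__":
    print(upgrade_server_xml(SAMPLE_SERVER_XML))
    print(upgrade_context_xml(SAMPLE_CONTEXT_XML))
```

Both functions are idempotent, which matters for an upgrade script that may be re-run after a failed upgrade. Note that xml.etree drops XML comments when it re-serialises, so a script that edits the real files in place should use a comment-preserving parser or patch the text directly rather than round-tripping through ElementTree as done here.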