Tomcat 8 Migration
- 1 Overview
- 2 Build Issues
- 3 Installation Issues
- 4 Runtime Issues
- 5 Upgrade Issues
- 6 References
The current Dogtag only supports Tomcat 7. In Fedora 23 the Tomcat is changed to version 8, which is incompatible with the current Dogtag. This page contains the efforts required to support Tomcat 8 in Fedora 23.
Dogtag does not compile
The following classes need to be updated due to changes in Tomcat API and Servlet API:
Tomcat JSS does not compile
The Tomcat JSS needs to be updated due to changes in Tomcat API.
Support for multiple Tomcat versions
Since the same Dogtag versions may run on multiple platforms, and each platform supports the different Tomcat versions, Dogtag needs to support multiple Tomcat versions simultaneously. That means Dogtag must maintain separate set of files for each Tomcat versions, and build the ones available on the target platform. If a platforms supports both Tomcat versions, Dogtag needs to provide a mechanism to select which Tomcat version to use on new and existing instances.
Same thing with Tomcat JSS, since the same Tomcat JSS versions may run on multiple platforms with different Tomcat versions, it needs to maintain separate set of files for each Tomcat version.
Incompatible Tomcat configuration
The base/server/share/conf/server.xml needs to be modified:
- add SecurityListener
- remove JasperListener
- add JreMemoryLeakPreventionListener
- add ThreadLocalLeakPreventionListener
Incompatible deployment descriptors
The following deployment descriptors need to be updated:
The changes include:
- move allowLinking attribute from Context to Resources
See also The Context Container.
NullPointerException during SSL initialization
The current Tomcat JSS and JSS does not support the non-blocking Java NIO connector which is used by default in Tomcat 8.
25-Feb-2015 20:27:38.190 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"] java.lang.NullPointerException at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:362) ...
The workaround is to configure the secure connector in server.xml to use the blocking Java connector.
<Connector ... protocol="org.apache.coyote.http11.Http11Protocol" ... />
Missing Mozilla-JSS provider
Due to the Tomcat JSS issue above, the JSS security provider is not loaded:
25-Feb-2015 20:29:29.849 SEVERE [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Exception initializing random number generator using provider [Mozilla-JSS] java.security.NoSuchProviderException: no such provider: Mozilla-JSS at sun.security.jca.GetInstance.getService(GetInstance.java:83) ...
With the above workaround the problem no longer exists.
Internal Server Error during authentication
The server generates an internal server error during the authentication process over SSL and there is no error in the log file:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-user-find PKIException: Internal Server Error
The problem disappears after fixing Tomcat JSS build issues.
When upgrading existing instances from F21 to F22, some of the configuration changes would have to be done automatically by an upgrade script to the correct Tomcat version:
- updating Tomcat configuration
- updating deployment descriptors
- Tomcat 8
- Migrating from 7.0.x to 8.0.x
- Apache Tomcat 8.0 API
- Tomcat 8.0 source repository
- PKI Ticket #1264 - Support for Tomcat 8.0
- PKI Ticket #1310 - Auto migration to Tomcat 8
- PKI Bug 1195811 - PKI fails to install, missing support for Tomcat 8.0
- Tomcat JSS Bug 1198450 - Support for Tomcat 8
- tomcatjss project
- tomcatjss Fedora package
- JDK 8 source repository