Home / user-1759

Zac Thompson's questions

Martin Hope
Zac Thompson
Asked: 2011-03-03 20:50:54 +0800 CST
  • 2

I'd like to restrict the SSL access to a Tomcat instance using certificates, and not relying on any "user" accounts.

I have a CA which is being used to sign the certificates, but if I configure Tomcat to trust the CA then it will trust anyone signed by it, whereas I would like to be much more restrictive and only allow certs for which I have approved that particular usage (namely, for the apps I have running on that server).

It seems to me that this is exactly what the Extended Key Usage part of X.509 is for, and I can create certs with that field defined to a custom value, but I can't figure out if there is any way to make Tomcat pay attention to that field and only allow certain Usages. Does anyone know how to do this? Even pointers for Apache httpd would be useful, since I could put Tomcat behind an https front end in a pinch.

tomcat java ssl x509
Martin Hope
Zac Thompson
Asked: 2010-06-30 14:09:21 +0800 CST
  • 0

I have a (sparc) Solaris 10 server with 16G of RAM. There are over 4G free.

Memory: 16G phys mem, 4371M free mem, 8193M swap, 8193M free swap

I am running a lot of java processes (I'm using the 32-bit JVM because none of them need a lot of memory) and want to run another one. But it claims to be out of memory.

# /usr/jdk/jdk1.6.0_17/bin/java -version
Error occurred during initialization of VM
Could not reserve enough space for object heap

I tried running with a reduced memory pool max size (-Xmx). Then I gradually increased the ceiling until it was very high indeed. How much should it be allocating without the -Xmx flag? According to this page, I wouldn't expect it to try to use more than 1G. And yet I can go to more than three times that without error.

# /usr/jdk/jdk1.6.0_17/bin/java -Xmx3900m -version
java version "1.6.0_17"
Java(TM) SE Runtime Environment (build 1.6.0_17-b04)
Java HotSpot(TM) Server VM (build 14.3-b01, mixed mode)

If I raise it above that level, then I start to get other errors, but I would expect that since I am approaching the 4G limit of address space for a 32-bit process anyway.

What could possibly be happening here, and how can I diagnose it myself? Edit: most of the java processes are running as different users (no more than 10 per user). But note in the above that I am trying to launch the new process (merely 'java -version') as root.

# ulimit -a
core file size        (blocks, -c) unlimited
data seg size         (kbytes, -d) unlimited
file size             (blocks, -f) unlimited
open files                    (-n) 256
pipe size          (512 bytes, -p) 10
stack size            (kbytes, -s) 8192
cpu time             (seconds, -t) unlimited
max user processes            (-u) 29995
virtual memory        (kbytes, -v) unlimited
java solaris memory