JSSE Debug Output Missing In 4.0.1 Log
oliverhrdz Oct 26, 2005 3:57 PM
We are upgrading from 3.2.2 to 4.0.1. In 3.2.2, we saw in the server.log file the following debug output:
2005-10-05 14:42:31,203 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Cert #0 = [
[
  Version: V1
  Subject: CN=
<snip>
0010: 32 C5 D3 12 80 93 17 7C EF 92 5A CD 8C 1C EB 3C 2.........Z....<
0020: 52 7E 51 96 C4 F6 0C ED 5F BF 03 01 F5 3A A5 73 R.Q....._....:.s
0030: 3A 3D 25 CE 51 AB 83 45 C5 94 9C 72 AB 2B C6 A1 :=%.Q..E...r.+..
0040: 45 0F 44 34 F1 69 31 79 94 6E A6 B9 F4 B3 95 CF E.D4.i1y.n......
0050: F0 03 E9 4F 30 B4 08 83 94 5C 4C 1C B7 AE 5F FA ...O0....\L..._.
0060: DF EF 9D 6E BB 8E 90 61 76 11 A8 A1 22 C3 3B 02 ...n...av...".;.
0070: 8B 99 29 30 DE 59 3C 6F 6C 07 CA D7 C2 79 1F EE ..)0.Y<ol....y..
]
This output aids in identifying which remote clients are connecting over SSL, as it displays their PKI certificates. The clients are connecting via proxies, so the access logs don't help. In JBoss 4.0.1, I no longer see this output.
I have tried configuring log4j by updating the log4j.xml file, in various ways, with no luck. I have also tried setting the verbosity level of what seems like a logging setting in the server.xml file under the tomcat folder to debug, and that didn't work either. In the log4j.xml file, I tried setting debug on explicitly for the class org.apache.tomcat.util.net.jsse.JSSE14Support. I've also commented out the section that limited the category org.apache to info. My last attempt was creating a separate appender to log only the org.apache.tomcat.util.net.jsse.JSSE14Support category, and I still cannot get the JBoss 4.0.1 server.log file to output this much needed info. What must I configure to get 4.0.1 to output this same information as 3.2.2 did?
Thanks in advance,
-Oliver Hernandez
log4j.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">

<!-- ===================================================================== -->
<!--                                                                       -->
<!--  Log4j Configuration                                                  -->
<!--                                                                       -->
<!-- ===================================================================== -->

<!-- $Id: log4j.xml,v 1.26.2.1 2004/09/19 22:18:42 starksm Exp $ -->

<!--
   | For more configuration infromation and examples see the Jakarta Log4j
   | owebsite: http://jakarta.apache.org/log4j
 -->

<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false">

   <!-- ================================= -->
   <!-- Preserve messages in a local file -->
   <!-- ================================= -->

   <!-- A time/date based rolling appender
   <appender name="FILE" class="org.jboss.logging.appender.DailyRollingFileAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="File" value="${jboss.server.home.dir}/log/server.log"/>
      <param name="Threshold" value="INFO"/>
      <param name="Append" value="false"/>

      <!- - Rollover at midnight each day - ->
      <param name="DatePattern" value="'.'yyyy-MM-dd"/>

      <!- - Rollover at the top of each hour
      <param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>
      - ->

      <layout class="org.apache.log4j.PatternLayout">
         <!- - The default pattern: Date Priority [Category] Message\n - ->
         <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>

         <!- - The full pattern: Date MS Priority [Category] (Thread:NDC) Message\n
         <param name="ConversionPattern" value="%d %-5r %-5p [%c] (%t:%x) %m%n"/>
          - ->
      </layout>
   </appender>
   -->

   <!-- A size based file rolling appender -->
   <appender name="FILE" class="org.jboss.logging.appender.RollingFileAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="File" value="${jboss.server.home.dir}/log/server.log"/>
      <param name="Append" value="false"/>
      <param name="MaxFileSize" value="500KB"/>
      <param name="MaxBackupIndex" value="100000"/>

      <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
      </layout>
   </appender>

   <!-- ============================== -->
   <!-- Append messages to the console -->
   <!-- ============================== -->

   <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="Target" value="System.out"/>
      <param name="Threshold" value="INFO"/>

      <layout class="org.apache.log4j.PatternLayout">
         <!-- The default pattern: Date Priority [Category] Message\n -->
         <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
      </layout>
   </appender>

   <!-- ============================== -->
   <!-- Appender for JSSE trace output -->
   <!-- ==============================
   <appender name="JSSELOG" class="org.jboss.logging.appender.RollingFileAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="File" value="${jboss.server.home.dir}/log/jssetrace.log"/>
      <param name="Append" value="false"/>
      <param name="MaxFileSize" value="500KB"/>
      <param name="MaxBackupIndex" value="100000"/>

      <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
      </layout>
   </appender>
   -->

   <!-- ====================== -->
   <!-- More Appender examples -->
   <!-- ====================== -->

   <!-- Buffer events and log them asynchronously
   <appender name="ASYNC" class="org.apache.log4j.AsyncAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <appender-ref ref="FILE"/>
      <appender-ref ref="CONSOLE"/>
      <appender-ref ref="SMTP"/>
   </appender>
   -->

   <!-- EMail events to an administrator
   <appender name="SMTP" class="org.apache.log4j.net.SMTPAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="Threshold" value="ERROR"/>
      <param name="To" value="admin@myhost.domain.com"/>
      <param name="From" value="nobody@myhost.domain.com"/>
      <param name="Subject" value="JBoss Sever Errors"/>
      <param name="SMTPHost" value="localhost"/>
      <param name="BufferSize" value="10"/>
      <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="[%d{ABSOLUTE},%c{1}] %m%n"/>
      </layout>
   </appender>
   -->

   <!-- Syslog events
   <appender name="SYSLOG" class="org.apache.log4j.net.SyslogAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="Facility" value="LOCAL7"/>
      <param name="FacilityPrinting" value="true"/>
      <param name="SyslogHost" value="localhost"/>
   </appender>
   -->

   <!-- Log events to JMS (requires a topic to be created)
   <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="Threshold" value="ERROR"/>
      <param name="TopicConnectionFactoryBindingName" value="java:/ConnectionFactory"/>
      <param name="TopicBindingName" value="topic/MyErrorsTopic"/>
   </appender>
   -->

   <!-- Log events through SNMP
   <appender name="TRAP_LOG" class="org.apache.log4j.ext.SNMPTrapAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="ImplementationClassName" value="org.apache.log4j.ext.JoeSNMPTrapSender"/>
      <param name="ManagementHost" value="127.0.0.1"/>
      <param name="ManagementHostTrapListenPort" value="162"/>
      <param name="EnterpriseOID" value="1.3.6.1.4.1.24.0"/>
      <param name="LocalIPAddress" value="127.0.0.1"/>
      <param name="LocalTrapSendPort" value="161"/>
      <param name="GenericTrapType" value="6"/>
      <param name="SpecificTrapType" value="12345678"/>
      <param name="CommunityString" value="public"/>
      <param name="ForwardStackTraceWithTrap" value="true"/>
      <param name="Threshold" value="DEBUG"/>
      <param name="ApplicationTrapOID" value="1.3.6.1.4.1.24.12.10.22.64"/>
      <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="%d,%p,[%t],[%c],%m%n"/>
      </layout>
   </appender>
   -->

   <!-- ================ -->
   <!-- Limit categories -->
   <!-- ================ -->

   <!-- Limit the org.apache category to INFO as its DEBUG is verbose
   <category name="org.apache.commons">
      <priority value="INFO"/>
   </category>
   -->

   <!--
   <category name="org.apache.tomcat.util.net.jsse">
      <priority value="TRACE" class="org.jboss.logging.XLevel"/>
      <appender=ref ref="JSSELOG"/>
   </category>
   -->

   <!-- Limit the org.jgroups category to WARN as its INFO is verbose -->
   <category name="org.jgroups">
      <priority value="WARN"/>
   </category>

   <!-- Limit apache axis to INFO as its DEBUG is even more verbose -->
   <category name="org.apache.axis">
      <priority value="INFO"/>
   </category>

   <!-- Limit JBoss categories -->
   <category name="org.jboss">
      <priority value="INFO"/>
   </category>

   <!-- Limit the JSR77 categories -->
   <category name="org.jboss.management">
      <priority value="INFO"/>
   </category>

   <!-- Limit JBoss webservice category
   <category name="org.jboss.webservice">
      <priority value="DEBUG"/>
   </category>
   -->

   <!-- Decrease the priority threshold for the org.jboss.varia category
   <category name="org.jboss.varia">
      <priority value="DEBUG"/>
   </category>
   -->

   <!-- Show the evolution of the DataSource pool in the logs [inUse/Available/Max]
   <category name="org.jboss.resource.connectionmanager.JBossManagedConnectionPool">
      <priority value="TRACE" class="org.jboss.logging.XLevel"/>
   </category>
   -->

   <!--
      | An example of enabling the custom TRACE level priority that is used
      | by the JBoss internals to diagnose low level details. This example
      | turns on TRACE level msgs for the org.jboss.ejb.plugins package and its
      | subpackages. This will produce A LOT of logging output.
   <category name="org.jboss.system">
      <priority value="TRACE" class="org.jboss.logging.XLevel"/>
   </category>
   <category name="org.jboss.ejb.plugins">
      <priority value="TRACE" class="org.jboss.logging.XLevel"/>
   </category>
   -->

   <!--
      | Logs these events to SNMP:
          - server starts/stops
          - cluster evolution (node death/startup)
          - When an EJB archive is deployed (and associated verified messages)
          - When an EAR archive is deployed
   <category name="org.jboss.system.server.Server">
      <priority value="INFO" />
      <appender-ref ref="TRAP_LOG"/>
   </category>
   <category name="org.jboss.ha.framework.interfaces.HAPartition.lifecycle">
      <priority value="INFO" />
      <appender-ref ref="TRAP_LOG"/>
   </category>
   <category name="org.jboss.deployment.MainDeployer">
      <priority value="ERROR" />
      <appender-ref ref="TRAP_LOG"/>
   </category>
   <category name="org.jboss.ejb.EJBDeployer">
      <priority value="INFO" />
      <appender-ref ref="TRAP_LOG"/>
   </category>
   <category name="org.jboss.deployment.EARDeployer">
      <priority value="INFO" />
      <appender-ref ref="TRAP_LOG"/>
   </category>
   -->

   <!-- ======================= -->
   <!-- Setup the Root category -->
   <!-- ======================= -->

   <root>
      <appender-ref ref="CONSOLE"/>
      <appender-ref ref="FILE"/>
   </root>

   <!-- Clustering logging -->
   <!-- Uncomment the following to redirect the org.jgroups and
      org.jboss.ha categories to a cluster.log file.
   <appender name="CLUSTER" class="org.jboss.logging.appender.RollingFileAppender">
      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
      <param name="File" value="${jboss.server.home.dir}/log/cluster.log"/>
      <param name="Append" value="false"/>
      <param name="MaxFileSize" value="500KB"/>
      <param name="MaxBackupIndex" value="1"/>

      <layout class="org.apache.log4j.PatternLayout">
         <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
      </layout>
   </appender>
   <category name="org.jgroups">
      <priority value="DEBUG" />
      <appender-ref ref="CLUSTER"/>
   </category>
   <category name="org.jboss.ha">
      <priority value="DEBUG" />
      <appender-ref ref="CLUSTER"/>
   </category>
   -->

</log4j:configuration>
server.xml file in tomcat subfolder:
<Server>

   <!-- Use a custom version of StandardService that allows the
   connectors to be started independent of the normal lifecycle
   start to allow web apps to be deployed before starting the
   connectors.
   -->
   <Service name="jboss.web"
      className="org.jboss.web.tomcat.tc5.StandardService">

      <!-- A HTTP/1.1 Connector on port 8080 -->
      <!--
      <Connector port="8080" address="${jboss.bind.address}"
         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
         enableLookups="false" redirectPort="8443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true"/>
      -->

      <!-- A AJP 1.3 Connector on port 8009 -->
      <!--
      <Connector port="8009" address="${jboss.bind.address}"
         enableLookups="false" redirectPort="8443" debug="0"
         protocol="AJP/1.3"/>
      -->

      <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
      <Connector port="443" address="${jboss.bind.address}"
         maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
         scheme="https" secure="true" clientAuth="true"
         keystoreFile="${jboss.server.home.dir}/conf/webado.jks"
         keystorePass="WebADO1" sslProtocol="TLS" />

      <Engine name="jboss.web" defaultHost="localhost">

         <!-- The JAAS based authentication and authorization realm implementation
         that is compatible with the jboss 3.2.x realm implementation.
         - certificatePrincipal : the class name of the
         org.jboss.security.auth.certs.CertificatePrincipal impl
         used for mapping X509[] cert chains to a Princpal.
         -->
         <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
            />

         <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
         behavior of JBossSecurityMgrRealm, but overrides the authorization
         checks to use JACC permissions with the current java.security.Policy
         to determine authorized access.
         <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
            />
         -->

         <Logger className="org.jboss.web.tomcat.Log4jLogger"
            verbosityLevel="debug" category="org.jboss.web.localhost.Engine"/>

         <Host name="localhost"
            autoDeploy="false" deployOnStartup="false" deployXML="false">

            <!-- Uncomment to enable request dumper. This Valve "logs interesting
                 contents from the specified Request (before processing) and the
                 corresponding Response (after processing). It is especially useful
                 in debugging problems related to headers and cookies."
            -->
            <!--
            <Valve className="org.apache.catalina.valves.RequestDumperValve" />
            -->

            <!-- Access logger -->
            <Valve className="org.apache.catalina.valves.AccessLogValve"
               prefix="localhost_access_" suffix=".log"
               pattern="common" directory="${jboss.server.home.dir}/log"
               resolveHosts="true" />

            <!-- Uncomment to enable single sign-on across web apps
               deployed to this host. Does not provide SSO across a cluster.

               If this valve is used, do not use the JBoss ClusteredSingleSignOn
               valve shown below.
            -->
            <!--
            <Valve className="org.apache.catalina.authenticator.SingleSignOn"
               debug="0"/>
            -->

            <!-- Uncomment to enable single sign-on across web apps
               deployed to this host AND to all other hosts in the cluster.

               If this valve is used, do not use the standard Tomcat SingleSignOn
               valve shown above.

               Valve uses a JBossCache instance to support SSO credential
               caching and replication across the cluster. The JBossCache
               instance must be configured separately. By default, the valve
               shares a JBossCache with the service that supports HttpSession
               replication. See the "tc5-cluster-service.xml" file in the
               server/all/deploy directory for cache configuration details.

               Besides the attributes supported by the standard Tomcat
               SingleSignOn valve (see the Tomcat docs), this version also
               supports the following attribute:

               treeCacheName   JMX ObjectName of the JBossCache MBean used to
                               support credential caching and replication across
                               the cluster. If not set, the default value is
                               "jboss.cache:service=TomcatClusteringCache", the
                               standard ObjectName of the JBossCache MBean used
                               to support session replication.
            -->
            <!--
            <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"
               debug="0"/>
            -->

            <!-- Uncomment to check for unclosed connections and transaction terminated checks
                 in servlets/jsps.
                 Important: You need to uncomment the dependency on the CachedConnectionManager
                 in META-INF/jboss-service.xml
            <Valve className="org.jboss.web.tomcat.tc5.jca.CachedConnectionValve"
               cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
               transactionManagerObjectName="jboss:service=TransactionManager" />
            -->

            <!-- Default context parameters -->
            <DefaultContext cookies="true" crossContext="true" override="true"/>

         </Host>

      </Engine>

   </Service>

</Server>
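A parser for the certificate dumps quoted in the post, as an added example that is not part of the original post or of JBoss/Tomcat: it pulls the subject DN out of each `Cert #N` entry in server.log and counts leaf certificates per client, which is the use the poster describes for this output. The sample log and DNs are constructed; the multi-line layout is an assumption based on the JDK's usual certificate dump and the `%d %-5p [%c] %m%n` pattern from the posted log4j.xml.

```python
import re
from collections import Counter

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
# Header that opens each certificate dump, as quoted in the post.
ENTRY = re.compile(
    rf"^(?P<ts>{TS}) DEBUG \[org\.apache\.tomcat\.util\.net\.jsse\.JSSE14Support\] "
    r"Cert #(?P<idx>\d+) = \[")
NEW_EVENT = re.compile(rf"^{TS} ")  # any other log4j event ends the current dump
SUBJECT = re.compile(r"^\s*Subject:\s*(?P<dn>.+?)\s*$")

def parse_cert_entries(lines):
    """Return one dict per 'Cert #N' dump: timestamp, chain index, subject DN."""
    entries, current = [], None
    for line in lines:
        header = ENTRY.match(line)
        if header:
            current = {"ts": header["ts"], "index": int(header["idx"]), "subject": None}
            entries.append(current)
        elif NEW_EVENT.match(line):
            current = None
        elif current is not None and current["subject"] is None:
            found = SUBJECT.match(line)
            if found:
                current["subject"] = found["dn"]
    return entries

def client_subjects(entries):
    """Count leaf certificates (chain index 0, the peer's own) per subject DN."""
    return Counter(e["subject"] or "<no subject parsed>"
                   for e in entries if e["index"] == 0)

# Constructed sample, not taken from a real server.log; the last dump is cut short.
SAMPLE_LOG = """\
2005-10-05 14:42:31,203 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Cert #0 = [
  Version: V1
  Subject: CN=client-a.example, OU=Test, O=Example, C=US
]
2005-10-05 14:42:31,204 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Cert #1 = [
  Subject: CN=Example Test CA, O=Example, C=US
2005-10-05 14:42:35,010 INFO  [org.jboss.web.localhost.Engine] unrelated event
  Subject: should be ignored
2005-10-05 14:43:02,877 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Cert #0 = [
  Subject: CN=client-a.example, OU=Test, O=Example, C=US
2005-10-05 14:44:10,001 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Cert #0 = [
  Version: V1
""".splitlines()
```

A dump with no `Subject:` line is counted under `<no subject parsed>` rather than dropped, so truncated log entries stay visible in the tally.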