Sadmi

Reputation: 361

Tomcat 8.5 configuration with APR connector and HTTPS

For security reasons we should upgrade our application server from Tomcat7 to Tomcat8.5 (Tomcat is used as the application server in front of Apache HTTPD 2.4, which is the web server; they are integrated using AJP with mod_jk). After a successful configuration the application was able to run successfully, but I noticed high CPU usage which reaches up to 100%.

Note that I used Tomcat8.5.47 native binaries for Windows downloaded from here.

Here is the config with which I enabled HTTPS in server.xml:

<Connector port="8444" maxHttpHeaderSize="8192"
             maxThreads="150"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLEnabled="true"
             SSLCertificateFile="conf/certs/mycacert.pem"
             SSLCertificateKeyFile="conf/certs/cakey_enc.pem" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8444" />

Here are some details about the AJP connector; refer especially to the protocol attribute.

After a long comparison between Tomcat7 and Tomcat8.5, when I entered https://localhost:port/manager/status for both Tomcat 7 and 8.5, I found that Tomcat7 is using http-apr-8080 (for http), http-apr-8443 (for https; it's mentioned as http-apr and not https-apr) and ajp-apr-8009, but Tomcat8.5 uses http-nio-8080, https-openssl-nio-8444 and ajp-nio-8009.

So Tomcat7 uses APR in all connectors but Tomcat8.5 uses NIO.

Additional information:

We are running Windows Server 2008 R2 64-bit, with 4GB RAM (this is a test server).

APR 1.7

AJP 1.3

JVM 1.8.0_231-b11

Tomcat Initial memory pool: 1024MB

Tomcat Maximum memory pool: 1024MB

Openssl 1.1.1c

Thanks for your help!

Upvotes: 0

Views: 2849

Answers (2)

Sadmi

Reputation: 361

This thread, High CPU load with the JSSE client poller on Tomcat 8.5, gave me the idea to try Tomcat8.5.5; it solves the problem with the spontaneous high CPU usage when using the APR connector.

Upvotes: 0

Mark Thomas

Reputation: 16615

The defaults have changed in 8.5.x when the APR/native library is present.

In Tomcat 7 it was APR connector including OpenSSL for TLS.

In Tomcat 8.5 it is NIO connector including OpenSSL for TLS.

Using OpenSSL requires the APR/native connector.

If you really want APR/native (personally I'd stick with the defaults), the simplest way of doing it is to use the following: protocol="org.apache.coyote.http11.Http11AprProtocol" in your HTTP Connector element and protocol="org.apache.coyote.ajp.AjpAprProtocol" for your AJP connector.

Upvotes: 3
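
The change described in the answer above, applied to the two connectors from the question, as an added example that is not part of the original posts. Ports, paths and other attribute values are copied from the question and the two protocol class names from the answer; it assumes the APR/native library is already loading, as the question reports.

```xml
<!-- HTTPS connector from the question, pinned to the APR/native implementation
     instead of relying on the 8.5 default (NIO with OpenSSL for TLS) -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           SSLCertificateFile="conf/certs/mycacert.pem"
           SSLCertificateKeyFile="conf/certs/cakey_enc.pem" />

<!-- AJP 1.3 connector on port 8009, pinned to the APR/native implementation -->
<Connector port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol" redirectPort="8444" />
```

After a restart, the connector names on /manager/status show which implementation is active, in the same way the question distinguishes the apr and nio names.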
