The Apache Tomcat Servlet/JSP Container

Apache Tomcat 6.0

Apache Logo

Apache Tomcat 6.0

Apache Portable Runtime and Tomcat

Introduction

Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).

These features allows making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology.

Installation

APR support requires three main native components to be installed:

  • APR library
  • JNI wrappers for APR used by Tomcat (libtcnative)
  • OpenSSL libraries

Windows

Windows binaries are provided for tcnative-1, which is a statically compiled .dll which includes OpenSSL and APR. It can be downloaded from here as 32bit or AMD x86-64 binaries. In security conscious production environments, it is recommended to use separate shared dlls for OpenSSL, APR, and libtcnative-1, and update them as needed according to security bulletins. Windows OpenSSL binaries are linked from the Official OpenSSL website (see related/binaries).

Linux

Most Linux distributions will ship packages for APR and OpenSSL. The JNI wrapper (libtcnative) will then have to be compiled. It depends on APR, OpenSSL, and the Java headers.

Requirements:

  • APR 1.2+ development headers (libapr1-dev package)
  • OpenSSL 0.9.7+ development headers (libssl-dev package)
  • JNI headers from Java compatible JDK 1.4+
  • GNU development environment (gcc, make)

The wrapper library sources are located in the Tomcat binary bundle, in the bin/tomcat-native.tar.gz archive. Once the build environment is installed and the source archive is extracted, the wrapper library can be compiled using (from the folder containing the configure script):

./configure && make && make install

APR Components

Once the libraries are properly installed and available to Java (if loading fails, the library path will be displayed), the Tomcat connectors will automatically use APR. Configuration of the connectors is similar to the regular connectors, but have a few extra attributes which are used to configure APR components. Note that the defaults should be well tuned for most use cases, and additional tweaking shouldn't be required.

When APR is enabled, the following features are also enabled in Tomcat:

  • Secure session ID generation by default on all platforms (platforms other than Linux required random number generation using a configured entropy)
  • OS level statistics on memory usage and CPU usage by the Tomcat process are displayed by the status servlet

APR Lifecycle Listener Configuration
AprLifecycleListener

Name of the SSLEngine to use. off: Do not use SSL, on: Use SSL but no specific ENGINE. The default value is on. This initializes the native SSL engine, then enable the use of this engine in the connector using the SSLEnabled attribute. Example:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      

See the Official OpenSSL website for more details on SSL hardware engines and manufacturers.

APR Connectors Configuration
HTTP

When APR is enabled, the HTTP connector will use sendfile for hadling large static files (all such files will be sent ansychronously using high performance kernel level calls), and will use a socket poller for keepalive, increasing scalability of the server.

The following attributes are supported in the HTTP APR connector in addition to the ones supported in the regular HTTP connector:

AttributeDescription
firstReadTimeout

The first read of a request will be made using the specified timeout. If no data is available after the specified time, the socket will be placed in the poller. The value of this attribute is in ms. Setting this value to 0 or -1 will increase scalability by always using a poller to handle keepalive, but will have a minor impact on latency (see the related pollTime attribute). The difference is that with 0, the first read of a request will be made using a short timeout, while with -1, the first read will be made using the regular socket timeout that is configured on the connector. Setting this to -2 will cause the connector to not use the poller for keepalive in most situations, emulating the behavior of the java.io HTTP connector. The default value is -1. Note: on Windows, the actual value of firstReadTimeout will be 500 + the specified value, if the specified value is strictly positive.

pollTime

Duration of a poll call. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (5ms).

pollerSize

Amount of sockets that the poller responsible for polling kept alive connections can hold at a given time. Extra connections will be closed right away. The default value is 8192, corresponding to 8192 keepalive connections.

useSendfile

Use kernel level sendfile for certain static files. The default value is true.

sendfileSize

Amount of sockets that the poller responsible for sending static files asynchronously can hold at a given time. Extra connections will be closed right away without any data being sent (resulting in a zero length file on the client side). Note that in most cases, sendfile is a call that will return right away (being taken care of "synchonously" by the kernel), and the sendfile poller will not be used, so the amount of static files which can be sent concurrently is much larger than the specified amount. The default value is 1024.

HTTPS

When APR is enabled, the HTTPS connector will use a socket poller for keepalive, increasing scalability of the server. It also uses OpenSSL, which may be more optimized than JSSE depending on the processor being used, and can be complemented with many commercial accelerator components. Unlike the HTTP connector, the HTTPS connector cannot use sendfile to optimize static file processing.

The HTTPS APR connector has the same basic attributes than the HTTP APR connector, but adds OpenSSL specific ones. For the full details on using OpenSSL, please refer to OpenSSL documentations and the many books available for it (see the Official OpenSSL website). The SSL specific attributes for the connector are:

AttributeDescription
SSLEnabled

Enable SSL on the socket, default value is false. Set this value to true to enable SSL handshake/encryption/decryption in the APR connector.

SSLProtocol

Protocol which may be used for communicating with clients. The default is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1", and "SSLv2+SSLv3".

SSLCipherSuite

Ciphers which may be used for communicating with clients. The default is "ALL", with other acceptable values being a list of ciphers, with ":" used as the delimiter (see OpenSSL documentation for the list of ciphers supported).

SSLCertificateFile

Name of the file that contains the server certificate. The format is PEM-encoded.

SSLCertificateKeyFile

Name of the file that contains the server private key. The format is PEM-encoded. The default value is the value of "SSLCertificateFile" and in this case both certificate and private key have to be in this file (NOT RECOMMENDED).

SSLPassword

Pass phrase for the encrypted private key. If "SSLPassword" is not provided, the callback fonction should prompt for the pass phrase.

SSLVerifyClient

Ask client for certificate. The default is "none", meaning the client will not have the opportunity to submit a certificate. Other acceptable values include "optional", "require" and "optionalNoCA".

SSLVerifyDepth

Maximum verification depth for client certificates. The default is "10".

SSLCACertificateFile

See the mod_ssl documentation.

SSLCACertificatePath

See the mod_ssl documentation.

SSLCertificateChainFile

See the mod_ssl documentation.

SSLCARevocationFile

See the mod_ssl documentation.

SSLCARevocationPath

See the mod_ssl documentation.

An example SSL Connector declaration can be:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true" 
               SSLCertificateFile="${catalina.base}/conf/localhost.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

AJP

When APR is enabled, the AJP connector will use a socket poller for keepalive, increasing scalability of the server. As AJP is designed around a pool of persistent (or almost persistent) connections, this will reduce significantly the amount of processing threads needed by Tomcat. Unlike the HTTP connector, the AJP connector cannot use sendfile to optimize static file processing.

The following attributes are supported in the AJP APR connector in addition to the ones supported in the regular AJP connector:

AttributeDescription
firstReadTimeout

The first read of a request will be made using the specified timeout. If no data is available after the specified time, the socket will be placed in the poller. The value of this attribute is in ms. Setting this value to 0 or -1 will increase scalability by always using a poller to handle keepalive, but will have a minor impact on latency (see the related pollTime attribute). The difference is that with 0, the first read of a request will be made using a short timeout, while with -1, the first read will be made using the regular socket timeout that is configured on the connector. Setting this to -2 will cause the connector to not use the poller for keepalive in most situations, emulating the behavior of the java.io HTTP connector. The default value is -1. Note: on Windows, the actual value of firstReadTimeout will be 500 + the specified value, if the specified value is strictly positive.

pollTime

Duration of a poll call. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made. The default value is 2000 (5ms).

pollerSize

Amount of sockets that the poller responsible for polling kept alive connections can hold at a given time. Extra connections will be closed right away. The default value is 8192, corresponding to 8192 keepalive connections.


Copyright © 1999-2006, Apache Software Foundation