2.1.1 Release Notes
Red Hat JBoss Web Server 2.1
Release Notes for Red Hat JBoss Web Server 2.1.1
Red Hat Customer Content Services
Abstract
These release notes contain important information related to Red Hat JBoss Web Server 2.1.1. Read these Release Notes in their entirety before installing Red Hat JBoss Web Server 2.1.1.
1. Introduction to Red Hat JBoss Enterprise Web Server 2.1
Welcome to the Red Hat JBoss Enterprise Web Server 2.1. As you become familiar with the newest version of JBoss Enterprise Web Server, these Release Notes provide you with information about new features, as well as known and resolved issues. Use this document in conjunction with the entire JBoss Enterprise Web Server 2.1 documentation suite, available at the Red Hat Customer Service Portal's JBoss Enterprise Web Server documentation page.
1.1. About Red Hat JBoss Enterprise Web Server
JBoss Enterprise Web Server is a fully-integrated and certified set of components for hosting Java web applications. It is comprised of the industry's leading web server (Apache HTTP Server), the popular Apache Tomcat Servlet container as well as load balancers (mod_jk and mod_cluster), Hibernate, the Tomcat Native library and others.
1.2. Overview
This document contains information about the new features, known and resolved issues of Red Hat JBoss Enterprise Web Server version 2.1. Customers are requested to read this document prior to installing this version.
1.3. Upgraded to openssl-1.0.2h
JBoss Web Server 2.1.1 has been upgraded to openssl-1.0.2h. This is because OpenSSL 0.9.8 is end of life and no longer supported. There is added support of TLSv1.2 and new ciphers only for Apache HTTP Server and JBoss EAP 6.4.10 Natives. By default, SSLv3 is disabled. SSLv2 and some unsafe ciphers have been removed.
Note
JBoss Web Server 2.1.1 does not support TLSv1.2 for APR connectors on Tomcat. TLSv1.2 works with Java connectors on JDK 1.7 or later.
JBoss OpenSSL 1.0.2h does not claim FIPS certification. Hence, we do not support and test FIPS with JBoss Web Server 2.1.1 on any of our platforms. In case you need more information about FIPS on a specific platform, you can submit a support case online or contact us by phone.
Note
The tomcat-native is upgraded to version 1.1.34.
1.4. Set OPENSSL_CONF and LD_LIBRARY_PATH
You need to set OPENSSL_CONF and LD_LIBRARY_PATH.
Using the custom engine is feasible as per the upstream documentation. For more information, see https://www.openssl.org/docs/manmaster/apps/config.html
Note
To get your custom engine working, you have to set it in the upper section of the openssl.cnf file before any other section. Then, you need to export the OPENSSL_CONF variable to make openssl use this configuration.
The sample configuration for JBoss Web Server is installed in /home/user/jboss-ews-2.1:
export OPENSSL_CONF=/home/user/jboss-ews-2.1/httpd/conf/openssl/pki/tls/openssl.cnf
export LD_LIBRARY_PATH=/home/user/jboss-ews-2.1/httpd/lib:$LD_LIBRARY_PATH
The configuration of environment variables is required when httpd, httpd.event, and httpd.worker are run directly. When the apachectl script is used for starting the httpd server, the postinstall script updates the correct LD_LIBRARY_PATH and OPENSSL_CONF variables in the apachectl script.
2. Supported Configurations
For supported hardware and software configurations, see the JBoss Enterprise Web Server Supported Configurations reference on the Customer Portal at JBoss Enterprise Web Server Supported Configurations page.
3. Changes and Resolved Issues
httpd
- 1182341 - httpd22 service is not enabling the right MPM
- Prior to JBoss Web Server 2.1.1, it was not possible to use the worker MPM. This is because the systemd unit explicitly called the httpd prefork binary. This is resolved by updating the systemd unit so that it uses the HTTPD variable defined in the sysconfig file, or prefork, by default.
- 1292824 - httpd22: rpm scripts act on httpd.service rather than httpd22.service
- The httpd22 package for EL7 provides a service file named httpd22.service. The rpm scripts are now updated to use that name and not to use httpd.service.
httpd,openssl,tomcat-native
- 1342073 - Upgrade openssl from 0.9.8 to 1.0.2h
- Added support of TLSv1.2 and new ciphers. This is because openssl 0.9.8 is end of life and no longer supported. SSLv2 and SSLv3 and some unsafe ciphers have been removed.
- 1358118 CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
- 1338646 CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
- 1337151 CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
- 1337155 CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
- 1182872 CVE-2014-3570 CVE-2015-0204 openssl: various flaws [jbews-2.1.0]
- 1305629 CVE-2014-0226 httpd: changelog typo for previous release notes relative to CVE-2014-0226
- 1219591 - /var/run/httpd22 file is deleted after reboot
- Prior to EWS 2.1.1, when a rhel-7 server rebooted, the /var/run/httpd22 file was deleted and it was not possible to start the httpd22 service again. This was resolved by adding the directory to the system's tmpfiles.d configuration so that the system recreates the directory after every reboot.
- 1305580 - httpd supplied jb-ews-2-for-rhel-6-server-rpms deplist is missing apr-util-ldap
- Included a sub-package that contains the ldap dependency. apr-util-ldap is in an optional RHEL7 channel, so the new sub-package was added; customers using ldap authentication need to install it with the dependency.
- 1251796 - Need 2048-bit DH support for JWS HTTPD
- OpenSSL is updated to version 1.0.2h, which allows a newly generated DH_PARAM key to be appended to the default certificate file localhost.crt. After installing httpd and running the .postinstall script, use a few more commands to extend the default certificate file if needed. Run the openssl provided by the zip/rpm package to generate DH_PARAM with a 2048-bit key:
<path_to_provided_openssl_folder>/openssl dhparam -out dh_2048.pem 2048
Append the content of dh_2048.pem to the localhost.crt created by the .postinstall script. httpd/conf.d/ssl.conf should show the location of the file. Now, start the httpd server. The server starts with the extended Server Temp Key: DH, 2048 bits. You can verify it by running:
<path_to_provided_openssl_folder>/openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-GCM-SHA384
- 1342071 - Upgrade mod_jk to 1.2.41
- Previously in JBoss Enterprise Web Server, an outdated version of mod_jk was included in the product. This is now fixed in JBoss Enterprise Web Server 2.1 by including mod_jk version 1.2.41, which incorporates the required miscellaneous bug fixes into the product.
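A check for the 1251796 procedure above, as an added example that is not part of the original release notes: it confirms that a certificate file (localhost.crt in the text) carries an appended DH PARAMETERS block of at least 2048 bits. The function names are hypothetical, and openssl is assumed to be on PATH unless the path of the provided binary is passed as the second argument.

```shell
#!/bin/sh
# Added example: confirm that the certificate file httpd loads really carries
# DH parameters of 2048 bits or more after the append step.

# Print the first DH PARAMETERS PEM block found in file $1 (nothing if absent).
extract_dh_block() {
    awk '/^-----BEGIN DH PARAMETERS-----/ { on = 1 }
         on { print }
         /^-----END DH PARAMETERS-----/ { if (on) exit }' "$1"
}

# Read "openssl dhparam -text" output on stdin and print the size in bits.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_dh_size CERT_FILE [OPENSSL_BINARY]
# Returns 0 if CERT_FILE has DH parameters of at least 2048 bits,
# 1 if they are smaller or unreadable, 2 if no block was appended.
check_dh_size() {
    openssl_bin=${2:-openssl}
    block=$(extract_dh_block "$1")
    if [ -z "$block" ]; then
        echo "$1: no DH PARAMETERS block appended" >&2
        return 2
    fi
    bits=$(printf '%s\n' "$block" | "$openssl_bin" dhparam -noout -text | dh_bits_from_text)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "$1: DH parameters are ${bits:-unknown} bits" >&2
        return 1
    fi
    echo "$1: DH parameters are $bits bits"
}

# Run the check only when a certificate file is given on the command line.
if [ $# -gt 0 ]; then check_dh_size "$@"; fi
```

Run it against the certificate file referenced in httpd/conf.d/ssl.conf before starting httpd; the s_client command above then confirms what the running server negotiates.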
httpd,mod_cluster
- 1309598 - ProxyErrorOverride On disables workers when a 50x error code is returned by the backend server
- When a VirtualHost uses ProxyPass to proxy traffic, the backend uses ProxyErrorOverride to host custom error pages on the Apache httpd side. When the backend replies with a 50x error code mod_proxy/mod_cluster marks that worker as down, breaking the session stickiness. This issue is fixed.
- 1339966 - upgrade mod_cluster native to 1.2.13.Final
- Previously in JBoss Enterprise Web Server, an outdated version of mod_jk was included in the product. This is now fixed in JBoss Enterprise Web Server 2.1 by including mod_jk version 1.2.41, which incorporates the required miscellaneous bug fixes into the product.
- 1342074 - Upgrade mod_cluster from 1.2.12.Final to 1.2.13.Final
- Previously in JBoss Enterprise Web Server, an outdated version of mod_cluster was included in the product. This is now fixed in JBoss Enterprise Web Server 2.1 by including mod_cluster version 1.2.13, which incorporates the required miscellaneous bug fixes into the product.
mod_jk
- 1328231 - mod_jk Segmentation fault when trying to resolve unknown host
mod_cluster
- 1338642 - mod_cluster undersizes the connection pool
- The connection pool was undersized, causing the ping to fail when all connections of the pool were in use and producing the following error message: [error] (70007)The timeout specified has expired: proxy: ajp: failed to acquire connection for … This is fixed by increasing the number of connections to ThreadsPerChild+1.
- 1340958 - UpperCase Alias never matches any context
- The worker virtual host aliases were treated as case-sensitive, so one FQDN used as an alias, typed once in upper case and once in lower case, was treated as two different aliases. This issue is fixed in this release. All aliases are converted to lower case. For example, EXAMPLE.COM and example.com are handled as the same alias.
mod_cluster
- 1338644 - Add JVMRoute or node identifier to httpd/mod_cluster errors
- Mod_cluster error messages used to state merely the fact that an error occurred. With this patch, the offending worker's JVMRoute is printed in the log so that it is easier for the user to determine the cause of the problem.
- 1338641 - StickySessions does not work for ProxyPass from unenabled context
- The StickySessions works for ProxyPass from unenabled context. This has been fixed in this release.
4. Known Issues
httpd
- 978978 - Unexpected differences in httpd/include/ap_config_layout.h in ZIP and RPM
- In JBoss Enterprise Web Server 2.1.1, the following C macros are available in the ZIP distribution but are not present in the RPM distribution in httpd/include/ap_config_layout.h:
#define DEFAULT_EXP_LIBEXECDIR "/usr/lib/httpd/modules"
#define DEFAULT_REL_LIBEXECDIR "/usr/lib/httpd/modules"
#define DEFAULT_EXP_INSTALLBUILDDIR "/usr/lib/httpd/build"
#define DEFAULT_REL_INSTALLBUILDDIR "/usr/lib/httpd/build"
- 1362188 - EWS 2.1.1 CR1: snmp module doesn't response at solaris sparc
- SNMP does not respond on the defined port in the snmpd.conf file in solaris sparc.
- 1025057 - SSLProxyMachineCertificateFile doesn't support PKCS#8 key format
- In JBoss Web Server, when a PKCS#8 key generated by OpenSSL is used, JBoss Web Server displays the following error and then terminates:
incomplete client cert configured for SSL proxy (missing or encrypted private key?)
The PKCS#8 format is not supported by mod_ssl, as mod_ssl uses different functions when loading the proxy key pair. This is a known issue in JBoss Web Server 3.0. As a workaround, convert from PKCS#8 to the raw PEM encoding of the RSA key and use "openssl pkcs8".
- 1362029 - EWS 2.1.1 CR1: snmp module ignore conf setup
- The SNMP module does not start on the defined port specified in the snmpd.conf and uses the default port. In order to make httpd read the snmpd.conf correctly, the solution is to place it under httpd's conf/ directory, the directory in which httpd.conf resides.
- 1358422 - LD_LIBRARY_PATH entries exported in Unix session are overridden in apachectl script
- Because the apachectl script overwrites the content of LD_LIBRARY_PATH, you cannot set it before starting apachectl. The workaround is to add $LD_LIBRARY_PATH after the : on the line export LD_LIBRARY_PATH="$currentDir/lib: in the apachectl script.
- 1133129 - Request to resolve upstream bug 39737
- On Windows, the access log format "%{tid}P" logs invalid thread IDs.
- 1360822 - EWS 2.1.1 CR1: snmp module contains discrepency in snpm.conf.sample at windows
- httpd does not start due to a missing "modules/" prefix before the .so files declared in conf.d/mod_snmpd.conf.sample. The workaround is to add the "modules/" prefix to libsnmpcommon.so and libsnmpmonagt.so. The conf.d/mod_snmp.conf should contain:
LoadModule snmpcommon_module modules/libsnmpcommon.so
LoadModule snmpagt_module modules/libsnmpmonagt.so
httpd,tomcat6,tomcat7
- 1364453 - Socked bind failed on link-local [IPV6]
- Attempting to use a link-local scoped IPv6 address yields an exception and prevents httpd from binding to the address. For httpd, because the upstream bug https://bz.apache.org/bugzilla/show_bug.cgi?id=59396 is not fixed, the only way to use a link-local scoped IPv6 address is to define the address along with the scope ID or the link-local scoped interface, followed by the port number, without using brackets. For example, Listen fe80::4eeb:42ff:fedb:9dbd%3:80. On Tomcat, to use a link-local scoped IPv6 address, the workaround is to specify the scope ID along with the address in the address section. For example, address="fe80::124a:7dff:fea1:22be%3".
- 1363653 - Tomcat security manager Error [EWS-2.1.1]
- While using Tomcat 7 and jdk 1.6 with security manager, the Tomcat catalina log includes the java.security.AccessControlException: access denied error after it is started. You can ignore this error message.
mod_jk
- 900273 - mod_jk is unable to handle space after equal '=' sign in uriworkermap.properties where worker name includes a hyphen '-'
- In JBoss Enterprise Web Server, when a worker name includes the - character and a space is added after the = character in the uriworkermap.properties file, the following error appears in the mod_jk logs:
[25736:139832971024352] [error] uri_worker_map_ext::jk_uri_worker_map.c (506): Could not find worker with name jk-stauus in uri map post processing.
[25736:139832971024352] [error] uri_worker_map_ext::jk_uri_worker_map.c (506): Could not find worker with name jk-stauus in uri map post processing.
This is a known issue in JBoss Enterprise Web Server 3.0. A workaround for this issue is to remove the space after the = sign. Therefore, /jk-status|/* = jk-status is changed to /jk-status|/* =jk-status.
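A lint for the mod_jk issue above, as an added example that is not part of the original release notes: it flags mappings in uriworkermap.properties where whitespace follows = and the worker name contains -, and prints the file with the documented workaround applied. The function names are hypothetical, and the sample mappings other than the jk-status line are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a uriworkermap.properties file for the known issue above.
# A mapping is flagged when whitespace follows "=" and the worker name has "-".

# Print "LINE_NUMBER:LINE" for each affected mapping in file $1.
find_affected_mappings() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next                   # not a URI-to-worker mapping
            worker = substr($0, eq + 1)
            if (worker ~ /^[ \t]+[^ \t;]*-/) print NR ":" $0
        }' "$1"
}

# Print file $1 with the documented workaround applied: the whitespace after
# "=" is removed on affected lines only; every other line is left untouched.
apply_workaround() {
    awk '
        !/^[ \t]*(#|$)/ {
            eq = index($0, "=")
            worker = substr($0, eq + 1)
            if (eq > 0 && worker ~ /^[ \t]+[^ \t;]*-/) {
                sub(/^[ \t]+/, "", worker)
                $0 = substr($0, 1, eq) worker
            }
        }
        { print }' "$1"
}

# Constructed sample input (not taken from a real deployment).
write_sample() {
    cat > "$1" <<'EOF'
# constructed uriworkermap.properties sample
/jk-status|/* = jk-status
/app|/* = worker1
/jk-manager|/* =jk-manager
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Affected mappings:"; find_affected_mappings "$sample"
echo "After workaround:";  apply_workaround "$sample"
rm -f "$sample"
```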
mod_cluster
- 1340955 - A VirtualHost's ProxyTimeout or Timeout does not always properly override global Timeout
- With a shorter global Timeout and a longer ProxyTimeout specified in the VirtualHost, the VirtualHost's ProxyTimeout does not always take precedence.
- 1338645 - MODCLUSTER000022: Failed to drain n remaining pending requests
A. Revision History
Revision | Date | Author
---|---|---
2.1.1-15 | Thursday March 16 2017 | David Michael
Legal Notice
Copyright © 2017 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.