...
Code Block | ||
---|---|---|
| ||
JAVACATALINA_OPTS="$JAVA$CATALINA_OPTS -XX:+PrintCommandLineFlags -XX:MaxPermSize=384m -Xms1024m -Xmx2048m -Djsse.enableSNIExtension=false" |
CATALINA_OPTS vs JAVA_OPTS
The uPortal instructions above previously recommended using JAVA_OPTS
for heap sizing. This can lead to problems on memory constrained systems because JAVA_OPTS
will be used when trying to stop Tomcat with its own scripts. You don't typically need a large heap at all for that operation. It is recommended to use CATALINA_OPTS, this is a
better choice for sizing the heap in setenv
scripts, because that var will only be used for Tomcat's http-serving runtime.
Required file permissions
...
Some sites have chosen to disable SSLv3 on their CAS server due to various vulnerabilities. That can cause problems with the CAS client used in uPortal being unable to establish an HTTPS connection to the CAS server to validate the service ticket and throwing an exception
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
One solution is to set the protocols used by Java when making SSL connections. You can do this by adding the following property to JAVACATALINA_OPTS OPTS (or CATALINAJAVA_OPTS if using that):
Oracle Java7: -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
Your CAS server must be configured to use one of the mentioned protocols or the handshake will fail. If your test CAS server is publicly accessible, you can view which protocols it supports by entering its domain name into https://www.ssllabs.com/ssltest/.
If you run into troubles, refer to https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https and other resources to help diagnose the issue.
...