Java App Servers

Java application servers that support the Java EE platform and features include JOnAS from Object Web, WildFly (formerly JBoss AS) from JBoss, Geronimo from Apache, TomEE from Apache, Resin Java Application Server from Caucho Technology, Blazix from Desiderata Software, Enhydra Server from, and GlassFish from Oracle. Commercial Java app servers include WebLogic by Oracle, WebSphere from IBM and the open source JBoss Enterprise Application Platform (JBoss EAP) by Red Hat.

Share tech news, updates, or what's on your mind.

Sign up to Post

There are numerous questions about how to setup an IBM HTTP Server to be administered from WebSphere Application Server administrative console. I do hope this article will wrap things up and become a reference for this task.

You need three things to start/stop and administer IHS server from within WAS admin console:
1. IHS admin server configured and running
2. admin credential created with password on IHS admin server
3. IHS server defined on WAS side and admin credentials stored in there.

Configuring IBM HTTP Server administration server is in fact configuring separate apache instance (httpd process daemon) and the product provides scripting tools to do that. However, Windows and Linux versions differ a bit in that aspect.

When your IHS installation is on Windows and you want to start/stop it from WAS console, you need to have your web server based on Windows service (if you just want to start/stop it manually from shell scripts it is not necessary). Now, there’s a manual way to configure Windows service, but this a topic for a separate article, so let’s assume we’re installing IBM HTTP Server with Installation Manager and we create corresponding Windows service underway, which is shown as a screenshot from IM below. Please note that “Startup type”  option is set to “Manual” for greater control. Also, leave the setting for “Log on with local system account” as it is unless you need some specific account to use for your IHS.
LVL 11

Author Comment

by:Radek Baranowski
Comment Utility
Very good point, indeed it lacked some wrap-up at the end. I do hope the paragrapgh added will be a sufficient summary.

[Webinar] Learn How Hackers Steal Your Credentials
[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Upgrading Tomcat –
There are a couple of methods to upgrade Tomcat

is to use The Apache Installer
is to download and unzip and run the services.bat remove|install Tomcat6

Because of the App that we are working with, we can only use Tomcat 6.

Note: Care should be taken by the installer to address proper notification, testing and there could be variations to doing this process.

Why upgrade?  There can be many reasons and just to keep up-to-date is not always the best reason to do so.  However, reading the Apache Tomcat Change Log and the fact that there have been many releases since the version that I am going to show below which address memory, cpu and other components when running on the server.

From we can find some compelling reasons as to why we are going to upgrade:
50306: New StuckThreadDetectionValve to detect requests that take a long time to process, which might indicate that their processing threads are stuck. Based on a patch provided by TomLu. (kkolinko)
Add denyStatus attribute to RequestFilterValve (RemoteAddrValve, RemoteHostValve valves). It allows to use different HTTP response code when rejecting denied request. E.g. 404 instead of 403. (kkolinko)
52850: Extend memory leak prevention and detection code to work with IBM as well as Oracle JVMs. Based on a patch provided by Rohit Kelapure. (kkolinko)
LVL 27

Expert Comment

by:Rainer Meller
Comment Utility
just a remark, whenever I upgrade tomcat I always look for the latest java version.

so basically I stop tomcatm, save the webapps and config folder. deinstall tomcat, install latest (java6 or java7), install tomcat, copy the webapps and config folder to their former location.

I always make sure to copy the latest tcnative-1.dll file to the tomcat/bin folder. This is needed when you install tomcat on a server without access to the internet.

apart from that good article,

Expert Comment

by:Shashikanth P
Comment Utility

I have upgrading Apache Tomcat 9.0.0.M3 to 9.0.0.M21 i.e latest version .

I am also getting the above  errors but i IGNORE the two steps but my tomcat has successfully upgraded .

Is there  any issue  in my up gradation process please let me know .
This article is about some of the basic and important steps to be used to improve the performance in web-sphere commerce application development.

1) Always leverage the Dyna-caching facility provided by the product

2) Remove the unwanted code from JSP when you are customizing the store for your need.

3) Look for <wcf:getData  tags and see if you are still using them

4) Reduce the usage of data beans in nested forEach loops

5) Make sure that background Ajax calls will not take more than 2 seconds. So that that you avoid the bad state of attribute and cookie values

6) Mostly web sphere commerce out of the box code will have all the feature supported and the code will be checking for all those feature. If your business requirements are not needed all those features try to remove the unused code, attributes and checks.

8)Whenever possible try to do minimal change on the out of the box(OOTB)  features to achieve your customized features.

9) Dojo widgets are used by customizing in WC. When you need some more web 2.0 features you can use the Dojo toolkit itself or you can use jQuery.

10) Try to get the preliminary validations at front end. Like quantity, names, login etc. And some of the specific secure business flows in backed as well.

11) Use common variable include in the JEnvironmentSetup.jspf

12) Use JSP comments for comments like <%-- Some comments --%> and avoid big comments in html comments <!-- Some Html Comments -->

Most of the developers using Tomcat find it easy to configure the datasource in Server.xml and use the JNDI name in the code to get the connection.  So the default connection pool using DBCP (or any other framework) is made available and the life goes easy using the connection pool.

But problems pop up when you use Tomcat as your production server. The most vulnerable part is the exposure of database username and password in clear text format. There are lots of chances for the data being corrupted using the login credentials. So the need of the hour is to safeguard the exposed username and password through some means.

And here goes the way to do it....

Credit: Full credit to Michael Remijan for this wonderful article on how to secure the password in Tomcat.  Please read it at:

What I am discussing here is the other way of implementing it using the Cipher encryption based on a encryption key, just to make the life of some intruders a little bit harder.  Ok, let's get to the code straight away,

Here is the normal Datasource configuration in Server.xml,.  A you can see, username and password are exposed, which is vulnerable and totally unacceptable.

<Context path="/myProject" docBase="myProject" debug="1" reloadable="true">
 <Resource name="jdbc/test" auth="Container" type="javax.sql.DataSource"  driverClassName="oracle.jdbc.driver.OracleDriver" url="jdbc:oracle:thin:@server:1523:TEST"

Open in new window

This exercise is about for the following scenario:
Dmgr and One node with 2 application server.
Each application server contains it owns application.

Application server name as follows

server1 contains app1
server2 contains app1

1) You need to setup websphere global security with LDAP registry or Federated repository
2) You need to create two users on LDAP ( for example user1 and user2)

Requirement: WAS 7.0 and LDAP or you can also use federated repository ( file based  repository comes as a default security with WAS7.0)

The objective of this article is access for one user for a particular application server with in cell but limiting their access to other application server and applications. This article helps where you have application owner want to maintain their own app.

This can achieve this by configuring through the use of Administrative Authorization Groups. These groups map specific scopes or objects to console users and roles, thus allowing those users that role access to those specific objects.

Steps for configuring Fine Grained Adminstrative Security via  Administrative Authorization Groups

  1. In the administrative console, under Users and Groups, click Administrative user roles.
      Click ADD
  2. Under Roles, scroll down and select Monitor
  3. Click on the Search button it display all users from our LDAP
  4. Select user1 and user2.  Click the right arrow to move them to the …

Author Comment

Comment Utility
Thank you very much
Verbose logging is used to diagnose garbage collector problems.
By default, -verbose:gc output is written to either native_stderr.log or native_stdout.log.   It is also possible to redirect the logs to a user-specified file.

This article will describe the steps to redirect the verbose gc logs to user specified file for the Windows platform.

By default, -verbose:gc output is written to stderr.  The  -Xverbosegclog command can be used to redirect the verbosegc output to user specified file other than the native stdout/stderr file.


...causes -verbose:gc output to be written to the specified file.  If the file cannot be found, -verbose:gc tries to create the file, and then continues as normal if it is successful.  If it cannot create the file (for example, if an invalid filename is passed into the command), it will redirect the output to stderr.  If you specify <X> and <Y> the -verbose:gc output is redirected to <X> files, each containing <Y> GC cycles.  (Refer IBM 1.5.0 Java diag guide ).
Here are the steps to redirect the verbosegc output to user specified file:          
1)  In WAS Administrative Console, expand Servers and then click on Application Servers.                                                    
2)  Click on the server …

Author Comment

Comment Utility
It is tutorial how to setup....

not the  problem or resolution

detail steps required more than 300 words
Configure Web Service (server application)

I. Configure security for Web Services methods First, we need to protect Session bean which implements the service:

1. Open EJB deployment descriptor (ejb-jar.xml) in the EJB project that contains your bean, go to Assembly tab
2. Add required security roles e.g. AllAuthenticated
3. Configure Method Permissions:
- select role, then select bean, then select appropriate methods that should be protected
4. Save and close file.
5. Open Application Deployment Descriptor (application.xml) in the EAR project
6. Go to Security tab, and click Gather
7. For each role specify bindings - check Users/Groups and type appropriate users, groups or special subject (e.g. All authenticated users).
8. Save and close file.

II. Configure WS-Secutity
Now after we protected EJB, call to the service will require proper authentication. We will configure the service to use LTPA token for authentication.

1. Open webservices.xml file, go to Extensions tab
2. Expand Request Consumer Service Configuration Details > Required Security Token, click Add:
- Name: LTPA
- Token: LTPA Token
- Click OK.

3. Expand Caller Part, click Add
- Name: LTPA_Caller
- Token: LTPAToken
- Click OK.

4. Go to Binding Configuration tab
5.Expand Request Consumer Binding Configuration Details > Token Consumer, click Add
- Token consumer name: LTPA_token_con
- Token consumer class:
- Security Token: LTPA

Author Comment

Comment Utility
1) It is tutorial how to setup.... (Securing Web Service with LTPA authentication)

2) not the  problem or resolution

Steps required more than 300 words.
-Xmx and -Xms are the two JVM options often used to tune JVM heap size.


Here are some common mistakes made when using them:


Assume BigApp is a java class file for the below examples.

1.         Missing m, M, g or G at the end (they are case insensitive). For example,

java -Xmx128 BigApp
java.lang.OutOfMemoryError: Java heap space

The correct command should be “java -Xmx128m BigApp”.


2.         Extra space in JVM options, or incorrect use of =. For example,

java -Xmx 128m BigApp
Invalid maximum heap size: -Xmx
Could not create the Java virtual machine.

java -Xmx=512m BigApp
Invalid maximum heap size: -Xmx=512m
Could not create the Java virtual machine.

The correct command should be “java -Xmx128m BigApp”, with no whitespace nor =.


-X options are different than -Dkey=value system properties, where = is used.


3.         Only setting -Xms JVM option and its value is greater than the default maximum heap size, which is 64m. The default minimum heap size seems to be 0. For example,

java -Xms128m BigApp
Error occurred during initialization of VM
Incompatible initial and maximum heap sizes specified

The correct command should be “java -Xms128m -Xmx128m BigApp”.


It’s a good idea to set the minimum and maximum heap size to the same value. In any case, don’t let the minimum heap size exceed the maximum heap size.


4.         Heap size is larger than your computer’s physical memory. For example,…

Expert Comment

Comment Utility
article is nice ...

please post more about  tunning tips too.

Thanks for article

Java App Servers

Java application servers that support the Java EE platform and features include JOnAS from Object Web, WildFly (formerly JBoss AS) from JBoss, Geronimo from Apache, TomEE from Apache, Resin Java Application Server from Caucho Technology, Blazix from Desiderata Software, Enhydra Server from, and GlassFish from Oracle. Commercial Java app servers include WebLogic by Oracle, WebSphere from IBM and the open source JBoss Enterprise Application Platform (JBoss EAP) by Red Hat.

Top Experts In
Java App Servers