====== Tomcat ======
==== Tomcat SSL ====
==== Setting up tomcat with HTTP Native library. ===
<code xml | server.xml>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" maxThreads="200" secure="true" SSLEnabled="true" SSLCertificateFile="/etc/pki/tls/certs/k2patel.in.crt" SSLCertificateKeyFile="/etc/pki/tls/private/k2patel.in.key" SSLCACertificateFile="/etc/pki/tls/certs/k2patel.in.int.ca" sslEnabledProtocols="TLSv1.1,TLSv1.2" SSLHonorCipherOrder="true" SSLCipherSuite="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"></Connector>
</code>

==== Setting up HSTS with HTTP Native Library. ====

<code xml | web.xml>
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
           <param-name>hstsMaxAgeSeconds</param-name>
           <param-value>31536000</param-value>
        </init-param>
        <init-param>
           <param-name>antiClickJackingEnabled</param-name>
           <param-value>false</param-value>
        </init-param>
        <init-param>
           <param-name>hstsIncludeSubDomains</param-name>
           <param-value>true</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</code>

==== Setting up redirect ====
<code xml | web.xml>
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
             <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
</code>

==== RHEL 8 / Tomcat 9====

=== Install Packages ===
<code bash>
dnf install java-1.8.0-openjdk-devel tar apr-util-devel apr-util-openssl gcc openssl-devel
</code>

=== Create User ===
<code bash>
groupadd --system tomcat -g 91 # with group id 91
useradd -u 91 -d /usr/share/tomcat -r -s /bin/false -g tomcat tomcat  # with user id 91
</code>

=== Download Tomcat Package ===
<code bash>
export TOM_VERSION="9.0.36"
wget "https://apache.osuosl.org/tomcat/tomcat-9/v${TOM_VERSION}/bin/apache-tomcat-${TOM_VERSION}.tar.gz"
</code>

=== Extract Package ===
<code bash>
tar -xvf apache-tomcat-${TOM_VERSION}.tar.gz -C /usr/share/
ln -s /usr/share/apache-tomcat-${TOM_VERSION} /usr/share/tomcat
</code>

=== Set Ownership ===
<code bash>
chown -R tomcat:tomcat /usr/share/tomcat
chown -R tomcat:tomcat /usr/share/apache-tomcat-${TOM_VERSION}
</code>

=== Systemd service ===
<code bash | /etc/systemd/system/tomcat.service>
[Unit]
Description=Tomcat Server
After=syslog.target network.target

[Service]
Type=forking
User=tomcat
Group=tomcat

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment='JAVA_OPTS=-Djava.awt.headless=true'
Environment=CATALINA_HOME=/usr/share/tomcat
Environment=CATALINA_BASE=/usr/share/tomcat
Environment=CATALINA_PID=/usr/share/tomcat/temp/tomcat.pid
Environment='CATALINA_OPTS=-Xms512M -Xmx3072M'
ExecStart=/usr/share/tomcat/bin/catalina.sh start
ExecStop=/usr/share/tomcat/bin/catalina.sh stop

[Install]
WantedBy=multi-user.target
</code>

=== Backup / Remove examples ===
<code bash>
cp -Rp /usr/share/tomcat/webapps /usr/share/tomcat/webapps.bk
rm -rf /usr/share/tomcat/webapps/{docs,examples,ROOT}
</code>

=== Set User ===
<code xml | tomcat-users.xml>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<user username="admin" password="something" roles="admin-gui,manager-gui,manager-script,manager-jmx,admin-script"/>
</code>

=== Tomcat Native ===
<code bash>
cd /usr/share/tomcat/bin
tar -xvf tomcat-native.tar.gz
cd tomcat-native-1.2.24-src/native
./configure --with-java-home=/usr/lib/jvm/java-openjdk --with-ssl=yes --prefix=/usr/share/tomcat
make && make install
</code>

<code bash | /usr/share/tomcat/bin/setenv.sh>
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
export LD_LIBRARY_PATH
</code>

:!: Set SSL[[tomcat#tomcat_ssl|tomcat#tomcat_ssl]] \\
:?: Set Auto redirect if needed [[tomcat#setting_up_redirect|tomcat#setting_up_redirect]]

=== Start Service ===
<code bash>
systemctl daemon-reload
systemctl enable tomcat
systemctl start tomcat
</code>

=== Firewall ===
<code bash>
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reload
</code>