Table of Contents

Tomcat

Tomcat SSL

Setting up tomcat with HTTP Native library.

| server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" maxThreads="200" secure="true" SSLEnabled="true" SSLCertificateFile="/etc/pki/tls/certs/k2patel.in.crt" SSLCertificateKeyFile="/etc/pki/tls/private/k2patel.in.key" SSLCACertificateFile="/etc/pki/tls/certs/k2patel.in.int.ca" sslEnabledProtocols="TLSv1.1,TLSv1.2" SSLHonorCipherOrder="true" SSLCipherSuite="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"></Connector>

Setting up HSTS with HTTP Native Library.

| web.xml
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
           <param-name>hstsMaxAgeSeconds</param-name>
           <param-value>31536000</param-value>
        </init-param>
        <init-param>
           <param-name>antiClickJackingEnabled</param-name>
           <param-value>false</param-value>
        </init-param>
        <init-param>
           <param-name>hstsIncludeSubDomains</param-name>
           <param-value>true</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
 
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Setting up redirect

| web.xml
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
             <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>

RHEL 8 / Tomcat 9

Install Packages

dnf install java-1.8.0-openjdk-devel tar apr-util-devel apr-util-openssl gcc openssl-devel

Create User

groupadd --system tomcat -g 91 # with group id 91
useradd -u 91 -d /usr/share/tomcat -r -s /bin/false -g tomcat tomcat  # with user id 91

Download Tomcat Package

export TOM_VERSION="9.0.36"
wget "https://apache.osuosl.org/tomcat/tomcat-9/v${TOM_VERSION}/bin/apache-tomcat-${TOM_VERSION}.tar.gz"

Extract Package

tar -xvf apache-tomcat-${TOM_VERSION}.tar.gz -C /usr/share/
ln -s /usr/share/apache-tomcat-${TOM_VERSION} /usr/share/tomcat

Set Ownership

chown -R tomcat:tomcat /usr/share/tomcat
chown -R tomcat:tomcat /usr/share/apache-tomcat-${TOM_VERSION}

Systemd service

| /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat Server
After=syslog.target network.target
 
[Service]
Type=forking
User=tomcat
Group=tomcat
 
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment='JAVA_OPTS=-Djava.awt.headless=true'
Environment=CATALINA_HOME=/usr/share/tomcat
Environment=CATALINA_BASE=/usr/share/tomcat
Environment=CATALINA_PID=/usr/share/tomcat/temp/tomcat.pid
Environment='CATALINA_OPTS=-Xms512M -Xmx3072M'
ExecStart=/usr/share/tomcat/bin/catalina.sh start
ExecStop=/usr/share/tomcat/bin/catalina.sh stop
 
[Install]
WantedBy=multi-user.target

Backup / Remove examples

cp -Rp /usr/share/tomcat/webapps /usr/share/tomcat/webapps.bk
rm -rf /usr/share/tomcat/webapps/{docs,examples,ROOT}

Set User

| tomcat-users.xml
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<user username="admin" password="something" roles="admin-gui,manager-gui,manager-script,manager-jmx,admin-script"/>

Tomcat Native

cd /usr/share/tomcat/bin
tar -xvf tomcat-native.tar.gz
cd tomcat-native-1.2.24-src/native
./configure --with-java-home=/usr/lib/jvm/java-openjdk --with-ssl=yes --prefix=/usr/share/tomcat
make && make install
| /usr/share/tomcat/bin/setenv.sh
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
export LD_LIBRARY_PATH

:!: Set SSLtomcat#tomcat_ssl
:?: Set Auto redirect if needed tomcat#setting_up_redirect

Start Service

systemctl daemon-reload
systemctl enable tomcat
systemctl start tomcat

Firewall

firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reload