tomcat [2020/06/11 21:41] k2patel |
tomcat [2020/08/10 02:35] |
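--- a/tomcat
+++ b/tomcat
@@ -1,151 +0,0 @@
-====== Tomcat ======
-==== Tomcat SSL ====
-==== Setting up tomcat with HTTP Native library. ===
-<code xml | server.xml>
-<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" maxThreads="200" secure="true" SSLEnabled="true" SSLCertificateFile="/etc/pki/tls/certs/k2patel.in.crt" SSLCertificateKeyFile="/etc/pki/tls/private/k2patel.in.key" SSLCACertificateFile="/etc/pki/tls/certs/k2patel.in.int.ca" sslEnabledProtocols="TLSv1.1,TLSv1.2" SSLHonorCipherOrder="true" SSLCipherSuite="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"></Connector>
-</code>
-
-==== Setting up HSTS with HTTP Native Library. ====
-
-<code xml | web.xml>
-<filter>
-<filter-name>httpHeaderSecurity</filter-name>
-<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
-<init-param>
-<param-name>hstsMaxAgeSeconds</param-name>
-<param-value>31536000</param-value>
-</init-param>
-<init-param>
-<param-name>antiClickJackingEnabled</param-name>
-<param-value>false</param-value>
-</init-param>
-<init-param>
-<param-name>hstsIncludeSubDomains</param-name>
-<param-value>true</param-value>
-</init-param>
-<async-supported>true</async-supported>
-</filter>
-
-<filter-mapping>
-<filter-name>httpHeaderSecurity</filter-name>
-<url-pattern>/*</url-pattern>
-</filter-mapping>
-</code>
-
-==== Setting up redirect ====
-<code xml | web.xml>
-<security-constraint>
-<web-resource-collection>
-<web-resource-name>Entire Application</web-resource-name>
-<url-pattern>/*</url-pattern>
-</web-resource-collection>
-<user-data-constraint>
-<transport-guarantee>CONFIDENTIAL</transport-guarantee>
-</user-data-constraint>
-</security-constraint>
-</code>
-
-==== RHEL 8 / Tomcat 9====
-
-=== Install Packages ===
-<code bash>
-dnf install java-1.8.0-openjdk-devel tar apr-util-devel apr-util-openssl gcc openssl-devel
-</code>
-
-=== Create User ===
-<code bash>
-groupadd --system tomcat -g 91 // with group id 91
-useradd -u 91 -d /usr/share/tomcat -r -s /bin/false -g tomcat tomcat // with user id 91
-</code>
-
-=== Download Tomcat Package ===
-<code bash>
-export TOM_VERSION="9.0.36"
-wget "https://apache.osuosl.org/tomcat/tomcat-9/v${TOM_VERSION}/bin/apache-tomcat-${TOM_VERSION}.tar.gz"
-</code>
-
-=== Extract Package ===
-<code bash>
-tar -xvf apache-tomcat-${TOM_VERSION}.tar.gz -C /usr/share/
-ln -s /usr/share/apache-tomcat-${TOM_VERSION} /usr/share/tomcat
-</code>
-
-=== Set Ownership ===
-<code bash>
-chown -R tomcat:tomcat /usr/share/tomcat
-chown -R tomcat:tomcat /usr/share/apache-tomcat-${TOM_VERSION}
-</code>
-
-=== Systemd service ===
-<code bash | /etc/systemd/system/tomcat.service>
-[Unit]
-Description=Tomcat Server
-After=syslog.target network.target
-
-[Service]
-Type=forking
-User=tomcat
-Group=tomcat
-
-Environment=JAVA_HOME=/usr/lib/jvm/jre
-Environment='JAVA_OPTS=-Djava.awt.headless=true'
-Environment=CATALINA_HOME=/usr/share/tomcat
-Environment=CATALINA_BASE=/usr/share/tomcat
-Environment=CATALINA_PID=/usr/share/tomcat/temp/tomcat.pid
-Environment='CATALINA_OPTS=-Xms512M -Xmx3072M'
-ExecStart=/usr/share/tomcat/bin/catalina.sh start
-ExecStop=/usr/share/tomcat/bin/catalina.sh stop
-
-[Install]
-WantedBy=multi-user.target
-</code>
-
-=== Backup / Remove examples ===
-<code bash>
-cp -Rp /usr/share/tomcat/webapps /usr/share/tomcat/webapps.bk
-rm -rf /usr/share/tomcat/webapps/{docs,examples,ROOT}
-</code>
-
-=== Set User ===
-<code xml | tomcat-users.xml>
-<role rolename="manager-gui"/>
-<role rolename="admin-gui"/>
-<role rolename="admin-script"/>
-<role rolename="manager-script"/>
-<role rolename="manager-jmx"/>
-<user username="admin" password="something" roles="admin-gui,manager-gui,manager-script,manager-jmx,admin-script"/>
-</code>
-
-=== Tomcat Native ===
-<code bash>
-cd /usr/share/tomcat/bin
-tar -xvf tomcat-native.tar.gz
-cd tomcat-native-1.2.24-src/native
-./configure --with-java-home=/usr/lib/jvm/java-openjdk --with-ssl=yes --prefix=/usr/share/tomcat
-make && make install
-</code>
-
-<code bash | /usr/share/tomcat/bin/setenv.sh>
-LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
-export LD_LIBRARY_PATH
-</code>
-
-:!: Set SSL[[tomcat#tomcat_ssl|tomcat#tomcat_ssl]] \\
-:?: Set Auto redirect if needed [[tomcat#setting_up_redirect|tomcat#setting_up_redirect]]
-
-=== Start Service ===
-<code bash>
-systemctl daemon-reload
-systemctl enable tomcat
-systemctl start tomcat
-</code>
-
-=== Firewall ===
-<code bash>
-firewall-cmd --permanent --add-port=8080/tcp
-firewall-cmd --permanent --add-port=8443/tcp
-firewall-cmd --reload
-</code>
-
-
-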