User Tools

Site Tools


tomcat

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
tomcat [2018/01/22 19:08]
k2patel created
tomcat [2020/06/11 21:42] (current)
k2patel [RHEL 8 / Tomcat 9]
Line 1: Line 1:
 ====== Tomcat ====== ====== Tomcat ======
 ==== Tomcat SSL ==== ==== Tomcat SSL ====
-Setting up tomcat with HTTP Native library. +==== Setting up tomcat with HTTP Native library. ​=== 
-<code | server.xml>​+<​code ​xml | server.xml>​
 <​Connector port="​8443"​ protocol="​org.apache.coyote.http11.Http11AprProtocol"​ scheme="​https"​ maxThreads="​200"​ secure="​true"​ SSLEnabled="​true"​ SSLCertificateFile="/​etc/​pki/​tls/​certs/​k2patel.in.crt"​ SSLCertificateKeyFile="/​etc/​pki/​tls/​private/​k2patel.in.key"​ SSLCACertificateFile="/​etc/​pki/​tls/​certs/​k2patel.in.int.ca"​ sslEnabledProtocols="​TLSv1.1,​TLSv1.2"​ SSLHonorCipherOrder="​true"​ SSLCipherSuite="​ECDHE-ECDSA-CHACHA20-POLY1305:​ECDHE-RSA-CHACHA20-POLY1305:​ECDHE-ECDSA-AES128-GCM-SHA256:​ECDHE-RSA-AES128-GCM-SHA256:​ECDHE-ECDSA-AES256-GCM-SHA384:​ECDHE-RSA-AES256-GCM-SHA384:​DHE-RSA-AES128-GCM-SHA256:​DHE-RSA-AES256-GCM-SHA384:​ECDHE-ECDSA-AES128-SHA256:​ECDHE-RSA-AES128-SHA256:​ECDHE-ECDSA-AES128-SHA:​ECDHE-RSA-AES256-SHA384:​ECDHE-RSA-AES128-SHA:​ECDHE-ECDSA-AES256-SHA384:​ECDHE-ECDSA-AES256-SHA:​ECDHE-RSA-AES256-SHA:​DHE-RSA-AES128-SHA256:​DHE-RSA-AES128-SHA:​DHE-RSA-AES256-SHA256:​DHE-RSA-AES256-SHA:​ECDHE-ECDSA-DES-CBC3-SHA:​ECDHE-RSA-DES-CBC3-SHA:​EDH-RSA-DES-CBC3-SHA:​AES128-GCM-SHA256:​AES256-GCM-SHA384:​AES128-SHA256:​AES256-SHA256:​AES128-SHA:​AES256-SHA:​DES-CBC3-SHA:​!DSS"></​Connector>​ <​Connector port="​8443"​ protocol="​org.apache.coyote.http11.Http11AprProtocol"​ scheme="​https"​ maxThreads="​200"​ secure="​true"​ SSLEnabled="​true"​ SSLCertificateFile="/​etc/​pki/​tls/​certs/​k2patel.in.crt"​ SSLCertificateKeyFile="/​etc/​pki/​tls/​private/​k2patel.in.key"​ SSLCACertificateFile="/​etc/​pki/​tls/​certs/​k2patel.in.int.ca"​ sslEnabledProtocols="​TLSv1.1,​TLSv1.2"​ SSLHonorCipherOrder="​true"​ SSLCipherSuite="​ECDHE-ECDSA-CHACHA20-POLY1305:​ECDHE-RSA-CHACHA20-POLY1305:​ECDHE-ECDSA-AES128-GCM-SHA256:​ECDHE-RSA-AES128-GCM-SHA256:​ECDHE-ECDSA-AES256-GCM-SHA384:​ECDHE-RSA-AES256-GCM-SHA384:​DHE-RSA-AES128-GCM-SHA256:​DHE-RSA-AES256-GCM-SHA384:​ECDHE-ECDSA-AES128-SHA256:​ECDHE-RSA-AES128-SHA256:​ECDHE-ECDSA-AES128-SHA:​ECDHE-RSA-AES256-SHA384:​ECDHE-RSA-AES128-SHA:​ECDHE-ECDSA-AES256-SHA384:​ECDHE-ECDSA-AES256-SHA:​ECDHE-RSA-AES256-SHA:​DHE-RSA-AES128-SHA256:​DHE-RSA-AES128-SHA:​DHE-RSA-AES256-SHA256:​DHE-RSA-AES256-SHA:​ECDHE-ECDSA-DES-CBC3-SHA:​ECDHE-RSA-DES-CBC3-SHA:​EDH-RSA-DES-CBC3-SHA:​AES128-GCM-SHA256:​AES256-GCM-SHA384:​AES128-SHA256:​AES256-SHA256:​AES128-SHA:​AES256-SHA:​DES-CBC3-SHA:​!DSS"></​Connector>​
 </​code>​ </​code>​
  
-Setting up HSTS with HTTP Native Library. +==== Setting up HSTS with HTTP Native Library. ​==== 
-<code | web.xml>+ 
 +<​code ​xml | web.xml>
     <​filter>​     <​filter>​
         <​filter-name>​httpHeaderSecurity</​filter-name>​         <​filter-name>​httpHeaderSecurity</​filter-name>​
Line 31: Line 32:
     </​filter-mapping>​     </​filter-mapping>​
 </​code>​ </​code>​
 +
 +==== Setting up redirect ====
 +<code xml | web.xml>
 +    <​security-constraint>​
 +       <​web-resource-collection>​
 +          <​web-resource-name>​Entire Application</​web-resource-name>​
 +             <​url-pattern>/​*</​url-pattern>​
 +       </​web-resource-collection>​
 +       <​user-data-constraint>​
 +          <​transport-guarantee>​CONFIDENTIAL</​transport-guarantee>​
 +       </​user-data-constraint>​
 +    </​security-constraint>​
 +</​code>​
 +
 +==== RHEL 8 / Tomcat 9====
 +
 +=== Install Packages ===
 +<code bash>
 +dnf install java-1.8.0-openjdk-devel tar apr-util-devel apr-util-openssl gcc openssl-devel
 +</​code>​
 +
 +=== Create User ===
 +<code bash>
 +groupadd --system tomcat -g 91 # with group id 91
 +useradd -u 91 -d /​usr/​share/​tomcat -r -s /bin/false -g tomcat tomcat ​ # with user id 91
 +</​code>​
 +
 +=== Download Tomcat Package ===
 +<code bash>
 +export TOM_VERSION="​9.0.36"​
 +wget "​https://​apache.osuosl.org/​tomcat/​tomcat-9/​v${TOM_VERSION}/​bin/​apache-tomcat-${TOM_VERSION}.tar.gz"​
 +</​code>​
 +
 +=== Extract Package ===
 +<code bash>
 +tar -xvf apache-tomcat-${TOM_VERSION}.tar.gz -C /usr/share/
 +ln -s /​usr/​share/​apache-tomcat-${TOM_VERSION} /​usr/​share/​tomcat
 +</​code>​
 +
 +=== Set Ownership ===
 +<code bash>
 +chown -R tomcat:​tomcat /​usr/​share/​tomcat
 +chown -R tomcat:​tomcat /​usr/​share/​apache-tomcat-${TOM_VERSION}
 +</​code>​
 +
 +=== Systemd service ===
 +<code bash | /​etc/​systemd/​system/​tomcat.service>​
 +[Unit]
 +Description=Tomcat Server
 +After=syslog.target network.target
 +
 +[Service]
 +Type=forking
 +User=tomcat
 +Group=tomcat
 +
 +Environment=JAVA_HOME=/​usr/​lib/​jvm/​jre
 +Environment='​JAVA_OPTS=-Djava.awt.headless=true'​
 +Environment=CATALINA_HOME=/​usr/​share/​tomcat
 +Environment=CATALINA_BASE=/​usr/​share/​tomcat
 +Environment=CATALINA_PID=/​usr/​share/​tomcat/​temp/​tomcat.pid
 +Environment='​CATALINA_OPTS=-Xms512M -Xmx3072M'​
 +ExecStart=/​usr/​share/​tomcat/​bin/​catalina.sh start
 +ExecStop=/​usr/​share/​tomcat/​bin/​catalina.sh stop
 +
 +[Install]
 +WantedBy=multi-user.target
 +</​code>​
 +
 +=== Backup / Remove examples ===
 +<code bash>
 +cp -Rp /​usr/​share/​tomcat/​webapps /​usr/​share/​tomcat/​webapps.bk
 +rm -rf /​usr/​share/​tomcat/​webapps/​{docs,​examples,​ROOT}
 +</​code>​
 +
 +=== Set User ===
 +<code xml | tomcat-users.xml>​
 +<role rolename="​manager-gui"/>​
 +<role rolename="​admin-gui"/>​
 +<role rolename="​admin-script"/>​
 +<role rolename="​manager-script"/>​
 +<role rolename="​manager-jmx"/>​
 +<user username="​admin"​ password="​something"​ roles="​admin-gui,​manager-gui,​manager-script,​manager-jmx,​admin-script"/>​
 +</​code>​
 +
 +=== Tomcat Native ===
 +<code bash>
 +cd /​usr/​share/​tomcat/​bin
 +tar -xvf tomcat-native.tar.gz
 +cd tomcat-native-1.2.24-src/​native
 +./configure --with-java-home=/​usr/​lib/​jvm/​java-openjdk --with-ssl=yes --prefix=/​usr/​share/​tomcat
 +make && make install
 +</​code>​
 +
 +<code bash | /​usr/​share/​tomcat/​bin/​setenv.sh>​
 +LD_LIBRARY_PATH=$LD_LIBRARY_PATH:​$CATALINA_HOME/​lib
 +export LD_LIBRARY_PATH
 +</​code>​
 +
 +:!: Set SSL[[tomcat#​tomcat_ssl|tomcat#​tomcat_ssl]] \\
 +:?: Set Auto redirect if needed [[tomcat#​setting_up_redirect|tomcat#​setting_up_redirect]]
 +
 +=== Start Service ===
 +<code bash>
 +systemctl daemon-reload
 +systemctl enable tomcat
 +systemctl start tomcat
 +</​code>​
 +
 +=== Firewall ===
 +<code bash>
 +firewall-cmd --permanent --add-port=8080/​tcp
 +firewall-cmd --permanent --add-port=8443/​tcp
 +firewall-cmd --reload
 +</​code>​
 +
 +
 +
 +
tomcat.1516648139.txt.gz · Last modified: 2018/01/22 19:08 by k2patel