...
Tomcat configuration:
The following instructions configure various parts of the Tomcat server. It is recommended that all configurations are applied.
The first task is to make sure Tomcat runs with the permissions of the tomcat user. This is far more secure than running Tomcat as root, and it also surfaces early the file-permission misconfigurations that would otherwise only be found when your applications are deployed to a production environment. Before starting the steps below, the System configuration, Java installation/update and Tomcat installation/update sections must be completed, and you should have opened a new shell or logged in again so that your profile (and with it $CATALINA_HOME and $JAVA_HOME) is refreshed.
tomcat user enforcement
- To enforce running Tomcat only as the tomcat user, add the following near the top of $CATALINA_HOME/bin/catalina.sh, directly after its first (#!) line - e.g. vi $CATALINA_HOME/bin/catalina.sh. Every Tomcat version ships its own catalina.sh, so re-apply this check after each upgrade.
# Detect whether the correct user, tomcat, is running the script
if [ "$(whoami)" != "tomcat" ] ; then
echo ""
echo "Tomcat should ONLY be run by user tomcat !!!!!"
echo "try sudo service tomcat start"
echo ""
exit 1
fi
Tomcat should always be started by the tomcat user and never as root or another user. Please see the attached tomcat7 script for an example of the init script that belongs in /etc/init.d/; it switches to the tomcat user before starting Tomcat. Once /etc/init.d/tomcat7 is in place, run sudo chkconfig --add tomcat7 so that Tomcat is started on reboot, and use sudo service tomcat7 start/stop/restart to run Tomcat manually.
Together with the user check in catalina.sh, this ensures that only the tomcat user can start the Tomcat server. Please see $CATALINA_HOME/bin/catalina.sh for more information.
4) Make sure all directories and files in $CATALINA_HOME are owned by tomcat:tomcat
5) An effort has been made to place versions of Tomcat in /usr/src/tomcat. A symbolic link, current, points at the installed version, and $CATALINA_HOME (set for all users in /etc/profile.d/catalina.sh) refers to that link. This makes upgrading Tomcat easier: only the link needs to be changed, and /etc/profile.d/catalina.sh stays as it is. The same applies to the Java versions installed. On this machine all Java versions are placed in /usr/src/jvm, and a link, current, points to the version used by the environment variable $JAVA_HOME, which again is set for all users in /etc/profile.d/java.sh. Your application of this concept may vary, but putting it into practice will make upgrading versions of Tomcat and Java far less painful.
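The three user-enforcement steps above (the whoami guard in catalina.sh, the tomcat:tomcat ownership requirement, and the current -> version symlink) can be rehearsed without root. The script below is an added example, not part of the original guide or of Tomcat: it builds a throwaway CATALINA_HOME under a temporary directory, installs the guard in a stand-in catalina.sh, runs it as whoever you are (so it fails unless you happen to be the tomcat user), lists files not owned by the expected user, and moves the current link between two made-up version directories. All paths and the version labels are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): rehearses the
# "run Tomcat only as tomcat" steps in a throwaway directory.
# Every path and version label below is an assumption for the demo.
set -eu

# Install the guide's whoami guard at the top of a catalina.sh stand-in.
write_user_guard() {   # $1 = path of the catalina.sh to create
    cat > "$1" <<'EOF'
#!/bin/sh
# Detect whether the correct user, tomcat, is running the script
if [ "$(whoami)" != "tomcat" ] ; then
  echo ""
  echo "Tomcat should ONLY be run by user tomcat !!!!!"
  echo "try sudo service tomcat start"
  echo ""
  exit 1
fi
echo "guard passed, Tomcat would start here"
EOF
}

# Run the guarded script as the current user and print its exit status:
# 1 for anyone but tomcat (what "sudo bin/startup.sh" as root gets too).
run_guard() {   # $1 = path of catalina.sh
    if sh "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# What the guard should return for whoever runs this script.
expected_guard_status() {
    if [ "$(whoami)" = "tomcat" ]; then echo 0; else echo 1; fi
}

# Print every path under $1 NOT owned by user $2. Empty output means the
# "everything in $CATALINA_HOME owned by tomcat" requirement holds.
find_wrong_owner() {   # $1 = CATALINA_HOME  $2 = expected owner
    find "$1" ! -user "$2" -print
}

# Build the /usr/src/tomcat-style layout: $1/apache-tomcat-$2 plus a
# "current" symlink. Calling it again with a new version only moves the
# link, which is the whole point of the layout.
point_current_at() {   # $1 = base dir  $2 = version label
    mkdir -p "$1/apache-tomcat-$2/bin" "$1/apache-tomcat-$2/conf"
    ln -sfn "apache-tomcat-$2" "$1/current"
    readlink "$1/current"        # prints the directory current resolves to
}

demo() {
    tmp=$(mktemp -d)
    write_user_guard "$tmp/catalina.sh"
    echo "guard exit status as $(whoami): $(run_guard "$tmp/catalina.sh")"
    echo "first install  -> $(point_current_at "$tmp/tomcat" 8.5.0)"
    echo "upgrade        -> $(point_current_at "$tmp/tomcat" 8.5.1)"
    echo "paths not owned by $(whoami): $(find_wrong_owner "$tmp" "$(whoami)" | wc -l)"
    rm -rf "$tmp"
}
demo
```

On the real host the same find command, run against /usr/src/tomcat with tomcat as the expected owner, is the check for step 4; anything it prints needs a chown before the next start.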
...
This ensures that even if someone tries to start Tomcat as a user other than tomcat (e.g. sudo bin/startup.sh, which would run it as root), they will receive an error and instructions on how to correctly start the server.
tomcat server - reasonable defaults
- Following are some reasonable defaults to run Tomcat under. They set memory constraints, a modest increase of PermGen so that redeploying applications does not cause java.lang.OutOfMemoryError: PermGen space, the Java 7 concurrent (CMS) garbage collector, and the JMX password/access file settings. We encourage use of JMX because it is a standard we increasingly use for runtime monitoring and configuration, and many applications now depend on JMX to run correctly. Some of the settings will require editing to reflect your environment (e.g. -Djava.rmi.server.hostname=192.168.1.xxx). Note that these flags target Java 7: on Java 8 and later there is no PermGen, so -XX:PermSize and -XX:MaxPermSize are ignored with a warning (size Metaspace with -XX:MaxMetaspaceSize instead), and the CMS collector was deprecated in JDK 9 and removed in JDK 14.
- The following settings also define paths for "endorsed" lib and bin directories. If you are unsure what these are for you probably don't need them but they should be configured in case they are needed.
- If $CATALINA_HOME/bin does not already contain setenv.sh, create it - sudo vi $CATALINA_HOME/bin/setenv.sh - and make sure it ends up owned by tomcat:tomcat like everything else under $CATALINA_HOME. catalina.sh sources this file on every start if it exists. Copy/save into this file the following lines, changing those configuration items that are different for your system (e.g. 192.168.1.xxx). Two security points about the JMX lines: jmxremote.ssl=false sends the JMX user name and password over the network in cleartext, so only do this where the JMX port is reachable solely from a trusted management network (firewall it), and leave jmxremote.authenticate at its default of true. Also, the JVM will refuse to start unless jmxremote.password is owned by the user running Tomcat and readable by nobody else (chmod 600).
CATALINA_OPTS="-Dcom.sun.management.jmxremote \
-Djava.rmi.server.hostname=192.168.1.xxx \
-Xms512m -Xmx1024m \
-XX:NewSize=256m -XX:MaxNewSize=256m -XX:PermSize=256m \
-XX:MaxPermSize=512m -XX:+DisableExplicitGC \
-XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.password.file=$CATALINA_HOME/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=$CATALINA_HOME/conf/jmxremote.access"
export CATALINA_OPTS
export LD_LIBRARY_PATH=$CATALINA_HOME/endorsed/current/lib:$LD_LIBRARY_PATH
export PATH="$PATH:$CATALINA_HOME/endorsed/current/bin"
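The JMX lines in the setenv.sh above depend on two files that the page has not yet created, and on the JVM's permission rule for the password file. The following is an added example, not from the original guide or from Tomcat: it writes jmxremote.password and jmxremote.access with the required modes, reports why the JVM would reject a password file, and lints a CATALINA_OPTS string for the settings discussed above (ssl=false, authenticate=false, and the PermGen flags that Java 8+ ignores). The role name monitorRole, the password and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide. Creates the JMX
# password/access files referenced by CATALINA_OPTS with the permissions
# the JVM insists on, and lints a CATALINA_OPTS string. The role name,
# password and paths are constructed for the demo.
set -eu

# Write jmxremote.password and jmxremote.access into $1 (normally
# $CATALINA_HOME/conf). Both files use "role value" lines. The JVM refuses
# to start ("Password file read access must be restricted") if group or
# others can read the password file, so create it 0600 from the start.
write_jmx_credentials() {   # $1=conf dir $2=role $3=password $4=readonly|readwrite
    ( umask 077                               # born 0600, never world-readable
      printf '%s %s\n' "$2" "$3" > "$1/jmxremote.password"
      printf '%s %s\n' "$2" "$4" > "$1/jmxremote.access" )
    chmod 0600 "$1/jmxremote.password"
    chmod 0640 "$1/jmxremote.access"
}

# Permission string of a file, e.g. "-rw-------" (GNU and BSD ls agree).
file_mode() { ls -ld "$1" | cut -c1-10; }

# Prints "ok" when $1 is owned by $2 and unreadable by group/others,
# otherwise the reason the JVM would reject it at startup.
check_password_file() {   # $1=password file $2=user that runs Tomcat
    mode=$(file_mode "$1")
    grp=$(printf '%s' "$mode" | cut -c5)   # group read bit
    oth=$(printf '%s' "$mode" | cut -c8)   # other read bit
    if [ "$grp" = r ] || [ "$oth" = r ]; then
        echo "mode $mode: readable by group/others, JVM will refuse to start"
        return 0
    fi
    if [ -z "$(find "$1" -user "$2" -print)" ]; then
        echo "not owned by $2"
        return 0
    fi
    echo ok
}

# Lint a CATALINA_OPTS value; one finding per line, no output means clean.
check_jmx_opts() {   # $1 = CATALINA_OPTS string
    opts=$1
    case "$opts" in
        *"jmxremote.ssl=false"*)
            echo "WARN: jmxremote.ssl=false, the JMX password crosses the network in cleartext; firewall the port" ;;
    esac
    case "$opts" in
        *"jmxremote.authenticate=false"*)
            echo "FAIL: jmxremote.authenticate=false, anyone who reaches the port controls the JVM" ;;
    esac
    case "$opts" in
        *"-XX:PermSize"*|*"-XX:MaxPermSize"*)
            echo "INFO: PermSize/MaxPermSize are ignored on Java 8+, size Metaspace with -XX:MaxMetaspaceSize instead" ;;
    esac
}

demo() {
    conf=$(mktemp -d)                         # stands in for $CATALINA_HOME/conf
    write_jmx_credentials "$conf" monitorRole "constructed-demo-password" readonly
    echo "password file: $(check_password_file "$conf/jmxremote.password" "$(id -un)")"
    opts="-Dcom.sun.management.jmxremote -Djava.rmi.server.hostname=192.168.1.xxx -Dcom.sun.management.jmxremote.ssl=false -XX:MaxPermSize=512m"
    check_jmx_opts "$opts"
    rm -rf "$conf"
}
demo
```

Run check_password_file against the real $CATALINA_HOME/conf/jmxremote.password with tomcat as the second argument before each start; a non-"ok" answer is exactly the condition that makes the JVM exit during startup.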
7) JMX is a service we use to monitor the health of Tomcat while it is running. Changes need to be made to $CATALINA_HOME/conf/server.xml and to $CATALINA_HOME/bin/setenv.sh (the file created above; setenv.sh lives in bin/, not conf/). The following directive needs to be added to server.xml - it can be placed with the other Listener elements.
...