This page describes the installation and configuration of a Tomcat server running in a Linux environment, and how to download and install or update Java.  Windows installations can apply these configurations in a similar manner.  If you are unable to complete any of these steps because a command does not exist (e.g. service tomcat7 start or openssl dgst -md5 tomcat.tar.zip) then please contact SysAdmin for assistance.

 

tomcat user:

  1. Make sure a user, tomcat, has been created with no privileges, no shell. (e.g. tomcat:x:506:99::/home/tomcat:/sbin/nologin).  If you are unsure how to do this please contact SysAdmin for assistance (e.g. sudo useradd -M -s /usr/bin/nologin -g nobody tomcat).

...

    • If an entry for catalina.sh does not already exist in /etc/profile.d/catalina.sh then you will need to create one; sudo vi /etc/profile.d/catalina.sh
      In this file put the following line:
           export CATALINA_HOME=/opt/apache-tomcat/current
      If the file already exists be sure it has the above entry.
    • Once you open a new shell or login you will be able to test this configuration:
      echo $CATALINA_HOME should return /opt/apache-tomcat/<the directory you installed>

$JAVA_HOME

    • If an entry for java.sh does not already exist in /etc/profile.d/java.sh then you will need to create one;  sudo vi /etc/profile.d/java.sh
      In this file put the following line:
      export JAVA_HOME=/opt/java/current
      If the file already exists be sure it has the above entry.
    • Once you open a new shell or login you will be able to test this configuration:
      echo $JAVA_HOME should return /opt/java/<the directory you installed>  -  and running java -version should return the version of Java you have installed.

/etc/init.d/tomcat7
The following configuration is the script that starts, stops and restarts the Tomcat server, both from the command line and when the system is restarted.  From the command line it is usually run as sudo service tomcat7 stop/start/restart.
In both cases the Tomcat server will be started to run with the permissions of the tomcat user.

    • If an entry for tomcat7 does not exist in /etc/init.d/tomcat7 then you will need to create one.  Attached to this issue is a file, initd-tomcat7.  Open the file and copy the contents into sudo vi /etc/init.d/tomcat7.  Save the file (e.g. :wq).
      If an entry for tomcat7 already exists, be sure it contains similar, if not identical, code to the attached file; otherwise the Tomcat server may not be started correctly.
    • Finally, to be sure the script is executed at startup, run sudo chkconfig --add tomcat7 and then sudo chkconfig tomcat7 on
       

Java installation/update:

  1. If the server does not already have a directory /opt/java, then create one (sudo mkdir /opt/java). Change to this directory: cd /opt/java
  2. Download the version of Java appropriate for this version of Linux (e.g. x86_64).  The version of Linux can be determined by running uname -a from the command line.
    Oracle requires that you accept the license before you download the tar.gz file.  This can be problematic for wget.  The command to run the download follows.  Go to the Oracle Java download site, click on the accept license button, select the JDK version for this machine and copy the link.  Replace the link in the following command with the one you have copied:

    wget --no-cookies \
    --no-check-certificate \
    --header "Cookie: oraclelicense=accept-securebackup-cookie" \
    "http://download.oracle.com/otn-pub/java/jdk/7u55-b13/jdk-7u55-linux-x64.tar.gz"
     

  3. Once the file has completed downloading, untar the Java distribution and delete the tar file (sudo tar xzf jdk-7u55-linux-x64.tar.gz).
  4. If the directory, /opt/java, did not exist, create a "current" symlink to the new Java directory (e.g. sudo ln -s jdk-7u55-linux-x64 current). If the directory, /opt/java, did exist and the link, current, was already there, then you will need to sudo unlink current before linking it again.  NOTE: The reason for symlinking the directory is so that any references to the current Java installation (e.g. $JAVA_HOME, /etc/profile.d/java.sh...) do not have to be updated.  This simplifies maintenance.
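
The wget command above skips certificate checking and fetches over plain HTTP, so nothing in steps 2 to 4 confirms that the archive is the one the vendor published. The following added example (not part of the original page) checks the download against a published SHA-256 before unpacking it and repointing current. The name install_jdk, its return codes, and the use of sha256sum in place of the openssl dgst -md5 command mentioned at the top of the page are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): verify, unpack and activate a JDK.
# Assumed: GNU tar/coreutils; the expected SHA-256 is copied from the vendor's
# checksum page; install_jdk is a hypothetical helper name.
# Usage: install_jdk jdk-7u55-linux-x64.tar.gz <published-sha256> /opt/java

install_jdk() {
    archive=$1    # downloaded tarball
    expected=$2   # published SHA-256, lowercase hex
    dest=$3       # e.g. /opt/java

    # 1. Integrity: refuse to unpack anything whose digest does not match.
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive; not extracting" >&2
        return 2
    fi

    # 2. Reject member names that are absolute or climb out with "..".
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path inside $archive" >&2
        return 3
    fi

    # 3. Expect exactly one top-level directory; it becomes the link target.
    top=$(tar -tzf "$archive" | sed 's|^\./||' | cut -d/ -f1 | sort -u)
    if [ -z "$top" ] || [ "$(printf '%s\n' "$top" | wc -l)" -ne 1 ]; then
        echo "expected one top-level directory in $archive" >&2
        return 4
    fi

    # 4. Unpack as root without keeping the archive's recorded file owners.
    tar -xzf "$archive" -C "$dest" --no-same-owner || return 5

    # 5. Repoint "current"; -n replaces the old link instead of following it.
    ln -sfn "$top" "$dest/current"
}
```

Because ln -sfn replaces an existing link, the separate sudo unlink current step is not needed when this function is used.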

...

Tomcat configuration:
The following instructions configure various parts of the Tomcat server.  It is recommended that all configurations are applied.
The first task is to be sure Tomcat is run with the permissions of the tomcat user.  This is far more secure than running Tomcat as root, and it will quickly point out any misconfigurations that would otherwise certainly be found when your applications are deployed to a production environment.

tomcat user enforcement

    • To enforce running Tomcat only as tomcat user add the following to the top of $CATALINA_HOME/bin/catalina.sh - e.g. vi $CATALINA_HOME/bin/catalina.sh

      # Detect whether the correct user, tomcat, is running the script

      if [ "$(whoami)" != "tomcat" ] ; then
          echo ""
          echo "Tomcat should ONLY be run by user tomcat !!!!!"
          echo ""
          exit 1
      fi



Tomcat should always be started by the tomcat user and never as root or another user. Please see the attached tomcat7 script for an example of the script that should be in /etc/init.d/.
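
The catalina.sh guard only checks the account name, so it relies on the tomcat account itself being unprivileged and without a shell, as required in the "tomcat user" step. The following added example (not part of the original page or the attached script) audits a passwd entry for those properties. The name check_service_account and the list of accepted no-login shells are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit the Tomcat service account.
# check_service_account is a hypothetical helper; the list of accepted
# no-login shells is an assumption and may need extending for your distro.

check_service_account() {
    user=$1
    passwd_file=${2:-/etc/passwd}   # passwd(5): name:pw:uid:gid:gecos:home:shell

    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "$user: account not found" >&2
        return 1
    fi

    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # A service account must not be root or share root's primary group.
    if [ "$uid" = "0" ] || [ "$gid" = "0" ]; then
        echo "$user: uid=$uid gid=$gid is privileged" >&2
        return 2
    fi

    # An interactive shell (or an empty field, which means /bin/sh) fails.
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/usr/bin/nologin|/bin/false|/usr/bin/false)
            return 0 ;;
        *)
            echo "$user: login shell '$shell' is allowed" >&2
            return 3 ;;
    esac
}
```

Calling check_service_account tomcat with no second argument reads /etc/passwd; a non-zero return identifies which requirement failed.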

...