...

  • Make sure a user, tomcat, has been created with no privileges and no login shell (e.g. tomcat:x:506:99::/home/tomcat:/sbin/nologin). If you are unsure how to do this please contact SysAdmin for assistance (e.g. sudo useradd -M -s /sbin/nologin -g nobody tomcat). The shell must be /sbin/nologin (or /usr/sbin/nologin on Debian-based systems), never an interactive shell: if the account is ever taken over through a deployed web application, the attacker should not gain a usable login.
  • Set the account's home directory to /opt/apache-tomcat/current. Rather than editing /etc/passwd by hand, run sudo usermod -d /opt/apache-tomcat/current tomcat, or pass -d /opt/apache-tomcat/current to the useradd command above.
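The following is an added example, not part of the original page: it creates the tomcat account non-interactively with the settings listed above and audits a passwd entry the way a reviewer would check the "no privileges, no shell" requirement. It assumes a RHEL/CentOS-style useradd (where -r creates a system account), that the nobody group exists, and that /opt/apache-tomcat/current is the symlink described later in this document; the sample passwd line in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): create the tomcat service
# account non-interactively and audit the resulting /etc/passwd entry.
# Assumptions: RHEL/CentOS-style useradd (-r = system account), the nobody
# group exists, /opt/apache-tomcat/current is the Tomcat symlink.

# create_tomcat_user: run as root. -r system account, -M no home directory
# on disk, -d sets the home field to the Tomcat symlink (no /etc/passwd
# hand-edit needed), -s no interactive shell.
create_tomcat_user() {
    useradd -r -M -g nobody -d /opt/apache-tomcat/current -s /sbin/nologin tomcat
}

# audit_passwd_entry "<line from /etc/passwd>": returns 0 when the entry is
# acceptable for a service account, 1 otherwise, printing each finding.
audit_passwd_entry() {
    entry=$1
    rc=0
    # Split the seven colon-separated fields with parameter expansion so that
    # any character in the line (including $ in a hash) is handled literally.
    name=${entry%%:*};  entry=${entry#*:}
    pw=${entry%%:*};    entry=${entry#*:}
    uid=${entry%%:*};   entry=${entry#*:}
    gid=${entry%%:*};   entry=${entry#*:}
    gecos=${entry%%:*}; entry=${entry#*:}
    home=${entry%%:*};  shell=${entry#*:}
    # uid 0 would make the web container root-equivalent.
    if [ "$uid" -eq 0 ] 2>/dev/null; then
        echo "$name: uid 0"; rc=1
    fi
    # Only a non-login shell is acceptable.
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "$name: interactive shell $shell"; rc=1 ;;
    esac
    # Password field: 'x' (shadowed) or a lock marker is fine; empty means
    # passwordless login; anything else is a hash in world-readable /etc/passwd.
    case $pw in
        x|'*'|'!'|'!!') ;;
        '') echo "$name: empty password field"; rc=1 ;;
        *) echo "$name: password hash stored in /etc/passwd"; rc=1 ;;
    esac
    # This document wants the home field on the Tomcat symlink, not under /home.
    case $home in
        /home/*) echo "$name: home $home should be /opt/apache-tomcat/current"; rc=1 ;;
    esac
    return $rc
}

# Audit the live account:  audit_passwd_entry "$(getent passwd tomcat)"
# Constructed sample line:  audit_passwd_entry "tomcat:x:506:99::/opt/apache-tomcat/current:/sbin/nologin"
```

Run the audit after creating the account and again after any upgrade that touches /etc/passwd; a non-zero exit with the printed findings is the condition to fix before Tomcat is started under that user.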

 

Java installation/update:

...

Oracle requires that you accept the license before you download the tar.gz file, which is awkward for wget. Go to the Oracle Java download site, click the accept-license button, select the JDK version for this machine and copy the link (use the "JDK Server" version if available). Replace the URL in the following command with the one you copied. If you use the https:// form of the link, drop --no-check-certificate: with that flag wget accepts any certificate, which makes the https download no better than plain http. In either case compare the downloaded file against the checksum Oracle publishes for the bundle before unpacking it.

sudo wget --no-cookies \
--no-check-certificate \
--header "Cookie: oraclelicense=accept-securebackup-cookie" \
"http://download.oracle.com/otn-pub/java/jdk/7u55-b13/jdk-7u55-linux-x64.tar.gz"

For Java 8, check "http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html" and select the bundle corresponding to "Linux x64" if you are on 64-bit Linux.

  • Once the download has completed, untar the Java distribution in /opt/java and delete the tar file (sudo tar zxvf jdk-7u55-linux-x64.tar.gz).
  • If /opt/java did not already exist, create a "current" symlink to the new Java directory (e.g. sudo ln -s jdk-7u55-linux-x64 current). If /opt/java did exist and the link current was already there, run sudo unlink current before linking again, or replace the link in one step with sudo ln -sfn jdk-7u55-linux-x64 current. NOTE: The reason for symlinking the directory is so that references to the current Java installation (e.g. $JAVA_HOME, /etc/profile.d/java.sh...) do not have to be updated. This simplifies maintenance.
  • Remove any previous Java installation from the system. On CentOS, get a list of installed packages:

...

  1. If the server does not already have a directory, /opt/apache-tomcat, create one (sudo mkdir /opt/apache-tomcat) and download the Tomcat distribution into it. Download Tomcat 8 from the Apache Tomcat site (http://tomcat.apache.org/) using wget, substituting the version you want (e.g. wget http://mirrors.advancedhosters.com/apache/tomcat/tomcat-8/v8.0.20/bin/apache-tomcat-8.0.20.tar.gz).
  2. Check that the hash of the downloaded file matches the one published for that release (e.g. openssl dgst -md5 apache-tomcat-8.0.20.tar.gz, or openssl dgst -sha1 ...). The reference value is the .md5 or .sha1 file next to the archive under https://www.apache.org/dist/tomcat/tomcat-8/v8.0.20/bin/. Fetch it from apache.org itself, not from the mirror that served the archive: a tampered mirror can serve a matching hash for a tampered archive. Prefer sha1 over md5 where both are offered and, better still, verify the .asc signature against the Tomcat KEYS file with gpg.
  3. Untar the Tomcat distribution and delete the tar file (sudo tar zxvf apache-tomcat-8.0.20.tar.gz).
  4. If /opt/apache-tomcat/current did not already exist, create a "current" symlink to the new Tomcat server directory (e.g. sudo ln -s apache-tomcat-8.0.20 current). If /opt/apache-tomcat did exist and the link current was already there, run sudo unlink current before linking again, or replace the link in one step with sudo ln -sfn apache-tomcat-8.0.20 current. NOTE: The reason for symlinking the directory is so that references to the current Tomcat server (e.g. $CATALINA_HOME, /etc/init.d/tomcat8...) do not have to be updated. This simplifies maintenance.
  5. This concludes the steps necessary to install or update the version of Tomcat. Please see Tomcat configuration for steps required to configure Tomcat.
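The following is an added example, not part of the original page: it performs the integrity check of step 2 in a reusable way, computing the archive's digest (with openssl dgst as above, falling back to the coreutils md5sum/sha1sum/sha256sum tools) and comparing it with a checksum file in the "<hex> *<filename>" format Apache publishes. The mirror URL and version in fetch_and_verify are the ones from step 1; the sample archive and checksum files in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): verify a downloaded Tomcat
# archive against the checksum file published on apache.org (step 2 above).
# Assumes openssl or the coreutils *sum tools; checksum files are expected
# to start with the hex digest, optionally followed by " *<name>" or "  <name>".

# digest <md5|sha1|sha256> <file>: print the lowercase hex digest.
digest() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(file)= <hex>"; the digest is the last field.
        openssl dgst -"$1" "$2" | awk '{print tolower($NF)}'
    else
        "$1sum" "$2" | awk '{print tolower($1)}'
    fi
}

# expected_digest <checksum file>: first token of the first line, lowercased,
# and only if it looks like a digest (32+ hex chars); empty otherwise.
expected_digest() {
    awk 'NR==1 {print tolower($1)}' "$1" | grep -E '^[0-9a-f]{32,}$'
}

# verify_download <algo> <archive> <checksum file>: 0 on match, 1 otherwise.
verify_download() {
    algo=$1; archive=$2; sumfile=$3
    expected=$(expected_digest "$sumfile")
    actual=$(digest "$algo" "$archive")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "MISMATCH: $archive $algo=$actual published=${expected:-<none>}" >&2
        return 1
    fi
    echo "OK: $archive $algo=$actual"
}

# fetch_and_verify <version>: download from the mirror used in step 1, but
# take the checksum from apache.org itself so a tampered mirror cannot also
# supply a matching hash. Network-dependent; shown for completeness only.
fetch_and_verify() {
    v=$1
    name="apache-tomcat-$v.tar.gz"
    wget "http://mirrors.advancedhosters.com/apache/tomcat/tomcat-8/v$v/bin/$name"
    wget "https://www.apache.org/dist/tomcat/tomcat-8/v$v/bin/$name.sha1"
    verify_download sha1 "$name" "$name.sha1"
}

# Usage: fetch_and_verify 8.0.20 && sudo tar zxvf apache-tomcat-8.0.20.tar.gz
```

Only untar when verify_download returns 0; a mismatch means the archive (or the mirror) is not to be trusted, not that the download merely needs retrying.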

...

    • Following are some reasonable defaults to run Tomcat under. They set memory limits, a modest increase of PermGen so that redeploying applications does not cause OutOfMemoryError: PermGen space (Java 7 and earlier only; Java 8 replaced PermGen with Metaspace and ignores the PermGen flag), Java GC settings and JMX settings. We encourage use of JMX because it is a standard we increasingly use for runtime monitoring and configuration, and many applications now depend on JMX to run correctly. Some of the settings will require editing to reflect your environment (e.g. ...jmx.rmi.server.hostname=192.168.1.xxx).
    • The following settings also define paths for "endorsed" lib and bin directories. If you are unsure what these are for you probably don't need them, but they should be configured in case they are needed.
    • If $CATALINA_HOME/bin does not already contain setenv.sh, create it (sudo vi $CATALINA_HOME/bin/setenv.sh); catalina.sh reads this file if it exists. Copy the following lines into it, changing the items that differ on your system (e.g. 192.168.1.xxx). Two things to check before starting Tomcat: jmxremote.password must be owned by the user Tomcat runs as and readable only by that user (mode 600), otherwise the JVM refuses to start; and with jmxremote.ssl=false the JMX credentials and all JMX traffic cross the network unencrypted, so the RMI ports must be reachable only from the monitoring hosts (firewall or VPN).

CATALINA_OPTS="-Dcom.sun.management.jmxremote \
  -Djava.rmi.server.hostname=192.168.1.xxx \
  -Xms512m -Xmx1024m \
  -XX:NewSize=256m -XX:MaxNewSize=256m \
  -XX:+DisableExplicitGC -XX:+UseParallelGC \
  -Dcom.sun.management.jmxremote.ssl=false \
  -Dcom.sun.management.jmxremote.password.file=$CATALINA_HOME/conf/jmxremote.password \
  -Dcom.sun.management.jmxremote.access.file=$CATALINA_HOME/conf/jmxremote.access"

export CATALINA_OPTS
export LD_LIBRARY_PATH=$CATALINA_HOME/endorsed/current/lib:$LD_LIBRARY_PATH
export PATH="$PATH:$CATALINA_HOME/endorsed/current/bin"

...

For JMX configuration (the JMX-specific part of the settings above, without the endorsed-directory exports; replace HOSTNAME or IP with the address remote JMX clients connect to, because RMI embeds it in the stubs it hands out):

CATALINA_OPTS="-Dcom.sun.management.jmxremote \
-Djava.rmi.server.hostname=HOSTNAME or IP \
-Xms512m -Xmx1024m \
-XX:NewSize=256m -XX:MaxNewSize=256m \
-XX:+DisableExplicitGC -XX:+UseParallelGC \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.password.file=$CATALINA_HOME/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=$CATALINA_HOME/conf/jmxremote.access"
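The following is an added example, not part of the original page: it creates the jmxremote.password and jmxremote.access files that the CATALINA_OPTS above point at, and checks them the way the JVM does before it will start with those options. Role names and levels (monitorRole/readonly, controlRole/readwrite) follow the JDK's own jmxremote.password.template; the directory and owner are parameters because the real files live under $CATALINA_HOME/conf and must belong to the tomcat user.

```shell
#!/bin/sh
# Added example (not from the original page): create and check the JMX
# password/access files referenced by CATALINA_OPTS. Assumes POSIX ls/awk;
# <conf dir> stands for $CATALINA_HOME/conf and <owner> for the tomcat user.

# setup_jmx_files <conf dir> <owner> <monitor password> <control password>
setup_jmx_files() {
    conf=$1; owner=$2
    (
        umask 077   # files are born 0600; never loosen them afterwards
        printf 'monitorRole %s\ncontrolRole %s\n' "$3" "$4" > "$conf/jmxremote.password"
        printf 'monitorRole readonly\ncontrolRole readwrite\n' > "$conf/jmxremote.access"
    )
    chown "$owner" "$conf/jmxremote.password" "$conf/jmxremote.access"
}

# check_jmx_files <conf dir> [owner]: 0 if the JVM would accept the files and
# every role is consistent between them, 1 otherwise (findings are printed).
check_jmx_files() {
    conf=$1; owner=$2; rc=0
    pw="$conf/jmxremote.password"; ac="$conf/jmxremote.access"
    for f in "$pw" "$ac"; do
        [ -f "$f" ] || { echo "missing $f"; return 1; }
    done
    # The JVM refuses to start if group or other have any access to the
    # password file ("Password file read access must be restricted").
    mode=$(ls -ld "$pw" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$pw is group/world accessible ($mode)"; rc=1; }
    if [ -n "$owner" ]; then
        fowner=$(ls -ld "$pw" | awk '{print $3}')
        [ "$fowner" = "$owner" ] || { echo "$pw owned by $fowner, not $owner"; rc=1; }
    fi
    # Each access entry needs a valid level and a matching password line.
    while read -r role level rest; do
        case $role in ''|'#'*) continue ;; esac
        case $level in
            readonly|readwrite) ;;
            *) echo "$role: bad access level '$level'"; rc=1 ;;
        esac
        grep -q "^$role " "$pw" || { echo "$role: in access file but has no password"; rc=1; }
    done < "$ac"
    # And no password line without an access entry (it would be a dead login).
    while read -r role secret; do
        case $role in ''|'#'*) continue ;; esac
        grep -q "^$role " "$ac" || { echo "$role: has a password but no access level"; rc=1; }
    done < "$pw"
    return $rc
}

# Usage on a real installation (as root):
#   setup_jmx_files "$CATALINA_HOME/conf" tomcat 'monitor-secret' 'control-secret'
#   check_jmx_files "$CATALINA_HOME/conf" tomcat
```

Run check_jmx_files after every upgrade as well: with the symlinked layout in this document conf/ belongs to the versioned directory, so the files have to be carried across and their ownership and mode re-checked each time.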


Tomcat Manager
In order to use the ..../manager/html interface to deploy/undeploy/stop/start applications, trigger GC and in broad terms see what is going on in the Tomcat server (in addition to JMX) you need to configure access to the URL. This is done in the $CATALINA_HOME/conf/tomcat-users.xml file. The file has instructions, and the Apache documentation elaborates further. A starting point for a basic but very insecure configuration can be copied from the comments in that file and modified as needed; at minimum give the manager account a strong, unique password and only the manager-gui role, since anyone who can deploy a WAR through the manager can run arbitrary code as the tomcat user.
If the server has a public IP and access to the Tomcat Manager is required, access must be limited to the internal VPN. To do so add the following RemoteAddrValve inside the <Context> </Context> element of the application's context.xml, located in webapps/manager/META-INF and webapps/host-manager/META-INF. Two caveats: the valve matches the pattern against the whole client address as Tomcat sees it, so behind a reverse proxy it sees the proxy's address and a RemoteIpValve (with trustedProxies or internalProxies set) must be configured at the Engine or Host level in server.xml so that the real client address is restored first; and webapps/manager is replaced whenever a new Tomcat version is unpacked, so the change must be re-applied after each upgrade. denyStatus="404" returns Not Found rather than Forbidden, so a denied client learns nothing about the manager's existence.

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
      allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.200\.\d+|172\.31\.2\.219"
      denyStatus="404" />


JMX
JMX is the service we use to monitor Tomcat's health while it is running and to change runtime configuration. Changes need to be made to $CATALINA_HOME/conf/server.xml and $CATALINA_HOME/bin/setenv.sh. Please see tomcat server - reasonable defaults for the setenv.sh changes, including the ownership and permission requirements on jmxremote.password and the need to keep the unencrypted (jmxremote.ssl=false) RMI ports off the public interface.

...

...

The first step is to create the keystore (keytool -genkey is the older spelling of -genkeypair). Add -keysize 2048, since JDK 7's keytool defaults to a 1024-bit RSA key, and because this runs under sudo the keystore is created owned by root with the umask's permissions (typically 644): afterwards chown it to the tomcat user and chmod 600 it, so the private key is protected by more than the store password.

sudo $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_HOME/conf/keystore

...

The result of this command is a keystore file created in $CATALINA_HOME/conf/keystore

To change the expiry of the self-signed certificate (keytool's default is 90 days), re-sign it with the following command. It uses the relative path keystore, so run it from $CATALINA_HOME/conf or give the full path; -validity can also be passed to the -genkey command above, which avoids this second step.

sudo $JAVA_HOME/bin/keytool -selfcert -v -alias tomcat -validity 3650 -keystore keystore

Note: In the above example the certificate is valid for the next 10 years.
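The following is an added example, not part of the original page: it generates the Tomcat keystore in one keytool call with an explicit key size, signature algorithm and validity, locks the file down, and checks both the entry and the file mode. It assumes a JDK 7 or later keytool on PATH, the password exported in a KEYSTORE_PASS environment variable (keytool's :env form keeps it out of ps output and shell history), and the same password for the store and the key, which is what Tomcat's connector keystorePass setting expects; the subject name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): generate and check the Tomcat
# keystore. Assumes keytool (JDK 7+) on PATH and the store password exported
# as KEYSTORE_PASS; the -dname values are placeholders.

# make_tomcat_keystore <keystore path> <owner>
make_tomcat_keystore() {
    ks=$1; owner=$2
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 3650 \
        -dname "CN=$(hostname 2>/dev/null || echo localhost), OU=Tomcat, O=Example" \
        -keystore "$ks" -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS
    # keytool honours the umask, so the file is typically 0644 and only the
    # store password protects the private key. Make it the tomcat user's
    # private file instead of leaving it root-owned from sudo.
    chmod 600 "$ks"
    chown "$owner" "$ks"
}

# check_keystore <keystore path>: 0 if the tomcat key pair is present and the
# file is readable only by its owner, 1 otherwise (findings are printed).
check_keystore() {
    ks=$1; rc=0
    keytool -list -keystore "$ks" -storepass:env KEYSTORE_PASS -alias tomcat >/dev/null 2>&1 \
        || { echo "$ks: no entry with alias tomcat (or wrong password)"; rc=1; }
    mode=$(ls -ld "$ks" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$ks: private key file is group/world readable ($mode)"; rc=1; }
    return $rc
}

# Usage on a real installation (as root):
#   KEYSTORE_PASS='long-random-secret'; export KEYSTORE_PASS
#   make_tomcat_keystore "$CATALINA_HOME/conf/keystore" tomcat
#   check_keystore "$CATALINA_HOME/conf/keystore"
```

The keystorePass value in the HTTPS connector must equal KEYSTORE_PASS; if a different key password is wanted, set keyPass on the connector as well.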

The next step is to edit $CATALINA_HOME/conf/server.xml to configure and enable the HTTPS connector.  Inside this file locate the following connector: 

...