Tuesday, 26 November 2013

Installation of Apache-Tomcat with SSL


1.   Introduction:-

Tomcat is a Java Servlet container and web server from the Jakarta project of the Apache Software Foundation. A web server dishes out web pages in response to requests from a user sitting at a web browser. But web servers are not limited to serving up static HTML pages; they can also run programs in response to user requests and return the dynamic results to the user's browser. Tomcat is very good at this because it provides both Java Servlet and JavaServer Pages (JSP) technologies (in addition to traditional static pages and external CGI programming). The result is that Tomcat is a good choice as a web server for many applications, especially if you want a free servlet and JSP engine. It can be used standalone or behind a traditional web server such as Apache httpd, with the traditional server serving static pages and Tomcat serving dynamic servlet and JSP requests.



2.   Required Packages:-

The packages used in <My Company> for this configuration are listed below. The package versions may differ in later updates.

i)              apache-tomcat-6.0.33
ii)             jdk1.6.0_22
iii)            Red Hat Enterprise Linux 5.5


3.   Installation:-

i)              Install the RHEL 5.5 operating system on the hardware as defined by the <My Company> OS installation guide.
ii)             Create a tomcat user on the Linux server to own the Tomcat installation. For security reasons Tomcat will run as this low-privilege user instead of as root.

Run:

useradd -c "Tomcat Web Server Account" -m -d /home/tomcat -s /bin/bash tomcat

iii)            Download the apache-tomcat-6.0.33 and jdk1.6.0_22 packages from the Internet.


Move these packages into the /home/tomcat directory and change their ownership to the tomcat user.

Run:-

$ cd /home/tomcat
$ chown -R tomcat:tomcat /home/tomcat/apache-tomcat-6.0.33
$ chown -R tomcat:tomcat /home/tomcat/jdk1.6.0_22
$ chmod -R u+x /home/tomcat/jdk1.6.0_22/bin



4.   Tomcat  Server Configuration:-

Set the environment variables in the /home/tomcat/.bashrc file as defined below.

$ vi /home/tomcat/.bashrc
EDIT:-

#### JAVA & TOMCAT ENVIRONMENT VARIABLE DEFINITIONS ####

JAVA_HOME=/home/tomcat/jdk1.6.0_22
CATALINA_HOME=/home/tomcat/apache-tomcat-6.0.33
CATALINA_BASE=/home/tomcat/apache-tomcat-6.0.33
PATH=$JAVA_HOME/bin:$CATALINA_HOME/bin:$PATH
# CATALINA_BASE must be exported as well, otherwise catalina.sh cannot see it
export JAVA_HOME CATALINA_HOME CATALINA_BASE PATH


5.    SSL Configuration:-

i)              Generate keystore file with self-signed Certificate

Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility.
To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:

               $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \
                -keystore /home/tomcat/.keystore


After executing this command, you will first be prompted for the keystore password. The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file, as described later.

Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.
Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. This is a restriction of the Tomcat implementation. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)
If everything was successful, you now have a keystore file with a Certificate that can be used by your server.

ii)             Edit the tomcat configuration file
$ vi $CATALINA_BASE/conf/server.xml
Uncomment the following lines, set keystoreFile to the path of the keystore created above, and set keystorePass to the keystore password, to enable SSL on the Tomcat server.


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                               maxThreads="150" scheme="https" secure="true"
                               keystoreFile="/home/tomcat/.keystore" keystorePass="changeit"
                               clientAuth="false" sslProtocol="TLS" />


Comment out the following entry in the server.xml file so that the Tomcat web server no longer accepts plain HTTP connections.

            <!--
            <Connector port="8080" protocol="HTTP/1.1"
                       connectionTimeout="20000"
                       redirectPort="8443" />
            -->



6.   Restart Tomcat Service:-

Stop and then start the tomcat service to activate the configuration.


Stop tomcat service:

 $CATALINA_HOME/bin/shutdown.sh

Start tomcat service:

 $CATALINA_HOME/bin/startup.sh


7.   Enable Logging:-

Edit the server.xml file to enable logging for tomcat server.

$ vi $CATALINA_HOME/conf/server.xml

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"   prefix="localhost_access_log." suffix=".txt" pattern="combined" resolveHosts="false"/>

The logs are written to the $CATALINA_HOME/logs directory and can be analyzed when troubleshooting the Tomcat server.
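The SSL connector in section 5 and the access-log valve in section 7 are easy to get slightly wrong (plain HTTP connector left active, keystorePass still "changeit", valve forgotten). The script below is an added example, not part of the original post or the Tomcat project: it parses a Tomcat 6 server.xml and reports anything that does not match those steps. The two sample server.xml fragments are constructed for illustration, and the keystore password in the hardened sample is a dummy value.

```python
"""Audit a Tomcat 6 server.xml against the SSL and logging steps above.

Added example; not from the original post or the Tomcat project. Checks:
an SSLEnabled connector with scheme="https", secure="true" and a keystoreFile;
no live plain-HTTP connector; a keystorePass other than the default "changeit";
and an AccessLogValve. The sample XML below is constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASS = "changeit"   # Tomcat's default when keystorePass is absent
ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"


def _is_plain_http(connector):
    """True for a non-SSL HTTP/1.1 connector (AJP connectors are ignored)."""
    if connector.get("SSLEnabled", "false").lower() == "true":
        return False
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("HTTP/") or proto.startswith("org.apache.coyote.http11")


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # A connector wrapped in <!-- --> is an XML comment, so the parser never
    # yields it: commenting out the 8080 connector (step 5.ii) removes it here.
    connectors = list(root.iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    if not ssl:
        findings.append("no SSLEnabled connector configured")
    for c in ssl:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append('connector %s: scheme="https" and secure="true" required' % port)
        if not c.get("keystoreFile"):
            findings.append("connector %s: keystoreFile not set" % port)
        if c.get("keystorePass", DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
            findings.append('connector %s: keystorePass is the default "%s"'
                            % (port, DEFAULT_KEYSTORE_PASS))
    for c in connectors:
        if _is_plain_http(c):
            findings.append("plain HTTP connector still enabled on port %s" % c.get("port", "?"))
    if not any(v.get("className") == ACCESS_LOG_VALVE for v in root.iter("Valve")):
        findings.append("no AccessLogValve configured (section 7)")
    return findings


# Constructed sample: server.xml after sections 5 and 7 have been applied.
HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/home/tomcat/.keystore" keystorePass="sample-not-real"
               clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="combined" resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: 8080 still live, default keystore password, no access log.
DEFAULT_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/home/tomcat/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


if __name__ == "__main__":
    # Usage: python audit_server_xml.py $CATALINA_BASE/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_XML
    for line in audit_server_xml(text) or ["OK: no findings"]:
        print(line)
```

Run it against the real file with the path as the first argument; without an argument it audits the constructed default sample and prints three findings. The check for keystorePass treats an absent attribute as a finding too, because Tomcat falls back to "changeit" when the attribute is missing.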

8.   Configure Heap Size in Tomcat 6.0:-

Stop the Tomcat server, set the environment variable CATALINA_OPTS, and then restart Tomcat. See tomcat-install/bin/catalina.sh (or catalina.bat) for how this variable is used. For example, edit $CATALINA_HOME/bin/catalina.sh and add:

export CATALINA_OPTS="-Xms1024m -Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=1024m"
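A CATALINA_OPTS value with a dropped "-" (for example "XX:MaxPermSize=1024m") stops Tomcat from starting, because the java launcher takes the first argument without a leading "-" as the main class name; an initial size above its maximum is rejected by the JVM as well. The validator below is an added example, not part of the original post or the Tomcat project; it checks a CATALINA_OPTS string for both mistakes before it goes into catalina.sh. The option strings it is run on are constructed samples.

```python
"""Validate a CATALINA_OPTS string before putting it into catalina.sh.

Added example; not from the original post or the Tomcat project. It flags
tokens that lack their leading "-" and initial heap/permgen sizes that exceed
their maximums (-Xms above -Xmx, -XX:PermSize above -XX:MaxPermSize).
"""
import re
import shlex

_SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")
_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_jvm_size(text):
    """Convert a JVM size such as '1024m' or '2g' to bytes."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("malformed JVM size: %r" % text)
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


def validate_catalina_opts(opts):
    """Return a list of findings for a CATALINA_OPTS value; empty means OK."""
    findings = []
    sizes = {}
    for tok in shlex.split(opts):
        if not tok.startswith("-"):
            findings.append("%r lacks a leading '-': java would treat it as the main class" % tok)
            continue
        m = re.match(r"^-X(ms|mx)(.+)$", tok)
        if m:
            name, value = "-X" + m.group(1), m.group(2)
        else:
            m = re.match(r"^-XX:(PermSize|MaxPermSize)=(.+)$", tok)
            if not m:
                continue  # other options are not checked here
            name, value = "-XX:" + m.group(1), m.group(2)
        try:
            sizes[name] = parse_jvm_size(value)
        except ValueError as exc:
            findings.append(str(exc))
    for low, high in (("-Xms", "-Xmx"), ("-XX:PermSize", "-XX:MaxPermSize")):
        if low in sizes and high in sizes and sizes[low] > sizes[high]:
            findings.append("%s (%d bytes) exceeds %s (%d bytes)"
                            % (low, sizes[low], high, sizes[high]))
    return findings


if __name__ == "__main__":
    # Constructed samples: the corrected value and the one with a dropped "-".
    for opts in ("-Xms1024m -Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=1024m",
                 "-Xms1024m -Xmx1024m -XX:PermSize=256m XX:MaxPermSize=1024m"):
        print(opts, "->", validate_catalina_opts(opts) or "OK")
```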

9.   Finalization:-


After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL. For example, try:

https://localhost:8443
