Install TomCat Servlet Container

From QwikITedia

Contents 1 TomCat v6.0.xx Installation 1.1 Change Tomcat Port 1.2 Setup Tomcat Mgr 1.3 Install an SSL Web Certificate on TomCat 1.3.1 Preparation 1.3.2 Generate Keystore 1.3.3 Check keystore 1.3.4 Backup Keystore 1.3.5 Generate CSR 1.3.6 Request Cert 1.3.7 Obtain Cert 1.3.8 Add cert to keystore 1.3.9 Adjust Server.xml file 1.3.10 Troubleshoot 1.3.11 Addendum

TomCat v6.0.xx Installation

• Get the latest Stable Binary distribution(Core) of TomCat from an Apache Tomcat mirror
• At time of these docs this was v6.0.20

root@myserver:/home/resmonde# wget http://apache.mirrors.hoobly.com/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz

• Extract it:

root@myserver:/home/resmonde# tar -xvzf apache-tomcat-6.0.20.tar.gz

• Move Tomcat to its own directory:

root@myserver:/home/resmonde# mv apache-tomcat-6.0.20/ /usr/local/tomcat

• Move there

root@myserver:/home/resmonde# cd /usr/local/tomcat
root@myserver:/usr/local/tomcat# 

• Ensure the path to Java is in the .bashrc file for all the folk who will be running tomcat:

export JAVA_HOME=/usr/lib/jvm/java-6-sun

• To enable Tomcat to start up automatically, we'll need an initialization script:

vi /etc/init.d/tomcat6

• Paste in the following:

# Tomcat auto-start
#
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid

export JAVA_HOME=/usr/lib/jvm/java-6-sun

case $1 in
start)
        sh /usr/local/tomcat/bin/startup.sh
        ;; 
stop)   
        sh /usr/local/tomcat/bin/shutdown.sh
        ;; 
restart)
        sh /usr/local/tomcat/bin/shutdown.sh
        sh /usr/local/tomcat/bin/startup.sh
        ;; 
esac    
exit 0

• Ensure script is executable:

root@myserver:/usr/local/tomcat# chmod 755 /etc/init.d/tomcat6

• Now link this script to the startup folders with a symbolic link. Execute these two commands:

root@myserver:/usr/local/tomcat# ln -s /etc/init.d/tomcat6 /etc/rc1.d/K99tomcat
root@myserver:/usr/local/tomcat# ln -s /etc/init.d/tomcat6 /etc/rc2.d/S99tomcat

• Start the Servlet engine:

/etc/init.d/tomcat6 start

• By default, your tomcat install should now be active on port 8080 :: http://myserver:8080/

Change Tomcat Port

• Edit the file:

/usr/local/tomcat/conf/server.xml

• Change the port number on the line which reads:

<Connector port="8080" protocol="HTTP/1.1"

• Stop Tomcat and start it again and go to your new port to see it: http://myserver:xxxx

Setup Tomcat Mgr

• This little server admin tool enables quick servlet engine admin tasks such as easily deploying WAR files
• It requires a username and password which you must add to the xml file which controls access
• Edit the TomCat Manager file

vi /usr/local/tomcat/conf/tomcat-users.xml

• Add the following in between the <tomcat-users></tomcat-users> xml-tags

<role rolename="manager"/>
<user username="admin" password="xxxxxxxjjjjfffhh" roles="manager"/>

• Restart Tomcat
• Go to http://myserver:8080/manager/html
• Enter admin for username and whatever password you set

Install an SSL Web Certificate on TomCat

• Assumptions:
  • You want to apply an SSL cert to a Tomcat Servlet Container.
  • Your site is/will be https://eng.anytech.com <fictional at time of writing>
• These docs pertain to the installation of a Thawte SSL cert.

Preparation

If there is already a keystore for Tomcat in the default location (/root/.keystore), delete it to start afresh

Generate Keystore

• Generate a private key for your CSR for the 'Eng' key generation using the default location (/root/.keystore)

keytool -genkey -keysize 1024 -keyalg RSA -alias tomcat -keystore /root/.keystore

Enter Password = thisTLEW33& <just an example>
First Name Last Name = eng.anytech.com
Org Unit = Anytech Eng
Org Name = Anytech Inc
City = San Francisco
State = California
To Letter Country code = US
Is this OK yes
enter same password or hit return

Check keystore

Check that you can read the keystore file (should now have app private key called tomcat):

keytool -list -keystore /root/.keystore

Backup Keystore

• Backup your keystore and store somewhere off server but safe:

cp /root/.keystore /root/.keystore.backup

Generate CSR

• This is the file(certreq.csr) the CA will use to create your unique cert:

keytool -certreq -alias tomcat -keyalg  RSA -file certreq.csr -keystore /root/.keystore

Request Cert

• Login to CA website
• Use web form to request cert..you'll need to paste in the CSR you generated.

Obtain Cert

• You'll be notified via email when the cert is ready
• Login to Thawte.com to retrieve it
• Save it is *.p7b format into a file such as aoa.crt
• Transfer to server

Add cert to keystore

• Import key to keystore (aoa.crt) Key to keystore(/root/.keystore):

keytool -import -alias tomcat -keystore /root/.keystore -trustcacerts -file aoa.crt

Adjust Server.xml file

<Connector 
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="thisTLEW33&"
           clientAuth="false" sslProtocol="TLS"/>

• Restart Tomcat
• Check logs to ensure no errors upon startup:

tail /usr/local/tomcat/logs/catalina.out

• Check: https://eng.anytech.com/

Troubleshoot

• Unless your mistake is obvious save yourself a lot of time and Contact Thawte (or the cert authority) and send them the output of keystore in an email
• Obtain Output of keystore using:

keytool -list -keystore keystorefilename -v

• Using this verbose output they can spot the problem in a heart beat.

Addendum

• If you made a mistake and want to remove the key from keystore:

keytool -delete -alias tomcat -keystore .keystore

• Helpful list of keytool usages can be found here:

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html