Sunday, July 18, 2010

Tomcat Manager Password

This post will cover basic set up and configuration to access the Tomcat Manager interface.

After installing Tomcat 6, as shown in my previous post, you can navigate to http://yourdomain.com:8080 to access the Tomcat Manager.

With some variation, which we will note, the procedure is the same for Tomcat 5, 6, and 7 (Beta).

By default, no users or passwords are created for the Tomcat manager role.

To set a user name and password, we need to configure the tomcat-users.xml file located at $CATALINA_HOME/conf/tomcat-users.xml.

In the case of our installation, $CATALINA_HOME is located at /usr/share/apache-tomcat-6.0.26.

By default the Tomcat 6 tomcat-users.xml file will look as below.

Note that while examples are provided, the elements between the <tomcat-users> and </tomcat-users> tags have been commented-out using <!-- -->

Most of what you need is explained in the file itself.


Now, in order to access Tomcat Manager we simply need to add a role, manager, and then add a user name with password and assign the user to the manager role.

I'll create a user 'david' with password 'BlogSpot', and I'll assign 'david' to the manager role.


That's it! Very simple.

We added the role 'manager', and then created the username 'david' with password 'BlogSpot' and assigned the user to manager role.

IMPORTANT NOTE: For Tomcat 7.0, which is now in Beta Release, the role name is manager-gui. If configuring Tomcat 7.0, use this in place of 'manager':
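The edit described above, as an added example that is not part of the original post: a small shell helper that appends the role and user elements to a tomcat-users.xml, with the role name as a parameter so the same call serves Tomcat 5 and 6 ('manager') and Tomcat 7 ('manager-gui'). The stock-style tomcat-users.xml it starts from is constructed here; the real file is $CATALINA_HOME/conf/tomcat-users.xml. The password is XML-escaped before insertion, because a '&' or '"' pasted straight into the attribute would leave invalid XML, and Tomcat then loads no manager users at all.

```shell
#!/bin/bash
# Added example, not from the original post: append a manager role and user to
# tomcat-users.xml. The role name is a parameter ("manager" for Tomcat 5/6,
# "manager-gui" for Tomcat 7). The starting file below is constructed to look
# like the stock one; the real path is $CATALINA_HOME/conf/tomcat-users.xml.

# xml_attr_escape STRING -> STRING safe to place inside a double-quoted attribute
xml_attr_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/"/\&quot;/g'
}

# write_default_tomcat_users FILE -> a stock-style file with the examples commented out
write_default_tomcat_users() {
    cat > "$1" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
</tomcat-users>
EOF
}

# add_tomcat_user FILE ROLE USERNAME PASSWORD
# Inserts the elements just before </tomcat-users>. Returns 1 if the file has
# no closing tag, 2 if the user is already present (no duplicate entries).
add_tomcat_user() {
    file=$1
    grep -q '</tomcat-users>' "$file" || return 1
    ROLE_E=$(xml_attr_escape "$2")
    USER_E=$(xml_attr_escape "$3")
    PASS_E=$(xml_attr_escape "$4")
    grep -q "username=\"$USER_E\"" "$file" && return 2
    # declare the <role> only once, however many users are assigned to it
    ADD_ROLE=1
    grep -q "rolename=\"$ROLE_E\"" "$file" && ADD_ROLE=0
    export ROLE_E USER_E PASS_E ADD_ROLE
    awk '
        /<\/tomcat-users>/ {
            if (ENVIRON["ADD_ROLE"] == "1")
                printf "  <role rolename=\"%s\"/>\n", ENVIRON["ROLE_E"]
            printf "  <user username=\"%s\" password=\"%s\" roles=\"%s\"/>\n",
                   ENVIRON["USER_E"], ENVIRON["PASS_E"], ENVIRON["ROLE_E"]
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

For the set-up in this post the call would be: add_tomcat_user /usr/share/apache-tomcat-6.0.26/conf/tomcat-users.xml manager david BlogSpot (and manager-gui instead of manager on Tomcat 7). Re-running it for the same user is refused, so a second run does not leave two entries for 'david'.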


Now, restart your Tomcat instance, and verify that you are able to access the Tomcat Manager at http://yourdomain.com:8080.

Click on the Tomcat Manager link on the Administration menu and enter the user name and password you created above.


Securing Your Tomcat Manager Password: Creating an SHA or MD5 Digest Password

You could stop here, but since the password is stored in plain text in the tomcat-users.xml file, it's a good idea to replace it with a digest (a one-way hash) of the password.

By default, Tomcat employs a simple, file-based UserDatabase Realm for security. In this case, passwords are stored in plain text in the tomcat-users.xml file we configured above.

There are much stronger security Realms that can be used, such as JNDI and JDBC, but we'll start with the simplest and create a digested version of the password we created above.

For our Digest algorithm we can use SHA or MD5.

We can do this in a few simple steps.

First, we create a Digest version of our password using the digest.sh script located at $CATALINA_HOME/bin/digest.sh

For SHA, we issue ./digest.sh -a sha BlogSpot as shown below.

[root@server1 bin]# ./digest.sh -a sha BlogSpot
BlogSpot:89fc9f60780695d50b5cf5b0598957fc88c91487

We then copy the output, 89fc9f60780695d50b5cf5b0598957fc88c91487, which is our SHA Digest password. Copy it somewhere safe, you will need it in a moment.


Similarly, for MD5, we issue ./digest.sh -a md5 BlogSpot as shown below.

[root@server1 bin]# ./digest.sh -a md5 BlogSpot
BlogSpot:f105429be7c7a3518f9376b3de4f0f1d

We then copy the output, f105429be7c7a3518f9376b3de4f0f1d, which is our MD5 Digest password. Copy it somewhere safe, you will need it in a moment.


Now, in our tomcat-users.xml file, replace the plain text password we created 'BlogSpot' (or whatever you used) with the SHA or MD5 Digest password you generated above. I'm going to use SHA.


[root@server1 conf]# vi tomcat-users.xml

Finally, we need to make an adjustment to our server.xml file, located in the Tomcat conf directory, so Tomcat knows we are using a Digest password as well as the Digest algorithm we selected (SHA or MD5).

In your server.xml file, look for this section:

At the end of the entry, we add: digest="sha" as shown below if we used the SHA Digest Algorithm.


If we used MD5, we add digest="md5" as shown below.


We have now created the manager role, added a user with a password to that role, and replaced the plain-text password in tomcat-users.xml with its MD5 or SHA digest.
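What digest.sh computes, what the realm then does with the stored value, and the server.xml change, as one added example that is not part of the original post. It assumes (true for the stock digest.sh) that -a sha is an unsalted SHA-1 of the password bytes and -a md5 an unsalted MD5, both printed as lowercase hex, so the same value can be produced with the coreutils tools when Java is not at hand. The server.xml fragment it edits is constructed to match the stock Tomcat 6 UserDatabaseRealm line, which is assumed to sit on one line as shipped. Two things the example makes visible: the realm verifies a login by digesting the submitted password and comparing strings, so Tomcat never needs the plain text back; and because the digest is unsalted and fast, anyone who can read tomcat-users.xml can still test guesses offline, which is why the file's permissions (and running Tomcat as a non-root user, covered in the installation post) matter as much as the digest itself.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes digest.sh -a sha is an
# unsalted SHA-1 and -a md5 an unsalted MD5 of the password bytes, lowercase hex.

# digest_password ALGO PASSWORD -> "PASSWORD:hex", the line digest.sh prints
digest_password() {
    algo=$1; pass=$2
    case "$algo" in
        sha) sum=$(printf '%s' "$pass" | sha1sum | cut -d' ' -f1) ;;
        md5) sum=$(printf '%s' "$pass" | md5sum  | cut -d' ' -f1) ;;
        *)   echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$pass" "$sum"
}

# verify_digest ALGO STORED_HEX CANDIDATE -> 0 when CANDIDATE digests to STORED_HEX.
# This is what the realm does at login: digest the presented password and compare
# strings; the plain text is never recovered from the file.
verify_digest() {
    algo=$1; stored=$2; candidate=$3
    computed=$(digest_password "$algo" "$candidate") || return 2
    computed=${computed##*:}   # drop the "password:" prefix digest.sh-style output carries
    [ "$computed" = "$(printf '%s' "$stored" | tr 'A-Z' 'a-z')" ]
}

# write_sample_server_xml FILE -> constructed fragment with the stock Tomcat 6 Realm line
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Engine>
EOF
}

# enable_realm_digest SERVER_XML ALGO -> add digest="sha" or digest="md5" to the
# UserDatabaseRealm element, replacing any digest attribute already there.
# Returns 1 if no UserDatabaseRealm line is present, 2 for an unknown algorithm.
enable_realm_digest() {
    file=$1; algo=$2
    case "$algo" in sha|md5) ;; *) return 2 ;; esac
    grep -q 'UserDatabaseRealm' "$file" || return 1
    sed -e '/UserDatabaseRealm/ s/ digest="[^"]*"//' \
        -e '/UserDatabaseRealm/ s|resourceName="UserDatabase"|& digest="'"$algo"'"|' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Switching from sha to md5 (or back) is a single call to enable_realm_digest; it strips the old attribute first, so the Realm never ends up with two digest attributes. Remember that the digests stored in tomcat-users.xml must be regenerated with the same algorithm the Realm is told to use.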

Later we'll look at JDBC and JNDI security Realms, as well as other measures for securing your Tomcat installation.



Tuesday, July 6, 2010

Tomcat 7 Beta Release

Tomcat 7.0.0 Beta was released on June 29th.

http://tomcat.apache.org/tomcat-7.0-doc/index.html

"The Apache Tomcat Project is proud to announce the release of version 7.0.0 beta of Apache Tomcat. This release is the first Apache Tomcat release to support the Servlet 3.0, JSP 2.2 and EL 2.2 specifications. In addition, it includes numerous other improvements such as web application memory leak detection and prevention, extensive internal code clean-up and support for including external content directly in a web application (aliases)."

The list of improvements and additional features looks like exciting stuff.

I just got started playing with it a few days ago; the baseline installation is the same as for Tomcat 6 (see my previous post here).

One configuration change I came across off the bat is the need to use the role of manager-gui, replacing the old manager role:


Well, I hope to be posting much more soon......

Sunday, July 4, 2010

Install Tomcat 6 on CentOS

NOTE: For an updated and expanded version of this post, please see:

http://www.davidghedini.com/pg/entry/install_tomcat_6_on_centos

This post will cover installation and configuration of Tomcat 6 on CentOS 5.

We will also show how to run Tomcat as a service, create a start/stop script, and configure Tomcat to run under a non-root user.

This post has been updated for Tomcat 6.0.32.

The post below will work with any Tomcat 6.x version, but I have been keeping it updated to keep the links consistent and to make it as copy-and-paste friendly as possible.

If you are looking for our tutorial on installing Tomcat 7 on CentOS/RHEL, you can find it here.

This installation of Tomcat 6.0.32 was done on CentOS 5.5, but any CentOS 5.x should work, as well as RHEL and Fedora.

If you do not already have the Java Development Kit (JDK) installed on your machine, you will need to download and install the required JDK for your platform.

If you do have the JDK installed, you can skip to Step 2: Download and Install Tomcat 6.0.32.


Step 1: Install the JDK

You can download the JDK here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

I'm using the latest, which is JDK 6, update 24. The JDK comes in separate 32-bit and 64-bit versions.

My CentOS box is 64 bit, so I'll need: jdk-6u24-linux-x64.bin.

If you are on 32 bit, you'll need: jdk-6u24-linux-i586.bin

Download the appropriate JDK and save it to a directory. I'm saving it to /root.

Move (mv) or copy (cp) the file to the /opt directory:

[root@blanche ~]# mv jdk-6u24-linux-x64.bin /opt/jdk-6u24-linux-x64.bin  

Create a new directory /usr/java.

[root@blanche ~]# mkdir /usr/java  

Change to the /usr/java directory we created and install the JDK using 'sh /opt/jdk-6u24-linux-x64.bin'

[root@blanche ~]# cd /usr/java
[root@blanche java]# sh /opt/jdk-6u24-linux-x64.bin

Set the JAVA_HOME path. This is where we installed our JDK above.

To set it for your current session, you can issue the following from the CLI:

[root@blanche java]# JAVA_HOME=/usr/java/jdk1.6.0_24
[root@blanche java]# export JAVA_HOME
[root@blanche java]# PATH=$JAVA_HOME/bin:$PATH
[root@blanche java]# export PATH

To set JAVA_HOME for a user, add the lines below to that user's ~/.bashrc or ~/.bash_profile. You can also add them to /etc/profile and source it to make the setting available to all users.

JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH

Once you have added the above to ~/.bash_profile or ~/.bashrc, you should log out, then log back in and check that the JAVA_HOME is set correctly.

[root@blanche ~]#  echo $JAVA_HOME
/usr/java/jdk1.6.0_24


Step 2: Download and Install Tomcat 6.0.32:

Download apache-tomcat-6.0.32.tar.gz here

Save the file to a directory. I'm saving it to /root/apache-tomcat-6.0.32.tar.gz

Before proceeding, you should verify the MD5 Checksum for your Tomcat download (or any other download).

Since we saved the Tomcat download to /root/apache-tomcat-6.0.32.tar.gz, we'll go to the /root directory and use the md5sum command.

[root@blanche ~]# md5sum apache-tomcat-6.0.32.tar.gz
082a0707985b6c029920d4d6d5ec11cd

Compare the output above to the MD5 checksum provided on the Apache Tomcat download page and ensure that they match exactly. (There is also a link to display the MD5 checksum just to the right of the download link.)
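A checksum check that tolerates the usual copy-and-paste accidents, as an added example (not the post's own commands): the value from the website often arrives with upper-case letters, surrounding whitespace or the whole "<hash>  <file>" line, and a naive string compare then reports a false mismatch. The file in the test is constructed; in practice the arguments are /root/apache-tomcat-6.0.32.tar.gz and the hash from the Apache download page. The function also accepts sha256 for download pages that publish it. One caveat the check cannot remove: a checksum fetched from the same server as the archive only catches a corrupted transfer, since a substituted archive would come with a matching substituted checksum; the PGP signature (.asc) Apache publishes with each release, verified against a key obtained separately, is the tamper check.

```shell
#!/bin/bash
# Added example, not from the original post: compare a download's checksum with
# the published value, normalising case, whitespace and "<hash>  <file>" lines.
# Returns 0 on match, 1 on mismatch, 2 on a missing file or unknown algorithm.

# file_checksum ALGO FILE -> lowercase hex digest (md5 or sha256)
file_checksum() {
    case "$1" in
        md5)    md5sum "$2"    | cut -d' ' -f1 ;;
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
        *)      return 2 ;;
    esac
}

# normalize_hash STRING -> first whitespace-separated token, lower-cased, CR removed
normalize_hash() {
    printf '%s' "$1" | tr -d '\r' | awk '{ print tolower($1); exit }'
}

# verify_checksum ALGO FILE EXPECTED
verify_checksum() {
    algo=$1; file=$2; expected=$(normalize_hash "$3")
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ -n "$expected" ] || { echo "empty expected checksum" >&2; return 2; }
    actual=$(file_checksum "$algo" "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file $algo=$actual"
        return 0
    fi
    echo "MISMATCH: $file expected $expected got $actual" >&2
    return 1
}
```

Usage for this post's download: verify_checksum md5 /root/apache-tomcat-6.0.32.tar.gz '<value pasted from the download page>'. A non-zero exit is the signal to discard the archive and download it again rather than carry on with the install.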

Now, move (mv) or copy (cp) the file to the /usr/share directory:

[root@blanche ~]# mv apache-tomcat-6.0.32.tar.gz /usr/share/apache-tomcat-6.0.32.tar.gz

Change to the /usr/share directory and unpack the file using tar -xzf:

[root@blanche ~]# cd /usr/share
[root@sv2 blanche ]# tar -xzf apache-tomcat-6.0.32.tar.gz  

This will create the directory /usr/share/apache-tomcat-6.0.32

At this point, you could start Tomcat via the Tomcat bin directory using the Tomcat startup.sh script located at /usr/share/apache-tomcat-6.0.32/bin.

[root@blanche share]# cd /usr/share/apache-tomcat-6.0.32/bin
[root@blanche bin]# ./startup.sh


Step 3: How to Run Tomcat as a Service.

We will now see how to run Tomcat as a service and create a simple Start/Stop/Restart script, as well as to start Tomcat at boot.

Change to the /etc/init.d directory and create a script called 'tomcat' as shown below.

[root@blanche share]# cd /etc/init.d
[root@blanche init.d]# vi tomcat


#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80

# Java and Tomcat locations used by this script
JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/usr/share/apache-tomcat-6.0.32

# The Tomcat-supplied scripts do the real work; we only choose which one to call.
case "$1" in
    start)
        sh "$CATALINA_HOME/bin/startup.sh"
        ;;
    stop)
        sh "$CATALINA_HOME/bin/shutdown.sh"
        ;;
    restart)
        sh "$CATALINA_HOME/bin/shutdown.sh"
        sh "$CATALINA_HOME/bin/startup.sh"
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0

The above script is simple and contains all of the basic elements you will need to get going.

As you can see, we are simply calling the startup.sh and shutdown.sh scripts located in the Tomcat bin directory (/usr/share/apache-tomcat-6.0.32/bin).

You can adjust your script according to your needs and, in subsequent posts, we'll look at additional examples.

CATALINA_HOME is the Tomcat home directory (/usr/share/apache-tomcat-6.0.32)

Now, set the permissions for your script to make it executable:

[root@blanche init.d]# chmod 755 tomcat

We now use the chkconfig utility to have Tomcat start at boot time. In my script above, I am using chkconfig: 234 20 80. 2, 3 and 4 are the run levels and 20 and 80 are the stop and start priorities respectively. You can adjust as needed.

[root@blanche init.d]# chkconfig --add tomcat
[root@blanche init.d]# chkconfig --level 234 tomcat on

Verify it:

[root@blanche init.d]# chkconfig --list tomcat
tomcat          0:off   1:off   2:on    3:on    4:on    5:off   6:off

Now, let's test our script.

Start Tomcat:
[root@blanche ~]# service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_HOME:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-6.0.32/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24
Using CLASSPATH:       /usr/share/apache-tomcat-6.0.32/bin/bootstrap.jar

Stop Tomcat:

[root@blanche ~]# service tomcat stop
Using CATALINA_BASE:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_HOME:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-6.0.32/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24
Using CLASSPATH:       /usr/share/apache-tomcat-6.0.32/bin/bootstrap.jar

Restarting Tomcat (Must be started first):

[root@blanche ~]# service tomcat restart
Using CATALINA_BASE:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_HOME:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-6.0.32/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24
Using CLASSPATH:       /usr/share/apache-tomcat-6.0.32/bin/bootstrap.jar
Using CATALINA_BASE:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_HOME:   /usr/share/apache-tomcat-6.0.32
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-6.0.32/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24
Using CLASSPATH:       /usr/share/apache-tomcat-6.0.32/bin/bootstrap.jar



We should review the Catalina.out log located at /usr/share/apache-tomcat-6.0.32/logs/catalina.out and check for any errors.

[root@blanche init.d]# more /usr/share/apache-tomcat-6.0.32/logs/catalina.out


We can now access the Tomcat Manager page at:

http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Tomcat home page.


Step 5 (Optional): How to Run Tomcat using Minimally Privileged (non-root) User.

In our Tomcat configuration above, we are running Tomcat as Root.

For security reasons, it is always best to run services with only those privileges that are necessary.

There are some who make a strong case that this is not required, but it's always best to err on the side of caution.

To run Tomcat as non-root user, we need to do the following:

1. Create the group 'tomcat':

[root@blanche ~]# groupadd tomcat

2. Create the user 'tomcat' and add this user to the tomcat group we created above.

[root@blanche ~]# useradd -s /bin/bash -g tomcat tomcat

The above will create the home directory for the user tomcat in the default location, /home/tomcat.

If we want the home directory to be elsewhere, we simply specify so using the -d switch.

[root@blanche ~]# useradd -g tomcat -d /usr/share/apache-tomcat-6.0.32/tomcat tomcat

The above will create the user tomcat's home directory as /usr/share/apache-tomcat-6.0.32/tomcat


3. Change ownership of the tomcat files to the user we created above:

[root@blanche ~]# chown -Rf tomcat.tomcat /usr/share/apache-tomcat-6.0.32/

Note: it is possible to enhance our security still further by making certain files and directory read-only. This will not be covered in this post and care should be used when setting such permissions.


4. Adjust the start/stop service script we created above. In our new script, we need to su to the user tomcat:

#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80

JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
TOMCAT_HOME=/usr/share/apache-tomcat-6.0.32/bin

# Run the Tomcat scripts as the unprivileged 'tomcat' user. su without "-"
# keeps the exported JAVA_HOME (and normally PATH), which the scripts need.
case "$1" in
    start)
        /bin/su tomcat -c "$TOMCAT_HOME/startup.sh"
        ;;
    stop)
        /bin/su tomcat -c "$TOMCAT_HOME/shutdown.sh"
        ;;
    restart)
        /bin/su tomcat -c "$TOMCAT_HOME/shutdown.sh"
        /bin/su tomcat -c "$TOMCAT_HOME/startup.sh"
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
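Two checks worth running once the service is in place, as an added example that is not from the original post: which account the Tomcat JVM actually runs as (the point of this step), and whether conf/tomcat-users.xml, which now holds the manager credentials, is readable by every local user. The PID in the test is the shell's own and the file is constructed; in practice the PID comes from pgrep -f org.apache.catalina.startup.Bootstrap (the class Tomcat's startup.sh launches) and the file is /usr/share/apache-tomcat-6.0.32/conf/tomcat-users.xml. Linux /proc and GNU stat are assumed.

```shell
#!/bin/bash
# Added example, not from the original post: post-deployment checks for the
# non-root set-up. Assumes Linux /proc and GNU stat.

# process_uid PID -> numeric uid the process runs as; returns 1 if no such process
process_uid() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status"
}

# tomcat_runs_unprivileged PID -> 0 when the process exists and is not root
tomcat_runs_unprivileged() {
    uid=$(process_uid "$1") || return 1
    [ -n "$uid" ] && [ "$uid" != "0" ]
}

# file_world_readable FILE -> 0 if the "other" read bit is set, 1 if not, 2 if missing
file_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}    # last octal digit: permissions for "other"
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_tomcat PID USERS_FILE -> prints one line per finding; exit status is the
# number of findings, so 0 means both checks passed
check_tomcat() {
    findings=0
    if ! tomcat_runs_unprivileged "$1"; then
        echo "FINDING: process $1 is running as root or is not running"
        findings=$((findings + 1))
    fi
    if file_world_readable "$2"; then
        echo "FINDING: $2 is world-readable; it holds the manager credentials"
        findings=$((findings + 1))
    fi
    return $findings
}
```

In practice: check_tomcat "$(pgrep -f org.apache.catalina.startup.Bootstrap)" /usr/share/apache-tomcat-6.0.32/conf/tomcat-users.xml. A world-readable finding is fixed with chmod 640 on the file after the chown in step 3, which leaves it readable by the tomcat user and nobody else.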


Step 6 (Optional): How to Run Tomcat on Port 80 as Non-Root User.

Note: the following applies when you are running Tomcat in "stand alone" mode. That is, you are running Tomcat without Apache in front of it.

To run services below port 1024 as a user other than root, you can add the following to your IP tables:

[root@blanche ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080  
[root@blanche ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080  

