David Ghedini

Linux, Java, Oracle, and PostgreSQL


Thursday Jun 19, 2014

Install Tomcat 8 on CentOS, RHEL, or Fedora

This post will cover installing and configuring Tomcat 8 on CentOS 6.

Tomcat 8 implements the Servlet 3.1 and JavaServer Pages 2.3 specifications and a number of new features. In this post, we'll install Tomcat 8, JDK 7, configure Tomcat as a service, create a start/stop script, and (optionally) configure Tomcat to run under a non-root user.

We will also configure basic access to Tomcat Manager and take a quick look at memory management using JAVA_OPTS.

Finally, we will look at running Tomcat on port 80 as well as some strategies for running Tomcat behind Apache.

I have just updated this post with Tomcat 8.0.8, the current stable release of Tomcat 8.

If you are using a different release, simply change the file names below accordingly.

To begin, we'll need to install the Java Development Kit (JDK) 7.

JDK 1.7 is the minimum JDK version for Tomcat 8.


Step 1: Install JDK 1.7



You can download the latest JDK here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

We'll install JDK 7, Update 60 (7u60). The JDK is specific to 32 and 64 bit versions.

My CentOS box is 64 bit, so I'll need: jdk-7u60-linux-x64.tar.gz.

If you are on 32 bit, you'll need: jdk-7u60-linux-i586.tar.gz

Start by creating a new directory /usr/java:

[root@srv6 ~]# mkdir /usr/java  


Change to the /usr/java directory we created

[root@srv6 ~]# cd /usr/java  
[root@srv6 java ]# 


Download the appropriate JDK and save it to the /usr/java directory we created above.

Unpack jdk-7u60-linux-x64.tar.gz in the /usr/java directory using tar -xzf:

[root@srv6 java]# tar -xzf jdk-7u60-linux-x64.tar.gz


This will create the directory /usr/java/jdk1.7.0_60. This will be our JAVA_HOME.


We can now set JAVA_HOME and put Java into the path of our users.

To set it for your current session, you can issue the following from the CLI:
[root@srv6 java]# JAVA_HOME=/usr/java/jdk1.7.0_60
[root@srv6 java]# export JAVA_HOME
[root@srv6 java]# PATH=$JAVA_HOME/bin:$PATH
[root@srv6 java]# export PATH

To set JAVA_HOME permanently, however, we need to add the lines below to the ~/.bash_profile of the user (in this case, root).
We can also add them to /etc/profile and then source it to make them available to all users.
JAVA_HOME=/usr/java/jdk1.7.0_60
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
Once you have added the above to ~/.bash_profile, you should log out, then log back in and check that the JAVA_HOME is set correctly.

[root@srv6 ~]#  echo $JAVA_HOME
/usr/java/jdk1.7.0_60


Note: If you decided to use JDK 6 rather than 7 as we did above, simply save the JDK 6 bin file to /opt (or another location), then navigate to /usr/java and issue: 'sh /opt/jdk-6u33-linux-x64.bin'. This will create a JAVA_HOME of /usr/java/jdk1.6.0_33.


Step 2: Download and Unpack Tomcat 8.0.8 (or latest)



We will install Tomcat 8 under /usr/share.

Switch to the /usr/share directory:

[root@srv6 ~]# cd /usr/share
[root@srv6 share ]# 

Download apache-tomcat-8.0.8.tar.gz (or the latest version) here and save it to /usr/share.

Once downloaded, you should verify the MD5 Checksum for your Tomcat download using the md5sum command.

[root@srv6 share ]# md5sum apache-tomcat-8.0.8.tar.gz
c377b34fc4d228a63f7f1a51efbec333 *apache-tomcat-8.0.8.tar.gz

Compare the output above to the MD5 checksum provided next to the download link you used and check that it matches.

Unpack the file using tar -xzf:

[root@srv6 share ]# tar -xzf apache-tomcat-8.0.8.tar.gz  
This will create the directory /usr/share/apache-tomcat-8.0.8


Step 3: Configure Tomcat to Run as a Service.



We will now see how to run Tomcat as a service and create a simple Start/Stop/Restart script, as well as to start Tomcat at boot.

Change to the /etc/init.d directory and create a script called 'tomcat' as shown below.

[root@srv6 share]# cd /etc/init.d
[root@srv6 init.d]# vi tomcat
And here is the script we will use.

#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
JAVA_HOME=/usr/java/jdk1.7.0_60
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/usr/share/apache-tomcat-8.0.8

case $1 in
start)
sh $CATALINA_HOME/bin/startup.sh
;; 
stop)   
sh $CATALINA_HOME/bin/shutdown.sh
;; 
restart)
sh $CATALINA_HOME/bin/shutdown.sh
sh $CATALINA_HOME/bin/startup.sh
;; 
esac    
exit 0
The above script is simple and contains all of the basic elements you will need to get going.

As you can see, we are simply calling the startup.sh and shutdown.sh scripts located in the Tomcat bin directory (/usr/share/apache-tomcat-8.0.8/bin).

You can adjust your script according to your needs and, in subsequent posts, we'll look at additional examples.

CATALINA_HOME is the Tomcat home directory (/usr/share/apache-tomcat-8.0.8)

Now, set the permissions for your script to make it executable:

[root@srv6 init.d]# chmod 755 tomcat

We now use the chkconfig utility to have Tomcat start at boot time. In my script above, I am using chkconfig: 234 20 80. 234 are the run levels and 20 and 80 are the stop and start priorities respectively. You can adjust as needed.

[root@srv6 init.d]# chkconfig --add tomcat
[root@srv6 init.d]# chkconfig --level 234 tomcat on
Verify it:

[root@srv6 init.d]# chkconfig --list tomcat
tomcat          0:off   1:off   2:on    3:on    4:on    5:off   6:off
Now, let's test our script.

Start Tomcat:
[root@srv6 ~]# service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_HOME:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-8.0.8/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_60
Using CLASSPATH:       /usr/share/apache-tomcat-8.0.8/bin/bootstrap.jar:/usr/share/apache-tomcat-8.0.8/bin/tomcat-juli.jar
Stop Tomcat:

[root@srv6 ~]# service tomcat stop
Using CATALINA_BASE:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_HOME:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-8.0.8/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_60
Using CLASSPATH:       /usr/share/apache-tomcat-8.0.8/bin/bootstrap.jar:/usr/share/apache-tomcat-8.0.8/bin/tomcat-juli.jar
Restarting Tomcat (Must be started first):

[root@srv6 ~]# service tomcat restart
Using CATALINA_BASE:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_HOME:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-8.0.8/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_60
Using CLASSPATH:       /usr/share/apache-tomcat-8.0.8/bin/bootstrap.jar:/usr/share/apache-tomcat-8.0.8/bin/tomcat-juli.jar
Using CATALINA_BASE:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_HOME:   /usr/share/apache-tomcat-8.0.8
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-8.0.8/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_60
Using CLASSPATH:       /usr/share/apache-tomcat-8.0.8/bin/bootstrap.jar:/usr/share/apache-tomcat-8.0.8/bin/tomcat-juli.jar

We should review the catalina.out log located at /usr/share/apache-tomcat-8.0.8/logs/catalina.out and check for any errors.

[root@srv6 init.d]# more /usr/share/apache-tomcat-8.0.8/logs/catalina.out
We can now access the Tomcat Manager page at:

http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Tomcat home page.



Step 4: Configuring Tomcat Manager Access.



Tomcat 8 contains a number of changes that offer finer-grain roles.

For security reasons, no users or passwords are created for the Tomcat manager roles by default. In a production deployment, it is always best to remove the Manager application.

To set roles, user name(s) and password(s), we need to configure the tomcat-users.xml file located at $CATALINA_HOME/conf/tomcat-users.xml.

In the case of our installation, $CATALINA_HOME is located at /usr/share/apache-tomcat-8.0.8.

By default, the Tomcat 8 tomcat-users.xml file will have the elements between the <tomcat-users> and </tomcat-users> tags commented out.

New roles for Tomcat 8 offer finer-grained access. The following roles are now available:

manager-gui
manager-status
manager-jmx
manager-script
admin-gui
admin-script

We can set the manager-gui role, for example, as below:

<tomcat-users>
<role rolename="manager-gui"/>
<user username="tomcat" password="secret" roles="manager-gui"/>
</tomcat-users>


Caution should be exercised in granting multiple roles so as not to undermine security.
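
An added example, not part of the original post: a POSIX shell audit of tomcat-users.xml that flags the two risks raised in this step, a placeholder password such as the "secret" used above and a user holding manager-gui together with manager-script or manager-jmx (a combination the Tomcat Manager documentation advises against). The function names, the sample file and the short password list are constructed for illustration, and each <user .../> element is assumed to sit on one line.

```shell
#!/bin/sh
# Added example (not from the original post): audit tomcat-users.xml.
# Assumption: each <user .../> element sits on a single line.

# Drop XML comments, including multi-line ones, so the commented-out sample
# users in the stock file are not reported.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                e = index(line, "-->")
                if (e == 0) break
                line = substr(line, e + 3); incomment = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) { out = out line; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Print the value of attribute $1 from the element read on stdin.
attr() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Prints one WARN line per finding; prints nothing when the file is clean.
audit_tomcat_users() {
    strip_xml_comments "$1" | grep '<user[[:space:]]' | while IFS= read -r el; do
        user=$(printf '%s\n' "$el" | attr username)
        pass=$(printf '%s\n' "$el" | attr password)
        roles=,$(printf '%s\n' "$el" | attr roles | tr -d ' '),
        # The Manager HTML pages are CSRF-protected; the script and JMX
        # interfaces are not, so the roles should not share one user.
        case $roles in *,manager-gui,*)
            case $roles in *,manager-script,*|*,manager-jmx,*)
                echo "WARN $user: manager-gui combined with manager-script/manager-jmx" ;;
            esac ;;
        esac
        # Constructed list of placeholder passwords ("secret" is the post's own).
        case $pass in ""|"$user"|secret|tomcat|password|admin)
            echo "WARN $user: placeholder or guessable password" ;;
        esac
    done
}

# Constructed sample input.
write_sample_users() {
    cat > "$1" <<'EOF'
<tomcat-users>
<!--
  <user username="sample" password="tomcat" roles="manager-gui,manager-script"/>
-->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="secret" roles="manager-gui"/>
  <user username="deploy" password="constructed-Xk7q" roles="manager-gui, manager-script"/>
  <user username="ops" password="constructed-Qz9w" roles="manager-status"/>
</tomcat-users>
EOF
}

sample=$(mktemp); write_sample_users "$sample"
audit_tomcat_users "$sample"; rm -f "$sample"
```

To audit a real installation, pass $CATALINA_HOME/conf/tomcat-users.xml to audit_tomcat_users in place of the sample file.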


Step 5 (Optional): Manage Memory Usage Using JAVA_OPTS.



Getting the right heap memory settings for your installation will depend on a number of factors.

For simplicity, we will set our initial heap size, Xms, and our maximum heap size, Xmx, to the same value of 128 Mb.

Similarly, there are several approaches you can take as to where and how you set your JAVA_OPTS.

Again, for simplicity, we will add our JAVA_OPTS memory parameters in our catalina.sh file.

So, open the catalina.sh file located under /usr/share/apache-tomcat-8.0.8/bin with a text editor or vi.

Since we are using 128 Mb for both initial and maximum heap size, add the following line to catalina.sh:

JAVA_OPTS="-Xms128m -Xmx128m" 


I usually just add this in the second line of the file so it looks as so:

#!/bin/sh
JAVA_OPTS="-Xms128m -Xmx128m" 
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at



Step 6 (Optional): How to Run Tomcat using Minimally Privileged (non-root) User.



In our Tomcat configuration above, we are running Tomcat as root.

For security reasons, it is always best to run services with only those privileges that are necessary.

There are some who make a strong case that this is not required, but it's always best to err on the side of caution.

To run Tomcat as non-root user, we need to do the following:

1. Create the group 'tomcat':

[root@srv6 ~]# groupadd tomcat
2. Create the user 'tomcat' and add this user to the tomcat group we created above.

[root@srv6 ~]# useradd -s /bin/bash -g tomcat tomcat
The above will create a home directory for the user tomcat in the default user home as /home/tomcat

If we want the home directory to be elsewhere, we simply specify so using the -d switch.

[root@srv6 ~]# useradd -g tomcat -d /usr/share/apache-tomcat-8.0.8/tomcat tomcat
The above will create the user tomcat's home directory as /usr/share/apache-tomcat-8.0.8/tomcat

3. Change ownership of the tomcat files to the user tomcat we created above:

[root@srv6 ~]# chown -Rf tomcat:tomcat /usr/share/apache-tomcat-8.0.8/
Note: it is possible to enhance our security still further by making certain files and directories read-only. This will not be covered in this post and care should be used when setting such permissions.

4. Adjust the start/stop service script we created above. In our new script, we need to su to the user tomcat:

#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
JAVA_HOME=/usr/java/jdk1.7.0_60
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/usr/share/apache-tomcat-8.0.8/bin

case $1 in
start)
/bin/su tomcat $CATALINA_HOME/startup.sh
;; 
stop)   
/bin/su tomcat $CATALINA_HOME/shutdown.sh
;; 
restart)
/bin/su tomcat $CATALINA_HOME/shutdown.sh
/bin/su tomcat $CATALINA_HOME/startup.sh
;; 
esac    
exit 0



Step 7 (Optional): How to Run Tomcat on Port 80 as Non-Root User.



Note: the following applies when you are running Tomcat in "stand alone" mode with Tomcat running under the minimally privileged user Tomcat we created in the previous step.

To run services below port 1024 as a user other than root, you can add the following to your IP tables:

[root@srv6 ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080  
[root@srv6 ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080  


Be sure to save and restart your IP Tables.

Step 8 (Optional): Running Tomcat behind Apache



As an alternative to running Tomcat on port 80, if you have Apache in front of Tomcat, you can use mod_proxy as well as ajp connector to map your domain to your Tomcat application(s) using an Apache vhost as shown below.

While Tomcat has improved its 'standalone performance', I still prefer to have Apache in front of it for a number of reasons.

In your Apache config, be sure to set KeepAlive to 'on'. Apache tuning, of course, is a whole subject in itself...


Example 1: VHOST with mod_proxy:





<VirtualHost *:80>
    ServerAdmin admin@yourdomain.com
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com


    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
       Order allow,deny
       Allow from all
    </Proxy>


    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/


    ErrorLog logs/yourdomain.com-error_log
    CustomLog logs/yourdomain.com-access_log common

</VirtualHost>


Example 2: VHOST with ajp connector and mod_proxy:

<VirtualHost *:80>
	ServerAdmin admin@yourdomain.com
	ServerName yourdomain.com
	ServerAlias www.yourdomain.com


	ProxyRequests Off
	ProxyPreserveHost On
	<Proxy *>
	Order allow,deny
	Allow from all
	</Proxy>

	ProxyPass / ajp://localhost:8009/
	ProxyPassReverse / ajp://localhost:8009/


	ErrorLog logs/yourdomain.com-error_log
	CustomLog logs/yourdomain.com-access_log common
</VirtualHost>



In both vhost examples above, we are "mapping" the domain to Tomcat's ROOT directory.

If we wish to map to an application such as yourdomain.com/myapp, we can add some rewrite as shown below.

This will rewrite all requests for yourdomain.com to yourdomain.com/myapp.

Example 3: VHOST with rewrite:


<VirtualHost *:80>
	ServerAdmin admin@yourdomain.com
	ServerName yourdomain.com
	ServerAlias www.yourdomain.com


	RewriteEngine On
	RewriteRule ^/$ myapp/ [R=301]

	ProxyRequests Off
	ProxyPreserveHost On
	<Proxy *>
	Order allow,deny
	Allow from all
	</Proxy>

	ProxyPass / ajp://localhost:8009/
	ProxyPassReverse / ajp://localhost:8009/


	ErrorLog logs/yourdomain.com-error_log
	CustomLog logs/yourdomain.com-access_log common
</VirtualHost>






Tuesday Sep 11, 2012

PostgreSQL 9.2 Released

PostgreSQL 9.2 has been released (9.2.0):

http://www.postgresql.org/docs/9.2/static/release-9-2.html

Update (September 16, 2012): Just updated my blog to 9.2 using pg_upgrade.

So far, so good.




Tuesday Aug 14, 2012

Apache TomEE on CentOS 6

This post will cover installing Apache TomEE on CentOS 6.x

TomEE is a certified implementation of the Java EE 6 Web Profile.

What is most interesting is that it is built on top of Tomcat 7. Literally. Nothing has been removed from Tomcat 7, only added to.

Installation is quite identical to Tomcat 7 and you can even deploy TomEE as a WAR from within an existing Tomcat 7.x installation.

I wasn't keen on this option as the overall directory structure, jar locations, conf files, etc...are different from the apache-tomee-1.0.0-webprofile package layout, which we will be installing below.

Conversely, it could be an option to consider as apache-tomee-1.0.0-webprofile is packaged with Tomcat 7.0.27 (current stable is 7.0.29).

There is also a TomEE Plus package with additional features, but this is not Java EE6 certified. Installation of TomEE Plus is identical to Web Profile below, just change the file names.

Below, we'll install TomEE and configure it to run as a service. To see how to run TomEE as an unprivileged user, Manager configuration, run on port 80, etc, etc...please see my Tomcat 7 Installation post

To begin, we'll need to install the Java Development Kit (JDK) 6




Step 1: Install JDK 1.6 latest



You can download the latest JDK here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

We'll install the latest JDK, which is JDK 6, Update 33.

For CentOS 64 bit, I'll be using jdk-6u33-linux-x64.bin (for 32 bit, use jdk-6u33-linux-i586.bin)

Download jdk-6u33-linux-x64.bin and save it to the /opt directory.

[root@demo3 opt]# ls
jdk-6u33-linux-x64.bin


Creating a new directory /usr/java:

[root@demo3 opt ]# mkdir /usr/java  


Change to the /usr/java directory we created

[root@demo3 opt ]# cd /usr/java  
[root@demo3 java ]# 


Execute the bin file using 'sh /opt/jdk-6u33-linux-x64.bin' (if you saved jdk-6u33-linux-x64.bin to a location other than /opt, adjust accordingly)

[root@demo3 java]# sh /opt/jdk-6u33-linux-x64.bin


This will create the directory /usr/java/jdk1.6.0_33. This will be our JAVA_HOME.


We can now set JAVA_HOME and put Java into the path of our users.

To set the JAVA_HOME, add below to the .bash_profile of root (you can do the same for user tomcat - or any other user - later if you decide to run it under a non-privileged user).
JAVA_HOME=/usr/java/jdk1.6.0_33
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH


Once you have added the above to .bash_profile, issue '. ~/.bash_profile' as shown below. Or you can simply log out and log back in.

[root@demo3 ~]#  . ~/.bash_profile


Verify that Java is now in your path by issuing 'echo $JAVA_HOME'

[root@demo3 ~]# echo $JAVA_HOME
/usr/java/jdk1.6.0_33


You can also issue 'java -version' to check that Java is available to your user.

[root@demo3 ~]# java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)


Step 2: Download and Unpack Apache TomEE 1.0.0 (or latest)



We will install TomEE under /usr/share.

Switch to the /usr/share directory:

[root@demo3 ~]# cd /usr/share
[root@demo3 share ]# 

Download apache-tomee-1.0.0-webprofile.tar.gz (or the latest version) here and save it to /usr/share.

Unpack the file using tar -xzf:

[root@demo3 share ]# tar -xzf apache-tomee-1.0.0-webprofile.tar.gz 
This will create the directory /usr/share/apache-tomee-webprofile-1.0.0

This will be the home directory for TomEE


Step 3: Configure TomEE to Run as a Service.



Create a simple Start/Stop/Restart for TomEE.

Change to the /etc/init.d directory and create a script called 'tomee' as shown below.

[root@demo3 share]# cd /etc/init.d
[root@demo3 init.d]# vi tomee
And here is the script we will use.

#!/bin/bash
# description: TomEE Start Stop Restart
# processname: tomee
# chkconfig: 234 20 80
JAVA_HOME=/usr/java/jdk1.6.0_33
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/usr/share/apache-tomee-webprofile-1.0.0

case $1 in
start)
sh $CATALINA_HOME/bin/startup.sh
;; 
stop)   
sh $CATALINA_HOME/bin/shutdown.sh
;; 
restart)
sh $CATALINA_HOME/bin/shutdown.sh
sh $CATALINA_HOME/bin/startup.sh
;; 
esac    
exit 0
You can adjust your script according to your needs.

Make the script executable:

[root@demo3 init.d]# chmod 755 tomee
Add to chkconfig with run levels 234 (or whatever you prefer)

[root@demo3 init.d]# chkconfig --add tomee
[root@demo3 init.d]# chkconfig --level 234 tomee on
Verify it:

[root@demo3 init.d]# chkconfig --list tomee
tomee          0:off   1:off   2:on    3:on    4:on    5:off   6:off
Test the script.

Start TomEE:
[root@demo3 ~]# service tomee start
Using CATALINA_BASE:   /usr/share/apache-tomee-webprofile-1.0.0
Using CATALINA_HOME:   /usr/share/apache-tomee-webprofile-1.0.0
Using CATALINA_TMPDIR: /usr/share/apache-tomee-webprofile-1.0.0/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_33
Using CLASSPATH:       /usr/share/apache-tomee-webprofile-1.0.0/bin/bootstrap.jar:/usr/share/apache-tomee-webprofile-1.0.0/bin/tomcat-juli.jar
Check if the Tomcat Manager page is visible at http://yourIPaddress:8080. If not check your firewall and logs.

Stop TomEE:

[root@demo3 ~]# service tomee stop
Using CATALINA_BASE:   /usr/share/apache-tomee-webprofile-1.0.0
Using CATALINA_HOME:   /usr/share/apache-tomee-webprofile-1.0.0
Using CATALINA_TMPDIR: /usr/share/apache-tomee-webprofile-1.0.0/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_33
Using CLASSPATH:       /usr/share/apache-tomee-webprofile-1.0.0/bin/bootstrap.jar:/usr/share/apache-tomee-webprofile-1.0.0/bin/tomcat-juli.jar
Review the catalina.out log located at /usr/share/apache-tomee-webprofile-1.0.0/logs/catalina.out and check for any errors.

[root@demo3 init.d]# more /usr/share/apache-tomee-webprofile-1.0.0/logs/catalina.out


Step 4 (Optional): Configure Remote Access to TomEE Console



By default, the TomEE Console is restricted via a valve to 127.0.0.1 (localhost).

You can remove or change this via the context.xml at:

/usr/share/apache-tomee-webprofile-1.0.0/webapps/tomee/META-INF/context.xml

<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|0:0:0:0:0:0:0:1(%.*)?|^::1$" deny=""/>
</Context>


As with Tomcat 7, piping (|) is used in place of commas.
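
An added example, not part of the original post: a small POSIX shell harness for trying out a RemoteAddrValve allow pattern against addresses that must and must not get through, before the pattern goes into context.xml. It relies on the valve accepting a client only when the whole address matches the expression; the function names and the 192.168.1.50 workstation address are constructed, and the pattern is assumed to use only syntax shared by Java regular expressions and POSIX ERE.

```shell
#!/bin/sh
# Added example (not from the original post): test a RemoteAddrValve "allow"
# pattern against sample addresses before editing context.xml.
# Assumption: the pattern uses only syntax shared by Java regex and POSIX ERE.

# The valve accepts a client only if the WHOLE address matches the pattern,
# so the pattern is wrapped in ^( ... )$ to get the same behaviour from grep.
valve_allows() {   # valve_allows PATTERN ADDRESS
    printf '%s\n' "$2" | grep -Eq -- "^($1)\$"
}

# check_allow_pattern PATTERN "MUST-ALLOW ADDRS" "MUST-DENY ADDRS"
# Prints one line per violated expectation; returns 1 if there was any.
check_allow_pattern() {
    rc=0
    for a in $2; do
        if ! valve_allows "$1" "$a"; then
            echo "blocked, expected allowed: $a"; rc=1
        fi
    done
    for a in $3; do
        if valve_allows "$1" "$a"; then
            echo "allowed, expected denied: $a"; rc=1
        fi
    done
    return $rc
}

# Pattern shipped in the TomEE context.xml shown above.
DEFAULT_ALLOW='127\.0\.0\.1|0:0:0:0:0:0:0:1(%.*)?|^::1$'
# Constructed variants that add one admin workstation (address is made up).
PIPE_ALLOW='127\.0\.0\.1|192\.168\.1\.50'     # alternatives joined with |
COMMA_ALLOW='127\.0\.0\.1,192\.168\.1\.50'    # comma is matched literally

# Constructed sample addresses.
LOCAL='127.0.0.1 ::1 0:0:0:0:0:0:0:1%eth0'
OUTSIDE='127.0.0.10 192.168.1.5 192.168.1.500 10.0.0.7'

# Default pattern: loopback only, and no near-miss such as 127.0.0.10.
check_allow_pattern "$DEFAULT_ALLOW" "$LOCAL" "$OUTSIDE 192.168.1.50" || true
# Pipe-separated pattern: the workstation is admitted, its neighbours are not.
check_allow_pattern "$PIPE_ALLOW" "127.0.0.1 192.168.1.50" "$OUTSIDE" || true
# Comma-separated pattern: reports both addresses as blocked.
check_allow_pattern "$COMMA_ALLOW" "127.0.0.1 192.168.1.50" "$OUTSIDE" || true
```

The valve tests the address of the connection Tomcat itself receives, so requests relayed by a local Apache over ProxyPass to http://localhost:8080/ arrive as 127.0.0.1 and pass the default pattern.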


Below is a quick look at the TomEE Console screens and its tabs:

[Screenshot: TomEE Console Welcome Page]
[Screenshot: TomEE Console Test Page]
[Screenshot: TomEE Console JNDI Page]
[Screenshot: TomEE Console EJB Page]
[Screenshot: TomEE Console Class Page]
[Screenshot: TomEE Console Invoke Page]

To see how to run TomEE as an unprivileged user, Manager configuration, run on port 80, etc... please see my Tomcat 7 Installation post.
