CopyDisable

Showing posts with label Tomcat.

Friday, 7 June 2013

Running tomcat as a normal user on port 80

I had to run Tomcat on port 80 as a non-root user, but the problem was that non-root users cannot bind to port numbers lower than 1024 on Linux. So I was not able to start Tomcat as a normal user after changing the HTTP connector port to 80. Normally web servers like Apache run one process as root, which binds port 80, while the other Apache processes run as the normal www-data user. The way around it was to use the authbind Linux utility (bind sockets to privileged ports without root) for this purpose.

For this example I am using Ubuntu 12.04 and Tomcat 7 and Oracle jdk1.6.0_45.

I will create one user, tomcat, and run the Tomcat server as that user.

Creating the user tomcat:

useradd -d /app/tomcat tomcat

I have deployed Tomcat in the /app/tomcat directory and created the user with /app/tomcat as its home directory (it is not necessary to use the Tomcat directory as the home directory, but make sure that the user has read/write access to it).

Change the ownership of the /app/tomcat folder:

chown -R tomcat:tomcat /app/tomcat

Now install authbind:

apt-get install authbind

Access to low-numbered ports is controlled by the permissions and contents of files in a configuration area, /etc/authbind.

I will create an empty file named 80 inside the byport folder of the authbind config directory /etc/authbind, and then set permissions on this 80 file to control who may use it, and so who may bind port 80.

touch /etc/authbind/byport/80
chmod 500 /etc/authbind/byport/80
chown tomcat /etc/authbind/byport/80

Since I want to run the Tomcat server as the tomcat user on port 80, I gave the tomcat user access to this 80 file (authbind checks that the calling user has execute permission on the byport file, which is why the mode is 500 and the owner is tomcat).
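Before wiring authbind into an init script it is worth checking that the grant is exactly what was intended: the byport file exists, belongs to the service user, has the owner execute bit, and does not also grant the port to group or others. The following preflight check is an added example, not part of the original post; the config directory, port and user are parameters so it can be pointed at a test directory as well as at /etc/authbind.

```shell
#!/bin/sh
# Added example (not from the original post): verify an authbind port grant.
# Usage: check_authbind_port <authbind-config-dir> <port> <user>
# Returns 0 only when <dir>/byport/<port> exists, is owned by <user>, has the
# owner execute bit (the bit authbind tests on the caller), and grants execute
# to nobody else, i.e. the port is handed to that single user only.
check_authbind_port() {
    dir=$1; port=$2; user=$3
    f="$dir/byport/$port"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "$user" ] || { echo "$f is owned by $owner, expected $user" >&2; return 1; }
    mode=$(stat -c '%a' "$f")          # octal mode string, e.g. 500
    perm=$(printf '%d' "0$mode")       # shell printf parses the leading 0 as octal
    # owner execute is bit 6 (value 64), group execute bit 3 (8), other execute bit 0 (1)
    [ $(( (perm / 64) % 2 )) -eq 1 ] \
        || { echo "$f mode $mode lacks the owner execute bit" >&2; return 1; }
    [ $(( (perm / 8) % 2 )) -eq 0 ] && [ $(( perm % 2 )) -eq 0 ] \
        || { echo "$f mode $mode grants the port to group or others too" >&2; return 1; }
    echo "$f: port $port granted to $user only"
    return 0
}

# Stand-alone use: sh check_authbind.sh /etc/authbind 80 tomcat
if [ "$#" -eq 3 ]; then
    check_authbind_port "$@"
fi
```

The check deliberately reads the mode with stat instead of using the shell's -x test, because -x reports whether the user running the check can execute the file (always true for root), not whether the service user can.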

Now I am going to add the JVM option to the catalina.sh file using JAVA_OPTS:

-Djava.net.preferIPv4Stack=true


The IPv6 stack is preferred by default on a dual-stack machine; since we want IPv4, this is set through the option -Djava.net.preferIPv4Stack=true. This matters because older authbind releases only intercept IPv4 bind() calls (IPv6 support arrived in the 2.x series), so a JVM opening its default dual-stack IPv6 socket would still be refused port 80.

Now I will write the init.d script for Tomcat, using authbind to run the Tomcat server as the non-root tomcat user.

/etc/init.d/tomcat file:

#!/bin/sh
# /etc/init.d/tomcat
# Starts, stops and reports Tomcat as the unprivileged "tomcat" user.
# authbind --deep makes the port-80 grant apply to the JVM that startup.sh spawns.
CATALINA_HOME="/app/tomcat"

# PID of the first process whose command line contains CATALINA_HOME (empty if none)
tomcat_pid() {
    ps -ef | grep "$CATALINA_HOME" | grep -v grep | awk '{print $2}' | head -n 1
}

case "$1" in
start)
    tomcat_id=$(tomcat_pid)
    if [ -n "$tomcat_id" ]
    then
        echo "Tomcat is already running with PID: $tomcat_id"
    else
        echo "Starting tomcat from $CATALINA_HOME"
        sudo -u tomcat authbind --deep "$CATALINA_HOME/bin/startup.sh"
    fi
    ;;
stop)
    tomcat_id=$(tomcat_pid)
    if [ -n "$tomcat_id" ]
    then
        echo "Stopping tomcat from $CATALINA_HOME"
        sudo -u tomcat authbind --deep "$CATALINA_HOME/bin/shutdown.sh"
    else
        echo "Tomcat is not running"
    fi
    ;;
status)
    tomcat_id=$(tomcat_pid)
    if [ -n "$tomcat_id" ]
    then
        echo "Tomcat is running with PID: $tomcat_id"
    else
        echo "Tomcat is not running"
    fi
    ;;
*)
    echo "usage: $0 {start|stop|status}"
    exit 3
    ;;
esac

We can start and stop Tomcat using:

service tomcat start

service tomcat stop

To auto-start Tomcat at system reboot, run as root:

update-rc.d tomcat defaults

That's it. We can use the same process to run the GlassFish server as a non-root user on port 80.

Thursday, 3 January 2013

Using self-signed certificate in Tomcat for secure connection

For one of our in-house applications (running on Tomcat), I had to implement SSL. All communication with that application must be secure, as the application will store some sensitive information. Since we are going to use this application inside our organization, I decided to deploy a self-signed certificate instead of paying for a certificate from some CA.

Step 1: Generate self-signed certificate

Creating a self-signed certificate is very easy, and I am going to use the keytool program that comes with the JDK. Using keytool I will create a keystore file to hold the server's private key and self-signed certificate.
root@pranabs:~# keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/conf/.keystore -validity 365
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  MY CA
What is the name of your organizational unit?
  [Unknown]:  Development
What is the name of your organization?
  [Unknown]:  M Ltd.
What is the name of your City or Locality?
  [Unknown]:  Pune
What is the name of your State or Province?
  [Unknown]:  Maharashtra
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=MY CA, OU=Development, O=M Ltd., L=Pune, ST=Maharashtra, C=IN correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):


-genkey: Generates a key pair (a public key and associated private key) and wraps the public key in an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by the alias.
-alias: All keystore entries (key and trusted certificate entries) are accessed via unique aliases.
-keyalg: Specifies the algorithm to be used to generate the key pair.
-keystore: By default the keytool command creates a new keystore file named .keystore in the home directory of the user running the command. To specify a different location or filename, the -keystore parameter is used.
-validity: Specifies the number of days for which the certificate should be considered valid.
When we run the command, we are first prompted for the keystore password. Enter the password for the keystore; this password has to be specified in Tomcat's server.xml file.
Next we have to enter general information about the certificate, such as company, contact name, and so on. Later, anyone who accesses a secure page can view this information in the certificate, so we have to make sure that the information we enter is acceptable to our users.
Finally, we have to enter the key password, which protects the key we are generating. Here we must enter the same password as the keystore password (this is a Tomcat restriction).

Step 2: Edit tomcat configuration file

Here we are going to configure Tomcat's HTTPS connector. Open Tomcat's server.xml configuration file. In my config file Tomcat is configured to use port 80 (Tomcat default 8080) for HTTP connections and port 443 (Tomcat default 8443) for HTTPS connections. In the HTTPS connector, specify the keystoreFile and keystorePass attributes.
# pico /usr/local/tomcat/conf/server.xml
<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat/conf/.keystore" keystorePass="xxxxxxxx" />

Save the file.

Step 3: Configure Tomcat to redirect HTTP requests to HTTPS.

Edit the web.xml file of the application
# pico /usr/local/tomcat/webapps/myapp/WEB-INF/web.xml
and add the following lines:

<web-app ……….>
…….
…….
…….
 <security-constraint>
        <web-resource-collection>
         <web-resource-name>myapp</web-resource-name>
         <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
   </security-constraint>


</web-app>

Save the file and restart Tomcat. That's it, our application is now secured.
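The three steps above can be scripted so the keystore is produced the same way every time and the result is checked rather than assumed. The script below is an added example and not part of the original post: it creates the keystore non-interactively with keytool (passing the distinguished name and, as step 1 requires, the same password for keystore and key), confirms the private-key entry is present, and checks that a plain HTTP URL is answered with a redirect to https:// as step 3 intends. It assumes keytool and curl are on PATH; the keystore path, alias, password and URL are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive keystore creation
# plus two checks for the Tomcat HTTPS setup described in steps 1 to 3.

# make_keystore <keystore-file> <password> <alias> <validity-days> <dname>
# One password is passed as both -storepass and -keypass, because Tomcat uses
# keystorePass for the key as well unless keyPass is set separately.
# -keysize 2048 is explicit because older keytool releases default to 1024-bit RSA.
make_keystore() {
    ks=$1; pass=$2; alias=$3; days=$4; dname=$5
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
        -validity "$days" -dname "$dname" \
        -keystore "$ks" -storepass "$pass" -keypass "$pass"
}

# keystore_has_key <keystore-file> <password> <alias>
# Returns 0 when the alias exists as a private-key entry.
# Older keytool prints "keyEntry" for such entries, newer ones "PrivateKeyEntry".
keystore_has_key() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -i "^$3," | grep -Eiq 'PrivateKeyEntry|keyEntry'
}

# check_redirect <http-url>
# Returns 0 when the server answers a HEAD request with a 3xx status whose
# Location header points at an https:// URL (the effect of the CONFIDENTIAL
# transport guarantee in web.xml).
check_redirect() {
    hdrs=$(curl -sSI "$1") || return 1
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq 'HTTP/[0-9.]+ 30[1278]' &&
        printf '%s\n' "$hdrs" | grep -Eiq '^location: *https://'
}

# Stand-alone use (paths and password are placeholders):
#   make_keystore /usr/local/tomcat/conf/.keystore CHANGE_ME tomcat 365 \
#       "CN=MY CA, OU=Development, O=M Ltd., L=Pune, ST=Maharashtra, C=IN"
#   keystore_has_key /usr/local/tomcat/conf/.keystore CHANGE_ME tomcat && echo ok
#   check_redirect http://localhost/myapp/ && echo "redirects to https"
```

Passing -storepass and -keypass on the command line exposes the password to other users through the process list and to the shell history, so on a shared machine run the script from a file with restricted permissions or fall back to the interactive prompts shown above.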

Tuesday, 23 August 2011

Creating multiple instances in Tomcat 7

Creating multiple Tomcat instances on Windows has never been as easy as it is with Tomcat 7. It is very simple with the Windows installer, which also creates the Windows service. There is no manual work of creating a new directory, copying files, editing configuration files and creating the Windows service; all of this is done by the new Tomcat 7 Windows installer.
Suppose I want to create three Tomcat instances. Run the installer and in the Configuration Options select the appropriate ports and service name for each instance.
Suppose my first instance is Tomcat7_KNIT: enter the ports as required and also the name of the Windows service for this instance.

Select the installation location

To create my second instance, Tomcat7_Nirman, run the Tomcat installer again. In the configuration options select ports different from those of the first instance.

Select the installation folder

Similarly for the third instance, run the installer and select the ports and installation directory.

After the installation is done, I can see the three Tomcat services. The name of each service is prefixed with Apache Tomcat 7.0. By default the service startup is manual; if required, change it to automatic.

Joi Aai Axom (Hail Mother Assam),
Pranab Sharma

Monday, 15 August 2011

Creating new Tomcat instance - 2nd Way

In one of my previous posts, Creating a new Tomcat5.5 Instance, I wrote how to create multiple Tomcat instances using a utility called Tomcat Service Manager. When I was migrating applications from one server to a new server, I had to create multiple Tomcat services. But the problem I faced was that the new server was the Windows 2003 64-bit version and the Tomcat Service Manager utility would not run on it. So I had to look for some other option to create the new Tomcat instances and services. I did the following steps to create the new instances:
1) I downloaded the zip version of Tomcat (do not download the Windows installer version).
2) Extract it to the desired location. Suppose I want tomcat in D:\TomcatOER for deploying my OER confluence application.
3) Edit the server.xml file and change the default shutdown port, default HTTP port, default connector port and redirect port of the Tomcat instance.
4) Now we have to create the Windows service for this instance.
The zipped Tomcat comes with the service.bat batch file to create the Windows service.
We are going to run a small batch script which first sets the environment variables and then calls service.bat to create the service named TomcatOER.
REM ###This is the path of the installed JDK
set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_20

REM ###Path where I unzipped Tomcat

set TOMCAT_HOME=D:\TomcatOER
set CATALINA_BASE=D:\TomcatOER
D:
cd %TOMCAT_HOME%\bin
call service.bat install TomcatOER
Run this script to create the Tomcat service named TomcatOER.
5) Now we can use the Tomcat6w GUI application to monitor and configure the Tomcat service.
Run this from the command line to configure the TomcatOER service:
tomcat6w //ES//TomcatOER


Joi Aai Axom (Hail Mother Assam),
Pranab Sharma

Creating a new Tomcat5.5 Instance

Follow these steps to create a new Tomcat instance:
  • Copy the entire working Tomcat directory structure (suppose from the existing D:\Tomcat_existing to the new E:\Tomcat_new)
  • Edit the server.xml file of the new instance E:\Tomcat_new
  • Change the default shutdown port from 8005 to some other port (like 8006)
  • Change the default http port from 8080 to some other port (like 8090)
  • Change the default connection port from 8009 to some other port (like 8010)
  • Save server.xml
  • Delete the contents of logs directory in the new instance
  • Edit the workers.properties file and add a new worker process with port 80XX
  • Create a new Tomcat service for the new instance. I used a utility called Tomcat Service Manager (tsm.exe, http://www.daveoxley.co.uk/tcsm/) to create the Tomcat service.
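The copy-and-change-ports procedure in this post and in the "2nd Way" post above is the same on any platform; the only Windows-specific part is registering the service. The script below is an added example, not from the original posts, showing the Linux/Unix form of that procedure: it copies an instance directory, refuses port sets that collide with each other, clears the stale logs, work and temp contents, and rewrites the shutdown, HTTP and AJP connector ports in server.xml while leaving redirectPort alone. It assumes the source server.xml uses Tomcat's defaults 8005/8080/8009 written as port="NNNN", and that GNU sed is available (sed -i).

```shell
#!/bin/sh
# Added example (not from the original posts): clone a Tomcat instance directory
# and rewrite the three ports that must differ between instances.

# clone_instance <src-dir> <dst-dir> <shutdown-port> <http-port> <ajp-port>
# Returns 1 without copying anything when the ports are not distinct, the source
# has no conf/server.xml, or the destination already exists.
clone_instance() {
    src=$1; dst=$2; shut=$3; http=$4; ajp=$5
    [ "$shut" != "$http" ] && [ "$shut" != "$ajp" ] && [ "$http" != "$ajp" ] || return 1
    [ -f "$src/conf/server.xml" ] || return 1
    [ ! -e "$dst" ] || return 1
    cp -r "$src" "$dst" || return 1
    # logs, compiled JSPs and temp files belong to the source instance, not the clone
    rm -rf "$dst/logs"/* "$dst/work"/* "$dst/temp"/*
    # " port=" (with the leading space) matches <Server port=...> and <Connector port=...>
    # but not redirectPort=..., which keeps its value
    sed -i \
        -e "s/ port=\"8005\"/ port=\"$shut\"/" \
        -e "s/ port=\"8080\"/ port=\"$http\"/" \
        -e "s/ port=\"8009\"/ port=\"$ajp\"/" \
        "$dst/conf/server.xml"
}

# instance_ports <dir>
# Prints the ports an instance's server.xml binds, space-separated, in file order;
# handy for comparing two instances before starting the second one.
instance_ports() {
    grep -o ' port="[0-9][0-9]*"' "$1/conf/server.xml" \
        | grep -o '[0-9][0-9]*' | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone use (paths are placeholders):
#   clone_instance /opt/tomcat_existing /opt/tomcat_new 8006 8090 8010 && instance_ports /opt/tomcat_new
```

Running instance_ports on both directories afterwards and checking that the two lists share no value is the quickest way to catch the "address already in use" failure that a missed port causes when the second instance starts.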

Joi Aai Axom (Hail Mother Assam),
Pranab Sharma