2016-06-13

Misc settings with Tomcat

Force HTTPS connections

In conf/web.xml (with CONFIDENTIAL on /*, Tomcat answers a plain-HTTP request for any path with a redirect to the HTTPS connector named by the HTTP connector's redirectPort):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Content</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Disable JSESSIONID/CSRF URL rewriting (keep the session ID out of URLs)

In conf/web.xml (Tomcat then tracks sessions only through the JSESSIONID cookie and never appends ;jsessionid=... to rewritten URLs, so the ID does not end up in access logs, Referer headers or bookmarks):
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Tomcat with Let's Encrypt cert on Ubuntu 16.04

Goal

To get a Let's Encrypt certificate working with a Tomcat container.

How

Install and get a LE cert

sudo apt install letsencrypt
sudo letsencrypt certonly
It asks for a contact email address and the domain name this machine serves.

Converting LE's certs to PKCS12 format

As root, cd into the certificate directory the previous command printed (/etc/letsencrypt/live/<your domain>/) and run:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out sslcert.p12 -name tomcat
Use fullchain.pem rather than cert.pem: it holds the server certificate plus the Let's Encrypt intermediate, and everything in it goes into the keystore, so clients receive the complete chain. (With openssl pkcs12, -CAfile only takes effect together with -chain; exporting cert.pem with -CAfile chain.pem leaves the intermediate out.)
Move the .p12 file somewhere Tomcat can read it (readable by the tomcat user, outside the webapps tree).

Configure Tomcat to use the cert

Edit conf/server.xml and uncomment the port 443 (HTTPS) connector.
Add these attributes to that connector:

keystoreFile="sslcert.p12" keystoreType="PKCS12" keystorePass="[change_to_your_password]"
Restart Tomcat and HTTPS should be working. server.xml now contains the keystore password, so keep it readable only by the tomcat user.
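Added example, not from these notes: it shows why the keystore should be built from fullchain.pem rather than cert.pem alone. It generates a throwaway CA and server certificate with openssl (standing in for chain.pem, cert.pem and privkey.pem from Let's Encrypt), converts them to PKCS12 both ways, and counts the certificates each keystore carries. The function names (make_demo_chain, to_pkcs12, count_certs), the temporary directory and the password are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not part of the original notes): build a throwaway chain,
# convert to PKCS12 the way the notes do, and check what the keystore holds.
set -eu

WORK=$(mktemp -d)            # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                # demo keystore password only

make_demo_chain() {
  # throwaway CA: stands in for the Let's Encrypt intermediate (chain.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/chain.pem" -subj "/CN=Demo Intermediate CA" -days 1 >/dev/null 2>&1
  # server key and CSR: stand in for privkey.pem / cert.pem
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/privkey.pem" \
    -out "$WORK/server.csr" -subj "/CN=tomcat.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/chain.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/cert.pem" -days 1 >/dev/null 2>&1
  # fullchain.pem = leaf certificate followed by the intermediate, as LE lays it out
  cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# Convert a PEM cert file plus the private key to a PKCS12 keystore for Tomcat.
# Every certificate in the -in file is stored; the one matching the key becomes
# the server certificate, the rest become the chain.
to_pkcs12() {
  in_file=$1; out_file=$2
  openssl pkcs12 -export -in "$in_file" -inkey "$WORK/privkey.pem" \
    -out "$out_file" -name tomcat -passout "pass:$PASS"
}

# Number of certificates stored in a PKCS12 file.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_demo_chain
to_pkcs12 "$WORK/cert.pem"      "$WORK/leaf-only.p12"
to_pkcs12 "$WORK/fullchain.pem" "$WORK/sslcert.p12"
echo "leaf-only.p12 certificates: $(count_certs "$WORK/leaf-only.p12")"  # 1: intermediate missing
echo "sslcert.p12 certificates:   $(count_certs "$WORK/sslcert.p12")"    # 2: leaf + intermediate
```

The same count_certs check, pointed at the real sslcert.p12, is a quick way to confirm the keystore Tomcat will load contains the intermediate before restarting the server.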

Tomcat 8, authbind on port 80/443, systemd with Ubuntu 16.04

Goal

I'd like to be able to use the upstream/downloaded Tomcat, running as a standalone, serving 80/443 ports, and starting automatically with system boot.
Below is based on a vanilla Ubuntu 16.04 image from Google Compute Engine.

How

Install Java

sudo apt install default-jdk-headless

Add tomcat user and group

Use --system so that this user cannot log in to the system.
sudo addgroup --system tomcat
sudo adduser --system --ingroup tomcat tomcat

Unpack Tomcat installation

Download apache-tomcat-8.0.35.tar.gz. Then:
tar xf apache-tomcat-8.0.35.tar.gz
sudo mv apache-tomcat-8.0.35 /home/tomcat/
sudo chown tomcat:tomcat -R /home/tomcat/apache-tomcat-8.0.35

Install and configure authbind

authbind lets a non-root process bind ports below 1024. A port is permitted for a user when that user may execute /etc/authbind/byport/<port>, which is why the files below are mode 500 and owned by tomcat.
sudo apt install authbind
sudo touch /etc/authbind/byport/{443,80}
sudo chmod 500 /etc/authbind/byport/{443,80}
sudo chown tomcat:tomcat /etc/authbind/byport/{443,80}

Configure Tomcat

Switch the connectors from 8080/8443 to 80/443 (the second sed also updates the HTTP connector's redirectPort):
sudo sed -i 's/8080/80/g' /home/tomcat/apache-tomcat-8.0.35/conf/server.xml
sudo sed -i 's/8443/443/g' /home/tomcat/apache-tomcat-8.0.35/conf/server.xml

Configure the systemd service

Create the directory for the PID file the unit refers to:
sudo mkdir -p /home/tomcat/tmp
sudo chown tomcat:tomcat /home/tomcat/tmp
Then create the unit:
sudo vim /etc/systemd/system/tomcat.service
Then paste in the content:

[Unit]
Description=Tomcat Container
After=network.target

[Service]
Type=forking
# the same file catalina.sh writes via CATALINA_PID, so systemd tracks the right process
PIDFile=/home/tomcat/tmp/tomcat.pid

Environment=JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre
Environment=CATALINA_PID=/home/tomcat/tmp/tomcat.pid
Environment=CATALINA_HOME=/home/tomcat/apache-tomcat-8.0.35
Environment=CATALINA_BASE=/home/tomcat/apache-tomcat-8.0.35

# run through authbind so the unprivileged tomcat user may bind 80/443;
# --deep makes that apply to child processes too (startup.sh -> catalina.sh -> java)
ExecStart=/usr/bin/authbind --deep /home/tomcat/apache-tomcat-8.0.35/bin/startup.sh
ExecStop=/home/tomcat/apache-tomcat-8.0.35/bin/shutdown.sh

User=tomcat
Group=tomcat
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target
After saving:
sudo systemctl daemon-reload
sudo systemctl enable tomcat.service
sudo systemctl restart tomcat.service