Apache Tomcat 6 Installation on Debian Lenny

To install the Apache Tomcat 6 web container, a Java virtual machine such as SUN JDK6 must be installed first. For that, please follow the instructions in SUN JDK6 Installation on Debian Lenny.

Currently, there is no standard Debian package for Apache Tomcat 6. The most recent version of Apache Tomcat 6 (currently 6.0.29) can be found on the Apache Tomcat 6 Download page.

Download the latest release, extract it into the /opt directory and create the symbolic link /opt/tomcat6 pointing to it.

tar xvfz apache-tomcat-6.0.29.tar.gz -C /opt
ln -s apache-tomcat-6.0.29 /opt/tomcat6

Next, create an init script to start Tomcat automatically.

Create a file /etc/init.d/tomcat6 with the following content.

Ensure that the JAVA_HOME environment variable points to your Java installation (see SUN JDK6 Installation on Debian Lenny)!

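#!/bin/sh
# Tomcat auto-start
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/

# JAVA_HOME must point to your Java installation; export it here
# if it is not already set in the environment of the init system.

case $1 in
start)
    sh /opt/tomcat6/bin/startup.sh
    ;;
stop)
    sh /opt/tomcat6/bin/shutdown.sh
    ;;
restart)
    sh /opt/tomcat6/bin/shutdown.sh
    sh /opt/tomcat6/bin/startup.sh
    ;;
esac
exit 0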

Finally, make the script executable and register it in the runlevel directories.

chmod 755 /etc/init.d/tomcat6
update-rc.d tomcat6 defaults

Start Tomcat 6 with the following command.

/etc/init.d/tomcat6 start

Tomcat 6 should be accessible on http://localhost:8080/.

SSL Configuration

There are two alternatives for running a Tomcat web container with SSL sockets and making it accessible on the HTTPS port (443). If Tomcat is running as a stand-alone web server, an SSL connector should be configured within Tomcat. Alternatively, Tomcat can run behind a web server that proxies SSL connections from users to the Tomcat web container.

Tomcat Stand-alone configuration

Configuring Tomcat for SSL requires defining an SSL connector. This can be done by editing /opt/tomcat6/conf/server.xml, uncommenting the SSL connector definition (line 84) and defining it as follows:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="/etc/ssl/private/server.p12" keystorePass="secret" keystoreType="PKCS12"  />

In order to handle SSL connections, Tomcat requires a keystore containing the server's key, its certificate and the CA certificate chain for the server's certificate. Presuming these are available as PEM-encoded files, please follow the instructions on PKCS#12 Keystore creation to create a valid keystore for your Tomcat instance.

Next, copy server.p12 to the location defined in the Tomcat configuration (keystoreFile), adapt the keystore password (keystorePass) and restart Tomcat with the following command.

/etc/init.d/tomcat6 restart

Tomcat 6 should be accessible on https://localhost/.

Observe Tomcat's log file (/opt/tomcat6/logs/catalina.out) for error messages.

Configuring Tomcat behind an Apache Web Server using mod_ajp

The second alternative is to use the Apache web server as a proxy to Tomcat. This option is recommended when other services are also hosted by the Apache web server.

First, install Debian's apache2 package and add its user www-data to the group ssl-cert. The latter enables the Apache web server to access its key and certificate files in the subdirectories of /etc/ssl.

apt-get install apache2
adduser www-data ssl-cert

Site configuration

Next, create a site configuration file for proxying Tomcat through Apache. The Apache module proxy_ajp is used for this. It is sufficient to adapt the default SSL configuration file /etc/apache2/sites-available/default-ssl as follows.

First, adapt the VirtualHost name, ServerName and ServerAdmin to the real hostname and email address.

    ServerAdmin webmaster@localhost

Then, adapt the SSL certificate file locations so that they point to the certificate files and the root CA certificate directory.

SSLCertificateFile    /etc/ssl/certs/server-cert.pem
SSLCertificateKeyFile /etc/ssl/private/server-key.pem

SSLCACertificatePath /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/private/cert-chain.pem

Next, add the following directives so that all requests are proxied via the AJP protocol to Tomcat on port 8009.

<Proxy *>
  AddDefaultCharset Off
  Order deny,allow
  Allow from all
</Proxy>

ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

Finally, the site must be enabled, as well as the modules ssl and proxy_ajp. Also, set the file ownership and permissions appropriately and restart the Apache2 web server.

a2ensite default-ssl
a2enmod ssl
a2enmod proxy_ajp

chown root:root /etc/apache2/sites-available/default-ssl
chmod 644 /etc/apache2/sites-available/default-ssl

/etc/init.d/apache2 restart

Using Tomcat manager

If you want to use the Tomcat manager, don't forget to define a Tomcat administration user. Edit the file /opt/tomcat6/conf/tomcat-users.xml as follows:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="s3cret" roles="admin,manager,tomcat"/>
</tomcat-users>

Replace the username tomcat and the password by your own.
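
The following check is an added example, not part of the original instructions or of Tomcat itself. It parses server.xml and tomcat-users.xml as edited above and reports the sample passwords from this page, an AJP connector that is not bound to loopback (Apache only connects to ajp://localhost:8009/), and a clear-text HTTP connector that is still open on all interfaces. The function names, the second user and the HTTP/AJP connector lines in the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sample values shown on this page, plus the Java keystore default "changeit".
SAMPLE_SECRETS = {"secret", "s3cret", "changeit"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_server_xml(xml_text):
    """Return one finding per risky <Connector> setting in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        is_ajp = conn.get("protocol", "HTTP/1.1").upper().startswith("AJP")
        is_ssl = conn.get("SSLEnabled", "false").lower() == "true"
        local_only = conn.get("address") in LOOPBACK
        if is_ajp and not local_only:
            # Apache proxies to ajp://localhost:8009/, so loopback is enough.
            findings.append(f"port {port}: AJP listens on all interfaces")
        if not is_ajp and not is_ssl and not local_only:
            findings.append(f"port {port}: clear-text HTTP listens on all interfaces")
        if is_ssl and conn.get("keystorePass") in SAMPLE_SECRETS:
            findings.append(f"port {port}: keystorePass is a sample/default value")
    return findings

def audit_tomcat_users(xml_text):
    """Return one finding per manager/admin account with a guessable password."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name, password = user.get("username", ""), user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if roles & {"manager", "admin"} and (
                password in SAMPLE_SECRETS or password == name):
            findings.append(f"user {name}: privileged account with sample password")
    return findings

# Constructed sample input: the page's SSL connector plus stock-style HTTP/AJP ones.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/etc/ssl/private/server.p12" keystorePass="secret"
             keystoreType="PKCS12"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>"""
USERS_XML = """<tomcat-users>
  <user username="tomcat" password="s3cret" roles="admin,manager,tomcat"/>
  <user username="deploy" password="Zq7-constructed-Example" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    for finding in audit_server_xml(SERVER_XML) + audit_tomcat_users(USERS_XML):
        print(finding)
```

To check a real installation, pass the contents of /opt/tomcat6/conf/server.xml and /opt/tomcat6/conf/tomcat-users.xml to the two functions instead of the constructed samples.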
