Apache Tomcat 6 Installation on Debian Lenny
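Currently, there is no standard Debian package for Apache Tomcat 6. The most recent version of Apache Tomcat 6 (currently 6.0.29) can be found on the Apache Tomcat 6 Download page.
Download the latest release, extract it into the /opt directory and create a symbolic link /opt/tomcat6 that points to it. The mirror below is accessed over plain HTTP, so verify the archive against the PGP signature or checksum published on the Apache Tomcat download page before extracting it.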
    wget http://apache.mirror.digionline.de//tomcat/tomcat-6/v6.0.29/bin/apache-tomcat-6.0.29.tar.gz
    tar xvfz apache-tomcat-6.0.29.tar.gz -C /opt
    ln -s apache-tomcat-6.0.29 /opt/tomcat6
Next, create an init script to start Tomcat automatically.
Create a file /etc/init.d/tomcat6 with the following content.
Ensure that the JAVA_HOME environment variable points to your Java installation (see SUN JDK6 Installation on Debian Lenny)!
    #!/bin/sh
    # Tomcat auto-start
    #
    # description: Auto-starts tomcat
    # processname: tomcat
    # pidfile: /var/run/tomcat.pid

    # Dispatch on the action passed by init (start, stop or restart)
    case "$1" in
      start)
        sh /opt/tomcat6/bin/startup.sh
        ;;
      stop)
        sh /opt/tomcat6/bin/shutdown.sh
        ;;
      restart)
        sh /opt/tomcat6/bin/shutdown.sh
        sh /opt/tomcat6/bin/startup.sh
        ;;
    esac
    exit 0
Finally, make the script executable and register it in the runlevel directories.
    chmod 755 /etc/init.d/tomcat6
    update-rc.d tomcat6 defaults
Start Tomcat 6 with the following command.
    /etc/init.d/tomcat6 start
Tomcat 6 should be accessible on http://localhost:8080/.
There are two ways to run a Tomcat web container with SSL and make it accessible on the HTTPS port (443). If Tomcat runs as a stand-alone web server, an SSL connector must be configured within Tomcat. Alternatively, Tomcat can run behind a web server that proxies SSL connections from users to the Tomcat web container.
Tomcat Stand-alone configuration
Configuring Tomcat for SSL requires defining an SSL connector. To do so, edit /opt/tomcat6/conf/server.xml, uncomment the SSL connector definition (line 84) and define it as follows:
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/ssl/private/server.p12"
               keystorePass="secret"
               keystoreType="PKCS12" />
In order to handle SSL connections, Tomcat requires a keystore containing the server's key, its certificate and the CA certificate chain for the server's certificate. Assuming these are available as PEM-encoded files, follow the instructions on PKCS#12 Keystore creation to create a valid keystore for your Tomcat instance.
Next, copy server.p12 to the location defined in the Tomcat configuration (keystoreFile) and adapt the keystore password (keystorePass). Because the password is stored in clear text in server.xml, make sure that server.xml and the keystore are readable only by the account that runs Tomcat. Then restart Tomcat with the following command.
Tomcat 6 should be accessible on https://localhost/.
Observe Tomcat's log file (/opt/tomcat6/logs/catalina.out) for error messages.
Configuring Tomcat behind an Apache Web Server using mod_proxy_ajp
The second alternative is to use the Apache web server as a proxy to Tomcat. This option is recommended when other services are also hosted by the Apache web server.
First, install Debian's apache2 package and add its user www-data to the group ssl-cert. The latter enables the Apache web server to access its key and certificate files in the subdirectories of /etc/ssl.
    apt-get install apache2
    adduser www-data ssl-cert
Next, create a site configuration file for proxying Tomcat through Apache. The Apache module proxy_ajp is used for this purpose. It is sufficient to adapt the default SSL configuration file /etc/apache2/sites-available/default-ssl as follows.
At the beginning, adapt the VirtualHost name, ServerName and ServerAdmin to the real hostname and email address.
    <VirtualHost server.e-taxonomy.eu:443>
        ServerName server.e-taxonomy.eu
        ServerAdmin webmaster@localhost
Then, adapt the SSL certificate file locations so that they point to the certificate files and the root CA certificate directory.
    SSLCertificateFile /etc/ssl/certs/server-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/server-key.pem
    SSLCACertificatePath /etc/ssl/certs/
    SSLCACertificateFile /etc/ssl/private/cert-chain.pem
Next, add the following directives so that all requests are proxied via the AJP protocol to Tomcat on port 8009.
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
Finally, enable the site as well as the modules ssl and proxy_ajp. Also, set the ownership and permissions of the site configuration file appropriately and restart the Apache2 web server.
    a2ensite default-ssl
    a2enmod ssl
    a2enmod proxy_ajp
    chown root:root /etc/apache2/sites-available/default-ssl
    chmod 644 /etc/apache2/sites-available/default-ssl
    /etc/init.d/apache2 restart
Using Tomcat manager
If you want to use the Tomcat manager, don't forget to define a Tomcat administration user. Edit the file /opt/tomcat6/conf/tomcat-users.xml as follows:
    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="tomcat"/>
      <role rolename="manager"/>
      <role rolename="admin"/>
      <user username="tomcat" password="s3cret" roles="admin,manager,tomcat"/>
    </tomcat-users>
Replace the username tomcat and the password with your own.
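
A quick audit of the connector and user definitions from this page, as an added example (not part of the original page or of Tomcat itself): it parses server.xml and tomcat-users.xml and reports connectors that carry unencrypted traffic without being bound to loopback, and passwords left at documentation values. The function names, the placeholder list and the sample XML are assumptions constructed for illustration; the 8080 and 8009 connectors are assumed to be the ones still enabled in server.xml.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on this page's snippets. The 8080 and 8009
# connectors are assumed to be the ones still present in server.xml.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="/etc/ssl/private/server.p12"
             keystorePass="secret" keystoreType="PKCS12" />
  <Connector port="8009" protocol="AJP/1.3" />
</Service></Server>"""

USERS_XML = """<tomcat-users>
  <user username="tomcat" password="s3cret" roles="admin,manager,tomcat"/>
</tomcat-users>"""

# Values copied from documentation or shipped as defaults (assumed list).
PLACEHOLDERS = {"", "secret", "s3cret", "changeit", "tomcat", "password"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_server_xml(text):
    """Flag unencrypted connectors not bound to loopback and weak keystorePass."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        port = conn.get("port")
        is_ajp = conn.get("protocol", "HTTP/1.1").startswith("AJP")
        is_ssl = conn.get("SSLEnabled", "false").lower() == "true"
        # A connector without a loopback address attribute is reachable remotely.
        if not is_ssl and conn.get("address") not in LOOPBACK:
            kind = "AJP" if is_ajp else "plain HTTP"
            findings.append(f"port {port}: {kind} connector not bound to loopback")
        if is_ssl and conn.get("keystorePass", "") in PLACEHOLDERS:
            findings.append(f"port {port}: keystorePass is a placeholder value")
    return findings

def audit_users_xml(text):
    """Flag accounts whose password is a placeholder or equals the username."""
    findings = []
    for user in ET.fromstring(text).iter("user"):
        name, pw = user.get("username", ""), user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        privileged = ",".join(sorted(roles & {"manager", "admin"})) or "none"
        if pw in PLACEHOLDERS or pw == name:
            findings.append(f"user {name}: placeholder password, roles {privileged}")
    return findings

if __name__ == "__main__":
    for line in audit_server_xml(SERVER_XML) + audit_users_xml(USERS_XML):
        print(line)
```

When Apache proxies to ajp://localhost:8009/ as configured above, adding address="127.0.0.1" to the AJP and plain HTTP connectors keeps them reachable only from the local proxy.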