[[http://tmade.de|Home tmade.de]]

[[http://wiki.tmade.de|Home Wiki]]

===== Tomcat =====

==== Tomcat Log ====

  /srv/www/tomcat6/logs/catalina.out               #Tomcat logfile

To check, if server has started (finally all applications loaded), have a look on string (within catalina.out):

  "Server startup in"
  
==== Version ==== 
  
To check version of tomcat:
  
   /usr/share/tomcat5.5/bin/version.sh             #Check Tomcat version
==== Tomcat Manager ====

The tomcat manager can be used to start, stop and deploy applications. The manager can be accessed on:

  http(s)://HOST-IP/manger/html
  
To add/ modify a tomcat user (admin) edit "tomcat-root/conf/tomcat-users.xml".

Example:

<code>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="password" roles="manager-gui,manager-script"/>
</code>

**Note:** The relevant part might be configured with XML-comments (<!-- -->) and has to be uncommented (remove "<!-- -->") to get it work!

To avoid setting a plaintext password execute:

  export JAVA_HOME="/usr/lib/jvm/default-java/"                        #JAVA_HOME has to be setup to get it work. 
  tomcat-root/bin/digest.sh –a MD5 "test"                              #The password "test" will be created
  
Example:

<code>
./digest.sh -a MD5 "test"
test:098f6bcd4621d373cade4e832627b4f6
</code>

Afterwards replace 

  <user username="admin" password="password" roles="manager-gui,manager-script"/>
  
with

  <user username="admin" password="098f6bcd4621d373cade4e832627b4f6" roles="manager-gui,manager-script"/>


Additionally edit the "tomcat-root/conf/server.xml" as follows.

Previously:
<code>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
</code>

Afterwards:
<code>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" digest="MD5"
             resourceName="UserDatabase" validate="true"/>
</code>
  
Finaly the tomcat has to be restarted.

==== Limit Manager Access ====

To limit network access to "127.0.0.1, 192.168.1.*, 192.168.0.*" for the tomcat-manager edit:

  tomcat-root/conf/Catalina/localhost/manager.xml
  
Previously:

<code>
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Context antiResourceLocking="false" privileged="true" />
</code>

Afterwards:

<code>
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<Context path="/manager"
        docBase="/usr/share/tomcat6-admin/manager"
        antiResourceLocking="false" privileged="true" >

  <!-- Link to the user database we will get roles from -->
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
    allow="127.0.0.1,192.168.1.*,192.168.0.*"/>

</Context>
</code>

==== Tomcat Initscript ====
  
The following script (/etc/init.d/tomcat6) will start Tomcat6 and may be added on autostart (chkconfig tomcat6 on).

<code>
#! /bin/sh
#
# Author: Thomas Roehm
#
# /etc/init.d/tomcat6
#
#   and symbolic its link
#
# /sbin/rctomcat6
#
### BEGIN INIT INFO
# Provides: tomcat6
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start Tomcat6
# Startup script for Tomcat
# description: Tomcat jakarta JSP server
### END INIT INFO
#Necessary environment variables
export CATALINA_HOME="/srv/www/tomcat6"

if [ ! -f $CATALINA_HOME/bin/catalina.sh ]
then
echo "Tomcat not available..."
exit
fi

start() {
echo -n -e '\E[0;0m'"\033[1;32mStarting Tomcat: \033[0m \n"
su -l tomcat -c $CATALINA_HOME/bin/startup.sh
sleep 3
}

stop() {
PID=`(cat /var/log/tomcat6/tomcat.pid)`
echo -n -e '\E[0;0m'"\033[1;31mShutting down Tomcat: \033[m \n"
su -l tomcat -c $CATALINA_HOME/bin/shutdown.sh
sleep 10
kill $PID
rm  /var/log/tomcat6/tomcat.pid
}

status() {
ps ax | grep "org.apache.catalina.startup.Bootstrap start" | grep tomcat | awk '{printf $1 " "}' > /tmp/tomcat_process.txt
process=`(cat /tmp/tomcat_process.txt)`
if [ -s /tmp/tomcat_process.txt ]
then
echo "Tomcat is running with PID $process"
else
echo "Tomcat has been stopped"
fi
}

case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
sleep 15
start
;;
status)
status
;;
*)
echo "Usage: tomcat6 {start|stop|restart|status}"
exit 1
esac
</code>

Additionally to start/stop with "rctomcat6 option":

  ln –s /ect/init.d/tomcat6 /sbin/rctomcat6

==== Tomcat systemd unit-file ====

Path:

  /etc/systemd/system/tomcat.service
  
Content:

<code>
# Systemd unit file for default tomcat
#
# To create clones of this service:
# DO NOTHING, use tomcat@.service instead.

[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking
#EnvironmentFile=/etc/tomcat/tomcat.conf
ExecStart=/data/tomcat8.5/bin/startup.sh
ExecStop=/data/tomcat8.5/bin/shutdown.sh
User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target
</code>


==== OCF-Script ====

The following script can be used (in combination with the tomcat-initscript) for heartbeat (Linux-HA).

The file has to be saved on "/usr/lib/ocf/resources.d/heartbeat/tomcat6".

<code>
#!/bin/sh
export OCF_ROOT=/usr/lib/ocf
CATALINA_HOME="${OCF_RESKEY_catalina_home}"
export CATALINA_HOME
. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs
INIT_SCRIPT=/etc/init.d/tomcat6

case  "$1" in
        start)
                cd "$CATALINA_HOME/bin"
                ${INIT_SCRIPT} start > /dev/null 2>&1 && exit || exit 1
        ;;
        stop)
                cd "$CATALINA_HOME/bin"
                ${INIT_SCRIPT} stop > /dev/null 2>&1 && exit || exit 1
        ;;
        status)
                cd "$CATALINA_HOME/bin"
                ${INIT_SCRIPT} status > /dev/null 2>&1 && exit || exit 1
        ;;

        monitor)
                cd "$CATALINA_HOME/bin"
                # Check if Ressource is stopped
                ${INIT_SCRIPT} status > /dev/null 2>&1 || exit 7

                # Otherwise check services (XXX: Maybe loosen retry / timeout)
                wget --no-proxy -O /dev/null http://localhost:8080/i52server/ 2>&1 | grep 'connected' && exit || exit 1
        ;;

        meta-data)
                cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="tomcat6">
<version>1.0</version>
<longdesc lang="en">
OCF Ressource Agent for Tomcat6.
</longdesc>
<shortdesc lang="en">OCF Ressource Agent for Tomcat 6</shortdesc>
<parameters>
<parameter name="catalina_home" unique="1" required="1">
<longdesc lang="en">
Home directory of Tomcat
</longdesc>
<shortdesc>Home directory of Tomcat</shortdesc>
<content type="string" default="" />
</parameter>
</parameters>
<actions>
<action name="start" timeout="60s" />
<action name="stop" timeout="120s" />
<action name="status" timeout="60" />
<action name="monitor" depth="0" timeout="30s" interval="10s" start-delay="10s" />
<action name="meta-data" timeout="5s" />
<action name="validate-all"  timeout="5"/>
</actions>
</resource-agent>
END
        ;;
esac
</code>

==== Catalina(.sh) Variables / Parameters ====

  CATALINA_PID=/var/log/tomcat6/tomcat.pid
  --DisplayName ServiceName 	           #Service display name in processlist

Examples of paramters set in {$Tomcat}/bin/catalina.sh

<code>
CATALINA_OPTS="
        -Djava.awt.headless=true \
        -Dcatalina.home=$CATALINA_BASE \
        -Dcatalina.base=$CATALINA_BASE \
        -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
        -Djava.util.logging.config.file=conf\logging.properties \
        -Djavax.xml.validation.SchemaFactory:http://www.w3.org/2001/XMLSchema=org.apache.xerces.jaxp.validation.XMLSchemaFactory \
        -Xmx5021M \
        -XX:MaxPermSize=256m \
        -XX:+HeapDumpOnOutOfMemoryError \
        -XX:HeapDumpPath=/srv/www/tomcat6/logs \
        -Djava.compiler=NONE \
        -Xdebug \
        -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 \
        -Xnoagent \
        -Dcom.sun.management.jmxremote=true \
        -Dorg.eclipse.jdt.core.compiler.source=1.5 \
        -Dorg.eclipse.jdt.core.compiler.compliance=1.5 \
        -Djavax.xml.datatype.DatatypeFactory=com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl \
        -DconfigurationsFilePath=/etc/configuration \
        -DoptionalConfigurationsFilePath=/etc/configuration \
        -Dcompression=false \
        -Duser.language=de \
        -Duser.country=DE \
        -Dcontentgrabber.default.charset=iso-8859-1 \
        -Dmail.mime.charset=UTF-8 \
        -Djavax.xml.bind.JAXBContext=com.sun.xml.bind.v2.ContextFactory \
        -Djavax.net.ssl.keyStore=/srv/www/tomcat6/keystore/keystorefile.keystore \
        -Djavax.net.ssl.keyStorePassword=password \
        -Dhttp.proxyHost=10.10.15.15 \
        -Dhttp.proxyPort=8080 \
        -Djava.io.tmpdir=/var/log/tomcat6/temp \
        -Dorg.eclipse.jdt.core.compiler.codegen.TargetPlatform=1.5 \
        -DlogsFilePath=/var/log/tomcat6 \
        -Dhttp.nonProxyHosts=localhost|127.0.0.1 \
        -Dhttps.nonProxyHosts=localhost|127.0.0.1 "
#       -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk15Logger \

</code>

==== JAVA OPTS ====
"JAVA OPTS" can be set on:

  *init-script
  */etc/default/tomcat
  *catalina.sh

Example (/etc/default/tomcat):

  JAVA_OPTS="-XX:MaxPermSize=256m -Xms512m -Xmx1024m"

==== Forwarding to webapplication ====
Edit /srv/www/tomcat/webapps/ROOT/index.html to: 

<code>
<html>

<head>
<meta http-equiv="refresh" content="0;URL=/i5server">
</head>

<body>
</body>

</html>
</code>

==== Certificat Request ====

Tomcat:

1. Create a local Certificate: 

  keytool -genkey -alias tomcat -keysize 2048 -keyalg RSA -keystore <your_keystore_filename>                                        #keystore_filename: E.g. tomcatSSL

2. The CSR is then created with: 

  keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

3. Import the rootCA certificate into your keystore (you have to export it previously from the signed certificate):

  keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_rootCA_certificate>
  
4. Import the intermediate certificate into you keystore (you have to export it previously from the signed certificate):

  keytool -import -alias intermediate -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_intermediate_certificate>

5. And finally import your new Certificate:

  keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>
  
**Note:** The "alias" has to differ for the rootCA, intermediate and certificate!

Official:

<code>
Tomcat (keytool)  

This document provides instructions for installing TC Trust SSL certificate.  If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Tomcat.
1 Install the Root CA certificate
You must first obtain the Root CA certificate (TC TrustCenter Class 2 CA II) and save the Root CA certificate as root.cer. In the following example please replace the example keystore name 'keystore.key' with your keystore name.

Use the following command to import this certificate in the keystore:

  keytool -import -alias root -keystore keystore.key -trustcacerts -file root.cer

2 Install the Intermediate CA certificate

Create a file in Notepad and save the Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI) as intermediate.cer. 

Use the following command to import this certificate in the keystore:

  keytool -import -alias intermediate -keystore keystore.key -trustcacerts -file intermediate.cer

3 Install the TC Trust SSL certificate

Your TC Trust SSL certificate will be sent via email. Look for the TC Trust SSL certificate text in the body of the email and copy and paste it into a .crt file (such as tc_server.crt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.

Enter the following command to import your TC Trust SSL certificate (certreq.csr is the alias specified during CSR creation):

  keytool -import -alias server.crt -file server.crt -keystore keystore.key

</code>

  
====Check====

  keytool -list -keystore <keystorefile.jks>
  keytool -list -v -keystore <keystorefile.jks>                                                            #verbose
  keytool -list -v -keystore /path/to/keystore.jks -storetype PKCS12 -storepass the_password               #all at once
	
Show alias of your keystore file (just if the alias "foo" is known):

  keytool -list -keystore <keystorefile.jks> -alias <foo>


==== Certificat Conversion ====

Convert key, crt certificate to pfx:

  openssl pkcs12 -export -out mypfxfile.pxf -inkey domain.name.key -in domain.name.crt

Convert pfx certificate to jks:

  keytool -importkeystore -srckeystore mypfxfile.pxf -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS              #type JKS
  keytool -importkeystore -srckeystore mypfxfile.pxf -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype pkcs12           #type pkcs12 

==== Change Password ====

  keytool -storepasswd -keystore KEYSTORE.jks                            #Keystore only has one password
  keytool -keypasswd  -alias alias-name -keystore KEYSTORE.jks           #To change password of private key