/srv/www/tomcat6/logs/catalina.out #Tomcat logfile
To check whether the server has started completely (all applications loaded), look for the following string in catalina.out:
"Server startup in"
To check version of tomcat:
/usr/share/tomcat5.5/bin/version.sh #Check Tomcat version
The Tomcat manager can be used to start, stop and deploy applications. The manager can be accessed at:
http(s)://HOST-IP/manager/html
To add/ modify a tomcat user (admin) edit “tomcat-root/conf/tomcat-users.xml”.
Example:
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="admin" password="password" roles="manager-gui,manager-script"/>
Note: The relevant part might be wrapped in an XML comment (<!-- -->) and has to be uncommented (remove the "<!--" and "-->") to take effect!
To avoid storing a plaintext password, execute:
export JAVA_HOME="/usr/lib/jvm/default-java/" #JAVA_HOME has to be set, otherwise digest.sh does not work
tomcat-root/bin/digest.sh -a MD5 "test" #Creates the MD5 digest of the password "test"
Example:
./digest.sh -a MD5 "test"
test:098f6bcd4621d373cade4e832627b4f6
Afterwards replace
<user username="admin" password="password" roles="manager-gui,manager-script"/>
with
<user username="admin" password="098f6bcd4621d373cade4e832627b4f6" roles="manager-gui,manager-script"/>
Additionally edit the “tomcat-root/conf/server.xml” as follows.
Previously:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
Afterwards:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" digest="MD5" resourceName="UserDatabase" validate="true"/>
Finally, Tomcat has to be restarted.
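digest.sh with -a MD5 stores an unsalted MD5 of the password, which keeps the cleartext out of tomcat-users.xml but is cheap to brute-force offline (newer Tomcat releases add salted, iterated digests through a CredentialHandler). The POSIX shell helpers below are an added example, not part of the original notes: they reproduce the digest.sh output with coreutils md5sum (assumed to be installed), check that the UserDatabaseRealm in server.xml actually declares a digest, and list users whose stored password is still not a 32-hex-digit digest. The server.xml and tomcat-users.xml snippets are constructed sample input.

```shell
#!/bin/sh
# Added example: reproduce "digest.sh -a MD5" without a JDK and check that the Realm
# and the stored user passwords are consistent with a digested setup.
# All XML below is constructed sample input, not a real configuration.

# Same output format as "digest.sh -a MD5 <password>": <password>:<hex digest>
tomcat_md5_digest() {
  printf '%s:%s\n' "$1" "$(printf '%s' "$1" | md5sum | cut -d' ' -f1)"
}

# Reads server.xml on stdin; succeeds only if the UserDatabaseRealm declares a digest
realm_uses_digest() {
  grep -E '<Realm[^>]*UserDatabaseRealm' | grep -q 'digest="'
}

# Reads tomcat-users.xml on stdin; prints every user whose password attribute is not
# a 32-hex-digit MD5 digest (assumes one <user .../> element per line)
undigested_users() {
  grep -o '<user [^>]*>' | while read -r _line; do
    _name=$(printf '%s' "$_line" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
    _pw=$(printf '%s' "$_line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
    printf '%s' "$_pw" | grep -Eqx '[0-9a-f]{32}' || printf '%s\n' "$_name"
  done
}

# Constructed sample: the Realm line after the change described above
sample_server_xml() {
  cat <<'EOF'
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" digest="MD5" resourceName="UserDatabase" validate="true"/>
EOF
}

# Constructed sample: one digested user and one that was forgotten
sample_users_xml() {
  cat <<'EOF'
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="098f6bcd4621d373cade4e832627b4f6" roles="manager-gui,manager-script"/>
  <user username="deploy" password="password" roles="manager-script"/>
</tomcat-users>
EOF
}

# Usage: print the digest of "test" and report users still stored in plaintext
tomcat_md5_digest test
if sample_server_xml | realm_uses_digest; then
  echo "Realm digests passwords; users whose stored password is not a digest:"
  sample_users_xml | undigested_users
else
  echo "Realm has no digest attribute; passwords are compared in plaintext"
fi
```

A user left in plaintext after the Realm switched to digest="MD5" can no longer log in (Tomcat compares the MD5 of the submitted password with the stored value), so the list printed by undigested_users is also the list of accounts that will break on restart.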
To limit network access to the Tomcat manager to "127.0.0.1, 192.168.1.*, 192.168.0.*", edit:
tomcat-root/conf/Catalina/localhost/manager.xml
Previously:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Context antiResourceLocking="false" privileged="true" />
Afterwards:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Context path="/manager" docBase="/usr/share/tomcat6-admin/manager" antiResourceLocking="false" privileged="true" >
  <!-- Link to the user database we will get roles from -->
  <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.1.*,192.168.0.*"/>
</Context>
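In Tomcat 6 the allow attribute of RemoteAddrValve is a comma-separated list of regular expressions, each of which must match the whole client address. The unescaped dots and the trailing `.*` in `192.168.1.*` therefore match more than the 192.168.1.0/24 subnet: `192.168.10.7` passes too. The POSIX shell helper below is an added example, not part of the original notes: it extracts the allow list from a manager.xml (constructed sample, one Valve per line assumed) and emulates the full-match check with `grep -Ex`, so the effective filter can be tested before it is deployed. A stricter pattern with escaped dots and a digit-only host part is shown alongside.

```shell
#!/bin/sh
# Emulates the Tomcat 6 RemoteAddrValve "allow" check: comma-separated regexes,
# each applied to the whole client address (java.util.regex matches() semantics).
# Added example; the manager.xml below is a constructed sample, not a real deployment.

sample_manager_xml() {
  cat <<'EOF'
<Context path="/manager" docBase="/usr/share/tomcat6-admin/manager" antiResourceLocking="false" privileged="true" >
  <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.1.*,192.168.0.*"/>
</Context>
EOF
}

# Print the allow list of the RemoteAddrValve read from stdin (assumes one Valve per line)
manager_allow_list() {
  sed -n 's/.*RemoteAddrValve.*allow="\([^"]*\)".*/\1/p'
}

# addr_allowed ALLOWLIST ADDR: succeeds if ADDR fully matches one of the comma-separated patterns
addr_allowed() {
  _list=$1
  _addr=$2
  _oldifs=$IFS
  IFS=','
  for _pat in $_list; do
    if printf '%s\n' "$_addr" | grep -Eqx -- "$_pat"; then
      IFS=$_oldifs
      return 0
    fi
  done
  IFS=$_oldifs
  return 1
}

# The page's list as extracted from the sample file
PAGE_ALLOW=$(sample_manager_xml | manager_allow_list)
# Same intent, with dots escaped and the host part limited to digits
STRICT_ALLOW='127\.0\.0\.1,192\.168\.1\.[0-9]+,192\.168\.0\.[0-9]+'

# Usage: show which client addresses each pattern lets through
for a in 127.0.0.1 192.168.1.42 192.168.10.7 10.0.0.5; do
  if addr_allowed "$PAGE_ALLOW" "$a"; then r=allowed; else r=denied; fi
  if addr_allowed "$STRICT_ALLOW" "$a"; then s=allowed; else s=denied; fi
  printf '%-14s page pattern: %-8s strict pattern: %s\n' "$a" "$r" "$s"
done
```

The loop prints `192.168.10.7` as allowed by the page's pattern and denied by the strict one; the two other private addresses behave the same under both. Tomcat 7 and later changed the attribute to a single regular expression (alternatives joined with `|`), so the comma-separated form has to be rewritten on upgrade.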
The following script (/etc/init.d/tomcat6) will start Tomcat6 and may be added to the autostart (chkconfig tomcat6 on).
#! /bin/sh
#
# Author: Thomas Roehm
#
# /etc/init.d/tomcat6
#
# and its symbolic link
#
# /sbin/rctomcat6
#
### BEGIN INIT INFO
# Provides: tomcat6
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start Tomcat6
# Startup script for Tomcat
# description: Tomcat jakarta JSP server
### END INIT INFO

# Necessary environment variables
export CATALINA_HOME="/srv/www/tomcat6"
PIDFILE=/var/log/tomcat6/tomcat.pid   # must match CATALINA_PID in catalina.sh/setenv.sh

if [ ! -f "$CATALINA_HOME/bin/catalina.sh" ]
then
  echo "Tomcat not available..."
  exit 5   # LSB: program is not installed
fi

start() {
  echo -n -e '\E[0;0m'"\033[1;32mStarting Tomcat: \033[0m \n"
  su -l tomcat -c "$CATALINA_HOME/bin/startup.sh"
  sleep 3
}

stop() {
  PID=$(cat "$PIDFILE" 2>/dev/null)
  echo -n -e '\E[0;0m'"\033[1;31mShutting down Tomcat: \033[m \n"
  su -l tomcat -c "$CATALINA_HOME/bin/shutdown.sh"
  sleep 10
  # Kill only if the JVM is still alive after the graceful shutdown
  if [ -n "$PID" ] && kill -0 "$PID" 2>/dev/null
  then
    kill "$PID"
  fi
  rm -f "$PIDFILE"
}

status() {
  # Keep the PID list in a variable instead of a world-writable file in /tmp
  process=$(ps ax | grep "org.apache.catalina.startup.Bootstrap start" | grep tomcat | grep -v grep | awk '{printf $1 " "}')
  if [ -n "$process" ]
  then
    echo "Tomcat is running with PID $process"
    return 0
  else
    echo "Tomcat has been stopped"
    return 3   # LSB: program is not running
  fi
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    sleep 15
    start
    ;;
  status)
    status
    ;;
  *)
    echo "Usage: tomcat6 {start|stop|restart|status}"
    exit 1
esac
Additionally, to start/stop with "rctomcat6 option":
ln -s /etc/init.d/tomcat6 /sbin/rctomcat6
Systemd unit path:
/etc/systemd/system/tomcat.service
Content:
# Systemd unit file for default tomcat
#
# To create clones of this service:
# DO NOTHING, use tomcat@.service instead.

[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking
#EnvironmentFile=/etc/tomcat/tomcat.conf
ExecStart=/data/tomcat8.5/bin/startup.sh
ExecStop=/data/tomcat8.5/bin/shutdown.sh
User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target
The following script can be used (in combination with the Tomcat init script) as a Heartbeat (Linux-HA) OCF resource agent.
The file has to be saved as "/usr/lib/ocf/resource.d/heartbeat/tomcat6".
#!/bin/sh
export OCF_ROOT=/usr/lib/ocf
CATALINA_HOME="${OCF_RESKEY_catalina_home}"
export CATALINA_HOME
. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs
INIT_SCRIPT=/etc/init.d/tomcat6

case "$1" in
start)
    cd "$CATALINA_HOME/bin"
    ${INIT_SCRIPT} start > /dev/null 2>&1 && exit || exit 1
    ;;
stop)
    cd "$CATALINA_HOME/bin"
    ${INIT_SCRIPT} stop > /dev/null 2>&1 && exit || exit 1
    ;;
status)
    cd "$CATALINA_HOME/bin"
    ${INIT_SCRIPT} status > /dev/null 2>&1 && exit || exit 1
    ;;
monitor)
    cd "$CATALINA_HOME/bin"
    # Check if resource is stopped (the init script's status must return non-zero when Tomcat is down)
    ${INIT_SCRIPT} status > /dev/null 2>&1 || exit 7   # OCF_NOT_RUNNING
    # Otherwise check services (XXX: Maybe loosen retry / timeout)
    wget --no-proxy -O /dev/null http://localhost:8080/i52server/ 2>&1 | grep 'connected' && exit || exit 1
    ;;
validate-all)
    # catalina_home is the only parameter; it has to point at an installed Tomcat
    [ -x "$CATALINA_HOME/bin/catalina.sh" ] && exit 0 || exit 2   # OCF_ERR_ARGS
    ;;
meta-data)
    cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="tomcat6">
  <version>1.0</version>
  <longdesc lang="en">
    OCF Resource Agent for Tomcat6.
  </longdesc>
  <shortdesc lang="en">OCF Resource Agent for Tomcat 6</shortdesc>
  <parameters>
    <parameter name="catalina_home" unique="1" required="1">
      <longdesc lang="en">
        Home directory of Tomcat
      </longdesc>
      <shortdesc>Home directory of Tomcat</shortdesc>
      <content type="string" default="" />
    </parameter>
  </parameters>
  <actions>
    <action name="start" timeout="60s" />
    <action name="stop" timeout="120s" />
    <action name="status" timeout="60" />
    <action name="monitor" depth="0" timeout="30s" interval="10s" start-delay="10s" />
    <action name="meta-data" timeout="5s" />
    <action name="validate-all" timeout="5"/>
  </actions>
</resource-agent>
END
    ;;
*)
    exit 3   # OCF_ERR_UNIMPLEMENTED
    ;;
esac
CATALINA_PID=/var/log/tomcat6/tomcat.pid #PID file written by catalina.sh (the init script above reads it)
--DisplayName ServiceName #Service display name in the process list (Windows service installer option)
Examples of parameters set in {$Tomcat}/bin/catalina.sh:
# Note: "-Xdebug -Xrunjdwp:...address=8000" opens a JDWP debug port on all interfaces (JDK 8 and
# older), and "-Djavax.net.ssl.keyStorePassword=..." is visible to every local user in the process
# list; both are development settings and do not belong in a production CATALINA_OPTS.
CATALINA_OPTS=" -Djava.awt.headless=true \
 -Dcatalina.home=$CATALINA_BASE \
 -Dcatalina.base=$CATALINA_BASE \
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
 -Djava.util.logging.config.file=conf/logging.properties \
 -Djavax.xml.validation.SchemaFactory:http://www.w3.org/2001/XMLSchema=org.apache.xerces.jaxp.validation.XMLSchemaFactory \
 -Xmx5021M \
 -XX:MaxPermSize=256m \
 -XX:+HeapDumpOnOutOfMemoryError \
 -XX:HeapDumpPath=/srv/www/tomcat6/logs \
 -Djava.compiler=NONE \
 -Xdebug \
 -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 \
 -Xnoagent \
 -Dcom.sun.management.jmxremote=true \
 -Dorg.eclipse.jdt.core.compiler.source=1.5 \
 -Dorg.eclipse.jdt.core.compiler.compliance=1.5 \
 -Djavax.xml.datatype.DatatypeFactory=com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl \
 -DconfigurationsFilePath=/etc/configuration \
 -DoptionalConfigurationsFilePath=/etc/configuration \
 -Dcompression=false \
 -Duser.language=de \
 -Duser.country=DE \
 -Dcontentgrabber.default.charset=iso-8859-1 \
 -Dmail.mime.charset=UTF-8 \
 -Djavax.xml.bind.JAXBContext=com.sun.xml.bind.v2.ContextFactory \
 -Djavax.net.ssl.keyStore=/srv/www/tomcat6/keystore/keystorefile.keystore \
 -Djavax.net.ssl.keyStorePassword=password \
 -Dhttp.proxyHost=10.10.15.15 \
 -Dhttp.proxyPort=8080 \
 -Djava.io.tmpdir=/var/log/tomcat6/temp \
 -Dorg.eclipse.jdt.core.compiler.codegen.TargetPlatform=1.5 \
 -DlogsFilePath=/var/log/tomcat6 \
 -Dhttp.nonProxyHosts=localhost|127.0.0.1 \
 -Dhttps.nonProxyHosts=localhost|127.0.0.1 "
# -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk15Logger \
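Two of the options in the example above are worth catching before a server goes live: a JDWP agent started with `address=8000` (no host) listens on every interface on JDK 8 and older, and whoever connects gets a debugger, i.e. code execution, inside the JVM; and a keystore password in `-D` flags is readable by any local user through `ps`. The POSIX shell function below is an added example, not part of the original notes: it scans a CATALINA_OPTS/JAVA_OPTS string for those patterns (plus remote JMX without authentication) and reports findings. The two option strings are constructed from the page's example.

```shell
#!/bin/sh
# Added example (not from the original notes): scan a CATALINA_OPTS/JAVA_OPTS string for
# settings that are fine on a developer box but dangerous on a server.

# audit_catalina_opts OPTS: prints one finding per line; returns 0 if clean, 1 otherwise
audit_catalina_opts() {
  _opts=$1
  _found=0
  # JDWP agent with a bare port: on JDK 8 and older it listens on every interface
  if printf '%s\n' "$_opts" | grep -Eq -- '-Xrunjdwp:[^ ]*address=[0-9]+([ ,]|$)'; then
    echo "JDWP debug agent listens on all interfaces (address=<port> without a host); bind it to 127.0.0.1:<port> or drop -Xdebug in production"
    _found=1
  fi
  # Secrets in JVM flags show up in ps, /proc/<pid>/cmdline and crash logs
  if printf '%s\n' "$_opts" | grep -Eq -- '-Djavax\.net\.ssl\.(keyStore|trustStore)Password='; then
    echo "keystore/truststore password passed on the command line (visible in the process list)"
    _found=1
  fi
  # Remote JMX without authentication exposes every MBean to whoever reaches the port
  if printf '%s\n' "$_opts" | grep -Eq -- '-Dcom\.sun\.management\.jmxremote\.port=' \
     && printf '%s\n' "$_opts" | grep -Eq -- '-Dcom\.sun\.management\.jmxremote\.authenticate=false'; then
    echo "remote JMX enabled without authentication"
    _found=1
  fi
  [ "$_found" -eq 0 ]
}

# Constructed from the CATALINA_OPTS example above (development settings)
DEV_OPTS='-Djava.awt.headless=true -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -Xnoagent -Dcom.sun.management.jmxremote=true -Djavax.net.ssl.keyStorePassword=password'
# Same options with the debugger bound to loopback and the password moved out of the flags
PROD_OPTS='-Djava.awt.headless=true -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=127.0.0.1:8000 -Dcom.sun.management.jmxremote=true'

# Usage
echo "== development options"
audit_catalina_opts "$DEV_OPTS" || true
echo "== production options"
audit_catalina_opts "$PROD_OPTS" && echo "no findings"
```

On JDK 9 and later a bare `address=<port>` binds to loopback by default, so the first check is only relevant for the JDK generation this page targets (compiler source 1.5); keeping the explicit `127.0.0.1:` prefix costs nothing and is unambiguous on every JDK.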
"JAVA_OPTS" can be set in /etc/default/tomcat. Example:
JAVA_OPTS="-XX:MaxPermSize=256m -Xms512m -Xmx1024m"
Edit /srv/www/tomcat/webapps/ROOT/index.html to:
<html>
  <head>
    <meta http-equiv="refresh" content="0;URL=/i5server">
  </head>
  <body>
  </body>
</html>
Tomcat:
1. Create a local Certificate:
keytool -genkey -alias tomcat -keysize 2048 -keyalg RSA -keystore <your_keystore_filename> #keystore_filename: E.g. tomcatSSL
2. The CSR is then created with:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>
3. Import the rootCA certificate into your keystore (you have to export it previously from the signed certificate):
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_rootCA_certificate>
4. Import the intermediate certificate into your keystore (you have to export it previously from the signed certificate):
keytool -import -alias intermediate -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_intermediate_certificate>
5. And finally import your new Certificate:
keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>
Note: The “alias” has to differ for the rootCA, intermediate and certificate!
Official instructions (TC TrustCenter):
Tomcat (keytool)

This document provides instructions for installing TC Trust SSL certificate. If you are unable to use these instructions for your server, we recommend that you contact either the vendor of your server software or an organisation that supports Tomcat.

1 Install the Root CA certificate
You must first obtain the Root CA certificate (TC TrustCenter Class 2 CA II) and save the Root CA certificate as root.cer. In the following example please replace the example keystore name 'keystore.key' with your keystore name. Use the following command to import this certificate in the keystore:
keytool -import -alias root -keystore keystore.key -trustcacerts -file root.cer

2 Install the Intermediate CA certificate
Create a file in Notepad and save the Intermediate CA certificate (TC TrustCenter Class 2 L1 CA XI) as intermediate.cer. Use the following command to import this certificate in the keystore:
keytool -import -alias intermediate -keystore keystore.key -trustcacerts -file intermediate.cer

3 Install the TC Trust SSL certificate
Your TC Trust SSL certificate will be sent via email. Look for the TC Trust SSL certificate text in the body of the email and copy and paste it into a .crt file (such as tc_server.crt) using Vi or Notepad. Please be sure to include the header and footer as well as the surrounding dashes including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file otherwise additional characters may render the certificate unusable.
Enter the following command to import your TC Trust SSL certificate (certreq.csr is the alias specified during CSR creation):
keytool -import -alias server.crt -file server.crt -keystore keystore.key
keytool -list -keystore <keystorefile.jks>
keytool -list -v -keystore <keystorefile.jks> #verbose
keytool -list -v -keystore /path/to/keystore.jks -storetype PKCS12 -storepass the_password #all at once
Show a single entry of your keystore file (only if the alias, e.g. "foo", is known):
keytool -list -keystore <keystorefile.jks> -alias <foo>
Convert key, crt certificate to pfx:
openssl pkcs12 -export -out mypfxfile.pxf -inkey domain.name.key -in domain.name.crt
Convert pfx certificate to jks:
keytool -importkeystore -srckeystore mypfxfile.pxf -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS #type JKS
keytool -importkeystore -srckeystore mypfxfile.pxf -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype pkcs12 #type pkcs12
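After converting a key and certificate into PKCS#12 it is worth confirming that the container really holds the certificate you intended before it is handed to keytool or a Tomcat connector. The POSIX shell function below is an added example, not part of the original notes: it runs the same `openssl pkcs12 -export` as above on a throwaway self-signed key/certificate pair generated on the spot (constructed test material only), then extracts the certificate from the .pfx again and compares SHA-256 fingerprints. It assumes the openssl command-line tool is installed; the password `changeit` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes): package a PEM key + certificate as PKCS#12
# the way the openssl command above does, then verify that the certificate inside the
# .pfx is the one we started from by comparing SHA-256 fingerprints.

# pfx_roundtrip [password]: returns 0 when the fingerprints match, 1 on any failure
pfx_roundtrip() {
  _pass=${1:-changeit}   # placeholder export password
  _dir=$(mktemp -d) || return 1
  # Throwaway self-signed key/cert for the demo (a real deployment uses the CA-signed chain)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=tomcat.example.test' \
    -keyout "$_dir/domain.name.key" -out "$_dir/domain.name.crt" >/dev/null 2>&1 \
    || { rm -rf "$_dir"; return 1; }
  # The conversion from the notes, with the password supplied non-interactively
  openssl pkcs12 -export -out "$_dir/mypfxfile.pfx" -inkey "$_dir/domain.name.key" \
    -in "$_dir/domain.name.crt" -passout "pass:$_pass" >/dev/null 2>&1 \
    || { rm -rf "$_dir"; return 1; }
  # Fingerprint of the PEM input and of the certificate extracted from the .pfx
  _orig=$(openssl x509 -in "$_dir/domain.name.crt" -noout -fingerprint -sha256 2>/dev/null)
  _inpfx=$(openssl pkcs12 -in "$_dir/mypfxfile.pfx" -passin "pass:$_pass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  rm -rf "$_dir"
  [ -n "$_orig" ] && [ "$_orig" = "$_inpfx" ]
}

# Usage
if pfx_roundtrip; then
  echo "PKCS#12 round trip OK: certificate in the .pfx matches the PEM input"
else
  echo "PKCS#12 round trip FAILED"
fi
```

The same fingerprint comparison works against the JKS produced by `keytool -importkeystore` (`keytool -list -v` prints the certificate fingerprints), which is the quickest way to spot a mixed-up key/certificate pair before Tomcat refuses to start its HTTPS connector.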
keytool -storepasswd -keystore KEYSTORE.jks #Keystore only has one password
keytool -keypasswd -alias alias-name -keystore KEYSTORE.jks #To change password of private key