INSTALL TOMCAT 8
create tomcat group and user
$ sudo groupadd tomcat
$ sudo useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
go to home directory
$ cd ~
download tomcat
$ sudo wget http://mirror.symnds.com/software/Apache/tomcat/tomcat-8/v8.5.5/bin/apache-tomcat-8.5.5.tar.gz
create tomcat folder under /opt/
$ sudo mkdir /opt/tomcat
extract the archive to the new tomcat folder
$ sudo tar xvf apache-tomcat-8.5.5.tar.gz -C /opt/tomcat –strip-components=1
PERMISSIONS
update permissions by giving tomcat user and tomcat group to the entire tomcat directory. Give also write access to the conf directory and read access to the files in that conf directory.
Run the steps by changing to admin
change to root
$ sudo su
make all folders and files tomcat user and group
$ chown -Rf tomcat.tomcat /opt/tomcat/
go to tomcat folder
$ cd /opt/tomcat/
give write access to conf folder and read access to its files
$ sudo chmod g+rwx conf
$ sudo chmod g+r conf/*
let’s go back from root to our previous user
$ exit
RUN TOMCAT AS A SERVICE
Let’s setup a Tomcat Systemd unit file
create and open tomcat as a service
$ sudo vi /etc/systemd/system/tomcat.service
I changed Xms512M -Xmx1024M to Xms1024M -Xmx2048M
# Systemd unit file for tomcat [Unit] Description=Apache Tomcat Web Application Container After=syslog.target network.target [Service] Type=forking Environment=JAVA_HOME=/opt/jdk1.8.0_101/ Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid Environment=CATALINA_HOME=/opt/tomcat Environment=CATALINA_BASE=/opt/tomcat Environment='CATALINA_OPTS=-Xms1024M -Xmx2048M -server -XX:+UseParallelGC' Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom' ExecStart=/opt/tomcat/bin/startup.sh ExecStop=/bin/kill -15 $MAINPID User=tomcat Group=tomcat [Install] WantedBy=multi-user.target
Now reload Systemd to load the Tomcat unit file
$ sudo systemctl daemon-reload
Open 8080, 80 ports for Firewall
$ sudo firewall-cmd –zone=public –add-port=8080/tcp –permanent
$ sudo firewall-cmd –zone=public –add-port=80/tcp –permanent
$ sudo firewall-cmd –reload
$ sudo systemctl restart firewalld.service
$ sudo iptables -L
If you need to remove let’s say http and you just want to use 8080
$ firewall-cmd –zone=public –remove-service=http
let’s start, enable and check tomcat, stop if needed
$ sudo systemctl start tomcat
$ sudo systemctl enable tomcat
$ sudo systemctl status
if you see error then for more details
$ journalctl -xe
to stop tomcat
$ sudo systemctl stop tomcat
Finally you should see it’s working. Go to the server’s url
http://server-ipaddress:8080/
CONFIGURE TOMCAT USERS
change to root
$ sudo su
there are different roles to be assigned, let’s see what they are
———————————————————————————————————–
manager-gui - allows access to the HTML GUI and the status pages manager-script - allows access to the text interface and the status pages manager-jmx - allows access to the JMX proxy and the status pages manager-status - allows access to the status pages only
$ vi /opt/tomcat/conf/tomcat-users.xml
let’s add the following
<role rolename="manager-gui"/> <role rolename="manager-script"/> <role rolename="manager-status"/> <user username="blabla" password="blabla" roles="manager-gui,manager-script,manager-status"/>
$ vi /opt/tomcat/webapps/manager/META-INF/context.xml
comment the valve to access manager app link from all machines
<Context antiResourceLocking="false" privileged="true" > <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> --> </Context>
Now go again to the server address and click Manager App. Enter username password you have provided in tomcat-users.xml file
CHANGE PORT TO 80
stop tomcat
$ systemctl stop tomcat
change port 8080 to 80
$ sudo vi /opt/tomcat/conf/server.xml
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
NEVER EVER START TOMCAT WITH SYSTEMCTL, RUN START.SH FROM COMMAND LINE
$ cd /opt/tomcat/bin
start
$ ./startup.sh
shutdown
$ ./shutdown.sh
Now go again to the server address and click Manager App. Enter username password you have provided in tomcat-users.xml file
INSTALL AUTHBIND ON CENTOS 7
If you still having port 80 issues on your Centos 7 then try authbind
go to opt directory
$ cd /opt/
download rpm
$ wget https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm
run rpm
$ sudo rpm -Uvh authbind-2.1.1-0.1.x86_64.rpm
now configure port 80 for tomcat
$ sudo touch /etc/authbind/byport/80
$ sudo chmod 500 /etc/authbind/byport/80
$ sudo chown tomcat /etc/authbind/byport/80
You can do the same steps for port 443 if needed
$ sudo touch /etc/authbind/byport/443
$ sudo chmod 500 /etc/authbind/byport/443
$ sudo chown tomcat /etc/authbind/byport/443
Port 80 is very tricky, many have issues to run Tomcat 8 on Centos 7 with port 80
Normally, it’s not suggested to run Tomcat from command line as a root. Some people choose to preroute port 80 to 8080
iptables -t nat -A PREROUTING -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 8080
But prerouting is a work around and not a complete solution. Mine worked when I stopped Tomcat as a service and restarted it from command line.
at first, many thanks for sharing information; now, would you explain the reason for statement ‘never ever start tomcat with systemctl’?
LikeLike
It’s because starting tomcat from system wise and manually are different. Systemctl might cause conflicts with ip whereas standalone is more reliable
LikeLike
Running Tomcat with systemd and authbind works if you change the last line in Tomcat’s startup.sh to:
exec authbind –deep “$PRGDIR”/”$EXECUTABLE” start “$@”
LikeLike