This post will cover installing and basic configuration of Tomcat 7 on CentOS 5.x. The procedure can be used for Fedora and RHEL as well. Tomcat 7 implements the JavaServer Pages 2.2 and Servlet 3.0 specifications and a number of new features. The Manager application also has a new look with finer-grain roles and access than 6.x In this post, we'll install the required JDK, Tomcat, configure Tomcat as a service, create a start/stop/restart script, and (optionally) configure Tomcat to run under a non-root user. For this installation, we'll use Tomcat 7.0.19, the current stable release of Tomcat 7. This post began with the first Tomcat 7 release and I have tried to keep it updated to keep things as "copy and paste" as possible. I've also updated the post for JDK 6, Update 26. To begin, we'll need to install the Java Development Kit (JDK) 1.6
JDK 1.6 is the minimum JDK version for Tomcat 7. If you do have the JDK installed, you can skip to: Step 2: Download and Unpack Tomcat 7.0.19:
You can download the JDK here: We'll install the latest JDK, which is JDK 6 Update 26. The JDK is specific to 32 and 64 bit versions. My CentOS box is 64 bit, so I'll need: jdk-6u26-linux-x64.bin If you are on 32 bit, you'll need: jdk-6u26-linux-i586.bin Download the appropriate JDK and save it to a directory. I'm saving it to /root. Move (mv) or copy (cp) the file to the /opt directory:
[root@srv6 ~]# mv jdk-6u26-linux-x64.bin /opt/jdk-6u26-linux-x64.bin
Create a new directory /usr/java.
[root@srv6 ~]# mkdir /usr/java
Change to the /usr/java directory we created and install the JDK using 'sh /opt/jdk-6u26-linux-x64.bin'
[root@srv6 ~]# cd /usr/java[root@srv6 java]# sh /opt/jdk-6u26-linux-x64.bin
Set the JAVA_HOME path. This is where we installed our JDK above. To set it for your current session, you can issue the following from the CLI:
[root@srv6 java]# JAVA_HOME=/usr/java/jdk1.6.0_26[root@srv6 java]# export JAVA_HOME[root@srv6 java]# PATH=$JAVA_HOME/bin:$PATH[root@srv6 java]# export PATH
To set the JAVA_HOME permanently, we add below to either the ~/.bashrc or ~/.bash_profile of the user (in this case, root). We can also add it /etc/profile and then source it to give to all users.
JAVA_HOME=/usr/java/jdk1.6.0_26export JAVA_HOMEPATH=$JAVA_HOME/bin:$PATHexport PATH
Once you have added the above to ~/.bash_profile or ~/.bashrc, you should log out, then log back in and check that the JAVA_HOME is set correctly.
[root@srv6 ~]# echo $JAVA_HOME/usr/java/jdk1.6.0_26
Download apache-tomcat-7.0.19.tar.gz Alternatively, you can download using wget.
[root@srv6 ~]# wget http://apache.mivzakim.net/tomcat/tomcat-7/v7.0.19/bin/apache-tomcat-7.0.19.tar.gz
Save the file to a directory. I'm saving it to /root/apache-tomcat-7.0.19.tar.gz Before proceeding, you should verify the MD5 Checksum for your Tomcat download (or any other download). Since we saved the Tomcat download to /root/apache-tomcat-7.0.19.tar.gz, we'll go to the /root directory and use the md5sum command.
[root@srv6 ~]# md5sum apache-tomcat-7.0.19.tar.gz5a5e9bc742714d1b7210d9f68764fd8e *apache-tomcat-7.0.19.zip
Compare the output above to the MD5 Checksum provided by and insure that they match exactly. Now, move (mv) or copy (cp) the file to the /usr/share directory:
[root@srv6 ~]# mv apache-tomcat-7.0.19.tar.gz /usr/share/apache-tomcat-7.0.19.tar.gz
Change to the /usr/share directory and unpack the file using tar -xzf:
[root@srv6 ~]# cd /usr/share[root@sv2 srv6 ]# tar -xzf apache-tomcat-7.0.19.tar.gz
This will create the directory /usr/share/apache-tomcat-7.0.19
We will now see how to run Tomcat as a service and create a simple Start/Stop/Restart script, as well as to start Tomcat at boot. Change to the /etc/init.d directory and create a script called 'tomcat' as shown below.
[root@srv6 share]# cd /etc/init.d[root@srv6 init.d]# vi tomcat
#!/bin/bash## tomcat: Start/Stop Tomcat 7## chkconfig: - 90 10# description: Tomcat is a Java application Server.# processname: tomcatCATALINA_HOME=/opt/tomcatTOMCAT_USER=tomcatLOCKFILE=/var/lock/subsys/tomcatRETVAL=0start(){ echo "Starting Tomcat7: " su - $TOMCAT_USER -c "$CATALINA_HOME/bin/startup.sh" RETVAL=$? echo [ $RETVAL -eq 0 ] && touch $LOCKFILE return $RETVAL}stop(){ echo "Shutting down Tomcat7: " $CATALINA_HOME/bin/shutdown.sh RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f $LOCKFILE return $RETVAL}case "$1" in start) start ;; stop) stop ;; restart) stop start ;; status) status tomcat ;; *) echo $"Usage: $0 {start|stop|restart|status}" exit 1 ;;esacexit $? The above script is simple and contains all of the basic elements you will need to get going. As you can see, we are simply calling the startup.sh and shutdown.sh scripts located in the Tomcat bin directory (/usr/share/apache-tomcat-7.0.19/bin). You can adjust your script according to your needs and, in subsequent posts, we'll look at additional examples. CATALINA_HOME is the Tomcat home directory (/usr/share/apache-tomcat-7.0.19) Now, set the permissions for your script to make it executable:
[root@srv6 init.d]# chmod 755 tomcat
We now use the chkconfig utility to have Tomcat start at boot time. In my script above, I am using chkconfig: 234 20 80. 2445 are the run levels and 20 and 80 are the stop and start priorities respectively. You can adjust as needed.
[root@srv6 init.d]# chkconfig --add tomcat[root@srv6 init.d]# chkconfig --level 234 tomcat on
Verify it:
[root@srv6 init.d]# chkconfig --list tomcattomcat 0:off 1:off 2:on 3:on 4:on 5:off 6:off
Now, let's test our script. Start Tomcat:
[root@srv6 ~]# service tomcat startUsing CATALINA_BASE: /usr/share/apache-tomcat-7.0.19Using CATALINA_HOME: /usr/share/apache-tomcat-7.0.19Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.19/tempUsing JRE_HOME: /usr/java/jdk1.6.0_26Using CLASSPATH: /usr/share/apache-tomcat-7.0.19/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.19/bin/tomcat-juli.jar
Stop Tomcat:
[root@srv6 ~]# service tomcat stopUsing CATALINA_BASE: /usr/share/apache-tomcat-7.0.19Using CATALINA_HOME: /usr/share/apache-tomcat-7.0.19Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.19/tempUsing JRE_HOME: /usr/java/jdk1.6.0_26Using CLASSPATH: /usr/share/apache-tomcat-7.0.19/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.19/bin/tomcat-juli.jar
Restarting Tomcat (Must be started first):
[root@srv6 ~]# service tomcat restartUsing CATALINA_BASE: /usr/share/apache-tomcat-7.0.19Using CATALINA_HOME: /usr/share/apache-tomcat-7.0.19Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.19/tempUsing JRE_HOME: /usr/java/jdk1.6.0_26Using CLASSPATH: /usr/share/apache-tomcat-7.0.19/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.19/bin/tomcat-juli.jarUsing CATALINA_BASE: /usr/share/apache-tomcat-7.0.19Using CATALINA_HOME: /usr/share/apache-tomcat-7.0.19Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.19/tempUsing JRE_HOME: /usr/java/jdk1.6.0_26Using CLASSPATH: /usr/share/apache-tomcat-7.0.19/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.19/bin/tomcat-juli.jar
We should review the Catalina.out log located at /usr/share/apache-tomcat-7.0.19/logs/catalina.out and check for any errors.
[root@srv6 init.d]# more /usr/share/apache-tomcat-7.0.19/logs/catalina.out
We can now access the swanky new Tomcat Manager page at: http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Tomcat home page.
Tomcat 7 contains a number of changes that offer finer-grain roles. For security reasons, no users or passwords are created for the Tomcat manager roles by default. In a production deployment, it is always best to remove the Manager application. To set roles, user name(s) and password(s), we need to configure the tomcat-users.xml file located at $CATALINA_HOME/conf/tomcat-users.xml. In the case of our installation, $CATALINA_HOME is located at /usr/share/apache-tomcat-7.0.19. By default the Tomcat 7 tomcat-users.xml file will look as below.
Note that while examples are provided, the elements between the <tomcat-users> and </tomcat-users> tags have been commented-out. New roles for Tomcat 7 offer finer-grained access. The following roles are available: manager-gui manager-status manager-jmx manager-script admin-gu admin-script. We can enable access for the manager-gui role, for example as below:
Caution should be exercised in granting multiple roles so as not to under-mind security.
In our Tomcat configuration above, we are running Tomcat as Root. For security reasons, it is always best to run services with the only those privileges that are necessary. There are some who make a strong case that this is not required, but it's always best to err on the side of caution. To run Tomcat as non-root user, we need to do the following: 1. Create the group 'tomcat':
[root@srv6 ~]# groupadd tomcat
2. Create the user 'tomcat' and add this user to the tomcat group we created above.
[root@srv6 ~]# useradd -s /bin/bash -g tomcat tomcat
The above will create a home directory for the user tomcat in the default user home as /home/tomcat If we want the home directory to be elsewhere, we simply specify so using the -d switch.
[root@srv6 ~]# useradd -g tomcat -d /usr/share/apache-tomcat-7.0.19/tomcat tomcat
The above will create the user tomcat's home directory as /usr/share/apache-tomcat-7.0.19/tomcat 3. Change ownership of the tomcat files to the user tomcat we created above:
[root@srv6 ~]# chown -Rf tomcat.tomcat /usr/share/apache-tomcat-7.0.19/
Note: it is possible to enhance our security still further by making certain files and directories read-only. This will not be covered in this post and care should be used when setting such permissions. 4. Adjust the start/stop service script we created above. In our new script, we need to su to the user tomcat:
#!/bin/bash# description: Tomcat Start Stop Restart# processname: tomcat# chkconfig: 234 20 80JAVA_HOME=/usr/java/jdk1.6.0_26export JAVA_HOMEPATH=$JAVA_HOME/bin:$PATHexport PATHTOMCAT_HOME=/usr/share/apache-tomcat-7.0.19/bincase $1 instart)/bin/su tomcat $TOMCAT_HOME/startup.sh;;stop)/bin/su tomcat $TOMCAT_HOME/shutdown.sh;;restart)/bin/su tomcat $TOMCAT_HOME/shutdown.sh/bin/su tomcat $TOMCAT_HOME/startup.sh;;esacexit 0
Note: the following applies when you are running Tomcat in "stand alone" mode with Tomcat running under the minimally privileged user Tomcat we created in the previous step. To run services below port 1024 as a user other than root, you can add the following to your IP tables:
[root@srv6 ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080[root@srv6 ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080