Tomcat is an open-source web server for Java-based applications. It is used for deploying Java Servlet and JSP applications. Java servlets are small programs defining how a server handles requests and responses. Tomcat acts as an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies.
There are multiple versions of Tomcat available. We will discuss the installation of Tomcat 10 for our tutorial. If you want to install Tomcat 9, the instructions will be the same. If there are any changes, they will be specified in the tutorial.
For our tutorial, we will install Tomcat 10 along with the Nginx server to act as a reverse proxy and protect it using SSL. There is a Tomcat 10.1.x version which is the latest alpha version of Tomcat, but we will not be installing that.
Prerequisites
- A server running Rocky Linux 8.5.
- A non-root user with sudo privileges.
- Make sure everything is updated.
  $ sudo dnf update
- Packages required for the installation.
  $ sudo dnf install wget tar
Step 1 - Install Java
Tomcat 9 and 10 require Java 8 or later. We will install OpenJDK 11, the open-source implementation of the Java platform.
Run the following command to install OpenJDK.
$ sudo dnf install java-11-openjdk-devel
Verify the installation.
$ java -version
openjdk version "11.0.13" 2021-10-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.13+8-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.13+8-LTS, mixed mode, sharing)
Step 2 - Create a System User
We will create a dedicated system user so that Tomcat does not run as root; a compromised application running as root would expose the whole server. For the new user, we will set /opt/tomcat as the home directory.
Run the following command to create a new system user for Tomcat.
$ sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat
Step 3 - Download Tomcat
The latest version of Tomcat v10 can be downloaded from its download page. At the time of writing this tutorial, v10.0.14 is the latest available version. Check the latest version before you download Tomcat.
Use wget to download Tomcat.
$ VERSION=10.0.14
$ wget https://dlcdn.apache.org/tomcat/tomcat-10/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz
Extract the file to the /opt/tomcat directory.
$ sudo tar -xf apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/
Create a symbolic link to the latest version of Tomcat that points to Tomcat's installation directory.
$ sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest
Change the ownership of the directory to the user created earlier.
$ sudo chown -R tomcat:tomcat /opt/tomcat
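Before extracting, it is worth checking that the tarball is the one Apache published. The following script is an added example and not part of the tutorial: it compares the downloaded apache-tomcat-${VERSION}.tar.gz against the SHA-512 digest that Apache publishes next to every release. The .sha512 URL follows the layout of downloads.apache.org (the canonical site, as opposed to the dlcdn mirror the tutorial downloads from); the VERSION and file names are the tutorial's, and the verifier function itself works on any local file and digest file pair.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check the downloaded Tomcat tarball
# against the SHA-512 digest Apache publishes next to each release, so a
# tampered or truncated download is caught before it is extracted into /opt/tomcat.
# The .sha512 URL below is assumed to follow the downloads.apache.org layout.

VERSION="${VERSION:-10.0.14}"
TARBALL="apache-tomcat-${VERSION}.tar.gz"
SUM_URL="https://downloads.apache.org/tomcat/tomcat-10/v${VERSION}/bin/${TARBALL}.sha512"

# verify_sha512 FILE SUMFILE
# SUMFILE holds one line in the "<hex digest>  <name>" or "<hex digest> *<name>"
# format that Apache publishes. Returns 0 only when the digest matches.
verify_sha512() {
  file="$1"; sumfile="$2"
  [ -f "$file" ] && [ -f "$sumfile" ] || return 1
  expected=$(head -n 1 "$sumfile" | cut -d' ' -f1 | tr 'A-Z' 'a-z')
  actual=$(sha512sum "$file" | cut -d' ' -f1)
  # A SHA-512 digest is 128 hex characters; an empty or short "expected" must not pass.
  [ "${#expected}" -eq 128 ] && [ "$expected" = "$actual" ]
}

# Download the digest from the canonical Apache site and verify the tarball
# fetched with wget in Step 3. Runs only when invoked as: sh verify.sh --fetch
fetch_and_verify() {
  wget -q -O "${TARBALL}.sha512" "$SUM_URL" || { echo "could not fetch $SUM_URL"; return 1; }
  if verify_sha512 "$TARBALL" "${TARBALL}.sha512"; then
    echo "OK: $TARBALL matches the published SHA-512"
  else
    echo "MISMATCH: do not extract $TARBALL"
    return 1
  fi
}

if [ "${1:-}" = "--fetch" ]; then
  fetch_and_verify
fi
```

Run it in the directory that holds the tarball (for example `VERSION=10.0.14 sh verify.sh --fetch`) and only extract the archive when it reports OK; the digest is fetched from the canonical Apache host rather than the mirror so that a mirror serving a modified archive cannot also serve a matching digest.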
Step 4 - Create a Systemd Unit File
The next step is to create a service file for the Tomcat server so that it can be started automatically.
Create and open the file /etc/systemd/system/tomcat.service for editing.
$ sudo nano /etc/systemd/system/tomcat.service
Paste the following code.
[Unit]
Description=Apache Tomcat 10 Servlet container
Wants=network.target
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh
Restart=always

[Install]
WantedBy=multi-user.target
Save the file by pressing Ctrl + X and entering Y when prompted to save.
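The unit above runs Tomcat as the unprivileged tomcat user but leaves the rest of the file system writable to it. The script below is an added example, not part of the tutorial, that installs a systemd drop-in to sandbox the service without editing the unit itself. The directive set is an assumption that matches the tutorial's layout: Tomcat only needs write access under /opt/tomcat, its PID file lives in /opt/tomcat/latest/temp rather than /tmp, and the /dev/urandom that JAVA_OPTS points at is still present under PrivateDevices.

```shell
#!/bin/sh
# Added example, not part of the tutorial: write a systemd drop-in that
# sandboxes the tomcat.service unit from Step 4. The directives are an
# assumption based on the tutorial's paths (everything Tomcat writes is
# under /opt/tomcat).

# write_hardening_dropin DROPIN_ROOT
# Creates DROPIN_ROOT/tomcat.service.d/hardening.conf and prints its path.
# On a live system DROPIN_ROOT is /etc/systemd/system.
write_hardening_dropin() {
  dir="$1/tomcat.service.d"
  mkdir -p "$dir"
  cat > "$dir/hardening.conf" <<'EOF'
[Service]
# Whole file system read-only for the service, except the Tomcat tree.
ProtectSystem=strict
ReadWritePaths=/opt/tomcat
ProtectHome=true
# Private /tmp; the unit keeps CATALINA_PID under /opt/tomcat, not /tmp.
PrivateTmp=true
# Minimal /dev (still contains the /dev/urandom referenced by JAVA_OPTS).
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
# The tomcat user cannot regain privileges through setuid binaries.
NoNewPrivileges=true
EOF
  printf '%s\n' "$dir/hardening.conf"
}

# dropin_has DROPIN_FILE DIRECTIVE: 0 when the exact "Key=Value" line is present.
dropin_has() {
  grep -qx -- "$2" "$1"
}

# Usage on the server (assumed file name hardening.sh):
#   sudo sh hardening.sh --install
#   sudo systemctl daemon-reload && sudo systemctl restart tomcat
#   systemd-analyze security tomcat   # exposure score before and after
if [ "${1:-}" = "--install" ]; then
  write_hardening_dropin /etc/systemd/system
fi
```

A drop-in is preferred over editing tomcat.service because it survives a later rewrite of the unit and can be removed with a single file deletion if an application needs a path outside /opt/tomcat; after the restart, `journalctl -u tomcat` shows any access the sandbox denied.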
Step 5 - Start and Enable the Tomcat service
Reload the service daemon to enable the Tomcat service.
$ sudo systemctl daemon-reload
Enable and Start the Tomcat service.
$ sudo systemctl enable tomcat --now
Check the service status.
$ sudo systemctl status tomcat
● tomcat.service - Apache Tomcat 10 Servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-12-17 15:54:28 UTC; 24s ago
  Process: 86219 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 86226 (java)
    Tasks: 19 (limit: 11411)
   Memory: 132.7M
   CGroup: /system.slice/tomcat.service
           └─86226 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/tomcat/latest/conf/logging.properties>

Dec 17 15:54:27 howtoforge systemd[1]: Starting Apache Tomcat 10 Servlet container...
Dec 17 15:54:28 howtoforge systemd[1]: Started Apache Tomcat 10 Servlet container.
Step 6 - Configure Firewall
Rocky Linux uses Firewalld Firewall. Check the firewall's status.
$ sudo firewall-cmd --state
running
Allow HTTP and HTTPS ports.
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
Reload the firewall to enable the changes.
$ sudo firewall-cmd --reload
Step 7 - Configure Tomcat Web Management Interface
The web management interface will only be accessible once we create a user credential for it.
Tomcat users and roles are defined in the /opt/tomcat/latest/conf/tomcat-users.xml file. Open the file for editing.
$ sudo nano /opt/tomcat/latest/conf/tomcat-users.xml
Add the following lines before the </tomcat-users> line. Replace the username and password with your own credentials, and choose different credentials for the Manager and Administrator Tomcat portals.
<tomcat-users>
<!-- Comments -->
   <role rolename="manager-gui"/>
   <user username="manager" password="managerpassword" roles="manager-gui" />

   <role rolename="admin-gui"/>
   <user username="admin" password="adminpassword" roles="admin-gui"/>
</tomcat-users>
Save the file by pressing Ctrl + X and entering Y when prompted to save.
By default, the Tomcat management interface is only accessible from localhost. If you need to reach it from another host, you have to change this restriction.
Open the /opt/tomcat/latest/webapps/manager/META-INF/context.xml file for editing.
$ sudo nano /opt/tomcat/latest/webapps/manager/META-INF/context.xml
Remove the following lines, or comment them out as shown below by enclosing them in <!-- and -->.
<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
Allowing access from any IP address is a security risk. You can restrict it by allowing access only from your public IP address. If your public IP address is 22.22.22.22, then change the line as follows.
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|22\.22\.22\.22" />
The allow attribute is a regular expression, so the allowed addresses are separated by a vertical bar (|) and the dots in a literal IP address are escaped as \. (an unescaped dot matches any character). You can either add single IP addresses this way or write a broader pattern.
Save the file by pressing Ctrl + X and entering Y when prompted to save.
Perform the same changes on the file /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml as well.
Once finished, restart the Tomcat server.
$ sudo systemctl restart tomcat
Step 8 - Install SSL
To install an SSL certificate using Let's Encrypt, we need to install the Certbot tool.
Firstly, you need to download and install the EPEL repository.
$ sudo dnf install epel-release
Run the following commands to install Certbot.
$ sudo dnf install certbot
Generate the SSL certificate.
$ sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m name@example.com -d tomcat.example.com
The above command will download a certificate to the /etc/letsencrypt/live/tomcat.example.com directory on your server.
Generate a Diffie-Hellman group certificate.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Create a challenge webroot directory for Let's Encrypt auto-renewal.
$ sudo mkdir -p /var/lib/letsencrypt
Create a Cron Job to renew the SSL certificate. It will run every day to check the certificate and renew it if needed. For that, first create the file /etc/cron.daily/certbot-renew and open it for editing.
$ sudo nano /etc/cron.daily/certbot-renew
Paste the following code.
#!/bin/sh
certbot renew --cert-name tomcat.example.com --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
Save the file by pressing Ctrl + X and entering Y when prompted.
Change the permissions on the task file to make it executable.
$ sudo chmod +x /etc/cron.daily/certbot-renew
Step 9 - Install Nginx
Rocky Linux 8.5 ships with the latest stable version of Nginx. Install it using the following command.
$ sudo dnf module install nginx:1.20
Verify the installation.
$ nginx -v
nginx version: nginx/1.20.1
Enable and start the Nginx service.
$ sudo systemctl enable nginx --now
Create and open the file /etc/nginx/conf.d/tomcat.conf for editing.
$ sudo nano /etc/nginx/conf.d/tomcat.conf
Paste the following code in it.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tomcat.example.com;

    access_log /var/log/nginx/tomcat.access.log;
    error_log /var/log/nginx/tomcat.error.log;

    # SSL
    ssl_certificate /etc/letsencrypt/live/tomcat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tomcat.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tomcat.example.com/chain.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    resolver 8.8.8.8;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# enforce HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name tomcat.example.com;

    # Serve Let's Encrypt HTTP-01 challenges from the webroot used by the
    # renewal cron job in Step 8. Without this location the redirect below
    # would send the validation request on to Tomcat and renewal would fail.
    location /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
Save the file by pressing Ctrl + X and entering Y when prompted once finished.
Open the file /etc/nginx/nginx.conf for editing.
$ sudo nano /etc/nginx/nginx.conf
Add the following line before the line include /etc/nginx/conf.d/*.conf;.
server_names_hash_bucket_size 64;
Save the file by pressing Ctrl + X and entering Y when prompted.
Verify the Nginx configuration file syntax.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the Nginx service to enable the new configuration.
$ sudo systemctl restart nginx
Step 10 - Run Tomcat
Launch https://tomcat.example.com in your browser, and it will open the following screen.
You can now access the Server Status, Manager App and Host Manager pages using the login credentials we configured in step 7.
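Before relying on the Manager and Host Manager logins, it pays to audit how the access restriction from Step 7 interacts with the proxy from Step 9. RemoteAddrValve matches the address of the TCP peer, and behind the Nginx proxy every request reaches Tomcat from 127.0.0.1, so the valve admits everyone unless a RemoteIpValve in conf/server.xml (at Engine or Host level, with internalProxies covering 127.0.0.1) rewrites the client address from the X-Forwarded-For header Nginx sets. The script below is an added example and not part of the tutorial: it strips XML comments so a commented-out valve is not mistaken for an active one, checks that the valve's allow pattern really admits the administrator's address (emulating Tomcat's full-string regex match with grep -x and translating Java's \d to [0-9]), flags a missing RemoteIpValve, and flags a world-readable tomcat-users.xml, which holds clear-text passwords. The base directory argument and the administrator address are assumptions; on the tutorial's layout the base is /opt/tomcat/latest.

```shell
#!/bin/sh
# Added example, not part of the tutorial: post-install audit of the Manager
# and Host Manager access restriction from Step 7 as deployed behind the
# Nginx proxy from Step 9. Assumes the tutorial's directory layout; the
# CATALINA_BASE directory and administrator address are passed as arguments.

# Print FILE with every <!-- ... --> span removed and newlines folded, so a
# commented-out Valve is not mistaken for an active one.
strip_xml_comments() {
  tr '\n' ' ' < "$1" | awk '{
    s = $0
    while ((i = index(s, "<!--")) > 0) {
      rest = substr(s, i + 4)
      j = index(rest, "-->")
      if (j == 0) { s = substr(s, 1, i - 1); break }   # unterminated comment
      s = substr(s, 1, i - 1) substr(rest, j + 3)
    }
    print s
  }'
}

# Print the allow="..." pattern of the active RemoteAddrValve in FILE
# (empty when the valve is absent or commented out).
active_valve_allow() {
  strip_xml_comments "$1" |
    sed -n 's/.*org\.apache\.catalina\.valves\.RemoteAddrValve[^>]*allow="\([^"]*\)".*/\1/p'
}

# valve_allows PATTERN ADDR: emulate Tomcat's full-string regex match of the
# client address. Java's \d is rewritten to [0-9], which POSIX ERE understands.
valve_allows() {
  ere=$(printf '%s' "$1" | sed 's/\\d/[0-9]/g')
  printf '%s\n' "$2" | grep -Eqx -- "$ere"
}

# others_can_read FILE: true when the "other" read bit is set (column 8 of ls -l).
others_can_read() {
  [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit_tomcat BASE ADMIN_IP: print findings; returns 0 when clean, 1 otherwise.
audit_tomcat() {
  base="$1"; admin_ip="$2"; rc=0
  for app in manager host-manager; do
    ctx="$base/webapps/$app/META-INF/context.xml"
    pat=$(active_valve_allow "$ctx")
    if [ -z "$pat" ]; then
      printf '%s\n' "FINDING: $app: RemoteAddrValve missing or commented out (reachable from any address)"
      rc=1
    elif valve_allows "$pat" "$admin_ip"; then
      printf '%s\n' "ok: $app: valve admits $admin_ip"
    else
      printf '%s\n' "FINDING: $app: valve would lock out $admin_ip (pattern: $pat)"
      rc=1
    fi
  done
  server="$base/conf/server.xml"
  if ! strip_xml_comments "$server" | grep -q 'org\.apache\.catalina\.valves\.RemoteIpValve'; then
    printf '%s\n' "FINDING: no RemoteIpValve in $server: behind the Nginx proxy every request arrives from 127.0.0.1, so the manager valves admit everyone"
    rc=1
  fi
  users="$base/conf/tomcat-users.xml"
  if others_can_read "$users"; then
    printf '%s\n' "FINDING: $users is world-readable (it holds clear-text passwords)"
    rc=1
  fi
  return "$rc"
}

# Usage (assumed script name): sudo sh audit.sh /opt/tomcat/latest 22.22.22.22
if [ -n "${1:-}" ]; then
  audit_tomcat "$1" "${2:-127.0.0.1}"
fi
```

Run it as the tomcat user or with sudo so that it can read the configuration files, and re-run it after every restart of the service, since redeploying the manager web application restores the default context.xml.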
Conclusion
This concludes our tutorial on installing and configuring Tomcat Server on a Rocky Linux 8.5 based server and serving it via Nginx reverse proxy, and using SSL to protect it. If you have any questions, post them in the comments below.