Archive for the ‘Tomcat’ Category

Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)

This document explains the process of installing, configuring and hardening a Tomcat 8.x server on a default RedHat 6.5 installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.
Some of the features explained in this document are supported only by some Internet browsers:

  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (not enabled by default), Firefox 24.0 (not enabled by default), Chrome 30, Opera 17, Safari 5.0

Installation phase

  1. Log in to the server using the root account.
  2. Create a new account:
    groupadd tomcat
    useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
  3. Download the latest JDK8 for Linux from:
    http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
  4. Upgrade to the latest build of Oracle JDK:
    rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
  5. Delete the JDK8 source files:
    rm -rf /tmp/jdk-8u45-linux-x64.rpm
    rm -rf /usr/java/jdk1.8.0_45/src.zip
  6. Download the latest Tomcat 8 source files:
    cd /opt
    wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
  7. Extract Tomcat source files:
    tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
  8. Rename the Tomcat folder:
    mv /opt/apache-tomcat-8.0.21 /opt/tomcat
  9. Remove default content:
    rm -rf /opt/apache-tomcat-8.0.21.tar.gz
    rm -rf /opt/tomcat/webapps/docs
    rm -rf /opt/tomcat/webapps/examples
    rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
    rm -rf /opt/tomcat/webapps/host-manager
    rm -rf /opt/tomcat/webapps/manager
    rm -rf /opt/tomcat/work/Catalina/localhost/docs
    rm -rf /opt/tomcat/work/Catalina/localhost/examples
    rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
    rm -rf /opt/tomcat/work/Catalina/localhost/manager
  10. Change folder ownership and permissions:
    chown -R tomcat.tomcat /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat/conf
    chmod o-rwx /opt/tomcat/logs
    chmod o-rwx /opt/tomcat/temp
    chmod g-w,o-rwx /opt/tomcat/bin
    chmod g-w,o-rwx /opt/tomcat/webapps
    chmod 770 /opt/tomcat/conf/catalina.policy
    chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
    chmod g-w,o-rwx /opt/tomcat/conf/context.xml
    chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
    chmod g-w,o-rwx /opt/tomcat/conf/server.xml
    chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
    chmod g-w,o-rwx /opt/tomcat/conf/web.xml
  11. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  12. Extract the file catalina.jar
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  13. Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
    Replace the string below from:
    server.info=Apache Tomcat/8.0.21
    To:
    server.info=Secure Web server
    Replace the string below from:
    server.number=8.0.21.0
    To:
    server.number=1.0.0.0
    Replace the string below from:
    server.built=Mar 23 2015 14:11:21 UTC
    To:
    server.built=Jan 01 2000 00:00:00 UTC
  14. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  15. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  16. Remove the folder below:
    rm -rf /opt/tomcat/lib/org
  17. Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes:
    Replace the:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />

    To:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    xpoweredBy="false"
    allowTrace="false"
    redirectPort="8443" />
    Replace the:
    <Server port="8005" shutdown="SHUTDOWN">
    To:
    <Server port="-1" shutdown="SHUTDOWN">
    Replace the:
    autoDeploy="true"
    To:
    autoDeploy="false"
  18. Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content:
    <html>
    <head>
    <title>404-Page Not Found</title>
    </head>
    <body> The requested URL was not found on this server. </body>
    </html>
  19. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <error-page>
    <error-code>400</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>401</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>403</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>405</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>410</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>411</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>412</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>413</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>408</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>500</error-code>
    <location>/error.jsp</location>
    </error-page>
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
  20. Create using VI, the file /etc/init.d/tomcat, with the following content:
    #!/bin/bash
    # description: Tomcat Start Stop Restart
    # processname: tomcat
    # chkconfig: 234 20 80
    JAVA_HOME=/usr/java/jdk1.8.0_45
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH
    # Tomcat installation root (step 8); the start/stop scripts live in its bin folder
    CATALINA_HOME=/opt/tomcat
    # Run the Tomcat scripts as the unprivileged tomcat account created in step 2
    case "$1" in
    start)
    /bin/su tomcat $CATALINA_HOME/bin/startup.sh
    ;;
    stop)
    /bin/su tomcat $CATALINA_HOME/bin/shutdown.sh
    ;;
    restart)
    /bin/su tomcat $CATALINA_HOME/bin/shutdown.sh
    /bin/su tomcat $CATALINA_HOME/bin/startup.sh
    ;;
    esac
    exit 0
    Note: Update the “JAVA_HOME” path according to the installed JDK build.
  21. Change the permission on the tomcat script:
    chmod 755 /etc/init.d/tomcat
  22. To start Tomcat service at server start-up, run the command:
    chkconfig tomcat on
  23. To manually start the Tomcat service, use the command:
    service tomcat start
  24. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  25. Allow SSH access from the internal segment (i.e. 10.0.0.0/8):
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  26. Allow HTTP (port 8080/TCP) access from the Internet on the public interface (i.e. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name.
  27. Save the IPTables settings:
    service iptables save

SSL Configuration Phase

  1. Log in to the server using the root account.
  2. Create a folder for the SSL certificate files:
    mkdir -p /opt/tomcat/ssl
    chown -R tomcat:tomcat /opt/tomcat/ssl
    chmod -R 755 /opt/tomcat/ssl
    Note: Mode 755 leaves the folder readable by every local account; the key store created in the next step holds the server's private key, so that file should not be world-readable.
  3. Run the command below to generate a key store:
    /usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"
    Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  4. Run the command below to generate a CSR (certificate request):
    /usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"
    Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  5. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (including those two lines) into Notepad, and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /opt/tomcat/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl
  10. Run the command below to import the trusted root CA chain into the key store under its own alias:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias "root" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crt
    Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: The alias for the CA entry must differ from the “FQDN_Name” alias used in step 3: keytool treats an import under an existing key alias as a certificate reply for that key, and a CA certificate would be rejected.
  11. Run the command below to import the signed public key into the key store, under the same alias as the private key:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias "FQDN_Name" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crt
    Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name (the alias given in step 3).
  12. Stop the Tomcat service:
    service tomcat stop
  13. Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below:
    <Connector port="8443"
    protocol="HTTP/1.1"
    maxThreads="150"
    xpoweredBy="false"
    allowTrace="false"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="/opt/tomcat/ssl/server.key"
    keystorePass="ComplexPassword"
    keyAlias="FQDN_Name"
    clientAuth="false"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    Note 1: Replace ComplexPassword with your own complex password.
    Note 2: Replace “FQDN_Name” with the server DNS name.
  14. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following section inside a <security-constraint> element whose web-resource-collection covers the URLs that must be served over HTTPS (a user-data-constraint is not valid directly under the “web-app” tag):
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  15. Edit using VI, the file /opt/tomcat/conf/context.xml and add the following parameter inside the Context tag (the attribute name is case-sensitive):
    useHttpOnly="true"
  16. Allow HTTPS (port 8443/TCP) access from the Internet on the public interface (i.e. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name.
  17. Save the IPTables settings:
    service iptables save
  18. To manually start the Tomcat service, use the command:
    service tomcat start
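
The script below is an added example, not part of the original guide: it audits a server.xml for the settings applied in installation step 17 and SSL step 13 (shutdown port disabled, xpoweredBy and allowTrace off on every Connector, autoDeploy off, TLSv1.2 enabled and no SSLv2/SSLv3 on the SSL connector). The two embedded server.xml samples are constructed for the demonstration; pass a path such as /opt/tomcat/conf/server.xml to audit a real file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the stock Tomcat 8 server.xml before hardening.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same file after the guide's changes (cipher list omitted).
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               xpoweredBy="false" allowTrace="false" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
               xpoweredBy="false" allowTrace="false" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="/opt/tomcat/ssl/server.key" keyAlias="FQDN_Name"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every checked setting is present."""
    findings = []
    root = ET.fromstring(xml_text)
    # Step 17: a real shutdown port accepts the SHUTDOWN string over TCP; -1 disables it.
    shutdown_port = root.get("port", "8005")
    if shutdown_port != "-1":
        findings.append("Server: shutdown port is %s, expected -1" % shutdown_port)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # The guide sets both attributes explicitly on every Connector, so require them.
        for attr in ("xpoweredBy", "allowTrace"):
            if conn.get(attr, "").lower() != "false":
                findings.append("Connector %s: %s is not set to false" % (port, attr))
        if conn.get("SSLEnabled", "").lower() == "true":
            protos = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")]
            if "TLSv1.2" not in protos:
                findings.append("Connector %s: TLSv1.2 missing from sslEnabledProtocols" % port)
            if "SSLv2" in protos or "SSLv3" in protos:
                findings.append("Connector %s: SSLv2 or SSLv3 enabled" % port)
            if conn.get("scheme") != "https" or conn.get("secure") != "true":
                findings.append("Connector %s: scheme/secure not set for HTTPS" % port)
    for host in root.iter("Host"):
        # autoDeploy defaults to true when the attribute is absent.
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append("Host %s: autoDeploy is not false" % host.get("name", "?"))
    return findings


def audit_file(path):
    """Audit a server.xml on disk, e.g. /opt/tomcat/conf/server.xml."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {sys.argv[1]: audit_file(sys.argv[1])}
    else:
        results = {"weak sample": audit_server_xml(WEAK_SERVER_XML),
                   "hardened sample": audit_server_xml(HARDENED_SERVER_XML)}
    for name, findings in results.items():
        print("%s: %s" % (name, "OK" if not findings else "%d finding(s)" % len(findings)))
        for f in findings:
            print("  - " + f)
```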

How to implement SSL on Tomcat 5.5

Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Tomcat 5.5 on Solaris 10 platform.

SSL implementation phase

  1. Log in to the server using the root account.
  2. Create a folder for the SSL certificate files:
    mkdir -p /var/apache/tomcat55/conf/ssl.crt
  3. Create a folder for the SSL private key:
    mkdir -p /var/apache/tomcat55/conf/ssl.key
  4. Change ownership of all server files to the tomcat user:
    chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
  5. Run the command below to generate a key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
    Note: The command above should be written as one line.
    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
    Note: The command above should be written as one line.
  6. Run the command below to generate a CSR (certificate request):
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
    Note: The command above should be written as one line.
    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
    Note: The command above should be written as one line.
  7. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  8. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (including those two lines) into Notepad, and save the file as “server.crt”.
  9. Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
  10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  11. Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
  12. Run the command below to import the trusted root CA public certificate:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
    Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
    Note: The command above should be written as one line.

  13. Run the command below to import the signed public key into the key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
    Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
    Note: The command above should be written as one line.

  14. Stop the Tomcat service:
    /etc/init.d/tomcat stop
  15. Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section below:
    <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="SSLv3"
    keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
    keystorePass="ComplexPassword"
    truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
    truststorePass="changeit"
    ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
    tcpNoDelay="true" />
  16. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  17. Start the Tomcat service:
    /etc/init.d/tomcat start -security

Hardening guide for Tomcat 5.5 on Solaris 10 platform

Pre-installation notes
This guide instructs how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.

Installation phase

  1. Log in to the server using the root account.
  2. Make sure the folder /usr/jdk exists:
    ls -ad /usr/jdk
  3. If the folder /usr/jdk doesn’t exist, create it manually:
    mkdir /usr/jdk
  4. Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk
  5. Move to /usr/jdk folder
    cd /usr/jdk
  6. Change the permissions on the JDK 1.6 (32bit) script:
    chmod +x jdk-6u15-solaris-i586.sh
  7. Run the command below to install JDK 1.6 (32bit):
    ./jdk-6u15-solaris-i586.sh
  8. Change the permissions on the JDK 1.6 (x64) script:
    chmod +x jdk-6u15-solaris-x64.sh
  9. Run the command below to install JDK 1.6 (x64):
    ./jdk-6u15-solaris-x64.sh
  10. Delete the JDK install scripts, the source archive and the samples:
    rm /usr/jdk/jdk-6u15-solaris-i586.sh
    rm /usr/jdk/jdk-6u15-solaris-x64.sh
    rm /usr/jdk/jdk1.6.0_15/src.zip
    rm -r /usr/jdk/jdk1.6.0_15/demo
    rm -r /usr/jdk/jdk1.6.0_15/sample
  11. Remove the existing link for Java:
    rm /usr/bin/java
  12. Create a new link for Java (for x64 servers):
    ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
  13. Reload the links into memory:
    rehash
  14. Mount Solaris 10 DVD, and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  15. Run the command below to install the Tomcat packages:
    pkgadd -d . SUNWtcatr SUNWtcatu
  16. Remove the following default folders:
    rm -r /usr/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
    rm -r /var/apache/tomcat55/webapps/jsp-examples
    rm -r /var/apache/tomcat55/webapps/servlets-examples
    rm -r /var/apache/tomcat55/webapps/webdav
    rm -r /var/apache/tomcat55/webapps/balancer
  17. Copy the server.xml configuration file:
    cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
    Note: The above command should be written as one line.
  18. Edit using VI, the file /var/apache/tomcat55/conf/server.xml
    Uncomment the section below:
    org.apache.catalina.valves.AccessLogValve
    Replace the non-SSL HTTP/1.1 Connector:
    From:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
    To:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
  19. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
  20. Edit using VI, the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines:
    <role rolename="admin"/>
    <role rolename="manager"/>
    <user username="admin" password="adminpass" roles="admin,manager"/>
    Note: Specify complex password for the admin account (and document it).
  21. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml
    Uncomment the section below:
    org.apache.catalina.valves.RemoteAddrValve
    Replace the value below:
    From:
    allow="127.0.0.1"
    To:
    allow="172.16.*.*"
    Note: You may replace “172.16.*.*” with the internal network segment.
    Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  22. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml
    Inside the “Context” section, add the following line:
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*" />
    Note: You may replace “172.16.*.*” with the internal network segment.
    Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  23. Move to the folder /usr/apache/tomcat55/server/lib
    cd /usr/apache/tomcat55/server/lib
  24. Extract the file catalina.jar
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  25. Edit using VI, the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties
    Replace the string below from:
    server.info=Apache Tomcat/5.5.26
    To:
    server.info=Secure Web server
    Replace the string below from:
    server.number=5.5.26.0
    To:
    server.number=1.0.0.0
  26. Move to the folder /usr/apache/tomcat55/server/lib
    cd /usr/apache/tomcat55/server/lib
  27. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  28. Remove the folder below:
    rm -r /usr/apache/tomcat55/server/lib/org
  29. Create a user account for the Tomcat service:
    mkdir /home/tomcat
    groupadd tomcat
    useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
    chown tomcat:tomcat /home/tomcat/
    passwd tomcat
    passwd -l tomcat
  30. Create using VI, the file /etc/init.d/tomcat with the following content:
    #!/bin/sh
    #
    # Startup script for Tomcat
    #
    case "$1" in
    start)
    echo "Starting Tomcat"
    # Run Tomcat as the unprivileged tomcat user with the security manager enabled
    JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c "/usr/apache/tomcat55/bin/startup.sh -security"
    ;;
    stop)
    echo "Stopping Tomcat"
    JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c "/usr/apache/tomcat55/bin/shutdown.sh"
    ;;
    restart)
    $0 stop
    $0 start
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
    esac
  31. Change the permissions on the file /etc/init.d/tomcat
    chmod u+x /etc/init.d/tomcat
  32. Create symbolic links for system-level startup:
    ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
    ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
  33. Reload the links into memory:
    rehash
  34. Change ownership of all server files to the tomcat user:
    chown -R tomcat:tomcat /var/apache/tomcat55/*
    chown -R tomcat:tomcat /usr/apache/tomcat55/*