
Hardening guide for Tomcat 5.5 on Solaris 10 platform

Pre-installation notes
This guide describes how to install Sun JDK 1.6 update 15 (6u15) and Tomcat 5.5 on Sun Solaris 10.

Installation phase

  1. Log in to the server using the root account.
  2. Make sure the folder /usr/jdk exists:
    ls -ad /usr/jdk
  3. If the folder /usr/jdk does not exist, create it manually:
    mkdir /usr/jdk
  4. Copy the JDK 1.6 installer scripts (32-bit and x64) into /usr/jdk.
  5. Move to /usr/jdk folder
    cd /usr/jdk
  6. Change the permissions on the JDK 1.6 (32bit) script:
    chmod +x jdk-6u15-solaris-i586.sh
  7. Run the command below to install JDK 1.6 (32-bit):
    ./jdk-6u15-solaris-i586.sh
  8. Change the permissions on the JDK 1.6 (x64) script:
    chmod +x jdk-6u15-solaris-x64.sh
  9. Run the command below to install JDK 1.6 (x64):
    ./jdk-6u15-solaris-x64.sh
  10. Delete the installer scripts, the source archive and the demo/sample folders:
    rm /usr/jdk/jdk-6u15-solaris-i586.sh
    rm /usr/jdk/jdk-6u15-solaris-x64.sh
    rm /usr/jdk/jdk1.6.0_15/src.zip
    rm -r /usr/jdk/jdk1.6.0_15/demo
    rm -r /usr/jdk/jdk1.6.0_15/sample
  11. Remove the existing Java link:
    rm /usr/bin/java
  12. Create a new Java link (for x64 servers):
    ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
  13. Rebuild the shell's command hash table so the new link is picked up:
    rehash
  14. Mount the Solaris 10 DVD and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  15. Run the command below to install the Tomcat packages:
    pkgadd -d . SUNWtcatr SUNWtcatu
  16. Remove the default documentation, examples and unneeded web applications:
    rm -r /usr/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
    rm -r /var/apache/tomcat55/webapps/jsp-examples
    rm -r /var/apache/tomcat55/webapps/servlets-examples
    rm -r /var/apache/tomcat55/webapps/webdav
    rm -r /var/apache/tomcat55/webapps/balancer
  17. Copy the example server.xml configuration file into place:
    cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
  18. Edit the file /var/apache/tomcat55/conf/server.xml using vi.
    Uncomment the AccessLogValve section (the Valve whose className is org.apache.catalina.valves.AccessLogValve).
    Replace the non-SSL HTTP/1.1 Connector:
    From:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
    To:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
  19. Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section before the closing "web-app" tag:
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTMLManager and Manager command</web-resource-name>
        <url-pattern>/jmxproxy/*</url-pattern>
        <url-pattern>/html/*</url-pattern>
        <url-pattern>/list</url-pattern>
        <url-pattern>/sessions</url-pattern>
        <url-pattern>/start</url-pattern>
        <url-pattern>/stop</url-pattern>
        <url-pattern>/install</url-pattern>
        <url-pattern>/remove</url-pattern>
        <url-pattern>/deploy</url-pattern>
        <url-pattern>/undeploy</url-pattern>
        <url-pattern>/reload</url-pattern>
        <url-pattern>/save</url-pattern>
        <url-pattern>/serverinfo</url-pattern>
        <url-pattern>/status/*</url-pattern>
        <url-pattern>/roles</url-pattern>
        <url-pattern>/resources</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
    </security-constraint>
  20. Edit the file /var/apache/tomcat55/conf/tomcat-users.xml using vi and add the following lines inside the "tomcat-users" element:
    <role rolename="admin"/>
    <role rolename="manager"/>
    <user username="admin" password="adminpass" roles="admin,manager"/>
    Note: Specify a complex password for the admin account (and document it).
  21. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml using vi.
    Uncomment the RemoteAddrValve section (the Valve whose className is org.apache.catalina.valves.RemoteAddrValve) and replace the value of its allow attribute:
    From:
    allow="127.0.0.1"
    To:
    allow="172.16.*.*"
    Note: You may replace "172.16.*.*" with your internal network segment.
    Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  22. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml using vi.
    Inside the "Context" element, add the following line:
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>
    Note: You may replace "172.16.*.*" with your internal network segment.
    Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  23. Move to the folder /usr/apache/tomcat55/server/lib
    cd /usr/apache/tomcat55/server/lib
  24. Extract ServerInfo.properties from catalina.jar:
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  25. Edit the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties using vi.
    Replace the string below from:
    server.info=Apache Tomcat/5.5.26
    To:
    server.info=Secure Web server
    Replace the string below from:
    server.number=5.5.26.0
    To:
    server.number=1.0.0.0
  26. Move to the folder /usr/apache/tomcat55/server/lib
    cd /usr/apache/tomcat55/server/lib
  27. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  28. Remove the extracted folder below:
    rm -r /usr/apache/tomcat55/server/lib/org
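Steps 24 to 27 change the version banner by rewriting one member of catalina.jar. A jar is a zip archive, so the same edit can be carried out and, more usefully, verified without a JDK on the machine doing the check. The following Python script is an added example, not part of this guide or of Tomcat: it builds a small stand-in jar holding a constructed ServerInfo.properties with the two keys from step 25, rewrites them to the guide's values while copying every other member unchanged, and reads the result back to confirm what the server will now report. The function names and the stand-in jar contents are constructed for the illustration; on the real server the guide's jar xf / jar uf commands do this work.

```python
import io
import zipfile

PROPS_MEMBER = "org/apache/catalina/util/ServerInfo.properties"

# Constructed stand-in for the properties member, holding only the two keys the
# guide edits in step 25 (the real file carries more keys).
SAMPLE_PROPERTIES = (
    "server.info=Apache Tomcat/5.5.26\n"
    "server.number=5.5.26.0\n"
)

# The replacement values from step 25.
HARDENED_VALUES = {
    "server.info": "Secure Web server",
    "server.number": "1.0.0.0",
}

def build_sample_jar():
    """Create an in-memory jar (zip) with a manifest and the properties member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(PROPS_MEMBER, SAMPLE_PROPERTIES)
    return buf.getvalue()

def parse_properties(text):
    """Minimal key=value parser for the properties lines this example handles."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def rewrite_properties(text, replacements):
    """Replace the values of the given keys; every other line is kept untouched."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() in replacements:
            line = f"{key.strip()}={replacements[key.strip()]}"
        out.append(line)
    return "\n".join(out) + "\n"

def rebrand_jar(jar_bytes, replacements):
    """Return a new jar with ServerInfo.properties rewritten and all other members copied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src:
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                data = src.read(info.filename)
                if info.filename == PROPS_MEMBER:
                    data = rewrite_properties(data.decode("utf-8"), replacements).encode("utf-8")
                dst.writestr(info, data)
    return out.getvalue()

def jar_members(jar_bytes):
    """List the member names of a jar, to confirm nothing was dropped by the rewrite."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())

def read_server_info(jar_bytes):
    """Read back the values Tomcat's ServerInfo class would report from this jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return parse_properties(jar.read(PROPS_MEMBER).decode("utf-8"))

def demo():
    """Build, rebrand and verify; returns the (before, after) property dicts."""
    original = build_sample_jar()
    hardened = rebrand_jar(original, HARDENED_VALUES)
    return read_server_info(original), read_server_info(hardened)

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The read-back step is the part worth keeping: after `jar uf` on the real server, extracting ServerInfo.properties again (or simply starting Tomcat and checking the banner on an error page) confirms the change actually landed in the jar that is loaded.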
  29. Create a user account for the Tomcat service:
    mkdir /home/tomcat
    groupadd tomcat
    useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
    chown tomcat:tomcat /home/tomcat/
    passwd tomcat
    passwd -l tomcat
  30. Create the file /etc/init.d/tomcat using vi with the following content:
    #!/bin/sh
    #
    # Startup script for Tomcat
    #
    # JAVA_HOME is set inside the su -c command string so that it survives the
    # login-shell environment reset done by "su -". The command and its -security
    # argument are passed as one quoted string; otherwise su hands -security to the
    # shell as $0 instead of to startup.sh.
    TOMCAT_ENV='JAVA_HOME=/usr/jdk/jdk1.6.0_15; export JAVA_HOME'
    case "$1" in
    start)
        echo "Starting Tomcat"
        su - tomcat -c "$TOMCAT_ENV; /usr/apache/tomcat55/bin/startup.sh -security"
        ;;
    stop)
        echo "Stopping Tomcat"
        su - tomcat -c "$TOMCAT_ENV; /usr/apache/tomcat55/bin/shutdown.sh"
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
    esac
  31. Make the file /etc/init.d/tomcat executable:
    chmod u+x /etc/init.d/tomcat
  32. Create symbolic links for system-level startup and shutdown:
    ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
    ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
  33. Rebuild the shell's command hash table:
    rehash
  34. Change ownership of all server files to the tomcat user:
    chown -R tomcat:tomcat /var/apache/tomcat55/*
    chown -R tomcat:tomcat /usr/apache/tomcat55/*
