Hardening guide for Tomcat 5.5 on the Solaris 10 platform
Pre-installation notes
This guide describes how to install Sun JDK 1.6 build 15 and Tomcat 5.5 on Sun Solaris 10.
Installation phase
- Log in to the server using the root account.
- Make sure the folder /usr/jdk exists:
ls -ad /usr/jdk
- If the folder /usr/jdk does not exist, create it manually:
mkdir /usr/jdk
- Copy the JDK 1.6 installation scripts (32-bit and x64) into /usr/jdk.
- Move to the /usr/jdk folder:
cd /usr/jdk
- Change the permissions on the JDK 1.6 (32-bit) script:
chmod +x jdk-6u15-solaris-i586.sh
- Run the command below to install JDK 1.6 (32-bit):
./jdk-6u15-solaris-i586.sh
- Change the permissions on the JDK 1.6 (x64) script:
chmod +x jdk-6u15-solaris-x64.sh
- Run the command below to install JDK 1.6 (x64):
./jdk-6u15-solaris-x64.sh
- Delete the installation scripts, the source archive and the demo and sample folders:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
- Remove the existing link for Java:
rm /usr/bin/java
- Create a new link for Java (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
- Reload the links into memory:
rehash
- Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command below to install the Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
- Remove the following default folders:
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
- Copy the server.xml configuration file:
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
Note: The above command should be written as one line.
- Edit the file /var/apache/tomcat55/conf/server.xml using vi:
Uncomment the section below (the Valve with this className):
org.apache.catalina.valves.AccessLogValve
Replace the non-SSL HTTP/1.1 Connector (attribute names are case-sensitive):
From:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
To:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
- Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section before the closing "web-app" tag:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManager and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
- Edit the file /var/apache/tomcat55/conf/tomcat-users.xml using vi and add the following lines:
<role rolename="admin"/>
<role rolename="manager"/>
<user username="admin" password="adminpass" roles="admin,manager"/>
Note: Specify a complex password for the admin account (and document it).
- Edit the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml using vi:
Uncomment the section below (the Valve with this className):
org.apache.catalina.valves.RemoteAddrValve
Replace the value of its allow attribute:
From:
allow="127.0.0.1"
To:
allow="172.16.*.*"
Note: You may replace "172.16.*.*" with your internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
- Edit the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml using vi:
Inside the "Context" section, add the following line:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>
Note: You may replace "172.16.*.*" with your internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
- Move to the folder /usr/apache/tomcat55/server/lib:
cd /usr/apache/tomcat55/server/lib
- Extract the file ServerInfo.properties from catalina.jar:
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Edit the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties using vi.
Replace the string below from:
server.info=Apache Tomcat/5.5.26
To:
server.info=Secure Web server
Replace the string below from:
server.number=5.5.26.0
To:
server.number=1.0.0.0
- Move to the folder /usr/apache/tomcat55/server/lib:
cd /usr/apache/tomcat55/server/lib
- Update catalina.jar with the modified file:
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Remove the extracted folder below:
rm -r /usr/apache/tomcat55/server/lib/org
- Create a user account for the Tomcat service:
mkdir /home/tomcat
groupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/
passwd tomcat
passwd -l tomcat
- Create the file /etc/init.d/tomcat using vi, with the following content:
#!/bin/sh
#
# Startup script for Tomcat 5.5; runs the server as the unprivileged tomcat user
#
JAVA_HOME="/usr/jdk/jdk1.6.0_15"

case "$1" in
start)
    echo "Starting Tomcat"
    # "su -" gives tomcat a fresh login environment, so JAVA_HOME is exported
    # inside the command string; -security starts Tomcat under the Java security manager
    su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; /usr/apache/tomcat55/bin/startup.sh -security"
    ;;
stop)
    echo "Stopping Tomcat"
    su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; /usr/apache/tomcat55/bin/shutdown.sh"
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
- Change the permissions on the file /etc/init.d/tomcat:
chmod u+x /etc/init.d/tomcat
- Create symbolic links for system-level startup and shutdown:
ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
- Reload the links into memory:
rehash
- Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*
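A post-installation audit of the steps above, written here as an added example and not part of the original guide: it checks that the example webapps are gone, that the banner in the extracted ServerInfo.properties no longer names Tomcat, that admin.xml and manager.xml carry a RemoteAddrValve allow list, and that the placeholder password from the tomcat-users.xml step has been replaced. The function names and the constructed demo tree are assumptions; on the server, point the checks at the real paths (/var/apache/tomcat55/webapps, /var/apache/tomcat55/conf/Catalina/localhost/*.xml, /var/apache/tomcat55/conf/tomcat-users.xml).

```shell
#!/bin/sh
# Post-hardening audit for the Tomcat 5.5 layout used in this guide (added
# example, not part of the guide). Each check returns 0 when the hardening
# step is in place and 1 (with a FAIL line) otherwise.

# Default web applications and files the guide removes must be gone.
check_default_webapps() {          # $1 = webapps directory
    rc=0
    for app in tomcat-docs jsp-examples servlets-examples webdav balancer \
               ROOT/RELEASE-NOTES.txt; do
        if [ -e "$1/$app" ]; then echo "FAIL: $1/$app still present"; rc=1; fi
    done
    return $rc
}
# The banner in ServerInfo.properties must not reveal product or version.
check_server_info() {              # $1 = extracted ServerInfo.properties
    if grep -q '^server\.info=.*Apache Tomcat' "$1"; then
        echo "FAIL: server.info still identifies Apache Tomcat"; return 1
    fi
    if grep -q '^server\.number=5\.5\.' "$1"; then
        echo "FAIL: server.number still reveals the 5.5 release"; return 1
    fi
}
# admin.xml and manager.xml must carry a RemoteAddrValve allow list (a valve left inside <!-- --> is not detected).
check_remote_addr_valve() {        # $1 = context file
    if grep -q 'className="org.apache.catalina.valves.RemoteAddrValve"' "$1" &&
       grep -q 'allow="' "$1"; then return 0; fi
    echo "FAIL: no RemoteAddrValve allow list in $1"; return 1
}
# The placeholder password quoted in the guide must have been replaced.
check_users_file() {               # $1 = tomcat-users.xml
    if grep -q 'password="adminpass"' "$1"; then
        echo "FAIL: placeholder password 'adminpass' left in $1"; return 1
    fi
}
# Demo on a constructed tree (not a real server): one leftover example webapp
# is planted so the first check fails while the other three pass.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/webapps/ROOT" "$t/webapps/jsp-examples" "$t/conf"
    printf 'server.info=Secure Web server\nserver.number=1.0.0.0\n' > "$t/ServerInfo.properties"
    printf '<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>\n' > "$t/conf/manager.xml"
    printf '<user username="admin" password="CHANGED" roles="admin,manager"/>\n' > "$t/conf/tomcat-users.xml"
    check_default_webapps "$t/webapps" || echo "-> rerun the rm -r steps for webapps"
    check_server_info "$t/ServerInfo.properties" && echo "OK: banner"
    check_remote_addr_valve "$t/conf/manager.xml" && echo "OK: manager valve"
    check_users_file "$t/conf/tomcat-users.xml" && echo "OK: users file"
    rm -rf "$t"
}
demo
```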