Apache Tomcat is a web server and servlet container that is used to deliver Java applications. The Apache Software Foundation’s Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies. This article will walk you through the basic installation and configuration of the current release of Tomcat 9 on your Debian 9 server.
Before you begin, make sure your server has a non-root user with sudo capabilities set up.
To run any Java web application code, Tomcat requires Java to be installed on the server. We may meet that criterion by using apt to install OpenJDK.
First, you should update your apt package index:
Then, using apt, install the Java Development Kit package:
Now that Java has been installed, we can establish a tomcat user to execute the Tomcat service.
Tomcat should be operated as an unprivileged user for security reasons (i.e. not root). We’ll create a new user and group to manage the Tomcat service
To begin, create a new Tomcat group:
Create a new Tomcat user after that. We’ll add this user to the tomcat group, give it a home directory of /opt/tomcat (where we’ll install Tomcat), and a shell of /bin/false (so no one can log in):
Now that we’ve established our Tomcat user, let’s download and install Tomcat.
The best way to install Tomcat 9 is to obtain the most recent binary release and then manually configure it.
Next, navigate to your server’s /tmp directory. This is a nice place to save transitory stuff, such as the Tomcat tarball, that we won’t require after extracting the Tomcat contents:
To get the tarball, we’ll use the curl command-line tool. Install curl:
Curl should now be used to download the link you copied from the Tomcat website:
Tomcat will be installed in the /opt/tomcat directory. Create the directory, then use the following commands to extract the archive to it:
Following that, we can configure the appropriate user permissions for our installation.
The Tomcat user we created must have access to the Tomcat installation. We’ll take care of that right away.
Navigate to the location where we unpacked the Tomcat installation:
Give the tomcat group ownership of the full installation directory:
Next, grant the tomcat group read access to the conf directory and its contents, as well as execute access to the directory itself:
Let the webapps, work, temp, and logs directories belong to the tomcat user:
Now that we’ve set up the correct permissions, we can construct a systemd service file to administer the Tomcat process.
We want Tomcat to run as a service, thus we’ll create a systemd service file.
Tomcat need information about where Java is installed. This route is generally known as “JAVA HOME.” The simplest approach to find that location is to use the following command:
java-1.8.0-openjdk-amd64 1081 /usr/lib/jvm/java-1.8.0-openjdk-amd64
The last column’s result is your JAVA HOME (highlighted in red). Given the preceding example, the correct JAVA HOME for this server is:
/usr/lib/jvm/java-1.8.0-openjdk-amd64
Your JAVA HOME variable may differ.
We may create the systemd service file with this information. Open the tomcat.service file in the /etc/systemd/system directory by typing:
Copy and paste the following into your service file. If necessary, change the value of JAVA HOME to match the value found on your machine. You may also want to tweak the memory allocation options supplied in CATALINA OPTS:
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment=’CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC’
Environment=’JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom’
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target
Save and close the file when you’re finished.
Next, restart the systemd daemon so it is aware of our service file:
Start the Tomcat service by typing:
Check if it began without any issues by typing:
You should see something similar to this:
Output :
● tomcat.service – Apache Tomcat Web Application Container
Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2018-09-05 20:47:44 UTC; 3s ago
Process: 9037 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
Main PID: 9046 (java)
Tasks: 46 (limit: 4915)
CGroup: /system.slice/tomcat.service
└─9046 /usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Dja
Sep 05 20:47:44 tomcat systemd[1]: Starting Apache Tomcat Web Application Container…
Sep 05 20:47:44 tomcat systemd[1]: Started Apache Tomcat Web Application Container.
This ensures that Tomcat is operational on your server.
Now that the Tomcat service has been started, we can verify that the default page is accessible.
First, we must configure the firewall to allow our requests to reach the service. If you followed the prerequisites, you should now have a ufw firewall activated.
Tomcat accepts standard requests on port 8080. Type: to allow traffic to that port.
You can visit the default splash page after modifying the firewall by navigating to your domain or IP address followed by:8080 in a web browser:
http://server_domain_or_IP:8080
In addition to other information, you will see the default Tomcat splash screen. If you click on the URLs for the Manager App, for example, you will be denied access. That access can be configured next.
If you were successful in accessing Tomcat, now is the time to enable the service file so that Tomcat begins automatically at boot:
To use the Tomcat manager web app, we must first add a login to our Tomcat server. This will be accomplished by modifying the tomcat-users.xml file as follows:
You should add a user who has access to the manager-gui and admin-gui (web apps that come with Tomcat). You can do so by creating a user between the tomcat-users tags, as seen below. Change the username and password to something more secure:
<tomcat-users . . .>
<user username=”admin” password=”password” roles=”manager-gui,admin-gui”/>
</tomcat-users>
When you’re finished, save and close the file.
Newer versions of Tomcat, by default, limit access to the Manager and Host Manager apps to connections from the server. Because we are installing on a distant machine, you should remove or modify this limitation. Open the necessary context.xml files to adjust the IP address limitations on these.
Enter: for the Manager app
Type: Host Manager into the search bar.
Comment out the IP address restriction on the inside to allow connections from everywhere. Alternatively, if you want to restrict access to only connections from your own IP address, add your public IP address to the list:
<Context antiResourceLocking=”false” privileged=”true” >
<!–<Valve className=”org.apache.catalina.valves.RemoteAddrValve”
allow=”127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1″ />–>
</Context>
When you’re finished, save and close the files.
Restart the Tomcat service to apply our changes:
We may now access the web administration interface in a web browser after creating a user. Again, you can get to the relevant interface by typing your server’s domain name or IP address in your browser, followed by port 8080:
http://server_domain_or_IP:8080
The page you view should be the same as the one you saw when you tested earlier:
Let’s look at the Manager App, which may be accessed using the link or http://server domain or IP:8080/manager/html. You must input the account credentials that you specified in the tomcat-users.xml file. Following that, you should see something like this:
The Web Application Manager is used to manage your Java applications. You can Start, Stop, Reload, Deploy, and Undeploy here. You can also run some diagnostics on your apps (i.e. find memory leaks). Lastly, information about your server is available at the very bottom of this page.
Let’s look at the Host Manager, which may be accessed using the link or http://server domain or IP:8080/host-manager/html/:
You can add virtual hosts to serve your apps from the Virtual Host Manager page.
Your Tomcat installation is complete! You can now launch your own Java web applications!
Your Tomcat installation is now operational but unencrypted. This implies that all data, including sensitive information like passwords, is delivered in plain text, which can be intercepted and read by other internet users. It is strongly advised that you encrypt your connections with SSL to avoid this happening.