Versions Compared

Old Version 10

changes.mady.by.user Chris Welford

Saved on

compared with

New Version Current

changes.mady.by.user Gary Parden

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

Unix/ Linux installation: these instructions guide you to setting up tomcat to run as a service under the classic init mechanism on unix/ linux (System V) since this will be available on all platforms, but you should consider using Upstart, a more modern init mechanism that will be available on most modern unix/ linux distributions. Installation using upstart is widely covered on the web.

Further, at some versions of tomcat, on certain unix/ linux versions, a complete tomcat installation can be performed using a few simple package commands. Before you begin, a web search for tomcat installation at the desired version of tomcat, on the installed version of your unix/ linux distribution, may give you a much simpler installation method.

However you install tomcat, please note the settings that are needed under configuring tomcat

Download

The System Administrator should have set up a linked directory structure like [c:]/opt/tomcat. The details of this may differ between installations so from this point on, the “root” Tomcat tomcat directory will be referred to as $TOMCAT.

Download the appropriate version of Tomcat 8.0 from tomcat.apache.org and unpack (unzip/uncompress) into the $TOMCAT. (Refer to Compatibility Guide and Upgrade Planning for supported versions).

Installing on Unix / Linux

Tomcat login scripts

...

Install

Some instructions are given here for installing tomcat, and making it run as a service. You should ensure that any installation meets with your company standards.

Installing on windows

Run the tomcat installation program.

Installing on unix/ linux

Install the login scripts in tomcat login scripts into the tomcat user home directory. These scripts are correct as of Tomcat 8.0 but the PhixFlow consultant you should confirm that no changes are needed because of environment differences or because of different version of Tomcat.

Installing on Windows

Run the tomcat installation programversions of tomcat.

Anchor
configureTomcat
configureTomcat
Configure tomcat

context.xml: cache settings

The default Tomcat cache settings are insufficient for PhixFlow:

Add <Resources ... /> to at the end of the <Context/> block in context.xml so that the file looks something like this:

Code Block
languagexml
<Context>
    <!-- lines omitted -->
	<Resources cachingAllowed="true" cacheMaxSize="1000000" />
</Context>

Remember to enable this port in the server’s firewall (if enabled).

server.xml: Port Specification

...

(Optional)

By default, Tomcat will use ports 8080 for HTTP and 8443 for HTTPS.

If you need to use different ports, you can set them in $TOMCAT/conf/server.xml to specify the port that PhixFlow will use (usually 8081). Find the following lines and change as needed:. E.g.

Code Block
languagexml
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->

...

    <Connector


    <Connector
		port="8081"

...


		maxHttpHeaderSize="8192"

...

 ...

Remember to enable this port in the server’s firewall (if enabled).

...

Modify $TOMCAT/conf/web.xml to change the Tomcat session timeout period from its default value (30 mins). Find the following lines and change as needed:

Code Block
languagexml
<session-config>

...


	<session-

...

timeout>720</session-timeout>

...


</session-config>

Update <session-timeout> to the value you need, e.g. to 1440 720 (minutes i.e. 1 day12 hours).

Java and JVM Options

Download and install Java from java.com. Java JDK 1.8 is required (and version 1.8.0_74 or greater is recommended). The following JVM (Java Virtual Machine) options should be set to control (amongst other things) the amount of memory reserved for Tomcat and therefore made available for PhixFlow. The options are:

Option

Recommended Setting

Syntax

Initial Memory Pool

1024Mb on 32bit architecture. 40% of physical memory on x64 architecture. Consult your sys admin for recommended settings on virtual servers.

-Xms1024m

Max Memory Pool

As much as possible. 1024Mb on 32bit architecture. 75% of physical memory on x64 architecture. Consult your sys admin for recommended settings on virtual servers.

-Xmx1024m

Max PermGen Memory Pool

150Mb on 32bit. 1024Mb on x64.

-XX:MaxPermSize=150m

Garbage Collector Diagnostics

Enabled

-verbose:gc

...

Disable direct GUI access

Some JDBC (database) drivers generate warning messages direct to the screen if running under a GUI (graphical user interface).

These messages are confusing at best for a background service such as the PhixFlow web application server, and should be disabled.

This setting tells Java to behave as though there were no GUI present.

-Djava.awt.headless=true


To set JVM options:

Windows

  • Run the Tomcat Monitor
  • Open the Tomcat Monitor system tray Configure … menu
  • Select the Java tab
  • Set the Initial memory Pool (see table above)
  • Set the Max Memory Pool (see table above)
  • Add the following lines to the Java Options scrollable field:
Code Block
-
XX:MaxPermSize=150m
Xms1024m
-Xmx1024m
-verbose:gc

-Djava.awt.headless=true

Unix/Linux

If you have installed the scripts in

Appendix A

tomcat login scripts, these option will already be set however for clarity, these options are defined in the JAVA_OPTS environment variable set in the tomcat user’s shell startup file (e.g. .profile / .bash_profile / .cshrc in the user’s home directory – the actual startup file is determined by the user’s default shell settings).

Code Block
JAVA_OPTS=
'-Xms1024m -Xmx1024m -
XX:MaxPermSize=150m -
verbose:gc -Djava.awt.headless=
true’
true'

Database JDBC Drivers

The drivers needed to connect to PhixFlow’s own database are now included in within the release and do not have to be downloaded separatelypack and no action is needed.

Drivers used to connect to external databases may still have to be downloaded.

For information on using SQLServer with Integrated Authentication, see Appendix B SQLServer Integrated Authentication.

Start Tomcat

To start Tomcat:

Windows

Run the Tomcat Monitor.

Click on Right mouse menu -> Start Service

Unix

Login to the unix server as user tomcat.

Code Block
languagebash
unix> cd
 $TOMCAT
 $TOMCAT
unix> startup.sh

 

To make Tomcat start automatically when the server boots:

Make tomcat run as a service

Windows

  • Run the Tomcat Monitor.
  • Right click on the Apache Tomcat icon in the system tray and select Configure …
  • On the ‘General’ tab:
  • Set Startup Type to Automatic.

Unix/ Linux

As the root user, install the

...

tomcat script listed

...

in tomcat service scripts and create a

...

soft link to it from the appropriate run-level directory. The actual run-level directories are specific to the particular unix variant

...

You may wish to install tomcat to support secure connections over SSL.

This is described in the standard tomcat documentation - for example https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html - but some notes are given here to get you started.

Type of certificate

If access to PhixFlow is only intended for people in your organisation, you may wish to create a self-signed certificate. This still provides a secure connection, but this will generate security warnings when users first connect, and they will not see a padlock in the address bar of their browser. If this is not acceptable to your users or by your company policy, or if you are going to provide access to people outside your organisation, you should obtain your certificate from a certificate authority (CA).

A list of certificate authorities is given on https://en.wikipedia.org/wiki/Certificate_authority.

Info

Two example installations are given here: a self-signed certificate on ubuntu, and a self-signed certificate on windows. There are the two commonest platforms for PhixFlow, and the instructions are provided to help you set PhixFlow up quickly to operate securely over with HTTPS.

Please remember that these are examples only - your organisation may have standards that apply to certificate installation and use, you may need to use certificates from a certificate authority (CA). If you need to use certificates from a CA and there are no special standards in your organisation that apply to the installation process, you can review the example installations below, following special steps where indicated for CA certificates.

The examples use a Java tool called keytool, so you must have Java installed to follow these.

The examples are based on the tomcat documentation (https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html) - but note that there are alternative approaches. E.g. for ubuntu you can follow instructions for generating a self-signed certificate here: https://help.ubuntu.com/14.04/serverguide/certificates-and-security.html.

Overview

All installations process will contain the steps:

  1. Obtain a certificate - whether self-signed or from a certificate authority
  2. Create a keystore
  3. Tell tomcat where to find the keystore

Obtain certificate and create keystore

Using the Java tool keytool you can create a self-signed certificate and a keystore in one step.

 

Tip

 

 

Windows

Code Block
languagepowershell
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile

E.g.

Code Block
languagepowershell
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\keystore

Linux

Code Block
languagebash
 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile

E.g.

Code Block
languagebash
 $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/secure/keystore

To complete the command:

  • Enter a keystore password when prompted - keystorePasswd
  • Enter data about your company, contact name, etc - this information will be displayed when users access PhixFlow
  • Select the default option not to set a separate password for the private key; if you want to do this, consult the tomcat documentation for further details.

Edit the tomcat configuration file

Edit the tomcat configuration file $TOMCAT/conf/server.xml as follows.

  • Find the connector specification like:
Code Block
languagexml
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

and update it to:

Code Block
languagexml
 <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="pathToKeystoreFile" keystorePass="keystorePasswd"
               clientAuth="false" sslProtocol="TLS" />

E.g.

...

languagexml

...

.

...

  • Restart tomcat. PhixFlow will now be available at
Code Block
https://localhost:8443/phixflow

Remove standard HTTP access

Edit the tomcat configuration file $TOMCAT/conf/server.xml to comment out the standard connection.

  • Update the connection like:
Code Block
    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

to

Code Block
    <!--
         <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->