Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Info

Linux Installation

This page explains how to set up Tomcat to run as a service under systemd. This is widely avaiable across linux distributions.

You can, however, if you wish, run tomcat under the System V init mechanism, or upstart. If you wish to do this, consult the Tomcat documentation: https://tomcat.apache.org/



Panel
borderColor#7da054
titleColorwhite
titleBGColor#7da054
borderStylesolid
titleSections on this page

Table of Contents
indent12px
stylenone


Download Tomcat

The System Administrator should have set up a linked directory structure like [c:]/opt/tomcat. The details of this may differ between installations so from this point on, the “root”

...

tomcat directory will be referred to as $TOMCAT.

Download the appropriate version of Tomcat

...

from tomcat.apache.org and unpack (unzip/uncompress) into the $TOMCAT.

...

(Refer to System Requirements and Compatibility for supported versions).

Install Tomcat

Some instructions are given here for installing

...

Tomcat, and making it run as a service. You should ensure that any installation meets with your company standards.

Tomcat login scripts

Install the login scripts in tomcat login scripts into the tomcat user home directory. These scripts are correct as of Tomcat 8.0 but the PhixFlow consultant should confirm that no changes are needed because of environment differences or because of different version of Tomcat.

Installing on Windows

Run the tomcat installation program.

server.xml: Port Specification

...

Configure Tomcat
Anchor
configureTomcat
configureTomcat

Having completed the basic Tomcat installation, stop the Tomcat service then make the following changes:

conf/context.xml: Configure the Cache

The default Tomcat cache settings are insufficient for PhixFlow:

Edit $TOMCAT/conf/context.xml:

Add <Resources ... /> to at the end of the <Context/> block so that the file looks something like this:

Code Block
languagexml
<Context>
    <!-- lines omitted -->
	<Resources allowLinking="true" cachingAllowed="true" cacheMaxSize="1000000" />
</Context>


Info
titleWhy we recommend the cacheMaxSize

We recommend the cacheMaxSize="1000000" because Tomcat caches static files in memory so that it can respond faster. The cache has a max. size to stop it taking up too much memory. PhixFlow's static files (things like icons) are collectively too large to fit in the default cacheMaxSize, so we set it to a size that can accommodate all PhixFlow's static files.


conf/server.xml: Configure the Connector and add user to access messages


Info

We recommend setting maxPostSize="20971520". In technical terms, this is the maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. In practical terms, this is needed so that grids in applications in PhixFlow that hold a lot of data can be refreshed.

To configure the connector: 

  1. Edit $TOMCAT/conf/server.xml:
  2. Find the line starting <Connector port="8080".
  3. Edit the <Connector block:
    • to use the required port number (port="8080").
      Tomcat defaults to port 8080 for HTTP, but you may need to use a different port if you are running other web servers on the same host.
    • to enable compression (compression="on").
  4. After editing, the <Connector/> block should look like this:
Code Block
languagexml
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
          

...

 

...

redirectPort="

...

8443"

...


           maxPostSize="

...

20971520"
           compression="on"/>


Info
titleWhy we recommend compression

We recommend compression="on" because this reduces the amount of data passed between a client (the web browser on someone's computer). This setting should improve the performance of the PhixFlow front end, especially if users are going to access the front end over a slow connection.

Remember to enable this port in the server’s firewall (if enabled).

To add the user to the access messages:

  • Find the Access Log Value message pattern. This is usually near the bottom of the file and looks like:
Code Block
               pattern="%h %l %u %t "%r" %s %b" />
  • Add %{username}s to the pattern to add the user into access messages - make sure you include the "s" character after the curly brackets. (These log messages appear in the system log files localhost_access_log.<date>.txt; for futher details, see Server Log Files). The pattern should now appear as:
Code Block
               pattern="%h %l %u %t "%r" %{username}s %s %b" />

web.xml: Configure Session

...

Timeout and the Secure Flag on Cookies

Session timeout

The default session timeout period is 30 minutes. You can change this to a different period e.g. 12 hours (720 minutes) by doing the following:

  1. Edit $TOMCAT/conf/web.xml

...

  1. Find the line containing <session-timeout.
  2. Change the session timeout period from its default value (30 mins).

...

  1. Once changed, it should look something like this (this example shows a 12-hour timeout).
Code Block
languagexml
<session-config>
	<session-

...

timeout>720</session-timeout>
</session-config>

Update <session-timeout> to the value you need, e.g. to 1440 (minutes i.e. 1 day).

Java and JVM Options

Download and install Java from java.com. Java JDK 1.8 is required (and version 1.8.0_74 or greater is recommended). The following JVM (Java Virtual Machine) options should be set to control (amongst other things) the amount of memory reserved for Tomcat and therefore made available for PhixFlow. The options are:

...

Option

...

Recommended Setting

...

Syntax

...

Initial Memory Pool

...

1024Mb on 32bit architecture. 40% of physical memory on x64 architecture. Consult your sys admin for recommended settings on virtual servers.

...

-Xms1024m

...

Max Memory Pool

...

As much as possible. 1024Mb on 32bit architecture. 75% of physical memory on x64 architecture. Consult your sys admin for recommended settings on virtual servers.

...

-Xmx1024m

...

Max PermGen Memory Pool

...

150Mb on 32bit. 1024Mb on x64.

...

-XX:MaxPermSize=150m

...

Garbage Collector Diagnostics

...

Enabled

...

-verbose:gc

 

To set JVM options:

...

Windows

...

  • Run the Tomcat Monitor
  • Open the Tomcat Monitor system tray Configure … menu
  • Select the Java tab
  • Set the Initial memory Pool (see table above)
  • Set the Max Memory Pool (see table above)
  • Add the following lines to the Java Options scrollable field:
Code Block
-XX:MaxPermSize=150m
-verbose:gc
-Djava.awt.headless=true

...

Unix/Linux

...

If you have installed the scripts in tomcat login scripts, these option will already be set however for clarity, these options are defined in the JAVA_OPTS environment variable set in the tomcat user’s shell startup file (e.g. .profile / .bash_profile / .cshrc in the user’s home directory – the actual startup file is determined by the user’s default shell settings).

Code Block
JAVA_OPTS=’-Xms1024m -Xmx1024m -XX:MaxPermSize=150m -verbose:gc -Djava.awt.headless=true’

Database JDBC Drivers

The drivers needed to connect to PhixFlow’s own database are now included in the release and do not have to be downloaded separately.

Drivers used to connect to external databases may still have to be downloaded.

For information on using SQLServer with Integrated Authentication, see SQLServer Integrated Authentication.

Start Tomcat

To start Tomcat:

...

Windows

...

Run the Tomcat Monitor.

Click on Right mouse menu -> Start Service

...

Unix

...

Login to the unix server as user tomcat.

Code Block
languagebash
unix> cd $TOMCAT
unix> startup.sh

Make tomcat run as a service

Windows

  • Run the Tomcat Monitor.
  • Right click on the Apache Tomcat icon in the system tray and select Configure …
  • On the ‘General’ tab:
  • Set Startup Type to Automatic.

Unix/ Linux

Info

Note, in particular, that these instructions guide you to setting up tomcat to run as a service under the classic init mechanism on unix/ linux (System V) since this will be available on all platforms, but you should consider using Upstart, a more modern init mechanism that will be available on most modern unix/ linux distributions. Installation using upstart is widely covered on the web. Further, at some versions of tomcat, on certain unix/ linux distribution versions, tomcat can be installed with simply package commands - you can find these from a web search.

...

For secure connections (HTTPS)

Note

Only apply the settings in this section if you are going to set up a secure connection - that is, a connection that uses HTTPS.

If you are not doing this - that is, your connection will be over HTTP - use the configuration above.


Info

This also sets the HTTP only flag, another common hardening measure for web applications. In fact, this is set by default, but it can be useful to explicitly set this in your configuration for clarity, and to assist with any security audits you may wish to undertake.

If you are going to set up an encrypted connection to PhixFlow, i.e. access via HTTPS (see /wiki/spaces/INTRANET/pages/97734787), you may also want to set the secure flag on cookies. This is a further security measure that reduces the risk of the cookies that PhixFlow creates being maliciously used to gain unauthorised access, and is a commonly used setting for web applications (https://www.owasp.org/index.php/SecureFlag). To do this, add a <cookie-config> block to the <session-config> block in the web.xml file, as in the example below.


Code Block
<session-config>
    <session-timeout>720</session-timeout>
    <cookie-config>
       <http-only>true</http-only>
       <secure>true</secure> 
    </cookie-config>
</session-config>

Pre-installed Web Applications

Warning

We recommend that you remove all web applications that are provided as part of the Tomcat installation as they are not required for PhixFlow's normal operation and constitute potential security loopholes.

These are the pre-installed web apps, in more detail.

Supplied Web ApplicationDescription
ROOTThe ROOT web application presents a very low security risk but it does include the version of Tomcat that is being used. The ROOT web application should normally be removed from a publicly accessible Tomcat instance, not for security reasons, but so that a more appropriate default page is shown to users.
DocumentationThe documentation web application presents a very low security risk but it does identify the version of Tomcat that is being used. It should normally be removed from a publicly accessible Tomcat instance.
ExamplesThe examples web application should always be removed from any security sensitive installation.
ManagerThe Manager application allows the remote deployment of web applications and is frequently targeted by attackers due to the widespread use of weak passwords and publicly accessible Tomcat instances with the Manager application enabled.
Host ManagerThe Host Manager application allows the creation and management of virtual hosts - including the enabling of the Manager application for a virtual host.

Database JDBC Drivers

The drivers needed to connect to PhixFlow’s own database are included within the release pack and no action is needed.

If you want to connect, via a Datasource, to an external database, you can rely on the bundled drivers to connect to any database that is one of PhixFlow's supported technologies and versions for its own connection - see System Requirements and Compatibility. If the external database is not covered by these, you will need to install a JDBC driver to support these connections. These JDBC drivers are available from the database suppliers, and must be placed in:

Code Block
[tomcat home]/lib

For information on using SQLServer with Integrated Authentication, see MS SQL Server Integrated Authentication.