Download Tomcat
The System Administrator should have set up a linked directory structure like [c:]/opt/tomcat. The details of this may differ between installations so from this point on, the “root”
...
tomcat directory will be referred to as $TOMCAT.
Download the appropriate version of Tomcat
...
from tomcat.apache.org and unpack (unzip/uncompress) into the $TOMCAT
...
Installing on Unix / Linux
Tomcat login scripts
Install the login scripts in Appendix A into the tomcat user home directory. These scripts are correct as of Tomcat 8.0 but the PhixFlow consultant should confirm that no changes are needed because of environment differences or because of different version of Tomcat.
Installing on Windows
Run the tomcat installation program.
server.xml: Port Specification
Modify $TOMCAT/conf/server.xml to specify the port that PhixFlow will use (usually 8081). Find the following lines and change as needed:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector
port="8081"
...
Database JDBC Drivers
The drivers needed to connect to PhixFlow’s own database are now included in the release and do not have to be downloaded separately.
Drivers used to connect to external databases may still have to be downloaded.
For information on using SQLServer with Integrated Authentication, see Appendix B
Start Tomcat
To start Tomcat:
...
Windows
...
Run the Tomcat Monitor.
Click on Right mouse menu -> Start Service
...
Unix
...
Login to the unix server as user tomcat.
unix> cd $TOMCAT
unix> startup.sh
To make Tomcat start automatically when the server boots:
...
Windows
...
Run the Tomcat Monitor.
Right click on the Apache Tomcat icon in the system tray and select Configure …
On the ‘General’ tab:
Set Startup Type to Automatic.
...
Unix
...
As the root user, install the “tomcat” script listed in in Appendix A and create a softlink to it from the appropriate run-level directory. The actual run-level directories are specific to the particular unix variant.
...
You may wish to install tomcat to support secure connections over SSL.
This is described in the standard tomcat documentation - for example https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html - but some notes are given here to get you started.
Type of certificate
If access to PhixFlow is only intended for people in your organisation, you may wish to create a self-signed certificate. This still provides a secure connection, but this will generate security warnings when users first connect, and they will not see a padlock in the address bar of their browser. If this is not acceptable to your users or by your company policy, or if you are going to provide access to people outside your organisation, you should obtain your certificate from a certificate authority (CA).
A list of certificate authorities is given on https://en.wikipedia.org/wiki/Certificate_authority.
Info |
---|
Two example installations are given here: a self-signed certificate on ubuntu, and a self-signed certificate on windows. There are the two commonest platforms for PhixFlow, and the instructions are provided to help you set PhixFlow up quickly to operate securely over with HTTPS. Please remember that these are examples only - your organisation may have standards that apply to certificate installation and use, you may need to use certificates from a certificate authority (CA). If you need to use certificates from a CA and there are no special standards in your organisation that apply to the installation process, you can review the example installations below, following special steps where indicated for CA certificates. The examples use a Java tool called keytool, so you must have Java installed to follow these. The examples are based on the tomcat documentation (https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html) - but note that there are alternative approaches. E.g. for ubuntu you can follow instructions for generating a self-signed certificate here: https://help.ubuntu.com/14.04/serverguide/certificates-and-security.html. |
Overview
All installations process will contain the steps:
- Obtain a certificate - whether self-signed or from a certificate authority
- Create a keystore
- Tell tomcat where to find the keystore
Obtain certificate and create keystore
Using the Java tool keytool you can create a self-signed certificate and a keystore in one step.
U
Info |
---|
|
Tip |
---|
|
Windows
Code Block | ||
---|---|---|
| ||
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore <path to keystore file> |
E.g.
Code Block | ||
---|---|---|
| ||
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\keystore |
Linux
Code Block | ||
---|---|---|
| ||
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <path to keystore file> |
E.g.
Code Block | ||
---|---|---|
| ||
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/secure/keystore |
Enter a keystore password when prompted - <keystorePasswd>
Enter data about your company, contact name, etc - this information will be displayed when users access PhixFlow
Enter a private key password when prompted - <privateKeyPasswd>
Edit the tomcat configuration file
Code Block | ||
---|---|---|
| ||
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
--> |
Code Block |
---|
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
--> |
...
. (Refer to Compatibility Guide and Upgrade Planning for supported versions).
Install Tomcat
Some instructions are given here for installing Tomcat, and making it run as a service. You should ensure that any installation meets with your company standards.
- For Windows instructions, see Install Tomcat on Windows.
- For Unix/Linux instructions, see Install Tomcat on Linux.
Configure Tomcat
Anchor | ||||
---|---|---|---|---|
|
Having completed the basic Tomcat installation, stop the Tomcat service then make the following changes:
conf/context.xml: Configure the Cache
The default Tomcat cache settings are insufficient for PhixFlow:
Edit $TOMCAT/conf/context.xml:
Add <Resources ... /> to at the end of the <Context/> block so that the file looks something like this:
Code Block | ||
---|---|---|
| ||
<Context>
<!-- lines omitted -->
<Resources allowLinking="true" cachingAllowed="true" cacheMaxSize="1000000" />
</Context> |
Note | ||
---|---|---|
You do not need to read this note to complete the Tomcat configuration; these notes are provided for a reference of why we have recommended certain settings in the connection configuration. Cache Max Size
Tomcat caches static files in memory so that it can respond faster. The cache has a max. size to stop it taking up too much memory. PhixFlow's static files (things like icons) are collectively too large to fit in the default |
conf/server.xml: Configure the Connector
- Edit $TOMCAT/conf/server.xml:
- Find the line starting <Connector port="8080"
- Edit the <Connector block to
- Use the required port number (port="8080"). Tomcat defaults to port 8080 for HTTP, but you may need to use a different port if you are running other web servers on the same host.
- Enable compression (compression="on")
- After editing, the <Connector/> block should look like this:
Code Block | ||
---|---|---|
| ||
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
compression="on"/> |
Remember to enable this port in the server’s firewall (if enabled).
web.xml: Session timeout
Modify $TOMCAT/conf/web.xml to change the Tomcat session timeout period from its default value (30 mins). Find the following lines and change as needed:
<session-config>
<session-timeout>1440</session-timeout>
</session-config>
Update <session-timeout> to the value you need, e.g. to 1440 (minutes i.e. 1 day).
Java and JVM Options
Download and install Java from java.com. Java JDK 1.8 is required (and version 1.8.0_74 or greater is recommended). The following JVM (Java Virtual Machine) options should be set to control (amongst other things) the amount of memory reserved for Tomcat and therefore made available for PhixFlow. The options are:
Option | Recommended Setting | Syntax |
Initial Memory Pool | 1024Mb on 32bit architecture. 40% of physical memory on x64 architecture. Consult your sys admin for recommended settings on virtual servers. | -Xms1024m |
Max Memory Pool | As much as possible. 1024Mb on 32bit architecture. 75% of physical memory on x64 architecture. Consult your sys admin for recommended settings on virtual servers. | -Xmx1024m |
Max PermGen Memory Pool | 150Mb on 32bit. 1024Mb on x64. | -XX:MaxPermSize=150m |
Garbage Collector Diagnostics | Enabled | -verbose:gc |
To set JVM options:
...
Windows
...
Run the Tomcat Monitor
Open the Tomcat Monitor system tray Configure … menu
Select the Java tab
Set the Initial memory Pool (see table above)
Set the Max Memory Pool (see table above)
Add the following lines to the Java Options scrollable field:
-XX:MaxPermSize=150m
-verbose:gc
-Djava.awt.headless=true
...
Unix/Linux
...
If you have installed the scripts in Appendix A, these option will already be set however for clarity, these options are defined in the JAVA_OPTS environment variable set in the tomcat user’s shell startup file (e.g. .profile / .bash_profile / .cshrc in the user’s home directory – the actual startup file is determined by the user’s default shell settings).
JAVA_OPTS=’-Xms1024m -Xmx1024m -XX:MaxPermSize=150m -verbose:gc -Djava.awt.headless=true’
Note | ||
---|---|---|
You do not need to read this note to complete the Tomcat configuration; these notes are provided for a reference of why we have recommended certain settings in the connection configuration. Compression
Turning compression on reduces the amount of data passed between a client (i.e. a web browser on someone's computer), so this setting should improve the performance of the PhixFlow front end, especially if users are going to access the front end over a slow connection. |
web.xml: Configure Session Timeout and the Secure Flag on Cookies
Session timeout
The default session timeout period is 30 minutes. You can change this to a different period e.g. 12 hours (720 minutes) by doing the following:
- Edit $TOMCAT/conf/web.xml
- Find the line containing <session-timeout.
- Change the session timeout period from its default value (30 mins). Once changed, it should look something like this (this example shows a 12-hour timeout).
Code Block | ||
---|---|---|
| ||
<session-config>
<session-timeout>720</session-timeout>
</session-config> |
Secure flag on cookies
If you are going to set up an encypted connection to PhixFlow, i.e. access via HTTPS (see Configure Tomcat for HTTPS), you may also want to set the secure flag on cookies. This is a further security measure that reduces the risk of the cookies that PhixFlow creates being maliciously used to gain unauthorised access, and is a commonly used setting for web applications (https://www.owasp.org/index.php/SecureFlag). To do this, add a <cookie-config>
block to the <session-config>
block in the web.xml
file, as in the example below.
Note |
---|
This also sets the HTTP only flag, another common hardening measure for web applications. In fact, this is set by default, but it can be useful to explicitly set this in your configuration for clarity, and to assist with any security audits you may wish to undertake. |
Code Block |
---|
<session-config>
<session-timeout>720</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config> |
Pre-installed Web Applications
Warning |
---|
We recommend that you remove all web applications that are provided as part of the Tomcat installation as they are not required for PhixFlow's normal operation and constitute potential security loopholes. |
These are the pre-installed web apps, in more detail.
Supplied Web Application | Description |
---|---|
ROOT | The ROOT web application presents a very low security risk but it does include the version of Tomcat that is being used. The ROOT web application should normally be removed from a publicly accessible Tomcat instance, not for security reasons, but so that a more appropriate default page is shown to users. |
Documentation | The documentation web application presents a very low security risk but it does identify the version of Tomcat that is being used. It should normally be removed from a publicly accessible Tomcat instance. |
Examples | The examples web application should always be removed from any security sensitive installation. |
Manager | The Manager application allows the remote deployment of web applications and is frequently targeted by attackers due to the widespread use of weak passwords and publicly accessible Tomcat instances with the Manager application enabled. |
Host Manager | The Host Manager application allows the creation and management of virtual hosts - including the enabling of the Manager application for a virtual host. |
Database JDBC Drivers
The drivers needed to connect to PhixFlow’s own database are included within the release pack and no action is needed.
If you want to connect, via a Datasource, to an external database, you can rely on the bundled drivers to connect to any database that is one of PhixFlow's supported technologies and versions for its own connection - see Compatibility Guide and Upgrade Planning. If the external database is not covered by these, you will need to install a JDBC driver to support these connections. These JDBC drivers are available from the database suppliers, and must be placed in:
Code Block |
---|
[tomcat home]/lib |
For information on using SQLServer with Integrated Authentication, see SQLServer Integrated Authentication.