PhixFlow Help

Install Tomcat

Unix/Linux Installation

This page explains how to set up Tomcat to run as a service under the classic init mechanism on Unix/Linux (System V), as this is available on all platforms. However, you could use Upstart instead. Upstart is a more modern init mechanism that is available on most modern Unix/Linux distributions. Installation using Upstart is widely documented on the web.

For some versions of Tomcat on specific Unix/Linux distributions, you can use a few simple package commands to install Tomcat. Before you begin, search the web search for Tomcat installation instructions about the version of Tomcat you intend to install on your Unix/Linux version. You may find a much simpler installation method.

Whichever method you use to install Tomcat, remember to then configure it as described in Configuring Tomcat, below.

Sections on this page

Download Tomcat

The System Administrator should have set up a linked directory structure like [c:]/opt/tomcat. The details of this may differ between installations so from this point on, the “root” tomcat directory will be referred to as $TOMCAT.

Download the appropriate version of Tomcat from tomcat.apache.org and unpack (unzip/uncompress) into the $TOMCAT. (Refer to System Requirements and Compatibility for supported versions).

Install Tomcat

Some instructions are given here for installing Tomcat, and making it run as a service. You should ensure that any installation meets with your company standards.

Configure Tomcat

Having completed the basic Tomcat installation, stop the Tomcat service then make the following changes:

conf/context.xml: Configure the Cache

The default Tomcat cache settings are insufficient for PhixFlow:

Edit $TOMCAT/conf/context.xml:

Add <Resources ... /> to at the end of the <Context/> block so that the file looks something like this:

<Context>
    <!-- lines omitted -->
	<Resources allowLinking="true" cachingAllowed="true" cacheMaxSize="1000000" />
</Context>


You do not need to read this note to complete the Tomcat configuration; these notes are provided for a reference of why we have recommended certain settings in the connection configuration.

Cache Max Size

cacheMaxSize="1000000"

Tomcat caches static files in memory so that it can respond faster. The cache has a max. size to stop it taking up too much memory. PhixFlow's static files (things like icons) are collectively too large to fit in the default cacheMaxSize, so we set it to a size that can accommodate all PhixFlow's static files.

conf/server.xml: Configure the Connector and disable AJP connection

  1. Edit $TOMCAT/conf/server.xml:
  2. Find the line starting <Connector port="8080"
  3. Edit the <Connector block to
    • Use the required port number (port="8080"). Tomcat defaults to port 8080 for HTTP, but you may need to use a different port if you are running other web servers on the same host.
    • Enable compression (compression="on")
  4. After editing, the <Connector/> block should look like this:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           compression="on"/>

Remember to enable this port in the server’s firewall (if enabled).

You do not need to read this note to complete the Tomcat configuration; these notes are provided for a reference of why we have recommended certain settings in the connection configuration.

Compression

compression="on"

Turning compression on reduces the amount of data passed between a client (i.e. a web browser on someone's computer), so this setting should improve the performance of the PhixFlow front end, especially if users are going to access the front end over a slow connection.

To disable the AJP connection:

  1. Find the block
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

2. Update this to

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

Note: in versions after 8.5.50 of tomcat, this connection should be disabled by default.

web.xml: Configure Session Timeout and the Secure Flag on Cookies

Session timeout

The default session timeout period is 30 minutes. You can change this to a different period e.g. 12 hours (720 minutes) by doing the following:

  1. Edit $TOMCAT/conf/web.xml
  2. Find the line containing <session-timeout.
  3. Change the session timeout period from its default value (30 mins). Once changed, it should look something like this (this example shows a 12-hour timeout).
<session-config>
	<session-timeout>720</session-timeout>
</session-config>

Secure flag on cookies

If you are going to set up an encypted connection to PhixFlow, i.e. access via HTTPS (see Configure Tomcat for HTTPS), you may also want to set the secure flag on cookies. This is a further security measure that reduces the risk of the cookies that PhixFlow creates being maliciously used to gain unauthorised access, and is a commonly used setting for web applications (https://www.owasp.org/index.php/SecureFlag). To do this, add a <cookie-config> block to the <session-config> block in the web.xml file, as in the example below.

This also sets the HTTP only flag, another common hardening measure for web applications. In fact, this is set by default, but it can be useful to explicitly set this in your configuration for clarity, and to assist with any security audits you may wish to undertake.

<session-config>
    <session-timeout>720</session-timeout>
    <cookie-config>
       <http-only>true</http-only>
       <secure>true</secure> 
    </cookie-config>
</session-config>

Pre-installed Web Applications

We recommend that you remove all web applications that are provided as part of the Tomcat installation as they are not required for PhixFlow's normal operation and constitute potential security loopholes.

These are the pre-installed web apps, in more detail.

Supplied Web ApplicationDescription
ROOTThe ROOT web application presents a very low security risk but it does include the version of Tomcat that is being used. The ROOT web application should normally be removed from a publicly accessible Tomcat instance, not for security reasons, but so that a more appropriate default page is shown to users.
DocumentationThe documentation web application presents a very low security risk but it does identify the version of Tomcat that is being used. It should normally be removed from a publicly accessible Tomcat instance.
ExamplesThe examples web application should always be removed from any security sensitive installation.
ManagerThe Manager application allows the remote deployment of web applications and is frequently targeted by attackers due to the widespread use of weak passwords and publicly accessible Tomcat instances with the Manager application enabled.
Host ManagerThe Host Manager application allows the creation and management of virtual hosts - including the enabling of the Manager application for a virtual host.

Database JDBC Drivers

The drivers needed to connect to PhixFlow’s own database are included within the release pack and no action is needed.

If you want to connect, via a Datasource, to an external database, you can rely on the bundled drivers to connect to any database that is one of PhixFlow's supported technologies and versions for its own connection - see System Requirements and Compatibility. If the external database is not covered by these, you will need to install a JDBC driver to support these connections. These JDBC drivers are available from the database suppliers, and must be placed in:

[tomcat home]/lib

For information on using SQLServer with Integrated Authentication, see SQLServer Integrated Authentication.

Please let us know if we could improve this page feedback@phixflow.com