Chapter 2. New Features and Enhancements

2.1. Apache HTTP Server Separated from Tomcat

The Apache HTTP Server distribution is now shared between the JWS and JBoss Core Services (JBCS) entitlements. The shared distribution can be downloaded as a ZIP file from the Apache HTTP Server download page on the support portal. The RPM distribution of the Apache HTTP Server must be consumed from the JBCS channel, while the Tomcat servers will continue to be delivered in the JWS3 channel.

Installation instructions for the Apache HTTP Server are provided in the Apache HTTP Server Installation Guide. You should refer to that guide for instructions for ZIP and RPM setup on the set of supported operating systems.

Maintenance for the Apache HTTP Server and the Tomcat servers will no longer be coordinated in JWS minor and micro releases. The HTTP server and the Tomcat servers will receive independent updates, intended to provide more timely fixes for security issues and other high-priority defects.

2.2. Transition from httpd24 (JWS3 Channel) to jbcs-httpd24-httpd (JBCS Channel)

To install httpd with JWS 3.1.0, you need to subscribe to and enable the JBCS channel. The httpd package has moved from the JWS channel to the JBCS channel. If you are using httpd, migrate from the httpd24 package in JWS to the new jbcs-httpd24-httpd package in the JBCS software collection.

2.3. tomcat-native Dependencies Available in the JBCS Channel

The tomcat-native package requires the jbcs-httpd24-httpd-libs and jbcs-httpd24-openssl packages, which are available only in the JBCS channel. To access them, you have to subscribe to and enable the JBCS channel.

2.4. Tomcat

  • Inclusion of the latest available version of Tomcat 8.0.36.
  • Inclusion of the latest available version of Tomcat 7.0.70.
  • Replaced the existing init scripts for Tomcat 7 and Tomcat 8 with systemd units on Red Hat Enterprise Linux 7.

2.5. Using a Password Vault with Red Hat JBoss Web Server 3.1

A password vault is used to mask passwords and other sensitive strings and to store them in an encrypted Java keystore. This removes the need to store clear-text passwords in your Tomcat configuration files, because Tomcat can look up passwords and other sensitive strings from a keystore using the vault.

Note

For more information about using a password vault, see Using a Password Vault with Red Hat JBoss Web Server 3.1.

2.6. SELinux Policies in RHEL ZIP for Tomcat

In this release, SELinux policies are provided in the ZIP packages. The SELinux security model is enforced by the kernel and ensures that applications have limited access to resources such as file system locations and ports. This helps ensure that errant processes (either compromised or poorly configured) are restricted and, in some cases, prevented from running. The .postinstall.selinux file is included in each tomcat folder. If required, you can run the .postinstall.selinux script.

To install the SELinux policies using ZIP:

  1. Install the prerequisite packages:

    • selinux-policy-devel
    • Tomcat 7 or 8
  2. Download and unzip the JWS Tomcat distribution from the JWS channel.
  3. Execute the following commands:

    cd $JWS_HOME/tomcat7    # for Tomcat 8: cd $JWS_HOME/tomcat8
    sh .postinstall.selinux
    cd selinux
    make -f /usr/share/selinux/devel/Makefile
    semodule -i tomcat7.pp  # for Tomcat 8: semodule -i tomcat8.pp
    cd $JWS_HOME
  4. Start the Tomcat service.

    bin/startup.sh
  5. Check the context of the running process; the expected context is tomcat7_t.

    ps -eZf | grep tomcat | head -n1
  6. Verify the contexts of the Tomcat directories, such as the log directory.

    ls -lZ tomcat7/logs/

2.7. SELinux Policies in RHEL RPM for Tomcat

SELinux policies for each Tomcat are provided via their own Tomcat sub-packages: tomcat7-selinux and tomcat8-selinux. These packages are available in the JWS channel.

  • To enable SELinux policies on Tomcat 7, install the tomcat7-selinux package.
  • To enable SELinux policies on Tomcat 8, install the tomcat8-selinux package.

2.8. Hibernate

  • Upgraded to Hibernate version 4.2.23.

2.9. Microsoft Azure Testing and Certification

  • JBoss Web Server 3.1 has been tested and certified for Microsoft Azure.

2.10. Updated CGIServlet to Resolve httpoxy Issue

In this release, a CGIServlet fix is provided for the httpoxy issue (see CVE-2016-5388). The envHttpHeaders parameter is included in the CGIServlet to solve the httpoxy issue.

You can also configure the filter and valve to resolve the httpoxy issue. For more information about using the filter and valve, see HTTPoxy - Is my JBoss/tomcat affected?.
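The effect of the envHttpHeaders allowlist can be seen in a small model of how CGI turns request headers into HTTP_* environment variables. This is an added illustration in Python, not Tomcat's or Red Hat's code; the pattern is the default documented for Apache Tomcat's CGIServlet (an assumption here, since this page does not state it), and the function names and sample headers are constructed for the example.

```python
import re

# Assumption: default envHttpHeaders value from the Apache Tomcat CGI
# documentation. Header names are upper-cased before matching and the
# whole name must match the pattern.
DEFAULT_ENV_HTTP_HEADERS = (
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)


def cgi_env_from_headers(headers, env_http_headers=None):
    """Model of CGI header export (RFC 3875 HTTP_* meta-variables).

    env_http_headers=None models the unfiltered export that httpoxy relies
    on; a regex string models the allowlist applied by envHttpHeaders.
    """
    allow = re.compile(env_http_headers) if env_http_headers is not None else None
    env = {}
    for name, value in headers:
        upper = name.upper()
        if allow is not None and not allow.fullmatch(upper):
            continue  # header is not exported to the CGI process
        env["HTTP_" + upper.replace("-", "_")] = value
    return env


def dropped_headers(headers, env_http_headers):
    """Return the header names the allowlist keeps out of the environment."""
    allow = re.compile(env_http_headers)
    return [name for name, _ in headers if not allow.fullmatch(name.upper())]


# Constructed sample request headers (not from the original page).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/7.50.0"),
    ("Accept-Language", "en"),
    ("If-None-Match", '"abc"'),
    ("Proxy", "http://proxy.example.test:3128"),
]

if __name__ == "__main__":
    print("unfiltered:", sorted(cgi_env_from_headers(SAMPLE_HEADERS)))
    print("filtered:  ", sorted(cgi_env_from_headers(SAMPLE_HEADERS, DEFAULT_ENV_HTTP_HEADERS)))
    print("dropped:   ", dropped_headers(SAMPLE_HEADERS, DEFAULT_ENV_HTTP_HEADERS))
```

Without the allowlist, the client-supplied Proxy header becomes HTTP_PROXY, which many HTTP client libraries treat as the outbound proxy setting; with the allowlist it never reaches the CGI process environment.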