-
Language:
English
-
Language:
English
Red Hat Training
A Red Hat training course is available for Red Hat JBoss Web Server
Installation Guide
Install and Configure Red Hat JBoss Web Server 5.1
Abstract
Chapter 1. Introduction
1.1. About Red Hat JBoss Web Server
The JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It consists of:
- Apache Tomcat: a servlet container in accordance with the Java Servlet Specification. JBoss Web Server contains Apache Tomcat 9.
- The Apache Tomcat Native Library: a Tomcat library, which improves Tomcat scalability, performance, and integration with native server technologies.
- The tomcat-vault: an extension for the JBoss Web Server used for securely storing passwords and other sensitive information used by a JBoss Web Server.
- The mod_cluster library: a library that allows communication between Apache Tomcat and the Apache HTTP Server’s mod_proxy_cluster module. This allows the Apache HTTP Server to be used as a load balancer for JBoss Web Server. For information on the configuration of mod_cluster, or for information on the installation and configuration of the alternative load balancers mod_jk and mod_proxy, see the HTTP Connectors and Load Balancing Guide.
- If you need clustering or session replication support for Java applications, Red Hat recommends that you use Red Hat JBoss Enterprise Application Platform (JBoss EAP).
Component | Version |
---|---|
Apache Tomcat 9 | 9.0.7-20 |
Tomcat Vault | 1.1.7.Final-redhat-2 |
Tomcat Native | 1.2.17-28 |
mod_cluster | 1.4.0-9.Final-redhat-1 |
JBoss logging | 3.3.1-5.Final-redhat-1 |
This Installation Guide includes procedures for the installation, minor upgrade, and basic configuration of the Tomcat servers from JBoss Web Server on supported operating systems. Installation and configuration instructions for the Apache HTTP Server are covered in the JBoss Core Services Documentation.
1.2. Supported Operating Systems and Configurations
Operating System | Chipset Architecture | Java Virtual Machine |
---|---|---|
Red Hat Enterprise Linux 8 | x86_64 | OpenJDK 1.8, OpenJDK 11, OracleJDK 11 |
1.3. Installation Methods
JBoss Web Server can be installed on supported Red Hat Enterprise Linux, Microsoft Windows, and Solaris systems using ZIP installation files available for each platform. JBoss Web Server can also be installed on supported Red Hat Enterprise Linux systems using RPM packages.
For ZIP installations, below is a summary of the components that are included in the ZIP files which form the core part of a JBoss Web Server installation.
jws-application-server-5.1.0.zip
- Tomcat 9
- mod_cluster
- tomcat-vault
jws-application-server-5.1.0-<platform>-<architecture>.zip
- Platform-specific utilities
1.4. Component Documentation Bundle
JBoss Web Server includes an additional documentation bundle that includes the original vendor documentation for each component. This documentation bundle, jws-docs-5.1.0.zip
, is available at the Red Hat Customer Portal, and contains additional documentation for the following:
- tomcat
- tomcat-native
- tomcat-vault
Chapter 2. Migration From Base OS RHEL 7 Tomcat to JWS-5 Tomcat
For RHEL 8, Tomcat will be provided by the Red Hat JBoss Web Server team, where as previously it was provided by the Red Hat Enterprise Linux team. This section will cover the major differences between RHEL 7’s Tomcat package and the package provided by the JBoss Web Server project.
2.1. General Differences
-
The package directories are all located within the SCL directories, i.e.:
/opt/rh/jws5/root/usr/share/tomcat vs /usr/share/tomcat
-
The
jws5-tomcat-webapps
package doesn’t include the examples webapps, for security purposes -
The
jws5-tomcat-webapps
package drops its dependency onjakarta-taglibs-standard
which was needed by examples (not shipped). - The Tomcat version is Tomcat 9 instead of Tomcat 7. See the Tomcat Migration Guides for help migrating your Tomcat version.
-
The systemd service unit’s named changed from
tomcat
tojws5-tomcat
, but functions the same. -
The
jws5-tomcat
package increases the minor version of java required from version 7 to version 8. -
The
jws5-tomcat
package drops the previous dependencies onapache-commons-daemon
,apache-commons-logging
,apache-commons-collections
,apache-commons-pool
, andapache-commons-dbcp
. -
The
jws5-tomcat
package drops jsvc support. *Thejws5-tomcat
package drops the RHEL ECJ version requirement and replaces it with a requirement for thejws5-ecj
package (This is to get the minimum version required). -
The
jws5-tomcat
package includes a new packagejws5-tomcat-selinux
which is not installed by default. This means selinux is NOT enabled by default.
2.2. Build Dependencies
-
The
jws5-tomcat
package includes no patch files, it’s built from our own fork. -
The
jws5-tomcat
package drops several build time dependencies while adding a few build dependencies from JBCS (these only matter if customers want to rebuild the RPM, which isn’t supported).
2.3. JWS-5 Features Not Available In Tomcat 7 From RHEL 7
- Access to use Tomcat-Native
- Access to use Tomcat-Vault
- Access to JBCS httpd, which is utilized as a load balancer for Tomcat
- Access to use mod_cluster as a load balancer of httpd
- Access to JWS zips to use instead of the RPM distribution, allows for running multiple instances of Tomcat.
2.4. Using Tomcat 9 From JWS-5 on RHEL
Once you have the JWS/Runtimes SKU, then you can execute the commands given in the Managing JBoss Web Server on Red Hat Enterprise Linux section of this installation guide.
Chapter 3. Installing JBoss Web Server on Red Hat Enterprise Linux
You can install JBoss Web Server on Red Hat Enterprise Linux using one of two methods:
Regardless of which method you choose, you must first install a supported Java Development Kit (JDK).
3.1. Prerequisites
3.1.1. Installing a Java Development Kit (JDK)
Before installing JBoss Web Server, you must first install a supported Java Development Kit (JDK).
Full list of supported JDKs for Red Hat JBoss Web Server 5.1:
Operating System | Chipset Architecture | Java Virtual Machine |
---|---|---|
Red Hat Enterprise Linux 8 | x86_64 | OpenJDK 1.8, OpenJDK 11, OracleJDK 11 |
Installing a JDK using the YUM package manager
Subscribe your Red Hat Enterprise Linux system to the appropriate channel:
OpenJDK:
- rhel-8-server-rpms
As the root user, execute the command to install a 1.8 JDK:
# yum install java-1.8.0-openjdk-devel
Run the following commands as the root user to ensure the correct JDK is in use:
# alternatives --config java
# alternatives --config javac
These commands return lists of available JDK versions with the selected version marked with a plus (
+
) sign. If the selected JDK is not the desired one, change to the desired JDK as instructed in the shell prompt.ImportantAll software that use the
java
andjavac
commands uses the JDK set byalternatives
. Changing Java alternatives may impact on the running of other software.
Installing a JDK from a compressed archive (such as .zip or .tar)
If the JDK was downloaded from the vendor’s website (Oracle or OpenJDK), use the installation instructions provided by the vendor and set the JAVA_HOME
environment variable.
If the JDK has was installed from a compressed archive, set the JAVA_HOME
environment variable for Tomcat before running JBoss Web Server.
In the bin
directory of Tomcat (JWS_HOME/tomcat/bin
), create a file named setenv.sh
, and insert the JAVA_HOME
path definition.
For example:
$ cat JWS_HOME/tomcat/bin/setenv.sh
export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64
3.1.2. Red Hat Enterprise Linux Package Prerequisites
Before installing JBoss Web Server on Red Hat Enterprise Linux, ensure the following prerequisites are met.
- A supported JDK is installed.
- Additionally, RHEL-8 users needing to run JSSE+OpenSSL or APR, you will need to use Tomcat-Native for it to work properly. The file for Tomcat-Native can be found in the native zip directory. To install OpenSSL and APR, run the following commands:
# yum install openssl
# yum install apr
-
You must remove the
tomcatjss
package before installing thetomcat-native
package. Thetomcatjss
package uses an underlying NSS security model rather than the OpenSSL security model.
Removing the tomcatjss Package
As the root user, run the following command to remove
tomcatjss
:# yum remove tomcatjss
3.2. ZIP Installation
Ensure that all of the prerequisites are met before installing JBoss Web Server.
3.2.1. Downloading and Extracting JBoss Web Server
To install JBoss Web Server, download and extract the installation ZIP files.
- Open a browser and log in to the Red Hat Customer Portal.
- Click Downloads.
- Click Red Hat JBoss Web Server in the Product Downloads list.
- Select the correct JBoss Web Server version from the Version drop-down menu.
Click Download for each of the following files, ensuring that you select the correct platform and architecture for your system:
-
The Red Hat JBoss Web Server 5.1 Application Server (
jws-application-servers-5.1.0.zip
). -
The Red Hat JBoss Web Server 5.1 Native Components for RHEL (
jws-application-servers-5.1.0-<platform>-<architecture>.zip
).
-
The Red Hat JBoss Web Server 5.1 Application Server (
Unzip the downloaded ZIP files to your installation directory.
For example:
# unzip jws-application-server-5.1.0.zip -d /opt/ # unzip -o jws-application-server-5.1.0-<platform>-<architecture>.zip -d /opt/
The directory created by extracting the ZIP archives is the top-level directory for JBoss Web Server. This is referred to as JWS_HOME
.
3.2.2. Managing JBoss Web Server on Red Hat Enterprise Linux
There are two supported methods for running and managing Red Hat JBoss Web Server on Red Hat Enterprise Linux:
The recommended method for managing the JBoss Web Server is using a system daemon.
3.2.2.1. Managing JBoss Web Server using a system daemon for .zip installations on Red Hat Enterprise Linux
Using the JBoss Web Server with a system daemon provides a method of starting the JBoss Web Server services at system boot. The system daemon also provides start, stop and status check functions.
The default system daemon for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 7 is systemd and for Red Hat Enterprise Linux 6 the default is SysV.
To determine which system daemon is running, issue ps -p 1 -o comm=
.
For systemd:
$ ps -p 1 -o comm= systemd
For SysV:
$ ps -p 1 -o comm= init
3.2.2.1.1. Setting up and using the JBoss Web Server with SysV
Prerequisites
-
The
redhat-lsb-core
package. To install, run:yum install redhat-lsb-core
Setting up the JBoss Web Server for SysV
As the root user, execute the .postinstall.sysv
script:
# cd JWS_HOME/tomcat
# sh .postinstall.sysv
Controlling the JBoss Web Server with SysV
SysV commands can only be issued by the root user.
To enable the JBoss Web Server services to start at boot using SysV:
# chkconfig jws5-tomcat on
To start the JBoss Web Server using SysV:
# service jws5-tomcat start
To stop the JBoss Web Server using SysV:
# service jws5-tomcat stop
To verify the status of the JBoss Web Server using SysV (the
status
operation can be executed by any user):$ service jws5-tomcat status
For more information on using SysV, see: Red Hat Enterprise Linux 6 Deployment Guide: Running Services
3.2.2.1.2. Setting up and using the JBoss Web Server with systemd
Setting up the JBoss Web Server for systemd
As the root user, execute the .postinstall.systemd
script:
# cd JWS_HOME/tomcat
# sh .postinstall.systemd
Controlling the JBoss Web Server with systemd
Systemd commands can only be issued by the root user.
To enable the JBoss Web Server services to start at boot using systemd:
# systemctl enable jws5-tomcat.service
To start the JBoss Web Server using systemd:
# systemctl start jws5-tomcat.service
To stop the JBoss Web Server using systemd:
# systemctl stop jws5-tomcat.service
To verify the status of the JBoss Web Server using systemd (the
status
operation can be executed by any user):# systemctl status jws5-tomcat.service
For more information on using systemd, see: RHEL 7 System Administrator’s Guide: Managing System Services
There is currently no RHEL 8 System Administrator’s Guide available. This document will be updated to include it when it is made available.
3.2.2.2. Managing JBoss Web Server on a command line
3.2.2.2.1. Configuring the JBoss Web Server Installation
The following configuration steps are performed by the .postinstall.sysv
script and the .postinstall.systemd
script described in Managing JBoss Web Server using a system daemon for .zip installations on Red Hat Enterprise Linux
Some configuration is required before running JBoss Web Server. This section includes the following configuration procedures:
- Setting the JAVA_HOME Environment Variable.
- Creating the tomcat user for simple and secure user management: Creating a Tomcat User.
- Grant the tomcat user access to the JBoss Web Server by moving the ownership of tomcat directory to the tomcat user.
Setting the JAVA_HOME Environment Variable
You must set the JAVA_HOME
environment variable for Tomcat before running JBoss Web Server.
In the bin
directory of Tomcat (JWS_HOME/tomcat/bin
), create a file named setenv.sh
, and insert the JAVA_HOME
path definition.
For example: export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64
Creating a Tomcat User
Follow this procedure to create the tomcat
user and its parent group:
-
In a shell prompt as the root user, change directory to
JWS_HOME
. Run the following command to create the
tomcat
user group:# groupadd -g 53 -r tomcat
Run the following command to create the
tomcat
user in thetomcat
user group:# useradd -c "tomcat" -u 53 -g tomcat -s /bin/sh -r tomcat
Move the ownership of tomcat directory to the tomcat user
From
JWS_HOME
, run the following command to assign the ownership of the Tomcat directories to thetomcat
user to allow the user to run the Tomcat service:# chown -R tomcat:tomcat tomcat/
You can use
ls -l
to verify that thetomcat
user is the owner of the directory.Ensure that the
tomcat
user has execute permissions to all parent directories. For example:# chmod -R u+X tomcat/
3.2.2.2.2. Starting JBoss Web Server
Run the following command as the tomcat
user:
$ sh JWS_HOME/tomcat/bin/startup.sh
3.2.2.2.3. Stopping JBoss Web Server
To stop Tomcat, run the following command as the tomcat
user:
$ sh JWS_HOME/tomcat/bin/shutdown.sh
3.3. RPM Installation
Installing JBoss Web Server from RPM packages installs Tomcat as service, and installs its resources into absolute paths. The RPM installation option is available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8.
RPM installation packages for JBoss Web Server are available from Red Hat Subscription Management.
3.3.1. Installing JBoss Web Server from RPM packages
Before downloading and installing the RPM packages, you must register your system with Red Hat Subscription Management and subscribe to the respective Content Delivery Network (CDN) repositories.
For information on registering Red Hat Enterprise Linux, see:
Configuring the Subscription Service for Red Hat Enterprise Linux 6
OR
The Subscription Manager for Red Hat Enterprise Linux 7
OR
The Subscription Manager for Red Hat Enterprise Linux 8
Attaching subscriptions to Red Hat Enterprise Linux (if required)
If the system does not have a subscription attached that provides JBoss Web Server:
- Log in to the Red Hat Subscription Manager.
- Click on the Systems tab.
-
Click on the
Name
of the system to add the subscription to. -
Change from the Details tab to the Subscriptions tab, then click
Attach Subscriptions
. -
Select the check box beside the subscription to attach, then click
Attach Subscriptions
.
To verify that a subscription provides the required CDN repositories:
- Log in to: https://access.redhat.com/management/subscriptions.
-
Click the
Subscription Name
. Under Products Provided, you require:
- JBoss Enterprise Web Server.
- Red Hat JBoss Core Services.
Installing JBoss Web Server from RPM packages using YUM
On a command line, subscribe to the JBoss Web Server CDN repositories for your operating system version using
subscription-manager
:# subscription-manager repos --enable <repository>
For Red Hat Enterprise Linux 6:
- jws-5-for-rhel-6-server-rpms
- jb-coreservices-1-for-rhel-6-server-rpms
For Red Hat Enterprise Linux 7:
- jws-5-for-rhel-7-server-rpms
- jb-coreservices-1-for-rhel-7-server-rpms
Issue the following command as the root user to install JBoss Web Server:
# yum groupinstall jws5
Note- Although not recommended, instead of using the group install, you can install each of the packages and their dependencies individually.
- The Red Hat JBoss Core Services repositories above are required for the installation of JBoss Web Server.
3.3.2. Starting JBoss Web Server
In a shell prompt as the root user, start the Tomcat service.
For Red Hat Enterprise Linux 6:
# service jws5-tomcat start
For Red Hat Enterprise Linux 7:
# systemctl start jws5-tomcat.service
This is the only supported method of starting JBoss Web Server for an RPM installation.
To verify that Tomcat is running, the output of the service
status
command should be reviewed. This can be executed as any user.For Red Hat Enterprise Linux 6:
# service jws5-tomcat status
For Red Hat Enterprise Linux 7:
# systemctl status jws5-tomcat.service
For complete instructions on installing and configuring HTTPD on RHEL 8, please see this link
3.3.3. Stopping JBoss Web Server
In a shell prompt as the root user, stop the Tomcat service.
For Red Hat Enterprise Linux 6:
# service jws5-tomcat stop
For Red Hat Enterprise Linux 7:
# systemctl stop jws5-tomcat.service
To verify that Tomcat is no longer running, the output of the service
status
command should be reviewed. This can be executed as any user.For Red Hat Enterprise Linux 6:
# service jws5-tomcat status
For Red Hat Enterprise Linux 7:
# systemctl status jws5-tomcat.service
For complete instructions on installing and configuring HTTPD on RHEL 8, please see this link
3.3.4. Configuring JBoss Web Server Services to Start at Boot
Use the following commands to enable the JBoss Web Server services to start at boot.
For Red Hat Enterprise Linux 6:
# chkconfig jws5-tomcat on
For Red Hat Enterprise Linux 7:
# systemctl enable jws5-tomcat.service
3.4. SELinux Policies
3.4.1. SELinux Policy Information
The following table contains information about the SELinux policies provided in the jws5-tomcat-selinux packages.
Table 3.1. RPMs and Default SELinux Policies
Name | Port Information | Policy Information |
---|---|---|
jws5_tomcat |
Four ports in |
The jws5_tomcat policy is installed, which sets the appropriate SELinux domain for the process when Tomcat executes. It also sets the appropriate contexts to allow tomcat to write to |
For more information about using SELinux and other Red Hat Enterprise Linux security information, see the Red Hat Enterprise Linux Security Guide.
3.4.2. SELinux Policies for an RPM Installation
SELinux policies for JBoss Web Server are provided by the jws5-tomcat-selinux
package. These packages are available in the JWS channel.
To enable SELinux policies for JBoss Web Server 5.1, install the jws5-tomcat-selinux
package.
3.4.3. SELinux Policies for a ZIP Installation
In this release, SELinux policies are provided in the ZIP packages. The SELinux security model is enforced by the kernel and ensures applications have limited access to resources such as file system locations and ports. This helps ensure that the errant processes (either compromised or poorly configured) are restricted and in some cases prevented from running.
The .postinstall.selinux
file is included in the tomcat
folder of jws-application-server-5.1.0-<platform>-<architecture>.zip
. If required, you can run the .postinstall.selinux
script.
To install the SELinux policies using ZIP:
Install the
selinux-policy-devel
package:yum install -y selinux-policy-devel
Execute the
.postinstall.selinux
script:cd <JWS_home>/tomcat/ sh .postinstall.selinux
Make and install the SELinux module:
cd selinux make -f /usr/share/selinux/devel/Makefile semodule -i jws5-tomcat.pp
Apply the SELinux contexts for JBoss Web Server:
restorecon -r <JWS_home>/tomcat/
Add access permissions to the required ports for JBoss Web Server. The JBoss Web Server has access to ports
8080
,8009
,8443
and8005
on Red Hat Enterprise Linux 7 systems.When additional ports are required for JBoss Web Server, use the
semanage
command to provide the necessary permissions, replacing the port number with the port required:semanage port -a -t http_port_t -p tcp <port>
NoteThe JBoss Web Server on Red Hat Enterprise Linux 6 systems has access to the same ports as Red Hat Enterprise Linux 7 systems, with the exception of port
8005
. To grant the JBoss Web Server access to this port on a Red Hat Enterprise Linux 6 system, as the root user, issue:semanage port -a -t http_port_t -p tcp 8005
Start the Tomcat service:
<JWS_home>/tomcat/bin/startup.sh
Check the context of the running process expecting
jws5_tomcat
:ps -eo pid,user,label,args | grep jws5_tomcat | head -n1
To verify the contexts of the Tomcat directories, for example:
ls -lZ <JWS_home>/tomcat/logs/
By default, the SElinux policy provided is not active and the Tomcat processes run in the unconfined_java_t
domain. This domain does not confine the processes, and it is recommended that you undertake the following security precautions if you chose not to enable the SElinux policy provided:
-
Restrict file access for the
tomcat
user to only the files and directories that are necessary to the JBoss Web Server runtime. -
Do not run Tomcat as the
root
user.
Chapter 4. Using Jsvc to Start Tomcat
As JSVC is no longer supported from Tomcat on RHEL, this section no longer exists. It will be removed entirely in the next Service Pack.
Instead, please see using a system daemon and follow the instructions there.
Chapter 5. Hibernate on JBoss Web Server
Hibernate is an object-relational mapping framework. It is provided by the JBoss Web Server Maven Repository (jboss-web-server-5.1.0-maven-repository.zip
). This packaged version is used on all supported platforms.
Hibernate is used in the same way it is used for a regular Tomcat installation: the Hibernate JAR files are added into a deployment WAR file. Tomcat provides a default connection pooling mechanism, which is defined in context.xml
. However, persistence.xml
and web.xml
are also required. The example below shows a configuration with the Tomcat connection pooling mechanism.
/META-INF/context.xml
defines the connection pools Tomcat should create.context.xml
<Context> <Resource name="jdbc/DsWebAppDB" auth="Container" type="javax.sql.DataSource" username="sa" password="" driverClassName="org.h2.Driver" url="jdbc:h2:mem:target/test/db/h2/hibernate" maxActive="8" maxIdle="4"/> </Context>
/WEB-INF/classes/META-INF/persistence.xml
is a JPA configuration file. It defines how the application configures Hibernate to consume connections from the Tomcat pool. If you are using the Hibernate API directly, use a similar configuration to that shown inhibernate.cfg.xml
.persistence.xml
<persistence version="1.0" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd"> <persistence-unit name="dswebapp"> <provider>org.hibernate.ejb.HibernatePersistence</provider> <properties> <property name="hibernate.dialect" value="org.hibernate.dialect.H2Dialect" /> <property name="hibernate.connection.datasource" value="java:comp/env/jdbc/DsWebAppDB"/> </properties> </persistence-unit> </persistence>
/WEB-INF/web.xml
is a regular web application deployment file, which instructs Tomcat which datasource to consume. In the example below, the datasource isjdbc/DsWebAppDB
.web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <resource-env-ref> <resource-env-ref-name>jdbc/DsWebAppDB</resource-env-ref-name> <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type> </resource-env-ref> </web-app>
For details, see the Hibernate documentation for JBoss Web Server.
Chapter 6. Enabling HTTP/2 for the Red Hat JBoss Web Server
The Hypertext Transfer Protocols are standard methods of transmitting data between applications (such as servers and browsers) over the internet. HTTP/2 improves on HTTP/1.1 by providing enhancements such as:
- header compression - reducing the size of the header transmitted by omitting implied information, and
- multiple requests and responses over a single connection - using binary framing to break down response messages, as opposed to textual framing.
Using HTTP/2 with the Red Hat JBoss Web Server:
-
is supported for encrypted connections over TLS (
h2
). -
is not supported for unencrypted connections over TCP (
h2c
).
Prerequisites
- Root user access (Red Hat Enterprise Linux systems), or
- Red Hat JBoss Web Server 5.0 or higher
-
The following operating system native libraries (provided by
jws-application-server-5.1.0-<platform>-<architecture>.zip
where available).
RHEL-8 users needing to run JSSE+OpenSSL or APR, you will need to use Tomcat-Native for it to work properly. The file for Tomcat-Native can be found in the native zip directory. To install OpenSSL and APR, run the following commands:
# yum install openssl
# yum install apr
A connector that supports the HTTP/2 protocol with SSL enabled. For JBoss Web Server 5.1, the connectors with HTTP/2 protocol support are:
- The APR Native connector (APR)
- The NIO connector with JSSE + OpenSSL (JSSE)
- The NIO2 connector with JSSE + OpenSSL (JSSE)
Procedure
Enable HTTP/2 for a connector:
Add the HTTP/2 upgrade protocol (
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
) to the connector in the server configurationJWS_HOME/tomcat/conf/server.xml
.For example:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeystoreFile="/KeyStore.jks" certificateKeystorePassword="changeit" type="RSA" /> </SSLHostConfig> </Connector>
server.xml
contains an example connector definition for the APR protocol with the upgrade protocol to HTTP/2:<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" certificateFile="conf/localhost-rsa-cert.pem" certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA" /> </SSLHostConfig> </Connector>
Restart the Red Hat JBoss Web Server as the root user, to apply the changed configuration.
For SysV (Red Hat Enterprise Linux 6) users:
# service jws5-tomcat restart
For systemd (Red Hat Enterprise Linux 7) users:
# systemctl restart jws5-tomcat.service
For Red Hat Enterprise Linux users running Red Hat JBoss Web Server using
startup.sh
:# JWS_HOME/sbin/shudown.sh # JWS_HOME/sbin/startup.sh
For Solaris users:
# sh JWS_HOME/tomcat/bin/daemon.sh stop # sh JWS_HOME/tomcat/bin/daemon.sh start
For Windows Server users:
# net restart tomcat9
Next Steps
Verify that HTTP/2 is enabled by reviewing the Red Hat JBoss Web Server logs or by using the curl
command:
Check the console output log (
JWS_HOME/tomcat/logs/catalina.out
) to verify that the "connector has been configured to support negotiation to [h2]":$ cat JWS_HOME/tomcat/logs/catalina.out | grep 'h2' 06-Apr-2018 04:49:26.201 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8443"] connector has been configured to support negotiation to [h2] via ALPN
Or verify using
curl
(for versions ofcurl
that supportHTTP2
):NoteTo check
curl
for HTTP/2 support:$ curl -V curl 7.55.1 (x86_64-redhat-linux-gnu) ... Release-Date: 2017-08-14 Protocols: dict file ftp ftps gopher http https ... Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL
For example, when the HTTP/2 protocol is inactive:
$ curl -I http://<JBoss_Web_Server>:8080/ HTTP/1.1 200 ...
But if the HTTP/2 protocol is active,
curl
returns:$ curl -I https://<JBoss_Web_Server>:8443/ HTTP/2 200 ...
Where <JBoss_Web_Server> is the URI of the modified connector (such as
example.com
), and the port number is dependent on your configuration.
Additional Resources
- For additional information on using HTTP/2, see: Apache Tomcat 9 Configuration Reference: The HTTP Connector - HTTP/2 Support.
- For information on the HTTP/2 Upgrade Protocol and the supported attributes, see: Apache Tomcat 9 Configuration Reference: The HTTP2 Upgrade Protocol.
- The proposed internet standard for HTTP/2: IETF: RFC 7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)
Chapter 7. Using a Password Vault with Red Hat JBoss Web Server 5.1
7.1. Using a Password Vault with Red Hat JBoss Web Server 5.1
A password vault is used to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. This allows you to eliminate storing clear-text passwords in your Tomcat configuration files, as Tomcat can lookup passwords and other sensitive strings from a keystore using the vault.
Installing the JBoss Web Server password vault from .zip archive
The tomcat password vault is pre-installed by the jws-application-server-5.1.0.zip
file. The password vault can be used once configured and is located at: JWS_HOME/tomcat/lib/tomcat-vault.jar
.
Installing the JBoss Web Server password vault on Red Hat Enterprise Linux using the YUM package manager
Where the JBoss Web Server has been installed from RPMs on Red Hat Enterprise Linux, install the password vault as the root user by executing:
yum install jws5-tomcat-vault
The examples and commands below use JWS_HOME
as the JBoss Web Server installation directory. Replace JWS_HOME
with the path to your JBoss Web Server installation. Also, the paths below use /
for directory separators.
7.1.1. Enabling the Password Vault
- Stop Tomcat if it is running.
-
Edit
JWS_HOME/tomcat/conf/catalina.properties
, and add the following line:
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.vault.util.PropertySourceVault
7.1.2. Creating a Java Keystore
To use a password vault, you must first create a Java keystore. You can do this using the keytool -genseckey
command. For example:
$ keytool -genseckey -keystore JWS_HOME/tomcat/vault.keystore -alias my_vault -storetype jceks -keyalg AES -keysize 128 -storepass <vault_password> -keypass <vault_password> -validity 730
The values above are examples only. Replace them with values specific to your environment.
For an explanation of the parameters, use the keytool -genseckey -help
command.
7.1.3. Storing the tomcat-vault vault.properties
file outside of the JWS_HOME directory
The vault.properties
file for the tomcat-vault
can be stored outside of JWS_HOME/tomcat/conf/
in a CATALINA_BASE/conf/
directory (if set).
To set the CATALINA_BASE directory, follow the instructions in the section 'Advanced Configuration - Multiple Tomcat Instances' in the Running The Apache Tomcat 9.0 Servlet/JSP Container document found on the Apache Tomcat Website.
The default location for CATALINA_BASE is JWS_HOME/tomcat/
also known as CATALINA_HOME.
For more information on setting CATALINA_BASE, see:
7.1.4. Initializing the Password Vault
The vault must be initialized before it can be used to store sensitive strings. This is done using the JWS_HOME/tomcat/bin/tomcat-vault.sh
vault script. For Microsoft Windows, the script is tomcat-vault.bat
.
The script can be run interactively or non-interactively. Below is an example of an interactive execution of the script to initialize a password vault, with the values shown below using the example keystore from the previous step.
7.1.4.1. Initializing the Vault for Apache Tomcat interactively
The values below are examples only. Replace them with values appropriate for your environment.
# JWS_HOME/tomcat/bin/tomcat-vault.sh WARNING JBOSS_HOME may be pointing to a different installation - unpredictable results may occur. ========================================================================= JBoss Vault JBOSS_HOME: JWS_HOME/tomcat JAVA: java ========================================================================= ********************************** **** JBoss Vault *************** ********************************** Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit 0 Starting an interactive session Enter directory to store encrypted files: JWS_HOME/tomcat/ Enter Keystore URL: JWS_HOME/tomcat/vault.keystore Enter Keystore password: <vault_password> Enter Keystore password again: <vault_password> Values match Enter 8 character salt: 1234abcd Enter iteration count as a number (Eg: 44): 120 Enter Keystore Alias: my_vault Initializing Vault Jun 16, 2018 10:24:27 AM org.apache.tomcat.vault.security.vault.PicketBoxSecurityVault init INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready Vault Configuration in tomcat properties file: ******************************************** ... KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/ KEYSTORE_ALIAS=my_vault SALT=1234abcd ITERATION_COUNT=120 ENC_FILE_DIR=JWS_HOME/tomcat/ ... ******************************************** Vault is initialized and ready for use Handshake with Vault complete Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit 2
Note the output for the Tomcat properties file, as you will need this to configure Tomcat to use the vault.
Configuring Tomcat to Use the Password Vault
In JWS_HOME/tomcat/conf/
, create a file named vault.properties
containing the vault configuration produced when initializing the vault. The values provided below use the example vault initialized in the previous steps.
For KEYSTORE_PASSWORD
, you must use the masked value that was generated when initializing the vault.
KEYSTORE_URL=JWS_HOME/tomcat/vault.keystore KEYSTORE_PASSWORD=MASK-3CuP21KMHn7G6iH/A3YpM/ KEYSTORE_ALIAS=my_vault SALT=1234abcd ITERATION_COUNT=120 ENC_FILE_DIR=JWS_HOME/tomcat/
7.1.4.2. Initializing the Vault for Apache Tomcat non-interactively (silent setup)
The Vault for Apache Tomcat can be created non-interactively by providing the required input as arguments to the tomcat-vault.sh
script. The vault.properties
file is also created as output of the tomcat-vault.sh
script when the -g, --generate-config
option is used.
The values below are examples only. Replace them with values appropriate for your environment.
$ JWS_HOME/tomcat/bin/tomcat-vault.sh \ --keystore JWS_HOME/tomcat/vault.keystore \ --keystore-password <vault_password> \ --alias my_vault \ --enc-dir JWS_HOME/tomcat/ \ --iteration 120 \ --salt 1234abcd \ --generate-config JWS_HOME/tomcat/conf/vault.properties
7.1.5. Storing a Sensitive String in the Password Vault
The vault script used in the previous steps is also used to store sensitive strings in the password vault. The script can be run interactively or non-interactively.
When adding a string to a password vault, the sensitive string needs a name that it will be referred by. For a password vault, this name is called an attribute name
, and the password itself is called a secured attribute
.
The example below demonstrates using the vault script non-interactively to store a password. It uses the vault that was initialized in the previous steps, and stores the sensitive string P@SSW0#D
with the attribute name manager_password
.
$ JWS_HOME/tomcat/bin/tomcat-vault.sh --keystore JWS_HOME/tomcat/vault.keystore --keystore-password <vault_password> --alias my_vault --enc-dir JWS_HOME/tomcat/ --iteration 120 --salt 1234abcd --vault-block my_block --attribute manager_password --sec-attr P@SSW0#D
You can optionally specify a vault block to store the password in. If you don’t specify a block, one will be automatically created for you. In the above example, my_block is used.
7.1.6. Using a Stored Sensitive String in Your Tomcat Configuration
After storing a sensitive string in the password vault, you can refer to it in your configuration files by entering the stored string’s attribute as ${VAULT::block_name::attribute_name::}
.
For example, to use the password stored in the previous steps, replace:
<user username="manager" password="P@SSW0#D" roles="manager-gui"/>
with:
<user username="manager" password="${VAULT::my_block::manager_password::}" roles="manager-gui"/>
As a result, only a reference to the password is visible in the Tomcat configuration file, and the actual password is only stored in the password vault.
Appendix A. Java IPv4/IPv6 Properties
Configuring Java Properties
In Java there are 2 properties that are used to configure IPv4 and IPv6. These are java.net.preferIPv4Stack
and java.net.preferIPv6Addresses
.
java.net.preferIPv4Stack (default: false)
If IPv6 is available then the underlying native socket, by default, is an IPv6 socket. This socket lets applications connect and accept connections from IPv4 and IPv6 hosts. If application use only IPv4 sockets, then set this property to true
. However, it will not be possible for the application to communicate with IPv6 only hosts.
java.net.preferIPv6Addresses (default: false)
If a host has both IPv4 and IPv6 addresses, and IPv6 is available, then the default behavior is to use IPv4 addresses over IPv6. This allows backward compatibility. If applications that depend on an IPv4 address representation, for example: 192.168.1.1. Then, set this property to true
to change the preference and use IPv6 addresses over IPv4 where possible.
To pass these properties to Tomcat, set CATALINA_OPTS
in the JWS_HOME/tomcat/bin/setenv.*
file.
If the JWS_HOME/tomcat/bin/setenv.sh
or JWS_HOME/tomcat/bin/setenv.bat
file does not exist, then you need to create one.
On Linux:
export "CATALINA_OPTS=-Djava.net.preferIPv4Stack=YOUR_VALUE -Djava.net.preferIPv6Addresses=YOUR_VALUE"
On Windows:
set "CATALINA_OPTS=-Djava.net.preferIPv4Stack=YOUR_VALUE -Djava.net.preferIPv6Addresses=YOUR_VALUE"
Configuring Tomcat Bindings
The Tomcat bindings can be set in JWS_HOME/tomcat/conf/server.xml
with the IPv6 address:
Specify the Tomcat binding address:
<Server … address="TOMCAT_BINDING_ADDRESS">
Specify the HTTP connector address:
<Connector protocol="HTTP/1.1" … address="HTTP_CONNECTOR_ADDRESS">
Specify the AJP connector address:
<Connector protocol="AJP/1.3" … address="AJP_CONNECTOR_ADDRESS">