How to secure Tomcat in Red Hat JBoss Web Server and RHEL

Solution Verified - Updated -

Issue

  • We would like to disable the EAP and EWS admin consoles in production for security purposes and to ensure developers deploy via command-line. We'll simply use the JON server we have for JMX monitoring purposes. What directories can we safely remove to accomplish that without impacting normal app server operations on EAP and EWS?

  • On EWS, can we remove everything under webapps, including manager and host-manager, or does Tomcat need manager or host-manager for operations?

  • By default, the shutdown port will honour the shutdown request from all the connections made locally. Can we customize it so that it can listen only to a particular IP address?

Environment

  • Red Hat JBoss Web Server 5.x
  • Red Hat Enterprise Linux (RHEL) 7, 8, 9
  • Apache Tomcat 7, 8, 9
