How to secure Tomcat in Red Hat JBoss Web Server and RHEL
Issue
- We would like to disable the EAP and EWS admin consoles in production for security purposes and to ensure developers deploy via command-line. We'll simply use the JON server we have for JMX monitoring purposes. What directories can we safely remove to accomplish that without impacting normal app server operations on EAP and EWS?
- On EWS can we remove everything under webapps, including manager and host-manager or does Tomcat need manager or host-manager for operations?
- By default the shutdown port will honour the shutdown request from all the connections made locally. Can we customize it so that it can listen only to a particular IP address?
Environment
- Red Hat JBoss Web Server 5.x
- Red Hat Enterprise Linux (RHEL) 7, 8, 9
- Apache Tomcat 7, 8, 9