Difference between revisions of "SUNScholar/Prepare Ubuntu/S05/Ubuntu-14.04"


Revision as of 15:27, 25 May 2016


Step 5.1: Install Tomcat

Type the following:

sudo apt-get install tomcat7

Step 5.2: Allow Tomcat to listen on ports "80" and "443"

Step 5.2.1: Setup "authbind" for Tomcat

To enable Tomcat to listen on a privileged port below 100, we need to enable "authbind". Edit the /etc/default/tomcat7 file as follows:

sudo nano /etc/default/tomcat7

Remove the hash sign from in front of the authbind parameter and change authbind to yes, as follows:

# If you run Tomcat on port numbers that are all higher than 1023, then you
# do not need authbind.  It is used for binding Tomcat to lower port numbers.
# NOTE: authbind works only with IPv4.  Do not enable it when using IPv6.
# (yes/no, default: no)
AUTHBIND=yes

Save and exit the file.

Now we need to tell "authbind" that Tomcat is allowed to use lower port numbers. Type the following commands:

sudo touch /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 0755 /etc/authbind/byport/80
sudo chmod 0755 /etc/authbind/byport/443
sudo chown tomcat7:tomcat7 /etc/authbind/byport/80
sudo chown tomcat7:tomcat7 /etc/authbind/byport/443
cd /etc/authbind/byport
ls -l

Now Tomcat has permission to use ports 80 and 443. See below for an example listing of the files in the /etc/authbind/byport folder.

dspace@dspace:/etc/authbind/byport# ls -l
total 0
-rwxr-xr-x 1 tomcat7 tomcat7 0 2011-06-10 18:33 443
-rwxr-xr-x 1 tomcat7 tomcat7 0 2011-06-10 18:33 80
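
An added example (not part of the original page): a small audit of the byport files created above. authbind authorises a bind when the calling user may execute the port file, so the check flags files whose group or other execute bits let accounts other than the owner bind the port. The function names and verdict strings are chosen for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original page.
# authbind permits bind() on a port when the calling user has execute
# access (access(2)) to <dir>/<port>. Owner-only execute (e.g. mode 0500)
# limits that to the owner; 0755 lets every local account bind the port.

# check_byport DIR OWNER PORT
# Prints one verdict: missing | wrong-owner | not-executable | too-open | ok
# Returns 0 only for "ok".
check_byport() {
    dir=$1; owner=$2; port=$3
    f="$dir/$port"
    [ -e "$f" ] || { echo "missing"; return 1; }
    file_owner=$(stat -c %U "$f")      # GNU stat: owner name
    mode=$(stat -c %a "$f")            # GNU stat: octal mode, e.g. 755
    m=$((0$mode))                      # leading 0 => parsed as octal
    if [ "$file_owner" != "$owner" ]; then
        echo "wrong-owner"; return 1
    fi
    if [ $((m & 0100)) -eq 0 ]; then   # owner lacks x: Tomcat cannot bind
        echo "not-executable"; return 1
    fi
    if [ $((m & 0011)) -ne 0 ]; then   # group/other x: others can bind too
        echo "too-open"; return 1
    fi
    echo "ok"
}

# audit_authbind DIR OWNER PORT...
# Prints one line per port; the return status is the number of failures.
audit_authbind() {
    dir=$1; owner=$2; shift 2
    bad=0
    for p in "$@"; do
        v=$(check_byport "$dir" "$owner" "$p") || bad=$((bad + 1))
        echo "port $p: $v"
    done
    return "$bad"
}

# Usage on the server described on this page:
#   audit_authbind /etc/authbind/byport tomcat7 80 443
```

With the 0755 mode used above, both ports report "too-open"; after `chmod 0500` on the two files they report "ok" while Tomcat can still bind.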

Step 5.2.2: Setup Tomcat to listen on insecure port 80

Now we tell the Tomcat server to listen on the "authbind" ports. Edit the following file.

sudo nano /etc/tomcat7/server.xml

Find the connector for port 8080 and change it to port 80.

See example below.

    <Connector port="80" protocol="HTTP/1.1" 
               redirectPort="443" />

If enabled, comment out the AJP 1.3 connector. It is not needed.

Save and exit the file.

Step 5.2.3: Setup Tomcat to listen on secure port 443

Please go to: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Secure_Internet_Connections later, after installation, to do the secure port 443 setup.

For now, and for testing, it is OK to use only port 80 for Tomcat connections.

Step 5.3: Setup Tomcat admin users

Type as follows:

sudo nano /etc/tomcat7/tomcat-users.xml

Delete all the contents of the file and add the following admin and manager roles with a password. Replace XXXX with your password!

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-jmx"/>
  <user username="dspace" password="XXXX" roles="manager-gui,manager-jmx"/>
</tomcat-users>

Save and exit the file.

Step 5.4 Java environment settings for Tomcat webapp server

To set up the environment variables for Tomcat Java web applications, type the following:

sudo nano /etc/default/tomcat7

Check the following for comparison:

# You may pass JVM startup parameters to Java here. If unset, the default
# options (-Djava.awt.headless=true -Xmx128m) will be used.
#JAVA_OPTS="-Djava.awt.headless=true -Xmx128m"
JAVA_OPTS="-Djava.awt.headless=true -Xms1024m -Xmx2048m -XX:MaxPermSize=1024m"

Java environment settings used for SUNScholar

Your settings will depend on how much RAM you have available to assign to the Tomcat server. See graph below as well.

JAVA_OPTS="-Djava.awt.headless=true -Xmx8192m -Xms4096m -XX:PermSize=4096m -XX:MaxPermSize=8192m -Dfile.encoding=UTF-8 -XX:+UseConcMarkSweepGC"

Graph of RAM memory usage on SUNScholar.


Step 5.5 Setup Tomcat server permissions

Please see: http://stackoverflow.com/questions/2645298/how-to-sanely-configure-security-policy-in-tomcat-6 and https://www.mulesoft.com/tcat/tomcat-security

Type the following:

sudo nano /etc/default/tomcat7

Change "TOMCAT7_SECURITY" to yes.

# Use the Java security manager? (yes/no, default: no)
TOMCAT7_SECURITY=yes

Create DSpace security policy

sudo nano /etc/tomcat7/policy.d/05dspace.policy

Copy and paste the following:

grant codeBase "file:/home/dspace/-" {
  permission java.security.AllPermission;
};
// /tmp is world-writable: this grant gives full permissions to any code loaded from it.
grant codeBase "file:/tmp/-" {
  permission java.security.AllPermission;
};

Update file permissions for the policy

sudo chown root:tomcat7 /etc/tomcat7/policy.d/05dspace.policy

Finally restart Tomcat

sudo service tomcat7 restart

Step 5.6: Setup user permissions

sudo adduser tomcat7 dspace
sudo adduser dspace tomcat7

Step 5.7: Restart the Tomcat server

Now restart the tomcat server as follows:

sudo service tomcat7 restart

Step 5.8: Post Tomcat installation checks

Now let's check whether all went well:

sudo netstat -tapn | grep java

Tomcat should be listening on port 80 now:

dspace@dspace:~# sudo netstat -tapn | grep java
tcp6       0      0          :::*                    LISTEN      11093/java      
tcp6       0      0 :::80                   :::*                    LISTEN      11093/java      

That's it, now you have a working Java webapp server.

Step 5.9: Troubleshooting

  • Check optimisations done for Tomcat in the link below
  • Please remember that only ONE server at a time may listen on any TCP/UDP port on your server.
  • A reboot of the server may be needed to get Tomcat working on ports 80 and 443 correctly.
  • Later on during the actual DSpace installation, you will have to select a "root" webapp so that you have a clean URL. See link below.