centos tomcat

Apache Tomcat is an open source implementation of Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. It is one of the most widely used application and web servers in the world today. Tomcat is easy to use and has a robust ecosystem.

This tutorial describes how to install Tomcat 9.0 on CentOS 8.

Install Java

Tomcat 9 requires Java SE 8 or higher. We will install OpenJDK 11 , which is an open source implementation of the Java platform.

Run the following command as root or as a user with sudo privileges to install Java.

1
sudo dnf install java-11-openjdk-devel

After the installation is complete, verify by checking the Java version.

1
java -version

The output should look like the following.

1
2
3
openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

Create a system user

Running Tomcat under the root user is a security risk. We will create a new system user and group it with the home directory /opt/tomcat where the Tomcat service will be run. To do this, enter the following command.

1
sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Download Tomcat

The Tomcat binary distribution can be downloaded from the Tomcat download page. At the time of writing, the latest version of Tomcat is 9.0.30. Before proceeding further, check the Tomcat 9 download page to see if a newer version is available.

Use wget to download the Tomcat zip file to the /tmp directory.

1
VERSION=9.0.30

Once the download is complete, extract the tar file to the /opt/tomcat directory.

1
sudo tar -xf /tmp/apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/

Tomcat is updated periodically. To better control versioning and updates, we will create a symbolic link named latest that points to the Tomcat installation directory.

1
sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest

The previously created system user must have access to the tomcat installation directory. Change the directory ownership to user and group tomcat.

1
sudo chown -R tomcat: /opt/tomcat

Makes shell scripts in the bin directory executable.

1
sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'

These scripts are used to start and stop Tomcat.

Create the Systemd Unit unit file

Instead of manually starting and stopping the Tomcat server, we set it to run as a service. Open your text editor and create a tomcat.service Systemd Unit file in the /etc/systemd/system/ directory.

1
sudo nano /etc/systemd/system/tomcat.service

Paste the following.

/etc/systemd/system/tomcat.service

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Save and close the file.

Notify systemd of the existence of a new service file by typing the following.

1
sudo systemctl daemon-reload

Enable and start the Tomcat service.

1
sudo systemctl enable --now tomcat

Check service status.

1
sudo systemctl status tomcat

The output should show that the Tomcat server is enabled and running.

1
2
3
4
5
‚óŹ tomcat.service - Tomcat 9 servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-15 20:38:07 UTC; 30s ago
  Process: 3957 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
  ...

Configure firewall

If your server is protected by a firewall and you want to access the tomcat interface from outside your local network, you need to open port 8080.

Open the required port using the following command.

1
sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp

Typically, a reverse proxy should be used when running Tomcat in a production environment. Best practice is to only allow access to port 8080 from the internal network.

Configuring the Tomcat Web Management Interface

At this point, you should be able to access Tomcat on port 8080 using a web browser. Since we have not created users yet, we cannot access the web administration interface.

Tomcat users and roles are defined in the tomcat-users.xml file.

If you open the file, you will notice that it is full of comments and examples describing how to configure the file.

1
sudo nano /opt/tomcat/latest/conf/tomcat-users.xml

To create new users that can access the tomcat web interface (manager-gui and admin-gui), edit the file as follows. Ensure that the username and password are changed to a more secure way.

/opt/tomcat/latest/conf/tomcat-users.xml

1
2
3
4
5
6
7
8
<tomcat-users>
<!--
    Comments
-->
   <role rolename="admin-gui"/>
   <role rolename="manager-gui"/>
   <user username="admin" password="admin_password" roles="admin-gui,manager-gui"/>
</tomcat-users>

By default, the Tomcat Web Management Interface is configured to allow access from the local host only.

If you need to access the web interface from anywhere, open the following file and comment out the lines.

/opt/tomcat/latest/webapps/manager/META-INF/context.xml

1
2
3
4
5
6
<Context antiResourceLocking="false" privileged="true" >
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>

/opt/tomcat/latest/webapps/host-manager/META-INF/context.xml

1
2
3
4
5
6
<Context antiResourceLocking="false" privileged="true" >
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>

Please note that it is not recommended to allow access from anywhere, as this poses a security risk.

If you only want to access the web interface from a specific IP, instead of commenting these blocks, add your public IP to the list.

Suppose your public IP is 41.41.41.41 and you only want to allow access from that IP.

/opt/tomcat/latest/webapps/manager/META-INF/context.xml

1
2
3
4
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|41.41.41.41" />
</Context>

/opt/tomcat/latest/webapps/host-manager/META-INF/context.xml

1
2
3
4
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|41.41.41.41" />
</Context>

The list of allowed IP addresses is a list separated by vertical lines |. You can add individual IP addresses or use regular expressions.

When finished, restart the Tomcat service for the changes to take effect.

1
sudo systemctl restart tomcat

Test if the installation is successful

Open your browser and type: http://<your_domain_or_IP_address>:8080

The Tomcat Web Application Manager dashboard allows you to deploy, undeploy, start, stop and reload applications. It can be found at the following location: http://<your_domain_or_IP_address>:8080/manager/html .

The Tomcat Virtual Host Manager dashboard allows you to create, delete and manage Tomcat virtual hosts. It can be found at the following location: http://<your_domain_or_IP_address>:8080/host-manager/html .

Conclusion

We have shown you how to install Tomcat 9.0 on CentOS 8 and how to access the Tomcat administration interface. For more information about Apache Tomcat, please visit the official documentation page.