After setting up Tomcat with Apache Web Server in Linux, you might want to transfer the SSL certificate from the Apache Tomcat server to the Apache Web Server.
- Convert the Tomcat SSL certificate (JKS keystore) to an Apache Web Server SSL certificate (PEM files):
- keytool -importkeystore -srckeystore [tomcat key file] -destkeystore [new p12 key file] -srcstoretype jks -deststoretype pkcs12
- openssl pkcs12 -in [new p12 key file] -out [new pem file]
- openssl x509 -text -in [new pem file]
- (the command above prints the decoded certificate followed by the PEM block; copy the portion from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a new certificate file)
- [Optional] Strip the passphrase from the private key so httpd can start without prompting for a password
- openssl rsa -in [new pem file] -out [no password pem file]
- openssl x509 -text -in [no password pem file]
- (same as above: copy the certificate portion into a new certificate file)
- Edit httpd.conf:
- uncomment “Include conf/extra/httpd-ssl.conf”
- enable mod_ssl (uncomment its LoadModule line)
- enable mod_socache_shmcb (uncomment its LoadModule line; mod_ssl's session cache depends on it)
- Edit httpd-ssl.conf:
- SSLCertificateFile [certificate file location]
- SSLCertificateKeyFile [pem file location]
- add JkMount /[SSL web app path] balancer
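The conversion steps above copy the certificate out of `openssl x509 -text` by hand. As an added example (not from the original post), the script below splits the PKCS#12 file that `keytool -importkeystore ... -deststoretype pkcs12` produced into the two files httpd-ssl.conf expects and then checks that the key really belongs to the certificate, which is the check to run before restarting httpd. It assumes only the openssl CLI; the file names, the alias `tomcat` and the password `changeit` are illustrative, and the PKCS#12 input is a constructed self-signed pair standing in for the keytool output.

```shell
#!/bin/sh
# Added example, not part of the original post. Splits the PKCS#12 file that
# "keytool -importkeystore ... -deststoretype pkcs12" produced into the two
# files httpd-ssl.conf expects, without copying text out of "openssl x509 -text"
# by hand, then checks that the key really belongs to the certificate.
# Assumes only the openssl CLI; file and alias names are illustrative.

# $1 = p12 file, $2 = its password, $3 = output directory
p12_to_pem() {
    p12="$1"; pw="$2"; out="$3"
    mkdir -p "$out" || return 1
    # -clcerts -nokeys: end-entity certificate only (no CA certs, no key)
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
        -out "$out/cert.pem" || return 1
    # -nocerts -nodes: private key only, written without a passphrase; this is
    # the "openssl rsa" step of the post. Keep the file readable by root only.
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
        -out "$out/key.pem" || return 1
    chmod 600 "$out/key.pem"
}

# Succeeds only if the certificate's public key equals the one derived from
# the private key; a mismatch is what httpd reports as "key values mismatch".
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed input standing in for the keytool output: a throwaway
# self-signed pair packed into PKCS#12 under the alias "tomcat".
make_sample_p12() {
    d="$1"; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/src-key.pem" -out "$d/src-cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/src-key.pem" -in "$d/src-cert.pem" \
        -name tomcat -passout pass:changeit -out "$d/tomcat.p12"
}

WORK=$(mktemp -d)
make_sample_p12 "$WORK" && p12_to_pem "$WORK/tomcat.p12" changeit "$WORK/pem"
if cert_matches_key "$WORK/pem/cert.pem" "$WORK/pem/key.pem"; then
    echo "SSLCertificateFile    $WORK/pem/cert.pem"
    echo "SSLCertificateKeyFile $WORK/pem/key.pem"
fi
# A key from an unrelated pair must be rejected.
openssl genrsa -out "$WORK/other-key.pem" 2048 2>/dev/null
cert_matches_key "$WORK/pem/cert.pem" "$WORK/other-key.pem" \
    && echo "BUG: foreign key accepted" || echo "foreign key rejected"
```

Point `p12_to_pem` at the real PKCS#12 file and password from the keytool step; the two paths it prints are the values for SSLCertificateFile and SSLCertificateKeyFile.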
The tutorial below shows how to set up Apache Tomcat as the back end and Apache Web Server as the front end on your web server. This way users can run both PHP and JSP on one server without setting up different ports, and you also get the benefit of Apache Web Server modules such as ModSecurity. All the installation files mentioned below are in source code form, but you may also install them with your Linux distribution's package manager.
(This tutorial assumes Tomcat is already installed on the server, located at /apache-tomcat.)
- First of all, install httpd by running the commands below inside the extracted httpd directory (get it from http://httpd.apache.org). The SSL feature is optional (httpd will be installed at /usr/local/apache2).
- ./configure --enable-ssl --enable-so --with-ssl=/usr/local/ssl
- make install
- Troubleshoot: the following packages were missing during my installation of httpd, for your reference:
- install apr
- make install
- install apr-util
- ./configure --with-apr=/usr/local/apr
- make install
- install pcre
- ./configure --disable-cpp
- make install
- Install tomcat-connectors (to build mod_jk.so)
- in a terminal, change to the native folder inside the extracted directory and issue the following commands:
- ./configure --with-apxs=/usr/local/apache2/bin/apxs
- make install
- copy native/apache-2.0/mod_jk.so to /usr/local/apache2/modules (the installation may already have copied it there)
- copy conf/httpd-jk.conf to /apache-tomcat/conf/mod_jk.conf
- copy conf/workers.properties to /apache-tomcat/conf/workers.properties
- edit /usr/local/apache2/conf/httpd.conf
- add the line “Include /apache-tomcat/conf/mod_jk.conf”
- edit /apache-tomcat/conf/mod_jk.conf (this is where you specify which URLs are forwarded to Apache Tomcat, e.g. jspSystem)
- JkWorkersFile workers.properties
- add the line “JkMount /jspSystem/* balancer”
- add the line “JkMount /jspSystem/ balancer”
- edit /apache-tomcat/conf/workers.properties
- Set Apache Tomcat to run on port 8080.
- Now you can start Apache Web Server (for example with /usr/local/apache2/bin/apachectl -k start)
When we put more than 3 applications in the Tomcat webapps folder, we might experience slowness and eventually an application crash, even after increasing the Tomcat reserved memory. This is normally reported as an Out of Memory Error in PermGen space.
The default PermGen space size is 64MB. To increase it, similar to increasing the Tomcat reserved memory, edit $TOMCAT/bin/catalina.bat (or catalina.sh in Linux) and look for JAVA_OPTS:
set JAVA_OPTS=""
Add -XX:PermSize=500m -XX:MaxPermSize=500m to JAVA_OPTS (no spaces around the = in the batch file; in catalina.sh the line is JAVA_OPTS="..."). If JAVA_OPTS already exists with other parameters, just append the new parameters to it:
set JAVA_OPTS="-Xms2000m -Xmx2000m -XX:PermSize=500m -XX:MaxPermSize=500m"
It is recommended to set the PermGen size to 1/4 of the reserved memory, e.g. 1/4 of 2GB reserved memory gives a 500MB PermGen space.
Other reference: 2 solutions of java.lang.OutOfMemoryError in Java
Here is another method to install a Tomcat startup script in Linux (there is another method in my earlier post):
- Download the tomcat script and rename the file from tomcat.doc to tomcat (remove the extension)
- Put the file under /etc/init.d
- Give the file execute permission (chmod +x /etc/init.d/tomcat)
- Adjust 2 parameters in the file, TOMCAT and JAVA_HOME.
- Add the file to the service list (chkconfig --add tomcat)
Now you can double-check whether tomcat is in your service list by using “chkconfig --list tomcat”. To start or stop Tomcat, simply run “service tomcat start” and “service tomcat stop”.
This section shows how to install a CA-signed SSL certificate in the Tomcat service.
- Generate a keystore file using the keytool utility (installed together with the JDK). It will ask for a password to protect the keystore file.
keytool -genkey -alias <any alias name> -keyalg RSA -keystore <output file>
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
- Generate a certificate signing request file.
keytool -certreq -keyalg RSA -alias <alias> -file <output file> -keystore <keystore file>
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key
- Then submit the certificate request to your CA. Normally you just need to submit the content of the request file.
- As a result you will get the content of the signed certificate. Copy the content and save it as a certificate file (for example tomcat.cer).
- For some CAs (like Thawte), you need to download the CA's trusted certificates from their website in order to complete the installation (EV_Root.cer and EV_intermediate.cer).
- Finally import the certificates into the same keystore, root and intermediate first, using the command below:
keytool -import -alias <alias name> -keystore <keystore file> -trustcacerts -file <certificate>
keytool -import -alias EV_Root -keystore tomcat.key -trustcacerts -file EV_Root.cer
keytool -import -alias EV_intermediate -keystore tomcat.key -trustcacerts -file EV_intermediate.cer
keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file tomcat.cer
Some references on retrieving the private key from the keystore you generated.
By default, the Tomcat service runs with a memory limit of 64MB. A Java heap memory exception might occur if the application does not have enough memory. To increase or adjust the memory limit of the Tomcat service, simply edit $TOMCAT/bin/catalina.bat (or catalina.sh in Linux) and look for JAVA_OPTS:
set JAVA_OPTS=""
Add -Xms128m -Xmx256m to JAVA_OPTS (no spaces around the = in the batch file; in catalina.sh the line is JAVA_OPTS="..."). Xms is the initial heap size when Tomcat starts, while Xmx is the maximum heap size Tomcat can use.
set JAVA_OPTS="-Xms128m -Xmx256m"
The session timeout in Tomcat is set in web.xml, either at server level ($TOMCAT/conf/web.xml) or at web app level ($TOMCAT/webapps/yourwebapp/WEB-INF/web.xml). Look for the following tag (or add it in):
The number in the session-timeout tag is in minutes. To make sessions unlimited (no timeout), set the number to -1 and restart your Tomcat service.
Tomcat by default limits the amount of data (2 MB) that you can submit to the Tomcat service through a form POST. In other words, an exception will occur if you upload something larger than 2 MB. To increase the maximum post size or make it unlimited, you only need to:
- Edit the server.xml file in the conf folder
- Look for this line (or a similar one):
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
- Add this attribute: maxPostSize="0". Setting the value to 0 (zero) makes it unlimited, or use any size like “4MB”. Now it looks like this:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxPostSize="0"/>
- Restart the Tomcat service and you are done
A simple method to configure Tomcat (the version I tried is Tomcat 6) so that all HTTP access redirects to HTTPS.
Edit [TOMCAT_HOME]\webapps\ROOT\WEB-INF\web.xml and add the following inside the web-app tag (just above </web-app>).
<web-resource-name>Automatic SSL Forwarding</web-resource-name>
Making Tomcat start automatically in Windows is easy: either install it as a service or put the startup batch file into the Windows startup list. Not so in Linux. After you install (or unzip) Tomcat on your Linux machine and everything tests OK, you can use the steps below to make Tomcat start as a service in Linux (referring to Startup script for Tomcat on Centos | Redhat | Fedora):
- Download the startup script from here. There are 2 files inside the zip file: tomcatd and tomcatRunner.
- Extract them to /etc/init.d. Make sure they are executable.
- Edit the parameters below inside the tomcatd file:
- JAVA: location of your java binary, for example /usr/java/jdk1.6.0_17/bin/java.
- tomcatuser: the user that will run the service; usually I just change it to root (the default is tomcat).
- CATALINA_HOME: location of your Tomcat, for example /usr/tomcat.
- Make a tomcat directory in /var/run:
- Add the tomcat service:
chkconfig --add tomcatd
- Now you should be able to test the service:
service tomcatd restart
Here is another post on auto-starting Tomcat.