CalPoly Tomcat Configuration

These are the Tomcat configuration instructions from the CalPoly team's wiki. Again, these are specific to our systems but may help others trying to configure Tomcat for a production environment.

Tomcat Configuration Guide

Port Assignments

Each instance of Tomcat will need unique ports assigned to it. Out of the box, these ports are:

| Port | Description | Notes |
|------|-------------|-------|
| 8005 | Control port | Not used when launched via jsvc |
| 8009 | AJP connector | |
| 8080 | HTTP connector | |
| 8443 | HTTPS connector | Disabled by default |
| ???? | JMX connector | |

Keep a text file or spreadsheet to track the port assignments. Depending on the deployment type, not all ports will be necessary.

Common configuration

If not using jsvc, give the instance a unique control port:

<Server port="8005" shutdown="SHUTDOWN">

Daemon set-up (using jsvc)

Copy the attached daemon.sh to the bin directory.

Edit or create the file bin/setenv.sh with the following:

JSVC=/usr/local/AppServers/bin/jsvc
JSVC_OPTS="-jvm server"
LD_LIBRARY_PATH=/usr/local/AppServers/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

JSVC should be the absolute path of the jsvc tool.

JSVC_OPTS ensures that it uses the server JVM (as opposed to the client JVM).

Setting LD_LIBRARY_PATH is necessary because sudo sanitizes it. Also be sure to use an absolute path to jsvc and the lib directory.

Finally, add the following to bin/setenv.sh:

CATALINA_USER=wasadmin

You may, of course, substitute any other unprivileged user for wasadmin.

JMX configuration

Subject to change

The details of this will most likely change as we would probably want to limit JMX access.

Create or edit the file bin/setenv.sh with the following:

CATALINA_OPTS="-Dcom.sun.management.jmxremote \
    -Dcom.sun.management.jmxremote.port=8050 \
    -Dcom.sun.management.jmxremote.ssl=false \
    -Dcom.sun.management.jmxremote.authenticate=false"

Be sure to use the actual assigned JMX port (8050 above).
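
With authenticate=false and ssl=false, any host that can reach the JMX port can manage the JVM without credentials. One way to limit access, as an added example that is not the CalPoly team's configuration: it assumes a read-only role named monitor, credential files named jmxremote.password and jmxremote.access under conf, and an existing conf/jmxremote.ssl.properties holding the keystore settings.

```shell
#!/bin/sh
# Added example, not the CalPoly team's configuration. The role name and the
# jmxremote.* file names under conf/ are assumptions of this example.

# Run once as the Tomcat user: create the JMX credential files, owner-only.
# The password is read from stdin so it does not appear in the process list.
# The JVM will not start the JMX agent if the password file is readable by others.
jmx_init_files() {
    conf="$1/conf"; role=$2
    IFS= read -r secret || return 1
    mkdir -p "$conf" || return 1
    (
        umask 077
        printf '%s %s\n' "$role" "$secret" > "$conf/jmxremote.password" &&
        printf '%s readonly\n' "$role" > "$conf/jmxremote.access"
    ) || return 1
    chmod 600 "$conf/jmxremote.password" "$conf/jmxremote.access"
}

# Print a CATALINA_OPTS value with JMX authentication and SSL enabled.
# jmxremote.ssl.properties carries the javax.net.ssl.keyStore settings, which
# keeps the keystore password off the command line.
jmx_opts() {
    conf="$1/conf"
    set -- \
        "-Dcom.sun.management.jmxremote" \
        "-Dcom.sun.management.jmxremote.port=$2" \
        "-Dcom.sun.management.jmxremote.authenticate=true" \
        "-Dcom.sun.management.jmxremote.password.file=$conf/jmxremote.password" \
        "-Dcom.sun.management.jmxremote.access.file=$conf/jmxremote.access" \
        "-Dcom.sun.management.jmxremote.ssl=true" \
        "-Dcom.sun.management.jmxremote.ssl.config.file=$conf/jmxremote.ssl.properties"
    echo "$*"
}

# In bin/setenv.sh, with the instance's assigned JMX port (8050 as above):
CATALINA_OPTS=$(jmx_opts "${CATALINA_BASE:-.}" 8050)
```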

uPortal 3.1 configuration changes

Add the following entry to line ~74 of conf/catalina.properties so that uPortal can copy shared jar files as part of the build process.

shared.loader=${catalina.base}/shared/lib/*.jar

Configuring for mod_jk or mod_proxy_ajp

mod_jk deployment only uses the control port and AJP connector port.

Comment out the HTTP connector:

    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->

Give Tomcat a unique AJP connector port and bind it to localhost:

    <Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" />

Configuring for mod_proxy/mod_proxy_http

Plain HTTP proxy deployment only uses the control port and HTTP connector port.

Comment out the AJP connector:

    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->

Give Tomcat a unique HTTP connector port and bind it to localhost:

    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
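
A check for the two proxy set-ups above (mod_jk/mod_proxy_ajp and mod_proxy/mod_proxy_http) and for the port bookkeeping under Port Assignments, as an added example that is not part of the CalPoly wiki: it lists every active connector in the given server.xml files, marks connectors without an address attribute, and flags ports claimed by more than one instance. The function names, the output format and the sample file are constructed for this example.

```shell
# Added example, not part of the CalPoly wiki; names and output format are its own.

# Print "<file> <port> <protocol> <address>" for every active <Connector>.
list_connectors() {
    awk '
    function attr(el, name,    v) {
        if (!match(el, "[ \t]" name "=\"[^\"]*\"")) return ""
        v = substr(el, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
        return v
    }
    function scan(doc, file,    s, e, rest, el, port, addr, proto, clash) {
        # Drop XML comments so commented-out connectors are not reported.
        while ((s = index(doc, "<!--")) > 0) {
            rest = substr(doc, s + 4); e = index(rest, "-->")
            doc = substr(doc, 1, s - 1) (e ? substr(rest, e + 3) : "")
        }
        while (match(doc, /<Connector[^>]*>/)) {
            el = substr(doc, RSTART, RLENGTH); doc = substr(doc, RSTART + RLENGTH)
            port = attr(el, "port"); addr = attr(el, "address"); proto = attr(el, "protocol")
            if (addr == "") addr = "UNBOUND"      # listens on every interface
            if (proto == "") proto = "HTTP/1.1"   # Tomcat default protocol
            # Same port clashes when the addresses match or either is a wildcard.
            clash = ((port, addr) in seen) || ((port, "UNBOUND") in seen) ||
                    (addr == "UNBOUND" && (port in used))
            seen[port, addr] = 1; used[port] = 1
            printf "%s %s %s %s%s\n", file, port, proto, addr, (clash ? " PORT-CLASH" : "")
        }
    }
    FNR == 1 && NR > 1 { scan(doc, prev); doc = "" }
    { doc = doc $0 " "; prev = FILENAME }
    END { if (NR) scan(doc, prev) }
    ' "$@"
}

# Constructed sample: AJP bound to localhost, HTTP left without an address.
sample_server_xml() {
    cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    -->
    <Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
</Server>
EOF
}
```

Run it as `list_connectors /path/to/instance1/conf/server.xml /path/to/instance2/conf/server.xml`; behind a local proxy, every line should show 127.0.0.1 and none should carry PORT-CLASH.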

Configuring for jsvc

Necessity for jsvc deployment

Deployment using jsvc is only necessary when binding to ports below 1024, i.e. the default HTTP and HTTPS ports.

jsvc deployment only uses the HTTP connector port and HTTPS connector port, and these don't necessarily have to be unique. In fact, for best effect, they should be the standard ports 80 and 443. Note that the HTTPS connector port is optional if the application does not require SSL!

Comment out the AJP connector:

    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->

Change the HTTP connector port to 80 and bind it to the virtual host IP (xxx below):

    <Connector address="xxx" port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

Also be sure to change redirectPort to the actual HTTPS connector port.

If needed by the application, add the HTTPS connector, binding it to the virtual host IP (xxx below):

    <Connector address="xxx" port="443" maxHttpHeaderSize="8192"
               maxThreads="150"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.base}/conf/zzz.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/yyy.key" />

zzz.crt is the file containing the certificate; the above setting places it in Tomcat's conf directory. yyy.key is the (unencrypted) private key, also located in Tomcat's conf directory.

Mapping Request URI to ~user/public_html Directory

(See the section "User Web Applications" under http://tomcat.apache.org/tomcat-6.0-doc/config/host.html.)

The Software Download channel requires that images and support documents be retrieved from ~sitesoft/public_html. To configure Tomcat to do this, a Listener needs to be added to the server.xml file as a child of the <Host> tag:

<Host name="localhost" ...>
  ...
  <Listener className="org.apache.catalina.startup.UserConfig"
            directoryName="public_html"
            userClass="org.apache.catalina.startup.PasswdUserDatabase"/>
  ...
</Host>