Apache Tomcat Server

Purpose of this document is to document how to install Apache Tomcat server with SSL certificate in the amazon EC2 cloud.

Special thanks to day, geek where I took the tomcat installation from.

Server instance

8.04 LTS Hardy Server 64-Bit (Large, Extra Large Instances)

  • Large Instance 7.5 GB of memory,
  • 4 EC2 Compute Units (2 virtual cores with 2 EC2 Compute Units each)
  • 850 GB of instance storage, 64-bit platform

Public DNS: ec2-75-101-229-75.compute-1.amazonaws.com
Private DNS: domU-12-31-39-07-B0-C2.compute-1.internal

Connect to the server

The SSH conenction to the server requires a valid key file.
ssh -i  dgweb.pem root@PUBLIC_DNS.amazonaws.com

Upgrade Server

First we update the server to make sure we are running the latest version.
apt-get update
apt-get upgrade


To be able to run Tomacat we need the latest version of JAVA JDK
apt-get install sun-java6-jdk

Tomcat 6

First we need to download the latest version from the apache tomcat web site and extract it to a temp directory.

wget http://mirrors.issp.co.th/apache/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz

tar xvzf apache-tomcat-6.0.20.tar.gz

Move the tomcat folder to it permanent destination.

mv apache-tomcat-6.0.20 /usr/local/tomcat6

Tomcat configuration

We nee to tell tomcat where to find the JAVA_HOME directory this can be done in the .bashrc file.

vim ~/.bashrc

Where we add the following line to the end of the file.

export JAVA_HOME=/usr/lib/jvm/java-6-sun

Now we create the start-up file so tomcat will start-up automatically.

vim /etc/init.d/tomcat6

Copy and past the following code:

# Tomcat auto-start
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid
 export JAVA_HOME=/usr/lib/jvm/java-6-sun
 case $1 in
        sh /usr/local/tomcat6/bin/startup.sh
        sh /usr/local/tomcat6/bin/shutdown.sh
        sh /usr/local/tomcat6/bin/shutdown.sh
        sh /usr/local/tomcat6/bin/startup.sh
exit 0

Change file permission to execute.

chmod 755 /etc/init.d/tomcat6

Now we can link the script to the start-up folder.

ln -s /etc/init.d/tomcat6 /etc/rc1.d/K99tomcat6
ln -s /etc/init.d/tomcat6 /etc/rc2.d/S99tomcat6

Tomcat should run now under http://PUBLIC_DNS.amazonaws.com:8080/

Specify the minimum and maximum memory tomcat should be allocated. Create the following file.

vim /usr/local/tomcat6/bin/setenv.sh

and add this line to associate min 1GB and maximum 5GB of memory.

export CATALINA_OPTS="-server -XX:+UseParallelGC -Xms1024m -Xmx5120m -XX:MaxPermSize=160m -Djava.awt.headless=true"

Apache2 / MySql

To install apache2 and mysql we use the default ubuntu command to make sure we get a compatible version

apt-get install apache2
apt-get install mysql-server

We should now be able to access apache server:

Configure apache2 with tomcat6

Apache, mod_proxy/mod_jk2, Tomcat:
Configure Apache as the front end to all requests then forward certain URLs or virtual hosts to Tomcat.  This option lets have some content served by Tomcat (e.g. a whole domain, or a certain directory on a domain) and other content (e.g. HTML, PHP pages, etc) served by Apache

aptitude install libapache2-mod-jk

Next we need to modify Apache's configuration files to point specified paths of your site to Tomcat. First create a workers file that contains connection properties to Tomcat.

vi /etc/libapache2-mod-jk/workers.properties

Add the following lines to the file:

# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
# We define a worked named 'default'



This creates a worker named "default" which connects to the Tomcat ajp port 8009. Now we make Apache aware of this file and tell it how to log jk information. Open apache2.conf:

vi /etc/apache2/apache2.conf

Add the following lines to the bottom of the file:

# Where to find workers.properties
JkWorkersFile /etc/libapache2-mod-jk/workers.properties

# Where to put jk logs
JkLogFile /var/log/apache2/mod_jk.log

# Set the jk log level [debug/error/info]
JkLogLevel info

# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

Next we tell Apache which paths of your site to let Tomcat serve. Site configuration files reside in /etc/apache2/sites-enabled. If Apache serves one site you can edit the default site. Open the site configuration file and add the following between the VirtualHosts tags:

vi /etc/apache2/sites-enabled/000-default

Delete "DocumentRoot /var/www"

rm -R /var/www/

And mount new location

JkMount / default
JkMount /* default

Notice the JKMount and JKUnMount lines. These settings enable Tomcat to serve all paths by default, and Apache to handle the /static and /photos paths. Adjust accordingly to your site. Next restart Apache so the changes take effect:

/etc/init.d/tomcat6 restart
/etc/init.d/apache2 restart

Configure SSL certificate

First we need to create the certificate wit VeriSign therefore we need to create a CRS key file.

Create CRS certificate

$JAVA_HOME/bin/keytool -genkey -alias dg -keyalg RSA -keystore dg_keystore

keytool -certreq -keyalg RSA -alias dg -file certreq.csr -keystore dg_keystore

Install certificate

We use Apache to configure the SSL not Tomcat. Better to keep Tomcat simple, no SSL certificates in Tomcat or Java. just a standard Apache set-up


Simply in Apache
We have two <VirtualHost> websites configured
1 - on port 80
2 - on port 443

Once that is done we will be able to connect to the website via both HTTPS and HTTP
the next step is "forcing" the user to go to the HTTPS when we want.
First option we might use a "Scheme Enforcement" to force the user to SSL pages that we define.
Another way to do this would be to use ModRewrite in Apache to force redirect to HTTPS pages that we want

Create the site configuration file for secure.
vi /etc/apache2/sites-enabled/ssl-000-default
And add the following
NameVirtualHost *:443
<VirtualHost *:443>
        ServerName www.dizzygoat.com
        ServerAdmin webmaster@localhost

        #JkMount / default
        JkMount /* default

        ErrorLog /var/log/apache2/dizzygoat.com-ssl-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/dizzygoat.com-ssl-access.log combined
        ServerSignature On

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/public.crt
        SSLCertificateKeyFile /etc/apache2/ssl/private.crt
        SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
Next restart Apache so the changes take effect:
sudo /etc/init.d/apache2 restart

HOWTO get rid of the SSL pass-phrase dialog at Apache startup

The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your private.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps:

Remove the encryption from the RSA private key (while preserving the original file):

cp private.key private.key.orig
openssl rsa -in private.key.orig -out private.key

Make sure the private.key file is now only readable by root (or webserver UID):

chmod 400 private.key


Tags: Open Source, Apache, Technology 30-Jan-09

Write a comment

  • Required fields are marked with *.
Name: *

Email: *


Comment: *

If you have trouble reading the code, click on the code itself to generate a new random code.

Help prevent spam - enter security code above: