
Hardening guide for Tomcat 5.5 on Solaris 10 platform

Eyal Estrin

Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.

Pre-installation notes

This guide describes how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.

Installation phase

  1. Log in to the server using the root account.
  2. Make sure the folder /usr/jdk exists:
         ls -ad /usr/jdk
  3. If the folder /usr/jdk doesn't exist, create it manually:
         mkdir /usr/jdk
  4. Copy the JDK 1.6 installer scripts (32-bit and x64) into /usr/jdk.
  5. Move to the /usr/jdk folder:
         cd /usr/jdk
  6. Change the permissions on the JDK 1.6 (32-bit) script:
         chmod +x jdk-6u15-solaris-i586.sh
  7. Run the command below to install JDK 1.6 (32-bit):
         ./jdk-6u15-solaris-i586.sh
  8. Change the permissions on the JDK 1.6 (x64) script:
         chmod +x jdk-6u15-solaris-x64.sh
  9. Run the command below to install JDK 1.6 (x64):
         ./jdk-6u15-solaris-x64.sh
  10. Delete the installer scripts and the JDK sources, demos and samples:
         rm /usr/jdk/jdk-6u15-solaris-i586.sh
         rm /usr/jdk/jdk-6u15-solaris-x64.sh
         rm /usr/jdk/jdk1.6.0_15/src.zip
         rm -r /usr/jdk/jdk1.6.0_15/demo
         rm -r /usr/jdk/jdk1.6.0_15/sample
  11. Remove the existing link to Java:
         rm /usr/bin/java
  12. Create a new link to Java (for x64 servers):
         ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
  13. Reload the links into memory:
         rehash
  14. Mount the Solaris 10 DVD and move to the packages folder:
         cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  15. Run the command below to install the Tomcat packages:
         pkgadd -d . SUNWtcatr SUNWtcatu
  16. Remove the following default folders and files:
         rm -r /usr/apache/tomcat55/webapps/tomcat-docs
         rm /var/apache/tomcat55/webapps/tomcat-docs
         rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
         rm -r /var/apache/tomcat55/webapps/jsp-examples
         rm -r /var/apache/tomcat55/webapps/servlets-examples
         rm -r /var/apache/tomcat55/webapps/webdav
         rm -r /var/apache/tomcat55/webapps/balancer
  17. Copy the server.xml configuration file:
         cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
      Note: The above command should be written as one line.
  18. Edit the file /var/apache/tomcat55/conf/server.xml using vi. Uncomment the section below:
         org.apache.catalina.valves.AccessLogValve
      Replace the non-SSL HTTP/1.1 Connector.
      From:
         <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
         <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                    enableLookups="false" redirectPort="8443" acceptCount="100"
                    connectionTimeout="20000" disableUploadTimeout="true" />
      To:
         <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
         <Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                    enableLookups="false" redirectPort="8443" acceptCount="100"
                    connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
  19. Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section before the closing "web-app" tag:
         <!-- Define a Security Constraint on this Application -->
         <security-constraint>
           <web-resource-collection>
             <web-resource-name>HTMLManger and Manager command</web-resource-name>
             <url-pattern>/jmxproxy/*</url-pattern>
             <url-pattern>/html/*</url-pattern>
             <url-pattern>/list</url-pattern>
             <url-pattern>/sessions</url-pattern>
             <url-pattern>/start</url-pattern>
             <url-pattern>/stop</url-pattern>
             <url-pattern>/install</url-pattern>
             <url-pattern>/remove</url-pattern>
             <url-pattern>/deploy</url-pattern>
             <url-pattern>/undeploy</url-pattern>
             <url-pattern>/reload</url-pattern>
             <url-pattern>/save</url-pattern>
             <url-pattern>/serverinfo</url-pattern>
             <url-pattern>/status/*</url-pattern>
             <url-pattern>/roles</url-pattern>
             <url-pattern>/resources</url-pattern>
           </web-resource-collection>
           <auth-constraint>
             <role-name>manager</role-name>
           </auth-constraint>
         </security-constraint>
  20. Edit the file /var/apache/tomcat55/conf/tomcat-users.xml using vi and add the following lines:
         <role rolename="admin"/>
         <role rolename="manager"/>
         <user username="admin" password="adminpass" roles="admin,manager"/>
      Note: Specify a complex password for the admin account (and document it).
  21. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml using vi. Uncomment the section below:
         org.apache.catalina.valves.RemoteAddrValve
      Replace the value of the attribute below.
      From:
         allow="127.0.0.1"
      To:
         allow="172.16.*.*"
      Note: You may replace "172.16.*.*" with your internal network segment. Example:
         allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  22. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml using vi. Inside the "Context" section, add the following line:
         <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>
      Note: You may replace "172.16.*.*" with your internal network segment. Example:
         allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
  23. Move to the folder /usr/apache/tomcat55/server/lib:
         cd /usr/apache/tomcat55/server/lib
  24. Extract the ServerInfo.properties file from catalina.jar:
         jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  25. Edit the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties using vi. Replace the string below.
      From:
         server.info=Apache Tomcat/5.5.26
      To:
         server.info=Secure Web server
      Replace the string below.
      From:
         server.number=5.5.26.0
      To:
         server.number=1.0.0.0
  26. Move to the folder /usr/apache/tomcat55/server/lib:
         cd /usr/apache/tomcat55/server/lib
  27. Repackage the file catalina.jar with the edited properties file:
         jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  28. Remove the folder below:
         rm -r /usr/apache/tomcat55/server/lib/org
  29. Create a user account for the Tomcat service:
         mkdir /home/tomcat
         groupadd tomcat
         useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
         chown tomcat:tomcat /home/tomcat/
         passwd tomcat
         passwd -l tomcat
  30. Create the file /etc/init.d/tomcat using vi with the following content:
         #!/bin/sh
         #
         # Startup script for Tomcat
         #
         JAVA_HOME="/usr/jdk/jdk1.6.0_15"
         export JAVA_HOME

         case "$1" in
           start)
             echo "Starting Tomcat"
             # The command is quoted so that -security is passed to startup.sh
             # (unquoted, su hands it to the shell as $0 and it is silently dropped)
             su - tomcat -c "/usr/apache/tomcat55/bin/startup.sh -security"
             ;;
           stop)
             echo "Stopping Tomcat"
             su - tomcat -c "/usr/apache/tomcat55/bin/shutdown.sh"
             ;;
           restart)
             $0 stop
             $0 start
             ;;
           *)
             echo "Usage: $0 {start|stop|restart}"
             exit 1
             ;;
         esac
  31. Change the permissions on the file /etc/init.d/tomcat:
         chmod u+x /etc/init.d/tomcat
  32. Create symbolic links for system-level startup:
         ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
         ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
  33. Reload the links into memory:
         rehash
  34. Change ownership of all server files to the tomcat user:
         chown -R tomcat:tomcat /var/apache/tomcat55/*
         chown -R tomcat:tomcat /usr/apache/tomcat55/*
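A post-hardening check for steps 16 to 22, written here as an added example (not part of the original guide): it assumes the guide's directory layout under a root you pass in (/var/apache/tomcat55 on the real server), a POSIX shell (on Solaris 10 use /usr/xpg4/bin/sh), and it constructs a small sample tree so both a hardened and an unhardened outcome can be exercised offline.

```shell
#!/bin/sh
# Post-hardening audit for the Tomcat 5.5 layout used in the guide (added example).
# audit_tomcat ROOT expects ROOT/conf and ROOT/webapps, i.e. /var/apache/tomcat55 on the real box.
# Print only the lines of an XML file that sit outside <!-- ... --> comment blocks.
strip_xml_comments() {
    awk '/<!--/ {c=1} !c {print} /-->/ {c=0}' "$1"
}

# Prints one FAIL line per missing hardening step; the return code is the number of failures.
audit_tomcat() {
    root="$1"; conf="$root/conf"; webapps="$root/webapps"; fails=0
    # Step 16: sample and documentation webapps must be gone.
    for app in tomcat-docs jsp-examples servlets-examples webdav balancer; do
        if [ -e "$webapps/$app" ]; then echo "FAIL: default webapp still present: $app"; fails=$((fails + 1)); fi
    done
    # Step 18: the AccessLogValve must be active, i.e. outside any XML comment.
    if ! strip_xml_comments "$conf/server.xml" | grep -q 'org.apache.catalina.valves.AccessLogValve'; then
        echo "FAIL: AccessLogValve is still commented out in server.xml"; fails=$((fails + 1))
    fi
    # Step 20: the guide's placeholder password must not survive into production.
    if grep -q 'password="adminpass"' "$conf/tomcat-users.xml" 2>/dev/null; then
        echo "FAIL: tomcat-users.xml still uses the example password"; fails=$((fails + 1))
    fi
    # Steps 21 and 22: admin and manager contexts must carry an active RemoteAddrValve.
    for ctx in admin manager; do
        if ! strip_xml_comments "$conf/Catalina/localhost/$ctx.xml" 2>/dev/null | grep -q RemoteAddrValve; then
            echo "FAIL: no active RemoteAddrValve in $ctx.xml"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# make_sample_tree DIR hardened|unhardened: constructed fake Tomcat tree for a dry run (not real config).
make_sample_tree() {
    d="$1"; mkdir -p "$d/conf/Catalina/localhost" "$d/webapps/ROOT"
    if [ "$2" = unhardened ]; then
        mkdir -p "$d/webapps/jsp-examples" "$d/webapps/webdav"
        printf '<Server>\n<!--\n<Valve className="org.apache.catalina.valves.AccessLogValve"/>\n-->\n</Server>\n' > "$d/conf/server.xml"
        printf '<tomcat-users>\n<user username="admin" password="adminpass" roles="admin,manager"/>\n</tomcat-users>\n' > "$d/conf/tomcat-users.xml"
        printf '<Context>\n<!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/> -->\n</Context>\n' > "$d/conf/Catalina/localhost/admin.xml"
        printf '<Context>\n</Context>\n' > "$d/conf/Catalina/localhost/manager.xml"
    else
        printf '<Server>\n<Valve className="org.apache.catalina.valves.AccessLogValve"/>\n</Server>\n' > "$d/conf/server.xml"
        printf '<tomcat-users>\n<user username="admin" password="CHANGED-PLACEHOLDER" roles="admin,manager"/>\n</tomcat-users>\n' > "$d/conf/tomcat-users.xml"
        for ctx in admin manager; do
            printf '<Context>\n<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>\n</Context>\n' > "$d/conf/Catalina/localhost/$ctx.xml"
        done
    fi
}
```

On the real server run `audit_tomcat /var/apache/tomcat55` after step 34; a zero exit code means every file-level check passed.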