This document explains the installation, configuration and hardening of a Tomcat 8.x server on a default RedHat 6.5 installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST attack and the CRIME attack. (The JSSE connector configured below never negotiates TLS compression, so CRIME does not apply to it. BEAST affects CBC cipher suites under TLS 1.0, so it is avoided only by clients that negotiate TLS 1.1 or 1.2, or by removing TLSv1 from the connector altogether.) Some of the features explained in this document are supported by only some Internet browsers:
- TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (not enabled by default; must be enabled manually), Firefox 24.0 (not enabled by default; must be enabled manually), Chrome 30, Opera 17, Safari 5.0
Installation phase
1. Log in to the server using the root account.
2. Create a dedicated, unprivileged account for the service:
    groupadd tomcat
    useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
Note: useradd creates the account with a locked password, so it can only be reached through su from root. The account keeps a shell because the init script in step 20 starts Tomcat with su.
3. Download the latest JDK 8 for Linux from: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
4. Install (or upgrade to) the latest build of the Oracle JDK:
    rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
5. Delete the installer and the bundled JDK sources:
    rm -f /tmp/jdk-8u45-linux-x64.rpm
    rm -f /usr/java/jdk1.8.0_45/src.zip
6. Download the latest Tomcat 8 binary distribution:
    cd /opt
    wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
Note: Verify the archive before extracting it, by comparing it with the checksum or PGP signature published on tomcat.apache.org (not on the mirror you downloaded from).
7. Extract the Tomcat archive:
    tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
8. Rename the Tomcat folder:
    mv /opt/apache-tomcat-8.0.21 /opt/tomcat
9. Remove the archive and the default content (documentation, examples and the Manager and Host Manager applications, none of which belong on a hardened server):
    rm -rf /opt/apache-tomcat-8.0.21.tar.gz
    rm -rf /opt/tomcat/webapps/docs
    rm -rf /opt/tomcat/webapps/examples
    rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
    rm -rf /opt/tomcat/webapps/host-manager
    rm -rf /opt/tomcat/webapps/manager
    rm -rf /opt/tomcat/work/Catalina/localhost/docs
    rm -rf /opt/tomcat/work/Catalina/localhost/examples
    rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
    rm -rf /opt/tomcat/work/Catalina/localhost/manager
10. Change folder ownership and permissions:
    chown -R tomcat:tomcat /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat/conf
    chmod o-rwx /opt/tomcat/logs
    chmod o-rwx /opt/tomcat/temp
    chmod g-w,o-rwx /opt/tomcat/bin
    chmod g-w,o-rwx /opt/tomcat/webapps
    chmod 770 /opt/tomcat/conf/catalina.policy
    chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
    chmod g-w,o-rwx /opt/tomcat/conf/context.xml
    chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
    chmod g-w,o-rwx /opt/tomcat/conf/server.xml
    chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
    chmod g-w,o-rwx /opt/tomcat/conf/web.xml
Note: With this layout the tomcat account owns, and can write to, everything under /opt/tomcat, so a compromised application can also alter conf/ and bin/. Where applications are deployed by an administrator rather than through the Manager, a tighter layout keeps bin, lib, conf and webapps owned by root with group tomcat (read-only for the group) and gives tomcat write access only to logs, temp and work.
11. Move to the folder /opt/tomcat/lib:
    cd /opt/tomcat/lib
12. Extract the version file from catalina.jar:
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
13. Edit using VI the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties and replace the three values that identify the release (the values shown are those of 8.0.21; edit whatever the file contains):
    Replace: server.info=Apache Tomcat/8.0.21
    With:    server.info=Secure Web server
    Replace: server.number=8.0.21.0
    With:    server.number=1.0.0.0
    Replace: server.built=Mar 23 2015 14:11:21 UTC
    With:    server.built=Jan 01 2000 00:00:00 UTC
14. Make sure you are still in the folder /opt/tomcat/lib:
    cd /opt/tomcat/lib
15. Write the edited file back into catalina.jar:
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
16. Remove the extracted folder:
    rm -rf /opt/tomcat/lib/org
Note: These strings are what Tomcat prints on its default error pages and reports as its version. Hiding them removes no vulnerability, only the easy fingerprint, and since catalina.jar is replaced by every Tomcat upgrade, steps 11-16 must be repeated after each upgrade.
17. Edit using VI the file /opt/tomcat/conf/server.xml and make the following changes:
Replace:
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
With:
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" xpoweredBy="false" allowTrace="false" redirectPort="8443" />
(Both attributes already default to false in Tomcat 8; setting them explicitly documents the intent and survives a later change of defaults.)
Replace:
    <Server port="8005" shutdown="SHUTDOWN">
With:
    <Server port="-1" shutdown="SHUTDOWN">
(This disables the shutdown port, so no local process can stop Tomcat by sending the SHUTDOWN string to port 8005. As a consequence shutdown.sh can no longer stop Tomcat through that port; for it to keep working, the init script in step 20 must export CATALINA_PID so that catalina.sh falls back to signalling the process.)
In the <Host> element, replace:
    autoDeploy="true"
With:
    autoDeploy="false"
(Tomcat then deploys only what is present at start-up and no longer picks up WAR files dropped into webapps while it is running.)
18. Create using VI the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp). Keep it static and generic: the same page serves every error code in step 19, so it must carry no version string, stack trace or echo of the request (an error page that reflects the requested URL is a classic cross-site scripting sink). Content:
    <html>
    <head>
    <title>Error</title>
    </head>
    <body>
    The request could not be processed by this server.
    </body>
    </html>
19. Edit using VI the file /opt/tomcat/conf/web.xml and add the following sections before the closing “web-app” tag (without them Tomcat's built-in error pages reveal the server version and, for status 500, the exception and stack trace):
    <error-page>
        <error-code>400</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>405</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>408</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>410</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>411</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>412</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>413</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error.jsp</location>
    </error-page>
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTMLManger and Manager command</web-resource-name>
            <url-pattern>/jmxproxy/*</url-pattern>
            <url-pattern>/html/*</url-pattern>
            <url-pattern>/list</url-pattern>
            <url-pattern>/sessions</url-pattern>
            <url-pattern>/start</url-pattern>
            <url-pattern>/stop</url-pattern>
            <url-pattern>/install</url-pattern>
            <url-pattern>/remove</url-pattern>
            <url-pattern>/deploy</url-pattern>
            <url-pattern>/undeploy</url-pattern>
            <url-pattern>/reload</url-pattern>
            <url-pattern>/save</url-pattern>
            <url-pattern>/serverinfo</url-pattern>
            <url-pattern>/status/*</url-pattern>
            <url-pattern>/roles</url-pattern>
            <url-pattern>/resources</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
Note: The security constraint above is copied from the Manager application's own web.xml. Placed in the global conf/web.xml it applies to every deployed application, and because no user is given the manager role it denies these paths to everyone, including legitimate application paths such as /resources or /status/*. The Manager and Host Manager applications were removed in step 9, so the constraint adds nothing for them; include it only if none of the applications you deploy use these paths.
20. Create using VI the file /etc/init.d/tomcat with the following content:
    #!/bin/bash
    # description: Tomcat Start Stop Restart
    # processname: tomcat
    # chkconfig: 234 20 80
    JAVA_HOME=/usr/java/jdk1.8.0_45
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH
    CATALINA_HOME=/opt/tomcat
    export CATALINA_HOME
    # The shutdown port is disabled in step 17, so shutdown.sh cannot stop Tomcat over
    # port 8005. With CATALINA_PID set, catalina.sh stops the process recorded in this
    # file with an OS signal instead (temp/ is writable by the tomcat account).
    CATALINA_PID=/opt/tomcat/temp/tomcat.pid
    export CATALINA_PID
    case $1 in
    start)
        /bin/su tomcat $CATALINA_HOME/bin/startup.sh
        ;;
    stop)
        /bin/su tomcat $CATALINA_HOME/bin/shutdown.sh
        ;;
    restart)
        /bin/su tomcat $CATALINA_HOME/bin/shutdown.sh
        # give the JVM time to exit before starting a new one
        sleep 5
        /bin/su tomcat $CATALINA_HOME/bin/startup.sh
        ;;
    esac
    exit 0
Note: Update the “JAVA_HOME” path according to the installed JDK build. su without “-” keeps the exported variables, which is how JAVA_HOME and CATALINA_PID reach the Tomcat scripts.
21. Change the permissions on the tomcat script:
    chmod 755 /etc/init.d/tomcat
22. To start the Tomcat service at server start-up, run the command:
    chkconfig tomcat on
23. To manually start the Tomcat service, use the command:
    service tomcat start
24. Configure IPTables. Add the accept rules first and set the DROP policy last; in the original order (policy first) the session you are working from loses packets until the RELATED,ESTABLISHED rule is in place, and with the policy set, new SSH connections are refused until step 25 is done. Run steps 24-26 from the console or in one go:
    service iptables stop
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP
25. Allow SSH access from the internal segment (i.e. 10.0.0.0/8):
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
26. Allow HTTP (port 8080/TCP) access from the Internet on the public interface (i.e. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name. Port 8080 carries plain HTTP; once the SSL phase is complete, Tomcat answers every request on it with a redirect to port 8443.
27. Save the IPTables settings: service iptables save
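The following shell script is an added example, not part of the original guide, that audits an existing installation against steps 9, 10 and 17 (removed default applications, permissions under conf/, shutdown port, TRACE and automatic deployment). It assumes the guide's own layout (each of the <Server>, <Connector> and <Host> elements on one line in server.xml, paths without spaces); the weak sample tree it builds under --demo is constructed for illustration and is not a real installation.

```shell
#!/bin/bash
# Added example: audit an installation against steps 9, 10 and 17 of this guide.
# Usage: audit_tomcat /opt/tomcat
# Prints one FINDING line per problem; the exit status is the number of findings (0 = clean).
# Assumptions: the <Server>, <Connector> and <Host> elements each sit on a single line
# (as written in this guide) and paths under conf/ contain no spaces.

audit_tomcat() {
    local home="$1" findings=0 app f
    local server_xml="$home/conf/server.xml"

    # Step 9: the default applications must be gone (docs, examples, Manager, Host Manager).
    for app in docs examples manager host-manager; do
        if [ -e "$home/webapps/$app" ]; then
            echo "FINDING: default application still deployed: webapps/$app"
            findings=$((findings + 1))
        fi
    done

    # Step 10: nothing under conf/ may be readable, writable or executable by "other".
    for f in $(find "$home/conf" -perm /o+rwx 2>/dev/null); do
        echo "FINDING: accessible by other users: $f"
        findings=$((findings + 1))
    done

    # Step 17: shutdown port disabled, TRACE refused, no automatic deployment.
    if [ -f "$server_xml" ]; then
        if ! grep -Eq '<Server[^>]*port="-1"' "$server_xml"; then
            echo "FINDING: shutdown port still enabled in server.xml"
            findings=$((findings + 1))
        fi
        if grep -Eq '<Connector[^>]*allowTrace="true"' "$server_xml"; then
            echo "FINDING: a Connector accepts the TRACE method"
            findings=$((findings + 1))
        fi
        if grep -Eq '<Host[^>]*autoDeploy="true"' "$server_xml"; then
            echo "FINDING: autoDeploy is enabled on a Host"
            findings=$((findings + 1))
        fi
    else
        echo "FINDING: $server_xml not found"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample (not a real installation): a throw-away tree that fails every
# check above, so the audit can be tried without touching /opt/tomcat.
make_weak_sample() {
    local root="$1"
    mkdir -p "$root/conf" "$root/webapps/manager" "$root/webapps/ROOT"
    chmod 750 "$root/conf"
    cat > "$root/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" redirectPort="8443" />
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  </Host>
</Server>
EOF
    chmod 644 "$root/conf/server.xml"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_weak_sample "$demo"
    audit_tomcat "$demo"
    echo "findings: $?"
    rm -rf "$demo"
fi
```

Run it as `bash audit.sh --demo` to see the five findings the sample produces, or source the file and call `audit_tomcat /opt/tomcat` after finishing the installation phase; a clean installation returns 0.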
SSL Configuration phase
1. Log in to the server using the root account.
2. Create a folder for the SSL certificate files, readable by root and the tomcat account only:
    mkdir -p /opt/tomcat/ssl
    chown -R tomcat:tomcat /opt/tomcat/ssl
    chmod -R 750 /opt/tomcat/ssl
Note: The keystore created in step 3 holds the server's private key; it must not be world-readable, so do not use 755 here.
3. Run the command below to generate a key store containing a new 2048-bit RSA key pair:
    /usr/java/jdk1.8.0_45/bin/keytool -genkeypair -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"
Note 1: The command above should be written as one line (-genkey, used in older instructions, is the same command).
Note 2: Replace ComplexPassword with your own complex password. A password given on the command line is visible in the shell history and the process list; omit -storepass to be prompted for it instead.
Note 3: Replace “FQDN_Name” with the server DNS name, and answer the prompt “What is your first and last name?” with the same DNS name, since it becomes the certificate's CN. Current browsers match the host name against the Subject Alternative Name rather than the CN, so add -ext san=dns:FQDN_Name to this command and to the -certreq command in step 4.
Note 4: When asked for the key password, press Enter so that it equals the keystore password; Tomcat's keystorePass in step 13 is used for both unless keyPass is set separately.
Note 5: Despite its name, server.key is a Java keystore (JKS), not a PEM key file.
4. Run the command below to generate a CSR (certificate signing request) for that key:
    /usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name.
5. Send the file /tmp/tomcat.csr to a Certificate Authority.
6. As soon as you receive the signed certificate from the Certificate Authority (usually via email), copy all lines from the “BEGIN CERTIFICATE” line to the “END CERTIFICATE” line (including those two lines) into a text editor and save the file as “server.crt”.
7. Copy the file “server.crt” using SCP into /opt/tomcat/ssl.
8. Follow the link in the email from the CA to download the CA chain (the root and any intermediate certificates) and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl.
10. Import the CA chain as trusted certificates. The alias must differ from the one used in step 3: “FQDN_Name” already names the private key entry, and importing a file under a key entry's alias makes keytool treat it as the certificate reply for that key, which fails for a CA bundle. keytool also reads only the first certificate of a file when importing a trusted certificate, so if ca-bundle.crt contains both an intermediate and a root certificate, split them and import each one under its own alias:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias ca-root -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crt
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Answer “yes” when keytool asks whether to trust the certificate (it asks only when the CA is not already in the JDK's cacerts store).
11. Install the signed certificate against the key entry. The -alias must be the one used in step 3; without it keytool imports the file as a separate trusted certificate under the default alias “mykey” and the key entry keeps its self-signed certificate, so Tomcat would serve the wrong certificate:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias "FQDN_Name" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crt
Note 1: The command above should be written as one line. The expected output is “Certificate reply was installed in keystore”.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name.
Check the result and then restrict the keystore, which contains the private key, to the tomcat account:
    /usr/java/jdk1.8.0_45/bin/keytool -list -v -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"
    (the entry type must be PrivateKeyEntry and the certificate chain length 2 or more)
    chown tomcat:tomcat /opt/tomcat/ssl/server.key
    chmod 600 /opt/tomcat/ssl/server.key
12. Stop the Tomcat service: service tomcat stop
13. Edit using VI the file /opt/tomcat/conf/server.xml and add the section below (a single Connector element; the ciphers attribute is one comma-separated value):
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
               xpoweredBy="false" allowTrace="false"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/tomcat/ssl/server.key" keystorePass="ComplexPassword" keyAlias="FQDN_Name"
               clientAuth="false"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
Note 1: Replace ComplexPassword with your own complex password. It is stored in clear text in server.xml, which is why step 10 of the installation phase made conf/ unreadable to other users.
Note 2: Replace “FQDN_Name” with the server DNS name.
Note 3: protocol="HTTP/1.1" selects the JSSE (NIO) connector unless the Tomcat native/APR library is installed, in which case Tomcat picks the APR connector, which ignores the keystore attributes above in favour of its own SSLCertificateFile/SSLCertificateKeyFile settings. On a server with the native library, use protocol="org.apache.coyote.http11.Http11NioProtocol" to keep this configuration in effect.
Note 4: TLSv1 and TLSv1.1, the CBC suites and the 3DES suites are kept only for the older browsers listed at the top of this document, and the TLS_ECDH_ (static ECDH) suites provide no forward secrecy. If all clients support TLS 1.2, set sslEnabledProtocols="TLSv1.2" and keep only the TLS_ECDHE_*_GCM_* suites, which also removes the BEAST issue entirely. On Java 8, recent 8.0.x releases additionally accept useServerCipherSuitesOrder="true" (check the HTTP connector documentation of your Tomcat version), so that the server rather than the client chooses the suite and the GCM suites listed first are preferred.
14. Edit using VI the file /opt/tomcat/conf/web.xml and add the following section before the closing “web-app” tag. A <user-data-constraint> is only valid inside a <security-constraint> with a <web-resource-collection>; the pattern /* applies it to the whole application, so Tomcat redirects every plain HTTP request on port 8080 to the redirectPort (8443):
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <description>Constrain the user data transport for the whole application</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
15. Edit using VI the file /opt/tomcat/conf/context.xml and add the following attribute to the <Context> tag (the attribute name is case-sensitive; Tomcat 7 and later already default it to true, so this only makes the setting explicit and marks session cookies HttpOnly):
    <Context useHttpOnly="true">
16. Allow HTTPS (port 8443/TCP) access from the Internet on the public interface (i.e. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
17. Save the IPTables settings: service iptables save
18. To manually start the Tomcat service, use the command: service tomcat start
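As an added example, not from the original guide, this shell script reviews the HTTPS Connector of step 13: it flags the legacy protocols and the static-ECDH and 3DES suites that the connector keeps for older browsers, and derives the forward-secret GCM-only list to switch to once every client supports TLS 1.2. It works on the attribute strings only (each attribute value on one line is assumed); the shortened Connector it writes as a sample is a constructed subset of the step 13 element, not a real server.xml.

```shell
#!/bin/bash
# Added example: review the HTTPS Connector of step 13 for legacy protocols and
# cipher suites that are weak or lack forward secrecy.
# Usage: audit_tls_connector /opt/tomcat/conf/server.xml
# Exit status = number of findings. Assumes each attribute value sits on one line.

# Print the value of attribute $2 from the first element in file $1 that carries it.
connector_attr() {
    grep -o "$2=\"[^\"]*\"" "$1" | head -n 1 | sed 's/^[^=]*="//; s/"$//'
}

# Reduce a comma-separated cipher list to the forward-secret AEAD suites (ECDHE key
# exchange with AES-GCM): the subset worth keeping once every client speaks TLS 1.2.
strong_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | grep -E '^TLS_ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$' \
        | paste -s -d , -
}

audit_tls_connector() {
    local xml="$1" findings=0 protos ciphers p c
    protos=$(connector_attr "$xml" sslEnabledProtocols)
    ciphers=$(connector_attr "$xml" ciphers)

    # Anything below TLS 1.2 is only there for the old browsers listed at the top of the guide.
    for p in $(printf '%s' "$protos" | tr ',' ' '); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FINDING: legacy protocol enabled: $p"
                findings=$((findings + 1)) ;;
        esac
    done

    # 3DES/RC4/NULL/export/anonymous suites are weak; static ECDH, DH and RSA key
    # exchange give no forward secrecy (the first matching pattern wins).
    for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
        case "$c" in
            *3DES*|*RC4*|*NULL*|*EXPORT*|*anon*)
                echo "FINDING: weak cipher suite: $c"
                findings=$((findings + 1)) ;;
            TLS_ECDH_*|TLS_DH_*|TLS_RSA_*)
                echo "FINDING: no forward secrecy (static key exchange): $c"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample: a shortened copy of the step 13 Connector (8 of its 28 suites),
# written for illustration; it is not a real server.xml.
sample_server_xml() {
    cat > "$1" <<'EOF'
<Connector port="8443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/opt/tomcat/ssl/server.key" keystorePass="ComplexPassword" keyAlias="FQDN_Name" clientAuth="false" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
EOF
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    sample_server_xml "$demo/server.xml"
    audit_tls_connector "$demo/server.xml"
    echo "findings: $?"
    echo "recommended ciphers: $(strong_ciphers "$(connector_attr "$demo/server.xml" ciphers)")"
    rm -rf "$demo"
fi
```

Against the sample, `--demo` reports six findings (TLSv1, TLSv1.1, two static-ECDH GCM suites and the two 3DES suites) and recommends the two ECDHE GCM suites. Run `audit_tls_connector /opt/tomcat/conf/server.xml` on the real file after step 13; the CBC suites are deliberately not flagged because the guide keeps them for the browsers it lists.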
