Tomcat fresh install on Amazon EC2 Redhat Instance

This tutorial demonstrates how to install a fresh copy of Apache Tomcat 7.0.53 from source on an Amazon EC2 Red Hat based instance. It also covers installing MySQL, vsftpd, SSL (forced for the entire Tomcat server), and iptables prerouting.

To begin, log in to your EC2 instance and do a quick yum update. This ensures that all of your virtual machine’s libraries are up to date.

yum update 

When prompted, type “yes” to install updates. This update process can last several minutes.

The first package to install is MySQL. Run the following commands to install the server.

yum install mysql
yum install mysql-server
yum install mysql-devel 

Once installed, enable mysqld with chkconfig. This makes MySQL start automatically when the server reboots.

chkconfig mysqld on

Now you must configure mysql. Begin by starting the service.

service mysqld start 

It will output the following message:

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

Run the following command to set your new password for root login.

/usr/bin/mysqladmin -u root password 'new-password'

Now log in to the MySQL terminal by typing the following:

mysql -u root -p

It will prompt you for the password you just set above. The next step is to set up user permissions. This is accomplished by first creating a user, then assigning that user permissions to access a given database.

#Create a new user, with password
CREATE USER 'username'@'%' IDENTIFIED BY 'user_password';

#Grant the user access to a given database (the host part must match the one used in CREATE USER)
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'%' WITH GRANT OPTION;

#List all users and grants
SELECT user,host FROM mysql.user;

MySQL is now ready to use. You now have a user with grant permissions to access a given database (if you made one).

The next step is to set up Apache Tomcat 7.0.52. Navigate to the opt directory of your server, then download the Tomcat file and extract it.

cd /opt/
wget http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.53/bin/apache-tomcat-7.0.53.tar.gz
tar -zxvf apache-tomcat-7.0.53.tar.gz
rm apache-tomcat-7.0.53.tar.gz

Tomcat comes loaded with all the files you need. You can test running the server by navigating to the bin directory and running the startup script.

cd /opt/apache-tomcat-7.0.53/bin/
./startup.sh

Note: If Tomcat fails to start, check that the Java JDK is installed.

java -version
java version "1.7.0_71"
OpenJDK Runtime Environment (rhel-2.5.3.2.el6_6-x86_64 u71-b14)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

If no installation of Java is found, install JDK 1.7 using yum:

yum install java-1.7.0-openjdk java-1.7.0-openjdk-devel

It would be much nicer if you could start / stop the server like a service, e.g. “service tomcat start”. If you want Tomcat to run as a service, read the Tomcat Service Script tutorial.

Now I want Tomcat to run on port 80. Port 80 is the standard port for HTTP traffic. To direct traffic from port 80 to Tomcat, please follow my “Running Tomcat port 80” guide.

The next step is to enable SSL for security. In my case I want SSL to be forced / required on all requests. Let’s say I have private data being transmitted, so this is necessary.

First edit the conf/server.xml file. Note that the keystoreFile attribute should point to the location where you placed your tomcat.keystore file on the web server. I have placed mine in the root of the Tomcat server.

<Connector port="8443" enableLookups="false" protocol="HTTP/1.1" proxyPort="443" keystorePass="changeit" keystoreFile="/opt/apache-tomcat-7.0.53/keys/tomcat.keystore" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" Server="My server name" clientAuth="false" sslProtocol="TLS" />

To force SSL on all connections, edit the conf/web.xml file. At the end of the file, before the closing </web-app> tag, add:

<!-- Require HTTPS for everything except /files and (favicon) and /css. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOrHTTP</web-resource-name>
      <url-pattern>*.ico</url-pattern>
      <url-pattern>/files/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
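
How a container chooses between these two constraints can be checked offline. The following is an added example, not part of the original tutorial: a simplified model of the Servlet specification's matching order (exact match, longest path prefix, then extension) applied to a constructed copy of the constraints above. The function names are hypothetical, and HTTP methods and the merging of constraints that share a pattern are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the page's two constraints, wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.ico</url-pattern>
      <url-pattern>/files/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def load_rules(xml_text):
    """Return [(url_pattern, transport_guarantee)] for every constraint."""
    rules = []
    for sc in ET.fromstring(xml_text).findall(".//{*}security-constraint"):
        g = sc.findtext("{*}user-data-constraint/{*}transport-guarantee", "NONE")
        for pat in sc.findall(".//{*}url-pattern"):
            rules.append((pat.text.strip(), g.strip()))
    return rules

def guarantee_for(path, rules):
    """Best match in spec order: exact, longest path prefix, then extension."""
    exact = [g for p, g in rules if p == path]
    if exact:
        return exact[0]
    # "/*" is itself a path-prefix pattern, so it is considered at this step.
    prefix = [(len(p), g) for p, g in rules
              if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefix:
        return max(prefix)[1]
    ext = [g for p, g in rules if p.startswith("*.") and path.endswith(p[1:])]
    return ext[0] if ext else "NONE"

def audit(paths, xml_text=WEB_XML):
    """Map each request path to the transport guarantee that governs it."""
    rules = load_rules(xml_text)
    return {p: guarantee_for(p, rules) for p in paths}

if __name__ == "__main__":
    for path, g in audit(["/app/login", "/css/site.css", "/favicon.ico"]).items():
        print(f"{path:16} {g}")
```

Under this matching order /files/* and /css/* are exempt as intended, while /favicon.ico is still governed by /* because a path-prefix match is found before the *.ico extension pattern is consulted.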

Tomcat will now force SSL on all incoming connections and is ready for your war file. To upload a war file we need an FTP client. By default this Red Hat instance does not come with the libraries configured. I chose to use vsftpd.

yum install vsftpd
yum install ftp

The next step is to configure permissions.

vi /etc/vsftpd/vsftpd.conf

Look for the following lines and uncomment / modify them.

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES

After edits are made, restart the service.

service vsftpd restart

Finally, you need to add a user to the system to log in as.

adduser ec2-user
passwd ec2-user

Your server should now accept incoming connections via port 21 (FTP).

Once you log in you will only have access to your home directory. Hence, you will not have permission to upload to the Tomcat server directory in the opt folder. To fix this, add a symbolic link in your home directory to the webapps directory of the Tomcat installation.

ln -s /opt/apache-tomcat-7.0.53/webapps/ /home/ec2-user/webapps