Innoslate Enterprise Super Admin Documentation

Apache Tomcat Files Configurations

Understanding Apache Tomcat File Configurations

Apache Tomcat is a widely used, open-source Java web application server that provides a robust environment for running Java-based applications. Innoslate utilizes Apache Tomcat to enhance its functionality, allowing users to deploy and manage our web application with ease. Tomcat serves as the backbone for Innoslate's server-side operations, enabling features such as dynamic content generation, session management, and integration with the database. Its architecture supports the Java Servlet and JavaServer Pages (JSP) specifications, which are essential for building scalable and maintainable web applications. By leveraging Apache Tomcat, Innoslate ensures high performance, reliability, and flexibility in delivering its services to users.

Below we highlight frequently asked configurations within the Apache Tomcat files, providing essential guidance to help users customize their Tomcat server settings according to their specific application requirements. These configurations are crucial for optimizing performance, enhancing security, and ensuring seamless integration with other services. By understanding and applying these settings, users can tailor their Tomcat environment to better suit their operational needs, ultimately improving the overall functionality of their web applications. Whether you're adjusting the port for your application, setting session timeouts, or configuring reverse proxy settings, the following sections will provide clear instructions and best practices to facilitate these important modifications. 

Note, after applying any of the below settings, you MUST restart the Apache Tomcat Server. This may be done with the Startup and Shutdown Scripts in the bin folder located at: C:\Innoslate4\apache-tomcat\bin

Configuring Browser Port

To change the 8080 port that Innoslate defaults to, open the following XML file in the Innoslate files: C:\Innoslate4\apache-tomcat\conf\server.xml and update the port attribute of the following Connector element to the port you want.

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

Note, after applying the above settings, you MUST restart the Apache Tomcat Server. This may be done with the Startup and Shutdown Scripts in the bin folder located at: C:\Innoslate4\apache-tomcat\bin

Configuring User Timeout Settings

To configure session timeout settings, you will need to navigate to your “web.xml” file, found within the Innoslate4 folder at the following directory: “Innoslate4\apache-tomcat-8.5.30\webapps\innoslate4\WEB-INF”.

You will need to modify the following field:

<session-config>
<session-timeout>30</session-timeout>
</session-config>

Modify “30” to the number of minutes you want the session to stay active.

Note, after applying the above settings, you MUST restart the Apache Tomcat Server. This may be done with the Startup and Shutdown Scripts in the bin folder located at: C:\Innoslate4\apache-tomcat\bin

Setting up Tomcat with a Reverse Proxy

Apache Tomcat does not necessarily require an Origin header to function properly. However, if an Origin header is included in your requests, it is important that it matches the host name of your Tomcat server.

For example, a call from api.example.com with an Origin header set to 'api.example.com' (as a browser sends it) will not work, since <Host name="localhost"> is the default value.

The host name in the file server.xml (found at C:\Innoslate4\apache-tomcat\conf\server.xml) will need to be configured to match the domain name used in the virtual host of the Apache server. To configure this, change name="localhost" to name="api.example.com":

<Host name="api.example.com"  appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployXML="true">

Also update the connector tag in the server.xml:

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               scheme="https" secure="true" proxyName="api.example.com" proxyPort="443" />

The following attributes inform Tomcat that it is being accessed via a reverse proxy that terminates SSL/TLS:

scheme="https" secure="true" proxyName="api.example.com" proxyPort="443" 

If you do not perform the above step of adding proxy to Connector tag, every POST request will throw a 403 error.

Note, after applying the above settings, you MUST restart the Apache Tomcat Server. This may be done with the Startup and Shutdown Scripts in the bin folder located at: C:\Innoslate4\apache-tomcat\bin

Enabling TLS v1.2

To verify the TLS version in use, open the Chrome developer console and navigate to the Security tab. There you will find details about the connection, confirming whether it is using TLS 1.2 or a higher version.

To enable TLS, you will need a certificate and a Java Keystore. This can either be a self-signed certificate or one issued by a recognized certificate authority. If you decide to obtain a certificate from a vendor, it is crucial to adhere to their specific instructions for integrating it with Apache Tomcat. Alternatively, if you prefer to create your own self-signed certificate, please follow the steps outlined below.


Creating a Self-Signed Certificate

We will create the certificate using keytool, which comes with the JDK installation.
Do this by invoking the following command in CMD:

keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 3650

In place of keytool, give the full path (in "quotes") of the directory where keytool.exe is stored.
For example, the command when doing this procedure looked like this:

C:\Users\Orpheus>"C:\Program Files\Java\jre1.8.0_201\bin\keytool.exe" -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 3650

After that command you will be prompted to fill in the certificate fields. Be sure to simply press Enter on the final prompt, and not type a new password.


Java Keystore

Create the Java Keystore by entering the following in the command prompt:

"C:\Program Files\Java\jdk1.8.0_251\jre\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -keystore "C:\Innoslate4\apache-tomcat\webapps\innoslate4\WEB-INF\localhost.jks"

Copy the generated keystore.jks (it will be in whatever directory you were in when invoking the keytool.exe command) into the conf folder within the Apache Tomcat folder: C:\Innoslate4\apache-tomcat-8.5.30\conf

Then securely store the certificate—whether self-signed or obtained from a Certificate Authority—in the localhost.jks file.


Now, open the server.xml file (Navigate to C:\Innoslate4\apache-tomcat\conf) and enter the following: 

<Connector 
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443"
        maxThreads="200"
        scheme="https"
        secure="true"        
        SSLEnabled="true"
        keystoreFile="webapps\innoslate4\WEB-INF\localhost.jks" 
        keystorePass="changeit"
        clientAuth="false" 
        sslProtocol="TLSv1.2"
        SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:!RC4:!RC2:!DES:!3DES:!SHA:!SHA256:!SHA384:!MD5+HIGH:+MEDIUM"
        />

Note: SSLCipherSuite="<Cipher suite string>" goes on Connector as an attribute

In the same server.xml, identify the Connector for the port on which you intend to disable TLS 1.0 and 1.1. Change its <SSLHostConfig> line to <SSLHostConfig protocols="TLSv1.2">.
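As an added check (not part of the Innoslate documentation or of Tomcat's own tooling), the following Python script parses a server.xml and flags the mismatches the reverse-proxy and TLS sections above warn about: a Host name that differs from the proxy's proxyName, a proxied connector missing one of the four proxy attributes, and a TLS connector whose nested SSLHostConfig does not restrict protocols to TLSv1.2. The embedded server.xml is a constructed sample (keystore attributes omitted); pass your real file's contents to audit it.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real Innoslate server.xml: the proxied 8080 connector and
# a TLS connector with a nested SSLHostConfig, while Host is still at its default.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" scheme="https" secure="true"
               proxyName="api.example.com" proxyPort="443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2" />
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

PROXY_ATTRS = ("scheme", "secure", "proxyName", "proxyPort")
LEGACY_PROTOCOLS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_server_xml(xml_text, expected_host):
    """Return findings on Host/proxy consistency and on the TLS protocol list."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("Host"):
        if host.get("name") != expected_host:
            findings.append(f"Host name={host.get('name')!r}, expected {expected_host!r}")
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # Plain connector behind the TLS-terminating proxy: needs all four attributes.
            missing = [a for a in PROXY_ATTRS if conn.get(a) is None]
            if missing:
                findings.append(f"port {port}: missing proxy attributes {missing}")
            elif conn.get("proxyName") != expected_host:
                findings.append(f"port {port}: proxyName differs from Host name")
            continue
        # TLS connector: the SSLHostConfig 'protocols' list limits versions; default is "all".
        enabled = set()
        for cfg in conn.iter("SSLHostConfig"):
            enabled.update(p.strip().lstrip("+") for p in cfg.get("protocols", "").split(",") if p.strip())
        if not enabled:
            findings.append(f"port {port}: no SSLHostConfig protocols set (default allows TLS 1.0/1.1)")
        elif enabled & LEGACY_PROTOCOLS:
            findings.append(f"port {port}: legacy protocols enabled {sorted(enabled & LEGACY_PROTOCOLS)}")
    return findings
```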

Cipher Requirements

For more information see https://docs.openssl.org/1.1.1/man1/ciphers/

Cipher suite string explanation:

HIGH:MEDIUM: Includes strong and medium-strength ciphers.
!MD5: Excludes any cipher using the MD5 hash algorithm.
!EXP: Excludes any cipher in the "EXPORT" cipher suites.
!NULL: Excludes any cipher with "NULL" encryption.
!eNULL: Excludes any cipher with "NULL" encryption.
!aNULL: Excludes any cipher with "NULL" authentication (anonymous key exchange).
!LOW: Excludes any cipher considered "low" strength.
!ADH: Excludes any cipher using "anonymous Diffie-Hellman".
!3DES: Excludes any cipher using triple DES.
!DES: Excludes any cipher using DES.
!RC4: Excludes any cipher using RC4.
!RC2: Excludes any cipher using RC2.
!SHA: Excludes any cipher using SHA1.
!SHA256: Excludes any cipher using SHA256.
!SHA384: Excludes any cipher using SHA384.
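Added example, not from the Innoslate page: this Python script hands the cipher string above to the local OpenSSL (through the standard ssl module) to see which suites it actually selects, then checks that nothing from the excluded families survived and that only AEAD suites remain, since the !SHA:!SHA256:!SHA384 exclusions are what strip the CBC/HMAC suites. The selection depends on the OpenSSL build Python is linked against, which may differ from the library Tomcat uses.

```python
import ssl

# Cipher string from the Connector on this page, split only for readability.
INNOSLATE_CIPHERS = ("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:!RC4:!RC2:!DES:!3DES:"
                     "!SHA:!SHA256:!SHA384:!MD5+HIGH:+MEDIUM")
# Name fragments of the families the string is meant to exclude.
WEAK_MARKERS = ("RC4", "RC2", "DES", "MD5", "NULL", "ADH", "AECDH", "EXP")


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suites an OpenSSL-style cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # Each entry is a dict with 'name', 'protocol', 'aead', 'digest', ...; TLS 1.3
    # suites are listed as well, although OpenSSL configures them separately.
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string):
    """Return (selected suite names, findings) for a cipher string."""
    findings = []
    suites = expand_cipher_string(cipher_string)
    for suite in suites:
        name = suite["name"]
        hits = [m for m in WEAK_MARKERS if m in name]
        if hits:
            findings.append(f"{name}: excluded family still selected {hits}")
        # After !SHA:!SHA256:!SHA384 only AEAD suites (GCM, CCM, CHACHA20-POLY1305)
        # should remain; a CBC + HMAC suite means the string did not take effect.
        if not suite["aead"]:
            findings.append(f"{name}: non-AEAD suite (HMAC {suite['digest']})")
    return [s["name"] for s in suites], findings


if __name__ == "__main__":
    names, problems = audit_cipher_string(INNOSLATE_CIPHERS)
    print(f"{len(names)} suites selected, {len(problems)} findings")
    for line in names + problems:
        print("  " + line)
```

Running the same function on a laxer string such as "ALL:!aNULL:!eNULL" shows the CBC/HMAC suites that the page's string removes.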