Posted to users@tomcat.apache.org by Crystal Maramba <cm...@acumenllc.com> on 2013/11/07 18:46:25 UTC

Second Instance of Tomcat

Hi,

I am getting ready to deploy the Second Instance of Tomcat on the same server using different IP addresses.

\Tomcat\Instance1 (IP Address: xx.xx.xx.x1)
\Tomcat\Instance2 (IP Address: xx.xx.xx.x2)

I have a few questions, see below:


1)     For the Tomcat server ports, I will be using the Connector Port and Redirect port to bind it to a specific IP address by using address="xx.xx.xx.xx". Is there a way to use the same Shutdown Port and AJP Port to bind it to a different IP address? Or do I have to change the Shutdown and AJP port number?

2)     Keystore:

a.       I am going to be using https, can I use the same .keystore to import the certificate?

b.       If I move the .keystore to another location outside of Tomcat home, will Tomcat be able to see the .keystore if I specify the path within the server.xml file for .keystore path?

c.       Should I create a new .keystore for the new instance?

d.       What is the best practice for this?

3)     Does anyone know a way to encrypt the clear-text passwords specified in tomcat-users.xml for the Tomcat manager and server.xml file for .keystore?

Any help would be greatly appreciated.





Re: Second Instance of Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Dan,

On 11/7/13, 2:43 PM, Daniel Mikusa wrote:
> On Nov 7, 2013, at 2:08 PM, Crystal Maramba
> <cm...@acumenllc.com> wrote:
> 
>> Thanks, Dan. That helps a lot.
> 
> Please don't top post.  Reply inline or at the bottom.
> 
>> 2) a. I was referring to importing another certificate to the
>> same .keystore that Instance1 is using.
> 
> A keystore file can contain multiple certificates.  You just need
> to specify which certificate to use and that is done by specifying
> the "keyAlias" attribute on your connector.
> 
>> 3) The tomcat-users.xml file is used to store the user and
>> password for the tomcat manager which is used to deploy .war
>> files.
> 
> Ignore what I previously wrote here.  You can store hashes of your
> password in tomcat-users.xml.  To do this, you need to add the
> "digest" attribute on your Realm.  For the default configuration
> that would look like this.

Note that Tomcat uses a bare cryptographic digest, and not anything
more industrial-strength such as a "password derivation" function like
bcrypt/scrypt/PBKDF2. As such, your tomcat-users.xml file will be
vulnerable to rainbow attacks, etc. if stolen.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Second Instance of Tomcat

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Nov 7, 2013, at 2:08 PM, Crystal Maramba <cm...@acumenllc.com> wrote:

> Thanks, Dan. That helps a lot.

Please don't top post.  Reply inline or at the bottom.

> 2) a. I was referring to importing another certificate to the same .keystore that Instance1 is using.

A keystore file can contain multiple certificates.  You just need to specify which certificate to use and that is done by specifying the "keyAlias" attribute on your connector.

> 3) The tomcat-users.xml file is used to store the user and password for the tomcat manager which is used to deploy .war files.

Ignore what I previously wrote here.  You can store hashes of your password in tomcat-users.xml.  To do this, you need to add the "digest" attribute on your Realm.  For the default configuration that would look like this.

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" digest="SHA-256" />
</Realm>

See here for more details.

  https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

Dan






RE: Second Instance of Tomcat

Posted by Crystal Maramba <cm...@acumenllc.com>.
Thanks, Dan. That helps a lot.

2) a. I was referring to importing another certificate to the same .keystore that Instance1 is using.
3) The tomcat-users.xml file is used to store the user and password for the tomcat manager which is used to deploy .war files.



Re: Second Instance of Tomcat

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Nov 7, 2013, at 12:46 PM, Crystal Maramba <cm...@acumenllc.com> wrote:

> Hi,
> 
> I am getting ready to deploy the Second Instance of Tomcat on the same server using different IP addresses.
> 
> \Tomcat\Instance1 (IP Address: xx.xx.xx.x1)
> \Tomcat\Instance2 (IP Address: xx.xx.xx.x2)
> 
> I have a few questions, see below:
> 
> 
> 1)     For the Tomcat server ports, I will be using the Connector Port and Redirect port to bind it to a specific IP address by using address="xx.xx.xx.xx". Is there a way to use the same Shutdown Port and AJP Port to bind it to a different IP address? Or do I have to change the Shutdown and AJP port number?

The shutdown address can be specified in Tomcat 7, not in Tomcat 6.

   https://tomcat.apache.org/tomcat-7.0-doc/config/server.html

All of the AJP connectors (Tomcat 6 & 7) support an "address" attribute.  See here.

  https://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#Standard_Implementations

> 
> 2)     Keystore:
> 
> a.       I am going to be using https, can I use the same .keystore to import the certificate?

Not exactly sure I follow you here.  Are you asking if you can configure the connector for both instances of Tomcat to point to the same keystore file?  As far as I know, that's OK.


> b.       If I move the .keystore to another location outside of Tomcat home, will Tomcat be able to see the .keystore if I specify the path within the server.xml file for .keystore path?

Yes.  See keystoreFile.

  https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support


> c.       Should I create a new .keystore for the new instance?

That's up to you.  Do whatever makes the most sense for your setup.


> d.       What is the best practice for this?

It's tough to say what is a "best practice", since most environments are different and what makes the most sense for you likely depends on your unique environment.

What I can say is that I often see SSL terminated in front of Tomcat with a dedicated hardware device or Apache HTTPD.  It performs well, plus it makes sense in setups with multiple Tomcat instances because there is already something in front of the Tomcat instances to load balance across them.

That doesn't mean you have to do that though.  You could terminate the SSL with Tomcat and people do.  If you go this route, I'd suggest using the APR or NIO connector though.  The APR connector performs the best with SSL, but is a little trickier to set up.  The NIO doesn't perform as well as the APR, but I believe it's better than the BIO connector and it's easy to set up.


> 3)     Does anyone know a way to encrypt the clear-text passwords specified in tomcat-users.xml for the Tomcat manager and server.xml file for .keystore?

I don't know of anything for the tomcat-users.xml file.  It's my understanding that this file is not recommended for production use, so you should probably look at using a JDBC or LDAP realm instead.

  https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

Another option would be to write a custom realm that decrypts the passwords.

Having said that, I believe the general suggestion here is to apply proper unix permissions on the files to control access to them.  For example, you should set the owner to be the user that is running Tomcat, which should *not* be root and set the permission to r/w only for the owner.

Dan



RE: Second Instance of Tomcat

Posted by Crystal Maramba <cm...@acumenllc.com>.
Do you know what the syntax would be to have the AJP and Shutdown port bind to the IP? Would it be the same address="xx.xx.xx.xx"?

For ex:
<Server port="8005" shutdown="SHUTDOWN" address="xx.xx.xx.xx">
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="xx.xx.xx.xx"/>



Re: Second Instance of Tomcat

Posted by David kerber <dc...@verizon.net>.
On 11/7/2013 12:46 PM, Crystal Maramba wrote:
> Hi,
>
> I am getting ready to deploy the Second Instance of Tomcat on the same server using different IP addresses.
>
> \Tomcat\Instance1 (IP Address: xx.xx.xx.x1)
> \Tomcat\Instance2 (IP Address: xx.xx.xx.x2)
>
> I have a few questions, see below:
>
>
> 1)     For the Tomcat server ports, I will be using the Connector Port and Redirect port to bind it to a specific IP address by using address="xx.xx.xx.xx". Is there a way to use the same Shutdown Port and AJP Port to bind it to a different IP address? Or do I have to change the Shutdown and AJP port number?


The combination of IPAddr:port needs to be unique, so you can use the 
same port numbers if they're on different IP addresses, or the same IP 
addresses if the instances are listening on different ports.

Can't help you with the keystore stuff.



>
> 2)     Keystore:
>
> a.       I am going to be using https, can I use the same .keystore to import the certificate?
>
> b.       If I move the .keystore to another location outside of Tomcat home, will Tomcat be able to see the .keystore if I specify the path within the server.xml file for .keystore path?
>
> c.       Should I create a new .keystore for the new instance?
>
> d.       What is the best practice for this?
>
> 3)     Does anyone know a way to encrypt the clear-text passwords specified in tomcat-users.xml for the Tomcat manager and server.xml file for .keystore?
>
> Any help would be greatly appreciated.


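An added example (not from the thread, and not Tomcat's own tooling) that turns David's rule and Crystal's address= question into a pre-deployment check: it lists every socket a server.xml would open (the Server shutdown listener plus each Connector, redirectPort excluded) and reports address:port pairs two instances cannot both bind. Assumptions are Tomcat 7 defaults (Server address defaults to localhost, a Connector with no address listens on all local addresses, port="-1" disables shutdown); the server.xml fragments and 192.0.2.x addresses are constructed.

```python
import xml.etree.ElementTree as ET

WILDCARD = "*"  # a Connector with no address= listens on every local address


def listeners(server_xml):
    """Map (address, port) -> role for every socket this server.xml would open:
    the Server shutdown listener plus each Connector. redirectPort is only a
    number sent to clients, not a socket, so it is ignored."""
    root = ET.fromstring(server_xml)
    found = {}
    shutdown_port = int(root.get("port", "8005"))
    if shutdown_port > 0:                          # port="-1" disables shutdown
        found[(root.get("address", "localhost"), shutdown_port)] = "shutdown"
    for conn in root.iter("Connector"):
        port = int(conn.get("port", "0"))
        if port > 0:
            found[(conn.get("address", WILDCARD), port)] = conn.get("protocol", "HTTP/1.1")
    return found


def conflicts(a, b):
    """(port, side_a, side_b) for pairs that cannot both bind on one host: same
    port and same address, or same port where either side is a wildcard bind
    (treated conservatively as clashing with any address on that port)."""
    out = []
    for (addr_a, port_a), role_a in a.items():
        for (addr_b, port_b), role_b in b.items():
            if port_a == port_b and (addr_a == addr_b or WILDCARD in (addr_a, addr_b)):
                out.append((port_a, f"{addr_a} {role_a}", f"{addr_b} {role_b}"))
    return sorted(out)


def check(xml_a, xml_b):
    return conflicts(listeners(xml_a), listeners(xml_b))


# Constructed server.xml for instance 1 (RFC 5737 documentation addresses).
INSTANCE1 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" address="192.0.2.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" address="192.0.2.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="192.0.2.1"/>
  </Service>
</Server>"""

# Instance 2 as first drafted: connectors moved to the second IP, but the
# shutdown listener left at its defaults, so localhost:8005 is claimed twice.
INSTANCE2 = INSTANCE1.replace("192.0.2.1", "192.0.2.2")

# One fix: a distinct shutdown port, keeping the listener on localhost. Dan's
# alternative for Tomcat 7, address= on <Server>, also resolves the clash.
INSTANCE2_FIXED = INSTANCE2.replace('port="8005" shutdown=', 'port="8006" shutdown=')

if __name__ == "__main__":
    for label, second in (("as drafted", INSTANCE2), ("fixed", INSTANCE2_FIXED)):
        print(label + ":", check(INSTANCE1, second) or "no conflicts")
```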