I have a tomcat installation that is the default one. This is also setup to start automatically when my system starts. This default installation can be started or stopped with
sudo /etc/init.d/tomcat7 start | stop | restart
Logging works for this installation.
I also have 2 other tomcats (other version of tomcat7 installed on this system). Both of these instances are installed in the project workspaces. These tomcat instances are added to projects using the Servers view. Logging does not work for them at all. (I can't find anything if I look into their logs folders). What do I need to change to activate logging for these installations.
For the configuration of the DailyRollingFileAppender you can have a look at the answer for this question: log4j properties DailyRollingFileAppender does not work or other similar posts.
In order to check if the log4j configuration is really read or not, you can turn on debugging by adding this parameter in the start configuration:
-Dlog4j.debug
The appender should work as soon as this is activated. Check your home folder or your logs folder to see if it works.
You can essentially add this type of appender for each extra Tomcat you have in your configuration.
Related
The application installed on Tomcat (9.0.36.B.RELEASE) connects to an external source using SSL (in this case, IBM MQ). I therefore need to specify a truststore, and password for this truststore.
I got it to work adding this to the JVM_OPTS in setenv.sh:
-Djavax.net.ssl.trustStore=/opt/apps/certs/myapplication.truststore
-Djavax.net.ssl.trustStorePassword=TRUSTSTORE-PASSWORD
-Djavax.net.ssl.keyStore=/opt/apps/certs/myapplication.keystore
-Djavax.net.ssl.keyStorePassword=KEYSTORE-PASSWORD
Classic issue with this, the passwords are visible when I do ps -ef|grep java (runs on RHEL).
I have seen a couple suggestions on how to do this (like Hiding plain text password in JVM startup argumnets. " ps -ef | grep 'javax.net.ssl.keyStorePassword'"). But these change/add code or configuration in the WAR file.
I am looking for a "tomcat" solution. Is there a way to to this within the confines of Tomcat. Changes to the WAR file are difficult to implement, as the application comes from a vendor.
Note: this is not for a connector configuration in web.xml since that would only setup SSL for incoming connections. Here the application is making connections to an external system (so outbound from Tomcat's perspective).
You can add additional properties to $CATALINA_BASE/conf/catalina.properties and they will be sourced during Tomcat's startup. As you are certainly aware, system properties are global to the JVM, so there is no way to restrict this configuration to a single application only: the entire Tomcat server will be affected.
Almost all Java system properties can by set this way, with a few exceptions:
catalina.base and catalina.home (obviously),
the configuration for Tomcat logging,
the configuration for JMX and other tools that start before user code.
Attention: You must check whether the VersionLoggerListener (defined in server.xml) does not have logProps="true", otherwise the values of system properties will be logged. By default only the JVM arguments are logged.
Why can't I log in to the status page tomcat or manager app page in tomcat from a clean install?
So I go to get a tomcat version like here :http://mirror.olnevhost.net/pub/apache/tomcat/tomcat-7/v7.0.92/bin/apache-tomcat-7.0.92-windows-x86.zip
This is windows 32 bit, I unzip the thing and place it into my custom app's tomcat folder (renaming it from apache-tomcat-7.0.92 to just tomcat)
Then I install the tomcat7 service to windows services.msc using "service.bat install" command and then start it in the services.msc
I go to localhost:8080 and getr the main page that states tomcat is installed ... then when I try to click on the status page to login it won't allow...
I configured the tomcat-users xml file and triple checked all settings, even restarted server and restarted service etc
but it won't let me login no matter what?!?!?!
1) anyone can duplicate this, since I'm doing this from clean install
2) only thing is I'm putting it under a different root directory but I cannot imagine that would make a difference, I haven't changed anything upon clean install
Surely this cannot be broken like this and must be simple something that I somehow missed but I can't see how
I need to disable basic auth on weblogic server, which can be done by adding <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> into config.xml in a weblogic domain.
I'm deploying a web service to weblogic directly from IntelliJ Idea and every time I start deploy, the config.xml is replaced by a new one, so I cannot change config manually. I guess I need to pass some extra arguments in IntelliJ's run configuration. Does anyone has any experiences with this?
It was my mistake. I tried to modify config.xml and forgot my server is still running. According to this page I think it's pretty obvious why this happens. So, it has nothing to do with IntelliJ Idea.
Caution: Do not edit configuration files for a domain that is
currently running. Because Oracle WebLogic Server rewrites the files
periodically, your changes will be lost. Depending on your platform,
you also could cause Oracle WebLogic Server failures.
We are using Apache Tomcat 7 for my web applications and we have decided to go on production stage.
So now is the time to think about how to secure the Tomcat and the machine. After reading "Apache tomcat security considerations" we decided to go on run tomcat process on dedicated user with minimum scenario.
From what I understand the best option is to configure it in a way that the running tomcat process has only read privilege to all the tomcat files.
I figured I would do it in this way:
I would create 2 users:
-tomcat_process - only for running tomcat
-admin - this is the one all the files belong to
tomcat_process will have access to conf directory, and also will be able to run scripts from tomcat/bin/
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of logs and work directory and I thought I would point them to tomcat_process home dir (is this even a good idea?).
But I can't find any information if I can change the path to /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to conf directory, as the whole configurations sits in there.
Or do you think that I should live those directories where their are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or can I do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling how to do it :(
Keeping it simple I think is the key:
Create a new tomcat for each (set of) web application(s) with their own user.
Limit the tomcat resources to only the tomcat user. In linux you can use the chmod/chown command for this.
Place the tomcat behind a reverse proxy: Internet (https) <- external Firewall -> Apache Reverse Proxy <- Internal Firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps 'manager', 'root', 'docs'
Disable the shutdown command in server.xml
As for java web applications try to contain them in their own sandbox, meaning own database, own users.
To safe maintenance effort, you could run multiple instances using one tomcat binary and a single tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server
We have several Tomcat 7 instances installed on different servers. We sometimes deploy basically the same app to different Tomcats (for different customers) with the only differences being configs. In an effort to standardize logging locations, etc., we are trying to make the apps "universal" so that simply deploying the war file to a Tomcat instance will wire it up automatically so that we don't have to remember to change app for customer 1 and then again for customer 2, etc.
Anyway, in each Tomcat/conf folder, I have added some properties to the end of the catalina.properties file. Example:
# custom logging
log.base=c:/logs/tomcat/myapp
log.file=MYAPP.log
Now, in my application's log4j.cfg file, I have:
log4j.appender.R.File=${log.base}/${log.file}
And in my application's myapp.cfg I have:
logfile=${log.file}
Works great when I deploy. Tomcat puts everything where it should be except what's in the logging.properties file.
That file normally contains:
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
But I want to change the ${catalina.base}/logs to use my own ${log.base} variable. But Tomcat (or perhaps log4j?) doesn't recognize this. Instead, it actually creates a directory named "${log.base}" in the Tomcat root folder.
I read that you can declare custom variables in a setenv.bat file. I did that and it still didn't work.
How can I fix this?
BTW, I am using Windows, Tomcat 7 and the Windows service install (with the GUI).
Thanks
Set the environment variable JAVA_OPTS in setenv.bat. In this way you give a java VM argument. The following works in setenv.sh in Linux:
export JAVA_OPTS="-Dlog.base=/logs/tomcat/"
Now you should be able to use ${log.base} in logging.properties