Apache2 / SSL

How to create a self-signed SSL Certificate …

… which can be used for testing purposes or internal usage


Overview

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Normal web traffic is sent unencrypted over the Internet, so anyone with access to the right tools can snoop on all of that traffic. Obviously this leads to problems where security and privacy are necessary, such as credit card data and bank transactions. The Secure Sockets Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary: the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who it claims to be. Without a trusted signed certificate your data may be encrypted, but the party you are communicating with may not be who you think it is. Without certificates, impersonation attacks would be much more common.

Login or su as root (sudo su)

mkdir /etc/apache2/ssl/

cd /etc/apache2/ssl/

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. The command below creates a 2048 bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text (the sample output that follows was captured from an older 1024 bit run).

openssl genrsa -des3 -out self.signed.key 2048

Generating RSA private key, 1024 bit long modulus
.......................................++++++
.......++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated, a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR is sent to a Certificate Authority, such as Thawte or Verisign, who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which is demonstrated in Step 4.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

openssl req -new -key self.signed.key -out self.signed.csr

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Ohio
Locality Name (eg, city) [Newbury]:Lewis Center
Organization Name (eg, company) [My Company Ltd]:QBytesWorld
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:qbytesworld.com
Email Address []:qbytes.dq@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

cp self.signed.key self.signed.key.org
openssl rsa -in self.signed.key.org -out self.signed.key

The newly created self.signed.key file no longer has a passphrase; the encrypted original is kept as self.signed.key.org:

-rw-r--r-- 1 root root 1127 Feb 17 13:57 self.signed.csr
-rw-r--r-- 1 root root 1679 Feb 17 13:57 self.signed.key
-rw-r--r-- 1 root root 1751 Feb 17 13:57 self.signed.key.org

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 3650 days (ten years, the -days value in the command), issue the following command:

openssl x509 -req -days 3650 -in self.signed.csr -signkey self.signed.key -out self.signed.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
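Steps 1 to 4 as one non-interactive script, added here as an example and not part of the original notes: the subject comes from -subj instead of the prompts, the passphrase is supplied on the command line so the key can be created encrypted and then stripped as in Step 3, and the script ends with the checks worth running before the files go anywhere near Apache (key and certificate share a modulus, the CN is the name the vhost will serve, the certificate is not expired). The directory, CN, lifetime and passphrase are parameters; the subject fields other than CN are the sample values from the CSR prompts above, and the example uses -aes256 for the temporary key encryption where the notes use -des3.

```shell
#!/bin/sh
# Added example (not from the original notes): Steps 1-4 non-interactively,
# followed by the checks an operator should run on the result.
set -e

# gen_selfsigned DIR CN DAYS PASSPHRASE
gen_selfsigned() {
    dir=$1; cn=$2; days=$3; pass=$4
    mkdir -p "$dir"
    (
        # umask 077: every file below is created owner-only (0600), which is
        # what Step 5's chmod 400 achieves after the fact.
        umask 077
        cd "$dir"
        # Step 1: encrypted private key (-aes256 here instead of -des3).
        openssl genrsa -aes256 -passout "pass:$pass" -out self.signed.key.org 2048 2>/dev/null
        # Step 3: copy without the passphrase; this is the one Apache loads.
        openssl rsa -in self.signed.key.org -passin "pass:$pass" -out self.signed.key 2>/dev/null
        # Step 2: CSR; -subj replaces the interactive prompts. CN must be the
        # fully qualified name the vhost will answer on.
        openssl req -new -key self.signed.key -out self.signed.csr \
            -subj "/C=US/ST=Ohio/L=Lewis Center/O=QBytesWorld/OU=Information Technology/CN=$cn"
        # Step 4: self-sign the request for DAYS days.
        openssl x509 -req -days "$days" -in self.signed.csr \
            -signkey self.signed.key -out self.signed.crt 2>/dev/null
    )
}

# key_matches_cert DIR: "match" when the private key and the certificate
# carry the same RSA modulus, i.e. the pair handed to Apache belongs together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/self.signed.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$1/self.signed.crt" | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_cn DIR: the Common Name the certificate will present.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/self.signed.crt" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_now DIR: exit 0 while the certificate has not expired.
cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1/self.signed.crt" >/dev/null
}

# Usage: sh selfsigned.sh DIR CN [DAYS] [PASSPHRASE]
if [ "$#" -ge 2 ]; then
    gen_selfsigned "$1" "$2" "${3:-3650}" "${4:-changeit}"
    echo "key/cert: $(key_matches_cert "$1")  CN: $(cert_cn "$1")"
    cert_valid_now "$1" && echo "certificate is currently valid"
fi
```

Run it as sh selfsigned.sh /etc/apache2/ssl qbytesworld.com to reproduce the files the notes create by hand; the modulus comparison is the quickest way to catch a key and certificate that were generated in different runs.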

Step 5: Lock it down

chmod 400 /etc/apache2/ssl/self.signed.crt
chmod 400 /etc/apache2/ssl/self.signed.csr
chmod 400 /etc/apache2/ssl/self.signed.key
chmod 400 /etc/apache2/ssl/self.signed.key.org

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is built from source, it creates several directories under the Apache config directory; where that directory is depends on how Apache was compiled. In that layout the certificate and key are copied into it:

cp self.signed.crt /usr/local/apache/conf/ssl.crt
cp self.signed.key /usr/local/apache/conf/ssl.key

With the packaged Apache on Debian/Ubuntu this copy is not needed: the files already live in /etc/apache2/ssl/, which is where the virtual host configuration in the next step points.

Step 6: Configuring SSL Enabled Virtual Hosts

<VirtualHost *:443>
ServerName www.sample.com
ServerAlias sample.com
ServerAdmin webmaster@sample.com
JkMount /* ajp13_worker
CustomLog /srv/www-logs/sample.ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ErrorLog /srv/www-logs/sample.com.ssl.error.log
# JkMount /status/* stat1
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/self.signed.crt
SSLCertificateKeyFile /etc/apache2/ssl/self.signed.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

Step 7: Enable ssl module to run:

a2enmod ssl

Verify we are listening on port 443:

/etc/apache2/ports.conf

Listen 443

Edit /etc/apache2/sites-available/ssl (or whatever you called your new ssl site's config) and change port 80 in the name of the site to 443. Also change the virtual host setting. Add the lines "SSLEngine On", "SSLCertificateFile /etc/apache2/ssl/self.signed.crt" and "SSLCertificateKeyFile /etc/apache2/ssl/self.signed.key". The configuration file should then contain the lines shown in Step 6.
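A check for Steps 5 to 7 to run before Apache is restarted, added here as an example and not part of the original notes: it reads the SSLCertificateFile and SSLCertificateKeyFile paths out of a vhost file written like the one above and reports ok only when both files exist and the unencrypted key is readable by its owner alone, which is what the chmod 400 in Step 5 and the warning in Step 3 are about. The config path is a parameter, and the function assumes one directive per line as in the snippet above.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the certificate
# paths an Apache SSL vhost points at before the server is restarted.
set -e

# directive_value CONF DIRECTIVE: first uncommented value of DIRECTIVE.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)\$/\1/p" "$1" | head -n 1
}

# vhost_key_check CONF: prints ok, or a reason, and exits non-zero on a reason.
vhost_key_check() {
    conf=$1
    crt=$(directive_value "$conf" SSLCertificateFile)
    key=$(directive_value "$conf" SSLCertificateKeyFile)
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "missing-directive"; return 1
    fi
    if [ ! -f "$crt" ] || [ ! -f "$key" ]; then
        echo "missing-file"; return 1
    fi
    # Octal permission bits of the key (GNU stat, BSD stat as fallback).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        400|600) echo ok ;;                      # owner-only, as set in Step 5
        *) echo "key-mode-$mode"; return 1 ;;    # group or world can read the key
    esac
}

# Usage: sh vhostcheck.sh /etc/apache2/sites-available/ssl
if [ "$#" -eq 1 ]; then vhost_key_check "$1"; fi
```

A non-zero exit makes the check usable in a deployment script ahead of the restart in Step 8; a key-mode-644 result means the unencrypted key is readable by every local account, which is exactly the case Step 3 says must never happen.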

Step 8: Restart Apache and Test

/etc/init.d/apache2 stop
/etc/init.d/apache2 start

sudo service apache2 restart

https://public.akadia.com/

More information:

May need more data from http://wiki.debian.org/SubversionApache2SSLHowto

TODO: Check this document and the comment that says that we're not generating the certificate we need.

Change Home path

As root, open the file /etc/passwd

You will see a line that looks like this:
Code:
  • davidq:x:1000:100:,,,:/home/davidq:/bin/bash
Change it to this:
Code:
  • davidq:x:1000:100:,,,:/home/whatevery:/bin/bash

Make sure you have done this:

Code:
  • mkdir /home/whatevery
  • chown davidq /home/whatevery

Convert DHCP network configuration to static IP configuration

My friend wanted to know how to change or convert DHCP network configuration to static configuration. After initial installation, he wanted to change network settings. Further, his system is w/o GUI system aka X Windows. Here is quick way to accomplish the same:

Your main network configuration file is /etc/network/interfaces

Desired new sample settings:
=> Host IP address 192.168.1.100
=> Netmask: 255.255.255.0
=> Network ID: 192.168.1.0
=> Broadcast IP: 192.168.1.255
=> Gateway/Router IP: 192.168.1.254
=> DNS Server: 192.168.1.254

Open network configuration file
$ sudo vi /etc/network/interfaces
OR
$ sudo nano /etc/network/interfaces

Find and remove dhcp entry:
iface eth0 inet dhcp

Append new network settings:

iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254

Save and close the file. Restart the network:
$ sudo /etc/init.d/networking restart

Task: Define new DNS servers

Open /etc/resolv.conf file
$ sudo vi /etc/resolv.conf

You need to remove old DNS server assigned by DHCP server:
search myisp.com
nameserver 192.168.1.254
nameserver 202.54.1.20
nameserver 202.54.1.30

Save and close the file.

Task: Test DNS server

$ host cyberciti.biz
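Before writing the address, netmask and gateway into /etc/network/interfaces it is worth checking that they describe one consistent subnet. This is an added example, not from the original notes, in plain POSIX sh: it derives the network and broadcast lines of the stanza above from the address and netmask, and rejects a gateway that lies outside the subnet or is the network or broadcast address itself. The three values are parameters; the sample numbers are the ones from the settings above.

```shell
#!/bin/sh
# Added example (not from the original notes): consistency check for a
# static /etc/network/interfaces stanza, POSIX sh arithmetic only.
set -e

# ip2int A.B.C.D -> unsigned 32-bit value
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_static ADDRESS NETMASK GATEWAY
# Prints the derived network and broadcast values for the stanza, or a reason
# and a non-zero exit when the three values do not fit together.
check_static() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2"); gw=$(ip2int "$3")
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))   # all host bits set
    if [ "$ip" -eq "$net" ] || [ "$ip" -eq "$bcast" ]; then
        echo "address is the network or broadcast address"; return 1
    fi
    if [ $(( gw & mask )) -ne "$net" ]; then
        echo "gateway not in subnet"; return 1
    fi
    if [ "$gw" -eq "$net" ] || [ "$gw" -eq "$bcast" ]; then
        echo "gateway is the network or broadcast address"; return 1
    fi
    echo "network $(int2ip "$net") broadcast $(int2ip "$bcast")"
}

# Usage: sh staticcheck.sh 192.168.1.100 255.255.255.0 192.168.1.254
if [ "$#" -eq 3 ]; then check_static "$1" "$2" "$3"; fi
```

The printed network and broadcast values are the ones to paste into the stanza; computing them instead of typing them removes the usual mismatch between address and broadcast after a netmask change.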

Network command line cheat sheet

You can also use commands to change settings. Please note that these settings are temporary and not the permanent. Use above method to make network changes permanent or GUI tool as described below.

Task: Display network interface information

$ ifconfig

Task: Take down network interface eth0 / take a network interface down

$ sudo ifconfig eth0 down
OR
$ sudo ifdown eth0

Task: Bring a network interface eth0 up

$ sudo ifconfig eth0 up
OR
$ sudo ifup eth0

Task: Change IP address and netmask from command line

Activate network interface eth0 with a new IP (192.168.1.50) / netmask:
$ sudo ifconfig eth0 192.168.1.50 netmask 255.255.255.0 up

Task: Display the routing table

$ /sbin/route
OR
$ /sbin/route -n
Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 ra0
172.16.114.0    *               255.255.255.0   U     0      0        0 eth0
172.16.236.0    *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.254   0.0.0.0         UG    0      0        0 ra0

Task: Add a new gateway

$ sudo route add default gw 172.16.236.0

Task: Display current active Internet connections (servers and established connection)

$ netstat -nat

Task: Display open ports

$ sudo netstat -tulp
OR
$ sudo netstat -tulpn

Task: Display network interfaces stats (RX/TX etc)

$ netstat -i

Task: Display output for active/established connections only

$ netstat -e
$ netstat -te
$ netstat -tue

Where,

  • -t : TCP connections
  • -u : UDP connections
  • -e : Established

Task: Test network connectivity

Send ICMP ECHO_REQUEST to network hosts, routers, servers etc with ping command. This verifies connectivity exists between local host and remote network system:
$ ping router
$ ping 192.168.1.254
$ ping cyberciti.biz

See simple Linux system monitoring with ping command and scripts for more information.

Task: Use GUI (Graphical Configuration) network Tool

If you are new, use GUI configuration tool, type the following command at terminal:
$ network-admin &

Above command is Ubuntu's GUI for configuring network connections tool.

Final tip: learn how to find out more information about commands

A man page is your best friend when you want to learn more about a particular command or its syntax. For example, read detailed information about the ifconfig and netstat commands:
$ man ifconfig
$ man netstat

Get short help with all command options by appending the --help option to the command:
$ netstat --help

Find out what command is used for particular task by searching the short descriptions and manual page names for the keyword:
$ man -k 'delete directory'
$ apropos -s 1 remove

Display short descriptions of a command:
$ whatis rm
$ whatis netstat

Linux offers an excellent collection of utilities which can be used to find files and executables; remember, you cannot memorize all the commands and files 😉

Format and Mount Disk

info via: https://help.ubuntu.com/community/InstallingANewHardDrive

Get the logical name:

  • $ sudo lshw -C disk

*-disk
description: ATA Disk
product: WDC WD1600JB-00D
vendor: Western Digital
physical id: 0.0.0
bus info: scsi@0:0.0.0
logical name: /dev/sda
version: 75.1
serial: WD-WMACK2068123
size: 149GiB (160GB)
capabilities: partitioned partitioned:dos
configuration: ansiversion=5 signature=00031122
*-cdrom
description: DVD writer
product: DVD_RW ND-3550A
vendor: _NEC
physical id: 0.1.0
bus info: scsi@0:0.1.0
logical name: /dev/cdrom
logical name: /dev/cdrw
logical name: /dev/dvd
logical name: /dev/dvdrw
logical name: /dev/scd0
logical name: /dev/sr0
version: 1.05
serial: [
capabilities: removable audio cd-r cd-rw dvd dvd-r
configuration: ansiversion=5 status=ready
*-medium
physical id: 0
logical name: /dev/cdrom
*-disk
description: ATA Disk
product: WDC WD15EARS-00M
vendor: Western Digital
physical id: 0.0.0
bus info: scsi@2:0.0.0
logical name: /dev/sdb
version: 51.0
serial: WD-WMAZA3997903
size: 1397GiB (1500GB)
capabilities: partitioned partitioned:dos
configuration: ansiversion=5 signature=474f0d94

Partition disk less than 2TB:

  • $ sudo fdisk /dev/sdb

n = new part (may need to delete first)

p = partition

w = write changes

Partition disk greater than 2TB:

sudo parted /dev/sdX   # substitute your drive
> mklabel gpt          # makes a new gpt partition table, needed for >2TB
> mkpart pri 1 -1      # makes a new primary partition from start to end;
                       # note there are only primary partitions on gpt
> quit

Format disk:

  • $ sudo mkfs -t ext4 /dev/sdx1

Regain some disk:

  • $ sudo tune2fs -m 1 /dev/sdx1

Get the UUID of the disk:

  • $ sudo blkid

/dev/sda1: UUID="a491df4c-8870-4f68-bb12-fb3411c14141" TYPE="ext4"
/dev/sda5: UUID="8b9ce164-3b75-48c0-a115-c73522eea519" TYPE="swap"
/dev/sdb1: UUID="1be03f9f-b068-41a2-994f-ff790307ff2c" SEC_TYPE="ext2" TYPE="ext3"

Play it safe, make a backup

cp /etc/fstab ~

Auto Mount disk:

  • $ sudo pico /etc/fstab

UUID=1be03f9f-b068-41a2-994f-ff790307ff2c /mnt/local/sdx1 ext4 defaults,errors=remount-ro 0 1

  • $ sudo mkdir -p /mnt/local/sdx1

Prevent writes to the local mount point (so nothing lands on the root filesystem while the disk is not mounted):
  • $ sudo chmod 000 /mnt/local/sdx1

Mount disk
  • $ sudo mount -a
  • $ sudo mount -l

Auto Mount Network disk:

  • $ sudo pico /etc/fstab


# Network share
//192.168.1.20/d /media/qbw-srv smbfs username=%user%,password=%password%,umask=000 0 0

  • $ sudo mkdir /media/qbw-srv
  • $ sudo mount -a

Temp Mount Network disk:

  • $ sudo mount -t smbfs -o username=<username> //<win-box>/<share> /mnt/<name-of-mountpoint>

Format the disk NTFS (Not such a good ideal, does not support user:group)

sudo apt-get install ntfsprogs

sudo mkntfs /dev/sdx1 -f -L Tera -v

crontab

Visual CRONTAB: http://www.corntab.com/pages/crontab-gui


http://www.pantz.org/software/cron/croninfo.html

# backup will run on 7th day of the month
0 0 7 * * cp -r -u -f /media/shares/ /media/backup/shares/ >>/var/log/cronrun

/root/backup.sh

#!/bin/sh
####################################
#
# Backup to NFS mount script.
#
####################################
# What to backup.
#backup_files="/root /srv /home /var/spool/mail /etc /boot /opt"
backup_files="/root /srv /home /var/spool/mail /etc /boot /opt"

# Create archive filename.
day=$(date +"%Y-%m-%d.%H-%M-%S")
servername=$(hostname -s)
archive_file="$servername.$day.tgz"

# Where to backup to.
env=01
#mount=/mnt/local/sdb1
mount=/mnt/nfs/fs-$env.sdb1
#dest="$mount/backup/$servername"
dest="$mount/backup"
mkdir -p $dest

fullpath=$dest/$archive_file
# Print start status message.
echo "Backing up $backup_files to $fullpath"
echo $(date)
echo

# Backup the files using tar.
#tar czf $fullpath $backup_files
tar czf $fullpath $backup_files
chmod 400 $fullpath

# Print end status message.
echo
#echo $(date)
echo "Backup finished"
date

# Long listing of files in $dest to check file sizes.
ls -lh $dest

read this: http://www.thegeekstuff.com/2010/09/rsync-command-examples/

Shutdown/Restart

shutdown command

shutdown arranges for the system to be brought down in a safe way. All logged-in users are notified that the system is going down and, within the last five minutes of TIME, new logins are prevented. The shutdown utility provides an automated shutdown procedure for superusers to nicely notify users when the system is shutting down, saving them from system administrators, hackers, and gurus, who would otherwise not bother with such niceties.

The shutdown command can be used to turn off or reboot a computer.


How do I use shutdown command?

Type the command as follows to shutdown server / computer immediately:
$ sudo shutdown -h now
OR
$ sudo shutdown -h 0

How do I shutdown the computer at a specific time?

To shutdown computer at 6:45pm, enter:
$ sudo shutdown -h 18:45 "Server is going down for maintenance"
At 6:30pm the message goes out to all users and at 6:45pm the system shuts down.

halt or poweroff or reboot command for stopping and restarting the system:
$ sudo halt
OR
$ sudo poweroff

Simply use reboot command:
$ sudo reboot
OR
$ sudo shutdown -r 0

Artifactory setup

  • $ sudo mkdir /media/share/artifactory
  • $ sudo chown tomcat6:tomcat6 /media/share/artifactory
  • $ sudo pico /etc/default/tomcat6
    • Add -Dartifactory.home=/media/shares/artifactory to JAVA_OPTS (add the whole line if it is not already present):
      JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC -DHUDSON_HOME=/media/shares/hudson -Dartifactory.home=/media/shares/artifactory -server -Xms1g -Xmx1g -Xss256k -XX:PermSize=128m -XX:MaxPermSize=128m -XX:NewSize=384m -XX:MaxNewSize=384m"
  • $ sudo /etc/init.d/tomcat6 restart

Download Artifactory latest from: http://sourceforge.net/projects/artifactory/files/artifactory/

Unzip

Upload WAR file to: http://ubuntu-server:8080/manager/html

Validate http://servername:8080/artifactory

Hudson setup

  • $ sudo mkdir /media/shares/hudson
  • $ sudo chown tomcat6:tomcat6 /media/shares/hudson
  • $ sudo pico /etc/default/tomcat6
    • Add -DHUDSON_HOME=/media/shares/hudson to JAVA_OPTS (add the whole line if it is not already present):
      JAVA_OPTS="-Djava.awt.headless=true -XX:+UseConcMarkSweepGC -DHUDSON_HOME=/media/shares/hudson -Dartifactory.home=/media/shares/artifactory -server -Xms1g -Xmx1g -Xss256k -XX:PermSize=128m -XX:MaxPermSize=128m -XX:NewSize=384m -XX:MaxNewSize=384m"
  • $ sudo /etc/init.d/tomcat6 restart
  • $ cd /var/lib/tomcat6/webapps
  • $ sudo wget http://hudson-ci.org/downloads/war/2.0.1/hudson.war

Validate http://servername:8080/hudson

Tomcat multi instance manual config

Get Tomcat to follow links:

### cd /var/lib/tomcat7/webapps/QBW-FrontPage/META-INF

### ls -l
-rw-r--r-- 1 root root 89 Feb 4 00:22 context.xml
### vi context.xml
<?xml version='1.0' encoding='utf-8'?>
<Context reloadable="true" allowLinking="true" />

Needed for: QBW-FrontPage.war (435.41 kb)

Tomcat

Tomcat is actually very simple install. It is a matter of extracting the files in a location, modifying a few scripts, and running the startup scripts. For those who are not 100% familiar with how tomcat works, it sets up using the environment variables of the user that is executing the startup script.

Create “tomcat” Group & User

First things first, what we would like to do, is create a new user called tomcat and make it impossible for it to logon.

sudo groupadd tomcat

Now you have to create a new user called "tomcat" (useradd tomcat) who belongs to the group "tomcat" (-g tomcat) and cannot log in (-s /usr/sbin/nologin). You should also set the home directory of that user to the directory where you moved the Tomcat server in the previous step. In this case that would be "/usr/local/tomcat" (-d /usr/local/tomcat). So you should end up with a statement that looks something like this:
sudo useradd -g tomcat -s /usr/sbin/nologin -m -d /usr/local/tomcat tomcat

3. Now you should also add the user to the “www-data” group. This group should already exist. You do that by executing the following command:

sudo usermod -G www-data tomcat

4. Create INIT File for Tomcat

Now you should create an INIT-File that makes it possible to start, stop and restart your Tomcat Server. This file must be located in your “/etc/init.d/” directory. You can use the following command to create a file called “tomcat” and open up that file in an editor (I used nano).

sudo vi /etc/init.d/tomcat8x0

Now you should add the following lines into the file an save it:

#!/bin/sh
# Tomcat auto-start
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid
# this path should point to your JAVA_HOME directory
# export JAVA_HOME=/usr/lib/jvm/java-6-sun
# 8x0 is the instance directory created further down (e.g. 810)

case $1 in
start)
    sh /opt/tomcat7/8x0/bin/startup.sh
    ;;
stop)
    sh /opt/tomcat7/8x0/bin/shutdown.sh
    ;;
restart)
    # stop first, then start (the original listed these the other way round)
    sh /opt/tomcat7/8x0/bin/shutdown.sh
    sh /opt/tomcat7/8x0/bin/startup.sh
    ;;
esac

exit 0

Make sure you set the right paths for the startup.sh and shutdown.sh scripts. They reside in the /bin directory of your tomcat path (use the path to which you moved the tomcat files in step 2).

5. Adjust Permissions of INIT File

Since you have to execute the tomcat file, you have to assign the correct rights for the file to be executable.
This line should do the trick:

sudo chmod 755 /etc/init.d/tomcat8x0

6. Make Tomcat auto-start on boot (optional)

If you want the Tomcat Server to start every time the system boots up you can use the "update-rc.d" command to set a symbolic link at the correct runlevel. For the "tomcat8x0" file this looks like this:

sudo update-rc.d tomcat8x0 defaults

You can remove the autostart with the following command: sudo update-rc.d -f tomcat8x0 remove

Now the Tomcat Server starts automatically at system bootup. This step is optional you can always start your Tomcat Server manually like this:

sudo /etc/init.d/tomcat8x0 start

If we have already installed on another server, lets use SCP

Dest server: sudo chmod 777 /opt

Source server: sudo scp -r /opt/tomcat7 davidq@tomcat-02:/opt

Dest server: sudo chmod 755 /opt

IF scp was used….. (SET JMX HOST NAME)……Skip to section: Change the owner

Download the gz

mkdir ~/download

cd ~/download

wget http://apache.mirrors.tds.net/tomcat/tomcat-7/v7.0.35/bin/apache-tomcat-7.0.35.tar.gz

Now let's extract the files. Remember, our files are in the folder ~/download

tar -xf apache-tomcat-7.0.35.tar.gz

Copy them to the /opt folder

sudo cp -rf ~/download/apache-tomcat-7.0.35/* /opt/tomcat7/

sudo rm /opt/tomcat7/bin/*.bat

For every instance, we need to copy the folder over. For this exercise, we will create 2 instances:

sudo cp -rf /opt/tomcat7 /opt/tomcat7/8x0

sudo vi /opt/tomcat7/8x0/webapps/ROOT/index.jsp

replace:

<h1>${pageContext.servletContext.serverInfo}</h1>

With

<h1>${pageContext.servletContext.serverInfo} : <font color="red">Instance 8x0</font></h1>

Now we need to modify the startup and shutdown scripts. In order to do so, lets go into the bin folder of each instance.

cd /opt/tomcat7/8x0/bin

In this folder will be startup.sh and shutdown.sh scripts. We need to modify these scripts to include the right environmental parameters. Add these commands to the startup.sh script:

#export JAVA_HOME=/usr/java/jdk1.7.0_07
#export JAVA_HOME=/usr/bin/java
#export PATH=$JAVA_HOME/bin:$PATH
export BASEDIR=/opt/tomcat7/810
export CATALINA_BASE=/opt/tomcat7/810
export CATALINA_HOME=/opt/tomcat7/810

and enable JMX

export JAVA_OPTS="-Dcom.sun.management.jmxremote.port=810x \
    -Dcom.sun.management.jmxremote.ssl=false \
    -Dcom.sun.management.jmxremote.authenticate=false \
    -Djava.rmi.server.hostname=192.168.1.8x"

or secured

export JAVA_OPTS="-Dcom.sun.management.jmxremote.port=8x09 \
    -Djava.rmi.server.hostname=192.168.1.xx \
    -Dcom.sun.management.jmxremote.ssl=false \
    -Dcom.sun.management.jmxremote.authenticate=true \
    -Dcom.sun.management.jmxremote.password.file=/opt/tomcat7/jmxremote.password \
    -Dcom.sun.management.jmxremote.access.file=/opt/tomcat7/jmxremote.access"

sudo vi /opt/tomcat7/jmxremote.access

#monitorRole readonly

#controlRole readwrite

username readwrite

sudo vi /opt/tomcat7/jmxremote.password

#monitorRole tomcat
#controlRole tomcat
username password

This password file must be owned by the user Tomcat runs as and readable by that user only (mode 600); the JVM refuses to start the JMX agent if anyone else can read it.
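The two JAVA_OPTS variants above differ in exactly the settings that decide whether the remote JMX port is open to anyone who can reach it. As an added example (not part of the original notes), this function classifies a JAVA_OPTS string: a remote port with authenticate=false is reported as insecure, a port with a password file is accepted only when that file is readable by its owner alone, and ssl=false is reported separately so the reader knows the credentials and data cross the wire unencrypted. The sample strings in the test are the two from above with the x placeholders filled in with constructed values.

```shell
#!/bin/sh
# Added example (not from the original notes): classify a Tomcat JAVA_OPTS
# string by the remote-JMX settings it contains.
set -e

# opt_value OPTS NAME: value of -Dcom.sun.management.jmxremote.NAME=..., if set
opt_value() {
    printf '%s\n' "$1" | sed -n "s/.*jmxremote\.$2=\([^ \"]*\).*/\1/p"
}

# jmx_opts_check "JAVA_OPTS"
# Prints one of: no-remote-jmx, insecure-no-auth, insecure-no-password-file,
# insecure-password-file-mode-NNN, auth-ok-no-ssl, auth-ok.
# Exits non-zero for the insecure cases.
jmx_opts_check() {
    opts=$1
    [ -n "$(opt_value "$opts" port)" ] || { echo no-remote-jmx; return 0; }
    if [ "$(opt_value "$opts" authenticate)" = false ]; then
        echo insecure-no-auth; return 1        # anyone who reaches the port gets in
    fi
    pf=$(opt_value "$opts" password.file)
    if [ -z "$pf" ]; then
        # No explicit password file: the JVM would fall back to the default one
        # under the JRE, which is not what these notes configure.
        echo insecure-no-password-file; return 1
    fi
    if [ -f "$pf" ]; then
        # Octal permission bits (GNU stat, BSD stat as fallback).
        mode=$(stat -c %a "$pf" 2>/dev/null || stat -f %Lp "$pf")
        case "$mode" in
            400|600) ;;
            *) echo "insecure-password-file-mode-$mode"; return 1 ;;
        esac
    fi
    if [ "$(opt_value "$opts" ssl)" = false ]; then
        echo auth-ok-no-ssl      # authenticated, but credentials travel in clear
    else
        echo auth-ok
    fi
}

# Usage: sh jmxcheck.sh "$JAVA_OPTS"
if [ "$#" -eq 1 ]; then jmx_opts_check "$1"; fi
```

Running it over the JAVA_OPTS exported in each instance's startup.sh gives a quick inventory of which instances expose an unauthenticated JMX port before they are started.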

Or we can modify the ENVIRONMENT variables???

Now we define the environment variables JAVA_HOME and JRE_HOME. This file is /etc/environment. Command to edit the file:

sudo gedit /etc/environment


Here we record the paths where we have installed Java; in my case this is as follows:

JAVA_HOME="/usr/local/jdk1.6.0_23"

JRE_HOME="/usr/local/jdk1.6.0_23/jre"

PATH="…(other path):$JAVA_HOME:$JRE_HOME"

How your script should look with the script modifications.

Once done, do the same for the shutdown script (shutdown.sh).

Next, in the conf folder, we need to modify the server.xml file to modify the server ports used for tomcat. This is how we do it:

There are two ports needed: (1) the actual http port and (2) the shutdown port. For every instance we will create, these ports need to be different (Later we will see how to use the same ports with another method).

For our first instance, we can leave the defaults, 8080 and 8005. For the next instance, we will change the ports. (I like to add 100 to the default, which means 8180 for the http port and 8101 for the shutdown port.)

Configuring the shutdown port from 8005 to 8101 in server.xml

Configuring the http port from 8080 to 8180 in server.xml

Change the owner of the folders to the group tomcat and the user tomcat:

sudo chown -R tomcat:tomcat /opt/tomcat7

Now to run the instance of Tomcat, lets execute the script as the user tomcat:

cd /opt/tomcat7/8x0/bin

su -p -s /bin/sh tomcat startup.sh

Lets check out our separate tomcat instances:

http://ipaddress-of-server:8180/

The manager and admin webapps of an instance need roles and a user in its conf/tomcat-users.xml, for example:

<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>

Autostart after boot

http://linuxphile.org/node/7

JMX (more reading)

http://tomcat.apache.org/tomcat-5.5-doc/monitoring.html#Enabling_JMX_Local

http://www.mulesoft.com/tomcat-jmx#.URFKkYJopec

HAProxy

I mentioned earlier that there is a way to have all your instances of Tomcat to respond on the same http port. We can achieve this using a server called HAProxy. HAProxy is an open source load balancer that you can use to redirect http requests to web servers that are using different ports. For a full breakdown of the configuration, please read my post on HAProxy here.


