Tomcat Private Instances
Last modified: August 15, 2023
Overview
- This document only applies to Tomcat 8.5.
- If you are running a server that uses AlmaLinux, Rocky Linux™, or Ubuntu®, you can only install Tomcat in container-based packages that use EasyApache 4’s containers. For more information about using Tomcat on these operating systems, read our Tomcat via Containers documentation.
- We strongly recommend that only experienced Tomcat administrators use Tomcat.
Tomcat runs as a per-user private instance. This allows each cPanel account user to manage their own Tomcat services and configuration.
Private instances
Each user’s instance of Tomcat runs its applications as the user. The user can stop and start services, and manage their Tomcat configuration to suit their needs.
The private instance approach increases the security of your system and operates on the user’s designated ports.
Configuration
A cPanel user must possess shell access to perform these actions.
When you enable Tomcat for a user account, the system sets up a blank environment for the user. The system creates the environment in the following location, where user represents the user’s username:
/home/user/ea-tomcat85/conf
Default configuration
EasyApache 4 makes the following configuration changes from the default Tomcat 8.5 behavior to the ~/ea-tomcat85/conf/server.xml file:
- Disables the shutdown port by default.
- Sets the xpoweredBy attribute of all Connectors to a false value.
- Removes the redirectPort attribute.
- Adds the ErrorReportValve class to all hosts with the showServerInfo value set to a false value.
- Sets the following host attributes to a false value:
  - autoDeploy
  - deployOnStartup
  - deployXML
Configure applications
To use the Tomcat instance, configure the desired applications in the /home/user/ea-tomcat85/webapps/ROOT directory. You can also set up a proxy to point to the app’s location. For more information about proxies, read our Tomcat Proxies documentation.
To deploy a Tomcat application, read Tomcat’s Tomcat Web Application Deployment documentation.
Configure SSL
If you want to use SSL in Tomcat, you must configure it manually.
To configure SSL, perform the following steps:
- Request a port for SSL from the system administrator. The system administrator can assign these ports with the cpuser_port_authority script.
- Configure the port to use SSL in the ~/ea-tomcat85/conf/server.xml file.
  - Add the redirectPort attribute.
  - Add the appropriate SSL connector. For example, if you wanted to configure SSL with HTTP, your entry might resemble the following example, where 10000 represents your assigned HTTP port, and 10003 represents the SSL port:
<Connector port="10000" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="10003" />
<Connector port="10003" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" keystoreFile="/path/to/keystorefile" keystorePass="my_keystore_password"/>
We strongly recommend that you do not store plain text passwords in files. However, if you do, you must not loosen the .conf file permissions.
For more information, read Tomcat’s SSL/TLS Configuration documentation.
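The following Python check is an added example, not part of cPanel's documentation or tooling. It audits a user's server.xml against the defaults listed under "Default configuration" and the SSL notes above; the function names, finding strings and embedded sample file are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

HOST_FLAGS = ("autoDeploy", "deployOnStartup", "deployXML")
VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: the SSL connectors above in a file that drifted from the defaults.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="10000" protocol="HTTP/1.1" redirectPort="10003" />
<Connector port="10003" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path/to/keystorefile" keystorePass="my_keystore_password" />
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" autoDeploy="true" deployOnStartup="false" deployXML="false">
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" />
</Host></Engine></Service></Server>"""

def is_false(value):
    """True only for an explicit false; an absent attribute does not count."""
    return value is not None and value.strip().lower() == "false"

def audit_server_xml(xml_text):
    """Return a list of findings for a Tomcat 8.5 server.xml passed as text."""
    root = ET.fromstring(xml_text)  # the root element is <Server>
    findings = []
    if root.get("port", "8005") != "-1":  # Tomcat disables the shutdown port at -1
        findings.append("shutdown port enabled")
    connectors = list(root.iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors if c.get("SSLEnabled", "").lower() == "true"}
    for conn in connectors:
        port = conn.get("port")
        if conn.get("xpoweredBy", "false").lower() == "true":  # Tomcat's default is false
            findings.append(f"connector {port}: xpoweredBy is true")
        if conn.get("redirectPort") and conn.get("redirectPort") not in ssl_ports:
            findings.append(f"connector {port}: redirectPort has no SSL connector")
        if conn.get("keystorePass") is not None:
            findings.append(f"connector {port}: plain text keystorePass")
    for host in root.iter("Host"):
        name = host.get("name")
        findings += [f"host {name}: {f} is not false" for f in HOST_FLAGS if not is_false(host.get(f))]
        valves = [v for v in host.iter("Valve") if v.get("className") == VALVE]
        if not any(is_false(v.get("showServerInfo")) for v in valves):
            findings.append(f"host {name}: ErrorReportValve does not hide server info")
    return findings

def loose_permissions(path):
    """True when group or other users have any access to the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

To audit a real account, pass the text of ~/ea-tomcat85/conf/server.xml to audit_server_xml() and the file's path to loose_permissions().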
Proxies
You must set up Apache proxies manually. For more information, read our Tomcat Proxies documentation.
Manage services as a user
To manage services in Tomcat, users can use the cpuser_service manager and Ubic subsystem. This script adds services and allows users to easily stop and restart their services.
For example, run the following command on the command line to restart your Tomcat service:
ubic restart ea-tomcat85
If Ubic does not exist in your PATH, you must add it to your configuration. For example, you might add the following line to your .bashrc file:
export PATH=$(dirname $(readlink /usr/local/cpanel/3rdparty/bin/perl)):$PATH
Jailshell users cannot see the status of their previously started Tomcat service. The default jailshell permissions only allow users to view their current session’s processes. If they attempt to restart an already active service with Ubic, the system will launch a duplicate process.
Tomcat security
If your desired Tomcat applications support it, we strongly recommend that you enable Tomcat’s Security Manager. This adds extra security, but may break some applications. For more information, read Tomcat’s Security Manager How-To documentation.