Download the Java Development Kit, extract it and install:
rpm -i jdk-1_5_0_16-linux-i586.rpm
Initially this didn't seem to work, but after uninstalling and reinstalling it seemed OK.
Install Tomcat
Download Tomcat 5, extract it and move it to /usr/local:
wget http://mirrors.ukfast.co.uk/sites/ftp.apache.org/tomcat/tomcat-5/v5.5.27/bin/apache-tomcat-5.5.27.tar.gz
(we got the download location from a browser on another machine and pasted it into our ssh session)
tar -zxvf apache-tomcat-5.5.27.tar.gz
mv apache-tomcat-5.5.27 /usr/local/tomcat
Edit the catalina.sh file:
cd /usr/local/tomcat/bin
nano catalina.sh
Add to catalina.sh:
JAVA_HOME=/usr/java/jdk1.5.0_16/jre
Save and exit and try starting it up:
./startup.sh
It worked, showing:
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/jdk1.5.0_16/jre
Tomcat is now visible at: http://{FQDN}:8080/
OK!
Proxy through to tomcat
Now we use ProxyPass to make this appear on the normal web port:
nano /etc/httpd/conf/httpd.conf
In the VirtualHost section at the bottom of the file:
ServerAdmin oursupport@oururl
DocumentRoot ***fix this!***
ServerName portal.oururl
# Proxy Pass the local Tomcat instance onto the normal Apache port 80
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
Save, exit and
service httpd restart
Now we should see tomcat on: http://{FQDN}/
OK.
Add new IP interface
We do this on our system because of how web services are organised on the firewall: we add a new IP interface to the server in the external web range the firewall allows. This is done by creating a secondary IP address on the eth0 interface:
cd /etc/sysconfig/network-scripts
Copy the eth0 config to eth0:{new last byte of IP address}:
cp ifcfg-eth0 ifcfg-eth0:{new last byte of IP address}
nano ifcfg-eth0:{new last byte of IP address}
In this file change:
DEVICE=eth0:{new last byte of IP address}
and
IPADDR={your class C}.{new last byte of IP address}
Save and run:
service network restart
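The alias-interface steps above, as an added shell script that is not part of the original post: it copies an existing ifcfg-eth0 to ifcfg-eth0:{last byte}, rewrites only the DEVICE and IPADDR lines, and refuses a last byte outside 1-254 or a malformed prefix so a typo cannot produce an address outside the range the firewall allows (or a stray filename in network-scripts). The 192.0.2.x prefix, the file contents and the script name are constructed for illustration; the RHEL/CentOS network-scripts layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): build an alias interface file,
# ifcfg-eth0:N, from an existing ifcfg-eth0, as the steps above describe.
# Assumes RHEL/CentOS-style network-scripts with DEVICE= and IPADDR= lines.

make_alias_config() {
    # $1: existing ifcfg file, e.g. /etc/sysconfig/network-scripts/ifcfg-eth0
    # $2: first three bytes of the range allowed on the firewall, e.g. 192.0.2 (constructed)
    # $3: new last byte for the alias address
    src="$1"; net="$2"; last="$3"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Only a plain host byte is accepted: anything else is a typo, and it
    # would also end up in the filename we create below.
    case "$last" in
        ''|*[!0-9]*) echo "last byte must be a number, got '$last'" >&2; return 1 ;;
    esac
    if [ "$last" -lt 1 ] || [ "$last" -gt 254 ]; then
        echo "last byte $last is outside 1-254" >&2; return 1
    fi

    # The prefix must be three dotted decimal bytes
    if ! echo "$net" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){2}$'; then
        echo "prefix must look like A.B.C, got '$net'" >&2; return 1
    fi

    # Parent device name, with any surrounding quotes stripped
    dev=$(sed -n 's/^DEVICE=//p' "$src" | head -n 1 | tr -d '"')
    [ -n "$dev" ] || { echo "no DEVICE= line in $src" >&2; return 1; }

    out="$(dirname "$src")/ifcfg-$dev:$last"
    if [ -e "$out" ]; then
        echo "$out already exists, refusing to overwrite" >&2; return 1
    fi

    # Copy the parent config, changing only DEVICE and IPADDR as the steps above say
    sed -e "s/^DEVICE=.*/DEVICE=$dev:$last/" \
        -e "s/^IPADDR=.*/IPADDR=$net.$last/" "$src" > "$out"
    echo "$out"
}

# Usage: sh make_alias.sh /etc/sysconfig/network-scripts/ifcfg-eth0 192.0.2 62
# followed by: service network restart
if [ $# -eq 3 ]; then
    make_alias_config "$1" "$2" "$3"
fi
```

The script prints the path of the file it wrote, so the output can be checked (or fed to nano) before the network restart.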
Update DNS
Change DNS so the name points at the IP address, with a matching reverse record - not documented here!
Get certificates and keys lined up ready
Generate a key using openssl, generate a Certificate Signing Request (CSR) and send it to your certificate authority - a whole other can of worms, not documented here! You should get a certificate file back.
We get a {load of letters & numbers}.pem file - rename it {servername}.cer and put it in /config/httpd/certs - make sure your key file is in there too, and also the intermediate certificate if required (as ours is!).
Get https working
Edit httpd.conf again:
nano /etc/httpd/conf/httpd.conf
Uncomment the line:
NameVirtualHost *:80
and add a new one for the secure connection:
NameVirtualHost {IP address}:443
and copy the existing VirtualHost section, editing the top line of the copy to read:
<VirtualHost 195.195.14.62:443>
and adding:
#SSL
SSLEngine on
SSLCertificateFile /config/httpd/certs/{servername}.cer
# the server's own private key, the one the CSR was generated from (not a CA key)
SSLCertificateKeyFile /config/httpd/certs/{servername}.key
# intermediate certificate, sent to clients together with the server certificate
SSLCertificateChainFile /config/httpd/certs/{intermediate certificate authority}.pem
at the end of the VirtualHost section. Install mod_ssl:
yum install mod_ssl -y
service httpd restart
- there is still a problem - FAILED! See the DocumentRoot bit above - I think that needs fixing!
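The checks a practitioner would run on the certificate, key and intermediate before restarting httpd, as an added shell script that is not part of the original post. It covers both the "certificates and keys lined up" step and the SSL VirtualHost above: it confirms that the private key really belongs to the certificate (mod_ssl refuses to start a VirtualHost whose key and certificate do not match), that the certificate chains to the supplied intermediate, and that it is not about to expire. The openssl command-line tool is required; the file names, the CN portal.example and the self-signed test material are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the TLS material before
# pointing SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile at it.
# Requires the openssl command-line tool. All file names here are constructed.

# Return 0 if the private key in $2 is the one the certificate in $1 was issued for.
# Comparing the public keys works for RSA and EC keys alike.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $2 chains to the CA/intermediate bundle in $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the certificate in $1 stays valid for at least $2 seconds (default 30 days).
not_expiring() {
    openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null 2>&1
}

# Run every check httpd would otherwise fail on at restart; return 0 only if all pass.
check_tls_material() {
    cert="$1"; key="$2"; ca="$3"; rc=0
    if cert_key_match "$cert" "$key"; then echo "OK   key matches certificate"
    else echo "FAIL key does not match certificate (wrong key file?)"; rc=1; fi
    if [ -n "$ca" ]; then
        if chain_ok "$ca" "$cert"; then echo "OK   certificate chains to $ca"
        else echo "FAIL certificate does not chain to $ca"; rc=1; fi
    fi
    if not_expiring "$cert"; then echo "OK   certificate valid for 30+ days"
    else echo "FAIL certificate expires within 30 days"; rc=1; fi
    return $rc
}

# Constructed test material under $1: a self-signed server certificate with its own
# key, plus an unrelated key and an unrelated self-signed certificate that must be rejected.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=portal.example" \
        -keyout "$dir/server.key" -out "$dir/server.cer" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$dir/unrelated.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -x509 -key "$dir/unrelated.key" -days 365 -subj "/CN=other.example" \
        -out "$dir/other.cer" >/dev/null 2>&1
}

# Usage: sh check_tls.sh /config/httpd/certs/{servername}.cer \
#            /config/httpd/certs/{servername}.key [/config/httpd/certs/intermediate.pem]
if [ $# -ge 2 ]; then
    check_tls_material "$1" "$2" "$3"
fi
```

A non-zero exit from check_tls_material means httpd should not be restarted yet; the first FAIL line names which file to go back and fix.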
1 comment:
It didn't work because the key file didn't match the key in the certificate - wrong key file! Otherwise the procedure is sound, I think.
Andy