Cmdbuild Install


CMDBuild V2.4.1 Installation Manual

1

Installing cmdbuild on Ubuntu 16.04 LTS

Install ubuntu on your platform.

Requirements

• 1 GHz processor (64-bit)
• 8 GB RAM
• 400 GB disk
• Internet connection

-We download the ISO from the Ubuntu URL (using the torrent is strongly recommended: it is faster and does not overload a single server) and create a bootable DVD / USB

-We boot our server and choose the language for the installation, in this case English, by pressing Enter

-We start the installation with the first option, Install Ubuntu Server, by pressing Enter

-We choose our location and press Enter

-We are asked to confirm whether the keyboard layout should be auto-detected; we answer No and press Enter

-We confirm our keyboard layout, in my case Spanish (Latin American), and press Enter

-We confirm our keyboard layout again and press Enter

-The installer loads some drivers

-We type the hostname of our server in the form host (name) domain (internet domain) and press Enter on the Continue button

-We create a user account to administer our server. We type the name of the person in charge and press Enter on the Continue button

-We type the username that will be used to log in and press Enter on the Continue button

-We type the password to use (a new detail in this version: the Show Password in Clear option can be enabled to see what we type). We press Enter on the Continue button

-We confirm the password. We press Enter on the Continue button

-Do you want to encrypt your home folder? We choose the option and press Enter on the Continue button

-The system auto-detects our location and suggests the time zone; if it is correct, we choose Yes and press Enter on the Continue button

-Time to partition the disk. We choose the second option, Guided with LVM, and press Enter

-We are shown the disks detected in the machine; we choose which one to use and press Enter

-Is this the disk where we will install? We press Enter on Yes

-We will use all of the disk space. We press Enter on the Continue button

-Last chance to change our mind. We answer Yes to write the changes and format by pressing Enter

-The base installation begins

-Do you use a proxy to reach the internet? Type it in the text box (if you do not use a proxy, leave it blank). We press Enter on the Continue button

-We choose the first option, No automatic updates, and press Enter

-Time to choose which packages to install; for a minimal setup we choose Standard system utilities and OpenSSH server. We press Enter on the Continue button

-The packages are installed, time to go for a coffee ;-)

-We will install Grub in the boot sector of the disk. We answer Yes by pressing Enter

-We have now finished installing Linux Ubuntu server Xenial Xerus. We reboot the machine and remove the bootable DVD / USB we installed from

-We log in with the account created in the earlier steps and, as a first step, update our OS with the commands

sudo apt-get update
sudo apt-get dist-upgrade

Our Linux Ubuntu server LTS Xenial Xerus 16.04 is now ready.

Install Java by running:

First, add Oracle's PPA, then update your package repository.

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update

In addition to configuring proxies, tell sudo to preserve the environment with the -E option:

export http_proxy=http://<proxy-host>:<port>
export https_proxy=http://<proxy-host>:<port>
sudo -E add-apt-repository ppa:webupd8team/java

with username and password:

export https_proxy=https://<user>:<password>@<proxy-host>:<port>

Then, depending on the version you want to install, execute one of the following commands:

Oracle JDK 8

This is the latest stable version of Java at time of writing, and the recommended version to install. You can do so using the following command:

sudo apt-get install oracle-java8-installer

Setting the JAVA_HOME Environment Variable

Many programs, such as Java servers, use the JAVA_HOME environment variable to determine the Java installation location. To set this environment variable, we will first need to find out where Java is installed. You can do this by executing the same command as in the previous section:

sudo update-alternatives --config java

Copy the path from your preferred installation and then open /etc/environment using nano or your favorite text editor.

sudo nano /etc/environment

At the end of this file, add the following line, making sure to replace the highlighted path with your own copied path.

/etc/environment
JAVA_HOME="/usr/lib/jvm/java-8-oracle"

Save and exit the file, and reload it.

source /etc/environment

You can now test whether the environment variable has been set by executing the following command:

echo $JAVA_HOME

This will return the path you just set.

Install PostgreSQL by running:

sudo apt-get update
sudo apt-get install postgresql postgresql-contrib

Switch over to the postgres account on your server by typing:

sudo -i -u postgres

You can now access a Postgres prompt immediately by typing:

psql

You will be logged in and able to interact with the database management system right away. Exit out of the PostgreSQL prompt by typing:

\q

If you are logged in as the postgres account, you can create a new user by typing:

createuser --interactive

If, instead, you prefer to use sudo for each command without switching from your normal account, you can type:

sudo -u postgres createuser --interactive

The script will prompt you with some choices and, based on your responses, execute the correct Postgres commands to create a user to your specifications.

Output
Enter name of role to add: cmdbuild
Shall the new role be a superuser? (y/n) y

Managing users and rights

To manage users, you first have to edit /etc/postgresql/current/main/pg_hba.conf and modify the default configuration, which is very locked down and secure. For example, if you want postgres to manage its own users (not linked with system users), you will add the following line:

8 ../../../solr/solr-tomcat.xml
├── catalina.properties
├── context.xml
├── logging.properties
├── policy.d
│   ├── 01system.policy
│   ├── 02debian.policy
│   ├── 03catalina.policy
│   ├── 04webapps.policy
│   ├── 05solr.policy -> /etc/solr/tomcat.policy
│   └── 50local.policy
├── server.xml
├── tomcat-users.xml
└── web.xml

/usr/share/tomcat6

/usr/share/tomcat6
├── bin
│   ├── bootstrap.jar
│   ├── catalina.sh
│   ├── catalina-tasks.xml
│   ├── digest.sh
│   ├── setclasspath.sh
│   ├── shutdown.sh
│   ├── startup.sh
│   ├── tomcat-juli.jar -> ../../java/tomcat-juli.jar
│   ├── tool-wrapper.sh
│   └── version.sh
├── defaults.md5sum
├── defaults.template
└── lib
    ├── annotations-api.jar -> ../../java/annotations-api-6.0.35.jar
    ├── catalina-ant.jar -> ../../java/catalina-ant-6.0.35.jar
    ├── catalina-ha.jar -> ../../java/catalina-ha-6.0.35.jar
    ├── catalina.jar -> ../../java/catalina-6.0.35.jar
    ├── catalina-tribes.jar -> ../../java/catalina-tribes-6.0.35.jar
    ├── commons-dbcp.jar -> ../../java/commons-dbcp.jar
    ├── commons-pool.jar -> ../../java/commons-pool.jar
    ├── el-api.jar -> ../../java/el-api-2.1.jar
    ├── jasper-el.jar -> ../../java/jasper-el-6.0.35.jar
    ├── jasper.jar -> ../../java/jasper-6.0.35.jar
    ├── jasper-jdt.jar -> ../../java/ecj.jar
    ├── jsp-api.jar -> ../../java/jsp-api-2.1.jar
    ├── servlet-api.jar -> ../../java/servlet-api-2.5.jar
    ├── tomcat-coyote.jar -> ../../java/tomcat-coyote-6.0.35.jar
    ├── tomcat-i18n-es.jar -> ../../java/tomcat-i18n-es-6.0.35.jar
    ├── tomcat-i18n-fr.jar -> ../../java/tomcat-i18n-fr-6.0.35.jar
    └── tomcat-i18n-ja.jar -> ../../java/tomcat-i18n-ja-6.0.35.jar

/usr/share/tomcat6-root/

If you install Tomcat 7 using apt:

sudo apt-get install tomcat7

Then the webapps are located in /var/lib/tomcat7

$ tree /var/lib/tomcat7 -L 2
/var/lib/tomcat7
├── common
│   └── classes
├── conf -> /etc/tomcat7
├── logs -> ../../log/tomcat7
├── server
│   └── classes
├── shared
│   └── classes
├── webapps
│   └── ROOT
└── work -> ../../cache/tomcat7

This is the default Tomcat home page, that can be found on the local file system at: /var/lib/tomcat7/webapps/ROOT/index.html

6

Installing Community Edition on Linux

Installing additional software for Alfresco

The third-party software used by Alfresco is installed when you use the setup wizards to install Alfresco. If you wish to install the third-party software independently, this information describes the steps for obtaining and installing the software. Some of the software can be installed any time before or after installing Alfresco.

1 Installing LibreOffice
In Alfresco, you can transform a document from one format to another, for example, a text file to a PDF file. To have access to these transformation facilities in Alfresco, you must install LibreOffice. This is optional, and can be done any time after Alfresco is installed.

sudo apt-get install libreoffice

2 Installing ImageMagick
To enable image manipulation in Alfresco, you must install and configure ImageMagick. Alfresco uses ImageMagick to manipulate images for previewing.

sudo apt-get install ghostscript imagemagick
convert --version

3 Installing Ghostscript
Alfresco uses Ghostscript for creating document thumbnails and previews. Use this information to install Ghostscript on your system.

apt-get install ghostscript

4 Installing TinyMCE language packs
Translations in Alfresco use the language packs supplied in the default install. The supported language packs are: German (de), English (en), Spanish (es), French (fr), Italian (it), Japanese (ja), and Dutch (nl). The language used switches according to the browser locale. Ensure that your browser is set up to view the relevant locale, which ensures that the special characters display correctly in your installed instance.

Installing ImageMagick

To enable image manipulation in Alfresco, you must install and configure ImageMagick. Alfresco uses ImageMagick to manipulate images for previewing.

1 Verify that ImageMagick, Ghostscript, and Ghostscript fonts are already installed on your system. Use the ImageMagick convert command to check that you have the right software installed on your machine. This command is usually located in /usr/bin: install Image.

2 If the ImageMagick and Ghostscript software is not available on your system, download and install the appropriate package for your platform. To download ImageMagick, browse to ImageMagick download website. To download Ghostscript, browse to Ghostscript download website.

Note: In the next steps you will make changes to the Alfresco application configuration files to enable the manually installed ImageMagick application. These steps can only be performed after Alfresco has been installed.

3 Browse to the directory. See System paths for more information.

4 Open the alfresco-global.properties file.

5 Modify the ImageMagick properties to point to the ImageMagick root directory:

Table 1. ImageMagick properties

Property: img.root
Description: On Windows, set this property to img.root=C:\\ImageMagick. On Linux, set this property to img.root=/ImageMagick.
Note: Do not include a slash (/) at the end of the path. For example, /ImageMagick/

Property: img.dyn
Description: On Windows, set this property to img.dyn=${img.root}\\lib. On Linux, set this property to img.dyn=${img.root}/lib

Property: img.exe
Description: On Windows, set this property to img.exe=${img.root}\\convert.exe. On Linux, set this property to img.exe=${img.root}/bin/convert

Property: img.coders
Description: On Windows, set this property to img.coders=${img.root}\\modules\\coders. On Linux, set this property to img.coders=${img.root}/modules/coders

Property: img.config
Description: On Windows, set this property to img.config=${img.root}\\config. On Linux, set this property to img.config=${img.root}/config

Note: Test that you are able to convert a PDF using the command convert filename.pdf[0] filename.png.

Installing TinyMCE language packs

Translations in Alfresco use the language packs supplied in the default install. The supported language packs are: German (de), English (en), Spanish (es), French (fr), Italian (it), Japanese (ja), and Dutch (nl). The language used switches according to the browser locale. Ensure that your browser is set up to view the relevant locale, which ensures that the special characters display correctly in your installed instance.

The source-localized files are encoded in ASCII, and the special and accented characters are displayed using escape sequences. The source files have been renamed using the corresponding locale for each language. For example, site-welcome.properties is called site-welcome_fr.properties for the French version.

If you wish to use a translation that is not supplied with Alfresco, then you must add the appropriate TinyMCE language pack for the translation to work correctly. If you installed Alfresco using one of the setup wizards, the default language packs are already installed. If you have installed Alfresco manually, you must install the supported language pack manually.

1 Browse to the TinyMCE website: TinyMCE.

2 Download the required TinyMCE language pack.

Note: The next step makes configuration changes to the Share application to configure the additional language packs for TinyMCE. This step can only be performed after Alfresco has been installed.

3 Unpack the language file to: /webapps/share/modules/editors/tiny_mce/langs.

4 Ensure that the browser cache is cleared or refresh the page.

Installing Linux libraries manually

Use this information to install Linux libraries manually on supported Linux distributions, such as Ubuntu, SUSE and Red Hat.

LibreOffice requires the following libraries to be installed on your system:

• libfontconfig
• libICE
• libSM
• libXrender
• libXext
• libXinerama
• libcups
• libGLU

On some Linux distributions, such as Ubuntu, SUSE, and Red Hat, the Alfresco setup wizard will validate whether or not the required libraries are present. If the required libraries are missing, you will get a warning message. You can install them using your package manager from the command line.

If LibreOffice does not start up normally with Alfresco, test manually; for example, by running this startup script:

start
ex. {installdir}/libreoffice/scripts/libreoffice_ctl.sh start

status
ex. {installdir}/libreoffice/scripts/libreoffice_ctl.sh status

If you receive errors that indicate that a library is missing, work with your system administrator to add the missing library or its equivalent from your configured repositories.

sudo apt-get install libsm6:i386

Installing Community Edition on Linux (text mode)

Use this information to install Alfresco on Linux where you do not have a graphical interface. The Linux installation file can be run as a graphical setup wizard, but you can also run this file to install Alfresco using text mode. Text mode is a keyboard-based installation method.

1 Download the installation file: alfresco-community-installer-201606-EA-linux-x64.bin
Files are available from Download and install Alfresco.

2 Run the following file: alfresco-community-installer-201606-EA-linux-x64.bin
Follow the prompts on the screen to complete the install.

3 Choose a language for the installation steps. Enter the number that relates to your chosen language.

4 Enter the folder where you'd like to install Alfresco.

Installation folder

Please choose a folder to install Alfresco Community (Evaluation Use Only)
Select a folder [/opt/alfresco-community]:

The default is /opt/alfresco-community. You might need root (sudo) rights to access this folder.

5 Enter a password to use for your Administrator user.

Admin Password

Please give a password to use for the Alfresco administrator account.

Admin Password: :

The Administrator user is called admin. The Administrator is the user account that manages Alfresco and its users.

6 Repeat the password.

7 Enter Y (yes) to continue with the installation.

8 (Optional) If you are logged in as root, you then see an option for installing Alfresco as a service.
Note: If you are logged in as a standard user, you do not see this option.

You can optionally register Alfresco Enterprise as a service. This way it will
automatically be started every time the machine is started.

Install Alfresco Community as a service? [Y/n]:"

The alfresco service script file exists. Please insert a different name for the
service script.

Service script name: [alfresco]:

◦ Select Yes to register Alfresco as a service. The default name of the service is alfresco. The server will then automatically be started every time the machine is started. If you select Yes, when you click Next, you may be asked to provide the Alfresco service script name. Enter a name for the script to run the service.
◦ Select No to install Alfresco.

9 Enter Y (yes) to continue with the installation.

Setup is now ready to begin installing Alfresco Community (Evaluation Use Only) on
your computer.

Do you want to continue? [Y/n]:

You'll then see a status bar showing the progress of the files being installed. When it is complete, you'll see the following:

Installing
0% ______________ 50% ______________ 100%
########################################

10 To finish the install and show the README file, enter Y (yes).

11 Finally, press Enter to continue.

When you have finished, start the server and login using the user admin and the password you entered in step 4. Use the URL http://127.0.0.1:8080/share on this machine to verify that Alfresco is running successfully. This is not an externally addressable URL, which means that it's not possible for users on other machines to access this URL. To make sure that other users can access the machine where Alfresco is installed, you need to define and create a publicly addressable name.

Installing Community Edition on Linux

The setup wizard for Linux installs all the software and components that you require for running Alfresco. This setup wizard installs Alfresco and additional software, including a Tomcat application server, PostgreSQL database, JRE, and LibreOffice.

1 Download the installation file: alfresco-community-installer-201606-EA-linux-x64.bin
Files are available from Download and install Alfresco.
This Alfresco setup wizard is for 64-bit Linux systems.

2 Execute the downloaded file. You can do this by changing the file permissions:

chmod +x alfresco-community-installer-201606-EA-linux-x64.bin

and running the file:

./alfresco-community-installer-201606-EA-linux-x64.bin

The setup wizard starts.

3 On the Language Selection window, select the installation language. The default language is English. Click OK to accept the default language.

4 On the Setup - Alfresco Community window, click Next. Select the installation language. This sets the language to be used for the remainder of the setup wizard.

5 On the Installation type window, choose how you want to use the setup wizard. There are two types of installation in the setup wizard:

Option: Easy
Description: Easy type installs Alfresco using the default options and configuration. This install type requires you to enter information in only two fields: the Alfresco install location and the administrator password. Choose this route to install Alfresco with the default environment.
Note: If you have previously installed Alfresco and the server is running, when you run this installation wizard again, you may be prompted to enter alternative port numbers for the components and services that you install.

Option: Advanced
Description: Advanced type installs Alfresco but lets you configure the server ports and service properties. You can also choose which additional components to install.

6 To complete the Easy setup wizard:
a Select Easy, and then click Next.
b On the Installation Folder window, click Next to accept the default location.
Note: You must use ASCII characters only when setting the installation folder using the Alfresco setup wizard.
c On the Admin Password window, enter a password for the Administrator user (admin).
CAUTION: You must use ASCII characters only when setting the password using the Alfresco setup wizard. If you need to reset the password (to include non-ASCII characters) after installation, see Changing a user's password.
d Repeat the password, and then click Next.
e Click Next through the remaining windows in the setup wizard.
f Click Finish to complete the installation.
Go to the step for the Completing the Alfresco Community Setup Wizard window and launching Alfresco Share.

7 To complete the Advanced setup wizard, select Advanced and then click Next.
Follow the remaining steps in this task.

8 On the Select Components window, select the components that you want to install. Deselect the components that you do not want to install.
a Java (this is JRE only)
b PostgreSQL
c LibreOffice
d Solr 1
e Solr 4
f Alfresco Office Services
g Web Quick Start
h Google Docs Integration

9 When you have finished selecting the components, click Next.

10 On the Installation Folder window, click Next to accept the default location. For example, the default location is /opt/alfresco-community.
Alternatively, click the icon to choose another location.
Note: You must use ASCII characters only when setting the installation folder using the Alfresco setup wizard.

11 The Database Server Parameters window prompts you to enter a port number for your database.

12 On the Tomcat Port Configuration window, enter the following Tomcat configuration parameters:
a Web Server Domain
For example, the default is 127.0.0.1.
The URL http://127.0.0.1:8080/share is based on the web server domain and the Tomcat port number that you specify on the Tomcat Port Configuration window. The default of 127.0.0.1 can be used on this machine to verify that Alfresco is running successfully. However, it is not an externally addressable URL, which means that it is not possible for users on other machines to access this URL. To make sure that other users can access the machine where Alfresco is installed, you need to define and create a publicly addressable name.
b Tomcat Server Port
For example, the default is 8080.
c Tomcat Shutdown Port
For example, the default is 8005.
d Tomcat SSL Port
For example, the default is 8443.
e Tomcat AJP Port
For example, the default is 8009.

13 (Optional) If you are installing the LibreOffice component, the LibreOffice Server Port window displays. Enter a port number on which the LibreOffice server will listen.

14 On the Alfresco FTP Port window, enter a port number for the Alfresco FTP server.

15 On the Admin Password window, type a password. Repeat the password, and then click Next. This sets the password for the Alfresco Administrator user account (admin).
CAUTION: You must use ASCII characters only when setting the password using the Alfresco setup wizard. If you need to reset the password (to include non-ASCII characters) after installation, see Changing a user's password.

16 (Optional) If you are installing SharePoint Protocol Support, the Alfresco SharePoint Port window displays. Enter a port number, and then click Next.

17 On the Ready to Install window, click Next. The Installing window displays, showing the progress of the installation.

18 On the Completing the Alfresco Community Setup Wizard window, click Finish. This window shows check boxes that determine whether you will see the Readme file, the Getting Started web page, and also whether to launch Alfresco. By default, these options are selected and will launch when you click Finish. If you do not want to start Alfresco at this point, deselect the Launch Alfresco Community check box.

19 Click OK to close the Readme.
The Alfresco server starts and then Alfresco launches in your default browser.
Important: It can take several minutes to start the Alfresco server and to launch Alfresco. Your browser opens and tries to connect to http://127.0.0.1:8080/share.

20 Log on to Alfresco as the admin user. Enter the password that you specified in the Admin Password window. The Alfresco server is launched automatically as a service called alfresco. This service comprises the following individual services:
a postgresql
b Tomcat Server

21 If you did not automatically launch Alfresco at the end of the setup wizard, to start Alfresco, you need to start all the services.

22 Manually start the Alfresco server: Browse to /opt/alfresco-community/ (the installation folder that you created in 9). As an administrator, run

./alfresco.sh start

23 To fully stop Alfresco, you must stop all the services: Browse to /opt/alfresco-community/ (the installation folder that you created in 9). As an administrator, run

./alfresco.sh stop

Alfresco UI Interface

We connect from a browser to http://10.10.10.5:8080/share and log in with the admin user and the password we set during installation.

-Once in the administrator Dashboard we click More - Groups to create groups.

-To create a group we click the Browse button.

-The groups already created by the system are shown; we click the round New group button.

-We fill in the Identifier field with a unique name and the Display Name field with a comment. We click the Create Group button.

-After entering the groups we should see them in the list together with the system ones.

-Now we can create users. We click the Users link on the left and then the New User button.

-We fill in the fields of the new user, bearing in mind that the required fields are those ending in * and that we must assign it a group.

-A user can belong to several groups at once and can also have a disk usage quota. In addition, if needed we can disable an account with the Disable Account option.

-Once the user is created we can search for it in Users by typing part of the name in the User Search field.

Our Alfresco Community is now running and ready to start creating collaboration sites and more.

7

How To Encrypt Tomcat 8 Connections with Apache or Nginx on Ubuntu 16.04

Introduction

Apache Tomcat is a web server and servlet container designed to serve Java applications. Frequently used in production enterprise deployments and for smaller application needs, Tomcat is both flexible and powerful. In this guide, we will discuss how to secure your Ubuntu 16.04 Tomcat installation with SSL. By default, upon installation, all communication between the Tomcat server and clients is unencrypted, including any passwords entered or any sensitive data. There are a number of ways that we can incorporate SSL into our Tomcat installation. This guide will cover how to set up a SSL-enabled proxy server to securely negotiate with clients and then hand requests off to Tomcat. We will cover how to set this up with both Apache and Nginx.

Why a Reverse Proxy?

There are a number of ways that you can set up SSL for a Tomcat installation, each with its set of trade-offs. After learning that Tomcat has the ability to encrypt connections natively, it might seem strange that we'd discuss a reverse proxy solution. SSL with Tomcat has a number of drawbacks that make it difficult to manage:

• Tomcat, when run as recommended with an unprivileged user, cannot bind to restricted ports like the conventional SSL port 443: There are workarounds to this, like using the authbind program to map an unprivileged program with a restricted port, setting up port forwarding with a firewall, etc., but they still represent additional complexity.
• SSL with Tomcat is not as widely supported by other software: Projects like Let's Encrypt provide no native way of interacting with Tomcat. Furthermore, the Java keystore format requires conventional certificates to be converted before use, which complicates automation.
• Conventional web servers release more frequently than Tomcat: This can have significant security implications for your applications. For instance, the supported Tomcat SSL cipher suite can become out-of-date quickly, leaving your applications with suboptimal protection. In the event that security updates are needed, it is likely easier to update a web server than your Tomcat installation.

A reverse proxy solution bypasses many of these issues by simply putting a strong web server in front of the Tomcat installation. The web server can handle client requests with SSL, functionality it is specifically designed to handle. It can then proxy requests to Tomcat running in its normal, unprivileged configuration. This separation of concerns simplifies the configuration, even if it does mean running an additional piece of software.

Prerequisites

In order to complete this guide, you will have to have Tomcat already set up on your server. This guide will assume that you used the instructions in our Tomcat 8 on Ubuntu 16.04 installation guide to get set up. When you have a Tomcat up and running, continue below with the section for your preferred web server. Apache starts directly below, while the Nginx configuration can be found by skipping ahead a bit.

(Option 1) Proxying with the Apache Web Server's mod_jk


The Apache web server has a module called mod_jk which can communicate directly with Tomcat using the Apache JServ Protocol. A connector for this protocol is enabled by default within Tomcat, so Tomcat is already ready to handle these requests.

Section Prerequisites

Before we can discuss how to proxy Apache web server connections to Tomcat, you must install and secure an Apache web server. You can install the Apache web server by following step 1 of this guide. Do not install MySQL or PHP.

Afterwards, you will need to set up SSL on the server. The way you do this will depend on whether you have a domain name or not.

• If you have a domain name... the easiest way to secure your server is with Let's Encrypt, which provides free, trusted certificates. Follow our Let's Encrypt guide for Apache to set this up.
• If you do not have a domain... and you are just using this configuration for testing or personal use, you can use a self-signed certificate instead. This provides the same type of encryption, but without domain validation. Follow our self-signed SSL guide for Apache to get set up.

When you are finished with these steps, continue below to learn how to hook up the Apache web server to your Tomcat installation.

Step 1: Install and Configure mod_jk

First, we need to install the mod_jk module. The Apache web server uses this to communicate with Tomcat using the Apache JServ Protocol. We can install mod_jk from Ubuntu's default repositories. Update the local package index and install by typing:

sudo apt-get update
sudo apt-get install libapache2-mod-jk

The module will be enabled automatically upon installation.

Next, we need to configure the module. The main configuration file is located at /etc/libapache2-mod-jk/workers.properties. Open this file now in your text editor:

sudo nano /etc/libapache2-mod-jk/workers.properties

Inside, find the workers.tomcat_home directive. Set this to your Tomcat installation home directory. For our Tomcat installation, that would be /opt/tomcat:

/etc/libapache2-mod-jk/workers.properties
workers.tomcat_home=/opt/tomcat

Save and close the file when you are finished.

Step 2: Adjust the Apache Virtual Host to Proxy with mod_jk Next, we need to adjust our Apache Virtual Host to proxy requests to our Tomcat installation. The correct Virtual Host file to open will depend on which method you used to set up SSL. If you set up a self-signed SSL certificate using the guide linked to above, open the default-ssl.conf file: •

sudo nano /etc/apache2/sites-available/default-ssl.conf

If you set up SSL with Let's Encrypt, the file location will depend on what options you selected during the certificate process. You can find which Virtual Hosts are involved in serving SSL requests by typing:



sudo apache2ctl -S

Your output will likely begin with something like this:

Output
VirtualHost configuration:
*:80                   example.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost www.example.com (/etc/apache2/sites-enabled/default-ssl.conf:2)

. . .

Looking at the lines associated with SSL port 443 (lines 3-6 in this example), we can determine which Virtual Hosts files are involved in serving those domains. Here, we see that both the 000-default-le-ssl.conf file and the default-ssl.conf file are involved, so you should edit both of these. Your results will likely differ:

sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
sudo nano /etc/apache2/sites-enabled/default-ssl.conf

Regardless of which files you have to open, the procedure will be the same. Somewhere within the VirtualHost tags, you should enter the following:

. . .

JKMount /* ajp13_worker

. . .

Save and close the file. Repeat the above process for any other files you identified that need to be edited. When you are finished, check your configuration by typing:

sudo apache2ctl configtest

If the output contains Syntax OK, restart the Apache web server process:

sudo systemctl restart apache2

You should now be able to get to your Tomcat installation by visiting the SSL version of your site in your web browser:

https://example.com

Next, skip past the Nginx configuration below and continue at the section detailing how to restrict access to Tomcat in order to complete your configuration.

(Option 2) HTTP Proxying with Nginx

Proxying is also easy with Nginx, if you prefer it to the Apache web server. While Nginx does not have a module allowing it to speak the Apache JServ Protocol, it can use its robust HTTP proxying capabilities to communicate with Tomcat.

Section Prerequisites

Before we can discuss how to proxy Nginx connections to Tomcat, you must install and secure Nginx. You can install Nginx by following our guide on installing Nginx on Ubuntu 16.04.

Afterwards, you will need to set up SSL on the server. The way you do this will depend on whether you have a domain name or not.

• If you have a domain name... the easiest way to secure your server is with Let's Encrypt, which provides free, trusted certificates. Follow our Let's Encrypt guide for Nginx to set this up.
• If you do not have a domain... and you are just using this configuration for testing or personal use, you can use a self-signed certificate instead. This provides the same type of encryption, but without domain validation. Follow our self-signed SSL guide for Nginx to get set up.

When you are finished with these steps, continue below to learn how to hook up the Nginx web server to your Tomcat installation.

Step 1: Adjusting the Nginx Server Block Configuration

Setting up Nginx to proxy to Tomcat is very straightforward. Begin by opening the server block file associated with your site. We will assume you are using the default server block file in this guide:

sudo nano /etc/nginx/sites-available/default

Inside, towards the top of the file, we need to add an upstream block. This will outline the connection details so that Nginx knows where our Tomcat server is listening. Place this outside of any of the server blocks defined within the file:

/etc/nginx/sites-available/default
upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {

    . . .

Next, within the server block defined for port 443, modify the location / block. We want to pass all requests directly to the upstream block we just defined. Comment out the current contents and use the proxy_pass directive to pass to the "tomcat" upstream we just defined. We will also need to include the proxy_params configuration within this block. This file defines many of the details of how Nginx will proxy the connection:

/etc/nginx/sites-available/default
upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {

    . . .

    location / {
        #try_files $uri $uri/ =404;
        include proxy_params;
        proxy_pass http://tomcat/;
    }

    . . .
}

When you are finished, save and close the file.

Step 2: Test and Restart Nginx

Next, test to make sure your configuration changes did not introduce any syntax errors:

sudo nginx -t

If no errors are reported, restart Nginx to implement your changes:

sudo systemctl restart nginx

You should now be able to get to your Tomcat installation by visiting the SSL version of your site in your web browser:

https://example.com

Restricting Access to the Tomcat Installation

Now that you have SSL encrypted access to your Tomcat installation, we can lock down the Tomcat installation a bit more. Since we want all of our requests to Tomcat to come through our proxy, we can configure Tomcat to only listen for connections on the local loopback interface. This ensures that outside parties cannot attempt to make requests from Tomcat directly. Open the server.xml file within your Tomcat configuration directory to change these settings:

sudo nano /opt/tomcat/conf/server.xml

Within this file, we need to modify the Connector definitions. Currently there are two Connectors enabled within the configuration. One handles normal HTTP requests on port 8080, while the other handles Apache JServ Protocol requests on port 8009. The configuration will look something like this:

/opt/tomcat/conf/server.xml
. . .

. . .

In order to restrict access to the local loopback interface, we just need to add an "address" attribute set to 127.0.0.1 in each of these Connector definitions. The end result will look like this:

/opt/tomcat/conf/server.xml
. . .

. . .

After you've made those two changes, save and close the file. We need to restart our Tomcat process to implement these changes:

sudo systemctl restart tomcat

If you followed our Tomcat installation guide, you have a ufw firewall enabled on your installation. Now that all of our requests to Tomcat are restricted to the local loopback interface, we can remove the rule from our firewall that allowed external requests to Tomcat.

sudo ufw delete allow 8080

Your Tomcat installation should now only be accessible through your web server proxy.
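The loopback restriction described above can be checked from the configuration file itself. The following is an added example, not part of the original guide: it parses a server.xml and lists every Connector that is not pinned to a loopback address. The embedded XML is a constructed sample of the two Connectors the guide describes (HTTP on 8080, AJP on 8009), and the function names are illustrative.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the two Connectors the guide describes, first without
# and then with the "address" attribute set to 127.0.0.1.
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

AFTER = BEFORE.replace('<Connector ', '<Connector address="127.0.0.1" ')


def is_loopback(address):
    """True only for a literal loopback IP (127.0.0.0/8 or ::1)."""
    if address is None:
        # No explicit address: treated as not pinned, since the guide asks
        # for the attribute to be set on every Connector.
        return False
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        # Hostnames are not resolved here; report them for manual review.
        return False


def exposed_connectors(server_xml):
    """Return (port, protocol, address) for each Connector not pinned to loopback."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if not is_loopback(address):
            findings.append((conn.get("port"), conn.get("protocol", "HTTP/1.1"), address))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, exposed_connectors(xml_text))
```

To audit a real installation, pass the contents of /opt/tomcat/conf/server.xml to exposed_connectors; an empty list means every Connector carries an explicit loopback address.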

Conclusion

At this point, connections to your Tomcat instance should be encrypted with SSL with the help of a web server proxy. While configuring a separate web server process might increase the software involved in serving your applications, it simplifies the process of securing your traffic significantly.
