Tuesday, March 20, 2018

How to install Tomcat 8.5 on Debian 9 / Ubuntu 16.04 / Linux Mint 18

Requirement

First, switch to the root user.
su -
OR
sudo su -
Tomcat requires a Java JDK to be installed on the machine. You can install either Oracle JDK or OpenJDK.
For this demo, I am going with OpenJDK.
apt-get -y install openjdk-8-jdk
Once Java is installed, you can verify the Java version by using the following command.
java -version
Output:
openjdk version "1.8.0_141"
OpenJDK Runtime Environment (build 1.8.0_141-8u141-b15-1~deb9u1-b15)
OpenJDK 64-Bit Server VM (build 25.141-b15, mixed mode)

As a best practice, Tomcat should never be run as a privileged user (root). So, create a low-privilege user for running the Tomcat service.
groupadd tomcat
mkdir /opt/tomcat
useradd -g tomcat -d /opt/tomcat -s /usr/sbin/nologin tomcat
or
useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Download & Configure Apache Tomcat

You can download the latest version of Apache Tomcat from the official website.
wget http://www-us.apache.org/dist/tomcat/tomcat-8/v8.5.27/bin/apache-tomcat-8.5.27.tar.gz
Extract Tomcat into your desired directory (/opt/tomcat).
tar -zxvf apache-tomcat-*.tar.gz
mv apache-tomcat-8.5.27/* /opt/tomcat/
Change the ownership of the extracted directory so that the tomcat user can write files to it.
chown -R tomcat:tomcat /opt/tomcat/

chmod +x /opt/tomcat/bin/*.sh 

Add the following to /etc/bash.bashrc, /etc/profile and /etc/environment.
# Java variables (point JAVA_HOME at the JDK you installed)
JAVA_HOME=/usr/lib/jvm/java-8-oracle
CATALINA_HOME=/opt/tomcat
export JAVA_HOME
JRE_HOME=$JAVA_HOME/jre
export JRE_HOME
#PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin:
#export PATH
export CATALINA_HOME


Controlling Apache Tomcat

Manual

You can start and stop Tomcat using the scripts that come with the package.
To start Tomcat service, go to the Tomcat directory and run:
cd /opt/tomcat/bin/
sh startup.sh
Output:
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar
Tomcat started.
To stop Tomcat service, run:
sh shutdown.sh

Change the ownership of the extracted directory so that the tomcat user can write files to it.
chown -R tomcat:tomcat /opt/tomcat/

Systemd

We can also configure systemd to start the Tomcat service. Skip the step below if you do not want to use systemd for managing the Tomcat service.
Create a Tomcat systemd service file. The values marked in green depend on the environment, so change them accordingly.
nano /etc/systemd/system/tomcat.service
Add the below information to Tomcat systemd service file.
[Unit]
Description=Apache Tomcat 8.x Web Application Container
Wants=network.target
After=network.target

[Service]
Type=forking

Environment=JRE_HOME=/usr/lib/jvm/java-8-oracle/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1G -Djava.net.preferIPv4Stack=true'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
SuccessExitStatus=143

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target
Reload systemd daemon.
systemctl daemon-reload
To start the Tomcat service, run:
systemctl start tomcat
To check the status of Tomcat, run:
systemctl status tomcat
Enable the auto start of Tomcat service on system boot:
systemctl enable tomcat

Verify Apache Tomcat
By default, Tomcat runs on port 8080. You can use the netstat command to check the port status.
netstat -antup | grep 8080
or
netstat -plntu | grep 8080
Output:
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      12224/java


Firewall

You may need to allow Tomcat server requests in the firewall so that the application can be accessed from an external network.
ufw allow 8080

Configure Apache Tomcat Web UI

Tomcat comes with the Web Manager and Host Manager for managing Tomcat. Both are password protected and require a username and password to access.
Only a user with the manager-gui and admin-gui roles is allowed to access the Web Manager and Host Manager respectively. Those two roles are defined in the tomcat-users.xml file.
nano /opt/tomcat/conf/tomcat-users.xml
Place the following two lines (role and user definition) just above the last line (the closing </tomcat-users> tag).
<role rolename="manager-gui,admin-gui"/>
<user username="tomcat" password="admin" roles="manager-gui,admin-gui"/>
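
An added example, not part of the original post: a short audit that parses a tomcat-users.xml and reports accounts holding manager-gui or admin-gui whose password is guessable or short. The sample file, the GUESSABLE list and the 12-character minimum are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the user line from the text plus two made-up accounts.
SAMPLE_USERS = '''<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui,admin-gui"/>
  <user username="tomcat" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="c7Qv-Lw92_fTxRk4bN" roles="manager-script"/>
  <user username="ops" password="Tr4il-m1x" roles="admin-gui"/>
</tomcat-users>'''

# Roles that open the Web Manager and Host Manager GUIs.
GUI_ROLES = {"manager-gui", "admin-gui"}
# Small illustrative set of guessable values (assumption, not a wordlist).
GUESSABLE = {"admin", "tomcat", "password", "manager"}


def findings(users_xml, min_len=12):
    """Return (username, reason) pairs for GUI-capable accounts whose
    password is guessable, equals the username, or is shorter than min_len."""
    results = []
    for el in ET.fromstring(users_xml).iter():
        # The stock file declares a default namespace, so compare local names.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & GUI_ROLES:
            continue  # account cannot log in to either GUI
        if password.lower() in GUESSABLE or password.lower() == name.lower():
            results.append((name, "guessable password"))
        elif len(password) < min_len:
            results.append((name, f"password shorter than {min_len} characters"))
    return results


if __name__ == "__main__":
    for user, reason in findings(SAMPLE_USERS):
        print(f"{user}: {reason}")
```

To check a real installation, pass the contents of /opt/tomcat/conf/tomcat-users.xml to findings() instead of SAMPLE_USERS.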

For security reasons, the Web Manager and Host Manager are accessible only from localhost, i.e., from the server itself.
If you want to access the managers from a remote system, you need to add your source network to the allow list. To do that, edit the two files below.
nano /opt/tomcat/webapps/manager/META-INF/context.xml

nano /opt/tomcat/webapps/host-manager/META-INF/context.xml
Update the line below in both files with the source IP from which you are accessing the Web and Host Manager. .* will allow everyone to have access to the managers.
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|.*" />
OR
You can allow only part of your network. For example, to allow only the 192.168.0.0/24 network, you can use the value below.
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.0\.\d+" />
Restart the Tomcat service.
systemctl restart tomcat
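
An added example, not part of the original post: Tomcat's RemoteAddrValve admits a client only when the whole address string matches the allow pattern, so the check below replays that with Python's re.fullmatch over constructed probe addresses and lists any address a pattern admits outside the networks you meant to allow. It shows that an unescaped `192.168.*` also admits other 192.168.x.x subnets, while `192\.168\.0\.\d+` stays inside the /24. SAMPLE_CONTEXT, PROBES and INTENDED are assumptions made for this illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Manager context.xml carrying an unescaped LAN pattern.
SAMPLE_CONTEXT = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.*" />
</Context>'''

# Constructed probe addresses: loopback, the intended LAN, a neighbouring
# subnet, another private range and a documentation (TEST-NET-3) address.
PROBES = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "192.168.0.10",
          "192.168.7.10", "10.0.0.5", "203.0.113.9"]

# Networks the administrator means to admit (assumption for this example).
INTENDED = ["127.0.0.0/8", "::1/128", "192.168.0.0/24"]


def allow_pattern(context_xml):
    """Return the allow= regex of the RemoteAddrValve in a context.xml."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className", "").endswith("RemoteAddrValve"):
            return valve.get("allow", "")
    raise ValueError("no RemoteAddrValve in context.xml")


def unintended(pattern, intended=INTENDED, probes=PROBES):
    """List probe addresses the pattern admits although they lie outside
    every intended network (whole-string match, as the valve does)."""
    nets = [ipaddress.ip_network(n) for n in intended]
    regex = re.compile(pattern)
    leaked = []
    for addr in probes:
        ip = ipaddress.ip_address(addr)
        if regex.fullmatch(addr) and not any(ip in n for n in nets):
            leaked.append(addr)
    return leaked


if __name__ == "__main__":
    base = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
    for label, pattern in [("default", base),
                           ("everyone", base + "|.*"),
                           ("from context.xml", allow_pattern(SAMPLE_CONTEXT)),
                           ("strict /24", base + r"|192\.168\.0\.\d+")]:
        print(f"{label:18} admits outside intent: {unintended(pattern)}")
```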

