{"id":14373,"date":"2019-01-20T14:19:17","date_gmt":"2019-01-20T22:19:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/01\/20\/news-8125\/"},"modified":"2019-01-20T14:19:17","modified_gmt":"2019-01-20T22:19:17","slug":"news-8125","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/01\/20\/news-8125\/","title":{"rendered":"Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)"},"content":{"rendered":"<p><strong>Credit to Author: eyalestrin | Date: Thu, 07 May 2015 18:30:34 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p>This document explains the process of installation, configuration and hardening of a Tomcat 8.x server, based on a RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the <a href=\"http:\/\/en.wikipedia.org\/wiki\/BREACH_(security_exploit)\" target=\"_blank\">BEAST attack<\/a> and the <a href=\"http:\/\/en.wikipedia.org\/wiki\/CRIME_(security_exploit)\" target=\"_blank\">CRIME attack<\/a>.<br \/> Some of the features explained in this document are supported by only some Internet browsers:<\/p>\n<ul>\n<li>TLS 1.2 \u2013 Minimum browser support: IE 8.0 on Windows 7\/8 (must be enabled manually), Firefox 24.0 (must be enabled manually), Chrome 30, Opera 17, Safari 5.0<\/li>\n<\/ul>\n<p><strong>Installation phase<\/strong><\/p>\n<ol>\n<li>Log in to the server using the root account.<\/li>\n<li>Create a new account:<br \/> <code>groupadd tomcat<br \/> useradd -g tomcat -d \/home\/tomcat -s \/bin\/sh tomcat<\/code><\/li>\n<li>Download the latest JDK8 for Linux from:<br \/> <code>http:\/\/www.oracle.com\/technetwork\/java\/javase\/downloads\/jdk8-downloads-2133151.html<\/code><\/li>\n<li>Upgrade to the latest build of Oracle JDK:<br \/> <code>rpm -Uvh \/tmp\/jdk-8u45-linux-x64.rpm<\/code><\/li>\n<li>Delete the JDK8 installer and source files:<br \/> <code>rm -rf \/tmp\/jdk-8u45-linux-x64.rpm<br \/> rm -rf 
\/usr\/java\/jdk1.8.0_45\/src.zip<\/code><\/li>\n<li>Download the latest Tomcat 8 source files:<br \/> <code>cd \/opt<br \/> wget http:\/\/apache.spd.co.il\/tomcat\/tomcat-8\/v8.0.21\/bin\/apache-tomcat-8.0.21.tar.gz<\/code><\/li>\n<li>Extract Tomcat source files:<br \/> <code>tar zxf \/opt\/apache-tomcat-8.0.21.tar.gz -C \/opt<\/code><\/li>\n<li>Rename the Tomcat folder:<br \/> <code>mv \/opt\/apache-tomcat-8.0.21 \/opt\/tomcat<\/code><\/li>\n<li>Remove default content:<br \/> <code>rm -rf \/opt\/apache-tomcat-8.0.21.tar.gz<br \/> rm -rf \/opt\/tomcat\/webapps\/docs<br \/> rm -rf \/opt\/tomcat\/webapps\/examples<br \/> rm -rf \/opt\/tomcat\/webapps\/ROOT\/RELEASE-NOTES.txt<br \/> rm -rf \/opt\/tomcat\/webapps\/host-manager<br \/> rm -rf \/opt\/tomcat\/webapps\/manager<br \/> rm -rf \/opt\/tomcat\/work\/Catalina\/localhost\/docs<br \/> rm -rf \/opt\/tomcat\/work\/Catalina\/localhost\/examples<br \/> rm -rf \/opt\/tomcat\/work\/Catalina\/localhost\/host-manager<br \/> rm -rf \/opt\/tomcat\/work\/Catalina\/localhost\/manager<\/code><\/li>\n<li>Change folder ownership and permissions:<br \/> <code>chown -R tomcat.tomcat \/opt\/tomcat<br \/> chmod g-w,o-rwx \/opt\/tomcat<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf<br \/> chmod o-rwx \/opt\/tomcat\/logs<br \/> chmod o-rwx \/opt\/tomcat\/temp<br \/> chmod g-w,o-rwx \/opt\/tomcat\/bin<br \/> chmod g-w,o-rwx \/opt\/tomcat\/webapps<br \/> chmod 770 \/opt\/tomcat\/conf\/catalina.policy<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf\/catalina.properties<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf\/context.xml<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf\/logging.properties<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf\/server.xml<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf\/tomcat-users.xml<br \/> chmod g-w,o-rwx \/opt\/tomcat\/conf\/web.xml<\/code><\/li>\n<li>Move to the folder <span style=\"color: #0000ff\">\/opt\/tomcat\/lib<\/span><br \/> <code>cd \/opt\/tomcat\/lib<\/code><\/li>\n<li>Extract the file catalina.jar<br \/> <code>jar xf 
catalina.jar org\/apache\/catalina\/util\/ServerInfo.properties<\/code><\/li>\n<li>Edit using VI, the file <span style=\"color: #0000ff\">\/opt\/tomcat\/lib\/org\/apache\/catalina\/util\/ServerInfo.properties<\/span><br \/> Replace the string below from:<br \/> <code>server.info=Apache Tomcat\/8.0.21<\/code><br \/> To:<br \/> <code>server.info=Secure Web server<\/code><br \/> Replace the string below from:<br \/> <code>server.number=8.0.21.0<\/code><br \/> To:<br \/> <code>server.number=1.0.0.0<\/code><br \/> Replace the string below from:<br \/> <code>server.built=Mar 23 2015 14:11:21 UTC<\/code><br \/> To:<br \/> <code>server.built=Jan 01 2000 00:00:00 UTC<\/code><\/li>\n<li>Move to the folder <span style=\"color: #0000ff\">\/opt\/tomcat\/lib<\/span><br \/> <code>cd \/opt\/tomcat\/lib<\/code><\/li>\n<li>Repackage the file catalina.jar<br \/> <code>jar uf catalina.jar org\/apache\/catalina\/util\/ServerInfo.properties<\/code><\/li>\n<li>Remove the folder below:<br \/> <code>rm -rf \/opt\/tomcat\/lib\/org<\/code><\/li>\n<li>Edit using VI, the file <span style=\"color: #0000ff\">\/opt\/tomcat\/conf\/server.xml<\/span> and make the following changes:<br \/> Replace:<br \/> <code>&lt;Connector port=\"8080\" protocol=\"HTTP\/1.1\"<br \/> connectionTimeout=\"20000\"<br \/> redirectPort=\"8443\" \/&gt;<\/code><br \/> With:<br \/> <code>&lt;Connector port=\"8080\" protocol=\"HTTP\/1.1\"<br \/> connectionTimeout=\"20000\"<br \/> xpoweredBy=\"false\"<br \/> allowTrace=\"false\"<br \/> redirectPort=\"8443\" \/&gt;<\/code><br \/> Replace:<br \/> <code>&lt;Server port=\"8005\" shutdown=\"SHUTDOWN\"&gt;<\/code><br \/> With:<br \/> <code>&lt;Server port=\"-1\" shutdown=\"SHUTDOWN\"&gt;<\/code><br \/> Replace:<br \/> <code>autoDeploy=\"true\"<\/code><br \/> With:<br \/> <code>autoDeploy=\"false\"<\/code><\/li>\n<li>Create using VI, the file error.jsp inside the application directory (example: <span style=\"color: 
#0000ff\">\/opt\/tomcat\/webapps\/ROOT\/error.jsp<\/span>) with the following content:<br \/> <code>&lt;html&gt;<br \/> &lt;head&gt;<br \/> &lt;title&gt;404-Page Not Found&lt;\/title&gt;<br \/> &lt;\/head&gt;<br \/> &lt;body&gt; The requested URL was not found on this server. &lt;\/body&gt;<br \/> &lt;\/html&gt;<\/code><\/li>\n<li>Edit using VI, the file <span style=\"color: #0000ff\">\/opt\/tomcat\/conf\/web.xml<\/span> and add the following sections, before the end of the &#8220;<span style=\"color: #0000ff\">web-app<\/span>&#8221; tag:<br \/> <code>&lt;error-page&gt;<br \/> &lt;error-code&gt;400&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;401&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;403&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;404&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;405&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;410&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;411&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;412&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;413&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> 
&lt;error-code&gt;408&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;error-page&gt;<br \/> &lt;error-code&gt;500&lt;\/error-code&gt;<br \/> &lt;location&gt;\/error.jsp&lt;\/location&gt;<br \/> &lt;\/error-page&gt;<br \/> &lt;!-- Define a Security Constraint on this Application --&gt;<br \/> &lt;security-constraint&gt;<br \/> &lt;web-resource-collection&gt;<br \/> &lt;web-resource-name&gt;HTMLManger and Manager command&lt;\/web-resource-name&gt;<br \/> &lt;url-pattern&gt;\/jmxproxy\/*&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/html\/*&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/list&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/sessions&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/start&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/stop&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/install&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/remove&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/deploy&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/undeploy&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/reload&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/save&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/serverinfo&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/status\/*&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/roles&lt;\/url-pattern&gt;<br \/> &lt;url-pattern&gt;\/resources&lt;\/url-pattern&gt;<br \/> &lt;\/web-resource-collection&gt;<br \/> &lt;auth-constraint&gt;<br \/> &lt;role-name&gt;manager&lt;\/role-name&gt;<br \/> &lt;\/auth-constraint&gt;<br \/> &lt;\/security-constraint&gt;<\/code><\/li>\n<li>Create using VI, the file <span style=\"color: #0000ff\">\/etc\/init.d\/tomcat<\/span>, with the following content:<br \/> <code>#!\/bin\/bash<br \/> # description: Tomcat Start Stop Restart<br \/> # processname: tomcat<br \/> # chkconfig: 234 20 80<br \/> JAVA_HOME=<span style=\"color: #0000ff\">\/usr\/java\/jdk1.8.0_45<\/span><br \/> export JAVA_HOME<br \/> PATH=$JAVA_HOME\/bin:$PATH<br \/> 
export PATH<br \/> CATALINA_HOME=\/opt\/tomcat\/bin<br \/> case $1 in<br \/> start)<br \/> \/bin\/su tomcat $CATALINA_HOME\/startup.sh<br \/> ;;<br \/> stop)<br \/> \/bin\/su tomcat $CATALINA_HOME\/shutdown.sh<br \/> ;;<br \/> restart)<br \/> \/bin\/su tomcat $CATALINA_HOME\/shutdown.sh<br \/> \/bin\/su tomcat $CATALINA_HOME\/startup.sh<br \/> ;;<br \/> esac<br \/> exit 0<\/code><br \/> Note: Update the &#8220;<span style=\"color: #0000ff\">JAVA_HOME<\/span>&#8221; path according to the installed JDK build.<\/li>\n<li>Change the permissions on the tomcat script:<br \/> <code>chmod 755 \/etc\/init.d\/tomcat<\/code><\/li>\n<li>To start the Tomcat service at server start-up, run the command:<br \/> <code>chkconfig tomcat on<\/code><\/li>\n<li>To manually start the Tomcat service, use the command:<br \/> <code>service tomcat start<\/code><\/li>\n<li>Configure IPTables:<br \/> <code>service iptables stop<br \/> iptables -P INPUT DROP<br \/> iptables -A INPUT -i lo -j ACCEPT<br \/> iptables -A OUTPUT -o lo -j ACCEPT<br \/> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<\/code><\/li>\n<li>Allow SSH access from the internal segment (e.g. <span style=\"color: #0000ff\">10.0.0.0\/8<\/span>)<br \/> <code>iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s <span style=\"color: #0000ff\">10.0.0.0\/8<\/span> -j ACCEPT<\/code><br \/> Note: Replace <span style=\"color: #0000ff\">10.0.0.0\/8<\/span> with the internal segment and subnet mask.<\/li>\n<li>Allow HTTP (port 8080\/TCP) access from the Internet on the public interface (e.g. 
<span style=\"color: #0000ff\">eth0<\/span>)<br \/> <code>iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i <span style=\"color: #0000ff\">eth0<\/span> -j ACCEPT<\/code><br \/> Note: Replace <span style=\"color: #0000ff\">eth0<\/span> with the public interface name.<\/li>\n<li>Save the IPTables settings:<br \/> <code>service iptables save<\/code><\/li>\n<\/ol>\n<p><strong>SSL Configuration Phase<\/strong><\/p>\n<ol>\n<li>Log in to the server using the root account.<\/li>\n<li>Create a folder for the SSL certificate files:<br \/> <code>mkdir -p \/opt\/tomcat\/ssl<br \/> chown -R tomcat:tomcat \/opt\/tomcat\/ssl<br \/> chmod -R 755 \/opt\/tomcat\/ssl<\/code><\/li>\n<li>Run the command below to generate a key store:<br \/> <code>\/usr\/java\/jdk1.8.0_45\/bin\/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore \/opt\/tomcat\/ssl\/server.key -storepass <span style=\"color: #0000ff\">ComplexPassword<\/span> -validity 1095 -alias \"<span style=\"color: #0000ff\">FQDN_Name<\/span>\"<\/code><br \/> Note 1: The command above should be written as one line.<br \/> Note 2: Replace <span style=\"color: #0000ff\">ComplexPassword<\/span> with your own complex password.<br \/> Note 3: Replace &#8220;<span style=\"color: #0000ff\">FQDN_Name<\/span>&#8221; with the server DNS name.<\/li>\n<li>Run the command below to generate a CSR (certificate request):<br \/> <code>\/usr\/java\/jdk1.8.0_45\/bin\/keytool -certreq -keyalg \"RSA\" -file \/tmp\/tomcat.csr -keystore \/opt\/tomcat\/ssl\/server.key -storepass <span style=\"color: #0000ff\">ComplexPassword<\/span> -alias \"<span style=\"color: #0000ff\">FQDN_Name<\/span>\"<\/code><br \/> Note 1: The command above should be written as one line.<br \/> Note 2: Replace <span style=\"color: #0000ff\">ComplexPassword<\/span> with your own complex password.<br \/> Note 3: Replace &#8220;<span style=\"color: #0000ff\">FQDN_Name<\/span>&#8221; with the server DNS name.<\/li>\n<li>Send the file <span style=\"color: 
#0000ff\">\/tmp\/tomcat.csr<\/span> to a Certificate Authority server.<\/li>\n<li>As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with &#8220;Begin&#8221; and ending with &#8220;End&#8221; (including those two lines) into Notepad, and save the file as &#8220;<span style=\"color: #0000ff\">server.crt<\/span>&#8221;.<\/li>\n<li>Copy the file &#8220;<span style=\"color: #0000ff\">server.crt<\/span>&#8221; using SCP into <span style=\"color: #0000ff\">\/opt\/tomcat\/ssl<\/span><\/li>\n<li>Follow the link in the email from the CA server to create the Root CA chain, and save it as &#8220;<span style=\"color: #0000ff\">ca-bundle.crt<\/span>&#8221; (Note: The file must be PEM (base64) encoded).<\/li>\n<li>Copy the file &#8220;<span style=\"color: #0000ff\">ca-bundle.crt<\/span>&#8221; using SCP into <span style=\"color: #0000ff\">\/opt\/tomcat\/ssl<\/span><\/li>\n<li>Run the command below to import the trusted root CA public certificate:<br \/> <code>\/usr\/java\/jdk1.8.0_45\/bin\/keytool -import -alias \"<span style=\"color: #0000ff\">root<\/span>\" -keystore \/opt\/tomcat\/ssl\/server.key -storepass <span style=\"color: #0000ff\">ComplexPassword<\/span> -trustcacerts -file \/opt\/tomcat\/ssl\/ca-bundle.crt<\/code><br \/> Note 1: The command above should be written as one line.<br \/> Note 2: Replace <span style=\"color: #0000ff\">ComplexPassword<\/span> with your own complex password.<br \/> Note 3: The CA certificate must be stored under its own alias (&#8220;<span style=\"color: #0000ff\">root<\/span>&#8221; here); reusing the server key alias &#8220;<span style=\"color: #0000ff\">FQDN_Name<\/span>&#8221; would make keytool treat the CA certificate as a certificate reply for the server key, and the import would fail.<\/li>\n<li>Run the command below to import the signed public key into the key store, under the same alias that was used when the key store was generated:<br \/> <code>\/usr\/java\/jdk1.8.0_45\/bin\/keytool -import -alias \"<span style=\"color: #0000ff\">FQDN_Name<\/span>\" -keystore \/opt\/tomcat\/ssl\/server.key -storepass <span style=\"color: #0000ff\">ComplexPassword<\/span> -trustcacerts -file \/opt\/tomcat\/ssl\/server.crt<\/code><br \/> Note 1: The command above should be written as one line.<br \/> Note 2: Replace &#8220;<span style=\"color: #0000ff\">FQDN_Name<\/span>&#8221; with the server DNS name.<br \/> Note 3: Replace <span style=\"color: 
#0000ff\">ComplexPassword<\/span> with your own complex password.<\/li>\n<li>Stop the Tomcat service:<br \/> <code>service tomcat stop<\/code><\/li>\n<li>Edit using VI, the file <span style=\"color: #0000ff\">\/opt\/tomcat\/conf\/server.xml<\/span> and add the section below:<br \/> <code>&lt;Connector port=\"8443\"<br \/> protocol=\"HTTP\/1.1\"<br \/> maxThreads=\"150\"<br \/> xpoweredBy=\"false\"<br \/> allowTrace=\"false\"<br \/> SSLEnabled=\"true\"<br \/> scheme=\"https\"<br \/> secure=\"true\"<br \/> keystoreFile=\"\/opt\/tomcat\/ssl\/server.key\"<br \/> keystorePass=\"<span style=\"color: #0000ff\">ComplexPassword<\/span>\"<br \/> keyAlias=\"<span style=\"color: #0000ff\">FQDN_Name<\/span>\"<br \/> clientAuth=\"false\"<br \/> ciphers=\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA\"<br \/> sslEnabledProtocols=\"TLSv1,TLSv1.1,TLSv1.2\" \/&gt;<\/code><br \/> Note 1: Replace <span style=\"color: #0000ff\">ComplexPassword<\/span> with your own complex password.<br \/> Note 2: Replace 
&#8220;<span style=\"color: #0000ff\">FQDN_Name<\/span>&#8221; with the server DNS name.<\/li>\n<li>Edit using VI, the file <span style=\"color: #0000ff\">\/opt\/tomcat\/conf\/web.xml<\/span> and add the following section, before the end of the &#8220;<span style=\"color: #0000ff\">web-app<\/span>&#8221; tag (the user-data-constraint must be wrapped in a security-constraint that covers the whole application, otherwise it has no effect):<br \/> <code>&lt;security-constraint&gt;<br \/> &lt;web-resource-collection&gt;<br \/> &lt;web-resource-name&gt;Entire Application&lt;\/web-resource-name&gt;<br \/> &lt;url-pattern&gt;\/*&lt;\/url-pattern&gt;<br \/> &lt;\/web-resource-collection&gt;<br \/> &lt;user-data-constraint&gt;<br \/> &lt;description&gt;<br \/> Constrain the user data transport for the whole application<br \/> &lt;\/description&gt;<br \/> &lt;transport-guarantee&gt;CONFIDENTIAL&lt;\/transport-guarantee&gt;<br \/> &lt;\/user-data-constraint&gt;<br \/> &lt;\/security-constraint&gt;<\/code><\/li>\n<li>Edit using VI, the file <span style=\"color: #0000ff\">\/opt\/tomcat\/conf\/context.xml<\/span> and add the following attribute (the name is case sensitive) to the Context tag:<br \/> <code>useHttpOnly=\"true\"<\/code><\/li>\n<li>Allow HTTPS (port 8443\/TCP) access from the Internet on the public interface (e.g. <span style=\"color: #0000ff\">eth0<\/span>)<br \/> <code>iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i <span style=\"color: #0000ff\">eth0<\/span> -j ACCEPT<\/code><br \/> Note: Replace <span style=\"color: #0000ff\">eth0<\/span> with the public interface name.<\/li>\n<li>Save the IPTables settings:<br \/> <code>service iptables save<\/code><\/li>\n<li>To manually start the Tomcat service, use the command:<br \/> <code>service tomcat start<\/code><\/li>\n<\/ol>\n<p>The original post can be found at <a href=\"http:\/\/security-24-7.com\/hardening-guide-for-tomcat-8-on-redhat-6-5-64bit-edition\/\" title=\"http:\/\/security-24-7.com\/hardening-guide-for-tomcat-8-on-redhat-6-5-64bit-edition\/\" target=\"_blank\">http:\/\/security-24-7.com\/hardening-guide-for-tomcat-8-on-redhat-6-5-64bit-edition\/<\/a><\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2450\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: eyalestrin | Date: Thu, 07 May 2015 18:30:34 +0000<\/strong><\/p>\n<p>This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack. Some of the features explained in this document are supported by only some of the Internet &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2450\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Hardening guide for Tomcat 8 on RedHat 6.5 (64bit 
edition)<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10755],"class_list":["post-14373","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-commentary"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14373"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14373\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14373"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}