Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)
Credit to Author: eyalestrin | Date: Thu, 07 May 2015 18:30:34 +0000
This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST attack and the CRIME attack.
Some of the features explained in this document are supported only by some Internet browsers:
- TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default, must be enabled), Firefox 24.0 (disabled by default, must be enabled), Chrome 30, Opera 17, Safari 5.0
- Installation phase
- Login to the server using Root account.
- Create a new account:
groupadd tomcat
useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
- Download the latest JDK8 for Linux from:
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
- Upgrade to the latest build of Oracle JDK:
rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
- Delete the JDK8 source files:
rm -rf /tmp/jdk-8u45-linux-x64.rpm
rm -rf /usr/java/jdk1.8.0_45/src.zip
- Download the latest Tomcat 8 files:
cd /opt
wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
- Extract the Tomcat files:
tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
- Rename the Tomcat folder:
mv /opt/apache-tomcat-8.0.21 /opt/tomcat
- Remove default content:
rm -rf /opt/apache-tomcat-8.0.21.tar.gz
rm -rf /opt/tomcat/webapps/docs
rm -rf /opt/tomcat/webapps/examples
rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
rm -rf /opt/tomcat/webapps/host-manager
rm -rf /opt/tomcat/webapps/manager
rm -rf /opt/tomcat/work/Catalina/localhost/docs
rm -rf /opt/tomcat/work/Catalina/localhost/examples
rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
rm -rf /opt/tomcat/work/Catalina/localhost/manager
- Change folder ownership and permissions:
chown -R tomcat.tomcat /opt/tomcat
chmod g-w,o-rwx /opt/tomcat
chmod g-w,o-rwx /opt/tomcat/conf
chmod o-rwx /opt/tomcat/logs
chmod o-rwx /opt/tomcat/temp
chmod g-w,o-rwx /opt/tomcat/bin
chmod g-w,o-rwx /opt/tomcat/webapps
chmod 770 /opt/tomcat/conf/catalina.policy
chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
chmod g-w,o-rwx /opt/tomcat/conf/context.xml
chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
chmod g-w,o-rwx /opt/tomcat/conf/server.xml
chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
chmod g-w,o-rwx /opt/tomcat/conf/web.xml
- Move to the folder /opt/tomcat/lib:
cd /opt/tomcat/lib
- Extract the file catalina.jar
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
Replace the string below from:
server.info=Apache Tomcat/8.0.21
To:
server.info=Secure Web server
Replace the string below from:
server.number=8.0.21.0
To:
server.number=1.0.0.0
Replace the string below from:
server.built=Mar 23 2015 14:11:21 UTC
To:
server.built=Jan 01 2000 00:00:00 UTC
- Move to the folder /opt/tomcat/lib
cd /opt/tomcat/lib
- Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Remove the folder below:
rm -rf /opt/tomcat/lib/org
- Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes:
Replace the:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
To:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
xpoweredBy="false"
allowTrace="false"
redirectPort="8443" />
Replace the:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="-1" shutdown="SHUTDOWN">
Replace the:
autoDeploy="true"
To:
autoDeploy="false"
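As an added example (not part of the original guide), the script below audits a server.xml against the settings this step changes: shutdown port -1, autoDeploy="false", and xpoweredBy="false" / allowTrace="false" on every active Connector. It only needs awk, so it runs on a stock RedHat 6.5 box. The function names, the exit-status convention and the two sample files it builds are my own choices; the samples are constructed to mirror the "before" and "after" of the edits above.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a Tomcat server.xml
# against the settings this step changes (shutdown port -1, autoDeploy="false",
# and xpoweredBy="false" / allowTrace="false" on every active Connector).
# Only awk is used, so it runs on a stock RedHat 6.5 box.

# audit_server_xml FILE
# Prints one FAIL line per deviation; exit status = number of findings.
audit_server_xml() {
    awk '
    BEGIN { RS = "<"; findings = 0; in_comment = 0 }
    # attr(name): value of name="..." in the current element, "" if absent
    function attr(name,   m) {
        if (match($0, "[ \t\n]" name "=\"[^\"]*\"")) {
            m = substr($0, RSTART, RLENGTH)         # e.g.  port="8080"
            m = substr(m, index(m, "\"") + 1)       # drop  port="
            return substr(m, 1, length(m) - 1)      # drop closing quote
        }
        return ""
    }
    # Skip everything inside <!-- ... --> so commented-out connectors are ignored
    in_comment { if (index($0, "-->")) in_comment = 0; next }
    /^!--/     { if (!index($0, "-->")) in_comment = 1; next }
    /^Server[ \t\n]/ {
        if (attr("port") != "-1") {
            print "FAIL: shutdown port is " attr("port") " (expected -1)"; findings++
        }
    }
    /^Host[ \t\n]/ {
        if (attr("autoDeploy") != "false") {
            print "FAIL: Host " attr("name") " has autoDeploy enabled"; findings++
        }
    }
    /^Connector[ \t\n]/ {
        p = attr("port")
        if (attr("xpoweredBy") != "false") { print "FAIL: connector " p " lacks xpoweredBy=\"false\""; findings++ }
        if (attr("allowTrace") != "false") { print "FAIL: connector " p " lacks allowTrace=\"false\""; findings++ }
    }
    END { if (findings == 0) print "OK: server.xml matches the baseline"; exit findings }
    ' "$1"
}

# write_sample_server_xml default|hardened FILE
# Constructed fixtures mirroring the "before" and "after" of the edits above.
write_sample_server_xml() {
    if [ "$1" = hardened ]; then
        shutdown_port=-1; auto_deploy=false
        hardening='
               xpoweredBy="false"
               allowTrace="false"'
    else
        shutdown_port=8005; auto_deploy=true; hardening=''
    fi
    cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Server port="$shutdown_port" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"$hardening
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="$auto_deploy">
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

# Usage: sh audit.sh /opt/tomcat/conf/server.xml ; with no argument, run the demo fixtures.
if [ "$#" -gt 0 ]; then
    audit_server_xml "$1"
else
    for variant in default hardened; do
        f=$(mktemp)
        write_sample_server_xml "$variant" "$f"
        echo "== $variant server.xml =="
        audit_server_xml "$f" || :
        rm -f "$f"
    done
fi
```

The check reports every Connector that is not commented out, so if the AJP connector on port 8009 that ships in the default server.xml is still active it will show up too; the guide's edits only touch the 8080 connector.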
- Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content:
<html>
<head>
<title>404-Page Not Found</title>
</head>
<body> The requested URL was not found on this server. </body>
</html>
- Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
<error-page>
<error-code>400</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>405</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>410</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>411</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>412</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>413</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error.jsp</location>
</error-page>
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManger and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
- Create using VI, the file /etc/init.d/tomcat, with the following content:
#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
JAVA_HOME=/usr/java/jdk1.8.0_45
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/opt/tomcat
# Tomcat is always started and stopped as the unprivileged "tomcat" user, never as root
case "$1" in
start)
/bin/su tomcat -c "$CATALINA_HOME/bin/startup.sh"
;;
stop)
/bin/su tomcat -c "$CATALINA_HOME/bin/shutdown.sh"
;;
restart)
/bin/su tomcat -c "$CATALINA_HOME/bin/shutdown.sh"
/bin/su tomcat -c "$CATALINA_HOME/bin/startup.sh"
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0
Note: Update the “JAVA_HOME” path according to the installed JDK build.
- Change the permission on the tomcat script:
chmod 755 /etc/init.d/tomcat
- To start Tomcat service at server start-up, run the command:
chkconfig tomcat on
- To manually start the Tomcat service, use the command:
service tomcat start
- Configure IPTables:
service iptables stop
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Allow SSH access from the internal segment (i.e. 10.0.0.0/8):
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
- Allow HTTP (port 8080/TCP) access from the Internet on the public interface (i.e. eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- SSL Configuration Phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /opt/tomcat/ssl
chown -R tomcat:tomcat /opt/tomcat/ssl
chmod -R 755 /opt/tomcat/ssl
- Run the command below to generate a key store:
/usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password (omit -storepass to be prompted for it instead of leaving it in the shell history).
Note 3: Replace “FQDN_Name” with the server DNS name.
- Run the command below to generate a CSR (certificate request):
/usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name (the same alias used when generating the key store).
- Send the file /tmp/tomcat.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (including those two lines) into notepad, and save the file as “server.crt”
- Copy the file “server.crt” using SCP into /opt/tomcat/ssl
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl
- Run the command below to import the trusted root CA chain into the key store, under its own alias:
/usr/java/jdk1.8.0_45/bin/keytool -import -alias "root" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crt
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: The alias used for the CA chain ("root" here) must differ from the key alias “FQDN_Name”; if the chain is imported under the key alias, keytool treats it as a certificate reply for that key and the import fails.
- Run the command below to import the signed public key into the key store, under the alias of the key it was issued for:
/usr/java/jdk1.8.0_45/bin/keytool -import -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -alias "FQDN_Name" -file /opt/tomcat/ssl/server.crt
Note 1: The command above should be written as one line.
Note 2: Replace ComplexPassword with your own complex password.
Note 3: Replace “FQDN_Name” with the server DNS name (the same alias used when generating the key store).
- Stop the Tomcat service:
service tomcat stop
- Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below:
<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="150"
xpoweredBy="false"
allowTrace="false"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="/opt/tomcat/ssl/server.key"
keystorePass="ComplexPassword"
keyAlias="FQDN_Name"
clientAuth="false"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
Note 1: Replace ComplexPassword with your own complex password.
Note 2: Replace “FQDN_Name” with the server DNS name.
- Edit using VI, the file /opt/tomcat/conf/web.xml and add the following section, before the end of the “web-app” tag:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: A user-data-constraint is only valid inside a security-constraint; the web-resource-collection above applies the CONFIDENTIAL guarantee to every URL.
- Edit using VI, the file /opt/tomcat/conf/context.xml and add the following attribute to the Context tag (the attribute name is case-sensitive):
useHttpOnly="true"
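As an added example (not part of the original guide), the script below pulls the ciphers and sslEnabledProtocols values out of the HTTPS connector configured above and reports the entries a reviewer usually wants to reconsider: protocols older than TLS 1.2, suites without forward secrecy (static TLS_ECDH_* key exchange), 3DES suites, and CBC suites as opposed to AEAD (GCM) ones. It needs only sh, sed, grep and tr. The function names and the report format are my own; the sample connector it writes is constructed from the one shown in this section.

```shell
#!/bin/sh
# Added example, not part of the original guide: extract the ciphers and
# sslEnabledProtocols values of a Tomcat HTTPS connector and report the
# entries worth reviewing. Pure sh plus sed/grep/tr, so it runs on RedHat 6.5.

# connector_attr FILE ATTR -> value of ATTR (assumes attr="..." sits on its
# own line, as in the connector above)
connector_attr() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# flag_protocols "TLSv1,TLSv1.1,TLSv1.2" -> prints each protocol older than TLSv1.2
flag_protocols() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E '^(SSLv2Hello|SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# flag_ciphers "A,B,C" -> one line "<suite> <reasons>" per suite worth reviewing:
#   no-forward-secrecy : static ECDH key exchange (TLS_ECDH_*, not TLS_ECDHE_*)
#   3des               : 64-bit block cipher
#   cbc                : CBC/HMAC suite rather than an AEAD (GCM) one
flag_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        reasons=""
        case "$suite" in TLS_ECDH_*) reasons="$reasons no-forward-secrecy";; esac
        case "$suite" in *_3DES_*)   reasons="$reasons 3des";; esac
        case "$suite" in *_CBC_*)    reasons="$reasons cbc";; esac
        if [ -n "$reasons" ]; then printf '%s%s\n' "$suite" "$reasons"; fi
    done
}

# audit_ssl_connector FILE -> human-readable report for the connector in FILE
audit_ssl_connector() {
    echo "Protocols below TLSv1.2 still enabled:"
    flag_protocols "$(connector_attr "$1" sslEnabledProtocols)"
    echo "Cipher suites worth reviewing:"
    flag_ciphers "$(connector_attr "$1" ciphers)"
}

# write_sample_connector FILE: constructed fixture, the connector from this section
write_sample_connector() {
    cat > "$1" <<'EOF'
<Connector port="8443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="/opt/tomcat/ssl/server.key"
    keystorePass="ComplexPassword"
    keyAlias="FQDN_Name"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
EOF
}

# Usage: sh audit-ssl.sh /opt/tomcat/conf/server.xml ; with no argument, run the fixture.
if [ "$#" -gt 0 ]; then
    audit_ssl_connector "$1"
else
    f=$(mktemp); write_sample_connector "$f"; audit_ssl_connector "$f"; rm -f "$f"
fi
```

On the 28-suite list above, only the four ECDHE GCM suites come back without a remark. GCM suites exist only in TLS 1.2, so how far the list and sslEnabledProtocols can be tightened is decided by the browser-support note at the top of the guide.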
- Allow HTTPS (port 8443/TCP) access from the Internet on the public interface (i.e. eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- To manually start the Tomcat service, use the command:
service tomcat start
- The original post can be found at http://security-24-7.com/hardening-guide-for-tomcat-8-on-redhat-6-5-64bit-edition/