-------------- Comments added by users ------ Date: Mon, 29 Jan 2001 17:49:48 +0100 From: GOMEZ HenriTo: tomcat-user@jakarta.apache.org Cc: Jan Labanowski Subject: RE: Installation logs for Tomcat 3.2.1 and Apache 1.3.14 for RedH at 7.0 Did you know there is build RPM for Tomcat at jakarta.apache.org ? http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/rpms/ [ * added by jkl... as the versions change, the pointers change. For example, * at this moment (2001/08/01) this link is: * http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.3/rpms/ ] You may add a note in your documents. PS: mod_jk and mo_jserv are in tomcat-mod RPM ;-) Regards ---------------------------------------------- Date: Sat, 10 Mar 2001 00:52:20 -0500 (EST) From: Jan Labanowski To: aras Cc: Jan Labanowski Subject: Re: Linux Red Hat 7.0, Apache (1.3.14), Tomcat 3.2.1, mod_jk Steve, Thank you for your comments... I will try to answer some of these below and add them to the file http://www.ccl.net/cca/software/UNIX/apache/apacheRH7.0httpd/README.html Jan Jan K. Labanowski | phone: 614-292-9279, FAX: 614-292-7168 Ohio Supercomputer Center | Internet: jkl@ccl.net 1224 Kinnear Rd, | http://www.ccl.net/chemistry.html Columbus, OH 43212-1163 | http://www.ccl.net/ On Fri, 9 Mar 2001, aras wrote: >.... the intro deleted ... > > In step 9 you got JAXP. Exactly what is it for? Does TomCat use > jaxp.jar and/or parser.jar in parsing out web.xml and server.xml? If > so, How is it called? There is a lot of XML parsing in Tomcat. And beside, the ANT is used to build Tomcat, and build files of ANT are XML files. In jakarta-tomcat-3.2.1-src/src/j2ee/org/apache/tomcat/util/XMLParser.java the XML validating parser from JAXP is used to parse web.xml and server.xml. > > > The files you suggest for testing jaxp, in step 12, wern't in my jaxp > dir, so I used DOMEcho. I think it's the same stuff. Because in the meantime, the JAXP Early Access 1.1 became Final JAXP 1.1, which is different. > > > In step 17 I received many errors from tomcat.sh, that complained about > the ==. I'm using bash. I don't think bash has a == operator. man bash under CONDITIONAL EXPRESSIONS section: string1 == string2 True if the strings are equal. = may be used in place of ==. Are you sure you are using bash? Do you have a link in /bin sh -> bash > I > changed all the == back to a single = . The other part I didn't > understand was your use of the :- operator. I thought its use was > such: echo $TOMCAT_HOME:-'TomCat var not defined' Again man bash says under Parameter Expansion. ${parameter:-word} Use Default Values. If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted. I like this one since it has smiley face... In this case, if TOMCAT_HOME is defined, it expands to the content of ${TOMCAT_HOME}, and it TOMCAT_HOME is not defined, it expands to empty string, i.e., "". The way people do it usually is: if [ "x${TOMCAT_HOME}" == "x" ] ; then do stuff when TOMCAT_HOME not set or empty else do stuff when TOMCAT_HOME is set and nonempty fi > You have code like this ${TOMCAT_HOME:-} I don't get it. I changed it > to ${TOMCAT_HOME:-'blah/blah/tomcat'} I don't know if I'm right, and I > actually thought I should use the := operator so it would set the env > var. You cannot set the TOMCAT_HOME (if not set) in the conditional since you do not know. What they do is: if [ "${TOMCAT_HOME:-}" == "" ] ; then # try to find tomcat if [ -d ${HOME}/opt/tomcat/conf ] ; then TOMCAT_HOME=${HOME}/opt/tomcat echo "Defaulting TOMCAT_HOME to $TOMCAT_HOME" fi if [ -d /opt/tomcat/conf ] ; then TOMCAT_HOME=/opt/tomcat echo "Defaulting TOMCAT_HOME to $TOMCAT_HOME" fi # Add other "standard" locations for tomcat fi > > In step 19 I recieved an error stating "bad user name apache" I figured > maybe it was in httpd.conf so I added the user apache and that seemed to > go away. Why the user apache? Benefits? Good point!!! This is probably because you did not install RH7.0 from scratch, but upgraded from the previous linux installation of RH, and previous version of Linux and Apache used user/group nobody for apache. Starting from RH7.0 the default user which runs apache is "apache" and is included in the default /etc/passwd and /etc/group created during installation. apache:x:48:48:Apache:/var/www:/bin/false (in /etc/passwd). apache:x:48: (in /etc/group). You probably should add these entries to respective files, or change apache to nobody in the default httpd.conf. > > Lastly, in step 23 you added to new users. I'm guessing security. You > tried to explain the need for tcsh but I still don't understand. I > thought it was becasue the c files you wrote in step 26. Is there > someting tcsh provides that bash does not? Yes, it is for security reason. Apache server starts as root (usually) and then it spawns the children which run as user/group specified in the httpd.conf file. If it was running as root serving requests, it would be a substantial security risk. When someone gains access to your computer through some untidy CGI script or servlet as nobody, apache, or webrun (in my case), they cannnot do much harm. But if they were root, they can change your password file, install trojan horses, you name it... So the idea is to run the processes of tomcat and apache servers as some users with very few privileges, which do not own many files (they only need to own log files, since they have to write to them). > > > Again, thanks for your time. > > > Best regards, > > Steve > --------------------------------------------------------------------------- This is a log of my installation of precompiled Apache DSO with SSL, MM, and Tomcat 3.2.1 final (binary distribution) and EA JAXP 1.1 on RedHat Linux 7.0, Kernel 2.2.16-22, with updates up to 2000.12.31. In this case, I am using the Apache server which came with original RedHat 7.0 Linux distribution rather than compiling Apache from source. This memo was originally written around Jan 15, 2001 Few terms: Apache -- the Web Server DSO -- Dynamic Shared Object (additional modules can be added/updated to Apache without the need to recompile the whole thing, similar to shared libraries, but DSO modules are not only called, but can also call routines within Apache) MM -- memory management or something like that - an add-on to Apache and its modules to communicate via shared memory rather than files (faster). SSL -- Secure Socket Layer - the encryption and certificate package which works with Apache Tomcat -- the Java Server Pages (JSP) and Servlet container which uses the Java Servlets spec 2.2, and the JSP spec 1.1. It is still being actively developed and has some "features", but is quite stable. People complain about mod_jk and ajp13 occassionally. You may want to read my FAQ on Tomcat 3.1 beta 1. since it will be easier to follow this installation log. It is available at: http://www.ccl.net/cca/software/UNIX/apache/tomcat3.1b1-faq.html I assume that you will use this document simply by grabbing the UNIX commands from the browser window, and pasting them into your xterm or whatever. The Unix commands are in italic. I assume that you have moderately latest GNU tools (gmake, gzip, etc...) installed and you also have a recent version of perl installed ( http://www.cpan.org/src/index.html ). These should have come with your RH Linux distribution. You can also get the wget utility from ftp://ftp.gnu.org/pub/gnu/wget/ and install it (it is at ver 1.6 now): get wget-1.6.tar.gz and move it to directory /usr/local/uploads or the one you like the most, e.g.; /tmp. gtar zxvf wget-1.6.tar.gz cd wget-1.6 ./configure make make install and make sure it is in your PATH variable. It is usually installed in /usr/local/bin by default. But check... Type wget alone on the command line, and if it tells you that your URL is missing, you are OK. Be a root... Run ksh or other sh (e.g., bash), but not C-shell. Install all the updates available for the Linux (e.g., go to the site: http://rpmfind.net. I installed the following updates. You probably do not need all of them. But it never hurts to update (I am not talking about MS updates, here...{:-)). The ones marked bold are strongly recommended updates rpm -Uhv LPRng-3.6.24-2.i386.rpm rpm -Uhv apache-1.3.14-3.i386.rpm \ apache-devel-1.3.14-3.i386.rpm \ apache-manual-1.3.14-3.i386.rpm \ mod_perl-1.24-6.i386.rpm \ mod_ssl-2.7.1-3.i386.rpm rpm -Uhv auth_ldap-1.4.5-1.i386.rpm rpm -Uhv bind-8.2.2_P7-1.i386.rpm bind-devel-8.2.2_P7-1.i386.rpm \ bind-utils-8.2.2_P7-1.i386.rpm rpm -Uhv cpp-2.96-69.i386.rpm rpm -Uhv cyrus-sasl-1.5.24-11.i386.rpm cyrus-sasl-1.5.24-11.src.rpm rpm -Uhv e2fsprogs-1.18-16.i386.rpm e2fsprogs-devel-1.18-16.i386.rpm rpm -Uhv ed-0.2-19.i386.rpm rpm -Uhv emacs-20.7-17.i386.rpm emacs-X11-20.7-17.i386.rpm \ emacs-el-20.7-17.i386.rpm emacs-leim-20.7-17.i386.rpm \ emacs-nox-20.7-17.i386.rpm rpm -Uhv fetchmail-5.5.0-3.i386.rpm fetchmailconf-5.5.0-3.i386.rpm rpm -Uhv gcc-2.96-69.i386.rpm gcc-c++-2.96-69.i386.rpm \ gcc-chill-2.96-69.i386.rpm gcc-g77-2.96-69.i386.rpm \ gcc-objc-2.96-69.i386.rpm rpm -Uhv ghostscript-5.50-8.i386.rpm rpm -Uhv glibc-2.2-12.i386.rpm glibc-common-2.2-12.i386.rpm \ glibc-devel-2.2-12.i386.rpm glibc-profile-2.2-12.i386.rpm rpm -Uhv imap-2000-3.i386.rpm imap-devel-2000-3.i386.rpm rpm -Uhv iputils-20001010-1.i386.rpm rpm -Uhv joe-2.8-43.i386.rpm rpm -Uhv kpackage-1.3.10-7.i386.rpm rpm -Uhv libstdc++-2.96-69.i386.rpm libstdc++-devel-2.96-69.i386.rpm rpm -Uhv mod_dav-1.0.2-2.i386.rpm rpm -Uhv modutils-2.3.21-1.i386.rpm rpm -Uhv mount-2.10m-6.i386.rpm rpm -Uhv mysql-3.23.29-1.i386.rpm mysql-devel-3.23.29-1.i386.rpm \ mysql-server-3.23.29-1.i386.rpm rpm -Uhv mysqlclient9-3.23.22-3.i386.rpm rpm -Uhv ncurses-5.2-2.i386.rpm ncurses-devel-5.2-2.i386.rpm rpm -Uhv netscape-common-4.76-1.i386.rpm \ netscape-communicator-4.76-1.i386.rpm \ netscape-navigator-4.76-1.i386.rpm rpm -Uhv nscd-2.2-12.i386.rpm rpm -Uhv nss_ldap-122-1.7.i386.rpm nss_ldap-122-1.7.src.rpm rpm -Uhv openssh-2.3.0p1-4.i386.rpm openssh-askpass-2.3.0p1-4.i386.rpm \ openssh-askpass-gnome-2.3.0p1-4.i386.rpm \ openssh-clients-2.3.0p1-4.i386.rpm \ openssh-server-2.3.0p1-4.i386.rpm rpm -Uhv pam-0.72-37.i386.rpm rpm -Uhv pine-4.30-2.i386.rpm rpm -Uhv python-xmlrpc-1.2.1-1.i386.rpm rpm -Uhv rp-pppoe-2.5-1.i386.rpm rp-pppoe-2.5-1.src.rpm rpm -Uhv slocate-2.4-1.i386.rpm rpm -Uhv stunnel-3.10-2.i386.rpm rpm -Uhv sysklogd-1.3.33-8.i386.rpm rpm -Uhv sysstat-3.2.4-5.i386.rpm rpm -Uhv tcsh-6.10-1.i386.rpm rpm -Uhv tmpwatch-2.6.2-1.7.i386.rpm rpm -Uhv usermode-1.37-2.i386.rpm rpm -Uhv xinetd-2.1.8.9pre11-1.i386.rpm After you made the updates, it is a prudent thing to actually reboot the machine. 1) Install Java 1.3. I did: a) went to http://www.javasoft.com b) clicked on Products and API on the left bar c) clicked on Java 2 platform Standard edition J2SE d) Java 2 SDK Standard Edition v 1.3 e) Linux x86 f) GNUZIP Tar shell script, one large bundle -> [continue] g) Yes to license [Accept] h) j2sdk-1_3_0-linux.bin = 26,857,036 bytes -> FTP download i) I placed the file j2sdk-1_3_0-linux.bin in: /usr/local/uploads j) cd /usr/local/uploads chmod 755 j2sdk-1_3_0-linux.bin ./j2sdk-1_3_0-linux.bin k) this produced directory: /usr/local/uploads/jdk1.3 I moved this directory : mv /usr/local/uploads/jdk1.3 /usr/local/j2sdk-1_3_0 and then made a link: ln -s /usr/local/j2sdk-1_3_0 /usr/local/jdk1.3 l) set environment variables: JAVA_HOME=/usr/local/jdk1.3 export JAVA_HOME PATH=/usr/local/bin:${JAVA_HOME}/bin:${PATH} export PATH CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar export CLASSPATH 3) Installed JCE 1.2.1 Java Cryptography Extension 1.2.1 Go to: http://www.javasoft.com/products/jce/ Click on: Download JCE 1.2.1 Software, policy files, and docs This will get you: jce-1_2_1.zip mkdir /usr/local/JCE cd /usr/local/JCE cp ..../jce-1_2_1.zip . unzip jce-1_2_1.zip Then added the security provider to Java: a) copied JCE jars to lib/ext cp /usr/local/JCE/jce1.2.1/lib/*.jar /usr/local/jdk1.3/jre/lib/ext CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jce1_2_1.jar export CLASSPATH b) edited /usr/local/jdk1.3/jre/lib/security/java.security and added line: security.provider.3=com.sun.crypto.provider.SunJCE 4) Installed JSSE (JavaTM Secure Socket Extension (JSSE) 1.0.2) available from http://java.sun.com/products/jsse/ mkdir /usr/local/jsse with a browser go to: http://java.sun.com/products/jsse/ Click on domestic distribution Logged in, accepted, continue, answered Yes, Continue, downloaded jsse-1_0_2-do.zip cd /usr/local/jsse cp ..../jsse-1_0_2-do.zip . unzip jsse-1_0_2-do.zip I installed the JSSE as "installed extension" for jdk1.3 and copied them to /usr/local/jdk1.3/jre/lib/ext directory ($JAVA_HOME/jre/lib/ext): cp -p /usr/local/jsse/jsse1.0.2/lib/*jar $JAVA_HOME/jre/lib/ext CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jcert.jar CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jnet.jar CLASSPATH=${CLASSPATH}:${JAVA_HOME}/jre/lib/ext/jsse.jar export CLASSPATH Then, I registered the provider in $JAVA_HOME/jre/lib/security/java.security by adding a line: security.provider.4=com.sun.net.ssl.internal.ssl.Provider 5) If you have apache installed by default from the RH7.0 CD, or if you installed RH7.0 apache, you can skip the apache installation. If you installed some other Apache distribution or RPMs, you are on your own, since IT can be anything anywhere. My install was as: Put RH7.0 CD Nr 1 to CD DRIVE mount /mnt/cdrom cd /mnt/cdrom/RedHat/RPMS rpm -Uhv apache* rpm -Uhv mod_ssl* mod_perl* openssl* If it tells you that some package is already installed, remove it from the line and try again (e.g., openssl will most likely be installed). If it tells you that it needs a package (unsolved dependancies), add the package to the command line and try again. The RH Apache distribution places the important files in: /usr/lib/apache -- shared modules /usr/include/apache -- include files needed for compiling modules /etc/httpd -- config and authorization files /usr/sbin/httpd -- executable of httpd /usr/sbin/apxs -- executable of apxs /usr/bin/dbmmanage -- to manage database of authorized users /var/log/httpd -- apache log files /var/www/icons -- GIFs needed by Apache /var/www/html -- document root /var/www/cgi-bin -- cgi bin directory /usr/share/ssl -- SSL files needed to produce certificates 6) While RH apache comes with the test certificate installed in the /etc/httpd/conf, you need to produce a new set of self-signed certificates/keys which have your machine name as "Common Name". Otherwise the browsers will complain that your certificate name does not match the actual name of the machine. My log from Certificate creation is here. What I did was: cd /etc/httpd/conf mkdir old-keys mv ssl* old-keys mkdir ssl.key mkdir ssl.csr mkdir ssl.crt make genkey # Then, you will need to "unpassword" the keys # or you would have problems to start apache at boot time (it would # ask for the password) openssl rsa -in ssl.key/server.key -out ssl.key/server.key.unsecure cp ssl.key/server.key.unsecure ssl.key/server.key make certreq make testcert One thing to remember, is to enter the fully qualified domain name of the host on which this Apache Web server runs (in my case: pse.ccl.net) as the "Common Name". I then tarred my certificates/keys into a file: cd /etc/httpd/conf tar zcvf /usr/local/apache-certificates.tgz ssl* chmod 600 /usr/local/apache-certificates.tgz just in case, if I lost them, I can restore original certificates, without forcing users to go through the Certificate registration process in their browser. You can also copy them on the diskette and keep them safely. In my case: fdformat /dev/fd0H1440 mkfs -t msdos /dev/fd0H1440 and, assuming that you have a line: /dev/fd0 /mnt/floppy auto noauto,owner 0 0 in your /etc/fstab file, and that the directory /mnt/floppy exists, you mount it as: mount /mnt/floppy then copy your certificates: cp /usr/local/apache-certificates.tgz /mnt/floppy Unmount your diskette: umount /mnt/floppy and put the diskette in the safe place. Of course, you could also to it with Mutils, if you have them installed: mformat -f 1440 a: mcopy /usr/local/apache-server1-certificates.tgz a: mdir a: 6) You start Apache with a script which comes with the RPM: /etc/rc.d/init.d/httpd start and stop it by: /etc/rc.d/init.d/httpd stop To make apache start automatically at boot time: cd /etc/rc.d/init.d chkconfig --add httpd and check if the links for the rc.d* directories were added: chkconfig --list httpd-jkl which should give: httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off Stop apache, since you are not finshed yet. /etc/rc.d/init.d/httpd stop Installing binary distribution of Tomcat ======================================== 7) Create directory for Tomcat and set JAKARTA_HOME variable: mkdir /usr/local/jakarta_3.2.1 cd /usr/local/jakarta_3.2.1 JAKARTA_HOME=/usr/local/jakarta_3.2.1 export JAKARTA_HOME Go to Jakarta site and download binary tar balls to ${JAKARTA_HOME} wget http://jakarta.apache.org/builds/tomcat/release/v3.2.1/bin/jakarta-servletapi-3.2.tar.gz wget http://jakarta.apache.org/builds/tomcat/release/v3.2.1/bin/jakarta-tomcat-3.2.1.tar.gz I am including the local copies here: jakarta-servletapi-3.2.tar.gz jakarta-tomcat-3.2.1.tar.gz Then, I "ungnunzip-untarred" (:-)} the tar balls: tar zxvf jakarta-servletapi-3.2.tar.gz tar zxvf jakarta-tomcat-3.2.1.tar.gz 8) At this point it is probably prudent to log out and log in again as root and reset your environment variables by doing: JAVA_HOME=/usr/local/jdk1.3 export JAVA_HOME PATH=/usr/local/bin:${JAVA_HOME}/bin:${PATH} export PATH CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar export CLASSPATH JAKARTA_HOME=/usr/local/jakarta_3.2.1 export JAKARTA_HOME TOMCAT_HOME=${JAKARTA_HOME}/jakarta-tomcat-3.2.1 export TOMCAT_HOME 9) You need to get the latest JAXP (Sun API and XML parsing in Java). They have the Early Access 1.1. Take it... It has DOM2 and SAX2, while the stable JAXP 1.0 has only DOM1 and SAX1. So, go to: http://java.sun.com/xml/ click on Java API for XML Processing Reference Implementation Java API for XML Processing Reference Implementation Version 1.1 Early Access 2 Java API for XML Processing Reference Implementation version 1.1ea2 You have to be registered (I you do Java, you are registered...) Agree to whatever (but be careful, since their lawyers look for work after they finished the settlement with MS) and click on download to get: jaxp-1_1-ea2.zip = 3,095,370 bytes I have placed it in /tmp and then: cd /tmp unzip jaxp-1_1-ea2.zip mv jaxp-1.1ea2 /usr/local XML=/usr/local/jaxp-1.1ea2 export XML CLASSPATH=${CLASSPATH}:${XML}/jaxp.jar:${XML}/crimson.jar CLASSPATH=${CLASSPATH}:${XML}/xalan.jar export CLASSPATH 10) At this point it is good to create a simple shell script which will set your environmental variables, so when you come back after logout, you do not have to type all this stuff. I placed the setmyenv in my /root directory and did: . /root/setmyenv as the first thing after log in (of course, I could put this stuff in the .bashrc, but I like to start with clean root environment, so I know what is happening). 11) Delete the parser.jar and jaxp.jar from the ${TOMCAT_HOME}/lib cd ${TOMCAT_HOME}/lib rm jaxp.jar parser.jar Note, I did not put the new jars into the ${TOMCAT_HOME}/lib at this time. I rather have them in the CLASSPATH until things stabilize... 12) I compiled and ran JAXP examples: cd ${XML}/examples/dom javac main.java java -cp ${CLASSPATH}:. main cd ${XML}/examples/sax javac main.java and did the example for invalid document: java -cp ${CLASSPATH}:. -Djavax.xml.parsers.validation=true \ main ../samples/namespace.xml and the one for the valid document: java -cp ${CLASSPATH}:. -Djavax.xml.parsers.validation=true \ main ../samples/book-order.xml and the one for the well-formedness only java -cp ${CLASSPATH}:. main ../samples/namespace.xml and they seemed to work. 14) To use Tomcat with Apache, you need mod_jk or mod_jserv. Those are modules for Apache which allow Apache to talk to Tomcat servlet container via TCP socket. In this scenario, the Apache is handling communication with outside world (takes the HTTP requests). When request is for JSP page or a servlet, it passes it to Tomcat. To do that Apache needs a module which knows how to talk to Tomcat, and Tomcat has to listen to Apache on some port. Moreover, they need to agree, how they will talk to each other (the protocol: there are two of them at this moment: ajp12 and ajp13), and which TCP ports they will use to communicate (i.e., Apache has to know where Tomcat will be listening - note, tomcat does not have to be on the same machine, and there may be many tomcats listening to the same Apache, or many Apaches taking to the same Tomcat -- but this is outside the primer given here). I will not talk about the mod_jserv. While it is an excellent piece of work, it also is getting old and is now considered a legacy. It was originally developed for JSERV, the server engine for Servlet 2.0 spec, which is passe (it is 2 years old, i.e., ancient and obsolete) but, on the other hand, it is well debugged and used for production, as opposed to mod_jk, but again, I like bleeding edge, but do not call 911 yet...). So again. mod_jk is the module which plugs into Apache. Tomcat is a TCP server (i.e., opens a TCP port and listens to clients who come and want to talk to it), and Apache is a TCP client for Tomcat, i.e., it starts talking. The small problem for non programmers is that you do not get a binary mod_jk with Tomcat. You only get the source. You need to compile the mod_jk. It is not a big deal: cd ${JAKARTA_HOME} wget http://jakarta.apache.org/builds/tomcat/release/v3.2.1/src/jakarta-tomcat-3.2.1-src.tar.gz tar zxvf jakarta-tomcat-3.2.1-src.tar.gz cd ${JAKARTA_HOME}/jakarta-tomcat-3.2.1-src/src/native cd apache1.3 /usr/sbin/apxs -o mod_jk.so \ -I${JAVA_HOME}/include/linux \ -I../jk -I${JAVA_HOME}/include \ -c *.c ../jk/*.c cp mod_jk.so /usr/lib/apache While I provide the binary of mod_jk.so here (save it as: RightClick/SaveLinkAs) you should really compile it on your own machine. 15)Test tomcat standalone: Since there are a lot of files in the $TOMCAT_HOME/conf, I decided to move all files which are there to a separate directory, and then copy what I need back: cd $TOMCAT_HOME/conf mkdir original-conf mv * original-conf cd original-conf cp server.xml .. cp web.xml .. cp workers.properties .. cp tomcat-users.xml .. I looked at my ${TOMCAT_HOME}/conf/server.xml and added connector for protocol ajp13 at port 8006 (you have to keep ajp12 connector, even if you do not use it, to be able to shut down Tomcat). I also changed all the docBases in Context tags to full paths, e.g.: docBase="webapps/examples" --> docBase="/usr/local/jakarta_3.2.1/jakarta-tomcat-3.2.1/webapps/examples I also created directory (for testing) below Apache DocumentRoot mkdir /var/www/html/examples-test and unpacked there an examples.war file so I can do testing of new Context, which is not in a default location: ${TOMCAT_HOME}/webapps. cd /var/www/html/examples-test jar xvf ${TOMCAT_HOME}/webapps/examples.war I then mounted examples-test directory in ${TOMCAT_HOME}/conf/server.xml . My initial server.xml file is here. Note that server.xml is the file which is read in by Tomcat to configure itself. Tomcat does not use any information from workers.properties or mod_jk.conf for itself. These are meant for apache or other Web severs for which Tomcat works. There may be some confusion here, since Tomcat actually produces prototype configuration files for various Web servers. These files have the *.auto extension. The following files were produce on runing startup.sh: iis_redirect.reg-auto and uriworkermap.properties-auto (for MS IIS), mod_jk.conf-auto (for mod_jk module of Apache), obj.conf-auto (for Netescape or whoever/whatever server, if you know what I mean), and tomcat-apache.conf (for Apache mod_jserv module which we do not use here). These are prototype files, which are essentially ready to go for simple configurations. The files like tomcat-apache.conf, tomcat.properties, tomcat.conf are used when tomcat was working with mod_jserv module. We are using here mod_jk module, and these files can be ignored. The files for mod_jk module of Apache are mod_jk.conf and workers.properties. For the time being, I tested if Tomcat works alone by starting it as: cd ${TOMCAT_HOME}/bin ./startup.sh You should get something like here Then, try to see Tomcat in your browser: http://your.machine:8080/ Try some examples, (http://your.machine:8080/examples/jsp), etc. If you think that have problems shut it down as: cd ${TOMCAT_HOME}/bin ./shutdown.sh and see if ports 8080 and 8007 are not booked by something else. List ports as: netstat -a -n | grep -i listen Before we worke on config files, it may be good to shutdown the Tomcat: ./shutdown.sh 16) After testing Tomcat, it created automatically a config file for mod_jk for Apache as $TOMCAT_HOME/conf/mod_jk.conf-auto. I saved this file as mod_jk.conf and edited it: cd $TOMCAT_HOME/conf mv mod_jk.conf-auto mod_jk.conf I edited the Apache config file, /etc/httpd/conf/httpd.conf, to include the mod_jk.conf at the very end (more needs to be done for sensible install, though). I added a line at the end of httpd.conf Include /usr/local/jakarta_3.2.1/jakarta-tomcat-3.2.1/conf/mod_jk.conf The actual initial httpd.conf is here. In mod_jk.conf I replaced all occurances of ajp12 with ajp13 and made few other changes. You can find the copy of it here. I also made several changes to workers.properties. Namely: changed workers.tomcat_home, workers.java_home, ps, and worker.ajp13.port port to 8006. Also commented out all inprocess definitions (tomcat does not run inprocess within apache). You can look them up here. Note, my ajp12 port is 8007 and ajp13 is 8006. 17) Heavily edited the $TOMCAT_HOME/bin/startup.sh, $TOMCAT_HOME/bin/startup.sh and $TOMCAT_HOME/bin/jspc.sh and also tomcat.sh (made it write a pid file in $TOMCAT_HOME/logs/tomcat.pid so it can be used by boot up start-up script described later). to include necessary environment variables. These files can be found here: startup.sh shutdown.sh jspc.sh tomcat.sh Started tomat cd $TOMCAT_HOME/bin ./startup.sh What worried me was the number of threads the Tomcat opened, namely ps auwx | grep java | wc -l gave over 40. But maybe this is not a problem, since these are lightweight threads which Linux now reports. 18) Started Apache /etc/rc.d/init.d/httpd start It complained about missing link: Cannot load /etc/httpd/libexec/mod_jk.so into server: /etc/httpd/libexec/mod_jk.so: cannot open shared object file: No such file or directory Obviously, the httpd was not compiled tidely. I added a link: cd /etc/httpd ln -s ../../usr/lib/apache libexec And started Apache again: /etc/rc.d/init.d/httpd start This time, it did not bark. Then I tried: http://pse.ccl.net/examples/jsp/ https://pse.ccl.net/examples/jsp/ http://pse.ccl.net/examples-test/jsp/ https://pse.ccl.net/examples-test/servlets/ and I was clicking on examples and it all worked... (I think... {:-)}). You will see major delays when you click on the JSP for the first time, but then, they load fast. 19) Stopped Apache /etc/rc.d/init.d/httpd stop 20) Stopped Tomcat cd $TOMCAT_HOME/bin ./shutdown.sh 21) After 19) and 20) the Apache and Tomcat should be cleanly shut down. But it is good to check if zombies are not left: ps auwx | egrep 'httpd|java' and I was fine. If you are not, you need to kill those @!%#*^s and ask yourself: What did I do wrong? (since you obviously did -- it worked for me I swear (:-) -- BTW, is your apj12 protocol unabled in server.xml?). 22) Reconfigured Tomcat and Apache to do things I want them to do. a) In /etc/httpd/conf/httpd.conf made sure mod_jk is before mod_rewrite LoadModule jk_module libexec/mod_jk.so LoadModule rewrite_module libexec/mod_rewrite.so and AddModule mod_jk.c AddModule mod_rewrite.c and commented out the line # LoadModule jk_module libexec/mod_jserv.so in $TOMCAT_HOME/conf/mod_jk.conf 23) Created new users, in my case webinst, and webrun, and groups for them, home directories, and regular login environment. adduser webinst passwd webinst adduser webrun passwd webrun In the /etc/passwd, I assigned /bin/bash for webrun, while webinst had /bin/tcsh as a primary shell (yes, I know that t/csh is brain dead, but people want it, and people will have it -- it sucks, e.g., with its limitations: "Word too long" when your environment variable is longer than 1024 -- it happens to me all the time with longer CLASSPATHs). Note that when you execute the script as su - uid -c script the script will be executed with the default shell (i.e., the shell which is assigned to the user in /etc/passwd), and it does not matter what you put in #!/bin/someshell on the top of your script. While under Linux (but not under all Unices), you can change the shell with a "-s" option to su, I wanted to keep things simple. The script is sourced with default shell, not forked with a new shell. The webinst will own most of the files in the web site, while the webrun will be the user who runs the Apache server and the tomcat. It will own log files and other files which the apache/tomcat/ needs to write. In /etc/httpd/conf/httpd.conf I changed apache to webrun: User webrun Group webrun I also changed names of the log files and pid files. To learn what I did, just run diff and see the differences between the default file which came with Apache distribution, and my incarnation. My httpd.conf file after few changes looked like: httpd.conf Also chown_ed to webrun the log directories: chown -R webrun.webrun /var/log/httpd And for tomcat: chown -R webrun.webrun $TOMCAT_HOME/conf chown -R webrun.webrun $TOMCAT_HOME/logs chown -R webrun.webrun $TOMCAT_HOME/work 24) Now, I had to make a script which would start Tomcat/Apache on boot-up in unison. My understanding is that since Tomcat is a TCP server with respect to Apache, it should be started before Apache. Supposedly it does not matter much, but who knows. I derived the startup script from the original /etc/rc.d/init.d/httpd and saved it as: /etc/rc.d/init.d/httpd.jkl. I made sure that its exec permissions are on: chmod 755 /etc/rc.d/init.d/httpd.jkl The copy of the script is here: httpd.jkl 25) Started the apache/tomcat as: /etc/rc.d/init.d/httpd.jkl start and checked if http://pse.ccl.net/examples and https://pse.ccl.net/examples worked. Of course, you check www.yourmachine.com, not the pse.ccl.net. The examples worked, so I killed the server with: /etc/rc.d/init.d/httpd.jkl stop I also disabled the default RH7.0 Apache httpd which comes with the standard installation by executing: chkconfig --del httpd and then checked with: chkconfig --list httpd which showed rightly that httpd will not be invoked on boot: httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Then, I made sure that the new httpd.jkl is used to start Apache/Tomcat at boot up: chkconfig --add httpd.jkl chkconfig --list httpd.jkl with list giving me OK: httpd.jkl 0:off 1:off 2:off 3:on 4:on 5:on 6:off 26)Since starting/stopping apache+tomcat in this environment requires one to be a root, I created C wrappers to start and stop the whole zoo. apache_start.c. This is important when people who do not have root access do development. I compiled it with gcc -o apache_start apache_start.c as a root, and then added suid/sgid permissions to the resulting apache_start executable file as: chmod ug+s apache_start I put the file in /usr/local/bin directory, so it is usually in the user's PATH. Of course, you can check in these C wrappers if user is authorized to use it. I am checking if invoking user is webinst. I did exactly the same with apache_stop.c gcc -o apache_stop apache_stop.c chmod ug+s apache_stop apache_stop.c Now, people do not have to have root access to start/stop Web Server/Tomcat. They can just type: apache_stop apache_start to restart Apache/Tomcat combo. I also added a C program killme.c which kills the processes which are running by user webrun. It is intended to be used after "apache_stop" to kill some runaway processes started by apache, Tomcat, or JServ. After compiling the program: gcc -o killme killme.c changed its user and group ownership to webrun and added SETUID permission bits chown webrun killme chgrp webrun killme chmod ug+s killme To learn which processes need to be killed, the user does ps auwx | grep webrun | grep -v grep (I actually saved this line as a shell script "killwhich" so they can just type: killwhich). and the user can kill the processes listed by previous command as: killme pid1 pid2 .... where pidn is the process id number in the second column.