Monday, October 6, 2014

Standalone Tomcat7 re-deployment for Oxalis

It's already the third time I have had to re-deploy Tomcat due to application, environment or even Tomcat issues.

Current system/situation:
- CentOS 6.5
- Running Tomcat6, Tomcat7 (7.0.37). Integrated
- Difi Oxalis can't run in the same 'house' with Difi XML validator
- Difi Oxalis AS2 has MIME issues running on Tomcat 7.0.37-7.0.40
- Java available: 1.6, 1.7 (both JDKs and JREs). Ref "update-alternatives --config java"

Quick cheat-sheet on how to re-deploy Tomcat7 (7.0.55) with Oxalis config:

# cd /opt/
# wget
# tar -xvf apache-tomcat-7.0.55.tar.gz
# mv apache-tomcat-7.0.55 tomcat7
# cd tomcat7
# export TOMCAT_HOME=/opt/tomcat7
# export CATALINA_HOME=/opt/tomcat7
# ant -Dtomcat.home=$TOMCAT_HOME -f /root/metro/metro-on-tomcat.xml install
# nano /opt/tomcat7/tomcat-users.xml

   <user username="manager" password="******" roles="manager"/>

# nano /opt/tomcat7/web.xml
    -- comment out all the welcome lines. cocoon needs this

# cp /var/lib/tomcat7/webapps/*.war /opt/tomcat7/webapps/
# nano /opt/tomcat7/server.xml

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello" keystoreFile=".keystore" keyAlias="tomcat"  keystorePass="******" />

# cp /usr/share/tomcat7/ssl_tomcat /opt/tomcat7/ -R
# cp /usr/share/tomcat7/.keystore /opt/tomcat7/
# sh bin/

--- edit or create tomcat startup script

# nano /etc/init.d/tomcat7

  # description: Tomcat Start Stop Restart
  # processname: tomcat
  # chkconfig: 234 20 80
  export PATH

  # Define the tomcat username

  case $1 in
    sh $CATALINA_HOME/bin/
    sh $CATALINA_HOME/bin/
    sh $CATALINA_HOME/bin/
    sh $CATALINA_HOME/bin/
         if [ -f "/var/run/${NAME}.pid" ]; then
 #           status ${NAME}
 #           RETVAL="$?"   
             read kpid < /var/run/${NAME}.pid
             if [ -d "/proc/${kpid}" ]; then
                 echo "${NAME} (pid ${kpid}) is running..."
             pid="$(/usr/bin/pgrep -d , -u ${TOMCAT_USER} -G ${TOMCAT_USER}  java)"
             if [ -z "$pid" ]; then
 #               status ${NAME}     
 #               RETVAL="$?"
                 echo "${NAME} is stopped"
             echo "${NAME} (pid $pid) is running..."
         sh $CATALINA_HOME/bin/      
         echo "Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status|version}"
  exit 0   

# chmod 755 /etc/init.d/tomcat7
# chkconfig --add tomcat7
# chkconfig --level 234 tomcat7 on
# chkconfig --list tomcat7
# /etc/init.d/tomcat7 restart

Some explanations of the cheat-sheet:
- Tomcat7 was deployed as the current stable CentOS-compatible version (7.0.37)
- wget url - download using preferred server
- Metro requirement - see the Oxalis installation description; it's just one .jar file stored in the endorsed dir, so it might as well be copied from your old Tomcat installation
- passwords in '*******' - don't forget to replace with your passwords
- cocoon installation is optional
- please note that Tomcat 7.0.55 can't locate your .keystore, so you have to define its path manually using the attributes "keystoreFile" and "keyAlias", which were not needed before
- sslEnabledProtocols is another fix, related to SSLv2 being disabled in Java7 and OpenSSL 1.0.0+
- ssl_tomcat folder is optional

Monday, March 24, 2014

Tomcat7 startup. This account is currently not available.

There are a couple of possible causes and solutions online. The main problem is pretty obvious: the tomcat user account.
One of the solutions says:

Using a standard Tomcat installation and a tomcat user with no login shell, attempts to start Tomcat failed with a "This account is currently not available." message. However, the tomcat user shouldn't have a shell available as it's not a login account. Updating the tomcat6 command in /etc/init.d/tomcat6 to specify the shell when invoking Tomcat fixes this.

Some other solutions say that the account should be reset, its password changed and its shell switched from nologin to bash. All of these open a security hole: the tomcat account should stay disabled in every case. My suggestion is to check whether a tomcat user was already defined before, for example when deploying tomcat6. Then check whether TOMCAT_HOME matches the tomcat user's home. If TOMCAT_HOME is set to /usr/share/tomcat6 and you are starting tomcat7, you will get the same error as with a locked account.
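
The check suggested above, as an added shell example that is not part of the original post: it reads one passwd record, compares the account's home with the Tomcat directory, and confirms the shell is still non-interactive; the start helper then hands the shell to su for a single command, as the quoted solution describes. The function names, the account name "tomcat" and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: account "tomcat",
# CATALINA_HOME=/opt/tomcat7 as in the cheat-sheet on this page.

# check_service_account PASSWD_LINE EXPECTED_HOME
#   PASSWD_LINE: one passwd(5) record, e.g. "$(getent passwd tomcat)"
#   returns 0 = ok, 1 = no such account, 2 = home mismatch, 3 = login shell set
check_service_account() {
    line=$1
    expected_home=$2
    [ -n "$line" ] || { echo "account not found"; return 1; }
    # passwd(5) fields: name:passwd:uid:gid:gecos:home:shell
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    # Ignore a trailing slash on either side when comparing directories.
    if [ "${home%/}" != "${expected_home%/}" ]; then
        echo "$name: home $home != $expected_home (stale entry from an older Tomcat?)"
        return 2
    fi
    case $shell in
        */nologin|*/false) ;;
        *) echo "$name: login shell '$shell' set; keep the account non-interactive"
           return 3 ;;
    esac
    echo "$name: ok"
}

# start_tomcat USER CATALINA_HOME
#   Pass the shell to su for this one command; the account itself keeps nologin.
start_tomcat() {
    su -s /bin/sh "$1" -c "CATALINA_HOME='$2' '$2/bin/startup.sh'"
}

# Constructed sample records (not taken from a real system).
STALE='tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin'
OPENED='tomcat:x:91:91:Apache Tomcat:/opt/tomcat7:/bin/bash'
GOOD='tomcat:x:91:91:Apache Tomcat:/opt/tomcat7:/sbin/nologin'

for rec in "$STALE" "$OPENED" "$GOOD"; do
    check_service_account "$rec" /opt/tomcat7 || true
done
```

On a real host, run it from the init script as root: `check_service_account "$(getent passwd tomcat)" "$CATALINA_HOME" && start_tomcat tomcat "$CATALINA_HOME"`.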