How to Install Tomcat 9 on Debian 10 Linux

Posted 

5 min read

Apache Tomcat is an open-source JAVA based application server that implements Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. It is one of the most widely used applications and web servers in the world today.

This tutorial explains how to install Apache Tomcat 9.0 on Debian 10 Buster and configure the Tomcat web management interface.

Prerequisites

The instructions assume that you are logged in as root or user with sudo privileges.

Installing OpenJDK

Tomcat 9.0 requires Java SE 8 or later to be installed on the server.

Execute the following command to install the OpenJDK package:

sudo apt install default-jdk

Creating a Tomcat user

Running Tomcat as a root user is a security risk and is not recommended. We’ll create a new user that will be used to run the Tomcat service.

Run the following command creates a new system user and group with a home directory of /opt/tomcat:

sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Downloading Tomcat

At the time of writing, the latest Tomcat version is 9.0.27. Before continuing with the next step, you should check the Tomcat 9 download page to see if a newer version is available.

Change to the /tmp directory and download the latest Tomcat binary release:

cd /tmp
wget https://www-eu.apache.org/dist/tomcat/tomcat-9/v9.0.27/bin/apache-tomcat-9.0.27.tar.gz

When the download is complete, extract the gzipped archive:

tar -xf apache-tomcat-9.0.27.tar.gz

Move the Tomcat source files to it to the /opt/tomcat directory:

sudo mv apache-tomcat-9.0.27 /opt/tomcat/

Tomcat 9 is updated periodically. To have more control over versions and updates, create a symbolic link named latest that points to the Tomcat installation directory:

sudo ln -s /opt/tomcat/apache-tomcat-9.0.27 /opt/tomcat/latest

Later when upgrading Tomcat, simply unpack the newer version and change the symlink to point to the latest version.

Change the ownership of the /opt/tomcat directory to user and group tomcat, so that the user can have access to the installation directory:

sudo chown -R tomcat: /opt/tomcat

Make the scripts inside the bin directory executable:

sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'

Creating SystemD Unit File

Open your text editor and create a new file named tomcat.service with the following contents:

sudo nano /etc/systemd/system/tomcat.service
/etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9.0 servlet container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/default-java"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Notify systemd that a new unit file exists and start the Tomcat service by typing:

sudo systemctl daemon-reload
sudo systemctl start tomcat

Check the status of the Tomcat service by typing:

sudo systemctl status tomcat
● tomcat.service - Tomcat 9.0 servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: 
   Active: active (running) since Sat 2019-11-09 13:53:51 PST; 5s ago
  Process: 5752 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status
 Main PID: 5759 (java)

If there are no errors, enable the Tomcat service to be automatically started at boot time:

sudo systemctl enable tomcat

You can start, stop and restart Tomcat same as any other systemd unit service:

sudo systemctl start tomcat
sudo systemctl stop tomcat
sudo systemctl restart tomcat

Adjusting the Firewall

If you have a firewall running on your Debian system and you want to access the tomcat interface from the outside of your local network, you’ll need to open the port 8080:

sudo ufw allow 8080/tcp

When running a Tomcat application in a production environment, most likely you will have a load balancer or reverse proxy, and it’s a best practice to restrict access to port 8080 only to your internal network.

Configuring Tomcat Web Management Interface

Now that Tomcat is installed, the next step is to create a user with access to the web management interface.

Tomcat users and their roles are defined in the tomcat-users.xml file.

If you open the file, you will notice that it is filled with comments and examples describing how to configure the file:

sudo nano /opt/tomcat/latest/conf/tomcat-users.xml

We will define the new user in the tomcat-users.xml file, as shown below. The user will have access to the tomcat web interface (manager-gui and admin-gui). Be sure you change the username and password to something more secure:

/opt/tomcat/latest/conf/tomcat-users.xml
<tomcat-users>
<!--
    Comments
-->
   <role rolename="admin-gui"/>
   <role rolename="manager-gui"/>
   <user username="admin" password="admin_password" roles="admin-gui,manager-gui"/>
</tomcat-users>

By default the Tomcat web management interface allows access only from the localhost. If you want to access the web interface from a remote IP or from anywhere which is not recommended because it is a security risk you can open the following files and make the following changes.

If you need to access the web interface from anywhere open the following files and comment or remove the lines highlighted in yellow:

/opt/tomcat/latest/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
/opt/tomcat/latest/webapps/host-manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>

If you need to access the web interface only from a specific IP, instead of commenting the blocks add your public IP to the list. Let’s say your public IP is 32.32.32.32 and you want to allow access only from that IP:

/opt/tomcat/latest/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|32.32.32.32" />
</Context>
/opt/tomcat/latest/webapps/host-manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|32.32.32.32" />
</Context>

The list of allowed IP addresses is a list separated with vertical bar |. You can add single IP addresses or use a regular expressions.

Restart the Tomcat service for changes to take effect:

sudo systemctl restart tomcat

Test the Installation

Open your browser and type: http://<your_domain_or_IP_address>:8080

If the installation is successful, a screen similar to the following will appear:

Tomcat web application manager dashboard is available at http://<your_domain_or_IP_address>:8080/manager/html. From here, you can deploy, undeploy, start, stop, and reload your applications.

Tomcat virtual host manager dashboard is available at http://<your_domain_or_IP_address>:8080/host-manager/html. From here you can create, delete and manage Tomcat virtual hosts.

Conclusion

You have successfully installed Tomcat 9.0 on your Debian 10 system. You can now visit the official Apache Tomcat 9.0 Documentation and learn more about the Apache Tomcat features.

If you hit a problem or have feedback, leave a comment below.