How to Install Tomcat 9 on Ubuntu 20.04

Published on

6 min read

Install Tomcat 9 on Ubuntu 20.04

This tutorial describes how to install and configure Tomcat 9 on Ubuntu 20.04.

Apache Tomcat is an open-source web server and Java servlet container. It is one of the most popular choices for building Java-based websites and applications. Tomcat is lightweight, easy to use, and has a robust ecosystem of add-ons.

Installing Java

Tomcat 9 requires Java SE 8 or later to be installed on the system. We’ll install OpenJDK 11 , the open-source implementation of the Java Platform.

Run the following commands as user with sudo privileges or root to update the packages index and install the OpenJDK 11 JDK package:

sudo apt updatesudo apt install openjdk-11-jdk

Once the installation is complete, verify it by checking the Java version:

java -version

The output should look something like this:

openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

Creating a System User

Running Tomcat under the root user is a security risk. We’ll create a new system user and group with home directory /opt/tomcat that will run the Tomcat service. To do so, enter the following command:

sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Downloading Tomcat

Tomcat binary distribution is available for download from the Tomcat downloads page .

At the time of writing, the latest Tomcat version is 9.0.35. Before continuing with the next step, check the Tomcat 9 download page to see if a newer version is available.

Use wget to download the Tomcat zip file to the /tmp directory:

VERSION=9.0.35wget${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz -P /tmp

Once the download is complete, extract the tar file to the /opt/tomcat directory:

sudo tar -xf /tmp/apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/

Tomcat is updated on a regular basis with security patches and new features. To have more control over versions and updates, we’ll create a symbolic link called latest, that points to the Tomcat installation directory:

sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest

Later, when upgrading Tomcat, unpack the newer version and change the symlink to point to it.

The system user that was previously created must have access to the tomcat installation directory. Change the directory ownership to user and group tomcat:

sudo chown -R tomcat: /opt/tomcat

The shell scripts inside the Tomcat’s bin directory must be executable :

sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'

These scripts are used to start, stop and, otherwise manage the Tomcat instance.

Creating SystemD Unit File

Instead of using the shell scripts to start and stop the Tomcat server, we’ll set it to run as a service.

Open your text editor and create a tomcat.service unit file in the /etc/systemd/system/ directory:

sudo nano /etc/systemd/system/tomcat.service

Paste the following configuration:

Description=Tomcat 9 servlet container



Environment=" -Djava.awt.headless=true"

Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"


Modify the JAVA_HOME variable if the path to your Java installation is different.

Save and close the file and notify systemd that a new unit file exists:

sudo systemctl daemon-reload

Enable and start the Tomcat service:

sudo systemctl enable --now tomcat

Check the service status:

sudo systemctl status tomcat

The output should show that the Tomcat server is enabled and running:

● tomcat.service - Tomcat 9 servlet container
     Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2020-05-25 17:58:37 UTC; 4s ago
    Process: 5342 ExecStart=/opt/tomcat/latest/bin/ (code=exited, status=0/SUCCESS)
   Main PID: 5362 (java)

You can start, stop and restart Tomcat same as any other systemd service:

sudo systemctl start tomcatsudo systemctl stop tomcatsudo systemctl restart tomcat

Configuring Firewall

If your server is protected by a firewall and you want to access Tomcat from the outside of your local network, you need to open port 8080.

Use the following command to open the necessary port:

sudo ufw allow 8080/tcp
Generally, when running Tomcat in a production environment, you should use a load balancer or reverse proxy . It’s a best practice to allow access to port 8080 only from your internal network.

Configuring Tomcat Web Management Interface

At this point, you should be able to access Tomcat with a web browser on port 8080. The web management interface is not accessible because we have not created a user yet.

Tomcat users and roles are defined in the tomcat-users.xml file. This file is a template with comments and examples showing how to create a user or role.

In this example, we’ll create a user with “admin-gui” and “manager-gui” roles. The “admin-gui” role allows the user to access the /host-manager/html URL and create, delete, and otherwise manage virtual hosts. The “manager-gui” role allows the user to deploy and undeploy web application without having to restart the entire container through the /host-manager/html interface.

Open the tomcat-users.xml file and create a new user, as shown below:

sudo nano /opt/tomcat/latest/conf/tomcat-users.xml
   <role rolename="admin-gui"/>
   <role rolename="manager-gui"/>
   <user username="admin" password="admin_password" roles="admin-gui,manager-gui"/>

Make sure you change the username and password to something more secure.

By default, Tomcat web management interface is configured to allow access to the Manager and Host Manager apps only from the localhost. To access the web interface from a remote IP, you will have to remove these restrictions. This may have various security implications, and it is not recommended for production systems.

To enable access to the web interface from anywhere, open the following two files and comment or remove the lines highlighted in yellow.

For the Manager app:

sudo nano /opt/tomcat/latest/webapps/manager/META-INF/context.xml

For the Host Manager app:

sudo nano /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

If you want to access the web interface only from a specific IP, instead of commenting the blocks add your public IP to the list.

Let’s say your public IP is and you want to allow access only from that IP:

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|" />

The list of allowed IP addresses is a list separated with vertical bar |. You can add single IP addresses or use a regular expressions.

Once done, restart the Tomcat service for changes to take effect:

sudo systemctl restart tomcat

Test the Tomcat Installation

Open your browser and type: http://<your_domain_or_IP_address>:8080

Assuming the installation is successful, a screen similar to the following should appear:

Tomcat 8.5

Tomcat web application manager is available at: http://<your_domain_or_IP_address>:8080/manager/html.

Tomcat web application manager

Tomcat virtual host manager is available at: http://<your_domain_or_IP_address>:8080/host-manager/html.

Tomcat virtual host manager


We’ve shown you how to install Tomcat 9.0 on Ubuntu 20.04 and how to access the Tomcat management interface.

For more information about Apache Tomcat, visit the official documentation page .

If you hit a problem or have feedback, leave a comment below.