
Configure Apache Tomcat

We must configure a secure JMX connection for the Apache Tomcat application server.

The Server Configuration Tool and the Ant tasks will generate a default secure JMX connection, which includes the definition of a JMX remote port, and the definition of authentication properties. They modify <tomcatInstallDir>/bin/setenv.bat and <tomcatInstallDir>/bin/setenv.sh to add these options to CATALINA_OPTS:

-Djava.rmi.server.hostname=localhost
-Dcom.sun.management.jmxremote.port=8686
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

8686 is a default value. The value for this port can be changed if the port is not available on the computer.

These files might not be used if Apache Tomcat is started with another command. If we installed Apache Tomcat with the Apache Tomcat Windows Service Installer, the service launcher does not use setenv.bat.

Important: This configuration is not secure by default. To secure the configuration, we must manually complete steps 2 and 3 of the following procedure.

Manually configuring Apache Tomcat:

  1. For a simple configuration, add the following options to CATALINA_OPTS:
    -Djava.rmi.server.hostname=localhost
    -Dcom.sun.management.jmxremote.port=8686
    -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote.ssl=false

  2. To activate authentication, see the Apache Tomcat user documentation: SSL Support - BIO and NIO, and SSL Configuration HOW-TO.

  3. For a JMX configuration with SSL enabled, add the following options:
    -Dcom.sun.management.jmxremote=true
    -Dcom.sun.management.jmxremote.port=8686
    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.authenticate=false
    -Djava.rmi.server.hostname=localhost
    -Djavax.net.ssl.trustStore=<key store location>
    -Djavax.net.ssl.trustStorePassword=<key store password>
    -Djavax.net.ssl.trustStoreType=<key store type>
    -Djavax.net.ssl.keyStore=<key store location>
    -Djavax.net.ssl.keyStorePassword=<key store password>
    -Djavax.net.ssl.keyStoreType=<key store type>

    The port 8686 can be changed.

  4. If the Tomcat instance is running behind a firewall, the JMX Remote Lifecycle Listener must be configured. See the Apache Tomcat documentation for JMX Remote Lifecycle Listener.

    The following environment properties must also be added to the Context section of the administration services application in the server.xml file, such as in the following example:

    <Context docBase="worklightadmin" path="/worklightadmin">
        <Environment name="ibm.worklight.admin.rmi.registryPort" value="registryPort" type="java.lang.String" override="false"/>
        <Environment name="ibm.worklight.admin.rmi.serverPort" value="serverPort" type="java.lang.String" override="false"/>
    </Context>

    In the previous example:

    • registryPort must have the same value as the rmiRegistryPortPlatform attribute of the JMX Remote Lifecycle Listener.

    • serverPort must have the same value as the rmiServerPortPlatform attribute of the JMX Remote Lifecycle Listener.

  5. If we installed Apache Tomcat with the Apache Tomcat Windows Service Installer, then instead of adding the options to CATALINA_OPTS, run <TomcatInstallDir>/bin/Tomcat7w.exe and add the options in the Java tab of the Properties window.
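
A check for the options above, as an added example that is not part of the IBM documentation: it reads a setenv.sh and reports the JMX settings that leave the remote port without authentication or SSL. The function names jmx_opt and audit_jmx and the sample file are constructed for illustration; the script assumes the JVM defaults (authentication and SSL are on when the property is absent) and that the last -D of a repeated property applies.

```shell
#!/bin/sh
# Added example: audit the JMX remote options in a Tomcat setenv.sh.

# jmx_opt FILE NAME: print the value of -D<NAME>= in FILE, ignoring comment
# lines. Assumption: for a repeated property the last occurrence applies.
jmx_opt() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" |
        grep -o -e "-D$name=[^[:space:]\"']*" | tail -n 1 | cut -d= -f2-
}

# audit_jmx FILE: print one line per finding; exit status = number of findings.
audit_jmx() {
    file=$1
    findings=0
    p=com.sun.management.jmxremote
    port=$(jmx_opt "$file" "$p.port")
    if [ -z "$port" ]; then
        echo "OK: no JMX remote port is configured in $file"
        return 0
    fi
    # Only an explicit "false" disables authentication (JVM default is on).
    if [ "$(jmx_opt "$file" "$p.authenticate")" = false ]; then
        echo "FINDING: JMX port $port accepts connections without authentication"
        findings=$((findings + 1))
    fi
    # Only an explicit "false" disables SSL; with SSL on, a key store is needed.
    if [ "$(jmx_opt "$file" "$p.ssl")" = false ]; then
        echo "FINDING: JMX port $port is not protected by SSL"
        findings=$((findings + 1))
    elif [ -z "$(jmx_opt "$file" javax.net.ssl.keyStore)" ]; then
        echo "FINDING: SSL is on for JMX port $port but no javax.net.ssl.keyStore is set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the step 1 options as they would appear in setenv.sh.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# -Dcom.sun.management.jmxremote.authenticate=true   (commented out, ignored)
CATALINA_OPTS="$CATALINA_OPTS -Djava.rmi.server.hostname=localhost"
CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.port=8686"
CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
EOF
audit_jmx "$sample" || echo "findings: $?"
rm -f "$sample"
```

For a Windows service installation, the same options live in the Java tab of Tomcat7w.exe rather than in setenv.bat, so this file-based check does not cover that case.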


What to do next

For more information about the optimization of MobileFirst Server, especially the tuning of the JVM memory allocation, see Tuning.

