How to upgrade Tomcat version manually on existing on-premise Foundry instance in case of security vulnerabilities

Introduction
Below are the steps to upgrade the Tomcat version manually on an existing on-premise Foundry
instance when a security vulnerability requires it. When manually upgrading Tomcat, always stay
within the same minor version and move only to a newer patch release. For example, if the current
Tomcat version is 9.0.0, upgrade it to 9.0.x.

Instructions

1. Take a backup of the existing Foundry instance.

2. Download the required Tomcat version from https://tomcat.apache.org/download-90.cgi.
Download the binary distribution of type "64-bit Windows zip". This works for both Linux and
Windows.

3. Unzip the downloaded zip file into a folder named "tomcat".

4. Delete all folders from tomcat\webapps except manager.

Folders to be deleted:
tomcat\webapps\ROOT
tomcat\webapps\docs
tomcat\webapps\examples
tomcat\webapps\host-manager

5. Copy the "Catalina" folder from the existing Foundry instance's tomcat\conf folder to the
new tomcat\conf folder.

6. Make the updates below to the tomcat\conf\server.xml file.

a. Add the tag below at the end of the <Host> section, just above the closing </Host> tag.

<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false"/>

b. Copy the entire Connector tag from the existing Foundry instance's tomcat\conf\server.xml
and use it to replace the Connector tag in the new tomcat\conf\server.xml. If the existing
Foundry instance uses http only, copy only the http Connector tag; otherwise copy both the
http and https Connector tags into the new tomcat\conf\server.xml. This is done in the
<Service name="Catalina"> section, deleting the Connector tag that is already there.

<Connector server="HCL" port="<http port>" protocol="HTTP/1.1"
maxHttpHeaderSize="8192" maxThreads="150" enableLookups="false"
acceptCount="25" disableUploadTimeout="true" tcpNoDelay="true"
compression="on"
compressableMimeType="text/css,text/javascript,text/html"
connectionTimeout="20000" redirectPort="8443"/>

<Connector port="<https port>" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="150"
maxHttpHeaderSize="8192" connectionTimeout="20000" scheme="https"
secure="true" clientAuth="false" enableLookups="false" acceptCount="25"
disableUploadTimeout="true" server="HCL" tcpNoDelay="true" compression="on"
compressionMinSize="512000"
compressableMimeType="text/html,text/xml,text/css,text/plain,text/javascript,application/x-javascript,application/javascript,application/json,application/xml"
sslProtocol="TLS" keystoreFile="<keystore location>"
keystorePass="<keystore password>" keystoreType="JKS"/>

c. Update the shutdown port to match the existing Foundry instance.

<Server port="<shutdown port>" shutdown="SHUTDOWN">

d. Change

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">

to

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">

7. Make the updates below to the tomcat\conf\catalina.properties file.

a. Copy the "common.loader" line from the existing Foundry instance's
tomcat\conf\catalina.properties file and update the corresponding line in the new
tomcat\conf\catalina.properties file.

b. Copy the "middleware.home" line from the existing Foundry instance's
tomcat\conf\catalina.properties file and add it at the end of the new
tomcat\conf\catalina.properties file.

8. Copy the existing context.xml file from tomcat\conf and replace the one in the new
tomcat\conf folder.

9. Copy all war files from the existing tomcat\webapps folder to the new tomcat\webapps
folder.

10. Copy the JAVA_OPTS, JAVA_HOME and JRE_HOME lines from the existing Foundry instance's
tomcat\bin\catalina.sh file (catalina.bat on Windows) and add them at the start of the new
tomcat\bin\catalina.sh file (catalina.bat on Windows).

11. Copy the jboss-logging, mariadb, mysql, mssql, postgresql and ojdbc jar files
(and SapJCoDestinationProvider, if it exists) from the existing Foundry instance's
tomcat\lib folder to the new tomcat\lib folder.

12. Comment out the section below in the tomcat/webapps/manager/META-INF/context.xml file.

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

14. Copy the tomcat-users.xml file from the existing Foundry instance's tomcat\conf and
replace the one in the new tomcat\conf folder.

15. Add the tags below above the "Built In Filter Definitions" comment line in
tomcat\conf\web.xml.

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/j_spring_security_check</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/j_spring_security_logout</url-pattern>
</servlet-mapping>

15. If the instance uses https, add the tags below at the end of tomcat\conf\web.xml, just
above the </web-app> tag.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

16. Add the tags below just under the "Built In Filter Mappings" comment line in
tomcat\conf\web.xml.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

17. In the tomcat\lib\catalina.jar file, edit org/apache/catalina/util/ServerInfo.properties
and comment out the server.info, server.number and server.built lines.
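
After the last step, a quick way to confirm that the hardening edits of steps 6, 15 and 16 actually landed in the new tomcat\conf files. This is an added example and not part of the original procedure; it uses only the Python standard library, and the sample XML inside it is constructed (with autoDeploy deliberately left at "true") rather than taken from a Foundry instance.

```python
"""Check the hardening edits of steps 6, 15 and 16 (added example with constructed sample XML)."""
import xml.etree.ElementTree as ET
ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
HEADER_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
WANT_PARAMS = {"antiClickJackingEnabled": "true", "hstsEnabled": "true",   # step 16 init-params
               "hstsMaxAgeSeconds": "31536000", "blockContentTypeSniffingEnabled": "true"}

def _named(parent, name):  # children by local name; web.xml carries an xmlns that must be ignored
    return [c for c in parent if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, child):
    return next(((c.text or "").strip() for c in _named(elem, child)), "")

def check_server_xml(xml_text):
    """Findings for server.xml; an empty list means the Host edits of steps 6a and 6d are present."""
    findings = []
    for host in ET.fromstring(xml_text).iter("Host"):
        if host.get("autoDeploy") != "false":
            findings.append("step 6d: autoDeploy is still enabled, WARs dropped in webapps would deploy")
        if not any(v.get("className") == ERROR_VALVE and v.get("showReport") == "false"
                   and v.get("showServerInfo") == "false" for v in _named(host, "Valve")):
            findings.append("step 6a: hardened ErrorReportValve missing, error pages reveal the version")
    return findings

def check_web_xml(xml_text, https):
    """Findings for web.xml: header filter init-params (step 16) and, when https, step 15."""
    root, findings, params = ET.fromstring(xml_text), [], {}
    for flt in _named(root, "filter"):
        if _text(flt, "filter-class") == HEADER_FILTER:
            for p in _named(flt, "init-param"):
                params[_text(p, "param-name")] = _text(p, "param-value")
    for name, want in WANT_PARAMS.items():
        if params.get(name) != want:
            findings.append(f"step 16: httpHeaderSecurity init-param {name} should be {want}")
    tls = [(e.text or "").strip() for e in root.iter() if e.tag.endswith("transport-guarantee")]
    if https and "CONFIDENTIAL" not in tls:
        findings.append("step 15: no CONFIDENTIAL transport-guarantee, plain HTTP is not forced to TLS")
    return findings

# Constructed samples: web.xml has everything, server.xml still has autoDeploy="true" (step 6d missed).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"><Valve className="%s" showReport="false"
showServerInfo="false"/></Host></Engine></Service></Server>""" % ERROR_VALVE
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><filter>
<filter-name>httpHeaderSecurity</filter-name><filter-class>%s</filter-class>%s</filter>
<security-constraint><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint></web-app>""" % (HEADER_FILTER, "".join(
    f"<init-param><param-name>{k}</param-name><param-value>{v}</param-value></init-param>"
    for k, v in WANT_PARAMS.items()))
```

To run it against an instance, read the new tomcat\conf\server.xml and tomcat\conf\web.xml into strings and pass them to check_server_xml and check_web_xml; any returned finding names the step to redo.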
