
Second Instance of Tomcat

+2 votes
432 views

I am getting ready to deploy the Second Instance of Tomcat on the same server using different IP addresses.

TomcatInstance1 (IP Address: xx.xx.xx.x1)
TomcatInstance2 (IP Address: xx.xx.xx.x2)

I have a few questions; see below:

1) For the Tomcat server ports, I will be using the Connector Port and Redirect port to bind it to a specific IP address by using "address="xx.xx.xx.xx"". Is there a way to use the same Shutdown Port and AJP Port to bind it to a different IP address? Or do I have to change the Shutdown and AJP port numbers?

2) Keystore:
a. I am going to be using https, can I use the same .keystore to import the certificate?
b. If I move the .keystore to another location outside of Tomcat home, will Tomcat be able to see the .keystore if I specify the path within the server.xml file for .keystore path?
c. Should I create a new .keystore for the new instance?
d. What is the best practice for this?

3) Does anyone know a way to encrypt the clear-text passwords specified in tomcat-users.xml for the Tomcat manager and in the server.xml file for the .keystore?

posted Nov 7, 2013 by Seema Siddique


2 Answers

+1 vote
 
Best answer

1) The shutdown address can be specified in Tomcat 7, not in Tomcat 6.

https://tomcat.apache.org/tomcat-7.0-doc/config/server.html

All of the AJP connectors (Tomcat 6 & 7) support an "address" attribute. See here.

https://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#Standard_Implementations

2 a) Not exactly sure I follow you here. Are you asking if you can configure the connector for both instances of Tomcat to point to the same keystore file? As far as I know, that's OK.

2 b) Yes. See keystoreFile.

https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support

2 c) That's up to you. Do whatever makes the most sense for your setup.

2 d) It's tough to say what is a "best practice", since most environments are different and what makes the most sense for you likely depends on your unique environment.

What I can say is that I often see SSL terminated in front of Tomcat with a dedicated hardware device or Apache HTTPD. It performs well, plus it makes sense in setups with multiple Tomcat instances because there is already something in front of the Tomcat instances to load balance across them.

That doesn't mean you have to do that though. You could terminate the SSL with Tomcat and people do. If you go this route, I'd suggest using the APR or NIO connector though. The APR connector performs the best with SSL, but is a little trickier to set up. The NIO doesn't perform as well as the APR, but I believe it's better than the BIO connector and it's easy to set up.

3) I don't know of anything for the tomcat-users.xml file. It's my understanding that this file is not recommended for production use, so you should probably look at using a JDBC or LDAP realm instead.

https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

Another option would be to write a custom realm that decrypts the passwords.

Having said that, I believe the general suggestion here is to apply proper Unix permissions on the files to control access to them. For example, you should set the owner to be the user that is running Tomcat, which should *not* be root, and set the permission to r/w only for the owner.

answer Nov 7, 2013 by Deepak Dasgupta
+1 vote

The combination of IPAddr:port needs to be unique, so you can use the same port numbers if they're on different IP addresses, or the same IP addresses if the instances are listening on different ports.

Can't help you with the keystore stuff.

answer Nov 7, 2013 by Majula Joshi
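
As an added example (not code from either answer or from the Tomcat project), this Python check reads two server.xml files and reports listeners that cannot both bind, applying the address:port uniqueness rule from the answers. The IP addresses, the keystore path and the function names are assumptions made for illustration; addresses are compared as literal strings, and a connector with no `address` is treated as listening on every local address.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (192.0.2.x documentation addresses, hypothetical keystore path).
INSTANCE1 = """<Server port="8005" shutdown="SHUTDOWN" address="192.0.2.11">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="192.0.2.11"
               keystoreFile="/etc/tomcat/ssl/site.keystore"/>
    <Connector port="8009" protocol="AJP/1.3" address="192.0.2.11"/>
  </Service>
</Server>"""
INSTANCE2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="192.0.2.12"
               keystoreFile="/etc/tomcat/ssl/site.keystore"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""

ANY = "*"  # a Connector without address= listens on every local address

def listeners(server_xml):
    """Return the (address, port, role) sockets one instance will open."""
    root = ET.fromstring(server_xml)
    # Shutdown listener: localhost unless <Server address=...> is set (Tomcat 7).
    out = [(root.get("address", "localhost"), int(root.get("port")), "shutdown")]
    for c in root.iter("Connector"):
        out.append((c.get("address", ANY), int(c.get("port")),
                    c.get("protocol", "HTTP/1.1")))
    return out

def conflicts(a_xml, b_xml):
    """Pairs of listeners from two instances that cannot both bind."""
    clashes = []
    for addr_a, port_a, role_a in listeners(a_xml):
        for addr_b, port_b, role_b in listeners(b_xml):
            # Same port clashes when the addresses match or either side is a wildcard.
            same_addr = addr_a == addr_b or ANY in (addr_a, addr_b)
            if port_a == port_b and same_addr and port_a > 0:  # port -1 = disabled
                clashes.append((port_a, role_a, addr_a, role_b, addr_b))
    return clashes

if __name__ == "__main__":
    for clash in conflicts(INSTANCE1, INSTANCE2):
        print("bind conflict:", clash)
```

In the sample, only the AJP connector of the second instance clashes, because it omits `address` while the first instance already holds port 8009 on its own IP.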
Similar Questions
+2 votes

I'm running a server with multiple instances of Tomcat; each instance has some apps deployed and accessed with host:port, like

myhost.com:7777/app1
myhost.com:8888/app2
myhost.com:9999/app3

Is there any way to hide the port from users and make the app URLs simpler while keeping multiple instances? Like this, or anything near it:

app1.myhost.com
app2.myhost.com
app3.myhost.com
0 votes

In my web app, I'd like to re-use the (server-wide) Tomcat Realm that is already being used for HTTP Basic authentication but couldn't find a way how to get hold of the actual Realm instance.

I spent quite some time looking for a solution (complicated by the fact that most Google hits actually referred to the LDAP authentication realm) but found none. Is there a "config-file-only" solution or do I need to dig into the Tomcat source code and come up with my own JNDI ObjectFactory to achieve this ?

0 votes

How to use multiple virtual hosts with a single SSL instance running on the standard https port.

+1 vote

In Tomcat, is the number of open sockets on the HTTP port (netstat -anlp|grep 8080) equal to the number of threads in use in Tomcat?
Actually, I want to understand how and when I can say that all the threads in Tomcat are fully utilized and that is why it is responding slowly.

+3 votes

I have a requirement where the tomcat load has to be managed by tuning the following parameters.

--> Limit the number of user requests at Apache level that are routed to Tomcat server.
--> Track the number of processed requests and the requests that are queued at Apache level.

Any suggestions?

...