Apache httpd and Tomcat

This article covers the following steps:

  • Installation of the Apache Web Server
  • Installation of Apache's Servlet Container Tomcat
  • Connecting Tomcat to a MySQL server for user data management
  • Setting up a communication channel between Web Server and Servlet Container by using the Apache Tomcat Connector

Apache Web Server

The Apache web server can be installed using the available package manager. Here, we will assume Apache httpd has been installed by this method.

As a Servlet Container, we will be using a Tomcat instance owned by a dedicated user. That is, the Tomcat installation will be located in the home folder of, and run by, a user created specifically for this purpose. Let's assume this user is called tomcat8082 from here on, with the home folder /home/tomcat8082. This limits the running service's access to resources outside of it.

As a connector between the Apache Web Server and the Tomcat Servlet Container, we will be using the mod_jk module. Though not necessary, we recommend this kind of setup for security reasons. For instance, requiring SSL for connections to our PDR repository is easier in Apache's Web Server.

Apache Tomcat

Tomcat binary distributions are available at the Apache webpage. Unpack the core binary archive into the home folder of the user meant to run Tomcat. For convenience, rename the unpacked directory to tomcat1. Tomcat can now be started up and shut down using the scripts in the /home/tomcat8082/tomcat1/bin directory.

Connecting Web Server and Servlet Container

In order to get Apache's Web Server and Tomcat to work together, we will set up a local port connection using the Apache Tomcat Connector (JK).

Configuring the Web Server

The mod_jk module provides the communication channel over which web server and servlet container stay in touch, i.e. in this setup the Apache HTTP server and Tomcat's servlet container Catalina. Even though Tomcat could be used as an HTTP server as well, we prefer it to focus on running Java web services and let the apache2 HTTP server deal with serving HTTP.

We can simply install mod_jk from the system's software repos:

aptitude install libapache2-mod-jk

In order to be able to talk to each other, both the web server and the servlet container must be configured accordingly. Several preconditions must be met before mod_jk establishes a connection between the two servers. Among others, we have to make sure our worker operates correctly. By worker, we mean a Tomcat instance.

Configuring worker

Configure workers at /etc/libapache2-mod-jk/workers.properties. The changes to the default configuration that are likely to be necessary are:

  • workers.java_home=/usr/lib/jvm/java-6-openjdk-amd64 - set path to the JVM
  • workers.tomcat_home=/home/tomcat8082/tomcat1 - location of our Tomcat instance
  • We also want to define where and how our workers can be contacted:
    worker.list=worker1, stat
    worker.worker1.port=8010
    worker.worker1.host=localhost
    worker.worker1.type=ajp13
    worker.worker1.lbfactor=1 # load balance
    worker.stat.type=status

Connecting Web Server

We can now proceed to telling the HTTP server how to connect to that worker by configuring mod_jk. At /etc/apache2/mods-enabled/jk.conf, we specify where the module will find the worker configuration:

JkWorkersFile /etc/libapache2-mod-jk/workers.properties

What's left to be done for the HTTP server is to include the worker and assign the URL prefixes under which we want Tomcat's web services to be available. We add the following to the <VirtualHost> elements in the configuration files in our /etc/apache2/sites-enabled/ directory:

DocumentRoot /var/www
JkMount /prefix* worker1

At this point we still haven't really connected Tomcat to the Web Server yet, so there is some more configuring.

Configuring Tomcat

In this section, it is assumed that a Tomcat instance has been installed as suggested at the top of this article.

Setting PDR_HOME environment variable

In order for PDR-Allies to work, an environment variable PDR_HOME needs to be set. A good place for this to be taken care of is Tomcat's startup script. Place this line in your Tomcat's bin/startup.sh:

  export PDR_HOME=/home/tomcat8082/.pdr

Setting up Database connection for Access Control

Instead of keeping authentication data in Tomcat's configuration files, we will use a MySQL database to which we connect using JDBC. In this example, the MySQL server has been installed from the system's official repos using the package manager.

We begin by creating a new user tomcat with read permission on the tomcat_auth database:

mysql> CREATE USER tomcat@localhost IDENTIFIED BY 'passwd';
Query OK, 0 ROWS affected (0.06 sec)
mysql> GRANT SELECT ON tomcat_auth.* TO tomcat@localhost;

There is a script for initialization of the tomcat_auth database. Once downloaded, it can be executed by calling:

mysql -u root -p < tomcat_auth.sql

The script itself goes like this:

tomcat_auth.sql
DROP DATABASE IF EXISTS tomcat_auth;
CREATE DATABASE tomcat_auth;
USE tomcat_auth;
 
CREATE TABLE users
(
  user_name VARCHAR(15) NOT NULL PRIMARY KEY,
  user_pass VARCHAR(15) NOT NULL
);
 
CREATE TABLE roles
(
  role_name VARCHAR(15) NOT NULL PRIMARY KEY
);
 
CREATE TABLE user_roles
(
  user_name VARCHAR(15) NOT NULL,
  role_name VARCHAR(15) NOT NULL,
  PRIMARY KEY( user_name, role_name )
);

Once the database has been created, tomcat users can be stored by calling

mysql> INSERT INTO users (user_name, user_pass) VALUES ('u', 'p');

as the mysql server root.

Note: Since Tomcat 6.x, some details in configuration have been changed, which can be confusing. This is how the admin user roles work as of version 7:

  • manager-gui - allows access to the HTML GUI and the status pages
  • manager-script - allows access to the text interface and the status pages
  • manager-jmx - allows access to the JMX proxy and the status pages
  • manager-status - allows access to the status pages only

Finally, we tell Tomcat where to find the DB by defining a JDBCRealm in Tomcat's conf/server.xml.

<Realm className="org.apache.catalina.realm.JDBCRealm"
        debug="99"
        driverName="org.gjt.mm.mysql.Driver"
        connectionURL="jdbc:mysql://localhost/tomcat_auth?user=tomcat&amp;password=passwd"
        userTable="users"
        userNameCol="user_name"
        userCredCol="user_pass"
        userRoleTable="user_roles"
        roleNameCol="role_name"
        autoReconnect="true"/>
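
With the Realm and the users table as shown, passwords sit in the database in clear text and the user_pass column is too narrow to hold anything else. The following check is an added example, not part of the original article or of Tomcat: it audits the Realm element and table definition from this page and computes the value to store once the Realm carries a digest attribute. The function names, the constructed sample strings and the UTF-8 encoding of the password are assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Realm and users table as configured in this article.
REALM_XML = '''<Realm className="org.apache.catalina.realm.JDBCRealm"
  connectionURL="jdbc:mysql://localhost/tomcat_auth?user=tomcat&amp;password=passwd"
  userTable="users" userNameCol="user_name" userCredCol="user_pass"
  userRoleTable="user_roles" roleNameCol="role_name"/>'''
USERS_DDL = "CREATE TABLE users (user_name VARCHAR(15), user_pass VARCHAR(15));"


def tomcat7_digest(password, algorithm="SHA-256"):
    """Value to store in user_pass when the Realm sets digest=<algorithm>.

    Tomcat 7 compares the hex of an unsalted digest, case-insensitively.
    Assumption: the password is encoded as UTF-8 before hashing.
    """
    name = algorithm.replace("-", "").lower()      # "SHA-256" -> "sha256"
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def audit_realm(realm_xml, users_ddl, algorithm="SHA-256"):
    """Return findings for a JDBCRealm and the column holding credentials."""
    realm = ET.fromstring(realm_xml)
    findings = []
    # Tomcat 7 hashes via the Realm's digest attribute, newer releases via a
    # nested CredentialHandler element. With neither, passwords are clear text.
    hashed = "digest" in realm.attrib or realm.find("CredentialHandler") is not None
    if not hashed:
        findings.append("passwords are stored and compared as clear text")
    # The credential column must be wide enough for the hex digest.
    col = realm.get("userCredCol", "user_pass")
    need = len(tomcat7_digest("", algorithm))
    m = re.search(re.escape(col) + r"\s+VARCHAR\((\d+)\)", users_ddl, re.I)
    if m and int(m.group(1)) < need:
        findings.append(f"{col} VARCHAR({m.group(1)}) is too short for "
                        f"{need} hex characters of {algorithm}")
    return findings


if __name__ == "__main__":
    for finding in audit_realm(REALM_XML, USERS_DDL):
        print("FINDING:", finding)
```

Both findings clear once the Realm element carries digest="SHA-256", user_pass is widened to VARCHAR(64), and the INSERT statements store the output of tomcat7_digest instead of the password itself.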

Connecting to HTTP server

To get the connector to work, we have to tell Tomcat where and how it can connect with the Apache Web Server:

In /home/tomcat8082/tomcat1/conf/server.xml, we specify the port to connect to:

<!-- Define an AJP 1.3 Connector on port 8010 -->
<Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />

That's it.
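
Since the worker is reached at localhost, the AJP port only ever needs to accept connections from the local httpd. The following cross-check is an added example, not part of the original article or of mod_jk: it reads workers.properties and server.xml, confirms that Tomcat has an AJP connector on the worker's port, and flags a connector that is not bound to a loopback address. The sample strings are constructed from the settings on this page, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the worker and Connector settings above.
WORKERS = """worker.list=worker1, stat
worker.worker1.port=8010
worker.worker1.host=localhost
worker.worker1.type=ajp13 #
worker.stat.type=status
"""
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_workers(text):
    """Parse workers.properties; '#' starts a comment, also mid-line."""
    props = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_ajp(workers_text, server_xml, worker="worker1"):
    """Cross-check one mod_jk worker against Tomcat's AJP connectors."""
    props = parse_workers(workers_text)
    host = props.get(f"worker.{worker}.host", "localhost")  # mod_jk default
    port = props.get(f"worker.{worker}.port", "8009")       # mod_jk default
    findings = []
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if "ajp" in c.get("protocol", "").lower()]
    match = [c for c in ajp if c.get("port") == port]
    if not match:
        findings.append(f"no AJP connector listens on worker port {port}")
    for c in match:
        # Assumption: on Tomcat releases of this article's era, an AJP
        # connector without an address attribute accepts connections on
        # every interface, not only from the local httpd.
        if host in LOOPBACK and c.get("address") not in LOOPBACK:
            findings.append(f"AJP port {port} is not bound to loopback")
    return findings


if __name__ == "__main__":
    print(audit_ajp(WORKERS, SERVER_XML))
```

Adding address="127.0.0.1" to the Connector element clears the finding for the configuration shown in this article.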

en/doc/repo/install/tomcat.txt · Last modified: 2015/06/22 14:59 by jhoeper