Administering Apache Tomcat

Apache Tomcat is the most popular platform for deploying Java-based™ Web applications. In this two-day course, attendees learn how to administer the Tomcat server, deploy applications to the server, ensure the server’s security, troubleshoot problems, and cluster Tomcat to ensure high availability.

Note: This course can be taught using Tomcat 9.0, 8.5, 8.0, 7.0, or 6.0, with topics added or removed as appropriate to your version. This course can also be easily adapted to teach administration of TomEE Web Profile.

APACHE TOMCAT TRAINING OBJECTIVES

• Set up and configure Apache Tomcat
• Deploy Java web applications to the Tomcat server
• Configure Tomcat valves for access logging, single sign-on, and access control
• Monitor Tomcat via its JMX MBeans and a variety of tools, including JConsole, VisualVM, and PSI Probe
• Tune Tomcat for optimal performance
• Configure Tomcat logs and troubleshoot Tomcat
• Secure Tomcat
• Build and monitor database connection pools
• Run Tomcat behind a web server, such as Apache httpd or Microsoft IIS
• Build Tomcat clusters to ensure high availability

APACHE TOMCAT TRAINING PREREQUISITES

All attendees should be familiar with general principles of Web server administration and have some experience building Web applications. Prior experience with Java as an application server administrator or developer is helpful but not required.

APACHE TOMCAT TRAINING MATERIALS

All attendees receive Bascom Bridge’s  comprehensive courseware and a two-page checklist of performance tuning and security suggestions.

SOFTWARE NEEDED FOR EACH PC:

• At least 3GB RAM and 10GB hard drive space.
• The course can be taught using any modern operating system, including Windows, Linux, MacOS X, and Solaris. Upon request, a VMware VM can be provided with a self-contained Linux environment for the training.
• For classes delivered online, all participants need either dual monitors or a separate device logged into the online session so that they can do their work on one screen and watch the instructor on the other. A separate computer connected to a projector or large screen TV would be another way for students to see the instructor’s screen simultaneously with working on their own.

APACHE TOMCAT TRAINING OUTLINE

• Introduction
  • Overview of the Apache Software Foundation and the Jakarta Project
  • Overview of Java EE as a platform
  • Overview of the features and functionality specifically provided by Tomcat
• Installing Tomcat
  • Installing the Java Runtime Environment (JRE)
  • Performing the Tomcat installation (with nuances specific to your operating system discussed)
• Examining the Tomcat installation directories
  • bin
  • conf
  • lib
  • logs
  • temp
  • webapps
  • work
• Configuring Tomcat
  • server.xml (detailed walkthrough)
  • web.xml
  • context.xml
• Tomcat Valves
  • AccessLog
  • RequestFilterValve
  • Selective coverage of other filters as needed in your environment
  • Discussion of how filters are progressively replacing valves
• Memory management and JMX monitoring
  • Understanding Java garbage collection
  • Using JAVA_OPTS, JMX and JConsole to monitor and tune Tomcat memory usage
  • Sizing Tomcat’s JVM memory heap
  • Using JMX and JConsole to configure Tomcat via Tomcat’s MBeans
  • Updating Tomcat’s configuration via JMX “on the fly” without restarting Tomcat
  • Load testing with JMeter
  • Using VisualVM (new monitoring tool built into JDK 6) and PSI Probe
  • Controlling JMX MBeans via Ant
• Logging
  • JULI logging
  • log4j logging
  • Understanding exceptions and thread dumps
• Connecting databases with Tomcat applications
  • Classic JDBC approach
  • Better approach: JNDI resources
  • Setting up and monitoring database connection pools
• Security
  • File system security
  • Java security manager
  • Realms, authentication, and authorization
  • SSL (optional)
  • Closing potential security holes in Tomcat’s default configuration
    • Turning off the shutdown port
    • Ensuring directory listings are disabled
    • Removing unnecessary applications
    • Password protecting the JMX port (if open)
    • Turning off unnecessary connectors
    • Hardening the remaining connectors
• Performance tuning strategies
  • Additional JVM tuning tips
  • Changing to a different garbage collector (Parallel, Concurrent Mark Sweep, or G1)
  • Building native connectors
  • Disabling/removing unneeded applications
  • Tuning incoming connections and back-end database connection pools
  • Turning off Jasper development mode
  • Precompiling JSPs
  • Preloading servlets
  • Turning off autodeploy and automatic watching of web.xml files
• Tomcat 7/8 New Features [optional]
  • Memory leak prevention and detection
  • Support for new versions of the Servlet, JSP, and EL specs(and the practical implications of this for Tomcat admins)
  • Cross-site request forgery prevention (and how to configure)
  • Session fixation attack prevention
  • Alias support (which allow static content to be stored outside the WAR file)
  • Reference links for your developers
• Running Tomcat behind Apache httpd or IIS [this section would be taught using your web server and connector module of choice]
  • Why run Tomcat behind Apache httpd or IIS?
  • Installing mod_jk (Apache httpd or IS) or mod_proxy_ajp and mod_proxy_balancer (Apache httpd 2.2 or later only)
  • Proxying traffic to Tomcat via AJP
  • Monitoring the status of your web server’s connection to Tomcat
  • Load balancing Tomcat via mod_jk or mod_proxy_balancer
• Tomcat Clustering
  • Configuring mod_jk (in Apache or IIS) or mod_proxy_balancer (Apache 2.2 or later only) as a load balancer
  • Hardware load balancing as an alternative to software load balancing
  • Sticky sessions
  • Session Replication using <Cluster />
  • Configuring the application to be distributable
  • Setting up and testing failover
  • Alternative session replication back-ends
• Conclusion