Hardening Tomcat 9

Posted: admin on 1/26/2022
  1. Authoritative hardening checklists for all platforms, database systems and applications – CIS Benchmarks. While there are numerous reference sources for such checklists – The SANS Institute, NIST, Microsoft and Oracle all publish hardening best practice checklists, plus there are numerous guides and forums across the internet - these different sources can lead to contradictory advice.
  2. Otherwise, if you want some customized help with your hardening projects, give us a call. Secure Compliance Solutions is the trusted security advisor for Chicagoland’s small-to-medium businesses. We offer a variety of services that promote a strengthened security posture and a culture of compliance.


Improving Apache Tomcat Security - A Step By Step Guide

Apache Tomcat boasts an impressive track record when it comes to security. According to the official Apache Tomcat Wiki Pages, there has never been a reported case of actual damage or significant data loss due to a malicious attack on any Apache Tomcat instance.

This guide describes the procedure for upgrading Apache Tomcat 8, as installed with an existing Uniface 9.x or 10.x installation, to Apache Tomcat 8.5 or 9. This guide currently only focuses on Windows.

1.1 Assumptions

In this guide, we make the following assumptions:

  • The current configuration does not deviate very much from the default Uniface installation, meaning the directory structure has not changed.
    Note: Any alternative configurations and add-ons to Tomcat 8 should first be listed and addressed before continuing to the Uniface-specific migration.
  • The upgrade will be to Tomcat 8.5 or Tomcat 9.
  • The current version of Apache Tomcat is installed on a Windows system.

1.2 Resources

  • Apache Tomcat 9.0: https://tomcat.apache.org/download-90.cgi
  • Apache Tomcat 8.5: https://tomcat.apache.org/download-80.cgi
  • JRE: http://www.oracle.com/technetwork/java/javase/downloads/index.html

Additional resources:

  • Uniface Lectures Webinar - Application & Infrastructure Security - Hardening Tomcat: https://www.youtube.com/playlist?list=PLec4UnOD-AIISHRIMe7SIWORr5y8KSuU3
  • Hardening Tomcat Lecture Files: https://unifaceinfo.com/community-samples/

Before continuing, please read the migration guides provided by Tomcat and check if there are specific settings that require attention: https://tomcat.apache.org/migration.html

2.1 Install and test the new Apache Tomcat version

Tomcat versions 8.5 and 9 both contain a file called RUNNING.txt in the binaries root directory. It describes the installation process in more detail. We recommend that you read this file because it provides greater detail on the installation and workings of Tomcat. Relevant parts from this guide are used in this document.

Prerequisites

  1. Download the core binary distribution of Tomcat 8.5 or 9 for Windows from the location mentioned under 1.2 Resources.
  2. Unpack the binary distribution zip file in <UNIFACE_INSTALL>\common, and make sure the original directory structure is maintained.
    Note: This is the default when installing Uniface, but it can be any preferred directory.

Setup JRE (from RUNNING.txt)

If your current JRE matches the Tomcat installation requirement, you can skip this step. Java installations are typically found in <PROGRAM_FILES>\Java.

  1. Download a Java SE Runtime Environment (JRE), release version 8 or later, from http://www.oracle.com/technetwork/java/javase/downloads/index.html
    Note: Make sure the JRE has the same architecture as Tomcat: if Tomcat is 32-bit, the JRE must also be 32-bit, and so on.
  2. Install the JRE according to the instructions included with the release. You may also use a full Java Development Kit (JDK) rather than just a JRE.

2.2 Configure Environment Variables

RUNNING.txt section 3 contains detailed information about environment variables for Tomcat. It is recommended that you read this section carefully and follow its recommendations.

However, if you use the startup script logic described in RUNNING.txt, section 3.1, you should at least set the path to the JRE as an environment variable:

  1. Open a text editor and add the following lines (the quotes must be double quotes; in a batch file single quotes would become part of the variable name):
    set "JRE_HOME=<PROGRAM_FILES>\Java\<JRE>"
    exit /b 0
    where <JRE> is the directory of the installed JRE version.
    Note: It is recommended to save the existing value of the variable JRE_HOME in a separate .bat file so that you can easily switch back to the original situation.
  2. Save the text file as setenv.bat in <TOMCAT_INSTALL>\bin.

2.3 Install the Tomcat service

You are now ready to install the Tomcat service.

  1. Open a command prompt and execute the command:
    cd <TOMCAT_INSTALL>\bin
  2. Execute the command:
    setenv.bat
  3. Execute the command (no quotes around the name; cmd would otherwise make them part of the service name):
    service.bat install Uniface

This will install the Tomcat service with the name Uniface and display name Apache Tomcat <version> Uniface.

Note: The display name for the service can be changed by editing service.bat. Look for:
    set DISPLAYNAME=Apache Tomcat (version) %SERVICE_NAME%

Open the Windows Services console and note that the service is installed.

Open <TOMCAT_INSTALL>\conf\server.xml and change all port numbers that start with 8 into 9, for example:

    <Connector port='9080' protocol='HTTP/1.1' connectionTimeout='20000' redirectPort='9443' />


We will change this back once the new service is ready, but for now this ensures that the new service can run beside the existing Tomcat 8 service. See chapter “3.4 Finalize the installation”.

Right-click the “Apache Tomcat 9.0 Uniface” service and click Start. This should start the service, which should then show the status ‘running’ (after a refresh) in the Services view.
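As an added example that is not part of the Uniface guide, the following Python helper performs the port renumbering described above on a server.xml document and reverses it again for the finalization step in 3.4. It rewrites the port and redirectPort attributes with a regular expression rather than re-serializing the XML, so comments, quoting and layout of the file are preserved; the server.xml fragment inside it is constructed.

```python
# Added example, not from the Uniface guide: renumber Tomcat ports so a second
# service can run next to the existing one, and reverse the change later.
import re

# Matches a four-digit port or redirectPort attribute in either quote style.
PORT_ATTR = re.compile(r'\b(port|redirectPort)=(["\'])(\d)(\d{3})\2')

def shift_ports(server_xml, old="8", new="9"):
    """Return (rewritten_xml, changes) with every four-digit port whose first
    digit is `old` rewritten to start with `new`; ports such as -1 are untouched."""
    changes = []

    def repl(m):
        attr, quote, first, rest = m.groups()
        if first != old:
            return m.group(0)
        changes.append((attr, first + rest, new + rest))
        return f"{attr}={quote}{new}{rest}{quote}"

    return PORT_ATTR.sub(repl, server_xml), changes

# Constructed server.xml fragment in the shape of a default Tomcat install.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

if __name__ == "__main__":
    shifted, changes = shift_ports(SAMPLE)                 # step 2.3: 8xxx -> 9xxx
    for attr, before, after in changes:
        print(f"{attr}: {before} -> {after}")
    restored, _ = shift_ports(shifted, old="9", new="8")   # step 3.4: back again
    print("round trip ok:", restored == SAMPLE)
```

Run against a real file, read server.xml into a string, pass it to shift_ports and write the first element of the result back; the returned change list is what you compare against the Tomcat 8 server.xml when restoring the ports.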

2.4 Test the Tomcat service

After startup, the default web applications included with Tomcat will be available by visiting:
http://localhost:9080/

This section describes how to get the Uniface WRD and any existing applications to work with the new Apache Tomcat installation. It is assumed that there is already a working Tomcat installation available on the system, so that you can duplicate the configuration.

Before you start, we recommend that you stop the service Apache Tomcat <version> Uniface which we just created in the previous chapter.

3.1 Install the WRD classes

  1. Open a File Explorer and go to
    <UNIFACE_INSTALL>\common\tomcat\lib
  2. Locate the wrd.jar file and copy it to
    <TOMCAT_INSTALL>\lib

Note: Alternatively you can also move wrd.jar to <UNIFACE_INSTALL>\uniface\webapps\WEB-INF\lib

3.2 Review the Uniface configuration


uniface.xml

Copy the file uniface.xml in
<UNIFACE_INSTALL>\common\tomcat\conf\Catalina\localhost
to
<TOMCAT_INSTALL>\conf\Catalina\localhost

This file contains the location of the Uniface application (and WEB-INF\web.xml), which typically resides in
<UNIFACE_INSTALL>\uniface\webapps\uniface

The content of this file should look something like this:

    <?xml version='1.0' encoding='ISO-8859-1'?>
    <!-- Context configuration file for Uniface -->
    <Context docBase='<UNIFACE_INSTALL>\uniface\webapps\uniface'>
      <Valve className='org.apache.catalina.valves.AccessLogValve' prefix='uniface-' suffix='.log' pattern='common'/>
    </Context>


3.3 Review customized configuration files

The previous two steps (3.1 and 3.2) are basically the only two steps that need to be taken in order to make Uniface work under the new version of Tomcat. However, depending on your local situation, there may be custom configuration implemented apart from the Uniface mandatory configuration.
Relevant configuration files can be found in the <TOMCAT_INSTALL>\conf directory:

- catalina.properties
- catalina.policy
- context.xml
- tomcat-users.xml
- logging.properties
- web.xml

We recommend that you use a tool such as BeyondCompare (https://www.scootersoftware.com/download.php) to compare the content of the files between Tomcat8 and the new Tomcat version.

Note: server.xml also falls under this category; however, we modified it in a previous step to allow the new service to run alongside the old service, and it will be edited again in chapter “3.4 Finalize the installation”.


3.4 Finalize the installation

At this point the new Tomcat service is ready to start using the new Uniface configuration.

Testing

  1. Start the service “Apache Tomcat <version> Uniface” and make sure it is running by refreshing the view and verifying the status (‘running’).
  2. Open a browser and go to the URL http://localhost:9080/uniface/wrd/<DSPNAME> to check if the application works as expected.

Restore server.xml

  1. If all works as expected, stop the “Apache Tomcat <version> Uniface” service, open server.xml, set the port numbers back by comparing it to the Tomcat 8 server.xml configuration, and save the file.
  2. Stop the existing Tomcat 8 service and start the “Apache Tomcat <version> Uniface” service. The Uniface application now runs under the new Tomcat version.
  3. Open a browser again and go to the URL http://localhost:8080/uniface/wrd/<DSPNAME> and verify that the application now also runs under port 8080 (or your custom port).

Cleaning up

Before removing the Tomcat 8 binaries, remove the service:

  1. Open a command prompt as administrator
  2. Execute the command (where tomcat8_service_name is the name of the existing Tomcat 8 service):
    sc delete "tomcat8_service_name"

Apache Tomcat is the leading Java application server by market share and the world's most widely used web application server overall. Currently at version 8, the popular web server has not been without its security flaws, perhaps most famously publicized in this incident of aircraft hacking by security researcher Chris Roberts earlier this year. However, hardening Tomcat's default configuration is just plain good security sense—even if you don't plan on using it on your plane's network. The following are 15 ways to secure Apache Tomcat 8, out-of-the-box.

1. Don't run Tomcat as the root user

This line of advice applies to most web server platforms. Web-related services should not be run by user accounts with a high level of administrative access. In Tomcat's case, a user with the minimum necessary OS permissions should be created exclusively to run the Tomcat process.

2. Remove any default sample or test web applications

Most web server platforms also provide a set of sample or test web applications for demo and learning purposes. These applications have been known to harbor vulnerabilities, and should be removed if not in use. Tomcat's examples web application is one that should be removed to prevent exploitation.

3. Put Tomcat's shutdown procedure on lockdown

This prevents malicious actors from shutting down Tomcat's web services. Either disable the shutdown port by setting the port attribute of the Server element in server.xml to -1, or, if the port must be kept open, be sure to configure a strong password for shutdown.

4. Disable support for TRACE requests

Though useful for debugging, enabling allowTrace can expose some browsers to a cross-site scripting (XSS) attack. This can be mitigated by disabling allowTrace on the connector in the server.xml file.

5. Disable sending of the X-Powered-By HTTP header


If enabled, Tomcat will send information such as the Servlet and JSP specification versions and the full Tomcat version, among others. This gives attackers a workable starting point to craft an attack. To prevent this information leakage, disable the xpoweredBy attribute in the server.xml file.

6. Disable SSLv3 to prevent POODLE attacks

POODLE is an SSL v3 protocol vulnerability discovered in 2014. An attacker can gain access to sensitive information such as passwords and browser cookies by exploiting this vulnerability; consequently, SSL v3 (and SSL in general) should not be included in the server.xml file under the sslEnabledProtocols attribute.


7. Set the deployXML attribute to false in a hosted environment

This prevents would-be attackers from attempting to increase the privileges of a web application by packaging an altered/custom context.xml with it. This is especially critical in hosted environments where other web applications sharing the same server resources cannot be trusted.

8. Configure and use realms judiciously

Tomcat's realms are designed differently and their limitations should be understood before use. For example, the DataSourceRealm should be used in place of the JDBCRealm, as the latter is single threaded for all authentication/authorization options and not suited for production use. The JAASRealm should also be avoided, as it is seldom used and sports an immature codebase.

9. Set Tomcat to create a new facade object for each request

This can be configured by setting the org.apache.catalina.connector.RECYCLE_FACADES system property to true. By doing this, you reduce the chance of a buggy application exposing data between requests.

10. Ensure that access to resources is set to read-only

This can be done by setting readonly to true under DefaultServlet, effectively preventing clients from deleting/modifying static resources on the server and uploading new resources.

11. Disable Tomcat from displaying directory listings

Listing the contents of directories with a large number of files can consume considerable system resources, and can therefore be used in a denial-of-service (DoS) attack. Setting listings to false under DefaultServlet mitigates this risk.

12. Enable logging of network traffic

In general, logs should be generated and maintained on all levels (e.g., user access, Tomcat internals, et al), but network traffic logging is especially useful for breach assessment and forensics. To set up your Tomcat application to create logs of network traffic, use/configure the AccessLogValve component.

13. Disable automated deployment if not in use

If you're running a fully-realized CI/CD pipeline, good for you—you'll need full use of Tomcat's host components. However, if not—be sure to set all the host attributes to false (autoDeploy, deployOnStartup, and deployXML) to prevent them from being compromised by an attacker.

14. Disable or limit the Tomcat Manager Webapp

Tomcat Manager enables easy configuration and management of Tomcat instances through one web interface. Convenient, no doubt—for both authorized administrators and attackers. Alternative methods for administering Tomcat instances are therefore better, but if Tomcat Manager must be used, be sure to use its configuration options to limit your risk exposure.

15. Limit the availability of connectors

Connectors by default listen to all interfaces. For better security, they should only listen to those required by your web application and ignore the rest. This can be accomplished by setting the address attribute of the connector element.
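As an added example that is not from the article, the following Python script audits a Tomcat server.xml against items 3, 4, 5, 6, 13 and 15 of this checklist. The two server.xml documents inside it are constructed: one with the weak settings and one with the corrected ones, where the nested SSLHostConfig element is the Tomcat 8.5/9 way of listing TLS protocols.

```python
# Added example, not from the article: audit a Tomcat server.xml against
# checklist items 3, 4, 5, 6, 13 and 15. Both sample documents are constructed.
import xml.etree.ElementTree as ET

HOST_DEPLOY_ATTRS = ("autoDeploy", "deployOnStartup", "deployXML")  # item 13

def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    shutdown_port = root.get("port", "8005")  # Tomcat's default shutdown port
    if shutdown_port != "-1":                 # item 3
        findings.append(f"Server: shutdown port is {shutdown_port}, not -1")
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        if c.get("allowTrace", "false").lower() == "true":   # item 4
            findings.append(f"Connector {port}: allowTrace is enabled")
        if c.get("xpoweredBy", "false").lower() == "true":   # item 5
            findings.append(f"Connector {port}: xpoweredBy is enabled")
        # Item 6: no SSL versions; Tomcat 8.5+/9 may list protocols on a nested
        # <SSLHostConfig protocols="..."> instead of sslEnabledProtocols.
        lists = [c.get("sslEnabledProtocols", "")]
        lists += [h.get("protocols", "") for h in c.iter("SSLHostConfig")]
        if any(p.strip().upper().startswith("SSL") for s in lists for p in s.split(",")):
            findings.append(f"Connector {port}: an SSL protocol version is enabled")
        if not c.get("address"):                              # item 15
            findings.append(f"Connector {port}: no address, listens on all interfaces")
    for h in root.iter("Host"):
        for attr in HOST_DEPLOY_ATTRS:  # all three default to true in Tomcat
            if h.get(attr, "true").lower() != "false":
                findings.append(f"Host {h.get('name', '?')}: {attr} is not false")
    return findings

WEAK = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" xpoweredBy="true"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             sslEnabledProtocols="SSLv3,TLSv1.2"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" autoDeploy="true"/>
  </Engine></Service></Server>"""

HARDENED = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
             allowTrace="false" xpoweredBy="false"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="127.0.0.1">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"/>
  </Connector>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" autoDeploy="false"
          deployOnStartup="false" deployXML="false"/>
  </Engine></Service></Server>"""
```

audit_server_xml(WEAK) returns nine findings and audit_server_xml(HARDENED) returns an empty list; items 10 and 11 are DefaultServlet settings in web.xml rather than server.xml and are not covered by this check.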

In short, Apache Tomcat's popularity invariably means that its vulnerabilities and exploits are well known by both security professionals and malicious actors alike. Out-of-the-box security is never sufficient for protecting against today's cyber threats, and proper hardening of Tomcat is especially critical given the server platform's ubiquity. Looking for a way to perform these hardening checks and more, automatically—with just a few mouse clicks? Check out ScriptRock's platform for vulnerability detection and security monitoring. It's free for up to 10 servers, so try it today on us.
