Tomcat Security Tips

This section provides some basic tips on security concerns when running Tomcat in a production WebFOCUS environment. For development environments that are safely behind a firewall, this section is normally optional. You must be an administrator on the Windows machine to perform the tasks in this section.


Tomcat User ID and NTFS Permissions


By default, when Tomcat runs as a Windows service, it runs as the built-in Local System account. Local System has full access to the Windows system, so anything that compromises Tomcat (for example, a vulnerable web application it hosts) inherits that access. In a production environment, run Tomcat as a dedicated user with more restricted access. To do this, create a user ID for Tomcat, configure the Tomcat service to log on with that ID, and set NTFS permissions to grant that ID full access to the Tomcat and WebFOCUS directories and read access to any other directories it needs.



Procedure: How to Create a Tomcat User ID
  1. Open the Windows Control Panel, Administrative Tools, and Computer Management.

    Note: On Windows XP machines, you may need to select Switch to Classic View.

  2. Under System Tools, expand Local Users and Groups.
  3. Right-click Users and choose New User.
  4. Name the new user and provide a password.
  5. Deselect User must change password at next logon, and select Password never expires.
  6. Click Create.

    The Tomcat user is created and added to the Users group. An administrator may wish to move the Tomcat user into a special group with even less access to the system. However, if you do this, you must ensure the Tomcat user can read and execute from all the Java directories and from the directories containing any required JDBC drivers.

  7. Click Close to close the New User window.


Procedure: How to Configure Tomcat to Use the Tomcat User ID
  1. Open the Windows Services window.
  2. If Tomcat is started, right-click Apache Tomcat and choose Stop.
  3. Right-click Apache Tomcat and choose Properties.

    The Apache Tomcat Properties window appears.

  4. Select the Log On tab.

    By default, this is set to the Local System account.

  5. Click This Account.
  6. Specify the Tomcat user ID in the This Account field.
  7. Type and confirm the password you defined for the Tomcat user ID. If you ever change this password, you must change it here as well.
  8. Click OK.

    A message similar to the following should display:

    This account .\Tomcat has been granted Log On As a Service right.


Procedure: How to Set NTFS Permissions for Tomcat

After setting Tomcat to run as this user ID, you must grant this user ID Full Control NTFS permissions on the Tomcat and WebFOCUS directories.

  1. Open Windows Explorer and right-click the Tomcat installation directory:
    C:\Program Files\Apache Software Foundation\Tomcat 7.0.19

    or

    C:\ibi\tomcat
  2. Choose Properties and click the Security tab.

    If there is no Security tab and you are using Windows XP, you may need to turn off the Simple File Sharing option. You can do this in Windows Explorer, by clicking Tools, Folder Options, View, and deselecting Use Simple File Sharing.

  3. Click Add.
  4. Display all users on the local machine.
    1. Click Advanced in the Window that appears.
    2. If it is not set to your hostname, click the Locations button, select your hostname, and click OK.
    3. Click Find Now to display all users on the local machine.
  5. Scroll down to select the user ID that you set to run Tomcat.
  6. Click OK.
  7. Click OK to return to the main properties window for the directory.
  8. Select the Tomcat user ID, and check the Allow box for Full Control.
  9. Click OK.
  10. Repeat this procedure for the WebFOCUS81 and apps directories:
    drive:\ibi\WebFOCUS81
    drive:\ibi\apps

    You can also further restrict permissions at a later time.
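The three procedures above (create the user ID, point the service at it, grant NTFS permissions) as a single PowerShell script. This is an added example, not part of the original documentation or of the Tomcat or WebFOCUS products. It assumes the account is named Tomcat, the Windows service name is Tomcat7 (the Tomcat 7.0.x installer's default; confirm with Get-Service -DisplayName 'Apache Tomcat*'), the directories are the ones the procedures show, and the host runs Windows PowerShell 5.1 or later for the *-LocalUser and *-LocalGroupMember cmdlets. Two points the GUI hides are handled explicitly: sc.exe config does not grant the Log On As a Service right (the Services snap-in does it silently, which is what the message in step 8 reports), and New-LocalUser does not add the account to the Users group the way Computer Management does.

```powershell
# Added example (not from the original page): the three procedures above as one script.
# Assumptions: account "Tomcat", service name "Tomcat7", the directories shown in the
# procedures, Windows PowerShell 5.1+ on the Tomcat host. Run from an elevated prompt.

$AccountName = 'Tomcat'
$ServiceName = 'Tomcat7'   # assumption; check with: Get-Service -DisplayName 'Apache Tomcat*'
$Directories = @(
    'C:\Program Files\Apache Software Foundation\Tomcat 7.0.19',
    'C:\ibi\WebFOCUS81',
    'C:\ibi\apps'
)

function Grant-LogonAsService {
    # sc.exe config does not grant "Log On As a Service", so grant it with the usual
    # secedit round-trip: export User Rights, add the account SID to SeServiceLogonRight,
    # re-import. Without this right the service fails to start under the new account.
    param([string]$Account)
    $Sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
               [Security.Principal.SecurityIdentifier]).Value
    $Work = Join-Path $env:TEMP 'tomcat-userrights'
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    $Cfg = Join-Path $Work 'rights.inf'
    & secedit.exe /export /cfg $Cfg /areas USER_RIGHTS /quiet | Out-Null
    $Lines   = Get-Content -LiteralPath $Cfg
    $Current = $Lines -match '^SeServiceLogonRight\s*='
    if ($Current -and $Current[0] -like "*$Sid*") { return }   # already granted
    if ($Current) {
        $Lines = $Lines -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$Sid"
    } else {
        $Lines = $Lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$Sid"
    }
    Set-Content -LiteralPath $Cfg -Value $Lines -Encoding Unicode
    & secedit.exe /configure /db (Join-Path $Work 'rights.sdb') /cfg $Cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $env:windir\security\logs\scesrv.log" }
    Remove-Item -LiteralPath $Work -Recurse -Force
}

# 1. Create the Tomcat user ID. The password is prompted for so it never sits in a
#    script file or shell history. New-LocalUser does not add the account to Users
#    (the Computer Management snap-in does), so that membership is added explicitly.
$Password = Read-Host -AsSecureString -Prompt "Password for local account $AccountName"
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
                  -Description 'Runs the Apache Tomcat service' | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Users' -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $AccountName
}
Grant-LogonAsService -Account $AccountName

# 2. Point the service at the account. sc.exe needs the plaintext password, so the
#    secure string is decoded only for that one call and the BSTR is zeroed afterwards.
Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try {
    $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    # sc.exe syntax requires the space after "obj=" and "password=".
    & sc.exe config $ServiceName obj= ".\$AccountName" password= $Plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed (exit $LASTEXITCODE)" }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    Remove-Variable -Name Plain -ErrorAction SilentlyContinue
}

# 3. Grant Full Control on the Tomcat and WebFOCUS directories. (OI)(CI) makes the ACE
#    inherit to files and subfolders, which is what the Security tab does by default.
foreach ($Dir in $Directories) {
    if (-not (Test-Path -LiteralPath $Dir)) { Write-Warning "Skipping missing directory $Dir"; continue }
    & icacls.exe $Dir /grant "${AccountName}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Dir (exit $LASTEXITCODE)" }
}

Start-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

The final line shows the service's StartName (expected .\Tomcat) and State so you can confirm the change took effect. If the service fails to start, the usual cause is a missing Read & Execute permission on the Java directories rather than on the directories granted here.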



Reference: Permissions Concerns

Required NTFS permissions and user IDs vary depending on your system, environment, security needs, and administrator preferences. Tomcat, IIS, and the WebFOCUS Reporting Server normally run as separate accounts and there are cases where they all read or write to the same directory or file. It is a good idea to create a group containing all the required user IDs.

The WebFOCUS Security and Administration manual contains additional information on permissions.

If the Tomcat user is not in the default Users group and/or you have restricted permissions throughout your system, ensure the Tomcat user ID can read from the directories containing any JDBC drivers. In addition, ensure Tomcat can read and execute the directories containing the Java JDK.
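An added example (not from the original documentation or the products it describes) of the two points above: one local group holding the accounts that run Tomcat, IIS and the WebFOCUS Reporting Server, granted once on a shared directory, followed by an audit that the Tomcat account still has Read & Execute on the Java and JDBC driver directories. The group name WebFOCUSServices, the member names (Tomcat, the IIS application-pool identity IIS AppPool\DefaultAppPool, and a Reporting Server account WFRS), the shared directory and the JDK and JDBC paths are all assumptions for illustration.

```powershell
# Added example (not from the original page). Assumed names and paths below are
# placeholders; substitute the accounts and directories used on your host.
# Run from an elevated prompt; requires Windows PowerShell 5.1+.

$Group     = 'WebFOCUSServices'
$Members   = @('Tomcat', 'IIS AppPool\DefaultAppPool', 'WFRS')          # assumed accounts
$SharedDir = 'C:\ibi\apps'                                              # assumed shared directory
$MustRead  = @('C:\Program Files\Java\jdk1.7.0', 'C:\ibi\jdbc')         # assumed JDK / driver paths

# One group, granted once, instead of a separate ACE per account on every shared directory.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Accounts running Tomcat, IIS and the WebFOCUS Reporting Server' | Out-Null
}
foreach ($m in $Members) {
    if (-not (Get-LocalGroupMember -Group $Group -Member $m -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $Group -Member $m
    }
}
# Modify (M) rather than Full Control: the services read and write files, they do not manage ACLs.
& icacls.exe $SharedDir /grant "${Group}:(OI)(CI)M" | Out-Null

function Get-LocalPrincipals {
    # The account itself plus every local group it is a direct member of. Well-known
    # identities (Everyone, Authenticated Users) and nested domain groups are not
    # expanded, so a "not allowed" result here can still be a false alarm; a
    # "denied" result is real.
    param([string]$Account)
    $Names = @($Account)
    foreach ($g in Get-LocalGroup) {
        $InGroup = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -like "*\$Account" }
        if ($InGroup) { $Names += $g.Name }
    }
    $Names
}

function Test-ReadExecute {
    # Union the Allow and Deny ACEs that apply to the account, directly or through a
    # local group, and check that Read & Execute is allowed and not denied.
    param([string]$Path, [string]$Account)
    [int]$Needed = [Security.AccessControl.FileSystemRights]::ReadAndExecute
    $Principals = Get-LocalPrincipals -Account $Account
    [int]$Allowed = 0; [int]$Denied = 0
    foreach ($Ace in (Get-Acl -LiteralPath $Path).Access) {
        $Name = $Ace.IdentityReference.Value.Split('\')[-1]
        if ($Principals -notcontains $Name) { continue }
        if ($Ace.AccessControlType -eq 'Allow') { $Allowed = $Allowed -bor [int]$Ace.FileSystemRights }
        else                                    { $Denied  = $Denied  -bor [int]$Ace.FileSystemRights }
    }
    [pscustomobject]@{
        Path           = $Path
        Account        = $Account
        ReadAndExecute = (($Allowed -band $Needed) -eq $Needed) -and (($Denied -band $Needed) -eq 0)
    }
}

foreach ($p in $MustRead) {
    if (Test-Path -LiteralPath $p) { Test-ReadExecute -Path $p -Account 'Tomcat' }
}
```

Run the audit again after any later tightening of permissions (the procedures note you may restrict them further): a Tomcat account removed from Users loses the default Read & Execute that Users has on Program Files, which is the typical reason a hardened installation stops finding its JDK or JDBC drivers.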

