This section provides some basic tips on security concerns when running Tomcat in a production WebFOCUS environment. For development environments that are safely behind a firewall, this section is normally optional. You must be an administrator on the Windows machine to perform the tasks in this section.
By default, when Tomcat runs as a Windows service, it runs as the Local System account that was created with Windows. The Local System account has full access to your Windows system. In a production environment, it is a good idea to run Tomcat as a user who has more restricted access. To do this, create a user ID for Tomcat, configure Tomcat to use that ID, and set NTFS permissions to grant that ID full access to Tomcat, WebFOCUS, and other directories it needs.
The Tomcat user is created and added to the Users group. An administrator may wish to move Tomcat into a special group with even less access to the system. However, if you do this, you must ensure Tomcat can read and execute from all the Java directories and any required JDBC drivers.
The Apache Tomcat Properties window appears.
By default, this is set to the Local System account.
A message similar to the following should display:
This account .\Tomcat has been granted Log On As a Service right.
After setting Tomcat to run as this user ID, you must grant this user ID full NTFS permissions to the Tomcat and WebFOCUS directories:
C:\Program Files\Apache Software Foundation\Tomcat 8.0
or
C:\ibi\tomcat
drive:\ibi\WebFOCUS81
drive:\ibi\apps
You can also further restrict permissions at a later time.
Required NTFS permissions and user IDs vary depending on your system, environment, security needs, and administrator preferences. Tomcat, IIS, and the WebFOCUS Reporting Server normally run as separate accounts and there are cases where they all read or write to the same directory or file. It is a good idea to create a group containing all the required user IDs.
The WebFOCUS Security and Administration manual contains additional information on permissions.
If the Tomcat user is not in the default Users group and/or you have restricted permissions throughout your system, ensure the Tomcat user ID can read from the directories containing any JDBC drivers. In addition, ensure Tomcat can read and execute the directories containing the Java JDK.
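The checks and grants described above can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original documentation. It assumes the service is named Tomcat8, the local account is named Tomcat, the WebFOCUS directories are on drive C:, and JAVA_HOME points at the JDK; adjust all of these to your installation.

```powershell
# Added example. Assumed names: service 'Tomcat8', local account 'Tomcat',
# drive C: for the WebFOCUS paths, and a JAVA_HOME environment variable.
$ServiceName = 'Tomcat8'                  # assumption: confirm the name in services.msc
$Account     = "$env:COMPUTERNAME\Tomcat"
$FullControl = @('C:\ibi\tomcat', 'C:\ibi\WebFOCUS81', 'C:\ibi\apps')
$ReadExecute = @($env:JAVA_HOME)          # add JDBC driver directories here

# 1. Confirm the service no longer logs on as Local System.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
if ($svc.StartName -eq 'LocalSystem') {
    Write-Warning "$ServiceName still runs as LocalSystem; set the Log On account first."
} else {
    Write-Output "$ServiceName runs as $($svc.StartName)"
}

# 2. Grant access that child files and folders inherit.
function Grant-TomcatAccess {
    param([string[]]$Path, [string]$Right)
    foreach ($p in $Path) {
        if (-not $p -or -not (Test-Path -LiteralPath $p)) {
            Write-Warning "Skipping missing path: $p"
            continue
        }
        # (OI)(CI) = object inherit + container inherit
        & icacls.exe $p /grant "${Account}:(OI)(CI)$Right" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $p" }
    }
}
Grant-TomcatAccess -Path $FullControl -Right 'F'    # full control
Grant-TomcatAccess -Path $ReadExecute -Right 'RX'   # read and execute only

# 3. List the resulting entries for the Tomcat account so they can be reviewed.
foreach ($p in ($FullControl + $ReadExecute)) {
    if ($p -and (Test-Path -LiteralPath $p)) {
        (Get-Acl -LiteralPath $p).Access |
            Where-Object { $_.IdentityReference -like '*\Tomcat' } |
            Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights, IsInherited
    }
}
```

The Java and JDBC directories get read and execute only, since the text requires no more than that for them.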