Tomcat Security Tips

This section provides some basic tips on security concerns when running Tomcat in a production WebFOCUS environment. For development environments that are safely behind a firewall, this section is normally optional. You must be an administrator on the Windows machine to perform the tasks in this section.

Tomcat User ID and NTFS Permissions

By default, when Tomcat runs as a Windows service, it runs as the Local System account that was created with Windows. The Local System account has full access to your Windows system. In a production environment, it is a good idea to run Tomcat as a user who has more restricted access. To do this, create a user ID for Tomcat, configure Tomcat to use that ID, and set NTFS permissions to grant that ID full access to Tomcat, WebFOCUS, and other directories it needs.

Procedure: How to Create a Tomcat User ID

  1. Open the Windows Control Panel, Administrative Tools, and Computer Management.
  2. Under System Tools, expand Local Users and Groups.
  3. Right-click Users and select New User.
  4. Name the new user and provide a password.
  5. Deselect User must change password at next logon, and select Password never expires.
  6. Click Create.

    The Tomcat user is created and added to the users group. An administrator may wish to move Tomcat into a special group with even less access to the system. However, if you do this, you must ensure Tomcat can read and execute from all the Java directories and any required JDBC drivers.

  7. Click Close to close the New User window.

Procedure: How to Configure Tomcat to Use the Tomcat User ID

  1. Open the Windows Services window.
  2. If Tomcat is started, right-click Apache Tomcat and select Stop.
  3. Right-click Apache Tomcat and select Properties.

    The Apache Tomcat Properties window appears.

  4. Select the Log On tab.

    By default, this is set to the Local System account.

  5. Click This account.
  6. Specify the Tomcat user ID in the This account field.
  7. Type and confirm the password you defined for the Tomcat user ID. If you ever change this password, you must change it here as well.
  8. Click OK.

    A message similar to the following should display:

    This account .\Tomcat has been granted Log On As a Service right.

Reference: Permissions Concerns

Required NTFS permissions and user IDs vary depending on your system, environment, security needs, and administrator preferences. Tomcat, IIS, and the WebFOCUS Reporting Server normally run as separate accounts and there are cases where they all read or write to the same directory or file. It is a good idea to create a group containing all the required user IDs.

The WebFOCUS Security and Administration manual contains additional information on permissions.

If the Tomcat user is not in the default Users group, or you have restricted permissions throughout your system, ensure the Tomcat user ID can read from the directories containing any JDBC drivers. In addition, ensure the Tomcat user ID can read and execute from the directories containing the Java JDK.
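The three procedures above (create the Tomcat user ID, assign it to the Tomcat service, and set NTFS permissions) can also be performed from an elevated PowerShell session. The following script is an added example and is not part of the WebFOCUS documentation. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets; the service name Tomcat9, the user name Tomcat, the group name WebFOCUSServices, and every directory path in it are placeholders to replace with your own values.

```powershell
# Added example (not from the WebFOCUS documentation): scripted equivalent of the
# "Create a Tomcat User ID", "Configure Tomcat to Use the Tomcat User ID" and
# "Permissions Concerns" sections. Assumed values: service name 'Tomcat9', user
# 'Tomcat', group 'WebFOCUSServices' and all paths below. Run as an administrator.

$userName    = 'Tomcat'
$groupName   = 'WebFOCUSServices'   # shared group for the Tomcat, IIS and Reporting Server IDs
$serviceName = 'Tomcat9'            # find yours with: Get-Service -DisplayName 'Apache Tomcat*'
$fullControl = @('C:\ibi\tomcat', 'C:\ibi\WebFOCUS82')             # assumed install paths
$readExecute = @('C:\Program Files\Java\jdk-11', 'C:\ibi\jdbc')    # assumed JDK and JDBC driver paths

# 1. Create the Tomcat user ID: password never expires, user cannot change it.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Service account for Apache Tomcat' | Out-Null
}

# Optional: a group holding all service IDs so shared directories are granted once.
if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $groupName -Description 'WebFOCUS service accounts' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $groupName -Member $userName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $groupName -Member $userName
}

# 2. Point the Tomcat service at the new account (the Log On tab in services.msc).
Stop-Service -Name $serviceName -ErrorAction SilentlyContinue
$plain  = (New-Object System.Management.Automation.PSCredential('x', $password)).GetNetworkCredential().Password
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = ".\$userName"; StartPassword = $plain }
$plain = $null   # drop the clear-text copy as soon as it has been used
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# 3. NTFS permissions: full control on Tomcat and WebFOCUS, read/execute on the JDK
#    and JDBC driver directories. Rules inherit to subfolders and files.
function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
$identity = "$env:COMPUTERNAME\$userName"
foreach ($p in $fullControl) { Grant-FolderAccess -Path $p -Identity $identity -Rights 'FullControl' }
foreach ($p in $readExecute) { Grant-FolderAccess -Path $p -Identity $identity -Rights 'ReadAndExecute' }

# 4. Verify the service starts under the new ID. Unlike the Services window, the CIM
#    call does not grant the "Log On As a Service" right by itself; if Start-Service
#    reports a logon failure, grant that right to the user in Local Security Policy.
Start-Service -Name $serviceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State
```

The final Get-CimInstance line should show StartName as .\Tomcat and State as Running. If you later rotate the password, rerun step 2 (the stored service password is not updated automatically, as the procedure above notes), and if you move the Tomcat user into a more restricted group than Users, rerun step 3 so the JDK and JDBC driver directories remain readable.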
