Tutorial

How To Install Apache Tomcat 8 on CentOS 7

Published on June 19, 2015

Introduction

Apache Tomcat is a web server and servlet container that is used to serve Java applications. Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies, released by the Apache Software Foundation. This tutorial covers the basic installation and some configuration of the latest release of Tomcat 8 on your CentOS 7 server.

Prerequisites

Before you begin with this guide, you should have a separate, non-root user account set up on your server. You can learn how to do this by completing steps 1-3 in the initial server setup for CentOS 7. We will be using the demo user created here for the rest of this tutorial.

Install Java

Tomcat requires that Java is installed on the server, so any Java web application code can be executed. Let’s satisfy that requirement by installing OpenJDK 7 with yum.

To install OpenJDK 7 JDK using yum, run this command:

  sudo yum install java-1.7.0-openjdk-devel

Answer y at the prompt to continue installing OpenJDK 7.

Note that a shortcut to the JAVA_HOME directory, which we will need to configure Tomcat later, can be found at /usr/lib/jvm/jre.

Now that Java is installed, let’s create a tomcat user, which will be used to run the Tomcat service.

Create Tomcat User

For security purposes, Tomcat should be run as an unprivileged user (i.e. not root). We will create a new user and group that will run the Tomcat service.

First, create a new tomcat group:

  sudo groupadd tomcat

Then create a new tomcat user. We’ll make this user a member of the tomcat group, with a home directory of /opt/tomcat (where we will install Tomcat), and with a shell of /sbin/nologin (so nobody can log into the account):

  sudo useradd -M -s /sbin/nologin -g tomcat -d /opt/tomcat tomcat

Now that our tomcat user is set up, let’s download and install Tomcat.

Install Tomcat

The easiest way to install Tomcat 8 at this time is to download the latest binary release then configure it manually.

Download Tomcat Binary

Find the latest version of Tomcat 8 at the Tomcat 8 Downloads page. At the time of writing, the latest version is 8.5.37. Under the Binary Distributions section, then under the Core list, copy the link to the “tar.gz”.

Let’s download the latest binary distribution to our home directory using wget.

First, install wget using the yum package manager:

  sudo yum install wget

Then, change to your home directory:

  cd ~

Now, use wget and paste in the link to download the Tomcat 8 archive, like this (your mirror link will probably differ from the example):

  wget https://www-eu.apache.org/dist/tomcat/tomcat-8/v8.5.37/bin/apache-tomcat-8.5.37.tar.gz

We’re going to install Tomcat to the /opt/tomcat directory. Create the directory, then extract the archive to it with these commands:

  sudo mkdir /opt/tomcat
  sudo tar xvf apache-tomcat-8*tar.gz -C /opt/tomcat --strip-components=1

Now we’re ready to set up the proper user permissions.

Update Permissions

The tomcat user that we set up needs to have the proper access to the Tomcat installation. We’ll set that up now.

Change to the Tomcat installation path:

  cd /opt/tomcat

Give the tomcat group ownership over the entire installation directory:

  sudo chgrp -R tomcat /opt/tomcat

Next, give the tomcat group read access to the conf directory and all of its contents, and execute access to the directory itself:

  sudo chmod -R g+r conf
  sudo chmod g+x conf

Then make the tomcat user the owner of the webapps, work, temp, and logs directories:

  sudo chown -R tomcat webapps/ work/ temp/ logs/

Now that the proper permissions are set up, let’s set up a Systemd unit file.
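The ownership model set up above can be verified mechanically. The following Python script is an added example, not part of the original tutorial: it checks from the mode bits that the service account can write webapps, work, temp and logs but nothing under bin, conf or lib. Treating bin, conf and lib as read-only is an assumption drawn from the commands above, the demo tree is constructed, and ACLs and SELinux are not evaluated.

```python
import os
import shutil
import stat
import tempfile

READ_ONLY = ("bin", "conf", "lib")              # assumption: the service must not modify these
WRITABLE = ("webapps", "work", "temp", "logs")  # chown'ed to the tomcat user in the tutorial


def can_write(st, uid, gids):
    """Unix mode-bit check for a non-root account (ACLs and SELinux are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_layout(base, uid, gids):
    """List deviations from the intended ownership model under `base`."""
    problems = []
    for name in READ_ONLY:
        for root, _dirs, files in os.walk(os.path.join(base, name)):
            for path in [root] + [os.path.join(root, f) for f in files]:
                if can_write(os.stat(path), uid, gids):
                    rel = os.path.relpath(path, base)
                    problems.append(rel + ": writable by service account")
    for name in WRITABLE:
        path = os.path.join(base, name)
        if not os.path.isdir(path) or not can_write(os.stat(path), uid, gids):
            problems.append(name + ": not writable by service account")
    return problems


def demo(conf_file_mode=0o640):
    """Audit a constructed stand-in for /opt/tomcat as a hypothetical group-only account."""
    base = tempfile.mkdtemp(prefix="tomcat-demo-")
    try:
        for name, mode in [(n, 0o750) for n in READ_ONLY] + [(n, 0o770) for n in WRITABLE]:
            os.mkdir(os.path.join(base, name))
            os.chmod(os.path.join(base, name), mode)
        server_xml = os.path.join(base, "conf", "server.xml")
        open(server_xml, "w").close()
        os.chmod(server_xml, conf_file_mode)
        st = os.stat(base)
        # uid + 1 is never the owner, so only the group bits apply, as for the tomcat group.
        return audit_layout(base, uid=st.st_uid + 1, gids={st.st_gid})
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # On a real host (account and group names as created in the tutorial):
    #   import pwd, grp
    #   audit_layout("/opt/tomcat", pwd.getpwnam("tomcat").pw_uid,
    #                {grp.getgrnam("tomcat").gr_gid})
    print(demo(0o640))   # tutorial-style modes
    print(demo(0o660))   # group-writable server.xml
```
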

Install Systemd Unit File

Because we want to be able to run Tomcat as a service, we will set up a Tomcat Systemd unit file.

Create and open the unit file by running this command:

  sudo vi /etc/systemd/system/tomcat.service

Paste in the following script. You may also want to modify the memory allocation settings that are specified in CATALINA_OPTS:

/etc/systemd/system/tomcat.service
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

Save and exit. This script tells the server to run the Tomcat service as the tomcat user, with the settings specified.

Now reload Systemd to load the Tomcat unit file:

  sudo systemctl daemon-reload

Now you can start the Tomcat service with this systemctl command:

  sudo systemctl start tomcat

Check that the service successfully started by typing:

  sudo systemctl status tomcat

If you want to enable the Tomcat service, so it starts on server boot, run this command:

  sudo systemctl enable tomcat

Tomcat is not completely set up yet, but you can access the default splash page by going to your domain or IP address followed by :8080 in a web browser:

Open in web browser:
http://server_IP_address:8080

You will see the default Tomcat splash page, in addition to other information. Now we will go deeper into the installation of Tomcat.

Configure Tomcat Web Management Interface

In order to use the manager webapp that comes with Tomcat, we must add a login to our Tomcat server. We will do this by editing the tomcat-users.xml file:

  sudo vi /opt/tomcat/conf/tomcat-users.xml

This file is filled with comments which describe how to configure the file. You may want to delete all the comments between the following two lines, or you may leave them if you want to reference the examples:

tomcat-users.xml excerpt
<tomcat-users>
...
</tomcat-users>

You will want to add a user who can access the manager-gui and admin-gui (webapps that come with Tomcat). You can do so by defining a user similar to the example below. Be sure to change the username and password to something secure:

tomcat-users.xml — Admin User
<tomcat-users>
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>

Save and quit the tomcat-users.xml file.

By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files.

For the Manager app, type:

  sudo vi /opt/tomcat/webapps/manager/META-INF/context.xml

For the Host Manager app, type:

  sudo vi /opt/tomcat/webapps/host-manager/META-INF/context.xml

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address, you can add your public IP address to the list:

context.xml files for Tomcat webapps
<Context antiResourceLocking="false" privileged="true" >
  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>

Save and close the files when you are finished.
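Before restarting, the two files edited in this section can be checked mechanically. The following Python script is an added example, not part of the original tutorial: it reports manager/admin users with guessable passwords, builds an allow pattern that adds one address to the valve default, and shows which source addresses each context.xml variant admits. The weak-password list, the 12-character minimum, the sample XML and the probe addresses are constructed assumptions, and a valve's deny attribute is not evaluated.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

ADMIN_ROLES = {"manager-gui", "admin-gui"}                 # roles granted in the tutorial
WEAK = {"password", "admin", "tomcat", "changeit"}         # assumed sample denylist
MIN_LEN = 12                                               # assumed password policy
DEFAULT_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"  # valve default shown in the tutorial


def weak_admin_users(users_xml):
    """Usernames holding a manager/admin GUI role with a guessable password."""
    flagged = []
    for el in ET.fromstring(users_xml).iter():
        # Stock tomcat-users.xml declares an xmlns on its root, so compare local names.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        name, pw = el.get("username", ""), el.get("password", "")
        if roles & ADMIN_ROLES and (pw.lower() in WEAK or pw == name or len(pw) < MIN_LEN):
            flagged.append(name)
    return flagged


def build_allow(extra_ips, base=DEFAULT_ALLOW):
    """Extend the allow regex with literal addresses; invalid input raises ValueError."""
    literals = [re.escape(str(ipaddress.ip_address(ip))) for ip in extra_ips]
    return "|".join([base] + literals)


def admitted(context_xml, probes):
    """Probe addresses the app would accept; the valve requires a full regex match."""
    valves = [v for v in ET.fromstring(context_xml).iter("Valve")
              if v.get("className", "").endswith(".RemoteAddrValve")]
    # A commented-out valve is invisible to the parser, as it is to Tomcat: no filtering.
    if not valves or valves[0].get("allow") is None:
        return list(probes)
    return [p for p in probes if re.fullmatch(valves[0].get("allow"), p)]


# Constructed samples mirroring the two files edited in this section.
USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
    <user username="deployer" password="Vq7#nL2m!xT9wZ4k" roles="manager-gui"/>
</tomcat-users>"""
OPEN_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true" >
  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>"""
RESTRICTED_CONTEXT = (
    '<Context antiResourceLocking="false" privileged="true">'
    '<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="%s" />'
    "</Context>" % build_allow(["203.0.113.10"])
)
PROBES = ["127.0.0.1", "203.0.113.10", "203.0.113.100", "198.51.100.7"]

if __name__ == "__main__":
    print(weak_admin_users(USERS_XML))
    print(admitted(OPEN_CONTEXT, PROBES))
    print(admitted(RESTRICTED_CONTEXT, PROBES))
```

With the valve commented out every probe address is admitted, while the restricted variant admits only loopback and the one added address.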

To put our changes into effect, restart the Tomcat service:

  sudo systemctl restart tomcat

Access the Web Interface

Now that Tomcat is up and running, let’s access the web management interface in a web browser. You can do this by accessing the public IP address of the server, on port 8080:

Open in web browser:
http://server_IP_address:8080

You will see something like the following image:

Tomcat root

As you can see, there are links to the admin webapps that we configured an admin user for.

Let’s take a look at the Manager App, accessible via the link or http://server_IP_address:8080/manager/html:

Tomcat Web Application Manager

The Web Application Manager is used to manage your Java applications. You can Start, Stop, Reload, Deploy, and Undeploy here. You can also run some diagnostics on your apps (i.e. find memory leaks). Lastly, information about your server is available at the very bottom of this page.

Now let’s take a look at the Host Manager, accessible via the link or http://server_IP_address:8080/host-manager/html/:

Tomcat Virtual Host Manager

From the Virtual Host Manager page, you can add virtual hosts to serve your applications from.

Conclusion

Your installation of Tomcat is complete! You are now free to deploy your own Java web applications!

 
10 Comments



Hi, thanks for your blog. I have followed your instructions exactly and ip:8080 works. But I changed Tomcat’s listen port from 8080 to 80 in the tomcat home directory/conf/server.xml, and after: sudo systemctl restart tomcat.service, I can’t access ip:80, and I find that Tomcat does not listen on port 80 with: netstat -an | grep 80. But when I use the script tomcat_home/bin/start.sh, ip:80 works again. Please tell me what I did wrong. THANKS.

Thanks for your reply. My /etc/systemd/system/tomcat.service:

# Systemd unit file for tomcat
[Unit]
... ....
[Service]
User=tomcat
Group=tomcat

So I guess the user who is running Tomcat is ‘tomcat’. I do not know if ‘tomcat’ has the permission to bind to port < 1024. I just added the user tomcat to the system with the command:

$ sudo useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat

I did nothing else to tell CentOS 7 whether the user tomcat should have the permission to bind to port < 1024.

I followed all the instructions with just a few tweaks: I changed the group name from tomcat to tomcatGP (just to make it clear which was the group and which was the user),

and I installed Java 8u60 via “yum -y install java-1.8.0-openjdk.x86_64”.

I have the page up and running on 8080, but when I tested deploying a war file via the manager web app I got a permission error.

This is just one part of getting my guac server going. I want to get Tomcat 8 with Java 8 on CentOS 7 with the ARP listener using my 16,384-bit wildcard cert working, and then work on the other parts of getting guac running.


    Got stuck trying to deploy a war. Had to make the tomcat user also own the webapps folder in order to get this going.

    This was excellent help for me.

    I have a suggestion and an issue.

    To search for what Java versions are available, use: $ sudo yum search java | grep openjdk | more

    One issue: I could not access the default Tomcat website on port 8080.

    This is what I did:

    Open the firewall:

    $ sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
    $ sudo firewall-cmd --reload

    The first command uses --permanent. You are defining this port to be open after a reboot or reload. The second command reloads the firewall. You can check on the status of the ports by using:

    $ sudo firewall-cmd --zone=public --list-ports

    On my system, I get: 80/tcp 8080/tcp

    Environment: Tomcat 8.0.28, Java 1.8.0.

    For anyone who starts Tomcat 8 on Oracle JDK 8 and finds that Tomcat 8 hangs at “Deploying web application directory /opt/tomcat/webapps/ROOT”: you should edit the file /usr/java/jdk1.8.0_66/jre/lib/security/java.security and change the line securerandom.source=file:/dev/random to securerandom.source=file:/dev/./urandom

    I have installed but am not able to log in. I tried everything.

    Getting error

    28-Mar-2016 01:01:40.238 SEVERE [main] org.apache.catalina.realm.CombinedRealm.startInternal Failed to start "org.apache.catalina.realm.UserDatabaseRealm" realm
     org.apache.catalina.LifecycleException: Failed to start component [Realm[UserDatabaseRealm]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:153)
        at org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:250)
        at org.apache.catalina.realm.LockOutRealm.startInternal(LockOutRealm.java:120)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:904)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:441)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:787)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:629)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
    Caused by: org.apache.catalina.LifecycleException: No UserDatabase component found under key UserDatabase
        at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:241)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)

    while my server.xml file

    <?xml version='1.0' encoding='utf-8'?>
    <!--
      http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    <Listener className="org.apache.catalina.core.JasperListener" />
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

    <GlobalNamingResources>
      <Resource name="UserDatabase" auth="Container"
                type="org.apache.catalina.UserDatabase"
                description="User database that can be updated and saved"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                pathname="conf/tomcat-users.xml" />
    </GlobalNamingResources>

    <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->
    
    
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the BIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    
    
    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->
    
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">
    
      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
    
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
    
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
    
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
    
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    
      </Host>
    </Engine>
    

    </Service>
    </Server>

    Hello, I can’t start Tomcat.

    Error code

    # sudo systemctl start tomcat
    Job for tomcat.service failed because the control process exited with error code. See "systemctl status tomcat.service" and "journalctl -xe" for details.
    

    I use CentOS 14.

    Where can I get help? :-)
