Install Java and Apache Tomcat (RHEL)
* 
In the steps below, replace xx or xxx with the build number you are using.
1. Download the Java (JDK) RPM file from Oracle’s website.
* 
Refer to the System Requirements document for version requirements.
2. Run the Java installer:
$ sudo rpm -i jdk-8uxxx-linux-x64.rpm
3. Create the directory and move the JDK:
$ sudo mkdir -p /usr/lib/jvm
$ sudo mv /usr/java/jdk1.8.0_xxx/ /usr/lib/jvm/
4. Set the Java alternatives:
$ sudo alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.8.0_xxx/bin/java 1
$ sudo alternatives --install /usr/bin/keytool keytool /usr/lib/jvm/jdk1.8.0_xxx/bin/keytool 1
5. Change access permissions:
$ sudo chmod a+x /usr/bin/java
$ sudo chmod a+x /usr/bin/keytool

* 
If you receive an error, use the following:
$ sudo chmod -f a+x /usr/bin/keytool
6. Change Owner:
$ sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_xxx/
7. Configure master links:
$ sudo alternatives --config java
* 
Select the option that contains /usr/lib/jvm/jdk1.8.0_xxx/bin/java
$ sudo rm /usr/java/latest
$ sudo ln -s /usr/lib/jvm/jdk1.8.0_xxx /usr/java/latest
$ sudo ln -s /usr/lib/jvm/jdk1.8.0_xxx/bin/keytool /usr/bin/keytool
* 
This may return a File Exists error. If so, ignore and continue.
$ sudo alternatives --config keytool
8. Verify Java version:
* 
Your build version may differ.
$ java -version
java version "1.8.0_xxx"
Java(TM) SE Runtime Environment (build 1.8.0_xxx-bxx)
Java HotSpot(TM) 64-Bit Server VM (build xx.xx-bxx, mixed mode)
9. Install Tomcat. Download the Tomcat installer:
* 
The steps in this process use Tomcat 8.5.xx, where xx is replaced with the version you are using.
$ wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.xx/bin/apache-tomcat-8.5.xx.tar.gz
* 
Best practice includes verifying the integrity of the Tomcat file by using the signatures or checksums for each release. Refer to Apache’s documentation for more information.
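The integrity check recommended above can be scripted so that extraction only proceeds when the digest matches. This is an added example, not part of the vendor procedure; the function name verify_sha512 is hypothetical, and it assumes the release directory provides a .sha512 file next to the archive.

```bash
#!/usr/bin/env bash
# Added example: checksum check for the downloaded Tomcat archive
# before it is extracted (step 10).

# verify_sha512 ARCHIVE CHECKSUM_FILE
# Returns 0 when the SHA-512 of ARCHIVE equals the digest in CHECKSUM_FILE,
# 1 on mismatch, 2 when an input is missing or the digest is malformed.
verify_sha512() {
    local archive=$1 sumfile=$2 expected actual
    [ -r "$archive" ] && [ -r "$sumfile" ] || return 2

    # The checksum file holds "<hex digest> *<file name>"; keep the digest only.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

    # Reject anything that is not exactly 128 hex characters, for example
    # an HTML error page that was saved in place of the checksum file.
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2

    actual=$(sha512sum "$archive" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Typical use (file names follow the page's xx placeholder):
#   verify_sha512 apache-tomcat-8.5.xx.tar.gz apache-tomcat-8.5.xx.tar.gz.sha512 \
#       && tar -xf apache-tomcat-8.5.xx.tar.gz
```

A checksum fetched from the same server as the archive only detects corruption in transit. The detached .asc signature, checked with gpg --verify after importing the Tomcat project's KEYS file, also authenticates the publisher.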
10. Extract the contents:
$ tar -xf apache-tomcat-8.5.xx.tar.gz
11. Move Tomcat to /usr/share/tomcat8.5:
$ sudo mkdir -p /usr/share/tomcat8.5
$ sudo mv apache-tomcat-8.5.xx /usr/share/tomcat8.5/8.5.xx
12. Define environment variables in /etc/environment:
$ export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_xxx
$ export CATALINA_HOME=/usr/share/tomcat8.5/8.5.xx
13. Change directory to /usr/share/tomcat8.5/8.5.xx:
$ cd /usr/share/tomcat8.5/8.5.xx
14. Add user and group to the system:
$ sudo groupadd -r tomcat8.5
$ sudo useradd -r -d /usr/share/tomcat8.5 -g tomcat8.5 -s /bin/false tomcat8.5
$ sudo chown -R tomcat8.5:tomcat8.5 /usr/share/tomcat8.5
15. Change owner and access permissions of bin/, lib/, and webapps/:
$ sudo chown -Rh tomcat8.5:tomcat8.5 bin/ lib/ webapps/
$ sudo chmod 775 bin/ lib/ webapps/
16. Change owner and access permissions of conf/:
$ sudo chown -Rh root:tomcat8.5 conf/
$ sudo chmod -R 640 conf
$ sudo chown -R tomcat8.5:tomcat8.5 /usr/share/tomcat8.5/8.5.xx
$ sudo chmod -R 777 /usr/share/tomcat8.5/8.5.xx
* 
Permissions and ownership should be revisited for a production system to increase security at the operating system level.
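When revisiting permissions for production, the effect of the recursive chmod commands in step 16 can be checked with a small audit function. This is an added example, not part of the vendor procedure; the function name audit_tomcat_perms and the finding labels are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report permission problems under a Tomcat installation.

# audit_tomcat_perms CATALINA_HOME
# Prints one finding per line. Returns 0 when the tree is clean,
# 1 when there are findings, 2 when the argument is not a directory.
audit_tomcat_perms() {
    local home=$1 findings
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

    findings=$(
        # Anything writable by "other", which is what chmod -R 777 produces.
        find "$home" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'

        # Configuration and keystore files readable by "other".
        if [ -d "$home/conf" ]; then
            find "$home/conf" -type f -perm -0004 -print |
                sed 's/^/WORLD-READABLE-CONF /'
        fi

        # Directories the owner cannot traverse: chmod -R 640 clears the
        # execute bit on conf/ itself, not only on the files inside it.
        find "$home" -type d ! -perm -0100 -print | sed 's/^/NO-TRAVERSE /'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use:
#   audit_tomcat_perms /usr/share/tomcat8.5/8.5.xx
```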
17. Change access permissions of logs/, temp/, and work/:
$ sudo chown -R tomcat8.5:adm logs/ temp/ work/
$ sudo chmod 760 logs/ temp/ work/
18. Create self-signed certificate:
$ /usr/lib/jvm/jdk1.8.0_xxx/jre/bin/keytool -genkey -alias tomcat8.5 -keyalg RSA
19. Follow the instructions to complete the certificate creation process.
Set the keystore password.
Follow the prompts to set up your security certificate.
Set the tomcat8.5 user password to the same as the keystore password.
$ sudo cp ~/.keystore /usr/share/tomcat8.5/8.5.xx/conf/
$ sudo chown root:tomcat8.5 /usr/share/tomcat8.5/8.5.xx/conf/.keystore
$ sudo chmod 640 /usr/share/tomcat8.5/8.5.xx/conf/.keystore
20. Uncomment the Manager element in context.xml to prevent sessions from persisting across restarts. Open /usr/share/tomcat8.5/8.5.xx/conf/context.xml in a text editor (as root) and remove the '<!--' before '<Manager pathname="" />' and the '-->' after.
21. Save the file.
22. Modify the shutdown string and protocol used by the SSL Connector in server.xml. Open /usr/share/tomcat8.5/8.5.xx/conf/server.xml in a text editor (as root). Uncomment the following section:
<!--
<Connector executor="tomcatThreadPool"
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
23. Paste the following directly below the uncommented section:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="${user.home}/8.5.xx/conf/.keystore" keystorePass="<PostgreSQL keystore password>" clientAuth="false" sslProtocol="TLS" />
24. Define an Apache Manager user in tomcat-users.xml. Open /usr/share/tomcat8.5/8.5.xx/conf/tomcat-users.xml in a text editor (as root). Just above the final line (</tomcat-users>) add the following line:
<user username="<Tomcat username>" password="<Tomcat password>" roles="manager,manager-gui"/>
25. Save the file.
* 
The roles included are for ease of testing and can be removed if security is a concern.
26. Set up Tomcat as a service to start on boot. First, build JSVC:
$ sudo yum install gcc
* 
This may already be installed on your system.
$ cd /usr/share/tomcat8.5/8.5.xx/bin/
$ sudo tar xvfz commons-daemon-native.tar.gz
$ cd commons-daemon-*-native-src/unix
$ sudo ./configure --with-java=$JAVA_HOME

$ sudo yum install make
$ sudo make
$ sudo cp jsvc ../..
27. Create the Tomcat service file:
$ sudo touch /usr/lib/systemd/system/tomcat.service
28. Open /usr/lib/systemd/system/tomcat.service in a text editor (as root) and paste in the following:
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking
PIDFile=/var/run/tomcat.pid
Environment=CATALINA_PID=/var/run/tomcat.pid
Environment=JAVA_HOME=/usr/lib/jvm/jdk1.8.0_xxx
Environment=CATALINA_HOME=/usr/share/tomcat8.5/8.5.xx
Environment=CATALINA_BASE=/usr/share/tomcat8.5/8.5.xx
Environment=CATALINA_OPTS=

ExecStart=/usr/share/tomcat8.5/8.5.xx/bin/jsvc \
-Dcatalina.home=${CATALINA_HOME} \
-Dcatalina.base=${CATALINA_BASE} \
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Dserver -XX:+UseNUMA \
-XX:+UseG1GC -Dfile.encoding=UTF-8 \
-Djava.library.path=${CATALINA_BASE}/webapps/Thingworx/WEB-INF/extensions \
-cp ${CATALINA_HOME}/bin/commons-daemon.jar:${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
-user tomcat8.5 \
-java-home ${JAVA_HOME} \
-pidfile /var/run/tomcat.pid \
-errfile ${CATALINA_HOME}/logs/catalina.out \
-outfile ${CATALINA_HOME}/logs/catalina.out \
$CATALINA_OPTS \
org.apache.catalina.startup.Bootstrap

[Install]
WantedBy=multi-user.target
29. Create a new file named setenv.sh in the Tomcat /usr/share/tomcat8.5/8.5.xx/bin directory with the following content:
CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/share/tomcat8.5/8.5.xx/webapps/Thingworx/WEB-INF/extensions"
30. Set Tomcat to run on system start up:
$ sudo systemctl enable tomcat.service
* 
This will allow the user to control the Tomcat service with the following commands:
sudo systemctl start tomcat
sudo systemctl stop tomcat
sudo systemctl restart tomcat
sudo systemctl status tomcat
31. In the location of the Tomcat installation, open CATALINA_HOME/conf/web.xml. Replace the default error page (the default is a stack trace) by adding the following inside the web-app tag (after the welcome-file-list tag). A well-configured web application will override this default in CATALINA_HOME/webapps/APP_NAME/WEB-INF/web.xml, so it won't cause problems.
<error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>
32. Remove all Tomcat example apps located in /<path_to_tomcat>/webapps/examples/.
* 
These apps should be removed to prevent unnecessary access to Tomcat, specifically in the context that would allow users to view other users' cookies.
Configuring Ulimit Settings
Running the Tomcat application server processes as the "root" user compromises the overall system security and violates industry standard best practices. To avoid this, PTC recommends that you modify the /etc/security/limits.d/80-nofiles.conf file to include settings specific to the user by which the application servers are intended to be run.
Configuration File Example
The following configuration is an example of the default Red Hat 7.1 OS configuration located at /etc/security/limits.d/80-nofiles.conf with the needed changes. In the following example, thingworx is the name of the user for the app server.

thingworx soft nofile 30720
thingworx hard nofile 30720
To commit this change, log out and then log back in to your system.
Install ThingWorx/PostgreSQL
1. H2 only: Go to Install ThingWorx.
2. PostgreSQL only: Go to Install and Configure PostgreSQL.