Install Java and Apache Tomcat (RHEL)
In the steps below, replace xx or xxx with the build number you are using.
1. If you are using AzureSQL for your database, go to Using Azure SQL Server as the Persistence Provider. Perform the steps in that section to set up the database, and you will be referred back to this section.
2. If you are using MSSQL for your database, go to Using MSSQL as the Persistence Provider. Perform the steps in that section to set up the database, and you will be referred back to this section.
3. Refer to the ThingWorx System Requirements for version requirements and then download the Java (JDK) RPM file from Oracle’s website.
4. Run the Java installer:
$ sudo rpm -i jdk-8uxxx-linux-x64.rpm
5. Create the directory and move the JDK:
$ sudo mkdir -p /usr/lib/jvm
$ sudo mv /usr/java/jdk1.8.0_xxx/ /usr/lib/jvm/
6. Set the Java alternatives:
$ sudo alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.8.0_xxx/bin/java 1
$ sudo alternatives --install /usr/bin/keytool keytool /usr/lib/jvm/jdk1.8.0_xxx/bin/keytool 1
7. Change access permissions:
$ sudo chmod a+x /usr/bin/java
$ sudo chmod a+x /usr/bin/keytool

If you receive an error, use the following command:
$ sudo chmod -f a+x /usr/bin/keytool
8. Change Owner:
$ sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_xxx/
9. Configure master links:
$ sudo alternatives --config java
Select the option that contains /usr/lib/jvm/jdk1.8.0_xxx/bin/java
$ sudo rm /usr/java/latest
$ sudo ln -s /usr/lib/jvm/jdk1.8.0_xxx /usr/java/latest
$ sudo ln -s /usr/lib/jvm/jdk1.8.0_xxx/bin/keytool /usr/bin/keytool
If you receive a File Exists error, ignore and continue.
$ sudo alternatives --config keytool
10. Verify Java version. Your version may not be the version in the example that follows:
$ java -version
java version "1.8.0_xxx"
Java(TM) SE Runtime Environment (build 1.8.0_xxx-bxx)
Java HotSpot(TM) 64-Bit Server VM (build xx.xx-bxx, mixed mode)
11. Install Tomcat. Download the Tomcat installer. The steps in this process use Tomcat 8.5.xx, where xx is replaced with the version you are using.
$ wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.xx/bin/apache-tomcat-8.5.xx.tar.gz
Best practice includes verifying the integrity of the Tomcat file by using the signatures or checksums for each release. Refer to Apache’s documentation for more information.
12. Extract the contents:
$ tar -xf apache-tomcat-8.5.xx.tar.gz
13. Move Tomcat to /usr/share/tomcat8.5:
$ sudo mkdir -p /usr/share/tomcat8.5
$ sudo mv apache-tomcat-8.5.xx /usr/share/tomcat8.5/8.5.xx
14. Define environment variables in /etc/environment:
$ export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_xxx
$ export CATALINA_HOME=/usr/share/tomcat8.5/8.5.xx
15. Change directory to /usr/share/tomcat8.5/8.5.xx:
$ cd /usr/share/tomcat8.5/8.5.xx
16. Add user and group to the system:
$ sudo groupadd -r tomcat8.5
$ sudo useradd -r -d /usr/share/tomcat8.5 -g tomcat8.5 -s /bin/false tomcat8.5
$ sudo chown -R tomcat8.5:tomcat8.5 /usr/share/tomcat8.5
17. Change owner and access permissions of bin/, lib/, and webapps/:
$ sudo chown -Rh tomcat8.5:tomcat8.5 bin/ lib/ webapps/
$ sudo chmod 775 bin/ lib/ webapps/
18. Change owner and access permissions of /usr/share/tomcat8.5/8.5.xx:
$ sudo chown -R tomcat8.5:tomcat8.5 /usr/share/tomcat8.5/8.5.xx
$ sudo chmod -R 775 /usr/share/tomcat8.5/8.5.xx
19. Change owner and access permissions of conf/:
$ sudo chown -Rh root:tomcat8.5 conf/
$ sudo chmod -R 640 conf
$ sudo chown -R tomcat8.5:tomcat8.5 /usr/share/tomcat8.5/8.5.xx
$ sudo chmod -R 777 /usr/share/tomcat8.5/8.5.xx
Permissions and ownership should be revisited for a production system to increase security at the operating system level.
20. Change access permissions of logs/, temp/, and work/:
$ sudo chown -R tomcat8.5:adm logs/ temp/ work/
$ sudo chmod 760 logs/ temp/ work/
21. Create self-signed certificate:
$ /usr/lib/jvm/jdk1.8.0_xxx/jre/bin/keytool -genkey -alias tomcat8.5 -keyalg RSA
22. Follow the instructions to complete the certificate creation process.
Set the keystore password.
Follow the prompts to set up your security certificate.
Set the tomcat8.5 user password to be the same as the keystore password.
$ sudo cp ~/.keystore /usr/share/tomcat8.5/8.5.xx/conf/
$ sudo chown root:tomcat8.5 /usr/share/tomcat8.5/8.5.xx/conf/.keystore
$ sudo chmod 640 /usr/share/tomcat8.5/8.5.xx/conf/.keystore
23. Uncomment the Manager element in context.xml to prevent sessions from persisting across restarts. Open /usr/share/tomcat8.5/8.5.xx/conf/context.xml in a text editor (as root) and remove the '<!--' before '<Manager pathname="" />' and the '-->' after.
24. Save the file.
25. Define an Apache Manager user in tomcat-users.xml. Open /usr/share/tomcat8.5/8.5.xx/conf/tomcat-users.xml in a text editor (as root). Just above the final line (</tomcat-users>) add the following line:
<user username="<Tomcat username>" password="<Tomcat password>" roles="manager,manager-gui"/>
26. Save the file.
The roles included are for ease of testing and can be removed if security is a concern.
For security reasons, it is critical that you disable the AJP connector, if it is not already disabled by default, by performing the following step.
27. In the location of the Tomcat installation, open conf/server.xml and search for the following line. If found, comment it out and save the file:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
In Apache Tomcat 9.0 and later, the rejectIllegalHeader attribute defaults to true. Manually modifying the conf/web.xml file to set this attribute to false is not recommended or supported by PTC.
28. Set up Tomcat as a service to start on boot. First, build JSVC if it is not already installed on your system:
$ sudo yum install gcc
$ cd /usr/share/tomcat8.5/8.5.xx/bin/
$ sudo tar xvfz commons-daemon-native.tar.gz
$ cd commons-daemon-*-native-src/unix
$ sudo ./configure --with-java=$JAVA_HOME

$ sudo yum install make
$ sudo make
$ sudo cp jsvc ../..
29. Create the Tomcat service file:
$ sudo touch /usr/lib/systemd/system/tomcat.service
30. Open /usr/lib/systemd/system/tomcat.service in a text editor (as root) and paste in the following:
In the example below, set values for -Xms and -Xmx to 75% of the available OS memory (for example, 12GB for a 16GB RAM system). Refer to JVM Tuning for additional information.
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking
PIDFile=/var/run/tomcat.pid
Environment=CATALINA_PID=/var/run/tomcat.pid
Environment=JAVA_HOME=/usr/lib/jvm/jdk1.8.0_xxx
Environment=CATALINA_HOME=/usr/share/tomcat8.5/8.5.xx
Environment=CATALINA_BASE=/usr/share/tomcat8.5/8.5.xx
Environment=CATALINA_OPTS=

ExecStart=/usr/share/tomcat8.5/8.5.xx/bin/jsvc \
-Dcatalina.home=${CATALINA_HOME} \
-Dcatalina.base=${CATALINA_BASE} \
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Dserver -XX:+UseNUMA \
-XX:+UseG1GC -Dfile.encoding=UTF-8 \
-Djava.library.path=${CATALINA_BASE}/webapps/Thingworx/WEB-INF/extensions \
-Xms<75% of available OS memory> \
-Xmx<75% of available OS memory> \
-cp ${CATALINA_HOME}/bin/commons-daemon.jar:${CATALINA_HOME}/bin/bootstrap.jar:${CATALINA_HOME}/bin/tomcat-juli.jar \
-user tomcat8.5 \
-java-home ${JAVA_HOME} \
-pidfile /var/run/tomcat.pid \
-errfile ${CATALINA_HOME}/logs/catalina.out \
-outfile ${CATALINA_HOME}/logs/catalina.out \
$CATALINA_OPTS \
org.apache.catalina.startup.Bootstrap

[Install]
WantedBy=multi-user.target
31. If you are installing the ThingWorx Platform for the first time, the Java option -Duser.timezone=UTC should be added to the ExecStart block above, immediately following the line that begins with -Djava.library.path. The UTC timezone does not recognize daylight savings time. Setting this option prevents overwriting data when daylight savings time changes occur.
Existing customers should NOT update this setting at this time.
32. Create a new file, setenv.sh, in the Tomcat /usr/share/tomcat8.5/8.5.xx/bin directory with the following content:
CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/share/tomcat8.5/8.5.xx/webapps/Thingworx/WEB-INF/extensions"
33. Set Tomcat to run on system start up:
$ sudo systemctl enable tomcat.service
This will allow the user to control the Tomcat service with the following commands:
$ sudo systemctl start tomcat
$ sudo systemctl stop tomcat
$ sudo systemctl restart tomcat
$ sudo systemctl status tomcat
34. In the location of the Tomcat installation, open CATALINA_HOME/conf/web.xml. Replace the default error page (default is stacktrace) by adding the following into the web.xml file. Place the following within the web-app tag (after the welcome-file-list tag). A well-configured web application will override this default in CATALINA_HOME/webapps/APP_NAME/WEB-INF/web.xml so it won't cause problems.
<error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>
35. In the location of the Tomcat installation, open CATALINA_HOME/conf/server.xml. Add the following inside the <Host> </Host> tags:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
36. Remove all the Tomcat webapps located in /<path_to_tomcat>/webapps/. Removing these apps prevents unnecessary access to Tomcat, specifically in the context that would allow users to view other users' cookies.
37. PTC strongly recommends the use of TLS when running ThingWorx. For detailed instructions on setting up TLS, refer to this technical support article.
38. If your application requires a specific cipher suite, refer to the following documentation for configuration information:
Configuring Ulimit Settings
Running the Tomcat application server processes as the "root" user compromises the overall system security and violates industry standard best practices. To avoid this, PTC recommends that you modify the /etc/security/limits.d/80-nofiles.conf file to include settings specific to the user by which the application servers are intended to be run.
Configuration File Example
The following configuration is an example of the default Red Hat 7.1 OS configuration located at /etc/security/limits.d/80-nofiles.conf with the needed changes. In the following example, thingworx is the name of the user for the app server.

thingworx soft nofile 30720
thingworx hard nofile 30720
To commit this change, log out and then log back in to your system.
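The following audit script is an added example, not part of PTC's procedure. It checks a Tomcat directory for the hardening points in the steps above: the AJP connector commented out (step 27), an ErrorReportValve with showReport="false" (step 35), no user with a manager role (step 25), an empty webapps/ (step 36), and no world-writable files left behind by the chmod -R 777 in step 19. The function names and the FAIL message format are this example's own, and it assumes the directory layout used in this procedure.

```bash
#!/bin/sh
# Added example, not PTC's code: audit a Tomcat directory laid out as in this procedure.

# Copy XML from stdin to stdout without <!-- ... --> comments, so that a
# commented-out element is not mistaken for an active one.
strip_xml_comments() {
  awk '{
    s = $0; out = ""
    while (s != "") {
      i = index(s, c ? "-->" : "<!--")
      if (i == 0) { if (!c) out = out s; s = ""; continue }
      if (!c) out = out substr(s, 1, i - 1)
      s = substr(s, i + (c ? 3 : 4)); c = !c
    }
    print out
  }'
}

# Print each active <$1 ...> tag in file $2 on its own line (attributes may span lines).
active_tags() {
  { strip_xml_comments < "$2"; } 2>/dev/null | tr '\n' ' ' | grep -o "<$1[^>]*>"
}

fail() { echo "FAIL: $*"; audit_rc=1; }

# audit_tomcat DIR: print one FAIL line per finding and return 1 if there is any.
audit_tomcat() {
  audit_rc=0
  if active_tags Connector "$1/conf/server.xml" | grep -q 'protocol="AJP/1.3"'; then
    fail "AJP connector is active in conf/server.xml (step 27)"
  fi
  if ! active_tags Valve "$1/conf/server.xml" | grep 'ErrorReportValve' | grep -q 'showReport="false"'; then
    fail "no ErrorReportValve with showReport=\"false\" in conf/server.xml (step 35)"
  fi
  if active_tags user "$1/conf/tomcat-users.xml" | grep -q 'roles="[^"]*manager'; then
    fail "a user with a manager role is defined in conf/tomcat-users.xml (step 25)"
  fi
  if [ -n "$(ls -A "$1/webapps" 2>/dev/null)" ]; then
    fail "webapps/ is not empty (step 36)"
  fi
  if [ -n "$(find "$1" ! -type l -perm -0002 2>/dev/null | head -n 1)" ]; then
    fail "world-writable files under $1 (chmod -R 777 in step 19)"
  fi
  return "$audit_rc"
}

if [ "$#" -gt 0 ]; then audit_tomcat "$1"; fi
```

Run it with the Tomcat directory as its only argument, as a user that can read conf/ (root or a member of the tomcat8.5 group).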
Install ThingWorx/PostgreSQL
1. H2: Go to Install ThingWorx.
2. PostgreSQL: Go to Install and Configure PostgreSQL.