Knowledgebase: Pre-Sales
How to Harden Tomcat Web Server
Posted by Aly Essa, Last modified by John Tkaczewski on 01 March 2017 04:13 PM

Overview

Before moving your FileCatalyst Workflow deployment from staging to live status, there are a few optional steps that can be taken to ensure that your Tomcat Web Server has been hardened. The Hardening of a Web Server is a process where the security on the Web Server is enhanced by applying specific changes to the configuration. This results in a reduced risk of malicious attacks on the Web Server.

This article will guide you through some of the sections of the Tomcat Server configuration. The paths and configurations mentioned below reference a Windows OS; however, the same configurations apply on a Linux OS. If you require assistance with a Linux OS deployment, submit a ticket through our Support Portal. (http://support.filecatalyst.com)


Environment

FileCatalyst Workflow v4.9 and later.

Apache Tomcat Web Server v7.0 and v8.0 only.

Note:
These modifications should be applied to an external installation of Apache Tomcat and not to any instances that have used the self-executable installer. If you have used the self-executable installer please submit a ticket through our Support Portal. (http://support.filecatalyst.com)


Resolution

In order to successfully harden Apache Tomcat, you will need to resolve all of the issues below.

  1. Removing Server Banner or Server Name

    The Server Name is usually returned in the Response Headers. The Response Header can be customized to not return the name or type of Web Server that is being used.

    Open the landing page of FileCatalyst Workflow (http://www.yoursite.com/workflow), right-click on the page and select Inspect Element. A docked window appears inside your browser; navigate to the Network tab and reload the page. Click on the logon.jsp link and look for the Response Headers section. A typical (default) response looks like:

    Content-Type:text/html;charset=UTF-8
    Date:Fri, 08 Jul 2016 14:36:40 GMT
    Server:Apache-Coyote/1.1
    Transfer-Encoding:chunked
    X-FRAME-OPTIONS:SAMEORIGIN

    Use the following steps to remove the Server:Apache-Coyote/1.1 entry:

    1. Shut down the Tomcat Web Server.
    2. Using a text editor, open the server.xml file. It is typically found in <Tomcat_Home>/conf/server.xml.
    3. Scroll down to your Connector element and add the following attribute:

      Server=" " 

      Your modified Connector will look like:

      <Connector port="80" protocol="HTTP/1.1"
      connectionTimeout="20000"
      Server=" "
      redirectPort="8443" />

    4. Save the file and close the text editor.
    5. Start your Tomcat Web Server and the new changes will take effect.
    6. The new Response Header that is returned will have the following information:

      Content-Type:text/html;charset=UTF-8
      Date:Fri, 08 Jul 2016 14:45:55 GMT
      Server:
      Transfer-Encoding:chunked
      X-FRAME-OPTIONS:SAMEORIGIN

  2. Use SSL connections and force all connections to use HTTPS.

    1. For the Tomcat Web Server to accept SSL connections, a valid SSL Certificate needs to be deployed on the Web Server. Use the following guide to generate and deploy the SSL Certificate to the Tomcat Server:
      http://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/295/9/tomcat-csr-and-ssl-certificate-installation-and-renewal

    2. Once the SSL Certificate is deployed, all connectivity to the Web Server can be forced to use HTTPS. The steps to modify the configurations on the Web Server can be found here:
      http://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/317/0/how-to-force-https-connections-in-workflow-or-webmail

  3. Run Tomcat from a non-privileged Account.

    It is best practice to use a separate account that has lowered permissions. This will protect other services running on the machine in case of any security breach.

    1. Create a user for the Tomcat Web Server.
    2. Linux - Change the ownership of the /<Tomcat_Home>/ directory to the newly created user.
      Windows - From the Service Manager, change the Tomcat Service properties to use another Logon Account.

  4. Removing unwanted applications from the Webapps Directory.

    By default, Tomcat installs and deploys web applications which may not be required in your environment. These can be removed from the Webapps directory (/<Tomcat_Home>/webapps/).

    1. The following folders may or may not be present but are not required for a FileCatalyst Workflow deployment:

      • Docs - This folder contains the Tomcat Documentation.
      • Examples - JSP and Servlets for demos are in this folder.
      • Manager - Web UI that allows deploying and undeploying applications.

  5. Shutdown Port and Command

    By default the Tomcat Web Server listens for a shutdown request on port 8005, and the command that triggers it is SHUTDOWN. A telnet connection to IP:port can be used to send the SHUTDOWN command to the Tomcat Web Server.
    The port value and command string should be changed from the default values in the server.xml file.

    1. Shut down the Tomcat Web Server.
    2. Using a text editor, open the server.xml file and modify the following entry:

      <Server port="8005" shutdown="SHUTDOWN">

      Change the port to a value that is not in use; the command string can be customized as well. Here is an example:

      <Server port="9889" shutdown="SHUTD0WNT0MCAT">

    3. Save the file and close the text editor.

  6. Change the Website Icon

    By default, the favicon.ico file located in the <Tomcat_Home>/webapps/ROOT/ folder is loaded when anyone opens the FileCatalyst Workflow page or any other page hosted by the Tomcat Web Server on your machine. Replace this file (<Tomcat_Home>/webapps/ROOT/favicon.ico) with an icon of your choice, renamed to favicon.ico, and restart the Tomcat Web Server.

  7. Hide details from error pages
    Edit <Tomcat_Home>/conf/server.xml and add the following Valve inside the Host element. Attribute names in server.xml are case-sensitive, so use className, showReport and showServerInfo exactly as written:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
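As an added example (not part of this article or of Tomcat itself), the following Python script audits a server.xml for the settings changed in sections 1, 5 and 7: the Server banner override on each Connector, a non-default shutdown port and command, and an ErrorReportValve on each Host. The two embedded server.xml fragments are constructed samples of the default and hardened configurations; the function name audit_server_xml is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the default server.xml shape the article describes.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same file after applying sections 1, 5 and 7.
HARDENED_SERVER_XML = """<Server port="9889" shutdown="SHUTD0WNT0MCAT">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
               Server=" " redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
    </Engine>
  </Service>
</Server>"""

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

def audit_server_xml(xml_text):
    """Return a list of hardening findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Section 5: the shutdown port and command must differ from the shipped defaults.
    if root.get("port") == "8005":
        findings.append("shutdown port is the default 8005")
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown command is the default SHUTDOWN")
    # Section 1: every Connector must override the Server banner. Either capitalisation
    # is accepted; an empty value counts as unset, which is why the article uses " ".
    for conn in root.iter("Connector"):
        server = {k.lower(): v for k, v in conn.attrib.items()}.get("server")
        if not server:
            findings.append("Connector port %s sends the default Server banner" % conn.get("port"))
    # Section 7: every Host needs an ErrorReportValve with both reports switched off.
    for host in root.iter("Host"):
        valves = [v for v in host.findall("Valve") if v.get("className") == ERROR_VALVE]
        if not any(v.get("showReport") == "false" and v.get("showServerInfo") == "false" for v in valves):
            findings.append("Host %s lacks an ErrorReportValve hiding the report and server info" % host.get("name"))
    return findings
```

Run it against your own <Tomcat_Home>/conf/server.xml by reading the file into a string and passing it to audit_server_xml; the default sample produces four findings and the hardened sample none.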