Comment: Correct typo in Q4 title. Convert answer titles to use Header 3 markup.


  1. How do I use OpenSSL to set up my own Certificate Authority (CA)?
  2. Oh no! Port 8005 is available for anyone on localhost to shut down my Tomcat!
  3. What about Tomcat running as root?
  4. How do I force all my pages to run under HTTPS?
  5. What is the default login for the manager and admin app?
  6. How do I restrict access by IP address or remote host?
  7. How do I use jsvc/procrun to run Tomcat on port 80 securely?
  8. Has Tomcat's security been independently analyzed or audited?
  9. How do I change the Server header in the response?
  10. Why are passwords in plain text?

Answers

Q1

How do I use OpenSSL to set up my own Certificate Authority (CA)?

Using OpenSSL to set up your own CA.

Q2

Oh no! Port 8005 is available for anyone on localhost to shut down my Tomcat!

See these 2 discussions.

Q3

What about Tomcat running as root?

See these threads:

Q4

How do I force all my pages to run under HTTPS?

Use security-constraint in web.xml.
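As an added example (not part of the original FAQ), a web.xml fragment that forces every URL of a web application onto HTTPS; the resource name is an arbitrary placeholder:

```xml
<!-- web.xml (inside <web-app>): force HTTPS for the whole application -->
<security-constraint>
  <web-resource-collection>
    <!-- the name is arbitrary; the url-pattern /* covers every request -->
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- CONFIDENTIAL tells the container the data must travel over an
       encrypted connection; Tomcat answers plain HTTP requests with a
       redirect to the port named in the HTTP Connector's redirectPort -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The redirect only happens if the plain HTTP Connector in server.xml carries a redirectPort that points at the HTTPS connector (8443 in the default server.xml). A security-constraint without an auth-constraint restricts only the transport, not who may reach the resources.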

Q5

What is the default login for the manager and admin app?

The admin and manager applications do not ship with a default login; providing one would be a security flaw. If you are using the default install, you need to edit $CATALINA_HOME/conf/tomcat-users.xml. See: Configuring Manager Application Access

Q6

How do I restrict access by IP address or remote host?

By using the RemoteHostValve or RemoteAddrValve. Warning: these valves rely on the incoming IP address or hostname being accurate, so they can fall victim to spoofing! See also RemoteIpValve. Valve Reference Link

Q7

How do I use jsvc/procrun to run Tomcat on port 80 securely?

Fairly easily. See the Setup page in the docs for your Tomcat release, and read this mailing list post for a complete setup example including permissions etc.

Q8

Has Tomcat's security been independently analyzed or audited?

Yes, by numerous organizations and individuals, many times. Try this Google search and you will see many references, guides, and analyses.

Q9

How do I change the Server header in the response?

In server.xml, add a "server" attribute to the Connector element. http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Q10

Why are passwords in plain text?

We have a page dedicated to this topic: FAQ/Password
