Install Tomcat 9 on Debian 9/10

How to Install Apache Tomcat 9 on Debian 10/9: A Step-by-Step Guide

Apache Tomcat is a powerful, open-source Java servlet container that functions as a web server for Java-based applications. Whether you’re a developer testing a new web app or a system administrator deploying a production service, a proper Tomcat installation is crucial for performance and security.

This guide provides a comprehensive, step-by-step process for installing and configuring Apache Tomcat 9 on Debian 10 (Buster) and Debian 9 (Stretch). We will focus on best practices, including setting up a dedicated user and configuring a systemd service for easy management.

Step 1: Install Java (OpenJDK)

Tomcat is a Java application, so its primary requirement is a Java Development Kit (JDK). We will install OpenJDK, the open-source implementation of the Java Platform.

First, update your server’s package index:

sudo apt update

Next, install the default JDK package. This will install a suitable version of OpenJDK for running Tomcat 9.

sudo apt install default-jdk

Once the installation is complete, you can verify that Java is installed correctly by checking its version:

java -version

You should see output confirming the OpenJDK version, ensuring the environment is ready for Tomcat.

Step 2: Create a Dedicated Tomcat User

For security reasons, it is highly recommended to run Tomcat under its own unprivileged user. Running services like Tomcat as the root user poses a significant security risk. We will create a new user and group named tomcat that will be used exclusively for this service.

Create a new tomcat group:

sudo groupadd tomcat

Now, create the tomcat user. We’ll make this a system user (with the -r flag) that cannot log in to the server directly and assign it to the tomcat group. The home directory will be /opt/tomcat, where we will install the application.

sudo useradd -s /bin/false -g tomcat -d /opt/tomcat -r tomcat

This user is now ready to own and run the Tomcat installation.

Step 3: Download and Install Apache Tomcat

We will download the latest binary release of Tomcat 9 from the official Apache Tomcat website.

First, navigate to the /tmp directory, a good place for temporary downloads.

cd /tmp

Next, use a tool like wget to download the Tomcat 9 tarball. You can find the link for the latest “tar.gz” file from the Tomcat 9 Downloads page.

wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.89/bin/apache-tomcat-9.0.89.tar.gz

(Note: Please check the official downloads page for the absolute latest version link and update the command accordingly.)
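Before extracting anything as root, check the download against the SHA-512 digest that Apache publishes beside each release. The function below is an added example, not part of the original guide; verify_sha512 is a hypothetical helper name, and the checksum URL in the usage comment assumes the release's .sha512 file sits at the tarball's path on downloads.apache.org.

```shell
#!/bin/sh
# Added example: compare a tarball's SHA-512 with the digest in its .sha512 file.
# Accepts "HASH *file", "HASH  file" or a bare HASH as the first line.

verify_sha512() {
    tarball=$1
    sumfile=$2
    [ -r "$tarball" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # First whitespace-separated token of the first line, lower-cased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

    # A SHA-512 digest is exactly 128 hex characters; refuse anything else so a
    # truncated file or an HTML error page is never treated as a valid digest.
    case $expected in
        *[!0-9a-f]*|"") echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha512sum "$tarball" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball"
        return 0
    fi
    echo "MISMATCH: $tarball (do not extract)" >&2
    return 1
}

# Usage on the server (URL pattern is an assumption, adjust to your version):
#   wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.89/bin/apache-tomcat-9.0.89.tar.gz.sha512
#   verify_sha512 apache-tomcat-9.0.89.tar.gz apache-tomcat-9.0.89.tar.gz.sha512 || exit 1
```

A matching digest shows the file arrived as published; checking the release's detached .asc signature against the project's KEYS file additionally ties it to a Tomcat release manager.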

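Once the download is finished, create the destination directory and extract the archive into it. Name the archive explicitly rather than with a wildcard: /tmp is world-writable, and a glob run under sudo would also match any other apache-tomcat-*.tar.gz file placed there.

sudo mkdir -p /opt/tomcat
sudo tar xzvf apache-tomcat-9.0.89.tar.gz -C /opt/tomcat --strip-components=1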

The --strip-components=1 flag ensures that the contents of the versioned directory inside the archive are extracted directly into /opt/tomcat.

Step 4: Configure Ownership and Permissions

Now that Tomcat is installed, we must grant the tomcat user the correct permissions to manage the installation.

First, change the group ownership of the entire installation directory to the tomcat group.

sudo chgrp -R tomcat /opt/tomcat

Next, give the tomcat group read access to the conf directory and all its contents, and execute access to the directory itself.

sudo chmod -R g+r /opt/tomcat/conf
sudo chmod g+x /opt/tomcat/conf

Finally, make the tomcat user the owner of the webapps, work, temp, and logs directories, as Tomcat needs to write to these locations.

sudo chown -R tomcat:tomcat /opt/tomcat/webapps/
sudo chown -R tomcat:tomcat /opt/tomcat/work/
sudo chown -R tomcat:tomcat /opt/tomcat/temp/
sudo chown -R tomcat:tomcat /opt/tomcat/logs/

These permission changes are a critical security step that hardens your installation.
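To confirm the result of this step, the following check lists anything under bin, lib and conf that the service account could still modify. It is an added example, not part of the original guide; audit_tomcat_perms is a hypothetical helper name, and the paths and account name are the ones used in this guide.

```shell
#!/bin/sh
# Added example (audit_tomcat_perms is a hypothetical helper, not part of Tomcat).
# Reports anything under bin/, lib/ and conf/ that the service account could modify.

audit_tomcat_perms() {
    root=$1   # installation directory, /opt/tomcat in this guide
    svc=$2    # service account name or numeric UID, tomcat in this guide
    findings=$(
        for d in bin lib conf; do
            [ -d "$root/$d" ] || continue
            # Group- or world-writable entries: the tomcat group could alter them.
            find "$root/$d" ! -type l \( -perm -020 -o -perm -002 \) \
                -exec printf 'WRITABLE %s\n' {} \;
            # Entries owned by the service account: an owner can always chmod
            # and rewrite its own files, whatever the current mode bits say.
            find "$root/$d" -user "$svc" -exec printf 'OWNED %s\n' {} \;
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# On the server (as root): audit_tomcat_perms /opt/tomcat tomcat
```

Any line of output names a file or directory through which a compromised web application could change Tomcat's own scripts, libraries or configuration.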

Step 5: Create a systemd Service File

To manage Tomcat as a standard system service, we’ll create a systemd unit file. This allows you to easily start, stop, restart, and enable Tomcat to run on boot.

Create a new file named tomcat.service in the /etc/systemd/system/ directory:

sudo nano /etc/systemd/system/tomcat.service

Paste the following content into the file. You may need to update the JAVA_HOME path if you installed Java in a non-standard location. You can find your Java path by running sudo update-java-alternatives -l.

[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/default-java"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

Save and close the file.

This service file defines how systemd should manage the Tomcat process, including the user to run it as and Java memory allocation settings (-Xms and -Xmx), which you can adjust based on your server’s resources.

Step 6: Start and Enable the Tomcat Service

Now, reload the systemd daemon so it recognizes our new service file.

sudo systemctl daemon-reload

You can now start the Tomcat service:

sudo systemctl start tomcat

Check the status to ensure it started without errors:

sudo systemctl status tomcat

If everything is working, you will see an “active (running)” status.

Finally, enable the Tomcat service to start automatically on boot:

sudo systemctl enable tomcat

Step 7: Adjust the Firewall and Test

By default, Tomcat listens on TCP port 8080. If you are running the UFW firewall, you will need to open this port to allow external traffic.

sudo ufw allow 8080/tcp

You can now test your installation by navigating to http://your_server_ip:8080 in a web browser. You should see the default Apache Tomcat landing page, confirming that your installation was successful.

Step 8: Configure the Web Management Interface (Optional)

For production environments, you may want access to the Web Application Manager and Host Manager. Both are locked by default, because no user is defined with the roles they require. To enable access, you must edit the tomcat-users.xml file.

sudo nano /opt/tomcat/conf/tomcat-users.xml

Inside the <tomcat-users> ... </tomcat-users> tags, add a user with the appropriate roles. Be sure to use a strong, unique password.

<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="YOUR_STRONG_PASSWORD" roles="manager-gui,admin-gui"/>

By default, access to these management apps is restricted to connections from the server itself. To allow remote access, you would need to edit the context.xml file for each application, but this is not recommended for security reasons unless you are restricting it to a specific trusted IP address.

After making these changes, you must restart Tomcat for them to take effect:

sudo systemctl restart tomcat

Your Apache Tomcat 9 server is now fully installed, secured, and configured to run as a robust service on your Debian system. You are ready to deploy your Java web applications.

Source: https://kifarunix.com/install-apache-tomcat-9-on-debian-10-debian-9/
