Table of Contents

How to Install Tomcat 9 on CentOS 8

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. It is one of the most widely adopted applications and web servers in the world today. Tomcat is simple to use and has a robust ecosystem of add-ons.

Installation Tutorial

This tutorial explains how to install Tomcat 9.0 on CentOS 8.

Installing Java

Tomcat 9 requires Java SE 8 or later. We will install OpenJDK 11, the open-source implementation of the Java Platform.

Run the following command as root or user with sudo privileges to install Java:

# dnf install java-11-openjdk-devel

Once the installation is complete, verify it by checking the Java version:

# java -version

The output should look something like this:

openjdk version "11.0.5" 2019-10-15 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)

Creating a System User

Running Tomcat under the root user is a security risk. We'll create a new system user and group with home directory /opt/tomcat that will run the Tomcat service. To do so, enter the following command:

# useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Downloading Tomcat

Tomcat binary distribution is available for download from the Tomcat downloads page.

At the time of writing, the latest Tomcat version is 9.0.30. Before continuing with the next step, check the Tomcat 9 download page to see if a newer version is available.

Download the Tomcat zip file with wget to the /tmp directory:

# VERSION=9.0.30
# wget https://www-eu.apache.org/dist/tomcat/tomcat-9/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz -P /tmp

Once the download is complete, extract the tar file to the /opt/tomcat directory:

# tar -xf /tmp/apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/

Tomcat is updated on a regular basis. To have more control over versions and updates, we'll create a symbolic link called latest, that points to the Tomcat installation directory:

# ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest

The system user that was previously created, must have access to the tomcat installation directory. Change the directory ownership to user and group tomcat:

# chown -R tomcat: /opt/tomcat

Make the shell scripts inside the bin directory executable:

# sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'

These scripts are later used to start and stop Tomcat from the systemd unit file.

Creating a Systemd Unit File

Instead of manually starting and stopping the Tomcat server, we'll set it to run as a service. Open your text editor and create a tomcat.service unit file in the /etc/systemd/system/ directory:

# vim /etc/systemd/system/tomcat.service

Paste the following content:

[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Save and close the file.

Notify systemd that a new service file exists, by typing:

# systemctl daemon-reload

Enable and start the Tomcat service:

# systemctl enable --now tomcat

Check the service status; the output should show that the Tomcat server is enabled and running:

# systemctl status tomcat

● tomcat.service - Tomcat 9 servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-15 20:38:07 UTC; 30s ago
  Process: 3957 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
  ...

Configuring Firewall

If your server is protected by a firewall and you want to access the tomcat interface from the outside of the local network, you need to open port 8080.

Use the following commands to open the necessary port:

# firewall-cmd --permanent --zone=public --add-port=8080/tcp
sudo firewall-cmd --reload

Typically, when running Tomcat in a production environment, you should use a load balancer or reverse proxy. It's a best practice to allow access to port 8080 only to your internal network.

Additional: Configuring Tomcat Web Management Interface

At this point, you should be able to access Tomcat with a web browser on port 8080. The web management interface is not accessible because we have not created a user yet.

Tomcat users and roles are defined in the tomcat-users.xml file.

If you open the file, you will notice that it is filled with comments and examples describing how to configure the file.

# vim /opt/tomcat/latest/conf/tomcat-users.xml

Tomcat users are defined the user in the tomcat-users.xml file. To create a new user that can access the tomcat web interface (manager-gui and admin-gui), edit file as shown below. Make sure you change the username and password to something more secure:

<tomcat-users>
<!--
    Comments
-->
   <role rolename="admin-gui"/>
   <role rolename="manager-gui"/>
   <user username="admin" password="admin_password" roles="admin-gui,manager-gui"/>
</tomcat-users>

By default Tomcat web management interface is configured to allow access only from the localhost.

If you need to access the web interface from anywhere open the following files and comment or remove the lines highlighted in yellow:

# vim /opt/tomcat/latest/webapps/manager/META-INF/context.xml

<Context antiResourceLocking="false" privileged="true" >
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>

# vim /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml

<sxh xml>
<Context antiResourceLocking="false" privileged="true" >
<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->
</Context>
</sxh>

Please note, allowing access from anywhere is not recommended because it is a security risk.

If you want to access the web interface only from a specific IP, instead of commenting the blocks add your public IP to the list.

Let's say your public IP is ''41.41.41.41'' and you want to allow access only from that IP:

<code># vim /opt/tomcat/latest/webapps/manager/META-INF/context.xml

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|41.41.41.41" />
</Context>

# vim /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|41.41.41.41" />
</Context>

The list of allowed IP addresses is a list separated with vertical bar |. You can add single IP addresses or use a regular expressions.

Once done, restart the Tomcat service for changes to take effect:

# systemctl restart tomcat

Testing Management Interface Installation

Open your browser and type: http://<your_domain_or_IP_address>:8080

Upon successful installation, a screen similar to the following should appear:


Tomcat web application manager dashboard allows you to deploy, undeploy, start, stop, and reload your applications. It is available at: http://<your_domain_or_IP_address>:8080/manager/html.


Tomcat virtual host manager dashboard allows you to create, delete, and manage Tomcat virtual hosts. It is available at: http://<your_domain_or_IP_address>:8080/host-manager/html.