Runtime Environment Architecture
Web application servers handle dynamic content differently than static file servers. Where Apache HTTP Server relies on PHP modules or FastCGI, and Nginx delegates dynamic processing via FastCGI or reverse proxies, Apache Tomcat operates natively as a Java Servlet container. Effective Tomcat administration requires distinguishing between the Java Development Kit (JDK), which supplies compilers and debugging utilities, and the Java Runtime Environment (JRE), which contains only the virtual machine and core libraries. Production deployments should always use the JDK so that the diagnostic tooling (jps, jstack, jstat, jmap) is available on the host. Monitoring centers primarily on Java Virtual Machine (JVM) heap utilization, garbage collection cycles, and thread pool saturation.
Infrastructure Automation with Configuration Management
Manual installation of application stacks across multiple nodes is error-prone. The following workflow demonstrates how to standardize Tomcat 9 and JDK 11 deployment across a cluster using SaltStack, emphasizing modular state files and idempotent execution.
## Infrastructure Layout
Control Node: 10.0.20.5 (salt-master, salt-minion)
Worker Nodes: 10.0.20.6, 10.0.20.7 (salt-minion only)
## 1. Initialize Master/Minion Communication
# yum install -y salt-master salt-minion
# mkdir -p /etc/salt/states/base /etc/salt/pillar
# vim /etc/salt/master
fileserver_backend:
  - roots
file_roots:
  base:
    - /etc/salt/states/base
# vim /etc/salt/minion
master: 10.0.20.5
id: ctrl-node-01
systemctl enable --now salt-master salt-minion
## 2. Client Provisioning
# yum install -y salt-minion
# echo "master: 10.0.20.5" > /etc/salt/minion.d/master.conf
systemctl enable --now salt-minion
## 3. Key Acceptance & Verification
salt-key -A -y
salt-run manage.status
## 4. Modular State Definitions
# Directory preparation on master
mkdir -p /etc/salt/states/base/{runtime,appserver}/files
# Copy artifacts
cp openjdk-11.0.14_linux-x64_bin.tar.gz /etc/salt/states/base/runtime/files/
cp apache-tomcat-9.0.62.tar.gz /etc/salt/states/base/appserver/files/
# runtime/install.sls
java-archive:
  file.managed:
    - name: /opt/install/java-archive.tar.gz
    - source: salt://runtime/files/openjdk-11.0.14_linux-x64_bin.tar.gz
    - mode: 0644
    # /opt/install does not exist on a fresh node; let the state create it
    - makedirs: True

java-runtime:
  archive.extracted:
    - name: /opt/jvm/
    - source: salt://runtime/files/openjdk-11.0.14_linux-x64_bin.tar.gz
    - keep_source: True
    # replace the placeholder with the archive's real SHA-256 digest
    - source_hash: sha256=YOUR_HASH_HERE
    - onlyif: test ! -d /opt/jvm/jdk-11.0.14

java-path-config:
  file.append:
    - name: /etc/profile.d/java_env.sh
    - text:
        - export JAVA_HOME=/opt/jvm/jdk-11.0.14
        - export PATH=$JAVA_HOME/bin:$PATH
# appserver/install.sls
include:
  - runtime.install

tomcat-package:
  file.managed:
    - name: /opt/install/tomcat-archive.tar.gz
    - source: salt://appserver/files/apache-tomcat-9.0.62.tar.gz
    - mode: 0644
    - makedirs: True

tomcat-runtime:
  archive.extracted:
    - name: /opt/servers/
    - source: salt://appserver/files/apache-tomcat-9.0.62.tar.gz
    - keep_source: True
    # the upstream archive unpacks to a directory named apache-tomcat-9.0.62; keep this
    # test in step with the directory name that actually exists after extraction
    - onlyif: test ! -d /opt/servers/tomcat-9.0.62
    - require:
      # requisites name the state module that declared the ID:
      # tomcat-package is file.managed, java-runtime is archive.extracted
      - file: tomcat-package
      - archive: java-runtime

tomcat-svc-user:
  group.present:
    - name: appsvc
  user.present:
    - name: appsvc
    - gid_from_name: True
    - shell: /sbin/nologin
    - require:
      - group: tomcat-svc-user

# top.sls
# targets minions whose 'role' grain is appserver; set it on each worker node,
# e.g. under a 'grains:' key in /etc/salt/minion.d/grains.conf
base:
  'role:appserver':
    - match: grain
    - appserver.install
Deploy the configuration with salt '*' state.highstate test=True for a dry run that reports the changes without applying them, then apply it with salt '*' state.highstate. Verify the installation paths and run /opt/servers/tomcat-9.0.62/bin/version.sh on the worker nodes.
Production Hardening Checklist
Out-of-the-box configurations expose unnecessary attack surfaces. Apply these modifications to server.xml and web.xml before exposing Tomcat to external networks.
## 1. Secure Management Interface
# server.xml
# Change the stock port 8005 and command SHUTDOWN; port="-1" disables the shutdown listener entirely.
<Server port="9105" shutdown="K8sTmNtShutdownCmd">
## 2. Disable Unused Protocols
Comment out or remove the AJP Connector block if HTTP/HTTPS is sufficient.
## 3. Restrict Application Root
<Context path="/portal" docBase="/data/apps/web-content" reloadable="false" crossContext="false"/>
## 4. Privilege Separation
Never run the daemon as root. Create a dedicated user and transfer ownership.
chown -R appsvc:appsvc /opt/servers/tomcat-9.0.62
su -s /bin/bash appsvc -c "/opt/servers/tomcat-9.0.62/bin/startup.sh"
## 5. Directory Indexing Control
# conf/web.xml (locate the DefaultServlet definition)
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>
## 6. Error Page Masking
# conf/web.xml
<error-page>
  <error-code>404</error-code>
  <location>/errors/generic-fallback.jsp</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/errors/generic-fallback.jsp</location>
</error-page>
## 7. HTTP Header Obfuscation
# server.xml
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           server="SecureGateway"
           xpoweredBy="false"
           redirectPort="443" />
## 8. Executable Permission Lockdown
chmod -R 0740 /opt/servers/tomcat-9.0.62/bin/
chmod 0750 /opt/servers/tomcat-9.0.62/bin/catalina.sh
## 9. Structured Access Logging
# server.xml (quotes inside an XML attribute must be written as &quot;, not \")
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="access_log." suffix=".log"
       pattern="%{yyyy-MM-dd HH:mm:ss}t | %h | %a | %r | %s | %D ms | &quot;%{Referer}i&quot; | &quot;%{User-Agent}i&quot;"
       resolveHosts="false" />
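Parsing the access-log format defined above, as an added example that is not part of the original page: the parser splits each pipe-delimited field of the pattern, and the summary counts per-client 4xx, 5xx and slow responses and flags clients with repeated client errors or any server error. The sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Regex for the pipe-delimited AccessLogValve pattern from item 9 (%r is split into
# method/path/protocol; %D is whole milliseconds in Tomcat 9):
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<host>\S+) \| (?P<addr>\S+) \| '
    r'(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+ \| (?P<status>\d{3}) \| '
    r'(?P<ms>\d+) ms \| "(?P<referer>[^"]*)" \| "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the pattern."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"], rec["ms"] = int(rec["status"]), int(rec["ms"])
    return rec

def summarize(lines, slow_ms=1000, client_err_threshold=5):
    """Per client address (%a): requests, 4xx, 5xx, slow; returns (stats, flagged, unparsed)."""
    stats = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1              # a rising count means the pattern or format changed
            continue
        c = stats[rec["addr"]]
        c["requests"] += 1
        if 400 <= rec["status"] < 500:
            c["client_errors"] += 1
        elif rec["status"] >= 500:
            c["server_errors"] += 1
        if rec["ms"] >= slow_ms:
            c["slow"] += 1
    flagged = sorted(ip for ip, c in stats.items()
                     if c["client_errors"] >= client_err_threshold or c["server_errors"])
    return stats, flagged, unparsed

# Constructed sample lines in the page's format (not captured traffic): two normal clients,
# one malformed line, and a burst of 404s from a single client.
SAMPLE_LOG = [
    '2024-05-01 12:00:01 | 10.0.20.50 | 10.0.20.50 | GET /portal/login HTTP/1.1 | 200 | 35 ms | "-" | "Mozilla/5.0"',
    '2024-05-01 12:00:02 | 10.0.20.51 | 10.0.20.51 | POST /portal/api/orders HTTP/1.1 | 500 | 1540 ms | "-" | "curl/8.0"',
    "this line is not in the expected format",
] + ['2024-05-01 12:00:0%d | 10.0.20.99 | 10.0.20.99 | GET /portal/%s HTTP/1.1 | 404 | 3 ms | "-" | "python-requests/2.31"'
     % (i, p) for i, p in enumerate(["admin", "old", "test", "backup", "dev", "beta"], start=3)]
```

Thresholds are arguments so the same summary can run over a real log file with `summarize(open(path))`.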
## 10. Network Access Control Lists
# The valve tests the TCP peer address; behind a reverse proxy, place a RemoteIpValve before it so the real client IP is evaluated.
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="10\.0\.20\.\d+|172\.16\.0\.\d+" />
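An added audit script (not from the page or the Tomcat project) that checks a server.xml document against items 1, 2, 7 and 10 of this checklist. The two XML fragments are constructed: one with stock-like values, one with the values given above.

```python
import xml.etree.ElementTree as ET

def audit_server_xml(xml_text):
    """Check a server.xml document against checklist items 1, 2, 7 and 10.
    Returns a sorted list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Shutdown listener still on the stock port/command (port="-1" disables it outright).
    if root.get("port") == "8005" or root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown listener uses the default port or command")
    for conn in root.iter("Connector"):
        port = conn.get("port")
        proto = conn.get("protocol", "HTTP/1.1")   # Tomcat's default when the attribute is omitted
        # 2. AJP/1.3 or AjpNioProtocol connectors should go unless a front-end proxy needs them.
        if "AJP" in proto.upper():
            findings.append("AJP connector enabled on port %s" % port)
        # 7. Without server="...", the Server response header advertises the exact Tomcat version.
        if not conn.get("server"):
            findings.append("connector %s sends the default Server header" % port)
    # 10. Some RemoteAddrValve must carry an allow or deny rule. It tests the TCP peer
    # address, so behind a reverse proxy it has to be paired with RemoteIpValve.
    valves = [v for v in root.iter("Valve") if v.get("className", "").endswith("RemoteAddrValve")]
    if not any(v.get("allow") or v.get("deny") for v in valves):
        findings.append("no RemoteAddrValve allow/deny rule configured")
    return sorted(findings)

# Constructed server.xml fragments: stock-like settings beside the checklist values.
DEFAULT_LIKE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>"""

HARDENED = r"""<Server port="9105" shutdown="K8sTmNtShutdownCmd">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" server="SecureGateway" xpoweredBy="false" redirectPort="443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.0\.20\.\d+|172\.16\.0\.\d+" />
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, doc in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(label, audit_server_xml(doc) or ["all checks passed"])
```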
JVM Diagnostics & Connector Tuning
Performance bottlenecks typically manifest as thread pool exhaustion or garbage collection pauses. External diagnostics and internal connector parameters must be tuned in tandem.
## Diagnostic Toolchain
# Identify active JVM processes with their main class, arguments and JVM flags
jps -lvm
# Extract thread dumps for blocked or waiting threads (-F forces the dump when the JVM does not respond)
jstack -F <PID> > /tmp/thread_analysis.dump
# Locate CPU-intensive threads within the JVM process
top -H -p <PID>
# Convert the decimal thread ID (TID) to hexadecimal to match the nid= field in the jstack output
printf "%x\n" <TID>
# Analyze heap utilization & GC frequency
jstat -gcutil <PID> 2000 10    # polls every 2 seconds, 10 times
jstat -compiler <PID>          # inspect JIT compilation statistics
jmap -histo:live <PID> | head -n 20    # top memory consumers (:live forces a full GC first)
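The top / printf / jstack cross-reference above, done in one script as an added example that is not part of the original page: it reads top -H output, converts each hot TID to the hexadecimal nid that jstack prints, and pulls the matching thread name, state and top frame. The top and jstack samples are constructed.

```python
import re

# Thread header line of a jstack dump, e.g.
#   "http-nio-8080-exec-7" #31 daemon prio=5 ... nid=0x1074 runnable  [0x00007f3a2d7fe000]
THREAD_RE = re.compile(r'^"(?P<name>[^"]+)".*?\bnid=0x(?P<nid>[0-9a-f]+)\s+(?P<state>[^\[]*?)\s*(?:\[|$)')

def hot_threads(top_text, min_cpu=50.0):
    """Return {tid: %CPU} for threads at or above min_cpu from `top -H -p <PID>` output."""
    hot = {}
    for line in top_text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit():      # skips the header row; %CPU is column 9
            cpu = float(f[8])
            if cpu >= min_cpu:
                hot[int(f[0])] = cpu
    return hot

def parse_jstack(dump_text):
    """Map each thread's native id (nid, parsed from hex) to (name, state, top frame)."""
    threads, lines = {}, dump_text.splitlines()
    for i, line in enumerate(lines):
        m = THREAD_RE.match(line)
        if m:
            # the first "at ..." line after the header is the frame being executed
            frame = next((l.strip() for l in lines[i + 1:i + 6] if l.strip().startswith("at ")), "")
            threads[int(m.group("nid"), 16)] = (m.group("name"), m.group("state"), frame)
    return threads

def correlate(top_text, dump_text, min_cpu=50.0):
    """Join hot TIDs from top to jstack entries (the printf "%x" step done in code).
    Returns rows (tid, hex_tid, cpu, name, state, frame) sorted by CPU, highest first."""
    dump = parse_jstack(dump_text)
    rows = []
    for tid, cpu in hot_threads(top_text, min_cpu).items():
        name, state, frame = dump.get(tid, ("<not in dump>", "?", ""))
        rows.append((tid, "0x%x" % tid, cpu, name, state, frame))
    return sorted(rows, key=lambda r: -r[2])

# Constructed samples (not from a real host): three threads in top, two of them hot, one missing from the dump.
TOP_SAMPLE = """  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 4212 appsvc    20   0 4567892 812344  22100 R 97.3  5.1   3:12.44 java
 4198 appsvc    20   0 4567892 812344  22100 S  0.3  5.1   0:01.02 java
 4230 appsvc    20   0 4567892 812344  22100 R 61.0  5.1   1:40.10 java"""
JSTACK_SAMPLE = '''"http-nio-8080-exec-7" #31 daemon prio=5 os_prio=0 tid=0x00007f3a4c0a1800 nid=0x1074 runnable  [0x00007f3a2d7fe000]
   java.lang.Thread.State: RUNNABLE
\tat com.example.portal.ReportBuilder.render(ReportBuilder.java:88)
\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

"main" #1 prio=5 os_prio=0 tid=0x00007f3a4c00f000 nid=0x1066 waiting on condition  [0x00007f3a53ffd000]
   java.lang.Thread.State: WAITING (parking)
\tat jdk.internal.misc.Unsafe.park(java.base@11.0.14/Native Method)
'''
```

On a live host, feed it the saved output of top -H -p <PID> -b -n 1 and the /tmp/thread_analysis.dump produced above.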
Adjust connector attributes in server.xml to match workload characteristics. For high-concurrency API gateways:
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="15000"
           keepAliveTimeout="10000"
           maxKeepAliveRequests="50"
           acceptCount="2000"
           maxThreads="800"
           minSpareThreads="100"
           maxConnections="10000"
           compression="on"
           compressionMinSize="1024"
           noCompressionUserAgents=".*MSIE 6.*"
           compressableMimeType="application/json,text/xml,application/xml,text/html,text/css,application/javascript"
           URIEncoding="UTF-8"
           useSendfile="true"
           disableUploadTimeout="true"
           useServerCipherSuitesOrder="true" />
JMX Telemetry Pipeline
Remote JVM monitoring requires exposing management beans through the JMX protocol. The following architecture routes telemetry from application nodes to a centralized collection gateway.
## 1. Install JMX Proxy Service (Collection Host)
yum install -y zabbix-java-gateway
systemctl enable --now zabbix-java-gateway
# /etc/zabbix/zabbix_java_gateway.conf
LISTEN_IP="0.0.0.0"
LISTEN_PORT=10901
START_POLLERS=25
TIMEOUT=30
systemctl restart zabbix-java-gateway
## 2. Configure Server Bridge
# /etc/zabbix/zabbix_server.conf
JavaGateway=10.0.20.5
JavaGatewayPort=10901
StartJavaPollers=25
## 3. Enable Remote JMX on Target Tomcat Instances
# Append to bin/setenv.sh (create if missing)
# authenticate=false and ssl=false expose every MBean, unauthenticated, to anyone who can reach
# the port: restrict it to the collection host with a firewall rule, or enable authentication and TLS.
# Adding -Dcom.sun.management.jmxremote.rmi.port=10901 pins the RMI port so it can be filtered as well.
export CATALINA_OPTS="\
  -Dcom.sun.management.jmxremote \
  -Dcom.sun.management.jmxremote.port=10901 \
  -Dcom.sun.management.jmxremote.ssl=false \
  -Dcom.sun.management.jmxremote.authenticate=false \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Djava.rmi.server.hostname=10.0.20.6"
## 4. Verify Connectivity
telnet 10.0.20.6 10901
systemctl restart zabbix-server
## 5. Platform Configuration
Import the JMX template definitions into the monitoring dashboard.
Assign the template to the host entities, mapping the JMX interface port to 10901.
Monitor heap memory pools (Eden, Survivor, Old Gen), thread states (RUNNABLE, WAITING, BLOCKED), and GC collection metrics.