tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Mikusa <>
Subject Re: Second Instance of Tomcat
Date Thu, 07 Nov 2013 18:37:53 GMT
On Nov 7, 2013, at 12:46 PM, Crystal Maramba <> wrote:

> Hi,
> I am getting ready to deploy the Second Instance of Tomcat on the same server using different
IP addresses.
> \Tomcat\Instance1 (IP Address: xx.xx.xx.x1)
> \Tomcat\Instance2 (IP Address: xx.xx.xx.x2)
> I have a few question, see below:
> 1)     For the Tomcat server ports, I will be using the Connector Port and Redirect port
to bind it to a specific IP address by using "address="xx.xx.xx.xx"". Is there a way to use
the same Shutdown Port and AJP Port to bind it to a different IP address? Or do I have to
change the Shutdown and AJP port number.

The shutdown address can be specified in Tomcat 7, not in Tomcat 6.

All of the AJP connectors (Tomcat 6 & 7) support an "address" attribute.  See here.

> 2)     Keystore:
> a.       I am going to be using https, can I use the same .keystore to import the certificate?

Not exactly sure I follow you here.  Are you asking if you can configure the connector for
both instances of Tomcat to point to the same keystore file?  As far as I know, that's OK.

> b.       If I move the .keystore to another location outside of Tomcat home, will Tomcat
be able to see the .keystore if I specify the path within the server.xml file for .keystore

Yes.  See keystoreFile.

> c.       Should I create a new .keystore for the new instance?

That's up to you.  Do whatever makes the most sense for your setup.

> d.       What is the best practice for this?

It's tough to say what is a "best practice", since most environments are different and what
makes the most sense for you likely depends on your unique environment.

What I can say is that I often see SSL terminated in front of Tomcat with a dedicated hardware
device or Apache HTTPD.  It performs well, plus it makes sense in setups with multiple Tomcat
instances because there is already something in front of the Tomcat instances to load balance
across them.

That doesn't mean you have to do that though.  You could terminate the SSL with Tomcat and
people do.  If you go this route, I'd suggest using the APR or NIO connector though.  The
APR connector performs the best with SSL, but is a little trickier to setup.  The NIO doesn't
perform as good as the APR, but I believe it's better than the BIO connector and it's easy
to setup.

> 3)     Does anyone know a way to encrypt the clear-text passwords specified in tom-user.xml
for the Tomcat manager and server.xml file for .keystore?

I don't know of anything for the tomcat-users.xml file.  It's my understanding that this file
is not recommended for production use, so you should probably look at using a JDBC or LDAP
realm instead.

Another option would be to write a custom realm that decrypts the passwords.

Having said that, I believe the general suggestion here is to apply proper unix permissions
on the files to control access to them.  For example, you should set the owner to be the user
that is running Tomcat, which should *not* be root and set the permission to r/w only for
the owner.


> Any help would be greatly appreciated.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message