5 Best Security Practices For Tomcat Servers

Apache Tomcat

Tomcat is the acronym of Apache Tomcat, which is an open-source webserver to run Java codes. Tomcat provides a Java environment wherein Java Servlet, Java Expression Language, Java Server Pages, and all Java codes can successfully be implemented. Since its gaining popularity due to its flexibility, stability, and proper documentation, it has become a lucrative target for hackers for tampering the Java codes for their benefits.

Hence Tomcat application servers also require security against cyber-attacks and other web security vulnerabilities.

Let’s check out some best web security practices for Tomcat servers.

Best Security Practices for Tomcat Servers:1.    Be Cautious About Banner Grabbing:

Banner Grabbing is a process wherein you can connect to any remote computer and can access its software, its version, services, and its port. Whenever a server host request is sent via telnet command, it immediately displays the server name, version, and port as shown in the below image.

Server Host Request

Host Request

This information is enough for an attacker to locate vulnerabilities and misuse the same.

Hackers also checkout web server error pages for any loopholes where the version number of the server is also mentioned.

Tomcat Error Page


Since banner grabbing is the simplest way to exploit and intrude in application code, hackers love to opt for the same.

 The Process to Abolish Banner Grabbing:

·        Edit Server.xml File:

Find the server.xml file in the root path of Tomcat installation. It may either be located in /etc/tomcat”X” where X=server version or in /etc/tomcat6/server.xml.

You can also locate the file by entering the below command:

#> find / -name server.xml

Go to the connector port line in server.xml in the file. Add a server restriction in this line which indicates the Tomcat server, as to how to respond to a user request when asked for a system version.


1<Connector port=”7080”….

2 server=”AVISRV”

You can write anything in the server variable, as far as it is not empty, the hacker will not gain any information on the same. Once the respective changes are made, save the server.xml file.

This will prevent the server from divulging the server version information to intruders.

·        Edit SeverInfo.properties:

 Though this is a complex process, it is not impossible. Find Catalina.jar file by giving the following command.

#> find / -name catalina.jar

You need to find ServerInfo.properties from this file, but ensure to do a backup of this file before extracting the same.

Run the below command for extracting ServerInfo.properties.

#>  jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

This command helps in extracting the ServerInfo.properties file. From the file, you can change the values of the server.info and server.number for preventing banner grabbing.


You can change

server.info=Apache Tomcat 7.0.x.x/x





Save the changes and exit the file.

Restart Apache Tomcat:

Restart your Tomcat server and secure your applications against vulnerabilities. To know more about the restart process, click here.2.    Install and Configure SSL Certificate:

SSL (Secure Socket Layers) Certificate encrypts browser-server communication. You all must be aware that these digital certificates when configured in the server, secure the site data, and prevent exploitation of customer sensitive information.

Configuration of your website with SSL certificate using Apache Tomcat has 2 main requirements, i.e., JAVA SDK/ JDX and Tomcat (7+).


·    Create a Keystore file using Java, and CSR by running the below- mentioned command

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks

 ·       Create a password

c:/RaxTonProduction/: keytool -genkey -alias tomcat -keyalg RSA
Enter Keystore password:  password (it will be invisible)
Re-enter new password: password
What is your first and last name?
  [Unknown]:  Avani Patel
What is the name of your organizational unit?
  [Unknown]:  AVAP
What is the name of your organization?
  [Unknown]:  AVAP
What is the name of your City or Locality?
  [Unknown]:  Ahmedabad
What is the name of your State or Province?
  [Unknown]:  GJ
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Avani Patel, OU=AVAP, O=AVAP, L=Ahmedabad, ST=GJ, C=IN correct?
  [no]:  yes
Enter key password for
    (RETURN if same as Keystore password):  password
Re-enter new password: password

Keystore file will be created in your home directory.

·        The next step will be to configure Tomcat for SSL configuration. In the Tomcat installation directory, open the Conf folder and fetch the server.xml file.

Find the below text in the server.xml file.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

Modify this text as stated below

Connector SSLEnabled=”true” acceptCount=”100” clientAuth=”false”
    disableUploadTimeout=”true” enableLookups=”false” maxThreads=”25”
    port=”8443” keystoreFile=”/Users/loiane/.keystore” keystorePass=”password”
    protocol=”org.apache.coyote.http11.Http11NioProtocol” scheme=”https”
    secure=”true” sslProtocol=”TLS” />

After KeystorePass, the Keystore file is added it’s time to test the results.

·        Configure your app with SSL via access to the localhost by adding the below-stated code in the web.xml file.


Your application is secured with SSL because the URL pattern is set to /*.

To install SSL certificate on Tomcat server  you can visit CheapSSLShop, wherein you can find multiple brands of SSL certificates and SSL products at very nominal rates.

3.    Safeguard the Server Shutdown Port:

If the intruders can successfully shut down the Tomcat server it would be a disaster. To prevent these malicious hackers from shutting down Tomcat’s web services, it is viable to disable the shutdown port option.

Go to the server.xml file and set the port attribute to -1. Another best option to ensure that the port remains open is to set a strong password for shutdown so that disasters don’t happen.

4.    Clear Test-Web Apps and Extra Resources:

·     Many server platforms provide sample applications or test-web applications for demo purposes. These applications may be a carrier of web vulnerabilities and it’s best to remove them to prevent any server damages in the future.

 ·     Even unused apps on the server may be targeted for exploits in the future, and to prevent the same, it is feasible to uninstall the same for Tomcat security.

·     Post-installation of the Tomcat server all the sample directories and files which are unnecessary should be removed, to reduce exposure to malignant sources.

 ·    The wrong configuration of connectors or unused connectors should also be disabled to decrease the risk.

5.    Restrict User Access and IP address to Tomcat Manager WebApp:

The Tomcat manager web app comes with the Tomcat server. Its main function is to manage the applications that are running on the Tomcat server.

These days, cyber-criminals focus on web applications for security loopholes, so that they can gain unauthorized access to servers. Hence it is essential to restrict the access to Tomcat manager web app for preventive purposes.

Another way to prevent intruders is to restrict or deny access to specific IP addresses.

The Process to Restrict User Access:

·        Locate the application and click on the Config button of the Tomcat server.

·        Open the opt/tomcat/conf/ folder > tomcat-users. xml file.

·        Add users whom you want to give access along with the required credentials and roles stated for the same.

·        Save the changes & Restart your Tomcat server.

 The Process to Restrict IP Address:

·        Locate the application and click on the Config button of the Tomcat server.

·        Go to /opt/tomcat/webapps/ROOT/META-INF folder and click the context.xml file.

·        Add the below-mentioned strings to the context.xml file.

<Context antiJARLocking=”true” path=”/”>

<Valve className=”org.apache.catalina.valves.RemoteIpValve” />

<Valve className=”org.apache.catalina.valves.RemoteAddrValve” deny=”{IP_address}” />


 ·     Save the changes & restart your Tomcat server.

When user authentication is specified, unwanted users will not be able to access the server. The same goes for IP address, i.e., when an IP address is denied, the user will see HTTP Status 403 error, while trying to access the application.


 Thus, restricting the Tomcat Manager web application to unknowns will indirectly help protect your Tomcat server from intruders.

Wrapping Up:

The above article will help in securing your Apache Tomcat server and keeping it safe from unknown sources.


Leave a Reply

Your email address will not be published. Required fields are marked *