On this page
Used scripts
The Web Application Platform, as deployed by our installer, runs on a bundled Apache Tomcat. As such, best practices for hardening Apache Tomcat should be followed.
Although we have already constrained ciphers and protocols at the JVM level, it is best practice to do so at the Tomcat configuration level. We also need to address issues such as secure cookies, disable XSS on foreign sites, and also remove default directories published as part of the default installation. The official Tomcat documentation covers a large portion of this (recommended reading) - https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html. Additionally, there are a plethora of documents online covering all aspects of securing Tomcat to OWASP standards.
server.xml
There are various changes that can be made to <install_root>/WebAppPlatform/conf/server.xml in order to harden the system.
The first step (do not do this if running on Windows) is to disable the shutdown port.
For this, you need to change:
<Server port="8005" shutdown="SHUTDOWN">
to
<Server port="-1" shutdown="SHUTDOWN">
The next step is to disable the AJP connector unless you specifically intend to use it.
For this, you need to change:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
to
<!-- Define an AJP 1.3 Connector on port 8009 --> <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
The next step is to disable the redirection on port 8080.
For this, you need to change:
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
to
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
Server=" "
redirectPort="8443" />
-->
Finally, we want to prevent our instance from advertising what server is being used in the event that an error is encountered.
For this, you need to go to the very bottom of the file and add the following, right above the closing </Host> tag.
<!-- Suppress server name on internal error pages -->
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
</Host>
web.xml
Having completed the configuration of server.xml, we will now proceed to configure <install_root>/WebAppPlatform/conf/web.xml.
We need to ensure that cookies are constrained to HTTPS.
<!-- ==================== Default Session Configuration ================= -->
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
You only need to insert the following lines:
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
Tomcat installation
Having made the necessary changes to the configuration files, we will now proceed to remove all of the default applications in the tomcat distribution, which could expose our installation to external vulnerabilities.
If we look at a directory of <install_root>/WebAppPlatform/webapps, we will see the following:
drwxrwxr-x. 14 twcloud twcloud 4096 Apr 15 14:39 docs drwxrwxr-x. 6 twcloud twcloud 83 Apr 15 14:39 examples drwxrwxr-x. 5 twcloud twcloud 87 Apr 15 14:39 host-manager drwxrwxr-x. 5 twcloud twcloud 103 Apr 15 14:39 manager drwxrwxr-x. 3 twcloud twcloud 283 Apr 15 14:39 ROOT drwxr-x---. 8 twcloud twcloud 117 Apr 15 14:47 webapp -rwxrwxr-x. 1 twcloud twcloud 67742880 Oct 31 17:56 webapp.war
As you can see, in addition to webapp.war and the webapp directory, there are additional directories, containing applications, which could potentially be exploited.
You want to remove docs, examples, host-manager, manager, and ROOT.
When you remove the ROOT application directory, accessing https://ip_address:8443 will no longer display the Apache Tomcat default landing page.
Upgrading and patching Apache Tomcat
Web Application Platform uses Apache Tomcat as the Java web application server for deployment. Upgrading or patching is often required to keep your Tomcat server up to date with all the latest security and performance improvements.
Refer to the table below for major version compatibility between Web Application Platform and Apache Tomcat releases.
| Deployed Web Application Platform Major Version | 2022x All | 2024x All |
| Supported Apache Tomcat Major Version | 9.X | 10.X |
The files required for upgrading and patching Tomcat are a compilation of JAR files residing in <install_root>/WebAppPlatform/bin and <install_root>/WebAppPlatform/lib.
Always make a backup of these directories before performing any upgrade or patch.
For Linux server deployment, use the upgrade_tomcat_webapp.sh script to automatically update your instance to the target Tomcat version (set in script). This script can perform installation either from a locally-stored package or pull from Apache’s server (internet access required).
To upgrade Apache Tomcat on Linux using script
- Download upgrade_tomcat_webapp.sh script.
- For a server with internet access:
- Execute the script and specify the desired Tomcat version when prompted.
For offline installation:
- Download the Apache Tomcat package from https://archive.apache.org/dist/tomcat (tar.gz and zip files are both supported.)
- Execute the script and confirm installation from a local package.
To manually "slip-stream" an update without having to fully replace the Tomcat installation, replace the existing JAR files in these directories with ones from the newer Apache Tomcat package. After replacing the JAR files, make sure the new files’ permission and ownership are same as before.
Upgrading Web Application Platform bundled JDK
Web Application Platform can run with Java 17.0.1. If you wish to use it instead of the bundled version, it is located in <install_root>/WebAppPlatform/jre.
To upgrade JDK automatically, download and use the upgrade_jdk_webapp.sh script.