Error Page

{"type":"doc","content":[{"type":"paragraph","content":[{"text":"This article describes how to harden your Tomcat installation. The examples applies to Apache Tomcat 8.x. ","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Step-by-step instructions","type":"text"}]},{"type":"expand","attrs":{"title":"Add Rate limit filter to prevent DoS Attacks"},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Tomcat version 9.0.76 or higher is required to support the Rate limit filter. The filter can be used for older Prime/Identity Manager versions as well if Tomcat is updated to a supported version.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"To prevent \"Denial of Service\" (DoS) attacks, a \"Rate limit filter\" can be added to ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":" in the Tomcat installation.","type":"text"}]},{"type":"paragraph","content":[{"text":"In Smart ID Docker containers it will be added automatically.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The filter can be added to ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":" for each application if adjusting the settings individually is needed, instead of having a global setting valid for all applications. However, it is easier to maintain in one location.","type":"text"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the filter in ","type":"text"},{"text":"Tomcat/conf/web.xml","type":"text","marks":[{"type":"strong"},{"type":"em"}]},{"text":". See an example below:","type":"text"}]}]}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example: Rate limit filter","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":" \n\n RateLimitFilter global\n org.apache.catalina.filters.RateLimitFilter\n \n \n bucketRequests\n 200\n \n \n \n bucketDuration\n 60\n \n\n\n RateLimitFilter global\n *\n","type":"text"}]}]},{"type":"expand","attrs":{"title":"Remove server banner"},"content":[{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to the ","type":"text"},{"text":"$tomcat/conf","type":"text","marks":[{"type":"code"}]},{"text":" folder","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Modify ","type":"text"},{"text":"server.xml","type":"text","marks":[{"type":"em"}]},{"text":" by using a text editor.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following to ","type":"text"},{"text":"Connector port","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"Server =\" \"","type":"text"}]},{"type":"paragraph","content":[{"text":"Example:","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Example: Remove server banner","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Enable TLS/SSL"},"content":[{"type":"paragraph","content":[{"text":"To enable TLS/SSL, add a connector for port 443 to the Tomcat configuration:","type":"text"},{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}},{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to the ","type":"text"},{"text":"$tomcat/conf","type":"text","marks":[{"type":"code"}]},{"text":" folder","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Modify ","type":"text"},{"text":"server.xml","type":"text","marks":[{"type":"em"}]},{"text":" by using a text editor.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following content:","type":"text"},{"type":"hardBreak"}]},{"type":"codeBlock","content":[{"text":"\"\n keystoreType=\"PKCS12\"\n truststoreFile=\"/opt/tomcat/cert/castore.jks\"\n truststorePass=\"\"\n truststoreType=\"JKS\"\n sslProtocol=\"TLS\"\n sslEnabledProtocols=\"TLSv1.2\"\n useServerCipherSuitesOrder=\"true\"\n ciphers=\"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,\n TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \n TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\n TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \n TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \n TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\n TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\"\n/>","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For more information, see ","type":"text"},{"text":"https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html","type":"text","marks":[{"type":"link","attrs":{"href":"https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html"}}]},{"text":". ","type":"text"}]}]},{"type":"expand","attrs":{"title":"Enforce HTTPS"},"content":[{"type":"paragraph","content":[{"text":"Even if you have an http connector, for example in port 8080, it will redirect to the configured ssl port. To enforce HTTPS, do the following:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"$tomcat/conf","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]},{"text":" folder","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Modify ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":" with a text editor.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following before the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" syntax:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n Protected Context\n /*\n \n \n CONFIDENTIAL\n \n","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Add Secure & HttpOnly flag to cookie"},"content":[{"type":"paragraph","content":[{"text":"It is possible to steal or manipulate web application session and cookies without having a secure cookie. Here \"","type":"text"},{"text":"secure","type":"text","marks":[{"type":"code"}]},{"text":"\" is a flag which is injected in the response header.","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add this line in the ","type":"text"},{"text":"session-config","type":"text","marks":[{"type":"code"}]},{"text":" section of the ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":" file:","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n true\n true\n","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Run Tomcat from non-privileged account"},"content":[{"type":"paragraph","content":[{"text":"This is valid for Linux- and Unix-like operating systems. ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]}]},{"type":"paragraph","content":[{"text":"To lower the impact of a potential attack, it is recommended to run Tomcat with a non-privileged user. ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#242729"}}]},{"text":"Follow these steps to add a non-privileged user and run Tomcat with that user:","type":"text"},{"text":" ","type":"text","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a group called ","type":"text"},{"text":"tomcat","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add a user called ","type":"text"},{"text":"tomcat","type":"text","marks":[{"type":"code"}]},{"text":" to the ","type":"text"},{"text":"tomcat","type":"text","marks":[{"type":"code"}]},{"text":" group, with the following attributes:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Set the home directory to ","type":"text"},{"text":"/opt/tomcat","type":"text","marks":[{"type":"em"}]},{"text":". This directory is where Tomca","type":"text"},{"text":"t is installed.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Set the shell to ","type":"text"},{"text":"/bin/nologin","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}},{"type":"em"}]},{"text":" (so that nobody can log into the account).","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Start Tomcat as the new ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]},{"text":"tomcat","type":"text","marks":[{"type":"code"}]},{"text":" user. ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]},{"type":"hardBreak"},{"type":"hardBreak"}]},{"type":"paragraph","content":[{"text":"Linux example: add tomcat group and user","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"# Preparation\nsudo groupadd tomcat\nsudo useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat\nsudo chgrp -R tomcat /opt/tomcat\nsudo chmod -R g+r conf\nsudo chmod g+x conf\nsudo chown -R tomcat webapps/ work/ temp/ logs/ cert/\n \n# Startup as tomcat user\nsudo su -c /opt/tomcat/bin/startup.sh - tomcat","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Remove default/unwanted applications"},"content":[{"type":"paragraph","content":[{"text":"By default, Tomcat comes with the following web applications, which may be required in a production environment. You can delete them to keep it clean and avoid any known security risk with Tomcat default application.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ROOT ","type":"text","marks":[{"type":"code"}]},{"text":"– Default welcome page","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Docs ","type":"text","marks":[{"type":"code"}]},{"text":"– Tomcat documentation","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Examples ","type":"text","marks":[{"type":"code"}]},{"text":"– JSP and servlets for demonstration","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Manager, host-manager","type":"text","marks":[{"type":"code"}]},{"text":" – Tomcat administration","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"They are available under the ","type":"text"},{"text":"$tomcat/webapps","type":"text","marks":[{"type":"code"}]},{"text":" folder.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Change SHUTDOWN port and command"},"content":[{"type":"paragraph","content":[{"text":"By default, Tomcat is configured to be shutdown via port 8005. Tomcat can then be shut down by opening telnet to IP:port and issuing the SHUTDOWN command.","type":"text"}]},{"type":"paragraph","content":[{"text":"It’s recommended to change the Tomcat shutdown port and default command to something unpredictable.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Modify the following in ","type":"text"},{"text":"server.xml","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"\">","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Or disable the shutdown port completely:","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Replace default 404, 403, 500 page"},"content":[{"type":"paragraph","content":[{"text":"If you have the default pages for not found (404), forbidden (403), and server error (5xx), this will expose version details.","type":"text"}]},{"type":"paragraph","content":[{"text":"To mitigate this:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a general error page:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to the ","type":"text"},{"text":"$tomcat/webapps/$application.","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create an ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"error.jsp ","type":"text","marks":[{"type":"em"}]},{"text":"file using a text editor.","type":"text"}]},{"type":"paragraph","content":[{"text":"Example","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"\n \n Error Page\n \n That's an error! \n","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":" to redirect to the general error page.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"$tomcat/conf","type":"text","marks":[{"type":"em"}]},{"text":" folder.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following in the ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":" file before the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" syntax:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n 404\n /error.jsp\n\n\n 403\n /error.jsp\n\n\n 500\n /error.jsp\n","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You can also do the same for ","type":"text"},{"text":"java.lang.Exception","type":"text","marks":[{"type":"code"}]},{"text":". This will help in not exposing the Tomcat version information if any such error happens. Add the following in ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":" and restart the tomcat server:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n java.lang.Exception\n /error.jsp\n","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Restrict application to specific IP address or network"},"content":[{"type":"paragraph","content":[{"text":"If you don't want Identity Manager Admin or Identity Manager Tenant to be accessible over the internet, this is an example of how you can restrict access per application in Tomcat.","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Modify ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"$tomcat/webapps/$application/META-INF/context.xml","type":"text","marks":[{"type":"em"}]},{"type":"hardBreak"},{"text":"This will allow access from IPV4 localhost, IPV6 localhost, any IP that begins with 10 and also from the public IP of the Nexus Stockholm Office.","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart Tomcat for changes to apply.","type":"text"}]}]}]}]},{"type":"expand","attrs":{"title":"Hide Exception stack trace in error page"},"content":[{"type":"paragraph","content":[{"text":"If you want to h","type":"text"},{"text":"ide the stack trace thrown by Tomcat (Application Server) when something goes wrong or there is an error in some configuration file then this is an example of how you can restrict display of error stack trace.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To hide the tomcat stack trace add the following lines to the host section of your ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"server.xml","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"},{"type":"em"}]},{"text":" file under ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"\\conf","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"strong"},{"type":"em"}]},{"text":" where you should already have the AccessLogValve:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"paragraph","content":[{"text":"Modify ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"$tomcat/","type":"text","marks":[{"type":"em"}]},{"text":"conf ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]},{"text":"/","type":"text","marks":[{"type":"em"}]},{"text":"server.xml","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}},{"type":"em"}]}]},{"type":"codeBlock","content":[{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Disabling both ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"showServerInfo","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]},{"text":"showReport ","type":"text","marks":[{"type":"code"}]},{"text":"will now only return the HTTP status code.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart Tomcat for changes to apply.","type":"text"}]}]}]}]}],"version":1}

Browser not supported