Protecting against POODLE attack in Tomcat 7


What is a POODLE attack?

The internet has been abuzz with security issues this year, such as Heartbleed and Shellshock. POODLE is no different and affects almost every server on the internet. The attack is carried out by a man in the middle who relies on the client's software falling back to SSL 3.0 when a TLS handshake fails, and then exploits the weak CBC padding check in SSL 3.0. The result is that an attacker can decrypt one byte of encrypted data with roughly 256 SSL 3.0 requests, which is enough to recover a session cookie in a few minutes.

What is the solution?

Patching the vulnerability in Tomcat 7 is simple: stop the server from offering SSL 3.0 at all, so there is nothing for a client to fall back to. This assumes that your certificate and key are already configured. Check your server.xml file and make sure the HTTPS Connector sets sslEnabledProtocols to the following:

Now restart Tomcat and verify the fix. Plenty of simple tools exist to test a site's SSL configuration, or point `openssl s_client -ssl3` at the server and confirm that the handshake is refused.
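The following is an added example, not part of the original post: a small audit of the HTTPS Connector in a Tomcat 7 server.xml that reports whether SSL 3.0 can still be negotiated, with a before and after connector constructed inline. It assumes a JSSE (non-APR) connector; for the APR connector the attribute is SSLProtocol instead. Ports, hostnames and keystore paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit the HTTPS Connector(s) in a
# Tomcat 7 server.xml for SSL 3.0 and show the corrected attribute. Assumes a
# JSSE (non-APR) connector; for the APR connector the attribute is SSLProtocol.
# Hostnames, ports and keystore paths below are placeholders.

# Print each <Connector ... SSLEnabled="true" ...> element on one line.
https_connectors() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>'
}

# 0 if the connector cannot negotiate SSLv3, 1 otherwise. A connector without
# sslEnabledProtocols falls back to the JVM defaults, which on Java 7 still
# include SSLv3, so "attribute missing" is treated as vulnerable too.
connector_excludes_sslv3() {
    if printf '%s\n' "$1" | grep -q 'sslEnabledProtocols="[^"]*SSLv3'; then
        return 1                                  # SSLv3 explicitly enabled
    fi
    printf '%s\n' "$1" | grep -q 'sslEnabledProtocols="'   # explicit list, no SSLv3
}

# One line per HTTPS connector; exit status 1 if any of them is exposed.
audit_server_xml() {
    tmp=$(mktemp); rc=0
    https_connectors "$1" > "$tmp" || true
    while IFS= read -r conn; do
        port=$(printf '%s\n' "$conn" | grep -o 'port="[0-9]*"')
        if connector_excludes_sslv3 "$conn"; then
            echo "OK      $port"
        else
            echo "POODLE  $port  (set sslEnabledProtocols=\"TLSv1,TLSv1.1,TLSv1.2\")"; rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Live check against a running server (not executed here): once SSL 3.0 is off,
# an SSLv3-only handshake must fail. Needs an OpenSSL build that still has -ssl3.
sslv3_refused() { ! openssl s_client -ssl3 -connect "$1" </dev/null >/dev/null 2>&1; }

# Constructed sample connectors, before and after the fix, for the audit above.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/weak.xml" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="conf/keystore.jks" keystorePass="changeit" />
</Service></Server>
EOF
    cat > "$d/fixed.xml" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             keystoreFile="conf/keystore.jks" keystorePass="changeit" />
</Service></Server>
EOF
    echo "$d"
}

dir=$(write_samples)
audit_server_xml "$dir/weak.xml" || echo "weak.xml still offers SSL 3.0"
audit_server_xml "$dir/fixed.xml" && echo "fixed.xml is safe"
```

Run it against your own conf/server.xml with `audit_server_xml /path/to/conf/server.xml`; after the restart, `sslv3_refused yourhost:8443` should succeed, meaning the SSLv3 handshake was rejected.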

Clearing Tomcat logs on startup


Tomcat logs can become overwhelming to read in a development environment. Usually you only need to see the most recent error logs when testing your program; the older errors are irrelevant. This simple shell script solves the problem of error logs piling up.

Navigate to the tomcat/bin folder and edit the file named "startup.sh". You will need to be root, or the user that owns the Tomcat installation, to make these changes. Place the following code at the top of the file, directly after the last comments.

Now, each time Tomcat starts, it will remove all old log files and the application folder before proceeding. Be careful with this on anything but a development box: whatever the script deletes is gone for good, and startup.sh is often run as root.
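The following is an added example, not the snippet from the original post: a defensive version of the clean-up block to paste near the top of bin/startup.sh. It assumes the standard layout ($CATALINA_HOME/logs and $CATALINA_HOME/work) and takes "the application folder" to mean work/, Tomcat's compiled-JSP cache, since wiping webapps/ would delete the deployed application itself. The throw-away install it cleans is constructed inline.

```shell
#!/bin/sh
# Added example, not the original post's snippet: a defensive version of the
# clean-up block to paste near the top of bin/startup.sh. Assumes the standard
# layout ($CATALINA_HOME/logs and $CATALINA_HOME/work); "the application
# folder" is taken here to mean work/, Tomcat's compiled-JSP cache, because
# wiping webapps/ would delete the deployed application itself.

# Remove old log files and the work cache of the Tomcat install rooted at $1.
# The guards matter because startup.sh often runs as root: an empty or wrong
# path would otherwise turn "rm -rf $X/work/*" into "rm -rf /work/*".
clean_tomcat() {
    home=$1
    if [ -z "$home" ] || [ ! -f "$home/bin/catalina.sh" ]; then
        echo "refusing: '$home' does not look like a Tomcat install" >&2
        return 1
    fi
    # logs: delete regular files only, keep the directory (Tomcat expects it)
    mkdir -p "$home/logs"
    find "$home/logs" -maxdepth 1 -type f -exec rm -f -- {} +
    # work: wipe the whole cache; Tomcat recreates the tree on deploy
    rm -rf -- "$home/work"/*
    mkdir -p "$home/work/Catalina"
}

# In startup.sh, after the licence header, the call would be:
#   clean_tomcat "$(cd "$(dirname "$0")/.." && pwd)" || exit 1
# startup.sh has not set CATALINA_HOME at that point, so derive it from $0.

# Constructed throw-away install with some old logs and cached JSPs.
make_fake_tomcat() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/logs" "$d/work/Catalina/localhost/app/org/apache/jsp"
    : > "$d/bin/catalina.sh"
    echo "old error" > "$d/logs/catalina.out"
    echo "old error" > "$d/logs/localhost.2014-10-15.log"
    : > "$d/work/Catalina/localhost/app/org/apache/jsp/index_jsp.class"
    echo "$d"
}

fake=$(make_fake_tomcat)
clean_tomcat "$fake" && echo "cleaned $fake"
```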

Using with Netbeans

To deploy with NetBeans, navigate to Services -> Servers -> Apache Tomcat (your server). Right-click and select Properties. There will be a tab labeled Startup. Select Use Custom Catalina Script. Finally, browse to and select the Tomcat startup.sh script that was edited above.

[Screenshot: NetBeans server properties, Startup tab, "Use Custom Catalina Script" (netbean-catalina-script-custom)]

Running tomcat port 80


The Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the web. By default Tomcat does not listen on port 80; it runs on port 8080 instead. Rather than running Tomcat as root so it can bind a privileged port, iptables can redirect all traffic arriving on port 80 to port 8080, and all traffic on port 443 (HTTPS) to port 8443 (Tomcat's SSL port). This walkthrough shows how to set up port 80 forwarding on CentOS 6.x.

To do this, edit the iptables rules file (/etc/sysconfig/iptables on CentOS 6) and replace its contents with the following:

Finally, restart iptables to apply the changes:
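The following is an added example, not the rules file from the original post: a generator for the /etc/sysconfig/iptables contents that redirects 80 to 8080 and 443 to 8443. It goes a little beyond the text in two ways a practitioner needs: it adds the matching nat OUTPUT rules, because PREROUTING only sees packets arriving from the network and a `curl http://localhost/` on the box itself would otherwise bypass the redirect, and its filter section accepts 8080 and 8443 rather than 80 and 443, because after REDIRECT the packet reaches INPUT with the rewritten port. The default-drop INPUT policy with ssh open is an assumed baseline, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post: emit the iptables-restore file
# (/etc/sysconfig/iptables on CentOS 6) that redirects 80->8080 and 443->8443.
# nat OUTPUT rules cover connections made from the host itself; the filter
# section is an assumed baseline (default drop, ssh + the Tomcat ports open).

# 0 if $1 is a TCP port number in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tomcat_redirect_rules [HTTP] [HTTP_TO] [HTTPS] [HTTPS_TO]  (defaults 80 8080 443 8443)
tomcat_redirect_rules() {
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    http=${1:-80}; http_to=${2:-8080}; https=${3:-443}; https_to=${4:-8443}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport $http -j REDIRECT --to-ports $http_to
-A PREROUTING -p tcp --dport $https -j REDIRECT --to-ports $https_to
-A OUTPUT -o lo -p tcp --dport $http -j REDIRECT --to-ports $http_to
-A OUTPUT -o lo -p tcp --dport $https -j REDIRECT --to-ports $https_to
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport $http_to -j ACCEPT
-A INPUT -p tcp --dport $https_to -j ACCEPT
COMMIT
EOF
}

# Install on the server (as root, not executed here):
#   tomcat_redirect_rules 80 8080 443 8443 > /etc/sysconfig/iptables
#   service iptables restart
#   iptables -t nat -L PREROUTING -n     # confirm the two REDIRECT rules

tomcat_redirect_rules 80 8080 443 8443
```

Note what the filter rules imply: because redirected packets carry dport 8080 by the time INPUT sees them, 8080 and 8443 must be accepted, which also leaves those ports reachable directly from the network. If that matters, put Tomcat behind a reverse proxy bound to the privileged ports instead of redirecting.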

Tomcat service script


Once you have installed Tomcat from source rather than from a package, it becomes convenient to create a service script to stop, start and restart the server.

Once properly configured you will be able to control Tomcat like so…

Begin by adding a group 'tomcat'. This is necessary so that the Tomcat server can run without root privileges: a container that runs as root turns every web application bug into a root compromise.

Create the user 'tomcat' and add it to the group created above. Give it no login shell, and make it the owner of the Tomcat installation so the service can write its logs, work and temp directories.

To turn Tomcat into a service, create a new file called tomcat in the init.d directory. Then chmod that file to 0755 so it is executable by the service manager. Do not make it 0777: init scripts run as root at boot, so a world-writable one lets any local user put commands of their choosing into a root shell.

Inside the tomcat file created above, paste the following. Remember to modify the variables CATALINA_HOME and CATALINA_BASE to the location of your Apache Tomcat installation.

If you want Tomcat to start when the machine reboots, register the script with chkconfig. This will ensure that Tomcat starts whenever the server is rebooted.
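The following is an added example, not the init script from the original post: a generator for /etc/init.d/tomcat on CentOS 6 that runs Tomcat as the unprivileged 'tomcat' user via su and sets the script to 0755. The install path /opt/tomcat7 and the account setup commands in the comment are placeholders to adapt; the chkconfig header comment is what `chkconfig --add` reads.

```shell
#!/bin/sh
# Added example, not the post's own init script: generate /etc/init.d/tomcat
# for CentOS 6, running Tomcat as the unprivileged 'tomcat' user created above.
# Install path and user are parameters; /opt/tomcat7 below is a placeholder.

write_tomcat_initscript() {   # write_tomcat_initscript OUTFILE CATALINA_HOME [USER]
    out=$1; home=$2; user=${3:-tomcat}
    cat > "$out" <<EOF
#!/bin/sh
# chkconfig: 2345 80 20
# description: Apache Tomcat 7 servlet container
CATALINA_HOME=$home
CATALINA_BASE=$home
TOMCAT_USER=$user
export CATALINA_HOME CATALINA_BASE

# Everything Tomcat-related runs as \$TOMCAT_USER, never as root.
as_tomcat() { su -s /bin/sh -c "\$*" "\$TOMCAT_USER"; }

case "\$1" in
  start)   as_tomcat "\$CATALINA_HOME/bin/startup.sh" ;;
  stop)    as_tomcat "\$CATALINA_HOME/bin/shutdown.sh" ;;
  restart) "\$0" stop; sleep 5; "\$0" start ;;
  status)  if pgrep -u "\$TOMCAT_USER" -f org.apache.catalina.startup.Bootstrap >/dev/null; then
             echo "tomcat is running"
           else
             echo "tomcat is stopped"; exit 3
           fi ;;
  *)       echo "Usage: \$0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
EOF
    # 0755 and root-owned: executable by the service manager, writable by root
    # only. A 0777 init script is a root shell for any local user at next boot.
    chmod 0755 "$out"
}

# Full setup, run as root (not executed here):
#   groupadd tomcat
#   useradd -r -g tomcat -s /sbin/nologin -d /opt/tomcat7 tomcat
#   chown -R tomcat:tomcat /opt/tomcat7
#   write_tomcat_initscript /etc/init.d/tomcat /opt/tomcat7
#   chkconfig --add tomcat && chkconfig tomcat on
#   service tomcat start

out=$(mktemp)
write_tomcat_initscript "$out" /opt/tomcat7
sh -n "$out" && echo "generated $out (syntax OK)"
```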

Tomcat remote debugging Netbeans


To enable remote debugging of your website, edit the catalina.sh file in your Tomcat installation. This file is located in the bin folder.

Make sure port 8000 is reachable from your workstation, and you should now be able to use the NetBeans remote debugger to attach to the Tomcat server. Do not open that port to the internet: the JDWP debug protocol has no authentication, and anyone who can connect to it can execute arbitrary code inside the JVM with the privileges of the Tomcat user. Bind the debugger to localhost and reach it through an SSH tunnel, or at the very least restrict the port to your own address in the firewall.
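The following is an added example, not from the original post, and it takes a slightly different route than editing catalina.sh: the JPDA settings go into bin/setenv.sh, which catalina.sh sources on every start, and Tomcat is launched with `catalina.sh jpda start`. The helper refuses a debug address that is not bound to loopback unless explicitly overridden. The install path /opt/tomcat7 and the ssh user and host are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Instead of editing catalina.sh,
# put the debugger settings in bin/setenv.sh (catalina.sh sources it) and
# start Tomcat with "catalina.sh jpda start". JDWP has no authentication:
# anyone who can reach the port can run arbitrary code inside the JVM as the
# tomcat user, so bind it to loopback and reach it through an SSH tunnel.

# 0 if a JPDA_ADDRESS only listens on loopback, 1 if it would be reachable
# from the network ("8000" on its own or "0.0.0.0:8000" means all interfaces).
jpda_address_is_local() {
    case "$1" in
        127.0.0.1:[0-9]*|localhost:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write bin/setenv.sh for the Tomcat install rooted at $1 with the debug
# address $2 (default 127.0.0.1:8000). A non-local address is refused unless
# FORCE=1 is set in the environment.
write_setenv_jpda() {
    home=$1; addr=${2:-127.0.0.1:8000}
    if ! jpda_address_is_local "$addr" && [ "${FORCE:-0}" != 1 ]; then
        echo "refusing network-exposed JDWP address $addr (set FORCE=1 to override)" >&2
        return 1
    fi
    cat > "$home/bin/setenv.sh" <<EOF
# Debugger settings for 'catalina.sh jpda start' (generated)
JPDA_TRANSPORT=dt_socket
JPDA_ADDRESS=$addr
JPDA_SUSPEND=n
export JPDA_TRANSPORT JPDA_ADDRESS JPDA_SUSPEND
EOF
}

# On the server:      write_setenv_jpda /opt/tomcat7 && /opt/tomcat7/bin/catalina.sh jpda start
#                     ss -ltn | grep ':8000'     # must show 127.0.0.1:8000, not 0.0.0.0:8000
# On the workstation: ssh -L 8000:127.0.0.1:8000 user@server
#                     then attach the NetBeans debugger to localhost:8000.

demo=$(mktemp -d); mkdir -p "$demo/bin"
write_setenv_jpda "$demo" && cat "$demo/bin/setenv.sh"
```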

Tomcat 7 JDBC Connection Pooler Configuration


Tomcat 7.0.40 has an issue running the standard connection pool. Following the Apache tutorial can lead to an error:

The solution is to name a different factory in your resource definition, so that Tomcat no longer picks the default one.

/META-INF/context.xml

/WEB-INF/web.xml

This should resolve the issue of Tomcat selecting the wrong factory for connection pooling.
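The following is an added example, not the files from the original post: a small deployment helper that writes the two files above into an exploded webapp, using the Tomcat JDBC pool factory (org.apache.tomcat.jdbc.pool.DataSourceFactory, shipped in lib/tomcat-jdbc.jar) as the explicit factory rather than Tomcat 7's default DBCP factory. The JNDI name, MySQL URL and credentials are placeholders. Since the database password ends up in context.xml in clear text, the file is restricted to the tomcat user, and values that would break the XML (or smuggle extra attributes into it) are refused rather than escaped.

```shell
#!/bin/sh
# Added example, not the post's own files: drop a JNDI DataSource into an
# exploded webapp using the Tomcat JDBC pool factory
# (org.apache.tomcat.jdbc.pool.DataSourceFactory, from lib/tomcat-jdbc.jar)
# instead of the default DBCP factory. JNDI name, MySQL URL and credentials are
# placeholders. The password lands in context.xml in clear text, so the file is
# restricted to the tomcat user, and values that would break the XML are refused.

write_jdbc_resource() {   # write_jdbc_resource WEBAPP_DIR JNDI_NAME JDBC_URL DB_USER DB_PASSWORD
    app=$1; name=$2; url=$3; user=$4; pass=$5
    case "$name$url$user$pass" in
        *['"<&']*) echo "refusing: a value contains a character that needs XML escaping" >&2; return 1 ;;
    esac
    if [ -e "$app/WEB-INF/web.xml" ]; then
        echo "refusing: $app/WEB-INF/web.xml exists, merge the <resource-ref> by hand" >&2
        return 1
    fi
    mkdir -p "$app/META-INF" "$app/WEB-INF"
    cat > "$app/META-INF/context.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <!-- factory selects tomcat-jdbc; without it Tomcat 7 falls back to DBCP -->
  <Resource name="$name" auth="Container" type="javax.sql.DataSource"
            factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
            driverClassName="com.mysql.jdbc.Driver"
            url="$url" username="$user" password="$pass"
            maxActive="20" maxIdle="5" maxWait="10000"
            validationQuery="SELECT 1" testOnBorrow="true"/>
</Context>
EOF
    chmod 0640 "$app/META-INF/context.xml"   # readable by the tomcat user/group only
    cat > "$app/WEB-INF/web.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <resource-ref>
    <description>Application database</description>
    <res-ref-name>$name</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>
EOF
}
# The application then looks the pool up as java:comp/env/<JNDI_NAME>.

app=$(mktemp -d)
write_jdbc_resource "$app" jdbc/TestDB "jdbc:mysql://localhost:3306/test" app_user 'db-password' \
    && echo "wrote $app/META-INF/context.xml and $app/WEB-INF/web.xml"
```

A JDBC URL with query parameters joined by `&` is refused by the guard; write it as `&amp;` yourself and pass it through after checking the result, since the point of the guard is that nothing untrusted is spliced into an XML attribute.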