July 22, 2017

Apache Tomcat non-root privilege hardening configuration

[root@www_cluster1 ~]# cd /data/
[root@www_cluster1 data]# chown -R root.opsuser apache-tomcat-7.0.79/
[root@www_cluster1 data]# cd apache-tomcat-7.0.79/
[root@www_cluster1 apache-tomcat-7.0.79]# chmod -R g+w logs/ temp/ work/ webapps/
[root@www_cluster1 apache-tomcat-7.0.79]# chmod -R g+r conf/*
[root@www_cluster1 apache-tomcat-7.0.79]#
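As an added example (not part of the original post), the script below builds a throwaway copy of the Tomcat 7 directory layout, applies the same chmod split as above (group write only on logs/, temp/, work/ and webapps/, group read on conf/), and then audits the result so the hardening is verified rather than assumed. The directory tree and file names are constructed here; the chown to root:opsuser is left out because it needs root and an existing opsuser group, and the audit assumes umask 022 and a POSIX find(1).

```shell
#!/bin/sh
# Added example, not from the original post: build a constructed Tomcat-like
# tree, apply the post's group-write / group-read split, then audit it.

# Create a minimal tree mirroring apache-tomcat-7.0.79/ (constructed data)
make_demo_tomcat() {
  home="$1"
  for d in bin conf lib logs temp work webapps/ROOT; do
    mkdir -p "$home/$d"
  done
  : > "$home/bin/catalina.sh"
  : > "$home/conf/server.xml"
  : > "$home/conf/tomcat-users.xml"
  : > "$home/webapps/ROOT/index.jsp"
  : > "$home/logs/catalina.out"
}

# The post's hardening: runtime directories writable by the service group,
# configuration readable by it. (chown -R root:opsuser omitted: needs root.)
harden_tomcat_tree() {
  home="$1"
  chmod -R g+w "$home/logs" "$home/temp" "$home/work" "$home/webapps"
  chmod -R g+r "$home/conf"
}

# Count entries under bin/, conf/ and lib/ that are group- or world-writable.
# Non-zero means the unprivileged Tomcat account (or anyone in its group)
# could rewrite the startup scripts, server.xml or class files.
count_writable_static() {
  home="$1"
  find "$home/bin" "$home/conf" "$home/lib" \( -perm -020 -o -perm -002 \) \
    | wc -l | tr -d ' '
}

# Count entries under the runtime directories that the group cannot write.
# Non-zero means Tomcat would fail to write logs, compile JSPs, or deploy.
count_unwritable_runtime() {
  home="$1"
  find "$home/logs" "$home/temp" "$home/work" "$home/webapps" ! -perm -020 \
    | wc -l | tr -d ' '
}

# Count anything world-writable in the whole tree (should always be zero).
count_world_writable() {
  home="$1"
  find "$home" -perm -002 | wc -l | tr -d ' '
}

umask 022
DEMO_HOME="$(mktemp -d)/apache-tomcat-7.0.79"
make_demo_tomcat "$DEMO_HOME"
harden_tomcat_tree "$DEMO_HOME"
echo "group/other-writable under bin,conf,lib : $(count_writable_static "$DEMO_HOME")"
echo "group-unwritable under runtime dirs     : $(count_unwritable_runtime "$DEMO_HOME")"
echo "world-writable anywhere                 : $(count_world_writable "$DEMO_HOME")"
```

Running the three count functions against a real CATALINA_HOME after the chown/chmod steps gives a quick regression check: all three should print 0, and a later deploy or hotfix that loosens conf/ or bin/ shows up as a non-zero first count.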
June 9, 2016

1. Install the JDK


[root@localhost ~]# yum install jdk-7u80-linux-x64.rpm


[root@localhost ~]# java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)
[root@localhost ~]#

2. Run Tomcat

[root@localhost ~]# tar xzf apache-tomcat-7.0.69.tar.gz
[root@localhost ~]# mv apache-tomcat-7.0.69 /usr/local/
[root@localhost ~]# cd /usr/local/apache-tomcat-7.0.69/bin/
[root@localhost bin]# ./startup.sh
Using CATALINA_BASE: /usr/local/apache-tomcat-7.0.69
Using CATALINA_HOME: /usr/local/apache-tomcat-7.0.69
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-7.0.69/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/apache-tomcat-7.0.69/bin/bootstrap.jar:/usr/local/apache-tomcat-7.0.69/bin/tomcat-juli.jar
Tomcat started.
[root@localhost bin]#

Check the listening ports


Access the page

3. Provide monitoring with jstatd

Create a new security policy configuration file.
Change to the directory containing the jstatd command.


[root@localhost bin]# vi jstatd.all.policy
grant codebase "file:${java.home}/../lib/tools.jar" {
 permission java.security.AllPermission;
};

Fix the hostname-to-IP mapping in the local hosts file

[root@localhost ~]# hostname -i
127.0.0.1 127.0.0.1
[root@localhost ~]#

Edit the hosts file as follows:

#127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.95 localhost localhost.localdomain

Confirm again:

[root@localhost ~]# hostname -i
192.168.2.95
[root@localhost ~]#

Start the jstatd service:
Use -p to specify the port; the default is TCP/1099.
Use -J-Djava.rmi.server.logCalls=true to enable RMI call logging.
Use -J-Djava.rmi.server.hostname=192.168.2.95 to specify the host IP address.

[root@localhost ~]# cd /usr/java/jdk1.7.0_80/bin/
[root@localhost bin]# ./jstatd -J-Djava.security.policy=jstatd.all.policy -J-Djava.rmi.server.logCalls=true -p 11099

Reference (quoted):

Using Internal RMI Registry

This example demonstrates starting jstatd with an internal RMI registry. This example assumes that no other server is bound to the default RMI Registry port (port 1099).
jstatd -J-Djava.security.policy=all.policy

Enabling RMI logging capabilities.

This example demonstrates starting jstatd with RMI logging capabilities enabled. This technique is useful as a troubleshooting aid or for monitoring server activities.
jstatd -J-Djava.security.policy=all.policy -J-Djava.rmi.server.logCalls=true

-p port    Port number where the RMI registry is expected to be found, or, if not found, created if -nr is not specified.

 

Connect to the jstatd host with VisualVM


4. Provide monitoring with JMX

Modify catalina.sh and restart the Tomcat service

Setting Xms equal to Xmx, and PermSize equal to MaxPermSize, avoids the application pauses caused by growing and shrinking the heap, so users get a smooth experience when accessing the web site or application.

[root@localhost ~]# cd /usr/local/apache-tomcat-7.0.69/bin/
[root@localhost bin]# vi catalina.sh

JAVA_OPTS="-Xms256m -Xmx256m -XX:PermSize=128m -XX:MaxPermSize=128m"

CATALINA_OPTS="-Djava.rmi.server.hostname=192.168.2.95 \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8081 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false"

Restart Tomcat and confirm the port is listening

[root@localhost bin]# ./startup.sh
Using CATALINA_BASE: /usr/local/apache-tomcat-7.0.69
Using CATALINA_HOME: /usr/local/apache-tomcat-7.0.69
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-7.0.69/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/apache-tomcat-7.0.69/bin/bootstrap.jar:/usr/local/apache-tomcat-7.0.69/bin/tomcat-juli.jar
Tomcat started.
[root@localhost bin]# netstat -ltn |grep 8081
tcp 0 0 :::8081 :::* LISTEN
[root@localhost bin]#
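The CATALINA_OPTS above turn off both TLS and authentication on the JMX port, so anything that can reach TCP/8081 can read and invoke every MBean in the JVM. As an added example (not part of the original post), the script below places that weak option string next to a hardened variant (password and access files, TLS on, RMI data port pinned so a firewall rule can cover it) and adds two small checks: one that flags the weak settings in an option string, and one that confirms the password file is readable only by its owner, which the JVM requires before it will start. The file contents and the 8082 data port are constructed; the conf/ path is the post's own Tomcat directory and the system properties are the standard com.sun.management.jmxremote.* ones.

```shell
#!/bin/sh
# Added example, not from the original post: weak vs hardened JMX options,
# plus checks a reviewer or deploy script can run against catalina.sh values.

# Weak (the post's setting): no TLS, no authentication on the JMX port.
WEAK_CATALINA_OPTS="-Djava.rmi.server.hostname=192.168.2.95 \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8081 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false"

# Hardened: authentication via password/access files, TLS on, and the RMI
# data port pinned (8082 is a constructed choice) instead of a random port.
HARDENED_CATALINA_OPTS="-Djava.rmi.server.hostname=192.168.2.95 \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8081 \
-Dcom.sun.management.jmxremote.rmi.port=8082 \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/usr/local/apache-tomcat-7.0.69/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/usr/local/apache-tomcat-7.0.69/conf/jmxremote.access"

# Print one line per weak setting found in a JVM option string.
# Prints nothing when remote JMX is not enabled at all.
jmx_opts_issues() {
  opts="$1"
  case "$opts" in *-Dcom.sun.management.jmxremote.port=*) ;; *) return 0 ;; esac
  case "$opts" in *jmxremote.authenticate=false*) echo "authentication disabled" ;; esac
  case "$opts" in *jmxremote.ssl=false*)          echo "TLS disabled" ;; esac
  case "$opts" in *jmxremote.rmi.port=*) ;; *)    echo "RMI data port not pinned" ;; esac
}

# Number of issues found (0 = nothing flagged).
jmx_opts_issue_count() {
  jmx_opts_issues "$1" | wc -l | tr -d ' '
}

# "yes" if the file is accessible only by its owner (mode 600 or stricter),
# "no" if group or others have any permission bit set. Uses ls -l columns
# 5-10 (group and other bits) so it works with both GNU and BSD userland.
password_file_restricted() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    "------") echo yes ;;
    *)        echo no ;;
  esac
}

# Constructed password/access files in a temp dir (not a real deployment).
DEMO_DIR="$(mktemp -d)"
printf 'monitorRole REPLACE_WITH_A_STRONG_PASSWORD\n' > "$DEMO_DIR/jmxremote.password"
printf 'monitorRole readonly\n' > "$DEMO_DIR/jmxremote.access"
chmod 600 "$DEMO_DIR/jmxremote.password"

echo "weak opts     : $(jmx_opts_issue_count "$WEAK_CATALINA_OPTS") issue(s)"
jmx_opts_issues "$WEAK_CATALINA_OPTS"
echo "hardened opts : $(jmx_opts_issue_count "$HARDENED_CATALINA_OPTS") issue(s)"
echo "password file restricted: $(password_file_restricted "$DEMO_DIR/jmxremote.password")"
```

With the hardened options VisualVM still connects to 192.168.2.95:8081, but it is prompted for the monitorRole credentials and the connection is encrypted; the readonly entry in jmxremote.access is enough for the memory, thread and GC views and keeps MBean operations out of reach of the monitoring account.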

Connect to the host with VisualVM (over JMX)

