Notes on Setting up Tomcat 9 on Java 11 (AdoptOpenJDK) on Ubuntu 16.04 Alongside Tomcat 8 on Java 8

As the title says, these are my notes on installing Tomcat 9 on Ubuntu Linux 4.4.0-89-generic (Xenial, 16.04LTS), running on Java 11 from AdoptOpenJDK to run in parallel with an existing Tomcat 8 installation running on Java 8.

Follow the instructions at AdoptOpenJDK.net, except for Java whatever-version-you-want. You're basically adding a new repository to apt, and from then on, it should be pretty easy to keep it up to date (if the EC2 instance doesn't automaticaly keep itself up to date).

2023: Installed Amazon Corretto via apt.

When installing via apt, tomcat9 seems to land in:

• /etc/tomcat9
• /etc/default/tomcat9 (shell variables)
• /etc/logrotate.d/tomcat9
• /lib/systemd/system/tomcat9.service (Q: so, no need for explicit systemd config shown below? A: apparently not. The only thing I had to do was modify /etc/default/tomcat9 to set JAVA_HOME=/usr after installing Corretto.) – Looks like this one sets
  • CATALINA_HOME to /usr/share/tomcat9, but
  • CATALINA_BASE to /var/lib/tomcat9.
• /usr/share/tomcat9
• /usr/share/tomcat9-root
• /var/lib/tomcat9

(2025: See 2025 Restart (Update) to learn about copying files from your local machine using scp. That way you can download with a nice web browser on your local machine and you don't have to install elinks or whatever on the VM.)

Not available via apt. At least, not without adding another repository from somewhere (Apache?).

Downloaded with wget:

ip-172-30-0-82$ pwd
/home/ubuntu/Downloads

ip-172-30-0-82$ wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.31/bin/apache-tomcat-9.0.31.tar.gz

sudo groupadd tomcat
sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat      # Choose the right home directory.

Note that home directory should probably be updated if you ever update tomcat, since it'll probably be version-specific.

I chown'd the /opt directories (tomcat + docs) to tomcat:tomcat recursively. I guess we'll see in future whether some of that stuff should have remained owned by root.

Into /usr/share/apache-tomcat-9.0.31

2025: note that Ubuntu 24.04 seems to come (from Amazon, at least) with an empty /opt directory, so that's what I used.

See:

• https://www.hostinger.com/tutorials/how-to-install-tomcat-on-ubuntu/

For the above instruction, I modified systemd service unit pathnames to match actual pathnames on the system.

(service unit: /etc/systemd/system/tomcat.service.)

I also modified the path for security to /dev/urandom, because that entry seems to exist on my system.

<2025-02-02 Sun 17:56> Current status: systemd service unit configured but won't start. Need to diagnose. Possibly need to point to jdk instead of jre (/usr/lib/jvm/java-17-amazon-corretto, maybe?)

<2025-02-03 Mon 18:30> Actually, I just needed to point JAVA_HOME to /usr instead of /usr/bin.

A key thing is the JAVA_OPTS environment variable, which was royally screwed up in the above hostinger page:

Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:///dev/urandom'

Not super hard. Your basic goal is to set the environment variables JAVA_HOME and CATALINA_HOME (at least) before firing up the supplied startup scripts. I basically copied my tomcat8 /etc/default script to a tomcat9 version and tinkered a bit.

2023: This section and the next (init) are replaced by a SystemD service file (2023: systemd).

• CLOSING NOTE [2023-09-04 Mon 15:18]
  Purged everything and re-installed via apt, paying attention to where everything went. After that, it turns out we don't need a systemd service unit (at least, not one we have to create ourselves) and we don't (yet) need to worry about server.xml, since it seems to have been configured properly already. See the section above on installing with apt.

Now that we've gotten the thing to start we need to it to not fail. It's looking for server.xml with path /usr/share/tomcat9/conf/server.xml, because CATALINA_HOME (configured for systemd) is /usr/share/tomcat9.

Looks I'll need to create a new security group that allows those ports, and then apply that group to the EC2 instance in question.

So: AWS Console | EC2 | Network & Security | Security Groups

Looks like there's something called "quicklaunch-1" that has what we want (plus another port, 9990, for whatever reason – is that a common experimental port?). Unfortunately, I can't attach it to the existing network interface for my instance. I guess I'd have to create a new network interface, but then I worry that my IP address would change and drive dyndns nuts (my DNS provider, dyn.com)

So, I just looked at my EC2 instance to see what networking security group was currently configured, and it turns out I can edit that group on the fly, and it works.

/docs is, by default, only accessible from localhost.

The access-denied error pages returned when I tried to access /docs in the browser were actually helpful.

• Allow access from the web at large:
  • Edit webapps/docs/META-INF/context.xml and comment out the Valve element that filters on remote address.

This worked without restarting anything. I guess Tomcat is monitoring these files for changes.

Looks like I need to enable access to the manager app, according to Google's AI Does not appear correct or helpful.

• Configure user with manager-gui role. This role is built in, so I didn't need to add the role itself, just a user having the role.
  • Edit conf/tomcat-users.xml to add a user with manager-gui access.

Update context.xml for two webapps:

• manager (For Tomcat 9, requires manager-gui role assigned to user in /conf/tomcat-users.xml)
• host-manager (For Tomcat 9, requires admin-gui role assigned to user in /conf/tomcat-users.xml)

Which, in my initial naive install, are in /usr/share/apache-tomcat-9.0.31/webapps (in their respective META-INF subdirectories).

Just comment out the following lines in each:

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

(Yikes! Regular expressions! Well, I guess it's better against IP addresses than domain names.)

2025: Looks like authbind is still the way to go. It lives in package authbind, which you'll need to install.

Problems with authbind. Maybe put all tomcat users (8,9) in a "tomcat" group, and assign that group permission to open low-numbered ports via authbind?

Need to figure this out for tomcat9. Tomcat8 not having any trouble.

Need to adjust Connector setting in conf/server.xml. Different port. Maybe copy the existing element, comment it out, and make changes on the copy.

So, there's this thing called update-rc.d, and it writes all the /etc/rcN.d scripts, where N is a Unix "run level", given to the init command when the system starts up or shuts down.

Run levels are documented here: https://en.wikipedia.org/wiki/Runlevel, but really, there's not a lot to know. The rc/N/.d scripts run when leaving a run level and entering a new one.

So, for example, when booting from power-off straight into run level 3 (normal multiuser w/no GUI), all the startup scripts in rc3.d will be run.

When running at run level 3, if somebody shuts down the system (run level 0), all the shutdown scripts in rc3.d will be run, and then all the startup scripts in rc0.d will be run (there probably won't be any).

It does get a little complicated when services depend on each other (like, say, a web server like Tomcat would depend on networking services being up; otherwise, what's the point?).

So, you can write an init script and put some header info in to specify when it should run, and hand it off to update-rc.d, which then populates the various rc/N/.d directories.

This is what's done in the javabirder site mentioned in Configure init, above.

Header info is as follows:

#!/bin/bash
### BEGIN INIT INFO
# Provides: tomcat9
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/Stop Tomcat server
### END INIT INFO

So, we need the network to be up if the web server will be up (duh), and we'll run it all the multi-user run levels. (Not sure why we run it at runlevel 2, which is explicitly a "no network", but oh well. We'll probably never use that run level anyway.)

And, we'll stop it at run levels 0, 1, and 6.

When we run it, we get this:

ip-172-30-0-82# sudo update-rc.d -n tomcat9 defaults
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc0.d/K01tomcat9
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc1.d/K01tomcat9
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc2.d/S01tomcat9
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc3.d/S01tomcat9
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc4.d/S01tomcat9
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc5.d/S01tomcat9
insserv: enable service ../init.d/tomcat9 -> /etc/init.d/../rc6.d/K01tomcat9
insserv: dryrun, not creating .depend.boot, .depend.start, and .depend.stop

…and when we reboot the system, Tomcat 9 comes back up! (Eventually.)

Need to edit /etc/tomcat9/tomcat-users.xml to include a user having both the above roles.