Configuring Tomcat

The INUBIT software uses Tomcat.

The following table provides an overview of several configuration options:

What? Where?

Servlet configuration

<inubit-installdir>/inubit/server/process_engine/webapps/ibis/WEB-INF/web.xml

Changing JVM memory (Process Engine)

<inubit-installdir>/inubit/server/process_engine/bin/setenv.[bat|sh]

`set JAVA_PARAMS=-Xmx2048M`

Configuring log file Tomcat logs into the file

<inubit-installdir>/inubit/server/process_engine/logs/catalina.out resp. *.log.

Linux only

This log file does not rotate, it grows without limit and can thus cause problems. In order to define a maximum size for the log file and let it rotate, use the cronolog tool.

Deactivating the automatic stopping of the Process Engine

The INUBIT Process Engine recognizes errors while it is shut down and stops the process correctly if necessary.

By default, this behavior is activated, but it can be deactivated using the Workbench (Administration > General Settings > Administration > Server > Stop system process if necessary).

Deactivating this option makes sense if the INUBIT Process Engine’s status should be monitored and controlled by custom-specific script solutions.

Once Tomcat was started the INUBIT Process Engine’s current process ID is written to the file <inubit-installdir>/inubit/server/process_engine/bin/catalina.pid.

In external scripts, this ID can be used to recognize the INUBIT Process Engine’s status:

  • Linux

    ps aux | grep | cat catalina.pid
  • Windows

    `tasklist /FI "PID eq <PID>"`

Annotation

In order to be able to access URLs (e.g. via browser) within the Tomcat, i.e. an application located in the Tomcat (such as INUBIT), these are secured with credentials. Since all calls run through the Tomcat, they are also secured at this level.

When a URL is called, Tomcat resolves all configured roles accordingly and only allows access to these configured roles with the stored credentials. By default, the credentials are stored in the tomcat‑users.xml file.

Example implementation within the INUBIT default installation

  • Tomcat server.xml

    A so-called Realm is defined, which contains the users and passwords. The Realm points to the file tomcat‑users.xml. You can also change it later, refer to https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html.

  • INUBIT web.xml

    Example: Role ibisaccess is allowed to access the resource List Web Services Servlet.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>List Web Services Servlet</web-resource-name>
            <url-pattern>/listServices</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ibisaccess</role-name>
        </auth-constraint>
    </security-constraint>

    This procedure applies to any application within the Tomcat. One or more role names can be referenced that should have access to this resource.

  • INUBIT tomcat-users.xml

    Example: User root for role ibisaccess

    <tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0">
        <role rolename="ibisaccess"/>
        <user username="root" password="myPassword" roles="ibisaccess"/>
    </tomcat-users>

When calling the resource https://<server>:<port>/ibis/listServices the username root and password myPassword are valid credentials and will be allowed through. All other credentials are rejected and the content of the resource is not displayed.

If you add further applications in Tomcat, e.g. Tomcat Manager, AS4 Gateway and define further URLs with role reference in the web.xml of the respective application, it acts the same.