Adding a User to Tomcat

30 minutes
  • 6 Learning Objectives

About this Hands-on Lab

Welcome to this hands-on lab for adding users to Tomcat 9 using Red Hat Enterprise 8. Apache’s Tomcat is a Java based application platform built around deploying and managing Java Web Applications.

This lab focuses on adding new users to an existing Tomcat environment. The server provided is Red Hat Enterprise 8, and has Tomcat 9 preinstalled for you (available on port **8080**).

You will log into the server and add a user that uses digest authentication to validate that the password is correct.

You will need to edit the `server.xml` file

Once you create the SHA-512 key, you will need to change the `tomcat-users.xml` file to make use of it.

Then you will need to confirm that everything works by logging into the server as that user.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Test to Ensure You Can Access the Preconfigured Tomcat Instance, Using the Server’s Public IP Address and Port 8080

It may take from 3 to 10 minutes after the hands-on lab has started before you can access the Tomcat server on Port 8080.

To access the server, visit the external IP address and test in a web browser on port 8080.

For example, if the IP address shown was then you would put the following URL into your web browser:

Log into the Server Console to Perform the Required Tasks

Ensure you can log into the provided server.

Change the Tomcat Server so It Uses Digest Authentication

Change to the /usr/local/tomcat9 folder and edit the conf/server.xml:

Find the following lines:

 <Realm className="org.apache.catalina.realm.UserDatabaseRealm"

Replace them with the this:

 <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-512" />

Save the file and exit.

You Will Need to Create the SHA-512 Key with the Password of Your Choice

From the tomcat folder, run the bin/digest command with appropriate options:

  • If the password is PenguinTemp61 then the following command would generate the hash:
    ./bin/ -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler PenGuinTemp88

Copy the generated hash to the clipboard. It will be used later.

NOTE: Your password will be echoed back to you as part of the returned response. Don’t copy the password or the :, just the long string of numbers.

You Will Need to Change the tomcat-users.xml File to Make Use of the Password Hash You Generated

Edit the conf/tomcat-users.xml file and replace the plain text password with the hash you copied earlier.

Be careful to only replace the old password that’s inside the quotes (""). Leave the rest of the entry as is. If you have problems logging into the GUI after the change then check to make sure the formatting of that line of user information is correct.

Since changes were made to the server.xml you will need to restart the Tomcat server:

sudo systemctl restart tomcat
Test That the New User Works by Using It to Log into the Server

Go to the Tomcat server in your web browser by going to the public IP address of the server and appending :8080 to it.

Then go to the Manager App in the GUI. You should get a username and password prompt. Enter the username and password.

You should be able to log in.

If you are unable to log in. Troubleshoot the changes that were made.

Additional Resources

Your manager heard about digest authentication for use with Tomcat users, and has asked you to set up a test system.

You have a server that is already configured, and you have been tasked with doing what is required to get this system up and running.

You will make changes to the Tomcat server as required to enable the use of a SHA-512 key instead of a plain text password.

Perform the tasks as described in the lab's Learning Objectives.

A successful hands-on lab will have you able to log into the Tomcat GUI using your new user and password.

NOTE: It may take 3 to 10 minutes after the hands-on lab has started before you are able to log into the server. This is fine and will not affect the performance of the tasks for the hands-on lab.

Logging In

Use the credentials provided on the hands-on lab overview page, and use SSH to log into the provided server as cloud_user. Note that this is for connecting to the server, not the Tomcat GUI.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?