Configuring Tomcat for BMC AMI Ops Console Management
BMC AMI Ops Console Management provides you with a customized version of the Apache Tomcat (Tomcat) web server for the best possible out-of-the-box experience. BMC AMI Ops Console Management requires Tomcat for configuration and operator usage.
If you would like to provide your own version of Apache Tomcat, see Providing your own Apache Tomcat.
As delivered, Apache Tomcat includes documentation, sample applications, and a management application. These components are not required and have been removed for use with BMC AMI Ops Console Management. Also, the default Tomcat configuration does not include an encrypted HTTPS configuration. By default, this product enables an encrypted HTTPS connector and disables the unencrypted HTTP connector.
Overriding network configuration
The TCP/IP settings used by Tomcat can be overridden in the $AMICM_HOME/iocinst/tomcat/connector.cfg file if needed. The following table describes what can be overridden:
| Name | Default value | Description |
|---|---|---|
| MVCM_HTTP_PORT | 80 | The port Tomcat uses for HTTP connections, if the unencrypted connector is enabled (see below). |
| MVCM_HTTPS_PORT | 443 / 1443 for non-root installer | The port Tomcat uses for encrypted HTTPS connections. |
| MVCM_LISTEN_ADDR | 0.0.0.0 | The IP address Tomcat uses for incoming connections. The default 0.0.0.0 instructs Tomcat to accept connections on all network addresses. |
| MVCM_SHUTDOWN_PORT | 8005 | The port Tomcat listens on for shutdown commands. This may be set to -1 as a security precaution. |
Below is a sample connector.cfg file:
MVCM_SHUTDOWN_PORT=-1
MVCM_LISTEN_ADDRESS=192.168.240.23
The connector.cfg file is external to the main Tomcat directories, and it is included in saved configurations. This means that the configuration settings are not overwritten by an upgrade.
Enabling unencrypted HTTP
The unencrypted HTTP connector configuration is saved in the file .../iocinst/config/tomcat/http-connector.xml. This file is included as an XML reference to the Tomcat server.xml configuration file. This file is required and is provided when the product is installed.
Starting from Fix pack version 4.2.04, the unencrypted HTTP connector is disabled. This is accomplished by leaving the http-connector.xml file empty.
If you want to enable unencrypted access, add a connector element to http-connector.xml as follows:
<Connector port="${com.bmc.mvcm.http.port}" protocol="HTTP/1.1"
           connectionTimeout="20000"
           socket.soKeepAlive="true"
           redirectPort="${com.bmc.mvcm.https.port}" />
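The following Python sketch is an added example, not part of the product or of the vendor's documentation. It audits the contents of the two files described above, connector.cfg and http-connector.xml, and reports settings that leave the shutdown port, the all-addresses listener, or unencrypted HTTP in effect. The function names, the handling of `#` comment lines, and the sample inputs are assumptions made for illustration.

```python
import re

# Override names and defaults taken from the table on this page.
DEFAULTS = {
    "MVCM_HTTP_PORT": "80",
    "MVCM_HTTPS_PORT": "443",  # 1443 for a non-root installer
    "MVCM_LISTEN_ADDR": "0.0.0.0",
    "MVCM_SHUTDOWN_PORT": "8005",
}

def parse_cfg(text):
    """Parse NAME=value lines. Skipping blank lines and '#' comments is an assumption."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings

def audit(cfg_text, http_connector_xml):
    """Return a list of findings for connector.cfg and http-connector.xml contents."""
    findings = []
    settings = parse_cfg(cfg_text)
    # A name outside the table may be a typo that leaves the default in effect.
    for name in sorted(set(settings) - set(DEFAULTS)):
        findings.append(f"{name}: not in the documented override table, check spelling")
    effective = {**DEFAULTS, **{k: v for k, v in settings.items() if k in DEFAULTS}}
    if effective["MVCM_SHUTDOWN_PORT"] != "-1":
        findings.append(f"shutdown port {effective['MVCM_SHUTDOWN_PORT']} is active, set MVCM_SHUTDOWN_PORT=-1")
    if effective["MVCM_LISTEN_ADDR"] == "0.0.0.0":
        findings.append("Tomcat accepts connections on all network addresses (0.0.0.0)")
    # An empty http-connector.xml means HTTP is disabled; ignore commented-out elements.
    body = re.sub(r"<!--.*?-->", "", http_connector_xml, flags=re.DOTALL)
    if re.search(r"<Connector\b", body):
        findings.append("http-connector.xml defines a Connector: unencrypted HTTP is enabled")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real installation.
    sample_cfg = "# constructed sample\nMVCM_SHUTDOWN_PORT=-1\nMVCM_LISTEN_ADDR=192.0.2.10\n"
    sample_http = '<Connector port="${com.bmc.mvcm.http.port}" protocol="HTTP/1.1" />'
    for finding in audit(sample_cfg, sample_http):
        print("FINDING:", finding)
```
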
Advanced configurations
The provided server.xml file should not be modified, because future upgrades overwrite this file and you would need to reapply your changes after each upgrade. Advanced configurations may be achieved by providing your own server.xml file and placing it in .../iocinst/tomcat/server.xml. The Tomcat startup scripts automatically use this configuration file if it is present.
For example, if you want to require client certificates, copy the provided server.xml to .../iocinst/tomcat/server.xml and update the Connector element to include the required attributes as follows:
<Connector
    SSLEnabled="true"
    maxThreads="150"
    port="1234"
    compression="on"
    socket.soKeepAlive="true"
    scheme="https"
    protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig
      protocols="TLSv1.2+TLSv1.3"
      certificateVerification="required"
      truststoreFile="path to your trust store"
      truststorePassword="your trust store password"
      ciphers="HIGH:!aNULL:!RC4:!MD5:!kRSA:@STRENGTH">
    <Certificate
        certificateKeyAlias="tomcat"
        certificateKeystoreFile="${com.bmc.zso.amicm.env.basedir}/tomcat/iockeystore.jks"
        certificateKeystorePassword="keystore password"
        certificateKeystoreType="PKCS12"
        type="RSA"/>
  </SSLHostConfig>
</Connector>
Additional configurations are available. For more information, see the Apache Tomcat documentation.