...
```
apt install --no-install-recommends default-jdk-headless tomcat9 \
    vim less openssl unzip curl expat multitail gnupg net-tools
systemctl stop tomcat9
```
...
Tip

In case you're replacing an expiring TLS certificate where the matching private key is still considered to be secure and of sufficient strength (in 2024 CE, for RSA keys that means a key size of at least 2048 bits), you may want to keep using the existing private key (and PKCS#12 keystore passphrase) and generate the CSR from that key.
When asked to "Enter Import Password" supply the existing Then generate a CSR from the extracted private key, either by supplying the necessary data (at least the subject) on the command line or by entering any data interactively when being prompted for it (when not adding
When asked to "Enter pass phrase for webserver.key" again provide the passphrase from the previous steps. The content of webserver.csr is what you provide to your CA then, e.g. via
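One way to script the key reuse described in this tip, as an added example that is not part of the original page: it extracts the key from the keystore, refuses to reuse it unless it is an RSA key of at least 2048 bits, and only then writes the CSR. The function names, the arguments and the `KS_PASS` environment variable (used here in place of the interactive prompts) are assumptions; `webserver.key` and `webserver.csr` follow the names used above.

```shell
#!/bin/sh
# Added example (not from the original page): reuse the private key from an
# existing PKCS#12 keystore for a new CSR, but only if it is RSA >= 2048 bits.
# Assumption: the keystore passphrase is exported in KS_PASS, so no prompts appear.

MIN_RSA_BITS=2048   # minimum RSA key size named in the tip above

# Print the modulus size of an RSA private key file; prints nothing for
# non-RSA or unreadable keys.
rsa_key_bits() {
    openssl rsa -in "$1" -passin env:KS_PASS -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Usage: csr_from_keystore KEYSTORE.p12 SUBJECT [WORKDIR]
# Returns 0 on success, 1 on an openssl error, 2 if the key must not be reused.
csr_from_keystore() {
    keystore=$1
    subject=$2
    dir=${3:-.}

    # Extract only the private key; it stays encrypted with the same passphrase.
    # umask 077 keeps the key file unreadable for other users.
    ( umask 077
      openssl pkcs12 -in "$keystore" -nocerts -out "$dir/webserver.key" \
          -passin env:KS_PASS -passout env:KS_PASS 2>/dev/null ) || return 1

    bits=$(rsa_key_bits "$dir/webserver.key")
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "not reusing key (RSA bits: ${bits:-unknown}); generate a new one" >&2
        rm -f "$dir/webserver.key"
        return 2
    fi

    # Create the CSR from the extracted key, subject given on the command line.
    openssl req -new -key "$dir/webserver.key" -passin env:KS_PASS \
        -subj "$subject" -out "$dir/webserver.csr" || return 1
}
```

Call it as `KS_PASS=... csr_from_keystore keystore.p12 "/CN=idp.example.org"`, where the keystore name and subject are placeholders for your own values.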
...
```
rm -f /var/log/tomcat9/*
systemctl restart tomcat9
ls -l /var/log/tomcat9/
multitail /var/log/tomcat9/* -l 'journalctl -u tomcat9.service -f' # exit with 'q'
systemctl stop tomcat9
```
If you're certain there's no catalina.log file being generated anymore, you can also disable the default logrotate config snippet for it:
...
Debian's Tomcat comes with an almost-usable systemd service that needs to be amended in order to:
- Avoid the systemd-house-of-horror that's still all too common with Tomcat/Java packaging
- Avoid slow startup times due to use of a blocking /dev/random (cf. "Myths about urandom", also linked from the Shib wiki).
- Allow the IDP application to write logs and metadata to the filesystem as needed
- Try avoiding the creation of catalina.out (we already have its content in journald using this configuration)
...