TDS Installation Checklist for Production Security

Initial Installation

Install Java

1. Download and install the latest version of JDK 1.7

Tomcat Install

1. Create a dedicated user and group for running Tomcat who does not have root privileges. Modify the permissions in ${tomcat_home} to allow this user access to only the necessary parts of the Tomcat installation.
2. Download and install the latest version of Tomcat 7.
3. In ${tomcat_home}/bin create a setenv.sh shell script, and set the values of $JAVA_HOME, $JAVA_OPTS and $CATALINA_BASE:

       #!/bin/sh
       #
       ulimit -n 2048
       #
       CATALINA_HOME="/opt/tomcat-home"
       export CATALINA_HOME
       CATALINA_BASE="/opt/tomcat-home"
       export CATALINA_BASE
       JAVA_HOME="/opt/jdk"
       export JAVA_HOME
       #
       CONTENT_ROOT="-Dtds.content.root.path=/data/thredds/tds/content"
       NORMAL="-d64 -Xmx4090m -Xms512m -server"
       MAX_PERM_GEN="-XX:MaxPermSize=256m"
       HEADLESS="-Djava.awt.headless=true"
       JAVA_PREFS_SYSTEM_ROOT="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs -Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"
       #             
       JAVA_OPTS="$CONTENT_ROOT $NORMAL $MAX_PERM_GEN $HEADLESS $JAVA_PREFS_SYSTEM_ROOT"
       export JAVA_OPTS
         

4. Purchase a real certificate from a certificate authority, so users are not confused and question the legitimacy of your web site.
5. Make the following modifications to ${tomcat_home}/conf/server.xml:
• Enable digest passwords by commenting out the UserDatabaseRealm and enabling the MemoryRealm.
• Enable SSL by uncommenting the SSL Connector listening on port 8443, and add the required keystoreFile and keystorePass attributes.
• Enable compression by adding compression and compressableMimeType attributes to 8080 Connector.
• Enable access logging by uncommenting the AccessLogValve and change the prefix and suffix and pattern attributes.
6. Create a password digest using the ${tomcat_home}/bin/digest.sh script.
7. Make the following modifications to ${tomcat_home}/conf/tomcat-users.xml:
• Define the roles manager-gui and tdsConfig and tdsMonitor.
• Add yourself as a user with the roles manager-gui and tdsConfig using your digest password your created in step #6 above.
8. Make the following modifications to ${tomcat_home}/webapps/manager/WEB-INF/web.xml:
1. Make sure the manager is only available via SSL by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL inside the security-constraint element.
9. Remove any unused applications from ${tomcat_home}/webapps.

TDS Install

1. Download the latest thredds.war file, and put it into ${tomcat_home}/webapps.
2. Start/restart Tomcat so that it has a chance to create initial files in ${tomcat_home}/content/thredds.
3. Modify ${tomcat_home}/content/thredds/catalog.xml for your site, as in this example.
4. Modify  ${tomcat_home}/content/thredds/threddsConfig.xml for your site in the following manner:
• Add the needed information to the serverInformation element
• Enable any other optional services like WMS or WCS.
5. If needed, limit access to the TDS and create a robots.txt file in ${tomcat_home}/webapps/ROOT/ to restrict crawler activity.

Maintenance and Upgrades

Maintenance

Be sure to periodically check to make sure you are running the latest versions of Java, Tomcat and the TDS.

• If you have enabled access logging (and you should), zip up the unused access logs in ${tomcat_home}/logs/ and archive them off to another directory.
• Likewise, zip up the unused TDS servlet logs in ${tomcat_home}/content/thredds/logs and archive them as well.

Upgrading the TDS

When installing a new thredds.war, everything in ${tomcat_home}/webapps/ is overwritten. However, nothing in ${tomcat_home}/content/ is overwritten.

Use one of the following methods to deploying a new version of the TDS

• Tomcat manager application
• manual installation