TDS Installation Checklist for Production Security

Initial Installation

Install Java

  1. Download and install the latest version of JDK 1.7

Tomcat Install

  1. Create a dedicated user and group for running Tomcat who does not have root privileges. Modify the permissions in ${tomcat_home} to allow this user access to only the necessary parts of the Tomcat installation.
  2. Download and install the latest version of Tomcat 7.
  3. In ${tomcat_home}/bin create a shell script, and set the values of $JAVA_HOME, $JAVA_OPTS and $CATALINA_BASE:
        ulimit -n 2048
        export CATALINA_HOME
        export CATALINA_BASE
        export JAVA_HOME
        NORMAL="-d64 -Xmx4090m -Xms512m -server"
        JAVA_PREFS_SYSTEM_ROOT="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs -Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"
        export JAVA_OPTS
  4. Purchase a real certificate from a certificate authority, so users are not confused and question the legitimacy of your web site.
  5. Make the following modifications to ${tomcat_home}/conf/server.xml:
  6. Create a password digest using the ${tomcat_home}/bin/ script.
  7. Make the following modifications to ${tomcat_home}/conf/tomcat-users.xml:
  8. Make the following modifications to ${tomcat_home}/webapps/manager/WEB-INF/web.xml:
    1. Make sure the manager is only available via SSL by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL inside the security-constraint element.
  9. Remove any unused applications from ${tomcat_home}/webapps.

TDS Install

  1. Download the latest thredds.war file, and put it into ${tomcat_home}/webapps.
  2. Start/restart Tomcat so that it has a chance to create initial files in ${tomcat_home}/content/thredds.
  3. Modify ${tomcat_home}/content/thredds/catalog.xml for your site, as in this example.
  4. Modify  ${tomcat_home}/content/thredds/threddsConfig.xml for your site in the following manner:
  5. If needed, limit access to the TDS and create a robots.txt file in ${tomcat_home}/webapps/ROOT/ to restrict crawler activity.

Maintenance and Upgrades


Be sure to periodically check to make sure you are running the latest versions of Java, Tomcat and the TDS.

Upgrading the TDS

When installing a new thredds.war, everything in ${tomcat_home}/webapps/ is overwritten. However, nothing in ${tomcat_home}/content/ is overwritten.

Use one of the following methods to deploying a new version of the TDS