Unidata recommends performing the following tasks to prepare your system prior to installing the TDS.
Review The System Requirements
Consult the System Requirements before installation to ensure your server environment is compatible with running the TDS.
Purchase TLS Certificate From A Certificate Authority
The use of HTTPS has been the de facto standard for web traffic since Chrome and other browsers started denoting HTTP sites as “Not Secure”.
Unidata highly recommends the use of the HTTPS protocol with your TDS, and a certificate signed by a Certificate Authority (CA).
Create Dedicated Tomcat User And Group
Do Not Run Tomcat As The Super User
The JVM doesn’t fork at all, nor does it support setuid() calls.
The JVM, and therefore Tomcat, is one process.
The JVM is a virtual machine with many threads under the same process.
Because of OS constraints, all threads in the same JVM process must run under the same user id.
No thread may run as the root user unless they are all run as the root user.
Hence, any programs run in Tomcat (TDS, manager application, other JSPs and servlets) will run as the root user.
If you choose to run the Tomcat process as the root user, and an attacker manages to exploit a weakness in Tomcat or something running in ${tomcat_home}/webapps/ to run arbitrary commands, those commands will be run as the superuser!
We strongly discourage running Tomcat as the root user and recommend creating an unprivileged, dedicated user and group for running the Tomcat process.
Create A Dedicated User/Group For Running Tomcat
The following example shows creation of a dedicated user/group on a Linux system. (Windows and Mac OS users will need to consult their systems administrator regarding user/group creation for those operating systems.)
In this example, both the user and group will be named tomcat, and the user’s home directory, a.k.a. ${tomcat_home}, is /usr/local/tomcat.
Both the groupadd and useradd commands are run as the root user:
# groupadd tomcat
# useradd -g tomcat -d /usr/local/tomcat tomcat
You should see an entry for a tomcat group in your /etc/group file:
tomcat:x:2001:
And, something like the following in your /etc/passwd file:
tomcat:x:25945:2001::/usr/local/tomcat:/bin/bash
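The two sections above give both the reason (every thread in the JVM shares one user id) and the procedure (a dedicated tomcat user and group). The following shell script is an added example and is not part of the Unidata TDS documentation: it checks that the account created by groupadd/useradd is actually unprivileged (uid is not 0, primary gid matches the tomcat group, home is ${tomcat_home}) and reports which account a running Tomcat JVM is using. The /etc/passwd and /etc/group contents are constructed inline from the entries shown above so the check runs offline; the function names and the Bootstrap class pattern used to find the Tomcat process are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Unidata TDS docs: verify the dedicated Tomcat
# account is present and unprivileged, and see which user Tomcat runs as.
# Sample passwd/group text is CONSTRUCTED from the entries in the docs;
# on a real server pass "$(cat /etc/passwd)" and "$(cat /etc/group)" instead.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:25945:2001::/usr/local/tomcat:/bin/bash'

SAMPLE_GROUP='root:x:0:
tomcat:x:2001:'

# Print the gid of a group name found in /etc/group-style text.
# Usage: group_gid "<group text>" <name>   (exit 1 if the group is absent)
group_gid() {
    printf '%s\n' "$1" | awk -F: -v g="$2" \
        '$1 == g { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Validate the Tomcat user entry in /etc/passwd-style text: it must exist,
# must not be uid 0 (the superuser), must have the expected primary gid,
# and its home directory must be ${tomcat_home}.
# Usage: check_tomcat_user "<passwd text>" <user> <gid> <home>
check_tomcat_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v gid="$3" -v home="$4" '
        $1 == u {
            found = 1
            if ($3 == 0)    { print "FAIL: " u " has uid 0 (superuser)"; bad = 1 }
            if ($4 != gid)  { print "FAIL: " u " primary gid is " $4 ", expected " gid; bad = 1 }
            if ($6 != home) { print "FAIL: " u " home is " $6 ", expected " home; bad = 1 }
        }
        END {
            if (!found) { print "FAIL: no passwd entry for " u; exit 1 }
            if (bad) exit 1
            print "OK: " u " is an unprivileged account (gid " gid ", home " home ")"
        }'
}

# Report the effective user of a running Tomcat JVM. The Bootstrap class is
# the usual main class of a standard Tomcat launch (assumption of this
# example); an answer of "root" means the advice above is not being followed.
tomcat_process_user() {
    pid=$(pgrep -f 'org.apache.catalina.startup.Bootstrap' | head -n 1)
    [ -n "$pid" ] || { echo "no running Tomcat found"; return 1; }
    ps -o user= -p "$pid"
}

# Stand-alone run against the constructed sample; exit status 0 on success.
gid=$(group_gid "$SAMPLE_GROUP" tomcat) || exit 1
check_tomcat_user "$SAMPLE_PASSWD" tomcat "$gid" /usr/local/tomcat
```

On a server, run check_tomcat_user against the real /etc/passwd after useradd, and call tomcat_process_user after Tomcat is started to confirm the JVM is running under the tomcat account rather than root.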
Create Server Startup/Shutdown Scripts For Tomcat
Create the appropriate server startup and shutdown scripts for your server if you intend to run the TDS in a production environment.