TDS Installation Checklist for Production Security (Reference)

Initial Installation

Install Java

  1. Download and install the latest version of JDK 1.7

Tomcat Install

  1. Create a dedicated user and group for running Tomcat who does not have root privileges.
  2. As this user, download and install the latest version of Tomcat 7. You must use a version of Tomcat >= 7.0.43.
  3. In ${tomcat_home}/bin create a setenv.sh shell script, and set the values of JAVA_HOME, CATALINA_BASE and CONTENT_ROOT. Each of these has to be customized to your installation. For example:

    #!/bin/sh
    JAVA_HOME="/usr/local/tds/jdk1.7.0_60"
    export JAVA_HOME

    CATALINA_BASE="/usr/local/tds/apache-tomcat-7.0.42"
    export CATALINA_BASE

    # location of the TDS content directory, passed to Tomcat via CATALINA_OPTS below
    # (no space after the "=": in sh a space would make the shell try to run "-Dtds..." as a command)
    CONTENT_ROOT="-Dtds.content.root.path=/opt/tds-live/content"

    Also in setenv.sh, set CATALINA_OPTS, for example:

    # modify these if you wish, or use as is
    NORMAL="-Xmx4g -Xms512m -server"

    # no longer needed in Java 8
    MAX_PERM_GEN="-XX:MaxPermSize=256m"

    # just use these as specified
    HEADLESS="-Djava.awt.headless=true"
    JAVA_PREFS="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs -Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"

    CATALINA_OPTS="$NORMAL $CONTENT_ROOT $MAX_PERM_GEN $HEADLESS $JAVA_PREFS"
    export CATALINA_OPTS

    (You can use JAVA_OPTS instead of CATALINA_OPTS, but JAVA_OPTS is used for any Java program, and CATALINA_OPTS is only used by Tomcat.)
  4. Purchase a real certificate from a certificate authority, so users are not confused and question the legitimacy of your web site.
  5. Make the following modifications to ${tomcat_home}/conf/server.xml:
    • Enable digest passwords by commenting out the UserDatabaseRealm and enabling the MemoryRealm.
    • Enable SSL by uncommenting the SSL Connector listening on port 8443, and add the required keystoreFile and keystorePass attributes.
    • Enable compression by adding compression and compressableMimeType attributes to 8080 Connector.
    • Enable access logging by uncommenting the AccessLogValve and change the prefix and suffix and pattern attributes.
  6. For each user, create a SHA1 password digest using the ${tomcat_home}/bin/digest.sh script or an online service such as http://www.freeformatter.com/message-digest.html
  7. Make the following modifications to ${tomcat_home}/conf/tomcat-users.xml:
    • Define the roles manager-gui and tdsConfig and tdsMonitor.
    • Add yourself as a user with the roles manager-gui and tdsConfig, using the digest password you created in step #6 above. For example:

      <?xml version='1.0' encoding='utf-8'?>
      <tomcat-users>
        <role rolename="manager-gui"/>
        <role rolename="tdsConfig" description="can change THREDDS configuration files"/>
        <role rolename="tdsMonitor" description="can download THREDDS log files"/>
        <role rolename="tdsTrigger" description="can trigger featureCollection reloads"/>
        <user username="generalissimo" password="digest1" roles="manager-gui"/>
        <user username="capitan" password="digest2" roles="tdsTrigger,tdsConfig,tdsMonitor"/>
        <user username="tdm" password="digest3" roles="tdsTrigger"/>
      </tomcat-users>
  8. Make the following modifications to ${tomcat_home}/webapps/manager/WEB-INF/web.xml:
    1. Make sure the manager is only available via SSL by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL inside the security-constraint element.
    2. DO NOT ENABLE THE MANAGER WITHOUT RESTRICTING TO SSL ACCESS ONLY. (!)
  9. Remove any unused applications from ${tomcat_home}/webapps.
  10. (optional) Build netCDF-C library on your server. Standard install directory is /opt/netcdf.
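The following audit script is an added example, not part of this checklist or of the THREDDS project. It reads the three files edited in steps 5 to 8 and reports which of the required settings are missing: a live (uncommented) Connector on 8443 carrying keystoreFile and keystorePass, a Realm with the Tomcat 7 digest attribute, passwords that are 40-hex-character SHA1 digests rather than plaintext, and a transport-guarantee of CONFIDENTIAL on every security-constraint in the manager's web.xml. The sample inputs are constructed for the example; point the three audit functions at your own files to check a real installation.

```python
import re
import xml.etree.ElementTree as ET

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$", re.I)  # digest.sh output: 40 hex chars

def local(tag):  # strip namespace: '{ns}foo' -> 'foo' (web.xml is namespaced)
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(xml_text):
    """Step 5: live 8443 Connector with keystore attrs, Realm with digest attr.
    Commented-out elements never reach the parser, so they count as absent."""
    root, findings = ET.fromstring(xml_text), []
    ssl = [c for c in root.iter("Connector") if c.get("port") == "8443"]
    if not ssl:
        findings.append("no SSL Connector on port 8443")
    findings += [f"8443 Connector lacks {a}" for c in ssl
                 for a in ("keystoreFile", "keystorePass") if not c.get(a)]
    if not any(r.get("digest") for r in root.iter("Realm")):
        findings.append("no Realm has a digest attribute (Tomcat 7 setting)")
    return findings

def audit_tomcat_users(xml_text):
    """Steps 6-7: every password attribute must be a SHA1 digest, not plaintext."""
    return [f"user {u.get('username')!r}: password is not a SHA1 digest"
            for u in ET.fromstring(xml_text).iter("user")
            if not SHA1_HEX.match(u.get("password", ""))]

def audit_manager_web_xml(xml_text):
    """Step 8: each security-constraint needs transport-guarantee CONFIDENTIAL."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        tg = [g.text.strip() for g in sc.iter() if local(g.tag) == "transport-guarantee" and g.text]
        if "CONFIDENTIAL" not in tg:
            findings.append("manager security-constraint does not require SSL")
    return findings

# Constructed inputs (not real site files): SSL Connector still commented out,
# one plaintext password, manager constraint lacking step 8's user-data-constraint.
SERVER_XML = """<Server><Service><Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector port="8443" SSLEnabled="true" keystoreFile="k" keystorePass="p"/> -->
  <Engine><Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA"/></Engine>
</Service></Server>"""
USERS_XML = """<tomcat-users><user username="capitan" password="%s" roles="tdsConfig"/>
  <user username="tdm" password="changeme" roles="tdsTrigger"/></tomcat-users>""" % ("a" * 40)
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
</security-constraint></web-app>"""
```

Each of the three constructed inputs yields exactly one finding; a correctly edited file yields an empty list.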

TDS Install

  1. Download the latest thredds.war file, and put it into ${tomcat_home}/webapps.
  2. Start/restart Tomcat so that it has a chance to create initial files in ${tomcat_home}/content/thredds (optional).
  3. Modify ${tomcat_home}/content/thredds/catalog.xml for your site, as in this example.
  4. Modify ${tomcat_home}/content/thredds/threddsConfig.xml for your site in the following manner:
  5. If needed, limit access to the TDS and create a robots.txt file in ${tomcat_home}/webapps/ROOT/ to restrict crawler activity.

Maintenance and Upgrades

Maintenance

Be sure to periodically check to make sure you are running the latest versions of Java, Tomcat and the TDS.

Upgrading the TDS

When installing a new thredds.war, everything in ${tomcat_home}/webapps/ is overwritten. However, nothing in ${tomcat_home}/content/ is overwritten.

Use one of the following methods to deploy a new version of the TDS: