TDS Installation Checklist for Production Security

Initial Installation

Install Java

  1. Download and install the latest version of JDK 1.7

Tomcat Install

  1. Create a dedicated user and group for running Tomcat who does not have root privileges. Modify the permissions in ${tomcat_home} to allow this user access to only the necessary parts of the Tomcat installation.
  2. Download and install the latest version of Tomcat 7.
  3. In ${tomcat_home}/bin create a setenv.sh shell script, and set the values of $JAVA_HOME, $JAVA_OPTS and $CATALINA_BASE:
        #!/bin/sh
        #
        # Raise the open-file limit for the Tomcat process (TDS opens many data files).
        ulimit -n 2048
        #
        # Tomcat and JDK locations
        CATALINA_HOME="/opt/tomcat-home"
        export CATALINA_HOME
        CATALINA_BASE="/opt/tomcat-home"
        export CATALINA_BASE
        JAVA_HOME="/opt/jdk"
        export JAVA_HOME
        #
        # JVM options: TDS content root, heap sizing, permgen, headless mode, and
        # a writable java.util.prefs location so Tomcat need not write under /etc or $HOME
        CONTENT_ROOT="-Dtds.content.root.path=/data/thredds/tds/content"
        NORMAL="-d64 -Xmx4090m -Xms512m -server"
        MAX_PERM_GEN="-XX:MaxPermSize=256m"
        HEADLESS="-Djava.awt.headless=true"
        JAVA_PREFS_SYSTEM_ROOT="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs -Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"
        #
        JAVA_OPTS="$CONTENT_ROOT $NORMAL $MAX_PERM_GEN $HEADLESS $JAVA_PREFS_SYSTEM_ROOT"
        export JAVA_OPTS

  4. Purchase a real certificate from a certificate authority, so users are not confused or led to question the legitimacy of your web site.
  5. Make the following modifications to ${tomcat_home}/conf/server.xml:
    • Enable digest passwords by commenting out the UserDatabaseRealm and enabling the MemoryRealm.
    • Enable SSL by uncommenting the SSL Connector listening on port 8443, and add the required keystoreFile and keystorePass attributes.
    • Enable compression by adding compression and compressableMimeType attributes to the 8080 Connector.
    • Enable access logging by uncommenting the AccessLogValve and changing its prefix, suffix and pattern attributes.
  6. Create a password digest using the ${tomcat_home}/bin/digest.sh script.
  7. Make the following modifications to ${tomcat_home}/conf/tomcat-users.xml:
  8. Make the following modifications to ${tomcat_home}/webapps/manager/WEB-INF/web.xml:
    1. Make sure the manager is only available via SSL by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL inside the security-constraint element.
  9. Remove any unused applications from ${tomcat_home}/webapps.
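As an added illustration of steps 5 and 8 (not part of the original checklist), the corresponding Tomcat 7 configuration fragments. The keystore path, keystore password, log file names and MIME type list are placeholder values to adjust for your site; the "..." stands for the manager's existing constraint content, which is left unchanged.

```xml
<!-- Fragments of ${tomcat_home}/conf/server.xml (Tomcat 7) -->

<!-- Step 5, digest passwords: the default UserDatabaseRealm is commented out
     and the MemoryRealm enabled. MemoryRealm reads conf/tomcat-users.xml, and
     digest="SHA" makes it expect the hashes produced by bin/digest.sh rather
     than clear-text passwords. -->
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
-->
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="SHA"/>

<!-- Step 5, SSL: uncommented 8443 Connector with keystoreFile and keystorePass
     added. Placeholder path and password; restrict read access to server.xml
     (step 1) because the password is stored here in the clear. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/tomcat-home/conf/keystore.jks"
           keystorePass="CHANGE_ME"/>

<!-- Step 5, compression on the plain HTTP 8080 Connector. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,application/xml"/>

<!-- Step 5, access logging: AccessLogValve uncommented, with prefix, suffix
     and pattern changed (pattern here adds Referer and User-Agent fields). -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="access." suffix=".log"
       pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;"/>

<!-- Step 8, ${tomcat_home}/webapps/manager/WEB-INF/web.xml: add the
     user-data-constraint inside the existing security-constraint so the
     manager is reachable only over SSL (plain HTTP requests are redirected
     to the 8443 redirectPort). -->
<security-constraint>
  ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```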

TDS Install

  1. Download the latest thredds.war file, and put it into ${tomcat_home}/webapps.
  2. Start/restart Tomcat so that it has a chance to create initial files in ${tomcat_home}/content/thredds.
  3. Modify ${tomcat_home}/content/thredds/catalog.xml for your site, as in this example.
  4. Modify ${tomcat_home}/content/thredds/threddsConfig.xml for your site in the following manner:
  5. If needed, limit access to the TDS and create a robots.txt file in ${tomcat_home}/webapps/ROOT/ to restrict crawler activity.

Maintenance and Upgrades

Maintenance

Be sure to periodically check to make sure you are running the latest versions of Java, Tomcat and the TDS.

  • If you have enabled access logging (and you should), zip up the unused access logs in ${tomcat_home}/logs/ and archive them off to another directory.
  • Likewise, zip up the unused TDS servlet logs in ${tomcat_home}/content/thredds/logs and archive them as well.

Upgrading the TDS

When installing a new thredds.war, everything in ${tomcat_home}/webapps/ is overwritten. However, nothing in ${tomcat_home}/content/ is overwritten.

Use one of the following methods to deploy a new version of the TDS