CCL Home Page
Up Directory CCL apacheRH7.0
Apache 1.3.14/Tomcat 3.2.1/RedHat7.0
-------------- Comments added by users ------
Date: Mon, 29 Jan 2001 17:49:48 +0100
From: GOMEZ Henri 
Cc: Jan Labanowski 
Subject: RE: Installation logs for Tomcat 3.2.1 and Apache 1.3.14 for RedH
    at 7.0

Did you know there is build RPM for Tomcat at ?
You may add a note in your documents.
PS: mod_jk and mo_jserv are in tomcat-mod RPM ;-)

This is a log of my installation/Compilation of Apache DSO
with SSL, MM, and Tomcat 3.2.1 final (source distribution) under
RedHat Linux 7.0 (RH7.0), Kernel 2.2.16-22, with updates up to 2000.12.31.
This includes compilation from scratch of both Apache as well as Tomcat. 
I personally usually compile stuff from scratch, since I have the NIH 
(Not Invented Here) mental syndrome, and I do not like THEIR layout.
Frankly, I do not like my own layout after a while too, and change it
often. I also wrote another memo on installing binary distribution of Apache
under RedHat 7.0 and binary Tomcat. You actually need to read both.

This memo was originally writtent around Jan 13, 2001

The UNIX commands are in italic. It assumed that you will just grab them
with the mouse and paste them in your xterm...

Few terms:
  Apache -- the Web Server
  DSO -- Dynamic Shared Object (additional modules can be added/updated
         to Apache without the need to recompile the whole thing, similar
         to shared libraries, but DSO modules are not only called, but
         can also call routines within Apache)
  MM  -- memory management or something like that - an add-on to Apache
         and its modules to communicate via shared memory rather than files

  SSL -- Secure Socket Layer - the encryption and certificate package which
         works with Apache

  Tomcat -- the Java Server Pages (JSP) and Servlet container which uses the
         Java Servlets spec 2.2, and the JSP spec 1.1.
         It is still being actively developed and has some "features".

You may want to read my FAQ on Tomcat 3.1 beta 1. since it will be
easier to follow this installation log. It is available at:

I assume you have moderately latest GNU tools (gmake, gzip, etc...) installed
and you also have a recent version of perl installed 
( ). These should have come with your RH Linux
You can also get the wget utility from
However, I recommend the older wget from the RH7.0 2nd CD, since it
has the man page. I describe install of the GNU wget first and then
I tell ou how to  the older RH one.
You can install the latest GNU one (it is at ver 1.6 now) as: 
    get wget-1.6.tar.gz and move it to directory /usr/local/uploads or
       the one you like the most, e.g.; /tmp.
    gtar zxvf wget-1.6.tar.gz
    cd wget-1.6
    make install

and make sure it is in your PATH and INFOPATH variable (wget from GNU
has only info pages, from what I see). The wget is usually installed
in /usr/local/bin and the infopages in /usr/local/info.
I did:

and did

   install-info --info-file=/usr/local/info/ --info-dir=/usr/local/info

so you can later type

   info wget

and seek knowledge.

Then check by typing 'wget' alone on the command line, if it tells you
that your URL is missing, you are up and running.

The older version of wget (there is not much change) is also on your 2nd CD
in RedHat distribution. You can get it from there as:

    put the 2nd CD in your CD drive
    mount /mnt/cdrom
    cd /mnt/cdrom/RedHat/RPMS
    rpm -Uhv wget-1.5.3-10.i386.rpm

and replace RedHat CD with the CD of Harmonia Mundi RUS 788032/HM 57
(Scriabin 1872-1915 and the Scrabinians) by Saison Russe, and continue
listening [BTW, are those Scriabin wax cylinders real? -- by ear, there
must be, since it is the best case of the Prelude 11/1 I have ever heard,
and I heard a lot {:-)}]).

Then you can type:
    man wget

like the good old days, and learn about wget.

You also need to know what UNIX database is installed on your RH7.0 linux

    ls -l /usr/include/*db*

If you have 

total 24
-rw-r--r--    1 root     root         8298 Aug 17 21:06 db.h
-rw-r--r--    1 root     root         4456 Aug 17 21:06 mpool.h
-rw-r--r--    1 root     root         2877 Aug 17 21:06 ndbm.h
you have Berkley DB installed.

If you have only:

total 16
-rw-r--r--    1 root     root         1563 Jul 13  2000 dbm.h
-rw-r--r--    1 root     root         4744 Jul 13  2000 gdbm.h
-rw-r--r--    1 root     root         2003 Jul 13  2000 ndbm.h

you only have GNU dbm installed.

You can install Berkley DB easily. Go to the RPM site, 
(say: or
which is the same machine). Then, go to:
--> Go directly to the RPM database --> RedHat-7.0 for i386
--> The list of RPM indexed by name --> 
--> Packages beginning with letter D  and take:

or you can take these RPMs from the Disk 1 in RH7.0 distribution:

   put disk in CD drive
   mount /mnt/cdrom
   cd /mnt/cdrom/RedHat/RPMS
   cp  cp db1-1.85-4.i386.rpm /tmp
   cp db1-devel-1.85-4.i386.rpm /tmp
   umount /mnt/cdrom

Assuming you put the RPMs in /tmp, do:

  cd /tmp    
  rpm -Uhv db1-devel-1.85-4.i386.rpm
  rpm -Uhv db1-1.85-4.i386.rpm
  (do not worry, if db1-1.85-4.i386.rpm says it is already installed, that
  means that you only needed the include files from db1-devel-1.85-4.i386.rpm).

1) Be a root... Run ksh or bash or other sh, but not C-shell.
   Before you install the new Apache, you have to know if you have some
   other installation of Apache running. If you do, you need to decide
   if you want to keep the old Apache running, or you stop it. 
   The problem is that Apache server by default listens to standard
   Web TCP ports, and you cannot have some other Apache listen on the same
   port(s). If you installed Apache as a part of RH7.0 distribution
   you may consider looking at my log where I install binary Tomcat
   for the binary Apache from RH7.0 distribution rather than following
   this set of instructions. On the other hand, if you want to have
   full control over your Apache, and the flexibility to add updates
   and new modules, you may want to follow the "from scratch" install
   presented here.  If your old apache already "occupies" the default
   Web ports, 80 -- HTTP, 443 -- HTTPS, you need to either disable the
   old Apache, or to install the new Apache on some other ports, or to modify
   the config file of the old Apache to make it listen to some other ports.
   and restart it. Below, I will tell you how.

   To learn which ports are already booked, do:

      netstat -a | grep LISTEN


      netstat -a -n | grep LISTEN

   if you want to see all ports given as numbers, rather than services names.

   If you get (among others):
      tcp        0      0 *:www             *:*                     LISTEN    
      tcp        0      0 *:https           *:*                     LISTEN    
   (or, with netstat -n option:
      tcp        0      0*               LISTEN
      tcp        0      0*               LISTEN )
   The "well known ports" for HTTP and HTTPS are booked and some web
   server is running. 

2) If the old server is Apache which came with RH7.0, and you want to stop
   it, do:

       cd /etc/rc.d/init.d
       ./httpd stop
       chkconfig --del httpd (do not panic, you can always do:
                                chkconfig --add httpd
                              to get to start at boot again)
       ps auwx | grep httpd | grep -v grep    (just in case, it should not run)
         and kill all processes which are reported (second column is pid) as:
           kill pid1 pid2 pid2 ....

3) If you do not want to kill previous Apache, and install the 
   new one in such a way that their TCP ports do not conflict, just
   continue on, and you will OK, since this installation uses
   ports 4080 and 4443 rather than standard ports which your existing
   installation is most likely using.

4) If you want to install the new Apache with the default ports (80 and 443)
   and you want to change the existing Apache (I assume it is the Apache
   which came with RedHat7.0 distribution) to some other ports, say
   5080 (for HTTP) and 5443 (for HTTPs) you do the following:
     a) stop apache:
         cd /etc/rc.d/init.d
         ./httpd stop
     b) edit file /etc/httpd/conf/httpd.conf and change ports:
         cd /etc/httpd/conf
         cp -p httpd.conf httpd.conf.original
         emacs (or vi or whatever) httpd.conf and replace lines:
           Listen 80   -->    Listen 5080
           Port 80     -->    Port 5080
           Listen 443  -->    Listen 5443
           <VirtualHost _default_:443> --> <VirtualHost _default_:5443>
     c) restart apache and check pages

         cd /etc/rc.d/init.d
         ./httpd start
         and try if this works, i.e., try the URLs:

         Note, that your pages will only work correctly if you were
         using relative links. If at any place you have a full URL, say: or
         you need to convert it to the one which provide the port number, i.e., for the HTTP, and the for the HTTPS. Finding such
         pages may be a problem for dynamic content (e.g., CGI scripts or SSI,
         or JavaScript) where the actual URL may reside in a symbolic variable.
         For the static html, you may find this usefull:

   find /var/www/html -type f -exec grep -l -i '' \; print


   find /var/www/html -type f -exec grep -l -i '' \; print

         which will list the files that contain or string. Of course, you need to replace it
         with your machine name.

5) Install Java 1.3. I did: 
    a) went to
    b) clicked on Products and API on the left bar
    c) clicked on Java 2 platform Standard edition J2SE
    d) Java 2 SDK Standard Edition v 1.3
    e) Linux Intel x86
    f) GNUZIP Tar shell script, one large bundle -> [continue]
    g) Yes to license [Accept]
    h) j2sdk-1_3_0-linux.bin = 26,857,036 bytes -> FTP download
    i) I placed the file j2sdk-1_3_0-linux.bin in:
    j) cd  /usr/local/uploads
       chmod 755 j2sdk-1_3_0-linux.bin
    k) this produced directory: /usr/local/uploads/jdk1.3
       I moved this directory :
          mv /usr/local/uploads/jdk1.3 /usr/local/j2sdk-1_3_0
       and then made a link:
          ln -s /usr/local/j2sdk-1_3_0 /usr/local/jdk1.3

   Set your environment variables for Java (I am assuming you use
   some Bourne shell lookalike -- ksh or sh.

      export JAVA_HOME
      export PATH
      export CLASSPATH

6) Installed JCE 1.2.1 Java Cryptography Extension 1.2.1 
    Go to:
    Click on: Download JCE 1.2.1 Software, policy files, and docs  
    This will get you:
      mkdir /usr/local/JCE
      cd /usr/local/JCE
      cp /where/u/saved/it/ .
    Then added the security provider to Java:
      a) copied JCE jars to lib/ext
         cp /usr/local/JCE/jce1.2.1/lib/*.jar /usr/local/jdk1.3/jre/lib/ext
         export CLASSPATH
      b) edited /usr/local/jdk1.3/jre/lib/security/ and added

7) Installed JSSE (JavaTM Secure Socket Extension (JSSE) 1.0.1)
   available from
      mkdir /usr/local/jsse
   with a browser go to:
    Click on domestic distribution
    Logged in, accepted, continue, answered Yes, Continue, 
       cd /usr/local/jsse
       cp /where/you/saved/it/ .
    I installed the JSSE as "installed extension" for jdk1.3 and
    copied them to /usr/local/jdk1.3/jre/lib/ext directory

       cp -p /usr/local/jsse/jsse1.0.2/lib/*jar $JAVA_HOME/jre/lib/ext
       export CLASSPATH

    Then, I registered the provider in $JAVA_HOME/jre/lib/security/
    by adding a line:

8) Installing openssl... Even if you have the openssl and libraries already
   installed, you probably have to go through this step, due to a number
   of utilities and scripts which I do not see installed from original RPM.
   Also openssl which come with my RH 7.0 Linux was an older version (0.9.5a).

   Create directory /usr/local/openssl and retrieve latest release of openssl

     mkdir /usr/local/openssl
     cd /usr/local/openssl

   Compiled the openssl [if you are in Europe, you need to
   check the mod_ssl INSTALL for the no-idea option. Note: RSA released RSAREF
   to public domain, so I do not have to use RSAREF library in US, and can
   use the optimized library which comes with openssl: 

     cd /usr/local/openssl
     gtar zxvf openssl-0.9.6.tar.gz
     cd openssl-0.9.6
     ./config -fPIC shared \
              --prefix=/usr/local/openssl \

     make test
     make install
     cp -a /usr/local/openssl/openssl-0.9.6/lib* /usr/local/openssl/lib

9) Make top directory for Apache 1.3.14 installation. I did

     mkdir /usr/local/apache_1.3.14

  Then set APACHE_HOME environment variable

    export APACHE_HOME

  I also made a subdirectory "sources" to have all needed sources in one

     mkdir /usr/local/apache_1.3.14/sources
     cd /usr/local/apache_1.3.14/sources

   Put there the tar files:


   I also serve here some local copies of some files (those which 
   are not "munition" according to US export laws which are quite far
   from present day reality -- people from US are going to CANADA to
   develop software, put it there on anon ftp, and then "import" it to US --
   another example of government protection for which we pay our taxes...)


10) Unpack sources to buld DSO Apache with mod_ssl and mm:

     cd /usr/local/apache_1.3.14
     cd sources
     gtar zxvf apache_1.3.14.tar.gz
     gtar zxvf mod_ssl-2.7.1-1.3.14.tar.gz
     gtar zxvf mm-1.1.3.tar.gz

11) Compiled MM shared memory library
     cd /usr/local/apache_1.3.14/sources/mm-1.1.3
     ./configure --disable-shared

12) Configured  mod_ssl
     cd /usr/local/apache_1.3.14/sources/mod_ssl-2.7.1-1.3.14
     EAPI_MM=../mm-1.1.3  \  
     ./configure \

13) Now you need to configure, compile and install apache.
    The compilation off the box will not work on RedHat 7.0. 
    The reason is that when RedHat changes the location of include files
    the Apache guys try to adjust. But then Red Hat changes stuff again.
    You need to choose between new (ndbm) and old (db or dbm) Unix Berkeley
    database API and libraries (actually you can have 3 different versions
    of Berkeley DB), or choose the GNU implementation (gdbm) of Berkeley DB.
    The great piece describing the confusion and mess in this area is
    Jan Wolter: "Unix Incompatibility Notes: DBM Hash Libraries"
    I include local copy here. 
    Also you need to decide if you want to use mod_auth_db (which uses old DB
    API, and the include file db.h or dbm.h)  or the mod_auth_dbm (which uses
    the new DB API, and include file ndbm.h). There is no much difference
    between mod_auth_dbm and mod_auth_db; both are used to authenticate
    users logging to your site using database approach. For many users these
    modules are preffered over the mod_auth module which does Basic
    Authentication with a Unix passwd type file. Of course, you can also
    use other databases like mSQL, postgress, DBI. The corresponding modules
    are available. Sorry, I do not want to step into it.
    In any case, you will need DB or GDBM since the mod_rewrite uses it,
    and you will definitely need mod_rewrite.
    I present here 3 scenarios and you pick one which you like. 
      a) if you do
           ls -l /usr/include/db1
         and it tells you that you have it you can use either mod_auth_db or

        aa) If you want db1 and mod_auth_db:

                 cd /usr/local/apache_1.3.14/sources/apache_1.3.14
                 SSL_BASE=/usr/local/openssl/openssl-0.9.6 \
                 EAPI_MM=/usr/local/apache_1.3.14/sources/mm-1.1.3 \
                 INCLUDES=-I/usr/include/db1 \
                 LIBS=-ldb1 \
                 ./configure --prefix=/usr/local/apache_1.3.14 \
                             --enable-module=so \
                             --enable-rule=SHARED_CORE \
                             --enable-module=most \
                             --enable-shared=max \
                             --enable-module=ssl \
                             --enable-shared=ssl \
                             --enable-module=auth_db \
                             --enable-shared=auth_db \
                             --disable-shared=auth_dbm \

        ab) If you want db1 and mod_auth_dbm:

             cd /usr/local/apache_1.3.14/sources/apache_1.3.14
             SSL_BASE=/usr/local/openssl/openssl-0.9.6 \
             EAPI_MM=/usr/local/apache_1.3.14/sources/mm-1.1.3 \
             INCLUDES=-I/usr/include/db1 \
             LIBS=-ldb1 \
             ./configure --prefix=/usr/local/apache_1.3.14 \
                --enable-module=so \
                --enable-rule=SHARED_CORE \
                --enable-module=most \
                --enable-shared=max \
                --enable-module=ssl \
                --enable-shared=ssl \
                --disable-shared=auth_db \
                --disable-module=auth_db \
                --enable-module=auth_dbm \

      b) you do
           ls -l /usr/include/db1
         and it tells you that you do not have db1, (and you do not want to
         install it as described on the top of this file), so you do
           ls -l /usr/include/gdbm
         and it tells that you have GNU DB, and you can install mod_auth_dbm
         (you probably could install the mod_auth_db, sinc GNU DB also
         has the old API support, but believe me, it would be pain).
         But it is painful...

      cd /usr/local/apache_1.3.14/sources/apache_1.3.14/src/modules/standard

        edit  mod_auth_dbm.c and replace block: 

              #if defined(WIN32)
              #include <sdbm.h>
              #define dbm_open sdbm_open
              #define dbm_fetch sdbm_fetch
              #define dbm_close sdbm_close
              #elif defined(__GLIBC__) && defined(__GLIBC_MINOR__) \
              && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
              #include <db1/ndbm.h>
              #include <ndbm.h>


              #include <ndbm.h>        

       edit the  mod_rewrite.h and replace block:

              #if defined(__GLIBC__) && defined(__GLIBC_MINOR__) \
                  && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
              #include <db1/ndbm.h>
              #include <ndbm.h>


              #include <ndbm.h>

       and finaly configure and compile apache:

           cd /usr/local/apache_1.3.14/sources/apache_1.3.14
           SSL_BASE=/usr/local/openssl/openssl-0.9.6 \
           EAPI_MM=/usr/local/apache_1.3.14/sources/mm-1.1.3 \
           INCLUDES=-I/usr/include/gdbm \
           LIBS=-lgdbm \
           ./configure --prefix=/usr/local/apache_1.3.14 \
                --enable-module=so \
                --enable-rule=SHARED_CORE \
                --enable-module=most \
                --enable-shared=max \
                --enable-module=ssl \
                --enable-shared=ssl \
                --enable-module=auth_dbm \
                --enable-shared=auth_dbm \
                --disable-shared=auth_db \


    Now you can make certificates. If you want to install self signed
    certificates which you will use (read a pagefull below), do:

      make certificate TYPE=custom

    If you have your certificates already made and signed you can just
    create dummy certificates as:

      make certificate TYPE=dummy

    and you will replace them later in the $APACHE_HOME/conf with the
    real ones. 

    Then you install Apacje in the directories under $APACHE_HOME

      make install

   I include the log of my conversation for certificate TYPE=custom here as:
   One thing to remember, is to enter the fully qualified domain name of the
   host on which this Apache Web server runs (in my case:
   when you are asked for info for X.509 certificate signing request
   for SERVER [server.csr] at item 6. Common Name.
   I then tarred my certificates/keys into a file:

     cd /usr/local/apache_1.3.14/sources/apache_1.3.14/conf
     tar zcvf /usr/local/apache-certificates.tgz ssl*
     chmod 600 /usr/local/apache-certificates.tgz

   just in case, if I lost them (these certificates were made for 5 years,
   and I do not want to redo it every time I update apache). When you need
   to restore the certificates, just do:

     cd $APACHE_HOME/conf
     tar zxvf  /usr/local/apache-certificates.tgz

   You can also copy them on the diskette and keep them safely. In my case:

     fdformat /dev/fd0H1440
     mkfs -t msdos /dev/fd0H1440

   and, assuming that you have a line:
      /dev/fd0       /mnt/floppy      auto    noauto,owner    0 0
   in your /etc/fstab file, and that the directory /mnt/floppy exists,
   you mount it as:

      mount /mnt/floppy

   then copy your certificates:

      cp /usr/local/apache-certificates.tgz /mnt/floppy

   Unmount your diskette:

      umount /mnt/floppy

   and put the diskette in the safe place. 
   Of course, you could also to it with Mutils, if you have them installed:

     mformat -f 1440 a:
     mcopy /usr/local/apache-server1-certificates.tgz a:
     mdir a:

   Also, if for some reason, you need to redo the certificates (I actually
   had to do it, since I had a typo in server name, discovered it after
   I finished the apache installation): 

     cd /usr/local/apache_1.3.14/sources/apache_1.3.14
     make certificate TYPE=custom

   and copy them by hand to the $APACHE_HOME/conf directory:

     cd /usr/local/apache_1.3.14/sources/apache_1.3.14/conf
     tar zcvf /usr/local/apache-certificates.tgz ssl*
     chmod 600 /usr/local/apache-certificates.tgz
     cd $APACHE_HOME/conf
     tar zxvf  /usr/local/apache-certificates.tgz

   and do not redo the make install !!! 

14) edited a file in $APACHE_HOME/conf/httpd.conf (in my case:
      /usr/local/apache_1.3.14/conf/httpd.conf). You can look at
    the copy of my initial httpd.conf.
    I made a few changes to the original default httpd.conf which was
    produced by the installation, namely, changed the ports on which
    Apache listens to requests so the new installtion does not interfere
    with the Apache server, which currently runs on your machine (assuming
    that you have some server already running). I have no way of knowing
    which ports on your machine are assigned to some services. In my case
    I chose the port 4080 for the unencrypted Web Server port (which
    corresponds to standard port 80 for HTTP), and the 4443 port for
    the secure port (which corresponds to the standard port 443 for HTTPS).
    I simply changed the following lines in
      Port 80                      --->  Port 4080

      Listen 80                    --->  Listen 4080
      Listen 443                   --->  Listen 4443
      <VirtualHost _default_:443>  --->  <VirtualHost _default_:4443> 

15) I created the a file which starts the Web server when machine
    is rebooted. I named it /etc/rc.d/init.d/httpd-jkl. Its copy
    is given here. Then, I started
    the new apache as:
       /etc/rc.d/init.d/httpd-jkl start
    and checked if the pages show up at
    and    (this one will asked me to accept the
                                         server certificate which I created)

    In the https case you should get a lot of windows
    which ask you for accepting the certificate. Just click Next to the
    series of questions, and also mark "Keep this certificate forever"
    on one of the boxes.

    Pages worked so I used chkconfig to add the script to be used at boot: 

       cd /etc/rc.d/init.d
       chkconfig --add httpd-jkl
    and checked if the links for thr rc.dx directories were added by

       chkconfig --list httpd-jkl

    which gave me:
       httpd-jkl       0:off   1:off   2:off   3:on    4:on    5:on    6:off
    and I was happy since the links in appropriate directories were created.

    Note, I can start and stop apache either as:
       /etc/rc.d/init.d/httpd-jkl start
       /etc/rc.d/init.d/httpd-jkl stop
    or as
       /usr/local/apache_1.3.14/bin/apachectl startssl
       /usr/local/apache_1.3.14/bin/apachectl stop

    Stop apache, since you are not finshed yet.

        Building and installing tomcat

16)  At this point it is probably prudent to log out and log in again as root
     and reset your environment variables by doing:

       export JAVA_HOME
       export PATH
       export CLASSPATH

17)You need to get the latest JAXP (Sun API and XML parsing in Java). They
   have the Early Access 1.1. Click on links under:
      "Java API for XML Parsing (JAXP)"
   Or try the
   At the time I was writing it it was: Version 1.1 Early Access 2 
   Take it... It has DOM2 and SAX2, while the stable JAXP 1.0.1 has only
   DOM1 and SAX1. So, go to:
   click on Java API for XML Processing Reference Implementation
   Java API for XML Processing Reference Implementation
   Version 1.1 Early Access 2
   Java API for XML Processing Reference Implementation version 1.1ea2
   You have to be registered (I you do Java, you are registered...)
   Agree to whatever (but be careful, since their lawyers look for work
   after they finished the settlement with MS) and click on download to get: = 3,095,370 bytes
   I have placed it in /tmp and then:

       cd /tmp
       mv  jaxp-1.1ea2 /usr/local
       export XML
       export CLASSPATH

   I compiled and ran JAXP examples:

       cd ${XML}/examples/dom
       java -cp ${CLASSPATH}:. main
       cd ${XML}/examples/sax

   and did the example for invalid document:

        java -cp ${CLASSPATH}:. -Djavax.xml.parsers.validation=true \
            main ../samples/namespace.xml

   and the one for the valid document:

        java -cp ${CLASSPATH}:. -Djavax.xml.parsers.validation=true \
            main ../samples/book-order.xml

   and the one for the well-formedness only

        java -cp ${CLASSPATH}:. main ../samples/namespace.xml

   and they seemed to work.        
18) Create directory /usr/local/tomcat_3.2.1

      mkdir /usr/local/tomcat_3.2.1
      export JAKARTA_HOME

   and put there the source release 3.2.1 of tomcat:


    I also have them here locally, if you want:
19) Untar them as:

        cd $JAKARTA_HOME
        mkdir jakarta-ant-src
        cd jakarta-ant-src
        gtar zxvf ../jakarta-ant-src.tar.gz
        cd /usr/local/tomcat_3.2.1
        gtar zxvf jakarta-servletapi-3.2-src.tar.gz
        gtar zxvf jakarta-tomcat-3.2.1-src.tar.gz

20) Installing/building  ANT -- the tool needed to build Tomcat

       cd $JAKARTA_HOME/jakarta-ant-src
       cd $JAKARTA_HOME/build
       mv ant $JAKARTA_HOME/ant-1.2
       export ANT_HOME
       export CLASSPATH
       export PATH

21) Installing/building servlet API

       cd $JAKARTA_HOME/jakarta-servletapi-3.2-src
       chmod 755 
       ./ dist
       cd $JAKARTA_HOME/dist
       mv servletapi ${JAKARTA_HOME}/servletapi-3.2
       export SERVLETAPI_HOME
       export CLASSPATH

    At this point we accummulated lots of environment variables. It seems
    useful to create a short script which will set them when sourced. You will
    find it handy when you log out and log in again and want to continue
    installation. I called this script env4tomcat and placed it in my
    /root/bin directory. And you can get my version here. Then I executed

       .  /root/bin/env4tomcat
    Note that the script already contains environment variables for
    TOMCAT, though we did not arrive there yet.

22) Installing/building tomcat:
    When I did: 

       cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src

    I got an error:
         33: /usr/local/tomcat_3.2.1/jakarta-ant/bin not found.
    Rather than changing the build.xml, I did:

       cd $JAKARTA_HOME
       mkdir jakarta-ant
       cd jakarta-ant
       ln -s ${ANT_HOME}/bin bin

    and repeated the compilation:

       cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src
       ./ dist
       cd ${JAKARTA_HOME}/dist
       mv tomcat ${JAKARTA_HOME}/tomcat-3.2.1
       export TOMCAT_HOME

23) testing Tomcat  

     Since there are a lot of files in the $TOMCAT_HOME/conf, I decided
     to move all files which are there to a separate directory, and then
     copy what I need:

       cd $TOMCAT_HOME/conf
       mkdir original-conf
       mv * original-conf
       cd original-conf
       cp -p server.xml ..
       cp -p web.xml ..
       cp -p ..
       cp -p tomcat-users.xml ..
       cp -p mod_jk.conf ..
       cd ..

     Since I have other Tomcats running on this machine, I changed
     the default ports in $TOMCAT_HOME/conf/server.xml

         cd $TOMCAT_HOME/conf

         emacs/vi/joe/whatever server.xml
               Change 8080 --> 4180
               Change 8007 --> 4007
     While the SSL connector is at this moment commented out, I changed
     the port 
               Change 8443 --> 4143

     so I do not forget about it in the future. I also mounted webapps/ROOT
     as /ROOT and changed all docBase attributes of Context to full path.
     While /ROOT is also mounted in server.xml as /, I need another mount
     point for Apache. If I mounted ROOT as / in apache, all my content
     would have to be served by Tomcat, since DocumentRoot would be located
     there. There are many ways of doing this, for example, I could copy
     only the index.html file to the Apache DocumentRoot directory and mount
     the subirectories of /ROOT as Contexts. I decided to mount /ROOT as
     context /ROOT (i.e., it will be accessed as http://my.machine:port/ROOT
     and solve the problem of relative/absolute links by using rewrite module. 
     Note that server.xml is the file which is read in by Tomcat to
     configure itself. The other files are not read in by Tomcat. The web.xml
     in the ${TOMCAT_HOME}/conf is not read in either (but it is read in
     in other versions of Tomcat). This web.xml should be a starting place
     for your own web.xml files which you place under WEB-INF directory
     in your servlet/JSP contexts (WEB applications).
     The other files are mostly prototypes of config files for the various
     Web servers which work with Tomcat. Moreover, based on its own
     configuration, it produces prototype configuration files for various
     Web servers: iis_redirect.reg-auto and (for
     MS IIS), mod_jk.conf-auto (for mod_jk module of Apache), obj.conf-auto
     (for Netescape or whoever/whatever server, if you know what I mean),
     and tomcat-apache.conf (for Apache mod_jserv module which we do not use
     here). These prototype files are essentially ready to go for simple
     configurations. The files like tomcat-apache.conf,,
     tomcat.conf are used when tomcat was working with mod_jserv module.
     We are using here mod_jk module, and these files can be ignored.
     The files for mod_jk module of Apache are mod_jk.conf and For the time being, I tested if Tomcat works
     alone by starting it as:

       cd $TOMCAT_HOME/bin
    then checked the stuff at tomcat port       

    and looked at test pages. Things worked... Then I shut it down as:


    What worried me was the number of threads the Tomcat opened, namely
       ps auwx | grep java | wc -l
    gave 36. These are supposedly lightweight threads and you should not
    worry about this.

24)  Now, let us create the mod_jk module. This is a DSO object
     which you load into Apache. It is called "server plug-in"
     sometimes. It allows Apache to talk to Tomcat. While Tomcat
     can also run inprocess, it cannot be supported with current Apache/Tomcat
     combination. So there are two processes: Apache and Tomcat, and they
     need to talk to each other if they want to work together (or at
     least send memos {:-)}). Note that in this communication Apache
     (The web server) is a client (not a server!) of Tomcat.
     Tomcat is started, and listens for requests from Apache, i.e., in
     this relation, it is a server. Tomcat listens by default on port 8007, 
     but you can change it by editing the server.xml file. In my case,
     as you saw in 23) I had to change the default port since I have several
     Tomcats running on my machine. The module mod_jk is compiled as:

        cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src/src/native      
        cd apache1.3
        $APACHE_HOME/bin/apxs -o  \
             -I${JAVA_HOME}/include/linux \
             -I../jk -I${JAVA_HOME}/include \
             -c *.c ../jk/*.c  

        cp ${APACHE_HOME}/libexec

      While I provide here the binary: -- press right mouse button here and choose: Save Link as
      which you can just copy to ${APACHE_HOME}/libexec directory I strongly
      suggest that you build the one yourself, since there are many options
      to Apache, and it simply will not work, if your Apache is different
      than my Apache.

25)   When I tested standalone Tomcat in 23), it created automatically
      a config file for mod_jk for Apache which is available as:
      I did the following:

        cd $TOMCAT_HOME/conf
        mv mod_jk.conf mod_jk.conf.original
        mv mod_jk.conf-auto mod_jk.conf

      i.e., I saved the original and copied the automatic version to
      For the time being, I edited the Apache config file to include
      the mod_jk.conf (more needs to be done for sensible install,
      though). I edited file;
      $APACHE_HOME/conf/httpd.conf and at the last line I put:
         Include /usr/local/tomcat_3.2.1/tomcat-3.2.1/conf/mod_jk.conf
      The actual initial httpd.conf is here.
      I replaced all occurances of ajp12 with ajp13 in the
      ${TOMCAT_HOME}/conf/mod_jk.conf and added a mount point for /ROOT
      You can find the copy of it here. I also changed server.xml (see below).
      Just compare it to the original with UNIX diff utility.  
      Made several changes to Namely:
      changed workers.tomcat_home, workers.java_home, ps, worker.ajp12.port,
      worker.ajp13.port and commented out all inprocess stuff which is meant
      for the Web servers which support inprocess. You can look up them here.
      Note, my ajp12 port is 4006 and ajp13 is 4007. 
26) changed the $TOMCAT_HOME/conf/server.xml to activate the ajp13 connector.
    Added this:
        <!-- Apache AJP13 support. -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler"
            <Parameter name="port" value="4007"/>
    Left apj12 support at port 4006 since it is needed for shutdown.
    Look here for initial server.xml.

27) Heavily edited the $TOMCAT_HOME/bin/, 
    $TOMCAT_HOME/bin/ and $TOMCAT_HOME/bin/ 
    to include necessary environmental
    variables. These initial files can be found here: 

28) Started tomat

        cd $TOMCAT_HOME/bin

   It told me something like this:

Using classpath: /usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local
2001-01-28 03:31:39 - ContextManager: Adding context Ctx(/examples )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /admin )
Starting tomcat. Check logs/tomcat.log for error messages
2001-01-28 03:31:39 - ContextManager: Adding context Ctx(  )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /test )
2001-01-28 03:31:40 - PoolTcpConnector: Starting HttpConnectionHandler on 4180
2001-01-28 03:31:40 - PoolTcpConnector: Starting Ajp12ConnectionHandler on 4006
2001-01-28 03:31:41 - PoolTcpConnector: Starting Ajp13ConnectionHandler on 4007

   (if you have errors, check if tomcat or something else is not running
   and using the same TCP ports. Do, for exampl:
      ps auxw | grep tomcat
    and kill if needed. Also check if any ports from above: 4006, 4007,
    4080, 4180, 4443, are used by using: 

       netstat -a | more

    They would be listed in the first column, e.g., *.4443

29) Started Apache

   $APACHE_HOME/bin/apachectl startssl

   Things worked on port 4080(http) and 4443(https). I checked and 

30) Stopped Tomcat

        cd $TOMCAT_HOME/bin

31) Stopped Apache
       $APACHE_HOME/bin/apachectl stop

32) Reconfigured Tomcat and Apache to do things I want them to do.

    a) In $APACHE_HOME/conf/httpd.conf made sure mod_jk is before mod_rewrite

      LoadModule jk_module          libexec/
      LoadModule rewrite_module     libexec/


      AddModule mod_jk.c
      AddModule mod_rewrite.c

    and commented out the line
       # LoadModule jk_module libexec/

    in $TOMCAT_HOME/conf/mod_jk.conf

33) In the $APACHE_HOME/conf/httpd.conf I added some rewrite
    rules before
        ##  SSL Global Context
    comment , and also inside 4443 virtual host scope after line:
        TransferLog /usr/local/apache_1.3.14/logs/access_log   :
         <IfModule mod_rewrite.c>
         RewriteEngine On
         RewriteLog /usr/local/apache_1.3.14/logs/rewrite_log
         RewriteLogLevel 2
         RewriteRule ^/ROOT/examples /examples [R]
         RewriteRule ^/ROOT/test /test [R]
         RewriteRule ^/ROOT/admin /admin [R]
         RewriteRule ^/ROOT/ROOT /ROOT [R]
         RewriteRule ^/tomcat.gif /ROOT/tomcat.gif [R]
         RewriteRule ^/examples/servlets$     /examples/servlets/  [R]
         RewriteRule ^/examples/jsp$     /examples/jsp/  [R]
         RewriteRule ^/examples$     /examples/  [R]
         RewriteRule ^/admin$          /admin/  [R]
         RewriteRule ^/ROOT$          /ROOT/  [R]
         RewriteRule ^/test$          /test/  [R]

    for the HTTP (port 4080) and HTTPS (virtual host at 4443). It was needed
    to cure a problem that $TOMCAT_HOME/webapps/ROOT
    is a Document Root for Tomcat, but for Apache, the 
    $APACHE_HOME/htdocs is the Document Root. 

34) Created new users, in my case webinst, and webrun, and groups for
    them, home directories, and regular login environment.  
    The webrun was assigned /bin/bash and webinst had tcsh as primary
    shell (yes, I know that t/csh is brain dead, but people want it,
    and people will have it -- it sucks, e.g., with its limitations:
    "Word too long" when your environment variable is longer than 1024 --
    it happens to me all the time with longer CLASSPATHs).
    Note, that when you execute the script as
          su - uid -c script
    the script will be executed with the default shell (i.e., the shell
    the user uid has assigned in /etc/passwd)  of the uid user, and it 
    does not matter what you put in #!/bin/someshell on the top of your script.
    While some UNICES allow you to specify shell on the command line (Linux
    allows) I did not use this feature.
    The script is sourced with default shell, not forked with a new shell. 
    The webinst will own most of the files in the web site, while the
    webrun will be the user who runs the Apache server and the tomcat.
    It will own log files and other files which the apache/tomcat/ needs
    to write.  In $APACHE_HOME/conf/httpd.conf I did:
       User webrun
       Group webrun
    Also, I changed the directories for the Document root and CGI-BIN
    Final version of httpd.conf is given here.
    Also chown_ed to webrun the log directories:

      chown -R webrun $APACHE_HOME/logs
      chgrp -R webrun $APACHE_HOME/logs

    And for tomcat:

      chown -R webrun $TOMCAT_HOME/conf
      chgrp -R webrun $TOMCAT_HOME/conf
      chown -R webrun $TOMCAT_HOME/logs
      chgrp -R webrun $TOMCAT_HOME/logs
      chown -R webrun $TOMCAT_HOME/work
      chgrp -R webrun $TOMCAT_HOME/work

35) In $APACHE_HOME/bin

      cp apachectl apache-tomcat

    and edited apache-tomcat to have a script to start/stop
    tomcat and apache. This is an example: $APACHE_HOME/bin/apache-tomcat
    Then chmoded apache-tomcat to be executable :

       chmod 755 $APACHE_HOME/bin/apache-tomcat

36) Started the apache/tomcat as:

       $APACHE_HOME/bin/apache-tomcat startssl

    and checked if and worked. 
    They did, so I killed the server with:

       $APACHE_HOME/bin/apache-tomcat stop

    Now, I also changed the startup script httpd-jkl in /etc/rc.d/init.d
    to use the apache_tomcat rather than apachectl. The final version
    is here. I also disabled the
    RH7.0 Apache which comes with the standard installation by

      /etc/rc.d/init.d/httpd stop
      chkconfig --del httpd
      chkconfig --list httpd

    which showed rightly that httpd will not be invoked on boot:
      httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off

    and replaced Apache with this installation. I allowed the startup on
    boot by activating the my script described above: 
      chkconfig --add httpd-jkl
      chkconfig --list httpd-jkl

    with list giving me OK:
       httpd-jkl       0:off   1:off   2:off   3:on    4:on    5:on    6:off
    Note, since we are using different ports, you do not have to stop the
    original Apache which works on standard ports 80 and 443. 

37) changed permissions/ownership on the example directories

      cd $TOMCAT_HOME/webapps
      chown -R webinst .
      chgrp -R webinst .
      cd $TOMCAT_HOME/logs
      chown -R  webrun .

38) After all these changes, the ports should be the following:

                    Orig       New     Files affected
    http(apache) --> 80   -->  4080  ${APACHE_HOME}/conf/httpd.conf

    https        --> 443  -->  4443  ${APACHE_HOME}/conf/httpd.conf

    http(tomcat) --> 8080 --> 4180   ${TOMCAT_HOME}/conf/server.xml
                 --> 8009 --> 4007   ${TOMCAT_HOME}/conf/

    tomcat/apj12 --> 8007 --> 4006   ${TOMCAT_HOME}/conf/

39) Since starting/stopping apache+tomcat in this environment requires
    one to be a root, I created C wrappers to start and stop the whole zoo.

   and compiled it with

     gcc -o apache_start apache_start.c

   as a root, and then added suid permissions to the resulting
   apache_start executable file as:

     chmod ug+s apache_start

   I did exactly the same with apache_stop.c

      gcc -o apache_stop apache_stop.c  
      chmod ug+s apache_stop   


   Now, people do not have to have root access to start/stop Web Server/Tomcat

   I also added a C program killme.c which kills the processes which are
   running by user webrun. It is indentded to be used after "apache_stop"
   to kill some runaway processes started by apache, Tomcat, or JServ.
   After compiling the program:

      gcc -o killme killme.c

   changed its user and group ownership to webrun and added
   SETUID permission bits

      chown webrun killme
      chgrp webrun killme
      chmod ug+s killme

   To learn which processes need to be killed, the user does

       ps -ef | grep webrun | grep -v grep

   (I actually saved this line as a shell script "killwhich" so they can
   just type: killwhich).
   and the user can kill the processes listed by previous command as:
       killme pid1 pid2 ....
   where pidn is the process id number in the second column.

40)If you look at my httpd.conf file
    I have there a virtual host on HTTPS port 4443. The DocumentRoot directory
    of this virtual host points at /content/html/private and the CGI script
    directory /content/cgi/private are protected with the Basic Authentication
    and contain the file .htaccess file:

       AuthUserFile /usr/local/apache_1.3.14/auth/htpasswd
       AuthGroupFile /usr/local/apache_1.3.14/auth/htgroup
       AuthName "This directory is for internal users only"
       AuthType Basic

       <Limit GET POST PUT>
       require group cclstaff

    My /usr/local/apache_1.3.14/auth/htpasswd was similar to:


    i.e., listed user names and their encrypted passwords. You can
    get the encrypted password by typing at UNIX command line:

          print crypt("PASSWORD", "AB"), "\n";

    where "PASSWORD" should be actual open text password in quotes,
    "AB" is a two character seed (can be any combination of letters and
    digits, and some other characters, but stay with letters and digits
    to be on safe side), and ^D is CTRL/D. For example, the abouve would
    yield: ABIp8WSAPJnhI (of course, I am not endorsing using PASSWORD for

    My /usr/local/apache_1.3.14/auth/htgroup was similar to:

      cclstaff:jkl bubus lalus

    Of course you can have more groups and people.     

                 -- THE END --

If you see something wrong here, please let me know, so I can save
other peoples time.

Modified: Mon Jul 23 06:12:39 2001 GMT
Page accessed 12211 times since Fri Jan 31 04:35:20 2003 GMT