Apache Tomcat
AM examples often use Apache Tomcat (Tomcat) as the deployment container.
In these examples, Tomcat is installed on openam.example.com
and listens on the default ports without a Java
Security Manager enabled.
JVM startup
AM core services require a minimum JVM heap size of 1 GB, and a metadata space size of up to 256 MB. If you are evaluating AM and using the embedded DS, you require at least a 2 GB heap, as 50% of that space is allocated to DS. See Prepare the Java environment for details.
Set a CATALINA_OPTS
environment variable with the appropriate tuning for your environment.
For example, add the following in the $CATALINA_BASE/bin/setenv.sh
file:
export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m"
Some versions of Microsoft Edge support the Expires
header attribute
instead of the Max-Age
header attribute, which may cause SAML v2.0 and agent logout sequences to fail.
If you have set the org.apache.catalina.STRICT_SERVLET_COMPLIANCE
Tomcat property to true
,
add the org.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRE
property
in the $CATALINA_BASE/bin/setenv.sh
file, to add the Expires
attribute to the headers:
export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m \
-Dorg.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES=true"
Slashes in resource names
Some AM resources have names that can contain slash characters (/), for example, in policy names, application names, and SAML v2.0 entities. These slash characters can cause unexpected behavior when running AM on Tomcat.
In development environments, a possible workaround is to configure Tomcat to allow encoded slash characters by adding
the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
property to the CATALINA_OPTS
variable; for example:
export CATALINA_OPTS="$CATALINA_OPTS -server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m \
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
Do not enable |
Cookie domains
Set the cookie domain name value to an empty string (for host-only cookies) or to any non-top level domain (for domain cookies).
For example, if you install AM on openam.example.com
, you can set the cookie domain name to example.com
.
Because host-only cookies are more secure than domain cookies, you should use host-only cookies unless you have a good business case for using domain cookies. |
Refer to Install an instance to configure the cookie domain during installation.
Log request times
Tomcat provides components called valves that can be configured to track access to resources. The Access Log Valve outputs information about request activity to log files, for you to analyze or use when troubleshooting.
To record request times in the Access Log Valve log, configure the pattern
attribute to include the following values:
-
%D
- Time taken to send an entire request, in millis. This is the total processing time and may be affected by network conditions. -
%F
- Time taken to commit the response, in millis (not available in Tomcat 7 or earlier).
Example Valve
element in server.xml
:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b %D %F" />
For information about the Access Log Valve configuration, refer to the documentation for Tomcat 7.0, or
Tomcat 8.0, which includes the %F
value.
Encoding and security
ForgeRock recommends that you edit the Tomcat <Connector>
configuration to set URIEncoding="UTF-8"
.
UTF-8 URI encoding ensures that URL-encoded characters in the paths of URIs are correctly decoded by the container.
This is particularly useful if your applications use the AM REST APIs and some identifiers,
such as user names, contain special characters.
You should also ensure the sslProtocol
property is set to TLS
,
which disables the potentially vulnerable SSL v3.0 protocol.
<Connector>
configuration elements are found in the configuration file, /path/to/tomcat/conf/server.xml
.
The following excerpt shows an example <Connector>
with the URIEncoding
and sslProtocol
attributes
set appropriately:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
When you have finished setting up Apache Tomcat, you should enforce HTTPS connections to AM. For details, refer to Secure connections to the AM container.