Confluence+Tomcat+HTTPD(handling HTTPS traffic, with Tomcat backstage) - The easiest way to install Confluence with Tomcat and Httpd!

Confluence is the best Enterprise wiki IMHO. Here's how to install and run it:
# cp jdk-6u18-linux-x64.bin /srv/
# cd /srv
# sh jdk-6u18-linux-x64.bin
# ln -s jdk1.6.0_18 jdk
# updatedb;locate javac |grep bin

Here /srv/jdk is the actual JAVA_HOME for your machine. Note this as you will need it to run the future commands.

alternatives --install /usr/bin/java java /srv/jdk1.6.0_18/bin/java 100
alternatives --install /usr/bin/jar jar /srv/jdk1.6.0_18/bin/jar 100
alternatives --install /usr/bin/javac javac /srv/jdk1.6.0_18/bin/javac 100

Finally you should configure alternative to use Sun's JVM as the default JVM. To do this type:
# /usr/sbin/alternatives --config java

In the future, when we update Java, we only need to update this symlink (for JAVA_HOME) and the alternatives entries above.

Last check:
# java -version
java version "1.5.0_22"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)
Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_22-b03, mixed mode)

# wget

# cp apache-tomcat-6.0.26.tar.gz /srv
# cd /srv/
# tar -xvzf apache-tomcat-6.0.26.tar.gz
# ln -s apache-tomcat-6.0.26 tomcat

Create Env. var. config file:

# cat /srv/tomcat/bin/
export JAVA_HOME=/srv/jdk
export PATH="${PATH}:${JAVA_HOME}/bin/"

CATALINA_OPTS="-server -XX:+UseParallelGC -Xms2048m -Xmx2048m -XX:MaxPermSize=1024m -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled -Djava.awt.headless=true"

We would like to run tomcat as a tomcat user:

# groupadd tomcat
# useradd -g tomcat -c "Tomcat" -d /srv/tomcat -s "/bin/bash" tomcat

# chown -R tomcat:tomcat /srv/tomcat
# chown -R tomcat:tomcat /srv/apache-tomcat-6.0.26

# su - tomcat -c '/srv/tomcat/bin/'
Using CATALINA_BASE:   /srv/tomcat
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/temp
Using JRE_HOME:        /srv/jdk
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar

# ps -ef | grep tom
tomcat    8672     1  1 13:10 ?        00:00:03 /srv/jdk/bin/java -Djava.util.logging.config.file=/srv/tomcat/conf/ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -XX:+UseParallelGC -Xms2048m -Xmx2048m -XX:MaxPermSize=1024m -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled -Djava.awt.headless=true -Djava.endorsed.dirs=/srv/tomcat/endorsed -classpath /srv/tomcat/bin/bootstrap.jar -Dcatalina.base=/srv/tomcat -Dcatalina.home=/srv/tomcat org.apache.catalina.startup.Bootstrap start

Now check that Tomcat is running and serving correctly by going to http://serverIP:8080/

Shutting it down:

# su - tomcat -c '/srv/tomcat/bin/'

5. Create init script:

# cat /etc/init.d/tomcat
#!/bin/sh
# Startup script for Tomcat on Linux
# chkconfig: 35 80 20
# description: start & stop tomcat that is running CLE
# --> check

# set this to the location of tomcat
# (the values below are assumed: the original settings did not survive on this page)
TOMCAT_HOME=/srv/tomcat
TOMCAT_USER=tomcat
TOMCAT_START_SCRIPT=$TOMCAT_HOME/bin/catalina.sh
TOMCAT_PIDFILE=$TOMCAT_HOME/temp/tomcat.pid
# catalina.sh writes and reads the pid file named by CATALINA_PID; su -m keeps it in the environment
export CATALINA_PID=$TOMCAT_PIDFILE

if [ -e $TOMCAT_PIDFILE ]; then
   TOMCAT_PID=`cat $TOMCAT_PIDFILE`
fi

case "$1" in
  start)
    # clean up a stale pid file, stopping the old instance first if it is still alive
    if [ -f $TOMCAT_PIDFILE ]; then
       if [ -e /proc/$TOMCAT_PID ]; then
          is_running=`cat /proc/$TOMCAT_PID/cmdline|grep java`
          if [ -n "$is_running" ]; then
             $0 stop
          fi
       fi
       /bin/rm -f $TOMCAT_PIDFILE
    fi
    echo "Starting Tomcat"
    su -m -c "$TOMCAT_START_SCRIPT start" $TOMCAT_USER
    ;;
  stop)
    echo "Stopping Tomcat [takes about a minute]..."
    # graceful stop through catalina.sh (this line is reconstructed; it was missing on the page)
    su -m -c "$TOMCAT_START_SCRIPT stop" $TOMCAT_USER
    sleep 30
    # if it has not exited on its own, force it
    if [ -f $TOMCAT_PIDFILE ]; then
       kill -9 $TOMCAT_PID
       /bin/rm -f $TOMCAT_PIDFILE
    fi
    echo "   ...done"
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

# chmod +x /etc/init.d/tomcat
# chkconfig --add tomcat
# chkconfig tomcat on


Go to and grab Confluence 3.2.1_01 - EAR/WAR (TAR.GZ Archive) by clicking the "Show All" link:
# cd /srv
# wget
# tar -xvzf confluence-3.2.1_01.tar.gz
# ln -s confluence-3.2.1_01 confluence

2. # vi /srv/confluence/confluence/WEB-INF/classes/


3. Create ROOT.xml file:
# cat /srv/tomcat/conf/Catalina/localhost/ROOT.xml
<Context path="" docBase="/srv/confluence/confluence" debug="0" reloadable="true">
 <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/ -->
</Context>

# mkdir -p /srv/
# chown -R tomcat:tomcat confluence confluence-3.2.1_01

5. Configuring Tomcat's URI encoding:
# vi /srv/tomcat/conf/server.xml

Add a URIEncoding="UTF-8" property to the connectors:

    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
               redirectPort="8443" />

Make sure you're asking Tomcat to listen for connections on localhost only (the address attribute), so it ignores your public-facing traffic, for even tighter security.

   <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" address="" redirectPort="8443" />

6. We need this as we will work with an Oracle DB. For MySQL, download the appropriate MySQL connector and install it in a similar way.
# wget
# cp ojdbc14.jar /srv/tomcat/lib/
# chown tomcat:tomcat /srv/tomcat/lib/ojdbc14.jar
# ls -l /srv/tomcat/lib
-rw-r--r-- 1 tomcat tomcat 1555682 Jan 11 11:33 ojdbc14.jar

7. Start the Setup Wizard

# /etc/init.d/tomcat start
# tail -f /srv/tomcat/logs/catalina.out
# tail -f

Go to

Use instructions at

Choose: ->Direct (JDBC) Connection ->

Setup Standard Database
Driver Class Name:     oracle.jdbc.OracleDriver
Database URL:
User Name:     Username
Password:     Password

Choose:  ->Example Site

Setup System Administrator -> Configure Account: admin/verysecretpassword

Go to Dashboard->Administration->Daily Backup Administration, and disable backups and attachments
Go to Dashboard->Dashboard->Administration->Attachment Storage, edit and choose "In Confluence's configured database"

8a. Configure LDAP integration with Confluence (If you need to. But you can skip this if you only want local authentication):
First read this:
Add LDAP Integration -
Automatically Add LDAP users to the confluence-users Group -
Global Permissions Overview -
Customising atlassian-user.xml -
Add LDAP Integration For User Authentication Only -
atlassian-user.xml reference -

[root@vera033 confluence]# cd /srv/confluence-3.2.1_01/confluence/WEB-INF/classes/
[root@vera033 classes]# cp atlassian-user.xml atlassian-user.xml.orig
[root@vera033 classes]# vi atlassian-user.xml
[root@vera033 classes]# cp seraph-config.xml seraph-config.xml.orig
[root@vera033 classes]# vi seraph-config.xml

Edit files:
[root@vera070 tmp]# diff -Naur atlassian-user.xml.orig atlassian-user.xml
--- atlassian-user.xml.orig     2010-05-11 13:12:54.000000000 +1000
+++ atlassian-user.xml  2010-05-11 12:35:53.000000000 +1000
@@ -17,30 +17,28 @@

-        <!--
-        <ldap key="ldapRepository" name="LDAP" cache="true">
-                       <host></host>
-                       <port>389</port>
-                       <securityPrincipal>cn=admin,dc=atlassian,dc=private</securityPrincipal>
-                       <securityCredential>secret</securityCredential>
-                       <securityProtocol>plain</securityProtocol>
-                       <securityAuthentication>simple</securityAuthentication>
-                       <baseContext>dc=atlassian,dc=private</baseContext>
-                       <baseUserNamespace>dc=staff,dc=perftest,dc=atlassian,dc=private</baseUserNamespace>
-                       <baseGroupNamespace>dc=groups,dc=perftest,dc=atlassian,dc=private</baseGroupNamespace>
-                       <usernameAttribute>cn</usernameAttribute>
-                       <userSearchFilter>(objectClass=inetorgperson)</userSearchFilter>
-                       <firstnameAttribute>givenname</firstnameAttribute>
+         <ldap key="ldapRepository" name="ldap://" cache="true">
+                       <host></host>
+                       <port>4389</port>
+                       <securityPrincipal></securityPrincipal>
+                       <securityCredential></securityCredential>
+                       <securityProtocol></securityProtocol>
+                       <securityAuthentication>none</securityAuthentication>
+                       <baseContext>o=My University,c=AU</baseContext>
+                       <baseUserNamespace>o=My University,c=AU</baseUserNamespace>
+                       <baseGroupNamespace>o=My University,c=AU</baseGroupNamespace>
+                       <usernameAttribute>uid</usernameAttribute>
+                       <userSearchFilter>(objectClass=person)</userSearchFilter>
+                       <firstnameAttribute>givenName</firstnameAttribute>
-                       <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
-                       <membershipAttribute>member</membershipAttribute>
-                       <userSearchAllDepths>false</userSearchAllDepths>
-                       <groupSearchAllDepths>false</groupSearchAllDepths>
+                       <groupSearchFilter>(objectClass=groupOfUniqueNames)</groupSearchFilter>
+                       <membershipAttribute>uniquemember</membershipAttribute>
+                       <userSearchAllDepths>true</userSearchAllDepths>
+                       <groupSearchAllDepths>true</groupSearchAllDepths>
-        -->
         <!-- END of LDAP Repository -->

         <!-- Default confluence user repository -->
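Review bot: the uncommented repository binds with securityAuthentication none and empty securityPrincipal/securityCredential over an empty securityProtocol (the removed example used plain), so both the directory searches and the per-user authentication binds travel as clear-text LDAP to port 4389; set securityProtocol explicitly, to the SSL/TLS value documented in the atlassian-user.xml reference linked above if the directory supports it, and prefer a read-only service account in securityPrincipal over an anonymous bind so the search scope is explicit. Also, userSearchAllDepths and groupSearchAllDepths are now true while baseUserNamespace and baseGroupNamespace both point at the directory root o=My University,c=AU, so a subtree search over (objectClass=person) matches every person entry in the organisation; confirm that is the intended user population before relying on it.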
[root@vera070 tmp]#
[root@vera070 tmp]#
[root@vera070 tmp]# diff -Naur seraph-config.xml.orig seraph-config.xml
--- seraph-config.xml.orig      2010-05-11 13:12:38.000000000 +1000
+++ seraph-config.xml   2010-05-11 13:15:32.000000000 +1000
@@ -26,7 +26,7 @@

     <rolemapper class=""/>
     <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>
-    <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
+    <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/>

         <service class="com.atlassian.seraph.service.PathService">
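Review bot: switching to ConfluenceGroupJoiningAuthenticator adds every account that can authenticate against the LDAP repository to confluence-users on first login, and with the root-level user namespace in the previous diff that is the whole directory population; check what confluence-users is granted under Global Permissions (linked above) before enabling this, and narrow baseUserNamespace or userSearchFilter if only a subset of the directory should get wiki access.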
[root@vera070 tmp]#

Copy those files to the right location:
[root@vera070 tmp]# cp atlassian-user.xml seraph-config.xml /srv/confluence/confluence/WEB-INF/classes/
[root@vera070 tmp]# chown -R tomcat:tomcat /srv/confluence /srv/confluence-3.2.1_01

After configuring LDAP, login twice with your LDAP user and check in the "Browse"->"People Directory" that there are no duplicate users.
If there are, go to "Browse"->"Confluence Admin"->"Content Indexing" and rebuild the index.


# yum install httpd httpd-devel gcc gcc-c++

Go to and download the source code:
# wget
# tar -xvzf tomcat-connectors-1.2.30-src.tar.gz

Read docs/webserver_howto/apache.html or native/BUILDING.txt for options.

# cd tomcat-connectors-1.2.30-src/native/
# which apxs
# ./configure --with-apxs=/usr/sbin/apxs --enable-api-compatibility
# make
# make install
See any operating system documentation about shared libraries for
more information, such as the ld(1) and manual pages.
chmod 755 /usr/lib64/httpd/modules/

Please be sure to arrange /etc/httpd/conf/httpd.conf...

# ls -l /etc/httpd/modules/
-rwxr-xr-x 1 root root 959821 Jan  7 14:10 /etc/httpd/modules/

# chkconfig --add httpd
# chkconfig httpd on

# mkdir -p /etc/httpd/conf/vhosts.d

6. Add these lines to the /etc/httpd/conf/httpd.conf file:

Include /etc/httpd/conf/mod_jk.conf
Include /etc/httpd/conf/vhosts.d/*.conf

7. Create /etc/httpd/conf/mod_jk.conf:

# cat /etc/httpd/conf/mod_jk.conf
LoadModule jk_module modules/

# mod_jk config
# Where to find
# Update this path to match your conf directory location (put next to httpd.conf)
JkWorkersFile /etc/httpd/conf/
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile /var/log/httpd/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
#JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
# Globally deny access to the WEB-INF directory
<LocationMatch '.*WEB-INF.*'>
AllowOverride None
deny from all
</LocationMatch>

8. Create /etc/httpd/conf/ file (I've commented several options I've used for testing):

# cat /etc/httpd/conf/
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
# We define a workers named worker1 and worker2
# (the active worker1 definition did not survive on this page; the four
#  lines below are reconstructed from the AJP connector on port 8009 and
#  the JkMount /* worker1 used later in this guide)
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
# worker.list=worker1,worker2
# worker.worker2.type=ajp13
# worker.worker2.port=8009
# worker.worker2.lbfactor=1

# Load-balancing behaviour (add when you have more than 1 worker and change and worker.list accordingly)
# worker.loadbalancer.type=lb

# Status worker for managing load balancer (add when you have more than 1 worker)
# worker.status.type=status

9. Create /etc/httpd/conf/vhosts.d/

# cat /etc/httpd/conf/vhosts.d/
NameVirtualHost *:80

<VirtualHost *:80>
ServerAlias vera033

# Just in case
DocumentRoot /srv/vera

# if not specified, the global error log is used
ErrorLog /var/log/httpd/
CustomLog /var/log/httpd/ combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off

# Add index.jsp to DirectoryIndex files
DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp

JkMount /* worker1
# JkMount /*.jsp worker1
</VirtualHost>

9a. Create /srv/vera
# mkdir -p /srv/vera

10. Finally, you must edit $CATALINA_HOME/conf/server.xml to make sure that the AJP connection is enabled on port 8009, and to turn off clear-text traffic on port 8080. The AJP connector should NOT be commented out:
# vi /srv/tomcat/conf/server.xml
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" address="" redirectPort="8443" />

Make sure you're asking Tomcat to listen for connections on localhost only (the address attribute), so it ignores your public-facing traffic, for even tighter security.

And the HTTP connector on port 8080 should be commented out (no need to listen on 8080 in our case):

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <!-- <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" /> -->
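To check that a server.xml actually matches the two rules in this step (AJP bound to localhost only, no clear-text HTTP connector left enabled) together with the URIEncoding setting from step 5, here is a small Python audit script. It is an added example, not part of the original guide; the embedded server.xml is a constructed sample and audit_file() is a helper name chosen here. It goes slightly beyond the text by also reporting a connector with no address attribute at all, because Tomcat then binds to every interface.

```python
"""Audit Tomcat connectors in server.xml for the hardening described above.

Added example, not part of the original guide. SAMPLE_SERVER_XML is
constructed for the demonstration; point audit_file() at a real
/srv/tomcat/conf/server.xml to check an installation.
"""
import xml.etree.ElementTree as ET

# Addresses that only accept connections from the local host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one exposed HTTP connector, one AJP connector bound
# to loopback, plus a commented-out connector that must be ignored.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8"
               address="127.0.0.1" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return a list of (port, finding) tuples for every active Connector.

    The XML parser drops comments, so a commented-out connector is
    correctly treated as disabled.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        # Tomcat binds to all interfaces when address is absent.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append((port, "listens on %s, not loopback" % address))
        if protocol.startswith("HTTP") and conn.get("SSLEnabled", "false") != "true":
            findings.append((port, "clear-text HTTP connector is enabled"))
        if conn.get("URIEncoding") != "UTF-8":
            findings.append((port, "URIEncoding is not UTF-8"))
    return findings


def audit_file(path):
    """Audit a server.xml on disk (hypothetical helper, added here)."""
    with open(path, encoding="utf-8") as fh:
        return audit_connectors(fh.read())


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```

Run it against the sample and the 8080 connector is reported three times (exposed on all interfaces, clear-text, no URIEncoding) while the loopback-bound AJP connector and the commented-out connector produce nothing; once the 8080 connector is commented out as in this step, the report is empty.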

Now let's instruct APACHE to handle HTTPS traffic, with Tomcat backstage:

# yum install mod_ssl openssl

# ls -l /etc/pki/tls/certs

Option I:
Generate a self-signed certificate
Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will need a certificate from a Trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root, so either su to root or put sudo in front of the commands.

a.1) Generate private key
openssl genrsa -out ca.key 1024

a.2) Generate CSR
# openssl req -new -key ca.key -out ca.csr

b) Generate Self Signed Key
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

c) Move the files to the correct locations
# mv ca.crt /etc/pki/tls/certs
# mv ca.key /etc/pki/tls/private/ca.key
# mv ca.csr /etc/pki/tls/private/ca.csr

d) In /etc/httpd/conf/vhosts.d/01vera033.its.your.domain.conf you will only need to add these 2 lines to the <VirtualHost *:443> section:

SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Unlike Option II (Path to production) where we add 3 lines:

SSLCertificateFile /etc/pki/tls/certs/
SSLCertificateKeyFile /etc/pki/tls/private/
SSLCACertificateFile /etc/pki/tls/certs/thawteintermediate.crt

Option II (Path to production):

a) To create a private key without using the triple des encryption standard, use the following command:

# cd /srv/home/lkolchin/keys
# openssl genrsa -out 1024

b) Create a Certificate Signing Request

To obtain a certificate signed by a certificate authority, you will need to create a Certificate Signing Request (CSR). The purpose is to send the certificate authority enough information to create the certificate without sending the entire private key or compromising any sensitive information. The CSR also contains the information that will be included in the certificate, such as, domain name, locality information, etc.

    * Locate the private key that you would like to create a CSR from. Enter the following command:

You will be prompted for Locality information, common name (domain name), organizational information, etc. Check with the CA that you are applying to for information on required fields and invalid entries.
Send the CSR to the CA per their instructions.
Wait for your new certificate and/or create a self-signed certificate. A self-signed certificate can be used until you receive your certificate from the certificate authority.
[root@vera033 keys]# openssl req -new -key -out
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:Victoria
Locality Name (eg, city) [Newbury]:Clayton
Organization Name (eg, company) [My Company Ltd]:My University
Organizational Unit Name (eg, section) []:e-Research Centre
Common Name (eg, your name or your server's hostname) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -l
total 8
-rw-r--r-- 1 root root 773 Mar  3 13:39
-rw-r--r-- 1 root root 887 Mar  3 13:22

c) Now go to the CA (Thawte in this case) to obtain a certificate; I'll get a trial for now ;)

Use this contact info:
My University
My campus
My Road
VIC 3204

Select RedHat Platform.

d) # cat

e) Paste Certificate Signing Request (CSR) inside the form.

f) Once you've got the certificates, copy them:

You'll get your "Your Thawte trial SSL certificate:" and "Thawte Test CA Root certificate"

Let's call them and thawteintermediate.crt accordingly.
# cp thawteintermediate.crt /etc/pki/tls/certs/
# cp /etc/pki/tls/private/
# chmod go-rwx /etc/pki/tls/private/

3. Edit /etc/httpd/conf/vhosts.d/

# cat /etc/httpd/conf/vhosts.d/
NameVirtualHost *:80

<VirtualHost *:80>
ServerAlias vera033

DocumentRoot /srv/vera

# if not specified, the global error log is used
ErrorLog /var/log/httpd/
CustomLog /var/log/httpd/ combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off

# Add index.jsp to DirectoryIndex files
DirectoryIndex index.php index.html index.htm index.shtml index.php4 index.php3 index.phtml index.cgi index.jsp

# JkMount /* worker1
# JkMount /*.jsp worker1
RedirectMatch ^/$
RedirectMatch ^/(.+)$1
</VirtualHost>

NameVirtualHost *:443

<VirtualHost *:443>
DocumentRoot /srv/vera

JkMount /* worker1
# JkMount /*.jsp worker1

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2


SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLCertificateFile /etc/pki/tls/certs/
SSLCertificateKeyFile /etc/pki/tls/private/
SSLCACertificateFile /etc/pki/tls/certs/thawteintermediate.crt
</VirtualHost>

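As an added check for the virtual host layout above (not code from the original guide), the Python script below parses a vhost .conf of this shape and reports what this section cares about: SSLEngine on plus the certificate and key directives in the *:443 host, the JkMount kept out of the *:80 host, and a redirect to https in the *:80 host. The config text inside it is constructed with placeholder host names and certificate paths. It goes one step beyond the SSLProtocol line in the text by also reporting SSLv3 when it is left enabled.

```python
"""Audit Apache virtual hosts in a vhost .conf for the HTTPS setup above.

Added example, not part of the original guide. SAMPLE_CONF mirrors the
guide's layout (an *:80 host that only redirects, an *:443 host carrying
the SSL directives and the JkMount); its host names and paths are
placeholders. Backslash line continuations are handled, as in the
guide's CustomLog line.
"""
import re

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)

SAMPLE_CONF = r"""
NameVirtualHost *:80
<VirtualHost *:80>
ServerName wiki.example.test
DocumentRoot /srv/vera
# JkMount /* worker1
RedirectMatch ^/$ https://wiki.example.test/
RedirectMatch ^/(.+)$ https://wiki.example.test/$1
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
ServerName wiki.example.test
DocumentRoot /srv/vera
JkMount /* worker1
SSLEngine on
SSLProtocol all -SSLv2
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCertificateFile /etc/pki/tls/certs/placeholder.crt
SSLCertificateKeyFile /etc/pki/tls/private/placeholder.key
SSLCACertificateFile /etc/pki/tls/certs/placeholder-intermediate.crt
</VirtualHost>
"""


def parse_vhosts(text):
    """Return [(address, {directive_lower: [args, ...]}), ...] per <VirtualHost>."""
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = (opened.group(1).strip(), {})
            continue
        if VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        if current is not None:
            name, _, args = line.partition(" ")
            current[1].setdefault(name.lower(), []).append(args.strip())
    return vhosts


def audit_vhosts(text):
    """Return (address, finding) tuples for the checks this section describes."""
    findings = []
    for address, d in parse_vhosts(text):
        if address.endswith(":443"):
            if d.get("sslengine", [""])[0].lower() != "on":
                findings.append((address, "SSLEngine is not on"))
            proto = d.get("sslprotocol", ["all"])[0].lower().split()
            for old in ("SSLv2", "SSLv3"):
                low = old.lower()
                enabled = "all" in proto or "+" + low in proto or low in proto
                if "-" + low not in proto and enabled:
                    findings.append((address, "%s is not disabled" % old))
            for key in ("sslcertificatefile", "sslcertificatekeyfile"):
                if key not in d:
                    findings.append((address, "missing " + key))
        else:
            if "jkmount" in d:
                findings.append((address, "application is mounted over clear-text HTTP"))
            redirects = d.get("redirectmatch", []) + d.get("redirect", [])
            if not any("https://" in r for r in redirects):
                findings.append((address, "no redirect to https"))
    return findings


if __name__ == "__main__":
    for address, finding in audit_vhosts(SAMPLE_CONF):
        print("%s: %s" % (address, finding))
```

On the sample the only report is that SSLv3 is still enabled in the *:443 host; adding -SSLv3 to the SSLProtocol line clears it, and uncommenting the JkMount in the *:80 host produces a second finding for serving the application over clear-text HTTP.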

4. Remove the default "SSL Virtual Host Context"
# vi /etc/httpd/conf.d/ssl.conf

Remove the whole block that starts with
<VirtualHost _default_:443>

5. In Confluence Admin Interface go to "Browse"->"Confluence Admin"->"General Configuration"

Also change other settings as needed there.

I think that's it ;)

Now you've got the best enterprise wiki on your own server!!!

Created by:
Leon Kolchinsky
Senior Software Specialist and Unix/Linux System Administrator at Monash Uni.
