diff --git a/molecule/resources/files/server.xml b/molecule/resources/files/server.xml
new file mode 100644
index 0000000000000000000000000000000000000000..bf81ebdcde01d45dc067284cbdcb3418614ac500
--- /dev/null
+++ b/molecule/resources/files/server.xml
@@ -0,0 +1,193 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+ <!-- Security listener. Documentation at /docs/config/listeners.html
+ <Listener className="org.apache.catalina.security.SecurityListener" />
+ -->
+ <!-- APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ <Resource name="shared/jdbc/RosettaDS" auth="Container" type="javax.sql.DataSource" defaultAutoCommit="false"
+ factory="com.exlibris.core.infra.base.security.EncryptedDataSourceFactory"
+ driverClassName="oracle.jdbc.driver.OracleDriver"
+ url="jdbc:oracle:thin:@sdvlzarosoradev:1521:dps" username="V2SL_ros00" password="WjBb+90ZhMxVGsQlsw27iQ=="
+ maxActive="200" maxIdle="10" minIdle="5" maxWait="10000" initialSize="5"
+ testOnBorrow="true" testOnReturn="true" maxAge="36000000"
+ validatorClassName="com.exlibris.core.infra.base.security.ContextValidatorConnection"/>
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+ -->
+ <Connector port="1801" maxHttpHeaderSize="8192"
+ protocol="org.apache.coyote.http11.Http11NioProtocol" enableLookups="false" redirectPort="8443"
+ acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
+ compression="on" URIEncoding="UTF-8" executor="tomcatThreadPool" server=" "
+ compressibleMimeType="text/html,text/xml,application/xml,text/css,text/javascript,application/javascript,image/png"
+ relaxedQueryChars="[]"/>
+
+
+
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ scheme="https" secure="true" SSLEnabled="true"
+ keystoreFile="/exlibris/dps/.keystore" keystorePass="hHbjtAx5dPVeDNmFqMKo"
+ clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
+ relaxedQueryChars="[]"/>
+
+
+
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
+ This connector uses the NIO implementation. The default
+ SSLImplementation will depend on the presence of the APR/native
+ library and the useOpenSSL attribute of the AprLifecycleListener.
+ Either JSSE or OpenSSL style configuration may be used regardless of
+ the SSLImplementation selected. JSSE style configuration is used below.
+ -->
+ <!--
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true">
+ <SSLHostConfig>
+ <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+ -->
+ <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
+ This connector uses the APR/native implementation which always uses
+ OpenSSL for TLS.
+ Either JSSE or OpenSSL style configuration may be used. OpenSSL style
+ configuration is used below.
+ -->
+ <!--
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+ maxThreads="150" SSLEnabled="true" >
+ <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+ <SSLHostConfig>
+ <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
+ certificateFile="conf/localhost-rsa-cert.pem"
+ certificateChainFile="conf/localhost-rsa-chain.pem"
+ type="RSA" />
+ </SSLHostConfig>
+ </Connector>
+ -->
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+ <!--
+ <Connector protocol="AJP/1.3"
+ address="::1"
+ port="8009"
+ redirectPort="8443" />
+ -->
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="sdvlzarosappdev.slub-dresden.de:1801">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+ via a brute-force attack -->
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
+
+ <Host name="localhost" appBase="webapps" unpackWARs="true"
+ autoDeploy="false" deployXML="false">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+
+ <!-- Access log processes all example. Documentation at: /docs/config/valve.html
+ Note: The pattern used is equivalent to using pattern="common" -->
+
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ prefix="localhost_access_log." suffix=".log" pattern="%h "%{X-Forwarded-For}i" %l %u %t %r %s %b %D %S %T %I %{institute}c "%{User-Agent}i""
+ directory="${jboss.server.log.dir}/access_log" resolveHosts="false" />
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ directory="logs" prefix="localhost_access_log." suffix=".txt"
+ pattern="%h %l %u %t "%r" %s %b" />
+ -->
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
index 5dd7c5e32c6f13cd53b0563d4db9b7db3ed9fbe7..66ab4151add612e1c722b269a5f2a525821f4cf5 100644
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -49,6 +49,20 @@
path: "/etc/yum.repos.d/SLUB.repo"
state: absent
become: true
+ - name: create Tomcat server.xml file
+ block:
+ - name: create Tomcat directory
+ ansible.builtin.file:
+ path: "/exlibris/dps/d4_1/system.dir/thirdparty/tomcat/conf/"
+ state: directory
+ mode: "0755"
+ become: true
+ - name: copy Tomcat config
+ ansible.builtin.copy:
+ src: "../files/server.xml" # noqa no-relative-paths
+ dest: "/exlibris/dps/d4_1/system.dir/thirdparty/tomcat/conf/"
+ mode: "0644"
+ become: true
- name: create sudo group, because we ignore RHEL's wheel group
ansible.builtin.group:
name: "sudo"
diff --git a/tasks/rosetta/configure_tomcat.yml b/tasks/rosetta/configure_tomcat.yml
new file mode 100644
index 0000000000000000000000000000000000000000..247b1e38f6deac034ecfe88364f5c0800d894178
--- /dev/null
+++ b/tasks/rosetta/configure_tomcat.yml
@@ -0,0 +1,29 @@
+---
+- name: install prerequisites for using community.general.xml module
+ ansible.builtin.package:
+ name: "python-lxml"
+ state: latest
+
+- name: find server.xml
+ ansible.builtin.stat:
+ path: "/exlibris/dps/d4_1/system.dir/thirdparty/tomcat/conf/server.xml"
+ changed_when: false
+ register: serverxml
+
+- name: configure Tomcat, if it's installed by Rosetta
+ community.general.xml:
+ path: "/exlibris/dps/d4_1/system.dir/thirdparty/tomcat/conf/server.xml"
+ backup: true
+ xpath: "{{ item.xpath }}"
+ attribute: "{{ item.attribute }}"
+ value: "{{ item.value }}"
+ loop:
+ # configure Tomcat crypto to mitigate against Greenbone OID: 1.3.6.1.4.1.25623.1.0.106223
+ - xpath: "/Server/Service/Connector[@port='8443']"
+ attribute: "ciphers"
+ value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
+ # configure Tomcat maxActive workers for performance
+ - xpath: "/Server/GlobalNamingResources/Resource[@name='shared/jdbc/RosettaDS']"
+ attribute: "maxActive"
+ value: "2000"
+ when: serverxml.stat.exists
diff --git a/tasks/rosetta/main_rosetta.yml b/tasks/rosetta/main_rosetta.yml
index 941d1fef128e76acae1615e7b8885f440d7ddbad..2e0eef48bd72e317635a9ece804030bf57eceba2 100644
--- a/tasks/rosetta/main_rosetta.yml
+++ b/tasks/rosetta/main_rosetta.yml
@@ -34,3 +34,6 @@
- name: install error summary
ansible.builtin.import_tasks: "rosetta/install_error_summary.yml"
tags: [monitoring, reporting, visibility, errorsummary]
+- name: configure Tomcat server
+ ansible.builtin.import_tasks: "rosetta/configure_tomcat.yml"
+ tags: [rosetta, tomcat, java]