Using Apache Tomcat Server

This page is targeted at Scala Developers, who want to get a simple, or multiple web applications going, or create a dynamic web site using Scala. However nearly everything will also apply to people who want to use Java, Kotlin and other JVM language. Its not geared towards advanced professional Scala developers who will almost all be using other solutions. If like me you come to the Tomcat Server, with only the experience of running Apache vanilla servers, setting up Tomcat is significantly more complicated than the extreme simplicity of installing an Apache Vanilla server. Note referring to it as Apache Vanilla is my own naming scheme as referring to it just as "Apache" can be confusing. So here follows a list of steps for setting up Tomcat on your own Desktop, laptop, home server or VPS.

There are default values here that you can change as you work down the page. Although once you've used a value, stick with it or you will create an inconsistent system. Insert your own values below. the data is used for page generation locally and is not sent back to our servers.

  1. Upgrade packages. sudo apt update sudo apt upgrade Install Fail2Ban to protect against brute force login attacks sudo apt install fail2ban sudo systemctl enable --now fail2ban
  2. Lease a VPS. A virtual private server. The price of these have dropped considerably over the years and will almost certainly continue to drop. You can purchase a VPS with a couple of cores and 4 Gig of RAM for a few dollars / pounds / Euros a month these days. If you are really tight with money you could probably get away with 2 gigs, but I would recommend starting with a comfortable 4 gigs. When starting out I recommend just buying monthly, as your needs will change. For the time being I don't have enough experience to make recommendations. I've had good service from Digital Ocean for a number of years running a VPS for Apache Vanilla, but they are some what pricey to get 4 gigs of ram for a small project with minimal users. I intend to come back and update this later. I'm currently using an Ubuntu Operating System, just out of familiarity. Now obviously if you are using your own desktop, laptop or home server, you won't need this step and you will probably want to try that first before spending money on a VPS. But you will almost certainly need one to get your site / app out to the world.
  3. Install Java. Currently suggesting Java 25 LTS. Note the jdk at the end of the version. sudo apt install openjdk-25-jdk -y Check the version java -version
    openjdk version "25" 2025-09-16
    OpenJDK Runtime Environment (build 25+36-Ubuntu-1)
    OpenJDK 64-Bit Server VM (build 25+36-Ubuntu-1, mixed mode, sharing)
     Open the all users environment configuration file sudo nano /etc/environment Add line JAVA_HOME=/usr/lib/jvm/java-25-openjdk-amd64 Save and exit (Ctrl-X and then Y) sudo reboot After reboot or logging in again for remote server echo $JAVA_HOME /usr/lib/jvm/java-25-openjdk-amd64
  4. Create a new user and a new group of the same name and add it to the sudo group. For these examples we'll call it 'tommy'. I find it better to have a different name for the user than the folder we will create next. Again for desktop, laptop and home server this is not necessary and you can use your own username. sudo useradd -ms /bin/bash -G sudo tommy sudo passwd tommy
  5. Create a directory for tomcat and change the owner and group. The directory doesn't have to be called tomcat and placed in the Opt directory, but this is a pretty standard schema. You can use your own username on a home machine. sudo mkdir /opt/tomcat sudo chown tommy:tommy /opt/tomcat Switch user to tommy. Then change directory. Change user unless, you already login in as the tomcat owner. sudo su tommy cd /opt/tomcat Create a directory called Base inside the tomcat directory. This will be used for CatalinaBase and will allow you to keep configuration files to use with multiple installs and major version changes of Apache. tommy@computer:/opt/tomcat mkdir Base
  6. Go to the Tomcat Download page: https://tomcat.apache.org/download-11.cgi . Currently we're on major version 11. Generally you should use the latest version. I haven't tested these instructions before 10.0, but they should work at least back to version 9, if you have some specific reason to use an earlier version. At the time of updating the latest sub version is 11.0.14. Make sure you download the latest sub version, because Apache cut the links to the older sub versions. Copy the tar.gz file link into the browser. Once its downloaded copy the sha256 code into the next command to check the integrity of the download. If its good the sha code should be echoed back in red and the file name in white. tommy@computer:/opt/tomcat wget https://dlcdn.apache.org/tomcat/tomcat-11/v11.0.14/bin/apache-tomcat-11.0.14.tar.gz tommy@computer:/opt/tomcat sha512sum apache-tomcat-11.0.14.tar.gz | grep alongsequenceoflettersanddigits
  7. Then unpack the tar file and create a link. This will allow us to easily swap in an updated minor version of Tomcat 11.0. These are released frequently. tommy@computer:/opt/tomcat tar xf apache-tomcat-11.0.14.tar.gz -C /opt/tomcat tommy@computer:/opt/tomcat ln -s apache-tomcat-11.0.14 tom11 Then checking what we've got. tommy@computer:/opt/tomcat ls apache-tomcat-11.0.14 apache-tomcat-11.0.14.tar.gz Base tom11
  8. Create the logs and conf directories and copy across the server.xml and web.xml files from the installation directory structure to the base directory structure. If the catalina base and catalina home directories are the same, which is often the case in beginners installation instructions, then this is redundant. tommy@computer:/opt/tomcat mkdir Base/logs tommy@computer:/opt/tomcat mkdir Base/conf tommy@computer:/opt/tomcat cp tom11/conf/server.xml tom11/conf/web.xml Base/conf Create a home page for your server. Again not necessary if base and home are set to the same directory, as Tomcat comes with web pages and example apps. tommy@computer:/opt/tomcat mkdir -p Base/webapps/ROOT tommy@computer:/opt/tomcat nano Base/webapps/ROOT/index.html Copy the code below into the editor. 
    <!doctype html>
<html>
<head>
<title>Holding Page</title>
<meta charset='UTF-8'>
<meta name='viewport' content='width=device-width,initial-scale=1.0'>
</head>

<body>
<h1>Holding Page</h1>
This is coming from computer, a tomcat 11.0.14 server
</body>
</html>
  9. Create a systemd unit file. sudo nano /etc/systemd/system/tom11.service Add the following code. Then control o, return, control x.
    [Unit]
    Description=Apache Tomcat 11.0 Web Application Container
    After=network.target

    [Service]
    Type=forking

    Environment="JAVA_HOME=/usr/lib/jvm/java-1.25.0-openjdk-amd64"
    Environment="CATALINA_PID=/opt/tomcat/Base/temp/tomcat.pid"
    Environment="CATALINA_HOME=/opt/tomcat/tom11/"
    Environment="CATALINA_BASE=/opt/tomcat/Base/"
    Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
    Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"
    ExecStart=/opt/tomcat/tom11/bin/startup.sh
    ExecStop=/opt/tomcat/tom11/bin/shutdown.sh
    User=tommy
    Group=tommy
    UMask=0007
    RestartSec=10
    Restart=always
    [Install]
    WantedBy=multi-user.target
  10. Check if Apache2 Vanilla is running. It seems to be running by default on Ubuntu Server. sudo systemctl status apache2 If its running sudo systemctl disable apache2 sudo systemctl stop apache2 Then reset Systemd sudo systemctl daemon-reload sudo systemctl start tom11 sudo systemctl status tom11 If status good, open a web page at the IpNumber:8080, or the DomainName:8080 on a VPS, or on a local machine at localhost:8080. On a VPS you will probably want to now enable the server to start automatically, but perhaps not if this is your personal laptop or desktop sudo systemctl enable tom11
  11. To switch to port 80 the http defaults sudo apt install authbind sudo touch /etc/authbind/byport/80 sudo chown tommy: /etc/authbind/byport/80 sudo chmod 500 /etc/authbind/byport/80 And for HTTPS to use 443 sudo touch /etc/authbind/byport/443 sudo chown tommy: /etc/authbind/byport/443 sudo chmod 500 /etc/authbind/byport/443 Reopen the Systemd Unit file. sudo nano /etc/systemd/system/tom11.service
    Change ExecStart=/opt/tomcat/tom11/bin/startup.sh to ExecStart=authbind --deep /opt/tomcat/tom11/bin/startup.sh
    Open the Tomcat configuration file. sudo nano /opt/tomcat/Base/conf/server.xml
    Change <Connector port="8080" protocol to <Connector port="80" protocol
    Change redirectPort=\"8443\" to redirectPort=\"443\"
    reset sudo systemctl daemon-reload sudo systemctl restart tom11 The page should now be available without the port :8080 suffix.
  12. Install snap sudo apt install snapd Install certbot sudo snap install --classic certbot certbot 5.1.0 from Certbot Project (certbot-eff✓) installed Ensure that the cerbot command can be run sudo ln -s /snap/bin/certbot /usr/bin/certbot Stop tomcat. sudo systemctl stop tom11 Install certificate. When asked to enter domain name, you can enter multiple web domains, but you only use the first in the ensuing commands. sudo certbot certonly --standalone Configure permissions to certificates sudo chgrp -R tommy /etc/letsencrypt/live/ sudo chgrp -R tommy /etc/letsencrypt/archive/ sudo chmod -R 750 /etc/letsencrypt/live/ sudo chmod -R 750 /etc/letsencrypt/archive/ sudo chmod 640 /etc/letsencrypt/live/mywebsite.com/privkey.pem sudo chmod 644 /etc/letsencrypt/live/mywebsite.com/cert.pem sudo chmod 644 /etc/letsencrypt/live/mywebsite.com.com/chain.pem Check permissions - if you dont have access then something wrong... ls -la /etc/letsencrypt/live/richstrat.com/
  13. Configure Tomcat to use 443 & link to ssl cert above nano /opt/tomcat/Base/conf/server.xml Uncomment the section and modify as below 
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" SSLEnabled="true" secure="true" scheme="https">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <SSLHostConfig>
    <Certificate certificateFile="/etc/letsencrypt/live/mywebsite.com/cert.pem"
      certificateKeyFile="/etc/letsencrypt/live/mywebsite.com/privkey.pem"
      certificateChainFile="/etc/letsencrypt/live/mywebsite.com/chain.pem" />
  </SSLHostConfig>
</Connector>
     Restart Tomcat sudo systemctl start tom11 sudo systemctl status tom11 Go to https://mywebsite.com