Chapter 2. New Features and Enhancements
2.1. Apache HTTP Server Separated from Tomcat
The Apache HTTP Server distribution is now shared between the JWS and JBoss Core Services entitlements. The shared distribution can be downloaded as a ZIP from the Apache HTTP Server download page on the support portal. The RPM distribution of the HTTP Server must be consumed from the JBCS channel, while the Tomcat servers will continue to be delivered in the JWS3 channel.
Installation instructions for the Apache HTTP Server are provided in the Apache HTTP Server Installation Guide. You should refer to that guide for instructions for ZIP and RPM setup on the set of supported operating systems.
Maintenance for the Apache HTTP Server and the Tomcat servers will no longer be coordinated in JWS minor and micro releases. The HTTP server and the Tomcat servers will receive independent updates intended to provide more timely fixes for security issues and other high-priority defects.
2.2. Transition from httpd24 (JWS3 Channel) to jbcs-httpd24-httpd (JBCS Channel)
To install httpd with JWS 3.1.0, you need to subscribe to and enable the JBCS channel. The httpd package has moved from the JWS channel to the JBCS channel. If you are using httpd, then migrate from the httpd24 package in JWS to the new jbcs-httpd24-httpd package from the JBCS software collections.
2.3. tomcat-native Dependencies Available in the JBCS Channel
The tomcat-native package requires the jbcs-httpd24-httpd-libs and jbcs-httpd24-openssl packages, which are available only in the JBCS channel. To access them, you have to subscribe to and enable the JBCS channel.
2.4. Tomcat
- Inclusion of the latest available version of Tomcat 8.0.36.
- Inclusion of the latest available version of Tomcat 7.0.70.
- Replaced the existing init scripts for Tomcat 7 and Tomcat 8 with systemd units on Red Hat Enterprise Linux 7.
2.5. Using a Password Vault with Red Hat JBoss Web Server 3.1
A password vault is used to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. This allows you to eliminate storing clear-text passwords in your Tomcat configuration files, as Tomcat can look up passwords and other sensitive strings from a keystore using the vault.
For more information about using a password vault, see Using a Password Vault with Red Hat JBoss Web Server 3.1.
2.6. SELinux Policies in RHEL ZIP for Tomcat
In this release, SELinux policies are provided in the ZIP packages. The SELinux security model is enforced by the kernel and ensures applications have limited access to resources such as file system locations and ports. This helps ensure that errant processes (either compromised or poorly configured) are restricted and in some cases prevented from running. The .postinstall.selinux file is included in each tomcat folder. If required, you can run the .postinstall.selinux script.
To install the SELinux policies using ZIP:
- Install the prerequisite packages:
  - selinux-policy-devel
  - Tomcat 7 or 8
- Download and unzip the JWS Tomcat distribution from the JWS channel.
- Execute the following commands:
    cd $JWS_HOME/tomcat7    # or: cd $JWS_HOME/tomcat8
    sh .postinstall.selinux
    cd selinux
    make -f /usr/share/selinux/devel/Makefile
    semodule -i tomcat7.pp    # or: semodule -i tomcat8.pp
    cd $JWS_HOME
- Start the Tomcat service:
    bin/startup.sh
- Check the context of the running process, expecting tomcat7_t:
    ps -eZf | grep tomcat | head -n1
- Verify the contexts of the Tomcat log directory and so on:
    ls -lZ tomcat7/logs/
2.7. SELinux Policies in RHEL RPM for Tomcat
SELinux policies for each Tomcat are provided via their own Tomcat sub-packages: tomcat7-selinux and tomcat8-selinux. These packages are available in the JWS channel.
- To enable SELinux policies on Tomcat 7, install the tomcat7-selinux package.
- To enable SELinux policies on Tomcat 8, install the tomcat8-selinux package.
2.8. Hibernate
- Upgraded to Hibernate version 4.2.23.
2.9. Microsoft Azure Testing and Certification
- JBoss Web Server 3.1 has been tested and certified for Microsoft Azure.
2.10. Updated CGIServlet to Resolve httpoxy Issue
In this release, a CGIServlet fix is provided for the httpoxy issue (see CVE-2016-5388). The envHttpHeaders parameter is included in the CGIServlet to solve the httpoxy issue.
You can also configure the filter and valve to resolve the httpoxy issue. For more information about using the filter and valve, see HTTPoxy - Is my JBoss/tomcat affected?.
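The following is an added illustration, not code from JBoss Web Server or Tomcat, of the allowlist idea behind envHttpHeaders: only headers whose upper-cased name fully matches the pattern are exported to a CGI process as HTTP_* variables, so a client-supplied Proxy header never becomes HTTP_PROXY. The pattern value and the full-match semantics are assumptions modeled on the Tomcat CGI documentation; the function name and sample headers are hypothetical.

```python
import re

# Assumption: pattern modeled on the default documented for Tomcat's
# envHttpHeaders parameter; confirm it against your version's CGI docs.
ENV_HTTP_HEADERS = (
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)


def cgi_http_env(headers, allow_pattern=None):
    """Model the mapping of request headers to CGI HTTP_* variables.

    Naming follows RFC 3875: upper-case the name, replace '-' with '_',
    prefix with HTTP_. With allow_pattern=None every header is exported
    (no filtering). Otherwise the upper-cased header name must match the
    whole pattern, and anything else is dropped.
    Returns (env, dropped_header_names).
    """
    allow = re.compile(allow_pattern) if allow_pattern else None
    env, dropped = {}, []
    for name, value in headers.items():
        upper = name.upper()
        if allow is not None and not allow.fullmatch(upper):
            dropped.append(name)
            continue
        env["HTTP_" + upper.replace("-", "_")] = value
    return env, dropped


# Constructed sample request headers (not taken from the page).
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.50.0",
    "Accept-Language": "en",
    "Proxy": "http://192.0.2.10:8080",
}

if __name__ == "__main__":
    unfiltered, _ = cgi_http_env(SAMPLE_HEADERS)
    filtered, dropped = cgi_http_env(SAMPLE_HEADERS, ENV_HTTP_HEADERS)
    print("unfiltered exports HTTP_PROXY:", "HTTP_PROXY" in unfiltered)
    print("filtered exports HTTP_PROXY:  ", "HTTP_PROXY" in filtered)
    print("dropped headers:", dropped)
```

If a CGI script legitimately needs an extra header, extend the pattern with that exact name rather than a broad wildcard, so PROXY stays excluded.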