Cat in the Cloud: Apache Tomcat in Amazon EC2
Part I - The Basics
Last update: 02-May-2012
By Dmitry LESKOV
This article is part of a step-by-step guide for Java Web application
developers wanting to get their feet wet in the Amazon cloud.
If you are not totally new to Amazon EC2, you may wish
to either skip the first section or go straight to:
Part II - Taking Control Over Your Java Stack
Part III - Advanced Topics (such as running on port 80)
Creating an Amazon EC2 Instance
If you have not done so yet, create an Amazon Web Services (AWS) account.
As of August 2011, you may test drive AWS at no cost for up to one year,
provided you do not go beyond certain usage limits.
Go to http://aws.amazon.com/,
click "Create an AWS Account" and follow the prompts.
There are two caveats to the sign-up process. First,
you need to enter a valid phone number and have it verified
before you can use the service. A robot will call you and ask you to enter
your PIN code using your phone key pad.
You also need to provide your credit card data even if you sign up
for the free tier, so that Amazon can start charging you if you do go beyond
the free tier limits.
Sign in to the AWS Management Console, switch to the Amazon EC2 tab,
and click the Launch Instance button.
What actually launches is the Request Instances Wizard.
Choose an Amazon Machine Image (AMI) and click the Select button next to it.
On the free tier, your choice is limited to Amazon Linux AMIs and selected Community AMIs.
Also, you may only launch micro instances that have less than 1GB of RAM,
so it does not make much sense to select a 64-bit AMI.
Below it is assumed that you have selected the Basic 32-bit Amazon Linux AMI.
You may click Continue on the first two screens of the Instance Details step
— the defaults are okay and may be changed later anyway. On the third screen,
assign a name to your instance for ease of future management.
Type the name into the Value field and click Continue.
On the Key Pair step, create a new key pair: enter a name and click
Create & Download your Key Pair.
Save the key pair file (
On the Configure Firewall screen, create a new Security Group.
There will be a rule for SSH access. As a minimum, you should add
All ICMP (for ping to work), and a custom TCP rule for port 8080.
Add a rule for
HTTP if you want to access Tomcat on port 80 or
run it behind an HTTP proxy.
You may wish to restrict SSH access by IP address for extra security.
Delete the preconfigured SSH rule, and add a new one, specifying
your Internet connection netmask for Source.
When you are done with firewall rules, click Continue.
Review the instance settings and click Launch.
Click View your instances on the Instances page.
In the Show/Hide Columns dialog,
check only the Status and Public DNS boxes.
Uncheck the rest for now. You can always enable other columns later.
Your instance is now up and running, and it has been assigned a public IP address
and DNS name that you and others may use to connect to it from anywhere on the Internet.
(It also has a private IP address and DNS name for communication with other instances.)
It seems that an instance with a public IP address of
will have a Public DNS name beginning with
but this is not documented.
Copy the Public DNS address to the clipboard…
…and log in to your instance via SSH as user “
On Linux, use the
-i option to specify your key to
ssh -i key-pair-file ec2-user@public-DNS
To upload files, use
scp -i key-pair-file file ec2-user@public-DNS:
Advanced setup: create a file
~/.ssh/config with the following
alias will serve as a symbolic alias of
public-DNS for use with ssh tools, and
key-pair-file is the pathname of the key pair file.
You may use
%d to denote the user's directory.
The above commands will then shorten to:
ssh alias # Interactive shell
scp file alias: # File upload (mind the colon!)
On Windows, there are a number of SSH clients. Here is how to configure
- Extract the private key (*.ppk) from the key pair (*.pem) using PuTTYgen
  (load an existing private key file, OK, enter passphrase twice, Save private key).
- Launch PuTTY or open a new session.
- In the Connection / Data category, enter "ec2-user" in the
  Auto-login username field.
- In the Connection / SSH / Auth category, enter the full pathname of the
  private key file (.ppk) into the field Private key for authentication.
- Return to the Session category and enter the Elastic IP associated with
  your instance into the Host Name (or IP address) field.
- Enter a name for your session, e.g. "AWS-Tomcat",
  under Saved Sessions and click Save.
  Tip: You may wish to create a shortcut for PuTTY that
  loads your saved session:
  path-to-putty\putty.exe -load "session-name"
- Click Open and enter your private key passphrase when prompted.
PuTTY comes with a program called PSCP that copies files over ssh. For example,
to upload a file to your instance, issue the following command:
path-to-putty\pscp.exe -i private-key file ec2-user@public-DNS:
or, if you have a saved PuTTY session:
path-to-putty\pscp.exe file session-name:
Using username "ec2-user".
Authenticating with public key "AWS-Tomcat"
Passphrase for key "AWS-Tomcat":
__| __|_ )
_| ( / Amazon Linux AMI
See /usr/share/doc/system-release/ for latest release notes.
No packages needed for security; 16 packages available
Update the instance with the latest patches and upgrades,
especially if there are security updates available:
sudo yum update
The Amazon Linux AMI has a JRE preinstalled and the
environment variable already set:
java version "1.6.0_22"
OpenJDK Runtime Environment (IcedTea6 1.10.6) (amazon-220.127.116.11.44.amzn1-i386)
OpenJDK Client VM (build 20.0-b11, mixed mode)
You may notice that this is an OpenJDK build. Do not let the Java version string
fool you, though — as of Feb 24, 2012 it had
the latest security patches.
That said, Oracle had released the official Java SE 6u31 binaries addressing
those security issues ten days earlier.
Update 02-May-2012: OpenJDK 7 has not found its way into Amazon Linux
repositories yet, but no doubt it will be there soon as Java SE 6 is approaching
End Of Life. Use the following command to display the available OpenJDK packages:
yum --enablerepo="*" list available | grep openjdk
If you want to develop in the cloud or need to run Tomcat in debug mode,
install the full JDK:
sudo yum install java-1.6.0-openjdk-devel
Refer to the follow-up article for instructions on installing Oracle Java.
Installing Tomcat From The Official Repo
Update 02-May-2012: As of version 2012.03, the main Amazon Linux
repository contains both versions 6 and 7 of Apache Tomcat.
Simply replace “
tomcat6” with “
below if you want to use Tomcat 7.
Linux distributions typically include some version of Apache Tomcat,
and Amazon Linux is no exception. Check the version using the
yum info command:
yum info tomcat6
. . .
Version : 6.0.35
. . .
If your Web application is known to work on this version of Tomcat,
you may go ahead and install it:
sudo yum install tomcat6
If you need to customize your Tomcat environment,
edit the main Tomcat configuration file
(absent in the official Apache Tomcat downloads):
There is also a per-service configuration file template at
/etc/sysconfig/tomcat. Refer to the comment
at the top of the file for instructions on setting up multiple Tomcat
services on one Amazon Linux system.
sudo service tomcat6 start
Starting tomcat6: [ OK ]
If you now try to connect to your instance on port 8080,
you should get error 400 (Bad Request).
That's okay; it happens because the standard Tomcat samples,
documentation, and management web apps
are not included in the
tomcat6 package or
its dependencies. You may either install them now:
sudo yum install tomcat6-webapps tomcat6-docs-webapp tomcat6-admin-webapps
or deploy your own application(s) to
(which is a symlink to
It should now be working:
If you still cannot connect:
check that Tomcat has indeed started and is listening on port 8080:
sudo fuser -v -n tcp 8080
USER PID ACCESS COMMAND
8080/tcp: tomcat pid F.... java
check that your instance's security group permits inbound connections
to port 8080 from your IP address.
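The security group check above, and the earlier advice to restrict SSH by source address, can both be run against a rule list instead of being read off the console. The following Python code is an added example, not part of the original article: it evaluates rules in the shape of the IpPermissions list returned by the EC2 DescribeSecurityGroups API. The sample rules, the admin network 203.0.113.0/24 and the client address are constructed values.

```python
import ipaddress

# Constructed sample shaped like the "IpPermissions" list of an EC2
# DescribeSecurityGroups response; it mirrors the rules the article sets up.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # preconfigured SSH rule
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # All ICMP
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # custom TCP rule for Tomcat
]


def _covers(rule, proto, port):
    """True if the rule applies to this protocol and port ("-1" = all protocols)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def sources(rules, proto, port):
    """All IPv4 source networks allowed to reach proto/port."""
    return [ipaddress.ip_network(r["CidrIp"])
            for rule in rules if _covers(rule, proto, port)
            for r in rule.get("IpRanges", [])]


def allows(rules, proto, port, client_ip):
    """Would an inbound connection from client_ip be permitted?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in sources(rules, proto, port))


def audit(rules, admin_net, client_ip):
    """Findings: SSH sources wider than admin_net; port 8080 closed to client_ip."""
    findings = []
    admin = ipaddress.ip_network(admin_net)
    for net in sources(rules, "tcp", 22):
        if not net.subnet_of(admin):
            findings.append(f"SSH open to {net}, wider than {admin}")
    if not allows(rules, "tcp", 8080, client_ip):
        findings.append(f"port 8080 not reachable from {client_ip}")
    return findings
```

With the sample rules, audit(SAMPLE_RULES, "203.0.113.0/24", "198.51.100.7") reports only the world-open SSH rule, which is the one the article suggests replacing.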
To have Tomcat start automatically on instance boot, issue the following commands:
sudo chkconfig --level 345 tomcat6 on
. . .
tomcat6 0:off 1:off 2:off 3:on 4:on 5:on 6:off
. . .
As you can see, installing Tomcat from the official Amazon Linux repo
is a breeze, with all the housekeeping taken care of:
binaries, config files, and user data are distributed nicely;
a dedicated non-privileged account is created; file and directory permissions are set
accordingly; log rotation is enabled; and a proper service script is installed.
There are just two problems:
- You get specific versions of Java, Tomcat, and supplementary libraries,
  whereas your Web application may require or may have been tested on different versions.
- The tomcat6 package has lots of dependencies,
  some of which you may not need, while others may be specific versions
  that are incompatible with your Web app. Run
  yum deplist tomcat6
  to see the dependencies. (Note that this command only shows
  the immediate dependencies of the given package.)
In the follow-up articles, we'll discuss
how to install your preferred versions of Java and Tomcat,
advanced configuration topics,
and the protection of your Web applications.