Apache Tomcat is an open-source Java Servlet container that implements Jakarta Servlet, Jakarta Expression Language, and Jakarta WebSocket specifications. It provides a pure Java HTTP web server environment for running Java-based web applications. Tomcat 10.1 is the current stable release based on Jakarta EE 10, and it is the recommended version for new deployments.
This guide covers two methods of installing Apache Tomcat 10 on Rocky Linux 10, AlmaLinux 10, and Fedora 42 – from the default OS repositories and from the official Apache tarball. We also configure the Tomcat Manager web interface, firewalld rules, SELinux policies, deploy a sample WAR file, and set up Nginx as a reverse proxy with SSL termination.
Prerequisites
- A server running Rocky Linux 10, AlmaLinux 10, RHEL 10, or Fedora 42
- Root or sudo access
- At least 1 GB RAM (2 GB recommended for production)
- Java 21 (OpenJDK) – installed in Step 1
- Ports 8080 (Tomcat HTTP) and 443 (HTTPS if using Nginx reverse proxy) open in firewall
Step 1: Install Java 21 (OpenJDK) on Rocky Linux 10 / AlmaLinux 10
Tomcat 10.1 requires Java 11 or later. We install Java 21 LTS (OpenJDK) since it is the current long-term support release available in the default repositories.
sudo dnf install -y java-21-openjdk java-21-openjdk-devel
Verify the Java installation by checking the version:
java -version
The output confirms Java 21 is installed and ready:
openjdk version "21.0.10" 2025-10-14 LTS
OpenJDK Runtime Environment (Red_Hat-21.0.10.0.7-1.el10) (build 21.0.10+7-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-21.0.10.0.7-1.el10) (build 21.0.10+7-LTS, mixed mode, sharing)
Set the JAVA_HOME environment variable so Tomcat and other Java applications can locate the JDK:
echo 'export JAVA_HOME=/usr/lib/jvm/java-21-openjdk' | sudo tee /etc/profile.d/java.sh
source /etc/profile.d/java.sh
Confirm the variable is set:
echo $JAVA_HOME
This should print the JDK path:
/usr/lib/jvm/java-21-openjdk
Method 1: Install Tomcat 10 from DNF Repositories
The simplest way to install Tomcat is from the default OS repositories. Rocky Linux 10, AlmaLinux 10, and Fedora 42 ship Tomcat 10.1 packages.
Step 2a: Install Tomcat Package
sudo dnf install -y tomcat tomcat-webapps tomcat-admin-webapps
The tomcat-webapps package installs the default ROOT and sample applications, while tomcat-admin-webapps provides the Manager and Host Manager web interfaces.
Check the installed Tomcat version:
rpm -qi tomcat | grep -i version
You should see Tomcat 10.1.x confirmed:
Version : 10.1.36
Step 2b: Enable and Start Tomcat Service
sudo systemctl enable --now tomcat
Verify the service is running:
sudo systemctl status tomcat
The output should show Tomcat as active (running):
● tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; preset: disabled)
Active: active (running) since Sat 2026-03-22 10:15:32 UTC; 5s ago
Main PID: 12345 (java)
Tasks: 30 (limit: 23456)
Memory: 128.0M
CPU: 3.200s
CGroup: /system.slice/tomcat.service
The repo method installs Tomcat to /usr/share/tomcat with configuration files in /etc/tomcat and logs in /var/log/tomcat. Skip ahead to Step 5 to configure the Manager interface.
Method 2: Install Tomcat 10 from Apache Tarball
For the latest Tomcat release (10.1.52 at the time of writing) or when you need full control over the installation, download and install from the official Apache Tomcat download page.
Step 3a: Create Tomcat User and Group
Create a dedicated system user and group for running Tomcat. This limits the impact of any security vulnerability in the application.
sudo groupadd -r tomcat
sudo useradd -r -g tomcat -d /opt/tomcat -s /sbin/nologin tomcat
Step 3b: Download and Extract Tomcat
Download the latest Tomcat 10.1.x tarball and extract it to /opt/tomcat:
TOMCAT_VER="10.1.52"
cd /tmp
curl -LO https://dlcdn.apache.org/tomcat/tomcat-10/v${TOMCAT_VER}/bin/apache-tomcat-${TOMCAT_VER}.tar.gz
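The download above is unpacked with sudo without being checked first. The following added example (not part of the original guide) is a POSIX shell function that refuses a tarball unless it matches a published SHA-512 file. For a real release it assumes you have also fetched apache-tomcat-${TOMCAT_VER}.tar.gz.sha512 from https://downloads.apache.org/; the demo data in the block is constructed.

```sh
#!/bin/sh
# Added example: fail closed unless a download matches its published SHA-512.
# Usage: verify_sha512 <file> <file.sha512>   (returns 0 only on an exact match)
verify_sha512() {
    file=$1
    sumfile=$2
    [ -r "$file" ] && [ -r "$sumfile" ] || return 1
    # The digest is the first whitespace-separated token of the checksum file.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    # Reject anything that is not exactly 128 hex characters (e.g. an HTML error page).
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{128}$' || return 1
    actual=$(sha512sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed demo data (not a real Tomcat release): a stand-in archive and its checksum file.
demo=$(mktemp -d)
printf 'stand-in archive contents\n' > "$demo/pkg.tar.gz"
(cd "$demo" && sha512sum -b pkg.tar.gz > pkg.tar.gz.sha512)

verify_sha512 "$demo/pkg.tar.gz" "$demo/pkg.tar.gz.sha512" && echo "intact: OK to extract"
printf 'tampered' >> "$demo/pkg.tar.gz"
verify_sha512 "$demo/pkg.tar.gz" "$demo/pkg.tar.gz.sha512" || echo "mismatch: do not extract"
rm -rf "$demo"
```

Run the function against /tmp/apache-tomcat-${TOMCAT_VER}.tar.gz and its .sha512 file, and continue to the extraction step only if it returns 0.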
Extract the archive and move it into place:
sudo mkdir -p /opt/tomcat
sudo tar xzf /tmp/apache-tomcat-${TOMCAT_VER}.tar.gz -C /opt/tomcat --strip-components=1
sudo chown -R tomcat:tomcat /opt/tomcat
Set execute permission on the shell scripts in the bin directory:
sudo chmod +x /opt/tomcat/bin/*.sh
Step 3c: Create systemd Service File for Tomcat
Create a systemd unit file so Tomcat starts automatically on boot and can be managed with systemctl:
sudo vi /etc/systemd/system/tomcat.service
Add the following service configuration:
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/java-21-openjdk"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target
Reload systemd, enable, and start the Tomcat service:
sudo systemctl daemon-reload
sudo systemctl enable --now tomcat
Verify it is running:
sudo systemctl status tomcat
The service should show active (running) with the Tomcat Java process as the main PID.
Step 4: Configure Firewall for Tomcat
Open port 8080/TCP in firewalld to allow access to the Tomcat web interface:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Verify the port is open:
sudo firewall-cmd --list-ports
You should see 8080/tcp in the output. Open your browser and navigate to http://your-server-ip:8080 – the Tomcat default landing page should appear.
Step 5: Configure Tomcat server.xml
The main Tomcat configuration file is server.xml. For the repo installation, it is at /etc/tomcat/server.xml. For the tarball installation, it is at /opt/tomcat/conf/server.xml.
Open the configuration file:
sudo vi /opt/tomcat/conf/server.xml
The default HTTP connector listens on port 8080. Key settings to review:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="200"
minSpareThreads="10"
maxParameterCount="1000" />
Common changes for production deployments:
- port – change the HTTP listen port (default 8080)
- maxThreads – maximum concurrent request processing threads (default 200)
- connectionTimeout – milliseconds to wait for the request after connection (default 20000)
- address – add address="127.0.0.1" to restrict Tomcat to localhost when using a reverse proxy
If you plan to run Tomcat behind Nginx (covered in Step 9), bind Tomcat to localhost only by adding address="127.0.0.1" to the Connector element. This prevents direct access on port 8080 from the internet.
Step 6: Configure Tomcat Manager GUI (tomcat-users.xml)
The Tomcat Manager application allows deploying, undeploying, and managing web applications through a web interface. You need to create users with the appropriate roles.
Edit the tomcat-users.xml file. For the repo install, the path is /etc/tomcat/tomcat-users.xml. For the tarball install:
sudo vi /opt/tomcat/conf/tomcat-users.xml
Add the following role and user definitions before the closing </tomcat-users> tag:
<role rolename="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="StrongPassword123!" roles="manager-gui,admin-gui"/>
Replace StrongPassword123! with a strong, unique password.
Allow Remote Access to Manager
By default, the Manager and Host Manager apps only allow access from localhost. To access from a remote IP, edit the context configuration.
For the tarball installation:
sudo vi /opt/tomcat/webapps/manager/META-INF/context.xml
Find the Valve element with the RemoteAddrValve and update the allow attribute to include your IP address (replace 192.168.1.100 with your actual IP):
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.100" />
Do the same for the Host Manager app:
sudo vi /opt/tomcat/webapps/host-manager/META-INF/context.xml
Update the same allow pattern in this file as well. Restart Tomcat to apply the changes:
sudo systemctl restart tomcat
You can now access the Manager at http://your-server-ip:8080/manager/html and log in with the credentials you configured.
Step 7: Configure SELinux for Tomcat
On Rocky Linux 10 and AlmaLinux 10, SELinux is enabled by default in enforcing mode. If you used the repo installation, the SELinux policies are already configured. For the tarball installation, you need to set the correct contexts.
Check the current SELinux status:
getenforce
If SELinux is Enforcing, apply the proper file contexts for the tarball installation:
sudo semanage fcontext -a -t tomcat_exec_t "/opt/tomcat/bin(/.*)?"
sudo semanage fcontext -a -t tomcat_var_lib_t "/opt/tomcat/lib(/.*)?"
sudo semanage fcontext -a -t tomcat_var_lib_t "/opt/tomcat/webapps(/.*)?"
sudo semanage fcontext -a -t tomcat_log_t "/opt/tomcat/logs(/.*)?"
sudo semanage fcontext -a -t tomcat_tmp_t "/opt/tomcat/temp(/.*)?"
sudo semanage fcontext -a -t tomcat_var_run_t "/opt/tomcat/work(/.*)?"
sudo semanage fcontext -a -t tomcat_etc_t "/opt/tomcat/conf(/.*)?"
sudo restorecon -Rv /opt/tomcat
If Tomcat needs to connect to a database or external service, allow network connections:
sudo setsebool -P tomcat_can_network_connect_db 1
If the policycoreutils-python-utils package is not installed, install it first:
sudo dnf install -y policycoreutils-python-utils
Step 8: Deploy a Sample WAR Application
To verify Tomcat is working correctly, deploy the official sample WAR file. Download it directly into the Tomcat webapps directory:
sudo curl -L -o /opt/tomcat/webapps/sample.war https://tomcat.apache.org/tomcat-10.1-doc/appdev/sample/sample.war
sudo chown tomcat:tomcat /opt/tomcat/webapps/sample.war
Tomcat automatically deploys WAR files placed in the webapps directory. Wait a few seconds, then verify the deployment:
ls /opt/tomcat/webapps/sample/
You should see the extracted application files:
hello.jsp images index.html META-INF WEB-INF
Access the sample application at http://your-server-ip:8080/sample/ in your browser. You should see the “Hello, World” sample page.
For the repo installation, the webapps directory is /var/lib/tomcat/webapps/ and you should set ownership to the tomcat user accordingly.
Step 9: Set Up Nginx Reverse Proxy with SSL for Tomcat
Running Tomcat behind Nginx as a reverse proxy provides SSL termination, better static file handling, and hides Tomcat from direct internet access. This is the recommended production setup.
Install Nginx and Certbot
sudo dnf install -y nginx certbot python3-certbot-nginx
Configure Nginx as Reverse Proxy
Create an Nginx server block for your Tomcat application:
sudo vi /etc/nginx/conf.d/tomcat.conf
Add the following reverse proxy configuration (replace tomcat.example.com with your actual domain):
server {
    listen 80;
    server_name tomcat.example.com;
    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name tomcat.example.com;
    # SSL certificates - managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tomcat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tomcat.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Proxy settings
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Increase max upload size for WAR deployments
    client_max_body_size 100M;
}
Obtain SSL Certificate
Before obtaining the SSL certificate, temporarily comment out the HTTPS server block (or the ssl_certificate lines) and update the HTTP block to not redirect. Then get the certificate:
sudo certbot --nginx -d tomcat.example.com
Certbot automatically configures SSL in the Nginx config and sets up auto-renewal. Verify the renewal timer is active:
sudo systemctl status certbot-renew.timer
Bind Tomcat to Localhost
With Nginx handling external traffic, restrict Tomcat to listen only on localhost. Edit server.xml and add the address attribute to the HTTP Connector:
sudo vi /opt/tomcat/conf/server.xml
Update the Connector element:
<Connector port="8080" protocol="HTTP/1.1"
address="127.0.0.1"
connectionTimeout="20000"
redirectPort="8443"
maxParameterCount="1000" />
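To confirm the binding after editing, the following added check (not part of the original guide) prints the port of every active Connector in a server.xml that is not bound to a loopback address. The function name and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: print the port of every active <Connector> in a server.xml
# that is not bound to a loopback address. Commented-out connectors are ignored.
exposed_connectors() {
    awk '
    { doc = doc $0 " " }              # join lines: an element spans several
    END {
        # Remove <!-- ... --> comments so disabled connectors are not reported.
        while ((s = index(doc, "<!--")) > 0) {
            rest = substr(doc, s + 4)
            e = index(rest, "-->")
            if (e == 0) { doc = substr(doc, 1, s - 1); break }
            doc = substr(doc, 1, s - 1) substr(rest, e + 3)
        }
        # Walk each <Connector ...> start tag and inspect its attributes.
        while ((s = index(doc, "<Connector")) > 0) {
            doc = substr(doc, s + 10)
            e = index(doc, ">")
            el = (e > 0) ? substr(doc, 1, e) : doc
            port = "unknown"
            if (match(el, /[ \t]port="[^"]*"/))
                port = substr(el, RSTART + 7, RLENGTH - 8)
            if (el !~ /[ \t]address="(127\.[0-9.]+|::1|localhost)"/)
                print port
        }
    }' "$1"
}

# Constructed sample: the guide's default Connector plus a commented-out one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxParameterCount="1000" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
  </Service>
</Server>
EOF
echo "Connectors reachable from other hosts: $(exposed_connectors "$sample")"
rm -f "$sample"
```

Point the function at /opt/tomcat/conf/server.xml (or /etc/tomcat/server.xml for the repo install); empty output means every active Connector listens on loopback only.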
Configure SELinux for Nginx Proxy
SELinux blocks Nginx from making outbound network connections by default. Allow the proxy connection:
sudo setsebool -P httpd_can_network_connect 1
Open Firewall Ports for HTTPS
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Enable and Start Nginx
sudo systemctl enable --now nginx
sudo systemctl restart tomcat
Verify both services are running:
sudo systemctl status nginx tomcat
Both should show active (running). Your Tomcat application is now accessible through Nginx with SSL at https://tomcat.example.com.
Once the reverse proxy is confirmed working, remove the direct port 8080 access from the firewall since all traffic goes through Nginx:
sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --reload
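One consequence of this setup for the Manager restriction from Step 6: RemoteAddrValve matches the TCP peer address, and for every request relayed by Nginx on the same host that peer is 127.0.0.1, which the allow pattern accepts. The following added example (not part of the original guide) evaluates the guide's pattern for direct and proxied clients. The helper names and client addresses are constructed, and the matcher is a shell approximation of the valve, not Tomcat code.

```sh
#!/bin/sh
# Added example: approximate RemoteAddrValve's whole-string match with grep -E.
# \d is rewritten to [0-9] because POSIX ERE has no \d; this is adequate for simple
# patterns like the guide's, not for arbitrary Java regular expressions.
valve_allows() {   # $1 = allow pattern, $2 = address the valve evaluates
    pattern=$(printf '%s' "$1" | sed 's/\\d/[0-9]/g')
    printf '%s\n' "$2" | grep -Eq -e "^(${pattern})\$"
}

# Allow pattern from Step 6 of the guide.
ALLOW='127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.100'

# Model of which address the valve sees: the TCP peer. For a request relayed by
# Nginx on the same host that peer is 127.0.0.1, whatever the client's address.
peer_seen_by_tomcat() {   # $1 = client address, $2 = direct | proxied
    if [ "$2" = proxied ]; then echo 127.0.0.1; else echo "$1"; fi
}

manager_reachable() {     # $1 = client address, $2 = direct | proxied
    valve_allows "$ALLOW" "$(peer_seen_by_tomcat "$1" "$2")"
}

# Constructed client addresses (203.0.113.7 is a documentation-range address).
for c in "192.168.1.100 direct" "192.168.1.101 direct" \
         "203.0.113.7 direct" "203.0.113.7 proxied"; do
    set -- $c
    if manager_reachable "$1" "$2"; then verdict=allowed; else verdict=denied; fi
    printf '%-14s %-8s %s\n' "$1" "$2" "$verdict"
done
```

Because the proxied case is allowed, restrict /manager and /host-manager in the Nginx server block with allow/deny rules, or configure Tomcat's RemoteIpValve so the address check applies to the original client rather than the proxy.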
Conclusion
Tomcat 10 is running on Rocky Linux 10 / AlmaLinux 10 / Fedora 42 with the Manager interface configured and a sample application deployed. For production environments, always run Tomcat behind a reverse proxy with SSL, restrict the Manager interface to trusted IPs, monitor JVM memory usage, and set up regular backups of your application data and configuration files. Check the official Tomcat 10.1 documentation for advanced tuning options including CI/CD pipeline integration with tools like Jenkins for automated deployments.