Recommended Tomcat Setup

Recommended Apache Tomcat Setup

Fusion Registry must be run within a Java Servlet Container. Regnology recommends using Apache Tomcat as the Java Servlet Container, as this has been used during the testing lifecycle of Fusion Registry. The Fusion Registry has only been tested in Apache Tomcat and therefore we cannot guarantee that the Fusion Registry will work with other Java Servlet Containers.

There are a few things to consider when running Fusion Registry on Apache Tomcat.

Security

For enhanced security, we recommend the following:

server.xml file

By default, Tomcat will display Stack Traces in certain circumstances. We recommend the following change be made to the file: server.xml. This file is located in the Apache Tomcat Directory <Apache Root>/conf

Edit the file and and locate the "Host" section. At the end of this section, just before the closing </Host> tag, insert the following:

 <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

This will prevent stack traces from being displayed to the user with HTTP error codes. Tomcat must be restarted for this change to take effect.

context.xml file

Since release 11.13 of the Fusion Registry, the product now ships with a default context.xml file which is located in the META-INF directory in the Fusion Registry directory. This file overrides Tomcat's cookie pre-processor settings and enforces a strict SameSite cookies policy. More information on SameSite cookie security policies can be found here. This prevents potential vulnerabilities related to Cross-Site Request Forgery (CSRF).

No action is required on the deployer's side, but if you want to disable this setting, either change or delete the file.