Chat with us, powered by LiveChat

How to get Tomcat running on CentOS 7.2 using privileged ports

By August 22, 2016CentOS, Java, Tomcat

Tomcat running on Centos using privileged portsIf you haven’t already got Java and Tomcat 7 running on CentOS 7.2, it’s pretty simple using yum. Just follow the instructions in this post.

This sets up Java to run with 8080 and/or 8443, but I want it to be my primary webserver.

Post install

I’ve been trying to get Tomcat to run under user tomcat but on privileged port 443 ( <1024 ). There is not a lot of current info on getting this working post yum installs of Java and Tomcat 7 on CentOS 7.2 , so perhaps adding it here would be good.

There is allot of misinformation out there and some of it doesn’t apply to the versions spoken about, configs in different places or not existing in the paths referenced.

A few pre-cursors

  1. I do not want to run Tomcat as root to be able to use a port <1024
  2. “setcap cap_net_bind_service+ep /path/to/bin/java” does not work. I tried everything I could.
  3. I do not want to run Apache, haproxy or NGINX running on a port <1024 as a frontend to Tomcat even though there are some advantages in doing this. Wasted overhead and another service to manage and keep updated.
  4. Using iptables or firewalld to redirect ports is not optimal IMO as restarting or changing the firewall config would stop users from reach Tomcat if the firewall stopped or had an issue which is a point of failure.

The best solution I found was:

  1. Install authbind pre-rolled as an RPM from here or use the referenced GIT project to build an rpm yourself. This installed without issue and without any dependencies.
  2. Once authbind is installed run the following depending on what ports you want to have Tomcat listening on:

sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat /etc/authbind/byport/443

  1. Default user and group when Tomcat is installed by yum is “tomcat”
  2. Modify your tomcat “/etc/tomcat/server.xml” config and change to the ports you want to use. In my case it’s 443.
  3. The tricky part was getting authbind to work with systemd. After getting Tomcat set to start when the servers starts up I have the following 2 startup files:


  1. In all the other posts I read and how to’s they all reference in this file, but this script doesn’t exist if you used the before mentioned instructions to install Java/Tomcat using yum. I opened up the 2 files above and commented out the original “ExecStart” command, duplicated the line and added authbind as follows:

#ExecStart=/usr/libexec/tomcat/server start
ExecStart=/usr/bin/authbind –deep “/usr/libexec/tomcat/server” start

  1. After that I ran:

sudo systemctl daemon-reload
sudo systemctl restart tomcat.service

Tomcat fired up listening on port 443.

Aug 19 13:29:42 1556-109 authbind: INFO: Initializing ProtocolHandler [“http-bio-443”]
Aug 19 13:29:43 1556-109 authbind: Aug 19, 2016 1:29:43 PM org.apache.coyote.AbstractProtocol init

Problem solved! This was a lot easier to get working that some of the other solutions which involved multiple services running etc. If you have a better method or questions, please post a comment.

Leave a Reply