Pivotal tc Server v3.2

Security Information

Pivotal is committed to providing products and solutions that allow you to assess the security of your information, secure your information infrastructure, protect your sensitive information, and manage security information and events to assure effectiveness and regulatory compliance. As part of this commitment, the following Pivotal tc Server-specific security information is provided to help you secure your environment:

External Interfaces, Ports, and Services

A tc Runtime instance uses TCP/IP ports to receive incoming requests and send outgoing responses. Different protocols (such as HTTP/S, JMX, and AJP) listen on different ports. If you create a tc Runtime instance using all default values, then the default TCP/IP ports for the various protocols are as follows:

  • HTTP: 8080
  • HTTPS: 8443
  • JMX: 6969
  • AJP: 8009

You can change the TCP/IP listen ports for a particular tc Runtime instance by updating the INSTANCE-DIR/conf/catalina.properties file, where INSTANCE-DIR refers to the directory in which the tc Runtime instance is located, such as /var/opt/pivotal/pivotal-tc-server-standard/myserver.

The following snippet of catalina.properties shows how to change the HTTP, HTTPS, and JMX ports to 8181, 8553, and 7979, respectively:

...
nio.http.port=8181
nio.https.port=8553
base.jmx.port=7979

Beyond these listen ports, Pivotal tc Server has no other external interfaces or services that need to be enabled or opened.

Resources That Must Be Protected

The following tc Server configuration files should be readable only by the dedicated tc Server user who runs the tc Runtime instance:

  • server.xml
  • context.xml
  • web.xml
  • catalina.properties
  • jmxremote.password
  • keystore-name.keystore (Instances configured with the NIO Connector)
  • cert-name.cer (Instances configured with the APR Connector)
  • key-name.key (Instances configured with the APR Connector)

These configuration files are specific to a tc Runtime instance and are stored in the INSTANCE-DIR/conf directory, where INSTANCE-DIR refers to the directory in which the tc Runtime instance is located, such as /var/opt/pivotal/pivotal-tc-server-standard/myserver.

Log File Locations

The default log files for a tc Runtime instance are as follows:

  • catalina.out: Contains System.out and System.err messages.
  • catalina.date.log: Contains log messages from the Catalina service.
  • localhost.date.log: Contains log messages from the localhost engine of the Catalina service.
  • localhost_access_log.date.txt: Contains information about access requests.

These log files are specific to a tc Runtime instance and are stored by default in the INSTANCE-DIR/logs directory, where INSTANCE-DIR refers to the directory in which the tc Runtime instance is located, such as /var/opt/pivotal/pivotal-tc-server-standard/myserver.

These log files should be readable and writable only by the dedicated tc Server user who runs the tc Runtime instance.

User Accounts Created at Installation

If you install Pivotal tc Server on Red Hat Enterprise Linux (RHEL) using the RPM, then a user with the following characteristics is automatically created:

  • ID: tcserver
  • Group: pivotal
  • You must log in as root, or as a user with appropriate sudo privileges, and then run su - tcserver.

When installing from RPM on RHEL, the tc Server installation directory will be owned by the root user, with group pivotal. The tcserver user will have permission to execute appropriate scripts, such as tcruntime-instance.sh and tcruntime-ctl.sh. You should create tc Runtime instances as the tcserver user, and stop and start them as this user.

When installing tc Server on Windows or from a *.zip or *.tar file, a user account is not automatically created for you. Rather, you must create a dedicated tc Server user account whose only purpose is to run tc Runtime instances. Additionally:

  • This user should be the only user who has the permission to start and stop the tc Runtime instance, and should have no other permissions.
  • It should not be possible to log on to the computer directly as this dedicated tc Server user.
  • tc Server configuration files should be readable only by this dedicated tc Server user.
  • tc Server log files should be readable and writable only by this dedicated tc Server user.
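The file-ownership and permission rules from the Resources That Must Be Protected, Log File Locations, and User Accounts sections can be checked with a small audit script. This is an added example, not a script shipped with tc Server; it assumes GNU coreutils (stat -c), and the demo instance it builds is a constructed layout with one deliberately world-readable server.xml.

```shell
#!/bin/sh
# Added example, not part of tc Server: audit that an instance's conf and log
# files are owned by the dedicated tc Server user and carry no group/other bits.
# Assumes GNU coreutils (stat -c). Usage: sh tc_perm_audit.sh INSTANCE-DIR [USER]

# check_private FILE USER: return 0 if FILE is owned by USER and its octal mode
# ends in 00 (no group/other access); otherwise print a finding and return 1.
check_private() {
    file=$1; user=$2; rc=0
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%U' "$file") || return 1
    if [ "$owner" != "$user" ]; then
        echo "FINDING: $file is owned by $owner, expected $user"; rc=1
    fi
    case "$mode" in               # last two octal digits are the group and other bits
        *00) ;;
        *)   echo "FINDING: $file mode $mode grants group/other access"; rc=1 ;;
    esac
    return $rc
}

# audit_tc_instance INSTANCE-DIR USER: check the conf files this page lists
# (keystore/cert/key names vary per instance, so those are matched by extension)
# and every file under logs/. Returns 0 when clean, 1 when any finding was printed.
audit_tc_instance() {
    inst=$1; user=$2; bad=0
    for f in "$inst"/conf/server.xml "$inst"/conf/context.xml "$inst"/conf/web.xml \
             "$inst"/conf/catalina.properties "$inst"/conf/jmxremote.password \
             "$inst"/conf/*.keystore "$inst"/conf/*.cer "$inst"/conf/*.key "$inst"/logs/*; do
        [ -e "$f" ] || continue   # absent optional file (e.g. jmxremote.password) or unexpanded glob
        check_private "$f" "$user" || bad=1
    done
    return $bad
}

# make_demo_instance: build a constructed instance layout in a temp directory, with
# one deliberately world-readable server.xml, and print the directory path.
make_demo_instance() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf" "$d/logs"
    printf '<Server port="-1"/>\n' > "$d/conf/server.xml"
    printf 'nio.http.port=8080\n' > "$d/conf/catalina.properties"
    : > "$d/conf/myserver.keystore"; : > "$d/logs/catalina.out"
    chmod 600 "$d/conf/catalina.properties" "$d/conf/myserver.keystore" "$d/logs/catalina.out"
    chmod 644 "$d/conf/server.xml"  # the finding the audit should report
    echo "$d"
}

[ "$#" -eq 0 ] || audit_tc_instance "$1" "${2:-tcserver}"
```

Run it against a real instance as, for example, sh tc_perm_audit.sh /var/opt/pivotal/pivotal-tc-server-standard/myserver tcserver; a non-zero exit means at least one finding was printed.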

Obtaining and Installing Security Updates

Pivotal tc Server is a web application server based on open-source Apache Tomcat. A particular version of tc Server includes particular versions of Apache Tomcat, such as tomcat-7.0.26.A.RELEASE or tomcat-8.0.30.A.RELEASE. New versions of tc Server typically include updated versions of Apache Tomcat, some of which might fix important security vulnerabilities. To install these security updates, you install the new version of tc Server and then upgrade your existing instances.

To download the latest *.zip or *.tar distributions of Pivotal tc Server, go to the Pivotal tc Server download page.

When using RPMs on RHEL, use the yum upgrade command to upgrade to the latest Pivotal tc Server version.

See the Upgrade and Migration Guide for details.