Apache Portable Runtime (APR) based Native library for Tomcat
Table of Contents
Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).
These features allows making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology.
APR support requires three main native components to be installed:
- APR library
- JNI wrappers for APR used by Tomcat (libtcnative)
- OpenSSL libraries
Windows binaries are provided for tcnative-1, which is a statically compiled .dll which includes OpenSSL and APR. It can be downloaded from here as 32bit or AMD x86-64 binaries. In security conscious production environments, it is recommended to use separate shared dlls for OpenSSL, APR, and libtcnative-1, and update them as needed according to security bulletins. Windows OpenSSL binaries are linked from the Official OpenSSL website (see related/binaries).
Most Linux distributions will ship packages for APR and OpenSSL. The JNI wrapper (libtcnative) will then have to be compiled. It depends on APR, OpenSSL, and the Java headers.
- APR 1.2+ development headers (libapr1-dev package)
- OpenSSL 0.9.7+ development headers (libssl-dev package)
- JNI headers from Java compatible JDK 1.4+
- GNU development environment (gcc, make)
The wrapper library sources are located in the Tomcat binary bundle, in the
Once the build environment is installed and the source archive is extracted, the wrapper library
can be compiled using (from the folder containing the configure script):
./configure && make && make install
Once the libraries are properly installed and available to Java (if loading fails, the library path will be displayed), the Tomcat connectors will automatically use APR. Configuration of the connectors is similar to the regular connectors, but have a few extra attributes which are used to configure APR components. Note that the defaults should be well tuned for most use cases, and additional tweaking shouldn't be required.
When APR is enabled, the following features are also enabled in Tomcat:
- Secure session ID generation by default on all platforms (platforms other than Linux required random number generation using a configured entropy)
- OS level statistics on memory usage and CPU usage by the Tomcat process are displayed by the status servlet
APR Lifecycle Listener Configuration
Name of the SSLEngine to use. off: Do not use SSL, on: Use SSL but no specific ENGINE.
The default value is on.
This initializes the native SSL engine, then enable the use of this engine in the connector
See the Official OpenSSL website for more details on SSL hardware engines and manufacturers.
APR Connectors Configuration
For HTTP configuration, see the HTTP connector configuration documentation.
For HTTPS configuration, see the HTTPS connector configuration documentation.
An example SSL Connector declaration is:
<Connector port="443" maxHttpHeaderSize="8192"
acceptCount="100" scheme="https" secure="true"
For AJP configuration, see the AJP connector configuration documentation.