
With the move from RHEL 7 to RHEL 8, Red Hat dropped tomcat from the distribution, refocusing their efforts on JBoss as a separate project and dropping tomcat. I have a legacy application to support about which we know not very much. It comes in a WAR and it "just works".

We migrated from RHEL 7.9 to RHEL 8.6 as was required by policy, and took our tomcat 7 + apache-commons libraries with us and it worked just fine; however, vulnerability scans now complain about an older version of apache-commons. Compliance is a big deal, and so regardless of relative risk, Vulnerabilities Must Be Patched. Therefore, we need to have the same old application running in an application server on a machine which is finding-free in vulnerability scans.

I am not sure I understand the migration guides in https://tomcat.apache.org/migration.html correctly, but I think I am understanding correctly that some of the elements of apache-commons are being included now in later versions of tomcat.

I need to maintain servers with packages wherever possible, but the latest versions of tomcat are not available in the repos, because tomcat does not exist any longer in RHEL. However, Tomcat 9 is available in a compliant way as a package at this organization.

One path to resolution based on my current understanding:

  1. Set up a new machine in a test environment and put it behind the same load balancer as the other webservers.
  2. Install tomcat 9.
  3. Iterate - try installing the WAR and see what happens. Look at its log in journalctl and iteratively resolve for what is missing.

But with that method, I'd assume I need to go manually get apache-commons libraries.

Apologies in advance for any lack of research on my part. The difficulty is that we have very little Java experience on the team, and this combines Linux administration with Java application servers and a Java application. This is essentially a system administration issue in my view as we are not touching the application itself and only need to know what to feed it to make it happy.

  • You could run your tomcat application in a RHEL-7 based container running *on* your RHEL 8 host. – larsks Sep 15 '22 at 00:59

0 Answers
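
An added example, not part of the original question or of any project mentioned in it: before the iterative deploy in step 3, an inventory of the apache-commons jars the WAR itself carries in `WEB-INF/lib`, with the version each declares, shows what the application brings along and what a scanner will see inside the archive. It assumes the jars follow the usual `commons-*.jar` naming and declare a version in their manifest; the jar names and the sample WAR are constructed for the demonstration.

```python
import io
import re
import zipfile

# Assumption: bundled libraries follow the usual commons-*.jar naming.
JAR_RE = re.compile(r"^WEB-INF/lib/(commons-[^/]+)\.jar$")

def manifest_version(jar_bytes):
    """Return the version a jar declares in its manifest, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    text = re.sub(r"\r?\n ", "", text)  # unfold manifest continuation lines
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None

def commons_inventory(war):
    """Map each commons jar bundled in the WAR (path or file object) to its version."""
    with zipfile.ZipFile(war) as z:
        return {m.group(1): manifest_version(z.read(name))
                for name in z.namelist() if (m := JAR_RE.match(name))}

def sample_war():
    """Constructed sample WAR (not the real application), built in memory."""
    def jar(manifest=None):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as j:
            if manifest:
                j.writestr("META-INF/MANIFEST.MF", manifest)
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr("WEB-INF/lib/commons-example-1.0.jar",
                   jar("Manifest-Version: 1.0\r\nImplementation-Version: 1.0\r\n"))
        w.writestr("WEB-INF/lib/commons-nomanifest.jar", jar())
        w.writestr("WEB-INF/lib/other.jar", jar())
    war.seek(0)
    return war

if __name__ == "__main__":
    for name, version in sorted(commons_inventory(sample_war()).items()):
        print(name, version or "version not declared")
```

To use it on a real archive, pass the WAR's path to `commons_inventory()`; a jar reported without a version needs its version confirmed another way before comparing against the scan findings.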