I suspect if the network between your servers isn't trusted.
If you want a secure way, you need to:
- Enable network access in MySQL (both in the host-based auth and in the users table).
- Make the MySQL server listen on port 3306 in your `my.cnf`.
- Enable the port `3306` in the firewall of your MySQL machine, but only for your server B.
- Enable the SSL support in your MySQL server on server A.
- If there are any intermediate firewalls/routers/packet filtering, enable the `B->A:3306` TCP connections, but only them.
- Generate a long and secure password for your tomcat user, for example with the `pwgen` command. Set up this password in your MySQL.
- Change the configuration of your Tomcat web application on server B to use `A:3306` with your password in the MySQL configuration. It needs a little bit of Java experience; probably you will need to change some XML files somewhere below a WEB-INF or META-INF directory.
- Deploy the webapp on server B.
- Test the TCP-level connectivity on server B with a `telnet A 3306` command. If OK, go further.
- Test the MySQL connectivity on server B to server A with the `mysql --host=A --port=3306 --user=... --password=...` command. If it works, go further.
- Start the webapp and test if it can also connect.
These are not really step-by-step instructions; every step probably needs further investigation from you. But these are the main big leaps. If something isn't clear, we are here for your next question.
Extension: As you wrote, the net between A and B can be considered trusted. In this case, you don't need any encryption between the servers, although I consider some minor firewalling needed. Because you make your MySQL server connectable from the net, it would be really useful if only B were able to connect to your database on A. This can be solved by combining port filtering with MySQL authentication. But you don't need to worry about the encryption, which makes things a lot better for you if you aren't an admin.
Extension #2: Although you didn't write anything about where your "local data" is, I suspect it is in files. Files can be shared very easily with SMB network sharing, and this share can be mounted on server B just as a subdirectory or as a separate drive. It would be better if it had some type of independence from the original web application. For example, if it was in `...\webapps\yourappname\attachments`, it would be better if it were outside of your `webapps` folder on server B. This can require a little bit of configuration of the web application.
Extension #3: Apache, Tomcat, every one of your servers runs as a user, and you can easily configure which user. If they are installed as Services, you can do that in Administrative Tools -> Services. Then, on the Windows file sharing, you can set the security settings of the share so that only this network user will be able to read that share. Warning: you need to change the settings in two places. First, you have to change the security of the network share, and second, of the files being served. But you can do both with a simple right-click on the given directory in Windows Explorer.
Extension #4: I consider it very useful to separate the shared folder from your web app. This probably requires a little bit of configuration. Maybe you should extend your question with where your web app and your local data files are on your server A.
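
The MySQL side of the steps above (account restricted to server B, optional SSL requirement, and checks), as an added example that is not part of the original answer. It assumes MySQL 5.7 or later syntax; the schema `appdb`, the account `tomcat_app`, the address `192.0.2.20` for server B and the password text are placeholders.

```sql
-- Added example. Assumed placeholders, not taken from the answer:
--   appdb       the web application's schema
--   tomcat_app  the account Tomcat on server B logs in with
--   192.0.2.20  server B's address (documentation range, replace it)

-- 1. Account bound to server B only. The host part of the account is the
--    "users table" restriction: the same user name coming from any other
--    address does not match this row and is refused.
CREATE USER 'tomcat_app'@'192.0.2.20'
  IDENTIFIED BY 'REPLACE_WITH_PWGEN_OUTPUT'
  REQUIRE SSL;  -- omit REQUIRE SSL only if the A<->B network is trusted

-- 2. Only the privileges the webapp needs, on its own schema only.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'tomcat_app'@'192.0.2.20';

-- 3. Audit on server A: accounts that any host may use. Once port 3306 is
--    reachable over the network these rows matter; ideally none remain.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host = '' OR host LIKE '%\%%';

-- 4. Confirm what the server listens on after editing my.cnf.
SHOW GLOBAL VARIABLES LIKE 'bind_address';
SHOW GLOBAL VARIABLES LIKE 'port';
SHOW GLOBAL VARIABLES LIKE 'skip_networking';

-- 5. Confirm the grants that were actually stored.
SHOW GRANTS FOR 'tomcat_app'@'192.0.2.20';

-- 6. Run from server B after logging in as tomcat_app:
SELECT CURRENT_USER();                 -- which account row matched
SHOW SESSION STATUS LIKE 'Ssl_cipher'; -- non-empty value = encrypted session
```

Steps 1 to 5 run on server A with an administrative account; step 6 runs in the `mysql` client session opened from server B.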