B-PRD-VTL — Tomcat Hardening Runbook

VULN REMEDIATION FalconStor VTL

Host: B-PRD-VTL
OS: Oracle Linux 8.8
VTL Software: FalconStor
Tomcat (FalconStor): 9.0.112
Tomcat (OMSA): 9.0.34
Tomcat install: /usr/local/apache-tomcat
Service control: /etc/rc.d/init.d/autovtl
Webapps: fms, obd, manager*, host-manager*
Vulnerability Findings & Remediation Status

CVE-2026-34487 [VENDOR]
    Insertion of sensitive information into log file (Kubernetes bearer token exposure in clustering component). Affects Tomcat 9.0.13 → 9.0.116. Fixed in 9.0.117.

CVE-2026-34500 [VENDOR]
    CLIENT_CERT auth bypass with FFM under soft-fail-disabled scenarios. Affects Tomcat 9.0.92 → 9.0.116. Fixed in 9.0.117.

CVE-2020-1938 [PHASE 3]
    "Ghostcat" — AJP connector file read / RCE class. Triggered by exposed AJP/8009 with secretRequired="false". Mitigated by AJP lockdown or removal (Phase 3).

Tomcat 9.0.34 [PHASE 2]
    OMSA-bundled Tomcat is on 9.0.34 (~80 patch versions behind). Aggregate CVE exposure ≫ the two flagged. Mitigated by disabling dsm_om_connsvc (Phase 2).

Default webapps [PHASE 4]
    manager and host-manager deployed under FalconStor Tomcat. Standard hardening — not in customer scan but widely audited.

HTTP/80 plaintext [PHASE 5]
    Plaintext HTTP listener defined in server.xml. Audit and disable if not used as a redirect-only port.
Phase 1 Pre-flight Discovery & Baseline
01 Confirm running state and capture baseline configs [BASELINE]

Confirm Tomcat instances and listeners:

    # FalconStor Tomcat — should show 9.0.112 and IBM J9
    /usr/local/apache-tomcat/bin/version.sh
    # All listening sockets — note 80, 443, 8009, 1311 in particular
    ss -ltnp
    # OMSA web service status
    systemctl status dsm_om_connsvc dataeng dsm_om_shrsvc

Capture rollback baseline:

    mkdir -p /root/tomcat-baseline-$(date +%Y%m%d)
    cd /root/tomcat-baseline-$(date +%Y%m%d)
    # Backup full Tomcat config tree (small, low cost)
    tar -czf tomcat-conf.tar.gz -C /usr/local/apache-tomcat conf
    # Backup webapps to be removed (manager, host-manager)
    tar -czf mgr-webapps.tar.gz -C /usr/local/apache-tomcat/webapps manager host-manager
    # Capture current listener / process state for comparison post-change
    ss -ltnp > listeners-before.txt
    ps -ef | grep -E 'catalina|dsm_om|java' | grep -v grep > processes-before.txt

Verify FalconStor service-control script:

    grep -E 'tomcat|catalina|fms|obd' /etc/rc.d/init.d/autovtl | head -30

Snapshot first. All edits in later phases assume a clean rollback path — the baseline tarball is the source of truth. Tomcat is started by FalconStor's autovtl init script, not systemd, so service control commands later will go via that script.

02 Determine if AJP/8009 is actively used by a frontend proxy [DISCOVER]

    # Is anything currently connected to AJP/8009?
    ss -tn | grep ':8009 '
    # Any local httpd / Apache config doing mod_proxy_ajp?
    grep -rli 'mod_proxy_ajp\|ProxyPass.*ajp\|JkMount' /etc/httpd /etc/apache2 2>/dev/null
    # Is httpd even running on this host?
    systemctl status httpd 2>/dev/null
    ss -ltn | grep -E ':80 |:443 '
    # Recent AJP traffic in Tomcat access logs (if any); logs live under the Tomcat install tree
    tail -200 /usr/local/apache-tomcat/logs/localhost_access* 2>/dev/null | grep -i ajp

If `ss -tn | grep ':8009 '` returns no rows and no mod_proxy_ajp config exists locally, treat AJP as unused and proceed with Option A (remove) in Phase 3. If anything is connected, treat it as Option B (lock down). A single snapshot can miss an intermittent proxy connection, so re-run the `ss` check a few times across the discovery window before settling on Option A.

03 Determine if HTTP/80 is in active use or redirect-only [DISCOVER]

    # What does the port 80 connector look like in server.xml?
    grep -A6 'Connector port="80"' /usr/local/apache-tomcat/conf/server.xml
    # Are there active connections to 80 right now?
    ss -tn | grep ':80 '
    # Recent 80 traffic in access logs (logs live under the Tomcat install tree)
    grep ' 80 ' /usr/local/apache-tomcat/logs/localhost_access* 2>/dev/null | tail -50
    # Is 80 just redirecting to 443? Check from the host itself
    curl -Ik http://localhost/

If curl returns a 301/302 to https and access logs show only redirect responses, port 80 is acting as a courtesy redirect and is low risk. If it serves fms or obd directly over plaintext, that's a finding to fix.

Phase 2 Disable OMSA Web GUI (separate Tomcat instance)
04 Stop and disable dsm_om_connsvc — keep hardware monitoring [QUICK WIN]

Pre-check — confirm OMSA architecture:

    # All three services should be present; only dsm_om_connsvc runs the web GUI
    systemctl status dsm_om_connsvc dataeng dsm_om_shrsvc
    # Confirm port 1311 is currently listening (the OMSA web port)
    ss -ltn | grep 1311

Stop and disable the web service:

    systemctl disable --now dsm_om_connsvc
    # Verify it's stopped and disabled
    systemctl is-active dsm_om_connsvc     # expect: inactive
    systemctl is-enabled dsm_om_connsvc    # expect: disabled
    # Port 1311 should now be silent
    ss -ltn | grep 1311                    # expect: no output

Confirm hardware monitoring still works (CLI path):

    # dataeng must still be active — this is the actual monitoring engine
    systemctl status dataeng
    # omreport CLI talks directly to dataeng, not the web service
    omreport chassis
    omreport storage controller
    omreport system summary | head -20

Why this works: OMSA's hardware monitoring runs in dataeng, which is a separate service from the Tomcat-backed web GUI in dsm_om_connsvc. Disabling the web service removes the vulnerable Tomcat 9.0.34 from the network entirely while keeping inventory, alerts, and SNMP traps fully functional. omreport / omconfig CLI continue to work locally.

Note: If anyone uses the web GUI at https://b-prd-vtl:1311 for ad-hoc hardware checks, they will need to switch to omreport from the CLI, or query iDRAC directly out-of-band. Communicate this change before the cutover.

Phase 3 AJP Connector Lockdown — Ghostcat (CVE-2020-1938)
05 Remove or harden the AJP/8009 connector [CRITICAL]
Option A — Remove (preferred)
No frontend proxy on this host (Phase 1 step 02 returned no AJP traffic / no httpd). Comment out the connector entirely.
Option B — Lock down
AJP is in active use by a local Apache httpd / IIS frontend. Bind to localhost and add a shared secret.
Backup server.xml before editing:

    cp -p /usr/local/apache-tomcat/conf/server.xml \
          /usr/local/apache-tomcat/conf/server.xml.bak.$(date +%Y%m%d-%H%M%S)

Option A — Comment out the AJP connector:

    # Edit /usr/local/apache-tomcat/conf/server.xml and wrap the AJP block in
    # comments so it is preserved but inert:
    #
    # <!-- AJP disabled per security hardening YYYY-MM-DD - JN
    # <Connector port="8009" protocol="AJP/1.3" redirectPort="443" secretRequired="false" />
    # -->
    vi /usr/local/apache-tomcat/conf/server.xml
    # Confirm only the comment markers and connector remain — no orphan brackets
    grep -n '8009\|AJP' /usr/local/apache-tomcat/conf/server.xml

Option B — Lock down (only if AJP genuinely required):

    # Generate a strong shared secret
    openssl rand -hex 32
    # Edit server.xml — replace the AJP connector with the locked-down version:
    #
    # <Connector port="8009" protocol="AJP/1.3"
    #            address="127.0.0.1"
    #            secret="<PASTE_GENERATED_HEX>"
    #            redirectPort="443" />
    #
    # NOTE: The same secret must also be configured on the frontend
    # (e.g. ProxyPass ... secret=<value> in httpd or workers.properties for mod_jk).
    vi /usr/local/apache-tomcat/conf/server.xml
    # Sanity-check XML structure before restart
    xmllint --noout /usr/local/apache-tomcat/conf/server.xml && echo "XML OK"

Why this matters more than the flagged CVEs: CVE-2020-1938 (Ghostcat) is a pre-auth file read / potential RCE. Any host that can reach 8009 with the connector in its current state can read arbitrary files from inside webapps and, in many configurations, execute uploaded JSPs. secretRequired="false" + no address= bind = wide open from any network interface this Tomcat listens on.

Restart deferred: Do not restart Tomcat yet — Phases 4 and 5 may require additional server.xml / webapp changes. Phase 6 handles the single coordinated restart.

Phase 4 Remove Default Management Webapps
06 Verify FalconStor does not depend on manager / host-manager, then remove [CAUTION]

Pre-check — does FalconStor reference these webapps?

    # Search FalconStor install tree for any reference to manager/host-manager
    grep -rli '/manager\|/host-manager' /usr/local/vtl 2>/dev/null
    # Check tomcat-users.xml — are any users provisioned for these roles?
    grep -iE 'manager-gui|manager-script|admin-gui' \
        /usr/local/apache-tomcat/conf/tomcat-users.xml
    # Inspect context descriptors (these allow webapp-level access controls)
    ls -la /usr/local/apache-tomcat/webapps/manager/META-INF/context.xml 2>/dev/null
    cat /usr/local/apache-tomcat/webapps/manager/META-INF/context.xml 2>/dev/null

Backup before removal:

    tar -czf /root/tomcat-baseline-$(date +%Y%m%d)/mgr-webapps-removed.tar.gz \
        -C /usr/local/apache-tomcat/webapps manager host-manager

Remove the webapps:

    rm -rf /usr/local/apache-tomcat/webapps/manager
    rm -rf /usr/local/apache-tomcat/webapps/host-manager
    # Confirm only fms and obd remain (plus any other FalconStor symlinks)
    ls -la /usr/local/apache-tomcat/webapps/

FalconStor patch caveat: When FalconStor next ships an installer/patch, it may re-deploy manager and host-manager as part of its stock Tomcat tarball. Add a post-patch verification step to your FalconStor change procedure that re-runs the removal commands above. The backup tarball at /root/tomcat-baseline-*/mgr-webapps-removed.tar.gz is your rollback if FalconStor support insists either webapp is required.

Phase 5 HTTP/80 Listener Audit
07 Disable plaintext HTTP/80 if not used as a redirect [CONDITIONAL]
Use Case 1 — Redirect only
Phase 1 step 03 showed that port 80 issues only 301/302 redirects to https. Acceptable risk; leave in place or optionally disable.
Use Case 2 — Plaintext fms/obd
Port 80 serves fms/obd directly over plaintext. Must be disabled.
Disable the HTTP/80 connector (either case, if disabling):

    # Comment out the HTTP/80 connector block in server.xml:
    #
    # <!-- HTTP/80 disabled per security hardening YYYY-MM-DD - JN
    # <Connector port="80" protocol="HTTP/1.1"
    #            connectionTimeout="20000"
    #            redirectPort="443" />
    # -->
    vi /usr/local/apache-tomcat/conf/server.xml
    # Validate XML
    xmllint --noout /usr/local/apache-tomcat/conf/server.xml && echo "XML OK"
    # Confirm 443 connector is unaffected (still present)
    grep -A3 'Connector port="443"' /usr/local/apache-tomcat/conf/server.xml

If 80 is genuinely just a redirect and end-users rely on typing the hostname without https, leaving it in place is defensible. The vulnerability scanner is unlikely to flag a redirect-only connector. Document the decision either way in the change record.
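Before the Phase 6 restart, the edited server.xml can be checked mechanically for the two conditions Phase 3 and Phase 5 target. The following is an added example, not FalconStor or Tomcat tooling: it parses every Connector element and flags an AJP connector that is not bound to loopback or has no shared secret, and any plaintext (non-SSL) HTTP listener. The embedded server.xml is a constructed sample in the pre-hardening state and the function name is hypothetical.

```python
"""Audit Tomcat server.xml Connector elements for the exposures this runbook
targets (Ghostcat-class AJP exposure, plaintext HTTP/80).
Hypothetical helper; usage: python3 audit_connectors.py [path/to/server.xml]"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the pre-hardening state described in the runbook.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" secretRequired="false"/>
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_connectors(xml_text):
    """Return a list of (port, finding) tuples in document order.
    A connector wrapped in <!-- --> (Option A) is dropped by the XML parser,
    so removing it clears the finding without any special handling."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port", "?")
        proto = c.get("protocol", "HTTP/1.1")  # Tomcat default when omitted
        if "ajp" in proto.lower():
            if c.get("address") not in LOOPBACK:
                findings.append((port, "AJP connector not bound to loopback"))
            # secretRequired="false" only matters because it allows no secret;
            # a connector with a secret set still enforces it (Option B).
            if not c.get("secret"):
                findings.append((port, "AJP connector has no shared secret"))
        elif c.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "plaintext HTTP listener; confirm redirect-only or disable"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, msg in audit_connectors(text):
        print(f"port {port}: {msg}")
```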

Phase 6 Restart, Verify & Re-scan
08 Restart FalconStor Tomcat via autovtl and verify [VERIFY]

Final XML sanity check before restart:

    xmllint --noout /usr/local/apache-tomcat/conf/server.xml && echo "XML OK"

Restart via FalconStor service control:

    # Tomcat is started/stopped by autovtl, NOT systemd
    /etc/rc.d/init.d/autovtl status
    /etc/rc.d/init.d/autovtl restart
    # Wait for Tomcat to come back up (typically 30-60s on this host)
    sleep 45

Verify Tomcat is back and listening correctly:

    ps -ef | grep catalina | grep -v grep
    ss -ltn
    # Expected listeners after hardening:
    #   443  — HTTPS (FalconStor fms/obd)                      ✓ present
    #   80   — depending on Phase 5 decision                   ✓ or absent
    #   8009 — absent (Option A) or 127.0.0.1 only (Option B)  ✓ no public bind
    #   1311 — absent (OMSA web disabled)                      ✓ silent

Functional verification — FalconStor webapps:

    curl -Ik https://localhost/fms/
    curl -Ik https://localhost/obd/
    # Manager webapp should now return 404 (removed in Phase 4)
    curl -sk https://localhost/manager/html | head -3

Functional verification — OMSA hardware monitoring:

    omreport chassis
    omreport storage controller

Diff against baseline:

    ss -ltnp > /root/tomcat-baseline-$(date +%Y%m%d)/listeners-after.txt
    # Glob assumes a single baseline directory; name it explicitly if more exist
    diff /root/tomcat-baseline-*/listeners-before.txt \
         /root/tomcat-baseline-*/listeners-after.txt

Test the VTL itself. Beyond port checks, log into the FalconStor management UI (https://b-prd-vtl/fms) and confirm tape libraries, virtual tapes, replication jobs, and any backup-server clients are all reporting healthy. Run a non-disruptive backup test or verify a scheduled job completes successfully before signing off the change.
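The expected-listener table above can also be checked mechanically from `ss -ltn` output, which is useful when the same change is repeated after a FalconStor patch. The following is an added example, not part of the runbook's own tooling: it parses `ss -ltn` output and reports any deviation from the post-hardening state (443 present, 1311 absent, 8009 absent or loopback-only, 80 absent unless the Phase 5 decision kept it). The embedded output is constructed and the function names are hypothetical.

```python
"""Phase 6 listener check: compare `ss -ltn` output with the expected
post-hardening state. Hypothetical helper; usage: ss -ltn | python3 check_listeners.py"""
import sys

# Constructed `ss -ltn` output for a correctly hardened host (Option B AJP bind).
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     *:443                *:*
LISTEN  0       100     127.0.0.1:8009       *:*
LISTEN  0       128     [::]:22              [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_text):
    """Return a set of (address, port) pairs from `ss -ltn` output."""
    listeners = set()
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 '[::]' intact
        listeners.add((addr, int(port)))
    return listeners


def check_listeners(ss_text, http80_allowed=False):
    """Return a list of deviations from the runbook's expected listener state."""
    by_port = {}
    for addr, port in parse_listeners(ss_text):
        by_port.setdefault(port, set()).add(addr)
    problems = []
    if 443 not in by_port:
        problems.append("443 missing: FalconStor fms/obd HTTPS listener is down")
    if 1311 in by_port:
        problems.append("1311 present: OMSA web service (dsm_om_connsvc) still listening")
    if 8009 in by_port and not by_port[8009] <= LOOPBACK:
        problems.append("8009 bound beyond loopback: AJP still exposed")
    if 80 in by_port and not http80_allowed:
        problems.append("80 present: plaintext HTTP listener not disabled")
    return problems


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for p in check_listeners(text, http80_allowed="--allow-80" in sys.argv):
        print("FAIL:", p)
```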

09 Request vulnerability re-scan and document residuals [CLOSE-OUT]

    # Confirm final port state for the change record
    ss -ltnp | grep -E ':80 |:443 |:1311 |:8009 '
    # Capture installed Tomcat version for evidence
    /usr/local/apache-tomcat/bin/version.sh | grep -E 'Server version|Server number'
    # OMSA package state — for evidence the bundled web service is no longer reachable
    rpm -q srvadmin-tomcat
    systemctl is-enabled dsm_om_connsvc

Open a re-scan request with the customer's vuln scanning team. Expected outcome: the AJP, manager-webapp, and OMSA-Tomcat findings should all clear. The original two CVEs (fixed upstream in 9.0.117) will remain open until the FalconStor patch lands; note this in the change record with the FalconStor case number as the linked remediation track.

Rollback Restore Baseline if Required
RB Restore server.xml, webapps, and OMSA web service [ROLLBACK]

Restore Tomcat config:

    # Use the date the baseline was taken; $(date +%Y%m%d) only matches if
    # rolling back on the same day as the change
    cd /root/tomcat-baseline-$(date +%Y%m%d)
    # Restore the most recent server.xml backup (cp fails on a multi-file glob)
    cp -p "$(ls -t /usr/local/apache-tomcat/conf/server.xml.bak.* | head -1)" \
          /usr/local/apache-tomcat/conf/server.xml
    # Or full conf restore from tarball
    tar -xzf tomcat-conf.tar.gz -C /usr/local/apache-tomcat

Restore manager / host-manager webapps:

    tar -xzf mgr-webapps-removed.tar.gz \
        -C /usr/local/apache-tomcat/webapps

Re-enable OMSA web service:

    systemctl enable --now dsm_om_connsvc
    ss -ltn | grep 1311

Restart FalconStor Tomcat:

    /etc/rc.d/init.d/autovtl restart

Each phase has an independent rollback path — you do not have to roll back everything if only one change causes an issue. Identify the failing phase, restore only its artefacts, and proceed with the remainder.

Quick Reference Step Summary

| Command | Purpose | Notes |
|---|---|---|
| /usr/local/apache-tomcat/bin/version.sh | Confirm FalconStor Tomcat version | 9.0.112 expected baseline |
| ss -ltnp | Capture listener state pre/post change | Diff for evidence |
| tar -czf .../tomcat-conf.tar.gz | Backup full conf tree | Rollback artefact |
| systemctl disable --now dsm_om_connsvc | Disable OMSA web GUI | Phase 2 — kills 1311 listener |
| omreport chassis | Verify hardware monitoring intact | dataeng path, not Tomcat |
| vi .../conf/server.xml | Comment out AJP/8009 connector | Phase 3 Option A |
| openssl rand -hex 32 | Generate AJP shared secret | Phase 3 Option B only |
| xmllint --noout server.xml | Validate XML before restart | Critical — bad XML = no Tomcat |
| rm -rf .../webapps/{manager,host-manager} | Remove default management webapps | Phase 4 — re-verify after FalconStor patches |
| /etc/rc.d/init.d/autovtl restart | Restart FalconStor Tomcat | Not systemd — vendor init script |
| curl -Ik https://localhost/fms/ | Confirm FalconStor webapp reachable | Functional check post-restart |
| diff listeners-before listeners-after | Evidence of port-state change | Attach to change record |
⚠ Key Notes