Bare-metal
Linux Ubuntu or Debian
Overview
The Trust1Validation can be deployed on a Tomcat 9 server. Below you will find instructions on how you can deploy the Trust1Validation on a bare metal installation.
The utilities service is a Play (https://www.playframework.com/) application that can be deployed on the same server.
The OS used to validate this deployment method, is Ubuntu 22.04 LTS
Trust1Validation Service
Installing Java
Tomcat 9 requires Java SE eight or later. We’ll set up OpenJDK 11 as an example.
Run the next instructions with sudo privileges, we will update the package registries first and then install OpenJDK 11:
sudo apt update
sudo apt install openjdk-11-jdk
As soon as the installation is done, confirm it by checking with the following command:
java -version
The output should be similar to this:
openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)
System consumer
Deploying Tomcat in a basic consumer context is considered unsafe practice. We’ll create a brand new system consumer and group with residence listing /decide/tomcat
that may run the Tomcat service. To create this consumer run the following command:
sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat
Downloading and installing Tomcat
You can retrieve the Tomcat binaries from their downloads page.
We need the core
package.
We will use wget
to download the binaries. We will set the version as a variable since we will need it later on
VERSION=9.0.88
wget https://dlcdn.apache.org/tomcat/tomcat-9/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz -P /tmp
Once the download is complete, extract the tar file to the /opt/tomcat
directory::
sudo tar -xf /tmp/apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/
For ease of use can make a symbolic link
sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest
Later, when upgrading Tomcat, unpack the new version and alter the symlink to that version.
Now we need to update the directory ownership to the consumer we've created before:
sudo chown -R tomcat: /opt/tomcat
The shell scripts inside the Tomcat’s bin
directory must be made executable:
sudo sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'
These scripts are used to start, stop and manage the Tomcat instance.
Running as a service
Now we will set up a service so that Tomcat is automatically started on system boot.
Open your text editor and create a tomcat.service
unit file in the /etc/systemd/system/
directory:
sudo nano /etc/systemd/system/tomcat.service
Paste the following configuration:
[Unit]
Description=Tomcat 9 servlet container
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true"Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh
ExecStart=/opt/tomcat/latest/bin/startup.sh
[Install]
WantedBy=multi-user.target
Modify the JAVA_HOME
variable if the path to your Java installation is different.
Save and close the file and notify systemd that a new service file has been created:
sudo systemctl daemon-reload
Enable and start the Tomcat service:
sudo systemctl enable --now tomcat
Check the service status:
sudo systemctl status tomcat
The output should show that the Tomcat server is enabled and running:
● tomcat.service - Tomcat 9 servlet container
Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-05-25 17:58:37 UTC; 4s ago
Process: 5342 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
Main PID: 5362 (java)
...
You can start, stop and restart Tomcat same as any other systemd service:
sudo systemctl start tomcat
sudo systemctl stop tomcat
sudo systemctl restart tomcat
Trust1Validation deployment
Now we have a running tomcat server we want to deploy our service.
first up we remove the original ROOT
application
sudo rm -rf /opt/tomcat/latest/webapps/ROOT
Next up we will deploy our war
file.
mv /location-of-war/t1c-dss-api.war /opt/tomcat/latest/webapps/ROOT.war
Now restart the service to make sure the service is deployed and running
sudo systemctl restart tomcat
You can also verify everything with the Tomcat web application manager

For the manager make sure you've enabled a user in the /opt/tomcat/latest/conf/tomcat-users.xml
which is needed to log in to the manager.
Now the service should be available on localhost:8080
and is ready to be exposed.

Fileopen limit
The fileopen limit can be troublesome on webservers causing 503 errors. To prevent this we increase the filopen limit to a more reasonable amount;
To view the current user limits set, add the “-a” option in the “ulimit” command:
ulimit -a
You can change the limit of opened files by adding the following to /etc/security/limits.conf
:
* soft nofile 2048 # Set the limit according to your needs
* hard nofile 2048
Then you can reload the configuration using sysctl -p
on the shell. Check this article.
Just for completeness you can verify what is the current limit for opened files using: ulimit -n
Extra's
In case your server is protected by a firewall, you’ll want to open port 8080
.
Trust1Validation Utilities
Overview
The digital trust service utilities is a extension on the digital trust service. This provide functionalities like PDF/A validation.
Installing Java
We’ll set up OpenJDK 11.
Run the next instructions with sudo privileges, we will update the package registries first and then install OpenJDK 11:
sudo apt update
sudo apt install openjdk-11-jdk
As soon as the installation is done, confirm it by checking with the following command:
java -version
The output should look something like this:
openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)
System consumer
Deploying Play in a basic consumer context is considered unsafe practice. We’ll create a brand new system consumer and group with residence listing /decide/play
that may run the Play service. To create this consumer run the following command:
sudo useradd -m -U -d /opt/play -s /bin/false play
Downloading and installing DSS utils
You can retrieve the DSS utils binaries from their our download page
We will use wget
to download the binaries.
wget ${URL} -P /tmp
Once the download is complete, extract the tar file to the /opt/play
directory::
sudo unzip /tmp/t1t-dss-utils-api-1.0.0-SNAPSHOT.zip -d /opt
Running as a service
Now we will set up a service so that DSS utils is automatically started on system boot.
Open your text editor and create a dssutils.service
unit file in the /etc/systemd/system/
directory:
sudo nano /etc/systemd/system/dssutils.service
Paste the following configuration:
[Unit]
Description=Trust1Team Digital Trust Service Utilities
After=syslog.target network.target
Before=httpd.service
[Service]
WorkingDirectory=/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/
ExecStart=/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/bin/t1t-dss-utils-api
Restart=on-failure
[Install]
WantedBy=multi-user.target
Save and close the file and notify systemd that a new service file has been created:
sudo systemctl daemon-reload
Enable and start the DSS utils service:
sudo systemctl enable --now dssutils
Check the service status:
sudo systemctl status dssutils
The output should show that the Tomcat server is enabled and running:
● dssutils.service - Trust1Team Digital Trust Service Utilities
Loaded: loaded (/etc/systemd/system/dssutils.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-04-23 09:18:11 CEST; 1s ago
Main PID: 16016 (java)
Tasks: 19 (limit: 2184)
Memory: 149.4M
CPU: 1.878s
CGroup: /system.slice/dssutils.service
└─16016 java -Duser.dir=/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT -Dpidfile.path=/dev/null -cp /opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/lib/../conf/:/opt/t1t-dss-utils-api-1.0.0-SNAPSHOT/lib/com.trust1team.t1t-dss-utils-api-1.0.>
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,379 |-INFO in ch.qos.logback.classic.model.processor.LoggerModelHandler - Setting level of logger [eu.europa.esig.dss] to INFO
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,379 |-INFO in ch.qos.logback.classic.model.processor.LoggerModelHandler - Setting level of logger [org.apache.pdfbox] to WARN
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,379 |-INFO in ch.qos.logback.classic.model.processor.RootLoggerModelHandler - Setting level of ROOT logger to INFO
Apr 23 09:18:11 ubuntu-linux-22-04-02-desktop t1t-dss-utils-api[16016]: 07:18:11,380 |-INFO in ch.qos.logback.core.model.processor.AppenderRefModelHandler - Attaching appender named [ASYNCSTDOUT] to Logger[ROOT]
...
You can start, stop and restart DSS utils same as any other systemd service:
sudo systemctl start dssutils
sudo systemctl stop dssutils
sudo systemctl restart dssutils
Last updated