ArcGIS Server 10.1 - Tomcat issues

Discussion created by robertwjones on Sep 18, 2012
Latest reply on Feb 24, 2015 by andrewbrown
Preparing a deployment of ArcGIS Server 10.1 has led me to a number of questions around security as regards the embedded Tomcat that ships with it:

1. Is this embedded Tomcat recommended for deployment in production environments? I note that the embedded Tomcat for Server Java at 10 was not, which makes me suspicious whether this is also the case for Server 10.1:

'By default, the services you create and deploy in ArcGIS Server Manager are available through Manager's internal Web server. This, however, is not a recommended production environment. By exporting the REST handler into a standard .war file, you can deploy this as an application to an ESRI-supported J2EE server.'

2. What is Esri's policy as regards patching this embedded Tomcat if/when vulnerabilities in Tomcat or the bundled JRE come to light?

3. Assuming Esri do not intend to produce a fresh release of Server with each patch to Tomcat/Java, what resources are provided to enable us to patch the embedded Tomcat/JRE ourselves? Is this thought so trivial as to not warrant documentation?

I've had a good look around, I think, but this information doesn't seem to be available.