cloudfoundry · duanemay · Nov 5, 2025
diff --git a/config/blobs.yml b/config/blobs.yml
@@ -1,7 +1,3 @@
-apache-tomcat-10.1.49.tar.gz:
-  size: 14129174
-  object_id: 2bcc158e-35eb-45a9-5459-8cfd83914714
-  sha: sha256:d1f5969fbaf7ade296fb8acf7b13a1ef1305d27f2caa3a4c5124e8d4c8aa2b88
 bellsoft-21.0.9+15.tar.gz:
   size: 231042429
   object_id: 02cb0a18-6116-4eed-7fc4-193eafb4ab7d

diff --git a/jobs/uaa/spec b/jobs/uaa/spec
@@ -18,9 +18,6 @@ templates:
   config/messages.properties.erb: config/messages.properties
   config/uaa.crt.erb: config/uaa.crt
   config/boot/application.yml.erb: config/boot/application.yml
-  config/tomcat/tomcat.logging.properties: config/tomcat/logging.properties
-  config/tomcat/tomcat.server.xml.erb: config/tomcat/server.xml
-  config/tomcat/tomcat.context.xml.erb: config/tomcat/context.xml
 
   bbr/pre-backup-lock.sh.erb: bin/bbr/pre-backup-lock
   bbr/pre-restore-lock.sh.erb: bin/bbr/pre-restore-lock
@@ -51,12 +48,6 @@ packages:
   - uaa
 
 properties:
-  runtime.tomcat.enabled:
-    description: |
-      Deprecated. Set to true to force UAA to run within a Apache Tomcat container.
-      Set to false, to use a Spring Boot runtime with an embedded Apache Tomcat container.
-      This property will be removed when Apache Tomcat as a runtime is removed.
-    default: true
   uaa.rate_limiter:
     config:
       loggingOption:
@@ -149,7 +140,7 @@ properties:
 
   # General server properties
   uaa.catalina_opts:
-    description: "The options used to configure Tomcat"
+    description: "The options used to configure the UAA Server"
     default: -Xmx768m -XX:MaxMetaspaceSize=256m
   uaa.localhost_http_port:
     description: |
@@ -187,7 +178,7 @@ properties:
     description: "Array of the router IPs acting as the first group of HTTP/TCP backends. These will be added to the proxy_ips_regex as exact matches."
     default: []
   uaa.keepalive_timeout:
-    description: Timeout value in milliseconds for the connection keepalive of the tomcat server
+    description: Timeout value in milliseconds for the connection keepalive of the UAA server
     default: 120000
 
   env.http_proxy:

diff --git a/jobs/uaa/templates/bin/pre-start.erb b/jobs/uaa/templates/bin/pre-start.erb
@@ -149,29 +149,21 @@ function insert_ssl_cert {
     log "Installed Server SSL certificate"
 }
 
-function configure_tomcat {
-    # When run with bpm, the vcap user does not have permissions to read
-    # files in the jobs and packages directories. Consequently, we move
-    # our tomcat installation into a directory where we have full permissions.
-    rm -rf /var/vcap/data/uaa/tomcat
-    mkdir -p /var/vcap/data/uaa/
-    cp -a /var/vcap/packages/uaa/tomcat /var/vcap/data/uaa/
-    cp -a /var/vcap/jobs/uaa/config/tomcat/* /var/vcap/data/uaa/tomcat/conf/
-    chown -R vcap:vcap /var/vcap/data/uaa/
-}
-
 function configure_spring_boot {
+    log "Configure Spring Boot directories"
+
     # When run with bpm, the vcap user does not have permissions to read
     # files in the jobs and packages directories. Consequently, we move
     # our spring boot installation into a directory where we have full permissions.
     rm -rf /var/vcap/data/uaa/boot
-    mkdir -p /var/vcap/data/uaa
-    mkdir -p /var/vcap/data/sys/run/uaa/exec-tmp
-    cp -a /var/vcap/packages/uaa/boot /var/vcap/data/uaa/
-    cp -a /var/vcap/jobs/uaa/config/boot/* /var/vcap/data/uaa/boot/
     mkdir -p /var/vcap/data/uaa/boot/webapps
     mkdir -p /var/vcap/data/uaa/boot/work
-    chown -R vcap:vcap /var/vcap/data/uaa/boot
+    cp -a /var/vcap/packages/uaa/boot /var/vcap/data/uaa/
+    cp -a /var/vcap/jobs/uaa/config/boot/* /var/vcap/data/uaa/boot/
+    chown -R vcap:vcap /var/vcap/data/uaa
+
+    # Bouncy Castle FIPS needs a tmp dir with exec permissions
+    mkdir -p /var/vcap/data/sys/run/uaa/exec-tmp
     chown -R vcap:vcap /var/vcap/data/sys/run/uaa/exec-tmp
     chmod 0755 /var/vcap/data/sys/run/uaa/exec-tmp
 }
@@ -191,11 +183,8 @@ PERSISTENT_UAA_CA_CERTS_FILE=$PERSISTENT_CERTS_DIR/uaa-ca-certs-cache.txt
 LDAP_CERTS_FILE=/var/vcap/jobs/uaa/config/ldap.crt
 PERSISTENT_LDAP_CERTS_FILE=$PERSISTENT_CERTS_DIR/ldap-certs-cache.txt
 
-process_certs
-
-configure_tomcat
-
 configure_spring_boot
+process_certs
 
 rm -rf $TMP_DIR
 

diff --git a/jobs/uaa/templates/bin/uaa b/jobs/uaa/templates/bin/uaa
@@ -32,12 +32,13 @@ JAVA_OPTS="$JAVA_OPTS -Dnetworkaddress.cache.ttl=0 $HTTP_PROXY_JAVA_OPTIONS $KEY
 JAVA_OPTS="$JAVA_OPTS -Dlog4j.configurationFile=/var/vcap/jobs/uaa/config/log4j2.properties"
 JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
 JAVA_OPTS="$JAVA_OPTS -Djava.io.tmpdir=/var/vcap/data/sys/run/uaa/exec-tmp"
+JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.native.loader.install_dir=/var/vcap/data/sys/run/uaa/exec-tmp"
 JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError"
 JAVA_OPTS="$JAVA_OPTS -XX:HeapDumpPath=${uaa_log_dir}"
 export PATH
 export JAVA_OPTS
 
-BOOT_RUN_LOCATION=/var/vcap/data/uaa/boot
+boot_run_location=/var/vcap/data/uaa/boot
 BOOT_OPTS="${JAVA_OPTS}"
 ### TODO what is the difference between -Dlog4j.configurationFile and -Dlogging.config?
 BOOT_OPTS="${BOOT_OPTS} -Dlogging.config=/var/vcap/jobs/uaa/config/log4j2.properties"
@@ -46,27 +47,17 @@ BOOT_OPTS="${BOOT_OPTS} -Dmetrics.perRequestMetrics=true"
 BOOT_OPTS="${BOOT_OPTS} -Dserver.servlet.context-path=/"
 BOOT_OPTS="${BOOT_OPTS} -Dstatsd.enabled=true"
 BOOT_OPTS="${BOOT_OPTS} <%= p("uaa.catalina_opts") %>"
-BOOT_FILE=${BOOT_RUN_LOCATION}/uaa-boot.war
-
-TOMCAT_ENABLED=<%= p("runtime.tomcat.enabled") %>
-if [[ "${TOMCAT_ENABLED}" == "true" ]]; then
-  export CATALINA_TMPDIR=/var/vcap/data/sys/run/uaa/exec-tmp
-  log "Calling Tomcat start up command"
-  /var/vcap/packages/uaa/tomcat/bin/catalina.sh run &
-  CATALINA_PID=$!
-  log "uaa/tomcat started in background. Waiting for signals."
-  wait "${CATALINA_PID}"
-  EXIT_STATUS=$?
-  log "uaa/tomcat job exiting"
-  exit $EXIT_STATUS
-else
-  # location of application.yml
-  cd ${BOOT_RUN_LOCATION}
-  java ${BOOT_OPTS} -jar ${BOOT_FILE} &
-  BOOT_PID=$!
-  log "uaa/boot started in background. Waiting for signals."
-  wait "${BOOT_PID}"
-  EXIT_STATUS=$?
-  log "uaa/boot job exiting"
-  exit $EXIT_STATUS
-fi
+BOOT_FILE=${boot_run_location}/uaa-boot.war
+
+# location of application.yml
+cd ${boot_run_location}
+java ${BOOT_OPTS} -jar ${BOOT_FILE} > ${uaa_log_dir}/boot.log 2>&1 &
+boot_pid=$!
+mkdir -p /var/vcap/sys/run/bpm/uaa
+echo "${boot_pid}" > /var/vcap/sys/run/bpm/uaa/uaa.pid
+sleep 1
+log "uaa/boot(pid=${boot_pid}) started in background. Waiting for signals."
+wait "${boot_pid}"
+exit_status=$?
+log "uaa/boot(pid=${boot_pid}) job exiting, with status: ${exit_status}"
+exit ${exit_status}
diff --git a/jobs/uaa/templates/config/bpm.yml.erb b/jobs/uaa/templates/config/bpm.yml.erb
@@ -2,8 +2,6 @@ processes:
 - name: uaa
   executable: /var/vcap/jobs/uaa/bin/uaa
   env:
-    CATALINA_BASE: /var/vcap/data/uaa/tomcat
-    CATALINA_HOME: /var/vcap/data/uaa/tomcat
     CLOUDFOUNDRY_CONFIG_PATH: /var/vcap/jobs/uaa/config
     CLOUDFOUNDRY_LOG_PATH: /var/vcap/sys/log/uaa
     CATALINA_OPTS: "<%= p('uaa.catalina_opts') %>"

diff --git a/jobs/uaa/templates/config/tomcat/tomcat.context.xml.erb b/jobs/uaa/templates/config/tomcat/tomcat.context.xml.erb
diff --git a/jobs/uaa/templates/config/tomcat/tomcat.logging.properties b/jobs/uaa/templates/config/tomcat/tomcat.logging.properties
diff --git a/jobs/uaa/templates/config/tomcat/tomcat.server.xml.erb b/jobs/uaa/templates/config/tomcat/tomcat.server.xml.erb
diff --git a/packages/uaa/packaging b/packages/uaa/packaging
@@ -14,23 +14,6 @@ fi
 # Ensure correct permissions
 chmod -R a+r jdk
 
-tomcat_tar_file=$(find "${BOSH_COMPILE_TARGET}" -name "apache-tomcat-*.tar.gz" | sort --version-sort| tail -n1)
-mkdir tomcat
-tar zxvf "${tomcat_tar_file}" -C tomcat --strip 1
-if [[ $? != 0 ]] ; then
-  echo "Cannot unpack Tomcat"
-  exit 1
-fi
-
-cd tomcat
-rm -rf webapps/*
-cp -a "${BOSH_COMPILE_TARGET}"/wars/cloudfoundry-identity-uaa.war webapps/ROOT.war
-cp -a "${BOSH_COMPILE_TARGET}"/wars/cloudfoundry-identity-statsd.war webapps/statsd.war
-cp -a "${BOSH_COMPILE_TARGET}"/wars/tomcat-listener.jar lib/tomcat-listener.jar
-
-chmod 0755 bin/
-chmod 0755 bin/*.sh
-
 # setup a spring boot directory
 cd ${BOSH_INSTALL_TARGET}
 mkdir boot

diff --git a/packages/uaa/pre_packaging b/packages/uaa/pre_packaging
@@ -22,16 +22,12 @@ fi
 
 #setup Java path
 export PATH=$JAVA_HOME/bin:$PATH
-
 mkdir wars
 
 #build cloud foundry UAA war
 cd "${BUILD_DIR}"/uaa
 GIT_DIR=$(find "${RELEASE_DIR}" -path "*/modules/src/uaa") ./gradlew clean assemble --max-workers=4 -Pversion="${UAA_VERSION}"
 cp uaa/build/libs/"cloudfoundry-identity-uaa-${UAA_VERSION}.war" "${BUILD_DIR}"/wars/cloudfoundry-identity-uaa.war
-cp statsd/build/libs/"cloudfoundry-identity-statsd-${UAA_VERSION}.war" "${BUILD_DIR}"/wars/cloudfoundry-identity-statsd.war
-cp server/build/libs/"tomcat-listener-${UAA_VERSION}.jar" "${BUILD_DIR}"/wars/tomcat-listener.jar
-
 ls -la "${BUILD_DIR}"/wars
 
 #clean build UAA data and build tools (java)

diff --git a/packages/uaa/spec b/packages/uaa/spec
@@ -3,5 +3,4 @@ name: uaa
 dependencies:
 files:
 - uaa/**/*
-- bellsoft-*.tar.gz
-- apache-*.tar.gz
+- bellsoft-*.tar.gz