Bug 1517827

Summary: [RFE] Satellite 6: add the ability to choose supported cipher suites for Tomcat
Product: Red Hat Satellite Reporter: Daniele <dconsoli>
Component: CandlepinAssignee: Barnaby Court <bcourt>
Status: CLOSED ERRATA QA Contact: Sanket Jagtap <sjagtap>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2.12CC: aperotti, bbuckingham, bkearney, lzap, mhulan, rjerrido, sjagtap, tbrisker
Target Milestone: UnspecifiedKeywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 12:39:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1541321    

Comment 1 Tomer Brisker 2017-11-28 09:22:45 UTC
Puppet is already covered by BZ 1491363, modifying this BZ to only address tomcat and moving to candlepin component.

Comment 2 Tomer Brisker 2017-11-29 13:35:37 UTC
This should already be possible in Satellite 6.3 thanks to: https://github.com/theforeman/puppet-candlepin/commit/c5a36f728cc12443709d0437b205c4a9e32c0fbe 

This can be done by providing candlepin::ciphers variable in custom-hiera.yaml.
Moving to ONQA for verification.

Comment 3 Sanket Jagtap 2017-12-12 13:26:01 UTC
Build: Satellite 6.3.0 snap 27

We are able to override the Ciphers in /etc/tomcat/server.xml using custom-hiera.yaml.

[root@sgi-uv20-01 tomcat]# cat /etc/foreman-installer/custom-hiera.yaml  | grep candlepin
candlepin::ciphers: ['TLS_RSA_WITH_AES_128_CBC_SHA','TLS_DHE_RSA_WITH_AES_256_CBC_SHA']


satellite-installer 
Installing             Done                                               [100%] [................................................................................................................................]
  Success!

cat /etc/tomcat/server.xml | grep ciphers -C 10
         described in the APR documentation -->

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want"
               sslProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="conf/keystore"
               truststoreFile="conf/keystore"
               keystoreType="PKCS12"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA"

Comment 6 errata-xmlrpc 2018-02-21 12:39:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336