Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1188603

Summary: [RFE] Tomcat configuration of Red Hat Satellite 6 is bound to all interfaces and should only be bound to localhost
Product: Red Hat Satellite Reporter: Rich Jerrido <rjerrido>
Component: InstallationAssignee: Chris Roberts <chrobert>
Status: CLOSED DUPLICATE QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.7CC: bbuckingham, bkearney, chrobert, stbenjam
Target Milestone: UnspecifiedKeywords: FutureFeature
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-09 20:16:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rich Jerrido 2015-02-03 11:07:23 UTC 
Description of problem:
On a working Satellite 6 instance, the configuration of Tomcat is bound to 0.0.0.0 (all interfaces). It is my understanding that the only web application running in Tomcat is Candlepin, which isn't meant to be directly accessible by end users. 

It is requested to update the configuration of tomcat to only bind itself to localhost (127.0.0.1). This would increase the security profile of the Satellite. Additionally, it would make it less likely for an end-user to directly interact with Candlepin, which is an unsupported use-case. 

Version-Release number of selected component (if applicable):
candlepin-tomcat6-0.9.23.1-1.el6.noarch
tomcat6-6.0.24-80.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Install Satellite 6
2. run lsof to see the open ports


Actual results:

[root@satellite ~]# lsof -P -i TCP:8080 -i TCP:8443 -i TCP:8009
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4840 tomcat   37u  IPv4  31798      0t0  TCP *:8080 (LISTEN)
java    4840 tomcat   43u  IPv4  31801      0t0  TCP *:8443 (LISTEN)
java    4840 tomcat   49u  IPv4  31817      0t0  TCP *:8009 (LISTEN)

3.

Expected results:

Tomcat should be bound only on localhost

Additional info:

Updating each connector in /etc/tomcat6/server.xml with the 'address="127.0.0.1' parameter binds tomcat to localhost. See below:

<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want" SSLProtocol="TLS"
               keystoreFile="conf/keystore"
               truststoreFile="conf/keystore"
               keystorePass="<REDACTED>"
               keystoreType="PKCS12"
               ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
               truststorePass="<REDACTED>" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" />
Comment 1 RHEL Program Management 2015-02-03 11:23:30 UTC 
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 3 Stephen Benjamin 2016-07-29 14:19:34 UTC 
Created redmine issue http://projects.theforeman.org/issues/15896 from this bug
Comment 4 Bryan Kearney 2017-09-14 17:52:09 UTC 
This is more of an RFE. Relcassifying.
Comment 5 Chris Roberts 2017-11-09 20:16:51 UTC 

*** This bug has been marked as a duplicate of bug 1501499 ***