Bug 1394093 - [RFE] add support for customizing tomcat server.xml options
Summary: [RFE] add support for customizing tomcat server.xml options
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: Unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-11 01:51 UTC by jnikolak
Modified: 2020-04-15 14:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-18 18:06:03 UTC
Target Upstream Version:
Embargoed:



Description jnikolak 2016-11-11 01:51:01 UTC
ISSUE

* NMAP reports security warning for tomcat

ENVIRONMENT

* Satellite 6.2

RESOLUTION

* Disable HTTP TRACE Method for Apache
--> https://access.redhat.com/solutions/884243

--> allowTrace="False"
For both connectors --> /etc/tomcat/server.xml
Then restart tomcat

GOAL

Add allowTrace=False lines by default as part of a Satellite Build
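The report proposes setting allowTrace on each Connector in /etc/tomcat/server.xml and then confirming the change. The script below is an added example, not code from the bug report or from Satellite, that automates both halves of that check from a defender's side: it parses a server.xml and lists which Connectors would actually answer TRACE (Tomcat's documented default is false, and its boolean attributes only become true for a case-insensitive "true", so the report's allowTrace="False" disables TRACE), and it classifies a captured HTTP response to a TRACE request as allowed or rejected. The server.xml and both responses are constructed samples; the 405 response mirrors the shape of the curl output later in this bug.

```python
"""Audit Tomcat Connectors for HTTP TRACE exposure (added example, constructed data)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed server.xml: 8080 relies on the default, 8443 explicitly enables TRACE,
# 8009 disables it the way the report suggests ("False" is parsed as false by Tomcat).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" allowTrace="true" />
    <Connector port="8009" protocol="AJP/1.3" allowTrace="False" />
  </Service>
</Server>
"""


def trace_enabled(attr_value) -> bool:
    """Tomcat reads allowTrace with Boolean.parseBoolean semantics: only a
    case-insensitive "true" turns TRACE on; absence or any other value leaves it off."""
    return attr_value is not None and attr_value.strip().lower() == "true"


def audit_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per <Connector> with its effective TRACE setting."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        raw = conn.get("allowTrace")
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "allowTrace": raw,
            "trace_enabled": trace_enabled(raw),
        })
    return findings


def connectors_with_trace(server_xml: str) -> List[str]:
    """Ports of Connectors that would honour TRACE; empty means nothing to fix."""
    return [str(f["port"]) for f in audit_connectors(server_xml) if f["trace_enabled"]]


# Constructed responses to "TRACE /candlepin/status HTTP/1.1".
SAMPLE_TRACE_REJECTED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_TRACE_REFLECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE /candlepin/status HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_allowed(raw: str) -> bool:
    """True only when the server actually serviced TRACE.
    405/501 means rejected; an Allow header that omits TRACE means rejected;
    a 200 carrying message/http is the request being echoed back, i.e. TRACE works."""
    status, headers, _ = parse_response(raw)
    if status in (405, 501):
        return False
    allow = headers.get("allow")
    if allow and "TRACE" not in [m.strip().upper() for m in allow.split(",")]:
        return False
    return status == 200 and headers.get("content-type", "").startswith("message/http")


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "TRACE ENABLED" if f["trace_enabled"] else "trace off"
        print(f"Connector {f['port']} ({f['protocol']}): allowTrace={f['allowTrace']!r} -> {state}")
    print("rejected sample allows TRACE:", trace_allowed(SAMPLE_TRACE_REJECTED))
    print("reflected sample allows TRACE:", trace_allowed(SAMPLE_TRACE_REFLECTED))
```

Run it against the real file with `audit_connectors(open("/etc/tomcat/server.xml").read())` before and after the change, and feed `trace_allowed` the headers captured from `curl -v -X TRACE` (the `<` lines) to confirm the connector rejects the method after the restart.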

Comment 1 Brad Buckingham 2016-11-15 16:12:42 UTC
Hi Kurt, what are your thoughts about the security implications of this one to Satellite and the severity that should be applied?

Comment 2 Kurt Seifried 2016-11-15 17:01:56 UTC
We are planning to harden this in a future version of Satellite, please see:

https://bugzilla.redhat.com/show_bug.cgi?id=1305782

in fact you can probably close this as a duplicate of the above.

Comment 3 Brad Buckingham 2016-11-15 19:21:37 UTC
Kurt, thank you for the quick feedback. 

Based on the input, I am going to close this one as a duplicate; however, please re-open with details, if there is any concern with this approach.  Thanks!

*** This bug has been marked as a duplicate of bug 1305782 ***

Comment 4 Stephen Benjamin 2016-11-15 20:11:45 UTC
Reopened, as tomcat is configured by puppet-candlepin which doesn't seem to expose any means for customizing the server.yml.  We'll need to enable that before the solution in the other BZ works for this too.

Comment 6 Stephen Benjamin 2016-11-18 18:06:03 UTC
All of the tomcat documentation says the default for allowTrace is false, so not sure why nmap is being triggered.

  - http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
  - http://tomcat.apache.org/tomcat-6.0-doc/config/http.html


I looked at my local tomcat instance on Satellite 6.2 EL7, and TRACE is not enabled.  

[root@sat-rhel7 ~]#  curl -v -X TRACE -k http://localhost:8080/candlepin/status
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /candlepin/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: Apache-Coyote/1.1
< Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD
< Content-Length: 0
< Date: Fri, 18 Nov 2016 18:04:51 GMT
< 
* Connection #0 to host localhost left intact


Likewise on EL6:

[vagrant@sat-rhel7 ~]$ curl -v -X TRACE -k http://localhost:8080/candlepin/status
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /candlepin/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: Apache-Coyote/1.1
< Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD
< Content-Length: 0
< Date: Fri, 18 Nov 2016 18:05:45 GMT
< 
* Connection #0 to host localhost left intact

