Bug 1460040 - Comply with ASF trademark rules
Comply with ASF trademark rules
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tomcatjss (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Matthew Harmsen
Asha Akkiangady
:
Depends On: 1460037
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-08 17:58 EDT by Matthew Harmsen
Modified: 2017-08-01 17:09 EDT (History)
8 users (show)

See Also:
Fixed In Version: tomcatjss-7.2.1-6.el7
Doc Type: Bug Fix
Doc Text:
Cause: JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS was not compliant with ASF trademark rules outlined in http://tomcat.apache.org/legal.html. Consequence: The Apache Tomcat organization insisted that we become compliant with ASF trademark rules. Fix: We made all the agreed upon changes to the README and the spec file so that all information displayed to a user would be in compliance with the ASF trademark rules. Result: JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS is now in compliance with ASF trademark rules.
Story Points: ---
Clone Of: 1460037
Environment:
Last Closed: 2017-08-01 17:09:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthew Harmsen 2017-06-08 17:58:54 EDT
+++ This bug was initially created as a clone of Bug #1460037 +++

In order to comply with ASF trademark rules outlined in:

 * http://tomcat.apache.org/legal.html

change the package summary from:

    Summary:  JSSE implementation using JSS for Tomcat

to:

    Summary:  JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS



Similarly, although it is not the first reference, the %description could be changed from:

    %description
    A Java Secure Socket Extension (JSSE) implementation
    using Java Security Services (JSS) for Tomcat 7.
    
    NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
           because it uses an underlying NSS security model rather than the
           OpenSSL security model, so these two packages may not co-exist.

to:

    %description
    A Java Secure Socket Extension (JSSE) implementation
    using Java Security Services (JSS) for Apache Tomcat 7.
    
    NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
           because it uses an underlying NSS security model rather than the
           OpenSSL security model, so these two packages may not co-exist.

Also, if so desired, change the following three changelog entries from:

    - Bugzilla Bug #1198450 - Support for Tomcat 8
    
    - Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and
    
    - PKI TRAC Ticket #283 - Dogtag 10: Integrate Tomcat 6 'tomcatjss.jar' and
      Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package

to:

    - Bugzilla Bug #1198450 - Support for Apache Tomcat 8
    
    - Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and
    
    - PKI TRAC Ticket #283 - Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar'
      and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package

Finally, the README must also be changed from:

    tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to
    Network Security Services(NSS).

to:

    The tomcatjss package is a Java Secure Socket Extension (JSSE) module for
    Apache Tomcat that uses Java Security Services (JSS), a Java interface to
    Network Security Services (NSS).
Comment 6 Sumedh Sidhaye 2017-06-23 00:08:20 EDT
[root@csqa4-guest01 ~]# rpm -qi tomcatjss
Name        : tomcatjss
Version     : 7.2.1
Release     : 6.el7
Architecture: noarch
Install Date: Sunday 18 June 2017 11:40:57 PM EDT
Group       : System Environment/Libraries
Size        : 51869
License     : LGPLv2+
Signature   : (none)
Source RPM  : tomcatjss-7.2.1-6.el7.src.rpm
Build Date  : Tuesday 13 June 2017 11:21:42 AM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS
Description :
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
       because it uses an underlying NSS security model rather than the
       OpenSSL security model, so these two packages may not co-exist.

The spec file changes are inline with the comments above.

However some of the contents of README file are not inline with the above comments.
Especially text mentioned for sslOptions, ssl2Ciphers etc

Here is what I see the README from srpm:

tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to
Network Security Services(NSS). 

tomcatjss defines a number of attributes for a Connector including:

clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.

sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
tomcatjss supports the options: ssl2, ssl3, tls.

ssl2Ciphers: specify a list of SSL2 ciphers that tomcatjss should  accept 
or reject from the client. You can use + to denote "accept", - means "reject".

ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".

tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".

serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.

passwordFile: specify a file in which a password that is required to access
NSS's security database. Each entry in the file needs to appear on its own
line and has the form: token_name=password

certdbDir: specify the directory the NSS security database resides in.

passwordClass: specify the class that will be used to read the password.

sslProtocol: needs to be SSL

sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin

Here is an example of a secure connector:

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="SSL"
           scheme="https"
           secure="true"
           keyStoreType="PKCS11"
           maxHttpHeaderSize="8192"
           acceptCount="100"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="false"
           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10"
           strictCiphers="false"
           clientAuth="agent"
           clientauth="agent"
           sslOptions="ssl2=true,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>

If this is OK for now I can mark this bug as verified, but a need to confirm this before doing that.
Comment 7 Matthew Harmsen 2017-06-23 12:10:56 EDT
Sumedh,

Since you are looking at the tarball inside the SRPM without any patches applied, you are seeing the original text, since RHEL 7.4 only allowed us to re-base tarballs up to a set date; after that point, all changes must be applied via patches which are applied to the fixed tarball.

The changes to the README are enclosed in the patch entitled "tomcatjss-Comply-with-ASF-trademark-rules.patch" and are applied appropriately to "tomcatcatjss-7.2.1-6.el7.noarch.rpm".

Hence, to see the changes in the consumed RPM:

# rpm -qlp tomcatjss-7.2.1-6.el7.noarch.rpm 
/usr/share/doc/tomcatjss-7.2.1
/usr/share/doc/tomcatjss-7.2.1/LICENSE
/usr/share/doc/tomcatjss-7.2.1/README
/usr/share/java/tomcatjss-7.2.1.jar
/usr/share/java/tomcatjss.jar

If you view "/usr/share/doc/tomcatjss-7.2.1/README" you should see all of the changes documented above.

-- Matt
Comment 8 Asha Akkiangady 2017-06-23 13:39:18 EDT
Thank you Matt.
1. tomcatjss.spec file  has following summary:
Summary:  JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS

2. tomcatjss.spec has following description:
%description
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
       because it uses an underlying NSS security model rather than the
       OpenSSL security model, so these two packages may not co-exist.

3. tomcatjss.spec file %changelog has following changes:
- Bugzilla Bug #1344804 - Build failure on RHEL 7.3
  (patch for Bugzilla Bug #1245786 - Build failure on F23 was backported to
   RHEL 7 to coincide with Apache Tomcat version change to 7.0.68+)
- Bugzilla Bug #1198450 - Support for Apache Tomcat 8
- Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and
  TLS v1.2 

https://pagure.io/dogtagpki/issue/283 has the changes:
Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar' and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package

4. README file:
# rpm -qlp tomcatjss-7.2.1-6.el7.noarch.rpm 
/usr/share/doc/tomcatjss-7.2.1
/usr/share/doc/tomcatjss-7.2.1/LICENSE
/usr/share/doc/tomcatjss-7.2.1/README
/usr/share/java/tomcatjss-7.2.1.jar
/usr/share/java/tomcatjss.jar

File /usr/share/doc/tomcatjss-7.2.1/README has all the changes for ASF requirement.

JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

JSS Connector for Apache Tomcat defines a number of attributes for a Connector
including:

sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.

ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject"

ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".

tlsCiphers: specifies a list of TLS ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".

Marking the bug verified.
Comment 9 errata-xmlrpc 2017-08-01 17:09:17 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2079

Note You need to log in before you can comment on or make changes to this bug.