Bug 1517827 - [RFE] Satellite 6: add the ability to choose supported cipher suites for Tomcat
Summary: [RFE] Satellite 6: add the ability to choose supported cipher suites for Tomcat
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Candlepin
Version: 6.2.12
Hardware: All
OS: All
unspecified
medium
Target Milestone: Unspecified
Assignee: Barnaby Court
QA Contact: Sanket Jagtap
URL:
Whiteboard:
Depends On:
Blocks: 1541321
TreeView+ depends on / blocked
 
Reported: 2017-11-27 14:41 UTC by Daniele
Modified: 2019-04-01 20:27 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 12:39:59 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0336 0 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Comment 1 Tomer Brisker 2017-11-28 09:22:45 UTC
Puppet is already covered by BZ 1491363, modifying this BZ to only address tomcat and moving to candlepin component.

Comment 2 Tomer Brisker 2017-11-29 13:35:37 UTC
This should already be possible in Satellite 6.3 thanks to: https://github.com/theforeman/puppet-candlepin/commit/c5a36f728cc12443709d0437b205c4a9e32c0fbe 

This can be done by providing candlepin::ciphers variable in custom-hiera.yaml.
Moving to ONQA for verification.

Comment 3 Sanket Jagtap 2017-12-12 13:26:01 UTC
Build: Satellite 6.3.0 snap 27

We are able to override the Ciphers in /etc/tomcat/server.xml using custom-hiera.yaml.

[root@sgi-uv20-01 tomcat]# cat /etc/foreman-installer/custom-hiera.yaml  | grep candlepin
candlepin::ciphers: ['TLS_RSA_WITH_AES_128_CBC_SHA','TLS_DHE_RSA_WITH_AES_256_CBC_SHA']


satellite-installer 
Installing             Done                                               [100%] [................................................................................................................................]
  Success!

cat /etc/tomcat/server.xml | grep ciphers -C 10
         described in the APR documentation -->

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want"
               sslProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="conf/keystore"
               truststoreFile="conf/keystore"
               keystoreType="PKCS12"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA"

Comment 6 errata-xmlrpc 2018-02-21 12:39:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336


Note You need to log in before you can comment on or make changes to this bug.