Add pki_http_enable param

A new pki_http_enable parameter has been added for pkispawn
to enable/disable the plain HTTP connector in server.xml.
Currently the plain HTTP connector is enabled by default,
but in the future it might be disabled by default such that
the server will only use the secure HTTP connector.

The security domain CLIs have been modified such that they
work without the plain HTTP connector.

The TPS test with separate instances has been modified to
verify that the system works without plain HTTP connectors.

.github/workflows/tps-separate-test.yml

@@ -57,10 +57,19 @@ jobs:
               -D pki_ds_url=ldap://cads.example.com:3389 \
               -D pki_cert_id_generator=random \
               -D pki_request_id_generator=random \
+              -D pki_http_enable=False \
               -v
 
           docker exec ca pki-server cert-find
 
+      - name: Verify there is no plain HTTP connectors in CA
+        run: |
+          docker exec ca pki-server http-connector-find | tee output
+
+          echo "Secure" > expected
+          sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
+          diff expected actual
+
       - name: Install banner in CA container
         run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
 
@@ -98,10 +107,19 @@ jobs:
               -D pki_ds_url=ldap://krads.example.com:3389 \
               -D pki_key_id_generator=random \
               -D pki_request_id_generator=random \
+              -D pki_http_enable=False \
               -v
 
           docker exec kra pki-server cert-find
 
+      - name: Verify there is no plain HTTP connectors in KRA
+        run: |
+          docker exec kra pki-server http-connector-find | tee output
+
+          echo "Secure" > expected
+          sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
+          diff expected actual
+
       - name: Install banner in KRA container
         run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
 
@@ -135,10 +153,19 @@ jobs:
               -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
               -D pki_admin_cert_file=${SHARED}/ca_admin.cert \
               -D pki_ds_url=ldap://tksds.example.com:3389 \
+              -D pki_http_enable=False \
               -v
 
           docker exec tks pki-server cert-find
 
+      - name: Verify there is no plain HTTP connectors in TKS
+        run: |
+          docker exec tks pki-server http-connector-find | tee output
+
+          echo "Secure" > expected
+          sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
+          diff expected actual
+
       - name: Install banner in TKS container
         run: docker exec tks cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
 
@@ -178,10 +205,27 @@ jobs:
               -D pki_authdb_hostname=tpsds.example.com \
               -D pki_authdb_port=3389 \
               -D pki_enable_server_side_keygen=True \
+              -D pki_http_enable=False \
               -v
 
           docker exec tps pki-server cert-find
 
+      - name: Verify there is no plain HTTP connectors in TPS
+        run: |
+          docker exec tps pki-server http-connector-find | tee output
+
+          echo "Secure" > expected
+          sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
+          diff expected actual
+
+      - name: Verify there is no plain HTTP ports in security domain
+        run: |
+          docker exec ca pki-server sd-subsystem-find | tee output
+
+          echo -n "" > expected
+          sed -ne "/^ *Port:/p" output > actual
+          diff expected actual
+
       - name: Install banner in TPS container
         run: docker exec tps cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
 

base/common/python/pki/system.py

@@ -81,7 +81,7 @@ def from_json(cls, json_value):
         host.Hostname = json_value['Hostname']
         host.SecurePort = json_value['SecurePort']
         host.SubsystemName = json_value['SubsystemName']
-        host.Port = json_value['Port']
+        host.Port = json_value.get('Port')
 
         return host
 

base/server/etc/default.cfg

@@ -258,6 +258,8 @@ pki_proxy_https_port=443
 pki_security_manager=true
 pki_tomcat_server_port=8005
 
+pki_http_enable=True
+
 # Paths
 # These are used in the processing of pkispawn and are not supposed
 # to be overwritten by user configuration files.

base/server/python/pki/server/cli/sd.py

@@ -176,7 +176,7 @@ def print_help(self):
         print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
         print('      --subsystem <type>             Subsystem type')
         print('      --hostname <hostname>          Hostname')
-        print('      --unsecure-port <port>         Unsecure port (default: 8080)')
+        print('      --unsecure-port <port>         Unsecure port')
         print('      --secure-port <port>           Secure port (default: 8443)')
         print('      --domain-manager               Domain manager')
         print('      --clone                        Clone')
@@ -201,7 +201,7 @@ def execute(self, argv):
         instance_name = 'pki-tomcat'
         subsystem_type = None
         hostname = None
-        unsecure_port = '8080'
+        unsecure_port = None
         secure_port = '8443'
         domain_manager = False
         clone = False

base/server/python/pki/server/deployment/__init__.py

@@ -274,21 +274,36 @@ def create_server_xml(self, instance):
         logger.info('Removing UserDatabase')
         server_config.remove_global_naming_resource('UserDatabase')
 
-        logger.info('Configuring Unsecure connector')
+        # find default HTTP connector
         connector = server_config.get_connector(port='8080')
-        connector.set('name', 'Unsecure')
-        connector.set('port', self.mdict['pki_http_port'])
-        connector.set('redirectPort', self.mdict['pki_https_port'])
-        connector.set('maxHttpHeaderSize', '8192')
-        connector.set('acceptCount', '100')
-        connector.set('maxThreads', '150')
-        connector.set('minSpareThreads', '25')
-        connector.set('enableLookups', 'false')
-        connector.set('connectionTimeout', '80000')
-        connector.set('disableUploadTimeout', 'true')
+        service = connector.getparent()
+
+        # get HTTP connector position
+        index = service.index(connector)
+
+        if config.str2bool(self.mdict['pki_http_enable']):
+
+            logger.info('Configuring HTTP connector')
+            connector.set('name', 'Unsecure')
+            connector.set('port', self.mdict['pki_http_port'])
+            connector.set('redirectPort', self.mdict['pki_https_port'])
+            connector.set('maxHttpHeaderSize', '8192')
+            connector.set('acceptCount', '100')
+            connector.set('maxThreads', '150')
+            connector.set('minSpareThreads', '25')
+            connector.set('enableLookups', 'false')
+            connector.set('connectionTimeout', '80000')
+            connector.set('disableUploadTimeout', 'true')
+
+            # add the HTTPS connector after this connector
+            index = index + 1
+
+        else:
+            logger.info('Removing HTTP connector')
+            service.remove(connector)
 
-        logger.info('Adding Secure connector')
-        connector = server_config.create_connector(name='Secure')
+        logger.info('Adding HTTPS connector')
+        connector = server_config.create_connector(name='Secure', index=index)
         connector.set('port', self.mdict['pki_https_port'])
         connector.set('protocol', 'org.dogtagpki.tomcat.Http11NioProtocol')
         connector.set('SSLEnabled', 'true')

base/server/python/pki/server/subsystem.py

@@ -1494,7 +1494,7 @@ def add_security_domain_subsystem(
             subsystem_id,
             subsystem_type,
             hostname,
-            unsecure_port='8080',
+            unsecure_port=None,
             secure_port='8443',
             domain_manager=False,
             clone=False,
@@ -1552,7 +1552,7 @@ def join_security_domain(
             sd_url,
             host_id,
             hostname,
-            unsecure_port='8080',
+            unsecure_port=None,
             secure_port='8443',
             domain_manager=False,
             clone=False,
@@ -1576,10 +1576,12 @@ def join_security_domain(
                 '--install-token', install_token,
                 '--type', self.type,
                 '--hostname', hostname,
-                '--unsecure-port', unsecure_port,
-                '--secure-port', secure_port
+                '--secure-port', secure_port,
             ]
 
+            if unsecure_port is not None:
+                cmd.extend(['--unsecure-port', unsecure_port])
+
             if domain_manager:
                 cmd.append('--domain-manager')
 

base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemAddCLI.java

@@ -54,7 +54,7 @@ public void createOptions() {
         option.setArgName("hostname");
         options.addOption(option);
 
-        option = new Option(null, "unsecure-port", true, "Unsecure port (default: 8080)");
+        option = new Option(null, "unsecure-port", true, "Unsecure port");
         option.setArgName("port");
         options.addOption(option);
 
@@ -89,7 +89,7 @@ public void execute(CommandLine cmd) throws Exception {
             throw new CLIException("Missing hostname");
         }
 
-        String unsecurePort = cmd.getOptionValue("unsecure-port", "8080");
+        String unsecurePort = cmd.getOptionValue("unsecure-port");
         String securePort = cmd.getOptionValue("secure-port", "8443");
         boolean domainManager = cmd.hasOption("domain-manager");
         boolean clone = cmd.hasOption("clone");
@@ -150,7 +150,11 @@ public void execute(CommandLine cmd) throws Exception {
             attrs.add(new LDAPAttribute("cn", cn));
             attrs.add(new LDAPAttribute("SubsystemName", subsystemID));
             attrs.add(new LDAPAttribute("Host", hostname));
-            attrs.add(new LDAPAttribute("UnSecurePort", unsecurePort));
+
+            if (unsecurePort != null) {
+                attrs.add(new LDAPAttribute("UnSecurePort", unsecurePort));
+            }
+
             attrs.add(new LDAPAttribute("SecurePort", securePort));
             attrs.add(new LDAPAttribute("SecureAgentPort", securePort));
             attrs.add(new LDAPAttribute("SecureAdminPort", securePort));

base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemCLI.java

@@ -26,7 +26,12 @@ public static void printSubsystem(SecurityDomainHost host) {
 
         System.out.println("  Subsystem ID: " + host.getId());
         System.out.println("  Hostname: " + host.getHostname());
-        System.out.println("  Port: " + host.getPort());
+
+        String port = host.getPort();
+        if (port != null) {
+            System.out.println("  Port: " + port);
+        }
+
         System.out.println("  Secure Port: " + host.getSecurePort());
 
         if (host.getDomainManager() != null) {

base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainHostAddCLI.java

@@ -32,7 +32,7 @@ public void printHelp() {
 
     @Override
     public void createOptions() {
-        Option option = new Option(null, "port", true, "Port (default: 8080)");
+        Option option = new Option(null, "port", true, "Port");
         option.setArgName("port");
         options.addOption(option);
 
@@ -63,7 +63,7 @@ public void execute(CommandLine cmd) throws Exception {
         SecurityDomainHost host = new SecurityDomainHost();
         host.setId(hostID);
 
-        String port = cmd.getOptionValue("port", "8080");
+        String port = cmd.getOptionValue("port");
         host.setPort(port);
 
         String securePort = cmd.getOptionValue("securePort", "8443");

base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainJoinCLI.java

@@ -57,7 +57,7 @@ public void createOptions() {
         option.setArgName("hostname");
         options.addOption(option);
 
-        option = new Option(null, "unsecure-port", true, "Unsecure port (default: 8080)");
+        option = new Option(null, "unsecure-port", true, "Unsecure port");
         option.setArgName("port");
         options.addOption(option);
 
@@ -103,7 +103,7 @@ public void execute(CommandLine cmd) throws Exception {
             throw new Exception("Missing hostname");
         }
 
-        String unsecurePort = cmd.getOptionValue("unsecure-port", "8080");
+        String unsecurePort = cmd.getOptionValue("unsecure-port");
         String securePort = cmd.getOptionValue("secure-port", "8443");
         boolean domainManager = cmd.hasOption("domain-manager");
         boolean clone = cmd.hasOption("clone");
@@ -114,7 +114,11 @@ public void execute(CommandLine cmd) throws Exception {
         content.putSingle("type", type);
         content.putSingle("name", hostID);
         content.putSingle("host", hostname);
-        content.putSingle("httpport", unsecurePort);
+
+        if (unsecurePort != null) {
+            content.putSingle("httpport", unsecurePort);
+        }
+
         content.putSingle("sport", securePort);
         content.putSingle("agentsport", securePort);
         content.putSingle("adminsport", securePort);

docs/changes/v11.5.0/Server-Changes.adoc

@@ -8,3 +8,9 @@ A new `pki_ds_url` parameter has been added for `pkispawn` to replace the follow
 * `pki_ds_ldap_port`
 * `pki_ds_ldaps_port`
 * `pki_ds_secure_connection`
+
+== Add pki_http_enable parameter ==
+
+A new `pki_http_enable` parameter has been added for `pkispawn`
+to enable/disable the plain HTTP connector in `server.xml`.
+The default value is `True`.