diff --git a/.github/workflows/tps-separate-test.yml b/.github/workflows/tps-separate-test.yml index fef111c4d94..560dc02a4d1 100644 --- a/.github/workflows/tps-separate-test.yml +++ b/.github/workflows/tps-separate-test.yml @@ -57,10 +57,19 @@ jobs: -D pki_ds_url=ldap://cads.example.com:3389 \ -D pki_cert_id_generator=random \ -D pki_request_id_generator=random \ + -D pki_http_enable=False \ -v docker exec ca pki-server cert-find + - name: Verify there is no plain HTTP connectors in CA + run: | + docker exec ca pki-server http-connector-find | tee output + + echo "Secure" > expected + sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual + diff expected actual + - name: Install banner in CA container run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat @@ -98,10 +107,19 @@ jobs: -D pki_ds_url=ldap://krads.example.com:3389 \ -D pki_key_id_generator=random \ -D pki_request_id_generator=random \ + -D pki_http_enable=False \ -v docker exec kra pki-server cert-find + - name: Verify there is no plain HTTP connectors in KRA + run: | + docker exec kra pki-server http-connector-find | tee output + + echo "Secure" > expected + sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual + diff expected actual + - name: Install banner in KRA container run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat @@ -135,10 +153,19 @@ jobs: -D pki_cert_chain_path=${SHARED}/ca_signing.crt \ -D pki_admin_cert_file=${SHARED}/ca_admin.cert \ -D pki_ds_url=ldap://tksds.example.com:3389 \ + -D pki_http_enable=False \ -v docker exec tks pki-server cert-find + - name: Verify there is no plain HTTP connectors in TKS + run: | + docker exec tks pki-server http-connector-find | tee output + + echo "Secure" > expected + sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual + diff expected actual + - name: Install banner in TKS container run: docker exec tks cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat @@ -178,10 +205,27 @@ jobs: -D pki_authdb_hostname=tpsds.example.com \ -D pki_authdb_port=3389 \ -D pki_enable_server_side_keygen=True \ + -D pki_http_enable=False \ -v docker exec tps pki-server cert-find + - name: Verify there is no plain HTTP connectors in TPS + run: | + docker exec tps pki-server http-connector-find | tee output + + echo "Secure" > expected + sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual + diff expected actual + + - name: Verify there is no plain HTTP ports in security domain + run: | + docker exec ca pki-server sd-subsystem-find | tee output + + echo -n "" > expected + sed -ne "/^ *Port:/p" output > actual + diff expected actual + - name: Install banner in TPS container run: docker exec tps cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py index 7c267ad08a1..5ec3e53f694 100644 --- a/base/common/python/pki/system.py +++ b/base/common/python/pki/system.py @@ -81,7 +81,7 @@ def from_json(cls, json_value): host.Hostname = json_value['Hostname'] host.SecurePort = json_value['SecurePort'] host.SubsystemName = json_value['SubsystemName'] - host.Port = json_value['Port'] + host.Port = json_value.get('Port') return host diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index e6f636568c3..94ebfc7a738 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -258,6 +258,8 @@ pki_proxy_https_port=443 pki_security_manager=true pki_tomcat_server_port=8005 +pki_http_enable=True + # Paths # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files. diff --git a/base/server/python/pki/server/cli/sd.py b/base/server/python/pki/server/cli/sd.py index aec747ed8ac..068bf3c83d3 100644 --- a/base/server/python/pki/server/cli/sd.py +++ b/base/server/python/pki/server/cli/sd.py @@ -176,7 +176,7 @@ def print_help(self): print(' -i, --instance Instance ID (default: pki-tomcat).') print(' --subsystem Subsystem type') print(' --hostname Hostname') - print(' --unsecure-port Unsecure port (default: 8080)') + print(' --unsecure-port Unsecure port') print(' --secure-port Secure port (default: 8443)') print(' --domain-manager Domain manager') print(' --clone Clone') @@ -201,7 +201,7 @@ def execute(self, argv): instance_name = 'pki-tomcat' subsystem_type = None hostname = None - unsecure_port = '8080' + unsecure_port = None secure_port = '8443' domain_manager = False clone = False diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index fb49664b187..e09a8c5c1c0 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -274,21 +274,36 @@ def create_server_xml(self, instance): logger.info('Removing UserDatabase') server_config.remove_global_naming_resource('UserDatabase') - logger.info('Configuring Unsecure connector') + # find default HTTP connector connector = server_config.get_connector(port='8080') - connector.set('name', 'Unsecure') - connector.set('port', self.mdict['pki_http_port']) - connector.set('redirectPort', self.mdict['pki_https_port']) - connector.set('maxHttpHeaderSize', '8192') - connector.set('acceptCount', '100') - connector.set('maxThreads', '150') - connector.set('minSpareThreads', '25') - connector.set('enableLookups', 'false') - connector.set('connectionTimeout', '80000') - connector.set('disableUploadTimeout', 'true') + service = connector.getparent() + + # get HTTP connector position + index = service.index(connector) + + if config.str2bool(self.mdict['pki_http_enable']): + + logger.info('Configuring HTTP connector') + connector.set('name', 'Unsecure') + connector.set('port', self.mdict['pki_http_port']) + connector.set('redirectPort', self.mdict['pki_https_port']) + connector.set('maxHttpHeaderSize', '8192') + connector.set('acceptCount', '100') + connector.set('maxThreads', '150') + connector.set('minSpareThreads', '25') + connector.set('enableLookups', 'false') + connector.set('connectionTimeout', '80000') + connector.set('disableUploadTimeout', 'true') + + # add the HTTPS connector after this connector + index = index + 1 + + else: + logger.info('Removing HTTP connector') + service.remove(connector) - logger.info('Adding Secure connector') - connector = server_config.create_connector(name='Secure') + logger.info('Adding HTTPS connector') + connector = server_config.create_connector(name='Secure', index=index) connector.set('port', self.mdict['pki_https_port']) connector.set('protocol', 'org.dogtagpki.tomcat.Http11NioProtocol') connector.set('SSLEnabled', 'true') diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index e0d28de94cd..4835b045973 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -1494,7 +1494,7 @@ def add_security_domain_subsystem( subsystem_id, subsystem_type, hostname, - unsecure_port='8080', + unsecure_port=None, secure_port='8443', domain_manager=False, clone=False, @@ -1552,7 +1552,7 @@ def join_security_domain( sd_url, host_id, hostname, - unsecure_port='8080', + unsecure_port=None, secure_port='8443', domain_manager=False, clone=False, @@ -1576,10 +1576,12 @@ def join_security_domain( '--install-token', install_token, '--type', self.type, '--hostname', hostname, - '--unsecure-port', unsecure_port, - '--secure-port', secure_port + '--secure-port', secure_port, ] + if unsecure_port is not None: + cmd.extend(['--unsecure-port', unsecure_port]) + if domain_manager: cmd.append('--domain-manager') diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemAddCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemAddCLI.java index c9019389615..ad65cccd68a 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemAddCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemAddCLI.java @@ -54,7 +54,7 @@ public void createOptions() { option.setArgName("hostname"); options.addOption(option); - option = new Option(null, "unsecure-port", true, "Unsecure port (default: 8080)"); + option = new Option(null, "unsecure-port", true, "Unsecure port"); option.setArgName("port"); options.addOption(option); @@ -89,7 +89,7 @@ public void execute(CommandLine cmd) throws Exception { throw new CLIException("Missing hostname"); } - String unsecurePort = cmd.getOptionValue("unsecure-port", "8080"); + String unsecurePort = cmd.getOptionValue("unsecure-port"); String securePort = cmd.getOptionValue("secure-port", "8443"); boolean domainManager = cmd.hasOption("domain-manager"); boolean clone = cmd.hasOption("clone"); @@ -150,7 +150,11 @@ public void execute(CommandLine cmd) throws Exception { attrs.add(new LDAPAttribute("cn", cn)); attrs.add(new LDAPAttribute("SubsystemName", subsystemID)); attrs.add(new LDAPAttribute("Host", hostname)); - attrs.add(new LDAPAttribute("UnSecurePort", unsecurePort)); + + if (unsecurePort != null) { + attrs.add(new LDAPAttribute("UnSecurePort", unsecurePort)); + } + attrs.add(new LDAPAttribute("SecurePort", securePort)); attrs.add(new LDAPAttribute("SecureAgentPort", securePort)); attrs.add(new LDAPAttribute("SecureAdminPort", securePort)); diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemCLI.java index 6339aad606e..feeab77e086 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SDSubsystemCLI.java @@ -26,7 +26,12 @@ public static void printSubsystem(SecurityDomainHost host) { System.out.println(" Subsystem ID: " + host.getId()); System.out.println(" Hostname: " + host.getHostname()); - System.out.println(" Port: " + host.getPort()); + + String port = host.getPort(); + if (port != null) { + System.out.println(" Port: " + port); + } + System.out.println(" Secure Port: " + host.getSecurePort()); if (host.getDomainManager() != null) { diff --git a/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainHostAddCLI.java b/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainHostAddCLI.java index d3b2e633115..cb768595592 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainHostAddCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainHostAddCLI.java @@ -32,7 +32,7 @@ public void printHelp() { @Override public void createOptions() { - Option option = new Option(null, "port", true, "Port (default: 8080)"); + Option option = new Option(null, "port", true, "Port"); option.setArgName("port"); options.addOption(option); @@ -63,7 +63,7 @@ public void execute(CommandLine cmd) throws Exception { SecurityDomainHost host = new SecurityDomainHost(); host.setId(hostID); - String port = cmd.getOptionValue("port", "8080"); + String port = cmd.getOptionValue("port"); host.setPort(port); String securePort = cmd.getOptionValue("securePort", "8443"); diff --git a/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainJoinCLI.java b/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainJoinCLI.java index e4544d700b6..cccfa47f609 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainJoinCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/system/SecurityDomainJoinCLI.java @@ -57,7 +57,7 @@ public void createOptions() { option.setArgName("hostname"); options.addOption(option); - option = new Option(null, "unsecure-port", true, "Unsecure port (default: 8080)"); + option = new Option(null, "unsecure-port", true, "Unsecure port"); option.setArgName("port"); options.addOption(option); @@ -103,7 +103,7 @@ public void execute(CommandLine cmd) throws Exception { throw new Exception("Missing hostname"); } - String unsecurePort = cmd.getOptionValue("unsecure-port", "8080"); + String unsecurePort = cmd.getOptionValue("unsecure-port"); String securePort = cmd.getOptionValue("secure-port", "8443"); boolean domainManager = cmd.hasOption("domain-manager"); boolean clone = cmd.hasOption("clone"); @@ -114,7 +114,11 @@ public void execute(CommandLine cmd) throws Exception { content.putSingle("type", type); content.putSingle("name", hostID); content.putSingle("host", hostname); - content.putSingle("httpport", unsecurePort); + + if (unsecurePort != null) { + content.putSingle("httpport", unsecurePort); + } + content.putSingle("sport", securePort); content.putSingle("agentsport", securePort); content.putSingle("adminsport", securePort); diff --git a/docs/changes/v11.5.0/Server-Changes.adoc b/docs/changes/v11.5.0/Server-Changes.adoc index c9b287e6b18..fade397b3d7 100644 --- a/docs/changes/v11.5.0/Server-Changes.adoc +++ b/docs/changes/v11.5.0/Server-Changes.adoc @@ -8,3 +8,9 @@ A new `pki_ds_url` parameter has been added for `pkispawn` to replace the follow * `pki_ds_ldap_port` * `pki_ds_ldaps_port` * `pki_ds_secure_connection` + +== Add pki_http_enable parameter == + +A new `pki_http_enable` parameter has been added for `pkispawn` +to enable/disable the plain HTTP connector in `server.xml`. +The default value is `True`.