Overview#
This page describes the differences between Tomcat files in PKI 10.6 and PKI 10.5. These changes will eventually be automatically applied during RPM upgrade or server restart.
server.xml#
$ git diff DOGTAG_10_5_BRANCH:base/server/tomcat8/conf/server.xml base/server/tomcat-8.5/conf/server.xml
diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat-8.5/conf/server.xml
index d08e3b1a3..dd9c2f337 100644
--- a/base/server/tomcat8/conf/server.xml
+++ b/base/server/tomcat-8.5/conf/server.xml
@@ -1,4 +1,4 @@
-<?xml version='1.0' encoding='utf-8'?>
+<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
Copyright (C) 2012 Red Hat, Inc.
All rights reserved.
@@ -115,7 +115,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
- Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port [PKI_UNSECURE_PORT]
@@ -123,17 +123,17 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
[PKI_UNSECURE_PORT_SERVER_COMMENT]
<Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]"
- port="[PKI_UNSECURE_PORT]"
- protocol="HTTP/1.1"
- redirectPort="[PKI_SECURE_PORT]"
- maxHttpHeaderSize="8192"
- acceptCount="100"
- maxThreads="150"
- minSpareThreads="25"
- enableLookups="false"
- connectionTimeout="80000"
- disableUploadTimeout="true"
- />
+ port="[PKI_UNSECURE_PORT]"
+ protocol="HTTP/1.1"
+ redirectPort="[PKI_SECURE_PORT]"
+ maxHttpHeaderSize="8192"
+ acceptCount="100"
+ maxThreads="150"
+ minSpareThreads="25"
+ enableLookups="false"
+ connectionTimeout="80000"
+ disableUploadTimeout="true"
+ />
<!-- A "Connector" using the shared thread pool-->
<!--
@@ -148,97 +148,51 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
- [PKI_SECURE_PORT_SERVER_COMMENT]
- <!-- DO NOT REMOVE - Begin define PKI secure port
- NOTE: The following 'keys' (and their assigned values) are exclusive to
- the 'tomcatjss' JSSE module:
-
- 'enableOCSP'
- 'ocspResponderURL'
- 'ocspResponderCertNickname'
- 'ocspCacheSize'
- 'ocspMinCacheEntryDuration'
- 'ocspMaxCacheEntryDuration'
- 'ocspTimeout'
- 'strictCiphers'
- 'clientauth' (ALL lowercase)
- 'sslVersionRangeStream'
- 'sslVersionRangeDatagram'
- 'sslRangeCiphers'
- 'serverCertNickFile'
- 'passwordFile'
- 'passwordClass'
- 'certdbDir'
-
- and are referenced via the value of the 'sslImplementationName' key.
- NOTE: The OCSP settings take effect globally, so it should only be set once.
-
- In setup where SSL clientauth="true", OCSP can be turned on by
- setting enableOCSP to true like the following:
- enableOCSP="true"
- along with changes to related settings, especially:
- ocspResponderURL=<see example in connector definition below>
- ocspResponderCertNickname=<see example in connector definition below>
- Here are the definition to all the OCSP-related settings:
- enableOCSP - turns on/off the ocsp check
- ocspResponderURL - sets the url where the ocsp requests are sent
- Make sure this URL uses the NON SSL or HTTP port for the OCSP interface.
- Ex: use 8080 instead of say 8443.
-
- ocspResponderCertNickname - sets the nickname of the cert that is
- either CA's signing certificate or the OCSP server's signing
- certificate.
- The CA's signing certificate should already be in the db, in
- case of the same security domain.
- In case of an ocsp signing certificate, one must import the cert
- into the subsystem's nss db and set trust. e.g.:
- certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64
- ocspCacheSize - sets max cache entries
- ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt
- ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt
- ocspTimeout -sets OCSP timeout in seconds
-
- See <instance dir>/conf/ciphers.info
- About the TLS range related parameters
- -->
<Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]"
- port="[PKI_SECURE_PORT]"
- protocol="org.apache.coyote.http11.Http11Protocol"
- SSLEnabled="true"
- sslProtocol="SSL"
- scheme="https"
- secure="true"
- connectionTimeout="80000"
- keepAliveTimeout="300000"
- maxHttpHeaderSize="8192"
- acceptCount="100" maxThreads="150" minSpareThreads="25"
- enableLookups="false" disableUploadTimeout="true"
- sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
- enableOCSP="false"
- ocspResponderURL="http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ocsp"
- ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
- ocspCacheSize="1000"
- ocspMinCacheEntryDuration="60"
- ocspMaxCacheEntryDuration="120"
- ocspTimeout="10"
- strictCiphers="true"
- clientAuth="[PKI_AGENT_CLIENTAUTH]"
- sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
- sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
- sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
- serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
- passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
- passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="[PKI_INSTANCE_PATH]/alias"
- />
+ port="[PKI_SECURE_PORT]"
+ protocol="org.dogtagpki.tomcat.Http11NioProtocol"
+ SSLEnabled="true"
+ sslProtocol="SSL"
+ scheme="https"
+ secure="true"
+ connectionTimeout="80000"
+ keepAliveTimeout="300000"
+ maxHttpHeaderSize="8192"
+ acceptCount="100"
+ maxThreads="150"
+ minSpareThreads="25"
+ enableLookups="false"
+ disableUploadTimeout="true"
+ enableOCSP="false"
+ ocspResponderURL="http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="true"
+ clientAuth="[PKI_AGENT_CLIENTAUTH]"
+ sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
+ sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
+ sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
+ serverCertNickFile="[PKI_INSTANCE_PATH]/conf/serverCertNick.conf"
+ passwordFile="[PKI_INSTANCE_PATH]/conf/password.conf"
+ passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
+ certdbDir="[PKI_INSTANCE_PATH]/alias"
+ keystoreType="pkcs12"
+ keystoreFile="[pki_instance_configuration_path]/keystore.p12"
+ keystorePassFile="[pki_instance_configuration_path]/keystore.pwd"
+ keyAlias="sslserver"
+ trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager"
+ />
<!-- DO NOT REMOVE - End define PKI secure port -->
<!-- Define an AJP 1.3 Connector on port [PKI_AJP_PORT] -->
[PKI_OPEN_AJP_PORT_COMMENT]
<Connector port="[PKI_AJP_PORT]"
- protocol="AJP/1.3"
- redirectPort="[PKI_AJP_REDIRECT_PORT]"
- address="[PKI_AJP_HOST]" />
+ protocol="AJP/1.3"
+ redirectPort="[PKI_AJP_REDIRECT_PORT]"
+ address="[PKI_AJP_HOST]" />
[PKI_CLOSE_AJP_PORT_COMMENT]
@@ -275,7 +229,7 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
</Realm>
-->
- <Host name="localhost" appBase="[PKI_INSTANCE_PATH]/webapps"
+ <Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
catalina.properties#
$ git diff DOGTAG_10_5_BRANCH:base/server/share/conf/catalina.properties base/server/tomcat-8.5/conf/catalina.properties
diff --git a/base/server/share/conf/catalina.properties b/base/server/tomcat-8.5/conf/catalina.properties
index 2199a78d8..4c84589ac 100644
--- a/base/server/share/conf/catalina.properties
+++ b/base/server/tomcat-8.5/conf/catalina.properties
@@ -25,7 +25,7 @@
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
-package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,org.apache.tomcat.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
@@ -36,7 +36,8 @@ package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,o
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
-package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\
+org.apache.jasper.,org.apache.naming.,org.apache.tomcat.
#
#
@@ -50,7 +51,14 @@ package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
+#
+# Note: Values are enclosed in double quotes ("...") in case either the
+# ${catalina.base} path or the ${catalina.home} path contains a comma.
+# Because double quotes are used for quoting, the double quote character
+# may not appear in a path.
+#
+# PKI: added ${catalina.base}/common/lib/*.jar
+common.loader="${catalina.base}/common/lib/*.jar","${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar"
#
# List of comma-separated paths defining the contents of the "server"
@@ -63,6 +71,11 @@ common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/l
# "foo/*.jar": Add all the JARs of the specified folder as class
# repositories
# "foo/bar.jar": Add bar.jar as a class repository
+#
+# Note: Values may be enclosed in double quotes ("...") in case either the
+# ${catalina.base} path or the ${catalina.home} path contains a comma.
+# Because double quotes are used for quoting, the double quote character
+# may not appear in a path.
server.loader=
-# List of JAR files that should not be scanned for configuration information
-# such as web fragments, TLD files etc. It must be a comma separated list of
-# JAR file names.
+# Default list of JAR files that should not be scanned using the JarScanner
+# functionality. This is typically used to scan JARs for configuration
+# information. JARs that do not contain such information may be excluded from
+# the scan to speed up the scanning process. This is the default list. JARs on
+# this list are excluded from all scans. The list must be a comma separated list
+# of JAR file names.
+# The list of JARs to skip may be over-ridden at a Context level for individual
+# scan types by configuring a JarScanner with a nested JarScanFilter.
# The JARs listed below include:
# - Tomcat Bootstrap JARs
# - Tomcat API JARs
@@ -89,39 +112,52 @@ shared.loader=
# - Jasper JARs
# - Tomcat JARs
# - Common non-Tomcat JARs
-# - Sun JDK JARs
-# - Apple JDK JARs
-tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+# - Test JARs (JUnit, Cobertura and dependencies)
+tomcat.util.scan.StandardJarScanFilter.jarsToSkip=\
bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
-annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
-catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
+jaspic-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-storeconfig.jar,\
+catalina-tribes.jar,\
jasper.jar,jasper-el.jar,ecj-*.jar,\
-tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-util-scan.jar,tomcat-coyote.jar,\
+tomcat-dbcp.jar,tomcat-jni.jar,tomcat-websocket.jar,\
tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
tomcat-jdbc.jar,\
+tools.jar,\
commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
commons-math*.jar,commons-pool*.jar,\
-jstl.jar,\
+jstl.jar,taglibs-standard-spec-*.jar,\
geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
-dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
-sunpkcs11.jar,jhall.jar,tools.jar,\
-sunec.jar,zipfs.jar,\
-apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
-j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
-mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
-junit.jar,junit-*.jar,ant-launcher.jar
+junit.jar,junit-*.jar,hamcrest-*.jar,easymock-*.jar,cglib-*.jar,\
+objenesis-*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Default list of JAR files that should be scanned that overrides the default
+# jarsToSkip list above. This is typically used to include a specific JAR that
+# has been excluded by a broad file name pattern in the jarsToSkip list.
+# The list of JARs to scan may be over-ridden at a Context level for individual
+# scan types by configuring a JarScanner with a nested JarScanFilter.
+tomcat.util.scan.StandardJarScanFilter.jarsToScan=\
+log4j-web*.jar,log4j-taglib*.jar,log4javascript*.jar,slf4j-taglib*.jar
-#
# String cache configuration.
tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000
+# Allow for changes to HTTP request validation
+# WARNING: Using this option will expose the server to CVE-2016-6816
+#tomcat.util.http.parser.HttpParser.requestTargetAllow=|
+
+# PKI: https://pagure.io/dogtagpki/issue/1658
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true