From 2e453f2257fa7132fe0fbbb88b6f507e50817feb Mon Sep 17 00:00:00 2001
From: Stephen Marshall
Date: Tue, 3 Dec 2019 11:49:10 +0000
Subject: [PATCH] Fix web certificate for dev image

---
 Dockerfile-server | 2 +-
 cmd/runmqserver/post_init.go | 7 ++++++-
 cmd/runmqserver/tls.go | 6 +++---
 cmd/runmqserver/webserver.go | 9 +++++++--
 internal/tls/tls.go | 4 ++--
 .../Installation1/servers/mqweb/tls.xml.tpl | 4 ++--
 6 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/Dockerfile-server b/Dockerfile-server
index ef3879b..898cba9 100644
--- a/Dockerfile-server
+++ b/Dockerfile-server
@@ -149,6 +149,6 @@ COPY incubating/mqadvanced-server-dev/web /etc/mqm/web
 RUN chown -R mqm:mqm /etc/mqm/* \
 && chmod +x /usr/local/bin/runmq* \
 && install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver
-ENV MQ_ENABLE_EMBEDDED_WEB_SERVER=1
+ENV MQ_ENABLE_EMBEDDED_WEB_SERVER=1 MQ_GENERATE_CERTIFICATE_HOSTNAME=localhost
 USER $MQM_UID
 ENTRYPOINT ["runmqdevserver"]
diff --git a/cmd/runmqserver/post_init.go b/cmd/runmqserver/post_init.go
index 61713f7..aa4b119 100644
--- a/cmd/runmqserver/post_init.go
+++ b/cmd/runmqserver/post_init.go
@@ -30,10 +30,15 @@ func postInit(name, keylabel string, p12Trust tls.KeyStoreData) error {
 if err != nil {
 return err
 }
+ // If trust-store is empty, set reference to point to the key-store
+ p12TrustStoreRef := "MQWebTrustStore"
+ if len(p12Trust.TrustedCerts) == 0 {
+ p12TrustStoreRef = "MQWebKeyStore"
+ }
 // Start the web server, in the background (if installed)
 // WARNING: No error handling or health checking available for the web server
 go func() {
- err = startWebServer(keystore, p12Trust.Password)
+ err = startWebServer(keystore, p12Trust.Password, p12TrustStoreRef)
 if err != nil {
 log.Printf("Error starting web server: %v", err)
 }
diff --git a/cmd/runmqserver/tls.go b/cmd/runmqserver/tls.go
index b129127..6c68ba3 100644
--- a/cmd/runmqserver/tls.go
+++ b/cmd/runmqserver/tls.go
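Review bot: In cmd/runmqserver/post_init.go the goroutine still assigns to postInit's own `err` (`err = startWebServer(keystore, p12Trust.Password, p12TrustStoreRef)`), so the background call writes a variable that belongs to the enclosing function. If postInit reads or returns `err` after launching the goroutine (the rest of the body is outside the hunk), that is a data race. Scoping the result locally with `if err := startWebServer(keystore, p12Trust.Password, p12TrustStoreRef); err != nil {` removes the sharing. The fallback to `MQWebKeyStore` when `p12Trust.TrustedCerts` is empty is also silent, so a line such as `log.Printf("Trust store is empty; using the key store as the web server trust store")` inside that `if` would record which store the console ends up trusting.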
@@ -118,11 +118,11 @@ func configureTLS(certLabel string, cmsKeystore tls.KeyStoreData, devmode bool)
 return nil
 }
 
-// configureSSOTLS configures MQ Console TLS for Single Sign-On
-func configureSSOTLS(p12TrustStore tls.KeyStoreData) (string, error) {
+// configureWebKeyStore configures the key stores for the web console
+func configureWebKeyStore(p12TrustStore tls.KeyStoreData) (string, error) {
 // TODO find way to supply this
 // Override the webstore variables to hard coded defaults
- webKeyStoreName := tls.IntegrationDefaultLabel + ".p12"
+ webKeyStoreName := tls.WebDefaultLabel + ".p12"
 
 // Check keystore exists
 ks := filepath.Join(keyStoreDir, webKeyStoreName)
diff --git a/cmd/runmqserver/webserver.go b/cmd/runmqserver/webserver.go
index 060a35b..c0a66ad 100644
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -31,7 +31,7 @@ import (
 "github.com/ibm-messaging/mq-container/internal/tls"
 )
 
-func startWebServer(keystore, keystorepw string) error {
+func startWebServer(keystore, keystorepw, p12TrustStoreRef string) error {
 _, err := os.Stat("/opt/mqm/bin/strmqweb")
 if err != nil && os.IsNotExist(err) {
 log.Debug("Skipping web server, because it's not installed")
@@ -53,6 +53,7 @@ func startWebServer(keystore, keystorepw string) error {
 if keystore != "" {
 cmd.Env = append(cmd.Env, "AMQ_WEBKEYSTORE="+keystore)
 cmd.Env = append(cmd.Env, "AMQ_WEBKEYSTOREPW="+keystorepw)
+ cmd.Env = append(cmd.Env, "AMQ_WEBTRUSTSTOREREF="+p12TrustStoreRef)
 }
 
 uid, gid, err := command.LookupMQM()
@@ -117,11 +118,12 @@ func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
 }
 
 // Configure SSO TLS
- return configureSSOTLS(p12TrustStore)
+ return configureWebKeyStore(p12TrustStore)
 }
 
 func configureWebServer(keyLabel string, p12Trust tls.KeyStoreData) (string, error) {
 var keystore string
+
 // Configure TLS for Web Console first if we have a certificate to use
 err := configureWebTLS(keyLabel)
 if err != nil {
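Review bot: `startWebServer` in cmd/runmqserver/webserver.go now takes three consecutive string parameters and has no doc comment, so a swapped argument at a call site compiles without complaint. A comment such as `// startWebServer starts the MQ web server if it is installed; p12TrustStoreRef is the key store id passed to the process as AMQ_WEBTRUSTSTOREREF.` would state what each value is for. The two ids chosen in post_init.go (`MQWebTrustStore`, `MQWebKeyStore`) would also read better as named constants than as string literals. The function body continues outside the hunk.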
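Review bot: `AMQ_WEBTRUSTSTOREREF` is appended only inside `if keystore != "" {` in startWebServer, so the variable is unset whenever no key store is configured. The tls.xml.tpl hunk of this patch is not readable here; if the template now takes its trust store id from this variable, an unset value would leave that reference unresolved. Either confirm the template is only used when a key store is present, or move `cmd.Env = append(cmd.Env, "AMQ_WEBTRUSTSTOREREF="+p12TrustStoreRef)` out of the `if` so the reference is always defined.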
@@ -138,7 +140,10 @@ func configureWebServer(keyLabel string, p12Trust tls.KeyStoreData) (string, err
 if err != nil {
 return keystore, err
 }
+ } else if keyLabel == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") != "" {
+ keystore, err = configureWebKeyStore(p12Trust)
 }
+
 _, err = os.Stat("/opt/mqm/bin/strmqweb")
 if err != nil {
 if os.IsNotExist(err) {
diff --git a/internal/tls/tls.go b/internal/tls/tls.go
index 1f96f4b..fb2e535 100644
--- a/internal/tls/tls.go
+++ b/internal/tls/tls.go
@@ -35,8 +35,8 @@ import (
 pkcs "software.sslmate.com/src/go-pkcs12"
 )
 
-// IntegrationDefaultLabel is the default certificate label used by Cloud Integration Platform
-const IntegrationDefaultLabel = "default"
+// WebDefaultLabel is the default certificate label for the web console
+const WebDefaultLabel = "default"
 
 // P12TrustStoreName is the name of the PKCS#12 truststore used by the webconsole
 const P12TrustStoreName = "trust.p12"
diff --git a/web/installations/Installation1/servers/mqweb/tls.xml.tpl b/web/installations/Installation1/servers/mqweb/tls.xml.tpl
index dd9b7cb..2964f9a 100644
--- a/web/installations/Installation1/servers/mqweb/tls.xml.tpl
+++ b/web/installations/Installation1/servers/mqweb/tls.xml.tpl
@@ -2,6 +2,6 @@ - + - \ No newline at end of file +
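Review bot: The error returned by `configureWebKeyStore(p12Trust)` in the new `else if` branch of configureWebServer (cmd/runmqserver/webserver.go) is never checked, because the next statement, `_, err = os.Stat("/opt/mqm/bin/strmqweb")`, overwrites it. A failed key store setup would then go unreported, and since startWebServer skips the AMQ_WEBKEYSTORE variables when `keystore` is empty, the console would presumably come up without the generated certificate and nothing would say why. Adding the guard the first branch already uses, `if err != nil { return keystore, err }`, directly after the call keeps the failure visible. The function body continues outside the hunk.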