Add TLS support (#243)

* Add TLS support

* Security fix for libsystemd0 systemd systemd-sysv libudev1

cmd/runmqserver/webserver.go

@@ -159,17 +159,17 @@ func configureSSO_TLS() error {
 	if err != nil {
 		return err
 	}
-	log.Debug("Creating self-signed certificate in key store")
-	err = ks.CreateSelfSignedCertificate("default", "CN=IBMMQWeb,O=IBM,OU=Platform,C=GB")
+	log.Debug("Generating PKCS12 file")
+	err = ks.GeneratePKCS12("/mnt/tls/tls.key", "/mnt/tls/tls.crt", "/run/tls/tls.p12", "default", "password")
 	if err != nil {
 		return err
 	}
-	log.Debug("Importing self-signed certificate into trust store")
-	err = ts.Import(ks.Filename, ks.Password)
+	log.Debug("Importing certificate into key store")
+	err = ks.Import("/run/tls/tls.p12", "password")
 	if err != nil {
 		return err
 	}
-	log.Debug("Adding OIDC CA certificate to trust store")
+	log.Debug("Adding OIDC certificate to trust store")
 	err = ts.Add(os.Getenv("MQ_OIDC_CERTIFICATE"), "OIDC")
 	return err
 }

install-mq.sh

@@ -63,7 +63,8 @@ if ($UBUNTU); then
     procps \
     sed \
     tar \
-    util-linux
+    util-linux \
+    openssl
 fi
 
 # Install additional packages required by MQ, this install process and the runtime scripts
@@ -82,7 +83,8 @@ $RHEL && yum -y install \
   procps-ng \
   sed \
   tar \
-  util-linux
+  util-linux \
+  openssl
 
 # Download and extract the MQ installation files
 DIR_EXTRACT=/tmp/mq
@@ -139,7 +141,7 @@ rm -rf ${DIR_EXTRACT}
 
 # Apply any bug fixes not included in base Ubuntu or MQ image.
 # Don't upgrade everything based on Docker best practices https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#run
-$UBUNTU && apt-get install -y libapparmor1 --only-upgrade
+$UBUNTU && apt-get install -y libsystemd0 systemd systemd-sysv libudev1 --only-upgrade
 # End of bug fixes
 
 # Clean up cached files

internal/keystore/keystore.go

@@ -125,6 +125,15 @@ func (ks *KeyStore) CreateStash(log *logger.Logger) error {
 	return nil
 }
 
+// GeneratePKCS12 generates a PKCS12 file
+func (ks *KeyStore) GeneratePKCS12(keyFile, crtFile, pkcs12File, label, password string) error {
+	out, _, err := command.Run("openssl", "pkcs12", "-export", "-inkey", keyFile, "-in", crtFile, "-out", pkcs12File, "-name", label, "-passout", "pass:"+password)
+	if err != nil {
+		return fmt.Errorf("error running \"openssl pkcs12 -export\": %v %s", err, out)
+	}
+	return nil
+}
+
 // Import imports a certificate file in the keystore
 func (ks *KeyStore) Import(inputFile, password string) error {
 	out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)

mq-advanced-server-rhel/mq-buildah.sh

@@ -57,7 +57,8 @@ buildah run $ctr_mq -- yum install -y --setopt install_weak_deps=false --setopt=
   procps-ng \
   sed \
   tar \
-  util-linux
+  util-linux \
+  openssl
 
 # Clean up cached files
 buildah run $ctr_mq -- yum clean all