Add TLS support (#243)

* Add TLS support * Security fix for libsystemd0 systemd systemd-sysv libudev1
2018-11-07 11:47:41 +00:00
parent fd262b173e
commit 350b8318ee
4 changed files with 20 additions and 7 deletions
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -172,17 +172,17 @@ func configureSSO_TLS() error {
 	if err != nil {
 		return err
 	}
-	log.Debug("Creating self-signed certificate in key store")
+	log.Debug("Generating PKCS12 file")
-	err = ks.CreateSelfSignedCertificate("default", "CN=IBMMQWeb,O=IBM,OU=Platform,C=GB")
+	err = ks.GeneratePKCS12("/mnt/tls/tls.key", "/mnt/tls/tls.crt", "/run/tls/tls.p12", "default", "password")
 	if err != nil {
 		return err
 	}
-	log.Debug("Importing self-signed certificate into trust store")
+	log.Debug("Importing certificate into key store")
-	err = ts.Import(ks.Filename, ks.Password)
+	err = ks.Import("/run/tls/tls.p12", "password")
 	if err != nil {
 		return err
 	}
-	log.Debug("Adding OIDC CA certificate to trust store")
+	log.Debug("Adding OIDC certificate to trust store")
 	err = ts.Add(os.Getenv("MQ_OIDC_CERTIFICATE"), "OIDC")
 	return err
 }
--- a/install-mq.sh
+++ b/install-mq.sh
@@ -65,7 +65,8 @@ if ($UBUNTU); then
    procps \
    sed \
    tar \
-    util-linux
+    util-linux \
    openssl
 fi
 # Install additional packages required by MQ, this install process and the runtime scripts
@@ -84,7 +85,8 @@ $RHEL && yum -y install \
  procps-ng \
  sed \
  tar \
-  util-linux
+  util-linux \
  openssl
 # Download and extract the MQ installation files
 DIR_EXTRACT=/tmp/mq
@@ -139,6 +141,7 @@ rm -rf ${DIR_EXTRACT}
 # Apply any bug fixes not included in base Ubuntu or MQ image.
 # Don't upgrade everything based on Docker best practices https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#run
 $UBUNTU && apt-get install -y libapparmor1 libsystemd0 systemd systemd-sysv libudev1 perl-base --only-upgrade
 # End of bug fixes
 # Clean up cached files
--- a/internal/keystore/keystore.go
+++ b/internal/keystore/keystore.go
@@ -141,6 +141,15 @@ func (ks *KeyStore) CreateStash(log *logger.Logger) error {
 	return nil
 }
 // GeneratePKCS12 generates a PKCS12 file
 func (ks *KeyStore) GeneratePKCS12(keyFile, crtFile, pkcs12File, label, password string) error {
 	out, _, err := command.Run("openssl", "pkcs12", "-export", "-inkey", keyFile, "-in", crtFile, "-out", pkcs12File, "-name", label, "-passout", "pass:"+password)
 	if err != nil {
 		return fmt.Errorf("error running \"openssl pkcs12 -export\": %v %s", err, out)
 	}
 	return nil
 }
 // Import imports a certificate file in the keystore
 func (ks *KeyStore) Import(inputFile, password string) error {
 	out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
--- a/mq-advanced-server-rhel/mq-buildah.sh
+++ b/mq-advanced-server-rhel/mq-buildah.sh
@@ -86,6 +86,7 @@ buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install \
  shadow-utils \
  tar \
  util-linux \
  openssl \
  which
 # Install "sudo" if using MQ Advanced for Developers