From 6d69355ab9566ef797cf7319eb7cab67aeb8f902 Mon Sep 17 00:00:00 2001
From: Stephen D Marshall
Date: Thu, 19 Mar 2020 12:26:13 +0000
Subject: [PATCH] Tls fix (#74)

* Fix issue with TLS
---
 cmd/runmqserver/webserver.go | 10 +++++-----
 internal/tls/tls_web.go | 26 +++++++++++++++-----------
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/cmd/runmqserver/webserver.go b/cmd/runmqserver/webserver.go
index 2b249fa..f3b98d6 100644
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2020
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -83,7 +83,7 @@ func startWebServer(webKeystore, webkeystorePW, webTruststoreRef string) error {
 	return nil
 }
 
-func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
+func configureSSO(p12TrustStore tls.KeyStoreData, webKeystore string) (string, error) {
 	// Ensure all required environment variables are set for SSO
 	requiredEnvVars := []string{
 		"MQ_OIDC_CLIENT_ID",
@@ -118,7 +118,7 @@ func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
 	}
 
 	// Configure SSO TLS
-	return tls.ConfigureWebKeystore(p12TrustStore)
+	return tls.ConfigureWebKeystore(p12TrustStore, webKeystore)
 }
 
 func configureWebServer(keyLabel string, p12Truststore tls.KeyStoreData) (string, error) {
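Review bot: The new `webKeystore` parameter added to configureSSO in the hunk at line 83 is forwarded untouched to tls.ConfigureWebKeystore in the hunk at line 118, but nothing at the function says what the value is; only the tls_web.go part of this patch shows that it is a file name joined onto the keystore directory, with "" selecting the default. A doc comment would spare the next reader the cross-file trip: `// configureSSO checks the SSO environment variables and then configures the web keystore named by webKeystore (a file name inside the keystore directory; "" selects the default), returning the name actually used.` The body of configureSSO lies between the two hunks and is not visible here.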
@@ -136,12 +136,12 @@ func configureWebServer(keyLabel string, p12Truststore tls.KeyStoreData) (string
 	// Configure Single-Sign-On for the web server (if enabled)
 	enableSSO := os.Getenv("MQ_BETA_ENABLE_SSO")
 	if enableSSO == "true" || enableSSO == "1" {
-		webKeystore, err = configureSSO(p12Truststore)
+		webKeystore, err = configureSSO(p12Truststore, webKeystore)
 		if err != nil {
 			return "", err
 		}
 	} else if keyLabel == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") != "" {
-		webKeystore, err = tls.ConfigureWebKeystore(p12Truststore)
+		webKeystore, err = tls.ConfigureWebKeystore(p12Truststore, webKeystore)
 		if err != nil {
 			return "", err
 		}
diff --git a/internal/tls/tls_web.go b/internal/tls/tls_web.go
index e281fec..441cb85 100644
--- a/internal/tls/tls_web.go
+++ b/internal/tls/tls_web.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2019
+© Copyright IBM Corporation 2019, 2020
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,8 +24,8 @@ import (
 	"github.com/ibm-messaging/mq-container/internal/keystore"
 )
 
-// webServerKeystoreName is the name of the web server Keystore
-const webServerKeystoreName = "default.p12"
+// webKeystoreDefault is the name of the default web server Keystore
+const webKeystoreDefault = "default.p12"
 
 // ConfigureWebTLS configures TLS for the web server
 func ConfigureWebTLS(keyLabel string) error {
@@ -64,31 +64,35 @@ func ConfigureWebTLS(keyLabel string) error {
 }
 
 // ConfigureWebKeyStore configures the Web Keystore
-func ConfigureWebKeystore(p12Truststore KeyStoreData) (string, error) {
-	webKeystore := filepath.Join(keystoreDir, webServerKeystoreName)
+func ConfigureWebKeystore(p12Truststore KeyStoreData, webKeystore string) (string, error) {
+
+	if webKeystore == "" {
+		webKeystore = webKeystoreDefault
+	}
+	webKeystoreFile := filepath.Join(keystoreDir, webKeystore)
 
 	// Check if a new self-signed certificate should be generated
 	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
 	if genHostName != "" {
 
 		// Create the Web Keystore
-		newWebKeystore := keystore.NewPKCS12KeyStore(webKeystore, p12Truststore.Password)
+		newWebKeystore := keystore.NewPKCS12KeyStore(webKeystoreFile, p12Truststore.Password)
 		err := newWebKeystore.Create()
 		if err != nil {
-			return "", fmt.Errorf("Failed to create Web Keystore %s: %v", webKeystore, err)
+			return "", fmt.Errorf("Failed to create Web Keystore %s: %v", webKeystoreFile, err)
 		}
 
 		// Generate a new self-signed certificate in the Web Keystore
 		err = newWebKeystore.CreateSelfSignedCertificate("default", fmt.Sprintf("CN=%s", genHostName), genHostName)
 		if err != nil {
-			return "", fmt.Errorf("Failed to generate certificate in Web Keystore %s with DN of 'CN=%s': %v", webKeystore, genHostName, err)
+			return "", fmt.Errorf("Failed to generate certificate in Web Keystore %s with DN of 'CN=%s': %v", webKeystoreFile, genHostName, err)
 		}
 	} else {
 		// Check Web Keystore already exists
-		_, err := os.Stat(webKeystore)
+		_, err := os.Stat(webKeystoreFile)
 		if err != nil {
-			return "", fmt.Errorf("Failed to find existing Web Keystore %s: %v", webKeystore, err)
+			return "", fmt.Errorf("Failed to find existing Web Keystore %s: %v", webKeystoreFile, err)
 		}
 	}
 
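Review bot: ConfigureWebKeystore now joins a caller-supplied `webKeystore` straight onto `keystoreDir` with `filepath.Join`, but nothing checks that the value is a bare file name, so a name containing a separator or `..` resolves to a file outside the keystore directory and is then created (genHostName set) or accepted by `os.Stat` (else branch); where the value originates is outside this patch, so I cannot tell how trusted it is. Right after the default is applied and before the Join, reject anything that is not a plain name: `if webKeystore == "." || webKeystore == ".." || webKeystore != filepath.Base(webKeystore) { return "", fmt.Errorf("Invalid Web Keystore name %q", webKeystore) }`. The comment above the signature still says `ConfigureWebKeyStore`, which does not match the function name, and it does not describe the new parameter; suggest `// ConfigureWebKeystore configures the web keystore named webKeystore (a file name inside the keystore directory; "" selects the default) and returns the name used.` The function continues into the next hunk.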
@@ -98,5 +102,5 @@ func ConfigureWebKeystore(p12Truststore KeyStoreData) (string, error) {
 		return "", fmt.Errorf("Failed to find existing Web Truststore %s: %v", p12Truststore.Keystore.Filename, err)
 	}
 
-	return webServerKeystoreName, nil
+	return webKeystore, nil
 }