PR for FIPS implemenation (#351)

* Part 1 of FIPS Compliance * MQ Web Server FIPSs changes * Remove function param * Updates to FIPS MQ WebServer * Fix build error * Merge latest code from private-master * Rename fips variable * Fix build break * Fix build break * Fix build break * Add new docker tests * First cut of fips metrics * First cut of fips metrics * Second part of metrics fips * Second part of metrics fips * Added NativeHA FIPS * Updated test * Add Native HA tests * Optimze FIPS handling * Update comments * Apply changes from private-master * Undo metrics changes * Merge latest changes * Pull in changes from master * Update copyright year * Resolve merge conflicts
2022-12-17 10:09:41 +05:30
parent 1ead807326
commit 794d1ed2b2
24 changed files with 956 additions and 39 deletions
--- a/cmd/runmqserver/main.go
+++ b/cmd/runmqserver/main.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2021
+© Copyright IBM Corporation 2017, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import (
 	"os"
 	"sync"

+	"github.com/ibm-messaging/mq-container/internal/fips"
 	"github.com/ibm-messaging/mq-container/internal/ha"
 	"github.com/ibm-messaging/mq-container/internal/metrics"
 	"github.com/ibm-messaging/mq-container/internal/ready"
@@ -144,6 +145,9 @@ func doMain() error {
 	// Print out versioning information
 	logVersionInfo()

+	// Determine FIPS compliance level
+	fips.ProcessFIPSType(log)
+
 	keyLabel, defaultCmsKeystore, defaultP12Truststore, err := tls.ConfigureDefaultTLSKeystores()
 	if err != nil {
 		logTermination(err)
@@ -170,6 +174,14 @@ func doMain() error {
 		}
 	}

+	// Log a message on the console to indicate FIPS certified
+	// cryptography being used.
+	if fips.IsFIPSEnabled() {
+		log.Println("FIPS cryptography is enabled.")
+	} else {
+		log.Println("FIPS cryptography is not enabled.")
+	}
+
 	enableTraceCrtmqm := os.Getenv("MQ_ENABLE_TRACE_CRTMQM")
 	if enableTraceCrtmqm == "true" || enableTraceCrtmqm == "1" {
 		err = startMQTrace()
--- a/cmd/runmqserver/post_init.go
+++ b/cmd/runmqserver/post_init.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ package main
 import (
 	"os"

+	"github.com/ibm-messaging/mq-container/internal/fips"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 )

@@ -35,6 +36,15 @@ func postInit(name, keyLabel string, p12Truststore tls.KeyStoreData) error {
 		if len(p12Truststore.TrustedCerts) == 0 {
 			webTruststoreRef = "MQWebKeyStore"
 		}
+
+		// Enable FIPS for MQ Web Server if asked for.
+		if fips.IsFIPSEnabled() {
+			err = configureFIPSWebServer(p12Truststore)
+			if err != nil {
+				return err
+			}
+		}
+
 		// Start the web server, in the background (if installed)
 		// WARNING: No error handling or health checking available for the web server
 		go func() {
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2020
+© Copyright IBM Corporation 2018, 2022

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -197,3 +197,25 @@ func configureWebServer(keyLabel string, p12Truststore tls.KeyStoreData) (string

 	return webKeystore, err
 }
+
+// Configure FIPS mode for MQ Web Server
+func configureFIPSWebServer(p12TrustStore tls.KeyStoreData) error {
+	var errOut error
+	// Need to update jvm.options file of MQ Web Server. We don't update the jvm.options file
+	// in /var/mqm/web/installations/Installation1/servers/mqweb directory. Instead we update
+	// the one in /var/mqm/web/installations/Installation1/servers/mqweb/configDropins/defaults.
+	// During runtime MQ Web Server merges the data from two files.
+	mqwebJvmOptsDir := "/var/mqm/web/installations/Installation1/servers/mqweb/configDropins/defaults"
+	_, errOut = os.Stat(mqwebJvmOptsDir)
+	if errOut == nil {
+		// Update the jvm.options file using the data from template file. Tell the MQ Web Server
+		// use a FIPS provider by setting "-Dcom.ibm.jsse2.usefipsprovider=true" and then tell it
+		// use a specific FIPS provider by setting "Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS".
+		errOut = mqtemplate.ProcessTemplateFile(mqwebJvmOptsDir+"/jvm.options.tpl",
+			mqwebJvmOptsDir+"/jvm.options", map[string]string{
+				"FipsProvider":     "true",
+				"FipsProviderName": "IBMJCEPlusFIPS",
+			}, log)
+	}
+	return errOut
+}