PR for FIPS implemenation (#351)

* Part 1 of FIPS Compliance

* MQ Web Server FIPSs changes

* Remove function param

* Updates to FIPS MQ WebServer

* Fix build error

* Merge latest code from private-master

* Rename fips variable

* Fix build break

* Fix build break

* Fix build break

* Add new docker tests

* First cut of fips metrics

* First cut of fips metrics

* Second part of metrics fips

* Second part of metrics fips

* Added NativeHA FIPS

* Updated test

* Add Native HA tests

* Optimze FIPS handling

* Update comments

* Apply changes from private-master

* Undo metrics changes

* Merge latest changes

* Pull in changes from master

* Update copyright year

* Resolve merge conflicts

test/docker/devconfig_test.go

@@ -24,6 +24,7 @@ import (
 	"strings"
 	"testing"
 	"time"
+	"crypto/tls"
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -59,10 +60,10 @@ func TestDevGoldenPath(t *testing.T) {
 		runJMSTests(t, cli, id, false, "app", defaultAppPasswordOS, "false", "")
 	})
 	t.Run("REST admin", func(t *testing.T) {
-		testRESTAdmin(t, cli, id, insecureTLSConfig)
+		testRESTAdmin(t, cli, id, insecureTLSConfig, "")
 	})
 	t.Run("REST messaging", func(t *testing.T) {
-		testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "app", defaultAppPasswordWeb)
+		testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "app", defaultAppPasswordWeb, "")
 	})
 	// Stop the container cleanly
 	stopContainer(t, cli, id)
@@ -124,10 +125,10 @@ func TestDevSecure(t *testing.T) {
 		runJMSTests(t, cli, ctr.ID, true, "app", appPassword, "false", "TLS_RSA_WITH_AES_256_CBC_SHA256")
 	})
 	t.Run("REST admin", func(t *testing.T) {
-		testRESTAdmin(t, cli, ctr.ID, insecureTLSConfig)
+		testRESTAdmin(t, cli, ctr.ID, insecureTLSConfig, "")
 	})
 	t.Run("REST messaging", func(t *testing.T) {
-		testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "app", appPassword)
+		testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "app", appPassword, "")
 	})
 
 	// Stop the container cleanly
@@ -343,6 +344,7 @@ func TestSSLKEYRWithCACert(t *testing.T) {
 	// execute runmqsc to display qmgr SSLKEYR and CERTLABL attibutes.
 	// Search the console output for exepcted values
 	_, sslkeyROutput := execContainer(t, cli, ctr.ID, "", []string{"bash", "-c", "echo 'DISPLAY QMGR SSLKEYR CERTLABL' | runmqsc"})
+
 	if !strings.Contains(sslkeyROutput, "SSLKEYR(/run/runmqserver/tls/key)") {
 		// Although queue manager is ready, it may be that MQSC scripts have not been applied yet.
 		// Hence wait for a second and retry few times before giving up.
@@ -371,3 +373,412 @@ func TestSSLKEYRWithCACert(t *testing.T) {
 	// Stop the container cleanly
 	stopContainer(t, cli, ctr.ID)
 }
+
+// Verifies SSLFIPS is set to NO if MQ_ENABLE_FIPS=false
+func TestSSLFIPSNO(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=QM1",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER=false",
+			"MQ_ENABLE_FIPS=false",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDir(t, false) + ":/etc/mqm/pki/keys/default",
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+	startContainer(t, cli, ctr.ID)
+	waitForReady(t, cli, ctr.ID)
+
+	// execute runmqsc to display qmgr SSLKEYR, SSLFIPS and CERTLABL attibutes.
+	// Search the console output for exepcted values
+	_, sslFIPSOutput := execContainer(t, cli, ctr.ID, "", []string{"bash", "-c", "echo 'DISPLAY QMGR SSLKEYR CERTLABL SSLFIPS' | runmqsc"})
+	if !strings.Contains(sslFIPSOutput, "SSLKEYR(/run/runmqserver/tls/key)") {
+		t.Errorf("Expected SSLKEYR to be '/run/runmqserver/tls/key' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+	if !strings.Contains(sslFIPSOutput, "CERTLABL(default)") {
+		t.Errorf("Expected CERTLABL to be 'default' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	if !strings.Contains(sslFIPSOutput, "SSLFIPS(NO)") {
+		t.Errorf("Expected SSLFIPS to be 'NO' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}
+
+// Verifies SSLFIPS is set to YES if certificates for queue manager
+// are supplied and MQ_ENABLE_FIPS=true
+func TestSSLFIPSYES(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	appPassword := "differentPassw0rd"
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_APP_PASSWORD=" + appPassword,
+			"MQ_QMGR_NAME=QM1",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER=false",
+			"MQ_ENABLE_FIPS=true",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDir(t, false) + ":/etc/mqm/pki/keys/default",
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+	startContainer(t, cli, ctr.ID)
+	waitForReady(t, cli, ctr.ID)
+
+	// Check for expected message on container log
+	logs := inspectLogs(t, cli, ctr.ID)
+	if !strings.Contains(logs, "FIPS cryptography is enabled.") {
+		t.Errorf("Expected 'FIPS cryptography is enabled.' but got %v\n", logs)
+	}
+
+	// execute runmqsc to display qmgr SSLKEYR, SSLFIPS and CERTLABL attibutes.
+	// Search the console output for exepcted values
+	_, sslFIPSOutput := execContainer(t, cli, ctr.ID, "", []string{"bash", "-c", "echo 'DISPLAY QMGR SSLKEYR CERTLABL SSLFIPS' | runmqsc"})
+	if !strings.Contains(sslFIPSOutput, "SSLKEYR(/run/runmqserver/tls/key)") {
+		t.Errorf("Expected SSLKEYR to be '/run/runmqserver/tls/key' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+	if !strings.Contains(sslFIPSOutput, "CERTLABL(default)") {
+		t.Errorf("Expected CERTLABL to be 'default' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	if !strings.Contains(sslFIPSOutput, "SSLFIPS(YES)") {
+		t.Errorf("Expected SSLFIPS to be 'YES' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	t.Run("JMS", func(t *testing.T) {
+		// Run the JMS tests, with no password specified
+		runJMSTests(t, cli, ctr.ID, true, "app", appPassword, "false", "TLS_RSA_WITH_AES_256_CBC_SHA256")
+	})
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}
+
+// TestDevSecureFIPSYESWeb verifies if the MQ Web Server is running in FIPS mode
+func TestDevSecureFIPSTrueWeb(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	const tlsPassPhrase string = "passw0rd"
+	qm := "qm1"
+	appPassword := "differentPassw0rd"
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=" + qm,
+			"MQ_APP_PASSWORD=" + appPassword,
+			"DEBUG=1",
+			"WLP_LOGGING_MESSAGE_FORMAT=JSON",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER_LOG=true",
+			"MQ_ENABLE_FIPS=true",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDir(t, false) + ":/etc/mqm/pki/keys/default",
+			tlsDir(t, false) + ":/etc/mqm/pki/trust/default",
+		},
+		// Assign a random port for the web server on the host
+		// TODO: Don't do this for all tests
+		PortBindings: nat.PortMap{
+			"9443/tcp": []nat.PortBinding{
+				{
+					HostIP: "0.0.0.0",
+				},
+			},
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+
+	startContainer(t, cli, ctr.ID)
+	waitForReady(t, cli, ctr.ID)
+	cert := filepath.Join(tlsDir(t, true), "server.crt")
+	waitForWebReady(t, cli, ctr.ID, createTLSConfig(t, cert, tlsPassPhrase))
+
+	// Create a TLS Config with a cipher to use when connecting over HTTPS
+	var secureTLSConfig *tls.Config = createTLSConfigWithCipher(t, cert, tlsPassPhrase, []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384})
+	// Put a message to queue
+	t.Run("REST messaging", func(t *testing.T) {
+		testRESTMessaging(t, cli, ctr.ID, secureTLSConfig, qm, "app", appPassword, "")
+	})
+
+	// Create a TLS Config with a non-FIPS cipher to use when connecting over HTTPS
+	var secureNonFIPSCipherConfig *tls.Config = createTLSConfigWithCipher(t, cert, tlsPassPhrase, []uint16{tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA})
+	// Put a message to queue - the attempt to put message will fail with a EOF return message.
+	t.Run("REST messaging", func(t *testing.T) {
+		testRESTMessaging(t, cli, ctr.ID, secureNonFIPSCipherConfig, qm, "app", appPassword, "EOF")
+	})
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}
+
+// TestDevSecureNOFIPSWeb verifies if the MQ Web Server is not running in FIPS mode
+func TestDevSecureFalseFIPSWeb(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	const tlsPassPhrase string = "passw0rd"
+	qm := "qm1"
+	appPassword := "differentPassw0rd"
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=" + qm,
+			"MQ_APP_PASSWORD=" + appPassword,
+			"DEBUG=1",
+			"WLP_LOGGING_MESSAGE_FORMAT=JSON",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER_LOG=true",
+			"MQ_ENABLE_FIPS=false",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDir(t, false) + ":/etc/mqm/pki/keys/default",
+			tlsDir(t, false) + ":/etc/mqm/pki/trust/default",
+		},
+		// Assign a random port for the web server on the host
+		PortBindings: nat.PortMap{
+			"9443/tcp": []nat.PortBinding{
+				{
+					HostIP: "0.0.0.0",
+				},
+			},
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+	startContainer(t, cli, ctr.ID)
+	waitForReady(t, cli, ctr.ID)
+
+	cert := filepath.Join(tlsDir(t, true), "server.crt")
+	waitForWebReady(t, cli, ctr.ID, createTLSConfig(t, cert, tlsPassPhrase))
+
+	// As FIPS is not enabled, the MQ WebServer (actually Java) will choose a JSSE provider from the list
+	// specified in java.security file. We will need to enable java.net.debug and then parse the web server
+	// logs to check what JJSE provider is being used. Hence just check the jvm.options file does not contain
+	// -Dcom.ibm.jsse2.usefipsprovider line.
+	_, jvmOptionsOutput := execContainer(t, cli, ctr.ID, "", []string{"bash", "-c", "cat /var/mqm/web/installations/Installation1/servers/mqweb/configDropins/defaults/jvm.options"})
+	if strings.Contains(jvmOptionsOutput, "-Dcom.ibm.jsse2.usefipsprovider") {
+		t.Errorf("Did not expect -Dcom.ibm.jsse2.usefipsprovider but it is not; got \"%v\"", jvmOptionsOutput)
+	}
+
+	// Just do a HTTPS GET as well to query installation details.
+	var secureTLSConfig *tls.Config = createTLSConfigWithCipher(t, cert, tlsPassPhrase, []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384})
+	t.Run("REST admin", func(t *testing.T) {
+		testRESTAdmin(t, cli, ctr.ID, secureTLSConfig, "")
+	})
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}
+
+// Verify SSLFIPS is set to NO if no certificates were supplied
+func TestSSLFIPSTrueNoCerts(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	appPassword := "differentPassw0rd"
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_APP_PASSWORD=" + appPassword,
+			"MQ_QMGR_NAME=QM1",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER=false",
+			"MQ_ENABLE_FIPS=true",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+	startContainer(t, cli, ctr.ID)
+	waitForReady(t, cli, ctr.ID)
+
+	// execute runmqsc to display qmgr SSLKEYR, SSLFIPS and CERTLABL attibutes.
+	// Search the console output for exepcted values
+	_, sslFIPSOutput := execContainer(t, cli, ctr.ID, "", []string{"bash", "-c", "echo 'DISPLAY QMGR SSLKEYR CERTLABL SSLFIPS' | runmqsc"})
+	if !strings.Contains(sslFIPSOutput, "SSLKEYR( )") {
+		t.Errorf("Expected SSLKEYR to be ' ' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+	if !strings.Contains(sslFIPSOutput, "CERTLABL( )") {
+		t.Errorf("Expected CERTLABL to be blank but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	if !strings.Contains(sslFIPSOutput, "SSLFIPS(NO)") {
+		t.Errorf("Expected SSLFIPS to be 'NO' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}
+
+// Verifies SSLFIPS is set to NO if MQ_ENABLE_FIPS=tru (invalid value)
+func TestSSLFIPSInvalidValue(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=QM1",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER=false",
+			"MQ_ENABLE_FIPS=tru",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDir(t, false) + ":/etc/mqm/pki/keys/default",
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+	startContainer(t, cli, ctr.ID)
+	waitForReady(t, cli, ctr.ID)
+
+	// execute runmqsc to display qmgr SSLKEYR, SSLFIPS and CERTLABL attibutes.
+	// Search the console output for exepcted values
+	_, sslFIPSOutput := execContainer(t, cli, ctr.ID, "", []string{"bash", "-c", "echo 'DISPLAY QMGR SSLKEYR CERTLABL SSLFIPS' | runmqsc"})
+	if !strings.Contains(sslFIPSOutput, "SSLKEYR(/run/runmqserver/tls/key)") {
+		t.Errorf("Expected SSLKEYR to be '/run/runmqserver/tls/key' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	if !strings.Contains(sslFIPSOutput, "CERTLABL(default)") {
+		t.Errorf("Expected CERTLABL to be 'default' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	if !strings.Contains(sslFIPSOutput, "SSLFIPS(NO)") {
+		t.Errorf("Expected SSLFIPS to be 'NO' but it is not; got \"%v\"", sslFIPSOutput)
+	}
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}
+
+// Container creation fails when invalid certs are passed and MQ_ENABLE_FIPS set true
+func TestSSLFIPSBadCerts(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	containerConfig := container.Config{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=QM1",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER=false",
+			"MQ_ENABLE_FIPS=true",
+		},
+		Image: imageName(),
+	}
+	hostConfig := container.HostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDirInvalid(t, false) + ":/etc/mqm/pki/keys/default",
+		},
+	}
+	networkingConfig := network.NetworkingConfig{}
+	ctr, err := cli.ContainerCreate(context.Background(), &containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctr.ID)
+	startContainer(t, cli, ctr.ID)
+
+	rc := waitForContainer(t, cli, ctr.ID, 20*time.Second)
+	// Expect return code 1 if container failed to create.
+	if rc == 1 {
+		// Get container logs and search for specific message.
+		logs := inspectLogs(t, cli, ctr.ID)
+		if strings.Contains(logs, "Failed to parse private key") {
+			t.Logf("Container creating failed because of invalid certifates")
+		}
+	} else {
+		// Some other error occurred.
+		t.Errorf("Expected rc=0, got rc=%v", rc)
+	}
+
+	// Stop the container cleanly
+	stopContainer(t, cli, ctr.ID)
+}

test/docker/devconfig_test_util.go

@@ -86,6 +86,10 @@ func tlsDirWithCA(t *testing.T, unixPath bool) string {
 	return filepath.Join(getCwd(t, unixPath), "../tlscacert")
 }
 
+func tlsDirInvalid(t *testing.T, unixPath bool) string {
+	return filepath.Join(getCwd(t, unixPath), "../tlsinvalidcert")
+}
+
 // runJMSTests runs a container with a JMS client, which connects to the queue manager container with the specified ID
 func runJMSTests(t *testing.T, cli *client.Client, ID string, tls bool, user, password string, ibmjre string, cipherName string) {
 	containerConfig := container.Config{
@@ -201,7 +205,7 @@ func createTLSConfig(t *testing.T, certFile, password string) *tls.Config {
 	}
 }
 
-func testRESTAdmin(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.Config) {
+func testRESTAdmin(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.Config, errorExpected string) {
 	httpClient := http.Client{
 		Timeout: time.Duration(30 * time.Second),
 		Transport: &http.Transport{
@@ -213,9 +217,15 @@ func testRESTAdmin(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.C
 	req.SetBasicAuth("admin", defaultAdminPassword)
 	resp, err := httpClient.Do(req)
 	if err != nil {
-		t.Fatal(err)
+		if len(errorExpected) > 0 {
+			if !strings.Contains(err.Error(), errorExpected) {
+				t.Fatal(err)
+			}
+		} else {
+			t.Fatal(err)
+		}
 	}
-	if resp.StatusCode != http.StatusOK {
+	if resp != nil && resp.StatusCode != http.StatusOK {
 		t.Errorf("Expected HTTP status code %v from 'GET installation'; got %v", http.StatusOK, resp.StatusCode)
 	}
 }
@@ -238,7 +248,7 @@ func logHTTPResponse(t *testing.T, resp *http.Response) {
 	t.Logf("HTTP response: %v", string(d))
 }
 
-func testRESTMessaging(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.Config, qmName string, user string, password string) {
+func testRESTMessaging(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.Config, qmName string, user string, password string, errorExpected string) {
 	httpClient := http.Client{
 		Timeout: time.Duration(30 * time.Second),
 		Transport: &http.Transport{
@@ -255,10 +265,19 @@ func testRESTMessaging(t *testing.T, cli *client.Client, ID string, tlsConfig *t
 	logHTTPRequest(t, req)
 	resp, err := httpClient.Do(req)
 	if err != nil {
-		t.Fatal(err)
+		if len(errorExpected) > 0 {
+			if strings.Contains(err.Error(), errorExpected) {
+				t.Logf("Error contains expected '%s' value", errorExpected)
+				return
+			} else {
+				t.Fatal(err)
+			}
+		} else {
+			t.Fatal(err)
+		}
 	}
 	logHTTPResponse(t, resp)
-	if resp.StatusCode != http.StatusCreated {
+	if resp != nil && resp.StatusCode != http.StatusCreated {
 		t.Errorf("Expected HTTP status code %v from 'POST to queue'; got %v", http.StatusOK, resp.StatusCode)
 		t.Logf("HTTP response: %+v", resp)
 		t.Fail()
@@ -286,3 +305,28 @@ func testRESTMessaging(t *testing.T, cli *client.Client, ID string, tlsConfig *t
 		t.Errorf("Expected payload to be \"%s\"; got \"%s\"", putMessage, gotMessage)
 	}
 }
+
+// createTLSConfig creates a tls.Config which trusts the specified certificate
+func createTLSConfigWithCipher(t *testing.T, certFile, password string, ciphers []uint16) *tls.Config {
+	// Get the SystemCertPool, continue with an empty pool on error
+	certs, err := x509.SystemCertPool()
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Read in the cert file
+	cert, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Append our cert to the system pool
+	ok := certs.AppendCertsFromPEM(cert)
+	if !ok {
+		t.Fatal("No certs appended")
+	}
+	// Trust the augmented cert pool in our client
+	return &tls.Config{
+		InsecureSkipVerify: false,
+		RootCAs:            certs,
+		CipherSuites:       ciphers,
+	}
+}

test/docker/docker_api_test.go

@@ -52,8 +52,8 @@ func TestLicenseNotSet(t *testing.T) {
 	expectTerminationMessage(t, cli, id)
 }
 
-//Start container with LICENSE environment variable set to view.
-//Check that container starts and display license text
+// Start container with LICENSE environment variable set to view.
+// Check that container starts and display license text
 func TestLicenseView(t *testing.T) {
 	t.Parallel()
 
@@ -77,8 +77,8 @@ func TestLicenseView(t *testing.T) {
 	}
 }
 
-//Start a container with qm grace set to x seconds
-//Check that when the container is stopped that the command endmqm has option -tp and x
+// Start a container with qm grace set to x seconds
+// Check that when the container is stopped that the command endmqm has option -tp and x
 func TestEndMQMOpts(t *testing.T) {
 	t.Parallel()
 	cli, err := client.NewClientWithOpts(client.FromEnv)
@@ -134,7 +134,6 @@ func goldenPath(t *testing.T, metric bool) {
 	stopContainer(t, cli, id)
 }
 
-
 func utilTestNoQueueManagerName(t *testing.T, hostName string, expectedName string) {
 	search := "QMNAME(" + expectedName + ")"
 	cli, err := client.NewClientWithOpts(client.FromEnv)

test/docker/docker_api_test_util.go

@@ -889,3 +889,42 @@ func getMQVersion(t *testing.T, cli *client.Client) (string, error) {
 	version := inspect.ContainerConfig.Labels["version"]
 	return version, nil
 }
+
+// runContainerWithAllConfig creates and starts a container, using the supplied ContainerConfig, HostConfig,
+// NetworkingConfig, and container name (or the value of t.Name if containerName="").
+func runContainerWithAllConfigError(t *testing.T, cli *client.Client, containerConfig *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (string, error) {
+	if containerName == "" {
+		containerName = t.Name()
+	}
+	if containerConfig.Image == "" {
+		containerConfig.Image = imageName()
+	}
+	// Always run as a random user, unless the test has specified otherwise
+	if containerConfig.User == "" {
+		containerConfig.User = generateRandomUID()
+	}
+	// if coverage
+	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
+	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+	t.Logf("Running container (%s)", containerConfig.Image)
+	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, networkingConfig, containerName)
+	if err != nil {
+		return "", err
+	}
+	err = startContainerError(t, cli, ctr.ID)
+	if err != nil {
+		return "", err
+	}
+	return ctr.ID, nil
+}
+
+func startContainerError(t *testing.T, cli *client.Client, ID string) error {
+	t.Logf("Starting container: %v", ID)
+	startOptions := types.ContainerStartOptions{}
+	err := cli.ContainerStart(context.Background(), ID, startOptions)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

test/docker/mq_native_ha_test.go

@@ -16,9 +16,9 @@ limitations under the License.
 package main
 
 import (
-	"testing"
-
 	"github.com/docker/docker/client"
+	"strings"
+	"testing"
 )
 
 // TestNativeHABasic creates 3 containers in a Native HA queue manager configuration
@@ -217,3 +217,96 @@ func TestNativeHASecureCipherSpec(t *testing.T) {
 	}
 
 }
+
+// TestNativeHASecure creates 3 containers in a Native HA queue manager configuration
+// with HA TLS FIPS enabled, overrides the default CipherSpec, and ensures the queue manger
+// and replicas start as expected. This test uses FIPS compliant cipher.
+func TestNativeHASecureCipherSpecFIPS(t *testing.T) {
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	version, err := getMQVersion(t, cli)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version < "9.2.2.0" {
+		t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
+	}
+
+	containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
+	qmReplicaIDs := [3]string{}
+	qmNetwork, err := createBridgeNetwork(cli, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer removeBridgeNetwork(cli, qmNetwork.ID)
+
+	for i := 0; i <= 2; i++ {
+		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
+		// MQ_NATIVE_HA_CIPHERSPEC is set a FIPS compliant cipherspec.
+		containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=TLS_RSA_WITH_AES_128_GCM_SHA256", "MQ_ENABLE_FIPS=true")
+		hostConfig := getNativeHASecureHostConfig(t)
+		networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
+
+		ctr := runContainerWithAllConfig(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
+		defer cleanContainer(t, cli, ctr)
+		qmReplicaIDs[i] = ctr
+	}
+
+	waitForReadyHA(t, cli, qmReplicaIDs)
+	// Display the contents of qm.ini
+	_, qmini := execContainer(t, cli, qmReplicaIDs[0], "", []string{"cat", "/var/mqm/qmgrs/QM1/qm.ini"})
+	if !strings.Contains(qmini, "SSLFipsRequired=Yes") {
+		t.Errorf("Expected SSLFipsRequired=Yes but it is not; got \"%v\"", qmini)
+	}
+
+	_, err = getActiveReplicaInstances(t, cli, qmReplicaIDs)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestNativeHASecure creates 3 containers in a Native HA queue manager configuration
+// with HA TLS FIPS enabled with non-FIPS cipher, overrides the default CipherSpec, and
+// ensures the queue manger and replicas don't start as expected
+func TestNativeHASecureCipherSpecNonFIPSCipher(t *testing.T) {
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	version, err := getMQVersion(t, cli)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if version < "9.2.2.0" {
+		t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
+	}
+
+	containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
+	qmReplicaIDs := [3]string{}
+	qmNetwork, err := createBridgeNetwork(cli, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer removeBridgeNetwork(cli, qmNetwork.ID)
+
+	for i := 0; i <= 2; i++ {
+		containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
+		// MQ_NATIVE_HA_CIPHERSPEC is set a FIPS non-compliant cipherspec - SSL_ECDHE_ECDSA_WITH_RC4_128_SHA
+		containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=TLS_RSA_WITH_AES_128_GCM_SHA256", "MQ_ENABLE_FIPS=true")
+		hostConfig := getNativeHASecureHostConfig(t)
+		networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
+
+		ctr, err := runContainerWithAllConfigError(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
+		defer cleanContainer(t, cli, ctr)
+		// We expect container to fail in this case because the cipher is non-FIPS and we have asked for FIPS compliance
+		// by setting MQ_ENABLE_FIPS=true
+		if err == nil {
+			t.Logf("Container start expected to fail but did not. %v", err)
+		}
+		qmReplicaIDs[i] = ctr
+	}
+}

test/docker/mq_native_ha_test_util.go

@@ -106,7 +106,7 @@ func getActiveReplicaInstances(t *testing.T, cli *client.Client, qmReplicaIDs [3
 
 func waitForReadyHA(t *testing.T, cli *client.Client, qmReplicaIDs [3]string) {
 
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	ctx, cancel := context.WithTimeout(context.Background(), 4*time.Minute)
 	defer cancel()
 
 	for {