PR for FIPS implemenation (#351)
* Part 1 of FIPS Compliance * MQ Web Server FIPSs changes * Remove function param * Updates to FIPS MQ WebServer * Fix build error * Merge latest code from private-master * Rename fips variable * Fix build break * Fix build break * Fix build break * Add new docker tests * First cut of fips metrics * First cut of fips metrics * Second part of metrics fips * Second part of metrics fips * Added NativeHA FIPS * Updated test * Add Native HA tests * Optimze FIPS handling * Update comments * Apply changes from private-master * Undo metrics changes * Merge latest changes * Pull in changes from master * Update copyright year * Resolve merge conflicts
This commit is contained in:
SHASHIKANTH THAMBRAHALLI
committed by
GitHub Enterprise
GitHub Enterprise
parent
1ead807326
commit
794d1ed2b2
@@ -16,9 +16,9 @@ limitations under the License.
|
||||
package main
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/docker/docker/client"
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// TestNativeHABasic creates 3 containers in a Native HA queue manager configuration
|
||||
@@ -217,3 +217,96 @@ func TestNativeHASecureCipherSpec(t *testing.T) {
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// TestNativeHASecure creates 3 containers in a Native HA queue manager configuration
|
||||
// with HA TLS FIPS enabled, overrides the default CipherSpec, and ensures the queue manger
|
||||
// and replicas start as expected. This test uses FIPS compliant cipher.
|
||||
func TestNativeHASecureCipherSpecFIPS(t *testing.T) {
|
||||
cli, err := client.NewClientWithOpts(client.FromEnv)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
version, err := getMQVersion(t, cli)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if version < "9.2.2.0" {
|
||||
t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
|
||||
}
|
||||
|
||||
containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
|
||||
qmReplicaIDs := [3]string{}
|
||||
qmNetwork, err := createBridgeNetwork(cli, t)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer removeBridgeNetwork(cli, qmNetwork.ID)
|
||||
|
||||
for i := 0; i <= 2; i++ {
|
||||
containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
|
||||
// MQ_NATIVE_HA_CIPHERSPEC is set a FIPS compliant cipherspec.
|
||||
containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=TLS_RSA_WITH_AES_128_GCM_SHA256", "MQ_ENABLE_FIPS=true")
|
||||
hostConfig := getNativeHASecureHostConfig(t)
|
||||
networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
|
||||
|
||||
ctr := runContainerWithAllConfig(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
|
||||
defer cleanContainer(t, cli, ctr)
|
||||
qmReplicaIDs[i] = ctr
|
||||
}
|
||||
|
||||
waitForReadyHA(t, cli, qmReplicaIDs)
|
||||
// Display the contents of qm.ini
|
||||
_, qmini := execContainer(t, cli, qmReplicaIDs[0], "", []string{"cat", "/var/mqm/qmgrs/QM1/qm.ini"})
|
||||
if !strings.Contains(qmini, "SSLFipsRequired=Yes") {
|
||||
t.Errorf("Expected SSLFipsRequired=Yes but it is not; got \"%v\"", qmini)
|
||||
}
|
||||
|
||||
_, err = getActiveReplicaInstances(t, cli, qmReplicaIDs)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestNativeHASecure creates 3 containers in a Native HA queue manager configuration
|
||||
// with HA TLS FIPS enabled with non-FIPS cipher, overrides the default CipherSpec, and
|
||||
// ensures the queue manger and replicas don't start as expected
|
||||
func TestNativeHASecureCipherSpecNonFIPSCipher(t *testing.T) {
|
||||
cli, err := client.NewClientWithOpts(client.FromEnv)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
version, err := getMQVersion(t, cli)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if version < "9.2.2.0" {
|
||||
t.Skipf("Skipping %s as test requires at least MQ 9.2.2.0, but image is version %s", t.Name(), version)
|
||||
}
|
||||
|
||||
containerNames := [3]string{"QM1_1", "QM1_2", "QM1_3"}
|
||||
qmReplicaIDs := [3]string{}
|
||||
qmNetwork, err := createBridgeNetwork(cli, t)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer removeBridgeNetwork(cli, qmNetwork.ID)
|
||||
|
||||
for i := 0; i <= 2; i++ {
|
||||
containerConfig := getNativeHAContainerConfig(containerNames[i], containerNames, defaultHAPort)
|
||||
// MQ_NATIVE_HA_CIPHERSPEC is set a FIPS non-compliant cipherspec - SSL_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
containerConfig.Env = append(containerConfig.Env, "MQ_NATIVE_HA_TLS=true", "MQ_NATIVE_HA_CIPHERSPEC=TLS_RSA_WITH_AES_128_GCM_SHA256", "MQ_ENABLE_FIPS=true")
|
||||
hostConfig := getNativeHASecureHostConfig(t)
|
||||
networkingConfig := getNativeHANetworkConfig(qmNetwork.ID)
|
||||
|
||||
ctr, err := runContainerWithAllConfigError(t, cli, &containerConfig, &hostConfig, &networkingConfig, containerNames[i])
|
||||
defer cleanContainer(t, cli, ctr)
|
||||
// We expect container to fail in this case because the cipher is non-FIPS and we have asked for FIPS compliance
|
||||
// by setting MQ_ENABLE_FIPS=true
|
||||
if err == nil {
|
||||
t.Logf("Container start expected to fail but did not. %v", err)
|
||||
}
|
||||
qmReplicaIDs[i] = ctr
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user