TLS and HTTPS configuration in default developer config

2018-03-20 16:47:24 +00:00
parent 913465620b
commit ab3b44e84b
21 changed files with 849 additions and 42 deletions
--- a/cmd/runmqdevserver/keystore.go
+++ b/cmd/runmqdevserver/keystore.go
@@ -0,0 +1,136 @@
+/*
+© Copyright IBM Corporation 2018
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/ibm-messaging/mq-container/internal/command"
+)
+
+type KeyStore struct {
+	Filename     string
+	Password     string
+	keyStoreType string
+	command      string
+}
+
+// NewJKSKeyStore creates a new Java Key Store, managed by the runmqckm command
+func NewJKSKeyStore(filename, password string) *KeyStore {
+	return &KeyStore{
+		Filename:     filename,
+		Password:     password,
+		keyStoreType: "jks",
+		command:      "/opt/mqm/bin/runmqckm",
+	}
+}
+
+// NewCMSKeyStore creates a new MQ CMS Key Store, managed by the runmqakm command
+func NewCMSKeyStore(filename, password string) *KeyStore {
+	return &KeyStore{
+		Filename:     filename,
+		Password:     password,
+		keyStoreType: "cms",
+		command:      "/opt/mqm/bin/runmqakm",
+	}
+}
+
+// Create a key store, if it doesn't already exist
+func (ks *KeyStore) Create() error {
+	_, err := os.Stat(ks.Filename)
+	if err != nil {
+		if os.IsNotExist(err) {
+			_, _, err := command.Run(ks.command, "-keydb", "-create", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
+			if err != nil {
+				return fmt.Errorf("error running \"%v -keydb -create\": %v", ks.command, err)
+			}
+		}
+	}
+	// TODO: Lookup value for MQM user here?
+	err = os.Chown(ks.Filename, 999, 999)
+	if err != nil {
+		log.Error(err)
+		return err
+	}
+	return nil
+}
+
+// Create a key stash, if it doesn't already exist
+func (ks *KeyStore) CreateStash() error {
+	extension := filepath.Ext(ks.Filename)
+	stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
+	log.Debugf("TLS stash file: %v", stashFile)
+	_, err := os.Stat(stashFile)
+	if err != nil {
+		if os.IsNotExist(err) {
+			_, _, err := command.Run(ks.command, "-keydb", "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+			if err != nil {
+				return fmt.Errorf("error running \"%v -keydb -stashpw\": %v", ks.command, err)
+			}
+		}
+		return err
+	}
+	// TODO: Lookup value for MQM user here?
+	err = os.Chown(stashFile, 999, 999)
+	if err != nil {
+		log.Error(err)
+		return err
+	}
+	return nil
+}
+
+func (ks *KeyStore) Import(inputFile, password string) error {
+	_, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
+	if err != nil {
+		return fmt.Errorf("error running \"%v -cert -import\": %v", ks.command, err)
+	}
+	return nil
+}
+
+// GetCertificateLabels returns the labels of all certificates in the key store
+func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
+	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+	if err != nil {
+		return nil, fmt.Errorf("error running \"%v -cert -list\": %v", ks.command, err)
+	}
+	scanner := bufio.NewScanner(strings.NewReader(out))
+	var labels []string
+	for scanner.Scan() {
+		s := scanner.Text()
+		if strings.HasPrefix(s, "-") || strings.HasPrefix(s, "*-") {
+			s := strings.TrimLeft(s, "-*")
+			labels = append(labels, strings.TrimSpace(s))
+		}
+	}
+	err = scanner.Err()
+	if err != nil {
+		return nil, err
+	}
+	return labels, nil
+}
+
+// RenameCertificate renames the specified certificate
+func (ks *KeyStore) RenameCertificate(from, to string) error {
+	_, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
+	if err != nil {
+		return fmt.Errorf("error running \"%v -cert -rename\": %v", ks.command, err)
+	}
+	return nil
+}
--- a/cmd/runmqdevserver/main.go
+++ b/cmd/runmqdevserver/main.go
@@ -129,6 +129,19 @@ func doMain() error {
 		return err
 	}

+	name, err := name.GetQueueManagerName()
+	if err != nil {
+		logTerminationf("Error getting queue manager name: %v", err)
+	}
+	ks, set := os.LookupEnv("MQ_TLS_KEYSTORE")
+	if set {
+		err = configureTLS(name, ks, os.Getenv("MQ_TLS_PASSPHRASE"))
+		if err != nil {
+			logTerminationf("Error configuring TLS: %v", err)
+			return err
+		}
+	}
+
 	return nil
 }

--- a/cmd/runmqdevserver/mqsc.go
+++ b/cmd/runmqdevserver/mqsc.go
@@ -27,7 +27,7 @@ func updateMQSC(appPasswordRequired bool) error {
 	} else {
 		checkClient = "ASQMGR"
 	}
-	const mqsc string = "/etc/mqm/dev.mqsc"
+	const mqsc string = "/etc/mqm/10-dev.mqsc"
 	if os.Getenv("MQ_DEV") == "true" {
 		const mqscTemplate string = mqsc + ".tpl"
 		// Re-configure channel if app password not set
--- a/cmd/runmqdevserver/tls.go
+++ b/cmd/runmqdevserver/tls.go
@@ -0,0 +1,140 @@
+/*
+© Copyright IBM Corporation 2018
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+func configureWebTLS(cms *KeyStore) error {
+	dir := "/run/runmqdevserver/tls"
+	ks := NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
+	ts := NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
+
+	log.Debug("Creating key store")
+	err := ks.Create()
+	if err != nil {
+		return err
+	}
+	log.Debug("Creating trust store")
+	err = ts.Create()
+	if err != nil {
+		return err
+	}
+	log.Debug("Importing keys")
+	err = ks.Import(cms.Filename, cms.Password)
+	if err != nil {
+		return err
+	}
+
+	webConfigDir := "/etc/mqm/web/installations/Installation1/servers/mqweb"
+	tlsConfig := filepath.Join(webConfigDir, "tls.xml")
+	newTLSConfig := filepath.Join(webConfigDir, "tls-dev.xml")
+	err = os.Remove(tlsConfig)
+	if err != nil {
+		return err
+	}
+	err = os.Rename(newTLSConfig, tlsConfig)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func configureTLS(qmName string, inputFile string, passPhrase string) error {
+	log.Debug("Configuring TLS")
+
+	_, err := os.Stat(inputFile)
+	if err != nil {
+		return err
+	}
+
+	// TODO: Use a persisted file (on the volume) instead?
+	dir := "/run/runmqdevserver/tls"
+	keyFile := filepath.Join(dir, "key.kdb")
+
+	_, err = os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			err = os.MkdirAll(dir, 0770)
+			if err != nil {
+				return err
+			}
+			err = os.Chown(dir, 999, 999)
+			if err != nil {
+				log.Debug(err)
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+
+	cms := NewCMSKeyStore(keyFile, passPhrase)
+
+	err = cms.Create()
+	if err != nil {
+		return err
+	}
+
+	err = cms.CreateStash()
+	if err != nil {
+		return err
+	}
+
+	err = cms.Import(inputFile, passPhrase)
+	if err != nil {
+		return err
+	}
+
+	labels, err := cms.GetCertificateLabels()
+	if err != nil {
+		return err
+	}
+	if len(labels) == 0 {
+		return fmt.Errorf("unable to find certificate label")
+	}
+	log.Debugf("Renaming certificate from %v", labels[0])
+	const newLabel string = "devcert"
+	err = cms.RenameCertificate(labels[0], newLabel)
+	if err != nil {
+		return err
+	}
+
+	if os.Getenv("MQ_DEV") == "true" {
+		f, err := os.OpenFile("/etc/mqm/20-dev-tls.mqsc", os.O_WRONLY|os.O_CREATE, 0770)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		// Change the Queue Manager's Key Repository to point at the new TLS key store
+		fmt.Fprintf(f, "ALTER QMGR SSLKEYR('%s')\n", filepath.Join(dir, "key"))
+		fmt.Fprintf(f, "ALTER QMGR CERTLABL('%s')\n", newLabel)
+		// Alter the DEV channels to use TLS
+		fmt.Fprintln(f, "ALTER CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)")
+		fmt.Fprintln(f, "ALTER CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)")
+	}
+
+	err = configureWebTLS(cms)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/cmd/runmqserver/post_init_dev.go
+++ b/cmd/runmqserver/post_init_dev.go
@@ -17,7 +17,10 @@ limitations under the License.
 */
 package main

-import "os"
+import (
+	"os"
+	"path/filepath"
+)

 // postInit is run after /var/mqm is set up
 // This version of postInit is only included as part of the MQ Advanced for Developers build
@@ -32,5 +35,26 @@ func postInit(name string) error {
 			startWebServer()
 		}()
 	}
+
+	dir := "/etc/mqm/tls"
+	keyFile := filepath.Join(dir, "key.kdb")
+	stashFile := filepath.Join(dir, "key.sth")
+
+	_, err := os.Stat(keyFile)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	_, err = os.Stat(stashFile)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
 	return nil
 }
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -19,6 +19,7 @@ package main

 import (
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"

@@ -41,6 +42,26 @@ func startWebServer() error {
 	return nil
 }

+// CopyFile copies the specified file
+func CopyFile(src, dest string) error {
+	log.Debugf("Copying file %v to %v", src, dest)
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY, 0770)
+	defer out.Close()
+
+	_, err = io.Copy(out, in)
+	if err != nil {
+		return err
+	}
+	err = out.Close()
+	return err
+}
+
 func configureWebServer() error {
 	_, err := os.Stat("/opt/mqm/bin/strmqweb")
 	if err != nil {
@@ -76,7 +97,6 @@ func configureWebServer() error {
 				return err
 			}
 		}
-
 		if info.IsDir() {
 			if !exists {
 				err := os.MkdirAll(to, 0770)
@@ -84,7 +104,6 @@ func configureWebServer() error {
 					return err
 				}
 			}
-			log.Printf("Directory: %v --> %v", from, to)
 		} else {
 			if exists {
 				err := os.Remove(to)
@@ -92,13 +111,11 @@ func configureWebServer() error {
 					return err
 				}
 			}
-			// TODO: Permissions.  Can't rely on them being set in Dockerfile
-			err := os.Link(from, to)
+			err := CopyFile(from, to)
 			if err != nil {
 				log.Debug(err)
 				return err
 			}
-			log.Printf("File: %v", from)
 		}
 		err = os.Chown(to, uid, gid)
 		if err != nil {