From c079c1b60d39b8ae553c463597ad4478c3b8cb3b Mon Sep 17 00:00:00 2001
From: Stephen Marshall <stmarsh@uk.ibm.com>
Date: Fri, 10 May 2019 10:53:48 +0100
Subject: [PATCH] Merge CIP code

---
 Dockerfile-server                             |   8 +-
 cmd/runmqdevserver/main.go                    |   3 +-
 cmd/runmqdevserver/mqsc.go                    |   6 +-
 cmd/runmqdevserver/tls.go                     |  24 +++--
 cmd/runmqserver/logging.go                    |   9 ++
 cmd/runmqserver/post_init.go                  |  16 ++-
 cmd/runmqserver/webserver.go                  | 100 ++++++++++++++++++
 docs/developer-config.md                      |   2 +-
 install-mq-server-prereqs.sh                  |   5 +-
 .../keystore}/keystore.go                     |  38 ++++++-
 .../mqtemplate/mqtemplate.go                  |   9 +-
 mq-advanced-server-rhel/mq-buildah.sh         |   9 ++
 mq-advanced-server-rhel/mqdev-buildah.sh      |   3 +-
 test/docker/devconfig_test.go                 |   2 +-
 .../Installation1/servers/mqweb/mqwebuser.xml |  25 +++++
 .../servers/mqweb/mqwebuser.xml.tpl           |  47 ++++++++
 .../Installation1/servers/mqweb/tls.xml       |   0
 17 files changed, 274 insertions(+), 32 deletions(-)
 rename {cmd/runmqdevserver => internal/keystore}/keystore.go (78%)
 rename cmd/runmqdevserver/template.go => internal/mqtemplate/mqtemplate.go (84%)
 create mode 100644 web/installations/Installation1/servers/mqweb/mqwebuser.xml
 create mode 100644 web/installations/Installation1/servers/mqweb/mqwebuser.xml.tpl
 rename {incubating/mqadvanced-server-dev/web => web}/installations/Installation1/servers/mqweb/tls.xml (100%)

diff --git a/Dockerfile-server b/Dockerfile-server
index dd3a643..28bca29 100644
--- a/Dockerfile-server
+++ b/Dockerfile-server
@@ -78,10 +78,14 @@ RUN mkdir -p /run/runmqserver \
 COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/runmqserver /usr/local/bin/
 COPY --from=builder /opt/app-root/src/go/src/github.com/ibm-messaging/mq-container/chkmq* /usr/local/bin/
 COPY NOTICES.txt /opt/mqm/licenses/notices-container.txt
+# Copy web XML files
+COPY web /etc/mqm/web
 RUN chmod ug+x /usr/local/bin/runmqserver \
   && chown mqm:mqm /usr/local/bin/*mq* \
   && chmod ug+xs /usr/local/bin/chkmq* \
+  && chown -R mqm:mqm /etc/mqm/* \
   && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
+  && install --directory --mode 0775 --owner mqm --group root /run/tls \
   && touch /run/termination-log \
   && chown mqm:root /run/termination-log \
   && chmod 0660 /run/termination-log
@@ -133,6 +137,6 @@ COPY incubating/mqadvanced-server-dev/web /etc/mqm/web
 RUN chown -R mqm:mqm /etc/mqm/* \
   && chmod +x /usr/local/bin/runmq* \
   && install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver
-ENV MQ_BETA_ENABLE_WEB_SERVER=1
+ENV MQ_ENABLE_EMBEDDED_WEB_SERVER=1
 USER $MQM_UID
-ENTRYPOINT ["runmqdevserver"]
\ No newline at end of file
+ENTRYPOINT ["runmqdevserver"]
diff --git a/cmd/runmqdevserver/main.go b/cmd/runmqdevserver/main.go
index 5ffa939..ca5b17d 100644
--- a/cmd/runmqdevserver/main.go
+++ b/cmd/runmqdevserver/main.go
@@ -25,6 +25,7 @@ import (
 	"github.com/ibm-messaging/mq-container/internal/command"
 	containerruntimelogger "github.com/ibm-messaging/mq-container/internal/containerruntimelogger"
 	"github.com/ibm-messaging/mq-container/internal/logger"
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/name"
 )
 
@@ -91,7 +92,7 @@ func configureLogger() error {
 
 func configureWeb(qmName string) error {
 	out := "/etc/mqm/web/installations/Installation1/angular.persistence/admin.json"
-	return processTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName})
+	return mqtemplate.ProcessTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName}, log)
 }
 
 func logTerminationf(format string, args ...interface{}) {
diff --git a/cmd/runmqdevserver/mqsc.go b/cmd/runmqdevserver/mqsc.go
index 93d58ea..f35512d 100644
--- a/cmd/runmqdevserver/mqsc.go
+++ b/cmd/runmqdevserver/mqsc.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2019
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@ package main
 
 import (
 	"os"
+
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
 func updateMQSC(appPasswordRequired bool) error {
@@ -30,7 +32,7 @@ func updateMQSC(appPasswordRequired bool) error {
 	if os.Getenv("MQ_DEV") == "true" {
 		const mqscTemplate string = mqsc + ".tpl"
 		// Re-configure channel if app password not set
-		err := processTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient})
+		err := mqtemplate.ProcessTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient}, log)
 		if err != nil {
 			return err
 		}
diff --git a/cmd/runmqdevserver/tls.go b/cmd/runmqdevserver/tls.go
index 8e21ed6..69f7a1b 100644
--- a/cmd/runmqdevserver/tls.go
+++ b/cmd/runmqdevserver/tls.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2019
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,20 +21,22 @@ import (
 	"path/filepath"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
-func configureWebTLS(cms *KeyStore) error {
+func configureWebTLS(cms *keystore.KeyStore) error {
 	dir := "/run/runmqdevserver/tls"
-	ks := NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
-	ts := NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
+	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
+	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
 
 	log.Debug("Creating key store")
-	err := ks.Create()
+	err := ks.Create(log)
 	if err != nil {
 		return err
 	}
 	log.Debug("Creating trust store")
-	err = ts.Create()
+	err = ts.Create(log)
 	if err != nil {
 		return err
 	}
@@ -105,14 +107,14 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 		}
 	}
 
-	cms := NewCMSKeyStore(keyFile, passPhrase)
+	cms := keystore.NewCMSKeyStore(keyFile, passPhrase)
 
-	err = cms.Create()
+	err = cms.Create(log)
 	if err != nil {
 		return err
 	}
 
-	err = cms.CreateStash()
+	err = cms.CreateStash(log)
 	if err != nil {
 		return err
 	}
@@ -146,11 +148,11 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 	const mqsc string = "/etc/mqm/20-dev-tls.mqsc"
 	const mqscTemplate string = mqsc + ".tpl"
 
-	err = processTemplateFile(mqscTemplate, mqsc, map[string]string{
+	err = mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{
 		"SSLKeyR":          filepath.Join(dir, "key"),
 		"CertificateLabel": newLabel,
 		"SSLCipherSpec":    sslCipherSpec,
-	})
+	}, log)
 	if err != nil {
 		return err
 	}
diff --git a/cmd/runmqserver/logging.go b/cmd/runmqserver/logging.go
index 1b35d3c..b27eb74 100644
--- a/cmd/runmqserver/logging.go
+++ b/cmd/runmqserver/logging.go
@@ -167,11 +167,20 @@ func logDiagnostics() {
 	out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
 	log.Debugf("/mnt/mqm/data:\n%s", out)
 	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/mnt/mqm-log/log")
+	log.Debugf("/mnt/mqm-log/log:\n%s", out)
+	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/mnt/mqm-data/qmgrs")
+	log.Debugf("/mnt/mqm-data/qmgrs:\n%s", out)
+	// #nosec G104
 	out, _, _ = command.Run("ls", "-l", "/var/mqm")
 	log.Debugf("/var/mqm:\n%s", out)
 	// #nosec G104
 	out, _, _ = command.Run("ls", "-l", "/var/mqm/errors")
 	log.Debugf("/var/mqm/errors:\n%s", out)
+	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/etc/mqm")
+	log.Debugf("/etc/mqm:\n%s", out)
 
 	// Print out summary of any FDCs
 	// #nosec G204
diff --git a/cmd/runmqserver/post_init.go b/cmd/runmqserver/post_init.go
index 17854ff..c4c992a 100644
--- a/cmd/runmqserver/post_init.go
+++ b/cmd/runmqserver/post_init.go
@@ -21,9 +21,19 @@ import (
 
 // postInit is run after /var/mqm is set up
 func postInit(name string) error {
-	web := os.Getenv("MQ_BETA_ENABLE_WEB_SERVER")
-	if web == "true" || web == "1" {
-		// Configure the web server (if installed)
+	enableWebServer := os.Getenv("MQ_ENABLE_EMBEDDED_WEB_SERVER")
+	if enableWebServer == "true" || enableWebServer == "1" {
+
+		// Configure Single-Sign-On for the web server (if enabled)
+		enableSSO := os.Getenv("MQ_BETA_ENABLE_SSO")
+		if enableSSO == "true" || enableSSO == "1" {
+			err := configureSSO()
+			if err != nil {
+				return err
+			}
+		}
+
+		// Configure the web server (if enabled)
 		err := configureWebServer()
 		if err != nil {
 			return err
diff --git a/cmd/runmqserver/webserver.go b/cmd/runmqserver/webserver.go
index c42849a..ae6f24a 100644
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -23,9 +23,12 @@ import (
 	"os/user"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
 func startWebServer() error {
@@ -88,6 +91,103 @@ func CopyFile(src, dest string) error {
 	return err
 }
 
+func configureSSO() error {
+
+	// Ensure all required environment variables are set for SSO
+	requiredEnvVars := []string{
+		"MQ_WEB_ADMIN_USERS",
+		"MQ_OIDC_CLIENT_ID",
+		"MQ_OIDC_CLIENT_SECRET",
+		"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
+		"MQ_OIDC_AUTHORIZATION_ENDPOINT",
+		"MQ_OIDC_TOKEN_ENDPOINT",
+		"MQ_OIDC_JWK_ENDPOINT",
+		"MQ_OIDC_ISSUER_IDENTIFIER",
+		"MQ_OIDC_CERTIFICATE",
+	}
+	for _, envVar := range requiredEnvVars {
+		if len(os.Getenv(envVar)) == 0 {
+			return fmt.Errorf("%v must be set when MQ_BETA_ENABLE_SSO=true", envVar)
+		}
+	}
+
+	// Check mqweb directory exists
+	const mqwebDir string = "/etc/mqm/web/installations/Installation1/servers/mqweb"
+	_, err := os.Stat(mqwebDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	// Process SSO template for generating file mqwebuser.xml
+	adminUsers := strings.Split(os.Getenv("MQ_WEB_ADMIN_USERS"), "\n")
+	err = mqtemplate.ProcessTemplateFile(mqwebDir+"/mqwebuser.xml.tpl", mqwebDir+"/mqwebuser.xml", map[string][]string{"AdminUser": adminUsers}, log)
+	if err != nil {
+		return err
+	}
+
+	// Configure SSO TLS
+	return configureSSO_TLS()
+}
+
+func configureSSO_TLS() error {
+
+	// Create tls directory
+	dir := "/run/tls"
+	mntdir := "/mnt/tls/"
+	_, err := os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			err = os.MkdirAll(dir, 0770)
+			if err != nil {
+				return err
+			}
+			mqmUID, mqmGID, err := command.LookupMQM()
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(dir, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+
+	// Setup key store & trust store
+	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), "password")
+	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), "password")
+
+	log.Debug("Creating key store")
+	err = ks.Create(log)
+	if err != nil {
+		return err
+	}
+	log.Debug("Creating trust store")
+	err = ts.Create(log)
+	if err != nil {
+		return err
+	}
+	log.Debug("Generating PKCS12 file")
+	err = ks.GeneratePKCS12(filepath.Join(mntdir, "tls.key"), filepath.Join(mntdir, "tls.crt"), filepath.Join(dir, "tls.p12"), "default", "password")
+	if err != nil {
+		return err
+	}
+	log.Debug("Importing certificate into key store")
+	err = ks.Import(filepath.Join(dir, "tls.p12"), "password")
+	if err != nil {
+		return err
+	}
+	log.Debug("Adding OIDC certificate to trust store")
+	err = ts.Add(os.Getenv("MQ_OIDC_CERTIFICATE"), "OIDC")
+	return err
+}
+
 func configureWebServer() error {
 	_, err := os.Stat("/opt/mqm/bin/strmqweb")
 	if err != nil {
diff --git a/docs/developer-config.md b/docs/developer-config.md
index 4e094f7..88fd648 100644
--- a/docs/developer-config.md
+++ b/docs/developer-config.md
@@ -52,4 +52,4 @@ If you choose to accept the security warning, you will be presented with the log
 
 If you wish to change the password for the admin user, this can be done using the `MQ_ADMIN_PASSWORD` environment variable. If you supply a PKCS#12 keystore using the `MQ_TLS_KEYSTORE` environment variable, then the web console will be configured to use the certificate inside the keystore for HTTPS operations.
 
-If you do not wish the web console to run, you can disable it by setting the environment variable `MQ_BETA_ENABLE_WEB_SERVER` to `false`.
+If you do not wish the web console to run, you can disable it by setting the environment variable `MQ_ENABLE_EMBEDDED_WEB_SERVER` to `false`.
diff --git a/install-mq-server-prereqs.sh b/install-mq-server-prereqs.sh
index 8282fb4..7d46faa 100644
--- a/install-mq-server-prereqs.sh
+++ b/install-mq-server-prereqs.sh
@@ -59,11 +59,12 @@ if ($UBUNTU); then
     procps \
     sed \
     tar \
-    util-linux
+    util-linux \
+    openssl
 fi
 
 if ($RPM); then
-  EXTRA_RPMS="bash bc ca-certificates coreutils file findutils gawk glibc-common grep passwd procps-ng sed shadow-utils tar util-linux which"
+  EXTRA_RPMS="bash bc ca-certificates coreutils file findutils gawk glibc-common grep passwd procps-ng sed shadow-utils tar util-linux which openssl"
   # Install additional packages required by MQ, this install process and the runtime scripts
   $YUM && yum -y install --setopt install_weak_deps=false ${EXTRA_RPMS}
   $MICRODNF && microdnf install --nodocs ${EXTRA_RPMS}
diff --git a/cmd/runmqdevserver/keystore.go b/internal/keystore/keystore.go
similarity index 78%
rename from cmd/runmqdevserver/keystore.go
rename to internal/keystore/keystore.go
index 5027ead..296477e 100644
--- a/cmd/runmqdevserver/keystore.go
+++ b/internal/keystore/keystore.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2019
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -13,7 +13,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-package main
+
+// Package keystore contains code to create and update keystores
+package keystore
 
 import (
 	"bufio"
@@ -23,6 +25,7 @@ import (
 	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/logger"
 )
 
 // KeyStore describes information about a keystore file
@@ -54,7 +57,7 @@ func NewCMSKeyStore(filename, password string) *KeyStore {
 }
 
 // Create a key store, if it doesn't already exist
-func (ks *KeyStore) Create() error {
+func (ks *KeyStore) Create(log *logger.Logger) error {
 	_, err := os.Stat(ks.Filename)
 	if err == nil {
 		// Keystore already exists so we should refresh it by deleting it.
@@ -111,7 +114,7 @@ func (ks *KeyStore) Create() error {
 }
 
 // CreateStash creates a key stash, if it doesn't already exist
-func (ks *KeyStore) CreateStash() error {
+func (ks *KeyStore) CreateStash(log *logger.Logger) error {
 	extension := filepath.Ext(ks.Filename)
 	stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
 	log.Debugf("TLS stash file: %v", stashFile)
@@ -138,6 +141,15 @@ func (ks *KeyStore) CreateStash() error {
 	return nil
 }
 
+// GeneratePKCS12 generates a PKCS12 file
+func (ks *KeyStore) GeneratePKCS12(keyFile, crtFile, pkcs12File, label, password string) error {
+	out, _, err := command.Run("openssl", "pkcs12", "-export", "-inkey", keyFile, "-in", crtFile, "-out", pkcs12File, "-name", label, "-passout", "pass:"+password)
+	if err != nil {
+		return fmt.Errorf("error running \"openssl pkcs12 -export\": %v %s", err, out)
+	}
+	return nil
+}
+
 // Import imports a certificate file in the keystore
 func (ks *KeyStore) Import(inputFile, password string) error {
 	out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
@@ -147,6 +159,24 @@ func (ks *KeyStore) Import(inputFile, password string) error {
 	return nil
 }
 
+// CreateSelfSignedCertificate creates a self-signed certificate in the keystore
+func (ks *KeyStore) CreateSelfSignedCertificate(label, dn string) error {
+	out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn)
+	if err != nil {
+		return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
+	}
+	return nil
+}
+
+// Add adds a CA certificate to the keystore
+func (ks *KeyStore) Add(inputFile, label string) error {
+	out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
+	if err != nil {
+		return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
+	}
+	return nil
+}
+
 // GetCertificateLabels returns the labels of all certificates in the key store
 func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
 	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
diff --git a/cmd/runmqdevserver/template.go b/internal/mqtemplate/mqtemplate.go
similarity index 84%
rename from cmd/runmqdevserver/template.go
rename to internal/mqtemplate/mqtemplate.go
index de68393..ab4c71a 100644
--- a/cmd/runmqdevserver/template.go
+++ b/internal/mqtemplate/mqtemplate.go
@@ -13,7 +13,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-package main
+
+// Package mqtemplate contains code to process template files
+package mqtemplate
 
 import (
 	"os"
@@ -21,11 +23,12 @@ import (
 	"text/template"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/logger"
 )
 
-// processTemplateFile takes a Go templateFile, and processes it with the
+// ProcessTemplateFile takes a Go templateFile, and processes it with the
 // supplied data, writing to destFile
-func processTemplateFile(templateFile, destFile string, data interface{}) error {
+func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *logger.Logger) error {
 	// Re-configure channel if app password not set
 	t, err := template.ParseFiles(templateFile)
 	if err != nil {
diff --git a/mq-advanced-server-rhel/mq-buildah.sh b/mq-advanced-server-rhel/mq-buildah.sh
index c96bd62..2e33c0c 100755
--- a/mq-advanced-server-rhel/mq-buildah.sh
+++ b/mq-advanced-server-rhel/mq-buildah.sh
@@ -86,6 +86,7 @@ buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install \
   shadow-utils \
   tar \
   util-linux \
+  openssl \
   which
 
 # Install "sudo" if using MQ Advanced for Developers
@@ -121,6 +122,13 @@ buildah run --user root $ctr_mq -- chmod 0660 /run/termination-log
 install --mode 0550 --owner root --group root ./mq-advanced-server-rhel/writePackages.sh ${mnt_mq}/usr/local/bin/writePackages
 buildah run --user root $ctr_mq -- /usr/local/bin/writePackages
 
+# Copy web XML files
+cp -R web ${mnt_mq}/etc/mqm/web
+
+# Make "mqm" the owner of all the config files
+chown --recursive ${mqm_uid}:${mqm_gid} ${mnt_mq}/etc/mqm/*
+chmod --recursive 0750 ${mnt_mq}/etc/mqm/*
+
 ###############################################################################
 # Final Buildah commands
 ###############################################################################
@@ -138,6 +146,7 @@ fi
 buildah config \
   --port 1414/tcp \
   --port 9157/tcp \
+  --port 9443/tcp \
   --os linux \
   --label architecture=x86_64 \
   --label io.openshift.tags="$OSTAG" \
diff --git a/mq-advanced-server-rhel/mqdev-buildah.sh b/mq-advanced-server-rhel/mqdev-buildah.sh
index 1e7c84a..36ff96f 100755
--- a/mq-advanced-server-rhel/mqdev-buildah.sh
+++ b/mq-advanced-server-rhel/mqdev-buildah.sh
@@ -78,8 +78,7 @@ install --directory --mode 0775 --owner ${mqm_uid} --group 0 ${mnt_mq}/run/runmq
 cp ./incubating/mqadvanced-server-dev/*.tpl ${mnt_mq}/etc/mqm/
 
 # Copy web XML files for default developer configuration
-mkdir --parents ${mnt_mq}/etc/mqm/web
-cp --recursive ./incubating/mqadvanced-server-dev/web/* ${mnt_mq}/etc/mqm/web/
+cp -R incubating/mqadvanced-server-dev/web/ ${mnt_mq}/etc/mqm/web
 
 # Make "mqm" the owner of all the config files
 chown --recursive ${mqm_uid}:${mqm_gid} ${mnt_mq}/etc/mqm/*
diff --git a/test/docker/devconfig_test.go b/test/docker/devconfig_test.go
index 66a2740..f39d8ae 100644
--- a/test/docker/devconfig_test.go
+++ b/test/docker/devconfig_test.go
@@ -138,7 +138,7 @@ func TestDevWebDisabled(t *testing.T) {
 		Env: []string{
 			"LICENSE=accept",
 			"MQ_QMGR_NAME=qm1",
-			"MQ_BETA_ENABLE_WEB_SERVER=false",
+			"MQ_ENABLE_EMBEDDED_WEB_SERVER=false",
 		},
 	}
 	id := runContainer(t, cli, &containerConfig)
diff --git a/web/installations/Installation1/servers/mqweb/mqwebuser.xml b/web/installations/Installation1/servers/mqweb/mqwebuser.xml
new file mode 100644
index 0000000..7bb6ae1
--- /dev/null
+++ b/web/installations/Installation1/servers/mqweb/mqwebuser.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<server>
+    <featureManager>
+        <feature>appSecurity-2.0</feature>
+    </featureManager>
+    <enterpriseApplication id="com.ibm.mq.console">
+        <application-bnd>
+            <security-role name="MQWebAdmin">
+                <group name="MQWebUI" realm="defaultRealm"/>
+            </security-role>
+        </application-bnd>
+    </enterpriseApplication>
+    <enterpriseApplication id="com.ibm.mq.rest">
+        <application-bnd>
+            <security-role name="MQWebAdmin">
+                <group name="MQWebUI" realm="defaultRealm"/>
+            </security-role>
+            <security-role name="MQWebUser">
+                <group name="MQWebMessaging" realm="defaultRealm"/>
+            </security-role>
+        </application-bnd>
+    </enterpriseApplication>
+    <variable name="httpHost" value="*"/>
+    <include location="tls.xml"/>
+</server>
diff --git a/web/installations/Installation1/servers/mqweb/mqwebuser.xml.tpl b/web/installations/Installation1/servers/mqweb/mqwebuser.xml.tpl
new file mode 100644
index 0000000..5cebb71
--- /dev/null
+++ b/web/installations/Installation1/servers/mqweb/mqwebuser.xml.tpl
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<server>
+    <featureManager>
+        <feature>openidConnectClient-1.0</feature>
+        <feature>ssl-1.0</feature>
+    </featureManager>
+    <enterpriseApplication id="com.ibm.mq.console">
+        <application-bnd>
+            <security-role name="MQWebAdmin">
+                <group name="MQWebUI" realm="defaultRealm"/>
+                {{- range $index, $element := .AdminUser}}
+                <user name="admin{{$index}}" access-id="{{.}}"/>
+                {{- end}}
+            </security-role>
+        </application-bnd>
+    </enterpriseApplication>
+    <enterpriseApplication id="com.ibm.mq.rest">
+        <application-bnd>
+            <security-role name="MQWebAdmin">
+                <group name="MQWebUI" realm="defaultRealm"/>
+            </security-role>
+            <security-role name="MQWebUser">
+                <group name="MQWebMessaging" realm="defaultRealm"/>
+            </security-role>
+        </application-bnd>
+    </enterpriseApplication>
+    <openidConnectClient id="mqclient"
+        clientId="${env.MQ_OIDC_CLIENT_ID}"
+        clientSecret="${env.MQ_OIDC_CLIENT_SECRET}"
+        uniqueUserIdentifier="${env.MQ_OIDC_UNIQUE_USER_IDENTIFIER}"
+        authorizationEndpointUrl="${env.MQ_OIDC_AUTHORIZATION_ENDPOINT}"
+        tokenEndpointUrl="${env.MQ_OIDC_TOKEN_ENDPOINT}"
+        scope="openid profile email"
+        inboundPropagation="supported"
+        jwkEndpointUrl="${env.MQ_OIDC_JWK_ENDPOINT}"
+        signatureAlgorithm="RS256"
+        issuerIdentifier="${env.MQ_OIDC_ISSUER_IDENTIFIER}">
+    </openidConnectClient>
+    <variable name="httpHost" value="*"/>
+    <variable name="managementMode" value="externallyprovisioned"/>
+    <jndiEntry jndiName="xframeAllowedSourceList" value="${env.MQ_HOSTS}"/>
+    <keyStore id="MQWebKeyStore" location="/run/tls/key.jks" type="JKS" password="password"/>
+    <keyStore id="MQWebTrustStore" location="/run/tls/trust.jks" type="JKS" password="password"/>
+    <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="MQWebKeyStore" trustStoreRef="MQWebTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
+    <sslDefault sslRef="thisSSLConfig"/>
+    <httpDispatcher enableWelcomePage="false" appOrContextRootMissingMessage='&lt;script&gt;document.location.href="/ibmmq/console";&lt;/script&gt;' />
+</server>
diff --git a/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/tls.xml b/web/installations/Installation1/servers/mqweb/tls.xml
similarity index 100%
rename from incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/tls.xml
rename to web/installations/Installation1/servers/mqweb/tls.xml