From 81c0b70a6f619410c472f28101bc7a4c4238cb79 Mon Sep 17 00:00:00 2001
From: Robert Parker
Date: Fri, 31 May 2019 10:21:14 +0100
Subject: [PATCH 1/3] Set password length to meet VA scan requirements

---
 Dockerfile-server | 1 -
 install-mq.sh     | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile-server b/Dockerfile-server
index 4677db6..b9afb9d 100644
--- a/Dockerfile-server
+++ b/Dockerfile-server
@@ -86,7 +86,6 @@ RUN chmod ug+x /usr/local/bin/runmqserver \
     && chmod ug+xs /usr/local/bin/chkmq* \
     && chown -R mqm:mqm /etc/mqm/* \
     && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
-    && install --directory --mode 0775 --owner mqm --group root /run/tls \
     && touch /run/termination-log \
     && chown mqm:root /run/termination-log \
     && chmod 0660 /run/termination-log
diff --git a/install-mq.sh b/install-mq.sh
index 901ab80..4ca54b2 100644
--- a/install-mq.sh
+++ b/install-mq.sh
@@ -90,6 +90,8 @@ ln -s /mnt/mqm/data /var/mqm
 # Optional: Ensure any passwords expire in a timely manner
 sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/' /etc/login.defs
+sed -i 's/PASS_MIN_LEN\t5/PASS_MIN_LEN\t8/' /etc/login.defs
+sed -i 's/# minlen = 9/minlen = 8/' /etc/security/pwquality.conf
 $UBUNTU && PAM_FILE=/etc/pam.d/common-password
 $RPM && PAM_FILE=/etc/pam.d/password-auth

From 3c9ec5f14cd32df6d286bcdbbb86a39ba67dc340 Mon Sep 17 00:00:00 2001
From: Robert Parker
Date: Fri, 31 May 2019 11:36:04 +0100
Subject: [PATCH 2/3] Add fix for OIDC error

---
 internal/tls/tls.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/internal/tls/tls.go b/internal/tls/tls.go
index 856d692..f6b149e 100644
--- a/internal/tls/tls.go
+++ b/internal/tls/tls.go
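Review bot: Both added `sed -i` lines exit 0 even when their pattern matches nothing, so on an image whose `/etc/login.defs` has no `PASS_MIN_LEN<TAB>5` line, or whose `pwquality.conf` ships a commented default other than `# minlen = 9`, the minimum length is never set and nothing fails the build — the scan requirement the commit is meant to satisfy is then silently unmet. Asserting the result afterwards turns that into a hard failure, e.g. `grep -Eq '^PASS_MIN_LEN[[:space:]]+8$' /etc/login.defs` and `grep -Eq '^minlen = 8$' /etc/security/pwquality.conf` (the second only where the pwquality package is present; a missing file makes `sed -i` itself fail, and whether that aborts the script depends on a `set -e` that is outside the hunk). On PAM-based systems the enforced minimum comes from the stack configured via `$PAM_FILE` just below rather than from `login.defs` alone, so it is worth confirming which of the two values the scanner actually checks.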
@@ -346,6 +346,23 @@ func processTrustCertificates(trustDir string, cmsKeyDB, p12TrustDB *KeyStoreDat
 		if err != nil {
 			return fmt.Errorf("Could not add certificates to PKCS#12 Truststore: %v", err)
 		}
+
+		// We need to relabel everything because liberty doesn't play nicely with autolabelled certs
+		allCerts, err := p12TrustDB.Keystore.ListAllCertificates()
+		if err != nil || len(allCerts) <= 0 {
+			return fmt.Errorf("Could not get all certificates from PKCS#12 Truststore: %v", err)
+		}
+
+		for i, cert := range allCerts {
+			cert = strings.Trim(cert, "\"")
+			cert = strings.TrimSpace(cert)
+			newLabel := fmt.Sprintf("Trust%d", i)
+
+			err = p12TrustDB.Keystore.RenameCertificate(cert, newLabel)
+			if err != nil || len(allCerts) <= 0 {
+				return fmt.Errorf("Could not get rename certificate %s to %s in PKCS#12 Truststore: %v", cert, newLabel, err)
+			}
+		}
 	}
 
 	if len(cmsKeyDB.TrustedCerts) > 0 {

From b3fd5f7562d068ccfcc89e09581cc538ba0bd479 Mon Sep 17 00:00:00 2001
From: Robert Parker
Date: Fri, 31 May 2019 11:47:02 +0100
Subject: [PATCH 3/3] typos

---
 internal/tls/tls.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/tls/tls.go b/internal/tls/tls.go
index f6b149e..d1faba7 100644
--- a/internal/tls/tls.go
+++ b/internal/tls/tls.go
@@ -350,7 +350,7 @@ func processTrustCertificates(trustDir string, cmsKeyDB, p12TrustDB *KeyStoreDat
 		// We need to relabel everything because liberty doesn't play nicely with autolabelled certs
 		allCerts, err := p12TrustDB.Keystore.ListAllCertificates()
 		if err != nil || len(allCerts) <= 0 {
-			return fmt.Errorf("Could not get all certificates from PKCS#12 Truststore: %v", err)
+			return fmt.Errorf("Could not get any certificates from PKCS#12 Truststore: %v", err)
 		}
 
 		for i, cert := range allCerts {
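Review bot: The rename loop can target a label that another entry still holds: `allCerts` is listed once, then entry i is renamed to `Trust<i>`, so if any trimmed label is already of that form for a different index (a keystore this code has relabelled before, or a user-chosen label), the target exists at rename time, and whether `RenameCertificate` rejects or silently duplicates it is not visible in this hunk. Renaming in two passes through an interim label sidesteps the collision; the sketch below is in that shape and formats labels with `%q` so quotes or whitespace that survive the two trims show up in the error. Throwing away the original labels also discards the only human-readable hint of which CA each entry is, so logging the old-to-new mapping per entry would help anyone auditing the truststore later. The enclosing function and the `if` block this code sits in both start outside the hunk.
```go
// … unchanged: ListAllCertificates call and its error check …
// Pass 1: park every entry under an interim label so that a final
// Trust<n> label still held by some other entry cannot be hit.
for i, cert := range allCerts {
	cert = strings.TrimSpace(strings.Trim(cert, "\""))
	if err := p12TrustDB.Keystore.RenameCertificate(cert, fmt.Sprintf("relabel-pending-%d", i)); err != nil {
		return fmt.Errorf("Could not rename certificate %q in PKCS#12 Truststore: %v", cert, err)
	}
}
// Pass 2: assign the final labels; no original label can collide now.
for i := range allCerts {
	interim, newLabel := fmt.Sprintf("relabel-pending-%d", i), fmt.Sprintf("Trust%d", i)
	if err := p12TrustDB.Keystore.RenameCertificate(interim, newLabel); err != nil {
		return fmt.Errorf("Could not rename certificate %q to %q in PKCS#12 Truststore: %v", interim, newLabel, err)
	}
}
```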
@@ -360,7 +360,7 @@ func processTrustCertificates(trustDir string, cmsKeyDB, p12TrustDB *KeyStoreDat
 
 			err = p12TrustDB.Keystore.RenameCertificate(cert, newLabel)
 			if err != nil || len(allCerts) <= 0 {
-				return fmt.Errorf("Could not get rename certificate %s to %s in PKCS#12 Truststore: %v", cert, newLabel, err)
+				return fmt.Errorf("Could not rename certificate %s to %s in PKCS#12 Truststore: %v", cert, newLabel, err)
 			}
 		}
 	}
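Review bot: The `len(allCerts) <= 0` half of `if err != nil || len(allCerts) <= 0 {` above the rewritten message is dead code: this line runs inside `for i, cert := range allCerts`, which never iterates over an empty slice, and the same test already returns earlier in the function (outside this hunk), so the clause reads as a copy-paste of that check and obscures the only condition that matters; it should be `if err != nil {`. On the message itself, `%q` rather than `%s` for `cert` and `newLabel` would expose any quote or whitespace characters that survived the `strings.Trim`/`TrimSpace` calls a few lines up, which is the most likely reason a rename by label fails. The enclosing loop and function start outside the hunk.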