28 Commits

Rob Parker
869ee6492d Merge pull request #291 from parrobe/sing2
Add non-root to singularity branch
2019-03-19 16:06:26 +00:00
Robert Parker
cad3eb5dd9 fix broken devsecure test 2019-03-19 14:46:42 +00:00
Robert Parker
7b5e34e59e update copyright dates 2019-03-19 13:45:40 +00:00
Rob Parker
3ae41d52d3 Merge branch 'singularity' into sing2 2019-03-19 13:19:54 +00:00
Robert Parker
c3f40c84a7 Extra changes to support non-root in CIP 2019-03-19 11:29:33 +00:00
Stephen Marshall
350b8318ee Add TLS support (#243)
* Add TLS support

* Security fix for libsystemd0 systemd systemd-sysv libudev1
2019-03-18 13:21:39 +00:00
Stephen Marshall
fd262b173e Add uniqueUserIdentifier 2019-03-18 13:18:58 +00:00
Stephen Marshall
227db5875a Fix for iframe issue with web console (#238) 2019-03-18 13:18:58 +00:00
Rob Parker
6f1268ffec add integration into the docker tag (#233) 2019-03-18 13:18:58 +00:00
Stephen Marshall
c455d696b2 Split SSO admin user list on newlines (#229) 2019-03-18 13:18:06 +00:00
Stephen Marshall
4c1d124484 Configure Single-Sign-On for the web server 2019-03-18 13:18:06 +00:00
Stephen Marshall
9b3b1f7b9e Move template and keystore functions to internal packages 2019-03-18 13:16:44 +00:00
Stephen Marshall
568ae6e34e Enable web console for mqadvanced-server 2019-03-18 13:16:44 +00:00
Arthur Barr
0dd5f9c818 Replace master with singularity 2019-03-18 13:05:46 +00:00
Rob Parker
00a0ce0e0a Merge pull request #254 from parrobe/sing
update perl-base to fix security vulnerability
2018-12-05 13:55:50 +00:00
Robert Parker
e74ba3fd75 update perl-base to fix security vulnerability 2018-12-05 13:34:58 +00:00
Stephen Marshall
3064699198 Add TLS support (#243)
* Add TLS support

* Security fix for libsystemd0 systemd systemd-sysv libudev1
2018-11-07 11:47:41 +00:00
Stephen Marshall
b8227abf7f Add uniqueUserIdentifier 2018-10-29 13:48:25 +00:00
Stephen Marshall
c88329d779 Fix for iframe issue with web console (#238) 2018-10-25 10:17:02 +01:00
Rob Parker
e6049ecb93 add integration into the docker tag (#233) 2018-10-18 13:43:48 +01:00
Stephen Marshall
574386fe82 Split SSO admin user list on newlines (#229) 2018-10-12 14:13:20 +01:00
Robert Parker
5ba73c1d2a update apparmor 2018-10-09 09:39:12 +01:00
Stephen Marshall
149915d587 Configure Single-Sign-On for the web server 2018-10-03 16:34:28 +01:00
Stephen Marshall
77eb7381e7 Move template and keystore functions to internal packages 2018-10-03 16:34:28 +01:00
Stephen Marshall
6abbbb0394 Enable web console for mqadvanced-server 2018-10-01 11:27:52 +01:00
Stephen Marshall
e7ba32d849 Merge pull request #215 from arthurbarr/singularity
Fix .gitignore and README
2018-10-01 11:05:55 +01:00
Arthur Barr
0e567ccea7 Remove dynamic Prometheus files 2018-10-01 10:18:49 +01:00
Arthur Barr
80e7707deb Replace master with singularity 2018-10-01 10:17:38 +01:00
50 changed files with 513 additions and 431 deletions


@@ -1,6 +1,6 @@
# Change log # Change log
## 9.1.2.0 (2019-03-21) ## vNext
* Now runs using the "mqm" user instead of root. See new [security doc](https://github.com/ibm-messaging/mq-container/blob/master/docs/security.md) * Now runs using the "mqm" user instead of root. See new [security doc](https://github.com/ibm-messaging/mq-container/blob/master/docs/security.md)
* New [IGNSTATE](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q132310_.htm#q132310___ignstateparm) parameter used in default developer config * New [IGNSTATE](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q132310_.htm#q132310___ignstateparm) parameter used in default developer config
@@ -8,9 +8,6 @@
* Fixes for the following issues: * Fixes for the following issues:
* Brackets no longer appear in termination log * Brackets no longer appear in termination log
* Test timeouts weren't being used correctly * Test timeouts weren't being used correctly
* Building on subscribed and unsubscribed hosts ([#273](https://github.com/ibm-messaging/mq-container/pull/273))
* Gosec failures ([#286](https://github.com/ibm-messaging/mq-container/pull/286))
* Security fix for perl-base ([#253](https://github.com/ibm-messaging/mq-container/pull/253))
## 9.1.1.0 (2018-11-30) ## 9.1.1.0 (2018-11-30)


@@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
ARG BASE_IMAGE=ubuntu:16.04 ARG BASE_IMAGE=ubuntu:16.04
ARG BUILDER_IMAGE=mq-golang-sdk:9.1.2.0-x86_64-ubuntu-16.04 ARG BUILDER_IMAGE=mq-golang-sdk:9.1.1.0-x86_64-ubuntu-16.04
############################################################################### ###############################################################################
# Build stage to build Go code # Build stage to build Go code
@@ -70,12 +70,16 @@ RUN chmod ug+x /usr/local/bin/runmqserver \
&& chown mqm:mqm /usr/local/bin/*mq* \ && chown mqm:mqm /usr/local/bin/*mq* \
&& chmod ug+xs /usr/local/bin/chkmq* \ && chmod ug+xs /usr/local/bin/chkmq* \
&& install --directory --mode 0775 --owner mqm --group root /run/runmqserver \ && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
&& install --directory --mode 0775 --owner mqm --group root /run/tls \
&& touch /run/termination-log \ && touch /run/termination-log \
&& chown mqm:root /run/termination-log \ && chown mqm:root /run/termination-log \
&& chmod 0660 /run/termination-log && chmod 0660 /run/termination-log
# Always use port 1414 for MQ & 9157 for the metrics # Always use port 1414 for MQ, 9157 for the metrics & 9443 for the web console
EXPOSE 1414 9157 EXPOSE 1414 9157 9443
# Copy web XML files
COPY web /etc/mqm/web
ENV LANG=en_US.UTF-8 AMQ_DIAGNOSTIC_MSG_SEVERITY=1 AMQ_ADDITIONAL_JSON_LOG=1 LOG_FORMAT=basic ENV LANG=en_US.UTF-8 AMQ_DIAGNOSTIC_MSG_SEVERITY=1 AMQ_ADDITIONAL_JSON_LOG=1 LOG_FORMAT=basic
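Review bot: The new `install --directory --mode 0775 --owner mqm --group root /run/tls` mirrors the /run/runmqserver line above it, but 0775 leaves the directory that will hold the web console's key and trust stores traversable and listable by any other uid in the container, and it disagrees with the runtime fallback createWebConsoleTLSDirStructure further down this page, which creates the same path with `os.MkdirAll(dir, 0770)` and chowns it to the mqm uid/gid. Because the image pre-creates the directory, that Go branch never runs and the image's 0775 mqm:root wins; `--mode 0770` here (or one shared definition of the mode) would make the two agree. `COPY web /etc/mqm/web` has no `--chown`, so the copied tree is root-owned, while configureWeb (also on this page) renders admin.json under /etc/mqm/web/installations/ at runtime; if nothing later in the Dockerfile fixes ownership that write fails once the process runs as mqm — worth confirming, since the rest of the Dockerfile is outside the hunk.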


@@ -1,4 +1,4 @@
# © Copyright IBM Corporation 2018 # © Copyright IBM Corporation 2018, 2019
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.


@@ -19,7 +19,7 @@
# BASE_IMAGE is the base image to use for MQ, for example "ubuntu" or "rhel" # BASE_IMAGE is the base image to use for MQ, for example "ubuntu" or "rhel"
BASE_IMAGE ?= rhel BASE_IMAGE ?= rhel
# MQ_VERSION is the fully qualified MQ version number to build # MQ_VERSION is the fully qualified MQ version number to build
MQ_VERSION ?= 9.1.2.0 MQ_VERSION ?= 9.1.1.0
# MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
# be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture # be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
# Does not apply to MQ Advanced for Developers. # Does not apply to MQ Advanced for Developers.
@@ -28,19 +28,19 @@ MQ_ARCHIVE ?= IBM_MQ_$(MQ_VERSION_VRM)_LINUX_$(MQ_ARCHIVE_ARCH).tar.gz
# for Developers can be installed # for Developers can be installed
MQ_ARCHIVE_DEV ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION)) MQ_ARCHIVE_DEV ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
# MQ_SDK_ARCHIVE specifies the archive to use for the MQ redistributable client, which is used for building the golang programs. # MQ_SDK_ARCHIVE specifies the archive to use for the MQ redistributable client, which is used for building the golang programs.
MQ_SDK_ARCHIVE ?= 9.1.2.0-IBM-MQC-Redist-LinuxX64.tar.gz MQ_SDK_ARCHIVE ?= 9.1.1.0-IBM-MQC-Redist-LinuxX64.tar.gz
# Options to `go test` for the Docker tests # Options to `go test` for the Docker tests
TEST_OPTS_DOCKER ?= TEST_OPTS_DOCKER ?=
# MQ_IMAGE_ADVANCEDSERVER is the name and tag of the built MQ Advanced image # MQ_IMAGE_ADVANCEDSERVER is the name and tag of the built MQ Advanced image
MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-RHEL-$(ARCH) MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-integration-$(ARCH)
# MQ_IMAGE_DEVSERVER is the name and tag of the built MQ Advanced for Developers image # MQ_IMAGE_DEVSERVER is the name and tag of the built MQ Advanced for Developers image
MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-RHEL-$(ARCH) MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-integration-$(ARCH)
# MQ_IMAGE_SDK is the name and tag of the built MQ Advanced for Developers SDK image # MQ_IMAGE_SDK is the name and tag of the built MQ Advanced for Developers SDK image
MQ_IMAGE_SDK ?=mq-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG) MQ_IMAGE_SDK ?=mq-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
# MQ_IMAGE_GOLANG_SDK is the name and tag of the built MQ Advanced for Developers SDK image, plus Go tools # MQ_IMAGE_GOLANG_SDK is the name and tag of the built MQ Advanced for Developers SDK image, plus Go tools
MQ_IMAGE_GOLANG_SDK ?=mq-golang-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG) MQ_IMAGE_GOLANG_SDK ?=mq-golang-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
# MQ_PACKAGES specifies the MQ packages to install. Defaults vary on base image. # MQ_PACKAGES specifies the MQ packages to install. Defaults vary on base image.
MQ_PACKAGES ?= MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQ_PACKAGES ?= MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm
############################################################################### ###############################################################################
# Other variables # Other variables
@@ -58,7 +58,7 @@ IMAGE_SOURCE=$(shell git config --get remote.origin.url)
MQDEV= MQDEV=
EMPTY:= EMPTY:=
SPACE:= $(EMPTY) $(EMPTY) SPACE:= $(EMPTY) $(EMPTY)
# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field). e.g. 9.1.2 instead of 9.1.2.0 # MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field). e.g. 9.1.1 instead of 9.1.1.0
MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION)))) MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))
@@ -80,9 +80,9 @@ else ifeq "$(ARCH)" "s390x"
MQ_DEV_ARCH=s390x MQ_DEV_ARCH=s390x
endif endif
# Archive names for IBM MQ Advanced for Developers # Archive names for IBM MQ Advanced for Developers
MQ_ARCHIVE_DEV_9.0.5.0=mqadv_dev905_linux_x86-64.tar.gz
MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_linux_$(MQ_DEV_ARCH).tar.gz MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_linux_$(MQ_DEV_ARCH).tar.gz
MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_linux_$(MQ_DEV_ARCH).tar.gz MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_linux_$(MQ_DEV_ARCH).tar.gz
MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_linux_$(MQ_DEV_ARCH).tar.gz
############################################################################### ###############################################################################
# Build targets # Build targets
@@ -166,7 +166,6 @@ build-advancedserver: check-prereqs downloads/$(MQ_ARCHIVE) build-go-programs
.PHONY: build-devserver .PHONY: build-devserver
build-devserver: MQDEV=TRUE build-devserver: MQDEV=TRUE
build-devserver: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm
build-devserver: check-prereqs downloads/$(MQ_ARCHIVE_DEV) build-go-programs build-devserver: check-prereqs downloads/$(MQ_ARCHIVE_DEV) build-go-programs
$(info $(SPACER)$(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER)"$(END))) $(info $(SPACER)$(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER)"$(END)))
sudo mq-advanced-server-rhel/mq-buildah.sh "$(MQ_ARCHIVE_DEV)" "$(MQ_PACKAGES)" "$(MQ_IMAGE_DEVSERVER_BASE)" "$(MQ_VERSION)" "$(MQDEV)" sudo mq-advanced-server-rhel/mq-buildah.sh "$(MQ_ARCHIVE_DEV)" "$(MQ_PACKAGES)" "$(MQ_IMAGE_DEVSERVER_BASE)" "$(MQ_VERSION)" "$(MQDEV)"


@@ -19,7 +19,7 @@
# BASE_IMAGE is the base image to use for MQ, for example "ubuntu" or "rhel" # BASE_IMAGE is the base image to use for MQ, for example "ubuntu" or "rhel"
BASE_IMAGE ?= ubuntu:16.04 BASE_IMAGE ?= ubuntu:16.04
# MQ_VERSION is the fully qualified MQ version number to build # MQ_VERSION is the fully qualified MQ version number to build
MQ_VERSION ?= 9.1.2.0 MQ_VERSION ?= 9.1.1.0
# MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
# be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture # be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
# Does not apply to MQ Advanced for Developers. # Does not apply to MQ Advanced for Developers.
@@ -32,9 +32,9 @@ MQ_SDK_ARCHIVE ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
# Options to `go test` for the Docker tests # Options to `go test` for the Docker tests
TEST_OPTS_DOCKER ?= TEST_OPTS_DOCKER ?=
# MQ_IMAGE_ADVANCEDSERVER is the name and tag of the built MQ Advanced image # MQ_IMAGE_ADVANCEDSERVER is the name and tag of the built MQ Advanced image
MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG) MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-integration-$(ARCH)
# MQ_IMAGE_DEVSERVER is the name and tag of the built MQ Advanced for Developers image # MQ_IMAGE_DEVSERVER is the name and tag of the built MQ Advanced for Developers image
MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG) MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-integration-$(ARCH)
# MQ_IMAGE_SDK is the name and tag of the built MQ Advanced for Developers SDK image # MQ_IMAGE_SDK is the name and tag of the built MQ Advanced for Developers SDK image
MQ_IMAGE_SDK ?=mq-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG) MQ_IMAGE_SDK ?=mq-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
# MQ_IMAGE_GOLANG_SDK is the name and tag of the built MQ Advanced for Developers SDK image, plus Go tools # MQ_IMAGE_GOLANG_SDK is the name and tag of the built MQ Advanced for Developers SDK image, plus Go tools
@@ -64,7 +64,7 @@ IMAGE_REVISION=$(shell git rev-parse HEAD)
IMAGE_SOURCE=$(shell git config --get remote.origin.url) IMAGE_SOURCE=$(shell git config --get remote.origin.url)
EMPTY:= EMPTY:=
SPACE:= $(EMPTY) $(EMPTY) SPACE:= $(EMPTY) $(EMPTY)
# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field). e.g. 9.1.2 instead of 9.1.2.0 # MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field). e.g. 9.1.1 instead of 9.1.1.0
MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION)))) MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))
ifneq (,$(findstring Microsoft,$(shell uname -r))) ifneq (,$(findstring Microsoft,$(shell uname -r)))
@@ -95,9 +95,9 @@ else ifeq "$(ARCH)" "s390x"
MQ_DEV_ARCH=s390x MQ_DEV_ARCH=s390x
endif endif
# Archive names for IBM MQ Advanced for Developers # Archive names for IBM MQ Advanced for Developers
MQ_ARCHIVE_DEV_9.0.5.0=mqadv_dev905_$(MQ_ARCHIVE_DEV_PLATFORM)_x86-64.tar.gz
MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
############################################################################### ###############################################################################
# Build targets # Build targets
@@ -134,7 +134,7 @@ downloads/$(MQ_ARCHIVE_DEV):
downloads/$(MQ_SDK_ARCHIVE): downloads/$(MQ_SDK_ARCHIVE):
$(info $(SPACER)$(shell printf $(TITLE)"Downloading IBM MQ Advanced for Developers "$(MQ_VERSION)$(END))) $(info $(SPACER)$(shell printf $(TITLE)"Downloading IBM MQ Advanced for Developers "$(MQ_VERSION)$(END)))
mkdir -p downloads mkdir -p downloads
cd downloads; curl -LO https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/$(MQ_SDK_ARCHIVE) cd downloads; curl -LO https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/$(MQ_SDK_ARCHIVE)
.PHONY: downloads .PHONY: downloads
downloads: downloads/$(MQ_ARCHIVE_DEV) downloads/$(MQ_SDK_ARCHIVE) downloads: downloads/$(MQ_ARCHIVE_DEV) downloads/$(MQ_SDK_ARCHIVE)
@@ -236,12 +236,6 @@ build-advancedserver: downloads/$(MQ_ARCHIVE) docker-version build-golang-sdk-ex
$(call docker-build-mq,$(MQ_IMAGE_ADVANCEDSERVER),Dockerfile-server,$(MQ_ARCHIVE),"4486e8c4cc9146fd9b3ce1f14a2dfc5b","IBM MQ Advanced",$(MQ_VERSION)) $(call docker-build-mq,$(MQ_IMAGE_ADVANCEDSERVER),Dockerfile-server,$(MQ_ARCHIVE),"4486e8c4cc9146fd9b3ce1f14a2dfc5b","IBM MQ Advanced",$(MQ_VERSION))
.PHONY: build-devserver .PHONY: build-devserver
# Target-specific variable to add web server into devserver image
ifeq "$(findstring ubuntu,$(BASE_IMAGE))" "ubuntu"
build-devserver: MQ_PACKAGES=ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-ams ibmmq-web
else
build-devserver: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm
endif
build-devserver: MQ_SDK_ARCHIVE=$(MQ_ARCHIVE_DEV) build-devserver: MQ_SDK_ARCHIVE=$(MQ_ARCHIVE_DEV)
build-devserver: downloads/$(MQ_ARCHIVE_DEV) docker-version build-golang-sdk-ex build-devserver: downloads/$(MQ_ARCHIVE_DEV) docker-version build-golang-sdk-ex
$(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER_BASE)"$(END))) $(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER_BASE)"$(END)))
@@ -267,7 +261,7 @@ build-sdk: downloads/$(MQ_SDK_ARCHIVE) build-sdk-ex
.PHONY: build-sdk-ex .PHONY: build-sdk-ex
ifeq "$(findstring ubuntu,$(BASE_IMAGE))" "ubuntu" ifeq "$(findstring ubuntu,$(BASE_IMAGE))" "ubuntu"
build-sdk-ex: MQ_PACKAGES=ibmmq-sdk ibmmq-samples build-essential build-sdk-ex: MQ_PACKAGES=ibmmq-sdk ibmmq-samples build-essential
else else
build-sdk-ex: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesSDK-*.rpm MQSeriesSamples*.rpm build-sdk-ex: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesSDK-*.rpm MQSeriesSamples*.rpm
endif endif
build-sdk-ex: docker-version docker-pull build-sdk-ex: docker-version docker-pull
@@ -280,9 +274,7 @@ build-golang-sdk: downloads/$(MQ_SDK_ARCHIVE) build-golang-sdk-ex
.PHONY: build-golang-sdk-ex .PHONY: build-golang-sdk-ex
build-golang-sdk-ex: docker-version build-sdk-ex build-golang-sdk-ex: docker-version build-sdk-ex
$(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_GOLANG_SDK)"$(END))) $(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_GOLANG_SDK)"$(END)))
@echo hello
$(DOCKER) build --build-arg BASE_IMAGE=$(MQ_IMAGE_SDK) -t $(MQ_IMAGE_GOLANG_SDK) -f incubating/mq-golang-sdk/Dockerfile . $(DOCKER) build --build-arg BASE_IMAGE=$(MQ_IMAGE_SDK) -t $(MQ_IMAGE_GOLANG_SDK) -f incubating/mq-golang-sdk/Dockerfile .
@echo goodbye
.PHONY: docker-pull .PHONY: docker-pull
docker-pull: docker-pull:


@@ -2,8 +2,8 @@
[![Build Status](https://travis-ci.org/ibm-messaging/mq-container.svg?branch=master)](https://travis-ci.org/ibm-messaging/mq-container) [![Build Status](https://travis-ci.org/ibm-messaging/mq-container.svg?branch=master)](https://travis-ci.org/ibm-messaging/mq-container)
**Note**: The `master` branch may be in an *unstable or even broken state* during development. **Note**: The `singularity` branch may be in an *unstable or even broken state* during development.
To get a stable version, please use the correct [branch](https://github.com/ibm-messaging/mq-container/branches) for your MQ version, instead of the `master` branch. To get a stable version, please use the correct [branch](https://github.com/ibm-messaging/mq-container/branches) for your MQ version, instead of the `singularity` branch.
<img src="https://raw.githubusercontent.com/IBM/charts/master/logo/ibm-mq-icon.svg?sanitize=true" width="100" alt="IBM MQ logo" /> <img src="https://raw.githubusercontent.com/IBM/charts/master/logo/ibm-mq-icon.svg?sanitize=true" width="100" alt="IBM MQ logo" />


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2017 © Copyright IBM Corporation 2017, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2017, 2018 © Copyright IBM Corporation 2017, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -24,6 +24,7 @@ import (
"github.com/ibm-messaging/mq-container/internal/command" "github.com/ibm-messaging/mq-container/internal/command"
"github.com/ibm-messaging/mq-container/internal/logger" "github.com/ibm-messaging/mq-container/internal/logger"
"github.com/ibm-messaging/mq-container/internal/mqtemplate"
"github.com/ibm-messaging/mq-container/internal/name" "github.com/ibm-messaging/mq-container/internal/name"
) )
@@ -90,7 +91,7 @@ func configureLogger() error {
func configureWeb(qmName string) error { func configureWeb(qmName string) error {
out := "/etc/mqm/web/installations/Installation1/angular.persistence/admin.json" out := "/etc/mqm/web/installations/Installation1/angular.persistence/admin.json"
return processTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName}) return mqtemplate.ProcessTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName}, log)
} }
func logTerminationf(format string, args ...interface{}) { func logTerminationf(format string, args ...interface{}) {


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@ package main
import ( import (
"os" "os"
"github.com/ibm-messaging/mq-container/internal/mqtemplate"
) )
func updateMQSC(appPasswordRequired bool) error { func updateMQSC(appPasswordRequired bool) error {
@@ -30,7 +32,7 @@ func updateMQSC(appPasswordRequired bool) error {
if os.Getenv("MQ_DEV") == "true" { if os.Getenv("MQ_DEV") == "true" {
const mqscTemplate string = mqsc + ".tpl" const mqscTemplate string = mqsc + ".tpl"
// Re-configure channel if app password not set // Re-configure channel if app password not set
err := processTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient}) err := mqtemplate.ProcessTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient}, log)
if err != nil { if err != nil {
return err return err
} }


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@@ -21,20 +21,22 @@ import (
"path/filepath" "path/filepath"
"github.com/ibm-messaging/mq-container/internal/command" "github.com/ibm-messaging/mq-container/internal/command"
"github.com/ibm-messaging/mq-container/internal/keystore"
"github.com/ibm-messaging/mq-container/internal/mqtemplate"
) )
func configureWebTLS(cms *KeyStore) error { func configureWebTLS(cms *keystore.KeyStore) error {
dir := "/run/runmqdevserver/tls" dir := "/run/runmqdevserver/tls"
ks := NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password) ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
ts := NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password) ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
log.Debug("Creating key store") log.Debug("Creating key store")
err := ks.Create() err := ks.Create(log)
if err != nil { if err != nil {
return err return err
} }
log.Debug("Creating trust store") log.Debug("Creating trust store")
err = ts.Create() err = ts.Create(log)
if err != nil { if err != nil {
return err return err
} }
@@ -56,24 +58,19 @@ func configureWebTLS(cms *KeyStore) error {
if err != nil { if err != nil {
return err return err
} }
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(tlsConfig, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
return nil return nil
} }
func configureTLS(qmName string, inputFile string, passPhrase string) error { func configureTLS(qmName string, inputFile string, passPhrase string) error {
err := createDevTLSDir()
if err != nil {
return err
}
log.Debug("Configuring TLS") log.Debug("Configuring TLS")
_, err := os.Stat(inputFile) _, err = os.Stat(inputFile)
if err != nil { if err != nil {
return err return err
} }
@@ -82,37 +79,14 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
dir := "/run/runmqdevserver/tls" dir := "/run/runmqdevserver/tls"
keyFile := filepath.Join(dir, "key.kdb") keyFile := filepath.Join(dir, "key.kdb")
_, err = os.Stat(dir) cms := keystore.NewCMSKeyStore(keyFile, passPhrase)
if err != nil {
if os.IsNotExist(err) {
// #nosec G301
err = os.MkdirAll(dir, 0770)
if err != nil {
return err
}
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(dir, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
} else {
return err
}
}
cms := NewCMSKeyStore(keyFile, passPhrase) err = cms.Create(log)
err = cms.Create()
if err != nil { if err != nil {
return err return err
} }
err = cms.CreateStash() err = cms.CreateStash(log)
if err != nil { if err != nil {
return err return err
} }
@@ -146,11 +120,11 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
const mqsc string = "/etc/mqm/20-dev-tls.mqsc" const mqsc string = "/etc/mqm/20-dev-tls.mqsc"
const mqscTemplate string = mqsc + ".tpl" const mqscTemplate string = mqsc + ".tpl"
err = processTemplateFile(mqscTemplate, mqsc, map[string]string{ err = mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{
"SSLKeyR": filepath.Join(dir, "key"), "SSLKeyR": filepath.Join(dir, "key"),
"CertificateLabel": newLabel, "CertificateLabel": newLabel,
"SSLCipherSpec": sslCipherSpec, "SSLCipherSpec": sslCipherSpec,
}) }, log)
if err != nil { if err != nil {
return err return err
} }
@@ -162,3 +136,32 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
return nil return nil
} }
func createDevTLSDir() error {
// TODO: Use a persisted file (on the volume) instead?
dir := "/run/runmqdevserver/tls"
_, err := os.Stat(dir)
if err != nil {
if os.IsNotExist(err) {
// #nosec G301
err = os.MkdirAll(dir, 0770)
if err != nil {
return err
}
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(dir, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
} else {
return err
}
}
return nil
}
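Review bot: createDevTLSDir returns nil as soon as `os.Stat(dir)` succeeds, without checking that the existing entry is a directory or what mode and owner it has, and configureTLS then writes key.kdb and its stash file into it; since doMain in runmqserver also calls its own copy of this function for the same path when the dev flag is set (visible further down this page), the pre-existing case is the expected one, not the exception. When Stat succeeds, keep the returned `info` and reject anything that is not a directory or that grants world access, e.g. `if !info.IsDir() || info.Mode().Perm()&07 != 0 {` followed by returning an error that names the directory, using whichever error constructor the file already imports. The literal `"/run/runmqdevserver/tls"` now appears three times in this file (configureWebTLS, configureTLS, createDevTLSDir); a package-level `const devTLSDir = "/run/runmqdevserver/tls"` would keep them in step. configureWebTLS and configureTLS both start outside the hunks shown.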


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2017, 2018 © Copyright IBM Corporation 2017, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@@ -60,3 +60,61 @@ func createVolume(path string) error {
} }
return nil return nil
} }
func createWebConsoleTLSDirStructure() error {
// Create tls directory
dir := "/run/tls"
_, err := os.Stat(dir)
if err != nil {
if os.IsNotExist(err) {
err = os.MkdirAll(dir, 0770)
if err != nil {
return err
}
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(dir, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
} else {
return err
}
}
return nil
}
/* TODO: remove duplicated code */
func createDevTLSDir() error {
// TODO: Use a persisted file (on the volume) instead?
dir := "/run/runmqdevserver/tls"
_, err := os.Stat(dir)
if err != nil {
if os.IsNotExist(err) {
// #nosec G301
err = os.MkdirAll(dir, 0770)
if err != nil {
return err
}
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(dir, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
} else {
return err
}
}
return nil
}
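Review bot: `os.MkdirAll(dir, 0770)` in createWebConsoleTLSDirStructure has no `// #nosec G301` annotation, while the byte-identical call in the duplicated createDevTLSDir directly below carries one, so gosec will flag the first and not the second; the two bodies differ only in the path literal, which the author already marked with `/* TODO: remove duplicated code */`. Folding both into one helper that takes the directory removes the duplication and puts the suppression in a single place. The helper below preserves the existing behaviour of returning nil when the directory already exists, so its mode and owner are still not verified in that case; that is worth a comment on the helper until it is decided. Both functions in this hunk are complete; createVolume above them starts outside the hunk.
```go
// ensureMQMDir creates dir (if it does not exist) with the given mode and
// hands it to the mqm user. An existing entry is accepted as-is: its mode
// and owner are NOT verified here.
func ensureMQMDir(dir string, mode os.FileMode) error {
	_, err := os.Stat(dir)
	if err == nil {
		return nil
	}
	if !os.IsNotExist(err) {
		return err
	}
	// #nosec G301
	err = os.MkdirAll(dir, mode)
	if err != nil {
		return err
	}
	mqmUID, mqmGID, err := command.LookupMQM()
	if err != nil {
		log.Error(err)
		return err
	}
	err = os.Chown(dir, mqmUID, mqmGID)
	if err != nil {
		log.Error(err)
	}
	return err
}

func createWebConsoleTLSDirStructure() error {
	return ensureMQMDir("/run/tls", 0770)
}

func createDevTLSDir() error {
	// TODO: Use a persisted file (on the volume) instead?
	return ensureMQMDir("/run/runmqdevserver/tls", 0770)
}
```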


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2017, 2018 © Copyright IBM Corporation 2017, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -138,6 +138,9 @@ func logDiagnostics() {
out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data") out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
log.Debugf("/mnt/mqm/data:\n%s", out) log.Debugf("/mnt/mqm/data:\n%s", out)
// #nosec G104 // #nosec G104
out, _, _ = command.Run("ls", "-l", "/etc/mqm")
log.Debugf("/etc/mqm:\n%s", out)
// #nosec G104
out, _, _ = command.Run("ls", "-l", "/var/mqm") out, _, _ = command.Run("ls", "-l", "/var/mqm")
log.Debugf("/var/mqm:\n%s", out) log.Debugf("/var/mqm:\n%s", out)
// #nosec G104 // #nosec G104


@@ -104,6 +104,20 @@ func doMain() error {
return err return err
} }
err = createWebConsoleTLSDirStructure()
if err != nil {
logTermination(err)
return err
}
if *devFlag == true {
err = createDevTLSDir()
if err != nil {
logTermination(err)
return err
}
}
// If init flag is set, exit now // If init flag is set, exit now
if *initFlag { if *initFlag {
return nil return nil
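Review bot: `if *devFlag == true` compares a bool with `true`; idiomatic Go is `if *devFlag {`. The preceding `createWebConsoleTLSDirStructure()` call has no guard, so /run/tls is created even when `MQ_DISABLE_WEB_CONSOLE` later makes postInit skip the web server; that is harmless as far as this hunk shows, but a one-line comment stating that the directory is created regardless of the web console setting would record the intent. doMain starts and ends outside the hunk.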


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -1,5 +1,3 @@
// +build mqdev
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018
@@ -22,18 +20,26 @@ import (
) )
// postInit is run after /var/mqm is set up // postInit is run after /var/mqm is set up
// This version of postInit is only included as part of the MQ Advanced for Developers build
func postInit(name string) error { func postInit(name string) error {
disable := os.Getenv("MQ_DISABLE_WEB_CONSOLE") disable := os.Getenv("MQ_DISABLE_WEB_CONSOLE")
if disable != "true" && disable != "1" { if disable != "true" && disable != "1" {
// Configure Single-Sign-On for the web server (if enabled)
enableSSO := os.Getenv("MQ_ENABLE_SSO")
if enableSSO == "true" || enableSSO == "1" {
err := configureSSO()
if err != nil {
return err
}
}
// Configure the web server (if installed) // Configure the web server (if installed)
err := configureWebServer() err := configureWebServer()
if err != nil { if err != nil {
return err return err
} }
// Start the web server, in the background (if installed) // Start the web server, in the background (if installed)
// WARNING: No error handling or health checking available for the web server, // WARNING: No error handling or health checking available for the web server
// which is why it's limited to use with MQ Advanced for Developers only
go func() { go func() {
startWebServer() startWebServer()
}() }()
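Review bot: The new comment `// This version of postInit is only included as part of the MQ Advanced for Developers build` is no longer enforced by anything, because the same hunk drops the `// +build mqdev` constraint (and the L594 section deletes the `!mqdev` stub), so inclusion now rests solely on which command package the file lives in; either keep the constraint or reword the comment to name the binary this postInit belongs to. The `MQ_ENABLE_SSO` test repeats the `== "true" || == "1"` idiom already used for `MQ_DISABLE_WEB_CONSOLE` a few lines above; a small `envTrue(name string) bool` helper would keep the two checks consistent. postInit's body continues outside the hunk.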


@@ -1,22 +0,0 @@
// +build !mqdev
/*
© Copyright IBM Corporation 2018
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
func postInit(name string) error {
return nil
}


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -16,12 +16,11 @@ limitations under the License.
package main package main
import ( import (
"bytes" "io"
"io/ioutil" "io/ioutil"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"regexp"
"strings" "strings"
"github.com/ibm-messaging/mq-container/internal/command" "github.com/ibm-messaging/mq-container/internal/command"
@@ -35,6 +34,7 @@ func createDirStructure() error {
return err return err
} }
log.Println("Created directory structure under /var/mqm") log.Println("Created directory structure under /var/mqm")
return nil return nil
} }
@@ -87,35 +87,43 @@ func configureQueueManager() error {
log.Println(err) log.Println(err)
return err return err
} }
for _, file := range files { for _, file := range files {
if strings.HasSuffix(file.Name(), ".mqsc") { if strings.HasSuffix(file.Name(), ".mqsc") {
abs := filepath.Join(configDir, file.Name()) abs := filepath.Join(configDir, file.Name())
// #nosec G204 // #nosec G204
cmd := exec.Command("runmqsc") cmd := exec.Command("runmqsc")
// Read mqsc file into variable stdin, err := cmd.StdinPipe()
mqsc, err := ioutil.ReadFile(abs)
if err != nil { if err != nil {
log.Printf("Error reading file %v: %v", abs, err) log.Println(err)
continue return err
} }
// Write mqsc to buffer // Open the MQSC file for reading
var buffer bytes.Buffer // #nosec G304
_, err = buffer.Write(mqsc) f, err := os.Open(abs)
if err != nil { if err != nil {
log.Printf("Error writing MQSC file %v to buffer: %v", abs, err) log.Printf("Error opening %v: %v", abs, err)
continue
} }
// Buffer mqsc to stdin of runmqsc // Copy the contents to stdin of the runmqsc process
cmd.Stdin = &buffer _, err = io.Copy(stdin, f)
// Run runmqsc command if err != nil {
log.Errorf("Error reading %v: %v", abs, err)
}
err = f.Close()
if err != nil {
log.Errorf("Failed to close MQSC file handle: %v", err)
}
err = stdin.Close()
if err != nil {
log.Errorf("Failed to close MQSC stdin: %v", err)
}
// Run the command and wait for completion
out, err := cmd.CombinedOutput() out, err := cmd.CombinedOutput()
if err != nil { if err != nil {
log.Errorf("Error running MQSC file %v (%v):\n\t%v", file.Name(), err, formatMQSCOutput(string(out))) log.Errorf("Error running MQSC file %v (%v):\n\t%v", file.Name(), err, strings.Replace(string(out), "\n", "\n\t", -1))
continue
} else {
// Print the runmqsc output, adding tab characters to make it more readable as part of the log
log.Printf("Output for \"runmqsc\" with %v:\n\t%v", abs, formatMQSCOutput(string(out)))
} }
// Print the runmqsc output, adding tab characters to make it more readable as part of the log
log.Printf("Output for \"runmqsc\" with %v:\n\t%v", abs, strings.Replace(string(out), "\n", "\n\t", -1))
} }
} }
return nil return nil
@@ -131,16 +139,3 @@ func stopQueueManager(name string) error {
log.Println("Stopped queue manager") log.Println("Stopped queue manager")
return nil return nil
} }
func formatMQSCOutput(out string) string {
// redact sensitive information
pattern, _ := regexp.Compile("(?i)LDAPPWD\\s*?\\((.*?)\\)")
out = pattern.ReplaceAllString(out, "LDAPPWD(*********)")
pattern, _ = regexp.Compile("(?i)PASSWORD\\s*?\\((.*?)\\)")
out = pattern.ReplaceAllString(out, "PASSWORD(*********)")
pattern, _ = regexp.Compile("(?i)SSLCRYP\\s*?\\((.*?)\\)")
out = pattern.ReplaceAllString(out, "SSLCRYP(*********)")
// add tab characters to make it more readable as part of the log
return strings.Replace(string(out), "\n", "\n\t", -1)
}
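Review bot: In configureQueueManager the MQSC file is copied into the runmqsc stdin pipe (`io.Copy(stdin, f)`) before `cmd.CombinedOutput()` starts the process, so nothing reads the pipe while the copy runs; a file larger than the kernel pipe buffer (typically 64 KiB on Linux) would block io.Copy indefinitely, which is presumably what the removed TestLargeMQSC at the L1289 section exercised. Since os/exec accepts an *os.File as Stdin, `cmd.Stdin = f` placed before `cmd.CombinedOutput()` (with `f.Close()` after it) replaces the StdinPipe, io.Copy and stdin.Close block and lets the runtime pump the data. Separately, both log lines now format the output with plain `strings.Replace`, so any `LDAPPWD(...)`, `PASSWORD(...)` or `SSLCRYP(...)` values in an MQSC file reach the container log unredacted; the removed formatMQSCOutput (and the removed TestRedactMQSC in the same L1289 section) covered exactly this, and a redaction step should stay in front of both log calls. Also, when os.Open fails the loop no longer `continue`s, so runmqsc is still run with a nil file.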


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2017, 2018 © Copyright IBM Corporation 2017, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -1,5 +1,3 @@
// +build mqdev
/* /*
© Copyright IBM Corporation 2018, 2019 © Copyright IBM Corporation 2018, 2019
@@ -25,9 +23,12 @@ import (
"os/user" "os/user"
"path/filepath" "path/filepath"
"strconv" "strconv"
"strings"
"syscall" "syscall"
"github.com/ibm-messaging/mq-container/internal/command" "github.com/ibm-messaging/mq-container/internal/command"
"github.com/ibm-messaging/mq-container/internal/keystore"
"github.com/ibm-messaging/mq-container/internal/mqtemplate"
) )
func startWebServer() error { func startWebServer() error {
@@ -90,6 +91,82 @@ func CopyFile(src, dest string) error {
return err return err
} }
func configureSSO() error {
// Ensure all required environment variables are set for SSO
requiredEnvVars := []string{
"MQ_WEB_ADMIN_USERS",
"MQ_OIDC_CLIENT_ID",
"MQ_OIDC_CLIENT_SECRET",
"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
"MQ_OIDC_AUTHORIZATION_ENDPOINT",
"MQ_OIDC_TOKEN_ENDPOINT",
"MQ_OIDC_JWK_ENDPOINT",
"MQ_OIDC_ISSUER_IDENTIFIER",
"MQ_OIDC_CERTIFICATE",
}
for _, envVar := range requiredEnvVars {
if len(os.Getenv(envVar)) == 0 {
return fmt.Errorf("%v must be set when MQ_ENABLE_SSO=true", envVar)
}
}
// Check mqweb directory exists
const mqwebDir string = "/etc/mqm/web/installations/Installation1/servers/mqweb"
_, err := os.Stat(mqwebDir)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return err
}
// Process SSO template for generating file mqwebuser.xml
adminUsers := strings.Split(os.Getenv("MQ_WEB_ADMIN_USERS"), "\n")
err = mqtemplate.ProcessTemplateFile(mqwebDir+"/mqwebuser.xml.tpl", mqwebDir+"/mqwebuser.xml", map[string][]string{"AdminUser": adminUsers}, log)
if err != nil {
return err
}
// Configure SSO TLS
return configureSSO_TLS()
}
func configureSSO_TLS() error {
// Create tls directory
dir := "/run/tls"
mntdir := "/mnt/tls/"
// Setup key store & trust store
ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), "password")
ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), "password")
log.Debug("Creating key store")
err := ks.Create(log)
if err != nil {
return err
}
log.Debug("Creating trust store")
err = ts.Create(log)
if err != nil {
return err
}
log.Debug("Generating PKCS12 file")
err = ks.GeneratePKCS12(filepath.Join(mntdir, "tls.key"), filepath.Join(mntdir, "tls.crt"), filepath.Join(dir, "tls.p12"), "default", "password")
if err != nil {
return err
}
log.Debug("Importing certificate into key store")
err = ks.Import(filepath.Join(dir, "tls.p12"), "password")
if err != nil {
return err
}
log.Debug("Adding OIDC certificate to trust store")
err = ts.Add(os.Getenv("MQ_OIDC_CERTIFICATE"), "OIDC")
return err
}
func configureWebServer() error { func configureWebServer() error {
_, err := os.Stat("/opt/mqm/bin/strmqweb") _, err := os.Stat("/opt/mqm/bin/strmqweb")
if err != nil { if err != nil {
@@ -106,10 +183,6 @@ func configureWebServer() error {
} }
return err return err
} }
uid, gid, err := command.LookupMQM()
if err != nil {
return err
}
const prefix string = "/etc/mqm/web" const prefix string = "/etc/mqm/web"
err = filepath.Walk(prefix, func(from string, info os.FileInfo, err error) error { err = filepath.Walk(prefix, func(from string, info os.FileInfo, err error) error {
if err != nil { if err != nil {
@@ -145,10 +218,6 @@ func configureWebServer() error {
return err return err
} }
} }
err = os.Chown(to, uid, gid)
if err != nil {
return err
}
return nil return nil
}) })
return err return err
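Review bot: configureSSO_TLS protects both JKS stores under /run/tls and the generated PKCS12 with the literal `"password"` (four occurrences), whereas the developer configuration in the L922 section reads its store password from `${env.MQ_TLS_PASSPHRASE}`; if the SSO template embeds the same literal, the key material is guarded only by file permissions, so consider taking the password from an environment variable or generating it at startup as the dev path does. `strings.Split(os.Getenv("MQ_WEB_ADMIN_USERS"), "\n")` yields an empty trailing element when the variable ends with a newline, which would presumably be rendered as an empty admin user by the template; filtering blank entries after the split avoids that. When SSO is explicitly enabled but the mqweb directory is absent, configureSSO returns nil without logging, which hides a misconfiguration — at least a `log.Printf` on that path would help. As a point of Go style, `configureSSO_TLS` should be `configureSSOTLS` (no underscores in identifiers).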


@@ -16,10 +16,10 @@ docker run \
--env LICENSE=accept \ --env LICENSE=accept \
--env MQ_QMGR_NAME=QM1 \ --env MQ_QMGR_NAME=QM1 \
--detach \ --detach \
mqadvanced-server:9.1.2.0-x86_64-ubuntu-16.04 mqadvanced-server:9.1.1.0-x86_64-ubuntu-16.04
``` ```
The MQ Advanced for Developers image does require the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux). This is because it uses the "sudo" command to change passwords inside the container. For example, in Docker, you could do the following: The MQ Advanced for Developers image does requires the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux). This is because it uses the "sudo" command to change passwords inside the container. For example, in Docker, you could do the following:
```sh ```sh
docker run \ docker run \
@@ -31,7 +31,7 @@ docker run \
--env LICENSE=accept \ --env LICENSE=accept \
--env MQ_QMGR_NAME=QM1 \ --env MQ_QMGR_NAME=QM1 \
--detach \ --detach \
mqadvanced-server-dev:9.1.2.0-x86_64-ubuntu-16.04 mqadvanced-server-dev:9.1.1.0-x86_64-ubuntu-16.04
``` ```
### SELinux ### SELinux


@@ -31,7 +31,7 @@ make test-advancedserver
You can specify the image to use directly by using the `MQ_IMAGE_ADVANCEDSERVER` or `MQ_IMAGE_DEVSERVER` variables, for example: You can specify the image to use directly by using the `MQ_IMAGE_ADVANCEDSERVER` or `MQ_IMAGE_DEVSERVER` variables, for example:
``` ```
MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.2.0-x86_64-ubuntu-16.04 make test-advancedserver MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.1.0-x86_64-ubuntu-16.04 make test-advancedserver
``` ```
You can pass parameters to `go test` with an environment variable. For example, to run the "TestGoldenPath" test, run the following command:: You can pass parameters to `go test` with an environment variable. For example, to run the "TestGoldenPath" test, run the following command::
@@ -40,10 +40,10 @@ You can pass parameters to `go test` with an environment variable. For example,
TEST_OPTS_DOCKER="-run TestGoldenPath" make test-advancedserver TEST_OPTS_DOCKER="-run TestGoldenPath" make test-advancedserver
``` ```
You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.2.0-x86_64-ubuntu-16.04`: You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.0.0-x86_64-ubuntu-16.04`:
``` ```
MQ_VERSION=9.1.2.0 make test-advancedserver MQ_VERSION=9.1.0.0 make test-advancedserver
``` ```
### Running the Docker tests with code coverage ### Running the Docker tests with code coverage


@@ -12,8 +12,8 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
ARG BASE_IMAGE=mqadvanced-server-dev-base:9.1.2.0-x86_64-ubuntu-16.04 ARG BASE_IMAGE=mqadvanced-server-dev-base:9.1.1.0-x86_64-ubuntu-16.04
ARG BUILDER_IMAGE=mq-golang-sdk:9.1.2.0-x86_64-ubuntu-16.04 ARG BUILDER_IMAGE=mq-golang-sdk:9.1.1.0-x86_64-ubuntu-16.04
############################################################################### ###############################################################################
# Build stage to build Go code # Build stage to build Go code
@@ -79,8 +79,6 @@ RUN chown -R mqm:mqm /etc/mqm/* \
&& chmod +x /usr/local/bin/runmq* \ && chmod +x /usr/local/bin/runmq* \
&& install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver && install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver
EXPOSE 9443
USER $MQM_UID USER $MQM_UID
ENTRYPOINT ["runmqdevserver"] ENTRYPOINT ["runmqdevserver"]
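Review bot: `EXPOSE 9443` is dropped from this Dockerfile while the RHEL build at the L1240 section adds `--port 9443/tcp`, and this image's `runmqdevserver` entrypoint is presumably the one that starts the web console on the new side; unless the console is intentionally not advertised here, keep `EXPOSE 9443` so the two images describe the same ports. EXPOSE is metadata only, so this does not change whether the port is reachable, but it is what `docker port` and orchestration tooling read.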


@@ -1,5 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<server> <server>
<!-- ****************************************************************** -->
<!-- -->
<!-- IBM MQ security configuration for MQ Console and REST API. -->
<!-- -->
<!-- Name: mqwebuser.xml -->
<!-- -->
<!-- Description: Default webconsole configuration -->
<!-- -->
<!-- ****************************************************************** -->
<!-- <copyright -->
<!-- notice='lm-source-program' -->
<!-- pids='5724-H72' -->
<!-- years='2018,2019' -->
<!-- crc='0' > -->
<!-- -->
<!-- Licensed Materials - Property of IBM -->
<!-- -->
<!-- 5724-H72 -->
<!-- -->
<!-- (C) Copyright IBM Corp. 2018, 2019 All Rights Reserved. -->
<!-- -->
<!-- US Government Users Restricted Rights - Use, duplication or -->
<!-- disclosure restricted by GSA ADP Schedule Contract with -->
<!-- IBM Corp. -->
<!-- </copyright> -->
<featureManager> <featureManager>
<feature>appSecurity-2.0</feature> <feature>appSecurity-2.0</feature>
<feature>basicAuthenticationMQ-1.0</feature> <feature>basicAuthenticationMQ-1.0</feature>
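Review bot: The added header marks mqwebuser.xml as `Licensed Materials - Property of IBM` with US Government restricted-rights wording, while every other file in this compare carries the Apache License 2.0 header; the same block is added to the second XML file at the L922 section. If these files are meant to stay under the repository's Apache licence, replace the header with the Apache one used elsewhere; if the proprietary header is intentional, it deserves a sentence in the repository's licence notes so the mixed licensing is explicit.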


@@ -1,5 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<server> <server>
<!-- ****************************************************************** -->
<!-- -->
<!-- IBM MQ security configuration for MQ Console and REST API. -->
<!-- -->
<!-- Name: mqwebuser.xml -->
<!-- -->
<!-- Description: Default webconsole configuration -->
<!-- -->
<!-- ****************************************************************** -->
<!-- <copyright -->
<!-- notice='lm-source-program' -->
<!-- pids='5724-H72' -->
<!-- years='2018,2019' -->
<!-- crc='0' > -->
<!-- -->
<!-- Licensed Materials - Property of IBM -->
<!-- -->
<!-- 5724-H72 -->
<!-- -->
<!-- (C) Copyright IBM Corp. 2018, 2019 All Rights Reserved. -->
<!-- -->
<!-- US Government Users Restricted Rights - Use, duplication or -->
<!-- disclosure restricted by GSA ADP Schedule Contract with -->
<!-- IBM Corp. -->
<!-- </copyright> -->
<keyStore id="MQWebKeyStore" location="/run/runmqdevserver/tls/key.jks" type="JKS" password="${env.MQ_TLS_PASSPHRASE}"/> <keyStore id="MQWebKeyStore" location="/run/runmqdevserver/tls/key.jks" type="JKS" password="${env.MQ_TLS_PASSPHRASE}"/>
<keyStore id="MQWebTrustStore" location="/run/runmqdevserver/tls/trust.jks" type="JKS" password="${env.MQ_TLS_PASSPHRASE}"/> <keyStore id="MQWebTrustStore" location="/run/runmqdevserver/tls/trust.jks" type="JKS" password="${env.MQ_TLS_PASSPHRASE}"/>
<ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="MQWebKeyStore" trustStoreRef="MQWebTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="devcert"/> <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="MQWebKeyStore" trustStoreRef="MQWebTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="devcert"/>


@@ -25,8 +25,8 @@ test -f /usr/bin/apt-get && UBUNTU=true || UBUNTU=false
# If MQ_PACKAGES isn't specifically set, then choose a valid set of defaults # If MQ_PACKAGES isn't specifically set, then choose a valid set of defaults
if [ -z "$MQ_PACKAGES" ]; then if [ -z "$MQ_PACKAGES" ]; then
$UBUNTU && MQ_PACKAGES="ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-ams" $UBUNTU && MQ_PACKAGES="ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-ams ibmmq-web"
$RHEL && MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm" $RHEL && MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm"
fi fi
if ($UBUNTU); then if ($UBUNTU); then
@@ -65,7 +65,8 @@ if ($UBUNTU); then
procps \ procps \
sed \ sed \
tar \ tar \
util-linux util-linux \
openssl
fi fi
# Install additional packages required by MQ, this install process and the runtime scripts # Install additional packages required by MQ, this install process and the runtime scripts
@@ -84,7 +85,8 @@ $RHEL && yum -y install \
procps-ng \ procps-ng \
sed \ sed \
tar \ tar \
util-linux util-linux \
openssl
# Download and extract the MQ installation files # Download and extract the MQ installation files
DIR_EXTRACT=/tmp/mq DIR_EXTRACT=/tmp/mq


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2017, 2018 © Copyright IBM Corporation 2017, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@@ -13,7 +13,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package main
// Package keystore contains code to create and update keystores
package keystore
import ( import (
"bufio" "bufio"
@@ -23,6 +25,7 @@ import (
"strings" "strings"
"github.com/ibm-messaging/mq-container/internal/command" "github.com/ibm-messaging/mq-container/internal/command"
"github.com/ibm-messaging/mq-container/internal/logger"
) )
// KeyStore describes information about a keystore file // KeyStore describes information about a keystore file
@@ -54,7 +57,7 @@ func NewCMSKeyStore(filename, password string) *KeyStore {
} }
// Create a key store, if it doesn't already exist // Create a key store, if it doesn't already exist
func (ks *KeyStore) Create() error { func (ks *KeyStore) Create(log *logger.Logger) error {
_, err := os.Stat(ks.Filename) _, err := os.Stat(ks.Filename)
if err == nil { if err == nil {
// Keystore already exists so we should refresh it by deleting it. // Keystore already exists so we should refresh it by deleting it.
@@ -96,22 +99,11 @@ func (ks *KeyStore) Create() error {
if err != nil { if err != nil {
return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out) return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
} }
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(ks.Filename, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
return nil return nil
} }
// CreateStash creates a key stash, if it doesn't already exist // CreateStash creates a key stash, if it doesn't already exist
func (ks *KeyStore) CreateStash() error { func (ks *KeyStore) CreateStash(log *logger.Logger) error {
extension := filepath.Ext(ks.Filename) extension := filepath.Ext(ks.Filename)
stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth" stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
log.Debugf("TLS stash file: %v", stashFile) log.Debugf("TLS stash file: %v", stashFile)
@@ -125,15 +117,14 @@ func (ks *KeyStore) CreateStash() error {
} }
return err return err
} }
mqmUID, mqmGID, err := command.LookupMQM() return nil
}
// GeneratePKCS12 generates a PKCS12 file
func (ks *KeyStore) GeneratePKCS12(keyFile, crtFile, pkcs12File, label, password string) error {
out, _, err := command.Run("openssl", "pkcs12", "-export", "-inkey", keyFile, "-in", crtFile, "-out", pkcs12File, "-name", label, "-passout", "pass:"+password)
if err != nil { if err != nil {
log.Error(err) return fmt.Errorf("error running \"openssl pkcs12 -export\": %v %s", err, out)
return err
}
err = os.Chown(stashFile, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
} }
return nil return nil
} }
@@ -147,6 +138,24 @@ func (ks *KeyStore) Import(inputFile, password string) error {
return nil return nil
} }
// CreateSelfSignedCertificate creates a self-signed certificate in the keystore
func (ks *KeyStore) CreateSelfSignedCertificate(label, dn string) error {
out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn)
if err != nil {
return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
}
return nil
}
// Add adds a CA certificate to the keystore
func (ks *KeyStore) Add(inputFile, label string) error {
out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
if err != nil {
return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
}
return nil
}
// GetCertificateLabels returns the labels of all certificates in the key store // GetCertificateLabels returns the labels of all certificates in the key store
func (ks *KeyStore) GetCertificateLabels() ([]string, error) { func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password) out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
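Review bot: GeneratePKCS12 passes the export password on the openssl command line as `-passout pass:<password>`, which is readable by every process in the container via /proc/<pid>/cmdline for the duration of the run. openssl also accepts `-passout env:VAR` (or `file:`/`fd:`), so if command.Run can set the child's environment, pass the password that way; if it cannot, note the exposure in the method's doc comment so callers do not assume the value stays private. The new Add and CreateSelfSignedCertificate methods pass `-pw ks.Password` on argv as well, following the existing `ks.command` pattern in this file, so the same caveat applies there. GetCertificateLabels continues outside the hunk.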


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -1,5 +1,5 @@
/* /*
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.


@@ -13,20 +13,21 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package main
// Package mqtemplate contains code to process template files
package mqtemplate
import ( import (
"os" "os"
"path" "path"
"text/template" "text/template"
"github.com/ibm-messaging/mq-container/internal/command" "github.com/ibm-messaging/mq-container/internal/logger"
) )
// processTemplateFile takes a Go templateFile, and processes it with the // ProcessTemplateFile takes a Go templateFile, and processes it with the
// supplied data, writing to destFile // supplied data, writing to destFile
func processTemplateFile(templateFile, destFile string, data interface{}) error { func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *logger.Logger) error {
// Re-configure channel if app password not set
t, err := template.ParseFiles(templateFile) t, err := template.ParseFiles(templateFile)
if err != nil { if err != nil {
log.Error(err) log.Error(err)
@@ -42,16 +43,6 @@ func processTemplateFile(templateFile, destFile string, data interface{}) error
log.Error(err) log.Error(err)
return err return err
} }
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(dir, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
} else { } else {
return err return err
} }
@@ -64,15 +55,5 @@ func processTemplateFile(templateFile, destFile string, data interface{}) error
log.Error(err) log.Error(err)
return err return err
} }
mqmUID, mqmGID, err := command.LookupMQM()
if err != nil {
log.Error(err)
return err
}
err = os.Chown(destFile, mqmUID, mqmGID)
if err != nil {
log.Error(err)
return err
}
return nil return nil
} }
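Review bot: ProcessTemplateFile is now exported and takes a `log *logger.Logger` parameter, but its doc comment still describes only templateFile, destFile and data; since it calls `log.Error(err)` on every failure path, a nil logger would very likely panic, so say so in the comment, e.g. `// supplied data, writing to destFile. Errors are reported via log (which must be non-nil) before being returned.` The function body spans several hunks and continues outside this one.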


@@ -1,29 +0,0 @@
# © Copyright IBM Corporation 2018, 2019
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
image: ibmcom/mq:9.1.2.0
manifests:
- image: ibmcom/mq:9.1.2.0-x86_64
platform:
architecture: amd64
os: linux
- image: ibmcom/mq:9.1.2.0-ppc64le
platform:
architecture: ppc64le
os: linux
- image: ibmcom/mq:9.1.2.0-s390x
platform:
architecture: s390x
os: linux


@@ -1,4 +1,4 @@
# © Copyright IBM Corporation 2018, 2019 # © Copyright IBM Corporation 2018
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@@ -14,15 +14,15 @@
image: ibmcom/mq:latest image: ibmcom/mq:latest
manifests: manifests:
- image: ibmcom/mq:9.1.2.0-x86_64 - image: ibmcom/mq:9.1.1.0-x86_64
platform: platform:
architecture: amd64 architecture: amd64
os: linux os: linux
- image: ibmcom/mq:9.1.2.0-ppc64le - image: ibmcom/mq:9.1.1.0-ppc64le
platform: platform:
architecture: ppc64le architecture: ppc64le
os: linux os: linux
- image: ibmcom/mq:9.1.2.0-s390x - image: ibmcom/mq:9.1.1.0-s390x
platform: platform:
architecture: s390x architecture: s390x
os: linux os: linux


@@ -1,29 +0,0 @@
# © Copyright IBM Corporation 2018, 2019
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
image: ibmcorp/mqadvanced-server-dev:9.1.2.0
manifests:
- image: ibmcorp/mqadvanced-server-dev:9.1.2.0-x86_64
platform:
architecture: amd64
os: linux
- image: ibmcorp/mqadvanced-server-dev:9.1.2.0-ppc64le
platform:
architecture: ppc64le
os: linux
- image: ibmcorp/mqadvanced-server-dev:9.1.2.0-s390x
platform:
architecture: s390x
os: linux


@@ -86,6 +86,7 @@ buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install \
shadow-utils \ shadow-utils \
tar \ tar \
util-linux \ util-linux \
openssl \
which which
# Install "sudo" if using MQ Advanced for Developers # Install "sudo" if using MQ Advanced for Developers
@@ -121,6 +122,12 @@ buildah run --user root $ctr_mq -- chmod 0660 /run/termination-log
install --mode 0550 --owner root --group root ./mq-advanced-server-rhel/writePackages.sh ${mnt_mq}/usr/local/bin/writePackages install --mode 0550 --owner root --group root ./mq-advanced-server-rhel/writePackages.sh ${mnt_mq}/usr/local/bin/writePackages
buildah run --user root $ctr_mq -- /usr/local/bin/writePackages buildah run --user root $ctr_mq -- /usr/local/bin/writePackages
# Copy web XML files
cp -R web ${mnt_mq}/etc/mqm/web
# Copy web XML files
cp -R web ${mnt_mq}/etc/mqm/web
############################################################################### ###############################################################################
# Final Buildah commands # Final Buildah commands
############################################################################### ###############################################################################
@@ -138,6 +145,7 @@ fi
buildah config \ buildah config \
--port 1414/tcp \ --port 1414/tcp \
--port 9157/tcp \ --port 9157/tcp \
--port 9443/tcp \
--os linux \ --os linux \
--label architecture=x86_64 \ --label architecture=x86_64 \
--label io.openshift.tags="$OSTAG" \ --label io.openshift.tags="$OSTAG" \
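Review bot: The `# Copy web XML files` / `cp -R web ${mnt_mq}/etc/mqm/web` pair is added twice in this hunk; on the second run the destination already exists as a directory, so `cp -R` copies `web` into it and leaves an unintended `${mnt_mq}/etc/mqm/web/web` tree. Drop the duplicate, and if `${mnt_mq}/etc/mqm/web` can already exist from the package install, use `cp -R web/. ${mnt_mq}/etc/mqm/web` (or `mkdir -p` followed by `cp -R web/* …`) so the result is the same either way. The dev build at the L1268 section has the same single-copy shape and presumably the same directory-exists caveat.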


@@ -78,12 +78,7 @@ install --directory --mode 0775 --owner ${mqm_uid} --group 0 ${mnt_mq}/run/runmq
cp ./incubating/mqadvanced-server-dev/*.tpl ${mnt_mq}/etc/mqm/ cp ./incubating/mqadvanced-server-dev/*.tpl ${mnt_mq}/etc/mqm/
# Copy web XML files for default developer configuration # Copy web XML files for default developer configuration
mkdir --parents ${mnt_mq}/etc/mqm/web cp -R incubating/mqadvanced-server-dev/web/ ${mnt_mq}/etc/mqm/web
cp --recursive ./incubating/mqadvanced-server-dev/web/* ${mnt_mq}/etc/mqm/web/
# Make "mqm" the owner of all the config files
chown --recursive ${mqm_uid}:${mqm_gid} ${mnt_mq}/etc/mqm/*
chmod --recursive 0750 ${mnt_mq}/etc/mqm/*
############################################################################### ###############################################################################
# Final Buildah commands # Final Buildah commands
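Review bot: Dropping `chown --recursive ${mqm_uid}:${mqm_gid} ${mnt_mq}/etc/mqm/*` and `chmod --recursive 0750 ${mnt_mq}/etc/mqm/*` leaves the copied templates and web XML with whatever owner and mode `cp` gives them in the build container, i.e. root-owned with the checkout's permissions. Since the runtime user is non-root after this change and configureSSO in the L721 section writes mqwebuser.xml under /etc/mqm/web at startup, confirm that directory is writable by the runtime uid or group 0 (for example via an `install --directory --mode 0775 --group 0` step like the one used for /run/runmqdevserver at the top of this hunk); otherwise that write will fail with EACCES. The previous 0750 also kept world-read off /etc/mqm, so with cp's default modes these config files may now be world-readable inside the container.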


@@ -1,4 +1,4 @@
# © Copyright IBM Corporation 2017, 2018 # © Copyright IBM Corporation 2017, 2019
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.


@@ -554,102 +554,6 @@ func TestMQSC(t *testing.T) {
} }
} }
// TestLargeMQSC creates a new image with a large MQSC file in, starts a container based
// on that image, and checks that the MQSC has been applied correctly.
func TestLargeMQSC(t *testing.T) {
t.Parallel()
cli, err := client.NewEnvClient()
if err != nil {
t.Fatal(err)
}
const numQueues = 1000
var buf bytes.Buffer
for i := 1; i <= numQueues; i++ {
fmt.Fprintf(&buf, "* Test processing of a large MQSC file, defining queue test%v\nDEFINE QLOCAL(test%v)\n", i, i)
}
var files = []struct {
Name, Body string
}{
{"Dockerfile", fmt.Sprintf(`
FROM %v
USER root
RUN rm -f /etc/mqm/*.mqsc
ADD test.mqsc /etc/mqm/
RUN chmod 0660 /etc/mqm/test.mqsc
USER mqm`, imageName())},
{"test.mqsc", buf.String()},
}
tag := createImage(t, cli, files)
defer deleteImage(t, cli, tag)
containerConfig := container.Config{
Env: []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
Image: tag,
}
id := runContainer(t, cli, &containerConfig)
defer cleanContainer(t, cli, id)
waitForReady(t, cli, id)
rc, mqscOutput := execContainer(t, cli, id, "mqm", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test" + strconv.Itoa(numQueues) + ")' | runmqsc"})
if rc != 0 {
r := regexp.MustCompile("AMQ[0-9][0-9][0-9][0-9]E")
t.Fatalf("Expected runmqsc to exit with rc=0, got %v with error %v", rc, r.FindString(mqscOutput))
}
}
// TestRedactMQSC creates a new image with a MQSC file that contains sensitive information, starts a container based
// on that image, and checks that the MQSC has been redacted in the logs.
func TestRedactMQSC(t *testing.T) {
t.Parallel()
cli, err := client.NewEnvClient()
if err != nil {
t.Fatal(err)
}
var buf bytes.Buffer
sslcryp := "GSK_PKCS11=/usr/lib/pkcs11/PKCS11_API.so;token-label;token-password;SYMMETRIC_CIPHER_ON;"
fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) LDAPPWD(abcdefgh) B(2) PASSWORD(abcdefgh) C(3) SSLCRYP(%v) D(4)\n", sslcryp)
fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) ldappwd(12345678) B(2) password(12345678) C(3) sslcryp(%v) D(4)\n", sslcryp)
fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) LdapPwd('12?@!$Gh') B(2) Password('12?@!$Gh') C(3) SSLCryp(%v) D(4)\n", sslcryp)
fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) LDAPPWD (abcdefgh) B(2) PASSWORD\t(abcdefgh) C(3) SSLCRYP \t (%v) D(4)", sslcryp)
var files = []struct {
Name, Body string
}{
{"Dockerfile", fmt.Sprintf(`
FROM %v
USER root
RUN rm -f /etc/mqm/*.mqsc
ADD test.mqsc /etc/mqm/
RUN chmod 0660 /etc/mqm/test.mqsc
USER mqm`, imageName())},
{"test.mqsc", buf.String()},
}
tag := createImage(t, cli, files)
defer deleteImage(t, cli, tag)
containerConfig := container.Config{
Env: []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
Image: tag,
}
id := runContainer(t, cli, &containerConfig)
defer cleanContainer(t, cli, id)
waitForReady(t, cli, id)
stopContainer(t, cli, id)
scanner := bufio.NewScanner(strings.NewReader(inspectLogs(t, cli, id)))
expectedOutput := "*TEST-REDACT-MQSC: A(1) LDAPPWD(*********) B(2) PASSWORD(*********) C(3) SSLCRYP(*********) D(4)"
for scanner.Scan() {
s := scanner.Text()
if strings.Contains(s, "*TEST-REDACT-MQSC:") && !strings.Contains(s, expectedOutput) {
t.Fatalf("Expected redacted MQSC output, got: %v", s)
}
}
err = scanner.Err()
if err != nil {
t.Fatal(err)
}
}
// TestInvalidMQSC creates a new image with an MQSC file containing invalid MQSC, // TestInvalidMQSC creates a new image with an MQSC file containing invalid MQSC,
// tries to start a container based on that image, and checks that container terminates // tries to start a container based on that image, and checks that container terminates
// func TestInvalidMQSC(t *testing.T) { // func TestInvalidMQSC(t *testing.T) {


@@ -1,5 +1,5 @@
<!-- <!--
© Copyright IBM Corporation 2018 © Copyright IBM Corporation 2018, 2019
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

Binary file not shown.


@@ -23,7 +23,7 @@ PASSWORD=passw0rd
openssl req \ openssl req \
-newkey rsa:2048 -nodes -keyout ${KEY} \ -newkey rsa:2048 -nodes -keyout ${KEY} \
-subj "/CN=localhost" \ -subj "/CN=localhost" \
-x509 -days 3650 -out ${CERT} -x509 -days 365 -out ${CERT}
# Add the key and certificate to a PKCS #12 key store, for the server to use # Add the key and certificate to a PKCS #12 key store, for the server to use
openssl pkcs12 \ openssl pkcs12 \
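Review bot: Shortening the self-signed certificate lifetime to `-days 365` on the new side means the checked-in dev certificate will start failing TLS handshakes within a year of whenever it was last regenerated; the certificate committed in the next section has UTCTime validity fields that appear to decode to 2018-03-20 through 2019-03-20, which is at or past expiry relative to the commit dates on this page. If the fixture is meant to be long-lived, keeping `-x509 -days 3650 -out ${CERT}` is the simpler option; otherwise generate the key and certificate at test or build time instead of committing them. The hunk context also shows `PASSWORD=passw0rd` for the PKCS #12 store, which is acceptable for a throwaway test fixture but must not be reused by anything that reads these files at runtime. The script's surrounding block starts before and ends after this hunk.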


@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQC6vpJFnfYO6TANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls MIICpDCCAYwCCQDft9xlN4fNFTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMTkwMzIxMTYxMzUxWhcNMjkwMzE4MTYxMzUxWjAUMRIwEAYD b2NhbGhvc3QwHhcNMTgwMzIwMTUxODMwWhcNMTkwMzIwMTUxODMwWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCu VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk
48qtIDwmihFqj2HY3dZjPfROA1MJ+D0c6aEA08ooOczthLB7XdZBQDapj8LFldyt XzX0xQIZzKVX8/lDQh5lSHr5U9cBL+kURA3fEgl3ks9KjZPggfxWl4Y5dekChW/s
4ZMbTkqtF5QtPXmJY0wi39foLYlcGXPL1b7y3mypaFou88BcSM3VmfILKXhNeAlt iknVssoNw9vI1W25qtQ81zRFQbHbpej0lLdYsS8/yZCuAVjMTp6Q9IswTwhVA6OD
rXevnuT5kDU7sLVgKGhGwas20T1MU7d0I3bQ5z5c7egL76Hk9fYucjN6RkbwlrJ3 5orag5dH3XQH+GsnmGXRCY7Gs93onAe3i3ShX9qpUFOJXyxCX+pLAC6kWQ3f/HI8
TrCXrGIziofn3Zq1t51ygv21c80JD3XJ44YmuCrede4rhOS/4NpwRuZyiwpJ6tlv dujVXKsg1vHgOgGqQGwnh8gm5OeWUeuTMdD2v7Hn1OxilgNMbcewA7bpvipgm2xt
0L0QSDGCmt2JT3ty28UAsGznFzC5Qu9KyaR+9Gk4aftiyKxrYWZkgtJmMRU+C1X2 ZD0PKFDmtQ4comr25Oo+eUf1N7jSpRPOWJNxoyS9/coQUPp1Gpbk7khYHjGn7f5a
kFLOHsucGmJswjwubSR7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEdlmXVGy86P EZqQ4Hmwwh50uT+vKVxDAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAHaywC7ZLOi
XIX5a4ZmHQ5Ns4wm7rY8vzUxlymEQ86En1PN1zAO9gV94tLyNeMptjsFEEo/uJhC 3PKlidj6PWe33dEVsDL6RRb3cOqR86Ld2aD91oLrpELRhz4v2mt/GfQMIg7rc6z7
Yvg3l5TIr/WCiY2+2XsSHvnbXrlbF3S0fRHa9VaCMRKjzRT68uq2Y891906YGtUE 26SuPzV/7zZAv1N/vGoIFyvBXWLYP5qCwUrmykcH/wfFM80S6FJxz5Wy5MA5UzTB
m6fCjHqVzX8qaplDf79aVkPydYaYOIZ1a/mCfQcD9XMZ/v5zI9IUDhdoq97bgPhB HdpiQCPu4U0IKgATLDraz0xlQ61Rog56YhgJI8ulHuav5iYxqV2mwU09Hs0kXPJ7
gBOzWLI+hkzyU8jxKAFw1Hwi9lD/P6RXL5arNb/+arOgA3vTW+xGWGevgjVK1Ay9 g0PLRaSyidsXafxBKukeM9QHl8z8HN8er23oqecYo59b/Bt0c6jSrJCK39EUcoLP
81beWiQmn0KbeLZxj+WJ9Nntlf1M4EqPYgsSYs/IlJTYS8W1B0mDJEoovPdFTryY HxR+Ma1SPhVKGqa3lPmaoAzsFTqaJ6fsIcbp+oEFAq0LPeqMPK7u3ygT4iTblAl8
GyIuQEVcjUE= q3isCz4Ytx4=
-----END CERTIFICATE----- -----END CERTIFICATE-----


@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCu48qtIDwmihFq MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkXzX0xQIZzKVX
j2HY3dZjPfROA1MJ+D0c6aEA08ooOczthLB7XdZBQDapj8LFldyt4ZMbTkqtF5Qt 8/lDQh5lSHr5U9cBL+kURA3fEgl3ks9KjZPggfxWl4Y5dekChW/siknVssoNw9vI
PXmJY0wi39foLYlcGXPL1b7y3mypaFou88BcSM3VmfILKXhNeAltrXevnuT5kDU7 1W25qtQ81zRFQbHbpej0lLdYsS8/yZCuAVjMTp6Q9IswTwhVA6OD5orag5dH3XQH
sLVgKGhGwas20T1MU7d0I3bQ5z5c7egL76Hk9fYucjN6RkbwlrJ3TrCXrGIziofn +GsnmGXRCY7Gs93onAe3i3ShX9qpUFOJXyxCX+pLAC6kWQ3f/HI8dujVXKsg1vHg
3Zq1t51ygv21c80JD3XJ44YmuCrede4rhOS/4NpwRuZyiwpJ6tlv0L0QSDGCmt2J OgGqQGwnh8gm5OeWUeuTMdD2v7Hn1OxilgNMbcewA7bpvipgm2xtZD0PKFDmtQ4c
T3ty28UAsGznFzC5Qu9KyaR+9Gk4aftiyKxrYWZkgtJmMRU+C1X2kFLOHsucGmJs omr25Oo+eUf1N7jSpRPOWJNxoyS9/coQUPp1Gpbk7khYHjGn7f5aEZqQ4Hmwwh50
wjwubSR7AgMBAAECggEAH9t6teKjUlngJksMBdcTEGzerb9JRw2jBDtCisYJkx5E uT+vKVxDAgMBAAECggEBAL91kybChCBdEcHLKQ7aP+FqAq9FOtwj7qSu6XI7DPTS
SBfdlftX5fbufiCj2B4eXsYyZ8zxKWqcIUmLdA1Udx3TVIXG+bHhOAYtjEwb+xf5 gDdgurleQM/X+Q/zaoZSmKMWzQ/79KnVqk2VoYgnUAgx5ACsMxCS59slUxFoetRf
JYhdR/IzHG+4eXQKaAIvpXztyl3lU9iC+eaMg4GYzRrGN2wSAG9XgZ5cLF2TLJYU iIxZVLj0sLuWSZsWp0We51eN0Juh9xKo9r435p4rhjDacnjkEwcQyOd4Yy9nzUpk
jPxp7goz9X6V57aL2G/EFlbFsMaI/6cW7+XoRdo0I4N2Z766gz7GgyxtTVwR5Peq GDD5Vu1J9bOOKUQZ0qgjPyl/xWiwD1yfGJ0nHpQ5ucfrCO9p+n7SYsx01WcAkC8J
LjOpqSNS0W57KJxReURfySok9CP1DfyigopsYW8O4jGVDDRLdiN3I8+JhWya2E0j WP9XSXgi5uIefTWb/4m2b32jzjIgzAHkNx6yktRTjBJ7QILnKq1P8JjkNA/Awj4P
96hHpN04Oz6HnMm7bdZDVtkZCOiu6xIzLJJxZ4o+kQKBgQDYqOA/hSod7s7w4LBE OxAz9hHHnVRuq4ZlEqfvo9p9YAbN2IH5TnmN3rGCXwECgYEA9JitVIeXCS0qIMFA
A6Mp+e0//PYH6/N9SKmSIgQNec9bMGI4yanoblMbg4GM1g7pkvjlC0nTdjnUbLkB dKCmm9CT7JXccdpVllwaaYCNTb+G2RBrJqAvQEetoYJodWTIm1mNwSEORFFw0W+N
vIvtVh3XwTIlrZ/4lc7VB23/hmKU+lRc+NJP5fgasAQu0W3+qp2cXo0pnHVwBEku eaMzibJoJ+MZHRhiulDJaY0vwAKHkSJjDPJrPLgGMCUOLiWSAAnR4z35WfeY0e//
Z7FwDPX0JNDIi/Or2I7dt8JojQKBgQDOpU1AnIXv1/cToYK4nz8BWLxRxwLTxy5A JbdZZemrJRyzy3o6rkRN9TQcUMUCgYEA7wTj5w5GZ8NQ7Nn8nIS2ayk+woIMHS+g
ucafNKacPlxb5luZRCExiPZwAM8Z3zI9o99rYXOPQmsnknZWJV66Zx0Vo0yTD1CT RVFufJoBeopsNJfNzGak0s+nz5q0nMGMzQsxXkbmAOLMTU3woQ7cEGjkLAfoch23
DWMUj0ugI1wORNMhwZP6YBYWjAeupyU9a7FyU1Geg4sdQt5rMyAEQOoECc8x8foP ACOe7M4rZbIk6kVNOlFESWdVdWViVd/B2a7oBqOIykoqX6VSqqrw+xghAUmd/2W1
rySHuO/TJwKBgBjMM2ZxymFErQDa5rHSLMGoLmRtgodjlSnYwDfOluIn9/i67/MJ uxjg9v01OWcCgYApE5LYRUUKF3mhspKeg3Q3apnM+4Xf4OjKrYEKArq4OdftkCJO
+d11iyOSCKji8y/+t2gXw6plVLcgfohZWTaf7ah9H006sx2Tn+m4APoHGo9sm21M hEwrIV55Zysfu+Mso6d4rZJ1yq+FnJRHvy6ii0GOoUbQag36eCK7BSjluAcISpwT
uV2Vt7DuRnxJUiqcwo9cLxH9K1/Xzbx299MYWKpJ8G+TvR8FGUz9NE4dAoGAM5gs yopT0hvH7hEpksmoE/4ZiYjcoQYbC5DvxpDO2qURQHa5TzeXmIT3Dt9KeQKBgQC6
KKSsAE1QwFMEG2qPRZvNMTHaL9w8XSbFQ7zWmI4tazihyCutifujZCWfj9sdZSyE UKeOXrRHAhs85ZdiMpk340jGujTTM2LNZfKoMixg5zH9tS9427IzmicHT2LmpoEo
PQBQ5QT1UiUMbMfZ1fqm1V83YERjnsOp6Fk6zZnmgx2GBZiahNn2ydxekqni72nz /EaZZM65dhEnWU/vW/Py3rCuGeP5wGv8Mcgac4OknD7mVusiQGLojSIyhrsmkWs8
HRNWfphjZIPsmqFiLg2zIBz+4X6EK+RT35s6LeMCgYEAwF/9jX8kONW5KKZdoNHa UnkPY76nYTSypd5Qpzt9n4tqw4XjpdcJZxVFso8glQKBgQCHlb15As73En/Q2AxL
opkLpa9qkwTGQ9M3AZiRUjM4rtvggYt8FBEP+3BLDLHqfUOkPq82MCRXm+6Cz+sT 5FY1Q1lLuO8y33ZZIRK4eynOKkbiuAh7X+ONZ4T9NtTm2J7mnltvTHZ7yeOI+VLS
gyPnsPlAh/sr3Pys3olJbUDE9H24k1LU0CI/sSwAFkka0+Q7PVTTe/Dcavitrcrm LrTTBwnnNfdpp8UVPQlwzeizoDqSbr1sjFYvKOfdDDfxuzieT/4tfW9VTAxn4uOg
+fyiT2oSPZeHSjQE9iIW3OY= qpg7aRMUYUuLAH+S5atdOqXB+g==
-----END PRIVATE KEY----- -----END PRIVATE KEY-----

Binary file not shown.


@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<server>
<featureManager>
<feature>appSecurity-2.0</feature>
</featureManager>
<enterpriseApplication id="com.ibm.mq.console">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQWebUI" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
<enterpriseApplication id="com.ibm.mq.rest">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQWebUI" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<group name="MQWebMessaging" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
<variable name="httpHost" value="*"/>
<include location="tls.xml"/>
</server>


@@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<server>
<featureManager>
<feature>openidConnectClient-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<enterpriseApplication id="com.ibm.mq.console">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQWebUI" realm="defaultRealm"/>
{{- range $index, $element := .AdminUser}}
<user name="admin{{$index}}" access-id="{{.}}"/>
{{- end}}
</security-role>
</application-bnd>
</enterpriseApplication>
<enterpriseApplication id="com.ibm.mq.rest">
<application-bnd>
<security-role name="MQWebAdmin">
<group name="MQWebUI" realm="defaultRealm"/>
</security-role>
<security-role name="MQWebUser">
<group name="MQWebMessaging" realm="defaultRealm"/>
</security-role>
</application-bnd>
</enterpriseApplication>
<openidConnectClient id="mqclient"
clientId="${env.MQ_OIDC_CLIENT_ID}"
clientSecret="${env.MQ_OIDC_CLIENT_SECRET}"
uniqueUserIdentifier="${env.MQ_OIDC_UNIQUE_USER_IDENTIFIER}"
authorizationEndpointUrl="${env.MQ_OIDC_AUTHORIZATION_ENDPOINT}"
tokenEndpointUrl="${env.MQ_OIDC_TOKEN_ENDPOINT}"
scope="openid profile email"
inboundPropagation="supported"
jwkEndpointUrl="${env.MQ_OIDC_JWK_ENDPOINT}"
signatureAlgorithm="RS256"
issuerIdentifier="${env.MQ_OIDC_ISSUER_IDENTIFIER}">
</openidConnectClient>
<variable name="httpHost" value="*"/>
<variable name="managementMode" value="externallyprovisioned"/>
<jndiEntry jndiName="xframeAllowedSourceList" value="${env.MQ_HOSTS}"/>
<keyStore id="MQWebKeyStore" location="/run/tls/key.jks" type="JKS" password="password"/>
<keyStore id="MQWebTrustStore" location="/run/tls/trust.jks" type="JKS" password="password"/>
<ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="MQWebKeyStore" trustStoreRef="MQWebTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
<sslDefault sslRef="thisSSLConfig"/>
<httpDispatcher enableWelcomePage="false" appOrContextRootMissingMessage='&lt;script&gt;document.location.href="/ibmmq/console";&lt;/script&gt;' />
</server>
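Review bot: Both `<keyStore id="MQWebKeyStore" …>` and `<keyStore id="MQWebTrustStore" …>` use the literal `password="password"`, while every other secret in this file (`clientId`, `clientSecret`, the OIDC endpoints) is pulled from the environment with `${env.…}`. Even if the JKS files under /run/tls are generated inside the container, a fixed, well-known password gives the private key entry no protection and bakes the value into the image's configuration layer. Reading it from the environment, e.g. `password="${env.MQ_WEB_KEYSTORE_PASSWORD}"` (variable name illustrative), or generating it alongside the keystore would keep this consistent with the `clientSecret` handling above. If the value has to stay in the file, Liberty also accepts passwords encoded with its securityUtility tool rather than plaintext.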