Merge pull request #301 from ibm-messaging/master

Backport fixes to 9.1.2

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Change log
 
-## vNext
+## 9.1.2.0 (2019-03-21)
 
 * Now runs using the "mqm" user instead of root.  See new [security doc](https://github.com/ibm-messaging/mq-container/blob/master/docs/security.md)
 * New [IGNSTATE](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q132310_.htm#q132310___ignstateparm) parameter used in default developer config
@@ -8,6 +8,9 @@
 * Fixes for the following issues:
     * Brackets no longer appear in termination log
     * Test timeouts weren't being used correctly
+    * Building on subscribed and unsubscribed hosts ([#273](https://github.com/ibm-messaging/mq-container/pull/273))
+    * Gosec failures ([#286](https://github.com/ibm-messaging/mq-container/pull/286))
+    * Security fix for perl-base ([#253](https://github.com/ibm-messaging/mq-container/pull/253))
 
 ## 9.1.1.0 (2018-11-30)
 

Dockerfile-server

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 ARG BASE_IMAGE=ubuntu:16.04
-ARG BUILDER_IMAGE=mq-golang-sdk:9.1.1.0-x86_64-ubuntu-16.04
+ARG BUILDER_IMAGE=mq-golang-sdk:9.1.2.0-x86_64-ubuntu-16.04
 
 ###############################################################################
 # Build stage to build Go code
@@ -70,16 +70,12 @@ RUN chmod ug+x /usr/local/bin/runmqserver \
   && chown mqm:mqm /usr/local/bin/*mq* \
   && chmod ug+xs /usr/local/bin/chkmq* \
   && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
-  && install --directory --mode 0775 --owner mqm --group root /run/tls \
   && touch /run/termination-log \
   && chown mqm:root /run/termination-log \
   && chmod 0660 /run/termination-log
 
-# Always use port 1414 for MQ, 9157 for the metrics & 9443 for the web console
+# Always use port 1414 for MQ & 9157 for the metrics
-EXPOSE 1414 9157 9443
+EXPOSE 1414 9157
-
-# Copy web XML files
-COPY web /etc/mqm/web
 
 ENV LANG=en_US.UTF-8 AMQ_DIAGNOSTIC_MSG_SEVERITY=1 AMQ_ADDITIONAL_JSON_LOG=1 LOG_FORMAT=basic
 

Makefile

@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018, 2019
+# © Copyright IBM Corporation 2018
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Makefile-RHEL

@@ -19,7 +19,7 @@
 # BASE_IMAGE is the base image to use for MQ, for example "ubuntu" or "rhel"
 BASE_IMAGE ?= rhel
 # MQ_VERSION is the fully qualified MQ version number to build
-MQ_VERSION ?= 9.1.1.0
+MQ_VERSION ?= 9.1.2.0
 # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
 # be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
 # Does not apply to MQ Advanced for Developers.
@@ -28,19 +28,19 @@ MQ_ARCHIVE ?= IBM_MQ_$(MQ_VERSION_VRM)_LINUX_$(MQ_ARCHIVE_ARCH).tar.gz
 # for Developers can be installed
 MQ_ARCHIVE_DEV ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
 # MQ_SDK_ARCHIVE specifies the archive to use for the MQ redistributable client, which is used for building the golang programs.
-MQ_SDK_ARCHIVE ?= 9.1.1.0-IBM-MQC-Redist-LinuxX64.tar.gz
+MQ_SDK_ARCHIVE ?= 9.1.2.0-IBM-MQC-Redist-LinuxX64.tar.gz
 # Options to `go test` for the Docker tests
 TEST_OPTS_DOCKER ?=
 # MQ_IMAGE_ADVANCEDSERVER is the name and tag of the built MQ Advanced image
-MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-integration-$(ARCH)
+MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-RHEL-$(ARCH)
 # MQ_IMAGE_DEVSERVER is the name and tag of the built MQ Advanced for Developers image
-MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-integration-$(ARCH)
+MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-RHEL-$(ARCH)
 # MQ_IMAGE_SDK is the name and tag of the built MQ Advanced for Developers SDK image
 MQ_IMAGE_SDK ?=mq-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
 # MQ_IMAGE_GOLANG_SDK is the name and tag of the built MQ Advanced for Developers SDK image, plus Go tools
 MQ_IMAGE_GOLANG_SDK ?=mq-golang-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
 # MQ_PACKAGES specifies the MQ packages to install.  Defaults vary on base image.
-MQ_PACKAGES ?= MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm
+MQ_PACKAGES ?= MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm
 
 ###############################################################################
 # Other variables
@@ -58,7 +58,7 @@ IMAGE_SOURCE=$(shell git config --get remote.origin.url)
 MQDEV=
 EMPTY:=
 SPACE:= $(EMPTY) $(EMPTY)
-# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.1 instead of 9.1.1.0
+# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.2 instead of 9.1.2.0
 MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))
 
 
@@ -80,9 +80,9 @@ else ifeq "$(ARCH)" "s390x"
     MQ_DEV_ARCH=s390x
 endif
 # Archive names for IBM MQ Advanced for Developers
-MQ_ARCHIVE_DEV_9.0.5.0=mqadv_dev905_linux_x86-64.tar.gz
 MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_linux_$(MQ_DEV_ARCH).tar.gz
 MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_linux_$(MQ_DEV_ARCH).tar.gz
+MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_linux_$(MQ_DEV_ARCH).tar.gz
 
 ###############################################################################
 # Build targets
@@ -166,6 +166,7 @@ build-advancedserver: check-prereqs downloads/$(MQ_ARCHIVE) build-go-programs
 
 .PHONY: build-devserver
 build-devserver: MQDEV=TRUE
+build-devserver: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm
 build-devserver: check-prereqs downloads/$(MQ_ARCHIVE_DEV) build-go-programs
 	$(info $(SPACER)$(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER)"$(END)))
 	sudo mq-advanced-server-rhel/mq-buildah.sh "$(MQ_ARCHIVE_DEV)" "$(MQ_PACKAGES)" "$(MQ_IMAGE_DEVSERVER_BASE)" "$(MQ_VERSION)" "$(MQDEV)"

Makefile-UBUNTU

@@ -19,7 +19,7 @@
 # BASE_IMAGE is the base image to use for MQ, for example "ubuntu" or "rhel"
 BASE_IMAGE ?= ubuntu:16.04
 # MQ_VERSION is the fully qualified MQ version number to build
-MQ_VERSION ?= 9.1.1.0
+MQ_VERSION ?= 9.1.2.0
 # MQ_ARCHIVE is the name of the file, under the downloads directory, from which MQ Advanced can
 # be installed. The default value is derived from MQ_VERSION, BASE_IMAGE and architecture
 # Does not apply to MQ Advanced for Developers.
@@ -32,9 +32,9 @@ MQ_SDK_ARCHIVE ?= $(MQ_ARCHIVE_DEV_$(MQ_VERSION))
 # Options to `go test` for the Docker tests
 TEST_OPTS_DOCKER ?=
 # MQ_IMAGE_ADVANCEDSERVER is the name and tag of the built MQ Advanced image
-MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-integration-$(ARCH)
+MQ_IMAGE_ADVANCEDSERVER ?=mqadvanced-server:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
 # MQ_IMAGE_DEVSERVER is the name and tag of the built MQ Advanced for Developers image
-MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-integration-$(ARCH)
+MQ_IMAGE_DEVSERVER ?=mqadvanced-server-dev:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
 # MQ_IMAGE_SDK is the name and tag of the built MQ Advanced for Developers SDK image
 MQ_IMAGE_SDK ?=mq-sdk:$(MQ_VERSION)-$(ARCH)-$(BASE_IMAGE_TAG)
 # MQ_IMAGE_GOLANG_SDK is the name and tag of the built MQ Advanced for Developers SDK image, plus Go tools
@@ -64,7 +64,7 @@ IMAGE_REVISION=$(shell git rev-parse HEAD)
 IMAGE_SOURCE=$(shell git config --get remote.origin.url)
 EMPTY:=
 SPACE:= $(EMPTY) $(EMPTY)
-# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.1 instead of 9.1.1.0
+# MQ_VERSION_VRM is MQ_VERSION with only the Version, Release and Modifier fields (no Fix field).  e.g. 9.1.2 instead of 9.1.2.0
 MQ_VERSION_VRM=$(subst $(SPACE),.,$(wordlist 1,3,$(subst .,$(SPACE),$(MQ_VERSION))))
 
 ifneq (,$(findstring Microsoft,$(shell uname -r)))
@@ -95,9 +95,9 @@ else ifeq "$(ARCH)" "s390x"
 	MQ_DEV_ARCH=s390x
 endif
 # Archive names for IBM MQ Advanced for Developers
-MQ_ARCHIVE_DEV_9.0.5.0=mqadv_dev905_$(MQ_ARCHIVE_DEV_PLATFORM)_x86-64.tar.gz
 MQ_ARCHIVE_DEV_9.1.0.0=mqadv_dev910_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 MQ_ARCHIVE_DEV_9.1.1.0=mqadv_dev911_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
+MQ_ARCHIVE_DEV_9.1.2.0=mqadv_dev912_$(MQ_ARCHIVE_DEV_PLATFORM)_$(MQ_DEV_ARCH).tar.gz
 
 ###############################################################################
 # Build targets
@@ -134,7 +134,7 @@ downloads/$(MQ_ARCHIVE_DEV):
 downloads/$(MQ_SDK_ARCHIVE):
 	$(info $(SPACER)$(shell printf $(TITLE)"Downloading IBM MQ Advanced for Developers "$(MQ_VERSION)$(END)))
 	mkdir -p downloads
-	cd downloads; curl -LO https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/$(MQ_SDK_ARCHIVE)
+	cd downloads; curl -LO https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/messaging/mqadv/$(MQ_SDK_ARCHIVE) 
 
 .PHONY: downloads
 downloads: downloads/$(MQ_ARCHIVE_DEV) downloads/$(MQ_SDK_ARCHIVE)
@@ -236,6 +236,12 @@ build-advancedserver: downloads/$(MQ_ARCHIVE) docker-version build-golang-sdk-ex
 	$(call docker-build-mq,$(MQ_IMAGE_ADVANCEDSERVER),Dockerfile-server,$(MQ_ARCHIVE),"4486e8c4cc9146fd9b3ce1f14a2dfc5b","IBM MQ Advanced",$(MQ_VERSION))
 
 .PHONY: build-devserver
+# Target-specific variable to add web server into devserver image
+ifeq "$(findstring ubuntu,$(BASE_IMAGE))" "ubuntu"
+build-devserver: MQ_PACKAGES=ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-ams ibmmq-web
+else 
+build-devserver: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm
+endif
 build-devserver: MQ_SDK_ARCHIVE=$(MQ_ARCHIVE_DEV)
 build-devserver: downloads/$(MQ_ARCHIVE_DEV) docker-version build-golang-sdk-ex
 	$(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_DEVSERVER_BASE)"$(END)))
@@ -261,7 +267,7 @@ build-sdk: downloads/$(MQ_SDK_ARCHIVE) build-sdk-ex
 .PHONY: build-sdk-ex
 ifeq "$(findstring ubuntu,$(BASE_IMAGE))" "ubuntu"
 build-sdk-ex: MQ_PACKAGES=ibmmq-sdk ibmmq-samples build-essential
-else
+else 
 build-sdk-ex: MQ_PACKAGES=MQSeriesRuntime-*.rpm MQSeriesSDK-*.rpm MQSeriesSamples*.rpm
 endif
 build-sdk-ex: docker-version docker-pull
@@ -274,7 +280,9 @@ build-golang-sdk: downloads/$(MQ_SDK_ARCHIVE) build-golang-sdk-ex
 .PHONY: build-golang-sdk-ex
 build-golang-sdk-ex: docker-version build-sdk-ex
 	$(info $(shell printf $(TITLE)"Build $(MQ_IMAGE_GOLANG_SDK)"$(END)))
+	@echo hello
 	$(DOCKER) build --build-arg BASE_IMAGE=$(MQ_IMAGE_SDK) -t $(MQ_IMAGE_GOLANG_SDK) -f incubating/mq-golang-sdk/Dockerfile .
+	@echo goodbye
 
 .PHONY: docker-pull
 docker-pull:

README.md

@@ -2,8 +2,8 @@
 
 [![Build Status](https://travis-ci.org/ibm-messaging/mq-container.svg?branch=master)](https://travis-ci.org/ibm-messaging/mq-container)
 
-**Note**: The `singularity` branch may be in an *unstable or even broken state* during development.
+**Note**: The `master` branch may be in an *unstable or even broken state* during development.
-To get a stable version, please use the correct [branch](https://github.com/ibm-messaging/mq-container/branches) for your MQ version, instead of the `singularity` branch.
+To get a stable version, please use the correct [branch](https://github.com/ibm-messaging/mq-container/branches) for your MQ version, instead of the `master` branch.
 
 <img src="https://raw.githubusercontent.com/IBM/charts/master/logo/ibm-mq-icon.svg?sanitize=true" width="100" alt="IBM MQ logo" />
 

cmd/chkmqhealthy/main.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/chkmqready/main.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/runmqdevserver/keystore.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -13,9 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-
+package main
-// Package keystore contains code to create and update keystores
-package keystore
 
 import (
 	"bufio"
@@ -25,7 +23,6 @@ import (
 	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
-	"github.com/ibm-messaging/mq-container/internal/logger"
 )
 
 // KeyStore describes information about a keystore file
@@ -57,7 +54,7 @@ func NewCMSKeyStore(filename, password string) *KeyStore {
 }
 
 // Create a key store, if it doesn't already exist
-func (ks *KeyStore) Create(log *logger.Logger) error {
+func (ks *KeyStore) Create() error {
 	_, err := os.Stat(ks.Filename)
 	if err == nil {
 		// Keystore already exists so we should refresh it by deleting it.
@@ -99,11 +96,22 @@ func (ks *KeyStore) Create(log *logger.Logger) error {
 	if err != nil {
 		return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
 	}
+
+	mqmUID, mqmGID, err := command.LookupMQM()
+	if err != nil {
+		log.Error(err)
+		return err
+	}
+	err = os.Chown(ks.Filename, mqmUID, mqmGID)
+	if err != nil {
+		log.Error(err)
+		return err
+	}
 	return nil
 }
 
 // CreateStash creates a key stash, if it doesn't already exist
-func (ks *KeyStore) CreateStash(log *logger.Logger) error {
+func (ks *KeyStore) CreateStash() error {
 	extension := filepath.Ext(ks.Filename)
 	stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
 	log.Debugf("TLS stash file: %v", stashFile)
@@ -117,14 +125,15 @@ func (ks *KeyStore) CreateStash(log *logger.Logger) error {
 		}
 		return err
 	}
-	return nil
+	mqmUID, mqmGID, err := command.LookupMQM()
-}
-
-// GeneratePKCS12 generates a PKCS12 file
-func (ks *KeyStore) GeneratePKCS12(keyFile, crtFile, pkcs12File, label, password string) error {
-	out, _, err := command.Run("openssl", "pkcs12", "-export", "-inkey", keyFile, "-in", crtFile, "-out", pkcs12File, "-name", label, "-passout", "pass:"+password)
 	if err != nil {
-		return fmt.Errorf("error running \"openssl pkcs12 -export\": %v %s", err, out)
+		log.Error(err)
+		return err
+	}
+	err = os.Chown(stashFile, mqmUID, mqmGID)
+	if err != nil {
+		log.Error(err)
+		return err
 	}
 	return nil
 }
@@ -138,24 +147,6 @@ func (ks *KeyStore) Import(inputFile, password string) error {
 	return nil
 }
 
-// CreateSelfSignedCertificate creates a self-signed certificate in the keystore
-func (ks *KeyStore) CreateSelfSignedCertificate(label, dn string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn)
-	if err != nil {
-		return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
-	}
-	return nil
-}
-
-// Add adds a CA certificate to the keystore
-func (ks *KeyStore) Add(inputFile, label string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
-	if err != nil {
-		return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
-	}
-	return nil
-}
-
 // GetCertificateLabels returns the labels of all certificates in the key store
 func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
 	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)

cmd/runmqdevserver/main.go

@@ -24,7 +24,6 @@ import (
 
 	"github.com/ibm-messaging/mq-container/internal/command"
 	"github.com/ibm-messaging/mq-container/internal/logger"
-	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/name"
 )
 
@@ -91,7 +90,7 @@ func configureLogger() error {
 
 func configureWeb(qmName string) error {
 	out := "/etc/mqm/web/installations/Installation1/angular.persistence/admin.json"
-	return mqtemplate.ProcessTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName}, log)
+	return processTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName})
 }
 
 func logTerminationf(format string, args ...interface{}) {

cmd/runmqdevserver/mqsc.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,8 +17,6 @@ package main
 
 import (
 	"os"
-
-	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
 func updateMQSC(appPasswordRequired bool) error {
@@ -32,7 +30,7 @@ func updateMQSC(appPasswordRequired bool) error {
 	if os.Getenv("MQ_DEV") == "true" {
 		const mqscTemplate string = mqsc + ".tpl"
 		// Re-configure channel if app password not set
-		err := mqtemplate.ProcessTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient}, log)
+		err := processTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient})
 		if err != nil {
 			return err
 		}

cmd/runmqdevserver/template.go

@@ -13,21 +13,20 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-
+package main
-// Package mqtemplate contains code to process template files
-package mqtemplate
 
 import (
 	"os"
 	"path"
 	"text/template"
 
-	"github.com/ibm-messaging/mq-container/internal/logger"
+	"github.com/ibm-messaging/mq-container/internal/command"
 )
 
-// ProcessTemplateFile takes a Go templateFile, and processes it with the
+// processTemplateFile takes a Go templateFile, and processes it with the
 // supplied data, writing to destFile
-func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *logger.Logger) error {
+func processTemplateFile(templateFile, destFile string, data interface{}) error {
+	// Re-configure channel if app password not set
 	t, err := template.ParseFiles(templateFile)
 	if err != nil {
 		log.Error(err)
@@ -43,6 +42,16 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
 				log.Error(err)
 				return err
 			}
+			mqmUID, mqmGID, err := command.LookupMQM()
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(dir, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
 		} else {
 			return err
 		}
@@ -55,5 +64,15 @@ func ProcessTemplateFile(templateFile, destFile string, data interface{}, log *l
 		log.Error(err)
 		return err
 	}
+	mqmUID, mqmGID, err := command.LookupMQM()
+	if err != nil {
+		log.Error(err)
+		return err
+	}
+	err = os.Chown(destFile, mqmUID, mqmGID)
+	if err != nil {
+		log.Error(err)
+		return err
+	}
 	return nil
 }

cmd/runmqdevserver/tls.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,22 +21,20 @@ import (
 	"path/filepath"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
-	"github.com/ibm-messaging/mq-container/internal/keystore"
-	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
-func configureWebTLS(cms *keystore.KeyStore) error {
+func configureWebTLS(cms *KeyStore) error {
 	dir := "/run/runmqdevserver/tls"
-	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
+	ks := NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
-	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
+	ts := NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
 
 	log.Debug("Creating key store")
-	err := ks.Create(log)
+	err := ks.Create()
 	if err != nil {
 		return err
 	}
 	log.Debug("Creating trust store")
-	err = ts.Create(log)
+	err = ts.Create()
 	if err != nil {
 		return err
 	}
@@ -58,19 +56,24 @@ func configureWebTLS(cms *keystore.KeyStore) error {
 	if err != nil {
 		return err
 	}
+	mqmUID, mqmGID, err := command.LookupMQM()
+	if err != nil {
+		log.Error(err)
+		return err
+	}
+	err = os.Chown(tlsConfig, mqmUID, mqmGID)
+	if err != nil {
+		log.Error(err)
+		return err
+	}
 
 	return nil
 }
 
 func configureTLS(qmName string, inputFile string, passPhrase string) error {
-	err := createDevTLSDir()
-	if err != nil {
-		return err
-	}
-
 	log.Debug("Configuring TLS")
 
-	_, err = os.Stat(inputFile)
+	_, err := os.Stat(inputFile)
 	if err != nil {
 		return err
 	}
@@ -79,14 +82,37 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 	dir := "/run/runmqdevserver/tls"
 	keyFile := filepath.Join(dir, "key.kdb")
 
-	cms := keystore.NewCMSKeyStore(keyFile, passPhrase)
+	_, err = os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			// #nosec G301
+			err = os.MkdirAll(dir, 0770)
+			if err != nil {
+				return err
+			}
+			mqmUID, mqmGID, err := command.LookupMQM()
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(dir, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+		} else {
+			return err
+		}
+	}
 
-	err = cms.Create(log)
+	cms := NewCMSKeyStore(keyFile, passPhrase)
+
+	err = cms.Create()
 	if err != nil {
 		return err
 	}
 
-	err = cms.CreateStash(log)
+	err = cms.CreateStash()
 	if err != nil {
 		return err
 	}
@@ -120,11 +146,11 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 	const mqsc string = "/etc/mqm/20-dev-tls.mqsc"
 	const mqscTemplate string = mqsc + ".tpl"
 
-	err = mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{
+	err = processTemplateFile(mqscTemplate, mqsc, map[string]string{
 		"SSLKeyR":          filepath.Join(dir, "key"),
 		"CertificateLabel": newLabel,
 		"SSLCipherSpec":    sslCipherSpec,
-	}, log)
+	})
 	if err != nil {
 		return err
 	}
@@ -136,32 +162,3 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 
 	return nil
 }
-
-func createDevTLSDir() error {
-	// TODO: Use a persisted file (on the volume) instead?
-	dir := "/run/runmqdevserver/tls"
-
-	_, err := os.Stat(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			// #nosec G301
-			err = os.MkdirAll(dir, 0770)
-			if err != nil {
-				return err
-			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-	return nil
-}

cmd/runmqserver/crtmqvol.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -60,61 +60,3 @@ func createVolume(path string) error {
 	}
 	return nil
 }
-
-func createWebConsoleTLSDirStructure() error {
-	// Create tls directory
-	dir := "/run/tls"
-	_, err := os.Stat(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = os.MkdirAll(dir, 0770)
-			if err != nil {
-				return err
-			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-
-	return nil
-}
-
-/* TODO: remove duplicated code */
-func createDevTLSDir() error {
-	// TODO: Use a persisted file (on the volume) instead?
-	dir := "/run/runmqdevserver/tls"
-
-	_, err := os.Stat(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			// #nosec G301
-			err = os.MkdirAll(dir, 0770)
-			if err != nil {
-				return err
-			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-	return nil
-}

cmd/runmqserver/license.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/runmqserver/logging.go

@@ -138,9 +138,6 @@ func logDiagnostics() {
 	out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
 	log.Debugf("/mnt/mqm/data:\n%s", out)
 	// #nosec G104
-	out, _, _ = command.Run("ls", "-l", "/etc/mqm")
-	log.Debugf("/etc/mqm:\n%s", out)
-	// #nosec G104
 	out, _, _ = command.Run("ls", "-l", "/var/mqm")
 	log.Debugf("/var/mqm:\n%s", out)
 	// #nosec G104

cmd/runmqserver/main.go

@@ -104,20 +104,6 @@ func doMain() error {
 		return err
 	}
 
-	err = createWebConsoleTLSDirStructure()
-	if err != nil {
-		logTermination(err)
-		return err
-	}
-
-	if *devFlag == true {
-		err = createDevTLSDir()
-		if err != nil {
-			logTermination(err)
-			return err
-		}
-	}
-
 	// If init flag is set, exit now
 	if *initFlag {
 		return nil

cmd/runmqserver/mirror.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/runmqserver/post_init_dev.go

@@ -1,3 +1,5 @@
+// +build mqdev
+
 /*
 © Copyright IBM Corporation 2018
 
@@ -20,26 +22,18 @@ import (
 )
 
 // postInit is run after /var/mqm is set up
+// This version of postInit is only included as part of the MQ Advanced for Developers build
 func postInit(name string) error {
 	disable := os.Getenv("MQ_DISABLE_WEB_CONSOLE")
 	if disable != "true" && disable != "1" {
-
-		// Configure Single-Sign-On for the web server (if enabled)
-		enableSSO := os.Getenv("MQ_ENABLE_SSO")
-		if enableSSO == "true" || enableSSO == "1" {
-			err := configureSSO()
-			if err != nil {
-				return err
-			}
-		}
-
 		// Configure the web server (if installed)
 		err := configureWebServer()
 		if err != nil {
 			return err
 		}
 		// Start the web server, in the background (if installed)
-		// WARNING: No error handling or health checking available for the web server
+		// WARNING: No error handling or health checking available for the web server,
+		// which is why it's limited to use with MQ Advanced for Developers only
 		go func() {
 			startWebServer()
 		}()

cmd/runmqserver/post_init_other.go

@@ -0,0 +1,22 @@
+// +build !mqdev
+
+/*
+© Copyright IBM Corporation 2018
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package main
+
+func postInit(name string) error {
+	return nil
+}

cmd/runmqserver/process.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/runmqserver/qmgr.go

@@ -16,11 +16,12 @@ limitations under the License.
 package main
 
 import (
-	"io"
+	"bytes"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
@@ -34,7 +35,6 @@ func createDirStructure() error {
 		return err
 	}
 	log.Println("Created directory structure under /var/mqm")
-
 	return nil
 }
 
@@ -87,43 +87,35 @@ func configureQueueManager() error {
 		log.Println(err)
 		return err
 	}
-
 	for _, file := range files {
 		if strings.HasSuffix(file.Name(), ".mqsc") {
 			abs := filepath.Join(configDir, file.Name())
 			// #nosec G204
 			cmd := exec.Command("runmqsc")
-			stdin, err := cmd.StdinPipe()
+			// Read mqsc file into variable
+			mqsc, err := ioutil.ReadFile(abs)
 			if err != nil {
-				log.Println(err)
+				log.Printf("Error reading file %v: %v", abs, err)
-				return err
+				continue
 			}
-			// Open the MQSC file for reading
+			// Write mqsc to buffer
-			// #nosec G304
+			var buffer bytes.Buffer
-			f, err := os.Open(abs)
+			_, err = buffer.Write(mqsc)
 			if err != nil {
-				log.Printf("Error opening %v: %v", abs, err)
+				log.Printf("Error writing MQSC file %v to buffer: %v", abs, err)
+				continue
 			}
-			// Copy the contents to stdin of the runmqsc process
+			// Buffer mqsc to stdin of runmqsc
-			_, err = io.Copy(stdin, f)
+			cmd.Stdin = &buffer
-			if err != nil {
+			// Run runmqsc command
-				log.Errorf("Error reading %v: %v", abs, err)
-			}
-			err = f.Close()
-			if err != nil {
-				log.Errorf("Failed to close MQSC file handle: %v", err)
-			}
-			err = stdin.Close()
-			if err != nil {
-				log.Errorf("Failed to close MQSC stdin: %v", err)
-			}
-			// Run the command and wait for completion
 			out, err := cmd.CombinedOutput()
 			if err != nil {
-				log.Errorf("Error running MQSC file %v (%v):\n\t%v", file.Name(), err, strings.Replace(string(out), "\n", "\n\t", -1))
+				log.Errorf("Error running MQSC file %v (%v):\n\t%v", file.Name(), err, formatMQSCOutput(string(out)))
+				continue
+			} else {
+				// Print the runmqsc output, adding tab characters to make it more readable as part of the log
+				log.Printf("Output for \"runmqsc\" with %v:\n\t%v", abs, formatMQSCOutput(string(out)))
 			}
-			// Print the runmqsc output, adding tab characters to make it more readable as part of the log
-			log.Printf("Output for \"runmqsc\" with %v:\n\t%v", abs, strings.Replace(string(out), "\n", "\n\t", -1))
 		}
 	}
 	return nil
@@ -139,3 +131,16 @@ func stopQueueManager(name string) error {
 	log.Println("Stopped queue manager")
 	return nil
 }
+
+func formatMQSCOutput(out string) string {
+	// redact sensitive information
+	pattern, _ := regexp.Compile("(?i)LDAPPWD\\s*?\\((.*?)\\)")
+	out = pattern.ReplaceAllString(out, "LDAPPWD(*********)")
+	pattern, _ = regexp.Compile("(?i)PASSWORD\\s*?\\((.*?)\\)")
+	out = pattern.ReplaceAllString(out, "PASSWORD(*********)")
+	pattern, _ = regexp.Compile("(?i)SSLCRYP\\s*?\\((.*?)\\)")
+	out = pattern.ReplaceAllString(out, "SSLCRYP(*********)")
+
+	// add tab characters to make it more readable as part of the log
+	return strings.Replace(string(out), "\n", "\n\t", -1)
+}

cmd/runmqserver/signals.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/runmqserver/version.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

cmd/runmqserver/webserver.go

@@ -1,3 +1,5 @@
+// +build mqdev
+
 /*
 © Copyright IBM Corporation 2018, 2019
 
@@ -23,12 +25,9 @@ import (
 	"os/user"
 	"path/filepath"
 	"strconv"
-	"strings"
 	"syscall"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
-	"github.com/ibm-messaging/mq-container/internal/keystore"
-	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
 func startWebServer() error {
@@ -91,82 +90,6 @@ func CopyFile(src, dest string) error {
 	return err
 }
 
-func configureSSO() error {
-
-	// Ensure all required environment variables are set for SSO
-	requiredEnvVars := []string{
-		"MQ_WEB_ADMIN_USERS",
-		"MQ_OIDC_CLIENT_ID",
-		"MQ_OIDC_CLIENT_SECRET",
-		"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
-		"MQ_OIDC_AUTHORIZATION_ENDPOINT",
-		"MQ_OIDC_TOKEN_ENDPOINT",
-		"MQ_OIDC_JWK_ENDPOINT",
-		"MQ_OIDC_ISSUER_IDENTIFIER",
-		"MQ_OIDC_CERTIFICATE",
-	}
-	for _, envVar := range requiredEnvVars {
-		if len(os.Getenv(envVar)) == 0 {
-			return fmt.Errorf("%v must be set when MQ_ENABLE_SSO=true", envVar)
-		}
-	}
-
-	// Check mqweb directory exists
-	const mqwebDir string = "/etc/mqm/web/installations/Installation1/servers/mqweb"
-	_, err := os.Stat(mqwebDir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-
-	// Process SSO template for generating file mqwebuser.xml
-	adminUsers := strings.Split(os.Getenv("MQ_WEB_ADMIN_USERS"), "\n")
-	err = mqtemplate.ProcessTemplateFile(mqwebDir+"/mqwebuser.xml.tpl", mqwebDir+"/mqwebuser.xml", map[string][]string{"AdminUser": adminUsers}, log)
-	if err != nil {
-		return err
-	}
-
-	// Configure SSO TLS
-	return configureSSO_TLS()
-}
-
-func configureSSO_TLS() error {
-
-	// Create tls directory
-	dir := "/run/tls"
-	mntdir := "/mnt/tls/"
-
-	// Setup key store & trust store
-	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), "password")
-	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), "password")
-
-	log.Debug("Creating key store")
-	err := ks.Create(log)
-	if err != nil {
-		return err
-	}
-	log.Debug("Creating trust store")
-	err = ts.Create(log)
-	if err != nil {
-		return err
-	}
-	log.Debug("Generating PKCS12 file")
-	err = ks.GeneratePKCS12(filepath.Join(mntdir, "tls.key"), filepath.Join(mntdir, "tls.crt"), filepath.Join(dir, "tls.p12"), "default", "password")
-	if err != nil {
-		return err
-	}
-	log.Debug("Importing certificate into key store")
-	err = ks.Import(filepath.Join(dir, "tls.p12"), "password")
-	if err != nil {
-		return err
-	}
-	log.Debug("Adding OIDC certificate to trust store")
-	err = ts.Add(os.Getenv("MQ_OIDC_CERTIFICATE"), "OIDC")
-	return err
-}
-
 func configureWebServer() error {
 	_, err := os.Stat("/opt/mqm/bin/strmqweb")
 	if err != nil {
@@ -183,6 +106,10 @@ func configureWebServer() error {
 		}
 		return err
 	}
+	uid, gid, err := command.LookupMQM()
+	if err != nil {
+		return err
+	}
 	const prefix string = "/etc/mqm/web"
 	err = filepath.Walk(prefix, func(from string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -218,6 +145,10 @@ func configureWebServer() error {
 				return err
 			}
 		}
+		err = os.Chown(to, uid, gid)
+		if err != nil {
+			return err
+		}
 		return nil
 	})
 	return err

docs/security.md

@@ -16,10 +16,10 @@ docker run \
   --env LICENSE=accept \
   --env MQ_QMGR_NAME=QM1 \
   --detach \
-  mqadvanced-server:9.1.1.0-x86_64-ubuntu-16.04
+  mqadvanced-server:9.1.2.0-x86_64-ubuntu-16.04
 ```
 
-The MQ Advanced for Developers image does requires the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux).  This is because it uses the "sudo" command to change passwords inside the container.  For example, in Docker, you could do the following:
+The MQ Advanced for Developers image does require the "chown", "setuid", "setgid" and "audit_write" capabilities (plus "dac_override" if you're using an image based on Red Hat Enterprise Linux).  This is because it uses the "sudo" command to change passwords inside the container.  For example, in Docker, you could do the following:
 
 ```sh
 docker run \
@@ -31,7 +31,7 @@ docker run \
   --env LICENSE=accept \
   --env MQ_QMGR_NAME=QM1 \
   --detach \
-  mqadvanced-server-dev:9.1.1.0-x86_64-ubuntu-16.04
+  mqadvanced-server-dev:9.1.2.0-x86_64-ubuntu-16.04
 ```
 
 ### SELinux

docs/testing.md

@@ -31,7 +31,7 @@ make test-advancedserver
 You can specify the image to use directly by using the `MQ_IMAGE_ADVANCEDSERVER` or `MQ_IMAGE_DEVSERVER` variables, for example:
 
 ```
-MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.1.0-x86_64-ubuntu-16.04 make test-advancedserver
+MQ_IMAGE_ADVANCEDSERVER=mqadvanced-server:9.1.2.0-x86_64-ubuntu-16.04 make test-advancedserver
 ```
 
 You can pass parameters to `go test` with an environment variable.  For example, to run the "TestGoldenPath" test, run the following command::
@@ -40,10 +40,10 @@ You can pass parameters to `go test` with an environment variable.  For example,
 TEST_OPTS_DOCKER="-run TestGoldenPath" make test-advancedserver
 ```
 
-You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.0.0-x86_64-ubuntu-16.04`:
+You can also use the same environment variables you specified when [building](./building), for example, the following will try and test an image called `mqadvanced-server:9.1.2.0-x86_64-ubuntu-16.04`:
 
 ```
-MQ_VERSION=9.1.0.0 make test-advancedserver
+MQ_VERSION=9.1.2.0 make test-advancedserver
 ```
 
 ### Running the Docker tests with code coverage

incubating/mqadvanced-server-dev/Dockerfile

@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ARG BASE_IMAGE=mqadvanced-server-dev-base:9.1.1.0-x86_64-ubuntu-16.04
+ARG BASE_IMAGE=mqadvanced-server-dev-base:9.1.2.0-x86_64-ubuntu-16.04
-ARG BUILDER_IMAGE=mq-golang-sdk:9.1.1.0-x86_64-ubuntu-16.04
+ARG BUILDER_IMAGE=mq-golang-sdk:9.1.2.0-x86_64-ubuntu-16.04
 
 ###############################################################################
 # Build stage to build Go code
@@ -79,6 +79,8 @@ RUN chown -R mqm:mqm /etc/mqm/* \
   && chmod +x /usr/local/bin/runmq* \
   && install --directory --mode 0775 --owner mqm --group root /run/runmqdevserver
 
+EXPOSE 9443
+
 USER $MQM_UID
 
 ENTRYPOINT ["runmqdevserver"]

incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml

@@ -1,30 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <server>
-	<!-- ****************************************************************** -->
-	<!--                                                                    -->
-	<!--  IBM MQ security configuration for MQ Console and REST API.        -->
-	<!--                                                                    -->
-	<!--  Name: mqwebuser.xml                                               -->
-	<!--                                                                    -->
-	<!--  Description:  Default webconsole configuration                    -->
-	<!--                                                                    -->
-	<!-- ****************************************************************** -->
-	<!-- <copyright                                                         -->
-	<!--     notice='lm-source-program'                                     -->
-	<!--     pids='5724-H72'                                                -->
-	<!--     years='2018,2019'                                              -->
-	<!--     crc='0' >                                                      -->
-	<!--                                                                    -->
-	<!--     Licensed Materials - Property of IBM                           -->
-	<!--                                                                    -->
-	<!--     5724-H72                                                       -->
-	<!--                                                                    -->
-	<!--     (C) Copyright IBM Corp. 2018, 2019 All Rights Reserved.        -->
-	<!--                                                                    -->
-	<!--     US Government Users Restricted Rights - Use, duplication or    -->
-	<!--     disclosure restricted by GSA ADP Schedule Contract with        -->
-	<!--     IBM Corp.                                                      -->
-	<!-- </copyright>                                                       -->
     <featureManager>
         <feature>appSecurity-2.0</feature>
         <feature>basicAuthenticationMQ-1.0</feature>

incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/tls-dev.xml

@@ -1,30 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <server>
-	<!-- ****************************************************************** -->
-	<!--                                                                    -->
-	<!--  IBM MQ security configuration for MQ Console and REST API.        -->
-	<!--                                                                    -->
-	<!--  Name: mqwebuser.xml                                               -->
-	<!--                                                                    -->
-	<!--  Description:  Default webconsole configuration                    -->
-	<!--                                                                    -->
-	<!-- ****************************************************************** -->
-	<!-- <copyright                                                         -->
-	<!--     notice='lm-source-program'                                     -->
-	<!--     pids='5724-H72'                                                -->
-	<!--     years='2018,2019'                                              -->
-	<!--     crc='0' >                                                      -->
-	<!--                                                                    -->
-	<!--     Licensed Materials - Property of IBM                           -->
-	<!--                                                                    -->
-	<!--     5724-H72                                                       -->
-	<!--                                                                    -->
-	<!--     (C) Copyright IBM Corp. 2018, 2019 All Rights Reserved.        -->
-	<!--                                                                    -->
-	<!--     US Government Users Restricted Rights - Use, duplication or    -->
-	<!--     disclosure restricted by GSA ADP Schedule Contract with        -->
-	<!--     IBM Corp.                                                      -->
-	<!-- </copyright>                                                       -->
     <keyStore id="MQWebKeyStore" location="/run/runmqdevserver/tls/key.jks" type="JKS" password="${env.MQ_TLS_PASSPHRASE}"/>
     <keyStore id="MQWebTrustStore" location="/run/runmqdevserver/tls/trust.jks" type="JKS" password="${env.MQ_TLS_PASSPHRASE}"/>
     <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="MQWebKeyStore" trustStoreRef="MQWebTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="devcert"/>

install-mq.sh

@@ -25,8 +25,8 @@ test -f /usr/bin/apt-get && UBUNTU=true || UBUNTU=false
 
 # If MQ_PACKAGES isn't specifically set, then choose a valid set of defaults
 if [ -z "$MQ_PACKAGES" ]; then
-  $UBUNTU && MQ_PACKAGES="ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-ams ibmmq-web"
+  $UBUNTU && MQ_PACKAGES="ibmmq-server ibmmq-java ibmmq-jre ibmmq-gskit ibmmq-msg-.* ibmmq-samples ibmmq-ams"
-  $RHEL && MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm MQSeriesWeb-*.rpm"
+  $RHEL && MQ_PACKAGES="MQSeriesRuntime-*.rpm MQSeriesServer-*.rpm MQSeriesJava*.rpm MQSeriesJRE*.rpm MQSeriesGSKit*.rpm MQSeriesMsg*.rpm MQSeriesSamples*.rpm MQSeriesAMS-*.rpm"
 fi
 
 if ($UBUNTU); then
@@ -65,8 +65,7 @@ if ($UBUNTU); then
     procps \
     sed \
     tar \
-    util-linux \
+    util-linux
-    openssl
 fi
 
 # Install additional packages required by MQ, this install process and the runtime scripts
@@ -85,8 +84,7 @@ $RHEL && yum -y install \
   procps-ng \
   sed \
   tar \
-  util-linux \
+  util-linux
-  openssl
 
 # Download and extract the MQ installation files
 DIR_EXTRACT=/tmp/mq

internal/command/command.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

internal/metrics/metrics.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

internal/metrics/update.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

manifests/dockerhub/manifest-9.1.2.yaml

@@ -0,0 +1,29 @@
+# © Copyright IBM Corporation 2018, 2019
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image: ibmcom/mq:9.1.2.0
+manifests:
+  - image: ibmcom/mq:9.1.2.0-x86_64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: ibmcom/mq:9.1.2.0-ppc64le
+    platform:
+      architecture: ppc64le
+      os: linux
+  - image: ibmcom/mq:9.1.2.0-s390x
+    platform:
+      architecture: s390x
+      os: linux
+

manifests/dockerhub/manifest-latest.yaml

@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2018
+# © Copyright IBM Corporation 2018, 2019
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,15 +14,15 @@
 
 image: ibmcom/mq:latest
 manifests:
-  - image: ibmcom/mq:9.1.1.0-x86_64
+  - image: ibmcom/mq:9.1.2.0-x86_64
     platform:
       architecture: amd64
       os: linux
-  - image: ibmcom/mq:9.1.1.0-ppc64le
+  - image: ibmcom/mq:9.1.2.0-ppc64le
     platform:
       architecture: ppc64le
       os: linux
-  - image: ibmcom/mq:9.1.1.0-s390x
+  - image: ibmcom/mq:9.1.2.0-s390x
     platform:
       architecture: s390x
       os: linux

manifests/dockerstore/manifest-9.1.2.yaml

@@ -0,0 +1,29 @@
+# © Copyright IBM Corporation 2018, 2019
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image: ibmcorp/mqadvanced-server-dev:9.1.2.0
+manifests:
+  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-x86_64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-ppc64le
+    platform:
+      architecture: ppc64le
+      os: linux
+  - image: ibmcorp/mqadvanced-server-dev:9.1.2.0-s390x
+    platform:
+      architecture: s390x
+      os: linux
+

mq-advanced-server-rhel/mq-buildah.sh

@@ -86,7 +86,6 @@ buildah run ${ctr_mq} -- microdnf ${microdnf_opts} install \
   shadow-utils \
   tar \
   util-linux \
-  openssl \
   which
 
 # Install "sudo" if using MQ Advanced for Developers
@@ -122,12 +121,6 @@ buildah run --user root $ctr_mq -- chmod 0660 /run/termination-log
 install --mode 0550 --owner root --group root ./mq-advanced-server-rhel/writePackages.sh ${mnt_mq}/usr/local/bin/writePackages
 buildah run --user root $ctr_mq -- /usr/local/bin/writePackages
 
-# Copy web XML files
-cp -R web ${mnt_mq}/etc/mqm/web
-
-# Copy web XML files
-cp -R web ${mnt_mq}/etc/mqm/web
-
 ###############################################################################
 # Final Buildah commands
 ###############################################################################
@@ -145,7 +138,6 @@ fi
 buildah config \
   --port 1414/tcp \
   --port 9157/tcp \
-  --port 9443/tcp \
   --os linux \
   --label architecture=x86_64 \
   --label io.openshift.tags="$OSTAG" \

mq-advanced-server-rhel/mqdev-buildah.sh

@@ -78,7 +78,12 @@ install --directory --mode 0775 --owner ${mqm_uid} --group 0 ${mnt_mq}/run/runmq
 cp ./incubating/mqadvanced-server-dev/*.tpl ${mnt_mq}/etc/mqm/
 
 # Copy web XML files for default developer configuration
-cp -R incubating/mqadvanced-server-dev/web/ ${mnt_mq}/etc/mqm/web
+mkdir --parents ${mnt_mq}/etc/mqm/web
+cp --recursive ./incubating/mqadvanced-server-dev/web/* ${mnt_mq}/etc/mqm/web/
+
+# Make "mqm" the owner of all the config files
+chown --recursive ${mqm_uid}:${mqm_gid} ${mnt_mq}/etc/mqm/*
+chmod --recursive 0750 ${mnt_mq}/etc/mqm/*
 
 ###############################################################################
 # Final Buildah commands

test/docker/Gopkg.toml

@@ -1,4 +1,4 @@
-# © Copyright IBM Corporation 2017, 2019
+# © Copyright IBM Corporation 2017, 2018
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/docker/docker_api_test.go

@@ -554,6 +554,102 @@ func TestMQSC(t *testing.T) {
 	}
 }
 
+// TestLargeMQSC creates a new image with a large MQSC file in, starts a container based
+// on that image, and checks that the MQSC has been applied correctly.
+func TestLargeMQSC(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	const numQueues = 1000
+	var buf bytes.Buffer
+	for i := 1; i <= numQueues; i++ {
+		fmt.Fprintf(&buf, "* Test processing of a large MQSC file, defining queue test%v\nDEFINE QLOCAL(test%v)\n", i, i)
+	}
+	var files = []struct {
+		Name, Body string
+	}{
+		{"Dockerfile", fmt.Sprintf(`
+          FROM %v
+          USER root
+          RUN rm -f /etc/mqm/*.mqsc
+          ADD test.mqsc /etc/mqm/
+          RUN chmod 0660 /etc/mqm/test.mqsc
+          USER mqm`, imageName())},
+		{"test.mqsc", buf.String()},
+	}
+	tag := createImage(t, cli, files)
+	defer deleteImage(t, cli, tag)
+
+	containerConfig := container.Config{
+		Env:   []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+		Image: tag,
+	}
+	id := runContainer(t, cli, &containerConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+
+	rc, mqscOutput := execContainer(t, cli, id, "mqm", []string{"bash", "-c", "echo 'DISPLAY QLOCAL(test" + strconv.Itoa(numQueues) + ")' | runmqsc"})
+	if rc != 0 {
+		r := regexp.MustCompile("AMQ[0-9][0-9][0-9][0-9]E")
+		t.Fatalf("Expected runmqsc to exit with rc=0, got %v with error %v", rc, r.FindString(mqscOutput))
+	}
+}
+
+// TestRedactMQSC creates a new image with a MQSC file that contains sensitive information, starts a container based
+// on that image, and checks that the MQSC has been redacted in the logs.
+func TestRedactMQSC(t *testing.T) {
+	t.Parallel()
+
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	var buf bytes.Buffer
+	sslcryp := "GSK_PKCS11=/usr/lib/pkcs11/PKCS11_API.so;token-label;token-password;SYMMETRIC_CIPHER_ON;"
+	fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) LDAPPWD(abcdefgh) B(2) PASSWORD(abcdefgh) C(3) SSLCRYP(%v) D(4)\n", sslcryp)
+	fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) ldappwd(12345678) B(2) password(12345678) C(3) sslcryp(%v) D(4)\n", sslcryp)
+	fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) LdapPwd('12?@!$Gh') B(2) Password('12?@!$Gh') C(3) SSLCryp(%v) D(4)\n", sslcryp)
+	fmt.Fprintf(&buf, "*TEST-REDACT-MQSC: A(1) LDAPPWD (abcdefgh) B(2) PASSWORD\t(abcdefgh) C(3) SSLCRYP \t (%v) D(4)", sslcryp)
+	var files = []struct {
+		Name, Body string
+	}{
+		{"Dockerfile", fmt.Sprintf(`
+		  FROM %v
+		  USER root
+		  RUN rm -f /etc/mqm/*.mqsc
+		  ADD test.mqsc /etc/mqm/
+		  RUN chmod 0660 /etc/mqm/test.mqsc
+		  USER mqm`, imageName())},
+		{"test.mqsc", buf.String()},
+	}
+	tag := createImage(t, cli, files)
+	defer deleteImage(t, cli, tag)
+
+	containerConfig := container.Config{
+		Env:   []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+		Image: tag,
+	}
+	id := runContainer(t, cli, &containerConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+	stopContainer(t, cli, id)
+	scanner := bufio.NewScanner(strings.NewReader(inspectLogs(t, cli, id)))
+	expectedOutput := "*TEST-REDACT-MQSC: A(1) LDAPPWD(*********) B(2) PASSWORD(*********) C(3) SSLCRYP(*********) D(4)"
+	for scanner.Scan() {
+		s := scanner.Text()
+		if strings.Contains(s, "*TEST-REDACT-MQSC:") && !strings.Contains(s, expectedOutput) {
+			t.Fatalf("Expected redacted MQSC output, got: %v", s)
+		}
+	}
+	err = scanner.Err()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 // TestInvalidMQSC creates a new image with an MQSC file containing invalid MQSC,
 // tries to start a container based on that image, and checks that container terminates
 // func TestInvalidMQSC(t *testing.T) {

test/messaging/pom.xml

@@ -1,5 +1,5 @@
 <!--
-© Copyright IBM Corporation 2018, 2019
+© Copyright IBM Corporation 2018
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

test/tls/generate-test-cert.sh

@@ -23,7 +23,7 @@ PASSWORD=passw0rd
 openssl req \
        -newkey rsa:2048 -nodes -keyout ${KEY} \
        -subj "/CN=localhost" \
-       -x509 -days 365 -out ${CERT}
+       -x509 -days 3650 -out ${CERT}
 
 # Add the key and certificate to a PKCS #12 key store, for the server to use
 openssl pkcs12 \

test/tls/server.crt

@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICpDCCAYwCCQDft9xlN4fNFTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
+MIICpDCCAYwCCQC6vpJFnfYO6TANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
-b2NhbGhvc3QwHhcNMTgwMzIwMTUxODMwWhcNMTkwMzIwMTUxODMwWjAUMRIwEAYD
+b2NhbGhvc3QwHhcNMTkwMzIxMTYxMzUxWhcNMjkwMzE4MTYxMzUxWjAUMRIwEAYD
-VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk
+VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCu
-XzX0xQIZzKVX8/lDQh5lSHr5U9cBL+kURA3fEgl3ks9KjZPggfxWl4Y5dekChW/s
+48qtIDwmihFqj2HY3dZjPfROA1MJ+D0c6aEA08ooOczthLB7XdZBQDapj8LFldyt
-iknVssoNw9vI1W25qtQ81zRFQbHbpej0lLdYsS8/yZCuAVjMTp6Q9IswTwhVA6OD
+4ZMbTkqtF5QtPXmJY0wi39foLYlcGXPL1b7y3mypaFou88BcSM3VmfILKXhNeAlt
-5orag5dH3XQH+GsnmGXRCY7Gs93onAe3i3ShX9qpUFOJXyxCX+pLAC6kWQ3f/HI8
+rXevnuT5kDU7sLVgKGhGwas20T1MU7d0I3bQ5z5c7egL76Hk9fYucjN6RkbwlrJ3
-dujVXKsg1vHgOgGqQGwnh8gm5OeWUeuTMdD2v7Hn1OxilgNMbcewA7bpvipgm2xt
+TrCXrGIziofn3Zq1t51ygv21c80JD3XJ44YmuCrede4rhOS/4NpwRuZyiwpJ6tlv
-ZD0PKFDmtQ4comr25Oo+eUf1N7jSpRPOWJNxoyS9/coQUPp1Gpbk7khYHjGn7f5a
+0L0QSDGCmt2JT3ty28UAsGznFzC5Qu9KyaR+9Gk4aftiyKxrYWZkgtJmMRU+C1X2
-EZqQ4Hmwwh50uT+vKVxDAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAHaywC7ZLOi
+kFLOHsucGmJswjwubSR7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEdlmXVGy86P
-3PKlidj6PWe33dEVsDL6RRb3cOqR86Ld2aD91oLrpELRhz4v2mt/GfQMIg7rc6z7
+XIX5a4ZmHQ5Ns4wm7rY8vzUxlymEQ86En1PN1zAO9gV94tLyNeMptjsFEEo/uJhC
-26SuPzV/7zZAv1N/vGoIFyvBXWLYP5qCwUrmykcH/wfFM80S6FJxz5Wy5MA5UzTB
+Yvg3l5TIr/WCiY2+2XsSHvnbXrlbF3S0fRHa9VaCMRKjzRT68uq2Y891906YGtUE
-HdpiQCPu4U0IKgATLDraz0xlQ61Rog56YhgJI8ulHuav5iYxqV2mwU09Hs0kXPJ7
+m6fCjHqVzX8qaplDf79aVkPydYaYOIZ1a/mCfQcD9XMZ/v5zI9IUDhdoq97bgPhB
-g0PLRaSyidsXafxBKukeM9QHl8z8HN8er23oqecYo59b/Bt0c6jSrJCK39EUcoLP
+gBOzWLI+hkzyU8jxKAFw1Hwi9lD/P6RXL5arNb/+arOgA3vTW+xGWGevgjVK1Ay9
-HxR+Ma1SPhVKGqa3lPmaoAzsFTqaJ6fsIcbp+oEFAq0LPeqMPK7u3ygT4iTblAl8
+81beWiQmn0KbeLZxj+WJ9Nntlf1M4EqPYgsSYs/IlJTYS8W1B0mDJEoovPdFTryY
-q3isCz4Ytx4=
+GyIuQEVcjUE=
 -----END CERTIFICATE-----

test/tls/server.key

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkXzX0xQIZzKVX
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCu48qtIDwmihFq
-8/lDQh5lSHr5U9cBL+kURA3fEgl3ks9KjZPggfxWl4Y5dekChW/siknVssoNw9vI
+j2HY3dZjPfROA1MJ+D0c6aEA08ooOczthLB7XdZBQDapj8LFldyt4ZMbTkqtF5Qt
-1W25qtQ81zRFQbHbpej0lLdYsS8/yZCuAVjMTp6Q9IswTwhVA6OD5orag5dH3XQH
+PXmJY0wi39foLYlcGXPL1b7y3mypaFou88BcSM3VmfILKXhNeAltrXevnuT5kDU7
-+GsnmGXRCY7Gs93onAe3i3ShX9qpUFOJXyxCX+pLAC6kWQ3f/HI8dujVXKsg1vHg
+sLVgKGhGwas20T1MU7d0I3bQ5z5c7egL76Hk9fYucjN6RkbwlrJ3TrCXrGIziofn
-OgGqQGwnh8gm5OeWUeuTMdD2v7Hn1OxilgNMbcewA7bpvipgm2xtZD0PKFDmtQ4c
+3Zq1t51ygv21c80JD3XJ44YmuCrede4rhOS/4NpwRuZyiwpJ6tlv0L0QSDGCmt2J
-omr25Oo+eUf1N7jSpRPOWJNxoyS9/coQUPp1Gpbk7khYHjGn7f5aEZqQ4Hmwwh50
+T3ty28UAsGznFzC5Qu9KyaR+9Gk4aftiyKxrYWZkgtJmMRU+C1X2kFLOHsucGmJs
-uT+vKVxDAgMBAAECggEBAL91kybChCBdEcHLKQ7aP+FqAq9FOtwj7qSu6XI7DPTS
+wjwubSR7AgMBAAECggEAH9t6teKjUlngJksMBdcTEGzerb9JRw2jBDtCisYJkx5E
-gDdgurleQM/X+Q/zaoZSmKMWzQ/79KnVqk2VoYgnUAgx5ACsMxCS59slUxFoetRf
+SBfdlftX5fbufiCj2B4eXsYyZ8zxKWqcIUmLdA1Udx3TVIXG+bHhOAYtjEwb+xf5
-iIxZVLj0sLuWSZsWp0We51eN0Juh9xKo9r435p4rhjDacnjkEwcQyOd4Yy9nzUpk
+JYhdR/IzHG+4eXQKaAIvpXztyl3lU9iC+eaMg4GYzRrGN2wSAG9XgZ5cLF2TLJYU
-GDD5Vu1J9bOOKUQZ0qgjPyl/xWiwD1yfGJ0nHpQ5ucfrCO9p+n7SYsx01WcAkC8J
+jPxp7goz9X6V57aL2G/EFlbFsMaI/6cW7+XoRdo0I4N2Z766gz7GgyxtTVwR5Peq
-WP9XSXgi5uIefTWb/4m2b32jzjIgzAHkNx6yktRTjBJ7QILnKq1P8JjkNA/Awj4P
+LjOpqSNS0W57KJxReURfySok9CP1DfyigopsYW8O4jGVDDRLdiN3I8+JhWya2E0j
-OxAz9hHHnVRuq4ZlEqfvo9p9YAbN2IH5TnmN3rGCXwECgYEA9JitVIeXCS0qIMFA
+96hHpN04Oz6HnMm7bdZDVtkZCOiu6xIzLJJxZ4o+kQKBgQDYqOA/hSod7s7w4LBE
-dKCmm9CT7JXccdpVllwaaYCNTb+G2RBrJqAvQEetoYJodWTIm1mNwSEORFFw0W+N
+A6Mp+e0//PYH6/N9SKmSIgQNec9bMGI4yanoblMbg4GM1g7pkvjlC0nTdjnUbLkB
-eaMzibJoJ+MZHRhiulDJaY0vwAKHkSJjDPJrPLgGMCUOLiWSAAnR4z35WfeY0e//
+vIvtVh3XwTIlrZ/4lc7VB23/hmKU+lRc+NJP5fgasAQu0W3+qp2cXo0pnHVwBEku
-JbdZZemrJRyzy3o6rkRN9TQcUMUCgYEA7wTj5w5GZ8NQ7Nn8nIS2ayk+woIMHS+g
+Z7FwDPX0JNDIi/Or2I7dt8JojQKBgQDOpU1AnIXv1/cToYK4nz8BWLxRxwLTxy5A
-RVFufJoBeopsNJfNzGak0s+nz5q0nMGMzQsxXkbmAOLMTU3woQ7cEGjkLAfoch23
+ucafNKacPlxb5luZRCExiPZwAM8Z3zI9o99rYXOPQmsnknZWJV66Zx0Vo0yTD1CT
-ACOe7M4rZbIk6kVNOlFESWdVdWViVd/B2a7oBqOIykoqX6VSqqrw+xghAUmd/2W1
+DWMUj0ugI1wORNMhwZP6YBYWjAeupyU9a7FyU1Geg4sdQt5rMyAEQOoECc8x8foP
-uxjg9v01OWcCgYApE5LYRUUKF3mhspKeg3Q3apnM+4Xf4OjKrYEKArq4OdftkCJO
+rySHuO/TJwKBgBjMM2ZxymFErQDa5rHSLMGoLmRtgodjlSnYwDfOluIn9/i67/MJ
-hEwrIV55Zysfu+Mso6d4rZJ1yq+FnJRHvy6ii0GOoUbQag36eCK7BSjluAcISpwT
++d11iyOSCKji8y/+t2gXw6plVLcgfohZWTaf7ah9H006sx2Tn+m4APoHGo9sm21M
-yopT0hvH7hEpksmoE/4ZiYjcoQYbC5DvxpDO2qURQHa5TzeXmIT3Dt9KeQKBgQC6
+uV2Vt7DuRnxJUiqcwo9cLxH9K1/Xzbx299MYWKpJ8G+TvR8FGUz9NE4dAoGAM5gs
-UKeOXrRHAhs85ZdiMpk340jGujTTM2LNZfKoMixg5zH9tS9427IzmicHT2LmpoEo
+KKSsAE1QwFMEG2qPRZvNMTHaL9w8XSbFQ7zWmI4tazihyCutifujZCWfj9sdZSyE
-/EaZZM65dhEnWU/vW/Py3rCuGeP5wGv8Mcgac4OknD7mVusiQGLojSIyhrsmkWs8
+PQBQ5QT1UiUMbMfZ1fqm1V83YERjnsOp6Fk6zZnmgx2GBZiahNn2ydxekqni72nz
-UnkPY76nYTSypd5Qpzt9n4tqw4XjpdcJZxVFso8glQKBgQCHlb15As73En/Q2AxL
+HRNWfphjZIPsmqFiLg2zIBz+4X6EK+RT35s6LeMCgYEAwF/9jX8kONW5KKZdoNHa
-5FY1Q1lLuO8y33ZZIRK4eynOKkbiuAh7X+ONZ4T9NtTm2J7mnltvTHZ7yeOI+VLS
+opkLpa9qkwTGQ9M3AZiRUjM4rtvggYt8FBEP+3BLDLHqfUOkPq82MCRXm+6Cz+sT
-LrTTBwnnNfdpp8UVPQlwzeizoDqSbr1sjFYvKOfdDDfxuzieT/4tfW9VTAxn4uOg
+gyPnsPlAh/sr3Pys3olJbUDE9H24k1LU0CI/sSwAFkka0+Q7PVTTe/Dcavitrcrm
-qpg7aRMUYUuLAH+S5atdOqXB+g==
++fyiT2oSPZeHSjQE9iIW3OY=
 -----END PRIVATE KEY-----

web/installations/Installation1/servers/mqweb/mqwebuser.xml

@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<server>
-    <featureManager>
-        <feature>appSecurity-2.0</feature>
-    </featureManager>
-    <enterpriseApplication id="com.ibm.mq.console">
-        <application-bnd>
-            <security-role name="MQWebAdmin">
-                <group name="MQWebUI" realm="defaultRealm"/>
-            </security-role>
-        </application-bnd>
-    </enterpriseApplication>
-    <enterpriseApplication id="com.ibm.mq.rest">
-        <application-bnd>
-            <security-role name="MQWebAdmin">
-                <group name="MQWebUI" realm="defaultRealm"/>
-            </security-role>
-            <security-role name="MQWebUser">
-                <group name="MQWebMessaging" realm="defaultRealm"/>
-            </security-role>
-        </application-bnd>
-    </enterpriseApplication>
-    <variable name="httpHost" value="*"/>
-    <include location="tls.xml"/>
-</server>

web/installations/Installation1/servers/mqweb/mqwebuser.xml.tpl

@@ -1,47 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<server>
-    <featureManager>
-        <feature>openidConnectClient-1.0</feature>
-        <feature>ssl-1.0</feature>
-    </featureManager>
-    <enterpriseApplication id="com.ibm.mq.console">
-        <application-bnd>
-            <security-role name="MQWebAdmin">
-                <group name="MQWebUI" realm="defaultRealm"/>
-                {{- range $index, $element := .AdminUser}}
-                <user name="admin{{$index}}" access-id="{{.}}"/>
-                {{- end}}
-            </security-role>
-        </application-bnd>
-    </enterpriseApplication>
-    <enterpriseApplication id="com.ibm.mq.rest">
-        <application-bnd>
-            <security-role name="MQWebAdmin">
-                <group name="MQWebUI" realm="defaultRealm"/>
-            </security-role>
-            <security-role name="MQWebUser">
-                <group name="MQWebMessaging" realm="defaultRealm"/>
-            </security-role>
-        </application-bnd>
-    </enterpriseApplication>
-    <openidConnectClient id="mqclient"
-        clientId="${env.MQ_OIDC_CLIENT_ID}"
-        clientSecret="${env.MQ_OIDC_CLIENT_SECRET}"
-        uniqueUserIdentifier="${env.MQ_OIDC_UNIQUE_USER_IDENTIFIER}"
-        authorizationEndpointUrl="${env.MQ_OIDC_AUTHORIZATION_ENDPOINT}"
-        tokenEndpointUrl="${env.MQ_OIDC_TOKEN_ENDPOINT}"
-        scope="openid profile email"
-        inboundPropagation="supported"
-        jwkEndpointUrl="${env.MQ_OIDC_JWK_ENDPOINT}"
-        signatureAlgorithm="RS256"
-        issuerIdentifier="${env.MQ_OIDC_ISSUER_IDENTIFIER}">
-    </openidConnectClient>
-    <variable name="httpHost" value="*"/>
-    <variable name="managementMode" value="externallyprovisioned"/>
-    <jndiEntry jndiName="xframeAllowedSourceList" value="${env.MQ_HOSTS}"/>
-    <keyStore id="MQWebKeyStore" location="/run/tls/key.jks" type="JKS" password="password"/>
-    <keyStore id="MQWebTrustStore" location="/run/tls/trust.jks" type="JKS" password="password"/>
-    <ssl id="thisSSLConfig" clientAuthenticationSupported="true" keyStoreRef="MQWebKeyStore" trustStoreRef="MQWebTrustStore" sslProtocol="TLSv1.2" serverKeyAlias="default"/>
-    <sslDefault sslRef="thisSSLConfig"/>
-    <httpDispatcher enableWelcomePage="false" appOrContextRootMissingMessage='&lt;script&gt;document.location.href="/ibmmq/console";&lt;/script&gt;' />
-</server>