From 8eb937b8e07898b33bff4182053d20b237b02600 Mon Sep 17 00:00:00 2001
From: Rob Parker
Date: Mon, 30 Apr 2018 10:36:55 +0100
Subject: [PATCH 1/2] ensure we use '' round blank for SSLCIPH

---
 cmd/runmqdevserver/tls.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/runmqdevserver/tls.go b/cmd/runmqdevserver/tls.go
index b0aa314d..c49c7a27 100644
--- a/cmd/runmqdevserver/tls.go
+++ b/cmd/runmqdevserver/tls.go
@@ -128,7 +128,7 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 	if os.Getenv("MQ_DEV") == "true" {
 		sslCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256"
 	} else {
-		sslCipherSpec = ""
+		sslCipherSpec = "' '"
 	}
 	const mqsc string = "/etc/mqm/20-dev-tls.mqsc"

From 04bb404eeeeedd22edf398a3112dcae3106692c7 Mon Sep 17 00:00:00 2001
From: Rob Parker
Date: Mon, 30 Apr 2018 13:54:09 +0100
Subject: [PATCH 2/2] Fix TLS logic so containers can be started multiple times

---
 cmd/runmqdevserver/keystore.go | 43 ++++++++++++++++++++++++----------
 cmd/runmqdevserver/tls.go | 13 +++++++++-
 2 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/cmd/runmqdevserver/keystore.go b/cmd/runmqdevserver/keystore.go
index 7a57b477..87eac87c 100644
--- a/cmd/runmqdevserver/keystore.go
+++ b/cmd/runmqdevserver/keystore.go
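Review bot: The new literal `"' '"` on the added line reads like a typo and needs a comment at the assignment explaining the quoting, since the subject line is the only place that says why a quoted blank is required: `// MQSC expects SSLCIPH(' ') (a quoted blank) to clear the cipher spec; a bare "" would not produce that`. The same comment should state plainly that this branch leaves the channel with no cipher spec whenever MQ_DEV is not "true", so a reader does not assume TLS is configured in that mode. The enclosing configureTLS starts before and continues after the hunk.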
@@ -56,14 +56,31 @@ func NewCMSKeyStore(filename, password string) *KeyStore {
 // Create a key store, if it doesn't already exist
 func (ks *KeyStore) Create() error {
 	_, err := os.Stat(ks.Filename)
-	if err != nil {
-		if os.IsNotExist(err) {
-			_, _, err := command.Run(ks.command, "-keydb", "-create", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
-			if err != nil {
-				return fmt.Errorf("error running \"%v -keydb -create\": %v", ks.command, err)
-			}
+	if err == nil {
+		// Keystore already exists so we should refresh it by deleting it.
+		extension := filepath.Ext(ks.Filename)
+		log.Debugf("Refreshing keystore: %v", ks.Filename)
+		if ks.keyStoreType == "cms" {
+			// Only delete these when we are refreshing the kdb keystore
+			stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
+			rdbFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".rdb"
+			crlFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".crl"
+			os.Remove(stashFile)
+			os.Remove(rdbFile)
+			os.Remove(crlFile)
 		}
+		os.Remove(ks.Filename)
+	} else if !os.IsNotExist(err) {
+		// If the keystore exists but cannot be accessed then return the error
+		return err
 	}
+
+	// Create the keystore now we're sure it doesn't exist
+	out, _, err := command.Run(ks.command, "-keydb", "-create", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
+	if err != nil {
+		return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
+	}
+
 	mqmUID, mqmGID, err := command.LookupMQM()
 	if err != nil {
 		log.Error(err)
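Review bot: The `os.Remove` calls added in the refresh branch discard their errors, so if `os.Remove(ks.Filename)` fails for any reason other than the file being absent, the `-keydb -create` that follows runs against a keystore that still exists and the failure only surfaces later with a less useful message; at least the removal of the keystore itself should be checked: `if err := os.Remove(ks.Filename); err != nil && !os.IsNotExist(err) { return fmt.Errorf("removing keystore %v: %v", ks.Filename, err) }`. The doc comment `// Create a key store, if it doesn't already exist` on the first context line is now wrong: the function deletes an existing keystore (and its .sth/.rdb/.crl siblings for cms) before recreating it, so anything imported on a previous start is lost, and the comment should say so, e.g. `// Create creates a fresh key store, deleting any existing one (and its stash, rdb and crl files for cms) so a restarted container starts clean`. Surfacing the tool's `out` via `%s` in the error is new here and in the CreateStash, Import, GetCertificateLabels and RenameCertificate hunks; since each command receives `-pw ks.Password` on its command line, it is worth confirming that the tool's stdout never echoes its arguments before that output is written into logged errors. Create's body continues past the hunk.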
@@ -85,9 +102,9 @@ func (ks *KeyStore) CreateStash() error {
 	_, err := os.Stat(stashFile)
 	if err != nil {
 		if os.IsNotExist(err) {
-			_, _, err := command.Run(ks.command, "-keydb", "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+			out, _, err := command.Run(ks.command, "-keydb", "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
 			if err != nil {
-				return fmt.Errorf("error running \"%v -keydb -stashpw\": %v", ks.command, err)
+				return fmt.Errorf("error running \"%v -keydb -stashpw\": %v %s", ks.command, err, out)
 			}
 		}
 		return err
@@ -107,9 +124,9 @@ func (ks *KeyStore) CreateStash() error {
 // Import imports a certificate file in the keystore
 func (ks *KeyStore) Import(inputFile, password string) error {
-	_, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
+	out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
 	if err != nil {
-		return fmt.Errorf("error running \"%v -cert -import\": %v", ks.command, err)
+		return fmt.Errorf("error running \"%v -cert -import\": %v %s", ks.command, err, out)
 	}
 	return nil
 }
@@ -118,7 +135,7 @@ func (ks *KeyStore) Import(inputFile, password string) error {
 func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
 	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
 	if err != nil {
-		return nil, fmt.Errorf("error running \"%v -cert -list\": %v", ks.command, err)
+		return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
 	}
 	scanner := bufio.NewScanner(strings.NewReader(out))
 	var labels []string
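Review bot: `out, _, err := command.Run(...)` on the added line declares a new `err` that shadows the one returned by `os.Stat`, so after the stash is created successfully the code falls through to the context line `return err` with the original not-exist error still set and CreateStash reports a failure for a successful run; the commit keeps the shadowing the old line already had. Unless this branch is in practice unreachable because Create's `-stash` has already written the file, declare `var out string` before the call and assign with `out, _, err = command.Run(...)` so that `return err` reflects the command's result. The same `out` capture appears in the Import, GetCertificateLabels and RenameCertificate hunks, but there the declaration is at function scope and nothing is shadowed. CreateStash's body begins before and ends after the hunk.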
@@ -138,9 +155,9 @@ func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
 // RenameCertificate renames the specified certificate
 func (ks *KeyStore) RenameCertificate(from, to string) error {
-	_, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
+	out, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
 	if err != nil {
-		return fmt.Errorf("error running \"%v -cert -rename\": %v", ks.command, err)
+		return fmt.Errorf("error running \"%v -cert -rename\": %v %s", ks.command, err, out)
 	}
 	return nil
 }
diff --git a/cmd/runmqdevserver/tls.go b/cmd/runmqdevserver/tls.go
index c49c7a27..7e6ed2c0 100644
--- a/cmd/runmqdevserver/tls.go
+++ b/cmd/runmqdevserver/tls.go
@@ -51,10 +51,21 @@ func configureWebTLS(cms *KeyStore) error {
 	if err != nil {
 		return err
 	}
-	err = os.Rename(newTLSConfig, tlsConfig)
+	// we symlink here to prevent issues on restart
+	err = os.Symlink(newTLSConfig, tlsConfig)
 	if err != nil {
 		return err
 	}
+	mqmUID, mqmGID, err := command.LookupMQM()
+	if err != nil {
+		log.Error(err)
+		return err
+	}
+	err = os.Chown(tlsConfig, mqmUID, mqmGID)
+	if err != nil {
+		log.Error(err)
+		return err
+	}
 	return nil
 }
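Review bot: `os.Symlink(newTLSConfig, tlsConfig)` returns an error when `tlsConfig` already exists, so if the link written by a previous start survives a restart this line now fails where the replaced `os.Rename` overwrote the file in place; the paths are not visible here, but if `tlsConfig` can persist, drop the stale entry first: `if err := os.Remove(tlsConfig); err != nil && !os.IsNotExist(err) { return err }`. `os.Chown(tlsConfig, mqmUID, mqmGID)` follows the symlink, so the ownership change lands on `newTLSConfig` while the link itself keeps the creating user's ownership; if the link is what should belong to mqm use `os.Lchown`, otherwise record the intent, e.g. `// Chown follows the link: this sets the owner of newTLSConfig, the file mqm actually reads`. The comment `// we symlink here to prevent issues on restart` should name the issue being prevented rather than just asserting one exists. configureWebTLS starts before the hunk.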