Merge pull request #2 from ibm-messaging/tls-connections

matrober-uk · web-flow · commit 1718dec78b8a · 2019-09-07T19:05:28.000+01:00
Support anonymous and mutual TLS connections
diff --git a/README.md b/README.md
@@ -112,6 +112,7 @@ generally replace the various "assert" calls that test the successful execution
 your own error handling or logging.
 * Creating a ConnectionFactory that uses a client connection to a remote queue manager - [connectionfactory_test.go](connectionfactory_test.go)
 * Creating a ConnectionFactory that uses a bindings connection to a local queue manager - [local_bindings_test.go](local_bindings_test.go)
+* Create a connection using anonymous (one-way) TLS encryption or mutual TLS authentication - [tls_connections_test.go](tls_connections_test.go)
 * Send/receive a text string - [sample_sendreceive_test.go](sample_sendreceive_test.go)
 * Send a message as Persistent or NonPersistent - [deliverymode_test.go](deliverymode_test.go)
 * Get by CorrelationID - [getbycorrelid_test.go](getbycorrelid_test.go)
diff --git a/mqjms/ConnectionFactoryImpl.go b/mqjms/ConnectionFactoryImpl.go
@@ -30,6 +30,15 @@ type ConnectionFactoryImpl struct {
 	Password    string
 
 	TransportType int // Default to TransportType_CLIENT (0)
+
+	// Equivalent to SSLCipherSpec and SSLClientAuth in the MQI client, however
+	// the names have been updated here to reflect that SSL protocols have all
+	// been discredited.
+	TLSCipherSpec string
+	TLSClientAuth string // Default to TLSClientAuth_NONE
+
+	KeyRepository    string
+	CertificateLabel string
 }
 
 // CreateContext implements the JMS method to create a connection to an IBM MQ
@@ -50,6 +59,34 @@ func (cf ConnectionFactoryImpl) CreateContext() (jms20subset.JMSContext, jms20su
 		cd.ConnectionName = cf.Hostname + "(" + strconv.Itoa(cf.PortNumber) + ")"
 		cno.ClientConn = cd
 
+		// Fill in the fields relating to TLS channel connections
+		if cf.TLSCipherSpec != "" {
+			cd.SSLCipherSpec = cf.TLSCipherSpec
+		}
+
+		switch cf.TLSClientAuth {
+		case TLSClientAuth_REQUIRED:
+			cd.SSLClientAuth = ibmmq.MQSCA_REQUIRED
+		case TLSClientAuth_NONE:
+		case "":
+			cd.SSLClientAuth = ibmmq.MQSCA_OPTIONAL
+		default:
+			cd.SSLClientAuth = -1 // Trigger an error message
+		}
+
+		// Set up the reference to the key repository file, if it has been specified.
+		if cf.KeyRepository != "" {
+			sco := ibmmq.NewMQSCO()
+			sco.KeyRepository = cf.KeyRepository
+
+			if cf.CertificateLabel != "" {
+				sco.CertificateLabel = cf.CertificateLabel
+			}
+
+			cno.SSLConfig = sco
+
+		}
+
 	} else if cf.TransportType == TransportType_BINDINGS {
 
 		// Indicate to use Bindings connections.
diff --git a/mqjms/Constants.go b/mqjms/Constants.go
@@ -16,3 +16,11 @@ const TransportType_CLIENT int = 0
 // Used to configure the TransportType property of the ConnectionFactory,
 // to use a local bindings connection to the queue manager
 const TransportType_BINDINGS int = 1
+
+// Used to configure the TLSClientAuth property to indicate that a client
+// certificate should not be sent.
+const TLSClientAuth_NONE string = "NONE"
+
+// Used to configure the TLSClientAuth property to indicate that a client
+// certificate must be sent to the queue manager, as part of mutual TLS.
+const TLSClientAuth_REQUIRED string = "REQUIRED"
diff --git a/tls-samples/DigiCertRootCA.pem b/tls-samples/DigiCertRootCA.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+-----END CERTIFICATE-----
diff --git a/tls-samples/README.md b/tls-samples/README.md
@@ -0,0 +1,107 @@
+# Running the TLS tests
+The TLS connection tests found in [tls_connections_test.go](../tls_connections_test.go)
+demonstrate how to configure two different patterns of TLS;
+- Anonymous ("one way") TLS to encrypt traffic between the client application
+and the queue manager
+- Mutual TLS authentication, where the client application also authenticates itself
+to the queue manager by providing a client certificate
+
+In order to successfully run the TLS examples you must first apply some specific
+configuration to your queue manager using the following three steps;
+
+
+## Step 1: Define the queue manager channels
+The tests assume that two new channels have been created on the queue manager - one
+to demonstrate anonymous TLS, and the other for mutual TLS.
+
+You can define the necessary channels by executing the following runmqsc commands
+against your queue manager. Note that if your queue manager is configured to block
+all access by default (for example a queue manager hosted by the [IBM MQ on Cloud service](https://cloud.ibm.com/catalog/services/mq) or using the developer configuration for the [public MQ Docker container](https://github.com/ibm-messaging/mq-container/blob/6c72c894f775752a8ec8944d73dde4264711f0ff/incubating/mqadvanced-server-dev/10-dev.mqsc.tpl#L42))
+then you will also need to execute the `SET CHLAUTH` command associated with each
+channel, otherwise you will receive a `MQRC_NOT_AUTHORIZED` after the TLS
+connection has been established.
+```
+DEFINE CHANNEL(TLS.ANON.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12) SSLCAUTH(OPTIONAL) REPLACE
+SET CHLAUTH(TLS.ANON.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) DESCR('Allow applications to connect') ACTION(REPLACE)
+
+DEFINE CHANNEL(TLS.MUTUAL.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12) SSLCAUTH(REQUIRED) REPLACE
+SET CHLAUTH(TLS.MUTUAL.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(REQUIRED) DESCR('Allow applications to connect') ACTION(REPLACE)
+```
+
+
+## Step 2: Import the queue manager certificate into the client key store
+The [anon-tls.kdb](anon-tls.kdb) and [mutual-tls.kdb](mutual-tls.kdb) files are
+keystores that contain certificates that are used when the test applications
+connect to the queue manager.
+
+The keystores have been configured to contain the public certificate for the DigiCert Root
+certificate authority (CA) so that the tests will automatically work against any
+queue manager that presents a certificate issued by DigiCert (such as queue
+managers hosted by the IBM MQ on Cloud service), however if your queue manager
+uses a certificate issued by a different certificate authority then you will need
+to import the public part of that certificate into both of the keystores in order
+for the tests to pass.
+
+To do this, obtain a copy of the public certificate for your queue manager in PEM
+format, and import it into each of the keystores as follows;
+```
+gsk8capicmd -cert -add -db anon-tls.kdb -file MyQMgrCert.pem -label MyQMgrCert -stashed -type kdb -format ascii
+gsk8capicmd -cert -add -db mutual-tls.kdb -file MyQMgrCert.pem -label MyQMgrCert -stashed -type kdb -format ascii
+```
+Note that the `gsk8capicmd` command is included in the [IBM MQ redistributable client installation](https://ibm.biz/mq91cdredistclients)
+in the `./gskit8/bin` directory, or if you have a local queue manager installation
+then you can substitute that command for the `ikeycmd` command instead.
+
+
+## Step 3: Import the client certificate into the queue manager key store
+For the mutual TLS scenario you must also configure the queue manager so that it
+trusts the certificate that will be presented by the client application. The client
+will present the certificate with the label `SampleClientA` in [mutual-tls.kdb](mutual-tls.kdb),
+but for convenience the same certificate is also included in this directory
+as [SampleClientA.pem](SampleClientA.pem).
+
+The technique for importing the client certificate into the queue manager keystore
+depends on the type of queue manager you are using, for example;
+- For IBM MQ on Cloud queue managers you can import the certificate into the Trust
+Store as [described here](https://cloud.ibm.com/docs/services/mqcloud?topic=mqcloud-mqoc_jms_tls#twoway_mqoc_jms_tls)
+- For software installed MQ queue managers on Linux, use the `runmqckm` command [as described here](https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q012830_.htm)
+
+Note that in both cases you must refresh the queue manager security configuration
+in order for the new certificate to take effect - for example by executing the
+runmqsc command `REFRESH SECURITY TYPE(SSL)` or equivalent.
+
+
+## Reference: Creating your own key store files
+The [anon-tls.kdb](anon-tls.kdb) and [mutual-tls.kdb](mutual-tls.kdb) files in
+this directory have been pre-defined for use with the TLS tests defined in this
+repository, however you will create equivalent files for use with your own
+applications.
+
+The following commands demonstrate how the pre-defined files were created using
+the `gsk8capicmd` command. As noted above this command is supplied with the IBM
+MQ redistributable client installation, but if you have a local queue manager
+installation then you can substitute the `ikeycmd` command instead.
+
+```
+# Create the anon-tls key store
+gsk8capicmd -keydb -create -db anon-tls.kdb -pw myKeystorePW -type kdb -expire 0 -stash
+
+# Import the DigiCert Root CA certificate so that queue managers with certificates
+# issued by that CA will be trusted by default
+gsk8capicmd -cert -add -db anon-tls.kdb -file DigiCertRootCA.pem -label DigiCertRootCA -stashed -type kdb -format ascii
+
+# Create the mutual-tls key store
+gsk8capicmd -keydb -create -db mutual-tls.kdb -pw myMutualKeystorePW -type kdb -expire 0 -stash
+
+# Import the DigiCert Root CA certificate so that queue managers with certificates
+# issued by that CA will be trusted by default
+gsk8capicmd -cert -add -db mutual-tls.kdb -file DigiCertRootCA.pem -label DigiCertRootCA -stashed -type kdb -format ascii
+
+# Create a new self-signed private key and certificate inside the mutual-tls keystore.
+# The client will present this certificate to identify itself to the queue manager
+gsk8capicmd -cert -create -db mutual-tls.kdb -pw myMutualKeystorePW -sig_alg SHA256WithRSA -expire 3650 -label SampleClientA -dn "O=Sample Client Corporation, C=UK"
+
+# Extract the public part of the self-signed certificate so that it can be added
+# to the queue manager keystore in order that the queue manager trust the client
+gsk8capicmd -cert -extract -db mutual-tls.kdb -pw myMutualKeystorePW -label SampleClientA -target SampleClientA.pem
+```
diff --git a/tls-samples/SampleClientA.pem b/tls-samples/SampleClientA.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICITCCAYqgAwIBAgIIOQlzLC+tO3cwDQYJKoZIhvcNAQELBQAwMTELMAkGA1UE
+BhMCVUsxIjAgBgNVBAoTGVNhbXBsZSBDbGllbnQgQ29ycG9yYXRpb24wHhcNMTkw
+OTA0MTgzNjA4WhcNMjkwOTAyMTgzNjA4WjAxMQswCQYDVQQGEwJVSzEiMCAGA1UE
+ChMZU2FtcGxlIENsaWVudCBDb3Jwb3JhdGlvbjCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAv+dovBFeunMYwf+iN3viHwx5LJ4zgR0YLdedFXBiWocSs5P2TXfg
+JXtSTqHYKXnfD25JXc2EJP6mqftvRovHWoOZ0p2EM1V1my4erojvEiEZJaK3yHIT
+VNkF5ceTpco6VK++GJl7ElTbnpSs5YlIMsfwIpknpYzPp4F6J+RI4PsCAwEAAaNC
+MEAwHQYDVR0OBBYEFHpB4uZu1Wfqy1IgWKmsQHhhLHZ9MB8GA1UdIwQYMBaAFHpB
+4uZu1Wfqy1IgWKmsQHhhLHZ9MA0GCSqGSIb3DQEBCwUAA4GBAKJmISVSOOYkgU8T
+z+PYZyNgmxInnO8CPHyOXSCSwNPhQEh++5bwUt7+Ogvfmq5Xtl1m0u479L46yosd
+j7M3q4CizNcpyQBLzgP5BbCoebcnNqakbeZ9MmA+fWnFyKSWtT2868LbKg2mezvA
+MgcCMXwzVgAQQfVQFevRdPLgVbdl
+-----END CERTIFICATE-----
diff --git a/tls-samples/anon-tls.kdb b/tls-samples/anon-tls.kdb
diff --git a/tls-samples/anon-tls.sth b/tls-samples/anon-tls.sth
@@ -0,0 +1 @@
+��5��(<9<늳Y�DoS��~NM�耒�Q�k�@�>m�(\h���� "&b*ï|&:B��Lw�S�#.d��?kR����U�'�	�/��S��,�k�?CwTԡUo�&�y�jJ�J��Wh��=�ec.��#�	I�-���Zʀ���]���9�G�M�	BË�&�n�)��H���,�'��3�`
diff --git a/tls-samples/mutual-tls.kdb b/tls-samples/mutual-tls.kdb
diff --git a/tls-samples/mutual-tls.sth b/tls-samples/mutual-tls.sth
@@ -0,0 +1,3 @@
+�	Sh���b�4w�������q��n0[��숛�14Y��-�
+�V�78�2�@�,e��s��G�"K%q�'����X#:�&îq��P^jZQ���G$d�,�в�ƖV)c���\�tճ��@�I���
+49c9'zN�ǈ���}�6�9�ZpH���߹�:��&ϫ~4��Ã�"Exі�~
diff --git a/tls_connections_test.go b/tls_connections_test.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+��5��(<9<늳Y�DoS��~NM�耒�Q�k�@�>m�(\h�� "&b*ï\|&:B��Lw�S�#.d��?kR��U�'� �/��S��,�k�?CwTԡUo�&�y�jJ�J��Wh��=�ec.��#� I�-��Zʀ��]��9�G�M� BË�&�n�)��H��,�'��3�`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+� Sh��b�4w��q��n0[��숛�14Y��-�`
	`2`	`+�V�78�2�@�,e��s��G�"K%q�'��X#:�&îq��P^jZQ��G$d�,�в�ƖV)c��\�tճ��@�I��`
	`3`	`+49c9'zN�ǈ��}�6�9�ZpH��߹�:��&ϫ~4��Ã�"Exі�~`