12.0.1.0-r4 update (#169)

Author: IBMRob

README.md

@@ -14,8 +14,7 @@ For information of building images with IBM MQ Advanced please refer to [IBM App
 
 The IBM App Connect operator now supports a single image which includes both the ACE server runtime as well as an MQ client. This readme will describe how you can build an equivalent image.
 
-A pre-built developer edition image can be found at dockerhub - [ibmcom/ace-server](https://hub.docker.com/r/ibmcom/ace-server)
-A pre-built production edition image can be found on IBM Entitled Registry - [Obtaining the IBM App Connect Enterprise server image from the IBM Cloud Container Registry](https://www.ibm.com/docs/en/app-connect/11.0.0?topic=aciccd-obtaining-app-connect-enterprise-server-image-from-cloud-container-registry)
+Pre-built developer and production edition image can be found on IBM Container Registry - [Obtaining the IBM App Connect Enterprise server image from the IBM Cloud Container Registry](https://www.ibm.com/support/knowledgecenter/en/SSTTDS_11.0.0/com.ibm.ace.icp.doc/certc_install_obtaininstallationimageser.html)
 
 
 ## Building a container image
@@ -28,7 +27,19 @@ Choose if you want to have an image with just App Connect Enterprise or an image
 
 ### Building a container image which contains an IBM Service provided fix for ACE
 
-You may have been provided with a fix for App Connect Enterprise by IBM Support, this fix will have a name of the form `12.0.X.Y-ACE-LinuxX64-TF12345.tar.gz`. In order to apply this fix follow these steps.
+You may have been provided with a fix for App Connect Enterprise by IBM Support, this fix will have a name of the form `12.0.X.Y-ACE-LinuxX64-TF12345.tar.gz`. This fix can be used to create a container image in one of two different ways:
+
+#### Installation during container image build
+This method builds a new container image derived from an existing ACE container image and applies the ifix using the standard `mqsifixinst.sh` script. The ifix image can be built from any existing ACE container image, e.g. `ace-only`, `ace-mqclient`, or another ifix image. Simply build `Dockerfile.ifix` passing in the full `BASE_IMAGE` name and the `IFIX_ID` arguments set:
+
+```bash
+docker build -t ace-server:12.0.x.y-r1-tfit12345 --build-arg BASE_IMAGE=ace-server:12.0.x.y-1 --build-arg IFIX_ID=12.0.X.Y-ACE-LinuxX64-TFIT12345 --file ubi/Dockerfile.ifix path/to/folder/containing/ifix
+```
+
+#### Pre-applying the fix to the ACE install image
+This method applies the ifix directly to the ACE installation image that is consumed to make the full container image. **NB**: Only follow these instructions if you have been instructed by IBM Support to "manually install" the ifix, or that the above method is not applicable to your issue. If you follow these instructions then the ifix ID will _not_ appear in the output of `mqsiservice -v`.
+
+In order to apply this fix manually follow these steps.
  - On a local system extract the App Connect Enterprise archive
    `tar -xvf ace-12.0.1.0.tar.gz`
  - Extract the fix package into expanded App Connect Enterprise installation
@@ -103,6 +114,8 @@ In the `sample` folder there is an example on how to build a server image with a
 - **ACE_ADMIN_SERVER_CERT** - Set this to your Integration Server SSL certificate.
 - **ACE_ADMIN_SERVER_KEY** - Set this to your Integration Server SSL key certificate.
 
+- **FORCE_FLOW_HTTPS** - Set to 'true' and the *.key and *.crt present in `/home/aceuser/httpsNodeCerts/` are used to force all your flows to use https 
+
 ## How to dynamically configure the ACE Integration Server
 
 To enable dynamic configuration of the ACE Integration Server, this setup supports configuration injected into the image as files.

ace_config_bar_overrides.sh

@@ -14,7 +14,10 @@ fi
 if ls /home/aceuser/initial-config/bar_overrides/*.properties >/dev/null 2>&1; then
   for propertyFile in /home/aceuser/initial-config/bar_overrides/*.properties
   do
-    mqsiapplybaroverride -b /home/aceuser/initial-config/bars/barfile.bar -p $propertyFile -r 
-    echo $propertyFile >> /home/aceuser/initial-config/bar_overrides/logs.txt
+    for bar in /home/aceuser/initial-config/bars/*.bar
+    do
+      mqsiapplybaroverride -b $bar -p $propertyFile -r 
+      echo $propertyFile >> /home/aceuser/initial-config/bar_overrides/logs.txt
+    done
   done
-fi
+fi

ace_config_webusers.sh

@@ -25,23 +25,87 @@ VIEWERUSERSFILE=/home/aceuser/initial-config/webusers/viewer-users.txt
 if [ -s $ADMINUSERSFILE ] || [ -s $OPERATORUSERSFILE ] || [ -s $EDITORUSERSFILE ] || [ -s $AUDITUSERSFILE ] || [ -s $VIEWERUSERSFILE ]; then
   OUTPUT=$(mqsichangeauthmode -w /home/aceuser/ace-server -s active -m file 2>&1)
   logAndExitIfError $? "${OUTPUT}"
+fi
 
-  OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r admin -p all+ 2>&1)
-  logAndExitIfError $? "${OUTPUT}"
-  OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r admin -o Data -p all+ 2>&1)
-  logAndExitIfError $? "${OUTPUT}"
+if [ -f $ADMINUSERSFILE ]; then
+  if [ -s $ADMINUSERSFILE ]; then
+    if [ -r $ADMINUSERSFILE ]; then
+      OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r admin -p all+ 2>&1)
+      logAndExitIfError $? "${OUTPUT}"
+
+      OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r admin -o Data -p all+ 2>&1)
+      logAndExitIfError $? "${OUTPUT}"
+    else
+      log "ERROR: $ADMINUSERSFILE is not readable"
+      exit 66
+    fi
+  else
+    log "ERROR: $ADMINUSERSFILE is empty"
+    exit 67
+  fi
+fi
 
-  OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r operator -p read+,write-,execute+ 2>&1)
-  logAndExitIfError $? "${OUTPUT}"
-  
-  OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r editor -p read+,write+,execute- 2>&1)
-  logAndExitIfError $? "${OUTPUT}"
+if [ -f $OPERATORUSERSFILE ]; then
+  if [ -s $OPERATORUSERSFILE ]; then
+    if [ -r $OPERATORUSERSFILE ]; then
+      OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r operator -p read+,write-,execute+ 2>&1)
+      logAndExitIfError $? "${OUTPUT}"
+    else
+      log "ERROR: $OPERATORUSERSFILE is not readable"
+      exit 66
+    fi
+  else
+    log "ERROR: $OPERATORUSERSFILE is empty"
+    exit 67
+  fi
+fi
 
-  OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r audit -p read+,write-,execute- 2>&1)
-  logAndExitIfError $? "${OUTPUT}"
+if [ -f $EDITORUSERSFILE ]; then
+  if [ -s $EDITORUSERSFILE ]; then
+    if [ -r $EDITORUSERSFILE ]; then
+      OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r editor -p read+,write+,execute- 2>&1)
+      logAndExitIfError $? "${OUTPUT}"
+    else
+      log "ERROR: $EDITORUSERSFILE is not readable"
+      exit 66
+    fi
+  else
+    log "ERROR: $EDITORUSERSFILE is empty"
+    exit 67
+  fi
+fi
 
-  OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r viewer -p read+,write-,execute- 2>&1)
-  logAndExitIfError $? "${OUTPUT}"
+if [ -f $AUDITUSERSFILE ]; then
+  if [ -s $AUDITUSERSFILE ]; then
+    if [ -r $AUDITUSERSFILE ]; then
+      OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r audit -p read+,write-,execute- 2>&1)
+      logAndExitIfError $? "${OUTPUT}"
+    else
+      log "ERROR: $AUDITUSERSFILE is not readable"
+      exit 66
+    fi
+  else
+    log "ERROR: $AUDITUSERSFILE is empty"
+    exit 67
+  fi
+fi
+
+if [ -f $VIEWERUSERSFILE ]; then
+  if [ -s $VIEWERUSERSFILE ]; then
+    if [ -r $VIEWERUSERSFILE ]; then
+      OUTPUT=$(mqsichangefileauth -w /home/aceuser/ace-server -r viewer -p read+,write-,execute- 2>&1)
+      logAndExitIfError $? "${OUTPUT}"
+    else
+      log "ERROR: $VIEWERUSERSFILE is not readable"
+      exit 66
+    fi
+  else
+    log "ERROR: $VIEWERUSERSFILE is empty"
+    exit 67
+  fi
+fi
+
+if [ -s $ADMINUSERSFILE ] || [ -s $OPERATORUSERSFILE ] || [ -s $EDITORUSERSFILE ] || [ -s $AUDITUSERSFILE ] || [ -s $VIEWERUSERSFILE ]; then
 
   OLDIFS=${IFS}
 

ace_forceflowhttps.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# © Copyright IBM Corporation 2021.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v2.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v20.html
+
+if [ -z "$MQSI_VERSION" ]; then
+  source /opt/ibm/ace-12/server/bin/mqsiprofile
+fi
+
+SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source ${SCRIPT_DIR}/ace_config_logging.sh
+
+log "Creating force flows to be https keystore"
+
+if [ -f /home/aceuser/ace-server/https-keystore.p12 ]; then
+  OUTPUT=$(rm /home/aceuser/ace-server/https-keystore.p12 2>&1)
+  logAndExitIfError $? "${OUTPUT}"
+fi
+
+IFS=$'\n'
+KEYTOOL=/opt/ibm/ace-12/common/jdk/jre/bin/keytool
+if [ ! -f "$KEYTOOL" ]; then
+  KEYTOOL=/opt/ibm/ace-12/common/jre/bin/keytool
+fi
+
+if [ ! -f /home/aceuser/httpsNodeCerts/*.key ]; then
+      log "No keystore files found at location /home/aceuser/httpsNodeCerts/*.key cannot create Force Flows HTTPS keystore"
+      exit 1
+fi
+
+for keyfile in `ls /home/aceuser/httpsNodeCerts/*.key`; do
+  if [ -s "${keyfile}" ]; then
+    if [ -z "${1}" ]; then
+      log "No keystore password defined"
+      exit 1
+    fi
+
+    filename=$(basename ${keyfile})
+    dirname=$(dirname ${keyfile})
+    alias=$(echo ${filename} | sed -e 's/\.key$'//)
+    certfile=${dirname}/${alias}.crt
+    passphrasefile=${dirname}/${alias}.pass
+
+    if [ ! -f ${certfile} ]; then
+      log "Certificate file ${certfile} not found."
+      exit 1
+    fi
+
+    OUTPUT=$(openssl pkcs12 -export -in ${certfile} -inkey ${keyfile} -out /home/aceuser/ace-server/https-keystore.p12 -name ${alias} -password pass:${1} 2>&1)
+    logAndExitIfError $? "${OUTPUT}"
+
+    log "Setting https keystore password"
+    cmd="mqsisetdbparms -w /home/aceuser/ace-server -n brokerHTTPSKeystore::password -u anything -p \"${1}\" 2>&1"
+    OUTPUT=`eval "$cmd"`
+    echo $OUTPUT
+
+  fi
+done
+
+log "Force flows to be https keystore creation complete"