Set password length to meet VA scan requirements

Dockerfile-server

@@ -86,7 +86,6 @@ RUN chmod ug+x /usr/local/bin/runmqserver \
   && chmod ug+xs /usr/local/bin/chkmq* \
   && chown -R mqm:mqm /etc/mqm/* \
   && install --directory --mode 0775 --owner mqm --group root /run/runmqserver \
-  && install --directory --mode 0775 --owner mqm --group root /run/tls \
   && touch /run/termination-log \
   && chown mqm:root /run/termination-log \
   && chmod 0660 /run/termination-log

install-mq.sh

@@ -90,6 +90,8 @@ ln -s /mnt/mqm/data /var/mqm
 # Optional: Ensure any passwords expire in a timely manner
 sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t1/' /etc/login.defs
+sed -i 's/PASS_MIN_LEN\t5/PASS_MIN_LEN\t8/' /etc/login.defs
+sed -i 's/# minlen = 9/minlen = 8/' /etc/security/pwquality.conf
 
 $UBUNTU && PAM_FILE=/etc/pam.d/common-password
 $RPM && PAM_FILE=/etc/pam.d/password-auth

internal/tls/tls.go

@@ -346,6 +346,23 @@ func processTrustCertificates(trustDir string, cmsKeyDB, p12TrustDB *KeyStoreDat
 		if err != nil {
 			return fmt.Errorf("Could not add certificates to PKCS#12 Truststore: %v", err)
 		}
+
+		// We need to relabel everything because liberty doesn't play nicely with autolabelled certs
+		allCerts, err := p12TrustDB.Keystore.ListAllCertificates()
+		if err != nil || len(allCerts) <= 0 {
+			return fmt.Errorf("Could not get any certificates from PKCS#12 Truststore: %v", err)
+		}
+
+		for i, cert := range allCerts {
+			cert = strings.Trim(cert, "\"")
+			cert = strings.TrimSpace(cert)
+			newLabel := fmt.Sprintf("Trust%d", i)
+
+			err = p12TrustDB.Keystore.RenameCertificate(cert, newLabel)
+			if err != nil || len(allCerts) <= 0 {
+				return fmt.Errorf("Could not rename certificate %s to %s in PKCS#12 Truststore: %v", cert, newLabel, err)
+			}
+		}
 	}
 
 	if len(cmsKeyDB.TrustedCerts) > 0 {