Keyring support #1177

Merged
merged 56 commits into from
Jul 28, 2020

Conversation

vit-tomica
Contributor

@vit-tomica vit-tomica commented Mar 3, 2020

SAF keyring configuration for Zowe

This PR enhances certificate configuration scripts to store certificates in keyrings.
The idea is to provide analogous actions for keyrings to what we currently have for keystores, i.e. generating a local Zowe CA and Zowe cert, importing external certs, deleting certs, or generally doing cert cleanup.

Motivation:

  • run Zowe on keyrings
  • when configuring keyrings, do as much automation as possible
  • if possible avoid writing a lot of documentation (commands for each ESM etc...)

How much the Java keytool can handle for SAF keyrings. It can:

  • generate and connect a certificate with a keyring, creating the keyring if it does not exist.
  • import/export a certificate from/to a keystore, creating the keyring if it does not exist.
  • disconnect a certificate from a keyring.
  • there is also a java hwkeytool utility that can take advantage of crypto hardware.

it can't:

  • delete keyring
  • delete a certificate from RACF database.

The keyring-util program (which leverages the R_datalib API) provides keyring actions that the Java keytool can't do. It can:

  • delete a keyring
  • delete certificates from the RACF database
  • refresh DIGTCERT class

The keyring-util's functions could be useful in scenarios like:

  • cleanup keyring configuration
  • renewing certs
  • automation
  • if keyring configuration fails in the middle of the process, we can cleanup partial setup and start from scratch

  • Tests for the changes have been added (for bug fixes / features)
  • Necessary documentation (if appropriate) have been added / updated
  • DCO signoffs have been added to all commits, including this PR

Is there a related doc issue or Pull Request?

Doc issue/PR number:
zowe/docs-site#1214

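The keytool-driven keyring flow sketched in the PR description, including the "configuration fails in the middle, clean up and start from scratch" scenario from its last bullet, as an added shell example. This is not zowe-setup-certificates.sh or any other Zowe code; it relies only on the keytool options IBM Java documents for SAF keyrings (a safkeyring:// keystore URL with store type JCERACFKS, with the com.ibm.crypto.provider protocol handler named on the command line). Assumed for illustration and not taken from the PR: the owner user ID ZWESVUSR, the aliases localca and localhost, the distinguished names, the DRY_RUN and FAIL_AT test hooks, and the keyring-util argument syntax (DELCERT, DELRING and REFRESH followed by owner and ring name), which is a guess at the utility's real interface. Running -certreq/-gencert against the ring rather than a file keystore is also an assumption, mirroring the file-keystore path.

```shell
#!/bin/sh
# Added example, not Zowe's zowe-setup-certificates.sh: drive Java keytool against
# a SAF keyring the way the script drives it against a file keystore, keeping a
# rollback list so a setup that fails half way can be undone and rerun.
#
# Assumptions (not from the PR): owner ZWESVUSR, aliases localca/localhost, the
# DNs, the keyring-util verbs DELCERT/DELRING/REFRESH, and the DRY_RUN/FAIL_AT hooks.

KEYRING_OWNER="${KEYRING_OWNER:-ZWESVUSR}"      # started-task user that owns the ring (assumed)
KEYRING_NAME="${ZOWE_KEYRING:-ZoweKeyring}"      # ZOWE_KEYRING= from zowe-setup-certificates.env
KEYRING_UTIL="${KEYRING_UTIL:-./keyring-util}"   # prebuilt keyring-util binary from the PR (path assumed)
DRY_RUN="${DRY_RUN:-0}"                          # 1: print the commands instead of running them
FAIL_AT="${FAIL_AT:-}"                           # dry-run hook: pretend this step failed
ROLLBACK=""                                      # newline-separated undo commands, newest first

# IBM Java addresses a SAF keyring as safkeyring://<owner>/<ring> with store type
# JCERACFKS. keytool still insists on -storepass, but SAF, not the password,
# controls access to the ring, so any value is accepted.
saf_store_opts() {
  printf '%s' "-keystore safkeyring://$1/$2 -storetype JCERACFKS -storepass password -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider"
}

run() {                 # $1 = step name, rest = command line
  step="$1"; shift
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
    [ "$step" = "$FAIL_AT" ] && { echo "!! $step failed (simulated)"; return 1; }
    return 0
  fi
  "$@"
}

push_rollback() {       # remember how to undo the step that just succeeded
  ROLLBACK="$*
$ROLLBACK"
}

rollback() {            # replay undo commands newest first, then refresh DIGTCERT
  echo "rolling back partial keyring setup"
  printf '%s\n' "$ROLLBACK" | while IFS= read -r cmd; do
    [ -n "$cmd" ] && run rollback $cmd
  done
  # the DIGTCERT class is RACLISTed; without a refresh the old profiles stay in effect
  run refresh "$KEYRING_UTIL" REFRESH
}

setup_keyring() {
  opts=$(saf_store_opts "$KEYRING_OWNER" "$KEYRING_NAME")

  # 1. local CA: self-signed key pair flagged as a CA (basic constraints, critical).
  #    keytool creates the keyring on first use if it does not exist yet.
  run gen_ca keytool -genkeypair -alias localca -keyalg RSA -keysize 2048 -validity 3650 \
      -dname "CN=Zowe Development Instances Certificate Authority, OU=Zowe" \
      -ext bc:c $opts || { rollback; return 1; }
  push_rollback "$KEYRING_UTIL" DELRING "$KEYRING_OWNER" "$KEYRING_NAME"
  push_rollback "$KEYRING_UTIL" DELCERT "$KEYRING_OWNER" "$KEYRING_NAME" localca

  # 2. server key pair, CSR, and a CA-signed certificate with SAN and usage extensions.
  #    (-gencert against the ring is assumed to behave as it does for a file keystore.)
  run gen_cert keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 3650 \
      -dname "CN=Zowe Service, OU=Zowe" $opts || { rollback; return 1; }
  push_rollback "$KEYRING_UTIL" DELCERT "$KEYRING_OWNER" "$KEYRING_NAME" localhost
  run csr keytool -certreq -alias localhost -file localhost.csr $opts || { rollback; return 1; }
  run sign keytool -gencert -alias localca -infile localhost.csr -outfile localhost.cer \
      -ext SAN=dns:localhost,ip:127.0.0.1 -ext KeyUsage=digitalSignature,keyEncipherment \
      -ext ExtendedKeyUsage=serverAuth,clientAuth $opts || { rollback; return 1; }

  # 3. replace the self-signed server cert with the signed one; -noprompt because
  #    the install runs without a TTY and the issuer is already in the ring.
  run import keytool -importcert -alias localhost -file localhost.cer -noprompt $opts \
      || { rollback; return 1; }
  echo "keyring $KEYRING_OWNER/$KEYRING_NAME ready"
}

# only act when explicitly asked, e.g.:  DRY_RUN=1 sh keyring-example.sh setup
if [ "${1:-}" = setup ]; then
  setup_keyring
fi
```

Run it with DRY_RUN=1 first to see the exact keytool command lines without touching SAF. For real, the caller needs READ access to the relevant IRR.DIGTCERT.* FACILITY profiles for its own ring; a failing step replays the rollback list newest first (certificates out of the security database, then the ring) and refreshes DIGTCERT, so the same script can simply be rerun from scratch.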
@OnnoVdT OnnoVdT self-assigned this Mar 4, 2020
@OnnoVdT
Contributor

OnnoVdT commented Mar 4, 2020

Assigned myself to have a closer look when I have some time, as this is interesting stuff.

@vit-tomica
Contributor Author

Thanks Onno.
From user perspective, the action should be simple - setting a keyring name for the ZOWE_KEYRING= variable in the zowe-setup-certificates.env, the rest should be handled by the zowe-setup-certificates.sh script

@vit-tomica vit-tomica changed the title WIP: Keyring support Keyring support Mar 5, 2020
@OnnoVdT
Contributor

OnnoVdT commented Mar 20, 2020

Do ACF2 and TSS support the R_datalib API? I thought this was RACF only (but could be mistaken).
Also, we heard that the current script for keystores is extremely slow on ZD&T (takes about an hour). This is likely because we drive several invocations of the keytool utility, which in turn drives Java.
We are using keytool here as well, so the keyring support might end up being slow as well. We should try this out and maybe see if something can be done with direct RACF/ACF2/TSS commands. That would be another issue/pull request, just bringing it to your attention here.

@vit-tomica
Contributor Author

Yes, they do. The Java keytool leverages R_datalib API and we recently used this in Zowe to read zosmf keyring to get and trust the zosmf cert. However, I have found a bug in TSS/ACF2 when creating/deleting keyring using R_datalib. Security team is working on the fix and this PR will not work for TSS/ACF2 until it's fixed.

You're right about the ZD&T. It'll be slow because of the keytool commands. In this case, usual security commands make sense.

@1000TurquoisePogs
Member

@timgerstel @vit-tomica Tim's working on using the JWT key info to enable SSO on our other servers. Can you two please collaborate on if these changes will work with ongoing SSO efforts? We don't want the way SAF keyring support is done to hold back SSO work, so just double-check on the files & formats.

@timgerstel
Contributor

@vit-tomica @1000TurquoisePogs I do not believe this pull request will interfere with the work to enable SSO. All necessary files will still exist and are in the correct format.

# Conflicts:
#	bin/zowe-setup-certificates.sh
@plavjanik
Contributor

This looks great. What privileges does a user need to have to be able to run it? Is there a related documentation PR?

@vit-tomica
Contributor Author

@plavjanik I don't know exactly what all the privileges are, but READ access to all of the IRR.DIGTCERT.* resources is enough, plus UPDATE access to IRR.DIGTCERT.CONNECT is needed to set up trust with z/OSMF. The READ access to all IRR.DIGTCERT.* resources is a bit excessive, but it generally allows performing actions only on certificates and keyrings owned by the ACID that has the READ access.

There is no doc yet.

I'm also working on JCL configuration. I plan to remove the part that compile/link the keyring-util program and I'll replace it with the prebuilt program instead.

Contributor

@plavjanik plavjanik left a comment

My latest comments have been addressed. It looks ok to me after a high-level review and no testing.

vit-tomica and others added 10 commits June 19, 2020 16:52
# Conflicts:
#	bin/zowe-setup-certificates.sh
* add keyring to artifactory build

Signed-off-by: MarkAckert <[email protected]>

* fix keyring version

Signed-off-by: MarkAckert <[email protected]>

* fix keyring manifest, add gitignore

Signed-off-by: MarkAckert <[email protected]>

* setup keyring-util as binary

Signed-off-by: MarkAckert <[email protected]>

* fix keyring during prepare-workspace, chmod in pre-package

Signed-off-by: MarkAckert <[email protected]>

* fix dir

Signed-off-by: MarkAckert <[email protected]>

* set keyring version to 1.0.1

Signed-off-by: MarkAckert <[email protected]>
Signed-off-by: Vit Tomica <[email protected]>
//*
//* SPDX-License-Identifier: EPL-2.0
//*
//* Copyright Contributors to the Zowe Project. 2018, 2020
Contributor

This did not exist in 2018, so the copyright should say 2020, 2020.

Contributor Author

Done.

//* user ID for the ZOWE started task.
//*
//* 4) Update the SET ZOWERING= statement to match the desired
//* name of the keyring owned by the ZOWEUSER.
Contributor

... by the &ZOWEUSER user ID.

Contributor Author

Done.

//* name of the keyring owned by the ZOWEUSER.
//*
//* 5) Update the SET LABEL= statement with the name of the Zowe
//* certificate that will be added to the RACF database or that
Contributor

keep it product neutral, so use 'security database'

Contributor Author

Done.

//* 2) Update the SET PRODUCT= statement to match your security
//* product.
//*
//* 3) Update the SET ZOWEUSER= statement to match the desired
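Review bot: step 2 lets the installer set any security product, but the discussion above records that creating and deleting a keyring through R_datalib currently fails on ACF2 and TSS until the vendor fix lands; state that limitation next to the SET PRODUCT= instruction (or have the job check PRODUCT and stop) so those sites do not end up with a half-built keyring that then needs the keyring-util cleanup path.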
Contributor

We cannot use 'desired', at this point the ID must already exist.
... match the (existing)

Contributor Author

Done.

//* product.
//*
//* 3) Update the SET ZOWEUSER= statement to match the desired
//* user ID for the ZOWE started task.
Contributor

ZOWE -> Zowe

Contributor Author

Done.

@@ -23,6 +23,7 @@ set -x

# expected workspace layout:
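Review bot: the `@@ -23,6 +23,7 @@ set -x` header shows this packaging script runs with command tracing on, so every expanded argument of the commands below it is written to the build log; make sure nothing secret (repository credentials, passwords) is expanded in this script, or bracket the sensitive commands with `set +x` and `set -x` so the trace does not leak them into the CI output.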
Contributor

had to think again what and where this was. Can you update this line to say the following and remove all doubt
# expected input workspace layout ($ROOT_DIR):

Contributor Author

Done.

@@ -23,6 +23,7 @@ set -x

# expected workspace layout:
# ./.pax/mediation/
# ./.pax/keyring-util/
Contributor

keep 'm in alphabetical order so it lines up with output of ls

Contributor Author

Done.

@@ -199,5 +209,5 @@ echo "[$SCRIPT_NAME] done"
# ${PAX_WORKSPACE_DIR}/ascii/zowe-${ZOWE_VERSION}/
# ${PAX_WORKSPACE_DIR}/content/zowe-${ZOWE_VERSION}/
# ${PAX_WORKSPACE_DIR}/mediation/ # already present

# ${PAX_WORKSPACE_DIR}/keyring-util/ # already present
Contributor

keep 'm in alphabetical order

Contributor Author

Done.

@vit-tomica
Contributor Author

@OnnoVdT Hi Onno, just a reminder that all your comments have been addressed.

@OnnoVdT
Contributor

OnnoVdT commented Jul 24, 2020

Sorry, I saw you did but forgot to approve. That is corrected now.

@Joe-Winchester Joe-Winchester merged commit 9dd2aeb into staging Jul 28, 2020
@Joe-Winchester Joe-Winchester deleted the keyring-support branch July 28, 2020 20:48
8 participants