Keyring support #1177
Signed-off-by: Vit Tomica <[email protected]>
# Conflicts:
#	bin/apiml_cm.sh
#	bin/zowe-setup-certificates.sh
Signed-off-by: Vit Tomica <[email protected]>
Assigned myself to have a closer look when I have some time, as this is interesting stuff.
Thanks Onno.
Signed-off-by: Vit Tomica <[email protected]>
Do ACF2 and TSS support the R_datalib API? I thought this was RACF only (but could be mistaken).
Yes, they do. The Java keytool leverages the R_datalib API, and we recently used this in Zowe to read the z/OSMF keyring to get and trust the z/OSMF cert. However, I have found a bug in TSS/ACF2 when creating/deleting a keyring using R_datalib. The security team is working on the fix, and this PR will not work for TSS/ACF2 until it's fixed. You're right about the ZD&T. It'll be slow because of the keytool commands. In this case, the usual security commands make sense.
@timgerstel @vit-tomica Tim's working on using the JWT key info to enable SSO on our other servers. Can you two please collaborate on whether these changes will work with ongoing SSO efforts? We don't want the way SAF keyring support is done to hold back SSO work, so just double-check on the files & formats.
@vit-tomica @1000TurquoisePogs I do not believe this pull request will interfere with the work to enable SSO. All necessary files will still exist and are in the correct format.
# Conflicts:
#	bin/zowe-setup-certificates.sh
This looks great. What privileges does a user need to have to be able to run it? Is there a related documentation PR?
@plavjanik I don't know exactly what all the privileges are, but READ access to all of the IRR.DIGTCERT.* resources is enough, plus UPDATE access to IRR.DIGTCERT.CONNECT is needed to set up trust with z/OSMF. The READ access to all IRR.DIGTCERT.* resources is a bit excessive, but it generally allows performing actions only on certificates and keyrings owned by the ACID that has the READ access. There is no doc yet. I'm also working on the JCL configuration. I plan to remove the part that compiles/links the keyring-util program and replace it with the prebuilt program instead.
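A worked version of the privilege model discussed above, together with the ring setup that the SET statements of files/jcl/ZWEKRING.jcl drive, as an added example that is not code from this PR or from the Zowe project. It assumes RACF, a Zowe started-task user ZWESVUSR, a ring named ZoweKeyring, certificate labels localhost and localca, and z/OSMF's user ID IZUSVR with its default certificate label DefaultzOSMFCert.IZUDFLT; every one of these is a placeholder. The first step grants only the IRR.DIGTCERT functions the certificate scripts are assumed to use, with READ (own certificates and rings only) everywhere except UPDATE on IRR.DIGTCERT.CONNECT, which is what connecting another user's z/OSMF certificate into the Zowe ring requires, instead of READ on every IRR.DIGTCERT.* resource. The second step shows the equivalent RACDCERT commands, run once by a security administrator.

```jcl
//ZWEKRING JOB (ACCT),'ZOWE KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not the ZWEKRING.jcl from this PR. RACF only.
//* Every SET value below is an assumed placeholder: replace it.
//*
//         SET ZOWEUSER=ZWESVUSR
//         SET ZOWERING='ZoweKeyring'
//         SET LABEL='localhost'
//         SET CALABEL='localca'
//         SET ZOSMFUSR=IZUSVR
//         SET ZOSMFLBL='DefaultzOSMFCert.IZUDFLT'
//*
//* Step 1: FACILITY permits for the ACID that runs the certificate
//* scripts. READ on IRR.DIGTCERT.<function> allows that RACDCERT
//* function only against the ACID's own certificates and rings;
//* UPDATE on IRR.DIGTCERT.CONNECT is what lets it connect another
//* user's certificate (z/OSMF's) into its own ring. The functions
//* listed are the assumed set the scripts exercise; RDEFINE fails
//* harmlessly where the profile already exists.
//*
//PERMITS  EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *,SYMBOLS=JCLONLY
  RDEFINE FACILITY IRR.DIGTCERT.ADDRING  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.DELRING  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.ADD      UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.GENCERT  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.CONNECT  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.REMOVE   UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.DELETE   UACC(NONE)
  PERMIT IRR.DIGTCERT.ADDRING  CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.DELRING  CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.ADD      CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.CONNECT  CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(UPDATE)
  PERMIT IRR.DIGTCERT.REMOVE   CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  PERMIT IRR.DIGTCERT.DELETE   CLASS(FACILITY) ID(&ZOWEUSER.) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//*
//* Step 2: what the keyring scripts do, as the equivalent RACDCERT
//* commands run once by a security administrator: create the ring,
//* a local CA and a server certificate signed by it, connect both
//* plus the z/OSMF certificate as a trust anchor, then list the ring.
//*
//KEYRING  EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *,SYMBOLS=JCLONLY
  RACDCERT ID(&ZOWEUSER.) ADDRING(&ZOWERING.)
  RACDCERT CERTAUTH GENCERT +
    SUBJECTSDN(CN('Zowe Development Instances Certificate Authority') +
               OU('API Mediation Layer') O('Zowe Sample') C('CZ')) +
    SIZE(2048) KEYUSAGE(CERTSIGN) WITHLABEL('&CALABEL.') +
    NOTAFTER(DATE(2030-05-01))
  RACDCERT ID(&ZOWEUSER.) GENCERT +
    SUBJECTSDN(CN('Zowe Service') OU('API Mediation Layer') +
               O('Zowe Sample') C('CZ')) +
    SIZE(2048) KEYUSAGE(HANDSHAKE) WITHLABEL('&LABEL.') +
    ALTNAME(DOMAIN('localhost')) +
    SIGNWITH(CERTAUTH LABEL('&CALABEL.')) +
    NOTAFTER(DATE(2030-05-01))
  RACDCERT ID(&ZOWEUSER.) CONNECT(ID(&ZOWEUSER.) LABEL('&LABEL.') +
    RING(&ZOWERING.) USAGE(PERSONAL) DEFAULT)
  RACDCERT ID(&ZOWEUSER.) CONNECT(CERTAUTH LABEL('&CALABEL.') +
    RING(&ZOWERING.) USAGE(CERTAUTH))
  RACDCERT ID(&ZOWEUSER.) CONNECT(ID(&ZOSMFUSR.) LABEL('&ZOSMFLBL.') +
    RING(&ZOWERING.) USAGE(CERTAUTH))
  RACDCERT ID(&ZOWEUSER.) LISTRING(&ZOWERING.)
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
/*
```

IKJEFT01 keeps executing after a command returns non-zero, so a job like this is safe to rerun; anything the scripts turn out to need beyond the permitted functions shows up as an ICH408I insufficient-access message in SYSTSPRT or the system log, which is the cue to add that one profile rather than falling back to READ on all of IRR.DIGTCERT.*. A quick check that the read side works for the Zowe user is to list the ring with the IBM Java keytool under that user ID: keytool -list -keystore safkeyring://ZWESVUSR/ZoweKeyring -storetype JCERACFKS -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider (the same R_datalib path the thread above describes).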
Signed-off-by: Vit Tomica <[email protected]>
fd72a91 to 7f5268b
My latest comments have been addressed. It looks ok to me after a high-level review and no testing.
# Conflicts:
#	bin/zowe-setup-certificates.sh
Signed-off-by: Vit Tomica <[email protected]>
* add keyring to artifactory build
  Signed-off-by: MarkAckert <[email protected]>
* fix keyring version
  Signed-off-by: MarkAckert <[email protected]>
* fix keyring manifest, add gitignore
  Signed-off-by: MarkAckert <[email protected]>
* setup keyring-util as binary
  Signed-off-by: MarkAckert <[email protected]>
* fix keyring during prepare-workspace, chmod in pre-package
  Signed-off-by: MarkAckert <[email protected]>
* fix dir
  Signed-off-by: MarkAckert <[email protected]>
* set keyring version to 1.0.1
  Signed-off-by: MarkAckert <[email protected]>
Signed-off-by: Vit Tomica <[email protected]>
files/jcl/ZWEKRING.jcl
//*
//* SPDX-License-Identifier: EPL-2.0
//*
//* Copyright Contributors to the Zowe Project. 2018, 2020
this did not exist in 2018, so copyright should say 2020, 2020
Done.
files/jcl/ZWEKRING.jcl
//* user ID for the ZOWE started task.
//*
//* 4) Update the SET ZOWERING= statement to match the desired
//* name of the keyring owned by the ZOWEUSER.
... by the &ZOWEUSER user ID.
Done.
files/jcl/ZWEKRING.jcl
//* name of the keyring owned by the ZOWEUSER.
//*
//* 5) Update the SET LABEL= statement with the name of the Zowe
//* certificate that will be added to the RACF database or that
keep it product neutral, so use 'security database'
Done.
files/jcl/ZWEKRING.jcl
//* 2) Update the SET PRODUCT= statement to match your security
//* product.
//*
//* 3) Update the SET ZOWEUSER= statement to match the desired
We cannot use 'desired', at this point the ID must already exist.
... match the (existing)
Done.
files/jcl/ZWEKRING.jcl
//* product.
//*
//* 3) Update the SET ZOWEUSER= statement to match the desired
//* user ID for the ZOWE started task.
ZOWE -> Zowe
Done.
.pax/prepare-workspace.sh
@@ -23,6 +23,7 @@ set -x

# expected workspace layout:
had to think again what and where this was. Can you update this line to say the following and remove all doubt
# expected input workspace layout ($ROOT_DIR):
Done.
@@ -23,6 +23,7 @@ set -x

# expected workspace layout:
# ./.pax/mediation/
# ./.pax/keyring-util/
keep 'm in alphabetical order so it lines up with output of ls
Done.
@@ -199,5 +209,5 @@ echo "[$SCRIPT_NAME] done"
# ${PAX_WORKSPACE_DIR}/ascii/zowe-${ZOWE_VERSION}/
# ${PAX_WORKSPACE_DIR}/content/zowe-${ZOWE_VERSION}/
# ${PAX_WORKSPACE_DIR}/mediation/ # already present

# ${PAX_WORKSPACE_DIR}/keyring-util/ # already present
keep 'm in alphabetical order
Done.
@OnnoVdT Hi Onno, just a reminder that all your comments have been addressed.
Sorry, I saw you did but forgot to approve. That is corrected now.
SAF keyring configuration for Zowe
This PR enhances certificate configuration scripts to store certificates in keyrings.
The idea is to provide analogous actions for keyrings to what we currently have for keystores, i.e. generating a local Zowe CA and Zowe cert, importing external certs, deleting certs, or generally doing cert cleanup.
Motivation:
How much the Java keytool can do with SAF keyrings
it can:
it can't:
The keyring-util program (which leverages the R_datalib API) provides the keyring actions that the Java keytool can't do.
it can:
The keyring-util functions could be useful in scenarios like:
PR type
What type of changes does your PR introduce to Zowe? Put an x in the box that applies to this PR. If you're unsure about any of them, don't hesitate to ask.
Relevant issues
Fixes
Changes proposed in this PR
Does this PR introduce a breaking change?
Does this PR do something the person installing Zowe should know about?
multi-line description
Is there a related doc issue or Pull Request?
Doc issue/PR number:
zowe/docs-site#1214
Other information