TSS: Detect zOSMF Root CA #3725

Merged
merged 4 commits into from
Feb 15, 2024
2 changes: 1 addition & 1 deletion bin/commands/certificate/keyring-jcl/connect/.parameters
Expand Up @@ -8,6 +8,6 @@ trust-cas||string|||||Labels of extra certificate authorities should be trusted,
connect-user||string|required||||Certificate owner. Can be `SITE` or a user ID.
connect-label||string|required||||Certificate label to connect.
trust-zosmf||boolean|||||Whether to trust z/OSMF CA.
zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify "_auto_" to let Zowe to detect automatically. This only works for RACF.
zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify `_auto_` to let Zowe to detect automatically. This works for RACF and TSS.
zosmf-user||string||IZUSVR|||z/OSMF user name. This is used to automatically detect z/OSMF root certificate authorities.
ignore-security-failures||boolean|||||Whether to ignore security setup job failures.
2 changes: 1 addition & 1 deletion bin/commands/certificate/keyring-jcl/generate/.parameters
Expand Up @@ -16,6 +16,6 @@ country||string|||||Country of certificate and certificate authority.
validity||string|||||Validity days of certificate.
trust-cas||string|||||Labels of extra certificate authorities should be trusted, separated by comma (Maximum 2).
trust-zosmf||boolean|||||Whether to trust z/OSMF CA.
zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify "_auto_" to let Zowe to detect automatically. This only works for RACF.
zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify `_auto_` to let Zowe to detect automatically. This works for RACF and TSS.
zosmf-user||string||IZUSVR|||z/OSMF user name. This is used to automatically detect z/OSMF root certificate authorities.
ignore-security-failures||boolean|||||Whether to ignore security setup job failures.
2 changes: 1 addition & 1 deletion bin/commands/certificate/keyring-jcl/import-ds/.parameters
Expand Up @@ -7,7 +7,7 @@ keyring-name||string|required||||Name of the keyring.
alias|a|string|required|localhost|||Certificate alias name.
trust-cas||string|||||Labels of extra certificate authorities should be trusted, separated by comma (Maximum 2).
trust-zosmf||boolean|||||Whether to trust z/OSMF CA.
zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify "_auto_" to let Zowe to detect automatically. This only works for RACF.
zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify `_auto_` to let Zowe to detect automatically. This works for RACF and TSS.
zosmf-user||string||IZUSVR|||z/OSMF user name. This is used to automatically detect z/OSMF root certificate authorities.
import-ds-name||string|required||||Name of the data set holds certificate to import into keyring.
import-ds-password||string|required||||Password of the data set holds certificate to import.
80 changes: 76 additions & 4 deletions bin/libs/certificate.sh
Expand Up @@ -876,7 +876,15 @@ EOF

if [ "${trust_zosmf}" = "1" ]; then
if [ "${zosmf_root_ca}" = "_auto_" ]; then
zosmf_root_ca=$(detect_zosmf_root_ca "${ZWE_PRIVATE_ZOSMF_USER}")
if [ "${security_product}" = "RACF" ]; then
zosmf_root_ca=$(detect_zosmf_root_ca_racf "${ZWE_PRIVATE_ZOSMF_USER}")
fi
if [ "${security_product}" = "TSS" ]; then
zosmf_root_ca=$(detect_zosmf_root_ca_tss "${ZWE_PRIVATE_ZOSMF_USER}")
fi
if [ "${security_product}" = "ACF2" ]; then
zosmf_root_ca=$(detect_zosmf_root_ca_acf2 "${ZWE_PRIVATE_ZOSMF_USER}")
fi
fi
if [ -z "${zosmf_root_ca}" ]; then
print_error_and_exit "Error ZWEL0137E: z/OSMF root certificate authority is not provided (or cannot be detected) with trusting z/OSMF option enabled." "" 137
Expand Down Expand Up @@ -1397,12 +1405,76 @@ EOF
"${labels_with_private_key}"
}

# this only works for RACF
detect_zosmf_root_ca() {
# FIXME
# - Support for multiple? | long | special characters entries
detect_zosmf_root_ca_tss() {
zosmf_user=${1:-IZUSVR}
zosmf_root_ca=

print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user}) [TSS]"
zosmf_certs=$(tsocmd "TSS LIST(${zosmf_user}) KEYRING(ALL)" 2>&1)
code=$?
if [ ${code} -ne 0 ]; then
print_trace " * Exit code: ${code}"
print_trace " * Output:"
if [ -n "${zosmf_certs}" ]; then
print_trace "$(padding_left "${zosmf_certs}" " ")"
fi
return 1
fi

# Output example:
# KEYRING LABEL = KEYRING.IZUDFLT
zosmf_keyring_name=$(echo "${zosmf_certs}" | grep "KEYRING LABEL = " | awk -F= '{ print $2 }' | head -n 1)
if [ -n "${zosmf_keyring_name}" ]; then
print_trace " * z/OSMF keyring name is ${zosmf_keyring_name}"
# Output example:
# ACID(CERTAUTH) DIGICERT(ABCDEFGH) DEFAULT(NO ) USAGE(CERTAUTH)
# LABLCERT(ZOSMF_ROOT_CA )
zosmf_root_ca=$(echo "${zosmf_certs}" | grep -A 1 "ACID(CERTAUTH)" | grep "LABLCERT(" | head -n 1)
zosmf_root_ca=$(echo "${zosmf_root_ca}" | awk '{ print substr( $0, 12, length($0)-13) }')
zosmf_root_ca=$(echo "${zosmf_root_ca}" | sed -e 's/^[[:space:]]*//;s/[[:space:]]*$//')
Comment on lines +1435 to +1436
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for the awk command: are you sure this is the right offset? In your output example above, where LABLCERT has 3 spaces before it, the result becomes `(ZOSMF_ROOT_CA`.
maybe it has 4 spaces and the example was just missing spaces?
Just double checking on it...

For the sed command: is this just removing whitespace? it's hard to read since i'm only a sed novice. could try xargs instead? it trims spaces too.

Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. I am automatically placing 1 space after the comment char #
 # Output example:
    #   ACID(CERTAUTH)  DIGICERT(ABCDEFGH)  DEFAULT(NO )  USAGE(CERTAUTH)
    #   LABLCERT(ZOSMF_ROOT_CA                   )

is in output

  ACID(CERTAUTH)  DIGICERT(ABCDEFGH)  DEFAULT(NO )  USAGE(CERTAUTH)
  LABLCERT(ZOSMF_ROOT_CA                   )

I was testing this with raw output and it seems to work fine.

  2. xargs is explained here. It behaves unexpectedly compared to trim in JS or other languages.

Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay thanks, now i understand it and this comment chain will help others know in the future.

if [ -n "${zosmf_root_ca}" ]; then
print_trace " * z/OSMF root certificate authority found: ${zosmf_root_ca}"
echo "${zosmf_root_ca}"
return 0
else
print_trace " * Error: cannot detect z/OSMF root certificate authority"
return 2
fi
else
print_trace " * Error: failed to detect z/OSMF keyring name"
return 3
fi
}

# FIXME
# - add similar code using ACFUNIX instead of tsocmd
# - or use JCLs to be sure it will always works
detect_zosmf_root_ca_acf2() {
zosmf_user=${1:-IZUSVR}
zosmf_root_ca=

print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user}) [ACF2]"
echo "${zosmf_root_ca}"
return 1
}

# FIXME
# - Support for multiple? | long | special characters entries
# - RACDCERT LISTRING will be confused if label contains 'CERTAUTH' word:
#
# Certificate Label Name Cert Owner USAGE DEFAULT
# -------------------------------- ------------ -------- -------
# CERTAUTH_FOR_T800 ID(SKYNET) DEADLY YES
# JOHN_CONNOR CERTAUTH CERTAUTH NO
#
# Will return CERTAUTH_FOR_T800 instead of JOHN_CONNOR
detect_zosmf_root_ca_racf() {
zosmf_user=${1:-IZUSVR}
zosmf_root_ca=

print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user})"
print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user}) [RACF]"
zosmf_certs=$(tsocmd "RACDCERT LIST ID(${zosmf_user})" 2>&1)
code=$?
if [ ${code} -ne 0 ]; then
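Review bot: In the first hunk the `_auto_` sentinel now leaks through when `security_product` matches none of RACF, TSS or ACF2: none of the three `if` branches assigns `zosmf_root_ca`, so it keeps the literal value `_auto_`, the `-z` check right below never fires, and `_auto_` is passed on as a certificate label instead of the ZWEL0137E error the pre-change code produced (the old unconditional `zosmf_root_ca=$(detect_zosmf_root_ca ...)` always reset it, and the ACF2 stub still does so by echoing an empty string). Resetting the variable before the dispatch restores that behaviour: add `zosmf_root_ca=` as the first line inside the `if [ "${zosmf_root_ca}" = "_auto_" ]` block, or fold the three `if`s into a `case "${security_product}"` with a `*) zosmf_root_ca= ;;` default. Whether `security_product` can hold other values here (empty, lowercase, a different ESM) is not visible in this diff, so confirm against where it is set. Separately, `detect_zosmf_root_ca_tss` splices `${zosmf_user}` unvalidated into the `TSS LIST(...)` command string, as the RACF variant does; since the value comes from configuration, a cheap guard such as `case "${zosmf_user}" in ""|*[!A-Za-z0-9@#\$]*) return 1 ;; esac` before the `tsocmd` (user IDs are presumably short alphanumeric/national-character tokens) keeps a malformed value from becoming extra TSO command text. The function enclosing the first hunk starts and ends outside that hunk.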