ThePrez / DCM-tools

Command-line tools for working with Digital Certificate Manager (DCM) on IBM i
Apache License 2.0

Is DCM-tools only available for 7.4? #1

Closed chrjorgensen closed 2 years ago

chrjorgensen commented 2 years ago

I was hoping to use the DCM-tools to import the CA certificates provided by Mozilla to the *SYSTEM certificate store (the new QSYS2.HTTP_GET will not connect to https://www.ibm.com - certificate is not signed by trusted CA). So I installed the DCM-tools using the yum command as provided in the instructions.

But I get this error:

Transaction Check Error:
  package dcmtools-0.0.1-0.ppc64 is intended for a different operating system

And now I see the package is named "dcmtools-0.0.1-0.ibmi7.4.ppc64" - so apparently it is only built for IBM i 7.4. And I was trying to install it on a system with IBM i 7.3...

Will there be a version available for 7.3 as well?

ThePrez commented 2 years ago

DCM Tools relies on some APIs that are new in 7.4. I haven't yet quantified which ones those are. I've opened #3 to track that. I've added a 7.2 RPM for you to try (https://github.com/ThePrez/DCM-tools/releases/download/v0.0.1/dcmtools-0.0.1-0.ibmi7.2.ppc64.rpm). I'm pretty sure the dcmimport functionality should all work but can't guarantee it until we finish up #3

chrjorgensen commented 2 years ago

I managed to download and install your version for 7.2 - but now I get another error:

→ dcmimport --ca-only --installed-certs
Successfully extracted installed certificates
Sanity check successful
Exception in thread "main" java.io.IOError: java.io.IOException: Qyj9SetEcho failed
        at java.io.Console.readPassword(Console.java:328)
        at com.github.ibmioss.dcmtools.utils.ConsoleUtils.askUserForPwd(ConsoleUtils.java:29)
        at com.github.ibmioss.dcmtools.DcmUserOpts.getDcmPassword(DcmUserOpts.java:30)
        at com.github.ibmioss.dcmtools.utils.DcmChangeTracker.<init>(DcmChangeTracker.java:92)
        at com.github.ibmioss.dcmtools.CertFileImporter.doImport(CertFileImporter.java:95)
        at com.github.ibmioss.dcmtools.DcmImportCmd.main(DcmImportCmd.java:128)
Caused by: java.io.IOException: Qyj9SetEcho failed
        at java.io.Console.echo(Native Method)
        at java.io.Console.readPassword(Console.java:326)
        ... 5 more

chrjorgensen commented 2 years ago

Ah, got it - had to make the DCM Tools use Java11:

→ export JAVA_HOME=/QOpenSys/pkgs/lib/jvm/openjdk-11
→ dcmimport --installed-certs --ca-only
Successfully extracted installed certificates
Sanity check successful
Enter DCM keystore password: ******************
Enter IBM i password: <<<here_was_my_password_in_clear_text>>>
checking for conflicting cert to the one with alias digicertassuredidrootca
cert has no alias
checking for conflicting cert to the one with alias affirmtrustcommercial
cert has no alias
checking for conflicting cert to the one with alias t-telesecglobalrootclass3
cert has no alias
.
.
.
The following certificates will be processed:
    Certificate ID 'digicertassuredidrootca':
        Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
        Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
        Is CA? true
    Certificate ID 'affirmtrustcommercial':
        Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
        Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
        Is CA? true
.
.
.
Do you want to import ALL of the above certificates into DCM? [y/N] y
Enter IBM i password: <<<here_was_my_password_in_clear_text>>>
Enter IBM i password: <<<here_was_my_password_in_clear_text>>>
The following changes were made on the DCM keystore:
Enter IBM i password: <<<here_was_my_password_in_clear_text>>>
    The following certificate was added with certificate with ID 'digicertassuredidrootca':
            Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
            Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
            Is CA? true
    The following certificate was added with certificate with ID 'affirmtrustcommercial':
            Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
            Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
            Is CA? true
    The following certificate was added with certificate with ID 'letsencryptauthorityx3':
            Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
            Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
            Is CA? true
SUCCESS!!!

Great - it works!

I have also created issue #10 to have the problem with the password being shown in clear text fixed.

chrjorgensen commented 2 years ago

Another go - now after installing Java11 from ESS:

→ export JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk11/64bit
→ dcmimport --installed-certs --ca-only
Successfully extracted installed certificates
Sanity check successful
Exception in thread "main" java.io.IOError: java.io.IOException: A specified file does not support the ioctl system call.
        at java.base/java.io.Console.readPassword(Console.java:318)
        at com.github.ibmioss.dcmtools.utils.ConsoleUtils.askUserForPwd(ConsoleUtils.java:29)
        at com.github.ibmioss.dcmtools.DcmUserOpts.getDcmPassword(DcmUserOpts.java:30)
        at com.github.ibmioss.dcmtools.utils.DcmChangeTracker.<init>(DcmChangeTracker.java:92)
        at com.github.ibmioss.dcmtools.CertFileImporter.doImport(CertFileImporter.java:95)
        at com.github.ibmioss.dcmtools.DcmImportCmd.main(DcmImportCmd.java:128)
Caused by: java.io.IOException: A specified file does not support the ioctl system call.
        at java.base/java.io.Console.echo(Native Method)
        at java.base/java.io.Console.readPassword(Console.java:316)
        ... 5 more

The java version is

→ java -version
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment 11.0.11.0-IBM (build 11.0.11+9)
Eclipse OpenJ9 VM 11.0.11.0-IBM (build openj9-0.26.0, JRE 11 OS/400 ppc64-64-Bit Compressed References 20210427_000000 (JIT enabled, AOT enabled)
OpenJ9   - b4cc246
OMR      - 162e6f7
JCL      - 7796c80 based on jdk-11.0.11+9)

jwoehr commented 2 years ago

On Tue, Sep 28, 2021 at 1:23 PM Christian Jorgensen < @.***> wrote:

Caused by: java.io.IOException: A specified file does not support the ioctl system call.

Question: Is this in a 5250 session?

-- Jack Woehr, IBM Champion 2021 https://www.youracclaim.com/badges/528d23d6-087f-4698-8d17-d59688106ac4/public_url Absolute Performance, Inc. 12303 Airport Way, Suite 100 Broomfield, CO 80021

NON-DISCLOSURE NOTICE: This communication including any and all attachments is for the intended recipient(s) only and may contain confidential and privileged information. If you are not the intended recipient of this communication, any disclosure, copying further distribution or use of this communication is prohibited. If you received this communication in error, please contact the sender and delete/destroy all copies of this communication immediately.

chrjorgensen commented 2 years ago

Question: Is this in a 5250 session?

No, it's from a bash shell accessed via SSH.

jwoehr commented 2 years ago

What's your terminal setting for your ssh session?

@.***:~$ echo $TERM
xterm


chrjorgensen commented 2 years ago

→ echo $TERM
xterm-256color

jwoehr commented 2 years ago

Try this just to be sure:

export TERM=xterm

Then try your java command again.


chrjorgensen commented 2 years ago

That worked!

→ export JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk11/64bit
→ export TERM=xterm
→ dcmimport --installed-certs --ca-only
Successfully extracted installed certificates
Sanity check successful
Enter DCM keystore password:
checking for conflicting cert to the one with alias digicertassuredidrootca

It wasn't necessary to change the TERM value when using the Java11 EA jvm, but with the version from ESS it is...?

jwoehr commented 2 years ago

I don't know the full details, I just discovered some time ago that xterm-color seems problematic in PASE.


ThePrez commented 2 years ago

The launch scripts now try to account for this, so I think it works properly in QSH, QP2TERM, and SSH, and is part of the new v0.1.0 release
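
The TERM workaround and console check discussed in this thread, written as a wrapper function. This is an added example, not the DCM-tools launch scripts; the function names, the mapping of every `xterm-*` value to `xterm`, and the use of `stty` as a stand-in for the JVM's echo control are assumptions.

```shell
#!/bin/sh
# Added example: a hypothetical wrapper, not the DCM-tools launch script.

# Map xterm variants (e.g. xterm-256color) to plain xterm, the value that
# worked in the thread. Applying it to every xterm-* value is an assumption.
normalize_term() {
    case "$1" in
        xterm-*) printf '%s\n' xterm ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Succeed only if stdin is a terminal whose echo flag can be switched off
# and restored. Assumption: this approximates what the JVM needs in order
# to hide password input.
can_hide_echo() {
    [ -t 0 ] || return 1
    saved=$(stty -g 2>/dev/null) || return 1
    stty -echo 2>/dev/null || return 1
    stty "$saved"
}

# Run dcmimport with a normalized TERM, refusing to start when a password
# prompt could not suppress echo. Returns 2 on refusal.
safe_dcmimport() {
    if ! can_hide_echo; then
        echo "stdin cannot hide typed input; not prompting for passwords" >&2
        return 2
    fi
    # Subshell keeps the TERM change out of the caller's session.
    (
        TERM=$(normalize_term "${TERM:-}")
        export TERM
        dcmimport "$@"
    )
}
```

Source the file in the SSH session and call `safe_dcmimport --installed-certs --ca-only`; set `JAVA_HOME` beforehand as shown in the thread.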