ThePrez / DCM-tools

Command-line tools for working with Digital Certificate Manager (DCM) on IBM i
Apache License 2.0

dcmimport identifies required certs but does not add them to the system store #32

Open JonFP opened 2 years ago

JonFP commented 2 years ago

dcmimport --fetch-from=httpbin.org:443

The above identifies a number of (Amazon) certs and asks if they are to be trusted. It then states that it is processing them. It then reports that "No changes were made to the DCM keystore!" - no error messages.

I originally assumed that the certs must already be in the store (I would expect Amazon to be in the default set) but they are not.

Not sure where to go from here.

JonFP commented 2 years ago

Here you go.

dcmview.txt

ThePrez commented 2 years ago

Thanks. This one is really easy to recreate. Either this is a DCM internal error (PTF?) or something very dumb in my code. Stay tuned.

ThePrez commented 2 years ago

@JonFP please verify you have these PTFs installed:

7.3 = SI79678
7.4 = SI79679
7.5 = SI79680

JonFP commented 2 years ago

@ThePrez Just checked and no - that is not installed (7.4). I see it is from back in May and we are pretty much up to date with group PTFs etc. Am I going to have to specifically order that one?

ThePrez commented 2 years ago

Probably. It does seem to correct the problem in my test environment.

JonFP commented 2 years ago

OK - I'll get it loaded over the next couple of days and let you know how it goes.

JonFP commented 2 years ago

PTF now loaded, but in some ways it makes things worse. Now the dcmimport command just says: "Error extracting trusted certificates". Interestingly, it never asked me for the *System store password.

ThePrez commented 2 years ago

@JonFP I just debugged that one, though I haven't pushed in the fix. You should be able to circumvent it by putting /QOpenSys/usr/bin at the beginning of the path (usually frowned upon!):

PATH=/QOpenSys/usr/bin:$PATH dcmimport --fetch-from=httpbin.org:443

Now for more bad/good news.... I found another system where the --fetch-from does still indeed fail with the noted PTFs. This is great because we have an internal recreate and can debug the DCM issue.

However, with the proper PTFs, --installed-certs does now work on that system. And, after doing the --installed-certs, the --fetch-from works. This has something to do with the parent CA needing to be installed before trusting the specific Starfield cert.

So in your case you can try:

PATH=/QOpenSys/usr/bin:$PATH dcmimport --installed-certs
PATH=/QOpenSys/usr/bin:$PATH dcmimport --fetch-from=httpbin.org:443

And I think you'll finally be workin'!

Thanks for your patience as we clunk around with this new toolset.

ThePrez commented 2 years ago

Assuming those two commands get you to success, my action items are:

JonFP commented 2 years ago

That approach seems to have worked @ThePrez. On the system where I had (eventually) managed to add the cert manually it correctly identified that one cert as already present and just added the extras.

The "dcmimport --installed-certs" added quite a few despite the fact that I had already populated the store with everything the dcm GUI said was available. Not sure why that is but the whole damn thing is a black art to me so ...

Not sure the PTF was actually essential when this approach is used as it appears to have worked on one machine that I now realize did not have the PTF loaded. Should I re-run it on that one?

ThePrez commented 2 years ago

@JonFP, I've cut a new release, v0.3.0, which should make the experience much better:

/QOpenSys/pkgs/bin/yum install https://github.com/ThePrez/DCM-tools/releases/download/v0.3.0/dcmtools-0.3.0-0.ibmi7.2.ppc64.rpm

JonFP commented 2 years ago

Looks good so far @ThePrez - will let you know if I encounter any difficulties. Have you talked to Scott F and his merry men? Your one-liner install of the Java certs would save folks switching from the old SQL functions to the new a whole heap of trouble. They have a very long script that could very easily be replaced by your tool.

ThePrez commented 2 years ago

> Looks good so far @ThePrez - will let you know if I encounter any difficulties. Have you talked to Scott F and his merry men? Your one-liner install of the Java certs would save folks switching from the old SQL functions to the new a whole heap of trouble. They have a very long script that could very easily be replaced by your tool.

Are you suggesting the doc recommends installing dcmimport and running the one-liner? During the first pass, we were hesitant to include that in the docs because DCM Tools does require its share of OSS stuff, and many people, sadly, don't have the OSS stack loaded on. But perhaps it's worth revisiting. The message could be, "hey, if you're already an open source user, just do this..."

JonFP commented 2 years ago

I think it should suggest it as an alternative to the script offered. If you look at that script you'll find that it will scare the living daylights out of most people. Anyone comfortable enough with SQL scripting would, I imagine, have no problem with installing an OS tool!

ThePrez commented 2 years ago

> I think it should suggest it as an alternative to the script offered. If you look at that script you'll find that it will scare the living daylights out of most people. Anyone comfortable enough with SQL scripting would, I imagine, have no problem with installing an OS tool!

Noted! I'll queue it up for discussion.

hansbornich commented 1 year ago

I'm testing this on 7.4 with the latest PTFs (also SI79679 and the superseding SI82940). I issued a cert via acme.sh from letsencrypt. When I import it to DCM with dcmimport, the client/server cert is imported as a CA cert (inspecting via the DCM GUI - I was puzzled why it didn't show up with the client/server filter applied). It sounds like the issue that should be fixed with PTF SI79679?