search

zowe / zowe-explorer-vscode

Visual Studio Code Extension for Zowe, which lets users interact with z/OS Data Sets, Unix System Services, and Jobs on a remote mainframe instance. Powered by Zowe SDKs.
Eclipse Public License 2.0
173 stars 92 forks source link

Provide Client Side z/OSMF Certificate Support Zowe Explorer #2373

Open EnsonoStevenPerva opened 1 year ago

EnsonoStevenPerva commented 1 year ago

Would like to use zOSMF Client Certificates to authenticate without a password to zOSMF with Zowe Explorer extension. With all the necessary profiling setup, I am still prompted for my UserID and Password which seems to get rejected by zOS as a valid login. This would be especially helpful when trying to use Zowe Explorer when leveraging one time use passwords.

Discussed in https://github.com/zowe/vscode-extension-for-zowe/discussions/2314

Originally posted by **travatine** May 27, 2023 Hi, Please, I've set up client side certificates for authenticating with z/OSMF. This works with the zowe-cli , for example, I can use the "list data set " command: ``` travatine@penguin:~$ zowe zos-files list data-set "travist.**" --host pthsvz1.21csw.com.au TRAVIST TRAVIST.DDIR TRAVIST.DDIR.D TRAVIST.DDIR.I TRAVIST.DIGICERT.CERT.TODAY ``` This is my config : ``` { "$schema": "./zowe.schema.json", "profiles": { "zosmf_x-pthtsx1": { "type": "zosmf", "properties": { "host": "pthtsx1.21csw.com.au", "port": 443, "rejectUnauthorized": false, "certFile": "/home/travatine/jmirror/python-zosmf/certs/pthtsx1.21csw.com.au-TRAVIST.clientCert.pem", "certKeyFile": "/home/travatine/jmirror/python-zosmf/certs/pthtsx1.21csw.com.au-TRAVIST.clientCert.pem", "protocol": "https" }, "secure": [] }, "zosmf_z-pthsvz1": { "type": "zosmf", "properties": { "host": "pthsvz1.21csw.com.au", "port": 443, "rejectUnauthorized": false, "certFile": "/home/travatine/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem", "certKeyFile": "/home/travatine/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem", "protocol": "https" }, "secure": [] } }, "defaults": { "zosmf": "zosmf_z-pthsvz1" }, "autoStore": true } ``` The profiles appear in vs code , however when I attempt to run a data set search, I am asked to supply a user name and password . Is this expected? ( or have I configured something incorrectly?) ![image](https://github.com/zowe/vscode-extension-for-zowe/assets/17565183/70332368-76f4-403f-92d0-5d2a2931a693) I'm running this version of the extension , V2.8.1 ![image](https://github.com/zowe/vscode-extension-for-zowe/assets/17565183/95e32656-4167-4387-aa51-da8fb0c4e8c8) and this vs code : ``` Version: 1.78.2 Commit: b3e4e68a0bc097f0ae7907b217c1119af9e03435 Date: 2023-05-10T14:47:05.613Z Electron: 22.5.2 Chromium: 108.0.5359.215 Node.js: 16.17.1 V8: 10.8.168.25-electron.0 OS: Linux x64 5.15.103-17409-g07029265d738 Sandboxed: Yes ``` In case it is relevant , I ran the following to set up the CA and the client side certificates: ``` /* Create CERTAUTH */ RACDCERT CERTAUTH GENCERT - SUBJECTSDN(CN('zOSMF Client Cert CA') - OU('IZUDFLT')) WITHLABEL('zOSMF Client Cert CA') - SIZE(2048) - TRUST NOTAFTER(DATE(2099/01/01)) /* connect the CERTAUTH to the IZUSVR ( zos MF user ) keyring */ RACDCERT ID( IZUSVR ) CONNECT (LABEL('('zOSMF Client Cert CA') - RING(IZUKeyringG.letsenc) CERTAUTH) /* restarted z/OSMF to force it to re-read the keyring & new certauth certificates */ /p izusvr1 /s izusvr1 /* Create client certificate */ RACDCERT ID(TRAVIST) GENCERT - SUBJECTSDN( - CN('PTHSVZ1 TRAVIST Client Cert') - O('21st Century Software') - C('AU')) - WITHLABEL('PTHSVZ1 TRAVIST Client Cert') - SIZE(2048) - NOTAFTER(DATE(2098-01-01)) - SIGNWITH(CERTAUTH LABEL('zOSMF Client Cert CA')) /* Mark client certificate as trusted */ RACDCERT ALTER (LABEL('PTHSVZ1 TRAVIST Client Cert')) TRUST /* Refresh in-store profiles */ setropts raclist(DIGTCERT) refresh /* Export the certificate to data set */ RACDCERT ID(TRAVIST) EXPORT( - LABEL('PTHSVZ1 TRAVIST Client Cert')) - DSN('TRAVIST.CLIENT.CERT') - FORMAT(PKCS12DER) PASSWORD('{self.exportKey}') /* ftp as binary the exported certificate */ ftp ... /* convert the p12 format certificate to pem using openssl */ e.g. openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes /* Create a V1 profile using the zowe cli & and then convert to V2 format profile */ zowe profiles create zosmf-profile z-pthsvz1 --host pthsvz1.21csw.com.au --port 443 --reject-unauthorized false --cert-file ~/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem --cert-key-file ~/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem zowe config convert ```
github-actions[bot] commented 1 year ago

Thank you for raising this enhancement request. The community has 90 days to vote on it. If the enhancement receives at least 10 upvotes, it is added to our development backlog. If it receives fewer votes, the issue is closed.

lbdyck commented 1 year ago

I'd like to vote +1 for this.

MikeFultonDev commented 1 year ago

This makes a lot of sense. I struggled with this a few years back

gjtully commented 1 year ago

I too desire this enhancement

travatine commented 1 year ago

+1

michael-froend commented 1 year ago

+1

zFernand0 commented 1 year ago

Don't forget to 👍🏽 the issue 😉

Number of 👍🏽: 13 (including myself) 😋

github-actions[bot] commented 7 months ago

Thank you for raising this enhancement request. The community has 90 days to vote on it. If the enhancement receives at least 10 upvotes, it is added to our development backlog. If it receives fewer votes, the issue is closed.

travatine commented 7 months ago

Hi,

Our racf password rules require password changes every 30 days - In the last year, my team have received literally dozens of password reset request tickets within my organization. If our dev teams could use "password less" certificates instead, it would undoubtedly reduce the number of times zowe users revoke their TSO accounts due to incorrect password attempts.