Is your feature request related to a problem? Please describe.
After we added SSO and the PKCS#11 token, and since this is the suggested way to configure Zowe, we need to modify PKCS11_TOKEN_NAME and PKCS11_TOKEN_LABEL (defined in bin/zowe-setup-certificates.env) during the installation test to properly enable SSO.
Describe the solution you'd like
We need to:
- pre-define PKCS11_TOKEN_NAME on the testing server
- apply proper permissions
- create PKCS11_TOKEN_LABEL on the fly or pre-define it
- remove PKCS11_TOKEN_LABEL during uninstallation if we decide to create PKCS11_TOKEN_LABEL for each test
Additional context
This section from the docs may help with configuring the values:
===
Using web tokens for SSO for ZLUX and ZSS
Users must create a PKCS#11 token before continuing. This can be done through the USS utility, "gskkyman".
Creating a PKCS#11 Token
Ensure that the SO.TOKEN_NAME profile exists in CRYPTOZ, and that the user who will be creating tokens has either UPDATE or CONTROL access.
Define profile: "RDEFINE CRYPTOZ SO.TOKEN_NAME"
Add user with UPDATE access: "PERMIT SO.** ACCESS(UPDATE) CLASS(CRYPTOZ) ID(USERID)"
Ensure profile was created: "RLIST CRYPTOZ *"
Activate class with new profile:
"SETROPTS RACLIST(CRYPTOZ)"
"SETROPTS CLASSACT(CRYPTOZ)"
A user should now be able to use "gskkyman" to create a token.
Accessing token
Ensure USER.TOKEN_NAME profile exists in CRYPTOZ:
Define profile: "RDEFINE CRYPTOZ USER.TOKEN_NAME"
Add user with READ access: "PERMIT USER.TOKEN_NAME ACCESS(UPDATE) CLASS(CRYPTOZ) ID(USERID)"
Ensure profile was created: "RLIST CRYPTOZ *"
Activate class with new profile:
"SETROPTS RACLIST(CRYPTOZ)"
"SETROPTS CLASSACT(CRYPTOZ)"
Configure zowe-setup-certificates.env using the following parameters. Both are required to enable SSO.
PKCS#11 token name for SSO. Must already exist.
PKCS11_TOKEN_NAME=<newly created token name>
PKCS#11 token label for SSO. Must not already exist.
PKCS11_TOKEN_LABEL=<unique label>
Enabling SSO
Run zowe-setup-certificates.sh.
If you are upgrading from an older version of Zowe that has the apiml configured: "rerun zowe-setup-certificates.sh"
If upgrading, point the zowe instance to the newly generated keystore, or overwrite the previous one.
In the ZSS server configuration, enable SSO and input your token name/label:
```json
"agent": {
  //host is for zlux to know, not zss
  "host": "localhost",
  "http": {
    "ipAddresses": ["0.0.0.0"],
    "port": 0000
  },
  "jwt": {
    "enabled": true,
    "fallback": false,
    "key": {
      "token": "TOKEN.NAME",
      "label": "KEY_NAME"
    }
  },
},
```
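The token name and label have to agree in two places: the `PKCS11_TOKEN_NAME`/`PKCS11_TOKEN_LABEL` lines in zowe-setup-certificates.env and the `agent.jwt.key` stanza of the ZSS configuration. The script below is an added example for an installation test (not code from the Zowe project): it generates a per-run label so each test gets a label that does not already exist, parses both files, and reports any mismatch or missing setting. The sample env text and ZSS stanza are constructed here, the `ZOWE.TOKEN` name, the port 7542 and the `ZOWE_TEST` prefix are assumptions, and `//` comments are stripped before parsing because the ZSS config shown in the docs contains one.

```python
import json
import re
import secrets
from datetime import datetime, timezone

# Constructed sample of the SSO lines in bin/zowe-setup-certificates.env.
# ZOWE.TOKEN and ZOWE_SSO_KEY are hypothetical values, not from a real install.
SAMPLE_ENV = """\
# PKCS#11 token name for SSO. Must already exist.
PKCS11_TOKEN_NAME=ZOWE.TOKEN
# PKCS#11 token label for SSO. Must not already exist.
PKCS11_TOKEN_LABEL=ZOWE_SSO_KEY
"""

# Constructed sample of the ZSS "agent" stanza from the docs, with the "//"
# comment kept and a concrete port (7542, assumed) instead of the 0000 placeholder.
SAMPLE_ZSS_CONFIG = """\
{
  "agent": {
    //host is for zlux to know, not zss
    "host": "localhost",
    "http": { "ipAddresses": ["0.0.0.0"], "port": 7542 },
    "jwt": {
      "enabled": true,
      "fallback": false,
      "key": { "token": "ZOWE.TOKEN", "label": "ZOWE_SSO_KEY" }
    }
  }
}
"""


def parse_env(text):
    """Parse KEY=VALUE lines of a shell-style env file; skip blanks and '#' comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def load_zss_config(text):
    """Drop whole-line '//' comments (the ZSS config is JSON with comments), then parse."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(stripped)


def unique_label(prefix="ZOWE_TEST"):
    """Build a label for this test run: timestamp plus random suffix, so that a
    label created for one installation test is never reused by the next one."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    return f"{prefix}_{stamp}_{secrets.token_hex(4).upper()}"


def check_sso_config(env_text, zss_text):
    """Return a list of problems; an empty list means the env file and the ZSS
    agent.jwt stanza name the same token and label and JWT SSO is enabled."""
    env = parse_env(env_text)
    jwt = load_zss_config(zss_text).get("agent", {}).get("jwt", {})
    key = jwt.get("key", {})
    problems = []
    for name in ("PKCS11_TOKEN_NAME", "PKCS11_TOKEN_LABEL"):
        if not env.get(name):
            problems.append(f"{name} is not set in zowe-setup-certificates.env")
    if jwt.get("enabled") is not True:
        problems.append("ZSS agent.jwt.enabled is not true")
    if env.get("PKCS11_TOKEN_NAME") != key.get("token"):
        problems.append("token name differs between env file and ZSS agent.jwt.key.token")
    if env.get("PKCS11_TOKEN_LABEL") != key.get("label"):
        problems.append("token label differs between env file and ZSS agent.jwt.key.label")
    return problems


if __name__ == "__main__":
    print("label for this run:", unique_label())
    for problem in check_sso_config(SAMPLE_ENV, SAMPLE_ZSS_CONFIG) or ["SSO settings consistent"]:
        print(problem)
```

Running the check after `zowe-setup-certificates.sh` and before starting ZSS catches the common failure where the label written into the env file is regenerated for a new test run but the ZSS configuration still carries the previous one.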