zowe / zowe-install-packaging

Packaging repository for the Zowe install scripts and files
Eclipse Public License 2.0

Authentication with client certificates on TSS. #1778

Closed achmelo closed 3 years ago

achmelo commented 3 years ago

Customer content

Is your feature request related to a problem? Please describe.
API ML can provide authentication with a valid client certificate. This is being tested on marist-1 with RACF. To be sure that users with TSS can leverage this functionality, this needs to be tested on TSS as well. There are some prerequisites in the security system configuration before we can run the tests.

Describe the solution you'd like
There are a few steps:

  1. Allow the user which runs API ML (ZWESVUSR) to generate a PassTicket for the zOSMF APPL ID.
  2. Allow the user which runs API ML (ZWESVUSR) to use R_usermap (map certificate to zOS identity)
    • this step is partly done in ZWESECUR, but the user running the scripts doesn't have permissions
  3. Create profiles SO.ZWETOKEN and USER.ZWETOKEN in CRYPTOZ with ACCESS(CONTROL) for the user (ZWESVUSR)

Describe alternatives you've considered
Client certificate will not be tested on TSS - this is not recommended.

Additional context
This setup has been done for RACF as a part of #1713

jackjia-ibm commented 3 years ago

An update on the progress. The change request had been sent to the Marist support team on Nov 26. The most recent update was Dec 3: they have converted the RACF commands to ACF2 and were working on TSS. But none of the changes have been applied to real servers yet.

jackjia-ibm commented 3 years ago

@MarkAckert I asked about the progress about a month ago but didn't get any response. Do you mind checking with the team to see if there is anything needed on our side? There is a similar task on ACF2: https://github.com/zowe/zowe-install-packaging/issues/1779. Thank you!

jackjia-ibm commented 3 years ago

This issue is blocked by https://github.com/zowe/community/issues/970.

jackjia-ibm commented 3 years ago

@achmelo please also verify if this has been resolved. Thank you!

achmelo commented 3 years ago

@jackjia-ibm it seems to be the same situation as on the ACF2 server; when I try to add a token, I get an error response.

commands:

TSS P11TOKEN TOKENADD LABLCTKN(ZWETOKEN)
TSS P11TOKEN BIND LABLCTKN(ZWETOKEN) TOKNUSER(ZWESVUSR) LABLCERT('JWTSECRET')
TSS P11TOKEN TOKENLST LABLCTKN(ZWETOKEN)

add token:

TSS P11TOKEN TOKENADD LABLCTKN(ZWETOKEN)
TSS0207E INSUFFICIENT AUTHORITY FOR FUNCTION

list token:

TSS P11TOKEN TOKENLST LABLCTKN(ZWETOKEN)
TSS0207E INSUFFICIENT AUTHORITY FOR FUNCTION

MarkAckert commented 3 years ago

We added token creation authority, but there are still errors being returned:

TSS P11TOKEN TOKENADD LABLCTKN(ZWETOKEN)
TSS0300I TSS FUNCTION SUCCESSFUL

TSS P11TOKEN BIND LABLCTKN(ZWETOKEN) TOKNUSER(ZWESVUSR) LABLCERT('JWTSECRET')
TSS0443E DIGITAL CERTIFICATE NOT FOUND
TSS0301I TSS FUNCTION FAILED, RETURN CODE = 4

Are we missing more configuration on the system, or is this a bug in the automation? Thanks

achmelo commented 3 years ago

For some reason JWTSECRET is not a valid certificate for TSS and ACF2. Currently we are using this certificate within RACF. Do you have any idea how we can get more information about why it is not valid?

TSS CHKCERT DCDSN('ZOWEAD3.ZWE.CERT.JWTSCRT')
TSS0942I INVALID CERTIFICATE DATA - LENGTH
TSS0301I CHKCERT FUNCTION FAILED, RETURN CODE = 4

achmelo commented 3 years ago

Would you be able to verify the correctness of the current procedure? This case is for TSS with a keyring. The procedure is:

Generate certificate:

TSS GENCERT(ZWESVUSR) DIGICERT(ZOWEJWT) SUBJECTN( 'CN="Zowe Development Instances JWT" OU="API Mediation Layer" O="Zowe Sample" L="Prague" SP="Prague" C="CZ" ') KEYSIZE(2048) NADATE(05/01/30) LABLCERT(jwtsecret)

Certificate in keyring:

ACID(ZWESVUSR) KEYRING(ZOWERING)
DIGICERT = ZOWEJWT ACCESSORID = ZWESVUSR
ADMIN BY= BY(ZOWEAD3 ) SMFID(2964) ON(03/11/2021) AT(06:26:56)
LABEL = jwtsecret
STATUS = TRUST
SERIAL# = 00
ISSUER DISTINGUISHED NAME:
.CN=Zowe Development Instances JWT.OU=API Mediation Layer.
- O=Zowe Sample.L=Prague.ST=Prague.C=CZ
SUBJECT DISTINGUISHED NAME:
CN=Zowe Development Instances JWT.OU=API Mediation Layer.O
- =Zowe Sample.L=Prague.ST=Prague.C=CZ
PRIVATE KEY SIZE = 2048
PRIVATE KEY TYPE = RSA
ALGORITHM = sha256WithRSAEncryption
NOT BEFORE = 2021/03/11 00:00:00 UTC
NOT AFTER = 2030/05/01 23:59:59 UTC

Define token:

TSS P11TOKEN TOKENADD LABLCTKN(ZWETOKEN)

Bind certificate to token:

TSS P11TOKEN BIND LABLCTKN(ZWETOKEN) TOKNUSER(ZWESVUSR) LABLCERT('jwtsecret')

The last step is unsuccessful:

TSS P11TOKEN BIND LABLCTKN(ZWETOKEN) TOKNUSER(ZWESVUSR) LABLCERT('jwtsecret')
TSS0390E UNEXPECTED ERROR, CODE = 004

MarkAckert commented 3 years ago

We fixed up CSF on the system, which was blocking proper Token creation (despite a success message).

The automation is still failing at the bind step, and it looks like it is due to a mismatched label in the automation between the DIGICERT creation and P11TOKEN bind actions:

tsocmd "TSS ADDTO({{ zowe_runtime_user }}) DIGICERT({{ dataset }}) LABLCERT('{{ label }}') DCDSN('{{ zowe_dataset_prefix }}.CERT.{{ dataset }}') TRUST"

and

TSS P11TOKEN BIND LABLCTKN({{ zowe_token_name }}) TOKNUSER({{ zowe_runtime_user }}) LABLCERT('{{ zowe_token_label }}')

The LABLCERT('{{ label }}') must use the same string in both commands. We were able to bind the P11TOKEN manually with the right label name, so it should work once the variables are updated :-)

achmelo commented 3 years ago

Client certificate authentication on TSS with a keyring now works fine, the tests are passing. There is still some problem with the keystore. The certificate that is being exported from the keystore is not valid for some reason:

TSS CHKCERT DCDSN('ZOWEAD3.ZWE.CERT.JWTSCRT')
TSS0942I INVALID CERTIFICATE DATA - LENGTH
TSS0301I CHKCERT FUNCTION FAILED, RETURN CODE = 4

On the other hand, this certificate is valid for RACF on marist-1.

MarkAckert commented 3 years ago

According to the TSS doc, a common cause of TSS0942I INVALID CERT DATA is newlines within the certificate. The certificate must be a single-line string with no spaces or trailing whitespace when it's added to TSS. Can you check the cert format?

achmelo commented 3 years ago

I was verifying this and I can't see any spaces or any other signs. Here is one of the generated jwtsecret certificates (PEM text omitted here).

achmelo commented 3 years ago

I verified that this token is valid and can be added to TSS. It is possible that the problem could be in TSS. We faced a similar issue in the past and this was solved with PTF SO06666. Could you please check if this PTF has been applied?

MarkAckert commented 3 years ago

I verified the certificate has extra spaces when it's placed in the dataset on the mainframe - removing them manually leads to CHKCERT passing.

On the mainframe it was in form as below:

text\n
 \n
text\n
 \n
text\n

It works when adjusted to:

text\n
text\n

achmelo commented 3 years ago

Do you have any idea how it can be fixed from the command line? Could we add this certificate to the dataset in a different way?
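An added example, not code from the thread or the Zowe project: a Python check that reports the whitespace-only and trailing-blank lines the comments above identify as the cause of the CHKCERT failure, rewrites the PEM into the text\ntext\n shape that passed, and confirms the base64 body still decodes to one complete DER SEQUENCE (the kind of length problem TSS0942I names). The sample PEM is constructed; its body is a tiny hand-built DER SEQUENCE rather than a real certificate so the script runs offline.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample, not the thread's certificate: the body is a tiny DER
# SEQUENCE (30 03 02 01 05) split by the whitespace-only lines the thread describes.
BAD_PEM = "-----BEGIN CERTIFICATE-----\n \nMAMC\n \nAQU=\n-----END CERTIFICATE-----\n"

def whitespace_defects(text):
    """Line numbers TSS would object to: whitespace-only lines or trailing blanks."""
    return [no for no, ln in enumerate(text.splitlines(), 1)
            if not ln.strip() or ln != ln.rstrip()]

def normalize_pem(text):
    """Drop whitespace-only lines and trailing blanks, giving the text\\ntext\\n
    shape that CHKCERT accepted in the thread."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    return "\n".join(ln for ln in lines if ln) + "\n"

def der_length(data):
    """Bytes the outer DER SEQUENCE header claims (header + contents), or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: next nbytes hold the length
    if nbytes == 0 or len(data) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")

def check_certificate(text):
    """(ok, reason): the base64 body must decode to exactly one complete DER
    SEQUENCE; a truncated or padded body shows up as a length mismatch."""
    m = PEM_RE.search(text)
    if not m:
        return False, "no PEM certificate block found"
    body = "".join(m.group(1).split())    # whitespace never changes the DER content
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, "base64 decode failed: %s" % exc
    expected = der_length(der)
    if expected is None:
        return False, "decoded data is not a DER SEQUENCE"
    if expected != len(der):
        return False, "DER length %d does not match %d decoded bytes" % (expected, len(der))
    return True, "ok"
```

Run whitespace_defects on the exported file first: if it reports lines while check_certificate still returns ok, the certificate content is intact and only the record layout needs fixing, which matches what the thread found.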

achmelo commented 3 years ago

I think that we can close this issue. Please reopen if something is missing.