Open achmelo opened 3 years ago
This issue is blocked by https://github.com/zowe/community/issues/970.
@achmelo could you please help to check if all the required changes are applied on ACF2 server (marist-2)? Thanks!
@jackjia-ibm I tried to create a token on the ACF2 server but without success. Can you please verify with the system admin whether the commands are correct or whether they were submitted under the correct user?
Commands:

```
SET PROFILE(USER) DIV(CERTDATA)
P11TOKEN ADD TOKEN(ZWETOKEN)
P11TOKEN BIND TOKEN(ZWETOKEN) CERTDATA(ZWESVUSR) LABEL(JWTSECRET)
P11TOKEN LIST TOKEN(ZWETOKEN)
```

Job output:

```
SET PROFILE(USER) DIV(CERTDATA)
? P11TOKEN ADD TOKEN(ZWETOKEN)
ACF68104 Token not defined to ICSF or you lack CSFSERV/CRYPTOZ authorization
? P11TOKEN BIND TOKEN(ZWETOKEN) CERTDATA(ZWESVUSR) LABEL(JWTSECRET)
ACF0A005 RECORD(S) NOT FOUND
ACF68007 Unable to validate the CERTDATA record being BOUND
? P11TOKEN LIST TOKEN(ZWETOKEN)
ACF68104 Token not defined to ICSF or you lack CSFSERV/CRYPTOZ authorization
```
Similar to #1778, please update the labels used to generate the certificates and bind them to the P11TOKEN:

```
P11TOKEN BIND TOKEN(ZWETOKEN) CERTDATA(ZWESVUSR) LABEL(JWTSECRET)
ACF0A005 RECORD(S) NOT FOUND
ACF68007 Unable to validate the CERTDATA record being BOUND
```
We can now create the token and bind jwtsecret, but ZSS is not able to find this token. Do you have any idea what could be wrong?

Error message:

```
ZWES1030W Server startup problem: Could not load the JWT key 'ZWETOKEN' from token 'jwtsecret': rc '12', p11rc '0', p11Rsn '0'
```

Configuration:

```
"agent": {
  "jwt": {
    "enabled": true,
    "token": {
      "label": "jwtsecret",
      "name": "ZWETOKEN"
    },
    "fallback": true
  },
```
Token list:

```
Token name: ZWETOKEN
Sequence Labels                                Attributes
-------- ------------------------------------- -----------------------------
00000001 TKDS:jwtsecret                        Usage(Personal) Default(No)
         ACF2:jwtsecret                        PubKey(Yes) PvtKey(Yes)
         ACF2USER(ZWESVUSR)
```
Can you please verify whether ZWESVUSR has SAF authority to list this token? ZSS is using this service: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.csfb400/trl.htm. There is a requirement there: "The caller must have SAF authority to the token for a particular token to be listed."
Token ZWETOKEN is not on the list returned by CSFPTRL.

```
attempting to address the token ZWETOKEN... findToken iteration
CSFPTRL rc=0, rsn=0x0, hc=1, oll=116, ol:
xxxx|SYSTOK-SESSION-ONLY |
xxxx|IBM Corporation |
xxxx |HCR77C1
findTokenRc 7773003, out_p11rc 0, out_p11rsn 0
ZWES1030W Server startup problem: Could not load the JWT key 'ZWETOKEN' from token 'jwtsecret': rc '12', p11rc '0', p11Rsn '0'
```
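The check that fails in the debug output above (one record back from CSFPTRL, and ZWETOKEN not among them) can be reproduced offline against the raw output area. The following is an added example, not ZSS or Zowe code. The 116-byte record layout it assumes (handle 44 bytes = 32-byte token name, 8-byte sequence number, 4 reserved; then manufacturer 32, model 16, serial 16, date 8) is my reading of the ICSF CSFPTRL token-list description and is consistent with hc=1 / oll=116 above; the EBCDIC code page (cp037), the sequence number and every field value in the sample record are constructed assumptions.

```python
"""Check a CSFPTRL token-record list for a named PKCS#11 token.

Added example, not ZSS or Zowe code. Assumed record layout (116 bytes per
token, matching hc=1 / oll=116 in the ZSS debug output): handle 44 bytes
(32-byte token name, 8-byte sequence number, 4 reserved), manufacturer 32,
model 16, serial number 16, date 8. Text fields are assumed to be EBCDIC
(cp037) because the output area comes straight from ICSF on z/OS.
"""
import codecs
from dataclasses import dataclass
from typing import List, Optional

RECORD_LEN = 116
CODEPAGE = "cp037"  # assumption: US EBCDIC

# (offset, length) of each blank-padded text field inside one record
FIELDS = {
    "name": (0, 32),
    "sequence": (32, 8),
    "manufacturer": (44, 32),
    "model": (76, 16),
    "serial": (92, 16),
    "date": (108, 8),
}


@dataclass(frozen=True)
class TokenRecord:
    name: str
    sequence: str
    manufacturer: str
    model: str
    serial: str
    date: str


def _text(rec: bytes, offset: int, length: int) -> str:
    """Decode one blank-padded EBCDIC field and strip the padding."""
    return codecs.decode(rec[offset:offset + length], CODEPAGE).rstrip()


def parse_token_list(output: bytes, handle_count: int, output_len: int) -> List[TokenRecord]:
    """Split the CSFPTRL output area into records.

    handle_count and output_len are the hc and oll values ICSF returned;
    they are cross-checked against each other and the buffer before parsing,
    so a truncated or mis-sized area is rejected instead of misparsed.
    """
    if output_len != handle_count * RECORD_LEN:
        raise ValueError(f"oll={output_len} is not hc={handle_count} x {RECORD_LEN}")
    if len(output) < output_len:
        raise ValueError("output buffer is shorter than the reported oll")
    records = []
    for i in range(handle_count):
        rec = output[i * RECORD_LEN:(i + 1) * RECORD_LEN]
        records.append(TokenRecord(**{k: _text(rec, off, ln) for k, (off, ln) in FIELDS.items()}))
    return records


def find_token(output: bytes, handle_count: int, output_len: int, wanted: str) -> Optional[TokenRecord]:
    """Return the record for `wanted`, or None when ICSF did not list it.

    CSFPTRL only returns tokens the caller holds SAF authority for, so None
    means either the token does not exist or the caller cannot see it.
    """
    for rec in parse_token_list(output, handle_count, output_len):
        if rec.name == wanted:
            return rec
    return None


def build_record(name: str, sequence: str, manufacturer: str, model: str,
                 serial: str = "", date: str = "") -> bytes:
    """Encode one record in the assumed ICSF layout (used to build test data)."""
    def field(value: str, length: int) -> bytes:
        if len(value) > length:
            raise ValueError(f"{value!r} longer than {length}")
        return codecs.encode(value.ljust(length), CODEPAGE)
    return (field(name, 32) + field(sequence, 8) + field("", 4)
            + field(manufacturer, 32) + field(model, 16)
            + field(serial, 16) + field(date, 8))


# Constructed sample mirroring the debug output: ICSF returned a single record,
# the session-only system token, and nothing for ZWETOKEN.
SAMPLE_OUTPUT = build_record("SYSTOK-SESSION-ONLY", "00000000", "IBM Corporation", "HCR77C1")
SAMPLE_HC = 1
SAMPLE_OLL = len(SAMPLE_OUTPUT)

if __name__ == "__main__":
    for rec in parse_token_list(SAMPLE_OUTPUT, SAMPLE_HC, SAMPLE_OLL):
        print(f"{rec.name}|{rec.manufacturer}|{rec.model}")
    print("ZWETOKEN visible:", find_token(SAMPLE_OUTPUT, SAMPLE_HC, SAMPLE_OLL, "ZWETOKEN") is not None)
```

The useful distinction this makes is between "token missing" and "token hidden": the ACF2 P11TOKEN LIST output earlier in the thread shows ZWETOKEN exists with jwtsecret bound, so a list that comes back without it under the ZSS address space points at the caller's SAF authority to the token (the CRYPTOZ class resources SO.ZWETOKEN and USER.ZWETOKEN for ZWESVUSR) rather than at the token definition itself.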
Any updates?
Customer content
**Is your feature request related to a problem? Please describe.**
API ML can provide authentication with a valid client certificate. This is being tested on marist-1 with RACF. To be sure that users with ACF2 can leverage this functionality, this needs to be tested on ACF2 as well. There are some prerequisites in the security system configuration before we can run the tests.

**Describe the solution you'd like**
There are a few steps:

**Describe alternatives you've considered**
Client certificates will not be tested on ACF2; this is not recommended.

**Additional context**
This setup has been done for RACF as part of #1713.
Issue related to this: #1778