zowe/zowe-explorer-vscode

Provide Client Side z/OSMF Certificate Support Zowe Explorer

Opened this issue · 9 comments

Would like to use zOSMF Client Certificates to authenticate without a password to zOSMF with Zowe Explorer extension. With all the necessary profiling setup, I am still prompted for my UserID and Password which seems to get rejected by zOS as a valid login. This would be especially helpful when trying to use Zowe Explorer when leveraging one time use passwords.

Discussed in #2314

Originally posted by travatine May 27, 2023
Hi,

Please, I've set up client side certificates for authenticating with z/OSMF.

This works with the zowe-cli, for example, I can use the "list data set" command:

 travatine@penguin:~$ zowe zos-files list data-set "travist.**" --host pthsvz1.21csw.com.au 
TRAVIST
TRAVIST.DDIR
TRAVIST.DDIR.D
TRAVIST.DDIR.I
TRAVIST.DIGICERT.CERT.TODAY

This is my config:

{
    "$schema": "./zowe.schema.json",
    "profiles": {
        "zosmf_x-pthtsx1": {
            "type": "zosmf",
            "properties": {
                "host": "pthtsx1.21csw.com.au",
                "port": 443,
                "rejectUnauthorized": false,
                "certFile": "/home/travatine/jmirror/python-zosmf/certs/pthtsx1.21csw.com.au-TRAVIST.clientCert.pem",
                "certKeyFile": "/home/travatine/jmirror/python-zosmf/certs/pthtsx1.21csw.com.au-TRAVIST.clientCert.pem",
                "protocol": "https"
            },
            "secure": []
        },
        "zosmf_z-pthsvz1": {
            "type": "zosmf",
            "properties": {
                "host": "pthsvz1.21csw.com.au",
                "port": 443,
                "rejectUnauthorized": false,
                "certFile": "/home/travatine/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem",
                "certKeyFile": "/home/travatine/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem",
                "protocol": "https"
            },
            "secure": []
        }
    },
    "defaults": {
        "zosmf": "zosmf_z-pthsvz1"
    },
    "autoStore": true
}

The profiles appear in VS Code, however when I attempt to run a data set search, I am asked to supply a user name and password.
Is this expected? (Or have I configured something incorrectly?)


I'm running this version of the extension, V2.8.1

and this VS Code:

Version: 1.78.2
Commit: b3e4e68a0bc097f0ae7907b217c1119af9e03435
Date: 2023-05-10T14:47:05.613Z
Electron: 22.5.2
Chromium: 108.0.5359.215
Node.js: 16.17.1
V8: 10.8.168.25-electron.0
OS: Linux x64 5.15.103-17409-g07029265d738
Sandboxed: Yes

In case it is relevant, I ran the following to set up the CA and the client side certificates:

/* Create CERTAUTH */
RACDCERT CERTAUTH GENCERT  -
    SUBJECTSDN(CN('zOSMF Client Cert CA') -
     OU('IZUDFLT')) WITHLABEL('zOSMF Client Cert CA') -
     SIZE(2048) -
     TRUST NOTAFTER(DATE(2099/01/01))  

/* connect the CERTAUTH to the IZUSVR (z/OSMF server user) keyring */
RACDCERT ID(IZUSVR) CONNECT(LABEL('zOSMF Client Cert CA') -
     RING(IZUKeyringG.letsenc) CERTAUTH)

/* restarted z/OSMF to force it to re-read the keyring & new certauth certificates */
/p izusvr1
/s izusvr1

/* Create client certificate */
RACDCERT ID(TRAVIST) GENCERT -
       SUBJECTSDN( -
       CN('PTHSVZ1 TRAVIST Client Cert') -
        O('21st Century Software') -
        C('AU')) -
        WITHLABEL('PTHSVZ1 TRAVIST Client Cert') -
        SIZE(2048)  -
        NOTAFTER(DATE(2098-01-01)) - 
       SIGNWITH(CERTAUTH LABEL('zOSMF Client Cert CA'))

/* Mark client certificate as trusted */
RACDCERT ALTER  (LABEL('PTHSVZ1 TRAVIST Client Cert')) TRUST

/* Refresh in-store profiles */
setropts raclist(DIGTCERT) refresh

/* Export the certificate to data set */
/* '{self.exportKey}' is a placeholder substituted by the script the command was taken from */
RACDCERT ID(TRAVIST) EXPORT( - 
        LABEL('PTHSVZ1 TRAVIST Client Cert')) -
        DSN('TRAVIST.CLIENT.CERT') -
      FORMAT(PKCS12DER) PASSWORD('{self.exportKey}')

/* ftp as binary the exported certificate */
ftp ...

/* convert the p12 format certificate to pem using openssl */
e.g.
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes

/* Create a V1 profile using the zowe cli and then convert it to a V2 format profile */

zowe profiles create zosmf-profile z-pthsvz1 --host pthsvz1.21csw.com.au --port 443 --reject-unauthorized false --cert-file ~/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem  --cert-key-file ~/jmirror/python-zosmf/certs/pthsvz1.21csw.com.au-TRAVIST.clientCert.pem

zowe config convert
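The profile shape shown in the config above (certFile, certKeyFile, rejectUnauthorized, secure) is what the script below audits before the profile is handed to the CLI or the extension. This is an added example, not Zowe Explorer or Zowe CLI code: it reads the team config as plain JSON, checks that the files named by certFile and certKeyFile actually contain a CERTIFICATE and a PRIVATE KEY block (the two openssl commands above produce one of each, and a single combined file may serve both roles), and flags rejectUnauthorized: false and leftover user/password entries. The hostnames, file paths, PEM bodies and finding codes are constructed placeholders and assumptions of this script, not values from the page.

```javascript
// Added example (not Zowe project code): audit the zosmf profiles in a
// Zowe team config (zowe.config.json) for problems that make certificate
// authentication fail or weaken it. `readFile(path)` is injected so the
// audit runs against an in-memory map here; for real files pass
//   (p) => require("fs").readFileSync(p, "utf8")

// Return the block types found in a PEM file, e.g. ["CERTIFICATE", "RSA PRIVATE KEY"].
function pemBlockTypes(text) {
  const types = [];
  const re = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;
  let m;
  while ((m = re.exec(text)) !== null) types.push(m[1]);
  return types;
}

const isCertBlock = (t) => t === "CERTIFICATE";
// Matches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
const isKeyBlock = (t) => t.endsWith("PRIVATE KEY");

// Audit one profile; returns a list of { code, level, message } findings (codes are this script's own).
function auditProfile(profile, readFile) {
  const findings = [];
  const add = (code, level, message) => findings.push({ code, level, message });
  if (profile.type !== "zosmf") return findings;
  const props = profile.properties || {};

  const hasCert = typeof props.certFile === "string";
  const hasKey = typeof props.certKeyFile === "string";
  if (!hasCert && !hasKey) {
    add("NO_CLIENT_CERT", "info", "no certFile/certKeyFile; user/password or token auth will be used");
    return findings;
  }
  if (hasCert !== hasKey) {
    add("CERT_KEY_PAIR_INCOMPLETE", "error", "certFile and certKeyFile must both be set");
  }

  // Load the PEM block types of a file, or null when it cannot be read.
  const load = (path) => { try { return pemBlockTypes(readFile(path)); } catch (e) { return null; } };
  if (hasCert) {
    const types = load(props.certFile);
    if (types === null) add("CERT_FILE_UNREADABLE", "error", `cannot read certFile ${props.certFile}`);
    else if (!types.some(isCertBlock)) add("NO_CERTIFICATE_BLOCK", "error", `certFile ${props.certFile} has no CERTIFICATE block`);
  }
  if (hasKey) {
    const types = load(props.certKeyFile);
    if (types === null) add("KEY_FILE_UNREADABLE", "error", `cannot read certKeyFile ${props.certKeyFile}`);
    else if (!types.some(isKeyBlock)) add("NO_PRIVATE_KEY_BLOCK", "error", `certKeyFile ${props.certKeyFile} has no PRIVATE KEY block (export the key with "openssl pkcs12 -nocerts -nodes")`);
    else if (types.includes("ENCRYPTED PRIVATE KEY")) add("ENCRYPTED_KEY", "warn", "private key is passphrase-protected; the client must be able to supply the passphrase");
  }

  // The client cert authenticates the user; rejectUnauthorized: false makes the
  // client skip validating the server's certificate, so the session can be intercepted.
  if (props.rejectUnauthorized === false) {
    add("TLS_VERIFY_DISABLED", "warn", "rejectUnauthorized is false: the z/OSMF server certificate is not validated");
  }
  const secure = Array.isArray(profile.secure) ? profile.secure : [];
  if (props.user !== undefined || props.password !== undefined || secure.includes("user") || secure.includes("password")) {
    add("CREDENTIALS_ALONGSIDE_CERT", "info", "user/password are also stored; the client may still prompt for or send them");
  }
  return findings;
}

// Audit every profile in a parsed team config; returns { profileName: findings[] }.
function auditConfig(config, readFile) {
  const report = {};
  for (const [name, profile] of Object.entries(config.profiles || {})) {
    report[name] = auditProfile(profile, readFile);
  }
  return report;
}

// Constructed sample files and config (placeholder host and paths, dummy PEM bodies).
const SAMPLE_FILES = {
  "/tmp/example/combined.pem":
    "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n" +
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n",
  "/tmp/example/cert-only.pem":
    "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n",
};
const readSample = (path) => {
  if (!(path in SAMPLE_FILES)) throw new Error(`ENOENT: ${path}`);
  return SAMPLE_FILES[path];
};
const SAMPLE_CONFIG = {
  profiles: {
    zosmf_ok: { type: "zosmf", properties: { host: "zosmf.example.com", port: 443, protocol: "https",
      rejectUnauthorized: false, certFile: "/tmp/example/combined.pem", certKeyFile: "/tmp/example/combined.pem" }, secure: [] },
    zosmf_missing_key: { type: "zosmf", properties: { host: "zosmf.example.com", port: 443, protocol: "https",
      rejectUnauthorized: true, certFile: "/tmp/example/cert-only.pem", certKeyFile: "/tmp/example/cert-only.pem" }, secure: [] },
    zosmf_password: { type: "zosmf", properties: { host: "zosmf.example.com", port: 443, protocol: "https" }, secure: ["user", "password"] },
  },
};
const SAMPLE_REPORT = auditConfig(SAMPLE_CONFIG, readSample);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

For the constructed sample, the combined file passes with only the rejectUnauthorized warning, the cert-only file used as certKeyFile is reported as having no private key, and the password-only profile is reported as not using a client certificate at all. A profile that passes this audit but still triggers a credential prompt in the extension is the behaviour this issue is about, rather than a config error.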

Thank you for raising this enhancement request.
The community has 90 days to vote on it.
If the enhancement receives at least 10 upvotes, it is added to our development backlog.
If it receives fewer votes, the issue is closed.

lbdyck commented

I'd like to vote +1 for this.

This makes a lot of sense. I struggled with this a few years back.

I too desire this enhancement

+1

+1

Don't forget to 👍🏽 the issue 😉

Number of 👍🏽: 13 (including myself) 😋

Hi,

Our RACF password rules require password changes every 30 days.
In the last year, my team have received literally dozens of password reset request tickets within my organization.
If our dev teams could use "password-less" certificates instead, it would undoubtedly reduce the number of times Zowe users revoke their TSO accounts due to incorrect password attempts.