IBM Explorer for z/OS


has anyone got RSEAPI working with TLS and a keyring?

  • 1.  has anyone got RSEAPI working with TLS and a keyring?

    Posted Tue August 01, 2023 07:39 AM

    I've spent a couple of days on this, and I changed the product files to get it to work.

    I had to edit  /usr/lpp/IBM/rseapi/tomcat.base/bin/rseapi.final.env to add

    catalina_AddOn="$catalina_AddOn -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"

    without it, rseapi cannot process the keyring statement safkeyring://START1/MQRING



    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Tue August 01, 2023 10:16 AM

    Hi Colin,

    Which version of Java and RSEAPI do you have?

    Regards,

    David



    ------------------------------
    Dave McKnight
    ------------------------------



  • 3.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Wed August 02, 2023 03:21 AM

    Hi Dave,

    Thanks for your reply, I have

    IBMUSER:/u/ibmuser: >java -version
    java version "1.8.0_261"
    Java(TM) SE Runtime Environment (build 8.0.6.16 - pmz6480sr6fp16-20200902_01(SR6 FP16))
    IBM J9 VM (build 2.9, JRE 1.8.0 z/OS s390x-64-Bit Compressed References 20200901_454898 (JIT enabled, AOT enabled)
    OpenJ9   - 2799ddf
    OMR      - b348d97
    IBM      - 5371022)
    JCL - 20200831_01 based on Oracle jdk8u261-b13

    it was hard to find the version of RSEAPI.  The proc has 5655-EXP Copyright IBM Corp. 2020, 2020.

    The ZFS is HUH100.ZFS

    /usr/lpp/IBM/rseapi/tomcat.base/bin/current_version.txt has v1.0.5 created 15 Jun 2021



    ------------------------------
    Colin Paice
    ------------------------------



  • 4.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Wed August 02, 2023 09:06 AM

    Also see https://serverfault.com/questions/1120624/configuring-tomcat-for-customized-protocol-handler with the same problem



    ------------------------------
    Colin Paice
    ------------------------------



  • 5.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Wed August 02, 2023 09:26 AM

    Hi Colin,

    Yes, tomcat.base/bin/current_version.txt  will give you the correct version of RSEAPI (you can also find it via the info/serverdetails API).   You're using v1.0.5 which is pretty old and that version did not officially support RACF keyring.  Newer versions (v1.0.13 and v1.1.2) provide keyring support out of the box (which does involve bringing in -Djava.protocol.handler.pkgs=com.ibm.crypto.provider) along with other improvements and features.  You can get it updated via ShopZ or from here: https://ibm.github.io/mainframe-downloads/host-components.html.

    I hope this helps!



    ------------------------------
    Dave McKnight
    ------------------------------



  • 6.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Thu August 03, 2023 03:23 AM

    Hi Dave,

    Thanks for your reply. I got it to work using 

    j1=" -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"
    j2=" -Djavax.net.ssl.keyStoreType=JCERACFKS"
    j3=" -Djavax.net.ssl.keyStore=safkeyringjce://START1/MQRING"
    j4=" -DkeystoreFile=safkeyringjce://START1/MQRING"
    j5=" -Djava.security.properties==/etc/zexpl/java.security"
    JAVA_OPTS="$j1 $j2 $j3 $j4 $j5"
    CATALINA_OPTS="$j5 "
    export JAVA_OPTS
    export CATALINA_OPTS

    and the java.security with

    security.provider.1=com.ibm.crypto.provider.IBMJCE
    security.provider.2=com.ibm.crypto.zsecurity.provider.safkeyring
    security.provider.3=com.ibm.crypto.zsecurity.provider.safkeyring.Provider
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.11=sun.security.provider.Sun
    security.provider.12=com.ibm.jsse2.IBMJSSEProvider2

    I run on z/PDT with downloads of the ADCD package.  I expect no one has asked them to upgrade to a newer version

    I'll download the aqua 3.3 and see how that goes.

    BTW is there any difference between RSEAPI and RSED ... RSEAPI seems to include some of the RSED configuration.

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 7.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Thu August 03, 2023 07:15 AM

    Hi Dave,

    I downloaded the file you pointed to and installed it. 

    There was a minor hitch in the apply (which may well be a user error - it took me several goes to get the install done cleanly)

    GIM54701E ** ALLOCATION FAILED FOR SHUHZFS - IKJ56228I PATH /usr/lpp/IBM/rseapi1/IBM/ NOT IN CATALOG OR CATALOG CAN NOT BE ACCESSED.

    I did makedir  for /usr/lpp/IBM/rseapi1/IBM/ and the apply worked.

    I changed my rseapi proc to point to the new libraries and tried to start it.

    When I tried to use it, it failed (after I added some debug code) in

        /usr/lpp/IBM/rseapi1/tomcat.base/bin/setenv.sh
     ===>                                                                       
     echo  "COLIN" 
     echo RSE_HOME=$($CATALINA_BASE/bin/envvars.sh -SRSE_HOME \ 
       -O${RSE_CFG:-/etc/zexpl}/rse.env | sed -n 's:.*"\(.*\)":\1:p') 

    RSE_HOME=$($CATALINA_BASE/bin/envvars.sh -SRSE_HOME \ 
      -O${RSE_CFG:-/etc/zexpl}/rse.env | sed -n 's:.*"\(.*\)":\1:p') 

    with 

    Using server configuration at /Z24C/usr/lpp/IBM/rseapi1/tomcat.base/conf/sserver.xml
    COLIN
    RSE_HOME=\(.*\):\1:p
    ERROR -- RSE \(.*\):\1:p/bin/envvars.sh cannot be executed
    ls -l \(.*\):\1:p/bin/

    This may be a user error. 

    I do not need it fixed, as I'll use the older version for what I wanted to do.  I just wanted to play with RSEAPI, it was nothing serious.

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 8.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Thu August 03, 2023 09:34 AM

    I must have screwed up somewhere, as I get 

    Using server configuration at /Z24C/usr/lpp/IBM/rseapi/tomcat.base/conf/sserver.xml
    /usr/lpp/IBM/rseapi/tomcat.base/bin/setenv.sh
    ERROR -- RSE \(.*\):\1:p/bin/envvars.sh cannot be executed
    ls -l \(.*\):\1:p/bin/
    ls: FSUM6785 File or directory "\(.*\):\1:p/bin/" is not found

    when I go back to the originally installed level



    ------------------------------
    Colin Paice
    ------------------------------



  • 9.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Thu August 03, 2023 09:44 AM

    Hi Colin,

    Thanks for your patience here.

    Regarding GIM54701E, it appears that there is some customization for RSEAPI in the ADCD image that doesn't lend itself to a PTF update.   I suppose you could try a fresh install to avoid that issue, and perhaps the issue you're seeing in setenv.sh.  

    For setenv.sh, it seems that some environment variables may not be correctly set.  Could you try echoing RSE_HOME, CATALINA_BASE and RSE_CFG to see if it offers any clues?  Also, if you're using JCL to start the service, can you share that?



    ------------------------------
    Dave McKnight
    ------------------------------



  • 10.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Fri August 04, 2023 03:41 AM

    Hi Dave,

    My problem was caused by the wrong line in /etc/zexpl/rse.env

    RSE_HOME=/usr/lpp/IBM/zexpl
    #RSE_HOME=/usr/lpp/IBM/rseapi

    works ... rseapi does not work.



    ------------------------------
    Colin Paice
    ------------------------------



  • 11.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Fri August 04, 2023 09:46 AM

    Hi Colin,

    Right, RSE_HOME needs to point to the base RSED (zexpl) installation directory, not the rseapi installation directory.   The rse.env file is for RSED.   The rseapi.env is for RSEAPI but it inherits the environment produced by rse.env (for picking up common settings and libraries).  Was the ADCD /etc/zexpl/rse.env configured to use /usr/lpp/IBM/rseapi or was that customization you made?



    ------------------------------
    Dave McKnight
    ------------------------------
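A pre-flight check for the RSE_HOME setting that caused the "envvars.sh cannot be executed" failure above, added here as an example; it is not code from the RSE products or from either poster. It assumes rse.env is a file of KEY=value lines with `#` comments and that the RSED base install carries an executable bin/envvars.sh, and it builds its own throwaway sample directories rather than touching a real install.

```shell
#!/bin/sh
# Added example: validate RSE_HOME in an rse.env file before starting RSEAPI.
# Assumptions (from the thread, not from product documentation): rse.env holds
# KEY=value lines, '#' starts a comment, and the RSED base install (zexpl)
# contains bin/envvars.sh while the rseapi install directory does not.

# Print the value of the last active (uncommented) assignment of $2 in file $1,
# with surrounding single or double quotes stripped. A commented-out line such
# as '#RSE_HOME=/usr/lpp/IBM/rseapi' is ignored.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^["'\'']//; s/["'\'']$//'
}

# Return 0 if RSE_HOME in $1 names a directory holding an executable
# bin/envvars.sh, otherwise print the reason and return 1.
check_rse_home() {
    rse_env="$1"
    rse_home=$(env_value "$rse_env" RSE_HOME)
    if [ -z "$rse_home" ]; then
        echo "RSE_HOME is not set in $rse_env"
        return 1
    fi
    if [ ! -x "$rse_home/bin/envvars.sh" ]; then
        echo "RSE_HOME=$rse_home has no executable bin/envvars.sh;" \
             "RSE_HOME must be the RSED (zexpl) install, not the rseapi directory"
        return 1
    fi
    echo "RSE_HOME=$rse_home looks usable"
}

# Constructed sample layout mirroring the thread: zexpl has envvars.sh, rseapi
# does not. Returns 0 when the good file passes and the bad file is rejected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/zexpl/bin" "$work/rseapi/bin"
    printf '#!/bin/sh\necho RSE_HOME="%s"\n' "$work/zexpl" > "$work/zexpl/bin/envvars.sh"
    chmod +x "$work/zexpl/bin/envvars.sh"
    printf 'RSE_HOME="%s"\n#RSE_HOME=%s\n' "$work/zexpl" "$work/rseapi" > "$work/good.env"
    printf 'RSE_HOME=%s\n' "$work/rseapi" > "$work/bad.env"
    check_rse_home "$work/good.env" >/dev/null; good=$?
    check_rse_home "$work/bad.env"  >/dev/null; bad=$?
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run `demo` to exercise both cases, or call `check_rse_home /etc/zexpl/rse.env` against a real file.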



  • 12.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Fri August 04, 2023 10:13 AM

    Hi Dave,

    "Was the ADCD /etc/zexpl/rse.env configured to use /usr/lpp/IBM/rseapi or was that customization you made?"

    I cannot remember... I tried so many things.  (grin)

    Please can you tell me the difference between RSED and RSEAPI - do they both do the same thing... except RSEAPI now uses Java as a web server?

    If I use RSED with a REST request I get an authorisation error; it takes an HTML header as a userid, so I wondered if RSED was not for REST requests.

    Are you involved in supporting these products, or do you just have a lot of experience with them?

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 13.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Fri August 04, 2023 11:01 AM

    Hi Colin,

    RSED, which runs on Java, has served IDz and its predecessors for around 20 years.  While it serves these products well, as you may have noticed, it uses a proprietary communications protocol that is not well suited for direct consumption in areas outside of the Aqua product stack.   RSEAPI provides the same underlying services (for MVS, UNIX, TSO, JES, etc.) via standard RESTful APIs.  It is designed so that both RSED and RSEAPI can be maintained and evolved in parallel.  RSEAPI expands the reach of RSE server technologies to new frontiers including the IBM RSE API Plug-in for Zowe CLI, the Java SDK for RSEAPI and general front-end web applications.

    I am architect and lead developer for RSE products and have been involved with them since their inception.

    Best Regards,



    ------------------------------
    Dave McKnight
    ------------------------------



  • 14.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Fri August 04, 2023 01:25 PM

    Hi Dave,

    You are architect and Lead Developer - great...

    I retired from IBM about 6 years ago, and have a blog (COLINPAICE) where I cover a wide range of topics from AT-TLS, MQ, TLS etc mainly on z/OS.   I was asked how to access z/OS dataset from a work station using REST or (or Python).  This is where I came across RSED, and RSEAPI.

    I am working on writing a blog post of my experiences of getting a CURL request to work through TLS.  This covers some of the basic problems that beginners make (and explains the differences between RSEAPI and RSED etc).  (For example it takes over 200 seconds from starting RSEAPI to being able to use it!  At first I thought it was broken, then I realised it was running Java.)

    I would be happy to share it with you (before publication), and raise documentation comments.

    As lead developer you may be interested in Why do they ship java products on z/OS with the handbrake on? And how to take the brake off. which can make the Java startup much faster.

    BTW I like the way RSEAPI starts using a proc, then uses //STDENV DD *,SYMBOLS=(JCLONLY) and allows you to pass parameters from the start command into the STDENV file.  Many IBM products are still in the 20th century and do not use these "new" features.

    Regards

    Colin

    (I'm happy to continue any conversation through email if that would be easier for you)



    ------------------------------
    Colin Paice
    ------------------------------



  • 15.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Fri August 04, 2023 01:56 PM

    Hi Colin,

    Congrats on your career with IBM.  I'm curious about your previous role but I can converse through email.  I'll definitely subscribe and stay tuned to your blog and please do share with me before publication.

    Regarding the long startup time you observed with RSEAPI, that won't be the case on a mainframe.  However, you're using an ADCD image, which is emulated z/OS, and as you know, with that, Java startup performance time can take a hit.  I'm not sure which ADCD version you have, but I know in recent ones there are some performance optimizations along the same lines as the ones you write about.

    Best Regards



    ------------------------------
    Dave McKnight
    ------------------------------



  • 16.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Mon August 07, 2023 05:25 AM

    Hi Dave,

    My Email address is COLINPAICE3@gmail.com

    Having played with RSE and got it working, I have some comments and suggestions for future improvements.

    Does RSEAPI support certificates from clients?  I could not get certificate-only login to work - it always needed a userid and password; see Liberty on z/OS: Mapping an incoming certificate to a z/OS userid for client certificate authentication – and don't forget the cookies!

    When I used a REST request I got CommonUtil WARN : request host doesn't match server - possible host header injection! in SYSOUT.  Do you know what causes this - and how to turn it off?  It looks like the HOST: header does not match the URL.  I do not get it when using it via SWAGGER.

    I downloaded version110 from the github site, and went through the SMP/E install (the first time I had used SMP for over 40 years!).  The SMP/E install seems overkill (it took me half a day to get it working).
    Could you also provide a DFDSS DUMP of the PDS and the ZFS, so I just copy it to my system, use DFDSS restore (with rename), and mount it in USS?  If the original data sets were named something like COLIN.RSEAP110.ZFS and COLIN.RSEAP110.JCL, it should fit in with most people's naming conventions.  This would be so much easier than the SMP/E install.

    regards

    Colin



    ------------------------------
    Colin Paice
    ------------------------------



  • 17.  RE: has anyone got RSEAPI working with TLS and a keyring?

    Posted Tue August 08, 2023 11:41 AM

    Hi Colin,

    Thanks for your feedback, we really appreciate it and hope to use it to improve the client experience.

    While RSED does support certificate login, RSEAPI currently does not.  It is something we've identified in our backlog and we will likely support that in future releases. 

    Regarding the host header match, the warning is just precautionary and, in almost all cases, should not be cause for concern.  In 1.1.x versions we limit those warning messages (to once per mismatch) and we ought to backport that to the 1.0.x versions.

    Regarding SMP/E, we are looking for alternatives and there are a few approaches on the radar.  DFDSS DUMPs will be considered among other ideas.

    Best Regards,



    ------------------------------
    Dave McKnight
    ------------------------------