cURL on z/OS

5. RE: cURL on z/OS

Like

Wai Choi

Posted 01-31-2023 19:55

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------

Original Message

6. RE: cURL on z/OS

Like

ROCKETEER

Tatiana Balaburkina

Posted 02-01-2023 04:45

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands
------------------------------

Original Message

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

7. RE: cURL on z/OS

Like

Wai Choi

Posted 02-01-2023 11:09

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

Original Message

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

8. RE: cURL on z/OS

Like

Andrew Rowley

Posted 02-01-2023 16:58

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU
------------------------------

Original Message

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

9. RE: cURL on z/OS

Like

Wai Choi

Posted 02-03-2023 16:12

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------

Original Message

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

10. RE: cURL on z/OS

Like

IBMCHAMPION .

Jorn Thyssen

Posted 02-06-2023 07:28

The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.

AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US
------------------------------

Original Message

Original Message:
Sent: 02-03-2023 16:11
From: Wai Choi
Subject: cURL on z/OS

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

11. RE: cURL on z/OS

Like

Wai Choi

Posted 02-06-2023 13:50

My point is root CA cert is self-signed. Why does it appear as an error. The chain validation would end up to the root. This message is misleading if it complains about the root.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------

Original Message

Original Message:
Sent: 02-06-2023 07:28
From: Jorn Thyssen
Subject: cURL on z/OS

The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.

AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-03-2023 16:11
From: Wai Choi
Subject: cURL on z/OS

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

12. RE: cURL on z/OS

Like

Wai Choi

Posted 02-06-2023 13:59

Another question on z/OS curl: how to specify the data as an input file? From Windows, I can specify --data @filename, but on z/OS, it is treated as the content, not the file that contains the content. I have tried --data-raw @filename, doesn't work neither.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------

Original Message

Original Message:
Sent: 02-06-2023 13:50
From: Wai Choi
Subject: cURL on z/OS

My point is root CA cert is self-signed. Why does it appear as an error. The chain validation would end up to the root. This message is misleading if it complains about the root.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-06-2023 07:28
From: Jorn Thyssen
Subject: cURL on z/OS

The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.

AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-03-2023 16:11
From: Wai Choi
Subject: cURL on z/OS

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

13. RE: cURL on z/OS

Like

IBMCHAMPION .

Jorn Thyssen

Posted 02-06-2023 14:17

Maybe I misunderstood: do you get the self-signed message when you pass the correct or incorrect root ca?
If the latter, then that is expected, as the reply from your web server now contains a self-signed certificate in the chain (namely the root ca).

--data works fine for me:

curl --user abc:def -X PUT --data @genreq "http://rs01:11443/zosmf/restfiles/ds/'TS5941.WORK.JCL(TEST1)'"

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US
------------------------------

Original Message

Original Message:
Sent: 02-06-2023 13:50
From: Wai Choi
Subject: cURL on z/OS

My point is root CA cert is self-signed. Why does it appear as an error. The chain validation would end up to the root. This message is misleading if it complains about the root.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-06-2023 07:28
From: Jorn Thyssen
Subject: cURL on z/OS

The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.

AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-03-2023 16:11
From: Wai Choi
Subject: cURL on z/OS

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

14. RE: cURL on z/OS

Like

Wai Choi

Posted 02-06-2023 20:07

Sorry for the false alarm. z/OS curl does accept --data @filename. It is the application rejecting it, not curl.

When I pass an incorrect CA, I got:
TLSv1.2 (OUT), TLS alert, unknown CA (560): <==this is expected
...
curl: (60) SSL certificate problem: self signed certificate in certificate chain <==this is misleading. A complete cert chain must contain a root cert, which is self-signed.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------

Original Message

Original Message:
Sent: 02-06-2023 14:17
From: Jorn Thyssen
Subject: cURL on z/OS

Maybe I misunderstood: do you get the self-signed message when you pass the correct or incorrect root ca?
If the latter, then that is expected, as the reply from your web server now contains a self-signed certificate in the chain (namely the root ca).

--data works fine for me:

curl --user abc:def -X PUT --data @genreq "http://rs01:11443/zosmf/restfiles/ds/'TS5941.WORK.JCL(TEST1)'"

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-06-2023 13:50
From: Wai Choi
Subject: cURL on z/OS

My point is root CA cert is self-signed. Why does it appear as an error. The chain validation would end up to the root. This message is misleading if it complains about the root.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-06-2023 07:28
From: Jorn Thyssen
Subject: cURL on z/OS

The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.

AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-03-2023 16:11
From: Wai Choi
Subject: cURL on z/OS

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

15. RE: cURL on z/OS

Like

IBMCHAMPION .

Jorn Thyssen

Posted 02-07-2023 05:33

I think that would be a question for the curl community. I get the same behavior on my windows workstation and USS.

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US
------------------------------

Original Message

Original Message:
Sent: 02-06-2023 20:06
From: Wai Choi
Subject: cURL on z/OS

Sorry for the false alarm. z/OS curl does accept --data @filename. It is the application rejecting it, not curl.

When I pass an incorrect CA, I got:
TLSv1.2 (OUT), TLS alert, unknown CA (560): <==this is expected
...
curl: (60) SSL certificate problem: self signed certificate in certificate chain <==this is misleading. A complete cert chain must contain a root cert, which is self-signed.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-06-2023 14:17
From: Jorn Thyssen
Subject: cURL on z/OS

Maybe I misunderstood: do you get the self-signed message when you pass the correct or incorrect root ca?
If the latter, then that is expected, as the reply from your web server now contains a self-signed certificate in the chain (namely the root ca).

--data works fine for me:

curl --user abc:def -X PUT --data @genreq "http://rs01:11443/zosmf/restfiles/ds/'TS5941.WORK.JCL(TEST1)'"

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-06-2023 13:50
From: Wai Choi
Subject: cURL on z/OS

My point is root CA cert is self-signed. Why does it appear as an error. The chain validation would end up to the root. This message is misleading if it complains about the root.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-06-2023 07:28
From: Jorn Thyssen
Subject: cURL on z/OS

The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.

AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US

Original Message:
Sent: 02-03-2023 16:11
From: Wai Choi
Subject: cURL on z/OS

I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 16:58
From: Andrew Rowley
Subject: cURL on z/OS

Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU

Original Message:
Sent: 02-01-2023 11:09
From: Wai Choi
Subject: cURL on z/OS

Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US

Original Message:
Sent: 02-01-2023 04:44
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-31-2023 19:55
From: Wai Choi
Subject: cURL on z/OS

Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems

CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-31-2023 06:10
From: Sergey Rezepin
Subject: cURL on z/OS

Hi Wai,

I see that your path contains 'python361'.

The Rocket python 3.6.1 we were built might be included in 2 projects:

1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM

2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.

In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.

export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem

In your case it might be like

export CURL_CA_BUNDLE=/u/python/python36/etc/ssl

So, I recommend trying of setting this variable instead of using --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.

export _BPXK_AUTOCVT=ON

You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:

cat /u/python/python36/etc/ssl/cacert.pem

Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.

If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.

After that you can install cURL as a z/OS Miniconda package.

There is a video guide.

And there is a documentation about the installation.

Thanks,

Sergei

------------------------------
Sergey Rezepin
Rocket Software

Original Message:
Sent: 01-30-2023 17:22
From: Wai Choi
Subject: cURL on z/OS

I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US

Original Message:
Sent: 01-30-2023 11:03
From: Tatiana Balaburkina
Subject: cURL on z/OS

Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands

Original Message:
Sent: 01-25-2023 18:48
From: Wai Choi
Subject: cURL on z/OS

Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I got error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I got error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------

Open-source Languages & Tools for z/OS

Wai Choi01-26-2023 04:04

Tatiana Balaburkina01-30-2023 11:03

Wai Choi01-30-2023 17:23

Sergey Rezepin01-31-2023 06:11

Wai Choi01-31-2023 19:55

Tatiana Balaburkina02-01-2023 04:45

Wai Choi02-01-2023 11:09

Andrew Rowley02-01-2023 16:58

Wai Choi02-03-2023 16:12

Jorn Thyssen02-06-2023 07:28

Wai Choi02-06-2023 13:50

Wai Choi02-06-2023 13:59

Jorn Thyssen02-06-2023 14:17

Wai Choi02-06-2023 20:07

Jorn Thyssen02-07-2023 05:33

1. cURL on z/OS

2. RE: cURL on z/OS

3. RE: cURL on z/OS

4. RE: cURL on z/OS

5. RE: cURL on z/OS

6. RE: cURL on z/OS

7. RE: cURL on z/OS

8. RE: cURL on z/OS

9. RE: cURL on z/OS

10. RE: cURL on z/OS

11. RE: cURL on z/OS

12. RE: cURL on z/OS

13. RE: cURL on z/OS

14. RE: cURL on z/OS

15. RE: cURL on z/OS

Contact Us

Quick Links