Open-source Languages & Tools for z/OS

 View Only
Expand all | Collapse all

cURL on z/OS

  • 1.  cURL on z/OS

    Posted 01-26-2023 04:04
    Hi,

    The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
    curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem 

    But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copy cacert.pem there.

    I tried 3 different ways:
    1) When I issue the command without specifying --cacert and --capath, I got error
    curl: (60) SSL certificate problem: self signed certificate in certificate chain

    2) When I issue the command specifying --cacert and --capath, I got error
    curl: (77) error setting certificate verify locations:
    CAfile: cacert.pem
    CApath: /u/mvsbuild/py361z/python36/etc/ssl

    3) When I copy the cacert.pem file to the current directory, it works.

    Questions:
    1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

    2. After manually copied the cacert.pem to the desired location, why can't it be used, even specifying the location explicitly?

    3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

    4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

    ------------------------------
    Wai Choi
    MS
    IBM
    POUGHKEEPSIE NY US
    ------------------------------


  • 2.  RE: cURL on z/OS

    Posted 01-30-2023 11:03
    Hello Wai,
    Curl 7.52.2 is a pretty old version. Could you tell us how did you install it?

    ------------------------------
    Tatiana Balaburkina
    Engineering Manager
    Rocket Internal - All Brands
    ------------------------------



  • 3.  RE: cURL on z/OS

    Posted 01-30-2023 17:23
    I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

    Would those problems I reported go away with the latest version?

    ------------------------------
    Wai Choi
    MS
    IBM / Tivoli Software
    POUGHKEEPSIE NY US
    ------------------------------



  • 4.  RE: cURL on z/OS

    ROCKETEER
    Posted 01-31-2023 06:11
    Edited by Sergey Rezepin 01-31-2023 06:14
    Hi Wai,
    I see that your path contains 'python361'.
    The Rocket python 3.6.1 we were built might be included in 2 projects:
    1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM
    2) The Rocket python 3.6.1 (and 2.7.6) was supported by Rocket and published on Rocket Community portal. It was a bundle of the packages that are also included cURL.
    In case, if the python was installed by the old Rocket's way, there was an instruction in PYTHON_README.ZOS to specify CURL_CA_BUNDLE variable.
    export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem
    In your case it might be like
    export CURL_CA_BUNDLE=/u/python/python36/etc/ssl
    So, I recommend trying of setting this variable instead of using --capath and --cacert options.

    Also check if the _BPXK_AUTOCVT variable is set by using 'env | sort' command. It it is not set, specify it to ON.
    export _BPXK_AUTOCVT=ON
    You can also check if your certificate is readable. There is a need to exclude a chance that it has no match between encoding and tag:
    cat /u/python/python36/etc/ssl/cacert.pem
    Currently, these bundles of packages with python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python a part of z/OS Miniconda and cURL as a package for z/OS Miniconda.
    If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.
    After that you can install cURL as a z/OS Miniconda package.
    There is a video guide.
    Thanks,
    Sergei


    ------------------------------
    Sergey Rezepin
    Rocket Software
    ------------------------------



  • 5.  RE: cURL on z/OS

    Posted 01-31-2023 19:55
    Hi Sergey,

    Thanks for the response. I managed to find a newer version of curl from another system.
    curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
    Release-Date: 2022-05-11

    Seems CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

    And do you have an answer to my question 4:
    4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

    ------------------------------
    Wai Choi
    MS
    IBM / Tivoli Software
    POUGHKEEPSIE NY US
    ------------------------------



  • 6.  RE: cURL on z/OS

    Posted 02-01-2023 04:45
    Hi Wai,
    Keyring support is not available at the moment, but it is on the table.

    ------------------------------
    Tatiana Balaburkina
    Engineering Manager
    Rocket Internal - All Brands
    ------------------------------



  • 7.  RE: cURL on z/OS

    Posted 02-01-2023 11:09
    Tatiana,

    Glad to know keyring support for z/OS curl is on the table.

    A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the build in validation mechanism from curl to force it to use AT-TLS?

    ------------------------------
    Wai Choi
    MS
    IBM
    POUGHKEEPSIE NY US
    ------------------------------



  • 8.  RE: cURL on z/OS

    Posted 02-01-2023 16:58
    Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

    I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

    ------------------------------
    Andrew Rowley
    Self Registered
    Ballarat AU
    ------------------------------



  • 9.  RE: cURL on z/OS

    Posted 02-03-2023 16:12

    I have the same understanding on AT. But I can't get it work for curl. Not sure if there is some set up needed. That's why I asked.

    When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

    TLSv1.2 (OUT), TLS alert, unknown CA (560):
    SSL certificate problem: self signed certificate in certificate chain
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    ...
    Unknown CA is expected. But  'self signed certificate in certificate chain' refers to which cert?



    ------------------------------
    Wai Choi
    MS
    IBM / Tivoli Software
    POUGHKEEPSIE NY US
    ------------------------------



  • 10.  RE: cURL on z/OS

    Posted 02-06-2023 07:28
    The top-level certificate (the root CA) is usually self-signed.

    You can see this with
    openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

    The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.


    AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply for traffic originating from outside the mainframe and not for traffic that originate from the mainframe

    ------------------------------
    Jorn Thyssen
    Solutions Advisor
    Rocket Internal - All Brands
    Waltham MA US
    ------------------------------



  • 11.  RE: cURL on z/OS

    Posted 02-06-2023 13:50
    My point is root CA cert is self-signed. Why does it appear as an error. The chain validation would end up to the root. This message is misleading if it complains about the root.

    ------------------------------
    Wai Choi
    MS
    IBM / Tivoli Software
    POUGHKEEPSIE NY US
    ------------------------------



  • 12.  RE: cURL on z/OS

    Posted 02-06-2023 13:59
    Another question on z/OS curl: how to specify the data as an input file? From Windows, I can specify --data @filename, but on z/OS, it is treated as the content, not the file that contains the content.​ I have tried --data-raw @filename, doesn't work neither.


    ------------------------------
    Wai Choi
    MS
    IBM / Tivoli Software
    POUGHKEEPSIE NY US
    ------------------------------



  • 13.  RE: cURL on z/OS

    Posted 02-06-2023 14:17
    Maybe I misunderstood: do you get the self-signed message when you pass the correct or incorrect root ca?
    If the latter, then that is expected, as the reply from your web server now contains a self-signed certificate in the chain (namely the root ca).

    --data works fine for me:

    curl --user abc:def -X PUT --data @genreq "http://rs01:11443/zosmf/restfiles/ds/'TS5941.WORK.JCL(TEST1)'"


    ------------------------------
    Jorn Thyssen
    Solutions Advisor
    Rocket Internal - All Brands
    Waltham MA US
    ------------------------------



  • 14.  RE: cURL on z/OS

    Posted 02-06-2023 20:07
    Sorry for the false alarm. z/OS curl does accept --data @filename. It is the application rejecting it, not curl.

    When I pass an incorrect CA, I got:
    TLSv1.2 (OUT), TLS alert, unknown CA (560): <==this is expected
    ...
    curl: (60) SSL certificate problem: self signed certificate in certificate chain <==this is misleading. A complete cert chain must contain a root cert, which is self-signed.

    ------------------------------
    Wai Choi
    MS
    IBM / Tivoli Software
    POUGHKEEPSIE NY US
    ------------------------------



  • 15.  RE: cURL on z/OS

    Posted 02-07-2023 05:33