z/OS Tools & Language


On Z/os running Python secure connection to Linux Server fails

  • 1.  On Z/os running Python secure connection to Linux Server fails

    Posted 04-11-2019 14:10

    When attempting to connect to a server using TLS we get UNKNOWN_PROTOCOL. We attempted to debug by issuing OPENSSL commands:
    openssl s_client -msg -connect :443
    Message returned: wrong version number

    343598475400:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:./s3_pkt.c:365:

    Issued openssl version command:
    OpenSSL 1.0.2k 26 Jan 2017

    I then confirmed that python is pointed to the same version OpenSSL 1.0.2k 26 Jan 2017

    I’m not sure how to proceed in my setup.



  • 2.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 04-12-2019 08:58

    I can’t tell what it is that you are trying to do. Can you provide the python code that is failing, the version of python you are running, etc.?



  • 3.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 04-12-2019 10:56

    Python 2.7.13

    The script is connecting to a Linux server that will take in parms from a file to build certificates. However, when the script attempts to connect to the server using TLS for security it fails to establish the connection and we get UNKNOWN_PROTOCOL.

    Where would python be looking to get the certs for creating the secure connection?



  • 4.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 04-16-2019 10:52

    I think I need the intermediate Certificate to be presented when connecting to the server. Where do we install the certs we want python scripts to use for HTTPS connections?



  • 5.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 04-17-2019 14:42

    I’ve stepped back and attempted connection to the server using openssl commands and I’m getting


    no peer certificate available

    No client certificate CA names sent

    I think I will start looking at the OPENSSL discussion. I’m assuming OPENSSL is needed for PYTHON to make a secure connection.



  • 6.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 04-19-2019 11:38

    After we did the isolated install it allowed us to discover that all traffic for port 443 was being routed through comservr’s default keyring /* AUTH */. We now have the connection working.

    We have gotten further but the script is still failing:

    <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>



  • 7.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 05-09-2019 16:30

    I found that you can disable the certificate verification using command
    export PYTHONHTTPSVERIFY=0

    However this is not a recommended state but allows you to get further.

    What this means is that our script is not able to validate the signing certificate coming back from the server we are connecting to. It means we need to point to a certificate bundle that contains all our signing and root certs for our organization.

    I’ve been unable to find where we can override the default path to point it to our cert bundle. If anyone has that information please share it.

    I got it to work by prefixing the execution of the script with setting a program environment variable SSL_CERT_FILE=

    **** works ***
    SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt python2 certRequest.py -r sampleXML --urllib2

    I would prefer every person running a python script on Z/os would not have to perform this setting and have the entire environment set to point to the same location for the certificate bundle.

    Any help would be appreciated.



  • 8.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 05-22-2019 15:39

    **** conclusion ****
    I put in my .profile
    export SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt

    I would recommend you set up a common location for the cert bundles and then each person running the script will have to include this in the .profile

    Here is the entire list of environment variables. We installed it using the same directory structure Rocket used:

    export _BPXK_AUTOCVT=ON
    export PATH=$PATH:/usr_local/bin;
    #Python
    export INSTALL=/rsusr/rocket
    export RELEASE_NAME=python-2.7.13-anaconda-2017-04-12
    export RELEASE_TYPE=py27
    export RELEASE_DIR=$INSTALL/$RELEASE_NAME
    export PYTHON_ENV=python27
    export PYTHON_HOME=$RELEASE_DIR/$PYTHON_ENV
    export PATH=$PYTHON_HOME/bin:$PATH
    export LIBPATH=$PYTHON_HOME/lib:$LIBPATH
    export FFI_LIB=$PYTHON_HOME/lib/ffi
    export TERMINFO=$PYTHON_HOME/share/terminfo
    export PKG_CONFIG_PATH=$PYTHON_HOME/lib/pkgconfig:$PYTHON_HOME/share/pkg
    export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem
    export SSL_CERT_FILE=/u/c06u/opt_cst/sf-bundle.crt

    #Openssl
    export PATH=$PATH:/rsusr/rocket/python-2.7.13-anaconda-2017-04-12/pkgs/o
    export MANPATH=$MANPATH:/rsusr/rocket/ssl/man
    export OPENSSL_CONF=/rsusr/rocket/python-2.7.13-anaconda-2017-04-12/pkgs
    #bash
    export PATH=$PATH:/rsusr/rocket/bin
    export MANPATH=$MANPATH:/rsusr/rocket/man/
    export _CEE_RUNOPTS="FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"
    export _BPXK_AUTOCVT=ON
    export _TAG_REDIR_ERR=txt
    export _TAG_REDIR_IN=txt
    export _TAG_REDIR_OUT=txt
    #Perl
    export PATH=$PATH:/rsusr/rocket/bin
    export MANPATH=$MANPATH:/rsusr/rocket/man/
    export PERL5LIB=$PERL5LIB:/rsusr/rocket/lib/perl5
    export LIBPATH=$LIBPATH:/rsusr/rocket/lib/perl5/5.24.0/os390/CORE

    Additionally I would recommend the following to display the directory path you are working on.
    export PS1='$LOGNAME':'$PWD':' >'

    This has been a long and difficult path. I wish the forum was more active and could have found some help from someone. I posted all these steps for others. I really hope it could help all mainframe shops to integrate with open systems. Having python, perl… makes the mainframe even more approachable.

    I don’t think these forums are being monitored by the Rocket Open Source team as posted in the forum description * Monitored by the Rocket Open Source team!!
    https://www.rocketsoftware.com/zos-open-source-tools-support
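
Added example, not part of the original thread or of Rocket's distribution: a check that answers the questions raised in posts 3 and 7 by reporting which CA file Python's `ssl` module will use for a given environment, whether that bundle actually loads, and whether `PYTHONHTTPSVERIFY=0` has been left set. The function name `audit_tls_trust` is hypothetical; the code assumes Python 2.7.9 or later (it also runs on Python 3).

```python
import os
import ssl

# Name of the variable this OpenSSL build consults for the CA file
# (normally "SSL_CERT_FILE") and the compiled-in fallback path.
_DEFAULTS = ssl.get_default_verify_paths()
CAFILE_ENV = _DEFAULTS.openssl_cafile_env
CAFILE_BUILTIN = _DEFAULTS.openssl_cafile


def audit_tls_trust(environ=None):
    """Return (effective_cafile, findings) for the given environment mapping."""
    env = os.environ if environ is None else environ
    findings = []

    # PEP 493 switch honoured by Python 2.7.12+: "0" turns off HTTPS
    # certificate verification for the standard library clients.
    if env.get("PYTHONHTTPSVERIFY") == "0":
        findings.append("PYTHONHTTPSVERIFY=0: certificate verification is disabled")

    # Same lookup order ssl.get_default_verify_paths() applies:
    # environment variable first, compiled-in default otherwise.
    cafile = env.get(CAFILE_ENV, CAFILE_BUILTIN)
    source = "environment" if CAFILE_ENV in env else "compiled-in default"
    if not os.path.isfile(cafile):
        findings.append("%s (%s) does not exist: %s" % (CAFILE_ENV, source, cafile))
        return None, findings

    # Prove the bundle parses and contains CA certificates.
    protocol = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)
    ctx = ssl.SSLContext(protocol)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (ssl.SSLError, IOError) as exc:
        findings.append("cannot load %s: %s" % (cafile, exc))
        return None, findings
    if not ctx.get_ca_certs():
        findings.append("no CA certificates found in %s" % cafile)
    return cafile, findings


if __name__ == "__main__":
    path, problems = audit_tls_trust()
    print("effective CA file: %s" % path)
    for problem in problems:
        print("FINDING: %s" % problem)
```

Run it under the same login profile the failing script uses; an empty findings list means the bundle named by the environment was found and loaded.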



  • 9.  RE: On Z/os running Python secure connection to Linux Server fails

    Posted 09-11-2019 10:23

    Hi, I’m new here. What’s the best way to stay connected?