z/OS Tools & Language


cURL Certificate Question

  • 1.  cURL Certificate Question

    Posted 08-04-2016 10:46

    I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?

    Thanks



  • 2.  RE: cURL Certificate Question

    Posted 08-05-2016 02:25

    Hi,

    I will write “small” instruction.

    1. You have to know about two of cURL’s keywords:
      --cacert
      Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.
      curl recognizes the environment variable named ‘CURL_CA_BUNDLE’ if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.
      The Windows version of curl will automatically look for a CA certs file named ‘curl-ca-bundle.crt’, either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.
      If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.
      If this option is used several times, the last one will be used.

      --capath
      Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with “:” (e.g. “path1:path2:path3”). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.
      If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used.

    2. You have to copy the useful certificates to any directory you like and then use the --cacert (--capath) keywords in cURL commands.

    3. Examples:
      a) CURL_CA_BUNDLE isn’t set.

    curl -v https://godaddy.com
    curl: (60) SSL certificate problem: unable to get local issuer certificate

    Failed.

      b) CURL_CA_BUNDLE isn’t set.

    curl -kv https://godaddy.com

      c) CURL_CA_BUNDLE isn’t set.
    Nearly all Unix systems have certificates in /etc/ssl/certs. I copied “ca-certificates.crt” from /etc/ssl/certs to my home directory.

    curl -v https://godaddy.com --cacert /u/csprok/tmp/ca-certificates.crt

      d) CURL_CA_BUNDLE is set.

    export CURL_CA_BUNDLE=/u/csprok/tmp/ca-certificates.crt
    curl -v https://godaddy.com

    4. Links - useful information:
      https://curl.haxx.se/docs/manpage.html#--cacert
      https://curl.haxx.se/docs/sslcerts.html

    Thanks,
    Andrey



  • 3.  RE: cURL Certificate Question

    Posted 04-12-2020 02:09

    This is a great description of the process. One thing I don’t understand now is if RACF, TopSecret and ACF2 certificates are in PEM format? Also - since they are normally in datasets, what’s the right way to get them into these directories so they can be read by curl?



  • 4.  RE: cURL Certificate Question

    Posted 04-13-2020 03:26

    Hello Mike,

    I’m not sure whether you can access RACF certificates directly and if yes, what their format would be.

    You can probably export them with the RACDCERT EXPORT command as described here:

    https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-export.htm

    It supports multiple output formats. PEM is called ‘base64’ in the RACF doc - PEM is actually a base64-encoded binary certificate, with a header and a footer line appended to it. I haven’t tried it myself but I guess CERTB64 (the default) should be fine for curl.

    Regards,
    Vladimir
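An added example, written for this thread rather than taken from any poster or from curl itself: a small POSIX shell preflight for the two things Andrey's --cacert/CURL_CA_BUNDLE steps and Vladimir's PEM-versus-base64 note both depend on, namely that the file handed to curl really is a PEM bundle (not a DER/binary export) and which CA source curl will actually use given the precedence Andrey quotes (--cacert beats CURL_CA_BUNDLE, which beats the built-in default). The directory under $TMPDIR, the file names and the placeholder certificate text are all constructed; no real certificate is embedded and no network request is made.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for a CA bundle before
# passing it to curl with --cacert or via CURL_CA_BUNDLE.
# Everything below the function definitions is constructed sample input.

# Count PEM certificate blocks in a file; --cacert expects one or more
# "-----BEGIN CERTIFICATE-----" blocks. Prints 0 for a missing or empty file.
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Classify a certificate file: "pem" (base64 body with BEGIN/END lines, what the
# RACF doc calls base64/CERTB64), "der" (binary ASN.1, first byte 0x30 = SEQUENCE,
# what a DER-format export produces), "missing", or "unknown".
cert_format() {
    f="$1"
    [ -f "$f" ] || { echo missing; return; }
    if [ "$(count_pem_certs "$f")" -gt 0 ]; then
        echo pem
        return
    fi
    first=$(od -A n -t x1 -N 1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der; else echo unknown; fi
}

# Exit status 0 when the file is usable as a --cacert bundle, 1 otherwise.
check_ca_bundle() {
    case "$(cert_format "$1")" in
        pem)     echo "ok: $(count_pem_certs "$1") certificate(s) in PEM format in $1"; return 0 ;;
        der)     echo "error: $1 is DER (binary); curl --cacert needs PEM"; return 1 ;;
        missing) echo "error: $1 not found"; return 1 ;;
        *)       echo "error: $1 is not a recognised certificate file"; return 1 ;;
    esac
}

# Reproduce the precedence curl documents for its CA source:
#   explicit --cacert value  >  CURL_CA_BUNDLE in the environment  >  built-in default
# $1 is the value given to --cacert, or "" when the option is not used.
resolve_ca_bundle() {
    if [ -n "$1" ]; then
        echo "$1"
    elif [ -n "$CURL_CA_BUNDLE" ]; then
        echo "$CURL_CA_BUNDLE"
    else
        echo "(curl built-in default)"
    fi
}

# --- constructed sample inputs (placeholder text, not real certificates) ---
TMPDIR_X=${TMPDIR:-/tmp}/ca-check.$$
mkdir -p "$TMPDIR_X"

# A two-certificate PEM bundle with placeholder base64 bodies.
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderbody1==' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'MIICplaceholderbody2==' '-----END CERTIFICATE-----' \
    > "$TMPDIR_X/bundle.pem"

# Four bytes that look like the start of a DER certificate (0x30 0x82 = SEQUENCE, long form).
printf '\060\202\001\000' > "$TMPDIR_X/cert.der"

# Run the preflight on both files; the DER one is rejected with an explanation.
for f in "$TMPDIR_X/bundle.pem" "$TMPDIR_X/cert.der"; do
    check_ca_bundle "$f" || echo "  -> do not pass $f to --cacert; re-export it in base64/PEM form"
done

# Show which bundle curl would consult in each of Andrey's cases (nothing is sent).
unset CURL_CA_BUNDLE
echo "no option, no variable : $(resolve_ca_bundle "")"
CURL_CA_BUNDLE="$TMPDIR_X/bundle.pem"; export CURL_CA_BUNDLE
echo "CURL_CA_BUNDLE exported: $(resolve_ca_bundle "")"
echo "--cacert given         : $(resolve_ca_bundle "$TMPDIR_X/other.pem")"
```

For --capath the same PEM check applies to each file in the directory, and (as the quoted manpage text says) the directory must additionally be processed with OpenSSL's c_rehash so curl can find certificates by subject hash; this script does not run c_rehash because it needs an OpenSSL installation.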



  • 5.  RE: cURL Certificate Question

    Posted 11-16-2020 10:37

    Hi Vladimir

    We are integrating Curl to copy Jenkins Agent in our setup for a pipeline with IBM DBB.

    As we understand it, we can set up a CA certificate store on the USS file system.
    Normally we use RACF keyrings

    We understand that linking to RACF is not possible at this moment

    Are there plans to support linking to RACF keyrings?
    If this is not the correct place to ask, who should I contact for these questions?

    Regards

    Dirk



    ------------------------------
    Dirk Thielens
    KBC
    ------------------------------



  • 6.  RE: cURL Certificate Question

    Posted 11-30-2020 12:18
    Hi Dirk,
    This forum is a good place to request enhancements of this sort.  Your request does make sense and I will add it to our backlog.  However, our backlog does get prioritized with an eye towards our customers that are paying support and their priorities.  If this is really important to your business needs I would recommend getting on support.  See https://www.rocketsoftware.com/openappdev-for-z
    Regards,
    -Peter

    ------------------------------
    Peter Fandel
    Rocket Software
    ------------------------------