I am using the cURL line command with the insecure option and would like to remove this option. What do I have to do to install a certificate and is there any way to use CA’s Top Secret for this authentication?
Thanks
Hi,
I will write a “small” instruction.
--capath
Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with “:” (e.g. “path1:path2:path3”). The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.
If this option is set, the default capath value will be ignored, and if it is used several times, the last one will be used.
You have to copy useful certificates to any directory you like and then use the --cacert (--capath) keywords in cURL commands.
Examples:
a) CURL_CA_BUNDLE isn’t set.
curl -v https://godaddy.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
…
Failed.
b) CURL_CA_BUNDLE isn’t set.
curl -kv https://godaddy.com
c) CURL_CA_BUNDLE isn’t set.
Nearly all Unix systems have certificates in /etc/ssl/certs. I copied “ca-certificates.crt” from /etc/ssl/certs to my home directory.
curl -v https://godaddy.com --cacert /u/csprok/tmp/ca-certificates.crt
d) CURL_CA_BUNDLE set.
export CURL_CA_BUNDLE=/u/csprok/tmp/ca-certificates.crt
curl -v https://godaddy.com
Thanks,
Andrey
This is a great description of the process. One thing I don’t understand now is if RACF, TopSecret and ACF2 certificates are in PEM format? Also - since they are normally in datasets, what’s the right way to get them into these directories so they can be read by curl?
Hello Mike,
I’m not sure whether you can access RACF certificates directly and if yes, what their format would be.
You can probably export them with the RACDCERT EXPORT command as described here:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/le-export.htm
It supports multiple output formats. PEM is called ‘base64’ in the RACF doc - PEM is actually a base64-encoded binary certificate, with a header and a footer line appended to it. I haven’t tried it myself but I guess CERTB64 (the default) should be fine for curl.
Regards,
Vladimir
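An added example, not part of the original posts: a structural check that a file copied from /etc/ssl/certs or exported from the security product really is PEM (BEGIN/END lines around base64 text, as described above) before it is handed to curl through CURL_CA_BUNDLE. The function names and the sample file are hypothetical and constructed; the check does not parse the certificates or verify any chain, curl still does that.

```shell
#!/bin/sh
# Structural pre-flight check for a CA file that is meant to replace `curl -k`.

# pem_cert_count FILE: print the number of well-formed PEM certificate blocks.
# Non-zero status if FILE is unreadable, holds no block, or a block is broken
# (unbalanced BEGIN/END lines, empty body, non-base64 characters in the body).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 2; }
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line ends left by a file transfer
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; body = 0; next }
        /^-----END CERTIFICATE-----$/   { if (inside && body) n++; else bad = 1; inside = 0; next }
        inside && $0 ~ /^[A-Za-z0-9+\/]+=*$/ { body++; next }
        inside { bad = 1 }
        END { if (inside) bad = 1; print n + 0; exit (bad || n == 0) }
    ' "$1"
}

# use_ca_bundle FILE: export CURL_CA_BUNDLE only when FILE passes the check,
# so a DER or truncated file is reported here rather than as curl error 60.
use_ca_bundle() {
    count=$(pem_cert_count "$1") || {
        echo "not a usable PEM bundle: $1" >&2
        return 1
    }
    CURL_CA_BUNDLE=$1
    export CURL_CA_BUNDLE
    echo "CURL_CA_BUNDLE=$1 ($count certificate(s))"
}

# write_sample FILE: constructed sample input; bodies are placeholder base64.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: PEM-shaped blocks, the bodies are not real certificates
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlRJRklDQVRFIE9ORQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlRJRklDQVRFIFRXTw==
-----END CERTIFICATE-----
EOF
}
```

Call `use_ca_bundle` on the copied or exported file in the same shell session that runs curl; a file that fails the check points to a binary (DER) export or a damaged transfer.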
Hi Vladimir
We are integrating Curl to copy Jenkins Agent in our setup for a pipeline with IBM DBB.
As we understand, we can set up a CA certificate store on the USS file system.
Normally we use RACF keyrings.
We understand that linking to RACF is not possible at this moment.
Are there plans to support linking to RACF keyrings?
If this is not the correct place to ask, who should I contact for these questions?
Regards
Dirk