Hi,

The version of cURL in my z/OS system is: curl 7.52.1 (i370-ibm-openedition)
curl-config --ca returns: /u/mvsbuild/py361z/python36/etc/ssl/cacert.pem 

But I can't find that directory. Instead I found cacert.pem is under /u/python/python36/etc/ssl. So I created that directory and copied cacert.pem there.

I tried 3 different ways:
1) When I issue the command without specifying --cacert and --capath, I get the error
curl: (60) SSL certificate problem: self signed certificate in certificate chain

2) When I issue the command specifying --cacert and --capath, I get the error
curl: (77) error setting certificate verify locations:
CAfile: cacert.pem
CApath: /u/mvsbuild/py361z/python36/etc/ssl

3) When I copy the cacert.pem file to the current directory, it works.

Questions:
1. Is there something wrong with the build process that made the cacert.pem stored in a wrong location?

2. After manually copying the cacert.pem to the desired location, why can't it be used, even when specifying the location explicitly?

3. Is it a requirement that cacert.pem has to be in the current directory and it needs to be specified explicitly?

4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------
Hello Wai,
Curl 7.52.2 is a pretty old version. Could you tell us how you installed it?

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands
------------------------------
I didn't install it. Our build team did. I don't know how they got the latest source from Rocket. Is there a process to get the latest version for curl?

Would those problems I reported go away with the latest version?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------
Hi Wai,
I see that your path contains 'python361'.
The Rocket Python 3.6.1 we built might be included in 2 projects:
1) IBM Open Data Analytics for z/OS (IzODA) - currently maintained by IBM
2) The Rocket Python 3.6.1 (and 2.7.6) was supported by Rocket and published on the Rocket Community portal. It was a bundle of packages that also included cURL.
If the Python was installed the old Rocket way, there was an instruction in PYTHON_README.ZOS to specify the CURL_CA_BUNDLE variable:
export CURL_CA_BUNDLE=$PYTHON_HOME/etc/ssl/cacert.pem
In your case it might be like
export CURL_CA_BUNDLE=/u/python/python36/etc/ssl
So I recommend trying to set this variable instead of using the --capath and --cacert options.

Also check if the _BPXK_AUTOCVT variable is set by using the 'env | sort' command. If it is not set, set it to ON:
export _BPXK_AUTOCVT=ON
You can also check if your certificate is readable, to exclude the chance of a mismatch between its encoding and its file tag:
cat /u/python/python36/etc/ssl/cacert.pem
Currently, these bundles of packages with Python 3.6.1 (and 2.7.6) are out of support, and we are delivering Python as part of z/OS Miniconda and cURL as a package for z/OS Miniconda.
If you are interested, you can try to download z/OS Miniconda from the Rocket Community portal. The latest version of z/OS Miniconda includes IBM Python 3.10.7.
After that you can install cURL as a z/OS Miniconda package.
There is a video guide.
Thanks,
Sergei


------------------------------
Sergey Rezepin
Rocket Software
------------------------------
Hi Sergey,

Thanks for the response. I managed to find a newer version of curl from another system.
curl 7.83.1 (i370-ibm-openedition) libcurl/7.83.1 OpenSSL/1.1.1s
Release-Date: 2022-05-11

Seems CURL_CA_BUNDLE needs to include the CA file name together with the full path, like /tmp/cafile/cacert.pem, not just /tmp/cafile so that --cacert can be omitted from the command.

And do you have an answer to my question 4:
4. Is there a way to use a RACF keyring specified in the configured AT-TLS policy file that contains the CA certs instead of using the pem file?

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------
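The checks suggested in this thread (CURL_CA_BUNDLE must name the PEM file itself rather than its directory, the file must be readable, and its encoding must match its tag) can be scripted. The following is an added example, not code from Rocket or from the posters; it assumes EBCDIC means code page cp037 (IBM-1047 is equally common on z/OS) and uses constructed sample files, not the cacert.pem from the thread.

```python
"""Diagnose a candidate CURL_CA_BUNDLE value before exporting it (added example)."""
import os
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"
# Assumption: EBCDIC files use cp037; on a real z/OS system check the file tag (ls -T)
EBCDIC_CODEC = "cp037"


def classify_pem_bytes(data: bytes) -> str:
    """Return 'ascii-pem', 'ebcdic-pem' or 'not-pem' for the raw bytes of a bundle.

    curl/OpenSSL read ASCII PEM. A bundle whose PEM markers only appear after
    EBCDIC decoding was converted or tagged inconsistently, which is the
    encoding/tag mismatch the thread suggests spotting with 'cat'.
    """
    if PEM_MARKER.encode("ascii") in data:
        return "ascii-pem"
    try:
        if PEM_MARKER in data.decode(EBCDIC_CODEC):
            return "ebcdic-pem"
    except UnicodeDecodeError:
        pass
    return "not-pem"


def diagnose_ca_bundle(path: str) -> str:
    """Name the first problem with a CURL_CA_BUNDLE value, or 'ok'."""
    if not path:
        return "unset"
    if not os.path.exists(path):
        return "missing"
    if os.path.isdir(path):
        # CURL_CA_BUNDLE takes the file; a directory is what --capath expects
        return "directory-not-file"
    if not os.access(path, os.R_OK):
        return "unreadable"
    with open(path, "rb") as fh:
        kind = classify_pem_bytes(fh.read())
    if kind == "ascii-pem":
        return "ok"
    if kind == "ebcdic-pem":
        return "ebcdic-encoded"
    return "no-certificates"


def build_samples() -> dict:
    """Create constructed sample files (not the thread's cacert.pem) for each case."""
    root = tempfile.mkdtemp(prefix="cabundle-")
    ascii_path = os.path.join(root, "cacert.pem")
    with open(ascii_path, "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    ebcdic_path = os.path.join(root, "cacert-ebcdic.pem")
    with open(ebcdic_path, "wb") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n".encode(EBCDIC_CODEC))
    empty_path = os.path.join(root, "empty.pem")
    open(empty_path, "wb").close()
    return {
        "dir": root,
        "ascii": ascii_path,
        "ebcdic": ebcdic_path,
        "empty": empty_path,
        "missing": os.path.join(root, "does-not-exist.pem"),
    }


def diagnose_samples() -> dict:
    """Run the diagnosis over every constructed sample; keys match build_samples()."""
    return {name: diagnose_ca_bundle(path) for name, path in build_samples().items()}


def export_line(path: str) -> str:
    """The shell line to add to the profile once the path diagnoses as 'ok'."""
    return f"export CURL_CA_BUNDLE={path}"


if __name__ == "__main__":
    samples = build_samples()
    for name, path in samples.items():
        print(f"{name:8s} {diagnose_ca_bundle(path):20s} {path}")
    print(export_line(samples["ascii"]))
    # Also check whatever is currently exported in this shell
    print("current:", diagnose_ca_bundle(os.environ.get("CURL_CA_BUNDLE", "")))
```

The 'directory-not-file' result is the case from this thread: the variable was set to /u/python/python36/etc/ssl, and curl then reported error 77 because that is a directory, not a CA file.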
Hi Wai,
Keyring support is not available at the moment, but it is on the table.

------------------------------
Tatiana Balaburkina
Engineering Manager
Rocket Internal - All Brands
------------------------------
Tatiana,

Glad to know keyring support for z/OS curl is on the table.

A related question: Do you know if curl on z/OS can make use of AT-TLS? If yes, how? Can I specify -k to bypass the built-in validation mechanism of curl to force it to use AT-TLS?

------------------------------
Wai Choi
MS
IBM
POUGHKEEPSIE NY US
------------------------------
Isn't the "AT" in AT-TLS "Application Transparent"? So curl should be unaware of its use, and that is an AT-TLS question.

I might be misunderstanding completely, but what I would expect is that curl would specify a non-encrypted connection e.g. http, and AT-TLS implements the TLS. So there is no certificate for curl to validate, certificate validation is done by AT-TLS?

------------------------------
Andrew Rowley
Self Registered
Ballarat AU
------------------------------

I have the same understanding on AT. But I can't get it to work for curl. Not sure if there is some setup needed. That's why I asked.

When I use the CURL_CA_BUNDLE to specify the CA root cert and go to a site whose cert is not originated from that CA (just for testing), I got

TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
...
Unknown CA is expected. But 'self signed certificate in certificate chain' refers to which cert?



------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------
The top-level certificate (the root CA) is usually self-signed.

You can see this with
openssl x509 -inform PEM -in <root ca>.pem -text -out certdata

The issuer of the root CA will be the root CA, hence it is self-signed, hence the error message about a self-signed certificate in the chain.


AT-TLS should be transparent, although I think it is possible that AT-TLS rules can be configured such that they only apply to traffic originating from outside the mainframe and not to traffic that originates from the mainframe.

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US
------------------------------
My point is that the root CA cert is self-signed. Why does it appear as an error? The chain validation would end up at the root. This message is misleading if it complains about the root.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------
Another question on z/OS curl: how to specify the data as an input file? From Windows, I can specify --data @filename, but on z/OS, it is treated as the content, not the file that contains the content. I have tried --data-raw @filename, which doesn't work either.


------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------
Maybe I misunderstood: do you get the self-signed message when you pass the correct or incorrect root ca?
If the latter, then that is expected, as the reply from your web server now contains a self-signed certificate in the chain (namely the root ca).

--data works fine for me:

curl --user abc:def -X PUT --data @genreq "http://rs01:11443/zosmf/restfiles/ds/'TS5941.WORK.JCL(TEST1)'"


------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US
------------------------------
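Jorn's two answers above describe what the error names: the chain the server sends ends in a self-signed root (issuer equals subject, as the openssl x509 output shows), and when that root is not in the bundle curl was told to trust, OpenSSL reports a self-signed certificate in the chain rather than complaining about the trusted root. The following added example, which is not code from curl, OpenSSL or the posters, models that chain walk over constructed (subject, issuer) pairs so the three outcomes can be compared; the error numbers are OpenSSL's X509_V_ERR values for these conditions, and the certificate names are invented.

```python
"""Model of how chain building decides between 'ok', 'self signed certificate
in certificate chain' and 'unable to get local issuer certificate' (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Just the two names chain building looks at; keys and signatures are not modelled."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root CA issues its own certificate: issuer == subject
        return self.subject == self.issuer


# OpenSSL X509_V_ERR_* numbers and messages for the outcomes modelled here
OK = (0, "ok")
DEPTH_ZERO_SELF_SIGNED = (18, "self signed certificate")
SELF_SIGNED_IN_CHAIN = (19, "self signed certificate in certificate chain")
NO_LOCAL_ISSUER = (20, "unable to get local issuer certificate")


def verify_chain(presented, trusted):
    """Walk from the leaf upward through the server-presented (untrusted) certs.

    Verification succeeds when the walk reaches a cert that is in the trust
    store (the CA bundle). It fails with error 19 when the walk instead reaches
    a self-signed cert that is not in the store: the server's own root, which
    is the cert the error message refers to.
    """
    trusted_set = set(trusted)
    presented_by_subject = {c.subject: c for c in presented}
    current = presented[0]
    depth = 0
    while True:
        if current in trusted_set:
            return OK
        if current.self_signed:
            return DEPTH_ZERO_SELF_SIGNED if depth == 0 else SELF_SIGNED_IN_CHAIN
        issuer = presented_by_subject.get(current.issuer)
        if issuer is None:
            # Chain cannot be continued with what the server sent: look in the bundle
            for cand in trusted:
                if cand.subject == current.issuer:
                    return OK
            return NO_LOCAL_ISSUER
        current = issuer
        depth += 1


# Constructed sample hierarchy (names are invented)
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA")
OTHER_ROOT = Cert("CN=Other Root CA", "CN=Other Root CA")


def demo() -> dict:
    """The scenarios discussed in the thread, keyed by description."""
    return {
        "correct CA in bundle": verify_chain([LEAF, INTER, ROOT], [ROOT]),
        "wrong CA in bundle": verify_chain([LEAF, INTER, ROOT], [OTHER_ROOT]),
        "server omits its root, wrong CA": verify_chain([LEAF, INTER], [OTHER_ROOT]),
        "server omits its root, correct CA": verify_chain([LEAF, INTER], [ROOT]),
        "self-signed leaf": verify_chain([Cert("CN=dev", "CN=dev")], [OTHER_ROOT]),
    }


if __name__ == "__main__":
    for scenario, (code, message) in demo().items():
        print(f"{scenario:34s} -> ({code}) {message}")
```

With the wrong CA in the bundle the walk passes the leaf and the intermediate, then hits the server's self-signed root at depth 2 without ever touching a trusted cert, which is why the message is about that root and not about the bundle's own root.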
Sorry for the false alarm. z/OS curl does accept --data @filename. It is the application rejecting it, not curl.

When I pass an incorrect CA, I got:
TLSv1.2 (OUT), TLS alert, unknown CA (560): <==this is expected
...
curl: (60) SSL certificate problem: self signed certificate in certificate chain <==this is misleading. A complete cert chain must contain a root cert, which is self-signed.

------------------------------
Wai Choi
MS
IBM / Tivoli Software
POUGHKEEPSIE NY US
------------------------------
I think that would be a question for the curl community. I get the same behavior on my windows workstation and USS.

------------------------------
Jorn Thyssen
Solutions Advisor
Rocket Internal - All Brands
Waltham MA US
------------------------------