This blog post covers problems I experienced when testing the curl interface from Red Hat into z/OS using digital certificates.
The blog is not designed to be read end to end, but so that web search tools can find the error messages and the actions I took to resolve my problems.

The first place to look for problems is the //STDOUT and //STDERR output. //STDERR tends to have the error messages.
In the ../servers/mqweb/logs directory there is a file messages.log which contains more information about problems.
My configuration directory was /u/paice/mqweb, so I used the USS command oe /u/paice/mqweb/servers/mqweb/logs/messages.log
to view it.

Once you get back JSON data from the request you have successfully connected to the MQ Web server.  You may get messages like

{"error": [{
"action": "Map one or more roles to the principal and resubmit the request.",
"explanation": "The REST API request failed as the authenticated principal is not associated with any of the roles.",
"message": "MQWB0108E: The authenticated principal 'SCENSTC' is not granted access to any of the required roles: '[MQWebAdmin,MQWebAdminRO,MQWebUser]'.",
"msgId": "MQWB0108E",
"type": "rest"
}]}

In this case the message id is MQWB0108E. The explanation and action given are the same as in the knowledge centre.


Some options of the curl and openssl commands take a single dash (-) and some take two (--). Check the syntax if things do not behave as you expect.


Some security manager profiles just need to exist, while other profiles also need a userid to be given permission to access the profile.


Certificate problems

I found I was sometimes using the wrong certificates.  You can check the certificate files using the openssl command

Check the CA certificate

My CA certificate was in ./zzzzzzzz.pem
openssl x509 -in ./zzzzzzzz.pem -purpose -issuer -subject -noout
gave me
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes

issuer= /O=IBM/CN=ZZZZZZZZ
subject= /O=IBM/CN=ZZZZZZZZ

Check the user certificate

My user certificate was in new.crt.pem
openssl x509 -in ./new.crt.pem -subject -issuer -purpose -noout
gave me
subject= /C=GB/O=CONSOLE3/CN=CONS4096
issuer= /O=IBM/CN=SCENCA
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes

Curl trace

The --trace option writes a trace to a file:
curl --trace trace.txt …
In the trace.txt file it gave me

== Info: About to connect() to winmvsca.hursley.ibm.com port 9444 (#0)
== Info:   Trying 9.20.4.159...
== Info: Connected to winmvsca.hursley.ibm.com (9.20.4.159) port 9444 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info:   CAfile: ./zzzzzzzz.pem
CApath: none
== Info: NSS: client certificate from file
== Info: subject: CN=CONS4096,O=CONSOLE3,C=GB
== Info: start date: Sep 07 23:00:00 2017 GMT
== Info: expire date: Sep 08 22:59:59 2018 GMT
== Info: common name: CONS4096
== Info: issuer: CN=SCENCA,O=IBM
== Info: SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
== Info: Server certificate:
== Info: subject: CN=YYYYYYYY,C=GB
== Info: start date: Dec 31 23:00:00 2016 GMT
== Info: expire date: Jan 01 22:59:59 2018 GMT
== Info: common name: YYYYYYYY
== Info: issuer: CN=ZZZZZZZZ,O=IBM

So you can see the server certificate (subject: CN=YYYYYYYY,C=GB) and its CA (issuer: CN=ZZZZZZZZ,O=IBM),
and the client certificate (subject: CN=CONS4096,O=CONSOLE3,C=GB) and its CA (issuer: CN=SCENCA,O=IBM).
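The trace.txt lines above have a regular shape, so they can be parsed rather than read by eye. This is an added example, not code from the original post: it pulls the subject, issuer and validity dates of the client and server certificates out of a curl --trace file and reports an expired or not-yet-valid certificate; SAMPLE_TRACE is constructed from the excerpt above.

```python
"""Parse the certificate lines that curl --trace (NSS build) writes, as in the
trace.txt excerpt above, and flag a certificate that is expired or not yet
valid.  Added example, not from the post; SAMPLE_TRACE is built from the excerpt."""
from datetime import datetime, timezone

SAMPLE_TRACE = """\
== Info: NSS: client certificate from file
== Info: subject: CN=CONS4096,O=CONSOLE3,C=GB
== Info: start date: Sep 07 23:00:00 2017 GMT
== Info: expire date: Sep 08 22:59:59 2018 GMT
== Info: common name: CONS4096
== Info: issuer: CN=SCENCA,O=IBM
== Info: SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
== Info: Server certificate:
== Info: subject: CN=YYYYYYYY,C=GB
== Info: start date: Dec 31 23:00:00 2016 GMT
== Info: expire date: Jan 01 22:59:59 2018 GMT
== Info: common name: YYYYYYYY
== Info: issuer: CN=ZZZZZZZZ,O=IBM
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # the date form curl prints in the trace

def parse_gmt(text):
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)

def parse_trace(text):
    """Return {'client': {...}, 'server': {...}} holding the subject, issuer,
    start date and expire date fields exactly as curl printed them."""
    certs, current = {}, None
    for line in text.splitlines():
        if not line.startswith("== Info:"):
            continue  # '=> Send' / '<= Recv' dumps carry no certificate data
        body = line[len("== Info:"):].strip()
        if body.startswith("NSS: client certificate"):
            current = certs.setdefault("client", {})
        elif body == "Server certificate:":
            current = certs.setdefault("server", {})
        elif current is not None and ": " in body:
            key, value = body.split(": ", 1)
            current[key] = value
    return certs

def check_validity(cert, now):
    """None if the certificate is valid at `now` (UTC datetime), else why not."""
    if now < parse_gmt(cert["start date"]):
        return "not yet valid (starts %s)" % cert["start date"]
    if now > parse_gmt(cert["expire date"]):
        return "expired (ended %s)" % cert["expire date"]
    return None
```

Run it against a real trace.txt with parse_trace(open("trace.txt").read()) and check_validity(cert, datetime.now(timezone.utc)) for each side; note that the server certificate in the excerpt above expired on Jan 01 2018.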


Messages (for search engines to find)

CWWKS2911E: SAF Service RACROUTE_FASTAUTH did not succeed because the resource profile BBGCCP.com.ibm.mq.rest.MQWebAdmin in class EJBROLE does not exist. SAF return code 0x00000004. RACF return code 0x00000004. RACF reason code 0x00000000.

Check that the BBGCCP in the message matches the profilePrefix in the safCredentials definition:
<server>
<featureManager>
<feature>zosSecurity-1.0</feature>
</featureManager>
<safAuthorization racRouteLog="ASIS"/>
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST"
profilePrefix="BBGCCP" />
</server>


curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
You need to split the downloaded end user certificate (in p12 format) into two parts, the certificate and the private key, and specify --cert … and --key …


Curl message

Failed connect to winmvsca.hursley.ibm.com:9444; Connection refused
The wrong port or IP address was specified.

NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
== Info: Unable to communicate securely with peer: requested domain name does not match the server's certificate.
The server's certificate needs an ALTNAME with a DOMAIN that matches the name used in the URL.


curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
You need to get the CA certificate from the server and specify it with --cacert


You can use openssl to talk to the MQWEB server and do the SSL handshake:

openssl s_client -debug -CAfile ./zzzzzzzz.pem -connect winmvsca.hursley.ibm.com:9444 -cert ./new.crt.pem -key ./new.key.pem > aa

This gives you information about
the certificate sent down to the client
the certificates in the keyring on z/OS

If you get 140790E5:SSL
you need to specify the -cert and -key options.


In the …/mqweb/logs/messages.log

message CWWKS2932I: The {0} version of the SAF user registry is activated. Authentication will proceed using unauthorized native services.

For the "unauthorized native services" problem the angel task needs to be started, and security profiles need to be defined in class(SERVER):

RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(SCENSTC)

RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(SCENSTC)

and the STC userid needs read access to them.

For messages like
CWWKB0104I: Authorized service group ….. is not available.
CWWKB0104I: Authorized service group ZOSDUMP is not available.
you need to define a class(SERVER) profile BBG.AUTHMOD.BBGZSAFM.ZOSDUMP


curl
"action": "Provide credentials using a client certificate, LTPA security token or username and password via HTTP basic authentication header.",
"explanation": "The REST API request cannot be completed because credentials were omitted from the request.",
"message": "MQWB0104E: The REST API request to 'https://winmvsca.hursley.ibm.com:9444/ibmmq/rest/v1/admin/qmgr/MQ7A/queue' is not authenticated.",
"msgId": "MQWB0104E",
"type": "rest"

Browser: asked for a choice of certificate, then asked for userid and password.


STDOUT

CWWKS2930W: A SAF authentication attempt using authorized SAF services was rejected because the server is not authorized to access the APPL-ID BBGCCP. Authentication will proceed using unauthorized SAF services.

MQWB0104E: The REST API request to ‘https://winmvsca.hursley.ibm.com:9444/ibmmq/rest/v1/admin/qmgr/MQ7A/queue’ is not authenticated.

CWWKS2960W: Cannot create the default credential for SAF authorization of unauthenticated users. All authorization checks for unauthenticated users will fail. The default credential could not be created due to the following error:
CWWKS2909E: A SAF authentication or authorization attempt was rejected because the server is not authorized to access the following SAF resource: APPL-ID BBGCCP. Internal error code 0x03008108.

Problem: the profile with class(SERVER) and profile(BBG.SECPFX.BBGCCP) is missing.
Action: define the profile
RDEFINE SERVER BBG.SECPFX.BBGCCP OWNER(SYS1)
PERMIT BBG.SECPFX.BBGCCP CLASS(SERVER) ID(SCENSTC) ACC(READ)


Curl JSON error

"action": "Map one or more roles to the principal and resubmit the request.",
"explanation": "The REST API request failed as the authenticated principal is not associated with any of the roles.",
"message": "MQWB0108E: The authenticated principal 'SCENSTC' is not granted access to any of the required roles: '[MQWebAdmin,MQWebAdminRO,MQWebUser]'.",
"msgId": "MQWB0108E",
"type": "rest"

browser:
403 Forbidden
You do not have sufficient authority to access the MQ Console.

messages.log
CWWKS2911E: SAF Service RACROUTE_FASTAUTH did not succeed because the resource profile BBGCCP.com.ibm.mq.rest.MQWebAdmin in class EJBROLE does not exist. SAF return code 0x00000004. RACF return code 0x00000004. RACF reason code 0x00000000.

MQWB0108E: The authenticated principal 'SCENSTC' is not granted access to any of the required roles: 'MQWebAdmin, MQWebAdminRO,MQWebUser'.
This message has the explanation: The REST API request failed as the authenticated principal is not associated with any of the roles.
CWWKS9104A: Authorization failed for user SCENSTC while invoking com.ibm.mq.console on /. The user is not granted access to any of the required roles: MQWebAdmin, MQWebAdminRO, MQWebUser.

Action:
Define the profiles,
rdef EJBROLE BBGCCP.com.ibm.mq.console.MQWebAdminRO            uacc(none)
rdef EJBROLE BBGCCP.com.ibm.mq.rest.MQWebAdmin        uacc(none)
give the users access to the profile,
permit BBGCCP.com.ibm.mq.console.MQWebAdminRO   class(EJBROLE) access(read) id(SCENSTC)
permit BBGCCP.com.ibm.mq.rest.MQWebAdmin  class(EJBROLE) access(read) id(PAICE2 )
refresh the profiles  SETROPTS RACLIST(EJBROLE) REFRESH


The domain name doesn't match between the URL and the CN in the certificate.
You specified

ALTNAME( -
DOMAIN('winmvsca.Hursley.ibm.com') -
)

when you created your certificate.

In the MQWEB job output you should have

CWWKT0016I: Web application available (default_host): http://winmvsca.hursley.ibm.com:9081/api/docs/

etc.
This winmvsca.hursley.ibm.com should match the ALTNAME DOMAIN of the certificate used by MQWEB. The address may be numeric instead of a name.
The IP address you use in your URL may be an alias to a different one within TCPIP.
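The rule behind SSL_ERROR_BAD_CERT_DOMAIN, as an added example that is not part of the original post: the function below checks the host part of a URL against a certificate's ALTNAME DOMAIN entries (case-insensitively, so the capital H in the DOMAIN above is harmless), against its IP-address entries when the URL is numeric, and against the CN only when the certificate has no ALTNAME at all. The wildcard and IP-address entries are constructed; the host name and 9.20.4.159 are the post's own.

```python
"""Reproduce the check behind SSL_ERROR_BAD_CERT_DOMAIN: does the host in
the curl URL match the names in the server certificate?  Added example, not
from the original post; wildcard and IP ALTNAME values are constructed."""
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive; '*' allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) != len(h) or len(p) < 3:
        return False
    return p[1:] == h[1:]

def host_matches_cert(url_host, san_dns=(), san_ip=(), cn=None):
    """Return (ok, reason) for the host part of the URL checked against the
    certificate's ALTNAME DOMAIN entries (san_dns), ALTNAME IP entries
    (san_ip) and, only when there is no ALTNAME at all, the CN."""
    try:
        addr = ipaddress.ip_address(url_host)
    except ValueError:
        addr = None
    if addr is not None:
        # A numeric URL matches an IP-address entry only, never a DNS name,
        # even if that name resolves to this address.
        if any(ipaddress.ip_address(ip) == addr for ip in san_ip):
            return True, "matched IP ALTNAME %s" % addr
        return False, "numeric host %s needs an IP-address ALTNAME entry" % addr
    for name in san_dns:
        if _dns_match(name, url_host):
            return True, "matched ALTNAME DOMAIN %s" % name
    if not san_dns and not san_ip and cn and _dns_match(cn, url_host):
        return True, "matched CN %s (certificate has no ALTNAME)" % cn
    return False, "%s is not among the certificate's names" % url_host
```

So a URL of https://9.20.4.159:9444/... fails against a certificate whose only ALTNAME is DOMAIN('winmvsca.Hursley.ibm.com'), while https://winmvsca.hursley.ibm.com:9444/... passes.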
