Merge pull request #1654 from zowe/users/stevenh/zip-1603

Keyring vs USS keystore separation
zowe · Sep 24, 2020 · 0a5aec8 · 0a5aec8
2 parents 5640cd2 + 2f8a87c
commit 0a5aec8
Show file tree

Hide file tree

Showing 10 changed files with 123 additions and 31 deletions.
diff --git a/bin/zowe-setup-certificates.env b/bin/zowe-setup-certificates.env
@@ -13,46 +13,34 @@ IPADDRESS=
 VERIFY_CERTIFICATES=true
 
 # optional - Path to a PKCS12 keystore with a server certificate for API
-# Mediaton Layer (APIML). Ignore if you used the ZWEKRING jcl
+# Mediaton Layer (APIML).
 EXTERNAL_CERTIFICATE=
-# optional - Alias of the certificate in the keystore. Ignore if you used
-# the ZWEKRING jcl
+# optional - Alias of the certificate in the keystore. 
 EXTERNAL_CERTIFICATE_ALIAS=
 # optional - Public certificates of trusted CAs - multiple certificates 
 # delimitad with space has to be enclosed with quotes ("cer1 cer2")
-# Ignore if you used the ZWEKRING jcl
 EXTERNAL_CERTIFICATE_AUTHORITIES=
+# Select a password that is used to secure EXTERNAL_CERTIFICATE keystore
+# and that will be also used to secure newly generated keystores for API 
+# Mediation.
+KEYSTORE_PASSWORD=password
 # optional - Public certificates of z/OSMF - multiple certificates 
 # delimited with space has to be enclosed with quotes ("cer1 cer2")
-# Ignore if you used the ZWEKRING jcl
 ZOSMF_CERTIFICATE=
+
 # If APIML SSO token not present, Zowe components are allowed to attempt authentication with other user-provided data
 SSO_FALLBACK_TO_NATIVE_AUTH=true
 # optional - PKCS#11 token name for SSO. Must already exist
 PKCS11_TOKEN_NAME=
 # optional - PKCS#11 token label for SSO. Must not already exist
 PKCS11_TOKEN_LABEL=
 
-# Select a password that is used to secure EXTERNAL_CERTIFICATE keystore
-# and that will be also used to secure newly generated keystores for API 
-# Mediation. Ignore if you used the ZWEKRING jcl
-KEYSTORE_PASSWORD=password
 # Location for generated certificates and/or JWT token
 KEYSTORE_DIRECTORY=/global/zowe/keystore
 # Select an alias for the certificate in the generated keystore.
-# If you used the ZWEKRING jcl, then this variable has to be set to the
-# Zowe certificate's LABEL specified in the JCL.
 KEYSTORE_ALIAS=localhost
 # Specify zowe user id to set up ownership of the generated certificates.
-# This variable is also used for keyring configuration. If you used
-# the ZWEKRING jcl, set the variable to the same user id as in the jcl.
+# This variable is also used for keyring configuration.
 ZOWE_USER_ID=ZWESVUSR
 # Specify zowe group id to set up ownership of the generated certificates
-ZOWE_GROUP_ID=ZWEADMIN
-# Specify zowe keyring that keeps zowe certificates, if not specified then
-# USS keystore files will be created. If you used the ZWEKRING jcl, set
-# the variable to the same keyring that you used in the jcl.
-ZOWE_KEYRING=
-# If you used ZWEKRING jcl to configure the certificates for the keyring
-# then set this variable to false (defaults to false)
-GENERATE_CERTS_FOR_KEYRING=false
+ZOWE_GROUP_ID=ZWEADMIN
diff --git a/bin/zowe-setup-certificates.sh b/bin/zowe-setup-certificates.sh
@@ -79,6 +79,7 @@ set_install_log_file "zowe-setup-certificates"
 
 echo "<zowe-setup-certificates.sh>" >> $LOG_FILE
 
+
 # Load default values
 DEFAULT_CERTIFICATES_CONFIG_FILE=${ZOWE_ROOT_DIR}/bin/zowe-setup-certificates.env
 echo "Loading default variables from ${DEFAULT_CERTIFICATES_CONFIG_FILE} file."
@@ -99,6 +100,11 @@ else
   fi
 fi
 
+# Backwards compatible overloading of KEYSTORE_ALIAS to be ZOWE_CERTIFICATE_LABEL
+if [[ -n ${ZOWE_CERTIFICATE_LABEL} ]] then
+  KEYSTORE_ALIAS=${ZOWE_CERTIFICATE_LABEL}
+fi
+
 # tolerate HOSTNAME, IPADDRESS to have multiple values
 HOSTNAME_FIRST=$(echo $HOSTNAME  | tr "," "\n" | sed '/^[[:space:]]*$/d' | head -1)
 IPADDRESS_FIRST=$(echo $IPADDRESS  | tr "," "\n" | sed '/^[[:space:]]*$/d' | head -1)

diff --git a/bin/zowe-setup-keyring-certificates.env b/bin/zowe-setup-keyring-certificates.env
@@ -0,0 +1,33 @@
+# TODO - do we need a workflow for keyrings?
+
+# The hostname of the system running API Mediation. If the hostname is
+# omitted, the configuration script attempts to calculate the value on 
+# its own. You can specify multiple domains separated by comma.
+HOSTNAME=
+# The IP address of the system running API Mediation. If the IP address 
+# is omitted, the configuration script attempts to calculate the value 
+# on its own. You can specify multiple IPs separated by comma.
+IPADDRESS=
+# Should APIML verify certificates of services it uses - true/false
+VERIFY_CERTIFICATES=true
+
+# If APIML SSO token not present, Zowe components are allowed to attempt authentication with other user-provided data
+SSO_FALLBACK_TO_NATIVE_AUTH=true
+# optional - PKCS#11 token name for SSO. Must already exist
+PKCS11_TOKEN_NAME=
+# optional - PKCS#11 token label for SSO. Must not already exist
+PKCS11_TOKEN_LABEL=
+
+# Location for generated certificates and/or JWT token
+KEYSTORE_DIRECTORY=/global/zowe/keystore
+# This variable has to be set to the Zowe certificate's LABEL specified in the JCL.
+ZOWE_CERTIFICATE_LABEL=localhost
+# Specify zowe user id to set up ownership of the generated certificates.
+# Set the variable to the same user id as in the jcl.
+ZOWE_USER_ID=ZWESVUSR
+# Specify zowe keyring that keeps zowe certificates, set
+# the variable to the same keyring that you used in the jcl.
+ZOWE_KEYRING=ZoweKeyring
+# Option to generate certificates in zowe-setup-certificates, rather than ZWEKRING jcl
+# If ZWEKRING is used then set this variable to false (defaults to false)
+GENERATE_CERTS_FOR_KEYRING=false
diff --git a/playbooks/roles/configure/tasks/create_keyring.yml b/playbooks/roles/configure/tasks/create_keyring.yml
@@ -1,5 +1,11 @@
 ---
 # this playbook runs SZWESAMP(ZWEKRING)
+
+- name: Validate that we were in keyring mode
+  fail:
+    msg: "Error. This play should only be run when in keyring mode"
+  when: zos_keystore_mode is undefined or zos_keystore_mode != 'KEYSTORE_MODE_KEYRING'
+
 - name: Remove ZWEKRING.jcl if exists
   raw: >-
     rm -f "{{ work_dir_remote }}/ZWEKRING.jcl"

diff --git a/playbooks/roles/configure/tasks/main.yml b/playbooks/roles/configure/tasks/main.yml
@@ -69,12 +69,21 @@
 - import_role:
     name: configure
     tasks_from: create_keyring
+  when: zos_keystore_mode is defined and zos_keystore_mode == 'KEYSTORE_MODE_KEYRING'
 
 # ============================================================================
 # Setup certificates for USS keystore (self-signed)
 - import_role:
     name: configure
     tasks_from: setup_certificates
+  when: zos_keystore_mode is undefined or zos_keystore_mode != 'KEYSTORE_MODE_KEYRING'
+
+# ============================================================================
+# Setup certificates for keyring (self-signed)
+- import_role:
+    name: configure
+    tasks_from: setup_keyring_certificates
+  when: zos_keystore_mode is defined and zos_keystore_mode == 'KEYSTORE_MODE_KEYRING'
 
 # ============================================================================
 # Configure Zowe Instance

diff --git a/playbooks/roles/configure/tasks/setup_certificates.yml b/playbooks/roles/configure/tasks/setup_certificates.yml
@@ -16,15 +16,6 @@
     sed -e "s+^ZOWE_USER_ID=.*\$+ZOWE_USER_ID={{ zowe_runtime_user }}+" | \
     sed -e "s+^ZOWE_GROUP_ID=.*\$+ZOWE_GROUP_ID={{ zowe_runtime_group }}+" \
     > "{{ work_dir_remote }}/zowe-setup-certificates.env"
-    
-- name: Update zowe-setup-certificates.env to use keyring mode (if applicable)
-  raw: >-
-    cat "{{ work_dir_remote }}/zowe-setup-certificates.env" | \
-    sed -e "s+^KEYSTORE_ALIAS=.*\$+KEYSTORE_ALIAS={{ zowe_keyring_certname }}+" | \
-    sed -e "s+^ZOWE_KEYRING=.*\$+ZOWE_KEYRING={{ zowe_keyring_alias }}+" \
-    > "{{ work_dir_remote }}/zowe-setup-certificates.tmp" && \
-    mv "{{ work_dir_remote }}/zowe-setup-certificates.tmp" "{{ work_dir_remote }}/zowe-setup-certificates.env"
-  when: zos_keystore_mode is defined and zos_keystore_mode == 'KEYSTORE_MODE_KEYRING'
 
 - name: Show zowe-setup-certificates.env
   raw: cat "{{ work_dir_remote }}/zowe-setup-certificates.env"

diff --git a/playbooks/roles/configure/tasks/setup_keyring_certificates.yml b/playbooks/roles/configure/tasks/setup_keyring_certificates.yml
@@ -0,0 +1,42 @@
+---
+# this playbook runs bin/zowe-setup-certificates.sh to setup certificates for Zowe in Keyring mode 
+
+- name: Validate that we were in keyring mode
+  fail:
+    msg: "Error. This play should only be run when in keyring mode"
+  when: zos_keystore_mode is undefined or zos_keystore_mode != 'KEYSTORE_MODE_KEYRING'
+
+- name: Prepare zowe-setup-keyring-certificates.env
+  raw: >-
+    cat "{{ zowe_root_dir }}/bin/zowe-setup-keyring-certificates.env" | \
+    sed -e "s+^HOSTNAME=.*\$+HOSTNAME={{ zowe_external_domain_name }}+" | \
+    sed -e "s+^IPADDRESS=.*\$+IPADDRESS={{ zowe_external_ip_address }}+" | \
+    sed -e "s+^VERIFY_CERTIFICATES=.*\$+VERIFY_CERTIFICATES={{ zowe_apiml_verify_certficates_of_services|string|lower }}+" | \
+    sed -e "s+^KEYSTORE_DIRECTORY=.*\$+KEYSTORE_DIRECTORY={{ zowe_keystore_dir }}+" | \
+    sed -e "s+^ZOWE_CERTIFICATE_LABEL=.*\$+ZOWE_CERTIFICATE_LABEL={{ zowe_keyring_certname }}+" | \
+    sed -e "s+^ZOWE_USER_ID=.*\$+ZOWE_USER_ID={{ zowe_runtime_user }}+" | \
+    sed -e "s+^ZOWE_KEYRING=.*\$+ZOWE_KEYRING={{ zowe_keyring_alias }}+" \
+    > "{{ work_dir_remote }}/zowe-setup-keyring-certificates.env"
+
+- name: Show zowe-setup-keyring-certificates.env
+  raw: cat "{{ work_dir_remote }}/zowe-setup-keyring-certificates.env"
+
+- name: Setup keyring certificates
+  import_role:
+    name: zos
+    tasks_from: run_script
+  vars:
+    script_chdir: "{{ zowe_root_dir }}/bin"
+    script_filename: ./zowe-setup-certificates.sh
+    script_parameters: "-p \"{{ work_dir_remote }}/zowe-setup-keyring-certificates.env\"  -l \"{{ zowe_install_logs_dir }}\""
+
+- name: List log dir
+  raw: ls -l "{{ zowe_install_logs_dir }}"
+  ignore_errors: True
+
+- name: Show setup certificate log
+  raw: find {{ zowe_install_logs_dir }} -name "zowe-setup-certificates-*.log" -type f | xargs -i sh -c 'echo ">>>>>>>>>>>>>>>>>>>>>>>> {} >>>>>>>>>>>>>>>>>>>>>>>" && cat {}'
+  ignore_errors: True
+
+- name: List certificates directory
+  raw: ls -l "{{ zowe_keystore_dir }}"
diff --git a/tests/installation/package.json b/tests/installation/package.json
@@ -27,5 +27,10 @@
     "test": "jest --no-colors --runInBand",
     "merge-reports": "node dist/merge-test-reports.js",
     "lint": "eslint ."
+  },
+  "jest": {
+    "setupFilesAfterEnv": [
+      "./src/__tests__/beforeTests.js"
+    ]
   }
 }
diff --git a/tests/installation/src/__tests__/beforeTests.js b/tests/installation/src/__tests__/beforeTests.js
@@ -0,0 +1,12 @@
+/*
+* This program and the accompanying materials are made available under the terms of the
+* Eclipse Public License v2.0 which accompanies this distribution, and is available at
+* https://www.eclipse.org/legal/epl-v20.html
+*
+* SPDX-License-Identifier: EPL-2.0
+*
+* Copyright Contributors to the Zowe Project.
+*
+*/
+
+jest.setTimeout(3600000);
diff --git a/tests/installation/src/__tests__/extended/keystore-modes/acf2-keyring.ts b/tests/installation/src/__tests__/extended/keystore-modes/acf2-keyring.ts
@@ -28,7 +28,7 @@ import {
         'ZOWE_BUILD_LOCAL',
       ]);
     });
-  
+
     test('install and verify', async () => {
       await installAndVerifyConvenienceBuild(
         testSuiteName,