Merge pull request #1654 from zowe/users/stevenh/zip-1603
Keyring vs USS keystore separation
Showing
10 changed files
with
123 additions
and
31 deletions.
@@ -0,0 +1,33 @@ | ||
# TODO - do we need a workflow for keyrings? | ||
|
||
# The hostname of the system running API Mediation. If the hostname is | ||
# omitted, the configuration script attempts to calculate the value on | ||
# its own. You can specify multiple domains separated by comma. | ||
HOSTNAME= | ||
# The IP address of the system running API Mediation. If the IP address | ||
# is omitted, the configuration script attempts to calculate the value | ||
# on its own. You can specify multiple IPs separated by comma. | ||
IPADDRESS= | ||
# Should APIML verify certificates of services it uses - true/false | ||
VERIFY_CERTIFICATES=true | ||
|
||
# If APIML SSO token not present, Zowe components are allowed to attempt authentication with other user-provided data | ||
SSO_FALLBACK_TO_NATIVE_AUTH=true | ||
# optional - PKCS#11 token name for SSO. Must already exist | ||
PKCS11_TOKEN_NAME= | ||
# optional - PKCS#11 token label for SSO. Must not already exist | ||
PKCS11_TOKEN_LABEL= | ||
|
||
# Location for generated certificates and/or JWT token | ||
KEYSTORE_DIRECTORY=/global/zowe/keystore | ||
# This variable has to be set to the Zowe certificate's LABEL specified in the JCL. | ||
ZOWE_CERTIFICATE_LABEL=localhost | ||
# Specify zowe user id to set up ownership of the generated certificates. | ||
# Set the variable to the same user id as in the jcl. | ||
ZOWE_USER_ID=ZWESVUSR | ||
# Specify zowe keyring that keeps zowe certificates, set | ||
# the variable to the same keyring that you used in the jcl. | ||
ZOWE_KEYRING=ZoweKeyring | ||
# Option to generate certificates in zowe-setup-certificates, rather than ZWEKRING jcl | ||
# If ZWEKRING is used then set this variable to false (defaults to false) | ||
GENERATE_CERTS_FOR_KEYRING=false |
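--- /dev/null
+++ b/playbooks/roles/configure/tasks/setup_keyring_certificates.yml
@@ -0,0 +1,42 @@
+---
+# this playbook runs bin/zowe-setup-certificates.sh to setup certificates for Zowe in Keyring mode
+
+- name: Validate that we were in keyring mode
+  fail:
+    msg: "Error. This play should only be run when in keyring mode"
+  when: zos_keystore_mode is undefined or zos_keystore_mode != 'KEYSTORE_MODE_KEYRING'
+
+- name: Prepare zowe-setup-keyring-certificates.env
+  raw: >-
+    cat "{{ zowe_root_dir }}/bin/zowe-setup-keyring-certificates.env" | \
+    sed -e "s+^HOSTNAME=.*\$+HOSTNAME={{ zowe_external_domain_name }}+" | \
+    sed -e "s+^IPADDRESS=.*\$+IPADDRESS={{ zowe_external_ip_address }}+" | \
+    sed -e "s+^VERIFY_CERTIFICATES=.*\$+VERIFY_CERTIFICATES={{ zowe_apiml_verify_certficates_of_services|string|lower }}+" | \
+    sed -e "s+^KEYSTORE_DIRECTORY=.*\$+KEYSTORE_DIRECTORY={{ zowe_keystore_dir }}+" | \
+    sed -e "s+^ZOWE_CERTIFICATE_LABEL=.*\$+ZOWE_CERTIFICATE_LABEL={{ zowe_keyring_certname }}+" | \
+    sed -e "s+^ZOWE_USER_ID=.*\$+ZOWE_USER_ID={{ zowe_runtime_user }}+" | \
+    sed -e "s+^ZOWE_KEYRING=.*\$+ZOWE_KEYRING={{ zowe_keyring_alias }}+" \
+    > "{{ work_dir_remote }}/zowe-setup-keyring-certificates.env"
+- name: Show zowe-setup-keyring-certificates.env
+  raw: cat "{{ work_dir_remote }}/zowe-setup-keyring-certificates.env"
+
+- name: Setup keyring certificates
+  import_role:
+    name: zos
+    tasks_from: run_script
+  vars:
+    script_chdir: "{{ zowe_root_dir }}/bin"
+    script_filename: ./zowe-setup-certificates.sh
+    script_parameters: "-p \"{{ work_dir_remote }}/zowe-setup-keyring-certificates.env\" -l \"{{ zowe_install_logs_dir }}\""
+
+- name: List log dir
+  raw: ls -l "{{ zowe_install_logs_dir }}"
+  ignore_errors: True
+
+- name: Show setup certificate log
+  raw: find {{ zowe_install_logs_dir }} -name "zowe-setup-certificates-*.log" -type f | xargs -i sh -c 'echo ">>>>>>>>>>>>>>>>>>>>>>>> {} >>>>>>>>>>>>>>>>>>>>>>>" && cat {}'
+  ignore_errors: True
+
+- name: List certificates directory
+  raw: ls -l "{{ zowe_keystore_dir }}"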
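Review bot: The sed pipeline in the `Prepare zowe-setup-keyring-certificates.env` task splices inventory values (`zowe_external_domain_name`, `zowe_external_ip_address`, `zowe_keystore_dir`, `zowe_keyring_alias`, …) unescaped into a `raw` shell command and into sed replacement text, so a value containing the `+` delimiter, `&`, `\`, a double quote or a newline silently truncates or rewrites the generated env file instead of failing the play. Because `raw` bypasses Ansible's argument quoting, either escape those characters in each value before interpolation (a `regex_replace` filter per variable) or put an `assert` task ahead of this one that restricts each value to the hostname/path character set and names the offending variable in its message. The `Show setup certificate log` task leaves `{{ zowe_install_logs_dir }}` unquoted, unlike `List log dir` just above it, and `xargs -i sh -c '… cat {}'` embeds each matched filename inside a shell string; `find "{{ zowe_install_logs_dir }}" -name "zowe-setup-certificates-*.log" -type f -exec sh -c 'echo ">>>>>>>>>>>>>>>>>>>>>>>> $1 >>>>>>>>>>>>>>>>>>>>>>>" && cat "$1"' sh {} \;` keeps the directory and every filename as a single argument. The variable is spelled `zowe_apiml_verify_certficates_of_services` on the VERIFY_CERTIFICATES line; worth confirming that matches the inventory key, since an undefined name fails this task at template time rather than producing a wrong file.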
@@ -0,0 +1,12 @@ | ||
/* | ||
* This program and the accompanying materials are made available under the terms of the | ||
* Eclipse Public License v2.0 which accompanies this distribution, and is available at | ||
* https://www.eclipse.org/legal/epl-v20.html | ||
* | ||
* SPDX-License-Identifier: EPL-2.0 | ||
* | ||
* Copyright Contributors to the Zowe Project. | ||
* | ||
*/ | ||
|
||
jest.setTimeout(3600000); |