If you're using Jira Server you can use OAuth
https://developer.atlassian.com/server/jira/platform/oauth/?_ga=2.40787751.465693275.1595561515-1486646620.1590036113.
While not impossible it's tricky to use cURL. There are client libraries
in several programming languages
https://bitbucket.org/atlassianlabs/atlassian-oauth-examples/src/master/.
On 2020-07-24 1:42 PM, Luke Wilby wrote:
Thanks David.
Sadly, for us, it uses basic auth and the base64 encoded token is as good as a
password. Our auditors would make life difficult.
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of David Crayford
Sent: Friday, July 24, 2020 13:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: cURL and security
Use tokens
https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/
On 2020-07-24 11:21 AM, Luke Wilby wrote:
Hey David
Do you authenticate to Jira when using cURL? How?
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of David Crayford
Sent: Friday, July 24, 2020 12:29 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: cURL and security
On 2020-07-23 2:17 PM, kekronbekron wrote:
It would be best to consider switching to the z/OS Client Web Enablement Toolkit.
There are sample programs for REXX / ASM / COB .. and I'm positive there'll
be a Python client pretty soon (IBM Open Enterprise Python for z/OS).
To me the idea of writing a web client in assembler is preposterous.
COBOL is almost as bad and I would opt to use bpxwunix() with curl
over the Web Enablement Toolkit any day.
I can create a Jira ticket with a couple of lines of curl. I would
suggest writing a REXX script using the WET would be considerably more
effort.
Don't think cURL is loved that much on Z.
Are you speaking from experience? Not loved by who? Anybody who knows
how to use z/OS UNIX shells knows how to use curl. I used curl only
yesterday to install a shell utility from github with a simple one-liner.
sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Hmm .. unless client auth is required at the cURL target, you don't need to
worry about client certs, right?
Just plop on the target server's CA cert (interim & root CA) public keys in a
user keyring, and point CWET to the user keyring.
Server auth will work just fine.
- KB
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, July 23, 2020 10:20 AM, Filip Palian <s3...@pjwstk.edu.pl> wrote:
Hey,
You can read login credentials from within a script at run time
from a separate file containing the password. This file should have
adequate permissions and ownership set, of course.
Alternatively, if you control the target, perhaps you can whitelist
your curl/client.
I hope that helps.
Cheers,
F
On Thursday, 23 July 2020, Luke akal...@hotmail.com wrote:
Hi All
I'm wondering if anyone is using cURL on z/OS in a production setting?
I'm interested how to utilise cURL when the target URL requires authentication.
We can't use Basic Auth because we are not able to store usernames and
passwords in scripts or batch jobs.
We can't easily use certificates because our users on z/OS do not
have certificates and our Windows based corporate certificate management
doesn't allow users access to the private keys of their Windows certificates.
Anyone else using cURL for DevOps on z/OS and how are you securing it?
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
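
Added example, not part of the original thread: one way to apply the suggestion above of reading credentials at run time from a separate file with restricted permissions and ownership, using curl's --netrc-file option. The function names, jira.example.com, svc-user and the file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep the login out of the script by reading it from a
# private netrc-format file, and refuse the file if it is not private.

# Succeed only if $1 is a regular file (not a symlink), owned by the caller,
# with mode exactly 600 or 400, i.e. no group or other access at all.
check_cred_file() {
    [ -n "$1" ] || return 1
    # Keep a leading "-" in a relative name from being read as a find option.
    case $1 in /*) ;; *) set -- "./$1" ;; esac
    match=$(find "$1" -prune -type f -user "$(id -u)" \
                \( -perm 600 -o -perm 400 \) -print 2>/dev/null)
    [ -n "$match" ]
}

# Run curl with credentials taken from the file. --netrc-file keeps the
# user name and password out of the script and out of the argument list
# that other users can see with ps.
# Usage: curl_with_creds CRED_FILE [curl options...] URL
curl_with_creds() {
    cred_file=$1
    shift
    if ! check_cred_file "$cred_file"; then
        echo "refusing $cred_file: need a regular file owned by the caller," \
             "mode 600 or 400" >&2
        return 1
    fi
    curl --netrc-file "$cred_file" -fsS "$@"
}

# Constructed demonstration with placeholder values; no network access.
demo_dir=$(mktemp -d)
printf 'machine jira.example.com login svc-user password PLACEHOLDER\n' \
    > "$demo_dir/jira.netrc"
chmod 644 "$demo_dir/jira.netrc"
check_cred_file "$demo_dir/jira.netrc" || echo "mode 644: rejected"
chmod 600 "$demo_dir/jira.netrc"
check_cred_file "$demo_dir/jira.netrc" && echo "mode 600: accepted"
rm -rf "$demo_dir"
```

The file holds a single line in netrc format (machine, login, password); the secret is still stored on disk, so the permission check limits who can read it and does not remove it.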