z/OS Connect supports OAuth 2 but you will need to use a programming language with a library and provision an authorization server. If you are already using Java, which you are for z/OS Connect, you have lots of options. You can script it using Groovy. You can also use Node.js which has a library and is an IBM product. Python is an option. Either way, you can write a batch job to do this with a bit of programming involved.

Auditors are a PITA. They have blanket rules which don't always make sense. z/OSMF has only just started to support JWTs and I can't find any doc mentioning OAuth.

On 2020-07-24 1:48 PM, Luke Wilby wrote:
We are using Rocket's cURL. Fully supported and everything.

The primary use case at the moment:

Stop and Start z/OS Connect APIs using the z/OS Connect REST interface, from a 
batch job with no password on the user account.

Eventually, we'll want to do similar stuff for other targets and using other 
clients not on z/OS (off the top of my head...Jenkins to zOSMF, python on Linux 
to DB2 REST, etc).



-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of kekronbekron
Sent: Friday, July 24, 2020 15:03 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: cURL and security

Oh ok ... guess I didn't realize that WET is being provided primarily for
'backward compatibility'.
Thanks for the clarification on the other bits.

Using cURL or libcurl is not inherently dangerous. Any code that goes
into production should be peer reviewed. You can write bad code in any
language using any tool.
Again ... you've over-generalized a very specific scenario I said folks should
be wary of.
I didn't say curl or any other tool is dangerous, piping source-unknown scripts
to bash is!

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, July 24, 2020 10:15 AM, David Crayford <dcrayf...@gmail.com>
wrote:

On 2020-07-24 12:02 PM, kekronbekron wrote:

I wouldn't. I would recommend using a sophisticated networking
library like Java or whatever your favorite language is on the JVM.
Can't figure out if you're kidding...
No, I'm not kidding! IMO, unless you have a critical requirement to
web enable legacy languages then I would avoid WET at all costs. A
quick browse of the samples is enough to conclude that while it may
work it is hideously complicated compared to similar function in
modern languages. So, why not just use a better language? I almost
died laughing when I saw how complicated it is to parse JSON in REXX
using the WET.

Who told you that? My employer offers a cURL port for z/OS and
it's well maintained with support for production environment.
Ok, Rocket's curl?
What's the percentage of clients that want a separate product for
something that also comes with (or at least used to?) the OS (Ported Tools).
FYI, IBM sold ported tools to Rocket years ago. There is no cURL that
comes with z/OS.

Yes, everything I'm saying is subjective...
Adoption would be much higher if Ported Tools' curl were actively
developed.
It is! And you can download it for free if you just want to write
in-house tooling. If you want to use cURL in production then you will
have to buy support.

Eh ... I didn't say curl-ing a script is dangerous and CWET isn't.
I meant piping any source-unknown script direct for execution is not a
great idea.
Using cURL or libcurl is not inherently dangerous. Any code that goes
into production should be peer reviewed. You can write bad code in any
language using any tool.

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, July 24, 2020 8:53 AM, David Crayford dcrayf...@gmail.com
wrote:
On 2020-07-24 11:12 AM, kekronbekron wrote:

Just mentioned ASM / COB CWET for options really.
They're a lot more involved than the Python client (when that's
available).
curl is ok as a user, but when you want to productionize something, I
would think the recommendation would be to use CWET.
I wouldn't. I would recommend using a sophisticated networking
library like Java or whatever your favorite language is on the JVM.
Not saying curl is a bad tool, it is handy & does what it does.
Ease of use does not mean it's the solution of choice in many
controlled environments.
By loved I mean does it get upgrades/improvements?
Who told you that? My employer offers a cURL port for z/OS and
it's well maintained with support for production environment.
I don't know, I'm just asking...
curl-ing a shell script directly is a bit ... dangerous.
That's purely subjective. I don't see why cURL would be any more
dangerous than writing a Python script or using CWET.
Lots of people are using Git for DevOps on z/OS and that uses cURL
for ssh and https transport.

Not in this case as the script is available to inspect.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO
IBM-MAIN
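As an added example (not posted by anyone in this thread), the pattern KB is arguing for instead of `curl ... | sh`: fetch the script to a file, compare it against a digest you pinned after reviewing it, and execute only on a match. The function names, the digest-pinning approach and the placeholder URL are my assumptions, not something the list discussed.

```shell
#!/bin/sh
# Added example: download-verify-execute instead of piping an unreviewed
# script straight into a shell. Assumes POSIX sh plus sha256sum or shasum.
set -eu

# Print the hex SHA-256 digest of a file (coreutils or BSD tooling).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256 (the value you
# pinned after reviewing that exact script). Returns 1 and runs nothing on a
# mismatch, so a swapped or tampered script never executes.
verify_then_run() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: digest $actual != pinned $expected" >&2
    return 1
  fi
  sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# The curl wrapper for real use: HTTPS only, TLS 1.2+, fail on HTTP errors,
# write to a temp file, then hand off to verify_then_run. Never pipes to sh.
fetch_verify_run() {
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
  verify_then_run "$tmp" "$2" && rc=0 || rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage (placeholder URL and digest, fill in your own after review):
# fetch_verify_run https://example.invalid/install.sh <pinned-sha256-hex>
```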