Re: cURL and security

2020-07-26 Thread Timothy Sipples
Luke Wilby wrote (aggregating previous posts): >I'm wondering if anyone is using cURL on z/OS in a >production setting? >I'm interested how to utilise cURL when the target >URL requires authentication. >We can't use Basic Auth because we are not able to >store usernames and password in scripts or b

Re: cURL and security

2020-07-24 Thread David Crayford
How is that any different to using AT-TLS? On 2020-07-24 8:48 PM, Dave Jones wrote: Would this be of any use here: https://www.stunnel.org/ Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architectur

Re: cURL and security

2020-07-24 Thread Dave Jones
Would this be of any use here: https://www.stunnel.org/ Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing),

Re: cURL and security

2020-07-24 Thread David Crayford
5:03 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: cURL and security Oh ok ... guess I didn't realize that WET is being provided primarily for 'backward compatibility'. Thanks for the clarification on the other bits. Using cURL or libcurl is not inherently dangerous. Any code that

Re: cURL and security

2020-07-24 Thread David Crayford
Mainframe Discussion List On Behalf Of David Crayford Sent: Friday, July 24, 2020 13:33 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: cURL and security Use tokens https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/ On 2020-07-24 11:21 AM, Luke Wilby wrote: Hey David Do you au

Re: cURL and security

2020-07-23 Thread Luke Wilby
and using other clients not on z/OS (off the top of my head...Jenkins to zOSMF, python on Linux to DB2 REST, etc). > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of kekronbekron > Sent: Friday, July 24, 2020 15:03 PM > To: IBM-MAIN@LISTSERV.UA.ED

Re: cURL and security

2020-07-23 Thread Luke Wilby
> To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: cURL and security > > Use tokens > https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/ > > On 2020-07-24 11:21 AM, Luke Wilby wrote: > > Hey David > > > > Do you authenticate to Jir

Re: cURL and security

2020-07-23 Thread kekronbekron
Oh ok ... guess I didn't realize that WET is being provided primarily for 'backward compatibility'. Thanks for the clarification on the other bits. > Using cURL or libcurl is not inherently dangerous. Any code that goes > into production should be peer reviewed. You can write bad code in any > la

Re: cURL and security

2020-07-23 Thread kekronbekron
Ah sorry.. just realising that ID certs (& client auth) require private key lol. I'm sure others will correct me if I'm wrong... afraid you've to use GENCERT, GENREQ and then get it signed by your off-mainframe PKI. That way, private keys for ID certificates exist on mainframe... which isn't an

Re: cURL and security

2020-07-23 Thread David Crayford
On 2020-07-24 12:02 PM, kekronbekron wrote: I wouldn't. I would recommend using a sophisticated networking library like Java or whatever your favorite language is on the JVM. Can't figure out if you're kidding... No, I'm not kidding! IMO, unless you have a critical requirement to web enable l

Re: cURL and security

2020-07-23 Thread kekronbekron
> I wouldn't. I would recommend using a sophisticated networking library > like Java or whatever your favorite language is on the JVM. Can't figure out if you're kidding... > Who told you that? My employer offers a cURL port for z/OS and it's well > maintained with support for production environm

Re: cURL and security

2020-07-23 Thread David Crayford
: Friday, July 24, 2020 12:29 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: cURL and security On 2020-07-23 2:17 PM, kekronbekron wrote: It would be best to consider switching to the z/OS Client Web Enablement Toolkit. There are sample programs for REXX / ASM / COB .. and I'm positive there

Re: cURL and security

2020-07-23 Thread David Crayford
On 2020-07-24 11:12 AM, kekronbekron wrote: Just mentioned ASM / COB CWET for options really. They're a lot more involved than the Python client (when that's available). curl is ok as a user, but when you want to productionize something, I would think the recommendation would be to use CWET.

Re: cURL and security

2020-07-23 Thread Luke Wilby
Hey David Do you authenticate to Jira when using cURL? How? > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of David Crayford > Sent: Friday, July 24, 2020 12:29 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: cURL and security > >

Re: cURL and security

2020-07-23 Thread Luke Wilby
cURL requires the client's private key for mutual auth. I'm not familiar with CWET but I imagine the security considerations are the same. My clients need to authenticate to the server. The server then needs to perform authorization checks. It's the authentication part that we need to sort out

Re: cURL and security

2020-07-23 Thread kekronbekron
Just mentioned ASM / COB CWET for options really. They're a lot more involved than the Python client (when that's available). curl is ok as a user, but when you want to productionize something, I would think the recommendation would be to use CWET. Not saying curl is a bad tool, it is handy &

Re: cURL and security

2020-07-23 Thread kekronbekron
Hmm ... for client auth, isn't it just the public key of the client that has to be sent to the server? And the server checks that against the client cert's CAs? In which case, you only need a copy of the client pub key from Windows, and add it to a user keyring ... not the private key? - KB ‐‐‐

Re: cURL and security

2020-07-23 Thread David Crayford
On 2020-07-23 2:17 PM, kekronbekron wrote: It would be best to consider switching to the z/OS Client Web Enablement Toolkit. There are sample programs for REXX / ASM / COB .. and I'm positive there'll be a Python client pretty soon (IBM Open Enterprise Python for z/OS). To me the idea of writ

Re: cURL and security

2020-07-23 Thread Luke Wilby
I'm not sure using CWET will make any difference. The cURL targets require client authentication. The cURL targets live on z/OS (z/OS Connect, zOSMF, DB2, etc). The clients may be TSO users, batch jobs, Windows, Mac or Linux clients. The batch jobs may run under userids that do not have passwords.

Re: cURL and security

2020-07-22 Thread kekronbekron
It would be best to consider switching to the z/OS Client Web Enablement Toolkit. There are sample programs for REXX / ASM / COB .. and I'm positive there'll be a Python client pretty soon (IBM Open Enterprise Python for z/OS). Don't think cURL is loved that much on Z. Hmm .. unless client auth

Re: cURL and security

2020-07-22 Thread Filip Palian
Hey, You can read login credentials from within a script at run time from a separate file containing the password. This file should have adequate permissions and ownership set, of course. Alternatively, if you control the target, perhaps you can whitelist your curl/client. I hope that helps. Chee