Split ZWENOKYR, fix bug on submitting right job for ZWEKRING replacem…

…ents, and update workflows to reference right job names Signed-off-by: 1000TurquoisePogs <[email protected]>
zowe · Feb 12, 2024 · c9aa8b1 · c9aa8b1
1 parent 10e8340
commit c9aa8b1
Show file tree

Hide file tree

Showing 7 changed files with 207 additions and 96 deletions.
diff --git a/bin/libs/certificate.sh b/bin/libs/certificate.sh
@@ -816,11 +816,7 @@ keyring_run_zwekring_jcl() {
   jcllib="${2}"
   # should be 1, 2 or 3
   jcloption="${3}"
-  keyring_owner="${4}"
-  keyring_name="${5}"
   domains="${6}"
-  alias="${7}"
-  ca_alias="${8}"
   # external CA labels separated by comma (label can have spaces)
   ext_cas="${9}"
   # set to 1 or true to import z/OSMF CA
@@ -829,12 +825,6 @@ keyring_run_zwekring_jcl() {
     trust_zosmf=1
   fi
   zosmf_root_ca="${11}"
-  # option 2 - connect existing
-  connect_user="${12}"
-  connect_label="${13}"
-  # option 3 - import from data set
-  import_ds_name="${14}"
-  import_ds_password="${15}"
   validity="${16:-${ZWE_PRIVATE_DEFAULT_CERTIFICATE_VALIDITY}}"
   security_product=${17:-RACF}
 
@@ -963,10 +953,10 @@ EOF
     ###############################
     # submit job
     print_message "Submitting Job ${member_name})"
-    jobid=$(submit_job "//'${jcllib}(${tmpdsm})'")
+    jobid=$(submit_job "${tmpfile}")
     code=$?
     if [ ${code} -ne 0 ]; then
-      print_error "Error ZWEL0161E: Failed to run JCL ${jcllib}(${tmpdsm})."
+      print_error "Error ZWEL0161E: Failed to run JCL ${jcllib}(${member_name})."
       return 161
     fi
     print_debug "- job id ${jobid}"
@@ -997,15 +987,21 @@ EOF
 keyring_run_zwenokyr_jcl() {
   prefix="${1}"
   jcllib="${2}"
-  keyring_owner="${3}"
-  keyring_name="${4}"
-  alias="${5}"
-  ca_alias="${6}"
-  security_product=${7:-RACF}
+  security_product="${3}"
 
-  jcl_contents=$(cat "//'${jcllib}(ZWENOKYR)'")
+  member_prefix="ZWEINOKR"
+  if [ "${security_product}" = "TSS" ]; then
+    member_name="${member_prefix}T"
+  elif [ "${security_product}" = "ACF2" ]; then
+    member_name="${member_prefix}A"
+  else
+    member_name="${member_prefix}R"
+  fi
+
+
+  jcl_contents=$(cat "//'${jcllib}(${member_name})'")
 
-  print_message "Template JCL: ${prefix}.SZWESAMP(ZWENOKYR) , Executable JCL: ${jcllib}(ZWENOKYR)"
+  print_message "Template JCL: ${prefix}.SZWESAMP(${member_name}) , Executable JCL: ${jcllib}(${member_name})"
   print_message "--- JCL Content ---"
   print_message "$jcl_contents"
   print_message "--- End of JCL ---"
@@ -1016,11 +1012,11 @@ keyring_run_zwenokyr_jcl() {
     print_message "JCL not submitted, command run with dry run flag."
     print_message "To perform command, re-run command without dry run flag, or submit the JCL directly"
   else
-    print_message "Submitting Job ZWENOKYR"
-    jobid=$(submit_job "//'${jcllib}(${tmpdsm})'")
+    print_message "Submitting Job ${member_name}"
+    jobid=$(submit_job "//'${jcllib}(${member_name}})'")
     code=$?
     if [ ${code} -ne 0 ]; then
-      print_error "Error ZWEL0161E: Failed to run JCL ${jcllib}(${tmpdsm})."
+      print_error "Error ZWEL0161E: Failed to run JCL ${jcllib}(${member_name})."
       return 161
     fi
     print_debug "- job id ${jobid}"

diff --git a/files/SZWEEXEC/ZWEGEN00 b/files/SZWEEXEC/ZWEGEN00
@@ -185,6 +185,8 @@ if COMPARE('RCVT', CVTRAC_VAL) = 0 then do
   x = DeleteDataSet(jclCopy'(ZWEIKRT3)')
   x = DeleteDataSet(jclCopy'(ZWEIACF2)')
   x = DeleteDataSet(jclCopy'(ZWEITSS)')
+  x = DeleteDataSet(jclCopy'(ZWENOKRA)')
+  x = DeleteDataSet(jclCopy'(ZWENOKRT)')
 end
 if COMPARE('RTSS', CVTRAC_VAL) = 0 then do
   x = DeleteDataSet(jclCopy'(ZWEIKRA1)')
@@ -195,6 +197,8 @@ if COMPARE('RTSS', CVTRAC_VAL) = 0 then do
   x = DeleteDataSet(jclCopy'(ZWEIKRR3)')
   x = DeleteDataSet(jclCopy'(ZWEIACF2)')
   x = DeleteDataSet(jclCopy'(ZWEIRACF)')
+  x = DeleteDataSet(jclCopy'(ZWENOKRA)')
+  x = DeleteDataSet(jclCopy'(ZWENOKRR)')
 end
 if COMPARE('ACF2', CVTRAC_VAL) = 0 then do
   x = DeleteDataSet(jclCopy'(ZWEIKRT1)')
@@ -205,6 +209,8 @@ if COMPARE('ACF2', CVTRAC_VAL) = 0 then do
   x = DeleteDataSet(jclCopy'(ZWEIKRR3)')      
   x = DeleteDataSet(jclCopy'(ZWEIRACF)')
   x = DeleteDataSet(jclCopy'(ZWEITSS)')
+  x = DeleteDataSet(jclCopy'(ZWENOKRT)')
+  x = DeleteDataSet(jclCopy'(ZWENOKRR)')
 end
 
 say jcl' has been copied to 'jclCopy'.'

diff --git a/files/SZWESAMP/ZWENOKRA b/files/SZWESAMP/ZWENOKRA
@@ -0,0 +1,79 @@
+//ZWENOKRA JOB
+//*
+//* This program and the accompanying materials are made available
+//* under the terms of the Eclipse Public License v2.0 which
+//* accompanies this distribution, and is available at
+//* https://www.eclipse.org/legal/epl-v20.html
+//*
+//* SPDX-License-Identifier: EPL-2.0
+//*
+//* Copyright Contributors to the Zowe Project. 2020, 2020
+//*
+//*********************************************************************
+//*
+//* Zowe Open Source Project
+//* This JCL can be used to remove key ring and certificates for Zowe
+//*
+//*
+//* CAUTION: This is neither a JCL procedure nor a complete job.
+//* Before using this JCL, you will have to make the following
+//* modifications:
+//*
+//* 1) Add job name and job parameters to the JOB statement, to
+//*    meet your system requirements.
+//*
+//* Note(s):
+//*
+//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
+//*    TO ALTER SECURITY DEFINITIONS
+//*
+//* 2. This job WILL complete with return code 0.
+//*    The results of each command must be verified after completion.
+//*
+//*******************************************************************
+//         EXPORT SYMLIST=*
+//*
+//*********************************************************************
+//*
+//* EXECUTE COMMANDS FOR SELECTED SECURITY PRODUCT
+//*
+//RUN      EXEC PGM=IKJEFT01,REGION=0M
+//SYSTSPRT DD SYSOUT=*
+//SYSTSIN  DD DDNAME=ACF2
+//*
+//*********************************************************************
+//*
+//* ACF2 ONLY, customize to meet your system requirements
+//*
+//ACF2     DD DATA,DLM=$$,SYMBOLS=JCLONLY
+ACF
+
+* Remove permit to use SITE owned certificate's private key
+  SET RESOURCE(FAC)
+  RECKEY IRR DEL(DIGTCERT.GENCERT +
+  ROLE({zowe.setup.security.groups.stc}) +
+  SERVICE(CONTROL) ALLOW)
+
+* Remove permit to read keyring ....................................*/
+  RECKEY IRR DEL(DIGTCERT.LISTRING +
+  ROLE({zowe.setup.security.groups.stc}) +
+  SERVICE(READ) ALLOW)
+
+  F ACF2,REBUILD(FAC)
+
+* Delete LABEL certificate ........................................*/
+  DELETE {zowe.setup.security.users.zowe}.ZOWECERT
+
+* Delete LOCALCA certificate ......................................*/
+  DELETE CERTAUTH.ZOWECA
+
+* Delete keyring ...................................................*/
+  SET PROFILE(USER) DIVISION(KEYRING)
+  DELETE {zowe.setup.security.users.zowe}.ZOWERING
+
+  F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)
+
+END
+$$
+//*
+
diff --git a/files/SZWESAMP/ZWENOKYR → files/SZWESAMP/ZWENOKRR b/files/SZWESAMP/ZWENOKYR → files/SZWESAMP/ZWENOKRR
@@ -1,4 +1,4 @@
-//ZWENOKYR JOB
+//ZWENOKRR JOB
 //*
 //* This program and the accompanying materials are made available
 //* under the terms of the Eclipse Public License v2.0 which
@@ -22,9 +22,6 @@
 //* 1) Add job name and job parameters to the JOB statement, to
 //*    meet your system requirements.
 //*
-//* 2) Customize the commands in the DD statement that matches your
-//*    security product so that they meet your system requirements.
-//*
 //* Note(s):
 //*
 //* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
@@ -49,7 +46,7 @@
 //*
 //RUN      EXEC PGM=IKJEFT01,REGION=0M
 //SYSTSPRT DD SYSOUT=*
-//SYSTSIN  DD DDNAME={zowe.setup.security.product}
+//SYSTSIN  DD DDNAME=RACF
 //*
 //*********************************************************************
 //*
@@ -99,67 +96,4 @@
 PROFILE
 $$
 //*
-//*********************************************************************
-//*
-//* ACF2 ONLY, customize to meet your system requirements
-//*
-//ACF2     DD DATA,DLM=$$,SYMBOLS=JCLONLY
-ACF
-
-* Remove permit to use SITE owned certificate's private key
-  SET RESOURCE(FAC)
-  RECKEY IRR DEL(DIGTCERT.GENCERT +
-  ROLE({zowe.setup.security.groups.stc}) +
-  SERVICE(CONTROL) ALLOW)
-
-* Remove permit to read keyring ....................................*/
-  RECKEY IRR DEL(DIGTCERT.LISTRING +
-  ROLE({zowe.setup.security.groups.stc}) +
-  SERVICE(READ) ALLOW)
-
-  F ACF2,REBUILD(FAC)
-
-* Delete LABEL certificate ........................................*/
-  DELETE {zowe.setup.security.users.zowe}.ZOWECERT
-
-* Delete LOCALCA certificate ......................................*/
-  DELETE CERTAUTH.ZOWECA
-
-* Delete keyring ...................................................*/
-  SET PROFILE(USER) DIVISION(KEYRING)
-  DELETE {zowe.setup.security.users.zowe}.ZOWERING
-
-  F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)
-
-END
-$$
-//*
-//*********************************************************************
-//*
-//* Top Secret ONLY, customize to meet your system requirements
-//*
-//TSS      DD DATA,DLM=$$,SYMBOLS=JCLONLY
-
-/* Remove permit to use SITE owned certificate's private key */
-   TSS REVOKE({zowe.setup.security.users.zowe}) +
-       IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(CONTROL)
-
-/* Remove permit to read keyring ................................... */
-   TSS REVOKE({zowe.setup.security.users.zowe}) +
-       IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)
-
-/* Delete LABEL certificate ........................................*/
-   TSS REM({zowe.setup.security.users.zowe}) DIGICERT(ZOWECERT)
-
-/* Delete LOCALCA certificate ......................................*/
-   TSS REM(CERTAUTH) DIGICERT(ZOWECA)
-
-/* Delete keyring ...................................................*/
-   TSS REM({zowe.setup.security.users.zowe}) KEYRING(ZOWERING)
-
-/* ................................................................. */
-/* only the last RC is returned, this command ensures it is a 0      */
-PROFILE
-$$
-//*
 
diff --git a/files/SZWESAMP/ZWENOKRT b/files/SZWESAMP/ZWENOKRT
@@ -0,0 +1,72 @@
+//ZWENOKRT JOB
+//*
+//* This program and the accompanying materials are made available
+//* under the terms of the Eclipse Public License v2.0 which
+//* accompanies this distribution, and is available at
+//* https://www.eclipse.org/legal/epl-v20.html
+//*
+//* SPDX-License-Identifier: EPL-2.0
+//*
+//* Copyright Contributors to the Zowe Project. 2020, 2020
+//*
+//*********************************************************************
+//*
+//* Zowe Open Source Project
+//* This JCL can be used to remove key ring and certificates for Zowe
+//*
+//*
+//* CAUTION: This is neither a JCL procedure nor a complete job.
+//* Before using this JCL, you will have to make the following
+//* modifications:
+//*
+//* 1) Add job name and job parameters to the JOB statement, to
+//*    meet your system requirements.
+//*
+//* Note(s):
+//*
+//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
+//*    TO ALTER SECURITY DEFINITIONS
+//*
+//* 2. This job WILL complete with return code 0.
+//*    The results of each command must be verified after completion.
+//*
+//*******************************************************************
+//         EXPORT SYMLIST=*
+//*
+//*********************************************************************
+//*
+//* EXECUTE COMMANDS FOR SELECTED SECURITY PRODUCT
+//*
+//RUN      EXEC PGM=IKJEFT01,REGION=0M
+//SYSTSPRT DD SYSOUT=*
+//SYSTSIN  DD DDNAME=TSS
+//*
+//*********************************************************************
+//*
+//* Top Secret ONLY, customize to meet your system requirements
+//*
+//TSS      DD DATA,DLM=$$,SYMBOLS=JCLONLY
+
+/* Remove permit to use SITE owned certificate's private key */
+   TSS REVOKE({zowe.setup.security.users.zowe}) +
+       IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(CONTROL)
+
+/* Remove permit to read keyring ................................... */
+   TSS REVOKE({zowe.setup.security.users.zowe}) +
+       IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)
+
+/* Delete LABEL certificate ........................................*/
+   TSS REM({zowe.setup.security.users.zowe}) DIGICERT(ZOWECERT)
+
+/* Delete LOCALCA certificate ......................................*/
+   TSS REM(CERTAUTH) DIGICERT(ZOWECA)
+
+/* Delete keyring ...................................................*/
+   TSS REM({zowe.setup.security.users.zowe}) KEYRING(ZOWERING)
+
+/* ................................................................. */
+/* only the last RC is returned, this command ensures it is a 0      */
+PROFILE
+$$
+//*
+
diff --git a/playbooks/roles/configure/tasks/show_logs.yml b/playbooks/roles/configure/tasks/show_logs.yml
@@ -37,9 +37,21 @@
   vars:
     show_jobs_name: "{{ job_name_to_show }}"
   loop:
-  - ZWESECUR
-  - ZWEKRING
-  - ZWENOKYR
+  - ZWEIACF2
+  - ZWEIRACF
+  - ZWEITSS
+  - ZWEIKRR1
+  - ZWEIKRR2
+  - ZWEIKRR3
+  - ZWEIKRA1
+  - ZWEIKRA2
+  - ZWEIKRA3
+  - ZWEIKRT1
+  - ZWEIKRT2
+  - ZWEIKRT3
+  - ZWENOKRR
+  - ZWENOKRT
+  - ZWENOKRA
   - ZWECSVSM
   loop_control:
     loop_var: job_name_to_show