I had set up my certificates and private key so I could use them to work with a web server on z/OS. I set them up on Linux and copied them to z/OS. My tests all worked. It wasn’t till this morning when I thought, those test should have failed.
With Python and the requests package you can send REST requests to a backend server, using digital certificates for authentication. You configure which private key to use, but you are unable to specify the password for the private key. As this worked, there must be no password on the key file – whoops.
This is a bit like leaving your front door unlocked with a note “If we are not here, please come in and make yourself at home”.
To generate a private key I had used
openssl ecparam -name prime256v1 -genkey -noout -out $name.key.pem
but there is no way of specifying a password. With hindsight it was obvious there was no password protection.
I had to use
Where the first part of the command generated a private key, and wrote it to the output stream. The second part does nothing with the data, but wrote it to the output file using the password in password.file.
When I used this private key, the python requests failed because it needed a password!
I should have remembered
I remember helping with some security testing many years ago.
- Userid1 was able to use resource1, good, that worked
- Userid2 was able to use resource2, good, that worked
- Userid1 was able to use resource2, good ,that worked – hang on… that should have failed.
The person customising security had missed one configuration step, so all users had access to all resources, and the test plan did not have any negative testing.