I had problems using cURL trying to get to a back end server (z/OSMF). Once it did work, I realised it should not have worked – because I had not defined a security profile!
My basic bash script was
set -x
trace=" "
ca="--cacert /u/colin/ssl/zosmfca.pem"
key="--cert key.pem:12345678 "
insecure="--insecure"
cert=" "
header='-H "X-CSRF-ZOSMF-HEADER: Dummy "'
userid="--basic --user colin2:password"
url="https://127.0.0.1:10443/zosmf/rest/mvssubs"
If I hard coded the header statement it worked
curl -v -H "X-CSRF-ZOSMF-HEADER: dummy" $trace $cert $key $insecure $userid $ca $url
If I used the bash variable in $header it did not work, even though it looked as if it was identical to the case above.
curl -v -H $header $trace $cert $key $insecure $userid $ca $url
{ "errorID":"IZUG846W","errorMsg":"IZUG846W: An HTTP request for a z/OSMF REST service was received from a remote site. The request was rejected, however, because the remote site "" is not permitted to z/OSMF server "IZUSVR" on target system "127.0.0.1:10443" ."}
If I put the parameter in a config file (curl.config below) it worked
-H "X-CSRF-ZOSMF-HEADER: Dummy"
and I used
curl -v --config ./curl.config $trace $cert $key $insecure $userid $ca $url
I think it is all to do with an interaction between curl, bash and double quotes.
It worked – when it should not have worked!
The documentation says you need a security profile set up; see Enabling cross-origin resource sharing (CORS) for REST services.
On my system, there was no profile IZUDFLT.REST…. so I do not understand how it works, as the documentation implies I need an allow list!
Hi Colin, I believe you became a victim of shell expansion.
When the header variable is defined as
header='-H "X-CSRF-ZOSMF-HEADER: Dummy "'
It gets expanded as (you can use set -x to see the actual command):
> curl -v -H $header $trace $cert $key $insecure $userid $ca $url
curl -v -H -H '"X-CSRF-ZOSMF-HEADER:' Dummy '"' …
Notice the double -H and the apostrophes inserted into the variable value because the default shell expansion handles spaces in variables as individual tokens. This renders an invalid header that is not understood by zosmf.
Bash operates on tokens separated by space and wraps individual parts with extra quotes. If you set your header like an array of tokens:
header=(-H "X-CSRF-ZOSMF-HEADER: Dummy ")
and then expand it like an array (and remove the extra -H):
> curl -v "${header[@]}" …
you get a valid curl command
curl -v -H 'X-CSRF-ZOSMF-HEADER: Dummy ' …
I agree this is far from intuitive, but it is neither a z/OS nor a curl issue.
Disclaimer: I am the Zowe APIML developer.
Wow – thank you … it feels like I need another blog post – just to explain this. I’ll give you the credit for this!
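The word splitting described in the comment above can be reproduced without contacting z/OSMF. The bash script below is an added example, not code from the post or from the commenter: argv_of, string_form, quoted_string_form, array_form and build_curl_args are names invented here, and argv_of stands in for curl so that the argument list each form produces can be inspected.

```bash
#!/usr/bin/env bash
# Added example. Arrays are a bash feature: if started by plain sh, re-run under bash.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# argv_of stands in for curl (hypothetical helper): it sends nothing and only
# reports the argument list it received, one [...] pair per argument.
argv_of() {
    local arg out=""
    for arg in "$@"; do out+="[$arg]"; done
    printf '%s' "$out"
}

# Failing form from the post: options kept in a string and expanded unquoted.
# The inner double quotes are data, not shell syntax, so bash splits at every
# space and the quote characters travel along as part of the arguments.
header_string='-H "X-CSRF-ZOSMF-HEADER: Dummy "'
string_form() { argv_of -H $header_string; }

# Quoting the expansion is not a fix: the whole string, "-H" and quote
# characters included, becomes the single value of the outer -H.
quoted_string_form() { argv_of -H "$header_string"; }

# Working form from the comment: one array element per argument.
header_array=(-H "X-CSRF-ZOSMF-HEADER: Dummy ")
array_form() { argv_of "${header_array[@]}"; }

# The script's options built as one array, so none relies on word splitting.
# Values are the ones shown in the post; --insecure and the empty trace/cert
# variables are left out.
build_curl_args() {
    curl_args=(-v -H "X-CSRF-ZOSMF-HEADER: Dummy")
    curl_args+=(--cacert /u/colin/ssl/zosmfca.pem --cert key.pem:12345678)
    curl_args+=(--basic --user colin2:password)
    curl_args+=("https://127.0.0.1:10443/zosmf/rest/mvssubs")
    # Real call, not run here: curl "${curl_args[@]}"
}

printf 'string, unquoted: %s\n' "$(string_form)"
printf 'string, quoted:   %s\n' "$(quoted_string_form)"
printf 'array:            %s\n' "$(array_form)"
build_curl_args
printf 'full command:     %s\n' "$(argv_of curl "${curl_args[@]}")"
```

Only the array form delivers the header to the command as a single argument with no stray quote characters.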