What’s the difference between RACDCERT MAP and RACMAP?

I was trying to set up digital certificate authentication into RACF and was having problems.  I had used a command

RACDCERT MAP ID(ADCDC ) - 
   SDNFILTER('CN=colinpaicesECp256r1.O=cpwebuser.C=GB') - 
   WITHLABEL('colinpaicesECp256r2') 

but it was hard to find out why I could not connect.  I started looking into this and got confused because the MQWEB liberty trace talked about userid in realms, but I did not have a realm.

I took a couple of days to write a program to use the RACF callable service to query the userid given a DN, but it kept reporting the certificate was not found.

Eventually I found that RACF has two ways of mapping a DN string to a userid:

  • RACDCERT MAP ID(ADCDC ) SDNFILTER('CN=colinpaicesECp256r1.O=cpwebuser.C=GB') WITHLABEL('colinpaicesECp256r2')
  • RACMAP MAP ID(ADCDC ) USERDIDFILTER(NAME('CN=colinpaicesECp256r1.O=cpwebuser.C=GB')) REGISTRY(NAME('ADCDPL')) WITHLABEL('COLIN5')

RACDCERT MAP

This is used so that when someone logs on using a certificate, the certificate DN is looked up in the RACDCERT MAP, and if found, the matching userid is returned.

This is not very usable.

  • You can map a DN string to a userid.
  • You can list the DN string associated with a userid.
  • You cannot query to see if a DN string exists, and which userid it is mapped to.
  • If you try to add it and it already exists, it just reports that it exists, and does not tell you which userid it is mapped to. So you cannot easily delete it.
  • For an application to query the userid, you need to use the initACEE interface, which is complex and requires your code to run authorised.

If the system is unable to map a certificate to a userid you get a message…

ICH408I USER(START1 ) GROUP(SYS1 ) NAME(####################)
DIGITAL CERTIFICATE IS NOT DEFINED. CERTIFICATE SERIAL NUMBER(0162)
SUBJECT(CN=colinpaicesECp256r1.O=cpwebuser.C=GB) ISSUER(CN=SSCA8.OU=CA.O=SSS.C=GB).

RACMAP MAP

This has been designed for enterprise identity propagation.  You can have userid information in different realms, for example in RACF or in one or more LDAPs.

  • You can map a DN string to a userid.
  • You can list the DN strings associated with a userid.
  • You can query a DN string and get the associated userid.
  • You can use the r_usermap (IRRSIM00) callable service to map a DN string to a userid.  You need access to some RACF profiles.

They are not interchangeable

You cannot define a mapping using RACDCERT MAP and use the r_usermap interface, or the other way around.


How to use RACF callable services from C

Trying to use the RACF callable services was like trying to find treasure with an incomplete map.  I found it hard to create a C program to query a repository for ID information.   This post is mainly about using the RACF callable services.

I was trying to understand the mapping of a digital certificate to a z/OS userid, but with little success.  I found a RACF callable service which appeared to do what I wanted – but it did not give the answers – because,  like many treasure maps, I was looking in the wrong place.

RACF has two repositories for mapping identities to userid.

  • RACDCERT MAP, which was the original way of mapping names.  As far as I can tell, the only way of getting the certificate to userid mapping programmatically is to use the certificate to logon, and then find the userid!   This is used by the Liberty web server.
  • RACMAP MAP, which is part of enterprise-wide identification.   It maps identity strings, as you may get from LDAP, to a userid. You can use the r_usermap callable service to get this information.

It took me some time to realise that these are different entities, which explains why there was no documentation on getting Liberty to work with RACMAP to handle certificates.  I found out that RACMAP does not map certificates only after I got my program working.

The r_usermap service documentation is accurate – but incomplete, so I’ll document some of the things I learned in getting this to work.

The callable service to extract the userid  from identity information is documented here.  In essence you call the assembler routine r_usermap or IRRSIM00.

Building it

When you compile it, you need to provide the stub IRRSIM00 at bind time.  I used the JCL

//S1 JCLLIB ORDER=CBC.SCCNPRC 
//DOCLG EXEC PROC=EDCCBG,INFILE='ADCD.C.SOURCE(C)', 
// CPARM='OPTF(DD:COPTS)' 
//COMPILE.COPTS DD * 
LIST,SSCOMM,SOURCE,LANGLVL(EXTENDED) 
TEST 
/* 
//COMPILE.SYSIN DD * 
  Source program goes here
//BIND.CSS DD DISP=SHR,DSN=SYS1.CSSLIB 
//BIND.SYSIN DD * 
INCLUDE CSS(IRRSIM00) 
/*

You need code like

#pragma linkage(IRRSIM00, OS)    // IRRSIM00 is called with standard OS linkage
int main(){...
...
char * workarea ;                // work area for the service
workarea = (char *) malloc(1024) ;
long ALET1 = 0;                  // ALET 0: the parameters are in the primary address space
...
long SAF_RC, RACF_RC, RACF_RS;   // SAF return code, RACF return code, RACF reason code
...
rc = IRRSIM00(workarea, // WORKAREA
              &ALET1  , // ALET
              &SAF_RC , // SAF RC
...

Some fields are in UTF-8.

To convert from EBCDIC to UTF-8 (for the characters in a DN the UTF-8 bytes are the same as ASCII) I used

#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
...
iconv_t cd = iconv_open("UTF-8", "IBM-1047"); // to UTF-8, from EBCDIC code page 1047
if (cd == (iconv_t)-1)
{
  perror("iconv_open");
  exit(98);
}
...
struct
{
  short length ;   // length of string following, or 0 if omitted
  char value[248];
} DN;
char * sDN = "CN=COLIN.C=GB";
size_t llinput  = strlen(sDN);
size_t lloutput = sizeof(DN.value);
char * pOutValue = &DN.value[0];
size_t iconvrc;                 // iconv returns size_t, and (size_t)-1 on error
iconvrc = iconv(cd,          // from iconv_open
                &sDN,        // input string, advanced as it is consumed
                &llinput,    // bytes of input left
                &pOutValue,  // output buffer, advanced as it is filled
                &lloutput);  // bytes of output space left
if (iconvrc == (size_t)-1)   // problem, for example E2BIG if the DN does not fit in 248 bytes
{
  perror("iconv");
  exit(99);
}
DN.length = (short)(sizeof(DN.value) - lloutput); // calculate true length
iconv_close(cd);
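As an added example (my code, not the post's or IBM's), here is the same EBCDIC to UTF-8 conversion wrapped in a function that fills the length-prefixed field layout used above and handles the cases the snippet does not: a DN that does not fit in the 248-byte value, and a failed iconv_open. The source codeset is a parameter, an assumption made so the function can be tried off z/OS with "ASCII" as the source; the field layout and the 248-byte limit are taken from the post.

```c
#include <iconv.h>
#include <stdio.h>
#include <string.h>

/* Length-prefixed field as used for the DN above: a halfword length
 * followed by up to 248 bytes of UTF-8. */
struct utf8_field {
    short length;
    char  value[248];
};

/* Convert a NUL-terminated string in codeset from_cs ("IBM-1047" on z/OS)
 * to UTF-8 in out->value and set out->length to the converted size.
 * Returns 0 on success, -1 on failure; on failure out->length is 0, so the
 * field would be passed to the service as "omitted" rather than as garbage. */
int make_utf8_field(const char *from_cs, const char *src, struct utf8_field *out)
{
    iconv_t cd = iconv_open("UTF-8", from_cs);
    char *in = (char *)src;               /* iconv takes char **, not const */
    size_t inleft = strlen(src);
    char *outp = out->value;
    size_t outleft = sizeof(out->value);
    size_t rc;

    memset(out, 0, sizeof(*out));         /* length 0 and zeroed value until success */
    if (cd == (iconv_t)-1) {
        perror("iconv_open");             /* unknown codeset name */
        return -1;
    }
    rc = iconv(cd, &in, &inleft, &outp, &outleft);
    iconv_close(cd);
    if (rc == (size_t)-1) {
        /* E2BIG: more than 248 bytes of UTF-8; EILSEQ/EINVAL: invalid input */
        perror("iconv");
        return -1;
    }
    out->length = (short)(sizeof(out->value) - outleft);
    return 0;
}

int main(void)
{
    struct utf8_field dn;
    /* constructed sample DN; on z/OS the source string is EBCDIC (IBM-1047) */
    if (make_utf8_field("IBM-1047", "CN=COLIN.C=GB", &dn) != 0)
        return 99;
    printf("DN field: length=%d\n", dn.length);
    return 0;
}
```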

What access do I need?

You need READ access to the IRR.RUSERMAP profile in the FACILITY class, for example

permit IRR.RUSERMAP class(FACILITY) access(READ) ID(....)
SETROPTS RACLIST(facility ) REFRESH

Output

Once I had got the program to compile and bind, and got the authorisation, it worked great.

It only works with the RACMAP … command, not the RACDCERT command; obvious now I know!  To get the information from the RACDCERT MAP, you need to use initACEE.

Why is MQWEB not accepting my certificate ? An end to head banging

I found there were many reasons why a browser's or curl application's digital certificate did not work with MQWEB, from an option missing to an unsupported handshake option.  Often the messages were the vague "A problem has occurred".

I tried to cause as many problems as possible, and blogged what you get and the resolution; but even then I found there were even more ways of it failing.


I've written some Java programs called checkTLS which act as a client or a server.

  • You can use your web browser into the server application and see information about what is being used, and if it can detect any problems (such as expired CA)
  • You can extract your certificates from the browser, and then talk to MQWEB, and see what happens in the handshake

This is alpha code.   I would be interested in any comments:

  • Is this useful?
  • Does it work for you?
  • Is it too verbose?

I can’t get my web browser talking to mqweb on z/OS

I was trying to get a browser on my Linux machine talking to MQWeb on z/OS, but I was getting

curl .. Failed to connect to 10.1.1.2 port 9443: Connection refused.

For this to work you have to edit the mqwebuser.xml file and uncomment the httpHost variable.  Note that value="*" makes the server listen on every network interface of the LPAR; a specific host name or address limits where the console can be reached from.

<variable name="httpHost" value="*"/> 
<!-- 
-->

It then worked a treat.  Like most things it is easy when you know how to fix it.

Using the Firefox browser then gave me

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for 10.1.1.2:9443.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

which proves I was reaching the site. That is a certificate setup issue, and a whole different ball game.

Did you read the sentence just once? The work of words – the PEE test.

I was investigating purchasing something expensive like a car, and found a web site which was hard to read.  The long forgotten words of my English teacher from over 50 years ago came into my mind.

For a well written document,

  1. every sentence should be read just once
  2. it should be easy for the reader

For example, the words on a web page for selling a new car:

  1. The Supervandex model-95 has a twin cam, 16 valve supercharged petrol engine with a vanadium gismo, and has a 16 speaker all round system.  It has 2 seats and enough space for some small suitcases, and looks really cool.
  2. The Supervandex model-96 has a single cam, 8 valve supercharged petrol engine with a vanadium gismo, and has an 8 speaker all round system.  It has 4 seats and enough space for some small suitcases, a dog and a set of golf clubs.  This is a practical car.

What is wrong with those statements?

For the car sales person this is very clear, as he or she needs to know the details of each model.  For the average punter like me, who wants a petrol car with space for 2 dogs and my mother's walking frame, the sentences are hard to read and require a lot of work. My thoughts would be

  1. "Supervandex-95 … blah blah Petrol – that's good … what model? (reread the sentence) the Supervandex-95 blah blah blah… 2 seats – that's no good for me"
  2. "Supervandex-96 … blah blah Petrol – that's good … what model? (reread the sentence) the Supervandex-96 blah blah blah… 4 seats – and it looks like a big enough boot.  Supervandex 96 sounds like the one I need"

I had to read parts of each sentence more than once, and had to keep information in my short term memory, and then forget it when it was no longer needed.

For someone wanting to buy a car (and did not care what the model number was), I think the following would be clearer.

  1. The two seater petrol car with space for a couple of suitcases (the Supervandex-95) has a twin cam, 16 valve supercharged petrol engine with a vanadium gismo, and has a 16 speaker all round system.
  2. The four seater petrol car with enough space for some small suitcases, a dog and a set of golf clubs (the Supervandex-96) has a single cam, 8 valve supercharged petrol engine with a vanadium gismo, and has an 8 speaker all round system.

Now, my thoughts are

  1. "Two seater… not big enough, I'll skip the rest of the sentence and go to the next item"
  2. "Four seater, and enough space in the boot, this looks interesting.   The Supervandex-96… boring boring boring.   So it is the Supervandex 96 for me"

I did not have to read the whole of the first sentence, and from the second sentence I could quickly see that it met my requirements.  I only had to remember Supervandex-96.

For me the second text was better than the first text.

There is the automated readability index = 4.71 * (number of characters / number of words) + 0.5 * (number of words / number of sentences) – 21.43.  A score of 1 is for kindergarten; a score of 14+ is for professors.

We could have the PEE test – the Paice’s Eyeball Energy test – compare texts by monitoring the movement of the eyeball, and work out the energy in micro-joules for each text. Every time the eye had to go back it would take energy to stop the eyeball, go back, and reread the text.  ( Of course you would have to have a standard eyeball mass, and the text read from a fixed distance, so the energy to move the eyeball is the same – nothing insurmountable.)

We could take this further and take an electroencephalogram (EEG – a swimming cap with lots of electrodes detecting brain activity), and see how much electrical activity was generated when trying to parse statements.   I remember being in China, when someone from the UK was trying to explain something to the Chinese managers (who could understand English – but not speak it), using one very long statement; many ifs, and whethers, and depending ons.  My short term memory overflowed, and I was writing down what the person was saying.    The amount of electrical energy I used to parse and process the nested conditional text would have powered a light bulb!  I pitied the poor Chinese who ignored the statement and then said “thank you, our next question is …”. 

I had a mentor who said that before you send an email or go into a meeting, ask yourself "why are you telling your audience this information?"  Is it

  1. just for information
  2. for action
  3. such good news that I've got to tell everyone

then in the meeting tell them “I am telling you this because … you need to take an action”, or “for information”.    If it is for information only, then they can only half listen.  If they need to take action, for example spend money, they will give it their full attention.

Why am I telling you about the PEE test?

When you write emails or documents you need to understand who your audience is, and what they want out of the information. People should be able to read the information without going back and rereading it.

Am I going to buy the Supervandex-96 model ?  I don’t know  – they only gave the price of the Supervandex-95 model. This goes to show a low PEE value is not the perfect solution.

Why can't I logoff from mqconsole?

If you are using mqweb with certificates to identify yourself, and you logoff or close the tab and then open a new tab, you will get a session using the same certificate as before.

This little problem has been a tough one to investigate, and turns out to be a lack of function in the Chromium browser.

The scenario is you connect to mqweb using a digital certificate. You want to logoff and logon again with a different certificate, for example you do most of your work with a read only userid, and want to logon with a more powerful id to make a change.  You click logoff, and your screen flashes and logs you on again with the same userid as before.

At first glance this may look like a security hole, but if someone has access to your web browser, then they can click on the mqweb site and just pick a certificate – so it is no different.

Under the covers, the TLS handshake can pass up the previous session ID.   If the server recognises this, then it is a short (resumed) handshake instead of a full handshake, which helps performance.

To reset the certificate if you are using Firefox

To clear your SSL session state in Firefox choose History -> Clear Recent History… and then select "Active Logins" and click "OK". The next time you connect to your SSL server Firefox will prompt for which certificate to use; you may need to re-enter the URL.

You should check in Firefox preferences, certificates, that "Ask you every time" is selected, rather than "Select one automatically".

Chrome does not support this reset of the certificate.

There has been discussion over the last 9 years along the lines of: seeing as Internet Explorer and Firefox have this, should we do it to meet the end user demand?

If you set up an additional browser instance, you get the same problem. With Chrome you have to close down all instances of the browser and restart Chrome to be able to select a different certificate.

It looks like there is code which has a cache of URL and certificate to use.   If you open up another tab using the same IP address you will reuse the same certificate.

If you use localhost instead of 127.0.0.1 it will prompt for a certificate, and then cache it, so you can have one tab open with one certificate, and another tab with a different URL and another certificate.

GUIs ain’t what they used to be

I’ve recently had to use some “improved” applications (one of which was internet banking) and it made me realize how different GUIs are these days compared to when I were a lad, and you only had a choice of text colours green or bright green.  (I remember a banking customer being shown the pre-release 3279 displays which could display 8 colours.  The customer asked “why do we need so many colours”, and someone said “you can show overdrawn balances in red” – the banker was convinced; and put in a big order).

You need to know your audience, for example

  1. People who only use the app once a week, for example for internet banking.   You want the user to do things easily and without problems. They may just want to look at the top few entries in their bank statement.
  2. People who use the interface 100 times a day, for example programmers and administrators.  These people want to do their job, and one key press is better than multiple key presses.  They need to process large numbers of items (hundreds) and take actions.

I feel that modern interfaces try to use one interface for both sets of users.

As a professional programmer I wanted any interface to be efficient.  For example

  • small movements – press just one key if possible
  • have important fields together.   For example, for a list of left justified items, have the action field/icon in front of the list instead of at the right hand side, which is the wrong end of the line.  The eye should only have to make small movements.
  • display "more" with one key press
  • use screen space efficiently

I thought the ISPF interface on z/OS was very good.

  • I could efficiently move around it; for example, when looking at job output, I could type =L;3;4;(enter) to get to the place in the GUI hierarchy to list the files.
  • You press F7 and F8 to scroll within the file.
  • You have a local command area in front of each item in a list, and you can use E to edit, B for browse, D for delete etc.
  • You can have thousands of entries in the list, and can use the "find" command to locate entries of interest.
  • I could organise fields in the display, so I could display the start of the job/file/queue name and %cpu/depth/depth, so the important information was in the left 20% of the screen – and then stack up 4 screens from different systems all showing this information.

Compare this with “the modern GUI” in a web browser

  • Often you have a big picture or icon at the top of the screen, wasting valuable space.   The first thing you have to do is scroll past it. To get to the top you press "home" and "page down" – two key strokes.
  • Lines are widely spaced – for example one row of output per centimetre of screen space, showing 10 lines per window, a third of the density compared to the mainframe.
  • "Action" icons are at the right hand end of the lines; it is harder to match up the line of interest with the action icon – coloured backgrounds help with this.  Sometimes the "action icon" is off the side of the screen, so is invisible.  It would help to have an action icon at each end to make it easier.   (I remember a "new" tool in IBM that we had to use, which had the "save" button off the side of the screen.  It was only visible if the window was very wide.   I lost a lot of data as I foolishly assumed the lack of a visible "save" button meant the tool saved automatically! – and pressing the "help" button lost what you had typed.)   The minimum you want displayed is the item and the action.  Having the action icon only at the right means you will lose it if you make the window narrower.
  • Can we have "right click" for data rows?
  • I tend to work with a "messy desk" with several narrow windows displayed, many on automatic refresh.   This allows me to quickly see if things have changed.   If I am forced to have wide windows, then I need an even wider display, which is less efficient.
  • You have to click on "Next" and "Back" to navigate.  Sometimes "Up" is at the top of the screen and "Down" is at the bottom of the screen, so you have to move your mouse a large distance to be able to scroll.  Having up and down buttons adjacent is much more efficient, as it means you need only a small movement to be able to scroll.
    • Sometimes the "next" or "back" button moves as you move through the pages.  This means you have to move the mouse, and so it slows you down!
  • It displays a small number of items at a time (up to 50); to display more, you have to scroll – for example I have 500 user queues on one of my queue managers, which would be 10 "next page" actions to get to the end.  Personally I would allow up to 1000 items on the page.

I remember watching some Chinese programmers who could drive their systems properly by chaining all of the commands together and they could type faster than the eye could follow.

I've seen other people who program their 3270 emulator so Alt+Ctrl+6 logged on to another system, issued commands, copied data to a clipboard, jumped to another session and pasted the data into a file.  This was a joy to watch.

I've seen other people who use the cursor to scroll up and down a web page to get to the bottom to find the "next" key, and it takes them 10 seconds a page.  I did not show my frustration but suggested they use the "home" and "end" keys, for which they were very grateful.

On my laptop I use Ctrl+up instead of the home key and Ctrl+down instead of the end key, as my hands do not need to move so far, which means it is more accurate.   I doubt if modern web GUI designers think about this sort of design.

What is the connection between MQ, a thatched cottage, a museum, an aeroplane and a factory?

Do you give up on the question – so do I!

I upgraded to 915 and used the “improved” mqconsole web interface.  This has several problems. Under “MQ Basics, what is messaging?” you get some pictures.  For example, we seem to have random meteors going to random places,

It is hard to understand, as it uses a white background and off-white colours for connections.   I took the source of this, and by a bit of python magic changed the html and produced

This is clearer, but I am none the wiser.  We have icons for Home, Shopping Trolley, Thatched Cottage, High Rise Building with Garage, Factory, Aeroplane, and Museum.  The aeroplane sends stuff to the blue box (queue manager?) but messages are not processed.

My blog posts from the old IBM community

The old IBM community site is being replaced by a new IBM community web site, and old blogs are not being copied across.

I've managed to copy the posts I wrote when I worked for IBM to this web site. It has been a trip down memory lane reading the posts, and the topics I covered.