
Installing zowe 1.19.1 with external CA failed, CA certificates was not exported to truststore. #2032

Closed
rjmaomao opened this issue Mar 23, 2021 · 3 comments · Fixed by #2038 or zowe/docs-site#1623
Labels: bug (Something isn't working)

@rjmaomao

Installing zowe 1.19.1, when running zowe-setup-certificates.sh I saw the following error code.

Unable to store /zowe/keystore/v1.19.1.ex.sso/localhost/localhost.keystore.jwtsecret.p12 in token ZOWESVR with label ZOWE2LBL. See /u/renjing/zowe/logs/zowe-setup-certificates-2021-03-22-21-15-41.log for more details. If you are not atte.
Detecting external root CA... STARTED
Detecting external root CA... DONE
Trying to change an owner of the /zowe/keystore/v1.19.1.ex.sso.

After creating an instance and starting the server, I failed to log on to the desktop. I asked about this issue in the Slack channel; Jack Jia pointed out there may be some issue with external CAs not being exported correctly.

Gateway received 403 {"timestamp":"2021-03-22T03:26:26.844+0000","status":403,"error":"Forbidden","message":"Access Denied","path":"/eurek when registering on Discovery

I checked the certificate setup log; it seems that in version 1.19.1, extca1 and extca2 were missing from the truststore. I ran the certificate setup script several times, and all runs failed. I was sure the external CAs set in zowe-setup-certificates.env EXTERNAL_CERTIFICATE_AUTHORITIES were correct; I have used the same setting for 1.17 and previous versions. Could you please help take a look?

The following were the three certificates in the 1.17 truststore; in 1.19 I only have extca0.

Alias name: extca1
Creation date: Mar 22, 2021
Entry type: trustedCertEntry
Owner: CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US
Issuer: CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US
Serial number: 14
Alias name: extca2
Creation date: Mar 22, 2021
Entry type: trustedCertEntry
Owner: CN=IBM INTERNAL INTERMEDIATE CA, O=International Business Machines Corporation, C=US
Issuer: CN=IBM Internal Root CA, O=International Business Machines Corporation, C=US
Serial number: 11
Alias name: extca0
Creation date: Mar 22, 2021
Entry type: trustedCertEntry
Owner: OID.0.9.2342.19200300.100.1.3=renjbj@cn.ibm.com, UID=918111672, CN=z2pub.pok.stglabs.ibm.com, OU=IBM Poughkeepsie, O=ibm.com, L="New York, NY", ST="New York, NY", C=US
Issuer: CN=IBM INTERNAL INTERMEDIATE CA, O=International Business Machines Corporation, C=US
Serial number: 12aa5

In the 1.17 certificate setup log, we can see the following step was executed. But in 1.19.1 there's no such step.

Import the external Certificate Authorities to the truststore:
Calling keytool -importcert -v -trustcacerts -noprompt -file /zowe/keystore/v1.17.ex/local_ca/extca.1.cer -alias extca1 -keystore /zowe/keystore/v1.17.ex/localhost/localhost.truststore.p12 -storepass  -storetype PKCS12
Certificate was added to keystore
[Storing /zowe/keystore/v1.17.ex/localhost/localhost.truststore.p12]
keytool returned: 0
Calling keytool -importcert -v -trustcacerts -noprompt -file /zowe/keystore/v1.17.ex/local_ca/extca.2.cer -alias extca2 -keystore /zowe/keystore/v1.17.ex/localhost/localhost.truststore.p12 -storepass  -storetype PKCS12
Certificate was added to keystore
[Storing /zowe/keystore/v1.17.ex/localhost/localhost.truststore.p12]

Please let me know if this is not the correct place to report this issue. Thanks!

@rjmaomao
Author

The following error reported by the certificate setup script may not be directly related to the failure to log on to the desktop.

Unable to store /zowe/keystore/v1.19.1.ex.sso/localhost/localhost.keystore.jwtsecret.p12 in token ZOWESVR with label ZOWE2LBL. 

This may be a different problem? I saw the following message in the certificate setup log.

Retrieves z/OSMF JWT public key and stores it to /zowe/keystore/v1.19.1.ex.sso/localhost/localhost.keystore.jwtsecret.pem
Loading public key of z/OSMF at https://zpetplx2zosmf.pok.stglabs.ibm.com:34211
Public key of z/OSMF at stored as a certificate to /zowe/keystore/v1.19.1.ex.sso/localhost/localhost.keystore.jwtsecret.pem
apiml_cm.sh --action trust-zosmf returned: 0
Certificate was added to keystore
Certificate was added to keystore
Enter import file password (press ENTER to cancel):


Unable to import certificate and key.
Status 0x0335301e - Duplicate certificate.

@jackjia-ibm
Member

I can confirm this is a bug introduced in the v1.18.0 release, related to the quotation marks applied to this line: https://github.com/zowe/zowe-install-packaging/blob/master/bin/apiml_cm.sh#L246. I will work on a fix and also move this issue to zowe-install-packaging. Thanks Jing Ren for reporting the issue!
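As an added example (not Zowe's own apiml_cm.sh or zowe-setup-certificates.sh code), the following POSIX sh sketch shows the two things this thread turns on: the per-CA keytool import loop visible in the 1.17 log above, and a post-import check that would have flagged the missing extca1/extca2 aliases in the 1.19.1 truststore instead of letting the problem surface later as a 403 between gateway and discovery. The variable name EXTERNAL_CERTIFICATE_AUTHORITIES mirrors zowe-setup-certificates.env; the file paths, truststore path, alias numbering and the sample keytool listing are constructed assumptions, and the comment on word splitting describes the symptom reported here, not the exact diff of the fix.

```shell
#!/bin/sh
# Added example, not Zowe project code. Values below are constructed placeholders.
EXTERNAL_CERTIFICATE_AUTHORITIES="${EXTERNAL_CERTIFICATE_AUTHORITIES:-/tmp/ca/extca.1.cer /tmp/ca/extca.2.cer}"
TRUSTSTORE="${TRUSTSTORE:-/tmp/localhost.truststore.p12}"

# Emit one keytool import command per CA file, numbering aliases extca1, extca2, ...
# as the 1.17 log does. The variable is deliberately left unquoted in the for loop
# so the shell splits the space-separated list; wrapping it in double quotes would
# hand keytool a single bogus path and import nothing for the external CAs, which
# is consistent with extca1/extca2 being absent from the truststore.
import_commands() {
  idx=1
  for cafile in $EXTERNAL_CERTIFICATE_AUTHORITIES; do
    printf 'keytool -importcert -v -trustcacerts -noprompt -file %s -alias extca%s -keystore %s -storetype PKCS12\n' \
      "$cafile" "$idx" "$TRUSTSTORE"
    idx=$((idx + 1))
  done
}

# Number of external CAs the env variable names (word-split on whitespace).
expected_alias_count() {
  set -- $EXTERNAL_CERTIFICATE_AUTHORITIES
  echo $#
}

# Read `keytool -list -v` output on stdin and print the expected aliases
# that are not present, space separated (empty output means all present).
missing_aliases() {
  listing="$(cat)"
  n=$(expected_alias_count)
  i=1
  missing=""
  while [ "$i" -le "$n" ]; do
    if ! printf '%s\n' "$listing" | grep -q "^Alias name: extca$i\$"; then
      missing="$missing extca$i"
    fi
    i=$((i + 1))
  done
  echo "${missing# }"
}

# Constructed listing resembling the broken 1.19.1 truststore: only extca0.
SAMPLE_BROKEN_LISTING='Alias name: extca0
Creation date: Mar 22, 2021
Entry type: trustedCertEntry
Owner: CN=example-host, O=Example
Issuer: CN=Example Intermediate CA'

# Constructed listing resembling the healthy 1.17 truststore.
SAMPLE_GOOD_LISTING='Alias name: extca1
Entry type: trustedCertEntry
Alias name: extca2
Entry type: trustedCertEntry
Alias name: extca0
Entry type: trustedCertEntry'

# Demo: show the import commands and run the check against both listings.
import_commands
echo "missing in broken truststore: $(printf '%s\n' "$SAMPLE_BROKEN_LISTING" | missing_aliases)"
echo "missing in good truststore: [$(printf '%s\n' "$SAMPLE_GOOD_LISTING" | missing_aliases)]"
```

In a real setup script the check would be fed by `keytool -list -v -keystore "$TRUSTSTORE" -storetype PKCS12` right after the import loop, and a non-empty result should make the script exit non-zero so the operator sees the missing CA at setup time rather than at first logon.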

@jackjia-ibm jackjia-ibm transferred this issue from zowe/api-layer Mar 24, 2021
@jackjia-ibm jackjia-ibm added the bug Something isn't working label Mar 24, 2021
jackjia-ibm added a commit that referenced this issue Mar 25, 2021
Signed-off-by: Jack (T.) Jia <jack-tiefeng.jia@ibm.com>
jackjia-ibm added a commit that referenced this issue Mar 25, 2021
Signed-off-by: Jack (T.) Jia <jack-tiefeng.jia@ibm.com>
jackjia-ibm added a commit that referenced this issue Mar 26, 2021
@jackjia-ibm jackjia-ibm reopened this Mar 26, 2021
@jackjia-ibm
Member

Also applied to staging branch.
