Zowe CLI: Providing NODE_EXTRA_CA_CERTS

Dan Kelosky
Zowe
Published in
3 min readApr 5, 2019

When using Zowe CLI to connect to z/OSMF, you may get an error unable to verify the first certificate (different from “self-signed certificate in certificate chain”):

In my case, this seemed strange, because whenever I access z/OSMF through my Chrome browser directly, I do NOT get any warning like the following:

Instead, I get a normal logon:

Workarounds

One potential work around: zowe CLI surfaces the rejectUnauthorized option via the --reject-unauthorized=[true|false] command line argument when creating / updating a profile which could “resolve” this error (strictly meaning that it makes the error go away — in the same way that disabling compiler warnings makes type mismatch messages go away 😃). rejectUnauthorized implications should be understood before use.

Mozilla Certificate Authorities (CAs)

Zowe CLI is built on Node.js, and by default is bundled to trust “CAs curated by Mozilla”. However, through environment variables, like NODE_EXTRA_CA_CERTS, you can extend trusted CAs.

Example

Although this may not be the most efficient route, you can follow these steps to make use of the NODE_EXTRA_CA_CERTS environment variable without using --reject-unauthorized=false to “fix” the error mentioned above.

Export Certificates

Click on the 🔒 symbol and click “Certificate” (using Chrome).

There are 4 certificates in this path. On the “Details” tab, click “Copy to File…”.

Export to DER format and save the file on your workstation.

Swap back to the “Certificate Path” view, pick the next certificate in line (second from the bottom), and click “View Certificate”.

For this certificate and each remainder in the path, copy to your work station.

Convert

In my experience, this needed to be in PEM format, so you can convert the certificates on your workstation from DER to PEM using the openssl command line program (with syntax like this):

openssl x509 -inform der -in certificate.der.cer -out certificate.pem

Concatenate

Lastly, concatenate the certificates:

cat cert1.pem cert2.pem cert3.pem cert4.prem > bundled.perm

In Bash, you can define environmental variables prior to invoking an application for them to take effect. In this screenshot, I’m using a zowe jobs list jobs command without specifying --reject-unauthorized=false:

--

--

Zowe
Zowe

Published in Zowe

Zowe is the modern open source interface for the mainframe and z/OS. The Zowe blog has how-to’s, tips & tricks and other helpful insights for mainframe devops. Zowe is a project within the Linux Foundation’s Open Mainframe Project (OMP). Download @ Zowe.org.

Dan Kelosky
Dan Kelosky

Written by Dan Kelosky

Likes programming/automation in mainframe (assembler, C/C++), distributed (Node.js), and web development (Firebase, Angular).

Responses (1)