
zowe cli _ I must specify a --mq-p profile. Broken because of bad apiml... token sent #2586

@colinpaicemq


Describe the bug

If I do not specify --mq-p profile,
zowe --cert-key-file ./colinpaice.key.pem --cert-file ./colinpaice.pem --host 10.1.1.2 --port 9443 mq run mqsc CSQ9 "DIS QMGR" gives me

Unable to perform this operation due to the following problem.
MQ REST API Error:
error:

msgId:          MQWB0104E
action:         Provide credentials using a client certificate, LTPA security token, or username and password via HTTP basic authentication header. On z/OS, if the mqweb server has been configured for SAF authentication, check the messages.log file for messages indicating that SAF authentication is not available. Start the Liberty angel process if it is not already running. You might need to restart the mqweb server for any changes to take effect.
completionCode: 0
reasonCode:     0
type:           rest
message:        MQWB0104E: The REST API request to 'v1/admin/action/qmgr/CSQ9/mqsc' is not authenticated.
explanation:    The REST API request cannot be completed because credentials were omitted from the request. On z/OS, if the mqweb server has been configured for SAF authentication, this can be caused by the Liberty angel process not being active.

Response From Service
error:

msgId:          MQWB0104E
action:         Provide credentials using a client certificate, LTPA security token, or username and password via HTTP basic authentication header. On z/OS, if the mqweb server has been configured for SAF authentication, check the messages.log file for messages indicating that SAF authentication is not available. Start the Liberty angel process if it is not already running. You might need to restart the mqweb server for any changes to take effect.
completionCode: 0
reasonCode:     0
type:           rest
message:        MQWB0104E: The REST API request to 'v1/admin/action/qmgr/CSQ9/mqsc' is not authenticated.
explanation:    The REST API request cannot be completed because credentials were omitted from the request. On z/OS, if the mqweb server has been configured for SAF authentication, this can be caused by the Liberty angel process not being active.

Diagnostic Information
Received HTTP(S) error 401 = Unauthorized.

Protocol: https
Host: 10.1.1.2
Port: 9443
Base Path:
Resource: /ibmmq/rest/v1/admin/action/qmgr/CSQ9/mqsc
Request: POST
Headers: [{"Content-Type":"application/json"},{"ibm-mq-rest-csrf-token":"true"}]
Payload: { type: 'runCommand', parameters: { command: 'DIS QMGR' } }
Auth type: token
Auth order: basic,token,bearer,cert-pem
Available creds: tokenType,tokenValue,cert,certKey
Allow Unauth Cert: true

Expected and actual results

Describe your environment

If I specify --mq-p pointing to

"mq": {
    "type": "mq",
    "properties": {
        // "certKeyFile": "/home/colinpaice/ssl/ssl2/colinpaice.key.pem",
        // "certFile": "/home/colinpaice/ssl/ssl2/colinpaice.pem",
        "port": 9443,
        "host": "10.1.1.2",
        "rejectUnauthorized": false,
        "authOrder": "cert-pem"
    }
},

it works.

I think the problem is
Auth order: basic,token,bearer,cert-pem

because I can see a token being passed in ... and my certificates are being ignored.

When "authOrder": "cert-pem" is used - it has to use my certificates - and so works.


I think that if certificates are specified - then they should go at the front of the list of auth order.


If I specify export NODE_DEBUG='tls,https'
I get
Running MQSC command: 'DIS QMGR' against CSQ9

HTTPS 17242: createConnection [Object: null prototype] {
headers: {
Cookie: 'apimlAuthenticationToken=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJJQk1VU0VSIiwiaWF0IjoxNzUyMTQ1MDQ2LCJleHAiOjE3NTIxNzM4NDYsImlzcyI6IkFQSU1MIiwianRpIjoiMzQ0NmFhMTgtN2YwOC00MjFkLTk2YzUtY2I5OTE4YWVhYTA5IiwiZG9tIjoic2VjdXJpdHktZG9tYWluIn0.A4tWpt4CB9BN6Heloghh54ThGiC7sbZSr_Y9j8MC1mDK1uYq6n1MH59vBMdP04dLXRzr_WLQkQM4wpp2azlLx0P7JppCY3kOsdsFPxhR3WXZ-PH1HkPAFnlW1Vn9upzIFsVolq2UIraUK3sA-nwP8GE4nRj7lnWn3YFHPTKV7NB6KR6BNGr5fkwO9VcdejUkI3JKRIZhNuTb8xeyAFEQ8qWyNTuXEoCblFN-YFgnNY0Wzz1X0NA_ika7pwRacftO9doQvbGZj-d2pBZl4CBa7h2sCO88Vo1MTuEHQzqtmZOQ_FFeSziuCnn4yeWF44NpoN1p6jds-Xg_nim-kYKrtg',
'Content-Type': 'application/json',
'ibm-mq-rest-csrf-token': 'true'
},
hostname: '10.1.1.2',
method: 'POST',

The apiml token is dated July 10! So very, very old.

If I use the cert-pem the trace has certificates in it as expected

Additional context
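
Checking the age of a token seen in a trace like the one above, as an added example that is not part of the original issue or of Zowe's code: it pulls the apimlAuthenticationToken cookie out of NODE_DEBUG-style output and decodes the JWT claims without verifying the signature. The sample trace, the claims in it and all function names are constructed for illustration.

```javascript
// Added example (not Zowe code): decode the claims of the JWT carried in an
// apimlAuthenticationToken cookie to see when it was issued and when it expires.
// The signature is NOT verified, so this is for triage only, never for trust.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed sample: a fake token embedded in NODE_DEBUG-style output.
const SAMPLE_CLAIMS = { sub: "USER1", iat: 1752145046, exp: 1752173846, iss: "APIML" };
const SAMPLE_TRACE = [
  "headers: {",
  `Cookie: 'apimlAuthenticationToken=${b64url({ alg: "RS256" })}.${b64url(SAMPLE_CLAIMS)}.c2ln',`,
  "'Content-Type': 'application/json',",
].join("\n");

// Hypothetical helper: find the first compact JWT in the cookie.
function extractToken(trace) {
  const m = /apimlAuthenticationToken=([\w-]+\.[\w-]+\.[\w-]+)/.exec(trace);
  return m ? m[1] : null;
}

// Hypothetical helper: base64url-decode the middle (claims) segment.
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

const iso = (s) => (Number.isFinite(s) ? new Date(s * 1000).toISOString() : null);

// Summarise the token relative to "now" (seconds since the epoch).
function describeToken(trace, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = extractToken(trace);
  if (!token) return { found: false };
  const c = decodeClaims(token);
  return {
    found: true,
    subject: c.sub ?? null,
    issuer: c.iss ?? null,
    issuedAt: iso(c.iat),
    expiresAt: iso(c.exp),
    expired: Number.isFinite(c.exp) ? nowSeconds >= c.exp : null,
    ageDays: Number.isFinite(c.iat) ? Math.floor((nowSeconds - c.iat) / 86400) : null,
  };
}

console.log(describeToken(SAMPLE_TRACE));
```

A token reported as expired that is still being attached to requests points at a stale cached credential on the client side rather than at the server's certificate handling.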
