diff --git a/bin/apiml_cm.sh b/bin/apiml_cm.sh
index 6098ddf573..6bed316392 100644
--- a/bin/apiml_cm.sh
+++ b/bin/apiml_cm.sh
@@ -423,6 +423,22 @@ function export_jwt_from_keyring {
 function zosmf_jwt_public_key {
 echo "Retrieves z/OSMF JWT public key and stores it to ${SERVICE_KEYSTORE}.${JWT_ALIAS}.pem"
+
+ # If Zowe local CA keystore file does not exist (e.g. is defined in a keyring) then we have to create another CA
+ # whose sole purpose is to help forging a fake certificate that encapsulates JWT token from z/OSMF so that it can be
+ # connected with PKCS11 token.
+ if [[ ! -f ${LOCAL_CA_FILENAME}.keystore.p12 ]]; then
+ echo "Generate keystore with the CA private key and CA public certificate:"
+ pkeytool -genkeypair $V -alias ${LOCAL_CA_ALIAS} -keyalg RSA -keysize 2048 -keystore ${LOCAL_CA_FILENAME}.keystore.p12 \
+ -dname "${LOCAL_CA_DNAME}" -keypass ${LOCAL_CA_PASSWORD} -storepass ${LOCAL_CA_PASSWORD} -storetype PKCS12 -validity ${LOCAL_CA_VALIDITY} \
+ -ext KeyUsage="keyCertSign" -ext BasicConstraints:"critical=ca:true"
+ chmod 600 ${LOCAL_CA_FILENAME}.keystore.p12
+
+ echo "Export the CA public certificate:"
+ pkeytool -export $V -alias ${LOCAL_CA_ALIAS} -file ${LOCAL_CA_FILENAME}.cer -keystore ${LOCAL_CA_FILENAME}.keystore.p12 -rfc \
+ -keypass ${LOCAL_CA_PASSWORD} -storepass ${LOCAL_CA_PASSWORD} -storetype PKCS12
+ fi
+
 java -Xms16m -Xmx32m -Xquickstart \
 -Dfile.encoding=UTF-8 \
 -Djava.io.tmpdir=${TEMP_DIR} \