From 0e76d6e2fabe3c8b1e097ec14583a6eb53b65b50 Mon Sep 17 00:00:00 2001 From: "Jack (T.) Jia" <39711029+jackjia-ibm@users.noreply.github.com> Date: Wed, 5 Aug 2020 11:19:59 -0400 Subject: [PATCH] Merge pull request #1570 from zowe/users/vitek/1.14_RC_fix create CA to encapsulate z/osmf JWT in a certificate (cherry picked from commit 4fbebf52cf676614ea29567eb9050fb02384fc81)
---
 bin/apiml_cm.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/bin/apiml_cm.sh b/bin/apiml_cm.sh
index 6098ddf573..6bed316392 100644
--- a/bin/apiml_cm.sh
+++ b/bin/apiml_cm.sh
@@ -423,6 +423,22 @@ function export_jwt_from_keyring {
 function zosmf_jwt_public_key {
 echo "Retrieves z/OSMF JWT public key and stores it to ${SERVICE_KEYSTORE}.${JWT_ALIAS}.pem"
+
+ # If Zowe local CA keystore file does not exist (e.g. is defined in a keyring) then we have to create another CA
+ # whose sole purpose is to help forging a fake certificate that encapsulates JWT token from z/OSMF so that it can be
+ # connected with PKCS11 token.
+ if [[ ! -f ${LOCAL_CA_FILENAME}.keystore.p12 ]]; then
+ echo "Generate keystore with the CA private key and CA public certificate:"
+ pkeytool -genkeypair $V -alias ${LOCAL_CA_ALIAS} -keyalg RSA -keysize 2048 -keystore ${LOCAL_CA_FILENAME}.keystore.p12 \
+ -dname "${LOCAL_CA_DNAME}" -keypass ${LOCAL_CA_PASSWORD} -storepass ${LOCAL_CA_PASSWORD} -storetype PKCS12 -validity ${LOCAL_CA_VALIDITY} \
+ -ext KeyUsage="keyCertSign" -ext BasicConstraints:"critical=ca:true"
+ chmod 600 ${LOCAL_CA_FILENAME}.keystore.p12
+
+ echo "Export the CA public certificate:"
+ pkeytool -export $V -alias ${LOCAL_CA_ALIAS} -file ${LOCAL_CA_FILENAME}.cer -keystore ${LOCAL_CA_FILENAME}.keystore.p12 -rfc \
+ -keypass ${LOCAL_CA_PASSWORD} -storepass ${LOCAL_CA_PASSWORD} -storetype PKCS12
+ fi
+
 java -Xms16m -Xmx32m -Xquickstart \
 -Dfile.encoding=UTF-8 \
 -Djava.io.tmpdir=${TEMP_DIR} \