zowe / api-layer

The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Eclipse Public License 2.0

verifyCertificates DISABLED and NONSTRICT gives different errors for the same problem #3748

Open dkelosky opened 2 months ago

dkelosky commented 2 months ago

For a newly installed Zowe 2.18 instance, I configured zwe init with "Certificate setup scenario 3" without specifying a "SAN".

At startup with verifyCertificates: DISABLED I get:

ZWESVUSR WARN  (o.z.a.s.HttpsFactory) ZWEAM500W The service is not verifying the TLS/SSL certificates of the services       
ZWESVUSR WARN  (o.z.a.s.HttpsFactory) ZWEAM500W The service is not verifying the TLS/SSL certificates of the services       
ZWESVUSR WARN  (o.z.a.s.HttpsFactory) ZWEAM500W The service is not verifying the TLS/SSL certificates of the services       
ZWESVUSR ERROR (o.z.a.p.w.HttpConfig) Cannot construct configuration of HTTPs: null                                         
ZWESVUSR ERROR (o.z.a.p.w.HttpConfig) Cannot construct configuration of HTTPs: null                                         
ZWESVUSR ERROR (o.z.a.p.w.HttpConfig) Cannot construct configuration of HTTPs: null                                         
USR INFO ZWEL0014I termination command received                                                                             

At startup with verifyCertificates: NONSTRICT I get:

ZWESVUSR ERROR (o.z.a.s.HttpsFactory) ZWEAM510E Invalid key alias 'localhost'                       
ZWESVUSR ERROR (o.z.a.p.w.HttpConfig) Invalid configuration of HTTPs: Invalid key alias 'localhost' 
ZWESVUSR ERROR (o.z.a.s.HttpsFactory) ZWEAM510E Invalid key alias 'localhost'                       
ZWESVUSR ERROR (o.z.a.p.w.HttpConfig) Invalid configuration of HTTPs: Invalid key alias 'localhost' 
ZWESVUSR ERROR (o.z.a.s.HttpsFactory) ZWEAM510E Invalid key alias 'localhost'                       
ZWESVUSR ERROR (o.z.a.p.w.HttpConfig) Invalid configuration of HTTPs: Invalid key alias 'localhost' 

The latter gives some insight into the true problem I was facing. However, I'm curious: is it possible to give a better (and consistent) error for the scenario I faced? That is, where no certificate appears to have been generated?

balhar-jakub commented 2 months ago

@dkelosky This seems to be a bug in the disabled scenario. In a disabled scenario, we shouldn't be loading the key at all. As the disabled scenario is not usually used and definitely not recommended to be used, I believe it's of low priority.