Closed dkelosky closed 4 years ago
Hello Dan,
The documentation in the api-layer repository documents the process for localhost, so it does not explain how to change the hostnames. The default is "SAN=dns:localhost.localdomain,dns:localhost" and it can be changed by the --service-ext parameter, e.g. --service-ext "SAN=dns:river.zowe.org".
I do not know about the documentation of this process for z/OS. The recommended way is to obtain a signed certificate. What is the main advantage of using a self-signed certificate in your case? If you have your instance of Zowe on z/OS then it can be easier to use a self-signed certificate and import it without waiting. If you have an instance managed by someone else, you will not be able to import a certificate to it without having access rights to the truststore. It might be useful to have this documentation for customers who do not have an internal CA.
All APIML services are sharing one truststore. So there is only one import needed.
Alternatively, from https://hub.docker.com/r/vvvlc/zowe look at: Preparation and Start, steps 1, 2, 3.
Excellent info - thank you both for responding!
> What is the main advantage of using a self-signed certificate in your case?
Perhaps there is no advantage, and I have limited experience in this area. In the past, I only worked with customers that used self-signed certificates, so I was going down the only path I knew (which also involved generating certs via gskkyman).
> If you have your instance of Zowe on z/OS then it can be easier to use a self-signed certificate and import it without waiting.
I was also considering our own instances of API ML (perhaps not full Zowe) for development testing. It seems like there are certain cases (like after cert imports) that API ML needed to be recycled. Can we recycle our shared instance as needed or is there a process around that?
We may recycle in other cases when testing too - I seem to remember some UI data being cached and unchangeable after first load.
@VitekVlcek-Broadcom your suggestion might be best in testing automation (as long as we also know the process customers may use when setting up API ML on z/OS). I'm curious, do you have an image with just API ML?
Yes and no: the Zowe image contains both the Desktop and API ML, but you can start only API ML by passing --env LAUNCH_COMPONENT_GROUPS=GATEWAY on the docker run command.
Hi @dkelosky
Please review this script. It generates a new keypair, signs it using the Zowe development CA and imports it into the keystore. You can clearly see the keytool commands in it. It is derived from apiml_cm.sh. Please let us know if it answers your question, and we can close the issue.
```sh
#!/bin/sh
# Derived from apiml_cm.sh: generates a service keypair, has it signed by the
# local development CA, and imports the CA certificate and the signed service
# certificate into the service keystore. The keystore/local_ca and
# keystore/localhost directories must exist, and the local CA keystore
# (localca.keystore.p12) and its certificate (localca.cer) must already be there.
V=
LOG=
LOCAL_CA_ALIAS="localca"
LOCAL_CA_FILENAME="keystore/local_ca/localca"
LOCAL_CA_PASSWORD="local_ca_password"
SERVICE_ALIAS="localhost"
SERVICE_PASSWORD="password"
SERVICE_KEYSTORE="keystore/localhost/localhost.keystore"
SERVICE_DNAME="CN=Zowe Service, OU=API Mediation Layer, O=Zowe Sample, L=Prague, S=Prague, C=CZ"
# Change the SAN to the host name clients will actually connect to.
SERVICE_EXT="SAN=dns:localhost.localdomain,dns:localhost"
SERVICE_VALIDITY=3650

generate_new_signed_cert() {
    echo "Generate service private key and service certificate:"
    pkeytool -genkeypair $V -alias "${SERVICE_ALIAS}" -keyalg RSA -keysize 2048 -keystore "${SERVICE_KEYSTORE}.p12" -keypass "${SERVICE_PASSWORD}" -storepass "${SERVICE_PASSWORD}" -storetype PKCS12 -dname "${SERVICE_DNAME}" -validity "${SERVICE_VALIDITY}"

    echo "Generate CSR for the service certificate:"
    pkeytool -certreq $V -alias "${SERVICE_ALIAS}" -keystore "${SERVICE_KEYSTORE}.p12" -storepass "${SERVICE_PASSWORD}" -file "${SERVICE_KEYSTORE}.csr" -keyalg RSA -storetype PKCS12 -dname "${SERVICE_DNAME}" -validity "${SERVICE_VALIDITY}"

    # The SAN, KeyUsage and ExtendedKeyUsage extensions are set here, at signing
    # time, so whatever the CSR carried is replaced by these values.
    echo "Sign the CSR using the Certificate Authority:"
    pkeytool -gencert $V -infile "${SERVICE_KEYSTORE}.csr" -outfile "${SERVICE_KEYSTORE}_signed.cer" -keystore "${LOCAL_CA_FILENAME}.keystore.p12" -alias "${LOCAL_CA_ALIAS}" -keypass "${LOCAL_CA_PASSWORD}" -storepass "${LOCAL_CA_PASSWORD}" -storetype PKCS12 -ext "${SERVICE_EXT}" -ext KeyUsage:critical=keyEncipherment,digitalSignature,nonRepudiation,dataEncipherment -ext ExtendedKeyUsage=clientAuth,serverAuth -rfc -validity "${SERVICE_VALIDITY}"

    # keytool refuses to import a certificate reply unless the issuing CA is
    # already trusted in the keystore, so the CA goes in first.
    echo "Import the Certificate Authority to the keystore:"
    pkeytool -importcert $V -trustcacerts -noprompt -file "${LOCAL_CA_FILENAME}.cer" -alias "${LOCAL_CA_ALIAS}" -keystore "${SERVICE_KEYSTORE}.p12" -storepass "${SERVICE_PASSWORD}" -storetype PKCS12

    echo "Import the signed certificate to the keystore:"
    pkeytool -importcert $V -trustcacerts -noprompt -file "${SERVICE_KEYSTORE}_signed.cer" -alias "${SERVICE_ALIAS}" -keystore "${SERVICE_KEYSTORE}.p12" -storepass "${SERVICE_PASSWORD}" -storetype PKCS12
}

# Wrapper around keytool that echoes the full command line and stops on the
# first failure. Note that the echoed line (and $LOG, if set) contains the
# -storepass/-keypass values, so keep the output private when using real passwords.
pkeytool() {
    echo "Calling keytool $*"
    if [ "$LOG" != "" ]; then
        keytool "$@" >> "$LOG" 2>&1
    else
        keytool "$@"
    fi
    RC=$?
    echo "keytool returned: $RC"
    if [ "$RC" -ne 0 ]; then
        exit 1
    fi
}

generate_new_signed_cert
```
https://github.com/zowe/api-layer/blob/master/keystore/README.md#self-signed-certificate shows a script to create a self-signed certificate.

1. It seems like localhost is hard coded in this - is that accurate? If so, can the ability to supply host names be exposed? (answered)
2. For step 2 in this section, it says "Trust it in the APIML" - does APIML here refer to each component? I.e. are certs imported into discovery, security, and gateway services? (answered)
3. Is it possible to provide an example of how to generate a self-signed certificate for a service that will run on z/OS and then import it into API ML using keytool directly? apiml_cm.sh is interesting, but it seems we ultimately need to look at the keytool command that it generates to see what it is doing.