zowe / api-layer

The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Eclipse Public License 2.0

apiml_cm.sh Self Signed Certificates #416

Closed dkelosky closed 4 years ago

dkelosky commented 4 years ago

https://github.com/zowe/api-layer/blob/master/keystore/README.md#self-signed-certificate steps show a script to create a self-signed certificate.

It seems like localhost is hard coded in this - is that accurate? If so, can the ability to supply host names be exposed? (answered)

For step 2 in this section, it says "Trust it in the APIML" - does APIML here refer to each component? I.e. are certs imported into discovery, security, and gateway services? (answered)

Is it possible to provide an example of how to generate a self-signed certificate for a service that will run on z/OS and then import it into API ML using keytool directly? apiml_cm.sh is interesting, but it seems we ultimately need to look at the keytool commands that it generates to see what it is doing.

plavjanik commented 4 years ago

Hello Dan,

The documentation in the api-layer repository documents the process for localhost, so it does not explain how to change the hostnames.

The default is "SAN=dns:localhost.localdomain,dns:localhost" and it can be changed by the --service-ext parameter, e.g. --service-ext "SAN=dns:river.zowe.org".

I do not know about the documentation of this process for z/OS. The recommended way is to obtain a signed certificate. What is the main advantage of using a self-signed certificate in your case? If you have your instance of Zowe on z/OS then it can be easier to use a self-signed certificate and import it without waiting. If you have an instance managed by someone else, you will not be able to import a certificate to it without having access rights to the truststore. It might be useful to have this documentation for customers who do not have an internal CA.

All APIML services are sharing one truststore. So there is only one import needed.

VitekVlcek-Broadcom commented 4 years ago

Alternatively, from https://hub.docker.com/r/vvvlc/zowe look at: Preparation and Start, steps 1, 2, 3.

dkelosky commented 4 years ago

Excellent info - thank you both for responding!

What is the main advantage of using a self-signed certificate in your case?

Perhaps there is no advantage, and I have limited experience in this area. In the past, I only worked with customers that used self-signed certificates, so I was going down the only path I knew (which also involved generating certs via gskkyman).

If you have your instance of Zowe on z/OS then it can be easier to use a self-signed certificate and import it without waiting.

I was also considering our own instances of API ML (perhaps not full Zowe) for development testing. It seems like there are certain cases (like after cert imports) that API ML needed to be recycled. Can we recycle our shared instance as needed or is there a process around that?

We may recycle in other cases when testing too - I seem to remember some UI data being cached and unchangeable after first load.

dkelosky commented 4 years ago

@VitekVlcek-Broadcom your suggestion might be best in testing automation (as long as we also know the process customers may use when setting up API ML on z/OS). I'm curious, do you have an image with just API ML?

VitekVlcek-Broadcom commented 4 years ago

Yes and no: the zowe image contains both the Desktop and APIML, but you can start only API ML by passing

--env LAUNCH_COMPONENT_GROUPS=GATEWAY

on the docker run command.

jandadav commented 4 years ago

Hi @dkelosky

Please review this script. It generates a new keypair, signs it using the Zowe development CA and imports it into the keystore. You can clearly see the keytool commands in it. It is derived from apiml_cm.sh. Please let us know if it answers your question and we can close the issue.

#!/bin/sh
# Derived from apiml_cm.sh: generates a service key pair, has the Zowe
# development CA (keystore/local_ca/localca, created by apiml_cm.sh) sign it,
# and imports the CA certificate and the signed certificate into the service
# keystore. Set V=-v for verbose keytool output and LOG=<file> to capture it.
V=
LOG=

# Development CA produced by apiml_cm.sh (keystore, exported .cer, password)
LOCAL_CA_ALIAS="localca"
LOCAL_CA_FILENAME="keystore/local_ca/localca"
LOCAL_CA_PASSWORD="local_ca_password"

# Service certificate parameters (sample values for a localhost instance)
SERVICE_ALIAS="localhost"
SERVICE_PASSWORD="password"
SERVICE_KEYSTORE="keystore/localhost/localhost.keystore"
SERVICE_DNAME="CN=Zowe Service, OU=API Mediation Layer, O=Zowe Sample, L=Prague, S=Prague, C=CZ"
# Subject Alternative Names the certificate is valid for
SERVICE_EXT="SAN=dns:localhost.localdomain,dns:localhost"
SERVICE_VALIDITY=3650

# Wrapper that prints the keytool command line, optionally redirects its
# output to $LOG, and aborts the script on the first keytool failure
pkeytool() {
    echo "Calling keytool $*"
    if [ "$LOG" != "" ]; then
        keytool "$@" >> "$LOG" 2>&1
    else
        keytool "$@"
    fi
    RC=$?
    echo "keytool returned: $RC"
    if [ "$RC" -ne 0 ]; then
        exit 1
    fi
}

generate_new_signed_cert() {
    echo "Generate service private key and service certificate:"
    pkeytool -genkeypair $V -alias ${SERVICE_ALIAS} -keyalg RSA -keysize 2048 -keystore ${SERVICE_KEYSTORE}.p12 -keypass ${SERVICE_PASSWORD} -storepass ${SERVICE_PASSWORD} -storetype PKCS12 -dname "${SERVICE_DNAME}" -validity ${SERVICE_VALIDITY}

    echo "Generate CSR for the service certificate:"
    pkeytool -certreq $V -alias ${SERVICE_ALIAS} -keystore ${SERVICE_KEYSTORE}.p12 -storepass ${SERVICE_PASSWORD} -file ${SERVICE_KEYSTORE}.csr -keyalg RSA -storetype PKCS12 -dname "${SERVICE_DNAME}" -validity ${SERVICE_VALIDITY}

    echo "Sign the CSR using the Certificate Authority:"
    pkeytool -gencert $V -infile ${SERVICE_KEYSTORE}.csr -outfile ${SERVICE_KEYSTORE}_signed.cer -keystore ${LOCAL_CA_FILENAME}.keystore.p12 -alias ${LOCAL_CA_ALIAS} -keypass ${LOCAL_CA_PASSWORD} -storepass ${LOCAL_CA_PASSWORD} -storetype PKCS12 -ext ${SERVICE_EXT} -ext KeyUsage:critical=keyEncipherment,digitalSignature,nonRepudiation,dataEncipherment -ext ExtendedKeyUsage=clientAuth,serverAuth -rfc -validity ${SERVICE_VALIDITY}

    echo "Import the Certificate Authority to the keystore:"
    pkeytool -importcert $V -trustcacerts -noprompt -file ${LOCAL_CA_FILENAME}.cer -alias ${LOCAL_CA_ALIAS} -keystore ${SERVICE_KEYSTORE}.p12 -storepass ${SERVICE_PASSWORD} -storetype PKCS12

    echo "Import the signed certificate to the keystore (replaces the self-signed one):"
    pkeytool -importcert $V -trustcacerts -noprompt -file ${SERVICE_KEYSTORE}_signed.cer -alias ${SERVICE_ALIAS} -keystore ${SERVICE_KEYSTORE}.p12 -storepass ${SERVICE_PASSWORD} -storetype PKCS12
}

generate_new_signed_cert

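
The two points raised in the thread, that the SAN must carry the real hostname rather than the hard-coded localhost (plavjanik's --service-ext note) and that the keytool steps behind apiml_cm.sh should be visible (jandadav's script), combined into one added example. This is not code from zowe/api-layer: it builds its own throwaway development CA, signs a service certificate for hostnames passed on the command line, checks the SAN of the result before anything is trusted, and imports the CA once into a truststore, mirroring the single truststore all APIML services share. The aliases, file names, passwords and the default hostname river.zowe.org are assumptions for illustration; only keytool from a JDK is required.

```shell
#!/bin/sh
# Added example (not from zowe/api-layer): issue a CA-signed service
# certificate whose SAN carries the real gateway hostname(s) instead of
# "localhost", verify the SAN, then trust the CA once in a shared truststore.
# Assumptions: keytool (JDK) is on PATH; aliases, paths and passwords below
# are throwaway values for a development CA, not APIML defaults.
set -e

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for all generated files
CA_ALIAS=localca;  CA_PASS=local_ca_password
SVC_ALIAS=gateway; SVC_PASS=password
TRUST_PASS=password
VALIDITY=3650

# Turn "river.zowe.org localhost" into keytool's SAN syntax: dns:a,dns:b
san_for() {
    s=""
    for h in "$@"; do s="${s:+$s,}dns:$h"; done
    printf '%s' "$s"
}

# Development CA: a self-signed key pair restricted to signing certificates.
make_local_ca() {
    keytool -genkeypair -alias "$CA_ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$WORK/localca.keystore.p12" -storetype PKCS12 \
        -storepass "$CA_PASS" -keypass "$CA_PASS" \
        -dname "CN=Zowe Development CA, OU=API Mediation Layer, O=Zowe Sample, C=CZ" \
        -ext BasicConstraints:critical=ca:true,pathlen:0 \
        -ext KeyUsage:critical=keyCertSign,cRLSign -validity "$VALIDITY"
    keytool -exportcert -rfc -alias "$CA_ALIAS" -file "$WORK/localca.cer" \
        -keystore "$WORK/localca.keystore.p12" -storetype PKCS12 -storepass "$CA_PASS"
}

# Service key pair + CSR, signed by the CA with a SAN built from $@; the CA
# certificate is imported first so keytool can validate the reply's chain.
make_service_cert() {
    keytool -genkeypair -alias "$SVC_ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$WORK/service.keystore.p12" -storetype PKCS12 \
        -storepass "$SVC_PASS" -keypass "$SVC_PASS" \
        -dname "CN=$1, OU=API Mediation Layer, O=Zowe Sample, C=CZ" -validity "$VALIDITY"
    keytool -certreq -alias "$SVC_ALIAS" -file "$WORK/service.csr" \
        -keystore "$WORK/service.keystore.p12" -storetype PKCS12 -storepass "$SVC_PASS"
    keytool -gencert -infile "$WORK/service.csr" -outfile "$WORK/service_signed.cer" -rfc \
        -keystore "$WORK/localca.keystore.p12" -storetype PKCS12 \
        -alias "$CA_ALIAS" -storepass "$CA_PASS" -keypass "$CA_PASS" \
        -ext "SAN=$(san_for "$@")" \
        -ext KeyUsage:critical=digitalSignature,keyEncipherment \
        -ext ExtendedKeyUsage=serverAuth,clientAuth -validity "$VALIDITY"
    keytool -importcert -noprompt -trustcacerts -alias "$CA_ALIAS" -file "$WORK/localca.cer" \
        -keystore "$WORK/service.keystore.p12" -storetype PKCS12 -storepass "$SVC_PASS"
    keytool -importcert -noprompt -alias "$SVC_ALIAS" -file "$WORK/service_signed.cer" \
        -keystore "$WORK/service.keystore.p12" -storetype PKCS12 -storepass "$SVC_PASS"
}

# Every DNSName in the certificate's SubjectAlternativeName extension.
san_names() {
    keytool -printcert -file "$1" | sed -n 's/^ *DNSName: *//p'
}

# True when hostname $2 is listed verbatim in the SAN of certificate $1.
cert_has_host() {
    san_names "$1" | grep -qx "$2"
}

# Entry type (PrivateKeyEntry or trustedCertEntry) of alias $2 in keystore $1
# protected by password $3.
entry_type() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$3" \
        | grep "^$2, " | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# One truststore is shared by all APIML services, so the CA is imported once.
trust_ca() {
    keytool -importcert -noprompt -trustcacerts -alias "$CA_ALIAS" -file "$WORK/localca.cer" \
        -keystore "$1" -storetype PKCS12 -storepass "$TRUST_PASS"
}

main() {
    make_local_ca
    make_service_cert "$@"
    for h in "$@"; do
        cert_has_host "$WORK/service_signed.cer" "$h" \
            || { echo "FAIL: $h is not in the SAN; clients will reject the certificate" >&2; return 1; }
    done
    trust_ca "$WORK/truststore.p12"
    echo "OK: $WORK/service_signed.cer covers $(san_for "$@"); CA trusted in $WORK/truststore.p12"
}

[ $# -gt 0 ] || set -- river.zowe.org          # hostname from the thread, used as the default
if command -v keytool >/dev/null 2>&1; then
    main "$@"
else
    echo "keytool not on PATH: nothing generated" >&2
fi
```

Run it as `sh issue_service_cert.sh gw.example.internal gw` (file name is arbitrary) to get a certificate valid for both names; `cert_has_host` is the check to run on any certificate before importing it, because a certificate whose SAN still says localhost will pass every keytool step above and only fail later, at TLS handshake time, with a hostname mismatch. After `trust_ca`, the APIML services that use that truststore still need to be restarted, as noted earlier in the thread.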
ilkinabdullayev commented 4 years ago

Moved to https://github.com/zowe/zowe-install-packaging/issues/1214