zowe / community

Zowe Community - Sub-projects, Squads, Contribution Guidelines, Meeting Minutes, and more

Cross squad and community initiative to look at issues around common support problems with launching Zowe #1857

Open Joe-Winchester opened 1 year ago

Joe-Winchester commented 1 year ago

Many of us supporting customers are seeing areas that cover the theme of:

Unable to launch Zowe because of incorrect configuration to read certificates from keyrings.

This proposal is to tackle this as a cross-squad, cross-company effort to revisit the docs, the product, the error messages, and the end-to-end experience with certificates.

hockeyrob commented 1 year ago

Thank you, Joe, this would be great. I'm struggling with error (and other) messages that are confusing and contradictory, debug output that helps not at all, and when I search for documentation I get doc that describes how V1 works while I'm trying to get V2.6 running. And then...certificates.

Thanks!!! R;

balhar-jakub commented 1 year ago

@Joe-Winchester I will be bringing it as a topic to TSC this week to figure out how we want to approach it. I believe we want to approach it, but I am not sure how we want to handle and manage the whole topic.

Joe-Winchester commented 1 year ago

Thank you, Joe, this would be great. I'm struggling with error (and other) messages that are confusing and contradictory, debug output that helps not at all, and when I search for documentation I get doc that describes how V1 works while I'm trying to get V2.6 running. And then...certificates.

We're aware that the area of certificates needs improving. For background, are you trying to use Zowe with an existing SAF certificate and then connect that to a new keyring? Is the issue that we don't describe well enough how to do that, or are there other things related to your certificate such as errors when the SAN doesn't match, or the EKU is incorrect, or other...? Love to hear more.
Cheers!
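The two certificate failure modes named above (SAN not matching the host, wrong EKU) are easy to check before starting the server. The following is an added illustration, not code from Zowe or from anyone in this thread: it decodes the DER value of the subjectAltName and extendedKeyUsage extensions with a minimal ASN.1 reader (standard library only) and reports whether a certificate is usable as a server certificate for a given hostname. The hostnames, IP address and extension bytes are constructed sample values; in practice the extension values would come from a real certificate (e.g. printed with `openssl x509 -noout -text -in server.pem` or extracted with a full X.509 parser).

```python
"""Check SAN and EKU extension values of a server certificate (added example)."""
from typing import Iterator, List, Optional, Tuple

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate over the TLVs contained in a constructed value (SEQUENCE body)."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        yield tag, child


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_san(ext_value: bytes) -> List[str]:
    """SubjectAltName ::= SEQUENCE OF GeneralName; keep dNSName [2] and IPv4 iPAddress [7]."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names = []
    for t, v in _children(seq):
        if t == 0x82:                      # dNSName, IA5String
            names.append(v.decode("ascii"))
        elif t == 0x87 and len(v) == 4:    # iPAddress, 4 octets
            names.append(".".join(str(b) for b in v))
    return names


def parse_eku(ext_value: bytes) -> List[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OIDs)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    return [decode_oid(v) for t, v in _children(seq) if t == 0x06]


def san_matches(host: str, names: List[str]) -> bool:
    """Exact match, or a single-label wildcard ('*.example.com') match."""
    host = host.lower().rstrip(".")
    for n in names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True
    return False


def check_server_cert(host: str, san_value: bytes, eku_value: Optional[bytes] = None) -> List[str]:
    """Return a list of problems; empty means the cert is usable as a server cert for host."""
    problems = []
    names = parse_san(san_value)
    if not san_matches(host, names):
        problems.append(f"SAN {names} does not cover host {host!r}")
    if eku_value is not None:              # an absent EKU places no restriction
        ekus = parse_eku(eku_value)
        if OID_SERVER_AUTH not in ekus:
            problems.append(f"EKU {ekus} lacks serverAuth ({OID_SERVER_AUTH})")
    return problems


# --- constructed sample extension values (short-form DER lengths suffice here) ---
def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload

SERVER_AUTH_DER = bytes.fromhex("2b06010505070301")
CLIENT_AUTH_DER = bytes.fromhex("2b06010505070302")

SAN_GOOD = _tlv(0x30, _tlv(0x82, b"zowe.example.com") + _tlv(0x87, bytes([10, 1, 2, 3])))
EKU_GOOD = _tlv(0x30, _tlv(0x06, SERVER_AUTH_DER))
SAN_BAD = _tlv(0x30, _tlv(0x82, b"zowe-old.example.com"))
EKU_BAD = _tlv(0x30, _tlv(0x06, CLIENT_AUTH_DER))   # client-only cert used as server cert

if __name__ == "__main__":
    print(check_server_cert("zowe.example.com", SAN_GOOD, EKU_GOOD))
    print(check_server_cert("zowe.example.com", SAN_BAD, EKU_BAD))
```

The second call reports both problems at once, which is the kind of message one would want from the product at startup instead of a generic TLS handshake failure.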

hockeyrob commented 1 year ago

Joe:

In z/OS I have no RACF authority to manipulate keyrings. I can load certificates so someone else can create/modify a keyring, but…that’s down the road. In z/VM I’m able to create the necessary CA and server certificates to, say, enable 3270 access over a certificate-capable client, like x3270. To do that I create a key database with GSKKYMAN, create the desired certificates, distribute them as necessary.

So, I’m trying to follow that similar procedure in OMVS to create certificates for Zowe to…work, just to work. I created a key database, imported my local CA cert, created a server cert for Zowe to use….but there’s no indication how to configure Zowe to use those certs; it seems to know about A CA cert, but I can’t say whether that’s the one I created, and it seems certain Zowe doesn’t like the server cert I created for it.

Backing up just a little….There are 5 scenarios for the certificate configuration (specification?) in zowe.yaml; three say they are for keyrings, so I skip those for now. I have certificates, the server certificate for Zowe and the (ok, self-signed) CA certificate for it, the .kdb key database where they reside…How do those fit into the configuration specifications?

After a lot of experimentation I decided to trash all that and just start over with however Zowe wants to configure its certs, and after the dust settles, figure out how that meshes with what I’ve seen and done already. I did the “zwe init certificate --verbose --config /etc/zowe.yaml” and made the suggested updates to zowe.yaml. It didn’t want the .kdb I defined, and I’m not sure any of the files it generated work with…anything anywhere else. There was no doc talking about these certs much at all, and I don’t want to mess with them with GSKKYMAN, or anything else, to figure out what I have now. Do I make these same key files available on other LPARs, or do I have to rerun the zwe init certificate there as well? Do those certs need the CA cert I created? What pieces of these keys might I have to distribute to a client that wants to connect to Zowe? I wanted to create just enough certificates so I could get Zowe to start, and to talk to its subtasks, like the cross-memory guy; does what I have so far enable…everything??? And most importantly, how can I determine that??? I don’t feel I know enough to ask more questions yet; maybe this is enough. Oh, one question I’ll have when this all works…can I move those certs into RACF, or do I have to create all new…things to put into a RACF keyring???

R;

Rob Hamilton, Infrastructure Engineer, Chemical Abstracts Service, A Division of the American Chemical Society
