Users of third-party certificate management tools, such as Venafi, might need to take additional steps to get Zowe working. I've included a draft addition to the docs below.
If using a third-party tool to generate a self-signed intermediate certificate for Zowe, you might need to take the following extra steps during configuration:
Ask your Security Administrator to:
1. Note the specific root certificate with which the generated intermediate certificate was self-signed.
2. Add the generated intermediate certificate to Zowe's Keyring.
3. Add the root certificate to Zowe's Keyring.
Once the keyring has been configured, add the root certificate in the Default Zowe certificate section under pem.certificateAuthorities. Since this list can hold at most two entries, order them as follows:
1. The first entry should be your generated intermediate certificate authority.
2. The second (and final) entry should be the root certificate authority.
Example:
```yaml
pem:
  # key: /global/zowe/keystore/localhost/localhost.key
  # certificate: /global/zowe/keystore/localhost/localhost.cer
  # if keyrings, the format is "safkeyring:////stcusername/KeyName&ca name"
  key:
  certificate:
  certificateAuthorities:
    - "safkeyring:////ZWESVUSR/ZWEKEYRING.ZWEDFLT&CERTAUTH.AJMCA1"
    - "safkeyring:////ZWESVUSR/ZWEKEYRING.ZWEDFLT&CERTAUTH.AJMROOT"
```
Without adding the root certificate as described above, users will not be able to set verifyCertificates: STRICT.
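The failure described in the sentence above, reproduced with OpenSSL as an added example (this is not Zowe's code or documentation). PEM files and `openssl verify` stand in for the keyring and for the trust-path part of Zowe's STRICT check; the root (AJMROOT), intermediate (AJMCA1) and server (zowe.example) certificates are constructed on the fly and their names are placeholders. It shows that trusting the intermediate alone, or the root alone, does not complete the chain; the two-entry list with both is what makes verification succeed.

```shell
#!/bin/sh
# Added demo, not Zowe code: constructed root -> intermediate -> server chain,
# then the same trust-path check STRICT relies on, with different CA lists.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the constructed CA certificates and the server cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:zowe.example\n' > srv.ext

newkey_csr() {  # $1 = file prefix, $2 = subject CN; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}
newkey_csr root AJMROOT
newkey_csr int  AJMCA1
newkey_csr srv  zowe.example

# Root is self-signed; intermediate is signed by root; server by intermediate.
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -out int.pem -days 30 -extfile ca.ext >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial -out srv.pem -days 30 -extfile srv.ext >/dev/null 2>&1

# Stand-in for pem.certificateAuthorities: only what is in $1 is trusted.
# Returns 0 when a complete chain from $2 to a trusted self-signed root exists.
strict_verify() {  # $1 = CA bundle, $2 = certificate to verify
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cp int.pem only_intermediate.pem                 # the mistake the note describes
cp root.pem only_root.pem                        # root without the issuing intermediate
cat int.pem root.pem > intermediate_then_root.pem  # the documented two-entry list

for bundle in only_intermediate.pem only_root.pem intermediate_then_root.pem; do
  if strict_verify "$bundle" srv.pem; then
    echo "$bundle: chain OK"
  else
    echo "$bundle: chain INCOMPLETE (STRICT would reject)"
  fi
done
```

OpenSSL also rejects a trusted intermediate with no root unless `-partial_chain` is given, which is the behaviour the note relies on; the hostname check that STRICT performs in addition is not modelled here.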
Pages to Update
This seems like a decent candidate for inclusion on Troubleshooting certificate configuration.