Open jthyssenrocket opened 4 years ago
We are getting the same issue (error message) after configuring Zowe 1.9.0 certificate with an external certificate signed by an external certificate authority (CA). We ran zowe-setup-certificates.sh with the following external certificate parameters:
VERIFY_CERTIFICATES=false
KEYSTORE_DIRECTORY=/u/ibmuser/zowe/keystore
EXTERNAL_CERTIFICATE=/u/ibmuser/zowe/externalkeystore/ZoweTutorial.p12
EXTERNAL_CERTIFICATE_AUTHORITIES="/u/ibmuser/zowe/externalkeystore/carootcert.cer /u/ibmuser/zowe/externalkeystore/caintermediatecert.cer"
EXTERNAL_CERTIFICATE_ALIAS=zowe-tutorial
KEYSTOREPASSWORD=password
zowe-setup-certificates.sh was run successfully. I have this message in the Zowe log while restarting Zowe:
code: 'EPROTO',
syscall: 'write'
I am able to log on to the Zowe Desktop, and the certificate presented in the browser is correct, but the APIML services are not started, and the API Catalog and the explorers are not working.
Thanks for opening this issue.
FYI: @NakulManchanda
@NayerNajafi The solution for me was:
a) Download the external certificate using my browser when pointed to the Zowe virtual desktop.
b) Save the certificate in a USS file (e.g., public.cer-ebcdic)
c) Import the external certificate into the truststore: keytool -import -alias public1 -file public.cer-ebcdic -storetype PKCS12 -storepass xxxxxx -keystore localhost.truststore.p12
d) Recycle Zowe
@vit-tomica I have been trying to figure out why importing EXTERNAL_CERTIFICATE into the truststore would make things work. The only thing I can think of is if EXTERNAL_CERTIFICATE is being presented as a client certificate. And looking at the certificate_unknown error I am getting (in my other issue), it looks to me like that is the case:
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
If the self-signed Zowe certificate is used, apparently this client certificate is not presented (because the Zowe cert is not in the truststore) when the session is established. It's only when an EXTERNAL_CERTIFICATE is used.
@bohns The APIML in Zowe consists of three components that are talking to each other over https using a certificate (either external or one created by Zowe). I think that could explain the error message that you see; one component wants to talk to another one so it behaves like a client. I don't know where the nuance is that EXTERNAL_CERTIFICATE has to be in truststore whereas a certificate created by Zowe does not. I think it could be because of a problem with establishing a chain of trust for the EXTERNAL_CERTIFICATE.
Slack thread: https://openmainframeproject.slack.com/archives/CC08782AG/p1586975266034300
I have an external signed certificate with a CA chain with two certificates.
I run zowe-setup-certificates.env with input:
Problem:
When I start Zowe I get SSL errors:
The solution (suggested by Petr P) was to add the public server certificate to the truststore:
keytool -import -alias public1 -file public.cer-ebcdic -storetype PKCS12 -storepass xxxxxx -keystore localhost.truststore.p12
I copied the public server certificate from my browser pointed to the Zowe homepage.
The zowe-setup-certificates.sh script chain should be updated to perform this automatically.
Another potential issue is that, despite having two external CA certs, zowe-setup-certificates.sh generates:
KEYSTORE_CERTIFICATE_AUTHORITY=/proj/ndx/var/zowe/keystore/local_ca/localca.cer-ebcdic
where localca.cer-ebcdic is Zowe's own CA. Shouldn't it contain my CAs as well? E.g.,
KEYSTORE_CERTIFICATE_AUTHORITY="/proj/ndx/var/zowe/keystore/local_ca/localca.cer-ebcdic,/proj/ndx/var/zowe/keystore/local_ca/extca.1.cer-ebcdic,/proj/ndx/var/zowe/keystore/local_ca/extca.2.cer-ebcdic"
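The check behind this thread is whether the truststore that one APIML component uses as a TLS client can actually validate the server certificate (and its external CA chain) that another component presents. The following is an added example, not part of Zowe or zowe-setup-certificates.sh: it reads the certificates out of a PKCS12 truststore with openssl (instead of keytool) and runs openssl verify against the server chain, so a wrong truststore shows up before Zowe is recycled. File names, the password argument and the `-legacy` fallback for keytool-written PKCS12 files under OpenSSL 3 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Zowe project code): does this PKCS12 truststore
# trust the server certificate chain that an APIML component presents?
#
# Usage: truststore_trusts TRUSTSTORE.p12 STOREPASS SERVER_CHAIN.pem
#   SERVER_CHAIN.pem holds the server (leaf) cert first, followed by any
#   intermediate CA certs, as a browser export or the EXTERNAL_CERTIFICATE
#   would give you after conversion to PEM.
# Returns 0 when the chain validates against the truststore, 1 when it
# does not (the certificate_unknown case), 2 on a usage or tooling error.
truststore_trusts() {
  ts="$1"; pw="$2"; chain="$3"
  [ -r "$ts" ] && [ -r "$chain" ] || return 2
  command -v openssl >/dev/null 2>&1 || return 2
  cas=$(mktemp) || return 2

  # Dump every certificate in the truststore (never private keys) as PEM.
  # Truststores written by older keytool versions use RC2/3DES bags, which
  # OpenSSL 3 only decrypts with the legacy provider, hence the fallback.
  if ! openssl pkcs12 -in "$ts" -nokeys -passin "pass:$pw" -out "$cas" 2>/dev/null &&
     ! openssl pkcs12 -legacy -in "$ts" -nokeys -passin "pass:$pw" -out "$cas" 2>/dev/null; then
    rm -f "$cas"; return 2
  fi

  # Trust anchors come only from the truststore (-CAfile). The chain file
  # is offered as -untrusted so intermediates can be used to reach an
  # anchor but are never trusted on their own; the first cert in the
  # positional argument is the leaf being verified.
  if openssl verify -CAfile "$cas" -untrusted "$chain" "$chain" >/dev/null 2>&1; then
    rm -f "$cas"; return 0
  fi
  rm -f "$cas"; return 1
}
```

If the function returns 1 for the truststore that Zowe's APIML components use, that truststore is missing the server certificate's CA chain (or the server certificate itself), which is exactly what the keytool -import in the comments above repairs.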