zowe / zowe-install-packaging

Packaging repository for the Zowe install scripts and files
Eclipse Public License 2.0

Truststore does not contain external certificate #1277

Open jthyssenrocket opened 4 years ago

jthyssenrocket commented 4 years ago

Slack thread: https://openmainframeproject.slack.com/archives/CC08782AG/p1586975266034300

I have an external signed certificate with a CA chain with two certificates.

I run zowe-setup-certificates.sh with this input in zowe-setup-certificates.env:

```sh
[...]
VERIFY_CERTIFICATES=false
# optional - Path to a PKCS12 keystore with a server certificate for API
# Mediation Layer (APIML)
EXTERNAL_CERTIFICATE=/proj/ndx/var/zowe/certs/RS01.PFX
# optional - Alias of the certificate in the keystore
EXTERNAL_CERTIFICATE_ALIAS=rs01
# optional - Public certificates of trusted CAs - multiple certificates
# delimited with space have to be enclosed with quotes ("cer1 cer2")
EXTERNAL_CERTIFICATE_AUTHORITIES="/proj/ndx/var/zowe/certs/RS01.ISSUE.BASE64 /proj/ndx/var/zowe/certs/RS01.ROCKET.BASE64"
# optional - Public certificates of z/OSMF - multiple certificates
# delimited with space have to be enclosed with quotes ("cer1 cer2")
ZOSMF_CERTIFICATE=
[...]
```

Problem:

When I start Zowe I get SSL errors:

```
Problem making eureka request { Error: write EPROTO 2390030415529246721:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/ssl/s3_pkt.c:1498:SSL alert number 46
2390030415529246721:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:659:
    at WriteWrap.afterWrite [as oncomplete] (net.js:868:14) errno: 'EPROTO', code: 'EPROTO', syscall: 'write' }
```

The solution (suggested by Petr P) was to add the public server certificate to the truststore:

```sh
keytool -import -alias public1 -file public.cer-ebcdic -storetype PKCS12 -storepass xxxxxx -keystore localhost.truststore.p12
```

I copied the public server certificate from my browser pointed to the Zowe homepage.

The zowe-setup-certificates.sh script chain should be updated to perform this automatically.

Another potential issue is that, despite two external CA certs being supplied, zowe-setup-certificates.sh generates:

```sh
KEYSTORE_CERTIFICATE_AUTHORITY=/proj/ndx/var/zowe/keystore/local_ca/localca.cer-ebcdic
```

where localca.cer-ebcdic is Zowe's own CA. Shouldn't it contain my CAs as well? E.g.,

```sh
KEYSTORE_CERTIFICATE_AUTHORITY="/proj/ndx/var/zowe/keystore/local_ca/localca.cer-ebcdic,/proj/ndx/var/zowe/keystore/local_ca/extca.1.cer-ebcdic,/proj/ndx/var/zowe/keystore/local_ca/extca.2.cer-ebcdic"
```
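The report above turns on two things: whether the CA files named in EXTERNAL_CERTIFICATE_AUTHORITIES actually form a complete chain for the server certificate in EXTERNAL_CERTIFICATE, and whether those CAs end up in the generated truststore rather than only Zowe's local CA. The script below is an added pre-flight check, not part of zowe-install-packaging; it assumes `openssl` and `keytool` are on the PATH of the machine where it runs, and every path, alias and password in it is a placeholder. The `join_with_commas` helper produces the comma-delimited form the reporter proposes for KEYSTORE_CERTIFICATE_AUTHORITY from the space-delimited EXTERNAL_CERTIFICATE_AUTHORITIES value.

```shell
#!/bin/sh
# Added example, not project code. Pre-flight checks for the external
# certificate inputs of zowe-setup-certificates.env. All paths below are
# placeholders; on z/OS, convert EBCDIC .cer files with iconv to ASCII first
# or run this on a workstation copy.

# Turn the space-delimited, quoted EXTERNAL_CERTIFICATE_AUTHORITIES list
# into the comma-delimited KEYSTORE_CERTIFICATE_AUTHORITY form. POSIX sh.
join_with_commas() {
    out=""
    for f in $1; do
        if [ -z "$out" ]; then out="$f"; else out="$out,$f"; fi
    done
    printf '%s' "$out"
}

# Number of entries in a space-delimited list; a two-level external chain
# (root + issuing CA) should give 2, not 1.
count_entries() {
    n=0
    for f in $1; do n=$((n + 1)); done
    printf '%s' "$n"
}

# 0 if every file in the space-delimited list exists and is readable.
all_files_readable() {
    for f in $1; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# Check that the server certificate inside the PKCS12 keystore chains to the
# supplied CA files. Returns 2 when openssl is not installed, 1 on failure.
verify_chain() {
    pfx=$1; pass=$2; cas=$3
    command -v openssl >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 1
    cat $cas > "$tmp/chain.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$tmp/leaf.pem" || { rm -rf "$tmp"; return 1; }
    openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Show what the generated truststore really trusts; the external CA aliases
# should appear next to Zowe's local CA. Returns 2 when keytool is missing.
list_truststore() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2"
}

# Usage (placeholders, adjust to your environment):
#   CAS="/path/to/RS01.ISSUE.pem /path/to/RS01.ROCKET.pem"
#   all_files_readable "$CAS" && verify_chain /path/to/RS01.PFX 'pfxpass' "$CAS"
#   echo "KEYSTORE_CERTIFICATE_AUTHORITY=\"$(join_with_commas "$CAS")\""
#   list_truststore /path/to/keystore/localhost/localhost.truststore.p12 'storepass'
```

If `verify_chain` fails before zowe-setup-certificates.sh is ever run, the CA list is incomplete or in the wrong encoding, and no amount of truststore import will fix the handshake. Importing the leaf server certificate itself, as in the workaround above, makes the APIML components trust that one certificate only, so the error returns when the certificate is renewed; importing the issuing and root CAs survives renewal.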

NayerNajafi commented 4 years ago

We are getting the same issue (error message) after configuring Zowe 1.9.0 certificate with an external certificate signed by an external certificate authority (CA). We ran zowe-setup-certificates.sh with the following external certificate parameters:

```sh
VERIFY_CERTIFICATES=false
KEYSTORE_DIRECTORY=/u/ibmuser/zowe/keystore
EXTERNAL_CERTIFICATE=/u/ibmuser/zowe/externalkeystore/ZoweTutorial.p12
EXTERNAL_CERTIFICATE_AUTHORITIES="/u/ibmuser/zowe/externalkeystore/carootcert.cer /u/ibmuser/zowe/externalkeystore/caintermediatecert.cer"
EXTERNAL_CERTIFICATE_ALIAS=zowe-tutorial
KEYSTOREPASSWORD=password
```

zowe-setup-certificates.sh ran successfully. I have this message in the Zowe log while restarting Zowe:

```
ZWESVUSR WARN (_zsf.apiml,apiml.js:195) Error: write EPROTO 1976209423206449153:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46 at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_basecommons.js:87:16) { errno: 'EPROTO',
code: 'EPROTO',
syscall: 'write'
```

I am able to log on to Zowe Desktop and the certificate presented in the browser is correct, but APIML services are not started, and the API Catalog and the explorers are not working.


Thanks for opening this issue.

FYI: @NakulManchanda

jthyssenrocket commented 4 years ago

@NayerNajafi The solution for me was:

a) Download the external certificate using my browser when pointed to the Zowe virtual desktop.
b) Save the certificate in a USS file (e.g., public.cer-ebcdic).
c) Import the external certificate into the truststore:

```sh
keytool -import -alias public1 -file public.cer-ebcdic -storetype PKCS12 -storepass xxxxxx -keystore localhost.truststore.p12
```

d) Recycle Zowe.

bohns commented 4 years ago

@vit-tomica I have been trying to figure out why importing EXTERNAL_CERTIFICATE into the truststore would make things work. The only thing I can think of is if EXTERNAL_CERTIFICATE is being presented as a client certificate. And looking at the certificate_unknown error I am getting (in my other issue), it looks to me like that is the case:

```
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
```

If the self-signed Zowe certificate is used, apparently this client certificate is not presented (because the Zowe cert is not in the truststore) when the session is established. It's only when an EXTERNAL_CERTIFICATE is used.

vit-tomica commented 4 years ago

@bohns The APIML in Zowe consists of three components that are talking to each other over https using a certificate (either external or one created by Zowe). I think that could explain the error message that you see; one component wants to talk to another one so it behaves like a client. I don't know where the nuance is that EXTERNAL_CERTIFICATE has to be in truststore whereas a certificate created by Zowe does not. I think it could be because of a problem with establishing a chain of trust for the EXTERNAL_CERTIFICATE.