zowe / zowe-install-packaging

Packaging repository for the Zowe install scripts and files
Eclipse Public License 2.0

Certificate issue after update to version 2.16 #3872

Closed rudatp closed 1 day ago

rudatp commented 1 week ago

We are using SAF keyrings, yaml section:

certificate:
  keystore:
    type: JCERACFKS
    file: "safkeyring:////STCZOWE/ZOWE"
    password: "password"
    alias: "ZOWE25"
  truststore:
    type: JCERACFKS
    file: "safkeyring:////STCZOWE/ZOWE"
    password: "password"
  pem:
    key:
    certificate:
    certificateAuthorities:

I updated ZOWE today to version 2.16 and startup fails with:

Validity Exceptions(s) with object at
Validity Exceptions(s) with object at /zowe
Schema at '/zowe/certificate' invalid
not oneOf schemas at '/zowe/certificate' are valid, 0 are
Validity Exceptions(s) with object at /zowe/certificate
Validity Exceptions(s) with object at /zowe/certificate/keystore
unequal constant value at /zowe/certificate/keystore/type; expecting value 'PKCS12' of type 'string'
Validity Exceptions(s) with object at /zowe/certificate/truststore
unequal constant value at /zowe/certificate/truststore/type; expecting value 'PKCS12' of type 'string'
Validity Exceptions(s) with object at /zowe/certificate/pem
type 'null' not permitted at /zowe/certificate/pem/key; expecting type 'string'
type 'null' not permitted at /zowe/certificate/pem/certificate; expecting type 'string'
Validity Exceptions(s) with object at /zowe/certificate
Validity Exceptions(s) with object at /zowe/certificate/pem
type 'null' not permitted at /zowe/certificate/pem/key; expecting type 'string'
type 'null' not permitted at /zowe/certificate/pem/certificate; expecting type 'string'

Can someone help?

Martin-Zeithaml commented 5 days ago

Hi, the problem is, there is no value provided for /zowe/certificate/pem/key and /zowe/certificate/pem/certificate. The schema validation is strict and requires a value. To avoid the schema validation problem, remove unused fields:

certificate:
  keystore:
    type: JCERACFKS
    file: "safkeyring:////STCZOWE/ZOWE"
    password: "password"
    alias: "ZOWE25"
  truststore:
    type: JCERACFKS
    file: "safkeyring:////STCZOWE/ZOWE"
    password: "password"
  pem:
    certificateAuthorities:
    - "safkeyring:////STCZOWE/CA1"
    - "safkeyring:////STCZOWE/CA2"

rudatp commented 2 days ago

Hi Martin

Thanks! That was it, now it works.

1000TurquoisePogs commented 2 days ago

The pem section was needed up until v2.9 but at that point became unused. Recently v2.16.0 fixed incorrect validation of empty entries which triggered the empty key and certificate fields to be seen as invalid, as they're literally null when previously the validation logic thought them to be empty strings.

I'd like to see a compatibility fix here, but for now you should also just remove the pem section entirely. It hasn't been needed in some time.

MarkAckert commented 1 day ago

Another issue will address this moving forward: https://github.com/zowe/zowe-common-c/issues/458. Since the initial question was resolved, I'll close this.
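
An added example, not part of the thread or of Zowe's code: a pre-upgrade check that lists the null leaves of a parsed zowe.yaml by the same paths the validator prints, then prunes them together with any section left empty. It flags every null leaf, which is broader than the schema (the output above only rejected pem/key and pem/certificate); `CONFIG` is a constructed dict standing in for a YAML parser's output, and `null_paths` and `prune_nulls` are hypothetical helper names.

```python
"""Find and prune null leaves in a parsed zowe.yaml (added example)."""

# Constructed sample: what a YAML parser yields for the config posted in
# the issue. A key written with no value ("key:") loads as None, not "".
SAF_RING = "safkeyring:////STCZOWE/ZOWE"
CONFIG = {"zowe": {"certificate": {
    "keystore": {"type": "JCERACFKS", "file": SAF_RING,
                 "password": "password", "alias": "ZOWE25"},
    "truststore": {"type": "JCERACFKS", "file": SAF_RING,
                   "password": "password"},
    "pem": {"key": None, "certificate": None,
            "certificateAuthorities": None},
}}}


def null_paths(node, path=""):
    """Return the slash-separated path of every null leaf below node."""
    if node is None:
        return [path or "/"]
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += null_paths(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += null_paths(value, f"{path}/{index}")
    return found


def prune_nulls(node):
    """Return a copy without null leaves or mappings/lists left empty."""
    empty = (None, {}, [])
    if isinstance(node, dict):
        kept = {k: prune_nulls(v) for k, v in node.items()}
        return {k: v for k, v in kept.items() if v not in empty}
    if isinstance(node, list):
        return [v for v in map(prune_nulls, node) if v not in empty]
    return node  # scalars, including "", are kept unchanged


if __name__ == "__main__":
    for p in null_paths(CONFIG):
        print("null value at", p)
    cleaned = prune_nulls(CONFIG)
    print("sections kept:", sorted(cleaned["zowe"]["certificate"]))
```
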