zowe / zss

Zowe System Services Server for enabling low-level microservices
Eclipse Public License 2.0

Help needed: use own certificates held in RACF keystore #545

Closed lv198 closed 1 year ago

lv198 commented 1 year ago

Hello,

I have trouble getting Zowe V2.5 to work with our own certificates generated by our own CA. We are not using any certificate configuration provided by Zowe, because we have our own processes for that purpose.

What's working: I can access Zowe Desktop via Browser (and our valid certificate) and I can log on. So it seems that it can read the correct certificate from the keystore. What's not working: everything else. For example, I get these messages every 10 seconds:

error initing session: 17
failed to obtain JWK, status = 9
ZWES1606W Failed to get JWK - failed to send HTTP request, retry in 10 seconds

But I also cannot use any app on the desktop (for example, opening JES Explorer results in a useless logon screen).

This is my current certificate configuration in zowe.yaml (a bit anonymised):

certificate:
  keystore:
    alias: ZOWE_SERVER
    password: password
    file: safkeyring://ZWESVUSR/Keyring
    type: JCERACFKS
  truststore:
    type: JCERACFKS
    file: safkeyring://ZWESVUSR/Keyring
    password: password
  pem:
    key:
    certificate:
    certificateAuthorities:
      - safkeyring://ZWESVUSR/Keyring&OUR ROOT CA
      - safkeyring://ZWESVUSR/Keyring&OUR SSL CA
verifyCertificates: DISABLED

JoeNemo commented 1 year ago

Hi, can you post GSK tracing - or set up a debugging session meeting?

lv198 commented 1 year ago

Hi, that's a bit difficult for me, as our internal policies don't allow sharing that information with third parties :(

Is there documentation or a reference on how the certificate section should look in a working installation (I don't use the Zowe-delivered jobs, so I have to configure it manually)? In the past, I only found examples for PKCS12 keystores...

1000TurquoisePogs commented 1 year ago

Your certificate setup is potentially correct, but usually I see it slightly differently, like this:

certificate:
  keystore:
    alias: ZOWE_SERVER
    password: password
    # safkeyring should have 4 slashes. newer zowe may tolerate only 2, but older needs 4.
    file: safkeyring:////ZWESVUSR/Keyring
    type: JCERACFKS
  truststore:
    type: JCERACFKS
    file: safkeyring:////ZWESVUSR/Keyring
    password: password
  pem:
    # these seem to need to be empty quotes for keyrings.
    key: ""
    certificate: ""
    # only the root is needed, not an array.
    certificateAuthorities: "safkeyring:////ZWESVUSR/Keyring&OUR ROOT CA"
verifyCertificates: DISABLED

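
As an added check, not code from this thread or from the Zowe project: a small Python linter that applies the keyring rules from the comment above (four slashes in safkeyring URIs, empty-string pem key/certificate, a single root-CA string instead of a list) to a parsed zowe.yaml, and also flags verifyCertificates: DISABLED because that switches off peer certificate verification. The two sample configs are constructed from the YAML posted in this thread, and the rules are the maintainer's advice here rather than an official Zowe schema.

```python
"""Lint the certificate section of a zowe.yaml for the RACF keyring pitfalls raised
in this thread. The rules encode the maintainer's comment above (four slashes in
safkeyring URIs, empty pem key/certificate, one root-CA string); not an official schema."""

def safkeyring_ok(uri):
    # Per the thread, safkeyring:////USER/RING (four slashes) works on all versions.
    return isinstance(uri, str) and uri.startswith("safkeyring:////")

def lint_zowe_certificates(cfg):
    """Return human-readable findings for cfg, a parsed zowe.yaml as a dict."""
    findings = []
    cert = cfg.get("certificate", {})
    for store in ("keystore", "truststore"):
        s = cert.get(store, {})
        if s.get("type") != "JCERACFKS":
            findings.append(f"{store}.type should be JCERACFKS for a RACF keyring")
        if not safkeyring_ok(s.get("file")):
            findings.append(f"{store}.file should start with safkeyring://// (four slashes)")
    pem = cert.get("pem", {})
    for k in ("key", "certificate"):
        if pem.get(k) != "":
            findings.append(f'pem.{k} should be an empty string "" when using a keyring')
    cas = pem.get("certificateAuthorities")
    if isinstance(cas, list):
        findings.append("pem.certificateAuthorities should be one root-CA string, not a list")
    elif not (safkeyring_ok(cas) and "&" in cas):
        findings.append("pem.certificateAuthorities should look like safkeyring:////USER/RING&LABEL")
    if cfg.get("verifyCertificates") == "DISABLED":
        # Not a keyring pitfall, but worth surfacing: peer certificate checks are off.
        findings.append("verifyCertificates is DISABLED; re-enable once the keyring works")
    return findings

# Constructed samples (alias/password omitted): the section as the issue author
# posted it, and the maintainer's suggested variant, as dicts instead of YAML.
AS_POSTED = {"certificate": {
    "keystore": {"type": "JCERACFKS", "file": "safkeyring://ZWESVUSR/Keyring"},
    "truststore": {"type": "JCERACFKS", "file": "safkeyring://ZWESVUSR/Keyring"},
    "pem": {"key": None, "certificate": None, "certificateAuthorities": [
        "safkeyring://ZWESVUSR/Keyring&OUR ROOT CA", "safkeyring://ZWESVUSR/Keyring&OUR SSL CA"]}},
    "verifyCertificates": "DISABLED"}
AS_SUGGESTED = {"certificate": {
    "keystore": {"type": "JCERACFKS", "file": "safkeyring:////ZWESVUSR/Keyring"},
    "truststore": {"type": "JCERACFKS", "file": "safkeyring:////ZWESVUSR/Keyring"},
    "pem": {"key": "", "certificate": "",
            "certificateAuthorities": "safkeyring:////ZWESVUSR/Keyring&OUR ROOT CA"}},
    "verifyCertificates": "DISABLED"}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        print(name, lint_zowe_certificates(cfg) or ["no known pitfalls"])
```

Feed it the output of any YAML parser on a real zowe.yaml; the posted config yields six findings and the suggested one only the verifyCertificates note.
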
1000TurquoisePogs commented 1 year ago

Because you have an error 17, the reason may be buried within GSK. To enable GSK tracing, edit zowe/components/zss/bin/zssServer.sh and, toward the top, add:

export GSK_TRACE_FILE=/path/to/trace.trc
export GSK_TRACE=0xFF

This will make such a trace file at the path of your choosing.

Then this command outputs the trace file in human-readable format:

gsktrace /path/to/trace.trc

This may reveal errors such as lack of permission or encryption incompatibilities.

Unfortunately I think that's as much as we can help you without seeing such trace logs either in a meeting or sent to one of us, but I hope this helps!

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, but can be reopened if needed. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue has been automatically closed due to lack of activity. If this issue is still valid and important to you, it can be reopened.