global AT-TLS configuration #3668

Merged
merged 13 commits into from
May 23, 2024
47 changes: 8 additions & 39 deletions docs/user-guide/api-mediation/configuration-at-tls.md
@@ -1,11 +1,9 @@
# Configuring AT-TLS for API Mediation Layer

The communication server on z/OS provides a functionality to encrypt HTTP communication for on-platform running jobs. This functionality is refered to as Application Transparent Transport Layer Security (AT-TLS).

Review this article for descriptions of the configuration parameters required to make the Zowe API Mediation Layer work with AT-TLS, and security recommendations.
Review this article for descriptions of the configuration parameters required to make Zowe API Mediation Layer work with AT-TLS, including AT-TLS inbound and outbound rules, Using AT-TLS in high availability, and troubleshooting. Security recommendations are also provided.

:::info Role: security administrator
:::
:::

- [AT-TLS configuration for Zowe](#at-tls-configuration-for-zowe)
- [AT-TLS rules](#at-tls-rules)
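Review bot: the rewritten summary sentence capitalises "Using AT-TLS in high availability" in the middle of a list, and the context line above it still reads "refered"; suggest "using AT-TLS in high availability" and "referred" while this paragraph is being edited. The `:::info` admonition also appears to end with two `:::` lines in this hunk; confirm that only one closing `:::` survives in the new text.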
@@ -24,50 +22,19 @@ Review this article for descriptions of the configuration parameters required to
Support for AT-TLS was introduced in Zowe v1.24. In this early version, startup was not possible in some versions of Zowe. For full support, we recommend that you upgrade to v2.13 or a later version of Zowe.
:::

Follow these steps to configure Zowe to support AT-TLS:

1. Enable the AT-TLS profile and disable the TLS application in API ML.
Update `zowe.yaml` with the following values under `gateway`, `discovery`, `api-catalog`, `caching-service` and `metrics-service` in the `zowe.components` section.

**Example:**

```yaml
zowe:
components:
gateway:
spring:
profiles:
active: attls
server:
ssl:
enabled: false
server:
internal:
ssl:
enabled: false

discovery:
spring:
profiles:
active: attls
server:
ssl:
enabled: false
```
While API ML does not handle TLS on its own with AT-TLS enabled, API ML requires information about the server certificate that is defined in the AT-TLS rule. Ensure that the server certificates provided by the AT-TLS layer are trusted in the configured Zowe keyring. Ideally, AT-TLS should be configured with the same Zowe keyring.

While API ML does not handle TLS on its own with AT-TLS enabled, API ML requires information about the server certificate that is defined in the AT-TLS rule. Esure that the server certificates provided by the AT-TLS layer are trusted in the configured Zowe keyring. Ideally, AT-TLS should be configured with the same Zowe keyring.

2. If there is an outbound AT-TLS rule configured for the link between the API Gateway and z/OSMF, set the `zowe.zOSMF.scheme` property to `http`.
If there is an outbound AT-TLS rule configured for the link between the API Gateway and z/OSMF, set the `zowe.zOSMF.scheme` property to `http`.

:::note Notes
* Currently, AT-TLS is not supported in the API Cloud Gateway Mediation Layer component.
* AT-TLS is supported in the API Cloud Gateway Mediation Layer component beginning with version 2.17.

* As the Gateway is a core component of API ML, other components that need to interact with the Gateway, such as Zowe ZLUX App Server, also require AT-TLS configuration.
:::

:::caution Important security consideration

Configuring AT-TLS for the Zowe API Mediation Layer requires careful consideration of security settings, specifically as these settings apply to the Client Certificate authentication feature in Zowe API Mediation Layer components, as well as for onboarded services that support the x.509 client certificates authentication scheme.
Configuring AT-TLS for the Zowe API Mediation Layer requires careful consideration of security settings. These security settings apply to the Client Certificate authentication feature in Zowe API Mediation Layer components, as well as for onboarded services that support the x.509 client certificates authentication scheme.

Outbound AT-TLS rules (i.e. to make a transparent https call through http) that are configured to send the server certificate should be limited to the services that __require__ service to service authentication. If an API ML-onboarded southbound service needs to support x.509 client certificate authentication, we recommend to use the integrated TLS handshake capabilities of API ML. Do not configure an outbound AT-TLS rule for these services.

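Review bot: the replacement for the "Ensure that the server certificates provided by the AT-TLS layer are trusted" line introduces a typo, "Esure"; the line it replaces spelled it correctly, so this should read "Ensure". Dropping the "2." prefix from "If there is an outbound AT-TLS rule configured ..." also leaves "1. Enable the AT-TLS profile ..." as the only numbered item under "Follow these steps to configure Zowe", so either keep the numbering or make both plain paragraphs. The note change from "not supported in the API Cloud Gateway" to "supported ... beginning with version 2.17" is a substantive support statement; the earlier admonition that recommends v2.13 or later should say that the Cloud Gateway needs 2.17 so the two statements agree.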
@@ -124,6 +91,8 @@ The `PortRange` of this inbound rule is taken from the list of API Mediation Lay
- API Catalog: default port 7552
- Metrics Service: default port 7551

**Follow this step:**

Replace `ApimlKeyring` with the keyring configured for your installation. Follow [the SAF keyring instructions](../../getting-started/zowe-certificates-overview.md#saf-keyring) in the article _Zowe Certificates overview_ to configure keyrings for your Zowe instance.

Note the setting `HandshakeRole`. This setting applies to core services which authenticate through certificates with each other. This setting allows the API Gateway to receive and accept X.509 client certificates from API Clients.
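Review bot: the new "**Follow this step:**" label introduces a single instruction (replace `ApimlKeyring`, follow the SAF keyring article) that the earlier procedure in this file would number; consider dropping the label or turning the instruction into a numbered step so the two procedures read consistently. The paragraph that follows ("Note the setting `HandshakeRole` ...") is an explanation rather than an action, so it should be visibly separated from the step, for example with its own "Note:" lead.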
23 changes: 23 additions & 0 deletions docs/user-guide/at-tls-configuration.md
@@ -0,0 +1,23 @@
# Enabling AT-TLS across your Zowe environment

The communication server on z/OS provides functionality to encrypt HTTP communication for on-platform jobs. This functionality is referred to as Application Transparent Transport Layer Security (AT-TLS).

:::info Required roles: security administrator
:::

## Configuration Parameters

To enable AT-TLS for Zowe components, configure the following parameters:
```yaml
zowe:
network:
server:
tls:
attls: true
```

## Component-Specific Configuration

For detailed configuration instructions specific to each component, refer to the following guides:
- [Configuring AT-TLS for API Mediation Layer](../user-guide/api-mediation/configuration-at-tls.md)
- [Using AT-TLS in the App Framework](../user-guide/mvd-configuration#using-at-tls-in-the-app-framework)
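Review bot: the new page sets `zowe.network.server.tls.attls: true` but does not say how this global flag relates to the per-component settings documented in the API ML guide (`spring.profiles.active: attls`, `server.ssl.enabled: false`); add a sentence stating whether the global flag replaces or supplements them, otherwise readers will configure both or neither. The two relative links are also inconsistent: the first uses `../user-guide/api-mediation/configuration-at-tls.md` and the second `../user-guide/mvd-configuration#using-at-tls-in-the-app-framework` without `.md`; since this file lives in `docs/user-guide/`, `./api-mediation/configuration-at-tls.md` and `./mvd-configuration.md#using-at-tls-in-the-app-framework` would be the straightforward forms.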
1 change: 1 addition & 0 deletions sidebars.js
@@ -200,6 +200,7 @@ module.exports = {
"user-guide/generate-certificates",
"user-guide/use-certificates",
"user-guide/certificates-setup",
"user-guide/at-tls-configuration",
],
},
{