-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Native TLS documentation #3685
base: master
Are you sure you want to change the base?
Native TLS documentation #3685
Changes from 3 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
# Customizing Native TLS | ||
|
||
Zowe's servers have built-in TLS support to enable HTTPS connections. | ||
1000TurquoisePogs marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
This is the default, and an alternative to using AT-TLS which is [documented here](./at-tls-configuration). | ||
|
||
:::info Required role: security administrator | ||
::: | ||
|
||
## Server Parameters | ||
|
||
Each Zowe server can be customized either by defining attributes within the `zowe.network.server` object of the Zowe YAML configuration file. The same object can be put within an individual component's configuration, such as `components.zss.zowe.network.server` for ZSS, which will allow you to customize each component separate from others. | ||
|
||
Extensions are recommended to adhere to this configuration, but you must check with documentation for extensions to be sure. | ||
1000TurquoisePogs marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
### IP Addresses | ||
|
||
Zowe's servers by default use the TCP IP address `0.0.0.0` which assigns the servers to be available on all network interfaces available to the jobs. | ||
|
||
If this default is not desired, you can either change it either within Zowe or by setting [TCPIP port assignment statements](./address-network-requirements#ip-addresses). | ||
|
||
To customize this within Zowe, define the parameter `zowe.network.server.listenAddresses`. For example, to have all Zowe servers use IP `1.2.3.4`, except for App Server which will use IP `2.3.4.5`, set the following in your Zowe YAML: | ||
|
||
```yaml | ||
zowe: | ||
network: | ||
server: | ||
listenAddresses: | ||
- 1.2.3.4 | ||
components: | ||
app-server: | ||
zowe: | ||
network: | ||
server: | ||
listenAddresses: | ||
- 2.3.4.5 | ||
``` | ||
|
||
|
||
### TLS Versions | ||
|
||
By default, Zowe servers use TLSv1.3. | ||
1000TurquoisePogs marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
To customize this, you can use the parameters `zowe.network.server.tls.minTls` and `zowe.network.server.tls.maxTls`. The following values are allowed: | ||
|
||
* TLSv1.2 | ||
* TLSv1.3 | ||
|
||
Zowe defaults to the following configuration: | ||
|
||
```yaml | ||
zowe: | ||
network: | ||
tls: | ||
minTls: "TLSv1.2" | ||
maxTls: "TLSv1.3" | ||
Comment on lines
+55
to
+56
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this still exclusive with attls being enabled? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The schema does have these as exclusive. Maybe the doc should make this clear? It's a good point about a hybrid scenario. It's also difficult to make intuitive because people might think these settings would control AT-TLS when AT-TLS is enabled, but they're unrelated. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think so if we are not planning on removing this exclusion, although I think we should. |
||
``` | ||
|
||
### TLS Ciphers | ||
|
||
Zowe is always updating the ciphers used to follow industry best practice. | ||
|
||
Usually, the ciphers used by Zowe will match Mozilla's recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS | ||
|
||
To customize which ciphers Zowe uses, you can define a list of IANA cipher names within the Zowe YAML parameter `zowe.network.server.tls.ciphers`. A list of [IANA ciphers can be found here](https://testssl.sh/openssl-iana.mapping.html). | ||
|
||
|
||
## Client parameters | ||
|
||
The properties within `zowe.network.server.tls` can also be specified within `zowe.network.client.tls`. | ||
|
||
## Default and example | ||
The default TLS configuration changes regularly as needed for industry standards, however below is an example of the defaults: | ||
|
||
```yaml | ||
zowe: | ||
network: | ||
server: | ||
listenAddresses: | ||
- "0.0.0.0" | ||
tls: | ||
maxTls: "TLSv1.3" | ||
minTls: "TLSv1.2" | ||
ciphers: | ||
- "TLS_AES_128_GCM_SHA256" | ||
- "TLS_AES_256_GCM_SHA384" | ||
- "TLS_CHACHA20_POLY1305_SHA256" | ||
client: # Template below assigns same attributes as seen in server section | ||
tls: ${{ zowe.network.server.tls }} | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the title changes I think it should change the name of the file and the item in sidebars cc. @janan07
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think changing filenames can break bookmarks and google indexing so in the past I have left filenames outdated just so users still end up on the right page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could be, we already changed this one once, since the original title was API ML only. I think the search is not working properly in stable version atm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a note: if we want to change the names of the files, we should move the file and keep only the link to the new file on the original page.