From 9371b60477178b537acf43730f3aadab8ba40dd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Hern=C3=A1n=20Carle?= Date: Tue, 12 Nov 2024 18:14:54 +0100 Subject: [PATCH 1/4] add missing block, remove redundant table of contents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Pablo Hernán Carle --- .../configuring-at-tls-for-zowe-server.md | 29 +++++-------------- .../configuring-at-tls-for-zowe-server.md | 28 +++++------------- 2 files changed, 16 insertions(+), 41 deletions(-) diff --git a/docs/user-guide/configuring-at-tls-for-zowe-server.md b/docs/user-guide/configuring-at-tls-for-zowe-server.md index 96ac2bac77..ecd9adf2c1 100644 --- a/docs/user-guide/configuring-at-tls-for-zowe-server.md +++ b/docs/user-guide/configuring-at-tls-for-zowe-server.md 
@@ -5,27 +5,6 @@ You can configure parameters in the Zowe server to enable Zowe to work with AT-T :::info Role: security administrator ::: -- [Configuring AT-TLS for Zowe Server](#configuring-at-tls-for-zowe-server) - - [AT-TLS configuration for Zowe](#at-tls-configuration-for-zowe) - - [Limitations](#limitations) - - [AT-TLS rules](#at-tls-rules) - - [Inbound rules](#inbound-rules) - - [Outbound rules](#outbound-rules) - - [For z/OSMF](#for-zosmf) - - [For communication between API Gateway and other core services](#for-communication-between-api-gateway-and-other-core-services) - - [For communication between API Gateway and southbound services](#for-communication-between-api-gateway-and-southbound-services) - - [Services that validate tokens against the API Mediation Layer](#services-that-validate-tokens-against-the-api-mediation-layer) - - [Ciphers](#ciphers) - - [Using AT-TLS for API ML in High Availability](#using-at-tls-for-api-ml-in-high-availability) - - [Multi-tenancy deployment](#multi-tenancy-deployment) - - [AT-TLS Troubleshooting](#at-tls-troubleshooting) - - [The message `This combination of port requires SSL` is thrown when accesing an API ML service through a Browser](#the-message-this-combination-of-port-requires-ssl-is-thrown-when-accesing-an-api-ml-service-through-a-browser) - - [AT-TLS rules are not applied](#at-tls-rules-are-not-applied) - - [Non matching ciphers / protocols](#non-matching-ciphers--protocols) - - [Additional troubleshooting](#additional-troubleshooting) - - [Full example of AT-TLS configuration](#full-example-of-at-tls-configuration) - - [Additional Zowe feature configuration with AT-TLS](#additional-zowe-feature-configuration-with-at-tls) - ## AT-TLS configuration for Zowe Follow these steps to configure Zowe to support AT-TLS: 
@@ -110,6 +89,14 @@ TTLSConnectionAction ZoweServerConnectionAction TTLSCipherParmsRef CipherParms TTLSConnectionAdvancedParmsRef ZoweConnectionAdvParms } + +TTLSConnectionAdvancedParms ZoweConnectionAdvParms +{ + ApplicationControlled Off + ServerCertificateLabel apimlcert # Specify the personal server certificate used for the Zowe Server + CertificateLabel apimlcert # Specify the personal server certificate used for the Zowe Server + SecondaryMap Off +} ``` The `PortRange` of this inbound rule is taken from the list of API Mediation Layer components in the `zowe.yaml` file. The `PortRange` should cover the following components: diff --git a/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md b/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md index 32122e89e8..54faafb993 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md +++ b/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md 
@@ -5,26 +5,6 @@ You can configure parameters in the Zowe server to enable Zowe to work with AT-T :::info Role: security administrator ::: -- [AT-TLS configuration for Zowe](#at-tls-configuration-for-zowe) - - [Limitations](#limitations) -- [AT-TLS rules](#at-tls-rules) - - [Inbound rules](#inbound-rules) - - [Outbound rules](#outbound-rules) - - [For z/OSMF](#for-zosmf) - - [For communication between API Gateway and other core services](#for-communication-between-api-gateway-and-other-core-services) - - [For communication between API Gateway and southbound services](#for-communication-between-api-gateway-and-southbound-services) - - [Services that validate tokens against the API Mediation Layer](#services-that-validate-tokens-against-the-api-mediation-layer) - - [Ciphers](#ciphers) -- [Using AT-TLS for API ML in High Availability](#using-at-tls-for-api-ml-in-high-availability) -- [Multi-tenancy deployment](#multi-tenancy-deployment) -- [AT-TLS Troubleshooting](#at-tls-troubleshooting) - - [The message `This combination of port requires SSL` is thrown when accesing an API ML service through a Browser](#the-message-this-combination-of-port-requires-ssl-is-thrown-when-accesing-an-api-ml-service-through-a-browser) - - [AT-TLS rules are not applied](#at-tls-rules-are-not-applied) - - [Non matching ciphers / protocols](#non-matching-ciphers--protocols) - - [Additional troubleshooting](#additional-troubleshooting) -- [Full example of AT-TLS configuration](#full-example-of-at-tls-configuration) -- [Additional Zowe feature configuration with AT-TLS](#additional-zowe-feature-configuration-with-at-tls) - ## AT-TLS configuration for Zowe :::tip 
@@ -118,6 +98,14 @@ TTLSConnectionAction ZoweServerConnectionAction TTLSCipherParmsRef CipherParms TTLSConnectionAdvancedParmsRef ZoweConnectionAdvParms } + +TTLSConnectionAdvancedParms ZoweConnectionAdvParms +{ + ApplicationControlled Off + ServerCertificateLabel apimlcert # Specify the personal server certificate used for the Zowe Server + CertificateLabel apimlcert # Specify the personal server certificate used for the Zowe Server + SecondaryMap Off +} ``` The `PortRange` of this inbound rule is taken from the list of API Mediation Layer components in the `zowe.yaml` file. The `PortRange` should cover the following components: From 41baf88c7b812859014bc2306d65addc20b3f394 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Wed, 13 Nov 2024 15:08:31 +0100 Subject: [PATCH 2/4] minor language refactoring Signed-off-by: Andrew Jandacek --- .../configuring-at-tls-for-zowe-server.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/user-guide/configuring-at-tls-for-zowe-server.md b/docs/user-guide/configuring-at-tls-for-zowe-server.md index ecd9adf2c1..c14ab267f9 100644 --- a/docs/user-guide/configuring-at-tls-for-zowe-server.md +++ b/docs/user-guide/configuring-at-tls-for-zowe-server.md 
@@ -124,7 +124,7 @@ For more granularity in the AT-TLS rules, separate the rules that need to suppor Outbound rules in this section allow Zowe services to communicate with each other and to other southbound services using HTTP. :::caution Important: -Careful consideration needs to be set especially regarding which rules are to be configured to send a Client Certificate. Since configuration cannot be performed on a per-request basis it is essential not to configure the rule to send the Zowe Server certificate to the API Gateway or to a southbound service that supports X.509 Client Certificate authentication. Doing so will result in unintentionally authenticating the server ACID. +Careful consideration needs to be made regarding which rules are to be configured to send a Client Certificate. Since configuration cannot be performed on a per-request basis, it is essential not to configure the rule to send the Zowe Server certificate to the API Gateway or to a southbound service that supports X.509 Client Certificate authentication. Doing so will result in unintentionally authenticating the server ACID. ::: @@ -222,7 +222,7 @@ TTLSConnectionAdvancedParms ApimlClientX509ConnAdvParms In this example, the rule covers all outbound connections originating from the API Gateway to an example southbound service listening on port 8080. This rule applies for Zowe services as well, such as the ZSS and app-server if they are enabled. -This covers routing scenarios. +This example covers routing scenarios. ```bash TTLSRule ApimlServiceClientRule 
@@ -255,19 +255,19 @@ TTLSConnectionAdvancedParms ApimlClientNoX509ConnAdvParms :::caution Important -Outbound connections from the Gateway to southbound services (onboarded services) must not send the server certificate if the service accepts X.509 Client Certificate authentication. If the server certificate is sent, it is the server user who would be authenticated. +Outbound connections from the Gateway to southbound services (onboarded services) must not send the server certificate if the service accepts X.509 Client Certificate authentication. If the server certificate is sent, the server user is subsequently authenticated. ::: #### Services that validate tokens against the API Mediation Layer -In this scenario, the services will issue a request against the API Gateway to validate the received authentication token. +In this scenario, the services issue a request against the API Gateway to validate the received authentication token. -This scenario includes services that set `zoweJwt` as authentication scheme, those that require an Open ID Connect (OIDC) token, or forwarded X.509 certificates. +This scenario includes services that set `zoweJwt` as the authentication scheme, those that require an Open ID Connect (OIDC) token, or forwarded X.509 certificates. -In this case it is necessary to have an Outbound rule from the service to the API Gateway. +In this case, it is necessary to have an Outbound rule from the service to the API Gateway. -These service will also already have an outbound rule set for the onboarding process against the Discovery Service. +These service also already have an outbound rule set for the onboarding process against the Discovery Service. Ensure these rules are followed: From b2a677e3bd8ec6a954b98e95de975b65dbd58b63 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Wed, 13 Nov 2024 15:14:48 +0100 Subject: [PATCH 3/4] minor language refactoring 
Signed-off-by: Andrew Jandacek --- .../user-guide/configuring-at-tls-for-zowe-server.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md b/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md index 54faafb993..507438ffed 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md +++ b/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md @@ -133,7 +133,7 @@ For more granularity in the AT-TLS rules, separate the rules that need to suppor Outbound rules in this section allow Zowe services to communicate with each other and to other southbound services using HTTP. :::caution Important: -Careful consideration needs to be set especially regarding which rules are to be configured to send a Client Certificate. Since configuration cannot be performed on a per-request basis it is essential not to configure the rule to send the Zowe Server certificate to the API Gateway or to a southbound service that supports X.509 Client Certificate authentication. Doing so will result in unintentionally authenticating the server ACID. +Careful consideration needs to be made regarding which rules are to be configured to send a Client Certificate. Since configuration cannot be performed on a per-request basis, it is essential not to configure the rule to send the Zowe Server certificate to the API Gateway or to a southbound service that supports X.509 Client Certificate authentication. Doing so results in unintentionally authenticating the server ACID. ::: 
@@ -231,7 +231,7 @@ TTLSConnectionAdvancedParms ApimlClientX509ConnAdvParms In this example, the rule covers all outbound connections originating from the API Gateway to an example southbound service listening on port 8080. This rule applies for Zowe services as well, such as the ZSS and app-server if they are enabled. -This covers routing scenarios. +This example covers routing scenarios. ```bash TTLSRule ApimlServiceClientRule @@ -264,19 +264,19 @@ TTLSConnectionAdvancedParms ApimlClientNoX509ConnAdvParms :::caution Important -Outbound connections from the Gateway to southbound services (onboarded services) must not send the server certificate if the service accepts X.509 Client Certificate authentication. If the server certificate is sent, it is the server user who would be authenticated. +Outbound connections from the Gateway to southbound services (onboarded services) must not send the server certificate if the service accepts X.509 Client Certificate authentication. If the server certificate is sent, the server user is subsequently authenticated. ::: #### Services that validate tokens against the API Mediation Layer -In this scenario, the services will issue a request against the API Gateway to validate the received authentication token. +In this scenario, the services issue a request against the API Gateway to validate the received authentication token. This scenario includes services that set `zoweJwt` as authentication scheme, those that require an Open ID Connect (OIDC) token, or forwarded X.509 certificates. In this case it is necessary to have an Outbound rule from the service to the API Gateway. -These service will also already have an outbound rule set for the onboarding process against the Discovery Service. +These service also already have an outbound rule set for the onboarding process against the Discovery Service. Ensure these rules are followed: From 55d13ab70f7db0ac9323a218cc5c8222cef8dce9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pablo=20Hern=C3=A1n=20Carle?= Date: Wed, 13 Nov 2024 16:36:57 +0100 Subject: [PATCH 4/4] address pr review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Pablo Hernán Carle --- .../configuring-at-tls-for-zowe-server.md | 17 +++++++---------- .../configuring-at-tls-for-zowe-server.md | 17 +++++++---------- 2 files changed, 14 insertions(+), 20 deletions(-) diff --git a/docs/user-guide/configuring-at-tls-for-zowe-server.md b/docs/user-guide/configuring-at-tls-for-zowe-server.md index c14ab267f9..e65749fa80 100644 --- a/docs/user-guide/configuring-at-tls-for-zowe-server.md +++ b/docs/user-guide/configuring-at-tls-for-zowe-server.md @@ -97,6 +97,12 @@ TTLSConnectionAdvancedParms ZoweConnectionAdvParms CertificateLabel apimlcert # Specify the personal server certificate used for the Zowe Server SecondaryMap Off } + +# Keyring, used for TLS, will be used also to load trusted certificates +TTLSKeyringParms ZoweKeyring +{ + Keyring ZWEKRNG +} ``` The `PortRange` of this inbound rule is taken from the list of API Mediation Layer components in the `zowe.yaml` file. The `PortRange` should cover the following components: @@ -412,7 +418,6 @@ TTLSEnvironmentAction ZoweServerEnvironmentAction EnvironmentUserInstance 0 TTLSEnvironmentAdvancedParmsRef ServerEnvironmentAdvParms TTLSKeyringParmsRef ZoweKeyring - TTLSSignatureParmsRef TNESigParms } # Environment action for sample southbound service @@ -422,7 +427,6 @@ TTLSEnvironmentAction ZoweDCServerEnvironmentAction EnvironmentUserInstance 0 TTLSEnvironmentAdvancedParmsRef ServerEnvironmentAdvParms TTLSKeyringParmsRef ZoweKeyring - TTLSSignatureParmsRef TNESigParms } # Keyring, used for TLS, will be used also to load trusted certificates 
@@ -451,7 +455,6 @@ TTLSConnectionAction ZoweServerConnectionAction HandshakeRole ServerWithClientAuth # API ML Core Services use Client Certificate authentication TTLSCipherParmsRef CipherParms TTLSConnectionAdvancedParmsRef ZoweConnectionAdvParms - TTLSSignatureParmsRef TNESigParms } # API ML Server connection action. @@ -539,10 +542,9 @@ TTLSRule ApimlZLUXClientRule TTLSEnvironmentAction ApimlClientEnvironmentAction { HandshakeRole Client - TTLSKeyringParmsRef ApimlKeyring + TTLSKeyringParmsRef ZoweKeyring TTLSEnvironmentAdvancedParmsRef ClientEnvironmentAdvParms EnvironmentUserInstance 0 - TTLSSignatureParmsRef TNESigParms } TTLSEnvironmentAdvancedParms ClientEnvironmentAdvParms @@ -602,11 +604,6 @@ TTLSConnectionAdvancedParms ZoweClientX509ConnAdvParms TLSv1.3 On } -TTLSSignatureParms TNESigParms -{ - CLientECurves Any -} - # Example list of supported ciphers in handshake. Validate and filter this list based on local setup TTLSCipherParms CipherParms { diff --git a/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md b/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md index 507438ffed..0f3f56ca33 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md +++ b/versioned_docs/version-v2.18.x/user-guide/configuring-at-tls-for-zowe-server.md @@ -106,6 +106,12 @@ TTLSConnectionAdvancedParms ZoweConnectionAdvParms CertificateLabel apimlcert # Specify the personal server certificate used for the Zowe Server SecondaryMap Off } + +# Keyring, used for TLS, will be used also to load trusted certificates +TTLSKeyringParms ZoweKeyring +{ + Keyring ZWEKRNG +} ``` The `PortRange` of this inbound rule is taken from the list of API Mediation Layer components in the `zowe.yaml` file. The `PortRange` should cover the following components: 
@@ -420,7 +426,6 @@ TTLSEnvironmentAction ZoweServerEnvironmentAction EnvironmentUserInstance 0 TTLSEnvironmentAdvancedParmsRef ServerEnvironmentAdvParms TTLSKeyringParmsRef ZoweKeyring - TTLSSignatureParmsRef TNESigParms } # Environment action for sample southbound service @@ -430,7 +435,6 @@ TTLSEnvironmentAction ZoweDCServerEnvironmentAction EnvironmentUserInstance 0 TTLSEnvironmentAdvancedParmsRef ServerEnvironmentAdvParms TTLSKeyringParmsRef ZoweKeyring - TTLSSignatureParmsRef TNESigParms } # Keyring, used for TLS, will be used also to load trusted certificates @@ -459,7 +463,6 @@ TTLSConnectionAction ZoweServerConnectionAction HandshakeRole ServerWithClientAuth # API ML Core Services use Client Certificate authentication TTLSCipherParmsRef CipherParms TTLSConnectionAdvancedParmsRef ZoweConnectionAdvParms - TTLSSignatureParmsRef TNESigParms } # API ML Server connection action. @@ -533,10 +536,9 @@ TTLSRule ApimlZLUXClientRule TTLSEnvironmentAction ApimlClientEnvironmentAction { HandshakeRole Client - TTLSKeyringParmsRef ApimlKeyring + TTLSKeyringParmsRef ZoweKeyring TTLSEnvironmentAdvancedParmsRef ClientEnvironmentAdvParms EnvironmentUserInstance 0 - TTLSSignatureParmsRef TNESigParms } TTLSEnvironmentAdvancedParms ClientEnvironmentAdvParms @@ -596,11 +598,6 @@ TTLSConnectionAdvancedParms ZoweClientX509ConnAdvParms TLSv1.3 On } -TTLSSignatureParms TNESigParms -{ - CLientECurves Any -} - # Example list of supported ciphers in handshake. Validate and filter this list based on local setup TTLSCipherParms CipherParms {
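Review bot: In PATCH 1/4, the new `TTLSConnectionAdvancedParms ZoweConnectionAdvParms` block (both the `docs/` hunk and the `versioned_docs/version-v2.18.x` hunk) carries the identical comment `# Specify the personal server certificate used for the Zowe Server` on `ServerCertificateLabel apimlcert` and on `CertificateLabel apimlcert`. These are two distinct AT-TLS parameters, so either the comments should say what each one controls and why both are set to the same label, or, if one is redundant for a `ServerWithClientAuth` handshake role, drop it rather than leave readers to copy both without knowing which matters. Also worth a one-line comment on `ApplicationControlled Off` and `SecondaryMap Off`, since every other line in this snippet is annotated.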
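Review bot: The two copies of the `:::caution Important:` paragraph now diverge: PATCH 2/4 (`docs/`) keeps "Doing so will result in unintentionally authenticating the server ACID." while PATCH 3/4 (`versioned_docs`) changes the same sentence to "Doing so results in unintentionally authenticating the server ACID." Pick one wording and apply it to both files. "Careful consideration needs to be made regarding which rules" is also still awkward; consider "Consider carefully which rules are configured to send a Client Certificate." The heading line itself is `:::caution Important:` here but `:::caution Important` (no colon) in the later hunk of the same file; the admonition titles should match.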
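Review bot: In the `@@ -255,19 +255,19 @@` hunk of PATCH 2/4 and the `@@ -264,19 +264,19 @@` hunk of PATCH 3/4, "These service also already have an outbound rule set" keeps the number-agreement error from the original; it should read "These services already have an outbound rule set". The rewritten caution sentence "If the server certificate is sent, the server user is subsequently authenticated." is less precise than what it replaced: the point is that the southbound service authenticates the connection as the Zowe server's own user ID (the server ACID) instead of the end user, so something like "If the server certificate is sent, the service authenticates the connection as the server user, not the end user." says it directly. Finally, PATCH 2/4 adds "as the authentication scheme" and "In this case," but PATCH 3/4 leaves those two sentences unchanged in the versioned copy, so the files drift again.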
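Review bot: In PATCH 4/4, the `TTLSKeyringParms ZoweKeyring { Keyring ZWEKRNG }` block added to the inbound-rule snippet (both files) hardcodes the keyring name without the "Specify ..." style comment the neighbouring `CertificateLabel` lines get; add `# Specify the keyring that holds the Zowe server certificate and its trusted CAs` or similar so readers know `ZWEKRNG` is a site-specific value. Since `TTLSKeyringParms` is consumed through `TTLSKeyringParmsRef` in a `TTLSEnvironmentAction` (as the full example's `ZoweServerEnvironmentAction` shows), confirm that the environment action in this shorter snippet also carries `TTLSKeyringParmsRef ZoweKeyring`; otherwise the block is declared but never wired in.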
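Review bot: PATCH 4/4 removes `TTLSSignatureParmsRef TNESigParms` from `ZoweServerEnvironmentAction`, `ZoweDCServerEnvironmentAction`, `ZoweServerConnectionAction` and `ApimlClientEnvironmentAction` and deletes the `TTLSSignatureParms TNESigParms` block (whose `CLientECurves Any` line also had a capitalisation typo). A dangling `TTLSSignatureParmsRef` would stop the policy from loading, so please confirm no other reference to `TNESigParms` remains in either file. The commit message "address pr review" gives no reason for dropping the block; a sentence noting that the default curve handling is sufficient for this example (if that is the rationale) would help the next reader of the history.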
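Review bot: The `ApimlClientEnvironmentAction` hunks in PATCH 4/4 change `TTLSKeyringParmsRef ApimlKeyring` to `TTLSKeyringParmsRef ZoweKeyring`, which aligns the client environment with the `ZoweKeyring` block the full example defines. Please grep both files for any remaining `ApimlKeyring` so the full example does not still reference a `TTLSKeyringParms` block that is never declared.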