Document additional steps for users of third-party certificate management tools #4015

Closed
Andrew-J-Metzger opened this issue Nov 21, 2024 · 2 comments · Fixed by #4035

Comments

@Andrew-J-Metzger
Contributor

Description

Users of third-party certificate management tools, such as Venafi, might need to take additional steps to get Zowe working. I've included a draft addition to the docs below.

If using a third-party tool to generate a self-signed intermediate certificate for Zowe, you might need to take the following extra steps during configuration:

Ask your Security Administrator to:

  • Note the specific root certificate with which the generated intermediate certificate was self-signed.
  • Add the generated intermediate certificate to Zowe's Keyring.
  • Add the root certificate to Zowe's Keyring.

Once the keyring has been configured, add the root certificate in the Default Zowe certificate section under pem.certificateAuthorities. Since this can have (at most) two entries ...

  • The first entry should be your generated intermediate certificate authority.
  • The second, final, entry should be the root certificate authority.

Example:

  pem:
    # key: /global/zowe/keystore/localhost/localhost.key
    # certificate: /global/zowe/keystore/localhost/localhost.cer
    # if keyrings, the format is "safkeyring:////stcusername/KeyName&ca name"
    key:
    certificate:
    certificateAuthorities:
      - "safkeyring:////ZWESVUSR/ZWEKEYRING.ZWEDFLT&CERTAUTH.AJMCA1"
      - "safkeyring:////ZWESVUSR/ZWEKEYRING.ZWEDFLT&CERTAUTH.AJMROOT"

Without adding the root certificate as described above, users will not be able to set verifyCertificates: STRICT.

Pages to Update

This seems like a decent candidate for inclusion on Troubleshooting certificate configuration.
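
A pre-flight check for the keyring layout in the draft above, added here as an example; it is not part of the original issue or of the Zowe project. The function name and finding messages are hypothetical, the `safkeyring:////owner/ring&label` pattern follows the comment in the draft's YAML, and the same-keyring check is an assumption drawn from the draft's steps.

```python
import re

# Entry format as given in the draft's YAML comment:
#   safkeyring:////stcusername/KeyName&ca name
SAFKEYRING = re.compile(
    r"^safkeyring:////(?P<owner>[^/&]+)/(?P<ring>[^/&]+)&(?P<label>.+)$"
)


def check_intermediate_ca_setup(entries, verify_certificates):
    """Hypothetical helper: lint pem.certificateAuthorities for the
    intermediate-plus-root keyring layout described in the draft.
    Returns a list of findings; an empty list means nothing to flag."""
    findings, parsed = [], []
    for pos, entry in enumerate(entries, start=1):
        match = SAFKEYRING.match(entry.strip())
        if match is None:
            findings.append(f"entry {pos}: not in safkeyring:////owner/ring&label form")
        else:
            parsed.append(match.groupdict())
    if len(entries) > 2:
        findings.append("more than two entries; the draft allows at most two")
    labels = [p["label"] for p in parsed]
    if len(set(labels)) != len(labels):
        findings.append("same CA label listed twice")
    # Assumption: both CAs were connected to the same Zowe keyring.
    if len({(p["owner"], p["ring"]) for p in parsed}) > 1:
        findings.append("entries point at different keyrings")
    # Per the draft, STRICT needs the root CA as the second entry.
    if verify_certificates == "STRICT" and len(parsed) < 2:
        findings.append("STRICT set but no root CA entry after the intermediate")
    return findings


# Constructed sample input, using the values from the draft's example.
SAMPLE = [
    "safkeyring:////ZWESVUSR/ZWEKEYRING.ZWEDFLT&CERTAUTH.AJMCA1",
    "safkeyring:////ZWESVUSR/ZWEKEYRING.ZWEDFLT&CERTAUTH.AJMROOT",
]

if __name__ == "__main__":
    for case in (SAMPLE, SAMPLE[:1]):
        print(len(case), "entries:", check_intermediate_ca_setup(case, "STRICT") or "ok")
```

The check is static: it cannot tell which label is the root or confirm the signing relationship, so the order of the two entries still has to be confirmed against the keyring by the Security Administrator.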

@janan07
Collaborator

janan07 commented Nov 28, 2024

Hi Andrew, I can address this issue as you suggest. Thanks for the draft! You target the v2.18 version of this troubleshooting article. Should this be applied to v3.0 as well?

@Andrew-J-Metzger
Contributor Author

Yes, please! Thanks, Andrew. :)
