Problems in ZOWE 2.12 using a certificate signed by a CA Intermediate and a CA Root

[mhernandezf]

We installed Zowe 2.12 in z/OS 2.5 several months ago, and configured using zowe.yaml scenario 1 “PKCS12 (keystore) with Zowe generated certificates”, without any problems.

We also configured Zowe using scenario 3 “z/OS Keyring with Zowe generated certificates”, and after manually adding to the keyring (used as keystore and truststore) the CA Intermediate and CA-Root who signed the z/OSMF certificate, everything worked correctly.

The problems began trying to use in Zowe a certificate signed by our internal PKI, with CA Intermediate and CA Root (the same as z/OSMF). We configured Zowe using zowe.yaml scenario 4 “z/OS Keyring and connect to existing certificate”. All the other zowe.yaml parameters except certificate parameters are the same in scenario 1, 3 and 4.

We are using a RACF keyring with Zowe certificate, CA Intermediate and CA Root.

With this configuration, we got the following error message:

ZWEAG108E z/OSMF instance 'zosmf' not found or incorrectly configured. Gateway is shutting down.

We solved this initial problem setting to DISABLED the “verifyCertificates” parameter in zowe.yaml. Notice that we got the same message using STRICT and NONSTRICT values, so the problem was validating if the certificate is trusted in truststore.
After that change Zowe started and we validated API ML using https://domain:port

But we have problems trying to access Desktop using https://domain:port/zlux/ui/v1/

We are getting the following messages in Zowe joblog:

2024-08-07 06:51:53.226 <ZWED:83952223> IZUSVR WARN (org.zowe.zlux.auth.safsso, apimlHandler.js:324) APIML login has failed:
2024-08-07 06:51:53.227 <ZWED:83952223> IZUSVR WARN (org.zowe.zlux.auth.safsso, apimlHandler.js:325)  ÝError: 4471D00000000001:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46
~ {                                                                            
  library: 'SSL routines',                                                     
  reason: 'sslv3 alert certificate unknown',                                   
  code: 'ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN'                              
}                                                                              
2024-08-07 06:51:53.227 <ZWED:83952223> IZUSVR WARN (_zsf.auth,webauth.js:378) ZWED0003W - User=undefined (org.zowe.zlux.auth.safsso): Session authenticate failed. Plugin response: {"success":false,"reason":"Unknown","error":{"message":"APIML 4471D00000000001:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586: SSL alert number 46\n"},"apiml":true,"zss":false,"sso":true,"canChangePassword":false}

We think that the problem is around certificates, but we are not able to found what is wrong.
Maybe Zowe cannot work with two CAs?

[1000TurquoisePogs]

Zowe can and does work with intermediate CAs, but a common issue can be certificates that aren't valid for Zowe's use as seen here https://docs.zowe.org/stable/user-guide/configure-certificates/#zowe-certificate-requirements