Improve logging message when certificate is not forwarded (#3927)

Signed-off-by: Richard Salac <[email protected]>

apiml-security-common/src/main/java/org/zowe/apiml/security/common/verify/CertificateValidator.java

@@ -16,8 +16,6 @@
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
-import org.zowe.apiml.message.log.ApimlLogger;
-import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
 
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
@@ -36,9 +34,6 @@ public class CertificateValidator {
 
     final TrustedCertificatesProvider trustedCertificatesProvider;
 
-    @InjectApimlLogger
-    private final ApimlLogger apimlLog = ApimlLogger.empty();
-
     @Getter
     @Value("${apiml.security.x509.acceptForwardedCert:false}")
     private boolean forwardingEnabled;
@@ -72,8 +67,7 @@ public boolean isTrusted(X509Certificate[] certs) {
             .toList();
         for (X509Certificate cert : certs) {
             if (!trustedCerts.contains(cert)) {
-                apimlLog.log("org.zowe.apiml.security.common.verify.untrustedCert");
-                log.debug("Untrusted certificate is {}", cert);
+                log.debug("Certificate is not trusted by endpoint {}. Untrusted certificate is {}", proxyCertificatesEndpoints, cert);
                 return false;
             }
         }

apiml-security-common/src/main/resources/security-common-log-messages.yml

@@ -123,13 +123,6 @@ messages:
       reason: "The string sent by the central Gateway was not recognized as valid DER-encoded certificates in the Base64 printable form."
       action: "Check that the URL configured in apiml.security.x509.certificatesUrls responds with valid DER-encoded certificates in the Base64 printable form."
 
-    - key: org.zowe.apiml.security.common.verify.untrustedCert
-      number: ZWEAT505
-      type: ERROR
-      text: "Incoming request certificate is not one of the trusted certificates provided by the central Gateway."
-      reason: "The Gateway performs additional check of request certificates when the central Gateway forwards incoming client certificate to the domain Gateway. This check may fail when the certificatesUrl parameter does not point to proper central Gateway certificates endpoint."
-      action: "Check that the URL configured in apiml.security.x509.certificatesUrls points to the central Gateway and it responds with valid DER-encoded certificates in the Base64 printable form."
-
     # Various messages
     # 600-699
 

apiml-security-common/src/test/resources/security-service-messages.yml

@@ -93,13 +93,6 @@ messages:
       reason: "The string sent by the central Gateway was not recognized as valid DER-encoded certificates in the Base64 printable form."
       action: "Check that the URL configured in apiml.security.x509.certificatesUrls responds with valid DER-encoded certificates in the Base64 printable form."
 
-    - key: org.zowe.apiml.security.common.verify.untrustedCert
-      number: ZWEAT505
-      type: ERROR
-      text: "Incoming request certificate is not one of the trusted certificates provided by the central Gateway."
-      reason: "The Gateway performs additional check of request certificates when the central Gateway forwards incoming client certificate to the domain Gateway. This check may fail when the certificatesUrl parameter does not point to proper central Gateway certificates endpoint."
-      action: "Check that the URL configured in apiml.security.x509.certificatesUrls points to the central Gateway and it responds with valid DER-encoded certificates in the Base64 printable form."
-
     # Personal access token messages
     - key: org.zowe.apiml.security.query.invalidAccessTokenBody
       number: ZWEAT605