diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
index 2f74130ac0..5957329436 100755
--- a/gateway-package/src/main/resources/bin/start.sh
+++ b/gateway-package/src/main/resources/bin/start.sh
@@ -13,36 +13,71 @@ # Variables required on shell: # - JAVA_HOME # - ZWE_STATIC_DEFINITIONS_DIR -# - ZWE_zowe_certificate_keystore_alias - The default alias of the key within the keystore -# - ZWE_zowe_certificate_keystore_file - The default keystore to use for SSL certificates -# - ZWE_zowe_certificate_keystore_password - The default password to access the keystore supplied by KEYSTORE -# - ZWE_zowe_certificate_truststore_file +# - ZWE_configs_certificate_keystore_alias / ZWE_zowe_certificate_keystore_alias - The default alias of the key within the keystore +# - ZWE_configs_certificate_keystore_file / ZWE_zowe_certificate_keystore_file - The default keystore to use for SSL certificates +# - ZWE_configs_certificate_keystore_password / ZWE_zowe_certificate_keystore_password - The default password to access the keystore supplied by KEYSTORE +# - ZWE_configs_certificate_truststore_file / ZWE_zowe_certificate_truststore_file +# - ZWE_zowe_externalDomains_0 +# - ZWE_zowe_externalPort # - ZWE_zowe_job_prefix # - ZWE_zowe_logDirectory # - ZWE_zowe_runtimeDirectory # - ZWE_zowe_workspaceDirectory # Optional variables: +# - LAUNCH_COMPONENT # - CMMN_LB # - LIBPATH # - LIBRARY_PATH +# - QUICK_START +# - TMPDIR +# - ZWE_GATEWAY_SHARED_LIBS +# - ZWE_haInstance_hostname # - ZWE_components_discovery_port - the port the discovery service will use # - ZWE_configs_heap_max # - ZWE_configs_heap_init +# - ZWE_configs_sslDebug # - ZWE_configs_apimlId +# - ZWE_configs_apiml_connection_timeout +# - ZWE_configs_apiml_connection_idleConnectionTimeoutSeconds +# - ZWE_configs_apiml_connection_timeToLive +# - ZWE_configs_apiml_health_protected # - ZWE_configs_apiml_service_forwardClientCertEnabled -# - ZWE_configs_gateway_registry_enabled -# - ZWE_configs_certificate_keystore_alias - The alias of the key within the keystore -# - ZWE_configs_certificate_keystore_file - The keystore to use for SSL certificates -# - ZWE_configs_certificate_keystore_password - The password to access the keystore 
supplied by KEYSTORE -# - ZWE_configs_certificate_keystore_type - The keystore type to use for SSL certificates -# - ZWE_configs_certificate_truststore_file -# - ZWE_configs_certificate_truststore_type +# - ZWE_configs_apiml_security_auth_jwt_customAuthHeader +# - ZWE_configs_apiml_security_auth_passticket_customUserHeader +# - ZWE_configs_apiml_security_auth_passticket_customAuthHeader +# - ZWE_configs_apiml_security_authorization_endpoint_enabled +# - ZWE_configs_apiml_security_authorization_endpoint_url +# - ZWE_configs_apiml_security_authorization_provider +# - ZWE_configs_apiml_security_x509_enabled +# - ZWE_configs_apiml_security_x509_acceptForwardedCert +# - ZWE_configs_apiml_security_x509_certificatesUrl +# - ZWE_configs_apiml_security_x509_registry_allowedUsers +# - ZWE_configs_apiml_service_allowEncodedSlashes +# - ZWE_configs_apiml_service_corsEnabled +# - ZWE_configs_apiml_gateway_registry_enabled +# - ZWE_configs_apiml_gateway_registry_cachePeriodSec +# - ZWE_configs_apiml_gateway_registry_maxSimultaneousRequests +# - ZWE_configs_apiml_gateway_registry_metadataKeyAllowList +# - ZWE_configs_apiml_gateway_registry_refreshIntervalMs +# - ZWE_configs_certificate_keystore_alias / ZWE_zowe_certificate_keystore_alias - The alias of the key within the keystore +# - ZWE_configs_certificate_keystore_file / ZWE_zowe_certificate_keystore_file - The keystore to use for SSL certificates +# - ZWE_configs_certificate_keystore_password / ZWE_zowe_certificate_keystore_password - The password to access the keystore supplied by KEYSTORE +# - ZWE_configs_certificate_keystore_type / ZWE_zowe_certificate_keystore_type - The keystore type to use for SSL certificates +# - ZWE_configs_certificate_key_password / ZWE_zowe_certificate_key_password +# - ZWE_configs_certificate_truststore_file / ZWE_zowe_certificate_truststore_file +# - ZWE_configs_certificate_truststore_type / ZWE_zowe_certificate_truststore_type +# - ZWE_configs_certificate_truststore_password / 
ZWE_zowe_certificate_truststore_password +# - ZWE_configs_certificate_ciphers / ZWE_configs_ciphers # - ZWE_configs_debug # - ZWE_configs_port - the port the api gateway service will use # - ZWE_configs_server_maxConnectionsPerRoute # - ZWE_configs_server_maxTotalConnections # - ZWE_configs_server_ssl_enabled +# - ZWE_configs_server_webSocket_maxIdleTimeout +# - ZWE_configs_server_webSocket_connectTimeout +# - ZWE_configs_server_webSocket_asyncWriteTimeout +# - ZWE_configs_server_webSocket_requestBufferSize # - ZWE_configs_spring_profiles_active # - ZWE_zowe_network_server_tls_attls # - ZWE_DISCOVERY_SERVICES_LIST @@ -113,13 +148,14 @@ else externalProtocol="http" fi +GATEWAY_LOADER_PATH="" # Check if the directory containing the ZAAS shared JARs was set and append it to the ZAAS loader path if [ -n "${ZWE_GATEWAY_SHARED_LIBS}" ] then GATEWAY_LOADER_PATH=${ZWE_GATEWAY_SHARED_LIBS} fi -echo "Setting loader path: "${ZAAS_LOADER_PATH} +echo "Setting loader path: "${GATEWAY_LOADER_PATH} LIBPATH="$LIBPATH":"/lib" LIBPATH="$LIBPATH":"/usr/lib" 
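Review bot: The header now documents `ZWE_configs_apiml_gateway_registry_maxSimultaneousRequests`, `..._metadataKeyAllowList` and `..._refreshIntervalMs`, but the java invocation in the `@@ -205` hunk of this same file reads them as `ZWE_configs_gateway_registry_*` (no `apiml_`), so an operator following this list would set variables the script never looks at. One of the two has to change; since `cachePeriodSec` and `enabled` on the adjacent lines of that hunk and the schema's `apiml.gateway.registry` object both carry `apiml_`, the header entries look like the correct spelling. `ZWE_configs_certificate_ciphers / ZWE_configs_ciphers` and the `ZWE_configs_apiml_connection_*` entries are listed as inputs here but are not read in any hunk of this diff; if they are consumed elsewhere in the script a short `(read by …)` hint would help, otherwise they should not be advertised as inputs.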
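Review bot: The corrected `echo` still leaves the expansion outside the quotes; `echo "Setting loader path: ${GATEWAY_LOADER_PATH}"` prints a path containing spaces or glob characters intact instead of word-splitting it. `GATEWAY_LOADER_PATH` is taken verbatim from `ZWE_GATEWAY_SHARED_LIBS` and presumably handed to the JVM's loader path further down (not visible here), which means every JAR in that directory runs inside the gateway with its privileges; a note next to the new `GATEWAY_LOADER_PATH=""` such as `# Any JAR under ZWE_GATEWAY_SHARED_LIBS is loaded into the gateway JVM; the directory must not be writable by unprivileged users` records that trust assumption. The context comment above the `if` still calls this the "ZAAS" loader path although the variable it was renamed to is gateway-specific.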
@@ -184,12 +220,14 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
 -Dfile.encoding=UTF-8 \
 -Djava.io.tmpdir=${TMPDIR:-/tmp} \
 -Dspring.profiles.active=${ZWE_configs_spring_profiles_active:-} \
- -Dspring.profiles.include=$LOG_LEVEL \
+ -Dspring.profiles.include=${LOG_LEVEL} \
 -Dapiml.service.apimlId=${ZWE_configs_apimlId:-} \
- -Dapiml.security.x509.registry.allowedUsers=${ZWE_configs_apiml_security_x509_registry_allowedUsers:-} \
 -Dapiml.service.hostname=${ZWE_haInstance_hostname:-localhost} \
 -Dapiml.service.port=${ZWE_configs_port:-7554} \
 -Dapiml.service.forwardClientCertEnabled=${ZWE_configs_apiml_security_x509_enabled:-false} \
+ -Dapiml.security.x509.enabled=${ZWE_configs_apiml_security_x509_enabled:-false} \
+ -Dapiml.security.x509.acceptForwardedCert=${ZWE_configs_apiml_security_x509_acceptForwardedCert:-false} \
+ -Dapiml.security.x509.certificatesUrl=${ZWE_configs_apiml_security_x509_certificatesUrl:-} \
 -Dapiml.service.externalUrl="${externalProtocol}://${ZWE_zowe_externalDomains_0}:${ZWE_zowe_externalPort}" \
 -Dapiml.service.corsEnabled=${ZWE_configs_apiml_service_corsEnabled:-false} \
 -Dapiml.security.x509.registry.allowedUsers=${ZWE_configs_apiml_security_x509_registry_allowedUsers:-} \
@@ -205,12 +243,23 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
 -Dapiml.security.auth.jwt.customAuthHeader=${ZWE_configs_apiml_security_auth_jwt_customAuthHeader:-} \
 -Dapiml.security.auth.passticket.customUserHeader=${ZWE_configs_apiml_security_auth_passticket_customUserHeader:-} \
 -Dapiml.security.auth.passticket.customAuthHeader=${ZWE_configs_apiml_security_auth_passticket_customAuthHeader:-} \
+ -Dapiml.security.authorization.endpoint.enabled=${ZWE_configs_apiml_security_authorization_endpoint_enabled:-false} \
+ -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-} \
+ -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-} \
 -Dapiml.zoweManifest=${ZWE_zowe_runtimeDirectory}/manifest.json \
+ -Dapiml.gateway.cachePeriodSec=${ZWE_configs_apiml_gateway_registry_cachePeriodSec:-120} \
 -Dapiml.gateway.registry.enabled=${ZWE_configs_apiml_gateway_registry_enabled:-false} \
+ -Dapiml.gateway.maxSimultaneousRequests=${ZWE_configs_gateway_registry_maxSimultaneousRequests:-20} \
+ -Dapiml.gateway.registry.metadata-key-allow-list=${ZWE_configs_gateway_registry_metadataKeyAllowList:-} \
+ -Dapiml.gateway.refresh-interval-ms=${ZWE_configs_gateway_registry_refreshIntervalMs:-30000} \
 -Dserver.address=0.0.0.0 \
 -Deureka.client.serviceUrl.defaultZone=${ZWE_DISCOVERY_SERVICES_LIST} \
 -Dserver.maxConnectionsPerRoute=${ZWE_configs_server_maxConnectionsPerRoute:-100} \
 -Dserver.maxTotalConnections=${ZWE_configs_server_maxTotalConnections:-1000} \
+ -Dserver.webSocket.maxIdleTimeout=${ZWE_configs_server_webSocket_maxIdleTimeout:-3600000} \
+ -Dserver.webSocket.connectTimeout=${ZWE_configs_server_webSocket_connectTimeout:-45000} \
+ -Dserver.webSocket.asyncWriteTimeout=${ZWE_configs_server_webSocket_asyncWriteTimeout:-60000} \
+ -Dserver.webSocket.requestBufferSize=${ZWE_configs_server_webSocket_requestBufferSize:-8192} \
 -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \
 -Dserver.ssl.keyStore="${keystore_location}" \
 -Dserver.ssl.keyStoreType="${keystore_type}" \
@@ -220,10 +269,6 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
 -Dserver.ssl.trustStore="${truststore_location}" \
 -Dserver.ssl.trustStoreType="${truststore_type}" \
 -Dserver.ssl.trustStorePassword="${truststore_pass}" \
- -Dserver.webSocket.maxIdleTimeout=${ZWE_configs_server_webSocket_maxIdleTimeout:-3600000} \
- -Dserver.webSocket.connectTimeout=${ZWE_configs_server_webSocket_connectTimeout:-45000} \
- -Dserver.webSocket.asyncWriteTimeout=${ZWE_configs_server_webSocket_asyncWriteTimeout:-60000} \
- -Dserver.webSocket.requestBufferSize=${ZWE_configs_server_webSocket_requestBufferSize:-8192} \
 -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
 -Djavax.net.debug=${ZWE_configs_sslDebug:-""} \
 -Djava.library.path=${LIBPATH} \
diff --git a/gateway-service/src/main/resources/application.yml b/gateway-service/src/main/resources/application.yml
index 1d6d9d8719..d23625da9d 100644
--- a/gateway-service/src/main/resources/application.yml
+++ b/gateway-service/src/main/resources/application.yml
@@ -70,6 +70,7 @@ springdoc:
 apiml:
 catalog:
 serviceId: apicatalog
+ gateway:
 registry:
 enabled: false
 metadata-key-allow-list: zos.sysname,zos.system,zos.sysplex,zos.cpcName,zos.zosName,zos.lpar
diff --git a/schemas/gateway-schema.json b/schemas/gateway-schema.json
index 009f0701b8..f5774eb6f0 100644
--- a/schemas/gateway-schema.json
+++ b/schemas/gateway-schema.json
@@ -22,7 +22,12 @@
 },
 "debug": {
 "type": "boolean",
- "description": "Enable debug logs in gateway service"
+ "description": "Enable debug logs in gateway service",
+ "default": false
+ },
+ "sslDebug": {
+ "type": "string",
+ "description": "Configure attributes fro SSL config, see java property javax.net.debug."
 },
 "heap": {
 "type": "object",
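Review bot: The three new `-Dapiml.security.x509.*` arguments are passed unquoted while the `server.ssl.*` arguments in the same command quote theirs; `certificatesUrl` is a URL, and a `?` or `*` in it is subject to globbing and word splitting, so write `-Dapiml.security.x509.certificatesUrl="${ZWE_configs_apiml_security_x509_certificatesUrl:-}" \` (and likewise for the two booleans). The schema in this diff requires `certificatesUrl` whenever `acceptForwardedCert` is true, yet the script happily starts with `acceptForwardedCert=true` and an empty URL; unless the Java side rejects that combination itself, the script should refuse to start, because `acceptForwardedCert` is the switch that lets a caller assert the end user's identity through a request header. The guard below belongs just before the `java` invocation, whose first line lies outside this hunk. Not introduced here, but on the context line right above the additions: `apiml.service.forwardClientCertEnabled` is fed from `ZWE_configs_apiml_security_x509_enabled` rather than the `ZWE_configs_apiml_service_forwardClientCertEnabled` variable that the header and the schema's `service.forwardClientCertEnabled` document.
```shell
# acceptForwardedCert trusts a client certificate carried in a request header, gated only on
# the caller's own certificate fetched from certificatesUrl - refuse to start with that gate unset.
if [ "${ZWE_configs_apiml_security_x509_acceptForwardedCert:-false}" = "true" ] && [ -z "${ZWE_configs_apiml_security_x509_certificatesUrl:-}" ]; then
  echo "ZWE_configs_apiml_security_x509_acceptForwardedCert=true requires ZWE_configs_apiml_security_x509_certificatesUrl" >&2
  exit 1
fi
# … unchanged: start of the java invocation (outside this hunk) and the preceding -D arguments …
    -Dapiml.security.x509.enabled="${ZWE_configs_apiml_security_x509_enabled:-false}" \
    -Dapiml.security.x509.acceptForwardedCert="${ZWE_configs_apiml_security_x509_acceptForwardedCert:-false}" \
    -Dapiml.security.x509.certificatesUrl="${ZWE_configs_apiml_security_x509_certificatesUrl:-}" \
```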
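Review bot: `maxSimultaneousRequests`, `metadata-key-allow-list` and `refresh-interval-ms` read `ZWE_configs_gateway_registry_*`, while `cachePeriodSec` and `registry.enabled` on the neighbouring lines, the variable list at the top of this script and the schema's `apiml.gateway.registry` object all use `ZWE_configs_apiml_gateway_registry_*`; if zowe.yaml is flattened into environment variables the usual way, values set under `apiml.gateway.registry` for those three keys are silently ignored and the defaults win. The fix is `${ZWE_configs_apiml_gateway_registry_maxSimultaneousRequests:-20}`, `${ZWE_configs_apiml_gateway_registry_metadataKeyAllowList:-}` and `${ZWE_configs_apiml_gateway_registry_refreshIntervalMs:-30000}`. Separately, `-Dapiml.gateway.registry.metadata-key-allow-list=` is always passed, empty when the variable is unset; assuming the gateway resolves it through Spring's environment, where a system property outranks `application.yml`, the `zos.sysname,…` default added to `application.yml` in this same diff never applies, so either mirror that list as the shell default or omit the `-D` when the variable is empty. The new `authorization.endpoint.url` value should be quoted like the `server.ssl.*` arguments below, since it is a URL taken straight from configuration.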
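Review bot: The new `sslDebug` description has a typo ("fro") and says nothing about what switching it on does. `javax.net.debug` output is verbose and writes TLS handshake and certificate details into the service log, so the text should read as a diagnostic switch, e.g. `"Value for the java property javax.net.debug (for example ssl or ssl:handshake). Diagnostics only: output is verbose and contains TLS handshake details, so leave it unset in production."`. `debug` gained `"default": false`; giving `sslDebug` an explicit `"default": ""` would match what start.sh passes (`${ZWE_configs_sslDebug:-""}`) and make the "off" state visible in the schema.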
@@ -30,11 +35,116 @@ "properties": { "init": { "type": "integer", - "description": "Initial heap size in MB." + "description": "Initial heap size in MB.", + "default": 32 }, "max": { "type": "integer", - "description": "Maximum heap size in MB." + "description": "Maximum heap size in MB.", + "max": 512 + } + } + }, + "apimlId": { + "type": "string", + "pattern": "^[a-z0-9]{1,64}$", + "description": "Specifies identifier of the domain gateway for routing purpose in the central Gateway." + }, + "certificate": { + "type": "object", + "description": "Network encryption for gateway service connections.", + "properties": { + "enabled": { + "type": "boolean", + "description": "Should gateway use encrypted communication?", + "default": true + }, + "keystore": { + "type": "object", + "properties": { + "alias": { + "type": "string", + "description": "Specifies the alias used to address the private key in the keystore." + }, + "key": { + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Specifies the password associated with the private key." + } + } + }, + "file": { + "type": "string", + "description": "Specifies the keystore file used to store the private key. When using keyring, the value should be set to the SAF keyring location. For information about required certificates." + }, + "password": { + "type": "string", + "description": "Specifies the password used to unlock the keystore." 
+ }, + "type": { + "type": "string", + "pattern": "^((PKCS12)|(JCE.*RACFKS))$", + "description": "Specifies the type of the keystore.", + "default": "PKCS12" + } + }, + "allOf": [ + { + "if": { + "properties": { + "type": { + "pattern": "^JCE.*RACFKS$" + } + } + }, + "then": { + "properties": { + "file": { + "pattern": "^safkeyring[^:]*://" + } + } + } + } + ] + }, + "truststore": { + "type": "object", + "properties": { + "file": { + "type": "string", + "description": "Specifies the truststore file used to keep other parties public keys and certificates. When using keyring, this value should be set to the SAF keyring location. For information about required certificates." + }, + "password": { + "type": "string", + "description": "Specifies the password used to unlock the truststore." + }, + "type": { + "type": "string", + "pattern": "^((PKCS12)|(JCE.*RACFKS))$", + "description": "Specifies the truststore type. The default for this parameter is PKCS12.", + "default": "PKCS12" + } + }, + "allOf": [ + { + "if": { + "properties": { + "type": { + "pattern": "^JCE.*RACFKS$" + } + } + }, + "then": { + "properties": { + "file": { + "pattern": "^safkeyring[^:]*://" + } + } + } + } + ] } } }, 
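Review bot: `"max": 512` on `heap.max` is not a JSON Schema keyword, so validators ignore it silently; if 512 is meant as the default (mirroring `"default": 32` on `init`) write `"default": 512`, and if it is a ceiling write `"maximum": 512`. The new `certificate.enabled` ("Should gateway use encrypted communication?") duplicates `server.ssl.enabled` further down, and the start.sh hunks in this diff only read `ZWE_configs_server_ssl_enabled`; unless `certificate.enabled` is consumed somewhere not shown, a user who sets it to `false` still gets a gateway listening on TLS, so the two should be reconciled or one documented as an alias of the other. The `keystore.password`, `keystore.key.password` and `truststore.password` descriptions should say the value is a secret, since nothing else in the schema distinguishes them from ordinary strings.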
@@ -42,36 +152,258 @@ "type": "object", "description": "Zowe API ML specific properties.", "properties": { - "service": { + "connection": { "type": "object", "properties": { - "allowEncodedSlashes": { + "idleConnectionTimeoutSeconds" : { + "type": "integer", + "description": "Specifies a timeout limit for idle client connections, in seconds.", + "default": 5 + }, + "timeout": { + "type": "integer", + "description": "Specifies a timeout limit for a connection, in milliseconds.", + "default": 60000 + }, + "timeToLive": { + "type": "integer", + "description": "Specifies a timeout limit how long to keep open connection to be reused, in milliseconds.", + "default": 60000 + } + } + }, + "gateway": { + "type": "object", + "properties": { + "registry": { + "type": "object", + "description": "Gateway configuration of a service registry endpoint.", + "properties": { + "cachePeriodSec": { + "type": "integer", + "description": "Specifies time in seconds to expired of cached data about /registry endpoint.", + "default": 120 + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether the /registry endpoint is enabled.", + "default": false + }, + "maxSimultaneousRequests": { + "type": "integer", + "description": "Specifies amount of parallel connection to obtain information from other APIML instances about services to construct response of /registry endpoint.", + "default": 20 + }, + "metadataKeyAllowList": { + "type": "string", + "description": "Specifies what custom metadata are displayed in the /registry endpoint.", + "pattern": "^[^,]+(,[^,]+)*$" + }, + "refreshIntervalMs": { + "type": "integer", + "description": "Specifies time period in milliseconds for how often to update data in /registry endpoint.", + "default": 30000 + } + } + } + } + }, + "health": { + "type": "object", + "properties": { + "protected": { "type": "boolean", - "description": "Allow URLs on gateway to contain encoded slashes.", + "description": "Specifies if the /application/health 
endpoint is protected or accessible without any credentials.", "default": true + } + } + }, + "security": { + "type": "object", + "description": "Security configuration of the Gateway", + "properties": { + "auth": { + "type": "object", + "description": "Detail configuration of authentication schemes.", + "properties": { + "jwt": { + "type": "object", + "description": "Detail configuration of zoweJwt scheme.", + "properties": { + "customAuthHeader": { + "type": "string", + "description": "Additional header to set JWT token in case of zoweJwt scheme." + } + } + }, + "passticket": { + "type": "object", + "description": "Detail configuration of httpBasicPassTicket scheme.", + "properties": { + "customAuthHeader": { + "type": "string", + "description": "Additional header to set passticket in case of httpBasicPassTicket scheme." + }, + "customUserHeader": { + "type": "string", + "description": "Additional header to set userId in case of httpBasicPassTicket scheme." + } + } + }, + "uniqueCookie": { + "type": "boolean", + "default": false + } + } }, - "additionalRegistration": { - "type": "array", - "description": "List of additional Discovery Services URLs to register with and the routing patterns.", - "minItems": 1, - "items": { - "type": "object", - "properties": { - "discoveryServiceUrls": { - "type": "string", - "description": "List of Discovery Services URLs in one security domain. You can separate multiple urls by comma or semicolon." + "authorization": { + "type": "object", + "description": "Authorization configuration.", + "properties": { + "endpoint": { + "type": "object", + "description": "Configuration of SAF resource to check authorization via HTTP call.", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable provider based on endpoint. to verify SAF authorization.", + "default": false + }, + "url": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "URL of endpoint to verify SAF resource. Ie. 
https://<zss hostname>:<zss port>/saf-auth" + } + }, + "allOf": [ + { + "if": { + "properties": { + "enabled": { + "const": true + } + } + }, + "then": { + "required": [ + "url" + ] + } + } + ] + }, + "provider": { + "type": "string", + "enum": ["endpoint", "native", "dummy"], + "description": "Specifies security provider to be used by the Gateway." + } + }, + "allOf": [ + { + "if": { + "properties": { + "provider": { + "const": "endpoint" + } + } }, - "routes": { - "$ref": "#/$defs/routes" + "then": { + "required": [ + "endpoint" + ] } + } + ] + }, + "x509": { + "type": "object", + "description": "Client certificate configuration.", + "properties": { + "acceptForwardedCert": { + "type": "boolean", + "description": "To enable accepting client certificate from request header. It is used in domain APIML to accept forwarded client certificate by the caller.", + "default": false + }, + "certificatesUrl": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "URL of the trusted caller to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header." + }, + "enabled": { + "type": "boolean", + "default": false, + "description": "To enable accepting client certificate in the Gateway." }, - "required": ["discoveryServiceUrls","routes"] + "registry": { + "type": "object", + "description": "Security configuration of /registry endpoint.", + "properties": { + "allowedUsers": { + "type": "string", + "pattern": "^[*]?|([a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$", + "description": "Specifies the comma-separated list of users that are permitted to use /registry endpoints. The user is obtained from the common name in the provided client certificate." 
+ } + } + } + }, + "allOf": [ + { + "if": { + "properties": { + "acceptForwardedCert": { + "const": true + } + } + }, + "then": { + "required": [ + "certificatesUrl" + ] + } + } + ] + } + } + }, + "service": { + "type": "object", + "description": "General configuration of the Gateway.", + "properties": { + "additionalRegistration": { + "type": "object", + "description": "List of additional Discovery Services URLs to register with and the routing patterns.", + "patternProperties": { + "^[0-9]+$": { + "type": "object", + "properties": { + "discoveryServiceUrls": { + "type": "string", + "description": "List of Discovery Services URLs in one security domain. You can separate multiple urls by comma or semicolon." + }, + "routes": { + "$ref": "#/$defs/routes" + } + }, + "required": ["discoveryServiceUrls","routes"] + } } }, + "allowEncodedSlashes": { + "type": "boolean", + "description": "When this parameter is set to true, the Gateway allows encoded characters to be part of URL requests redirected through the Gateway.", + "default": true + }, "corsEnabled": { "type": "boolean", "description": "Allow CORS on gateway.", - "default": true + "default": false + }, + "forwardClientCertEnabled": { + "type": "boolean", + "description": "Enable forwarding client certificate to the next service or APIML.", + "default": false } } } 
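Review bot: The `x509.registry.allowedUsers` pattern `^[*]?|([a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$` restricts nothing: the alternation binds looser than the anchors, so the first branch `^[*]?` matches the empty prefix of every string and any value passes. The intended set (empty, `*`, or a comma-separated list of alphanumeric ids) is `"^(\\*|[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)?$"`. Both `x509.certificatesUrl` and `security.authorization.endpoint.url` accept `^(https?)://`; the first is where the gateway fetches the certificate that decides whose forwarded client certificates to trust and the second is the SAF authorization check, so over plain `http` an on-path attacker can substitute the certificate or the yes/no answer — restrict both to `^https://`, or at least state in the description that `http` is only acceptable on a loopback link. `auth.uniqueCookie` has no description at all.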
@@ -103,32 +435,30 @@ "connectTimeout": { "type": "integer", "description": "The gateway acts as a server and client. This parameters customizes the default connect timeout for its client role.", - "default": 15000 - }, - "stopTimeout": { - "type": "integer", - "description": "The gateway acts as a server and client. This parameters customizes the default stop timeout for its client role.", - "default": 30000 + "default": 45000 }, "asyncWriteTimeout": { "type": "integer", "description": "The gateway acts as a server and client. This parameters customizes the default async write timeout for its client role.", "default": 60000 + }, + "requestBufferSize": { + "type": "integer", + "description": "Specifies the buffer size in bytes to load request headers.", + "default": 8192 } } }, "ssl": { "type": "object", - "description": "Network encryption for gateway service connections.", "properties": { "enabled": { "type": "boolean", - "description": "Should gateway use encrypted communication?", + "description": "To enable SSL/tls layer.", "default": true } } } - } }, "spring": { 
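Review bot: `server.webSocket.stopTimeout` is removed from the schema with no deprecation note, and no start.sh hunk in this diff drops a matching `-D`; if the property is still read, the removal merely hides it from users, and if the enclosing object sets `additionalProperties: false` (not visible here) a zowe.yaml that still carries it now fails validation. `requestBufferSize` looks like the cap on request-header size (the name and the 8192 default suggest the servlet container's header buffer); if so, the description should say that requests whose headers exceed it are refused, which matters for deployments with large JWT cookies. `ssl.enabled` lost its object-level description and the replacement `"To enable SSL/tls layer."` reads worse than the text it replaced; `"Enable TLS on the Gateway's listening port."` is clearer.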
@@ -141,7 +471,90 @@ "properties": { "active": { "type": "string", - "description": "List of the active configuration profiles." + "description": "List of the active configuration profiles.", + "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$" + } + } + }, + "security": { + "type": "object", + "description": "Security configuration.", + "properties": { + "oauth2": { + "type": "object", + "description": "OAuth2 configuration values.", + "properties": { + "client": { + "type": "object", + "description": "Configuration of OAuth2 communication.", + "properties": { + "registration": { + "type": "object", + "description": "Provider specific values.", + "patternProperties": { + "^.+$": { + "clientId": { + "type": "string", + "description": "The client identifier." + }, + "clientSecret":{ + "type": "string", + "description": "The client secret." + }, + "redirectUri": { + "type": "string", + "description": "The client’s registered redirect URI that the Authorization Server redirects the end-user’s user-agent to after the end-user has authenticated and authorized access to the client." + }, + "scope": { + "type": "array", + "description": "The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.", + "items": { + "type": "string", + "description": "The scope identifier." + } + } + } + } + }, + "provider": { + "type": "object", + "description": "Provider specific values.", + "patternProperties": { + "^.+$": { + "authorizationUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The Authorization Endpoint URI for the Authorization Server." + }, + "tokenUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The Token Endpoint URI for the Authorization Server." + }, + "userInfoUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The URL of endpoint to obtain details about user by provided token." 
+ }, + "userNameAttribute": { + "type": "string", + "description": "The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user." + }, + "jwkSetUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The URI used to retrieve the JSON Web Key (JWK) Set from the Authorization Server, which contains the cryptographic key(s) used to verify the JSON Web Signature (JWS) of the ID Token and optionally the UserInfo Response." + } + } + } + } + } + } + } } } } @@ -180,6 +593,11 @@ }, "required": ["gatewayUrl","serviceUrl"] } + }, + "tlsType": { + "type": "string", + "description": "List of supported SSL/TLS protocols", + "enum": ["TLSv1.1", "TLSv1.2", "TLSv1.3", "TLSv1.4"] } } }
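Review bot: Under `oauth2.client.registration` and `oauth2.client.provider`, the `^.+$` pattern-property schema lists `clientId`, `clientSecret`, `authorizationUri` and the rest directly as keywords rather than under `"properties"`, so a JSON Schema validator treats them as unknown keywords and validates nothing — the `type`, `format` and `pattern` constraints never run. Each should be `"^.+$": { "type": "object", "properties": { "clientId": { … }, … } }`. `clientSecret` should be marked as a secret in its description, and `tokenUri` and `jwkSetUri` should not accept `http://`: the token endpoint receives the client secret and the JWK set is what the gateway uses to verify ID-token signatures, so fetching either over plaintext lets an on-path attacker steal the secret or substitute the signing key. The new `spring.profiles.active` pattern rejects profile names containing `-` or `_`; confirm no existing profile uses them before enforcing it.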
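Review bot: `tlsType` enumerates `TLSv1.4`, which does not exist, and `TLSv1.1`, which is deprecated (RFC 8996) and disabled by default in recent JDKs, while its description says "List of supported SSL/TLS protocols" although the type is a single string. `"enum": ["TLSv1.2", "TLSv1.3"]` with `"description": "TLS protocol version to use."` matches what a current JSSE will actually negotiate; if several versions are meant to be allowed, make it an array of that enum. Nothing in this diff references `#/$defs/tlsType`, so it may be dead until a property points at it.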