support protocols and ciphers by #3637
Signed-off-by: Pavel Jareš <[email protected]>
pj892031 committed Aug 23, 2024
1 parent 2b9be75 commit c92bcdf
Showing 2 changed files with 84 additions and 14 deletions.
51 changes: 48 additions & 3 deletions gateway-package/src/main/resources/bin/start.sh
Expand Up @@ -175,6 +175,50 @@ ADD_OPENS="--add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/sun.nio.ch=ALL-UNNAMED
--add-opens=java.base/java.io=ALL-UNNAMED"

get_enabled_protocol_limit()
{
target=$1
type=$2
key_component=ZWE_configs_zowe_network_${target}_tls_${type}Tls
key_zowe=ZWE_zowe_network_${target}_tls_${type}Tls
echo ${!key_component:-${!key_zowe:-}}
}

get_enabled_protocol()
{
target=$1
enabled_protocols_min=$(get_enabled_protocol_limit "${target}" "min")
enabled_protocols_max=$(get_enabled_protocol_limit "${target}" "max")

if [ "${enabled_protocols_min:-}" == "${enabled_protocols_max:-}" ]; then
echo "${enabled_protocols_max:-}"
elif [ -z "${enabled_protocols_min:-}" ]; then
echo "${enabled_protocols_max:-}"
else
enabled_protocols_max=${enabled_protocols_max:-TLSv1.3}

enabled_protocols=,SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4,
enabled_protocols=${enabled_protocols%%,${enabled_protocols_max}*}
enabled_protocols=${enabled_protocols#*${enabled_protocols_min},}
if [ ! -z ${enabled_protocols} ]; then
enabled_protocols=",${enabled_protocols}"
fi
echo "${enabled_protocols_min}${enabled_protocols},${enabled_protocols_max}"
fi
}

server_protocol=$(get_enabled_protocol_limit "server" "max")
server_protocol=${server_protocol:-TLS}
server_enabled_protocols=$(get_enabled_protocol "server")
server_enabled_protocols=${server_enabled_protocols:-TLSv1.3}
server_ciphers=${ZWE_configs_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}

client_protocol=$(get_enabled_protocol_limit "client" "max")
client_protocol=${client_protocol:-${server_protocol}}
client_enabled_protocols=$(get_enabled_protocol "client")
client_enabled_protocols=${client_enabled_protocols:-${server_enabled_protocols}}
client_ciphers=${ZWE_configs_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-${server_ciphers}}}

keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}"
keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}"
key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}"
Expand All @@ -196,8 +240,6 @@ elif [ "${keystore_type}" = "JCEHYBRIDRACFKS" ]; then
truststore_location=$(echo "${truststore_location}" | sed s_safkeyring://_safkeyringjcehybrid://_)
fi

ciphers=${ZWE_configs_certificate_ciphers:-${ZWE_configs_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}

if [ "${ATTLS_ENABLED}" = "true" -a "${APIML_ATTLS_LOAD_KEYRING:-false}" = "true" ]; then
keystore_type=
keystore_pass=
Expand Down Expand Up @@ -266,7 +308,10 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \
-Dserver.ssl.trustStore="${truststore_location}" \
-Dserver.ssl.trustStoreType="${truststore_type}" \
-Dserver.ssl.trustStorePassword="${truststore_pass}" \
-Dserver.ssl.ciphers=${ciphers:-} \
-Dserver.ssl.ciphers=${server_ciphers} \
-Dserver.ssl.protocol=${server_protocol} \
-Dserver.ssl.enabled-protocols=${server_enabled_protocols} \
-Dapiml.httpclient.ssl.enabled-protocols=${client_enabled_protocols} \
-Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
-Djavax.net.debug=${ZWE_configs_sslDebug:-""} \
-Djava.library.path=${LIBPATH} \
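Review bot: In `get_enabled_protocol` (first hunk, the function is complete within it) the range computation strips the wrong delimiter, so whenever `minTls` and `maxTls` are adjacent versions — including the common case of `minTls: TLSv1.2` with `maxTls` unset, which defaults to `TLSv1.3` — the function emits `TLSv1.2,,SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3` instead of `TLSv1.2,TLSv1.3`: after `%%,${enabled_protocols_max}*` the string ends in the minimum version with no trailing comma, `#*${enabled_protocols_min},` therefore never matches, and the whole lower part of the list below the configured minimum ends up in `server.ssl.enabled-protocols`. Keeping a comma on both sides of each version fixes it: `enabled_protocols=${enabled_protocols#*,${enabled_protocols_min},}`, `enabled_protocols=${enabled_protocols%%${enabled_protocols_max},*}`, `enabled_protocols=${enabled_protocols%,}`, and the test that follows should be the quoted `[ -n "${enabled_protocols}" ]` rather than an unquoted `! -z`. Separately, `client_ciphers` is read from `ZWE_configs_network_server_tls_ciphers`/`ZWE_zowe_network_server_tls_ciphers`, so the client list can never differ from the server list, and no `client_ciphers` value reaches the `java` command in the last hunk even though the schema change in this commit exposes `zowe.network.client.tls.ciphers`. The cipher lookups also use the `ZWE_configs_network_` prefix while `get_enabled_protocol_limit` builds keys with `ZWE_configs_zowe_network_`; presumably only one of these matches the generated environment, worth confirming against the config-to-env mapping.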
47 changes: 36 additions & 11 deletions schemas/gateway-schema.json
Expand Up @@ -54,12 +54,6 @@
"type": "object",
"description": "Network encryption for gateway service connections.",
"properties": {
"ciphers": {
"type": "string",
"description": "Specifies list of SSL/tls ciphers used during the secured communication.",
"default": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384",
"pattern": "^[A-Z0-9_]+(,[A-Z0-9_]+)*$"
},
"enabled": {
"type": "boolean",
"description": "Should gateway use encrypted communication?",
Expand Down Expand Up @@ -151,11 +145,6 @@
}
}
]
},
"protocol": {
"type": "string",
"description": "This parameter specifies the TLS protocol version currently used by Zowe API ML Discovery Service.",
"default": "TLSv1.2"
}
}
},
Expand Down Expand Up @@ -570,6 +559,38 @@
}
}
}
},
"zowe": {
"type": "object",
"properties": {
"network": {
"type": "object",
"properties": {
"client": {
"type": "object",
"properties": {
"tls": {
"type": "object",
"properties": {
"minTls": {
"$ref": "#/$defs/tlsType"
},
"maxTls": {
"$ref": "#/$defs/tlsType"
},
"ciphers": {
"type": "string",
"description": "Specifies list of SSL/tls ciphers used during the secured communication.",
"default": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384",
"pattern": "^[A-Z0-9_]+(,[A-Z0-9_]+)*$"
}
}
}
}
}
}
}
}
}
}
}
Expand Down Expand Up @@ -604,6 +625,10 @@
},
"required": ["gatewayUrl","serviceUrl"]
}
},
"tlsType": {
"type": "string",
"enum": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "TLSv1.4"]
}
}
}
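Review bot: The `tlsType` enum added in the last hunk accepts `SSLv3`, `TLSv1`, `TLSv1.1` and `TLSv1.4`: the first three are deprecated protocol versions and `TLSv1.4` is not a defined TLS version, so a configuration such as `minTls: SSLv3` or `maxTls: TLSv1.4` passes schema validation and its consequences only surface at runtime. Consider narrowing the enum to the versions the gateway is meant to support, or at least adding a description to the type, e.g. `"description": "TLS protocol version bound (inclusive). SSLv3, TLSv1 and TLSv1.1 are deprecated and should only be enabled for legacy clients."`. The new `minTls` and `maxTls` properties under `zowe.network.client.tls` also carry no description, so the inclusive-range relationship between them is not visible to schema consumers. The enclosing `$defs` object starts outside the hunk.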
