What options and defaults exists for APIML outbound https requests #3601
Comments
@pj892031 Can you please provide further information on the topic? |
If there is no strong preference for the version of TLS, it is possible to provide

The list of ciphers in the APIML is currently basically this one:

It is set on a general level (hardcoded in Java), see api-layer/common-service-core/src/main/java/org/zowe/apiml/security/HttpsConfig.java, line 36 in bd4e738.

The list of ciphers is set again in the services' internal configuration (mock-service, api-catalog-service, caching-service, discoverable-client, discovery-service, onboarding-enabler-spring-micronaut-sample-app, onboarding-sample-app, gateway). Each service uses the property

To change the ciphers used by APIML it is necessary to set the system environment

To control outgoing communication it is also possible to use the configuration value

Example of how to configure zowe.yaml:

```yaml
zowe:
  environments:
    SERVER_SSL_PROTOCOL: TLS
    SERVER_SSL_CIPHERS: TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    SSL_ENABLED_PROTOCOLS: TLSv1.2,TLSv1.3
    APIML_HTTPCLIENT_SSL_ENABLED_PROTOCOLS: TLSv1.2,TLSv1.3
```

Note: System environment

I hope this summary helps; if not, please do not hesitate to ask for any detail. |
When I turn on gateway debugging I see the following ciphers:

```
ZWEAGW1:main:... ZWESVUSR INFO (o.z.a.p.w.HttpConfig) Using HTTPS configuration: HttpsConfig(protocol=TLSv1.3, enabledProtocols=[TLSv1.3], trustStore=..., trustStoreType=JCERACFKS, trustStoreRequired=false, keyAlias=..., keyStore=..., cipherSuite=[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384],
```

This matches your list. But later on, it switches to a different list:

```
ZWEAGW1:main:... ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Enabled cipher suites:[SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
```

Where does SSLConnectionSocketFactory get this list from? |
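Added example (editor's note, not code from the api-layer project or from any commenter): the `Enabled cipher suites:` debug line above is what Apache HttpClient 4.x's `SSLConnectionSocketFactory` prints from `SSLSocket.getEnabledCipherSuites()` after it has applied its own `supportedProtocols` and `supportedCipherSuites` arrays, and it applies them only when they are non-null; when they are null the socket keeps the JVM's default enabled list, which on IBM JSSE is spelled with an `SSL_` prefix as the log shows. The program below makes that visible: it prints the JVM default list, then the list after the configured ciphers are applied, and builds an outbound `HttpClient` that carries the same restriction. It assumes HttpClient 4.4+ on the classpath; the cipher and protocol arrays are constructed from the zowe.yaml example earlier in the thread, and the helper names (`unsupported`, `toJvmSpelling`) are mine.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class OutboundTlsCheck {

    // Constructed sample: a subset of the SERVER_SSL_CIPHERS list from the thread,
    // spelled the way the configuration spells it (TLS_ prefix).
    static final String[] CONFIGURED_CIPHERS = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    };
    static final String[] CONFIGURED_PROTOCOLS = { "TLSv1.3" };

    // IBM JSSE reports suites with an SSL_ prefix where SunJSSE uses TLS_;
    // compare names on a common spelling so either JVM is handled.
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    // Configured names this JVM does not support under either spelling.
    // setEnabledCipherSuites() throws IllegalArgumentException on any such name,
    // so this is the check to run before applying a configured list.
    static List<String> unsupported(String[] configured, String[] supported) {
        Set<String> known = new LinkedHashSet<>();
        for (String s : supported) known.add(normalize(s));
        List<String> missing = new ArrayList<>();
        for (String c : configured) if (!known.contains(normalize(c))) missing.add(c);
        return missing;
    }

    // Configured names rewritten to the spelling this JVM uses, in configured order.
    static String[] toJvmSpelling(String[] configured, String[] supported) {
        List<String> out = new ArrayList<>();
        for (String c : configured) {
            for (String s : supported) {
                if (normalize(s).equals(normalize(c))) { out.add(s); break; }
            }
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSocketFactory().getSupportedCipherSuites();

        List<String> missing = unsupported(CONFIGURED_CIPHERS, supported);
        if (!missing.isEmpty()) {
            System.out.println("Not supported by this JVM: " + missing);
        }
        String[] ciphers = toJvmSpelling(CONFIGURED_CIPHERS, supported);

        // 1. An unconfigured socket: the JVM's default enabled suites. This is the
        //    list SSLConnectionSocketFactory logs when it was built with null ciphers.
        try (SSLSocket plain = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            System.out.println("JVM default enabled suites: "
                + Arrays.asList(plain.getEnabledCipherSuites()));
        }

        // 2. The same kind of socket with the configured list applied.
        try (SSLSocket restricted = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            restricted.setEnabledProtocols(CONFIGURED_PROTOCOLS);
            restricted.setEnabledCipherSuites(ciphers);
            System.out.println("Configured enabled suites:  "
                + Arrays.asList(restricted.getEnabledCipherSuites()));
        }

        // 3. Outbound client that applies the same arrays to every socket it creates.
        //    Passing null for either array would leave the JVM defaults from step 1.
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
            ctx, CONFIGURED_PROTOCOLS, ciphers, new DefaultHostnameVerifier());
        try (CloseableHttpClient client =
                 HttpClients.custom().setSSLSocketFactory(factory).build()) {
            System.out.println("HttpClient restricted to " + Arrays.asList(CONFIGURED_PROTOCOLS)
                + " with " + ciphers.length + " cipher suites");
        }
    }
}
```

Run it on the same JVM the gateway uses: if step 1 prints the long `SSL_`-prefixed list from the debug log while step 2 prints the short configured one, the outbound factory in the gateway is being built without its cipher array, and the fix is to pass the configured (and JVM-spelled) list into `SSLConnectionSocketFactory` rather than relying on the server-side `cipherSuite` setting.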
Could it be that the content within here does not honor the cipher customization? https://github.com/zowe/api-layer/blob/v2.x.x/common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java |
I found that adding |
It feels like we are missing a configuration property for ciphers, if I am reading the code above correctly, and that within the API ML we need to propagate it to two places:
|
The cipher property already exists in the zowe.yaml. The content needs to be converted to the state that API ML can consume. We may be missing other places where the configuration needs to happen. |
Coincidentally, I was just checking on this. If you set

You get `ZWE_zowe_network_server_tls_ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384`

So... pretty convenient to match up with what start.sh does. |
I believe this captures it, but needs testing |
I'm working with a user who aims to disable TLS 1.2 everywhere, but is encountering an issue with APIML then being unable to connect to z/OSMF.

I see here

api-layer/gateway-package/src/main/resources/bin/start.sh, line 269 in b8976cd

and/or here

api-layer/gateway-package/src/main/resources/bin/start.sh, line 279 in b8976cd

references to TLS v1.2 defaults; if I switch them to "TLSv1.3", I do get different behavior.
But these aren't documented in the schema, so I don't really know what they are.
Hopefully the answers to these questions assist in making #3569 have great behaviors.