feat: Use networking standard config #3637
Conversation
…andardized way Signed-off-by: 1000TurquoisePogs <[email protected]>
Signed-off-by: 1000TurquoisePogs <[email protected]>
Signed-off-by: 1000TurquoisePogs <[email protected]>
Signed-off-by: 1000TurquoisePogs <[email protected]>
…at way Signed-off-by: 1000TurquoisePogs <[email protected]>
-Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \ | ||
-Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-"TLSv1.2"} \ | ||
-Dserver.ssl.protocol=${server_tls} \ | ||
-Dserver.ssl.ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-}} \ |
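Review bot: the fallback chain on the ciphers line ends in an empty default (`:-}`), so when neither `ZWE_configs_zowe_network_server_tls_ciphers` nor `ZWE_zowe_network_server_tls_ciphers` is set the JVM receives `-Dserver.ssl.ciphers=` with an empty value; please confirm the server treats an empty property as "use built-in defaults" rather than as an empty cipher list, or only append the flag when the resolved value is non-empty. Also, `${server_tls}` replaces the inline `${ZWE_configs_server_ssl_protocol:-"TLSv1.2"}` default, but its definition is not in this hunk, so the chain it resolves through and the default it falls back to should be visible near these lines.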
does it make sense to have a default list of protocols?
do you mean protocols or ciphers?
for ciphers, it seems the default comes from within the server's code.
putting it here could be nice though - it would be more visible to users what the defaults are.
I am sorry, I meant ciphers. This property is setting ciphers for Tomcat and we don't have direct access to that part of the code. I think we can define them on the top of the script so it is better visible.
This line allows it to be possible to define such a standard cipher list within "defaults.yaml" here https://github.com/zowe/zowe-install-packaging/blob/v2.x/staging/files/defaults.yaml
An advantage of this is so that the default ciphers are visible in 1 place.
Otherwise you'd have defaults for APIML, app-server, and ZSS all in separate places that people don't know about (which is the current state)
Hi Sean, so if I understood correctly, there will be a new property zowe_network_server_tls_ciphers in this default.yaml, that's what you're proposing?
@1000TurquoisePogs, I would like to mention that there is a PR that is clashing with yours: #3689.
I understand you want to use the global configuration (I welcome it), but I'm not sure about a few things.
Why is the change not using the min TLS? I assume we should construct 2 different values: protocol and enabledProtocols (see protocol=TLSv1.3, enabledProtocols=TLSv1.2,TLSv1.3). Then you are reusing the same structure as in the global configuration for the GW (and other components), even if we have a different structure of SSL configuration. Do you want to ensure that all components will use the same structure?
In any case, we should merge your PR and mine into one new PR, because they are modifying the same properties.
After a discussion with @taban03 we have decided to make changes in PR #3689. @1000TurquoisePogs, could you please check if it could be OK from your point of view? It is just an example for GW now.
client_max_tls=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${ZWE_configs_zowe_network_client_tls_maxTls:-${ZWE_zowe_network_client_tls_maxTls:-${ZWE_configs_zowe_network_server_tls_maxTls:-${ZWE_zowe_network_server_tls_maxTls:-\ | ||
"TLSv1.3"}}}}} | ||
client_min_tls=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${ZWE_configs_zowe_network_client_tls_minTls:-${ZWE_zowe_network_client_tls_minTls:-${ZWE_configs_zowe_network_server_tls_minTls:-${ZWE_zowe_network_server_tls_minTls:-\ | ||
"TLSv1.2"}}}}} | ||
|
||
server_max_tls=${ZWE_configs_server_ssl_protocol:-${ZWE_configs_zowe_network_server_tls_maxTls:-${ZWE_zowe_network_server_tls_maxTls:-"TLSv1.2,TLSv1.3"}}} | ||
server_min_tls=${ZWE_configs_server_ssl_protocol:-${ZWE_configs_zowe_network_server_tls_maxTls:-${ZWE_zowe_network_server_tls_maxTls:-"TLSv1.2,TLSv1.3"}}} |
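Review bot: `server_min_tls` on the last line resolves through the `maxTls` variables (`ZWE_configs_zowe_network_server_tls_maxTls`, `ZWE_zowe_network_server_tls_maxTls`), so it always equals `server_max_tls`; it should read the `minTls` counterparts instead. Both also default to `"TLSv1.2,TLSv1.3"`, a list, while `server.ssl.protocol` accepts a single protocol name, so one version (or `TLS`) belongs there and the list in an enabled-protocols property. Similarly, `client_min_tls` and `client_max_tls` both start from `ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols`, so setting that variable collapses min and max to the same value.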
@achmelo defaults are here but... as you say I guess it cannot be a list?
Yes, this would break Tomcat. We need to choose one version. I think that for Java it's OK to specify "TLS" only.
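The resolve-and-derive step the thread settles on, as an added example that is not part of the project's scripts: the `ZWE_*` fallback chain from the diff above, one version for `server.ssl.protocol`, the accepted min..max range in an enabled-protocols property, and the ciphers flag only when a list is configured. The `server.ssl.enabled-protocols` property name, the TLSv1.2/TLSv1.3 defaults and the range expansion are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code: resolve the server-side TLS settings in
# the fallback order discussed above (component override -> global zowe.network
# config -> built-in default) and emit the single-valued properties Tomcat needs.
# The enabled-protocols property name and the range expansion are assumptions.

# Ordered protocol names; the accepted range is cut from this list.
TLS_ORDER="TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# enabled_protocols MIN MAX: print "MIN,...,MAX"; fail if the range is empty
# (unknown name, or min above max), since that would silently disable TLS.
enabled_protocols() {
  _min="$1"; _max="$2"; _out=""; _in=0
  for _p in $TLS_ORDER; do
    [ "$_p" = "$_min" ] && _in=1
    [ "$_in" = 1 ] && _out="${_out:+$_out,}$_p"
    [ "$_p" = "$_max" ] && break
  done
  if [ -z "$_out" ]; then
    printf 'unsupported TLS range %s..%s\n' "$_min" "$_max" >&2
    return 1
  fi
  printf '%s' "$_out"
}

# server_tls_args: print the -D flags for the java command line.
# server.ssl.protocol takes one name, so the max version goes there and the
# min..max range goes to server.ssl.enabled-protocols. The ciphers flag is only
# appended when a list was configured, so an empty value never reaches Tomcat.
server_tls_args() {
  _min="${ZWE_configs_zowe_network_server_tls_minTls:-${ZWE_zowe_network_server_tls_minTls:-TLSv1.2}}"
  _max="${ZWE_configs_zowe_network_server_tls_maxTls:-${ZWE_zowe_network_server_tls_maxTls:-TLSv1.3}}"
  _ciphers="${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-}}"
  _range=$(enabled_protocols "$_min" "$_max") || return 1
  _args="-Dserver.ssl.protocol=${_max} -Dserver.ssl.enabled-protocols=${_range}"
  [ -n "$_ciphers" ] && _args="$_args -Dserver.ssl.ciphers=${_ciphers}"
  printf '%s' "$_args"
}

# Usage: with nothing configured this prints the TLSv1.2..TLSv1.3 defaults.
server_tls_args && printf '\n'
```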
Signed-off-by: 1000TurquoisePogs <[email protected]>
Signed-off-by: 1000TurquoisePogs <[email protected]>
Signed-off-by: Pavel Jareš <[email protected]>
Signed-off-by: Pavel Jareš <[email protected]>
Signed-off-by: Pavel Jareš <[email protected]>
Signed-off-by: Pavel Jareš <[email protected]>
* draft Signed-off-by: Pavel Jareš <[email protected]>
* fixes Signed-off-by: Pavel Jareš <[email protected]>
* fix oidc Signed-off-by: Pavel Jareš <[email protected]>
* corrections by zowe.yaml Signed-off-by: Pavel Jareš <[email protected]>
* fixes Signed-off-by: Pavel Jareš <[email protected]>
* fixes Signed-off-by: Pavel Jareš <[email protected]>
* fixes Signed-off-by: Pavel Jareš <[email protected]>
* fix Signed-off-by: Pavel Jareš <[email protected]>
* fix ciphers Signed-off-by: Pavel Jareš <[email protected]>
* support protocols and ciphers by #3637 Signed-off-by: Pavel Jareš <[email protected]>
* add description of network configuration Signed-off-by: Pavel Jareš <[email protected]>
* address comment Signed-off-by: Andrea Tabone <[email protected]>
* address comment pt.2 Signed-off-by: Andrea Tabone <[email protected]>
* add zowe config to other components schemas Signed-off-by: Andrea Tabone <[email protected]>
* add ciphers and protocol setup logic to the other scripts Signed-off-by: Andrea Tabone <[email protected]>
* revert back zowe configuration from the schema Signed-off-by: Andrea Tabone <[email protected]>
* add fall back to gw config and add missing variables Signed-off-by: Andrea Tabone <[email protected]>
* change the string comparison to use = for POSIX-compliant sh Signed-off-by: Andrea Tabone <[email protected]>
* avoid using echo Signed-off-by: Andrea Tabone <[email protected]>
* fix Signed-off-by: Andrea Tabone <[email protected]>
* revert back Signed-off-by: Andrea Tabone <[email protected]>
* comment tls version for dc Signed-off-by: Andrea Tabone <[email protected]>
* fix Signed-off-by: Andrea Tabone <[email protected]>
* use double quotes Signed-off-by: Andrea Tabone <[email protected]>
* revert back Signed-off-by: Andrea Tabone <[email protected]>
* remove unsupported protocols from schema property Signed-off-by: Andrea Tabone <[email protected]>
* initialize variable Signed-off-by: Andrea Tabone <[email protected]>
---------
Signed-off-by: Pavel Jareš <[email protected]>
Signed-off-by: Andrea Tabone <[email protected]>
Co-authored-by: Andrea Tabone <[email protected]>
I'm closing this since #3765 appears to accomplish the same goals, thanks all!
Description
This PR attempts to implement configuring TLS according to the standard described in this documentation: https://github.com/zowe/docs-site/pull/3685/files#diff-411b1247ea1c2f1ca7f9db385604ed4a570f310b98aa375aed11184efe36e444R1
The standard has already been implemented by zss and app-server since v2.13, but I was uncertain about how to configure the same things in APIML.
Discussion within #3601 revealed a solution, which I implemented here.
Testing:
Linked to #3569