Can't Logging in Zlux since upgrade to 1.13 #499
Comments
Another point: I could use the Jes, Mvs and Uss Explorers directly: https://your-server-domain:7554/ui/v1/explorer-jes/ |
But the direct access failed: https://your-server-domain:8546/ui/v1/explorer-jes/ Unexpected token F in JSON at position 0 |
Hello @deltombf |
Hi, Thank you for your help. I try this URL but : I also try https://domain:7554/ui/v1/ZLUX/plugins/org.zowe.zlux.bootstrap/web/ and And that's not working :( I can't find the Zlux part when I search for it in https://domain:7554/ui/v1/apicatalog/ Regards, |
This has to do with the certificates in Zowe's keystore being self-signed. When the server configuration has node.https.certificateAuthorities defined, then certificate verification is turned on, and those authorities are used for verification. Changing the certificate that the APIML uses, or the list of certificate authorities that the app server uses, can affect whether the server allows or rejects the certificates due to self-signing. To alter the list to include certificate authorities that may pass validation, you can set ZWED_node_https_certificateAuthorities in the instance.env file to a list of files or keyring objects, such as
A comma is always needed even if there is only one entry, because it signifies the value is an array. If none of this works, I think it is possible to revert to the older behavior for accessing the desktop. |
By the way, to access the desktop through the mediation layer, the url is actually |
Hi, Thank you for your help! First I try the two access methods but with no success {"messages":[{"messageType":"ERROR","messageNumber":"ZWEAM104E","messageContent":"The endpoint you are looking for '/ui/v1/zlux/' could not be located","messageKey":"org.zowe.apiml.common.endPointNotFound"}]} Next I add at the end of the instance.env a line with my external certification authorities and recycle the ZWESVSTC. I have the same error message of self signed certificate :'( Last I delete the json file safsso and create the old plugin by using I recycle the ZWESVSTC and see this error message in the log When I try to log in to Zlux, the site is not reachable with ERR_CONNECTION_REFUSED Regards, |
For self-signed certificate errors, could it be that the APIML certificate is not using the certificate authorities in the For zss, I failed to mention that ZSS is authentication type "zss".
|
Hi, Thanks again for your help £ optional - Path to a PKCS12 keystore with a server certificate for API By adding ZWED_dataserviceAuthentication_defaultAuthentication=zss on instance.env and recycle the CV Regards, |
The CA you have, "/etc/zowe/certificats/UINTD41A /etc/zowe/certificats/URACD41A", can you print it?
If it's possible to convert to that format, then it would be good to know if that allows everything to work properly. If it's in another format, do you know which format? Perhaps we can add support. |
Hi, -----BEGIN CERTIFICATE----- ..... and finishing with : MTPLmPr9nX9hsEYSk1rfF8CgWAOcGhWLOJlkOqttFbVHxFMu2pqVG18+a5cg Regards, |
For me it's not a certificate issue, since the old zss plugin works like a charm. I think the new sso plugin broke the Zss part and only uses Token |
Thank you for the workaround. This worked great for me as well. |
Hi Steve,
I'm back from vacation, sorry for the delay in answering.
First stop your ZWE* STC after a first start.
What you need to do is to add ZWED_dataserviceAuthentication_defaultAuthentication=zs at the bottom of the instance.env file; the other parameter doesn’t work.
After that you need to delete the json file in $INSTANCE_DIR/workspace/app-server/plugins/org.zowe.zlux.auth.safsso and create the Zss json file, which is the older version, by issuing >install-app.sh /usr/lpp/zowe/1.13.0/components/app-server/share/zss-auth
After that you can launch ZWE* STC and it should work.
Regards
From: Steve Bohn <[email protected]>
Sent: Tuesday, 18 August 2020 22:30
To: zowe/zlux <[email protected]>
Cc: DELTOMBE Francois ResgGtsRcrMfrScl <[email protected]>; Mention <[email protected]>
Subject: Re: [zowe/zlux] Can't Logging in Zlux since upgrade to 1.13 (#499)
@deltombf<https://github.com/deltombf> @1000TurquoisePogs<https://github.com/1000TurquoisePogs>
Could you please provide a succinct description of how you got this to work? I am having the exact same issue... external CAs... APIML is fully functional and I can login to the explorers directly... but I get the failure message when trying to login to the Desktop.
I tried setting
ZWED_dataserviceAuthentication_defaultAuthentication=zss
and set
ZWED_node_https_certificateAuthorities="/var/usr/lpp/zowe/keystore/local_ca/extca.1.cer-ebcdic","/var/usr/lpp/zowe/keystore/local_ca/extca.2.cer-ebcdic"
but I still get
2020-08-18 20:14:09.784 ZWED:16778680 IZUSVR WARN (_zsf.auth,webauth.js:325) ZWED0003W - XcF9E0lM7dTIQe931_kYr-bA52cxNnwO: Session security call authenticate failed for auth handler org.zowe.zlux.auth.safsso. Plugin response: {"success":false,"reason":"Unknown","error":{"message":"APIMLself signed certificate in certificate chain"},"apiml":true,"zss":true,"sso":false,"canChangePassword":true}
2020-08-18 20:14:09.784 ZWED:16778680 IZUSVR INFO (_zsf.auth,webauth.js:322) ZWED0070I - XcF9E0lM7dTIQe931_kYr-bA52cxNnwO: Session security call authenticate succesful for auth handler org.zowe.zlux.auth.trivial. Plugin response: {"success":true}
|
Hi, Bypass with Any indication if this solved in 1.15? Thanks, Wieb Pilon |
Not in 1.15, but we're continuing to work on automating this solution and I see PRs zowe/zlux-app-server#138 and zowe/zowe-install-packaging#1674 which when merged should resolve some or all issues seen in this ticket. This may be in 1.16 or 1.17 due to timing (1.16 is getting built next week) |
hi @1000TurquoisePogs, To alter the list to include certificate authorities that may pass validation, you can set ZWED_node_https_certificateAuthorities in instance.env file to a list of files or keyring objects, such as
|
I tried Zowe external certificate configured with Zowe 1.16 RC1. I see that External Certificate is added to server.json: "certificateAuthorities": Ý But not able to logon into Zowe Desktop, ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:264) APIML query error: self signed certificate in certificate chain I added ZWED_node_https_certificateAuthorities into instance.enc, but still getting the same error |
Hi,
I upgraded 2 instances from 1.11 to 1.13; in 1.11 all is working fine.
Since the upgrade I can't log in to Zlux on the 2 instances, with the same message:
L'authentification a échoué pour 3 types. Les types: ["saf","apiml","zss"]
In the AppServer log I find:
2020-07-20 06:40:19.948 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338) APIML login has failed:
2020-07-20 06:40:19.948 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339) { Error: self signed certificate in certificate cha
at TLSSocket. (_tls_wrap.js:1116:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:643:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' }
2020-07-20 06:40:19.984 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:264) APIML query error: self signed certificate in certificate chain
2020-07-20 06:40:20.023 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338) APIML login has failed:
2020-07-20 06:40:20.023 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339) { Error: self signed certificate in certificate chain
at TLSSocket. (_tls_wrap.js:1116:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:643:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' }
2020-07-20 06:40:20.024 ZWED:50331766 ZWESVUSR INFO (zsf.auth,webauth.js:322) ZWED0070I - 9F054kAKmm0VIaTZ3fsZ-v3BiCo5Mby: Session security call refreshStatus succesful for auth handler org.zowe.zlux.auth.trivial. Plugin response: {"success":true}
2020-07-20 06:40:24.064 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338) APIML login has failed:
2020-07-20 06:40:24.064 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safssoapimlHandler.js:339) { Error: self signed certificate in certificate chain
at TLSSocket. (_tls_wrap.js:1116:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:643:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' }
2020-07-20 06:40:24.099 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:264) APIML query error: self signed certificate in certificate in certificate chain
2020-07-20 06:40:24.134 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:338) APIML login has failed:
2020-07-20 06:40:24.134 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:339) { Error: self signed certificate in certificate chain
at TLSSocket. (_tls_wrap.js:1116:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:643:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' }
2020-07-20 06:40:24.135 ZWED:50331766 ZWESVUSR WARN (zsf.auth,webauth.js:325) ZWED0003W - 9F054kAKmm0VIaTZ3fsZ-v3BiCo5Mby: Session security call authenticate failed for auth handler org.zowe.zlux.auth.safsso. Plugin response: {"success":false,"reason":"Unknown","error":{"message":"APIML self signed certificate in certificate chain"},"apiml":true,"zss":true,"sso":false,"canChangePassword":true}
2020-07-20 06:40:24.135 ZWED:50331766 ZWESVUSR INFO (zsf.auth,webauth.js:322) ZWED0070I - 9F054kAKmm0VIaTZ3fsZ-v3BiCo5Mby: Session security call authenticate succesful for auth handler org.zowe.zlux.auth.trivial. Plugin response: {"success":true}
It seems to be a certificate issue, but I don't use a self-signed certificate so I don't understand.
I have tried to generate the Keystore; that didn't solve the problem.
Any idea how to solve this problem ?
Regards
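
For anyone triaging the same symptom, the following is an added example (not part of the original issue and not zlux code) that scans app-server log lines of the shape shown above and separates auth-handler failures caused by TLS trust errors from other failures. The sample lines and session ID are constructed for the example, and treating `é`/`è` as braces damaged by an EBCDIC code-page mismatch is an assumption.

```javascript
// Constructed sample, modelled on the ZWED log lines in this issue.
const SAMPLE_LOG = [
  "2020-07-20 06:40:19.984 ZWED:50331766 ZWESVUSR WARN (org.zowe.zlux.auth.safsso,apimlHandler.js:264) APIML query error: self signed certificate in certificate chain",
  '2020-07-20 06:40:24.135 ZWED:50331766 ZWESVUSR WARN (zsf.auth,webauth.js:325) ZWED0003W - SAMPLE-SESSION-ID: Session security call authenticate failed for auth handler org.zowe.zlux.auth.safsso. Plugin response: é"success":false,"reason":"Unknown","error":é"message":"APIML self signed certificate in certificate chain"è,"apiml":true,"zss":true,"sso":false,"canChangePassword":trueè',
  '2020-07-20 06:40:24.135 ZWED:50331766 ZWESVUSR INFO (zsf.auth,webauth.js:322) ZWED0070I - SAMPLE-SESSION-ID: Session security call authenticate succesful for auth handler org.zowe.zlux.auth.trivial. Plugin response: é"success":trueè',
].join("\n");

// timestamp, job id, user, level, (logger,source:line), message
const HEADER = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (\S+) (\w+) \(([^,]+),([^)]+)\) (.*)$/;
// "succesful" is spelled that way in the log lines shown in this issue.
const AUTH_CALL = /Session security call (\w+) (failed|succesful|successful) for auth handler (\S+)\. Plugin response: (.*)$/;
// Node.js TLS verification messages that point at the CA list, not at credentials.
const TLS_TRUST = /self signed certificate|unable to verify the first certificate|unable to get (local )?issuer certificate/i;

function parsePluginResponse(raw) {
  try { return JSON.parse(raw); } catch (e) { /* try the repaired form below */ }
  // Assumption: é and è stand for { and } after a code-page mismatch.
  try { return JSON.parse(raw.replace(/é/g, "{").replace(/è/g, "}")); } catch (e) { return null; }
}

function triage(logText) {
  const result = { trustFailures: [], otherFailures: [], succeeded: [] };
  for (const line of logText.split(/\r?\n/)) {
    const h = HEADER.exec(line);
    if (!h) continue; // stack-trace continuation lines carry no header
    const call = AUTH_CALL.exec(h[7]);
    if (!call) continue; // not a session security call summary line
    const [, operation, outcome, handler, rawResponse] = call;
    if (outcome !== "failed") { result.succeeded.push(handler); continue; }
    const response = parsePluginResponse(rawResponse);
    const message = response && response.error ? String(response.error.message) : rawResponse;
    const entry = { timestamp: h[1], user: h[3], handler, operation, message };
    (TLS_TRUST.test(message) ? result.trustFailures : result.otherFailures).push(entry);
  }
  return result;
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

An entry under `trustFailures` means the handler rejected the peer's certificate chain, so the thing to inspect is the CA list the app server verifies against rather than the user's credentials.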