From 384aedb471322eb10cbdebcdbbbccba313cc9cdd Mon Sep 17 00:00:00 2001 From: achmelo Date: Wed, 26 Jun 2024 17:20:23 +0200 Subject: [PATCH 1/3] apidoc for generate and validate, return correct status code Signed-off-by: ac892247 --- .../gateway/controllers/AuthController.java | 21 +-- .../src/main/resources/gateway-api-doc.json | 121 +++++++++++++++++- 2 files changed, 123 insertions(+), 19 deletions(-) diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/controllers/AuthController.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/controllers/AuthController.java index 0fe1eab3a6..ba622dd8fd 100644 --- a/gateway-service/src/main/java/org/zowe/apiml/gateway/controllers/AuthController.java +++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/controllers/AuthController.java @@ -29,14 +29,7 @@ import org.springframework.lang.Nullable; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.web.bind.annotation.DeleteMapping; -import org.springframework.web.bind.annotation.GetMapping; -import org.springframework.web.bind.annotation.PostMapping; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; -import org.springframework.web.bind.annotation.RestController; +import org.springframework.web.bind.annotation.*; import org.zowe.apiml.gateway.security.service.AuthenticationService; import org.zowe.apiml.gateway.security.service.JwtSecurity; import org.zowe.apiml.gateway.security.service.token.OIDCTokenProvider; 
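Review bot: The explicit `org.springframework.web.bind.annotation` imports are collapsed into `import org.springframework.web.bind.annotation.*;`, and the next hunk does the same for `java.util.*` and `import static org.apache.http.HttpStatus.*;`; the file listed each import before, and wildcard imports pull every name of the package into scope and make later collisions silent. The static wildcard is the fragile one: `org.apache.http.HttpStatus` carries dozens of `SC_*` constants, and the removed `SC_NO_CONTENT`, `SC_OK`, `SC_SERVICE_UNAVAILABLE` lines documented exactly which ones this controller relies on. I would keep explicit imports, adding only the names the code now needs, so the unused-import cleanup is not lost.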
@@ -53,15 +46,9 @@ import java.io.IOException; import java.io.StringWriter; import java.security.PublicKey; -import java.util.Collections; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; -import java.util.Optional; +import java.util.*; -import static org.apache.http.HttpStatus.SC_NO_CONTENT; -import static org.apache.http.HttpStatus.SC_OK; -import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE; +import static org.apache.http.HttpStatus.*; /** * Controller offer method to control security. It can contains method for user and also method for calling services @@ -195,7 +182,7 @@ public ResponseEntity validateAccessToken(@RequestBody ValidateRequestMo String serviceId = validateRequestModel.getServiceId(); if (tokenProvider.isValidForScopes(token, serviceId) && !tokenProvider.isInvalidated(token)) { - return new ResponseEntity<>(HttpStatus.OK); + return new ResponseEntity<>(HttpStatus.NO_CONTENT); } return new ResponseEntity<>(HttpStatus.UNAUTHORIZED); } diff --git a/gateway-service/src/main/resources/gateway-api-doc.json b/gateway-service/src/main/resources/gateway-api-doc.json index 9f3583aa39..0bb73019e8 100644 --- a/gateway-service/src/main/resources/gateway-api-doc.json +++ b/gateway-service/src/main/resources/gateway-api-doc.json @@ -212,8 +212,6 @@ } } }, - - "/auth/logout": { "post": { "tags": ["Security"], 
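Review bot: The validated-token path now returns `HttpStatus.NO_CONTENT`, matching the 204 added to the API doc, but the signature shown in the hunk header is the raw `ResponseEntity` and both branches hand-build bodiless entities; `ResponseEntity<Void>` with `return ResponseEntity.noContent().build();` and `return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();` would state the contract in the type. Collapsing "not valid for this service" and "invalidated" into one 401 is the right choice for an unauthenticated validation endpoint, and a comment on the `if` would keep it that way: `// both failure reasons map to 401 on purpose: do not reveal why a token was rejected`. validateAccessToken starts before this hunk, so the signature change is outside it.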
@@ -258,6 +256,94 @@ } } }, + "/auth/access-token/generate": { + "post": { + "tags": ["Security"], + "summary": "Authenticate mainframe user credentials and return personal access token.", + "description": "Use the `/access-token/generate` API to authenticate mainframe user credentials and return personal access token. It is also possible to authenticate using the x509 client certificate authentication, if enabled.\n\n**Request:**\n\nThe generate request requires the user credentials in one of the following formats:\n * Basic authentication\n * Client certificate\n\n**Response:**\n\nThe response is a plain text body`.\n", + "operationId": "accessTokenGeneratePOST", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PATRequest" + } + } + }, + "description": "Specifies the user credentials to be authenticated." + }, + "security": [ + { + "LoginBasicAuth": [] + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "text/plain": { + "schema": { + "type": "string" + } + } + } + }, + "400": { + "description": "Bad request" + }, + "401": { + "description": "Unauthorized" + }, + "404": { + "description": "Not Found" + }, + "405": { + "description": "Method Not Allowed" + }, + "500": { + "description": "Internal error" + } + } + } + }, + "/auth/access-token/validate": { + "post": { + "tags": ["Security"], + "summary": "Validate personal access token.", + "description": "Use the `/access-token/validate` API to verify that personal access token is valid. \n\n**Response:**\n\nThe response is a plain text body`.\n", + "operationId": "accessTokenValidatePOST", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PATValidate" + } + } + }, + "description": "Specifies the personal access token and service ID for validation." 
+ }, + "responses": { + "204": { + "description": "No content" + }, + "400": { + "description": "Bad request" + }, + "401": { + "description": "Unauthorized" + }, + "404": { + "description": "Not Found" + }, + "405": { + "description": "Method Not Allowed" + }, + "500": { + "description": "Internal error" + } + } + } + }, "/auth/keys/public/all": { "get": { "tags": ["Security"], @@ -671,6 +757,37 @@ "ticket": "LZTKEEDQ" } }, + "PATRequest": { + "type": "object", + "title": "PersonalAccessToken", + "properties": { + "validity": { + "type": "string", + "description": "Amount in Days for how long the PAT is valid." + }, + "scopes": { + "type": "array", + "description": "List of service IDs for which the token is valid.", + "items": { + "type": "string" + } + } + } + }, + "PATValidate": { + "type": "object", + "title": "PersonalAccessTokenValidate", + "properties": { + "token": { + "type": "string", + "description": "Personal access token." + }, + "serviceId": { + "type": "string", + "description": "Service ID for validation against the token." + } + } + }, "ServiceInfo": { "type": "object", "description": "Represents information about a service registered to API ML", From 4ab9529759980914a2154a1a83ff4dd8cdc618da Mon Sep 17 00:00:00 2001 From: ac892247 Date: Mon, 13 Jan 2025 10:05:37 +0100 Subject: [PATCH 2/3] tls version and cipher configuration Signed-off-by: ac892247 --- .../src/main/resources/bin/start.sh | 53 ++++++++++++++++++- .../src/main/resources/bin/start.sh | 52 +++++++++++++++++- .../src/main/resources/bin/start.sh | 48 +++++++++++++++++ .../src/main/resources/bin/start.sh | 52 +++++++++++++++++- .../src/main/resources/bin/start.sh | 51 +++++++++++++++++- .../src/main/resources/bin/start.sh | 52 +++++++++++++++++- 6 files changed, 299 insertions(+), 9 deletions(-) diff --git a/api-catalog-package/src/main/resources/bin/start.sh b/api-catalog-package/src/main/resources/bin/start.sh index 8745267bab..e9c015dea2 100755 
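Review bot: The `/auth/access-token/generate` entry declares only `LoginBasicAuth` under `security`, while its description says x509 client-certificate authentication is also accepted; if the endpoint really takes client certificates the security list should carry that scheme too, otherwise the sentence should go, so generated clients and the doc agree on how credentials are presented. Both new descriptions end in a stray backtick, `The response is a plain text body`.`, and for `/auth/access-token/validate` the sentence is also wrong since its only success response is `204` with no body; `The response has no body; 204 means the token is valid for the given service ID.` would match the responses block. In the schema hunk that follows, `PATRequest.validity` is typed `string` but described as `Amount in Days`; if the server parses it as a number, an `integer` type with a `minimum` would let validators reject bad input before it reaches the controller.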
--- a/api-catalog-package/src/main/resources/bin/start.sh +++ b/api-catalog-package/src/main/resources/bin/start.sh 
@@ -160,6 +160,52 @@ if [ "${ATTLS_CLIENT_ENABLED}" = "true" ]; then internalProtocol=http fi + +get_enabled_protocol_limit() { + target=$1 + type=$2 + key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls" + value_component=$(eval echo \$$key_component) + key_gateway="ZWE_components_gateway_zowe_network_${target}_tls_${type}Tls" + value_gateway=$(eval echo \$$key_gateway) + key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls" + value_zowe=$(eval echo \$$key_zowe) + enabled_protocol_limit=${value_component:-${value_gateway:-${value_zowe:-}}} +} + +extract_between() { + echo "$1" | sed -e "s/.*$2,//" -e "s/$3.*//" +} + +get_enabled_protocol() { + target=$1 + get_enabled_protocol_limit "${target}" "min" + enabled_protocols_min=${enabled_protocol_limit} + get_enabled_protocol_limit "${target}" "max" + enabled_protocols_max=${enabled_protocol_limit} + + if [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then + result="${enabled_protocols_max:-}" + elif [ -z "${enabled_protocols_min:-}" ]; then + result="${enabled_protocols_max:-}" + else + enabled_protocols_max=${enabled_protocols_max:-"TLSv1.2"} + enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4, + # Extract protocols between min and max (inclusive) + result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max") + result="$enabled_protocols_min,$result$enabled_protocols_max" + fi +} + +get_enabled_protocol_limit "server" "max" +server_protocol=${enabled_protocol_limit:-"TLS"} +get_enabled_protocol "server" +server_enabled_protocols=${result:-"TLSv1.2"} 
+server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}} +get_enabled_protocol "client" +client_enabled_protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}} +client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}} + keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}" keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}" key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}" @@ -251,11 +297,9 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CATALOG_CODE} java \ -Dapiml.catalog.customStyle.headerColor=${ZWE_configs_apiml_catalog_customStyle_headerColor:-} \ -Dapiml.catalog.customStyle.textColor=${ZWE_configs_apiml_catalog_customStyle_textColor:-} \ -Dapiml.catalog.customStyle.docLink=${ZWE_configs_apiml_catalog_customStyle_docLink:-} \ - -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"} \ -Dspring.profiles.include=$LOG_LEVEL \ -Dserver.address=0.0.0.0 \ -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \ - -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-"TLSv1.2"} \ -Dserver.ssl.keyStore="${keystore_location}" \ -Dserver.ssl.keyStoreType="${keystore_type}" \ -Dserver.ssl.keyStorePassword="${keystore_pass}" \ 
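Review bot: In `get_enabled_protocol` nothing checks that the minimum precedes the maximum, so a configuration that sets only `minTls=TLSv1.3` gets `enabled_protocols_max` defaulted to `TLSv1.2`, and `extract_between` then yields `TLSv1.3,TLSv1.4,TLSv1.2`, i.e. the JVM is told to enable a protocol below the configured floor (and `TLSv1.4` is not a protocol name JSSE knows, which as far as I can tell is at best ignored and at worst rejected at startup). The same three functions are pasted into caching-service, cloud-gateway, discovery, gateway and metrics-service in the later hunks, so the fix applies to each copy; sourcing one shared helper would avoid the drift already visible between them. I would default the maximum to the top of the list, drop `TLSv1.4`, and make an inverted range fail closed instead of producing a list; the script's error convention is not visible in this hunk, so `exit 1` below is a placeholder for it. Note also that `sed` treats the `.` in `TLSv1.2` as a wildcard, harmless for this fixed list but worth a comment in `extract_between`.
```shell
get_enabled_protocol() {
    # … unchanged: min/max lookup and the equal / empty-min branches …
    else
        enabled_protocols_max=${enabled_protocols_max:-"TLSv1.3"}
        enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,
        case "${enabled_protocols}" in
            *",${enabled_protocols_min},"*"${enabled_protocols_max},"*)
                # min precedes max in the ordered list: take everything between them (inclusive)
                result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max")
                result="$enabled_protocols_min,$result$enabled_protocols_max"
                ;;
            *)
                echo "Error: ${target} minTls=${enabled_protocols_min} must not be above maxTls=${enabled_protocols_max}" >&2
                exit 1  # placeholder: use the script's own error/exit convention
                ;;
        esac
    fi
}
```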
@@ -264,6 +308,11 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CATALOG_CODE} java \
 -Dserver.ssl.trustStore="${truststore_location}" \
 -Dserver.ssl.trustStoreType="${truststore_type}" \
 -Dserver.ssl.trustStorePassword="${truststore_pass}" \
+ -Dserver.ssl.ciphers=${server_ciphers} \
+ -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-${server_protocol}} \
+ -Dserver.ssl.enabled-protocols=${server_enabled_protocols} \
+ -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${client_enabled_protocols}} \
+ -Djdk.tls.client.cipherSuites=${client_ciphers} \
 -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
 -Dloader.path=${COMMON_LIB} \
 -Djava.library.path=${LIBPATH} \
diff --git a/caching-service-package/src/main/resources/bin/start.sh b/caching-service-package/src/main/resources/bin/start.sh
index c308da9128..12f736ed25 100755
--- a/caching-service-package/src/main/resources/bin/start.sh
+++ b/caching-service-package/src/main/resources/bin/start.sh
@@ -138,6 +138,51 @@ if [ "${ATTLS_ENABLED}" = "true" -o "${ATTLS_CLIENT_ENABLED}" = "true" ]; then ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g') fi +get_enabled_protocol_limit() { + target=$1 + type=$2 + key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls" + value_component=$(eval echo \$$key_component) + key_gateway="ZWE_components_gateway_zowe_network_${target}_tls_${type}Tls" + value_gateway=$(eval echo \$$key_gateway) + key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls" + value_zowe=$(eval echo \$$key_zowe) + enabled_protocol_limit=${value_component:-${value_gateway:-${value_zowe:-}}} +} + +extract_between() { + echo "$1" | sed -e "s/.*$2,//" -e "s/$3.*//" +} + +get_enabled_protocol() { + target=$1 + get_enabled_protocol_limit "${target}" "min" + enabled_protocols_min=${enabled_protocol_limit} + get_enabled_protocol_limit "${target}" "max" + enabled_protocols_max=${enabled_protocol_limit} + + if [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then + result="${enabled_protocols_max:-}" + elif [ -z "${enabled_protocols_min:-}" ]; then + result="${enabled_protocols_max:-}" + else + enabled_protocols_max=${enabled_protocols_max:-"TLSv1.2"} + enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4, + # Extract protocols between min and max (inclusive) + result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max") + result="$enabled_protocols_min,$result$enabled_protocols_max" + fi +} + +get_enabled_protocol_limit "server" "max" +server_protocol=${enabled_protocol_limit:-"TLS"} +get_enabled_protocol "server" +server_enabled_protocols=${result:-"TLSv1.2"} 
+server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}} +get_enabled_protocol "client" +client_enabled_protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}} +client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}} + keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}" keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}" key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}" @@ -214,7 +259,6 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CACHING_CODE} java \ -Dapiml.service.customMetadata.apiml.gatewayPort=${ZWE_components_gateway_port:-7554} \ -Dapiml.service.ssl.verifySslCertificatesOfServices=${verifySslCertificatesOfServices:-false} \ -Dapiml.service.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \ - -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"} \ -Dcaching.storage.evictionStrategy=${ZWE_configs_storage_evictionStrategy:-reject} \ -Dcaching.storage.size=${ZWE_configs_storage_size:-10000} \ -Dcaching.storage.mode=${ZWE_configs_storage_mode:-inMemory} \ 
@@ -227,7 +271,9 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CACHING_CODE} java \
 -Dcaching.storage.infinispan.initialHosts=${ZWE_configs_storage_infinispan_initialHosts:-localhost[7098]} \
 -Dserver.address=0.0.0.0 \
 -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \
- -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-"TLSv1.2"} \
+ -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-${server_protocol}} \
+ -Dserver.ssl.ciphers=${server_ciphers} \
+ -Dserver.ssl.enabled-protocols=${server_enabled_protocols} \
 -Dserver.ssl.keyStore="${keystore_location}" \
 -Dserver.ssl.keyStoreType="${keystore_type}" \
 -Dserver.ssl.keyStorePassword="${keystore_pass}" \
@@ -236,6 +282,8 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CACHING_CODE} java \
 -Dserver.ssl.trustStore="${truststore_location}" \
 -Dserver.ssl.trustStoreType="${truststore_type}" \
 -Dserver.ssl.trustStorePassword="${truststore_pass}" \
+ -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${client_enabled_protocols}} \
+ -Djdk.tls.client.cipherSuites=${client_ciphers} \
 -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
 -Djavax.net.debug=${ZWE_configs_sslDebug:-""} \
 -Djava.library.path=${LIBPATH} \
diff --git a/cloud-gateway-package/src/main/resources/bin/start.sh b/cloud-gateway-package/src/main/resources/bin/start.sh
index 5aa469b7c9..0dfe99ef93 100755
--- a/cloud-gateway-package/src/main/resources/bin/start.sh
+++ b/cloud-gateway-package/src/main/resources/bin/start.sh
@@ -102,6 +102,49 @@ if [ "${ATTLS_ENABLED}" = "true" -o "${ATTLS_CLIENT_ENABLED}" = "true" ]; then ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g') fi +get_enabled_protocol_limit() { + target=$1 + type=$2 + key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls" + value_component=$(eval echo \$$key_component) + key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls" + value_zowe=$(eval echo \$$key_zowe) + enabled_protocol_limit=${value_component:-${value_zowe:-}} +} + +extract_between() { + echo "$1" | sed -e "s/.*$2,//" -e "s/$3.*//" +} + +get_enabled_protocol() { + target=$1 + get_enabled_protocol_limit "${target}" "min" + enabled_protocols_min=${enabled_protocol_limit} + get_enabled_protocol_limit "${target}" "max" + enabled_protocols_max=${enabled_protocol_limit} + + if [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then + result="${enabled_protocols_max:-}" + elif [ -z "${enabled_protocols_min:-}" ]; then + result="${enabled_protocols_max:-}" + else + enabled_protocols_max=${enabled_protocols_max:-"TLSv1.2"} + enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4, + # Extract protocols between min and max (inclusive) + result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max") + result="$enabled_protocols_min,$result$enabled_protocols_max" + fi +} + +get_enabled_protocol_limit "server" "max" +server_protocol=${enabled_protocol_limit:-"TLS"} +get_enabled_protocol "server" +server_enabled_protocols=${result:-"TLSv1.2"} 
+server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}} +get_enabled_protocol "client" +client_enabled_protocols=${ZWE_configs_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}} +client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}} + keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}" keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}" key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}" @@ -188,6 +231,11 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CLOUD_GATEWAY_CODE} java \ -Dserver.ssl.trustStore="${truststore_location}" \ -Dserver.ssl.trustStoreType="${truststore_type}" \ -Dserver.ssl.trustStorePassword="${truststore_pass}" \ + -Dserver.ssl.ciphers=${server_ciphers} \ + -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-${server_protocol}} \ + -Dserver.ssl.enabled-protocols=${server_enabled_protocols} \ + -Dapiml.httpclient.ssl.enabled-protocols=${client_enabled_protocols} \ + -Djdk.tls.client.cipherSuites=${client_ciphers} \ -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \ -Djavax.net.debug=${ZWE_configs_sslDebug:-""} \ -Djava.library.path=${LIBPATH} \ diff --git a/discovery-package/src/main/resources/bin/start.sh b/discovery-package/src/main/resources/bin/start.sh index 98f85590f9..38f3b23c11 100755 
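Review bot: This copy of `get_enabled_protocol_limit` drops the `ZWE_components_gateway_zowe_network_*` lookup level that the catalog, caching, discovery and metrics copies consult, yet `server_ciphers` and `client_ciphers` a few lines below still fall back to `ZWE_components_gateway_zowe_network_server_tls_ciphers` and `..._client_tls_ciphers`, so within one file the protocol range and the cipher list resolve through different precedence chains. If gateway-level values are meant to apply to cloud-gateway, add the `key_gateway`/`value_gateway` pair back; if not, remove the gateway fallbacks from the two cipher lines so an operator who sets `ZWE_components_gateway_...` does not get ciphers applied but protocols ignored. The gateway-package copy in a later hunk has the same asymmetry, though there the two variable families presumably name the same component.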
--- a/discovery-package/src/main/resources/bin/start.sh +++ b/discovery-package/src/main/resources/bin/start.sh 
@@ -148,6 +148,51 @@ LIBPATH="$LIBPATH":"${JAVA_HOME}/lib/s390/default" LIBPATH="$LIBPATH":"${JAVA_HOME}/lib/s390/j9vm" LIBPATH="$LIBPATH":"${LIBRARY_PATH}" +get_enabled_protocol_limit() { + target=$1 + type=$2 + key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls" + value_component=$(eval echo \$$key_component) + key_gateway="ZWE_components_gateway_zowe_network_${target}_tls_${type}Tls" + value_gateway=$(eval echo \$$key_gateway) + key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls" + value_zowe=$(eval echo \$$key_zowe) + enabled_protocol_limit=${value_component:-${value_gateway:-${value_zowe:-}}} +} + +extract_between() { + echo "$1" | sed -e "s/.*$2,//" -e "s/$3.*//" +} + +get_enabled_protocol() { + target=$1 + get_enabled_protocol_limit "${target}" "min" + enabled_protocols_min=${enabled_protocol_limit} + get_enabled_protocol_limit "${target}" "max" + enabled_protocols_max=${enabled_protocol_limit} + + if [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then + result="${enabled_protocols_max:-}" + elif [ -z "${enabled_protocols_min:-}" ]; then + result="${enabled_protocols_max:-}" + else + enabled_protocols_max=${enabled_protocols_max:-"TLSv1.2"} + enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4, + # Extract protocols between min and max (inclusive) + result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max") + result="$enabled_protocols_min,$result$enabled_protocols_max" + fi +} + +get_enabled_protocol_limit "server" "max" +server_protocol=${enabled_protocol_limit:-"TLS"} +get_enabled_protocol "server" +server_enabled_protocols=${result:-"TLSv1.2"} 
+server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}} +get_enabled_protocol "client" +client_enabled_protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}} +client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}} + keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}" keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}" key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}" 
@@ -231,9 +276,12 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${DISCOVERY_CODE} java \
 -Dapiml.security.ssl.verifySslCertificatesOfServices=${verifySslCertificatesOfServices:-false} \
 -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
 -Dapiml.security.auth.cookieProperties.cookieName=${cookieName:-apimlAuthenticationToken} \
- -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"} \
 -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \
- -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-"TLSv1.2"} \
+ -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${client_enabled_protocols}} \
+ -Djdk.tls.client.cipherSuites=${client_ciphers} \
+ -Dserver.ssl.ciphers=${server_ciphers} \
+ -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-${server_protocol}} \
+ -Dserver.ssl.enabled-protocols=${server_enabled_protocols} \
 -Dserver.ssl.keyStore="${keystore_location}" \
 -Dserver.ssl.keyStoreType="${keystore_type}" \
 -Dserver.ssl.keyStorePassword="${keystore_pass}" \
diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
index aa9d76a4cd..b2563284b5 100755
--- a/gateway-package/src/main/resources/bin/start.sh
+++ b/gateway-package/src/main/resources/bin/start.sh
@@ -67,6 +67,7 @@
 # - ZWE_configs_certificate_keystore_type - The keystore type to use for SSL certificates
 # - ZWE_configs_certificate_truststore_file
 # - ZWE_configs_certificate_truststore_type
+# - ZWE_configs_certificate_ciphers / ZWE_configs_ciphers
 # - ZWE_configs_debug
 # - ZWE_configs_port - the port the api gateway service will use
 # - ZWE_configs_apimlId
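Review bot: The header now lists `ZWE_configs_certificate_ciphers / ZWE_configs_ciphers` as inputs, but the variables the next hunk actually reads are `ZWE_configs_zowe_network_server_tls_ciphers`, `ZWE_configs_zowe_network_client_tls_ciphers` and the `ZWE_configs_zowe_network_{server,client}_tls_{min,max}Tls` family; an operator following the header would set a name the script never looks at and TLS would silently stay on the defaults. Replace the line with the names the script reads, e.g. `# - ZWE_configs_zowe_network_server_tls_ciphers / ZWE_zowe_network_server_tls_ciphers - comma-separated server cipher suites`, and add matching lines for the client ciphers and the min/max TLS limits.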
@@ -222,6 +223,49 @@ then LIBPATH="$LIBPATH":"${ZWE_GATEWAY_LIBRARY_PATH}" fi +get_enabled_protocol_limit() { + target=$1 + type=$2 + key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls" + value_component=$(eval echo \$$key_component) + key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls" + value_zowe=$(eval echo \$$key_zowe) + enabled_protocol_limit=${value_component:-${value_zowe:-}} +} + +extract_between() { + echo "$1" | sed -e "s/.*$2,//" -e "s/$3.*//" +} + +get_enabled_protocol() { + target=$1 + get_enabled_protocol_limit "${target}" "min" + enabled_protocols_min=${enabled_protocol_limit} + get_enabled_protocol_limit "${target}" "max" + enabled_protocols_max=${enabled_protocol_limit} + + if [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then + result="${enabled_protocols_max:-}" + elif [ -z "${enabled_protocols_min:-}" ]; then + result="${enabled_protocols_max:-}" + else + enabled_protocols_max=${enabled_protocols_max:-"TLSv1.2"} + enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4, + # Extract protocols between min and max (inclusive) + result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max") + result="$enabled_protocols_min,$result$enabled_protocols_max" + fi +} + +get_enabled_protocol_limit "server" "max" +server_protocol=${enabled_protocol_limit:-"TLS"} +get_enabled_protocol "server" +server_enabled_protocols=${result:-"TLSv1.2"} +server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}} +get_enabled_protocol "client" 
+client_enabled_protocols=${ZWE_configs_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}} +client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}} + keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}" keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}" key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}" @@ -313,7 +357,6 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \ -Dapiml.security.auth.passticket.customUserHeader=${ZWE_configs_apiml_security_auth_passticket_customUserHeader:-} \ -Dapiml.security.auth.passticket.customAuthHeader=${ZWE_configs_apiml_security_auth_passticket_customAuthHeader:-} \ -Dapiml.security.personalAccessToken.enabled=${ZWE_configs_apiml_security_personalAccessToken_enabled:-false} \ - -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_configs_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"} \ -Dapiml.zoweManifest=${ZWE_zowe_runtimeDirectory}/manifest.json \ -Dserver.address=0.0.0.0 \ -Dserver.maxConnectionsPerRoute=${ZWE_configs_server_maxConnectionsPerRoute:-100} \ @@ -324,7 +367,6 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \ -Dserver.webSocket.asyncWriteTimeout=${ZWE_configs_server_webSocket_asyncWriteTimeout:-60000} \ -Dserver.webSocket.requestBufferSize=${ZWE_configs_server_webSocket_requestBufferSize:-8192} \ -Dserver.ssl.enabled=${ZWE_configs_server_ssl_enabled:-true} \ - -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-"TLSv1.2"} \ -Dserver.ssl.keyStore="${keystore_location}" \ -Dserver.ssl.keyStoreType="${keystore_type}" \ -Dserver.ssl.keyStorePassword="${keystore_pass}" \ 
@@ -333,6 +375,11 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \ -Dserver.ssl.trustStore="${truststore_location}" \ -Dserver.ssl.trustStoreType="${truststore_type}" \ -Dserver.ssl.trustStorePassword="${truststore_pass}" \ + -Dserver.ssl.ciphers=${server_ciphers} \ + -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-${server_protocol}} \ + -Dserver.ssl.enabled-protocols=${server_enabled_protocols} \ + -Dapiml.httpclient.ssl.enabled-protocols=${client_enabled_protocols} \ + -Djdk.tls.client.cipherSuites=${client_ciphers} \ -Dserver.internal.enabled=${ZWE_configs_server_internal_enabled:-false} \ -Dserver.internal.ssl.enabled=${ZWE_configs_server_internal_ssl_enabled:-true} \ -Dserver.internal.port=${ZWE_configs_server_internal_port:-10017} \ diff --git a/metrics-service-package/src/main/resources/bin/start.sh b/metrics-service-package/src/main/resources/bin/start.sh index 3acd8ea13b..0c2ffa03fe 100755 --- a/metrics-service-package/src/main/resources/bin/start.sh +++ b/metrics-service-package/src/main/resources/bin/start.sh 
@@ -102,6 +102,52 @@ if [ "$ATTLS_CLIENT_ENABLED" = "true" -o "$ATTLS_ENABLED" = "true" ]; then ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g') fi + +get_enabled_protocol_limit() { + target=$1 + type=$2 + key_component="ZWE_configs_zowe_network_${target}_tls_${type}Tls" + value_component=$(eval echo \$$key_component) + key_gateway="ZWE_components_gateway_zowe_network_${target}_tls_${type}Tls" + value_gateway=$(eval echo \$$key_gateway) + key_zowe="ZWE_zowe_network_${target}_tls_${type}Tls" + value_zowe=$(eval echo \$$key_zowe) + enabled_protocol_limit=${value_component:-${value_gateway:-${value_zowe:-}}} +} + +extract_between() { + echo "$1" | sed -e "s/.*$2,//" -e "s/$3.*//" +} + +get_enabled_protocol() { + target=$1 + get_enabled_protocol_limit "${target}" "min" + enabled_protocols_min=${enabled_protocol_limit} + get_enabled_protocol_limit "${target}" "max" + enabled_protocols_max=${enabled_protocol_limit} + + if [ "${enabled_protocols_min:-}" = "${enabled_protocols_max:-}" ]; then + result="${enabled_protocols_max:-}" + elif [ -z "${enabled_protocols_min:-}" ]; then + result="${enabled_protocols_max:-}" + else + enabled_protocols_max=${enabled_protocols_max:-"TLSv1.2"} + enabled_protocols=,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,TLSv1.4, + # Extract protocols between min and max (inclusive) + result=$(extract_between "$enabled_protocols" "$enabled_protocols_min" "$enabled_protocols_max") + result="$enabled_protocols_min,$result$enabled_protocols_max" + fi +} + +get_enabled_protocol_limit "server" "max" +server_protocol=${enabled_protocol_limit:-"TLS"} +get_enabled_protocol "server" +server_enabled_protocols=${result:-"TLSv1.2"} 
+server_ciphers=${ZWE_configs_zowe_network_server_tls_ciphers:-${ZWE_components_gateway_zowe_network_server_tls_ciphers:-${ZWE_zowe_network_server_tls_ciphers:-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384}}} +get_enabled_protocol "client" +client_enabled_protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${result:-${server_enabled_protocols}}} +client_ciphers=${ZWE_configs_zowe_network_client_tls_ciphers:-${ZWE_components_gateway_zowe_network_client_tls_ciphers:-${ZWE_zowe_network_client_tls_ciphers:-${server_ciphers}}}} + keystore_type="${ZWE_configs_certificate_keystore_type:-${ZWE_zowe_certificate_keystore_type:-PKCS12}}" keystore_pass="${ZWE_configs_certificate_keystore_password:-${ZWE_zowe_certificate_keystore_password}}" key_alias="${ZWE_configs_certificate_keystore_alias:-${ZWE_zowe_certificate_keystore_alias}}" @@ -179,7 +225,9 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${METRICS_CODE} java \ -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"} \ -Dserver.address=0.0.0.0 \ -Dserver.ssl.enabled=${ZWE_components_gateway_server_ssl_enabled:-true} \ - -Dserver.ssl.protocol=${ZWE_components_gateway_server_ssl_protocol:-"TLSv1.2"} \ + -Dserver.ssl.protocol=${ZWE_configs_server_ssl_protocol:-${server_protocol}} \ + -Dserver.ssl.ciphers=${server_ciphers} \ + -Dserver.ssl.enabled-protocols=${server_enabled_protocols} \ -Dserver.ssl.keyStore="${keystore_location}" \ -Dserver.ssl.keyStoreType="${keystore_type}" \ -Dserver.ssl.keyStorePassword="${keystore_pass}" \ 
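Review bot: The context line `-Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"}` is kept here while the next hunk adds a second `-Dapiml.httpclient.ssl.enabled-protocols=` further down the same `java` command; the other five start.sh files remove the old line, and with two definitions of one system property the effective value depends on the launcher's handling of duplicate `-D` options (last one wins, as far as I know), which is easy to misread when debugging a handshake failure. Drop the first occurrence so metrics-service matches the others. Separately, the server protocol default switches from `ZWE_components_gateway_server_ssl_protocol` to `ZWE_configs_server_ssl_protocol`; if that rename is intentional it should be called out in the commit message, since existing configurations keyed on the old name stop taking effect.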
@@ -188,6 +236,8 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${METRICS_CODE} java \
 -Dserver.ssl.trustStore="${truststore_location}" \
 -Dserver.ssl.trustStoreType="${truststore_type}" \
 -Dserver.ssl.trustStorePassword="${truststore_pass}" \
+ -Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-${client_enabled_protocols}} \
+ -Djdk.tls.client.cipherSuites=${client_ciphers} \
 -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
 -Dloader.path=${COMMON_LIB} \
 -Djavax.net.debug=${ZWE_configs_sslDebug:-""} \
From 9fb0a6881d7bd5154b46880f029f19cacd2b2f2b Mon Sep 17 00:00:00 2001
From: ac892247
Date: Tue, 14 Jan 2025 10:07:40 +0100
Subject: [PATCH 3/3] list missing variables in the header

Signed-off-by: ac892247
---
 .../src/main/resources/bin/start.sh | 34 ++++++++++++-------
 1 file changed, 21 insertions(+), 13 deletions(-)

diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
index b2563284b5..a8972525d1 100755
--- a/gateway-package/src/main/resources/bin/start.sh
+++ b/gateway-package/src/main/resources/bin/start.sh
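Review bot: The added `-Dapiml.httpclient.ssl.enabled-protocols=...${client_enabled_protocols}}` is the second definition of that property on the same java command line: the first context line of the previous hunk (`@@ -179`) still passes `-Dapiml.httpclient.ssl.enabled-protocols=${ZWE_components_gateway_apiml_httpclient_ssl_enabled_protocols:-"TLSv1.2"}`, so the effective value relies on the JVM keeping the last `-D` occurrence, and someone editing the earlier line would change nothing. Remove the earlier line so the property is set exactly once. Note also that `jdk.tls.client.cipherSuites` is a JSSE-wide default for every client-side TLS context in the JVM, not only the API ML http client, so `client_ciphers` has to be a list every outbound connection the gateway makes can negotiate; a comment above the line such as `# jdk.tls.client.cipherSuites applies to all outbound TLS in this JVM, not only the gateway's own http client` would make that explicit. The java command continues outside the hunk.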
@@ -13,26 +13,39 @@
 # Variables required on shell:
 # - JAVA_HOME
 # - ZWE_STATIC_DEFINITIONS_DIR
-# - ZWE_zowe_certificate_keystore_alias - The default alias of the key within the keystore
-# - ZWE_zowe_certificate_keystore_file - The default keystore to use for SSL certificates
-# - ZWE_zowe_certificate_keystore_password - The default password to access the keystore supplied by KEYSTORE
-# - ZWE_zowe_certificate_truststore_file
+# - ZWE_configs_certificate_keystore_alias / ZWE_zowe_certificate_keystore_alias - The default alias of the key within the keystore
+# - ZWE_configs_certificate_keystore_file / ZWE_zowe_certificate_keystore_file - The default keystore to use for SSL certificates
+# - ZWE_configs_certificate_keystore_password / ZWE_zowe_certificate_keystore_password - The default password to access the keystore supplied by KEYSTORE
+# - ZWE_configs_certificate_truststore_file / ZWE_zowe_certificate_truststore_file
+# - ZWE_zowe_externalDomains_0
+# - ZWE_zowe_externalPort
 # - ZWE_zowe_job_prefix
 # - ZWE_zowe_logDirectory
 # - ZWE_zowe_runtimeDirectory
 # - ZWE_zowe_workspaceDirectory
 # Optional variables:
+# - LAUNCH_COMPONENT
 # - CMMN_LB
 # - LIBPATH
 # - LIBRARY_PATH
+# - QUICK_START
+# - TMPDIR
+# - ZWE_GATEWAY_SHARED_LIBS
+# - ZWE_haInstance_hostname
 # - ZWE_components_discovery_port - the port the discovery service will use
 # - ZWE_configs_heap_max
 # - ZWE_configs_heap_init
+# - ZWE_configs_sslDebug
+# - ZWE_configs_apimlId
 # - ZWE_configs_apiml_catalog_serviceId
 # - ZWE_configs_apiml_gateway_timeoutMillis
 # - ZWE_configs_apiml_gateway_externalProtocol
+# - ZWE_configs_apiml_health_protected
 # - ZWE_configs_apiml_security_auth_provider
+# - ZWE_configs_apiml_security_auth_jwt_customAuthHeader
+# - ZWE_configs_apiml_security_auth_passticket_customUserHeader
+# - ZWE_configs_apiml_security_auth_passticket_customAuthHeader
 # - ZWE_configs_apiml_security_allowtokenrefresh
 # - ZWE_configs_apiml_security_auth_zosmf_jwtAutoconfiguration
 # - ZWE_configs_apiml_security_auth_zosmf_serviceId
@@ -61,16 +74,13 @@
 # - ZWE_configs_apiml_security_oidc_validationType
 # - ZWE_configs_apiml_service_allowEncodedSlashes - Allows encoded slashes on on URLs through gateway
 # - ZWE_configs_apiml_service_corsEnabled
-# - ZWE_configs_certificate_keystore_alias - The alias of the key within the keystore
-# - ZWE_configs_certificate_keystore_file - The keystore to use for SSL certificates
-# - ZWE_configs_certificate_keystore_password - The password to access the keystore supplied by KEYSTORE
-# - ZWE_configs_certificate_keystore_type - The keystore type to use for SSL certificates
-# - ZWE_configs_certificate_truststore_file
-# - ZWE_configs_certificate_truststore_type
+# - ZWE_configs_certificate_keystore_type / ZWE_zowe_certificate_keystore_type - The keystore type to use for SSL certificates
+# - ZWE_configs_certificate_key_password / ZWE_zowe_certificate_key_password
+# - ZWE_configs_certificate_truststore_type / ZWE_zowe_certificate_truststore_type
+# - ZWE_configs_certificate_truststore_password / ZWE_zowe_certificate_truststore_password
 # - ZWE_configs_certificate_ciphers / ZWE_configs_ciphers
 # - ZWE_configs_debug
 # - ZWE_configs_port - the port the api gateway service will use
-# - ZWE_configs_apimlId
 # - ZWE_configs_server_internal_ssl_certificate_keystore_alias
 # - ZWE_configs_server_internal_ssl_certificate_keystore_file
 # - ZWE_configs_server_internal_enabled
@@ -81,8 +91,6 @@
 # - ZWE_configs_server_ssl_enabled
 # - ZWE_configs_spring_profiles_active
 # - ZWE_DISCOVERY_SERVICES_LIST
-# - ZWE_GATEWAY_SHARED_LIBS
-# - ZWE_haInstance_hostname
 # - ZWE_zowe_network_server_tls_attls
 # - ZWE_zowe_network_client_tls_attls
 # - ZWE_zowe_certificate_keystore_type - The default keystore type to use for SSL certificates
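Review bot: The variables introduced by the `get_enabled_protocol_limit` lookup in the previous patch — `ZWE_configs_zowe_network_<server|client>_tls_<min|max>Tls` with their `ZWE_components_gateway_zowe_network_*` and `ZWE_zowe_network_*` counterparts, the three `*_tls_ciphers` variants, and `ZWE_configs_server_ssl_protocol` now read by the java command — appear in none of the three hunks of this header update (`@@ -13`, `@@ -61`, `@@ -81`). The header lines between the hunks are not shown here, so they may already be listed there; if they are not, a commit whose purpose is to complete this list still omits the variables this same PR adds. A minimal addition under the optional variables would be `# - ZWE_configs_zowe_network_server_tls_minTls / ZWE_components_gateway_zowe_network_server_tls_minTls / ZWE_zowe_network_server_tls_minTls`, with matching `maxTls`, `ciphers` and `client` entries, next to the existing `ZWE_zowe_network_server_tls_attls` line.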