From e6c644e18e8af59be2e44120865b596280ad19b8 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 14 Jan 2025 14:12:51 +0100 Subject: [PATCH] formatting improvements Signed-off-by: Andrew Jandacek --- .../configuring-at-tls-for-zowe-server.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/user-guide/configuring-at-tls-for-zowe-server.md b/docs/user-guide/configuring-at-tls-for-zowe-server.md index fafbd12698..a761661e4e 100644 --- a/docs/user-guide/configuring-at-tls-for-zowe-server.md +++ b/docs/user-guide/configuring-at-tls-for-zowe-server.md 
@@ -129,12 +129,11 @@ Assign the `PortRange` of this inbound rule based on the list of API Mediation L Replace `ZoweKeyring` with the keyring configured for your installation. -To configure keyrings for your Zowe instance, see [SAF keyring](../getting-started/zowe-certificates-overview.md#saf-keyring) in the article _Zowe Certificates overview_. - +To configure keyrings for your Zowe instance, see [Use a z/OS keyring-based keystore with Zowe generated certificates](../user-guide/certificate-configuration-scenarios.md#scenario-3-use-a-zos-keyring-based-keystore-with-zowe-generated-certificates). Note the setting `HandshakeRole`. This setting applies to core services which authenticate through certificates with each other. This setting allows the API Gateway to receive and accept X.509 client certificates from API Clients. -For more granularity in the AT-TLS rules, separate the rules that need to support Client Certificate authentication (Discovery Service, Gateway Service) from the rules that do not need to support Client Certificate authentication(for example a rule covering API Gateway to an onboarded service). +For more granularity in the AT-TLS rules, separate the rules that need to support Client Certificate authentication (Discovery Service, Gateway Service) from the rules that do not need to support Client Certificate authentication, for example a rule that applies to communication between the API Gateway and an onboarded service. ### Outbound rules 
@@ -159,9 +158,9 @@ TTLSConnectionAction ClientConnectionAction #### Outbound rule for z/OSMF -This example rule covers the connection between the API Gateway and the z/OSMF instance. This connection is made to authenticate users in z/OS. +The following example rule applies to the connection between the API Gateway and the z/OSMF instance. This connection is made to authenticate users in z/OS. -If `zowe.network.client.tls.attls` is `true`, this rule is assumed set. The requests to z/OSMF are issued using `http`. +THis rule is set when `zowe.network.client.tls.attls` is set to `true`. The requests to z/OSMF are issued using `http`. ```bash TTLSRule ApimlZosmfClientRule @@ -239,7 +238,9 @@ TTLSConnectionAdvancedParms ApimlClientX509ConnAdvParms In this example, the rule covers all outbound connections originating from the API Gateway to an example southbound service listening on port 8080. This rule applies for Zowe services as well, such as the ZSS and app-server if they are enabled. -This example covers routing scenarios. +The following example covers routing scenarios. + +**Example:** ```bash TTLSRule ApimlServiceClientRule @@ -288,8 +289,8 @@ These service also already have an outbound rule set for the onboarding process Ensure these rules are followed: -- Outbound rule to Discovery Service: Sends X.509 Client Certificate to authorize the onboarding. -- Outbound rule to API Gateway: __Do not__ set a Client Certificate. +- Outbound rule to Discovery Service: Sends X.509 Client Certificate to authorize the onboarding +- Outbound rule to API Gateway: __Do not__ set a Client Certificate ### Ciphers
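Review bot: In the hunk at @@ -129,12 +129,11, the empty line that followed the "To configure keyrings for your Zowe instance" paragraph is removed together with the old link, so the unchanged line "Note the setting `HandshakeRole`." now follows the new sentence with no separator and will render as part of the same Markdown paragraph. Restore the empty line after the new link sentence. The link target also moves from the SAF keyring section of the certificates overview to certificate scenario 3, which is a content change rather than formatting, so the commit subject should mention it. Since the edited file already lives in `docs/user-guide`, the `../user-guide/` prefix resolves back to the same directory and could be written as `./certificate-configuration-scenarios.md#...`.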
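Review bot: In the hunk at @@ -159,9 +158,9, the added line begins with "THis", a typo for "This". The rewording also shifts the meaning: the removed sentence said that when `zowe.network.client.tls.attls` is `true` the rule is assumed to be set, whereas "This rule is set when ..." reads as if enabling the property creates the AT-TLS rule. A reader who takes the new wording literally could skip defining the rule while the requests to z/OSMF are issued using `http`. Suggest keeping the original sense, for example "When `zowe.network.client.tls.attls` is set to `true`, this rule is assumed to be in place."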
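Review bot: In the hunk at @@ -239,7 +238,9, the added `**Example:**` label comes directly after "The following example covers routing scenarios.", so the code block is announced twice, and the z/OSMF rule in the previous hunk introduces its code block with no such label. Keep either the sentence or the label, and apply the same choice to every rule example in the file.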
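Review bot: In the hunk at @@ -288,8 +289,8, the two list items lose their periods but stay non-parallel: the first is a fragment ("Sends X.509 Client Certificate ...") and the second is an imperative sentence ("__Do not__ set a Client Certificate"). Since both lines are already touched, consider making both imperative, for example "Send an X.509 Client Certificate to authorize the onboarding", and settle terminal punctuation for the list as a whole. The context quoted in the hunk header, "These service also already have", has a number agreement slip ("These services") that could be fixed in the same pass.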