java.net.MalformedURLException: unknown protocol: safkeyring during service startup - Need keyring support
Describe the bug
Service startup fails when keyrings are used with API Catalog Discovery enabled. Turning off discovery works fine. Keyring logic seems broken in api-layer.
Steps to Reproduce
Attempt to start a REST API service with API Catalog discovery with something like:

    apiml:
        enabled: true
        service:
            ssl:
                keyStore: safkeyring://SDKSERV/SDKRING
                keyStoreType: JCERACFKS
                trustStore: safkeyring://SDKSERV/SDKRING
                trustStoreType: JCERACFKS

Tried with onboarding-enabler-spring but issue seems to affect any callers of common-service-core SecurityUtils and HttpsFactory classes.
Also, system/unit tests don't seem to cover any keyring scenarios in api-layer.
Expected behavior
Service starts up without errors with API Catalog Discovery enabled and keyrings are used.
Screenshots
java.net.URL may not have support for the 'safkeyring://*' pattern. But the java.net.URL class seems to be used to process keyring parameters.

https://github.com/zowe/api-layer/blob/15c887c1ed264f065fb5b1a1f731508997841039/common-service-core/src/main/java/org/zowe/apiml/security/SecurityUtils.java#L209-L215
Details
- Version and build number: Latest
- Test environment: z/OS 2.5 with JDK SR7FP10.
REST API client (in case of REST API issue):
- Technology: Spring Boot with embedded tomcat.
zaas client also seems to have similar issue with processing safkeyring
https://github.com/zowe/api-layer/blob/15c887c1ed264f065fb5b1a1f731508997841039/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java#L131-L137

@recaph your keyring definition is missing two slashes, it should be safkeyring:////SDKSERV/SDKRING. You also can't use the = sign in YAML, it needs to be enabled: true
@achmelo I am confused why four slashes are required. Other configurations seem to allow 2 slashes, like the one below.
https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-common-services-for-z-os/15-0/installing/complete-configuration-tasks/perform-post-deployment-tasks/configure-apache-tomcat-to-use-ssl-with-keyrings.html
This documentation by IBM seems to have a different prefix format altogether, but with 2 slashes: https://public.dhe.ibm.com/software/Java/Java11/IBMJCECCA/JSSEzOSRefGuide.html
or this one in IBM FAQs
https://public.dhe.ibm.com/software/Java/Java11/IBMJCECCA/zJavaSecurityFAQ.html#cca_q07a

Any update?
We plan to fix it. It's acknowledged as a bug and the expectation is that the fix will be either in the 2.5 or 2.6 version of Zowe.
Hi @recaph, just to confirm, did you provide also the -Djava.protocol.handler.pkgs=com.ibm.crypto.provider property to handle the RACF keyring?
@taban03 I am not sure what is being asked.. I think apiml code should set the required properties before processing keyring string… provider could be determined by store type…
Any ETAs for 2.5/2.6?
@recaph I think you should provide this system property when running your service , or at least that's my understanding. https://docs.zowe.org/stable/extend/extend-apiml/api-mediation-security/#api-ml-saf-keyring
@taban03 I know what zowe asks currently… I was just suggesting that the requirement can be removed…
@taban03 The issue here is to make sure that two slashes in the name of the safkeyring work as well as two slashes, which is relevant as this seems to be more standard despite different Java on zOS implementations.
@recaph As for 2.5, the GA is 2022/12/12. The 2.6 GA is 2023/01/23.
#2686
@balhar-jakub ... noticed 2.6 release today... wondering if this issue will be resolved if I upgrade...
@taban03 I believe that the issue wasn't resolved yet as we are waiting for verification of the fix on internal systems and as such will be in 2.7. Am I correct?
@balhar-jakub Yes, that's correct, currently under testing.
Just checking in… if it’s still on track for 2.7?
Yes, I believe it is.
@taban03 I believe we fixed this one and merged it in time for 2.7 am I correct?
Yes, that's correct.
@recaph Please take a look whether 2.7 release fixes the issue. If not, feel free to reopen.
@balhar-jakub @taban03 Am I missing something, or change log not updated. Even Zowe.org seems to mention the four slashes and doesn’t mention I can provide two slashes.. (unable to reopen too)
It will be published as part of 2.7 during this week when the changelog will be also updated.
@taban03 Did you update also the docs-site with the changes?
I will verify it with @pj892031
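
The failure and the two-versus-four-slash question discussed in this thread, as an added example that is not api-layer code: it shows `java.net.URL` rejecting a `safkeyring` location when no protocol handler is registered, and a parser that accepts both slash forms without going through `java.net.URL`. The class name, method names and the regular expression are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KeyringLocationCheck {
    // Hypothetical pattern: a scheme starting with "safkeyring", two or four
    // slashes, then the keyring owner and the ring name.
    private static final Pattern KEYRING =
        Pattern.compile("^(safkeyring[a-z]*):(?:/{2}|/{4})([^/]+)/([^/]+)$");

    /** True when the configured store location names a keyring, not a file. */
    static boolean isKeyring(String location) {
        return location != null && KEYRING.matcher(location).matches();
    }

    /** Rewrites an accepted keyring location to the four-slash form. */
    static String normalize(String location) {
        Matcher m = KEYRING.matcher(location);
        if (!m.matches()) {
            throw new IllegalArgumentException("Not a keyring location: " + location);
        }
        return m.group(1) + ":////" + m.group(2) + "/" + m.group(3);
    }

    /** Returns null if java.net.URL accepts the string, else the error text. */
    @SuppressWarnings("deprecation") // URL(String) is deprecated on recent JDKs
    static String urlError(String location) {
        try {
            new URL(location);
            return null;
        } catch (MalformedURLException e) {
            // Raised when no handler for the scheme is registered in the JVM.
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the keyring name is the one from the report.
        String[] samples = {"safkeyring://SDKSERV/SDKRING",
                            "safkeyring:////SDKSERV/SDKRING", "/opt/keystore.p12"};
        for (String s : samples) {
            System.out.println(s + " keyring=" + isKeyring(s)
                + (isKeyring(s) ? " normalized=" + normalize(s) : "")
                + " urlError=" + urlError(s));
        }
    }
}
```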