From 75b0dcbba0c8ad77571b5b1ee085d71ee11fa336 Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Fri, 20 Dec 2024 14:29:58 +0100 Subject: [PATCH 1/5] Update apiml.js for attls Signed-off-by: 1000TurquoisePogs --- lib/apiml.js | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/apiml.js b/lib/apiml.js index afd21566..0ffe62c2 100644 --- a/lib/apiml.js +++ b/lib/apiml.js @@ -171,7 +171,7 @@ ApimlConnector.prototype = { httpEnabled: false, httpsEnabled: true }; - const proto = 'https'; + const proto = this.isClientAttls ? 'http' : 'https'; log.debug("ZWED0141I", proto, this.port); //"Protocol:", proto, "Port", port); log.debug("ZWED0142I", JSON.stringify(protocolObject)); //"Protocol Object:", JSON.stringify(protocolObject)); @@ -228,7 +228,7 @@ ApimlConnector.prototype = { },*/ registerMainServerInstance() { - const overrideOptions = Object.assign({},this.tlsOptions); + const overrideOptions = this.isClientAttls ? {} : Object.assign({},this.tlsOptions) if (!this.tlsOptions.rejectUnauthorized) { //Keeping these certs causes an openssl error 46, unknown cert error in a dev environment delete overrideOptions.cert; @@ -240,7 +240,8 @@ ApimlConnector.prototype = { eureka: Object.assign({}, MEDIATION_LAYER_EUREKA_DEFAULTS, this.eurekaOverrides), requestMiddleware: function (requestOpts, done) { done(Object.assign(requestOpts, overrideOptions)); - } + }, + ssl: !this.isClientAttls } log.debug("ZWED0144I", JSON.stringify(zluxProxyServerInstanceConfig, null, 2)); //log.debug("zluxProxyServerInstanceConfig: " //+ JSON.stringify(zluxProxyServerInstanceConfig, null, 2)) 
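Review bot: In the registerMainServerInstance hunk, `const overrideOptions = this.isClientAttls ? {} : Object.assign({},this.tlsOptions)` loses its terminating semicolon and, when AT-TLS is on, drops every Node-side TLS option (`ca`, `cert`, `key`, `rejectUnauthorized`) from the Eureka request options. That matches the `ssl: !this.isClientAttls` added in the following hunk (the connection is plain HTTP from Node's point of view, with TLS applied by the stack), but it means trust in the discovery service now rests entirely on the AT-TLS policy, which nothing in this file shows. I would make that visible: `// AT-TLS terminates TLS in the stack; no Node TLS options (ca/cert/rejectUnauthorized) apply to this connection` above the line, plus the missing `;`. The `if (!this.tlsOptions.rejectUnauthorized) { delete overrideOptions.cert; … }` that follows then deletes from an empty object in the AT-TLS case, which is harmless but worth a short comment so it is not mistaken for a bug. The body of registerMainServerInstance continues outside the hunk.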
@@ -280,7 +281,12 @@ ApimlConnector.prototype = { }, getServiceUrls() { - return this.discoveryUrls.map(url => url + (url.endsWith('/') ? '' : '/') + 'apps'); + let urls = this.discoveryUrls.map(url => url + (url.endsWith('/') ? '' : '/') + 'apps'); + if (this.isClientAttls) { + return urls.map(url => url.replaceAll('https', 'http')); + } else { + return urls; + } }, getRequestOptionsArray(method, path) { From de26485e32c626ccb304c4fe3616386dee9a84c9 Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Fri, 20 Dec 2024 14:30:31 +0100 Subject: [PATCH 2/5] Update CHANGELOG.md Signed-off-by: 1000TurquoisePogs --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a37b2d5..e36e18ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ All notable changes to the Zlux Server Framework package will be documented in this file.. This repo is part of the app-server Zowe Component, and the change logs here may appear on Zowe.org in that section. +## 2.18.1 +- Bugfix: App-server could not register with discovery server when AT-TLS was enabled for app-server. (#581) + ## 2.17.0 - Enhancement: Added function `isClientAttls(zoweConfig)` within `libs/util.js`. Whenever a plugin makes a network request, it should always use this to determine if a normally HTTPS request should instead be made as HTTP due to AT-TLS handling the TLS when enabled. (#544) - Bugfix: Fixed function `isServerAttls(zoweConfig)` within `libs/util.js`, which was preventing using AT-TLS with app-server. (#544) From 183bfcf9d34776e08623019799ac23fa0170629a Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Thu, 26 Dec 2024 10:14:49 +0100 Subject: [PATCH 3/5] Update apiml.js Signed-off-by: 1000TurquoisePogs --- lib/apiml.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/apiml.js b/lib/apiml.js index 0ffe62c2..6c02a188 100644 --- a/lib/apiml.js +++ b/lib/apiml.js 
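Review bot: `url.replaceAll('https', 'http')` in getServiceUrls rewrites every occurrence of the substring, not only the scheme, so a discovery URL whose host or path contains `https` (a constructed example: `https://https-disc.example/`) would be corrupted instead of downgraded. Anchoring the replacement to the scheme fixes that, and the `let` plus else branch can collapse: `const urls = this.discoveryUrls.map(url => url + (url.endsWith('/') ? '' : '/') + 'apps');` followed by `return this.isClientAttls ? urls.map(url => url.replace(/^https:/i, 'http:')) : urls;`. Since the downgrade is deliberate (AT-TLS is expected to re-add TLS on the wire), a one-line comment stating that expectation would spare the next reader who sees an `http://` URL to a discovery server.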
@@ -171,9 +171,8 @@ ApimlConnector.prototype = { httpEnabled: false, httpsEnabled: true }; - const proto = this.isClientAttls ? 'http' : 'https'; - log.debug("ZWED0141I", proto, this.port); //"Protocol:", proto, "Port", port); + log.debug("ZWED0141I", 'https', this.port); //"Protocol:", proto, "Port", port); log.debug("ZWED0142I", JSON.stringify(protocolObject)); //"Protocol Object:", JSON.stringify(protocolObject)); const instance = Object.assign({}, MEDIATION_LAYER_INSTANCE_DEFAULTS(proto, this.hostName, this.port)); @@ -183,9 +182,9 @@ ApimlConnector.prototype = { hostName: this.hostName, ipAddr: this.ipAddr, vipAddress: "zlux",//this.vipAddress, - statusPageUrl: `${proto}://${this.hostName}:${this.port}/server/eureka/info`, - healthCheckUrl: `${proto}://${this.hostName}:${this.port}/server/eureka/health`, - homePageUrl: `${proto}://${this.hostName}:${this.port}/`, + statusPageUrl: `https://${this.hostName}:${this.port}/server/eureka/info`, + healthCheckUrl: `https://${this.hostName}:${this.port}/server/eureka/health`, + homePageUrl: `https://${this.hostName}:${this.port}/`, port: { "$": protocolObject.httpPort, // This is a workaround for the mediation layer "@enabled": ''+protocolObject.httpEnabled From 9a71198c950dcf6df0708c8b179651d23f7f31b9 Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Tue, 7 Jan 2025 14:16:58 +0100 Subject: [PATCH 4/5] Remove 'proto' reference Signed-off-by: 1000TurquoisePogs --- lib/apiml.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/apiml.js b/lib/apiml.js index 6c02a188..85e87b73 100644 --- a/lib/apiml.js +++ b/lib/apiml.js 
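Review bot: In the second hunk of this patch, the hard-coded `https://` in statusPageUrl, healthCheckUrl and homePageUrl is fine for patch 3 by itself, but patch 5/5 of this series later sets `httpEnabled: this.isGatewayClientAttls` and `httpsEnabled: !this.isGatewayClientAttls`, which feed the `"@enabled"` flag of this same instance's port block, so when the gateway is told the app-server is HTTP-only these three URLs still advertise HTTPS. If that is deliberate (the gateway reaching them under its own AT-TLS policy), a comment beside these lines saying so would keep the mismatch from being "fixed" later; if not, they should follow the same flag. The `//"Protocol:", proto, "Port", port` comment on the ZWED0141I debug line is now stale and could read `//"Protocol:", 'https', "Port", port`. The enclosing method starts and ends outside the hunk.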
@@ -175,7 +175,7 @@ ApimlConnector.prototype = { log.debug("ZWED0141I", 'https', this.port); //"Protocol:", proto, "Port", port); log.debug("ZWED0142I", JSON.stringify(protocolObject)); //"Protocol Object:", JSON.stringify(protocolObject)); - const instance = Object.assign({}, MEDIATION_LAYER_INSTANCE_DEFAULTS(proto, this.hostName, this.port)); + const instance = Object.assign({}, MEDIATION_LAYER_INSTANCE_DEFAULTS('https', this.hostName, this.port)); Object.assign(instance, overrides); Object.assign(instance, { instanceId: `${this.hostName}:zlux:${this.port}`, From 755e2c66f7b5a97aad5f6c598853accfec78a59f Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Fri, 7 Feb 2025 14:46:58 -0500 Subject: [PATCH 5/5] Update apiml.js from v3 code Signed-off-by: 1000TurquoisePogs --- lib/apiml.js | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/lib/apiml.js b/lib/apiml.js index 85e87b73..f08c6a25 100644 --- a/lib/apiml.js +++ b/lib/apiml.js 
@@ -82,6 +82,19 @@ function ApimlConnector({ hostName, port, discoveryUrls, discoveryPort, tlsOptions, eurekaOverrides, isClientAttls }) { Object.assign(this, { hostName, port, discoveryUrls, discoveryPort, tlsOptions, eurekaOverrides, isClientAttls }); + //TODO config should never be checked through env var, but is temporarily needed to temporarily read gateway's ATTLS state to provide it with Eureka info it can work with. + const clientGlobalAttls = process.env['ZWE_zowe_network_client_tls_attls']; + const clientGatewayAttls = process.env['ZWE_components_gateway_zowe_network_client_tls_attls']; + const clientAttls = (clientGlobalAttls == 'true') || (clientGatewayAttls == 'true'); + this.isGatewayClientAttls = false; + if ((clientGlobalAttls === undefined) && (clientGatewayAttls === undefined)) { + // If client attls env vars are not set, have client follow server attls variable. it simplifies common case in which users want both. + const serverGlobalAttls = process.env['ZWE_zowe_network_server_tls_attls'] == 'true'; + const serverGatewayAttls = process.env['ZWE_components_gateway_zowe_network_server_tls_attls'] == 'true'; + this.isGatewayClientAttls = serverGlobalAttls || serverGatewayAttls; + } else { + this.isGatewayClientAttls = clientAttls; + } this.vipAddress = hostName; } 
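Review bot: The protocol the app-server advertises to Eureka is now decided from the environment (`isGatewayClientAttls`), while the protocol it actually uses to reach the discovery service comes from the `isClientAttls` constructor argument; when the two disagree the result is the no-TLS or double-TLS case the comment in the next hunk warns about, and nothing in this constructor records which value was chosen. I would log both resolved flags at debug level here (log appears to be module-scoped, given its use in the prototype methods) so an operator can diagnose the mismatch from the app-server log rather than from a failed registration. The four `== 'true'` comparisons are loose equality on values that are always a string or undefined, and the parse is repeated per variable; `const envFlagIsTrue = (name) => process.env[name] === 'true';` would replace them and remove the `==`/`===` mix. Note also that the fallback condition treats an empty-string env var as "set" and then resolves it to false; if that is not intended, `=== ''` should join the undefined checks. The constructor's closing brace is inside the hunk; its signature is only visible in the hunk header.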
@@ -168,8 +181,14 @@ ApimlConnector.prototype = { // If the HTTP port is set to 0 then the API ML doesn't load zlux httpPort: Number(this.port), httpsPort: Number(this.port), - httpEnabled: false, - httpsEnabled: true + // TODO while the server should always be HTTPS for security, + // When AT-TLS is used, programs need to know when AT-TLS will add TLS to their traffic + // To align with the correct amount of TLS (Avoid no TLS and double TLS) + // It seems the gateway wants to be told app-server is 'http' when client TLS is set on it + // So this eureka object will be based upon that setting. + // This may change in the future, revisit. + httpEnabled: this.isGatewayClientAttls, + httpsEnabled: !this.isGatewayClientAttls }; log.debug("ZWED0141I", 'https', this.port); //"Protocol:", proto, "Port", port);