
Security error integrating the JCLCheck REST API service with Zowe API Mediation Layer (API ML)


Article ID: 227280


Products

JCLCheck Workload Automation

Issue/Introduction

When integrating the JCLCheck REST API with the Zowe API Mediation Layer, errors occur when starting the JCLCheck REST API service.

First error:

2021-10-22 19:04:45.354 ERROR 33624627 --- [           main] c.n.d.s.t.d.RedirectingEurekaHttpClient  : Request execution error. endpoint=DefaultEndpoint{ serviceUrl='https://99.99.99.9:1111/eureka}
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available at ...

 

Cause

The Zowe API Mediation Layer (Zowe API ML) is configured for SSL, but JCLCheck is not configured for SSL.

Environment

Release : 12.0

Component : JCLCheck Workload Automation

 

Resolution

Enable a secure TLS/HTTPS connection for JCLCheck by following the instructions in the JCLCheck online documentation:

    https://techdocs.broadcom.com/us/en/ca-mainframe-software/automation/ca-jclcheck-workload-automation/12-0/using/install-configure-and-deploy-the-jclcheck-rest-api/configure-and-deploy-the-jclcheck-rest-api.html

Here is a template for configuring JCLCheck with a Truststore and a Keystore to hold certificates. These properties are specified in the "jclcheck.yml" configuration file:

server:
    address: xxx
    port: xxx
    ssl:
        enabled: true
        keyAlias: server
        keyPassword: xxx
        keyStore: config/keystore.p12
        keyStorePassword: xxx
        keyStoreType: PKCS12
        trustStore: config/truststore.p12
        trustStorePassword: xxx
        trustStoreType: PKCS12
 
Note: One TLS certificate for the JCLCheck server should work for either a direct-to-service connection or when connected through the API ML.   The API ML must have its own certificate.
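The following pre-flight check is an added example, not part of the JCLCheck product or its documentation. It reads the server.ssl block of a jclcheck.yml and reports settings that would leave the service without a usable keystore or truststore. The function names, the sample file contents, and the assumption that a keyring would be written as a Zowe-style safkeyring: URL are illustrative.

```python
REQUIRED = ("keyAlias", "keyPassword", "keyStore", "keyStorePassword",
            "keyStoreType", "trustStore", "trustStorePassword", "trustStoreType")

def flatten(text):
    """Flatten simple nested 'key: value' YAML (mappings only) into dotted paths."""
    out, stack = {}, []  # stack: (indent, key) of the mappings currently open
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings that ended at this indentation
        if value.strip():
            out[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return out

def check_ssl(text):
    """Return findings for server.ssl; an empty list means the block is filled in."""
    ssl = {k.split("server.ssl.", 1)[1]: v
           for k, v in flatten(text).items() if k.startswith("server.ssl.")}
    findings = []
    if ssl.get("enabled", "").lower() != "true":
        findings.append("enabled: not true")
    for key in REQUIRED:
        if key not in ssl:
            findings.append(f"{key}: missing")
        elif ssl[key] == "xxx":
            findings.append(f"{key}: still the template placeholder")
        elif key in ("keyStore", "trustStore") and ssl[key].startswith("safkeyring:"):
            # Assumption: keyrings are referenced with a Zowe-style safkeyring: URL.
            findings.append(f"{key}: SAF keyring is not supported")
    return findings

# Constructed sample: SSL enabled, keystore on a keyring, no truststore at all.
SAMPLE = """\
server:
    ssl:
        enabled: true
        keyAlias: server
        keyPassword: xxx
        keyStore: safkeyring:////JCLSRV/JCLRING
        keyStorePassword: changeit
        keyStoreType: PKCS12
"""

if __name__ == "__main__":
    for finding in check_ssl(SAMPLE):
        print("server.ssl." + finding)
```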

Additional Information

At this time, the JCLCheck REST API service does NOT support RACF SAF keyrings for managing certificates. Only the Keystore and Truststore combination is currently supported.

Using TLS Certificates:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/automation/ca-jclcheck-workload-automation/12-0/using/install-configure-and-deploy-the-jclcheck-rest-api/using-tls-certificates.html