
Security error integrating the JCLCheck REST API service with Zowe API Mediation Layer (API ML)


Article ID: 227280


Products

JCLCheck Workload Automation

Issue/Introduction

When trying to integrate the JCLCheck REST API with the Zowe API Mediation Layer, errors occur when starting the JCLCheck REST API service.

First error:

2021-10-22 19:04:45.354 ERROR 33624627 --- [           main] c.n.d.s.t.d.RedirectingEurekaHttpClient  : Request execution error. endpoint=DefaultEndpoint{ serviceUrl='https://99.99.99.9:1111/eureka}
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available at ...

 

Environment

Release : 12.0

Component : JCLCheck Workload Automation

 

Cause

The Zowe API Mediation Layer (Zowe API ML) is configured for SSL, but JCLCheck is not configured for SSL.

Resolution

Enable a secure TLS/HTTPS connection for JCLCheck by following the instructions in the JCLCheck online documentation:

    https://techdocs.broadcom.com/us/en/ca-mainframe-software/automation/ca-jclcheck-workload-automation/12-0/using/install-configure-and-deploy-the-jclcheck-rest-api/configure-and-deploy-the-jclcheck-rest-api.html

Here's a template for configuring JCLCheck with a truststore and a keystore for holding certificates. These properties are specified in the "jclcheck.yml" configuration file:

server:
    address: xxx
    port: xxx
    ssl:
        enabled: true
        keyAlias: server
        keyPassword: xxx
        keyStore: config/keystore.p12
        keyStorePassword: xxx
        keyStoreType: PKCS12
        trustStore: config/truststore.p12
        trustStorePassword: xxx
        trustStoreType: PKCS12
 
Note: One TLS certificate for the JCLCheck server should work for either a direct-to-service connection or when connected through the API ML.   The API ML must have its own certificate.
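
A pre-flight check for the server.ssl block shown above, as an added example that is not part of this article or of JCLCheck: it reports missing keys, leftover "xxx" placeholders, and keystore or truststore paths that do not exist. The names check_ssl and read_ssl_block, the sample values, and the minimal indentation parser (it handles only the template's layout, not general YAML) are assumptions.

```python
import os

REQUIRED = ("keyAlias", "keyPassword", "keyStore", "keyStorePassword",
            "keyStoreType", "trustStore", "trustStorePassword", "trustStoreType")

# Constructed sample: the template with the truststore entries left out.
SAMPLE = """
server:
    address: 0.0.0.0
    ssl:
        enabled: true
        keyAlias: server
        keyPassword: xxx
        keyStore: config/keystore.p12
        keyStorePassword: sample-only
        keyStoreType: PKCS12
"""

def read_ssl_block(text):
    """Collect the scalar keys nested under server: -> ssl: (hypothetical helper)."""
    path, ssl = [], {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()  # stepped back out of a nested mapping
        if not value.strip():
            path.append((indent, key))  # a mapping header such as "ssl:"
        elif [k for _, k in path] == ["server", "ssl"]:
            ssl[key] = value.strip().strip("'\"")
    return ssl

def check_ssl(text, base_dir="."):
    """Return findings; an empty list means the ssl block is complete.
    Findings name keys and store paths only, never password values."""
    ssl, findings = read_ssl_block(text), []
    if ssl.get("enabled", "").lower() != "true":
        findings.append("server.ssl.enabled is not true")
    for key in REQUIRED:
        if not ssl.get(key):
            findings.append(f"server.ssl.{key} is missing")
        elif ssl[key] == "xxx":
            findings.append(f"server.ssl.{key} still holds the template placeholder")
    for key in ("keyStore", "trustStore"):
        path = ssl.get(key)
        if path and path != "xxx" and not os.path.isfile(os.path.join(base_dir, path)):
            findings.append(f"server.ssl.{key} file not found: {path}")
    return findings
```

Pass the contents of jclcheck.yml as text and the directory that relative store paths resolve against as base_dir; a non-empty result is worth fixing before starting the service.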