Unable to onboard Vantage REST API services to APIML

Article ID: 236783

Products

Vantage Storage Resource Manager

Issue/Introduction

We have been running the VANTREST server HTTP on port 8080. I attempted to use SSL and onboard to the APIML by enabling ENABLE_AML=true in VNPAMLC, but I was getting a 'port in use' message or configuration issue. The port is not in use and was not being used when it was running non-SSL. I changed the port to 8444 which on a NETSTAT was not in use and not in the reserve list.

APPLICATION FAILED TO START
***************************
Description:
The Tomcat connector configured to listen on port 8444 failed to start. The port may already be in use or the connector may be misconfigured.

So this message comes up if any port is attempted.  I am using the same keyring that is being used for the Vantage WEBUI for this configuration.

The certificates are TopSecret Self Signed certificates for both the Vantage REST server and ESM Server.  I am using the same certificates for the WEB UI.

Cause

Incomplete or incorrect configuration of the various digital certificates is causing the reported problem. 

Environment

Release : 14.1

Component : Vantage Storage Resource Manager

Resolution

The following configurations allow successful API processing: 
---------------------------------------------------------------------------------

1) Use the ZOWE keyring and specify the ZOWE certificate, as well as the Vantage certificate and Vantage's signing certificate, all on the same keyring.
2) Use the ZOWE keyring and specify the ZOWE certificate, as well as the Vantage certificate, but not Vantage's signing certificate, all of these on the same keyring.
3) Use the ZOWE keyring and specify the ZOWE certificate, as well as the Vantage certificate (without "USAGE(PERSONAL)"), and specify Vantage's signing certificate, all of these on the same keyring.   
4) Use the ZOWE keyring and specify the ZOWE certificate, as well as the Vantage certificate (with "USAGE(PERSONAL)"), but do not specify Vantage's signing certificate, all of these on the same keyring.   

Note: When adding the Vantage site certificate to the ZOWE keyring it must be added as "USAGE(PERSONAL)".  The ZOWE keyring will not accept a site certificate.  For example: 
TSS ADD(STCxxxx) KEYRING(ZOWERING) RINGDATA(CERTSITE,VANTTEST) USAGE(PERSONAL)

5) Use the VANTAGE keyring and specify the Vantage certificate, as well as the ZOWE certificate and ZOWE's signing certificate, all on the same keyring.
6) Use the VANTAGE keyring with its certificates, and remove the ZOWE signing certificate, but specify the ZOWE certificate.

Note: These configurations require that the following option be set to true in the Vantage VNPAMLC parmlib member:
IJO="$IJO -Dapiml.ssl.verifySslCertificatesOfServices=true"

 

The following configurations will result in errors in API processing (during Vantage Web Client startup): 
---------------------------------------------------------------------------------------------------------------------------------------

1) Use the VANTAGE keyring and specify the Vantage certificate, but do not specify any ZOWE certificates.  The following type of error is generated: 

""2022-03-11 12:52:37 .main. ERROR c.n.d.s.t.d.RedirectingEurekaHttpClient - Request execution error. endpoint=DefaultEndpoint{ serviceUrl='https://xyz.company.net:7553/eureka}
"com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target

2) Use the ZOWE keyring and specify the ZOWE certificates, but do not specify any Vantage certificates.  The following type of error is generated: 

""2022-03-11 13:34:20 .main. ERROR c.n.d.s.t.d.RedirectingEurekaHttpClient - Request execution error. endpoint=DefaultEndpoint{ serviceUrl='https://xyz.company.net:7553/eureka}
"com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: EDC8128I Connection refused. (Connection refused)

3) Use the ZOWE keyring and specify the ZOWE certificates and the Vantage certificate, but without specifying "USAGE(PERSONAL)" for the Vantage certificate.  The following type of error is generated: 

***************************
APPLICATION FAILED TO START
***************************
Description:
The Tomcat connector configured to listen on port 8080 failed to start. The port may already be in use or the connector may be misconfigured.
Action:
Verify the connector's configuration, identify and stop any process that's listening on port 8080, or configure this application to listen on another port.

4) Use the ZOWE keyring and specify the ZOWE certificates, and only the Vantage signing certificate.  The following type of error is generated: 

"2022-03-11 14:39:37 .DiscoveryClient-CacheRefreshExecutor-0. ERROR c.n.d.s.t.d.RedirectingEurekaHttpClient - Request execution error. endpoint=DefaultEndpoint{ serviceUrl='https://xyz.company.net:7553/eureka}
"com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException: EDC8128I Connection refused. (Connection refused)
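
The failure output listed above can be matched against a saved startup log with a short script. This is an added example, not Broadcom code: it rejoins records that the job log split at 132 columns (the split can fall inside a signature, as in "fai/led" above) before matching, and the hints are only the configurations this article associates with each output. The names unwrap, triage and wrap, and the sample input, are constructed for illustration.

```python
import re

WIDTH = 132  # record length at which the log lines quoted above are split

# Output signature -> keyring configuration this article lists as producing it.
SIGNATURES = [
    ("truststore", re.compile(r"PKIX path building failed"),
     "VANTAGE keyring used without any ZOWE certificates"),
    ("refused", re.compile(r"EDC8128I Connection refused"),
     "ZOWE keyring without the Vantage certificate, or with only its signing certificate"),
    ("connector", re.compile(r"Tomcat connector configured to listen on port \d+ failed to start"),
     "Vantage certificate on the ZOWE keyring without USAGE(PERSONAL)"),
]

def unwrap(lines, width=WIDTH):
    """Rejoin records that were split at a fixed width, even mid-word."""
    out, buf = [], ""
    for raw in lines:
        line = raw.rstrip("\r\n")
        buf += line
        # A full-width line ending in a non-blank continues on the next line.
        if len(line) == width and not line[-1].isspace():
            continue
        out.append(buf.rstrip())
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out

def triage(lines, width=WIDTH):
    """Map each signature found in the unwrapped log to its hint."""
    found = {}
    for record in unwrap(lines, width):
        for key, pattern, hint in SIGNATURES:
            if pattern.search(record):
                found.setdefault(key, hint)
    return found

def wrap(record, width=WIDTH):
    """Helper for the constructed sample: split and pad like the job log."""
    return [record[i:i + width].ljust(width) for i in range(0, len(record), width)]

# Constructed sample: the first failure quoted above, re-split at 132 columns.
SAMPLE = wrap(
    "2022-03-11 12:52:37 .main. ERROR c.n.d.s.t.d.RedirectingEurekaHttpClient - Request "
    "execution error. endpoint=DefaultEndpoint{ serviceUrl='https://xyz.company.net:7553/eureka}"
) + wrap(
    "com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: "
    "com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: "
    "unable to find valid certification path to requested target"
)

if __name__ == "__main__":
    for key, hint in triage(SAMPLE).items():
        print(f"{key}: {hint}")
```

A "connector" match points at how the certificate is connected to the keyring, not at the port, which is why changing the port number does not clear the message.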

 

Additional Information

Background doc on API ML configuration: 

Integrate with the API Mediation Layer
https://techdocs.broadcom.com/us/en/ca-mainframe-software/performance-and-storage/ca-vantage-storage-resource-manager/14-1/configuring/configure-the-rest-api-server/integrate-with-the-api-mediation-layer.html
 
Import an API Service Certificate
https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-brightside/2-0/ca-brightside-api-mediation-layer-api-ml/using-api-ml/import-an-api-service-certificate.html