
zowe Certificate Setup


Article ID: 253614

Products

Top Secret

Issue/Introduction

How to set up certificates for the Zowe API Mediation Layer per the Zowe documentation, with the Top Secret (TSS) equivalent of each documented step:

Environment

    • Ensure that you have an external Certificate Authority and signed client certificates, or generate these certificates in SAF. The client certificate has to have correct Extended Key Usage metadata to allow being used for TLS client authentication. (OID: 1.3.6.1.5.5.7.3.2)

      Answer:
      Top Secret cannot generate a certificate with Extended Key Usage metadata. Use an external certificate utility that can generate a certificate with one, then import the certificate into Top Secret.

    • Import the client certificates to SAF, or add them to a user profile. (Examples: RACDCERT ADD or RACDCERT GENCERT). For more information, see your security system documentation.

      Answer:

      To add the client certificate generated externally by a 3rd party certificate utility:

      TSS ADD(CERTSITE) DIGICERT(digicertname) DCDSN(datasetname) PKCSPASS(password)

      If the CA certificate for your client doesn't come with the client certificate dataset and is in a different dataset, use the following command:

      TSS ADD(CERTAUTH) DIGICERT(digicertname) DCDSN(datasetname)

    • Import the external CA to the truststore or keyring of the API Mediation Layer.

      Answer:
      Create the keyring if it doesn't already exist. Skip this step if it does.
      TSS ADD(acid) KEYRING(8-char-keyringname) LABLRING(up-to-255-char-keyring_label_name)

    • Add the client and CA certificates to the keyring:
      TSS ADD(acid) KEYRING(8-char-keyringname) RINGDATA(CERTSITE,client_digicertname) USAGE(PERSONAL) DEFAULT

      TSS ADD(acid) KEYRING(8-char-keyringname) RINGDATA(CERTAUTH,ca_digicertname) USAGE(CERTAUTH) DEFAULT   <---- if there is more than one CA, repeat this command for each other CA in the chain.

Resolution

Per the Zowe product doc:

https://docs.zowe.org/v1.28.x/extend/extend-apiml/api-mediation-security/

Client and root certs need to be on the keyring.

The client cert didn't have a private key. They need to get a version of the certificate with a private key.
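Both failure modes described above (a client certificate whose Extended Key Usage lacks TLS client authentication, and a certificate file exported without its private key) can be caught on the workstation before the PKCS#12 file is transferred to the DCDSN dataset and imported with TSS ADD. The script below is an added example and is not part of this article or of Zowe; it assumes OpenSSL 1.1.1 or later is on the PATH, and the file names, the password and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Pre-flight checks for a Zowe client certificate before
# TSS ADD(CERTSITE) DIGICERT(...) DCDSN(...) PKCSPASS(...).
# Added example, not from the article; assumes OpenSSL 1.1.1+ on the workstation.
# File names and the password are caller-supplied placeholders.

# Returns 0 when the PEM certificate in $1 lists TLS client authentication
# (OID 1.3.6.1.5.5.7.3.2) in its Extended Key Usage extension.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Returns 0 when the PKCS#12 file in $1 (password in $2) carries a private key;
# the PERSONAL entry on the keyring cannot do TLS client auth without one.
pkcs12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Runs both checks against one PKCS#12 file, prints a verdict per check and
# returns the number of failed checks (0 = ready to transfer to the DCDSN dataset).
# Expects the client (leaf) certificate to be the first certificate in the file.
preflight() {
  p12=$1; pass=$2; failures=0
  certpem=$(mktemp)
  # Extract the certificates (no key) so the EKU check can read the leaf.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null > "$certpem"
  if has_client_auth_eku "$certpem"; then
    echo "OK   EKU includes TLS client authentication"
  else
    echo "FAIL EKU lacks clientAuth (1.3.6.1.5.5.7.3.2); reissue from the external CA"
    failures=$((failures + 1))
  fi
  if pkcs12_has_private_key "$p12" "$pass"; then
    echo "OK   PKCS#12 contains the private key"
  else
    echo "FAIL PKCS#12 has no private key; obtain the export that includes the key"
    failures=$((failures + 1))
  fi
  rm -f "$certpem"
  return $failures
}
```

Run it as `preflight client.p12 'the-pkcs12-password'`; the exit status is the number of failed checks, so it drops into a transfer script as a gate. The password must match what you will later give in PKCSPASS(...), and OpenSSL's `-nocerts -nodes` output is only inspected for the presence of a key, never written to disk.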