After switching from Entrust-signed certificates to internally signed certificates, the following errors appeared in the Zowe STC log:
ZWES1606W Failed to get JWK. rc=failed to init HTTP request (9), rsn=TLS error (17). Retry in 10 seconds
ZWES1606W Failed to get JWK. rc=failed to init HTTP request (9), rsn=TLS error (17). Retry in 10 seconds
ZWES1605W Server will not accept JWT
<ZWEADS1:https-jsse-nio-0.0.0.0-7553-exec-10:199382> ZWESVUSR ERROR (javax.net.ssl) Fatal (CERTIFICATE_UNKNOWN): Extended key usage does not permit use for TLS client authentication
Zowe 2.18
For debugging purposes, update zowe.yaml to turn on the SSL trace (sslDebug under the gateway component) and reproduce the issue:
components:
  # >>>>>>>>>>>>>>>>>
  gateway:
    enabled: true
    port: <port>
    sslDebug: all
With SSL debug turned on, the Zowe STC log shows more information about the SSL handshake, including the certificate details.
The certificate listing shows that the extended key usage is set to serverAuth only:
ObjectId: X.X.XX.XX Criticality=false
ExtendedKeyUsages
serverAuth
According to the Zowe documentation: Zowe server certificates must either not have the Extended Key Usage (EKU) attribute, or have both the TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) values present within. Zowe components present the same certificate as a TLS client when they call each other (here, while fetching the JWK), so a certificate restricted to serverAuth is rejected by the peer with exactly the CERTIFICATE_UNKNOWN error shown above, and the server then refuses JWTs.
Re-generate the certificate with a valid Extended Key Usage attribute (either no EKU, or both serverAuth and clientAuth) and restart the Zowe server.
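The rule above can be checked before the restart. The following is an added example, not part of this note and not Zowe's own code: it DER-decodes an Extended Key Usage extension value (the standard EKU extension, OID 2.5.29.37, whose value is a SEQUENCE OF OBJECT IDENTIFIER) and applies the Zowe rule, passing when the extension is absent or lists both 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2. The EKU byte strings it feeds itself are constructed inline, so it runs offline; on a real certificate you would pass it the extension value taken from a DER dump of the certificate.

```python
"""Check an X.509 Extended Key Usage (EKU) extension value against the Zowe rule:
the extension must be absent, or list both serverAuth and clientAuth.

Added example (not Zowe code); the EKU byte strings used below are constructed inline."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (TLS Web Server Authentication)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth (TLS Web Client Authentication)
KNOWN_NAMES = {SERVER_AUTH: "serverAuth", CLIENT_AUTH: "clientAuth"}


def encode_oid(dotted):
    """DER-encode a dotted OID into its content octets (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)  # continuation bit on all but the last byte
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(content):
    """Decode DER OID content octets back into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _tlv(data, pos):
    """Read one DER tag/length/value starting at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def encode_eku(oids):
    """Build an ExtKeyUsageSyntax value: SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    body = b"".join(b"\x06" + bytes([len(c)]) + c for c in map(encode_oid, oids))
    assert len(body) < 128, "example supports short-form length only"
    return b"\x30" + bytes([len(body)]) + body


def parse_eku(der):
    """Return the list of dotted OIDs inside a DER ExtKeyUsageSyntax value."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def zowe_eku_ok(eku_der):
    """Apply the Zowe rule. eku_der is None when the certificate has no EKU extension.

    Returns (ok, reason) so a caller can log why a certificate was rejected."""
    if eku_der is None:
        return True, "no EKU extension: certificate may be used for any purpose"
    present = parse_eku(eku_der)
    missing = [KNOWN_NAMES[o] for o in (SERVER_AUTH, CLIENT_AUTH) if o not in present]
    if missing:
        names = [KNOWN_NAMES.get(o, o) for o in present]
        return False, "EKU lists %s but lacks %s" % (", ".join(names), ", ".join(missing))
    return True, "EKU lists both serverAuth and clientAuth"


if __name__ == "__main__":
    # Constructed samples: the failing certificate from the log (serverAuth only),
    # a corrected one, and one with no EKU extension at all.
    for label, eku in [("serverAuth only", encode_eku([SERVER_AUTH])),
                       ("serverAuth + clientAuth", encode_eku([SERVER_AUTH, CLIENT_AUTH])),
                       ("no EKU extension", None)]:
        ok, why = zowe_eku_ok(eku)
        print("%-24s %s  (%s)" % (label, "OK" if ok else "REJECT", why))
```

The serverAuth-only sample reproduces the certificate from the SSL trace above and is rejected; the other two pass. The decoder returns a reason string rather than just a boolean so that the same check can be wired into a pre-deployment script and its output kept with the change record.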