SSL_ERROR_NO_CYPHER_OVERLAP when calling port 7554 #565

Closed
MichaelErichsen opened this issue Mar 19, 2020 · 15 comments
Labels
question Further information is requested

Comments

@MichaelErichsen

I have a brand new Zowe 1.9.0 installation on z/OS 2.3 on emulated z14 hardware on a ZD&T system. version 1.9.0+20200226
I imagine I have followed the installation instructions carefully.
It is a convenience build, not the SMP/E installation.
Node.js is version v12.15.0.
Browser is Firefox 74.0 64-bit
O/S is Windows 10 Pro, 1909, 18363.720

I log on to the desktop, and the editor, TN3270 and User tasks/Workflows all work fine.
CLI works only with --reject-unauthorized false
The other explorers and the catalog, as well as calls from Visual Studio Code, fail with this error:

Secure Connection Failed

An error occurred during a connection to zos02.xact.dk:7554. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

I am not sure what to look for, but here is an awful lot of log data:

Environment variables:
{
"_EDC_ADD_ERRNO2": "1",
"EXTERNAL_COMPONENTS": "",
"ZOWE_ZSS_XMEM_SERVER_NAME": "ZWESIS_STD",
"APIML_ENABLE_SSO": "false",
"ZOSMF_PORT": "10443",
"LAUNCH_COMPONENT_GROUPS": "GATEWAY,DESKTOP",
"ZOWE_PREFIX": "ZWE1",
"PATH": "/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin:/bin:.:/usr/lpp/java/J8.0_64/bin:/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin",
"KEYSTORE_KEY": "/global/zowe/keystore/localhost/localhost.keystore.key",
"INSTANCE_DIR": "/S0W1/etc/zowe",
"_TAG_REDIR_IN": "txt",
"ZWED_node_mediationLayer_enabled": "true",
"_BPXK_AUTOCVT": "ON",
"DEBUG": "*",
"ZWED_privilegedServerName": "ZWESIS_STD",
"ZOWE_ZLUX_SERVER_HTTPS_PORT": "8544",
"NODE_HOME": "/usr/lpp/nodejs/node-v12.15.0-os390-s390x",
"ZLUX_MIN_WORKERS": "2",
"ZOWE_APIM_VERIFY_CERTIFICATES": "false",
"ZOWE_ZLUX_SECURITY_TYPE": "tls",
"ZOWE_ZSS_SERVER_PORT": "8542",
"ZOWE_EXPLORER_HOST": "zos02.xact.dk",
"MVS_EXPLORER_UI_PORT": "8548",
"ROOT_DIR": "/var/zowe/zowe-1.9.0",
"CEE_RUNOPTS": "XPLINK(ON),HEAPPOOLS(ON) POS(ON) FILET(AUTOCVT,AUTOTAG)",
"ZWED_node_https_keys": "/global/zowe/keystore/localhost/localhost.keystore.key,",
"KEY_ALIAS": "localhost",
"KEYSTORE_CERTIFICATE_AUTHORITY": "/global/zowe/keystore/local_ca/localca.cer-ebcdic",
"ZOWE_ZLUX_SSH_PORT": "22",
"ZWED_node_mediationLayer_server_hostname": "zos02.xact.dk",
"
": "/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin/node",
"CATALOG_PORT": "7552",
"JOBS_API_PORT": "8545",
"ZOWE_IP_ADDRESS": "192.168.10.182",
"LOGNAME": "ZWESVUSR",
"_BPX_JOBNAME": "ZWE1DS1",
"ZWED_agent_http_port": "8542",
"_TAG_REDIR_OUT": "txt",
"ZWED_node_https_port": "8544",
"ZLUX_LOG_PATH": "/S0W1/etc/zowe/logs/appServer-2020-03-19-13-45.log",
"ZWED_node_mediationLayer_server_port": "7553",
"ZWED_node_https_certificates": "/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic,",
"NODE_PATH": "../..:../../zlux-server-framework/node_modules:../..:../../zlux-server-framework/node_modules:",
"GATEWAY_PORT": "7554",
"ZWEAD_EXTERNAL_STATIC_DEF_DIRECTORIES": "",
"HOME": "/tmp",
"KEYSTORE": "/global/zowe/keystore/localhost/localhost.keystore.p12",
"USS_EXPLORER_UI_PORT": "8550",
"JES_EXPLORER_UI_PORT": "8546",
"ZOWE_INSTANCE": "1",
"ZOWE_ZLUX_TELNET_PORT": "23",
"DISCOVERY_PORT": "7553",
"KEYSTORE_PASSWORD": "password",
"ZWED_dataserviceAuthentication_implementationDefaults_apiml_plugins": ",",
"ZOSMF_HOST": "zos02.xact.dk",
"JAVA_HOME": "/usr/lpp/java/J8.0_64",
"KEYSTORE_CERTIFICATE": "/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic",
"FILES_API_PORT": "8547",
"KEYSTORE_DIRECTORY": "/global/zowe/keystore",
"_TAG_REDIR_ERR": "txt",
"ZWED_node_https_certificateAuthorities": "/global/zowe/keystore/local_ca/localca.cer-ebcdic,",
"TRUSTSTORE": "/global/zowe/keystore/localhost/localhost.truststore.p12",
"__UNTAGGED_READ_MODE": "V6",
"LIBPATH": ":/Z23B/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin/obj.target/:/Z23B/usr/lpp/nodejs/node-v12.15.0-os390-s390x/lib/:/Z23B/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin"
}

Processing CLI arguments:
--config=/S0W1/etc/zowe/workspace/app-server/serverConfig/server.json

Processed environment variables:
{
"node": {
"mediationLayer": {
"enabled": true,
"server": {
"hostname": "zos02.xact.dk",
"port": 7553
}
},
"https": {
"keys": [
"/global/zowe/keystore/localhost/localhost.keystore.key"
],
"port": 8544,
"certificates": [
"/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic"
],
"certificateAuthorities": [
"/global/zowe/keystore/local_ca/localca.cer-ebcdic"
]
}
},
"privilegedServerName": "ZWESIS_STD",
"agent": {
"http": {
"port": 8542
}
},
"dataserviceAuthentication": {
"implementationDefaults": {
"apiml": {
"plugins": []
}
}
}
}

Initializing with configuration:
{
"productDir": "/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/defaults",
"siteDir": "/S0W1/etc/zowe/workspace/app-server/site",
"instanceDir": "/S0W1/etc/zowe/workspace/app-server",
"groupsDir": "/S0W1/etc/zowe/workspace/app-server/groups",
"usersDir": "/S0W1/etc/zowe/workspace/app-server/users",
"pluginsDir": "/S0W1/etc/zowe/workspace/app-server/plugins",
"node": {
"rootRedirectURL": "/ZLUX/plugins/org.zowe.zlux.bootstrap/web/",
"allowInvalidTLSProxy": false,
"noChild": false,
"noPrompt": false,
"https": {
"ipAddresses": [
"0.0.0.0"
],
"port": 8544,
"keys": [
"/global/zowe/keystore/localhost/localhost.keystore.key"
],
"certificates": [
"/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic"
],
"certificateAuthorities": [
"/global/zowe/keystore/local_ca/localca.cer-ebcdic"
]
},
"mediationLayer": {
"server": {
"hostname": "zos02.xact.dk",
"port": 7553,
"isHttps": false
},
"enabled": true
},
"childProcesses": [
{
"path": "../bin/zssServer.sh",
"once": true
}
]
},
"dataserviceAuthentication": {
"rbac": false,
"defaultAuthentication": "zss",
"implementationDefaults": {
"fallback": {
"plugins": [
"org.zowe.zlux.auth.trivial"
]
},
"zosmf": {},
"zss": {
"plugins": [
"org.zowe.zlux.auth.zss"
]
},
"apiml": {
"plugins": []
}
}
},
"agent": {
"host": "localhost",
"http": {
"ipAddresses": [
"127.0.0.1"
]
"port": 8542
}
},
"privilegedServerName": "ZWESIS_STD"
}
ZWED0156W - 1 function initLoggerMessages - ERROR - Error: Cannot find module './assets/i18n/log/messages_undefined.json'
Require stack:

  • /S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/util.js
  • /S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js
  • /S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/lib/zluxCluster.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:793:17)
    at Function.Module._load (internal/modules/cjs/loader.js:686:27)
    at Module.require (internal/modules/cjs/loader.js:848:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at Object.initLoggerMessages (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/util.js:48:19)
    at new Server (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/index.js:34:8)
    at ClusterManager.createProxyServerWorker (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js:428:25)
    at ClusterManager.start (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js:540:10)
    at Object. (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/lib/zluxCluster.js:16:16)
    at Module._compile (internal/modules/cjs/loader.js:955:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:991:10)
    at Module.load (internal/modules/cjs/loader.js:811:32)
    at Function.Module._load (internal/modules/cjs/loader.js:723:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1043:10)
    at internal/main/run_main_module.js:17:11 {
    code: 'MODULE_NOT_FOUND',
    requireStack: [
    '/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/util.js',
    '/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js',
    '/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/lib/zluxCluster.js'
Problem making eureka request Error: connect ECONNREFUSED 192.168.10.182:7553
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
    errno: 'ECONNREFUSED',
    code: 'ECONNREFUSED',
    syscall: 'connect',
    address: '192.168.10.182',
    port: 7553
    }
Error registering with eureka client. Error: connect ECONNREFUSED 192.168.10.182:7553
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
    errno: 'ECONNREFUSED',
    code: 'ECONNREFUSED',
    syscall: 'connect',
    address: '192.168.10.182',
    port: 7553
    }
Error starting the Eureka Client Error: connect ECONNREFUSED 192.168.10.182:7553
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
    errno: 'ECONNREFUSED',
    code: 'ECONNREFUSED',
    syscall: 'connect',
    address: '192.168.10.182',
    port: 7553
    }
2020-03-19 13:48:48.426 ZWED:16843593 ZWESVUSR WARN (_zsf.apiml,apiml.js:195) ZWED0005W Error: connect ECONNREFUSED 192.168.10.182:7553
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
    errno: 'ECONNREFUSED',
    code: 'ECONNREFUSED',
    syscall: 'connect',
    address: '192.168.10.182',
    port: 7553
    }
ZWED0151W - unhandledRejection Error: connect ECONNREFUSED 192.168.10.182:7553
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
    errno: 'ECONNREFUSED',
    code: 'ECONNREFUSED',
    syscall: 'connect',
    address: '192.168.10.182',
    port: 7553
    }
2020-03-19 13:48:48.485 ZWED:16843593 ZWESVUSR WARN (_zsf.bootstrap,process.js:39) ZWED0151W - unhandledRejection Error: connect ECONNREFUSED 192.168.10.182:7553
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
    errno: 'ECONNREFUSED',
    code: 'ECONNREFUSED',
    syscall: 'connect',
    address: '192.168.10.182',
    port: 7553
    }
@MichaelErichsen MichaelErichsen added the bug Verified defect in functionality label Mar 19, 2020
@jandadav
Contributor

Hi @MichaelErichsen Can you open the API Gateway port ("GATEWAY_PORT": "7554") and see the Gateway homepage? Can you navigate from the Gateway homepage to the API Catalog and perform sign in?

The API Gateway homepage looks like this: (screenshot not reproduced)

The error you are experiencing is most likely related to the IBM Java on your ZD&T not supporting the TLS encryption algorithms that Zowe has configured. You can reference the documentation: https://docs.zowe.org/stable/extend/extend-apiml/api-mediation-security.html#setting-ciphers-for-api-ml-services

@jandadav jandadav added question Further information is requested and removed bug Verified defect in functionality labels Mar 20, 2020
@jandadav
Contributor

You can try to run APIML in debug mode (https://docs.zowe.org/stable/troubleshoot/troubleshoot-apiml.html#enable-api-ml-debug-mode) and perform the steps I mentioned. That should give you plenty of debug information in the log to be able to see the exact cause of the issue.

@jandadav jandadav assigned jalel01 and unassigned petr-galik and jalel01 Mar 20, 2020
@MichaelErichsen
Author

https://zos02.xact.dk:7554/ returns
Secure Connection Failed
An error occurred during a connection to zos02.xact.dk:7554. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem

@MichaelErichsen
Author

curl -k -u ibmuser https://zos02.xact.dk:7554 returns an HTML page with

API Mediation Layer
The API Catalog is running
The Discovery Service is running
The Authentication service is running
Version 1.3.2 build # 113

@MichaelErichsen
Author

In the log I have
Will not accept JWTs: JWT keystore configuration missing
But from the code it seems that
If jwtKeystore is present in the config, this will initialize the server to use the specified keystore and public key, with or without fallback to session tokens, as specified. Otherwise we would just use session tokens.

@MichaelErichsen
Author

From the log:

(node:33620868) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
Problem making eureka request Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}

2020-03-20 08:57:42.646 ZWEADS1:https-jsse-nio-0.0.0.0-7553-exec-3:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Enabled protocols: [TLSv1.2]

2020-03-20 08:57:51.191 ZWEADS1:TaskBatchingWorker-target_zos02.xact.dk-12:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]

2020-03-20 08:57:51.284 ZWEADS1:TaskBatchingWorker-target_zos02.xact.dk-12:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Secure session established
2020-03-20 08:57:51.285 ZWEADS1:TaskBatchingWorker-target_zos02.xact.dk-12:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) negotiated protocol: TLSv1.2
2020-03-20 08:57:51.287 ZWEADS1:TaskBatchingWorker-target_zos02.xact.dk-12:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) negotiated cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256

@MichaelErichsen
Author

It seems that both Mozilla and z/OS accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
And that

In the following list, the string "SSL" is interchangeable with "TLS" and vice versa. For example, where SSL_RSA_WITH_AES_128_CBC_SHA is specified, TLS_RSA_WITH_AES_128_CBC_SHA also applies

In the log I have
+- Protocol Selections
| +- Enabled (size=3)
| | +- TLSv1
| | +- TLSv1.1
| | +- TLSv1.2
| +- Disabled (size=0)
+- Cipher Suite Selections
+- Enabled (size=15)
| +- SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
| +- SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
| +- SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
| +- SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
| +- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| +- SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| +- SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| +- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| +- SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| +- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
| +- SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
| +- SSL_RSA_WITH_AES_128_CBC_SHA256
| +- SSL_RSA_WITH_AES_256_CBC_SHA256
| +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+- Disabled (size=41)
+- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
+- SSL_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
+- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_FIPS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

@MichaelErichsen
Author

The z/OS documentation seems to point to the cipher suite, only with the comment:
1 Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later.

@MichaelErichsen
Author

Could this be my problem?
zowe/zlux#144

@MichaelErichsen
Author

In /usr/lpp/java/J8.0_64/lib/security/java.security I have

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

@jandadav
Contributor

jandadav commented Mar 20, 2020

From what you stated, it seems that your ZLUX is working, as you can log in:

I log on to the desktop, and the editor, TN3270 and User tasks/Workflows all work fine.

Your gateway is having a cipher mismatch when accessed from the browser, yet curl does not have the problem.
The Desktop is having problems negotiating with the gateway as well:

2020-03-19 13:48:48.426 ZWED:16843593 ZWESVUSR WARN (_zsf.apiml,apiml.js:195) ZWED0005W Error: connect ECONNREFUSED 192.168.10.182:7553

It seems to me that your Java on ZD&T is not able to get the ciphers right for some reason. We have seen this happen before. Please note that curl, Java and Node can all have different cipher sets available to them. We explicitly set ciphers for APIML services, and you can override them (documented here: https://docs.zowe.org/stable/extend/extend-apiml/api-mediation-security.html#setting-ciphers-for-api-ml-services).

I suggest that you

  1. Find which ciphers your Java supports
  2. Find mutual ciphers that work in your environment for Node, Java and the browser
  3. Adjust the cipher setting on APIML

Tips:
APIML supports the TLSv1.2 protocol only.
You might need a tool to debug TLS, like https://testssl.sh/

@MichaelErichsen
Author

MichaelErichsen commented Mar 20, 2020

I ran this program on z:

import java.util.Map;
import java.util.TreeMap;

import javax.net.ssl.SSLServerSocketFactory;

/**
 * Lists every cipher suite the JVM's default SSLServerSocketFactory reports
 * as supported, marking with '*' the ones it enables by default.
 */
public class Ciphers {
	public static void main(String[] args) throws Exception {
		SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

		String[] defaultCiphers = ssf.getDefaultCipherSuites();
		String[] availableCiphers = ssf.getSupportedCipherSuites();

		// TreeMap keeps the output sorted by suite name
		TreeMap<String, Boolean> ciphers = new TreeMap<>();

		for (String cipher : availableCiphers)
			ciphers.put(cipher, Boolean.FALSE);

		// a suite in both lists is enabled by default
		for (String cipher : defaultCiphers)
			ciphers.put(cipher, Boolean.TRUE);

		System.out.println("Default\tCipher");
		for (Map.Entry<String, Boolean> cipher : ciphers.entrySet()) {
			System.out.print(cipher.getValue() ? '*' : ' ');
			System.out.print('\t');
			System.out.println(cipher.getKey());
		}
	}
}

Returning

Default Cipher

        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_DSS_WITH_AES_128_CBC_SHA
*       SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
*       SSL_DHE_DSS_WITH_AES_256_CBC_SHA
*       SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_RSA_WITH_AES_128_CBC_SHA
*       SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
*       SSL_DHE_RSA_WITH_AES_256_CBC_SHA
*       SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_WITH_AES_128_CBC_SHA
        SSL_DH_anon_WITH_AES_128_CBC_SHA256
        SSL_DH_anon_WITH_AES_256_CBC_SHA
        SSL_DH_anon_WITH_AES_256_CBC_SHA256
        SSL_DH_anon_WITH_DES_CBC_SHA
*       SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*       SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*       SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*       SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        SSL_ECDHE_ECDSA_WITH_NULL_SHA
*       SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
*       SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*       SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
*       SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        SSL_ECDHE_RSA_WITH_NULL_SHA
*       SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*       SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*       SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*       SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        SSL_ECDH_ECDSA_WITH_NULL_SHA
*       SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
*       SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
*       SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
*       SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
        SSL_ECDH_RSA_WITH_NULL_SHA
        SSL_ECDH_anon_WITH_AES_128_CBC_SHA
        SSL_ECDH_anon_WITH_AES_256_CBC_SHA
        SSL_ECDH_anon_WITH_NULL_SHA
        SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        SSL_KRB5_WITH_DES_CBC_MD5
        SSL_KRB5_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_FIPS_WITH_DES_CBC_SHA

@MichaelErichsen
Author

Off for the weekend now. Continuing on Monday.

@jandadav
Contributor

jandadav commented Mar 20, 2020

I ran an analysis on your data.
You can leverage the sheet for your convenience:
zdt tls compatibility matrix michaelErichsen.xlsx

I am not sure what it means if cipher is valid or supported from your analysis. I included all the ciphers you mentioned.
I'd recommend doing the analysis with a TLS debugger, because that is the real negotiation example which tells you what is really happening.

@MichaelErichsen
Author

MichaelErichsen commented Mar 21, 2020

This was a useful method.

I did a similar comparison between the java program output, the list in the ZWESVSTC log, and the result from pointing the browser at https://www.howsmyssl.com/
It showed indeed that there was no cipher suite overlap.

I then followed the advice from the other issue mentioned and changed
/usr/lpp/java/J8.0_64/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, DESede,
EC keySize < 224
instead of
EC keySize < 224, GCM

Now understanding that it was
jdk.tls.disabledAlgorithms
and not
jdk.certpath.disabledAlgorithms
I should look at.

Now the GCM is not disabled in the Zowe log, and everything works: Web Interface, CLI and Visual Studio Code.

Thank you very much.
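The three-way comparison jandadav suggested (what the JVM supports, what APIML's exclusion pattern removes, what the browser offers) and the java.security change that closed the thread can be modelled in a few lines. The following is an added example in Python, not Zowe's code and not anything the participants posted. The dump excerpt, the JVM suite list and the Firefox offer are constructed sample data: the two GCM suite names and the Firefox list are assumptions drawn from typical 2020 values rather than from the thread's logs, and the jdk.tls.disabledAlgorithms matcher is a simplified model of JSSE's keyword matching, not the JDK's implementation.

```python
import re

PREFIX = re.compile(r"^(SSL|TLS)_")
# Exclusion pattern quoted in the thread's ConfigExcluded entries.
SERVER_EXCLUDE = re.compile(r"^.*_(MD5|SHA|SHA1)$")
# JSSE decomposes a suite into its algorithms before matching, so a "SHA1"
# entry also covers the *_SHA suites; this alias reproduces that one case.
ALIASES = {"SHA1": ("SHA1", "SHA")}


def normalize(suite):
    """IBM JSSE names suites SSL_..., browsers TLS_...; the JDK documents the
    two prefixes as interchangeable, so compare names without them."""
    return PREFIX.sub("", suite)


def jdk_disabled(suite, disabled_algorithms):
    """Simplified jdk.tls.disabledAlgorithms: a suite is disabled when a listed
    keyword (GCM, RC4, 3DES_EDE_CBC, ...) is a '_'-delimited component of its
    name. Key-size constraints ('DH keySize < 1024'), protocol names (SSLv3)
    and signature algorithms (MD5withRSA) act elsewhere and are not matched."""
    haystack = "_" + normalize(suite) + "_"
    for entry in disabled_algorithms.split(","):
        entry = entry.strip()
        if not entry or "keySize" in entry:
            continue
        keyword = entry.split(" ")[0]
        if any("_" + kw + "_" in haystack for kw in ALIASES.get(keyword, (keyword,))):
            return True
    return False


def parse_jetty_dump(dump):
    """Suites under 'Cipher Suite Selections / Enabled' in a dump shaped like
    the thread's '+-' tree. Signalling values such as
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV are not ciphers and are skipped."""
    enabled, in_ciphers, in_enabled = [], False, False
    for line in dump.splitlines():
        text = line.strip(" |+-")
        if text.startswith("Cipher Suite Selections"):
            in_ciphers = True
        elif text.startswith("Enabled"):
            in_enabled = in_ciphers
        elif text.startswith("Disabled"):
            in_enabled = False
        elif in_enabled and PREFIX.match(text) and not text.endswith("_SCSV"):
            enabled.append(text)
    return enabled


def server_enabled(jvm_supported, disabled_algorithms, exclude=SERVER_EXCLUDE):
    """What the server can negotiate: JVM list minus java.security disabled
    algorithms minus the server's own exclusion pattern."""
    return [s for s in jvm_supported
            if not jdk_disabled(s, disabled_algorithms) and not exclude.match(s)]


def overlap(client_offered, server_suites):
    """Suites both sides accept, in the client's preference order."""
    server = {normalize(s) for s in server_suites}
    return [c for c in client_offered if normalize(c) in server]


# Constructed sample data (not taken from the thread's logs).
DUMP_EXCERPT = """\
+- Protocol Selections
| +- Enabled (size=1)
| | +- TLSv1.2
+- Cipher Suite Selections
  +- Enabled (size=3)
  | +- SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  | +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  +- Disabled (size=1)
    +- SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
"""
# Suites an IBM JSSE might support: names from the thread plus two GCM suites
# (assumption) that appear once GCM is dropped from jdk.tls.disabledAlgorithms.
JVM_SUPPORTED = [
    "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA256",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Abridged, representative TLS 1.2 offer of a 2020 Firefox, the kind of list
# howsmyssl.com shows (assumption). Note: it contains no *_CBC_SHA256 suite.
FIREFOX_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# The java.security line from the thread, before and after the fix.
DISABLED_BEFORE = ("SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, "
                   "DESede, EC keySize < 224, GCM")
DISABLED_AFTER = ("SSLv3, RC4, MD5withRSA, DH keySize < 1024, 3DES_EDE_CBC, "
                  "DESede, EC keySize < 224")


def diagnose(disabled_algorithms, jvm=JVM_SUPPORTED, client=FIREFOX_OFFER):
    """(server-side list, negotiable list) for one java.security setting."""
    server = server_enabled(jvm, disabled_algorithms)
    return server, overlap(client, server)


if __name__ == "__main__":
    for label, setting in (("GCM disabled", DISABLED_BEFORE), ("GCM allowed", DISABLED_AFTER)):
        server, common = diagnose(setting)
        print(f"{label}: server offers {server}; overlap with browser: {common or 'NONE'}")
```

Run as-is it reproduces the thread's two states: with GCM in jdk.tls.disabledAlgorithms the server is left with only CBC_SHA256 suites (the exclusion pattern has already removed every *_SHA suite), and Firefox offers none of those, so the overlap is empty; with GCM allowed, the ECDHE GCM suites overlap and the handshake succeeds. curl worked all along only because its TLS library offers CBC_SHA256 suites, which is the "different cipher sets" point above. Note also that `curl -k`, `--reject-unauthorized false` and ZOWE_APIM_VERIFY_CERTIFICATES=false only switch off certificate verification; they do not change cipher negotiation, and they should be reverted once the local CA is trusted by the clients.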
