SSL_ERROR_NO_CYPHER_OVERLAP when calling port 7554 #565
Hi @MichaelErichsen
Can you open API Gateway port ("GATEWAY_PORT": "7554",
API Gateway homepage looks like this
The error you are experiencing is most likely related to IBM Java on your ZD&T not supporting the TLS encryption algorithms that Zowe has configured. You can reference the documentation: https://docs.zowe.org/stable/extend/extend-apiml/api-mediation-security.html#setting-ciphers-for-api-ml-services
You can try to run apiml in debug mode https://docs.zowe.org/stable/troubleshoot/troubleshoot-apiml.html#enable-api-ml-debug-mode and perform the steps I mentioned. That should give you plenty of debug information in the log to be able to see the exact cause of the issue.
https://zos02.xact.dk:7554/ returns
Curl -k -u ibmuser https://zos02.xact.dk:7554 returns an HTML page with
In the log I have
From the log:
(node:33620868) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
2020-03-20 08:57:42.646 ZWEADS1:https-jsse-nio-0.0.0.0-7553-exec-3:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Enabled protocols: ÝTLSv1.2¨
2020-03-20 08:57:51.191 ZWEADS1:TaskBatchingWorker-target_zos02.xact.dk-12:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Enabled protocols: ÝTLSv1, TLSv1.1, TLSv1.2¨
2020-03-20 08:57:51.284 ZWEADS1:TaskBatchingWorker-target_zos02.xact.dk-12:66431 ZWESVUSR DEBUG (o.a.h.c.s.SSLConnectionSocketFactory) Secure session established
It seems that both Mozilla and z/OS accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
In the log I have
The z/OS documentation seems to point to the cipher suite, only with the comment:
Could this be my problem?
In /usr/lpp/java/J8.0_64/lib/security/java.security I have
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,
From what you stated, it seems that your ZLUX is working, as you can log in
your gateway is having cipher mismatch when accessed from browser, yet curl does not have the problem.
It seems to me that your java on ZD&T is not able to get the ciphers right for some reason. We have seen this happen before. Please note that curl, java and Node can all have different cipher sets available to them. We explicitly set ciphers for apiml services, and you can override them. (documented here https://docs.zowe.org/stable/extend/extend-apiml/api-mediation-security.html#setting-ciphers-for-api-ml-services) I suggest that you
tips
I ran this program on z:
Returning Default Cipher
Off for weekend now. Continuing on Monday
I ran an analysis on your data. I am not sure what it means if cipher is valid or supported from your analysis. I included all the ciphers you mentioned.
This was a useful method. I did a similar comparison between the java program output, the list in the ZWESVSTC log, and the result from pointing the browser at https://www.howsmyssl.com/. I then followed the advice from the other issue mentioned and changed
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, **3DES_EDE_CBC, DESede,
Now understanding that it was
Now the GCM is not disabled in the Zowe log, and everything works: Web Interface, CLI and Visual Studio Code. Thank you very much.
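The comparison described in this thread, as an added example that is not part of the original issue or of Zowe's code: a small Java program, run with the same JVM as the API Gateway, that reports which of the cipher suites a client accepts appear in that JVM's default-enabled list. The class name `CipherOverlap` and the SSL_/TLS_ prefix normalization are assumptions of this example; pass the client's suite names as arguments.

```java
import java.security.Security;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added diagnostic (not Zowe code): compare a client's cipher suites with this JVM's lists.
public class CipherOverlap {

    // Assumption of this example: JSSE providers may report the same suite with an
    // SSL_ or a TLS_ prefix, so names are compared on the part after the prefix.
    static String normalize(String suite) {
        return suite.trim().replaceFirst("^(SSL|TLS)_", "");
    }

    static Set<String> normalized(String[] suites) {
        Set<String> out = new LinkedHashSet<>();
        for (String s : suites) out.add(normalize(s));
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Suites the client accepts; the default is the one suite named in this thread.
        String[] wanted = args.length > 0 ? args
                : new String[] {"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"};

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = normalized(ctx.getSupportedSSLParameters().getCipherSuites());
        Set<String> enabled = normalized(ctx.getDefaultSSLParameters().getCipherSuites());

        // This property is also enforced during the handshake, so print it and
        // check its entries against any suite reported as listed below.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        int usable = 0;
        for (String suite : wanted) {
            String key = normalize(suite);
            String state;
            if (enabled.contains(key)) { state = "in default-enabled list"; usable++; }
            else if (supported.contains(key)) state = "supported, not enabled by default";
            else state = "not offered by this JVM (unsupported or disabled)";
            System.out.printf("%-50s %s%n", suite, state);
        }
        if (usable == 0) {
            System.out.println("No overlap: a client limited to these suites cannot negotiate.");
        }
    }
}
```

Compile and run it with the JVM under `JAVA_HOME` from the environment dump, so the result reflects the `java.security` file that the gateway itself reads.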
I have a brand new Zowe 1.9.0 installation on z/OS 2.3 on emulated z14 hardware on a ZD&T system. version 1.9.0+20200226
I imagine to have followed the installation instructions carefully.
It is a convenience build, not the SMP/E installation.
Node.js is version v12.15.0.
Browser is Firefox 74.0 64-bit
O/S is Windows 10 Pro, 1909, 18363.720
I log on to the desktop, and the editor, TN3270 and User tasks/Workflows all work fine.
CLI works only with --reject-unauthorized false
The other explorers and the catalog as well as calls from Visual Studio Code fail with this error:
Secure Connection Failed
An error occurred during a connection to zos02.xact.dk:7554. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I am not sure what to look for, but here is an awful lot of log data:
Environment variables:
{
"_EDC_ADD_ERRNO2": "1",
"EXTERNAL_COMPONENTS": "",
"ZOWE_ZSS_XMEM_SERVER_NAME": "ZWESIS_STD",
"APIML_ENABLE_SSO": "false",
"ZOSMF_PORT": "10443",
"LAUNCH_COMPONENT_GROUPS": "GATEWAY,DESKTOP",
"ZOWE_PREFIX": "ZWE1",
"PATH": "/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin:/bin:.:/usr/lpp/java/J8.0_64/bin:/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin",
"KEYSTORE_KEY": "/global/zowe/keystore/localhost/localhost.keystore.key",
"INSTANCE_DIR": "/S0W1/etc/zowe",
"_TAG_REDIR_IN": "txt",
"ZWED_node_mediationLayer_enabled": "true",
"_BPXK_AUTOCVT": "ON",
"DEBUG": "*",
"ZWED_privilegedServerName": "ZWESIS_STD",
"ZOWE_ZLUX_SERVER_HTTPS_PORT": "8544",
"NODE_HOME": "/usr/lpp/nodejs/node-v12.15.0-os390-s390x",
"ZLUX_MIN_WORKERS": "2",
"ZOWE_APIM_VERIFY_CERTIFICATES": "false",
"ZOWE_ZLUX_SECURITY_TYPE": "tls",
"ZOWE_ZSS_SERVER_PORT": "8542",
"ZOWE_EXPLORER_HOST": "zos02.xact.dk",
"MVS_EXPLORER_UI_PORT": "8548",
"ROOT_DIR": "/var/zowe/zowe-1.9.0",
"CEE_RUNOPTS": "XPLINK(ON),HEAPPOOLS(ON) POS(ON) FILET(AUTOCVT,AUTOTAG)",
"ZWED_node_https_keys": "/global/zowe/keystore/localhost/localhost.keystore.key,",
"KEY_ALIAS": "localhost",
"KEYSTORE_CERTIFICATE_AUTHORITY": "/global/zowe/keystore/local_ca/localca.cer-ebcdic",
"ZOWE_ZLUX_SSH_PORT": "22",
"ZWED_node_mediationLayer_server_hostname": "zos02.xact.dk",
"": "/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin/node",
"CATALOG_PORT": "7552",
"JOBS_API_PORT": "8545",
"ZOWE_IP_ADDRESS": "192.168.10.182",
"LOGNAME": "ZWESVUSR",
"_BPX_JOBNAME": "ZWE1DS1",
"ZWED_agent_http_port": "8542",
"_TAG_REDIR_OUT": "txt",
"ZWED_node_https_port": "8544",
"ZLUX_LOG_PATH": "/S0W1/etc/zowe/logs/appServer-2020-03-19-13-45.log",
"ZWED_node_mediationLayer_server_port": "7553",
"ZWED_node_https_certificates": "/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic,",
"NODE_PATH": "../..:../../zlux-server-framework/node_modules:../..:../../zlux-server-framework/node_modules:",
"GATEWAY_PORT": "7554",
"ZWEAD_EXTERNAL_STATIC_DEF_DIRECTORIES": "",
"HOME": "/tmp",
"KEYSTORE": "/global/zowe/keystore/localhost/localhost.keystore.p12",
"USS_EXPLORER_UI_PORT": "8550",
"JES_EXPLORER_UI_PORT": "8546",
"ZOWE_INSTANCE": "1",
"ZOWE_ZLUX_TELNET_PORT": "23",
"DISCOVERY_PORT": "7553",
"KEYSTORE_PASSWORD": "password",
"ZWED_dataserviceAuthentication_implementationDefaults_apiml_plugins": ",",
"ZOSMF_HOST": "zos02.xact.dk",
"JAVA_HOME": "/usr/lpp/java/J8.0_64",
"KEYSTORE_CERTIFICATE": "/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic",
"FILES_API_PORT": "8547",
"KEYSTORE_DIRECTORY": "/global/zowe/keystore",
"_TAG_REDIR_ERR": "txt",
"ZWED_node_https_certificateAuthorities": "/global/zowe/keystore/local_ca/localca.cer-ebcdic,",
"TRUSTSTORE": "/global/zowe/keystore/localhost/localhost.truststore.p12",
"__UNTAGGED_READ_MODE": "V6",
"LIBPATH": ":/Z23B/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin/obj.target/:/Z23B/usr/lpp/nodejs/node-v12.15.0-os390-s390x/lib/:/Z23B/usr/lpp/nodejs/node-v12.15.0-os390-s390x/bin"
}
Processing CLI arguments:
--config=/S0W1/etc/zowe/workspace/app-server/serverConfig/server.json
Processed environment variables:
{
"node": {
"mediationLayer": {
"enabled": true,
"server": {
"hostname": "zos02.xact.dk",
"port": 7553
}
},
"https": {
"keys": Ý
"/global/zowe/keystore/localhost/localhost.keystore.key"
¨,
"port": 8544,
"certificates": Ý
"/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic"
¨,
"certificateAuthorities": Ý
"/global/zowe/keystore/local_ca/localca.cer-ebcdic"
¨
}
},
"privilegedServerName": "ZWESIS_STD",
"agent": {
"http": {
"port": 8542
}
},
"dataserviceAuthentication": {
"implementationDefaults": {
"apiml": {
"plugins": ݨ
}
}
}
}
Initializing with configuration:
{
"productDir": "/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/defaults",
"siteDir": "/S0W1/etc/zowe/workspace/app-server/site",
"instanceDir": "/S0W1/etc/zowe/workspace/app-server",
"groupsDir": "/S0W1/etc/zowe/workspace/app-server/groups",
"usersDir": "/S0W1/etc/zowe/workspace/app-server/users",
"pluginsDir": "/S0W1/etc/zowe/workspace/app-server/plugins",
"node": {
"rootRedirectURL": "/ZLUX/plugins/org.zowe.zlux.bootstrap/web/",
"allowInvalidTLSProxy": false,
"noChild": false,
"noPrompt": false,
"https": {
"ipAddresses": Ý
"0.0.0.0"
¨,
"port": 8544,
"keys": Ý
"/global/zowe/keystore/localhost/localhost.keystore.key"
¨,
"certificates": Ý
"/global/zowe/keystore/localhost/localhost.keystore.cer-ebcdic"
¨,
"certificateAuthorities": Ý
"/global/zowe/keystore/local_ca/localca.cer-ebcdic"
¨
},
"mediationLayer": {
"server": {
"hostname": "zos02.xact.dk",
"port": 7553,
"isHttps": false
},
"enabled": true
},
"childProcesses": Ý
{
"path": "../bin/zssServer.sh",
"once": true
}
¨
},
"dataserviceAuthentication": {
"rbac": false,
"defaultAuthentication": "zss",
"implementationDefaults": {
"fallback": {
"plugins": Ý
"org.zowe.zlux.auth.trivial"
¨
},
"zosmf": {},
"zss": {
"plugins": Ý
"org.zowe.zlux.auth.zss"
¨
},
"apiml": {
"plugins": ݨ
}
}
},
"agent": {
"host": "localhost",
"http": {
"ipAddresses": Ý
"127.0.0.1"
¨,
"port": 8542
}
},
"privilegedServerName": "ZWESIS_STD"
}
ZWED0156W - 1 function initLoggerMessages - ERROR - Error: Cannot find module './assets/i18n/log/messages_undefined.json'
Require stack:
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:793:17)
at Function.Module._load (internal/modules/cjs/loader.js:686:27)
at Module.require (internal/modules/cjs/loader.js:848:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.initLoggerMessages (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/util.js:48:19)
at new Server (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/index.js:34:8)
at ClusterManager.createProxyServerWorker (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js:428:25)
at ClusterManager.start (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js:540:10)
at Object. (/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/lib/zluxCluster.js:16:16)
at Module._compile (internal/modules/cjs/loader.js:955:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:991:10)
at Module.load (internal/modules/cjs/loader.js:811:32)
at Function.Module._load (internal/modules/cjs/loader.js:723:14)
at Function.Module.runMain (internal/modules/cjs/loader.js:1043:10)
at internal/main/run_main_module.js:17:11 {
code: 'MODULE_NOT_FOUND',
requireStack: Ý
'/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/util.js',
'/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-server-framework/lib/clusterManager.js',
'/S0W1/var/zowe/zowe-1.9.0/components/app-server/share/zlux-app-server/lib/zluxCluster.js'
Problem making eureka request Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}
Error registering with eureka client. Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}
Error starting the Eureka Client Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}
2020-03-19 13:48:48.426 ZWED:16843593 ZWESVUSR WARN (_zsf.apiml,apiml.js:195) ZWED0005W Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}
ZWED0151W - unhandledRejection Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}
2020-03-19 13:48:48.485 ZWED:16843593 ZWESVUSR WARN (_zsf.bootstrap,process.js:39) ZWED0151W - unhandledRejection Error: connect ECONNREFUSED 192.168.10.182:7553
at TCPConnectWrap.afterConnect Ýas oncomplete¨ (net.js:1140:16) {
errno: 'ECONNREFUSED',
code: 'ECONNREFUSED',
syscall: 'connect',
address: '192.168.10.182',
port: 7553
}