Add more helpful and actionable description to message ZWEAM511E #818

Closed
plavjanik opened this issue Sep 3, 2020 · 1 comment · Fixed by #826

plavjanik commented Sep 3, 2020

Is your feature request related to a problem? Please describe.

A user was having the following problem:

We got a 502 error when doing a GET request after installing our API on SYS3

    {
      "messages": [
        {
          "messageType": "ERROR",
          "messageNumber": "ZWEAM511E",
          "messageContent": "The certificate of the service accessed using URL '/api/v1/datacom/svw/dashboard' is not trusted by the API Gateway: Certificate for <sys3.acme.net> doesn't match any of the subject alternative names: [sys1.lvn.broadcom.net, ussys1.lvn.broadcom.net]",
          "messageKey": "org.zowe.apiml.common.tlsError"
        }
      ]
    }

I found this information:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/traditional-management/ca-xcom-data-transport-for-unix-linux/11-6-1/using/generating-tls-ssl-certificates/use-tls-ssl-mode.html
https://knowledge.broadcom.com/external/article?articleId=42945
Just from what I found it seems to be an issue relating to TLS, we moved to a different system from SYS1 to SYS3 and updated the application.yml file accordingly. Was there something else we needed to do?

The documentation https://docs.zowe.org/stable/troubleshoot/troubleshoot-apiml-error-codes.html#zweam511e does not say the right action that should be done.

The documentation says:

The certificate of the service is missing from the truststore of the API Mediation Layer.

This is not the reason for this failure and other possible failures that can cause ZWEAM511E. The reason is that API ML could not trust the certificate provided by the service. That can happen for many reasons - some of them:

  • Missing certificate
  • Invalid certificate
  • A certificate signed by a CA that is not trusted by API ML (the CA or certificate is not in the API ML trust store, or some part of the certificate chain is not known to API ML because the service provides only its certificate but not the intermediary ones)
  • The certificate is issued for a different hostname
  • ...

Adding the certificate to the truststore will not help in this case and it should not be done in most of the cases, since the root CA certificate should be added instead.

Action: Contact your administrator to verify API Mediation Layer truststore configuration.

There can be different actions for each reason. In this case, the solution is to change the certificate used by the service to match the hostname.

Describe the solution you'd like

Comprehensive and actionable documentation for the error message, that will provide a correct explanation of the reason and provide actions on what to do for each major reason.

Describe alternatives you've considered

The alternative is to support individually each user that has problems and help them.


@plavjanik plavjanik added enhancement New feature or request new New issue that has not been worked on yet labels Sep 3, 2020
@balhar-jakub balhar-jakub removed the new New issue that has not been worked on yet label Sep 3, 2020
@anton-brezina anton-brezina added docs Related to creation of new doc(s), or editing existing doc(s) Priority: Medium squad labels Sep 8, 2020
@achmelo achmelo self-assigned this Sep 11, 2020
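
The per-cause triage the issue asks the documentation to support, sketched as an added example (not part of the issue and not Zowe API ML code). It parses the ZWEAM511E response quoted above, classifies the cause, and checks whether a candidate SAN list would cover the host. The names `triage`, `san_covers` and `would_fix` are hypothetical, and the PKIX message text for the untrusted-chain case is an assumption.

```python
import json
import re

# Constructed input: the gateway response quoted in the issue above.
SAMPLE = json.dumps({"messages": [{
    "messageType": "ERROR", "messageNumber": "ZWEAM511E",
    "messageKey": "org.zowe.apiml.common.tlsError",
    "messageContent": "The certificate of the service accessed using URL "
    "'/api/v1/datacom/svw/dashboard' is not trusted by the API Gateway: "
    "Certificate for <sys3.acme.net> doesn't match any of the subject "
    "alternative names: [sys1.lvn.broadcom.net, ussys1.lvn.broadcom.net]"}]})

MISMATCH = re.compile(r"Certificate for <([^>]+)> doesn't match any of the "
                      r"subject alternative names: \[([^\]]*)\]")
# Assumption: an untrusted CA or incomplete chain surfaces as the usual
# Java PKIX text; the issue does not show that variant of the message.
PKIX = "unable to find valid certification path"

def san_covers(host, san):
    """True if a SAN entry covers host: exact, or one left-most '*' label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def would_fix(host, candidate_sans):
    """Check a replacement certificate's SAN list before redeploying it."""
    return any(san_covers(host, s) for s in candidate_sans)

def triage(response_text):
    """Classify each ZWEAM511E message into a cause and a matching action."""
    findings = []
    for msg in json.loads(response_text).get("messages", []):
        if msg.get("messageNumber") != "ZWEAM511E":
            continue
        detail = msg.get("messageContent", "")
        m = MISMATCH.search(detail)
        if m:
            host = m.group(1)
            sans = [s.strip() for s in m.group(2).split(",") if s.strip()]
            findings.append({"cause": "hostname-mismatch", "host": host, "sans": sans,
                             "action": f"reissue the service certificate with {host} as a SAN"})
        elif PKIX in detail:
            findings.append({"cause": "untrusted-chain",
                             "action": "add the root CA to the truststore or have the service send its intermediates"})
        else:
            findings.append({"cause": "unclassified", "action": "inspect the service certificate"})
    return findings
```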

achmelo commented Sep 14, 2020

Hi, how can we reproduce the problem with invalid or missing certificate? Isn't it the same outcome as issued for different hostname and not trusted?
