fix: Requirement of client certificate on ZAAS call when AT-TLS is used & add AT-TLS support to DC #4347
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-project-automation
bot
moved this to New
in API Mediation Layer Backlog Management
achmelo
reviewed
Oct 10, 2025
EvaJavornicka
moved this from New
to In Progress
in API Mediation Layer Backlog Management
github-actions
bot
added
the
Sensitive
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com> # Conflicts: # apiml-tomcat-common/src/main/java/org/zowe/apiml/product/web/TomcatKeyringFix.java
taban03
force-pushed
the
reboot/add_attls_to_dc
branch
from
62a5360 to
5b7d2a2
Compare
taban03
changed the title
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
achmelo
reviewed
Oct 17, 2025
apiml-tomcat-common/src/main/java/org/zowe/apiml/filter/AttlsFilter.java
Outdated
Show resolved
Hide resolved
achmelo
approved these changes
Oct 17, 2025
Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com>
|
github-project-automation
bot
moved this from In Progress
to Done
in API Mediation Layer Backlog Management
Goutham024
pushed a commit
to Joe-Winchester/api-layer-OIDC-POC
that referenced
this pull request
Oct 29, 2025
…ed & add AT-TLS support to DC (zowe#4347) Signed-off-by: Pavel Jareš <Pavel.Jares@broadcom.com> Signed-off-by: Andrea Tabone <andrea.tabone@broadcom.com> Co-authored-by: Pavel Jareš <Pavel.Jares@broadcom.com> Signed-off-by: Gowtham Selvaraj <Gowtham.Selvaraj1@ibm.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
There is a conflict on how client certificate is used between GW and ZAAS. In general there are endpoint that requires credentials (basic, JWT), requires any trusted certificate, trusted client certificate and Zowe certificate. The behaviour is little bit different for each type of authentication. The specific impact is from the AT-TLS. Documentation suggest to use an outbound rule signed by certificate. It means that services that requires any trusted certificate starts receiving x509 from AT-TLS layer even it is missing in the original request. It is a known issue that there is no way how to programatically control signing by x509. For these case this fix allows to define header Client-cert (it is used to forward client certificate) with empty value. Empty valud means forward no certificate - actually to remove / ignore the certificate. The usage is only in resending of calls between gateway and ZAAS, but it could be use elsewhere.
Add spring components and config to support AT-TLS in DC
Linked to # (issue)
Part of the # (epic)
Type of change
Please delete options that are not relevant.
Checklist:
For more details about how should the code look like read the Contributing guideline