feat: support client AT-TLS setting [V3] (#3828)

---------

Signed-off-by: Pablo Hernán Carle <pablo.carle@broadcom.com>
Co-authored-by: Pablo Hernán Carle <pablo.carle@broadcom.com>
Co-authored-by: Jakub Balhar <jakub@balhar.net>

api-catalog-package/src/main/resources/bin/start.sh

@@ -136,10 +136,15 @@ ADD_OPENS="--add-opens=java.base/java.lang=ALL-UNNAMED
         --add-opens=java.base/java.io=ALL-UNNAMED"
 
 ATTLS_ENABLED="false"
-# ZWE_configs_spring_profiles_active for back compatibility, should be removed in v3 - enabling via Spring profile
-if [ "${ZWE_zowe_network_server_tls_attls}" = "true" -o "$(echo ${ZWE_configs_spring_profiles_active:-} | awk '/^(.*,)?attls(,.*)?$/')" ]; then
+ATTLS_CLIENT_ENABLED="false"
+
+if [ "${ZWE_zowe_network_server_tls_attls}" = "true" ]; then
   ATTLS_ENABLED="true"
 fi
+if [ "${ZWE_zowe_network_client_tls_attls}" = "true" ]; then
+  ATTLS_CLIENT_ENABLED="true"
+fi
+
 if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_server_ssl_enabled="false"
   if [ -n "${ZWE_configs_spring_profiles_active}" ]; then
@@ -154,10 +159,11 @@ else
     externalProtocol="http"
 fi
 
-# Verify discovery service URL in case AT-TLS is enabled, assumes outgoing rules are in place
+internalProtocol="https"
 ZWE_DISCOVERY_SERVICES_LIST=${ZWE_DISCOVERY_SERVICES_LIST:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_discovery_port:-7553}/eureka/"}
-if [ "$ATTLS_ENABLED" = "true" ]; then
+if [ "$ATTLS_CLIENT_ENABLED" = "true" ]; then
     ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g')
+    internalProtocol="http"
 fi
 
 get_enabled_protocol_limit() {
@@ -265,7 +271,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${CATALOG_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
     -Dapiml.security.authorization.provider=${ZWE_components_gateway_apiml_security_authorization_provider:-} \
     -Dapiml.security.authorization.endpoint.enabled=${ZWE_components_gateway_apiml_security_authorization_endpoint_enabled:-false} \
-    -Dapiml.security.authorization.endpoint.url=${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port}/zss/api/v1/saf-auth"} \
+    -Dapiml.security.authorization.endpoint.url=${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port}/zss/api/v1/saf-auth"} \
     -Dapiml.security.authorization.resourceClass=${ZWE_components_gateway_apiml_security_authorization_resourceClass:-ZOWE} \
     -Dapiml.security.auth.cookieProperties.cookieName=${cookieName:-apimlAuthenticationToken} \
     -Dapiml.catalog.hide.serviceInfo=${ZWE_configs_apiml_catalog_hide_serviceInfo:-false} \

caching-service-package/src/main/resources/bin/start.sh

@@ -124,10 +124,15 @@ ADD_OPENS="--add-opens=java.base/java.lang=ALL-UNNAMED
         --add-opens=java.base/java.io=ALL-UNNAMED"
 
 ATTLS_ENABLED="false"
-# ZWE_configs_spring_profiles_active for back compatibility, should be removed in v3 - enabling via Spring profile
-if [ "${ZWE_zowe_network_server_tls_attls}" = "true" -o "$(echo ${ZWE_configs_spring_profiles_active:-} | awk '/^(.*,)?attls(,.*)?$/')" ]; then
+ATTLS_CLIENT_ENABLED="false"
+
+if [ "${ZWE_zowe_network_server_tls_attls}" = "true" ]; then
   ATTLS_ENABLED="true"
 fi
+if [ "${ZWE_zowe_network_client_tls_attls}" = "true" ]; then
+  ATTLS_CLIENT_ENABLED="true"
+fi
+
 if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_server_ssl_enabled="false"
   if [ -n "${ZWE_configs_spring_profiles_active}" ]; then
@@ -138,7 +143,7 @@ fi
 
 # Verify discovery service URL in case AT-TLS is enabled, assumes outgoing rules are in place
 ZWE_DISCOVERY_SERVICES_LIST=${ZWE_DISCOVERY_SERVICES_LIST:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_discovery_port:-7553}/eureka/"}
-if [ "${ATTLS_ENABLED}" = "true" ]; then
+if [ "${ATTLS_CLIENT_ENABLED}" = "true" ]; then
     ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g')
 fi
 

discovery-package/src/main/resources/bin/configure.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+################################################################################
+# This program and the accompanying materials are made available under the terms of the
+# Eclipse Public License v2.0 which accompanies this distribution, and is available at
+# https://www.eclipse.org/legal/epl-v20.html
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Copyright IBM Corporation 2021
+################################################################################
+
+if [ -z "$ZWE_zowe_workspaceDirectory" ]; then
+    echo "Workspace directory is not defined"
+    exit 1
+fi
+
+echo "$(env)" > $ZWE_zowe_workspaceDirectory/api-mediation/api-defs/env
+
+INSTANCE_ID=$ZWE_haInstance_id
+
+if [ -z "$INSTANCE_ID" ]; then
+    SOURCE_FILE=$ZWE_zowe_workspaceDirectory/api-mediation/api-defs/discovery.zosmf_static_definition_yaml_template.yml
+else
+    SOURCE_FILE=$ZWE_zowe_workspaceDirectory/api-mediation/api-defs/discovery.zosmf_static_definition_yaml_template.$INSTANCE_ID.yml
+fi
+
+DEST_FILE="$ZWE_zowe_workspaceDirectory/api-mediation/api-defs/zosmf.temp"
+
+ZOSMF_SCHEME=https
+
+if [ "$ZWE_zowe_network_client_tls_attls" = "true" ]; then
+    ZOSMF_SCHEME=http
+fi
+
+if [ -e "$SOURCE_FILE" ]; then
+    chtag -tc ISO8859-1 $SOURCE_FILE
+    sed -e "s|%ZOSMF_SCHEME%|${ZOSMF_SCHEME}|g" $SOURCE_FILE > $DEST_FILE
+    iconv -f IBM-1047 -t ISO8859-1 $DEST_FILE > $SOURCE_FILE
+    chtag -tc ISO8859-1 $SOURCE_FILE
+    rm -f $DEST_FILE
+else
+    echo "File $SOURCE_FILE not found"
+fi

discovery-package/src/main/resources/bin/start.sh

@@ -101,10 +101,15 @@ if [ "$(uname)" = "OS/390" ]; then
 fi
 
 ATTLS_ENABLED="false"
-# ZWE_configs_spring_profiles_active for back compatibility, should be removed in v3 - enabling via Spring profile
-if [ "${ZWE_zowe_network_server_tls_attls}" = "true" -o "$(echo ${ZWE_configs_spring_profiles_active:-} | awk '/^(.*,)?attls(,.*)?$/')" ]; then
+ATTLS_CLIENT_ENABLED="false"
+
+if [ "${ZWE_zowe_network_server_tls_attls}" = "true" ]; then
   ATTLS_ENABLED="true"
 fi
+if [ "${ZWE_zowe_network_client_tls_attls}" = "true" ]; then
+  ATTLS_CLIENT_ENABLED="true"
+fi
+
 if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_server_ssl_enabled="false"
   if [ -n "${ZWE_configs_spring_profiles_active}" ]; then
@@ -113,9 +118,8 @@ if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active}attls"
 fi
 
-# Verify discovery service URL in case AT-TLS is enabled, assumes outgoing rules are in place
 ZWE_DISCOVERY_SERVICES_LIST=${ZWE_DISCOVERY_SERVICES_LIST:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_discovery_port:-7553}/eureka/"}
-if [ "${ATTLS_ENABLED}" = "true" ]; then
+if [ "${ATTLS_CLIENT_ENABLED}" = "true" ]; then
     ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g')
 fi
 

discovery-package/src/main/resources/manifest.yaml

@@ -21,6 +21,7 @@ build:
 commands:
   start: bin/start.sh
   validate: bin/validate.sh
+  configure: bin/configure.sh
 # if we need to automatically tag file encoding on z/OS during installation
 autoEncoding:
   # tag all files

discovery-package/src/main/resources/zosmf-static-definition.yaml.template

@@ -9,7 +9,7 @@ services:
       description: 'IBM z/OS Management Facility REST API service. Once configured you can access z/OSMF via the API gateway: https://${ZOWE_EXPLORER_HOST}:${GATEWAY_PORT}/ibmzosmf/api/v1/info'
       catalogUiTileId: zosmf
       instanceBaseUrls:
-        - ${ZWE_zOSMF_scheme:-https}://${ZOSMF_HOST}:${ZOSMF_PORT}/
+        - %ZOSMF_SCHEME%://${ZOSMF_HOST}:${ZOSMF_PORT}/"
       homePageRelativeUrl:  # Home page is at the same URL
       routedServices:
         - gatewayUrl: api/v1
@@ -20,7 +20,7 @@ services:
         - apiId: ibm.zosmf
           gatewayUrl: api/v1
           documentationUrl: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.izua700/IZUHPINFO_RESTServices.htm
-          swaggerUrl: ${ZWE_zOSMF_scheme:-https}://${ZOSMF_HOST}:${ZOSMF_PORT}/zosmf/api/docs
+          swaggerUrl: %ZOSMF_SCHEME%://${ZOSMF_HOST}:${ZOSMF_PORT}/zosmf/api/docs"
       customMetadata:
           apiml:
               enableUrlEncodedCharacters: true

gateway-package/src/main/resources/bin/start.sh

@@ -146,10 +146,15 @@ fi
 echo "Setting loader path: "${GATEWAY_LOADER_PATH}
 
 ATTLS_ENABLED="false"
-# ZWE_configs_spring_profiles_active for back compatibility, should be removed in v3 - enabling via Spring profile
-if [ "${ZWE_zowe_network_server_tls_attls}" = "true" -o "$(echo ${ZWE_configs_spring_profiles_active:-} | awk '/^(.*,)?attls(,.*)?$/')" ]; then
+ATTLS_CLIENT_ENABLED="false"
+
+if [ "${ZWE_zowe_network_server_tls_attls}" = "true" ]; then
   ATTLS_ENABLED="true"
 fi
+if [ "${ZWE_zowe_network_client_tls_attls}" = "true" ]; then
+  ATTLS_CLIENT_ENABLED="true"
+fi
+
 if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_server_ssl_enabled="false"
   if [ -n "${ZWE_configs_spring_profiles_active}" ]; then
@@ -158,10 +163,11 @@ if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active}attls"
 fi
 
-# Verify discovery service URL in case AT-TLS is enabled, assumes outgoing rules are in place
+internalProtocol="https"
 ZWE_DISCOVERY_SERVICES_LIST=${ZWE_DISCOVERY_SERVICES_LIST:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_discovery_port:-7553}/eureka/"}
-if [ "${ATTLS_ENABLED}" = "true" ]; then
+if [ "${ATTLS_CLIENT_ENABLED}" = "true" ]; then
     ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g')
+    internalProtocol=http
     ZWE_configs_apiml_service_corsEnabled=true
 fi
 

zaas-package/src/main/resources/bin/start.sh

@@ -70,6 +70,7 @@
 # - ZWE_DISCOVERY_SERVICES_LIST
 # - ZWE_haInstance_hostname
 # - ZWE_zowe_network_server_tls_attls
+# - ZWE_zowe_network_client_tls_attls
 # - ZWE_zowe_certificate_keystore_type - The default keystore type to use for SSL certificates
 # - ZWE_zowe_verifyCertificates - if we accept only verified certificates
 
@@ -147,10 +148,15 @@ fi
 echo "Setting loader path: "${ZAAS_LOADER_PATH}
 
 ATTLS_ENABLED="false"
-# ZWE_configs_spring_profiles_active for back compatibility, should be removed in v3 - enabling via Spring profile
-if [ "${ZWE_zowe_network_server_tls_attls}" = "true" -o "$(echo ${ZWE_configs_spring_profiles_active:-} | awk '/^(.*,)?attls(,.*)?$/')" ]; then
+ATTLS_CLIENT_ENABLED="false"
+
+if [ "${ZWE_zowe_network_server_tls_attls}" = "true" ]; then
   ATTLS_ENABLED="true"
 fi
+if [ "${ZWE_zowe_network_client_tls_attls}" = "true" ]; then
+  ATTLS_CLIENT_ENABLED="true"
+fi
+
 if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_server_ssl_enabled="false"
   if [ -n "${ZWE_configs_spring_profiles_active}" ]; then
@@ -159,10 +165,11 @@ if [ "${ATTLS_ENABLED}" = "true" ]; then
   ZWE_configs_spring_profiles_active="${ZWE_configs_spring_profiles_active}attls"
 fi
 
-# Verify discovery service URL in case AT-TLS is enabled, assumes outgoing rules are in place
+internalProtocol="https"
 ZWE_DISCOVERY_SERVICES_LIST=${ZWE_DISCOVERY_SERVICES_LIST:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_discovery_port:-7553}/eureka/"}
-if [ "${ATTLS_ENABLED}" = "true" ]; then
+if [ "${ATTLS_CLIENT_ENABLED}" = "true" ]; then
     ZWE_DISCOVERY_SERVICES_LIST=$(echo "${ZWE_DISCOVERY_SERVICES_LIST=}" | sed -e 's|https://|http://|g')
+    internalProtocol=http
 fi
 
 if [ "${ZWE_configs_server_ssl_enabled:-true}" = "true" -o "$ATTLS_ENABLED" = "true" ]; then
@@ -323,24 +330,24 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${ZAAS_CODE} ${JAVA_BIN_DIR}java \
     -Dapiml.security.jwtInitializerTimeout=${ZWE_configs_apiml_security_jwtInitializerTimeout:-${ZWE_components_gateway_apiml_security_jwtInitializerTimeout:-5}} \
     -Dapiml.security.useInternalMapper=${ZWE_configs_apiml_security_useInternalMapper:-${ZWE_components_gateway_apiml_security_useInternalMapper:-true}} \
     -Dapiml.security.x509.enabled=${ZWE_configs_apiml_security_x509_enabled:-${ZWE_components_gateway_apiml_security_x509_enabled:-false}} \
-    -Dapiml.security.x509.externalMapperUrl=${ZWE_configs_apiml_security_x509_externalMapperUrl:-${ZWE_components_gateway_apiml_security_x509_externalMapperUrl:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/x509/map"}} \
+    -Dapiml.security.x509.externalMapperUrl=${ZWE_configs_apiml_security_x509_externalMapperUrl:-${ZWE_components_gateway_apiml_security_x509_externalMapperUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/x509/map"}} \
     -Dapiml.security.x509.externalMapperUser=${ZWE_configs_apiml_security_x509_externalMapperUser:-${ZWE_components_gateway_apiml_security_x509_externalMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}}} \
     -Dapiml.security.x509.acceptForwardedCert=${ZWE_configs_apiml_security_x509_enabled:-${ZWE_components_gateway_apiml_security_x509_enabled:-${ZWE_components_gateway_apiml_security_x509_enabled:-true}}} \
-    -Dapiml.security.x509.certificatesUrl=${ZWE_configs_apiml_security_x509_certificatesUrl:-${ZWE_components_gateway_apiml_security_x509_certificatesUrl:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/gateway/certificates"}} \
+    -Dapiml.security.x509.certificatesUrl=${ZWE_configs_apiml_security_x509_certificatesUrl:-${ZWE_components_gateway_apiml_security_x509_certificatesUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/gateway/certificates"}} \
     -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-${ZWE_components_gateway_apiml_security_authorization_provider:-}} \
     -Dapiml.security.authorization.endpoint.enabled=${ZWE_configs_apiml_security_authorization_endpoint_enabled:-${ZWE_components_gateway_apiml_security_authorization_endpoint_enabled:-false}} \
-    -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf-auth"}} \
+    -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf-auth"}} \
     -Dapiml.security.saf.provider=${ZWE_configs_apiml_security_saf_provider:-${ZWE_components_gateway_apiml_security_saf_provider:-"rest"}} \
-    -Dapiml.security.saf.urls.authenticate=${ZWE_configs_apiml_security_saf_urls_authenticate:-${ZWE_components_gateway_apiml_security_saf_urls_authenticate:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf/authenticate"}} \
-    -Dapiml.security.saf.urls.verify=${ZWE_configs_apiml_security_saf_urls_verify:-${ZWE_components_gateway_apiml_security_saf_urls_verify:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf/verify"}} \
+    -Dapiml.security.saf.urls.authenticate=${ZWE_configs_apiml_security_saf_urls_authenticate:-${ZWE_components_gateway_apiml_security_saf_urls_authenticate:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf/authenticate"}} \
+    -Dapiml.security.saf.urls.verify=${ZWE_configs_apiml_security_saf_urls_verify:-${ZWE_components_gateway_apiml_security_saf_urls_verify:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf/verify"}} \
     -Dapiml.security.authorization.resourceClass=${ZWE_configs_apiml_security_authorization_resourceClass:-${ZWE_components_gateway_apiml_security_authorization_resourceClass:-ZOWE}} \
     -Dapiml.security.authorization.resourceNamePrefix=${ZWE_configs_apiml_security_authorization_resourceNamePrefix:-${ZWE_components_gateway_apiml_security_authorization_resourceNamePrefix:-APIML.}} \
     -Dapiml.security.zosmf.applid=${ZWE_configs_apiml_security_zosmf_applid:-${ZWE_components_gateway_apiml_security_zosmf_applid:-IZUDFLT}} \
     -Dapiml.security.oidc.enabled=${ZWE_configs_apiml_security_oidc_enabled:-${ZWE_components_gateway_apiml_security_oidc_enabled:-false}} \
     -Dapiml.security.oidc.clientId=${ZWE_configs_apiml_security_oidc_clientId:-${ZWE_components_gateway_apiml_security_oidc_clientId:-}} \
     -Dapiml.security.oidc.clientSecret=${ZWE_configs_apiml_security_oidc_clientSecret:-${ZWE_components_gateway_apiml_security_oidc_clientSecret:-}} \
     -Dapiml.security.oidc.registry=${ZWE_configs_apiml_security_oidc_registry:-${ZWE_components_gateway_apiml_security_oidc_registry:-}} \
-    -Dapiml.security.oidc.identityMapperUrl=${ZWE_configs_apiml_security_oidc_identityMapperUrl:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUrl:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/dn"}} \
+    -Dapiml.security.oidc.identityMapperUrl=${ZWE_configs_apiml_security_oidc_identityMapperUrl:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/dn"}} \
     -Dapiml.security.oidc.identityMapperUser=${ZWE_configs_apiml_security_oidc_identityMapperUser:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}}} \
     -Dapiml.security.oidc.jwks.uri=${ZWE_configs_apiml_security_oidc_jwks_uri:-${ZWE_components_gateway_apiml_security_oidc_jwks_uri:-}} \
     -Dapiml.security.oidc.jwks.refreshInternalHours=${ZWE_configs_apiml_security_oidc_jwks_refreshInternalHours:-${ZWE_components_gateway_apiml_security_oidc_jwks_refreshInternalHours:-1}} \