api-layer

Invalid warning when AT-TLS is used

Open JirkaAichler opened this issue 2 years ago • 6 comments

Describe the bug

The onboarding enabler generates the following warning even when AT-TLS is used. This is very confusing for admins since it looks like they are doing something unsecure.

Steps to Reproduce

Use the plain Java enabler in an AT-TLS-enabled service.

Expected behavior

If the service knows that AT-TLS is used, it should not display this message.

Logs

2021-03-12 16:37:53.525 <SDKATJ:main:393579> SDKSERV (org.zowe.apiml.security.HttpsFactory:118) WARN ZWEAM501W Service is connecting
 to Discovery service using the non-secure HTTP protocol.

JirkaAichler, May 19 '22 13:05

The service can't know that it is connecting to a DS with AT-TLS. It is unaware of it. The awareness has been implemented only for core components.

anton-brezina, Jun 01 '22 12:06

I think that the enabler can be aware of this situation. But I would be happy if the message were simply removed, so as not to claim incorrect information.

JirkaAichler, Jun 02 '22 08:06

The issue with removing the message is that it is relevant in case HTTP is used. I don't think there is a general way for any service, including one running off-platform, to verify whether the service is using AT-TLS. Of course, unless you know of one?

balhar-jakub, Jul 19 '22 07:07

You can check it on Z and, in case AT-TLS is used, remove the message. Off Z, it can stay displayed. But it requires native code and it is probably too complicated. Can you just make it configurable? Service developers can switch it off when they don't want it. Or even tie it to the configuration of service AT-TLS.

JirkaAichler, Jul 19 '22 07:07

@achmelo @CarsonCook Don't we already have some way to remove specific messages via configuration from the enablers?

balhar-jakub, Jul 20 '22 12:07

I'm not aware of the ability to remove specific messages via config we provide; they could create some custom functionality based on their logging framework, e.g. TurboFilter in the Logback framework.

We do have our own custom log filters, but they aren't exposed to end users via config.

CarsonCook, Jul 20 '22 13:07
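
A sketch of the Logback TurboFilter workaround mentioned in the last comment, added here as an example and not code from the api-layer project or from any participant in this thread. It drops ZWEAM501W only when the operator explicitly opts in, so the warning still appears when plain HTTP is really in use. The package name, class name and the `example.attls.enabled` system property are hypothetical, and the filter assumes the message ID is part of the message string handed to Logback, as the log line in the issue suggests.

```java
package com.example.logging; // hypothetical package

import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.turbo.TurboFilter;
import ch.qos.logback.core.spi.FilterReply;
import org.slf4j.Marker;

/**
 * Suppresses ZWEAM501W only when the operator has declared that AT-TLS
 * protects the connection. Register it in logback.xml with:
 *   <turboFilter class="com.example.logging.AttlsWarningFilter"/>
 */
public class AttlsWarningFilter extends TurboFilter {

    // Both values are taken from the log line quoted in the issue.
    private static final String MESSAGE_ID = "ZWEAM501W";
    private static final String SOURCE_LOGGER = "org.zowe.apiml.security.HttpsFactory";

    // Hypothetical opt-in switch: -Dexample.attls.enabled=true
    private static final String OPT_IN_PROPERTY = "example.attls.enabled";

    @Override
    public FilterReply decide(Marker marker, Logger logger, Level level,
                              String format, Object[] params, Throwable t) {
        // isWarnEnabled()-style checks reach decide() with a null format.
        if (format == null || !Level.WARN.equals(level)) {
            return FilterReply.NEUTRAL;
        }
        // Only touch the one logger that emits this warning.
        if (!SOURCE_LOGGER.equals(logger.getName())) {
            return FilterReply.NEUTRAL;
        }
        // Without the explicit opt-in the warning stays visible, so a
        // service that really uses plain HTTP is still flagged.
        if (!Boolean.getBoolean(OPT_IN_PROPERTY)) {
            return FilterReply.NEUTRAL;
        }
        // Assumption: the message ID appears in the raw message string.
        return format.contains(MESSAGE_ID) ? FilterReply.DENY : FilterReply.NEUTRAL;
    }
}
```

Returning NEUTRAL rather than ACCEPT leaves every other event subject to the normal level and appender configuration.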