Zowe Suite v2.18.1

CHANGELOG.md

@@ -3,6 +3,11 @@
 All notable changes to the Zlux Server Framework package will be documented in this file..
 This repo is part of the app-server Zowe Component, and the change logs here may appear on Zowe.org in that section.
 
+## 2.18.1
+- Bugfix: App-server could not register with discovery server when AT-TLS was enabled for app-server. (#581)
+- Bugfix: App-server /server/environment endpoint was missing the "agent" object, causing the Desktop to choose an indirect route to accessing ZSS. This fix improves latency and high availability behavior of ZSS APIs in the Desktop. (#589)
+- Bugfix: When eureka registration experienced a network failure, troubleshooting information was not available. The property `components.app-server.node.mediationLayer.traceTls` now exists for troubleshooting TLS issues. (#591)
+
 ## 2.17.0
 - Enhancement: Added function `isClientAttls(zoweConfig)` within `libs/util.js`. Whenever a plugin makes a network request, it should always use this to determine if a normally HTTPS request should instead be made as HTTP due to AT-TLS handling the TLS when enabled. (#544)
 - Bugfix: Fixed function `isServerAttls(zoweConfig)` within `libs/util.js`, which was preventing using AT-TLS with app-server. (#544)

lib/apiml.js

@@ -79,9 +79,22 @@ const MEDIATION_LAYER_INSTANCE_DEFAULTS = (zluxProto, zluxHostname, zluxPort) =>
 }};
 
 function ApimlConnector({ hostName, port, discoveryUrls,
-                          discoveryPort, tlsOptions, eurekaOverrides, isClientAttls }) {
+                          discoveryPort, tlsOptions, eurekaOverrides, isClientAttls, traceTls }) {
   Object.assign(this, { hostName, port, discoveryUrls,
-                        discoveryPort, tlsOptions, eurekaOverrides, isClientAttls });
+                        discoveryPort, tlsOptions, eurekaOverrides, isClientAttls, traceTls });
+  //TODO config should never be checked through env var, but is temporarily needed to temporarily read gateway's ATTLS state to provide it with Eureka info it can work with.
+  const clientGlobalAttls = process.env['ZWE_zowe_network_client_tls_attls'];
+  const clientGatewayAttls = process.env['ZWE_components_gateway_zowe_network_client_tls_attls'];
+  const clientAttls = (clientGlobalAttls == 'true') || (clientGatewayAttls == 'true');
+  this.isGatewayClientAttls = false;
+  if ((clientGlobalAttls === undefined) && (clientGatewayAttls === undefined)) {
+    // If client attls env vars are not set, have client follow server attls variable. it simplifies common case in which users want both.
+    const serverGlobalAttls = process.env['ZWE_zowe_network_server_tls_attls'] == 'true';
+    const serverGatewayAttls = process.env['ZWE_components_gateway_zowe_network_server_tls_attls'] == 'true';
+    this.isGatewayClientAttls = serverGlobalAttls || serverGatewayAttls;
+  } else {
+    this.isGatewayClientAttls = clientAttls;
+  }
   this.vipAddress = hostName;
 }
 
@@ -168,24 +181,29 @@ ApimlConnector.prototype = {
       // If the HTTP port is set to 0 then the API ML doesn't load zlux
       httpPort: Number(this.port),
       httpsPort: Number(this.port),
-      httpEnabled: false,
-      httpsEnabled: true
+      // TODO while the server should always be HTTPS for security,
+      // When AT-TLS is used, programs need to know when AT-TLS will add TLS to their traffic
+      // To align with the correct amount of TLS (Avoid no TLS and double TLS)
+      // It seems the gateway wants to be told app-server is 'http' when client TLS is set on it
+      // So this eureka object will be based upon that setting.
+      // This may change in the future, revisit.
+      httpEnabled: this.isGatewayClientAttls,
+      httpsEnabled: !this.isGatewayClientAttls
     };
-    const proto = 'https';
 
-    log.debug("ZWED0141I", proto, this.port); //"Protocol:", proto, "Port", port);
+    log.debug("ZWED0141I", 'https', this.port); //"Protocol:", proto, "Port", port);
     log.debug("ZWED0142I", JSON.stringify(protocolObject)); //"Protocol Object:", JSON.stringify(protocolObject));
 
-    const instance = Object.assign({}, MEDIATION_LAYER_INSTANCE_DEFAULTS(proto, this.hostName, this.port));
+    const instance = Object.assign({}, MEDIATION_LAYER_INSTANCE_DEFAULTS('https', this.hostName, this.port));
     Object.assign(instance, overrides);
     Object.assign(instance,  {
        instanceId: `${this.hostName}:zlux:${this.port}`,
        hostName:  this.hostName,
        ipAddr: this.ipAddr,
        vipAddress: "zlux",//this.vipAddress,
-       statusPageUrl: `${proto}://${this.hostName}:${this.port}/server/eureka/info`,
-       healthCheckUrl: `${proto}://${this.hostName}:${this.port}/server/eureka/health`,
-       homePageUrl: `${proto}://${this.hostName}:${this.port}/`,
+       statusPageUrl: `https://${this.hostName}:${this.port}/server/eureka/info`,
+       healthCheckUrl: `https://${this.hostName}:${this.port}/server/eureka/health`,
+       homePageUrl: `https://${this.hostName}:${this.port}/`,
        port: {
          "$": protocolObject.httpPort, // This is a workaround for the mediation layer
          "@enabled": ''+protocolObject.httpEnabled
@@ -228,7 +246,11 @@ ApimlConnector.prototype = {
   },*/
 
   registerMainServerInstance() {
-    const overrideOptions = Object.assign({},this.tlsOptions);
+    const overrideOptions = this.isClientAttls
+          ? {}
+    //Use server's own TLS options except for TLS tracing.
+          : Object.assign(Object.assign({},this.tlsOptions), {enableTrace: this.traceTls ? true : false});
+
     if (!this.tlsOptions.rejectUnauthorized) {
       //Keeping these certs causes an openssl error 46, unknown cert error in a dev environment
       delete overrideOptions.cert;
@@ -240,7 +262,8 @@ ApimlConnector.prototype = {
       eureka: Object.assign({}, MEDIATION_LAYER_EUREKA_DEFAULTS, this.eurekaOverrides),
       requestMiddleware: function (requestOpts, done) {
         done(Object.assign(requestOpts, overrideOptions));
-      }
+      },
+      ssl: !this.isClientAttls
     }
     log.debug("ZWED0144I", JSON.stringify(zluxProxyServerInstanceConfig, null, 2)); //log.debug("zluxProxyServerInstanceConfig: " 
         //+ JSON.stringify(zluxProxyServerInstanceConfig, null, 2))
@@ -280,7 +303,12 @@ ApimlConnector.prototype = {
   },
 
   getServiceUrls() {
-    return this.discoveryUrls.map(url => url + (url.endsWith('/') ? '' : '/') + 'apps');
+    let urls = this.discoveryUrls.map(url => url + (url.endsWith('/') ? '' : '/') + 'apps');
+    if (this.isClientAttls) {
+      return urls.map(url => url.replaceAll('https', 'http'));
+    } else {
+      return urls;
+    }
   },
 
   getRequestOptionsArray(method, path) {

lib/index.js

@@ -220,6 +220,7 @@ Server.prototype = {
           port: this.port,
           discoveryUrls: apimlConfig.server.discoveryUrls || [`https://${apimlConfig.server.hostname}:${apimlConfig.server.port}/eureka/`],
           tlsOptions: this.tlsOptions,
+          traceTls: apimlConfig.traceTls,
           eurekaOverrides: apimlConfig.eureka,
           isClientAttls: util.isClientAttls(this.zoweConfig)
         });

lib/webapp.js

@@ -234,7 +234,8 @@ const hostname = os.hostname();
 function getUserEnv(rbac, zoweConfig){
   var date = new Date();
   return new Promise(function(resolve, reject){
-    const nodeConfig = zoweConfig.components['app-server'].node;
+    const serverConfig = zoweConfig.components['app-server'];
+    const nodeConfig = serverConfig.node;
     if (rbac) {
       resolve({
         "timestamp": date.toUTCString(),
@@ -248,7 +249,7 @@ function getUserEnv(rbac, zoweConfig){
         "hostname": hostname,
         "userEnvironment": process.env,
         "agent": {
-          "mediationLayer": nodeConfig.agent?.mediationLayer
+          "mediationLayer": serverConfig.agent?.mediationLayer
         },
         "PID": process.pid,
         "PPID": process.ppid,
@@ -279,7 +280,7 @@ function getUserEnv(rbac, zoweConfig){
           "GATEWAY_PORT": nodeConfig.mediationLayer.server.gatewayPort,
         },
         "agent": {
-          "mediationLayer": nodeConfig.agent?.mediationLayer
+          "mediationLayer": serverConfig.agent?.mediationLayer
         }
       })
     }