[Troubleshooting tip] Keeping ZSS secure with TLS #1883
Labels:
- 1.0.0
- area: docs (Documentation issue or issues that have documentation impact)
- area: webui (Issues related to Zowe Application Framework (zLUX) or Zowe Desktop (MVD))
- good first issue (Good for newcomers)
2. Choose a title
Keeping ZSS secure with TLS
3. Symptom
The ZSS log shows the message:
** WARNING: Connection is insecure! TLS needed but not found on socket. **
4. Solution
ZSS is a web server that performs certain system calls for data management and even security. It is important to have a configuration that keeps the network traffic for ZSS secure at all times. When TLS is not active on ZSS, the warning is shown at startup and periodically afterwards. If ZSS does not need to communicate with a client outside the z/OS system, it is possible to make ZSS accessible only from within z/OS, but if TLS is not activated, the warning will remain.
There are two ways to ensure ZSS has TLS.
- The default, when the environment variable ZOWE_ZSS_SERVER_TLS=true is set. This will use the Zowe keystore for TLS certificate management.
- AT-TLS, as described here: https://docs.zowe.org/stable/user-guide/mvd-configuration/#configuring-zss-for-https
Note that AT-TLS and ZOWE_ZSS_SERVER_TLS=true are mutually exclusive, but perform the same task of making ZSS use HTTPS.
When TLS is enabled, it is fine to have ZSS be externally accessible, but it is still recommended to access it via the API Mediation Layer Gateway for additional benefits such as high availability. When using containers, the Gateway may be external to z/OS, requiring ZSS to be externally accessible.
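
One way to confirm the fix took effect, as an added example that is not part of the original issue or Zowe's own code: count the warning in a ZSS log and probe the ZSS port to see whether it negotiates TLS. The function names and the sample log lines are assumptions made for illustration; only the warning text comes from the Symptom section.

```python
import socket
import ssl
import sys

# Warning text as quoted in the Symptom section above.
WARNING = "Connection is insecure! TLS needed but not found on socket."

# Constructed sample log; only the warning text comes from the page.
SAMPLE_LOG = """\
(constructed) ZSS server starting
** WARNING: Connection is insecure! TLS needed but not found on socket. **
(constructed) request served
** WARNING: Connection is insecure! TLS needed but not found on socket. **
"""

def count_tls_warnings(log_text):
    """Number of log lines carrying the insecure-connection warning."""
    return sum(1 for line in log_text.splitlines() if WARNING in line)

def probe_tls(host, port, timeout=3.0):
    """Return 'tls:<version>', 'not-tls' or 'unreachable' for a listener."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    # Certificate checks are off on purpose: this only answers "does the
    # port negotiate TLS at all", not "is the certificate trusted".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls:" + tls.version()
    except OSError:  # ssl.SSLError, timeout or reset: no TLS handshake
        return "not-tls"
    finally:
        sock.close()

if __name__ == "__main__":
    # Usage: python check_zss_tls.py <host> <port> [zss-log-file]
    if len(sys.argv) >= 3:
        print("listener:", probe_tls(sys.argv[1], int(sys.argv[2])))
    log = open(sys.argv[3]).read() if len(sys.argv) > 3 else SAMPLE_LOG
    print("insecure-connection warnings:", count_tls_warnings(log))
```

The probe reports what a client sees on the wire, so it applies the same way whether TLS comes from ZOWE_ZSS_SERVER_TLS=true or from AT-TLS.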