IC SunsetThe developerWorks Connections platform will be sunset on December 31, 2019. On January 1, 2020, this forum will no longer be available. More details available on our FAQ.
Topic
  • 2 replies
  • Latest Post - ‏2018-04-19T12:06:15Z by aklinger
EricHiggins
EricHiggins
1 Post

Pinned topic Swagger UI not displaying response from API

‏2018-04-18T18:53:20Z | zosconnect

We are having an issue using the Swagger UI "Try it Out" feature for testing APIs.  This is what we are seeing:

  • Using the default jks keystore located in /resources/security/key.jks:
    • User is able to connect and authenticate to the z/OS Connect Server using RACF credentials
    • User is prompted to trust a "localhost" certificate (looks like default cert from above)
    • API calls receive an expected response from server
    • No issues invoking a simple API through an external standard web browser
  • Using a RACF Keyring with a server certificate with its' private key stored in ICSF:
    • User is able to connect and authenticate to the z/OS Connect Server using RACF credentials
    • User is not prompted to trust any certificates (likely not flagged due to matching information)
    • API calls receive "no response from server"; trace seems to show:
      • SSL handshake establishing a TLS v1.2 connection to the server
      • Certificate information from the RACF Keyring being passed
      • API call information being sent
      • No response showing in the UI interface
    • No issues invoking a simple API through an external standard web browser

Can you explain why we are seeing this behavior?

 

This has been submitted on behalf of a customer using the Open Beta

  • cipresso
    cipresso
    24 Posts

    Re: Swagger UI not displaying response from API

    ‏2018-04-18T20:38:49Z  

    Hi.  Swagger UI is a HTML/JavaScript application that runs in a different security context (Web browser) from z/OS Connect Host Connections (Java/JVM).  To successfully use the embedded Swagger UI with z/OS Connect servers that have a self-signed certificate, the self-signed certificate needs to be installed and trusted at the operating system level on the client computer.  Please have a look at https://www.ibm.com/support/knowledgecenter/SS4SVW_3.0.0/com.ibm.zosconnect.doc/designing/api_install_cert.html on how to do the necessary configuration.  In general it's recommended to configure your z/OS Connect server with a certificate that uses a hostname other than localhost that way you can more easily identify it later.  -Ted

    Updated on 2018-04-18T20:40:58Z at 2018-04-18T20:40:58Z by cipresso
  • aklinger
    aklinger
    1 Post

    Re: Swagger UI not displaying response from API

    ‏2018-04-19T12:06:15Z  
    • cipresso
    • ‏2018-04-18T20:38:49Z

    Hi.  Swagger UI is a HTML/JavaScript application that runs in a different security context (Web browser) from z/OS Connect Host Connections (Java/JVM).  To successfully use the embedded Swagger UI with z/OS Connect servers that have a self-signed certificate, the self-signed certificate needs to be installed and trusted at the operating system level on the client computer.  Please have a look at https://www.ibm.com/support/knowledgecenter/SS4SVW_3.0.0/com.ibm.zosconnect.doc/designing/api_install_cert.html on how to do the necessary configuration.  In general it's recommended to configure your z/OS Connect server with a certificate that uses a hostname other than localhost that way you can more easily identify it later.  -Ted

    Thanks (customer here) -- where can we see a more descriptive error from the embedded Swagger UI?

    We are using a certificate created and signed in our standard fashion (Root CA --> Intermediate CA --> Server Certificate) on the RACF side of the equation. In step "d" there is a reference to "ZCEE-CERT" which I do not see an exact correlation to in step "a" or step "b". Which certificate is supposed to be imported? Our CAs are already stored in the Windows keystores by default.

    We also store all of our private keys in ICSF per company policy, so extracting the certificates into a .p12 file which contains them is not a viable option.