AT-TLS does not work

[josefRIT]

We have ZOWE upgraded to v2.18.1 under z/OS 3.1 and with java version (see below) active and running in a minimal configuration (active components gateway, discovery, api-catalog)
java version "1.8.0_441"
Java(TM) SE Runtime Environment (build 8.0.8.40 - pmz6480sr8fp40-20250123_01(SR8 FP40))
IBM J9 VM (build 2.9, JRE 1.8.0 z/OS s390x-64-Bit Compressed References 20241212_83587 (JIT enabled, AOT enabled)

All this components are up and running okay.

Than we change in out yaml:

network.server.tls.attls: true
network.client.tls.attls: true
and finished the TCPIP-configuration to change our ZOWE-Ports to use AT-TLS.
When I now start ZOWE-STC I get this error MSG:
2025-05-22 12:55:59.886 ZWEADS1:http-nio-0.0.0.0-7553-exec-1:83951983 AXXZOWEV ERROR (o.a.c.c.C.Ý.Ýlocalhost¨) Exception Processing ÝErrorPageÝerrorCode=0, location=/error¨¨
java.lang.IllegalArgumentException: This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); otherwise, please use requestMatchers(AntPathRequestMatcher).
This is because there is more than one mappable servlet in your servlet context: äcom.netflix.hystrix.contrib.metrics.eventstream.HystrixMetricsStreamServlet=Ý/application/hystrixstream/*¨, org.springframework.web.servlet.DispatcherServlet=Ý/¨ü.
For each MvcRequestMatcher, call MvcRequestMatcher#setServletPath to indicate the servlet path.
at org.springframework.util.Assert.notNull(Assert.java:219)

And on the browser API Mediation Layer show only the Autentication Service is running.

When I call https://q-zowe.r-services.at:7553/ (Gateway) I get:
{
"messages": [
{
"messageType": "ERROR",
"messageNumber": "ZWEAS103E",
"messageContent": "API Gateway Service is not available by URL '/' (API Gateway is required because it provides the authentication functionality)",
"messageAction": "Check that both the service and Gateway are correctly registered in the Discovery service. Allow some time after the services are discovered for the information to propagate to individual services.",
"messageReason": "The security client cannot find a Gateway instance to perform authentication. The API Gateway is required because it provides the authentication functionality.",
"messageKey": "org.zowe.apiml.security.gatewayNotAvailable"
}
]
}

When I call q-zowe.r-services.at:7552/apicatalog/application/info
{
"messages": [
{
"messageType": "ERROR",
"messageNumber": "ZWEAS103E",
"messageContent": "API Gateway Service is not available by URL '/apicatalog/application/info' (API Gateway is required because it provides the authentication functionality)",
"messageAction": "Check that both the service and Gateway are correctly registered in the Discovery service. Allow some time after the services are discovered for the information to propagate to individual services.",
"messageReason": "The security client cannot find a Gateway instance to perform authentication. The API Gateway is required because it provides the authentication functionality.",
"messageKey": "org.zowe.apiml.security.gatewayNotAvailable"
}
]
}

We checked our z/OS TCPIP - LOGs and could not find a problem with our AT-TLS configuration / ZOWE Ports.

Any suggestions what else we can try?

[1000TurquoisePogs]

tcpip logs tend to not tell you whether the attls rules are sufficient for zowe.
v2.18.1 should be fine for at-tls.
send at-tls rules for review, and check https://docs.zowe.org/stable/user-guide/configuring-at-tls-for-zowe-server as a reference.

[josefRIT]

attached the at-tls rules.
we took exact this reference when we tried to activate at-tls.

ZOWE_TTLSRules.txt

[hrishikesh-nalawade]

Hello @josefRIT , can you please share the zowe.yaml configuration file.

[josefRIT]

Hello @hrishikesh-nalawade,
here is the yaml, we used for testing attls.

test.V2181.a03.yaml.txt

[hrishikesh-nalawade]

Hello @josefRIT ,

Thank you for sharing the configuration. Upon reviewing it, I noticed that port 7554 is assigned to the Gateway. However, it appears that the calls are being made using port 7553 (here, "When I call https://q-zowe.r-services.at:7553/ (Gateway) I get:"). Could you please try using port 7554 instead and let me know the results?

Additionally, when accessing the API catalog, kindly use the following path:
https://q-zowe.r-services.at:7552/apicatalog/ui/v1/

Please let me know if you encounter any issues or need further assistance

[josefRIT]

Hello @hrishikesh-nalawade ,
I checked now with our Zowe - non - ATTLS - config:

https://q-zowe.r-services.at:7552/apicatalog/ui/v1/ bring 404 Page Not Found.

https://q-zowe.r-services.at:7554 show the API Mediation Layer.

https://q-zowe.r-services.at:7554/apicatalog/ui/v1/ translate to https://q-zowe.r-services.at:7554/apicatalog/ui/v1/#/login and, when I login it show the API Catalog.

https://q-zowe.r-services.at:7553/ show, after login, the spring Eureka.

[hrishikesh-nalawade]

Hello @josefRIT ,
My sincere apologies for the earlier typo regarding the API Catalog port. You are correct, the correct path is https://q-zowe.r-services.at:7554/apicatalog/ui/v1/, where port 7554 refers to the external/gateway port. This should direct you to the API Catalog login page.
Similarly:

• https://q-zowe.r-services.at:7553/ should take you to the Spring Eureka dashboard, and
• https://q-zowe.r-services.at:7554/ should display the API Mediation Layer landing page.

Based on your comment above, the behavior does appear to be as expected. I noticed you attempted this with AT-TLS disabled , could you please confirm if the same behavior is retained with AT-TLS enabled?

Additionally, you may try logging into the Zowe Desktop at: (both before and after enabling AT-TLS)
https://q-zowe.r-services.at:7554/zlux/ui/v1/ZLUX/plugins/org.zowe.zlux.bootstrap/web/