zowe · MarkAckert · Feb 25, 2025 · Jan 9, 2024 · Jan 10, 2024 · Jan 10, 2024
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -2,7 +2,8 @@ name: Build and Test Workflow
 on:
   push:
     branches:
-      - v2.x/staging 
+      - v3.x/staging
+      - v3.x/rc      
   pull_request:
     types: [opened, reopened, synchronize]
   workflow_dispatch:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,10 +2,16 @@
 
 All notable changes to the ZSS package will be documented in this file.
 
-## Recent Changes
+## `3.0.0`
+
+
+## `2.13.0`
+- Enhancement: Added support for using "zowe.network" and "components.zss.zowe.network" to set listener IP and TLS version properties. (#659)
+- Enhancement: Added support for using "zowe.network" and "components.zss.zowe.network" to set cipher suites.
+- Enhancement: Change pattern matching for keyrings to allow more types of keyrings in the future (#581)
+- Enhancement: Consolidate JWK warnings into improved ZWES1606W message (#663)
 - Bugfix:  Corrected build environment file's use of IP address to github.com (#660)
 
-## `3.0.0`
 
 ## `2.10.0`
 - This action making a CHANGELOG note via special syntax from the GitHub PR commit message, like it could automatically update CHANGELOG.md with the message. First job checks if PR body has changelog note or not if it's not there then it asked them to add it and second job is to check if changelog note has been added in changelog.md file or not. (#636)

diff --git a/Jenkinsfile b/Jenkinsfile
diff --git a/c/datasetjson.c b/c/datasetjson.c
@@ -1575,7 +1575,7 @@ void updateDataset(HttpResponse* response, char* absolutePath, int jsonMode) {
 
   if(returnCode == 0) {  
     int blockSize = 0x10000;
-    int maxBlockCount = (translationLength*2)/blockSize;
+    int maxBlockCount = (translationLength*4)/blockSize;
     if (!maxBlockCount){
       maxBlockCount = 0x10;
     }

diff --git a/c/jwk.c b/c/jwk.c
@@ -1,4 +1,3 @@
-
 /*
   This program and the accompanying materials are
   made available under the terms of the Eclipse Public License v2.0 which accompanies
@@ -41,12 +40,13 @@
 #include "jwk.h"
 
 static Json *receiveResponse(ShortLivedHeap *slh, HttpClientContext *httpClientContext, HttpClientSession *session, int *statusOut);
-static Json *doRequest(ShortLivedHeap *slh, HttpClientSettings *clientSettings, TlsEnvironment *tlsEnv, char *path, int *statusOut);
+static Json *doRequest(ShortLivedHeap *slh, HttpClientSettings *clientSettings, TlsEnvironment *tlsEnv, char *path, int *rc, int *rsn);
 static void getPublicKey(Json *jwk, x509_public_key_info *publicKeyOut, int *statusOut);
-static int getJwk(JwkContext *context);
+static void getJwk(JwkContext *context, int *rc, int *rsn);
 static int checkJwtSignature(JwsAlgorithm algorithm, int sigLen, const uint8_t *signature, int msgLen, const uint8_t *message, void *userData);
 static bool decodeBase64Url(const char *data, char *resultBuf, int *lenOut);
 static int jwkTaskMain(RLETask *task);
+static const char *jwkHttpClientGetStrStatus(int status);
 
 void configureJwt(HttpServer *server, JwkSettings *settings) {
   int rc = 0;
@@ -86,26 +86,33 @@ static int jwkTaskMain(RLETask *task) {
   JwkSettings *settings = context->settings;
   const int maxAttempts = 1000;
   const int retryIntervalSeconds = settings->retryIntervalSeconds;
+  const int warnInterval = 10;
   bool success = false;
 
+  int rc = 0;
+  int rsn = 0;
+
   for (int i = 0; i < maxAttempts; i++) {
-    int status = getJwk(context);
-    if (status == JWK_STATUS_OK) {
+    getJwk(context, &rc, &rsn);
+    if (rc == JWK_STATUS_OK) {
       success = true;
       context->isPublicKeyInitialized = true;
       break;
-    } else if (status == JWK_STATUS_UNRECOGNIZED_FMT_ERROR) {
+    } else if (rc == JWK_STATUS_UNRECOGNIZED_FMT_ERROR) {
       zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_UNRECOGNIZED_MSG);
       break;
-    } else if (status == JWK_STATUS_PUBLIC_KEY_ERROR) {
+    } else if (rc == JWK_STATUS_PUBLIC_KEY_ERROR) {
       zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_PUBLIC_KEY_ERROR_MSG);
       break;
-    } else if (status == JWK_STATUS_HTTP_CONTEXT_ERROR) {
+    } else if (rc == JWK_STATUS_HTTP_CONTEXT_ERROR) {
       zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_HTTP_CTX_ERROR_MSG);
       break;
     } else {
-      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_RETRY_MSG,
-              jwkGetStrStatus(status), retryIntervalSeconds);
+      //+1 to skip first round, with good timing message may be skipped entirely.
+      if ((i+1) % warnInterval == 0) {
+        zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_RETRY_MSG,
+                jwkGetStrStatus(rc), rc, jwkHttpClientGetStrStatus(rsn), rsn, retryIntervalSeconds);
+      }
       sleep(retryIntervalSeconds);
     }
   }
@@ -117,32 +124,28 @@ static int jwkTaskMain(RLETask *task) {
   fflush(stdout);
 }
 
-static int getJwk(JwkContext *context) {
+static void getJwk(JwkContext *context, int *rc, int *rsn) {
   JwkSettings *settings = context->settings;
-  int status = 0;
   ShortLivedHeap *slh = makeShortLivedHeap(0x40000, 0x40);
 
   HttpClientSettings clientSettings = {0};
   clientSettings.host = settings->host;
   clientSettings.port = settings->port;
   clientSettings.recvTimeoutSeconds = (settings->timeoutSeconds > 0) ? settings->timeoutSeconds : 10;
 
-  Json *jwkJson = doRequest(slh, &clientSettings, settings->tlsEnv, settings->path, &status);
-  if (status) {
-    zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "failed to obtain JWK, status = %d\n", status);
-  } else {
+  Json *jwkJson = doRequest(slh, &clientSettings, settings->tlsEnv, settings->path, rc, rsn);
+  if (*rc == 0) {
     x509_public_key_info publicKey;
-    getPublicKey(jwkJson, &publicKey, &status);
-    if (status == 0) {
+    getPublicKey(jwkJson, &publicKey, rc);
+    if (*rc == 0) {
       context->publicKey = publicKey;
     }
   }
   SLHFree(slh);
-  return status; 
 }
 
-static Json *doRequest(ShortLivedHeap *slh, HttpClientSettings *clientSettings, TlsEnvironment *tlsEnv, char *path, int *statusOut) {
-  int status = 0;
+static Json *doRequest(ShortLivedHeap *slh, HttpClientSettings *clientSettings, TlsEnvironment *tlsEnv, char *path, int *rc, int *rsn) {
+  *rsn = 0;
   HttpClientContext *httpClientContext = NULL;
   HttpClientSession *session = NULL;
   LoggingContext *loggingContext = makeLoggingContext();
@@ -151,40 +154,35 @@ static Json *doRequest(ShortLivedHeap *slh, HttpClientSettings *clientSettings,
   do {
     zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_DEBUG, "JWK request to https://%s:%d%s\n",
             clientSettings->host, clientSettings->port, path);
-    status = httpClientContextInitSecure(clientSettings, loggingContext, tlsEnv, &httpClientContext);
-    if (status) {
-      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "error in httpcb ctx init: %d\n", status);
-      *statusOut = JWK_STATUS_HTTP_CONTEXT_ERROR;
+    *rsn = httpClientContextInitSecure(clientSettings, loggingContext, tlsEnv, &httpClientContext);
+    if (*rsn) {
+      *rc = JWK_STATUS_HTTP_CONTEXT_ERROR;
       break;
     }
-    status = httpClientSessionInit(httpClientContext, &session);
-    if (status) {
-      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "error initing session: %d\n", status);
-      *statusOut = JWK_STATUS_HTTP_REQUEST_ERROR;
+    *rsn = httpClientSessionInit(httpClientContext, &session);
+    if (*rsn) {
+      *rc = JWK_STATUS_HTTP_REQ_INIT_ERROR;
       break;
     }
-    status = httpClientSessionStageRequest(httpClientContext, session, "GET", path, NULL, NULL, NULL, 0);
-    if (status) {
-      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "error staging request: %d\n", status);
-      *statusOut = JWK_STATUS_HTTP_REQUEST_ERROR;
+    *rsn = httpClientSessionStageRequest(httpClientContext, session, "GET", path, NULL, NULL, NULL, 0);
+    if (*rsn) {
+      *rc = JWK_STATUS_HTTP_REQ_STAGING_ERROR;
       break;
     }
     requestStringHeader(session->request, TRUE, "accept", "application/json");
-    status = httpClientSessionSend(httpClientContext, session);
-    if (status) {
-      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "error sending request: %d\n", status);
-      *statusOut = JWK_STATUS_HTTP_REQUEST_ERROR;
+    *rsn = httpClientSessionSend(httpClientContext, session);
+    if (*rsn) {
+      *rc = JWK_STATUS_HTTP_REQ_SEND_ERROR;
       break;
     }
-    jsonBody = receiveResponse(slh, httpClientContext, session, &status);
-    if (status) {
-      *statusOut = status;
+    jsonBody = receiveResponse(slh, httpClientContext, session, rc);
+    if (*rc) {
+      *rsn = *rc;
       break;
     }
     int statusCode = session->response->statusCode;
     if (statusCode != 200) {
-      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "HTTP status %d\n", statusCode);
-      *statusOut = JWK_STATUS_RESPONSE_ERROR;
+      *rc = JWK_STATUS_RESPONSE_ERROR;
       break;
     }
   } while (0);
@@ -372,18 +370,53 @@ static const char *MESSAGES[] = {
   [JWK_STATUS_UNRECOGNIZED_FMT_ERROR] = "JWK is in unrecognized format",
   [JWK_STATUS_PUBLIC_KEY_ERROR] = "failed to create public key",
   [JWK_STATUS_HTTP_CONTEXT_ERROR] = "failed to init HTTP context",
-  [JWK_STATUS_HTTP_REQUEST_ERROR] = "failed to send HTTP request"
+  [JWK_STATUS_HTTP_REQ_INIT_ERROR] = "failed to init HTTP request",
+  [JWK_STATUS_HTTP_REQ_STAGING_ERROR] = "failed on staging HTTP request",
+  [JWK_STATUS_HTTP_REQ_SEND_ERROR] = "failed to send HTTP request"
+};
+
+static const char *HTTP_CLIENT_MESSAGES[] = {
+  [HTTP_CLIENT_INVALID_ARGUMENT] = "Invalid argument to client",
+  [HTTP_CLIENT_OUTPUT_WOULD_OVERFLOW] = "Output would overflow",
+  [HTTP_CLIENT_INVALID_PORT] = "Invalid port",
+  [HTTP_CLIENT_REQDSETTING_MISSING] = "Required setting missing",
+  [HTTP_CLIENT_LOOKUP_FAILED] = "Lookup failed",
+  [HTTP_CLIENT_CONNECT_FAILED] = "Connect failed",
+  [HTTP_CLIENT_SESSION_ERR] = "Client session error",
+  [HTTP_CLIENT_ADDRBYNAME_ERR] = "Hostname to IP error",
+  [HTTP_CLIENT_SEND_ERROR] = "Failed to send",
+  [HTTP_CLIENT_SOCK_UNREGISTERED] = "Socket unregistered",
+  [HTTP_CLIENT_SXREAD_ERROR] = "SelectX Read Error",
+  [HTTP_CLIENT_NO_REQUEST] = "No request",
+  [HTTP_CLIENT_NO_SOCKET] = "No Socket", 
+  [HTTP_CLIENT_RESP_PARSE_FAILED] = "Response parsing failed",
+  [HTTP_CLIENT_READ_ERROR] = "Read error",
+  [HTTP_CLIENT_RESPONSE_ZEROLEN] = "Response is zero length",
+  [HTTP_CLIENT_TLS_ERROR] = "TLS error",
+  [HTTP_CLIENT_TLS_NOT_CONFIGURED] = "TLS not configured",
 };
 
+
 #define MESSAGE_COUNT sizeof(MESSAGES)/sizeof(MESSAGES[0])
 
 const char *jwkGetStrStatus(int status) {
   if (status >= MESSAGE_COUNT || status < 0) {
-    return "Unknown status code";
+    return "Unknown rc";
   }
   const char *message = MESSAGES[status];
   if (!message) {
-    return "Unknown status code";
+    return "Unknown rc";
+  }
+  return message;
+}
+
+static const char *jwkHttpClientGetStrStatus(int status) {
+  if (status >= HTTP_CLIENT_TLS_NOT_CONFIGURED || status < 0) {
+    return "Unknown reason";
+  }
+  const char *message = HTTP_CLIENT_MESSAGES[status];
+  if (!message) {
+    return "Unknown reason";
   }
   return message;
 }

diff --git a/c/zss.c b/c/zss.c
@@ -1147,6 +1147,8 @@ static char* generateCookieName(JsonObject *envConfig, int port) {
 #define AGENT_HTTPS_PREFIX       "ZWED_agent_https_"
 #define ENV_AGENT_HTTPS_KEY(key) AGENT_HTTPS_PREFIX key
 
+TLS_IANA_CIPHER_MAP(ianaCipherMap)
+
 static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
                                      ConfigManager *configmgr,
                                      char **outAddress,
@@ -1161,13 +1163,46 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
   JsonObject *httpsConfigObject = jsonAsObject(httpsConfig);
   TlsSettings *settings = (TlsSettings*)SLHAlloc(slh, sizeof(*settings));
   settings->maxTls = jsonObjectGetString(httpsConfigObject, "maxTls");
-  char *ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
+  settings->minTls = jsonObjectGetString(httpsConfigObject, "minTls");
+
+  Json *cipherJson = jsonObjectGetPropertyValue(httpsConfigObject, "ciphers");
+  char *ciphers = NULL;
+  if (jsonIsString(cipherJson)) {
   /* 
-   * Takes a string of ciphers. This isn't ideal, but any other methods are
-   * going to be fairly complicated.
-   *
+   * Takes a string of ciphers.
    * ciphers: 13021303003500380039002F00320033
    */
+    ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
+    zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher string override to %s\n", ciphers);
+  } else {
+    JsonArray *cipherArray = jsonObjectGetArray(httpsConfigObject, "ciphers");
+    int count = jsonArrayGetCount(cipherArray);
+
+    int cipherCharLength = 4;
+    ciphers = (char *)safeMalloc((sizeof(char) * cipherCharLength * count)+1, "cipher list");
+
+    for (int i = 0; i < count; i++) {
+      char *ianaName = jsonArrayGetString(cipherArray, i);
+      zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher request=%s\n", ianaName);
+      CipherMap *cipher = (CipherMap *)ianaCipherMap;
+      bool found = false;
+      while (cipher->suiteId != NULL) {
+        if (!strcmp(ianaName, cipher->name)) {
+          strcat(ciphers, cipher->suiteId);
+          zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher match=%s\n", cipher->suiteId);
+          found = true;
+          break;
+        }
+        ++cipher;
+      }
+      if (!found) {
+        zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_WARNING, ZSS_LOG_CIPHER_INVALID_MSG, ianaName);
+      }
+    }
+    zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher array override to %s\n", ciphers);    
+
+  }
+
   ECVT *ecvt = getECVT();
   /*
      2.3 (1020300) no tls 1.3

diff --git a/defaults.yaml b/defaults.yaml
@@ -14,14 +14,17 @@ components:
         fallback: true
         retryIntervalSeconds: 10
       https:
-        keyring: ${{ ()=> { if (components.zss.tls) { if (zowe.certificate.keystore.type == "JCERACFKS") { return zowe.certificate.keystore.file.replace(/safkeyring:\/+/,"") } else { return zowe.certificate.keystore.file } } else { return null } }() }}
-        password: ${{ ()=> { if (components.zss.tls) { if (zowe.certificate.keystore.type == "JCERACFKS") { return null } else { return zowe.certificate.keystore.password } } else { return null } }() }}
+        keyring: ${{ ()=> { if (components.zss.tls) { if (zowe.certificate.keystore.type.match(/JCE.*KS/)) { return zowe.certificate.keystore.file.replace(/safkeyring.*:\/+/,"") } else { return zowe.certificate.keystore.file } } else { return null } }() }}
+        password: ${{ ()=> { if (components.zss.tls) { if (zowe.certificate.keystore.type.match(/JCE.*KS/)) { return null } else { return zowe.certificate.keystore.password } } else { return null } }() }}
         label: ${{ ()=> { if (components.zss.tls) { return zowe.certificate.keystore.alias } else { return null } }() }}
         port: ${{ ()=> { if (components.zss.tls) { return  components.zss.port } else { return null } }() }}
-        ipAddresses: ${{ ()=> { if (components.zss.tls){ if (zowe.environments?.ZWED_agent_https_ipAddresses){ return zowe.environments.ZWED_agent_https_ipAddresses.split(',') } else { return [ '0.0.0.0' ] } } else { return null } }() }}
+        ipAddresses: "${{ ()=> { if (components.zss.tls){ if (zowe.environments?.ZWED_agent_https_ipAddresses){ return zowe.environments.ZWED_agent_https_ipAddresses.split(',') } else if (components.zss.zowe?.network?.server?.listenAddresses) { return components.zss.zowe.network.server.listenAddresses } else if (zowe.network?.server?.listenAddresses) { return zowe.network.server.listenAddresses } else { return [ '0.0.0.0' ] } } else { return null } }() }}"
+        maxTls: "${{ ()=> { let maxTls = components.zss.zowe?.network?.server?.tls?.maxTls || zowe.network?.server?.tls?.maxTls; return maxTls ? maxTls : 'TLSv1.3'; }() }}"
+        minTls: "${{ ()=> { let minTls = components.zss.zowe?.network?.server?.tls?.minTls || zowe.network?.server?.tls?.minTls; return minTls ? minTls : 'TLSv1.2'; }() }}"
+        ciphers: "${{ ()=> { let ciphers = components.zss.zowe?.network?.server?.tls?.ciphers || zowe.network?.server?.tls?.ciphers; if (typeof ciphers == 'string') { return ciphers; } else if (Array.isArray(ciphers)) { return ciphers.map(cipher => cipher.toUpperCase()); } else { return [ 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' ]; } }() }}"  
       http:
         port: ${{ ()=> { if (components.zss.tls) { return null } else { return components.zss.port } }() }}
-        ipAddresses: ${{ () => { if (components.zss.tls) { return null } else { if (zowe.environments?.ZWED_agent_http_ipAddresses) {  return zowe.environments.ZWED_agent_http_ipAddresses.split(',') } else { return [ '127.0.0.1' ] } } }() }}
+        ipAddresses: "${{ () => { if (components.zss.tls) { return null } else { if (zowe.environments?.ZWED_agent_http_ipAddresses) {  return zowe.environments.ZWED_agent_http_ipAddresses.split(',') } else if (components.zss.zowe?.network?.server?.listenAddresses) { return components.zss.zowe.network.server.listenAddresses } else if (zowe.network?.server?.listenAddresses) { return zowe.network.server.listenAddresses } else { return [ '127.0.0.1' ] } } }() }}"
       mediationLayer:
         server:
           isHttps: true

diff --git a/h/jwk.h b/h/jwk.h
@@ -41,7 +41,9 @@ struct JwkContext_tag {
 #define JWK_STATUS_UNRECOGNIZED_FMT_ERROR  4
 #define JWK_STATUS_PUBLIC_KEY_ERROR        7
 #define JWK_STATUS_HTTP_CONTEXT_ERROR      8
-#define JWK_STATUS_HTTP_REQUEST_ERROR      9
+#define JWK_STATUS_HTTP_REQ_INIT_ERROR      9
+#define JWK_STATUS_HTTP_REQ_STAGING_ERROR      10
+#define JWK_STATUS_HTTP_REQ_SEND_ERROR      11
 
 void configureJwt(HttpServer *server, JwkSettings *jwkSettings);
 const char *jwkGetStrStatus(int status);

diff --git a/h/zis/message.h b/h/zis/message.h
@@ -250,34 +250,34 @@
 #define ZISAUX_LOG_LEGACY_API_MSG_TEXT          "Legacy API has been detected, some functionality may be limited"
 #define ZISAUX_LOG_LEGACY_API_MSG               ZISAUX_LOG_LEGACY_API_MSG_ID" "ZISAUX_LOG_LEGACY_API_MSG_TEXT
 
-/* ZIS dynamic linkage plugin messages */
+/* ZIS dynamic linkage plug-in messages */
 
 #define ZISDYN_LOG_STARTUP_MSG_ID               ZIS_MSG_PRFX"0700I"
-#define ZISDYN_LOG_STARTUP_MSG_TEXT             "ZIS Dynamic Base plugin starting, version %d.%d.%d+%d, stub version %d"
+#define ZISDYN_LOG_STARTUP_MSG_TEXT             "ZIS Dynamic Base plug-in starting, version %d.%d.%d+%d, stub version %d"
 #define ZISDYN_LOG_STARTUP_MSG                  ZISDYN_LOG_STARTUP_MSG_ID" "ZISDYN_LOG_STARTUP_MSG_TEXT
 
 #define ZISDYN_LOG_STARTED_MSG_ID               ZIS_MSG_PRFX"0701I"
-#define ZISDYN_LOG_STARTED_MSG_TEXT             "ZIS Dynamic Base plugin successfully started"
+#define ZISDYN_LOG_STARTED_MSG_TEXT             "ZIS Dynamic Base plug-in successfully started"
 #define ZISDYN_LOG_STARTED_MSG                  ZISDYN_LOG_STARTED_MSG_ID" "ZISDYN_LOG_STARTED_MSG_TEXT
 
 #define ZISDYN_LOG_STARTUP_FAILED_MSG_ID        ZIS_MSG_PRFX"0702E"
-#define ZISDYN_LOG_STARTUP_FAILED_MSG_TEXT      "ZIS Dynamic Base plugin startup failed, status = %d"
+#define ZISDYN_LOG_STARTUP_FAILED_MSG_TEXT      "ZIS Dynamic Base plug-in startup failed, status = %d"
 #define ZISDYN_LOG_STARTUP_FAILED_MSG           ZISDYN_LOG_STARTUP_FAILED_MSG_ID" "ZISDYN_LOG_STARTUP_FAILED_MSG_TEXT
 
 #define ZISDYN_LOG_INIT_ERROR_MSG_ID            ZIS_MSG_PRFX"0703E"
-#define ZISDYN_LOG_INIT_ERROR_MSG_TEXT          "ZIS Dynamic Base plugin init error -"
+#define ZISDYN_LOG_INIT_ERROR_MSG_TEXT          "ZIS Dynamic Base plug-in init error -"
 #define ZISDYN_LOG_INIT_ERROR_MSG               ZISDYN_LOG_INIT_ERROR_MSG_ID" "ZISDYN_LOG_INIT_ERROR_MSG_TEXT
 
 #define ZISDYN_LOG_TERM_MSG_ID                  ZIS_MSG_PRFX"0704I"
-#define ZISDYN_LOG_TERM_MSG_TEXT                "ZIS Dynamic Base plugin terminating"
+#define ZISDYN_LOG_TERM_MSG_TEXT                "ZIS Dynamic Base plug-in terminating"
 #define ZISDYN_LOG_TERM_MSG                     ZISDYN_LOG_TERM_MSG_ID" "ZISDYN_LOG_TERM_MSG_TEXT
 
 #define ZISDYN_LOG_TERMED_MSG_ID                ZIS_MSG_PRFX"0705I"
-#define ZISDYN_LOG_TERMED_MSG_TEXT              "ZIS Dynamic Base plugin successfully terminated"
+#define ZISDYN_LOG_TERMED_MSG_TEXT              "ZIS Dynamic Base plug-in successfully terminated"
 #define ZISDYN_LOG_TERMED_MSG                   ZISDYN_LOG_TERMED_MSG_ID" "ZISDYN_LOG_TERMED_MSG_TEXT
 
 #define ZISDYN_LOG_TERM_FAILED_MSG_ID           ZIS_MSG_PRFX"0706E"
-#define ZISDYN_LOG_TERM_FAILED_MSG_TEXT         "ZIS Dynamic Base plugin terminated with error"
+#define ZISDYN_LOG_TERM_FAILED_MSG_TEXT         "ZIS Dynamic Base plug-in terminated with error"
 #define ZISDYN_LOG_TERM_FAILED_MSG              ZISDYN_LOG_TERM_FAILED_MSG_ID" "ZISDYN_LOG_TERM_FAILED_MSG_TEXT
 
 #define ZISDYN_LOG_CMD_RESP_MSG_ID              ZIS_MSG_PRFX"0707I"
@@ -301,7 +301,7 @@
 #define ZISDYN_LOG_STUB_DISCARDED_MSG           ZISDYN_LOG_STUB_DISCARDED_MSG_ID" "ZISDYN_LOG_STUB_DISCARDED_MSG_TEXT
 
 #define ZISDYN_LOG_DEV_MODE_MSG_ID              ZIS_MSG_PRFX"0713W"
-#define ZISDYN_LOG_DEV_MODE_MSG_TEXT            "ZIS Dynamic base plugin development mode is enabled"
+#define ZISDYN_LOG_DEV_MODE_MSG_TEXT            "ZIS Dynamic base plug-in development mode is enabled"
 #define ZISDYN_LOG_DEV_MODE_MSG                 ZISDYN_LOG_DEV_MODE_MSG_ID" "ZISDYN_LOG_DEV_MODE_MSG_TEXT
 
 #define ZISDYN_LOG_BAD_ZIS_VERSION_MSG_ID       ZIS_MSG_PRFX"0714E"

diff --git a/h/zssLogging.h b/h/zssLogging.h
@@ -297,6 +297,13 @@ bool isLogLevelValid(int level);
 #define ZSS_LOG_HTTPS_INVALID_MSG_TEXT        "Failed to configure https server, check agent https settings\n"
 #define ZSS_LOG_HTTPS_INVALID_MSG             ZSS_LOG_HTTPS_INVALID_MSG_ID" "ZSS_LOG_HTTPS_INVALID_MSG_TEXT
 
+#ifndef ZSS_LOG_CIPHER_INVALID_MSG_ID
+#define ZSS_LOG_CIPHER_INVALID_MSG_ID          ZSS_LOG_MSG_PRFX"1066W"
+#endif
+#define ZSS_LOG_CIPHER_INVALID_MSG_TEXT        "Requested cipher '%s' not available.\n"
+#define ZSS_LOG_CIPHER_INVALID_MSG             ZSS_LOG_CIPHER_INVALID_MSG_ID" "ZSS_LOG_CIPHER_INVALID_MSG_TEXT
+
+
 /* registerProduct */
 
 #ifndef ZSS_LOG_PROD_REG_ENABLED_MSG_ID
@@ -515,7 +522,7 @@ bool isLogLevelValid(int level);
 #ifndef ZSS_LOG_JWK_RETRY_MSG_ID
 #define ZSS_LOG_JWK_RETRY_MSG_ID     ZSS_LOG_MSG_PRFX"1606W"
 #endif
-#define ZSS_LOG_JWK_RETRY_MSG_TEXT   "Failed to get JWK - %s, retry in %d seconds\n"
+#define ZSS_LOG_JWK_RETRY_MSG_TEXT   "Failed to get JWK. rc=%s (%d), rsn=%s (%d). Retry in %d seconds\n"
 #define ZSS_LOG_JWK_RETRY_MSG        ZSS_LOG_JWK_RETRY_MSG_ID" "ZSS_LOG_JWK_RETRY_MSG_TEXT
 
 #endif /* MVD_H_ZSSLOGGING_H_ */

diff --git a/schemas/zss-config.json b/schemas/zss-config.json
@@ -124,19 +124,35 @@
               "description": "The password to the keyring"
             },
             "ciphers": {
-              "type": [ "string", "null" ],
-              "description": "The list of ciphers in order of priority"
+              "oneOf": [
+                { "type": "string",
+                  "description": "A set of cipher suite IDs as a number string without separators. The numbers are in order of priority."
+                },
+                { "type": "array",
+                  "description": "A set of IANA names for cipher suites, in order of priority",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              ]
             },
             "keyshares": {
               "type": [ "string", "null" ],
               "description": "The list of key shares in order of priority"
             },
             "maxTls": {
               "type": [ "string", "null" ],
-              "enum": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
+              "enum": ["TLSv1.2", "TLSv1.3"],
               "default": "TLSv1.3",
               "description": "Maximum tls version allowed."
+            },
+            "minTls": {
+              "type": [ "string", "null" ],
+              "enum": ["TLSv1.2", "TLSv1.3"],
+              "default": "TLSv1.2",
+              "description": "Minimum tls version allowed."
             }
+
           }
         },
         "http": {