From d48d9ed3d2d70548f024f7d365e91cf34e114cd2 Mon Sep 17 00:00:00 2001
From: 1000TurquoisePogs <sgrady@rocketsoftware.com>
Date: Wed, 19 Nov 2025 15:25:42 +0100
Subject: [PATCH 1/3] Improve JWK messages

Signed-off-by: 1000TurquoisePogs <sgrady@rocketsoftware.com>
---
 CHANGELOG.md   |  3 +++
 c/jwk.c        | 16 +++++++++++++++-
 h/zssLogging.h |  4 +++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45d40e5d9..a6c8b58ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 All notable changes to the ZSS package will be documented in this file.
 
+## `3.5.0`
+- Bugfix: Common JWK error messages contain more information about how to further diagnose their cause. [(#???)](https://github.com/zowe/zss/pull/???)
+
 ## `3.4.0`
 - Bugfix: Fixed hostname to IP address lookup for "bind-test" program. [(#801)](https://github.com/zowe/zss/pull/801)
 
diff --git a/c/jwk.c b/c/jwk.c
index 40df29a32..1792025e7 100644
--- a/c/jwk.c
+++ b/c/jwk.c
@@ -118,6 +118,9 @@ static int jwkTaskMain(RLETask *task) {
       if ((i+1) % warnInterval == 0) {
         zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_RETRY_MSG,
                 jwkGetStrStatus(rc), rc, jwkHttpClientGetStrStatus(rsn), rsn, retryIntervalSeconds);
+        if (rc == HTTP_CLIENT_TLS_ERROR) {
+          zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "If TLS error persists, trace GSK for more detail using YAML property 'components.zss.agent.https.trace: true'\n");
+        }
       }
       sleep(retryIntervalSeconds);
     }
@@ -125,7 +128,12 @@ static int jwkTaskMain(RLETask *task) {
   if (success) {
     zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_INFO, ZSS_LOG_JWK_READY_MSG, settings->fallback ? "with" : "without");
   } else {
-    zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_FAILED_MSG);
+    if (indexOf(settings->host, strlen(settings->host), ':', 0) != -1) {
+      //wraps ipv6 address in []
+      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_FAILED_IPV6_MSG, settings->host, settings->port, settings->path);
+    } else {
+      zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_FAILED_MSG, settings->host, settings->port, settings->path);
+    }
   }
   fflush(stdout);
 }
@@ -280,6 +288,12 @@ static void getPublicKey(Json *jwk, x509_public_key_info *publicKeyOut, int *sta
   if (!keyObject) {
     zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "JWK doesn't contain key\n");
     *statusOut = JWK_STATUS_UNRECOGNIZED_FMT_ERROR;
+
+    zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "JWK response:\n");
+    //Often enough, the destination has some error message that can be printed
+    jsonPrinter *jp = makeJsonPrinter(STDOUT_FILENO);
+    jsonPrintObject(jp, jwkObject);
+    freeJsonPrinter(jp);
     return;
   }
 
diff --git a/h/zssLogging.h b/h/zssLogging.h
index 74a0f400f..fbbf29c79 100644
--- a/h/zssLogging.h
+++ b/h/zssLogging.h
@@ -518,8 +518,10 @@ bool isLogLevelValid(int level);
 #ifndef ZSS_LOG_JWK_FAILED_MSG_ID
 #define ZSS_LOG_JWK_FAILED_MSG_ID     ZSS_LOG_MSG_PRFX"1605W"
 #endif
-#define ZSS_LOG_JWK_FAILED_MSG_TEXT   "Server will not accept JWT\n"
+#define ZSS_LOG_JWK_FAILED_MSG_TEXT   "Server will not accept JWT\nCheck URL https://%s:%d%s for errors.\n"
 #define ZSS_LOG_JWK_FAILED_MSG        ZSS_LOG_JWK_FAILED_MSG_ID" "ZSS_LOG_JWK_FAILED_MSG_TEXT
+#define ZSS_LOG_JWK_FAILED_IPV6_MSG_TEXT   "Server will not accept JWT\nCheck URL https://[%s]:%d%s for errors.\n"
+#define ZSS_LOG_JWK_FAILED_IPV6_MSG        ZSS_LOG_JWK_FAILED_MSG_ID" "ZSS_LOG_JWK_FAILED_MSG_TEXT
 
 #ifndef ZSS_LOG_JWK_RETRY_MSG_ID
 #define ZSS_LOG_JWK_RETRY_MSG_ID     ZSS_LOG_MSG_PRFX"1606W"

From b720d896cce611ca7db55e4af553271347f3e423 Mon Sep 17 00:00:00 2001
From: 1000TurquoisePogs <sgrady@rocketsoftware.com>
Date: Wed, 19 Nov 2025 15:27:26 +0100
Subject: [PATCH 2/3] Update CHANGELOG.md

Signed-off-by: 1000TurquoisePogs <sgrady@rocketsoftware.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6c8b58ec..bb4e080c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,7 @@
 All notable changes to the ZSS package will be documented in this file.
 
 ## `3.5.0`
-- Bugfix: Common JWK error messages contain more information about how to further diagnose their cause. [(#???)](https://github.com/zowe/zss/pull/???)
+- Bugfix: Common JWK error messages contain more information about how to further diagnose their cause. [(#807)](https://github.com/zowe/zss/pull/807)
 
 ## `3.4.0`
 - Bugfix: Fixed hostname to IP address lookup for "bind-test" program. [(#801)](https://github.com/zowe/zss/pull/801)

From b977b89ea2985392651652b2f6d6c87fa1fc5418 Mon Sep 17 00:00:00 2001
From: 1000TurquoisePogs <sgrady@rocketsoftware.com>
Date: Wed, 19 Nov 2025 15:28:45 +0100
Subject: [PATCH 3/3] TLS error is a RSN not an RC

Signed-off-by: 1000TurquoisePogs <sgrady@rocketsoftware.com>
---
 c/jwk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/c/jwk.c b/c/jwk.c
index 1792025e7..87be2f61a 100644
--- a/c/jwk.c
+++ b/c/jwk.c
@@ -118,7 +118,7 @@ static int jwkTaskMain(RLETask *task) {
       if ((i+1) % warnInterval == 0) {
         zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, ZSS_LOG_JWK_RETRY_MSG,
                 jwkGetStrStatus(rc), rc, jwkHttpClientGetStrStatus(rsn), rsn, retryIntervalSeconds);
-        if (rc == HTTP_CLIENT_TLS_ERROR) {
+        if (rsn == HTTP_CLIENT_TLS_ERROR) {
           zowelog(NULL, LOG_COMP_ID_JWK, ZOWE_LOG_WARNING, "If TLS error persists, trace GSK for more detail using YAML property 'components.zss.agent.https.trace: true'\n");
         }
       }