From eea5467c89310b8ddd90276442ca2e95a9c6d0bc Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 1 Nov 2024 16:49:19 +0100 Subject: [PATCH 01/27] initial refactor with title change and collapsable ESM commands Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 792 +++++++++++++++--------- 1 file changed, 501 insertions(+), 291 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 64ca26a40e..a17526f10a 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -1,10 +1,18 @@ -# Addressing z/OS requirements for Zowe +# Security customization of your z/OS system -As a security administrator it is necessary to configure the z/OS system for Zowe. Review the following article to learn about z/OS prerequisites, and z/OS configuration requirements for specific settings. +As a security administrator configure your z/OS system according to the specific features and functionalities you choose to include in your Zowe installation. Review the following article for specific configuration steps that apply to these features and fuctionalities. :::info Required role: security administrator ::: + +:::note +Before performing configuration steps specific to your use case, ensure that you meet the z/OS system requirements presented in the section _Preparing for installation_. For detailed information, see [Addressing z/OS requirements](./systemrequirements-zos.md). +::: + + of free space for Zowe server components, their keystore, instance configuration files and logs, and third-party plug-ins. +- zFS volume has at least 833 mb of free space for Zowe server components, their keystore, instance configuration files and logs, and third-party plug-ins. - (Optional, recommended) z/OS OpenSSH V2.2.0 or later 
@@ -25,9 +33,9 @@ Be sure your z/OS system meets the following prerequisites: To deploy Zowe for high availability, a Parallel Sysplex environment is recommended. For more information, see [Configuring Sysplex for high availability](configure-sysplex.md). - ## Settings specific configuration requirements +--> -Configuration of your z/OS system is dependent on the specific Zowe features and functionalities you would like to employ with your Zowe installation. Review the following table to determine which configuration steps are required based on your Zowe use case. + Review the following table to determine which configuration steps are required based on your Zowe use case. | Purpose | Configuration step | | --- | --- | @@ -66,62 +74,85 @@ Define or check the following configurations depending on whether ICSF is alread - Create CKDS, PKDS, TKDS VSAM data sets. - Define and activate the CSFSERV class: - - If you use RACF, issue the following commands: - ``` - RDEFINE CSFSERV profile-name UACC(NONE) - ``` - ``` - PERMIT profile-name CLASS(CSFSERV) ID(tcpip-stackname) ACCESS(READ) - ``` - ``` - PERMIT profile-name CLASS(CSFSERV) ID(userid-list) ... [for - userids IKED, NSSD, and Policy Agent] - ``` - ``` - SETROPTS CLASSACT(CSFSERV) - ``` - ``` - SETROPTS RACLIST(CSFSERV) REFRESH - ``` - - If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): - ``` - SET CONTROL(GSO) - ``` - ``` - INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) - ``` - ``` - F ACF2,REFRESH(CLASMAP) - ``` - ``` - SET RESOURCE(CSF) - ``` - ``` - RECKEY profile-prefix ADD(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW) - ``` - ``` - RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW) - ``` - (repeat for userids IKED, NSSD, and Policy Agent) +
- ``` - F ACF2,REBUILD(CSF) - ``` - - If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): - ``` - TSS ADDTO(owner-acid) RESCLASS(CSFSERV) - ``` - ``` - TSS ADD(owner-acid) CSFSERV(profile-prefix.) - ``` - ``` - TSS PERMIT(tcpip-stackname) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) - ``` - ``` - TSS PERMIT(user-acid) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) - ``` - (repeat for user-acids IKED, NSSD, and Policy Agent) + For RACF, click here for command details. + +If you use RACF, issue the following commands: +``` +RDEFINE CSFSERV profile-name UACC(NONE) +``` +``` +PERMIT profile-name CLASS(CSFSERV) ID(tcpip-stackname) ACCESS(READ) +``` +``` +PERMIT profile-name CLASS(CSFSERV) ID(userid-list) ... [for +userids IKED, NSSD, and Policy Agent] +``` +``` +SETROPTS CLASSACT(CSFSERV) +``` +``` +SETROPTS RACLIST(CSFSERV) REFRESH +``` + +
+ +
+ + For ACF2, click here for command details. + + +If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): + +``` +SET CONTROL(GSO) +``` +``` +INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) +``` +``` +F ACF2,REFRESH(CLASMAP) +``` +``` +SET RESOURCE(CSF) +``` +``` +RECKEY profile-prefix ADD(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW) +``` +``` +RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW) +``` +(repeat for userids IKED, NSSD, and Policy Agent) + +``` +F ACF2,REBUILD(CSF) +``` + +
+ +
+ + For Top Secret, click here for command details. + +If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): + +``` +TSS ADDTO(owner-acid) RESCLASS(CSFSERV) +``` +``` +TSS ADD(owner-acid) CSFSERV(profile-prefix.) +``` +``` +TSS PERMIT(tcpip-stackname) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) +``` +``` +TSS PERMIT(user-acid) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) +``` +(repeat for user-acids IKED, NSSD, and Policy Agent) + +
:::note Notes - Determine whether you want SAF authorization checks against `CSFSERV` and set `CSF.CSFSERV.AUTH.CSFRNG.DISABLE` accordingly. @@ -138,149 +169,212 @@ To enable impersonation, you must grant the user ID `ZWESVUSR` associated with t You can issue the following commands first to check whether you already have the impersonation profiles defined as part of another server configuration, such as the FTPD daemon. Review the output to confirm that the two impersonation profiles exist and the user `ZWESVUSR` who runs the Zowe server started task has UPDATE access to both profiles. -- If you use RACF, issue the following commands: - ``` - RLIST FACILITY BPX.SERVER AUTHUSER - ``` - ``` - RLIST FACILITY BPX.DAEMON AUTHUSER - ``` -- If you use Top Secret, issue the following commands: - ``` - TSS WHOHAS IBMFAC(BPX.SERVER) - ``` - ``` - TSS WHOHAS IBMFAC(BPX.DAEMON) - ``` -- If you use ACF2, issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST BPX - ``` +
+ + For RACF, click here for command details. + + +If you use RACF, issue the following commands: +``` +RLIST FACILITY BPX.SERVER AUTHUSER +``` +``` +RLIST FACILITY BPX.DAEMON AUTHUSER +``` + +
+ +
+ +For Top Secret, click here for command details. + + +If you use Top Secret, issue the following commands: +``` +TSS WHOHAS IBMFAC(BPX.SERVER) +``` +``` +TSS WHOHAS IBMFAC(BPX.DAEMON) +``` + +
-If the user `ZWESVUSR` who runs the Zowe server started task does not have UPDATE access to both profiles follow the instructions below. +
+ +For ACF2, click here for command details. + -- If you use RACF, complete the following steps: +If you use ACF2, issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +LIST BPX +``` + +
+ +If the user `ZWESVUSR` who runs the Zowe server started task does not have UPDATE access to both profiles follow the instructions according to your ESM. + +
+ +For RACF, click here for procedure details. + + +If you use RACF, complete the following steps: - 1. Activate and RACLIST the FACILITY class. This may have already been done on the z/OS environment if another z/OS server has been previously configured to take advantage of the ability to change its security environment, such as the FTPD daemon that is included with z/OS Communications Server TCP/IP services. - ``` - SETROPTS GENERIC(FACILITY) - SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) - ``` - 2. Define the impersonation profiles. This may have already been done on behalf of another server such as the FTPD daemon. - ``` - RDEFINE FACILITY BPX.SERVER UACC(NONE) - ``` - ``` - RDEFINE FACILITY BPX.DAEMON UACC(NONE) - ``` - 3. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. - ``` - PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) - ``` - ``` - PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - - /* Activate these changes */ - - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` - 4. Issue the following commands to check whether permission has been successfully granted: - ``` - RLIST FACILITY BPX.SERVER AUTHUSER - ``` - ``` - RLIST FACILITY BPX.DAEMON AUTHUSER - ``` -- If you use Top Secret, complete the following steps: +1. Activate and RACLIST the FACILITY class. This may have already been done on the z/OS environment if another z/OS server has been previously configured to take advantage of the ability to change its security environment, such as the FTPD daemon that is included with z/OS Communications Server TCP/IP services. +``` +SETROPTS GENERIC(FACILITY) +SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) +``` +2. Define the impersonation profiles. 
This may have already been done on behalf of another server such as the FTPD daemon. +``` +RDEFINE FACILITY BPX.SERVER UACC(NONE) +``` +``` +RDEFINE FACILITY BPX.DAEMON UACC(NONE) +``` +3. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. +``` +PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) +``` +``` +PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) +``` +where: + +* `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. + +/* Activate these changes */ + +``` +SETROPTS RACLIST(FACILITY) REFRESH +``` +4. Issue the following commands to check whether permission has been successfully granted: +``` +RLIST FACILITY BPX.SERVER AUTHUSER +``` +``` +RLIST FACILITY BPX.DAEMON AUTHUSER +``` + +
+ +
+ For Top Secret, click here for procedure details. + + +If you use Top Secret, complete the following steps: - 1. Define the BPX Resource and access for ``. - ``` - TSS ADD(`owner-acid`) IBMFAC(BPX.) - ``` - ``` - TSS PERMIT() IBMFAC(BPX.SERVER) ACCESS(UPDATE) - ``` - ``` - TSS PERMIT() IBMFAC(BPX.DAEMON) ACCESS(UPDATE) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - 2. Issue the following commands and review the output to check whether permission has been successfully granted: - ``` - TSS WHOHAS IBMFAC(BPX.SERVER) - ``` - ``` - TSS WHOHAS IBMFAC(BPX.DAEMON) - ``` -- If you use ACF2, complete the following steps: - 1. Define the BPX Resource and access for ``. - ``` - SET RESOURCE(FAC) - ``` - ``` - RECKEY BPX ADD(SERVER ROLE() SERVICE(UPDATE) ALLOW) - ``` - ``` - RECKEY BPX ADD(DAEMON ROLE() SERVICE(UPDATE) ALLOW) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - ``` - F ACF2,REBUILD(FAC) - ``` - 2. Issue the following commands and review the output to check whether permission has been successfully granted: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST BPX - ``` +1. Define the BPX Resource and access for ``. +``` +TSS ADD(`owner-acid`) IBMFAC(BPX.) +``` +``` +TSS PERMIT() IBMFAC(BPX.SERVER) ACCESS(UPDATE) +``` +``` +TSS PERMIT() IBMFAC(BPX.DAEMON) ACCESS(UPDATE) +``` +where: +* `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. +2. Issue the following commands and review the output to check whether permission has been successfully granted: +``` +TSS WHOHAS IBMFAC(BPX.SERVER) +``` +``` +TSS WHOHAS IBMFAC(BPX.DAEMON) +``` +
+ +
+ +For ACF2, click here for procedure details. + + +If you use ACF2, complete the following steps: +1. Define the BPX Resource and access for ``. +``` +SET RESOURCE(FAC) +``` +``` +RECKEY BPX ADD(SERVER ROLE() SERVICE(UPDATE) ALLOW) +``` +``` +RECKEY BPX ADD(DAEMON ROLE() SERVICE(UPDATE) ALLOW) +``` +where: +* `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. +``` +F ACF2,REBUILD(FAC) +``` +2. Issue the following commands and review the output to check whether permission has been successfully granted: +``` +SET RESOURCE(FAC) +``` +``` +LIST BPX +``` +
You must also grant READ access to the OMVSAPPL profile in the APPL class to the Zowe STC user as well as **all other Zowe users** using various Zowe features. Skip the following steps when the OMVSAPPL profile is not defined in your environment. -- If you use RACF, complete the following steps: +
+For RACF, click here for procedure details. + - 1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. - ``` - RLIST APPL OMVSAPPL AUTHUSER - ``` +If you use RACF, complete the following steps: - 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - PERMIT OMVSAPPL CLASS(APPL) ID() ACCESS(READ) - SETROPTS RACLIST(APPL) REFRESH - ``` +1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. +``` +RLIST APPL OMVSAPPL AUTHUSER +``` -- If you use Top Secret, complete the following steps: +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +PERMIT OMVSAPPL CLASS(APPL) ID() ACCESS(READ) +SETROPTS RACLIST(APPL) REFRESH +``` - 1. Check if you already have the required access as part of the environment configuration. Skip the following steps if access is already granted. - ``` - TSS WHOHAS APPL(OMVSAPPL) - ``` +
- 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - TSS PERMIT() APPL(OMVSAPPL) - ``` +
+For Top Secret, click here for procedure details. + -- If you use ACF2, complete the following steps: +If you use Top Secret, complete the following steps: - 1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. - ``` - SET RESOURCE(APL) - LIST OMVSAAPL - ``` +1. Check if you already have the required access as part of the environment configuration. Skip the following steps if access is already granted. +``` +TSS WHOHAS APPL(OMVSAPPL) +``` - 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - SET RESOURCE(APL) - RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) - F ACF2,REBUILD(APL) - ``` +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +TSS PERMIT() APPL(OMVSAPPL) +``` +
+ +
+For ACF2, click here for procedure details. + + +If you use ACF2, complete the following steps: + +1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. +``` +SET RESOURCE(APL) +LIST OMVSAAPL +``` + +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +SET RESOURCE(APL) +RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) +F ACF2,REBUILD(APL) +``` +
### Configure address space job naming @@ -391,25 +485,46 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. -- If you use RACF, issue the following commands: - ``` - RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) - SETROPTS REFRESH RACLIST(STARTED) - ``` +
+ +For RACF, click here for command details. + -- If you use ACF2, issue the following commands: +If you use RACF, issue the following commands: +``` +RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) +SETROPTS REFRESH RACLIST(STARTED) +``` - ``` - SET CONTROL(GSO) - INSERT STC.ZWESLSTC LOGONID(ZWESVUSR) GROUP(ZWEADMIN) STCID(ZWESLSTC) - F ACF2,REFRESH(STC) - ``` +
-- If you use Top Secret, issue the following commands: +
+ +For ACF2, click here for command details. + - ``` - TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) - ``` +If you use ACF2, issue the following commands: + +``` +SET CONTROL(GSO) +INSERT STC.ZWESLSTC LOGONID(ZWESVUSR) GROUP(ZWEADMIN) STCID(ZWESLSTC) +F ACF2,REFRESH(STC) +``` + +
+ +
+ +For Top Secret, click here for command details. + + +If you use Top Secret, issue the following commands: + +``` +TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) +``` + +
### Configure the cross memory server for SAF @@ -426,60 +541,83 @@ If you have not run `ZWESECUR` and are configuring your z/OS environment manuall Activate the FACILITY class, define a `ZWES.IS` profile, and grant READ access to the user ID `ZWESVUSR`. This is the user ID that the main Zowe started task runs under. -To do this, issue the following commands that are also included in the `ZWESECUR` JCL member. The commands assume that you run the Zowe server under the `ZWESVUSR` user. +Issue the following commands that are also included in the `ZWESECUR` JCL member. The commands assume that you run the Zowe server under the `ZWESVUSR` user. -- If you use RACF, issue the following commands: +
- - To see the current class settings, use: - ``` - SETROPTS LIST - ``` - - To define and activate the FACILITY class, use: - ``` - SETROPTS GENERIC(FACILITY) - SETROPTS CLASSACT(FACILITY) - ``` - - To RACLIST the FACILITY class, use: - ``` - SETROPTS RACLIST(FACILITY) - ``` - - To define the `ZWES.IS` profile in the FACILITY class and grant Zowe's started task userid READ access, issue the following commands: - ``` - RDEFINE FACILITY ZWES.IS UACC(NONE) - ``` - ``` - PERMIT ZWES.IS CLASS(FACILITY) ID() ACCESS(READ) - ``` - where `` is the user ID `ZWESVUSR` under which the Zowe server started task runs. - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` - - To check whether the permission has been successfully granted, issue the following command: - ``` - RLIST FACILITY ZWES.IS AUTHUSER - ``` - This shows the user IDs who have access to the `ZWES.IS` class, which should include Zowe's started task user ID with READ access. + +For RACF, click here for command details. + -- If you use ACF2, issue the following commands: +If you use RACF, issue the following commands: +- To see the current class settings, use: ``` - SET RESOURCE(FAC) + SETROPTS LIST + ``` +- To define and activate the FACILITY class, use: ``` + SETROPTS GENERIC(FACILITY) + SETROPTS CLASSACT(FACILITY) ``` - RECKEY ZWES ADD(IS ROLE(IZUSVR) SERVICE(READ) ALLOW) +- To RACLIST the FACILITY class, use: ``` + SETROPTS RACLIST(FACILITY) ``` - F ACF2,REBUILD(FAC) +- To define the `ZWES.IS` profile in the FACILITY class and grant Zowe's started task userid READ access, issue the following commands: ``` - -- If you use Top Secret, issue the following commands, where `owner-acid` can be IZUSVR or a different ACID: - + RDEFINE FACILITY ZWES.IS UACC(NONE) ``` - TSS ADD(`owner-acid`) IBMFAC(ZWES.) ``` + PERMIT ZWES.IS CLASS(FACILITY) ID() ACCESS(READ) + ``` + where: + * `` is the user ID `ZWESVUSR` under which the Zowe server started task runs. 
``` - TSS PERMIT(ZWESVUSR) IBMFAC(ZWES.IS) ACCESS(READ) + SETROPTS RACLIST(FACILITY) REFRESH + ``` +- To check whether the permission has been successfully granted, issue the following command: + ``` + RLIST FACILITY ZWES.IS AUTHUSER ``` + This shows the user IDs who have access to the `ZWES.IS` class, which should include Zowe's started task user ID with READ access. + +
+ +
+ +For ACF2, click here for command details. + + +If you use ACF2, issue the following commands: + +``` +SET RESOURCE(FAC) +``` +``` +RECKEY ZWES ADD(IS ROLE(IZUSVR) SERVICE(READ) ALLOW) +``` +``` +F ACF2,REBUILD(FAC) +``` + +
+ +
+ +For Top Secret, click here for command details. + + +If you use Top Secret, issue the following commands, where `owner-acid` can be IZUSVR or a different ACID: + +``` +TSS ADD(`owner-acid`) IBMFAC(ZWES.) +``` +``` +TSS PERMIT(ZWESVUSR) IBMFAC(ZWES.IS) ACCESS(READ) +``` + +
:::note Notes - The cross memory server treats "no decision" style SAF return codes as failures. If there is no covering profile for the `ZWES.IS` resource in the FACILITY class, the request will be denied. @@ -491,7 +629,10 @@ To do this, issue the following commands that are also included in the `ZWESECUR This security configuration is necessary for API ML to be able to map client certificate to a z/OS identity. A user running API Gateway must have read access to the SAF resource `IRR.RUSERMAP` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower use the following configuration steps. -#### Using RACF +
+ +For RACF, click here for procedure details. + If you use RACF, verify and update permission in the `FACILITY` class. @@ -511,8 +652,12 @@ If you use RACF, verify and update permission in the `FACILITY` class. ``` SETROPTS RACLIST(FACILITY) REFRESH ``` +
-#### Using ACF2 +
+ +For ACF2, click here for procedure details. + If you use ACF2, verify and update permission in the `FACILITY` class. @@ -534,7 +679,12 @@ If you use ACF2, verify and update permission in the `FACILITY` class. F ACF2,REBUILD(FAC) ``` -#### Using TSS +
+ +
+ +For Top Secret, click here for procedure details. + If you use TSS, verify and update permission in `FACILITY` class. @@ -549,12 +699,17 @@ If you use TSS, verify and update permission in `FACILITY` class. TSS PER(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ) ``` +
+ ### Configure main Zowe server to use distributed identity mapping This security configuration is necessary for API ML to be able to map the association between a z/OS user ID and a distributed user identity. A user running the API Gateway must have read access to the SAF resource `IRR.IDIDMAP.QUERY` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.28 and lower, use the following configuration steps. -#### Using RACF +
+ +For RACF, click here for procedure details. + If you use RACF, verify and update permission in the `FACILITY` class. @@ -582,7 +737,12 @@ If you use RACF, verify and update permission in the `FACILITY` class. SETROPTS RACLIST(FACILITY) REFRESH ``` -#### Using ACF2 +
+ +
+ +For ACF2, click here for procedure details. + If you use ACF2, verify and update permission in the `FACILITY` class. @@ -604,7 +764,12 @@ If you use ACF2, verify and update permission in the `FACILITY` class. F ACF2,REBUILD(FAC) ``` -#### Using TSS +
+ +
+ +For Top Secret, click here for procedure details. + If you use TSS, verify and update permission in `FACILITY` class. @@ -620,11 +785,13 @@ If you use TSS, verify and update permission in `FACILITY` class. TSS PER(ZWESVUSR) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ) ``` +
+ ### Configure signed SAF Identity tokens (IDT) This section provides a brief description of how to configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation layer ([Implement a new SAF IDT provider](../extend/extend-apiml/implement-new-saf-provider.md)) -Follow these general steps: +**Follow these general steps:** 1. Create PKCS#11 token 2. Generate a secret key for the PKCS#11 token (you can use the sample program ZWESECKG in the SZWESAMP dataset) @@ -644,54 +811,97 @@ To set up this security configuration, submit the `ZWESECUR` JCL member. For use To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has READ access to this profile. -- If you use RACF, issue the following command: - ``` - RLIST FACILITY IRR.RAUDITX AUTHUSER - ``` -- If you use Top Secret, issue the following command: - ``` - TSS WHOHAS IBMFAC(IRR.RAUDITX) - ``` -- If you use ACF2, issue the following commands: +
+ +For RACF, click here for command details. + + +If you use RACF, issue the following command: +``` +RLIST FACILITY IRR.RAUDITX AUTHUSER +``` + +
+ +
+ +For Top Secret, click here for command details. + + +If you use Top Secret, issue the following command: +``` +TSS WHOHAS IBMFAC(IRR.RAUDITX) +``` + +
+ +
+ +For ACF2, click here for command details. + + +If you use ACF2, issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +LIST LIKE(IRR-) +``` +
+ +If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM. + +
+ +For RACF, click here for procedure details. + + +If you use RACF, update permission in the `FACILITY` class. + +**Follow these steps:** + +1. Add user `ZWESVUSR` permission to `READ`. ``` - SET RESOURCE(FAC) + PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) ``` +2. Activate changes. ``` - LIST LIKE(IRR-) + SETROPTS RACLIST(FACILITY) REFRESH ``` +
+ +
+ +For Top Secret, click here for procedure details. + + +If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: +``` +TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) +``` + +
+ +
+ +For ACF2, click here for procedure details. + + +If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) +``` +``` +F ACF2,REBUILD(FAC) +``` + +
-If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM: - -- If you use RACF, update permission in the `FACILITY` class. - - **Follow these steps:** - - 1. Add user `ZWESVUSR` permission to `READ`. - ``` - PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) - ``` - 2. Activate changes. - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` - -- If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: - ``` - TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) - ``` - -- If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) - ``` - ``` - F ACF2,REBUILD(FAC) - ``` - For more information about SMF records, see [SMF records](../user-guide/api-mediation/api-mediation-smf.md) in the Using Zowe API Mediation Layer documentation. + ### Multi-Factor Authentication (MFA) Multi-factor authentication is supported for several components, such as the Desktop and API Mediation Layer. From 55335a747bcca0015db10e57125c1649e165f2f1 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 12:25:44 +0100 Subject: [PATCH 02/27] initial component listing for security customization Signed-off-by: Andrew Jandacek --- .../assign-security-permissions-to-users.md | 17 ++++++ docs/user-guide/configure-zos-system.md | 57 ++++++------------- docs/user-guide/systemrequirements-zos.md | 3 + 3 files changed, 37 insertions(+), 40 deletions(-) diff --git a/docs/user-guide/assign-security-permissions-to-users.md b/docs/user-guide/assign-security-permissions-to-users.md index 20323ddaac..1cbd26e142 100644 --- a/docs/user-guide/assign-security-permissions-to-users.md +++ b/docs/user-guide/assign-security-permissions-to-users.md 
@@ -59,6 +59,23 @@ see [zwe init security](../appendix/zwe_server_command_reference/zwe/init/zwe-in | Cross memory server (ZIS) | FACILITY | `ZWES.IS` | READ | Allow Zowe ZWESLSTC processes to access the Zowe ZIS cross memory server. | This parameter permits the Zowe main server to use ZIS cross memory server. Run the command that applies to your ESM.
• [RACF](https://github.com/zowe/zowe-install-packaging/blob/79527166f34e28c205c5f60bf4b4bb7b630bc6a1/workflows/templates/ZWESECUR.vtl#L329)
• [ACF2](https://github.com/zowe/zowe-install-packaging/blob/79527166f34e28c205c5f60bf4b4bb7b630bc6a1/workflows/templates/ZWESECUR.vtl#L560)
• [Top Secret](https://github.com/zowe/zowe-install-packaging/blob/79527166f34e28c205c5f60bf4b4bb7b630bc6a1/workflows/templates/ZWESECUR.vtl#L780) | +## Configuring address space job naming + +The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. + +1. To display who is authorized to the profile, issue the following command: +``` +RLIST FACILITY BPX.JOBNAME AUTHUSER +``` + +2. Activate the facility class, permit `BPX.JOBNAME`, and refresh facility class: +``` +SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) +PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ) +SETROPTS RACLIST(FACILITY) REFRESH +``` + +For more information, see [Setting up the UNIX-related FACILITY and SURROGAT class profiles](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxb200/fclass.htm) in the "z/OS UNIX System Services" documentation. ## Granting users permission to access z/OSMF diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index a17526f10a..5d1400ca99 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -1,6 +1,6 @@ # Security customization of your z/OS system -As a security administrator configure your z/OS system according to the specific features and functionalities you choose to include in your Zowe installation. Review the following article for specific configuration steps that apply to these features and fuctionalities. +As a security administrator, configure your z/OS system according to the specific features and functionalities you choose to include in your Zowe installation. Review the following article for specific configuration steps that apply to these features and fuctionalities. :::info Required role: security administrator ::: 
@@ -37,23 +37,22 @@ Be sure your z/OS system meets the following prerequisites: Review the following table to determine which configuration steps are required based on your Zowe use case. -| Purpose | Configuration step | -| --- | --- | -| Set the names for the different z/OS UNIX address spaces for the Zowe runtime components.
**Important:** This configuration step is required. | [Configure address space job naming](#configure-address-space-job-naming) | -| To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | -| To allow users to log on to the Zowe desktop through impersonation. | [Configure security environment switching](#configure-security-environment-switching) | -| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | -| Required if you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment. | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | -| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the started task ZWESLSTC to run under the correct user ID and group. | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id) | -| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the cross memory server for SAF to guard against access by non-privileged clients. | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | -| Required for API Mediation Layer to map a client certificate to a z/OS identity. | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | -| Required for API ML to map the association between a z/OS user ID and a distributed user identity. 
| [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | -| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | -| Required for API Mediation Layer to issue SMF records. | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | -| To use multi-factor authentication (MFA) | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | -| To use Single Sign-On (SSO) | [Single Sign-On (SSO)](#single-sign-on-sso) | -| To use OIDC Authentication with API Mediation Layer | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | - +| Purpose | Applicable Zowe Component(s) | Configuration step | +| --- | --- | --- | +| Set the names for the different z/OS UNIX address spaces for the Zowe runtime components.
**Important:** This configuration step is required. | All components | [Configure address space job naming](#configure-address-space-job-naming) | +| To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | Application Framework | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | +| To allow users to log on to the Zowe desktop through impersonation. | | [Configure security environment switching](#configure-security-environment-switching) | +| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | +| Required if you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment. | | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | +| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the started task ZWESLSTC to run under the correct user ID and group. | | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id) | +| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the cross memory server for SAF to guard against access by non-privileged clients. | Application Framework | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | +| Required for API Mediation Layer to map a client certificate to a z/OS identity. 
| API ML | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | +| Required for API ML to map the association between a z/OS user ID and a distributed user identity. | API ML | [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | +| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | +| Required for API Mediation Layer to issue SMF records. | API ML | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | +| To use multi-factor authentication (MFA) | | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | +| To use Single Sign-On (SSO) | | [Single Sign-On (SSO)](#single-sign-on-sso) | +| To use OIDC Authentication with API Mediation Layer | API ML | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | ### Configure an ICSF cryptographic services environment 
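Review bot: The first row of the new table still links to #configure-address-space-job-naming and is marked **Important: This configuration step is required**, yet the -376 hunk later in this same patch deletes that entire section, so the link becomes dangling; either keep the section or drop the row. In the new "Applicable Zowe Component(s)" column, seven rows (security environment switching, multi-user address space for TSS, user IDs and groups, ZWESLSTC, SAF Identity tokens, MFA, SSO) are left empty, which reads as "no component" rather than "to be filled in"; fill them or use an explicit placeholder before merge.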
@@ -376,28 +375,6 @@ F ACF2,REBUILD(APL) ``` -### Configure address space job naming - -The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. - -:::note -This procedure may require security administrator authorization. Consult with your security administrator. -::: - -To display who is authorized to the profile, issue the following command: -``` -RLIST FACILITY BPX.JOBNAME AUTHUSER -``` - -Additionally, you need to activate facility class, permit `BPX.JOBNAME`, and refresh facility class: -``` -SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) -PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ) -SETROPTS RACLIST(FACILITY) REFRESH -``` - -For more information, see [Setting up the UNIX-related FACILITY and SURROGAT class profiles](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxb200/fclass.htm) in the "z/OS UNIX System Services" documentation. - ### Configure multi-user address space (for TSS only) The Zowe server started task `ZWESLSTC` is multi-user address space, and therefore a TSS FACILITY needs to be defined and assigned to the started task. Then, all acids signing on to the started task will need to be authorized to the FACILITY. diff --git a/docs/user-guide/systemrequirements-zos.md b/docs/user-guide/systemrequirements-zos.md index acfd4521fa..ba96d844d9 100644 --- a/docs/user-guide/systemrequirements-zos.md +++ b/docs/user-guide/systemrequirements-zos.md 
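Review bot: This hunk removes the "Configure address space job naming" section (READ on `BPX.JOBNAME` in the `FACILITY` class for `ZWESVUSR`) with no replacement, while the table hunk at the top of the same file still lists that step as required; if the section is meant to move rather than disappear, the move belongs in this commit. PATCH 03 in this series re-adds the section verbatim, which suggests the deletion here was accidental and the two should be squashed away.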
@@ -107,3 +107,6 @@ Zowe consumption reference data were measured with the default Zowe configuratio - For production use of Zowe, we recommend configuring z/OSMF to leverage Zowe functionalities that require z/OSMF. For more information, see [Configuring z/OSMF](systemrequirements-zosmf.md). - For non-production use of Zowe (such as development, proof-of-concept, demo), you can customize the configuration of z/OSMF to create **_z/OS MF Lite_** to simplify your setup of z/OSMF. z/OS MF Lite only supports selected REST services (JES, DataSet/File, TSO and Workflow), resulting in considerable improvements in startup time as well as a reduction in steps to set up z/OSMF. For information about how to set up z/OSMF Lite, see [Configuring z/OSMF Lite (non-production environment)](systemrequirements-zosmf-lite.md). ::: + +:::note +For specific z/OS security configuration options according to your \ No newline at end of file From 8f637e9f2c6bbaf5dbfbf42a00ef5cff70a00bd9 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 12:28:16 +0100 Subject: [PATCH 03/27] readd Configure address space job naming Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 5d1400ca99..d4a3a7ce34 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md 
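Review bot: The note added to systemrequirements-zos.md is cut off mid-sentence ("...according to your"), the `:::note` admonition is never closed with `:::`, and the file now ends without a trailing newline; finish the sentence and close the block in this commit rather than in a later fix-up.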
@@ -54,6 +54,28 @@ Be sure your z/OS system meets the following prerequisites: | To use Single Sign-On (SSO) | | [Single Sign-On (SSO)](#single-sign-on-sso) | | To use OIDC Authentication with API Mediation Layer | API ML | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | +### Configure address space job naming + +The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. + +:::note +This procedure may require security administrator authorization. Consult with your security administrator. +::: + +To display who is authorized to the profile, issue the following command: +``` +RLIST FACILITY BPX.JOBNAME AUTHUSER +``` + +Additionally, you need to activate facility class, permit `BPX.JOBNAME`, and refresh facility class: +``` +SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) +PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ) +SETROPTS RACLIST(FACILITY) REFRESH +``` + +For more information, see [Setting up the UNIX-related FACILITY and SURROGAT class profiles](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxb200/fclass.htm) in the "z/OS UNIX System Services" documentation. + ### Configure an ICSF cryptographic services environment The zssServer uses cookies that require random number generation for security. To learn more about the zssServer, see the [Zowe architecture](../getting-started/zowe-architecture.md#zss). Integrated Cryptographic Service Facility (ICSF) is a secure way to generate random numbers. From d7cb4e91c96abe643ab6278f12ceeeb0f078395f Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 14:04:48 +0100 Subject: [PATCH 04/27] formatting 
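Review bot: The re-added "Configure address space job naming" section gives RACF commands only (`RLIST`, `SETROPTS`, `PERMIT`), while the other sections in this file provide RACF, ACF2 and Top Secret variants in their own collapsible blocks; add the ACF2 and Top Secret equivalents or state explicitly that the commands shown are RACF-only. The IBM link also points at the z/OS 2.3 (SSLTBW_2.3.0) documentation; confirm that is the release this guide targets.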
Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 53 +++++++++++++++++++++---- 1 file changed, 45 insertions(+), 8 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index d4a3a7ce34..cdcfe009ee 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -97,7 +97,9 @@ Define or check the following configurations depending on whether ICSF is alread
- For RACF, click here for command details. + +For RACF, click here for command details. + If you use RACF, issue the following commands: ``` @@ -121,7 +123,8 @@ SETROPTS RACLIST(CSFSERV) REFRESH
- For ACF2, click here for command details. + +For ACF2, click here for command details. If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): @@ -154,7 +157,8 @@ F ACF2,REBUILD(CSF)
- For Top Secret, click here for command details. + +For Top Secret, click here for command details. If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): @@ -192,7 +196,8 @@ You can issue the following commands first to check whether you already have the
- For RACF, click here for command details. + +For RACF, click here for command details. If you use RACF, issue the following commands: @@ -206,6 +211,7 @@ RLIST FACILITY BPX.DAEMON AUTHUSER
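Review bot: In the first four hunks (-97, -121, -154, -192) the "For ..., click here for command details." summary line is deleted and re-added unchanged with only a blank line inserted before it; a diff that removes and re-adds identical text hides what the change actually is, so either say in the commit message that the blank line is needed for the markdown inside the collapsible to render, or leave the unchanged line alone. In the same context lines the ACF2 block says "user-defined" and the Top Secret block "user defined"; pick one spelling.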
+ For Top Secret, click here for command details. @@ -221,6 +227,7 @@ TSS WHOHAS IBMFAC(BPX.DAEMON)
+ For ACF2, click here for command details. @@ -238,6 +245,7 @@ LIST BPX If the user `ZWESVUSR` who runs the Zowe server started task does not have UPDATE access to both profiles follow the instructions according to your ESM.
+ For RACF, click here for procedure details. @@ -283,7 +291,9 @@ RLIST FACILITY BPX.DAEMON AUTHUSER
- For Top Secret, click here for procedure details. + + +For Top Secret, click here for procedure details. If you use Top Secret, complete the following steps: @@ -310,6 +320,7 @@ TSS WHOHAS IBMFAC(BPX.DAEMON)
+ For ACF2, click here for procedure details. @@ -337,12 +348,15 @@ SET RESOURCE(FAC) ``` LIST BPX ``` +
You must also grant READ access to the OMVSAPPL profile in the APPL class to the Zowe STC user as well as **all other Zowe users** using various Zowe features. Skip the following steps when the OMVSAPPL profile is not defined in your environment.
-For RACF, click here for procedure details. + + +For RACF, click here for procedure details. If you use RACF, complete the following steps: @@ -361,7 +375,9 @@ SETROPTS RACLIST(APPL) REFRESH
-For Top Secret, click here for procedure details. + + +For Top Secret, click here for procedure details. If you use Top Secret, complete the following steps: @@ -375,10 +391,13 @@ TSS WHOHAS APPL(OMVSAPPL) ``` TSS PERMIT() APPL(OMVSAPPL) ``` +
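Review bot: The Top Secret OMVSAPPL hunk keeps the context line `TSS PERMIT() APPL(OMVSAPPL)` with empty parentheses where the acid belongs; since this block is being touched anyway, put an explicit placeholder in it (for example `TSS PERMIT(acid) APPL(OMVSAPPL)`, with a sentence saying what to substitute) so readers do not paste an incomplete command.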
-For ACF2, click here for procedure details. + + +For ACF2, click here for procedure details. If you use ACF2, complete the following steps: @@ -395,6 +414,7 @@ SET RESOURCE(APL) RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) F ACF2,REBUILD(APL) ``` +
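Review bot: Same issue in the ACF2 OMVSAPPL hunk: `RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW)` has an empty `ROLE()`; give it a placeholder and state what value is expected, otherwise the rule as printed cannot be used.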
### Configure multi-user address space (for TSS only) @@ -485,6 +505,7 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group.
+ For RACF, click here for command details. @@ -498,6 +519,7 @@ SETROPTS REFRESH RACLIST(STARTED)
+ For ACF2, click here for command details. @@ -513,6 +535,7 @@ F ACF2,REFRESH(STC)
+ For Top Secret, click here for command details. @@ -584,6 +607,7 @@ If you use RACF, issue the following commands:
+ For ACF2, click here for command details. @@ -603,6 +627,7 @@ F ACF2,REBUILD(FAC)
+ For Top Secret, click here for command details. @@ -629,6 +654,7 @@ This security configuration is necessary for API ML to be able to map client cer To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower use the following configuration steps.
+ For RACF, click here for procedure details. @@ -654,6 +680,7 @@ If you use RACF, verify and update permission in the `FACILITY` class.
+ For ACF2, click here for procedure details. @@ -681,6 +708,7 @@ If you use ACF2, verify and update permission in the `FACILITY` class.
+ For Top Secret, click here for procedure details. @@ -706,6 +734,7 @@ This security configuration is necessary for API ML to be able to map the associ To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.28 and lower, use the following configuration steps.
+ For RACF, click here for procedure details. @@ -739,6 +768,7 @@ If you use RACF, verify and update permission in the `FACILITY` class.
+ For ACF2, click here for procedure details. @@ -766,6 +796,7 @@ If you use ACF2, verify and update permission in the `FACILITY` class.
+ For Top Secret, click here for procedure details. @@ -811,6 +842,7 @@ To set up this security configuration, submit the `ZWESECUR` JCL member. For use To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has READ access to this profile.
+ For RACF, click here for command details. @@ -823,6 +855,7 @@ RLIST FACILITY IRR.RAUDITX AUTHUSER
+ For Top Secret, click here for command details. @@ -835,6 +868,7 @@ TSS WHOHAS IBMFAC(IRR.RAUDITX)
+ For ACF2, click here for command details. @@ -851,6 +885,7 @@ LIST LIKE(IRR-) If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM.
+ For RACF, click here for procedure details. @@ -870,6 +905,7 @@ If you use RACF, update permission in the `FACILITY` class.
+ For Top Secret, click here for procedure details. @@ -882,6 +918,7 @@ TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ)
+ For ACF2, click here for procedure details. From e50bbd083a661137f5cf4d5517c43e8bf56de25d Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 15:17:24 +0100 Subject: [PATCH 05/27] formatting Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index cdcfe009ee..5e969836b1 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -121,8 +121,8 @@ SETROPTS RACLIST(CSFSERV) REFRESH
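Review bot: From the -485 hunk through the -882 hunk this commit adds only a single blank line before each "For ..., click here" summary, all under the title "formatting"; please say in the commit message what the blank line fixes (for example, markdown not rendering inside the collapsible) so that these hunks can be reviewed without re-rendering every block, and check that every collapsible that receives a blank line before its summary also has a matching closing tag.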
-
+
For ACF2, click here for command details. From 118ec2f5c1d3103b8b745be8f674a78053eb9460 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 15:43:18 +0100 Subject: [PATCH 06/27] formatting Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 5e969836b1..0028413aee 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -121,11 +121,8 @@ SETROPTS RACLIST(CSFSERV) REFRESH
-
- -For ACF2, click here for command details. - +For ACF2, click here for command details. If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): From 1faea93204ee6d3aeda3ac3bf3868bac65c290f7 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 15:55:17 +0100 Subject: [PATCH 07/27] remove summary for ACF2 Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 0028413aee..74ab1a7bcc 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -121,8 +121,8 @@ SETROPTS RACLIST(CSFSERV) REFRESH
-
-For ACF2, click here for command details. +For ACF2, click here for command details. + If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): @@ -150,8 +150,6 @@ RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ F ACF2,REBUILD(CSF) ``` -
-
From ef69d938208f8681f18dd54d97f26f0221cc7c5d Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 16:09:58 +0100 Subject: [PATCH 08/27] re add ACF2 collapsable content Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 74ab1a7bcc..1c40714c4c 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -121,7 +121,11 @@ SETROPTS RACLIST(CSFSERV) REFRESH
+
+ + For ACF2, click here for command details. + If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): @@ -149,6 +153,7 @@ RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ ``` F ACF2,REBUILD(CSF) ``` +
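Review bot: PATCH 05 through PATCH 08 rewrite the same ACF2 block at line 121 of configure-zos-system.md four times (strip a line, strip the summary, re-add the collapsible content), and their net effect on top of PATCH 04 is a blank line before and after the summary; squash these fix-ups into the formatting commit so the history does not carry intermediate states where the ACF2 commands lose their collapsible wrapper.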
From 8affbc37d7d884b41c8fd4952aa8db80fb8fe51b Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 4 Nov 2024 16:33:17 +0100 Subject: [PATCH 09/27] fix note at the bottom of systemrequirements-zos Signed-off-by: Andrew Jandacek --- docs/user-guide/systemrequirements-zos.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/systemrequirements-zos.md b/docs/user-guide/systemrequirements-zos.md index ba96d844d9..58930418a5 100644 --- a/docs/user-guide/systemrequirements-zos.md +++ b/docs/user-guide/systemrequirements-zos.md @@ -109,4 +109,5 @@ Zowe consumption reference data were measured with the default Zowe configuratio ::: :::note -For specific z/OS security configuration options according to your \ No newline at end of file +For specific z/OS security configuration options that apply to the specific Zowe server-side components in your configuration, see [Security customization of your z/OS system](./configure-zos-system.md). +::: From afcda3e1c0f2599a7df172a8040ad3a85cb91512 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 5 Nov 2024 13:49:20 +0100 Subject: [PATCH 10/27] address Sean's comments Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 1c40714c4c..7f765ed0bc 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -41,17 +41,17 @@ Be sure your z/OS system meets the following prerequisites: | --- | --- | --- | | Set the names for the different z/OS UNIX address spaces for the Zowe runtime components.
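Review bot: This hunk completes the admonition left unfinished in PATCH 01 (sentence cut off after "according to your", missing closing `:::`, no newline at end of file); squash it into PATCH 01 so no intermediate commit ships a broken page. The new wording "security configuration options that apply to the specific Zowe server-side components in your configuration" repeats "configuration"; "that apply to the Zowe server-side components you install" reads more cleanly.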
**Important:** This configuration step is required. | All components | [Configure address space job naming](#configure-address-space-job-naming) | | To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | Application Framework | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | -| To allow users to log on to the Zowe desktop through impersonation. | | [Configure security environment switching](#configure-security-environment-switching) | -| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | -| Required if you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment. | | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | -| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the started task ZWESLSTC to run under the correct user ID and group. | | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id) | -| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the cross memory server for SAF to guard against access by non-privileged clients. | Application Framework | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | +| To allow users to log on to the Zowe desktop through impersonation. | Application Framework | [Configure security environment switching](#configure-security-environment-switching) | +| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. 
| ? | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | +| Required to manually create the user ID and groups in your z/OS environment. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md) | ? | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | +| Required to configure the started task ZWESLSTC to run under the correct user ID and group. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| ? | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id). | +| Required to configure the cross memory server for SAF to guard against access by non-privileged clients. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| Application Framework | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | | Required for API Mediation Layer to map a client certificate to a z/OS identity. | API ML | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | | Required for API ML to map the association between a z/OS user ID and a distributed user identity. | API ML | [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | -| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | +| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | Application Framework
API ML | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | | Required for API Mediation Layer to issue SMF records. | API ML | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | -| To use multi-factor authentication (MFA) | | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | -| To use Single Sign-On (SSO) | | [Single Sign-On (SSO)](#single-sign-on-sso) | +| To use multi-factor authentication (MFA) | ? | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | +| To use Single Sign-On (SSO) | ? | [Single Sign-On (SSO)](#single-sign-on-sso) | | To use OIDC Authentication with API Mediation Layer | API ML | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | ### Configure address space job naming From f0077ec254d985a99b78d697bdb820b008d02109 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 5 Nov 2024 15:20:52 +0100 Subject: [PATCH 11/27] add link to zwe init security Signed-off-by: Andrew Jandacek --- docs/user-guide/initialize-zos-system.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/user-guide/initialize-zos-system.md b/docs/user-guide/initialize-zos-system.md index 349f87b80c..2af842fdd1 100644 --- a/docs/user-guide/initialize-zos-system.md +++ b/docs/user-guide/initialize-zos-system.md 
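Review bot: Five cells in the "Applicable Zowe Component(s)" column are committed as a literal `?` (multi-user address space for TSS, user IDs and groups, ZWESLSTC, MFA, SSO) and will render as question marks in the published docs; resolve them or leave the cells empty until the owner is known. The rewritten rows also drop the "if you have not run `ZWESECUR`" condition, while the section bodies further down still open with "If you have run `ZWESECUR`, you do not need to perform the steps"; keep the table and the sections consistent. Minor: the ZWESLSTC row has a stray period after the link, and two cells are missing the space before `|`.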
@@ -24,6 +24,8 @@ Configures the VSAM files needed if the Caching service is set to VSAM mode. Thi :::info Recommendation: We recommend you to run these sub commands one by one to clearly see the output of each step. To successfully run `zwe init security`, `zwe init apfauth`, and `zwe init certificate`, it is likely that your organization requires elevated permissions. We recommend you consult with your security administrator to run these commands. For more information about tasks for the security administrator, see the section [Configuring security](./configuring-security.md) in this configuration documentation. + +For information about the `zwe init security` command, see [configuring with `zwe init security` command](./initialize-security-configuration.md#configuring-with-zwe-init-security-command). ::: :::tip From 1839c4b49dc862b2e331220475009bc3cfe26ef7 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 5 Nov 2024 16:10:40 +0100 Subject: [PATCH 12/27] fix typo and add roles Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zowe-runtime.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/configure-zowe-runtime.md b/docs/user-guide/configure-zowe-runtime.md index 53efa6b085..f826ee8cb3 100644 --- a/docs/user-guide/configure-zowe-runtime.md +++ b/docs/user-guide/configure-zowe-runtime.md 
@@ -10,14 +10,14 @@ Use one of the following options to initialize Zowe z/OS runtime: * Initialize Zowe maunually using zwe init command group * Configure Zowe with z/OSMF workflows -## Initialize Zowe maunually using zwe init command group +## Initialize Zowe manually using zwe init command group After your installation of Zowe runtime, you can run the `zwe init` command to perform the following configurations: * Initialize Zowe with copies of data sets provided with Zowe -* Create user IDs and security manager settings -* Provide APF authorize load libraries -* Configure Zowe to use TLS certificates +* Create user IDs and security manager settings (Security Admin) +* Provide APF authorize load libraries (Security Admin) +* Configure Zowe to use TLS certificates (Security Admin) * Configure VSAM files to run the Zowe caching service used for high availability (HA) * Configure the system to launch the Zowe started task From 9b9f049cc09c87e00a186bb5ee4a2a83b7c33699 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 7 Nov 2024 10:54:05 +0100 Subject: [PATCH 13/27] shuffle content from initializing Zowe security configuration into Configuring security / limit content duplication Signed-off-by: Andrew Jandacek --- docs/user-guide/configuring-security.md | 73 ++++++++++++++++++- .../initialize-security-configuration.md | 3 + docs/user-guide/initialize-zos-system.md | 1 + .../zwe-init-subcommand-overview.md | 40 ++++++++-- 4 files changed, 108 insertions(+), 9 deletions(-) diff --git a/docs/user-guide/configuring-security.md b/docs/user-guide/configuring-security.md index 221504a5c2..6e441a88af 100644 --- a/docs/user-guide/configuring-security.md +++ b/docs/user-guide/configuring-security.md 
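Review bot: The heading typo is fixed, but the bullet two lines above it in this hunk's context, `* Initialize Zowe maunually using zwe init command group`, still reads "maunually"; fix both in the same commit. "Provide APF authorize load libraries" should read "APF-authorize the load libraries" (or "Provide APF-authorized load libraries").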
@@ -11,12 +11,79 @@ During installation, the system programmer customizes values in the zowe.yaml fi ## Initialize Zowe security configurations +This security configuration step is required for first time setup of Zowe. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. + Choose from the following methods to initialize Zowe security configurations: -* Configuring with `zwe init security` -* Configuring with `ZWESECUR` JCL +* Configuring with `zwe init security` command +* Configuring with `ZWESECUR` JCL + +## Configuring with `zwe init security` command + +The `zwe init security` command reads data from `zowe.yaml` and constructs a JCL member using `ZWESECUR` as a template which is then submitted. This is a convenience step to assist with driving Zowe configuration through a pipeline or when you prefer to use USS commands rather than directly edit and customize JCL members. + +:::note +If you do not have permissions to update your security configurations, use the `security-dry-run` described in the following tip. We recommend you inform your security administrator to review the `ZWESECUR` job content. +::: + +:::tip + +To avoid having to run the `init security` command, you can specify the parameter `--security-dry-run`. This parameter enables you to construct a JCL member containing the security commmands without running the member. This is useful for previewing commands and can also be used to copy and paste commands into a TSO command prompt for step by step manual execution. 
+ +**Example:** + +``` +#>zwe init security -c ./zowe.yaml --security-dry-run +------------------------------------------------------------------------------- +>> Run Zowe security configurations + +Modify ZWESECUR +- IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) is prepared + +Dry-run mode, security setup is NOT performed on the system. +Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually. +>> Zowe security configurations are applied successfully. + +#> +``` +::: + + + +## Configuring with `ZWESECUR` JCL + +An alternative to using `zwe init security` is to prepare a JCL member to configure the z/OS system, and edit `ZWESECUR` to make changes. + +The JCL allows you to vary which security manager you use by setting the _PRODUCT_ variable to be one of the following ESMs: +* `RACF` +* `ACF2` +* `TSS`. + +**Example:** +``` +// SET PRODUCT=RACF * RACF, ACF2, or TSS +``` + +If `ZWESECUR` encounters an error or a step that has already been performed, it continues to the end, so it can be run repeatedly in a scenario such as a pipeline automating the configuration of a z/OS environment for Zowe installation. + +:::info Important +It is expected that your security administrator will be required to review, edit where necessary, and either execute `ZWESECUR` as a single job, or execute individual TSO commands to complete the security configuration of a z/OS system in preparation for installing and running Zowe. +::: + +The following video shows how to locate the `ZWESECUR` JCL member and execute it. + + + + + +### Undo security configurations + +To undo all of the z/OS security configuration steps performed by the JCL member `ZWESECUR`, use the reverse member `ZWENOSEC`. This member contains steps that reverse steps performed by `ZWESECUR`. This is useful in the following situations: + +- You are configuring z/OS systems as part of a build pipeline that you want to undo, and redo configuration and installation of Zowe using automation. 
+- You configured a z/OS system for Zowe that you no longer want to use, and you prefer to delete the Zowe user IDs and undo the security configuration settings rather than leave them enabled. -For more information about both of these methods, see [Initialize Zowe security configurations](./initialize-security-configuration.md). +If you run `ZWENOSEC` on a z/OS system, it is necessary to rerun `ZWESECUR` to reinitialize the z/OS security configuration. Zowe cannot be run until `ZWESECUR` is rerun. ## Perform APF authorization of load libraries diff --git a/docs/user-guide/initialize-security-configuration.md b/docs/user-guide/initialize-security-configuration.md index 965b2590a4..f55102ebdd 100644 --- a/docs/user-guide/initialize-security-configuration.md +++ b/docs/user-guide/initialize-security-configuration.md @@ -1,5 +1,8 @@ # Initializing Zowe security configurations + + + This security configuration step is required for first time setup of Zowe. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. :::info Required roles: system programmer, security administrator diff --git a/docs/user-guide/initialize-zos-system.md b/docs/user-guide/initialize-zos-system.md index 2af842fdd1..c96f599fe9 100644 --- a/docs/user-guide/initialize-zos-system.md +++ b/docs/user-guide/initialize-zos-system.md 
@@ -25,6 +25,7 @@ Configures the VSAM files needed if the Caching service is set to VSAM mode. Thi :::info Recommendation: We recommend you to run these sub commands one by one to clearly see the output of each step. To successfully run `zwe init security`, `zwe init apfauth`, and `zwe init certificate`, it is likely that your organization requires elevated permissions. We recommend you consult with your security administrator to run these commands. For more information about tasks for the security administrator, see the section [Configuring security](./configuring-security.md) in this configuration documentation. + For information about the `zwe init security` command, see [configuring with `zwe init security` command](./initialize-security-configuration.md#configuring-with-zwe-init-security-command). ::: diff --git a/docs/user-guide/zwe-init-subcommand-overview.md b/docs/user-guide/zwe-init-subcommand-overview.md index fa21b906c8..b5ee1db520 100644 --- a/docs/user-guide/zwe-init-subcommand-overview.md +++ b/docs/user-guide/zwe-init-subcommand-overview.md 
@@ -6,11 +6,15 @@ Review this article to learn about the individual subcommands executed in `zwe i Some of the following `zwe init` subcommands require elevated permissions. See the required roles associated with each of these commands. ::: -* [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) -* [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) -* [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) -* [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) -* [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) +- [zwe init subcommand overview](#zwe-init-subcommand-overview) + - [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) + - [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) + - [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) + - [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) + - [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) + - [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) + - [(Deprecated) Creating VSAM caching service datasets (`zwe init vsam`)](#deprecated-creating-vsam-caching-service-datasets-zwe-init-vsam) + - [Next steps](#next-steps) ## Initializing Zowe custom data sets (`zwe init mvs`) 
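Review bot: in the configuring-security.md hunk (@@ -11,12 +11,79), the new `:::note` refers to "the `security-dry-run` described in the following tip" without the `--` prefix, and the tip's opening sentence, "To avoid having to run the `init security` command, you can specify the parameter `--security-dry-run`", is misleading: the command is still run, only the generated `ZWESECUR` member is not submitted, which is what the example output says ("Dry-run mode, security setup is NOT performed on the system."). Suggest "To generate the JCL member without submitting it, run `zwe init security` with `--security-dry-run`", fix "commmands" to "commands", and say that the security administrator reviews and submits the prepared member. Note also that this hunk copies the whole `zwe init security` and `ZWESECUR` text out of initialize-security-configuration.md (the removed line linked there) while that file stays in place; two copies of the same procedure will drift.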
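Review bot: the initialize-security-configuration.md hunk (@@ -1,5 +1,8) only inserts three blank lines after the `# Initializing Zowe security configurations` heading and changes nothing else. Either drop the hunk or, if the intent is to retire this page now that its content lives in configuring-security.md, replace the whitespace with a short pointer to the new location (or remove the page and redirect).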
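Review bot: in the initialize-zos-system.md hunk (@@ -25,6 +25,7), the new link target `./initialize-security-configuration.md#configuring-with-zwe-init-security-command` should be checked: the `## Configuring with zwe init security command` heading that produces that slug is the one this patch adds to configuring-security.md, and the visible hunk for initialize-security-configuration.md adds only blank lines, so unless that file already has a heading with exactly that slug the anchor is broken. Point the link at `./configuring-security.md#configuring-with-zwe-init-security-command`, and end the added sentence with a period.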
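Review bot: in the zwe-init-subcommand-overview.md hunk (@@ -6,11 +6,15), the replacement list is an auto-generated table of contents that nests every entry under a link to the page's own title (`- [zwe init subcommand overview](#zwe-init-subcommand-overview)`) and pulls in `Next steps` and the `Procedure to initialize Zowe custom data sets` subsection; the old flat list of the `zwe init` subcommands was the more useful overview. Suggest keeping the flat list and adding only the `(Deprecated) Creating VSAM caching service datasets (zwe init vsam)` entry if that section is meant to be listed.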
@@ -108,7 +112,31 @@ If Zowe has already been launched on a z/OS system from a previous release of Zo The JCL member `.SZWESAMP(ZWESECUR)` is provided to assist with the security configuration. Before submitting the `ZWESECUR` JCL member, customize this member to match site security rules. For script driven scenarios, you can run the command `zwe init security` which uses `ZWESECUR` as a template to create a customized member in `.CUST.JCLLIB`. This member contains the commands required to perform the security configuration. -For more information about `zwe init security`, see [Initializing Zowe security configurations](./initialize-security-configuration). +For more information about `zwe init security`, see [Configuring with `zwe init security` command](./configuring-security.md#configuring-with-zwe-init-security-command). + +:::tip + +To avoid having to run the `init security` command, you can specify the parameter `--security-dry-run`. This parameter enables you to construct a JCL member containing the security commmands without running the member. This is useful for previewing commands and can also be used to copy and paste commands into a TSO command prompt for step by step manual execution. + +**Example:** + +``` +#>zwe init security -c ./zowe.yaml --security-dry-run +------------------------------------------------------------------------------- +>> Run Zowe security configurations + +Modify ZWESECUR +- IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) is prepared + +Dry-run mode, security setup is NOT performed on the system. +Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually. +>> Zowe security configurations are applied successfully. + +#> +``` +For production environments, inform your security administrator to re-submit the `init security` command with proper authorization. + +::: ## Performing APF authorization of load libraries (`zwe init apfauth`) From fa3bf2dd754ba362d72c38fd2236fb943a54fa77 Mon Sep 17 00:00:00 2001 
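Review bot: the `:::tip` added in the zwe-init-subcommand-overview.md hunk (@@ -108,7 +112,31) is a verbatim copy of the dry-run tip added to configuring-security.md in this same patch, including the "commmands" typo and the "To avoid having to run the `init security` command" wording (the command still runs; only the generated member is not submitted). Since the paragraph directly above already links to "Configuring with `zwe init security` command", a one-line pointer here would avoid a third copy of the example output; at minimum fix the typo and the wording in both places. The closing line "inform your security administrator to re-submit the `init security` command with proper authorization" also sits awkwardly next to the example's own instruction "Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually": the administrator can submit the prepared member rather than rerun the command.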
From: Andrew Jandacek Date: Thu, 7 Nov 2024 11:42:27 +0100 Subject: [PATCH 14/27] create collapsible content for zwe security and JCL options Signed-off-by: Andrew Jandacek --- docs/user-guide/configuring-security.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/docs/user-guide/configuring-security.md b/docs/user-guide/configuring-security.md index 6e441a88af..e23b8d4d9f 100644 --- a/docs/user-guide/configuring-security.md +++ b/docs/user-guide/configuring-security.md 
@@ -7,18 +7,18 @@ During the initial installation of Zowe server-side components, it is necessary ## Validate and re-run `zwe init` commands -During installation, the system programmer customizes values in the zowe.yaml file. However, due to insufficient permissions of the system programmer, the `zwe init security` command may fail. Consult with your security administrator to review your `ZWESECUR` job content so that your security adminstrator can re-submit this JCL. +During installation, the system programmer customizes values in the zowe.yaml file. However, due to insufficient permissions of the system programmer, the `zwe init security` command may fail without sufficient user authorization. ## Initialize Zowe security configurations -This security configuration step is required for first time setup of Zowe. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. +This security configuration step is required for first time setup of Zowe and may require security autorization. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. Choose from the following methods to initialize Zowe security configurations: -* Configuring with `zwe init security` command -* Configuring with `ZWESECUR` JCL +
+Click here to configure with the `zwe init security` command. -## Configuring with `zwe init security` command +**Configure with `zwe init security` command** The `zwe init security` command reads data from `zowe.yaml` and constructs a JCL member using `ZWESECUR` as a template which is then submitted. This is a convenience step to assist with driving Zowe configuration through a pipeline or when you prefer to use USS commands rather than directly edit and customize JCL members. @@ -48,9 +48,15 @@ Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually. ``` ::: +
+ -## Configuring with `ZWESECUR` JCL +
+Click here to configure with `ZWESECUR` JCL. + + +**Configure with `ZWESECUR` JCL** An alternative to using `zwe init security` is to prepare a JCL member to configure the z/OS system, and edit `ZWESECUR` to make changes. @@ -74,6 +80,8 @@ The following video shows how to locate the `ZWESECUR` JCL member and execute it +
+ ### Undo security configurations From 556b92e97815c3e9048ef6665cb7898d2ea01207 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 7 Nov 2024 15:08:21 +0100 Subject: [PATCH 15/27] note refactoring Signed-off-by: Andrew Jandacek --- docs/user-guide/configuring-security.md | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/docs/user-guide/configuring-security.md b/docs/user-guide/configuring-security.md index e23b8d4d9f..d0113aefe7 100644 --- a/docs/user-guide/configuring-security.md +++ b/docs/user-guide/configuring-security.md 
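Review bot: in the configuring-security.md hunk (@@ -7,18 +7,18), the rewritten sentence under "Validate and re-run `zwe init` commands" is circular ("due to insufficient permissions of the system programmer, the `zwe init security` command may fail without sufficient user authorization") and drops the one actionable instruction the old text had, that the security administrator reviews the `ZWESECUR` job content and re-submits it. Suggest keeping that instruction, for example "If `zwe init security` fails because the system programmer lacks the required permissions, have your security administrator review the generated `ZWESECUR` member and submit it." In the same hunk, "security autorization" should be "security authorization"; it is corrected again in PATCH 15/27, better to fix it here.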
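Review bot: in the hunk at @@ -48,9 +48,15, turning `## Configuring with ZWESECUR JCL` (and, in the preceding hunk, `## Configuring with zwe init security command`) into bold text inside a collapsible removes the heading anchors, and `#configuring-with-zwe-init-security-command` is exactly what the link added to zwe-init-subcommand-overview.md in PATCH 01/27 points at; PATCH 16/27 later downgrades that link to unlinked italic text. Rather than losing the deep link, keep a heading (or an element with an explicit id) inside the collapsible so the existing link keeps resolving, and make that adjustment in the same patch as the structural change.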
@@ -5,13 +5,18 @@ During the initial installation of Zowe server-side components, it is necessary :::info Required roles: system programmer, security administrator ::: +:::note +For initial tasks to be performed by the security administrator before Zowe server-side installation, see [Addressing security requirements](./address-security-requirements.md). + +::: + ## Validate and re-run `zwe init` commands During installation, the system programmer customizes values in the zowe.yaml file. However, due to insufficient permissions of the system programmer, the `zwe init security` command may fail without sufficient user authorization. ## Initialize Zowe security configurations -This security configuration step is required for first time setup of Zowe and may require security autorization. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. +This security configuration step is required for first time setup of Zowe and may require security authorization. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. Choose from the following methods to initialize Zowe security configurations: 
@@ -97,9 +102,9 @@ If you run `ZWENOSEC` on a z/OS system, it is necessary to rerun `ZWESECUR` to r Zowe contains load modules that require access to make privileged z/OS security manager calls. These load modules are held in two load libraries which must be APF authorized. For more information about how to issue the `zwe init apfauth` command to perform APF authority commands, see [Performing APF authorization of load libraries](./apf-authorize-load-library.md). -## Configure the z/OS system for Zowe +## Customize security of your z/OS system -Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see [Configuring the z/OS system for Zowe](./configure-zos-system.md). +Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see [Security customization of your z/OS system](./configure-zos-system.md). ## Assign security permissions to users @@ -123,15 +128,4 @@ Depending on the specific Zowe server-side components that your organization is ## Next steps -After these security configuration steps are completed, and [Zowe z/OS runtime is initialized](./configure-zowe-runtime.md), the next step is [Configuring certificates](./configure-certificates.md). -Note that configuring certificates requires security administrator authorization. - -:::note -For more information about security administrator tasks, see: -* [Addressing security requirements](./address-security-requirements.md) -* [Configuring security](./configuring-security.md) -* [Configuring certificates](./configure-certificates.md) -::: - - - \ No newline at end of file +After Zowe z/OS runtime is initialized, and you complete other procedures in the Configuring security section, the next step is [Configuring certificates](./configure-certificates.md). 
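Review bot: in the hunk at @@ -5,13 +5,18, the new `:::note` has a stray blank line between its text and the closing `:::`, while the `:::info` block directly above closes immediately after its text; drop the blank line for consistency.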
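Review bot: in the hunk at @@ -123,15 +128,4, the new "Next steps" sentence drops two things the old text carried: the link to [Zowe z/OS runtime is initialized](./configure-zowe-runtime.md), so the reader no longer knows where that step is described, and the sentence "Note that configuring certificates requires security administrator authorization." On a page addressed to the security administrator, that requirement is the reason the reader needs to plan for the next step; suggest keeping both the runtime link and the authorization sentence. Removing the bullet list of security-administrator pages is fine, since the `:::note` added at the top of this file in the first hunk now covers it.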
From b0ff7b36fbef4dcbd3d4c800c53bff7a67aa1d6c Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 8 Nov 2024 11:11:45 +0100 Subject: [PATCH 16/27] fix link Signed-off-by: Andrew Jandacek --- docs/user-guide/zwe-init-subcommand-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/zwe-init-subcommand-overview.md b/docs/user-guide/zwe-init-subcommand-overview.md index b5ee1db520..44a6164100 100644 --- a/docs/user-guide/zwe-init-subcommand-overview.md +++ b/docs/user-guide/zwe-init-subcommand-overview.md @@ -112,7 +112,7 @@ If Zowe has already been launched on a z/OS system from a previous release of Zo The JCL member `.SZWESAMP(ZWESECUR)` is provided to assist with the security configuration. Before submitting the `ZWESECUR` JCL member, customize this member to match site security rules. For script driven scenarios, you can run the command `zwe init security` which uses `ZWESECUR` as a template to create a customized member in `.CUST.JCLLIB`. This member contains the commands required to perform the security configuration. -For more information about `zwe init security`, see [Configuring with `zwe init security` command](./configuring-security.md#configuring-with-zwe-init-security-command). +For more information about `zwe init security`, see _Configure with `zwe init security` command_ in [Configuring security](./configuring-security.md). :::tip From 95d090a4f3fdb481a036b7e3c236f84429172abb Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 18 Nov 2024 14:57:13 +0100 Subject: [PATCH 17/27] add tip for apfauth and links to reference section Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 10 ++-- docs/user-guide/configuring-security.md | 12 ++++- docs/user-guide/initialize-zos-system.md | 4 +- .../zwe-init-subcommand-overview.md | 46 +++++++++++++++++-- 4 files changed, 58 insertions(+), 14 deletions(-) 
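Review bot: in the zwe-init-subcommand-overview.md hunk (@@ -112,7 +112,7), replacing the anchored link with _Configure with `zwe init security` command_ in [Configuring security](./configuring-security.md) works around the anchor lost in PATCH 14/27 but leaves the reader to locate a collapsed block by hand. Suggest giving the collapsible an id (or keeping a heading inside it) and linking to that, so the reference stays a deep link.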
diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 72b75372cc..b99daa75ed 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -42,16 +42,16 @@ Be sure your z/OS system meets the following prerequisites: | Set the names for the different z/OS UNIX address spaces for the Zowe runtime components.
**Important:** This configuration step is required. | All components | [Configure address space job naming](#configure-address-space-job-naming) | | To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | Application Framework | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | | To allow users to log on to the Zowe desktop through impersonation. | Application Framework | [Configure security environment switching](#configure-security-environment-switching) | -| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | ? | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | -| Required to manually create the user ID and groups in your z/OS environment. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md) | ? | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | -| Required to configure the started task ZWESLSTC to run under the correct user ID and group. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| ? | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id). | +| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | All components | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | +| Required to manually create the user ID and groups in your z/OS environment. 
Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md) | All components | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | +| Required to configure the started task ZWESLSTC to run under the correct user ID and group. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| All components | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id). | | Required to configure the cross memory server for SAF to guard against access by non-privileged clients. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| Application Framework | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | | Required for API Mediation Layer to map a client certificate to a z/OS identity. | API ML | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | | Required for API ML to map the association between a z/OS user ID and a distributed user identity. | API ML | [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | | To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | Application Framework
API ML | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | | Required for API Mediation Layer to issue SMF records. | API ML | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | -| To use multi-factor authentication (MFA) | ? | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | -| To use Single Sign-On (SSO) | ? | [Single Sign-On (SSO)](#single-sign-on-sso) | +| To use multi-factor authentication (MFA) | All components | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | +| To use Single Sign-On (SSO) | All components | [Single Sign-On (SSO)](#single-sign-on-sso) | | To use OIDC Authentication with API Mediation Layer | API ML | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | ### Configure address space job naming diff --git a/docs/user-guide/configuring-security.md b/docs/user-guide/configuring-security.md index d0113aefe7..0302df491c 100644 --- a/docs/user-guide/configuring-security.md +++ b/docs/user-guide/configuring-security.md @@ -2,7 +2,7 @@ During the initial installation of Zowe server-side components, it is necessary for your organization's security administrator to perform a range of tasks that require elevated security permissions. As a security administrator, follow the procedures outlined in this article to configure Zowe and your z/OS system to run Zowe with z/OS. -:::info Required roles: system programmer, security administrator +:::info Required role: security administrator (elevated permissions required) ::: :::note @@ -88,8 +88,12 @@ The following video shows how to locate the `ZWESECUR` JCL member and execute it
+:::tip + +If an error occured in performing security configuration, these configurations can be undone. +
+Click here for details about undoing security configurations. -### Undo security configurations To undo all of the z/OS security configuration steps performed by the JCL member `ZWESECUR`, use the reverse member `ZWENOSEC`. This member contains steps that reverse steps performed by `ZWESECUR`. This is useful in the following situations: @@ -98,6 +102,10 @@ To undo all of the z/OS security configuration steps performed by the JCL member If you run `ZWENOSEC` on a z/OS system, it is necessary to rerun `ZWESECUR` to reinitialize the z/OS security configuration. Zowe cannot be run until `ZWESECUR` is rerun. +
+ +::: + ## Perform APF authorization of load libraries Zowe contains load modules that require access to make privileged z/OS security manager calls. These load modules are held in two load libraries which must be APF authorized. For more information about how to issue the `zwe init apfauth` command to perform APF authority commands, see [Performing APF authorization of load libraries](./apf-authorize-load-library.md). diff --git a/docs/user-guide/initialize-zos-system.md b/docs/user-guide/initialize-zos-system.md index c96f599fe9..0d992d9a3b 100644 --- a/docs/user-guide/initialize-zos-system.md +++ b/docs/user-guide/initialize-zos-system.md 
@@ -23,10 +23,8 @@ Configures the system to launch the Zowe started task. Configures the VSAM files needed if the Caching service is set to VSAM mode. This is not required nor the default, and exists for compatibility. :::info Recommendation: -We recommend you to run these sub commands one by one to clearly see the output of each step. To successfully run `zwe init security`, `zwe init apfauth`, and `zwe init certificate`, it is likely that your organization requires elevated permissions. We recommend you consult with your security administrator to run these commands. For more information about tasks for the security administrator, see the section [Configuring security](./configuring-security.md) in this configuration documentation. +We recommend you to run these sub commands one by one to clearly see the output of each step. To successfully run `zwe init security`, `zwe init apfauth`, and `zwe init certificate`, it is likely that your organization requires elevated permissions. We recommend you consult with your security administrator to run these commands. For more information about tasks for the security administrator, and details about the `zwe init security` command, see the section [Configuring security](./configuring-security.md) in this configuration documentation - -For information about the `zwe init security` command, see [configuring with `zwe init security` command](./initialize-security-configuration.md#configuring-with-zwe-init-security-command). ::: :::tip diff --git a/docs/user-guide/zwe-init-subcommand-overview.md b/docs/user-guide/zwe-init-subcommand-overview.md index 44a6164100..97aae1cdb0 100644 --- a/docs/user-guide/zwe-init-subcommand-overview.md +++ b/docs/user-guide/zwe-init-subcommand-overview.md 
@@ -112,11 +112,14 @@ If Zowe has already been launched on a z/OS system from a previous release of Zo The JCL member `.SZWESAMP(ZWESECUR)` is provided to assist with the security configuration. Before submitting the `ZWESECUR` JCL member, customize this member to match site security rules. For script driven scenarios, you can run the command `zwe init security` which uses `ZWESECUR` as a template to create a customized member in `.CUST.JCLLIB`. This member contains the commands required to perform the security configuration. -For more information about `zwe init security`, see _Configure with `zwe init security` command_ in [Configuring security](./configuring-security.md). +For more information about `zwe init security`, see: + +* _Configure with `zwe init security` command_ in [Configuring security](./configuring-security.md). +* [`zwe init security`](../appendix/zwe_server_command_reference/zwe/init/zwe-init-security.md) in the Reference section. :::tip -To avoid having to run the `init security` command, you can specify the parameter `--security-dry-run`. This parameter enables you to construct a JCL member containing the security commmands without running the member. This is useful for previewing commands and can also be used to copy and paste commands into a TSO command prompt for step by step manual execution. +To avoid having to run the `init security` command, you can specify the flag `--security-dry-run`. This flag enables you to construct a JCL member containing the security commmands without running the member. This is useful for previewing commands and can also be used to copy and paste commands into a TSO command prompt for step by step manual execution. **Example:** 
@@ -153,7 +156,40 @@ Specifies the user custom load library, containing the ZWELNCH, ZWESIS01 and ZWE * **zowe.setup.dataset.authPluginLib** References the load library for ZIS plugins. -For more information about `zwe init apfauth` see [Performing APF authorization of load libraries](./apf-authorize-load-library). +For more information about `zwe init apfauth` see: +* [Performing APF authorization of load libraries](./apf-authorize-load-library). +* [`zwe init apfauth`](../appendix/zwe_server_command_reference/zwe/init/zwe-init-apfauth.md) in the Reference section. + +:::tip + +To avoid having to run the `init apfauth` command, you can specify the flag `--security-dry-run` as in the following example. + +**Example:** + +``` +zwe init apfauth --security-dry-run -c /path/to/zowe.yaml +------------------------------------------------------------------------------- +>> APF authorize load libraries + +APF authorize IBMUSER.ZWEV2.SZWEAUTH +- Dry-run mode, security setup is NOT performed on the system. + Please apply this operator command manually: + + SETPROG APF,ADD,DSNAME=IBMUSER.ZWEV2.SZWEAUTH,SMS + +APF authorize IBMUSER.ZWEV2.CUST.ZWESAPL +- Dry-run mode, security setup is NOT performed on the system. + Please apply this operator command manually: + + SETPROG APF,ADD,DSNAME=IBMUSER.ZWEV2.CUST.ZWESAPL,SMS + + +>> Zowe load libraries are APF authorized successfully. + +``` +For production environments, inform your security administrator to re-submit the `init apfauth` command with proper authorization. + +::: ## Configuring Zowe to use TLS certificates (`zwe init certificate`) 
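Review bot: in the configure-zos-system.md table hunk (@@ -42,16 +42,16), replacing every "?" in the component column with "All components" should be checked row by row rather than applied uniformly. The neighbouring rows attribute identity mapping and SAF IDT to API ML and Application Framework, so the MFA and SSO rows should be confirmed with the component owners before being marked "All components"; and the "Required for TSS only" row now reads as applying to all components while its purpose column says the step is ESM-specific. Where a step concerns the z/OS system rather than a component, a wording such as "Not component specific" would be clearer.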
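Review bot: in the configuring-security.md hunk at @@ -2,7 +2,7, narrowing the required role to "security administrator (elevated permissions required)" sits oddly with the page's "Validate and re-run `zwe init` commands" section, which begins "During installation, the system programmer customizes values in the zowe.yaml file", and with the `zwe init security` instructions kept on this page, which are the system programmer's path. Either keep "system programmer" in the role line or make clear in that section that the system programmer's part is described elsewhere and this page covers only the administrator's part.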
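Review bot: in the hunk at @@ -88,8 +88,12, framing `ZWENOSEC` as error recovery ("If an error occured in performing security configuration, these configurations can be undone") invites running it after a partial `ZWESECUR` failure, but the retained text below says it deletes the Zowe user IDs and that "Zowe cannot be run until `ZWESECUR` is rerun", and its listed use cases are pipeline teardown and decommissioning, not fixing a failed run. Suggest a `:::caution` rather than a `:::tip`, opening with something like "To remove all security definitions created by `ZWESECUR`, for example when tearing down a pipeline environment, use `ZWENOSEC`", and fix "occured" to "occurred". Dropping the `### Undo security configurations` heading also removes its anchor; check for links to `#undo-security-configurations` before merging.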
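Review bot: in the initialize-zos-system.md hunk (@@ -23,10 +23,8), the merged recommendation sentence now ends without a period ("...in this configuration documentation" followed by two blank lines before `:::`). Add the period and drop the blank lines so the admonition closes directly after its text, as the other admonitions in this file do.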
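Review bot: in the zwe-init-subcommand-overview.md hunk at @@ -112,11 +112,14, the tip still says "To avoid having to run the `init security` command, you can specify the flag `--security-dry-run`" and still contains "commmands"; the flag does not avoid running the command, it stops the generated `ZWESECUR` member from being submitted (the example output says "security setup is NOT performed on the system"). Since this hunk already rewrites that sentence (parameter to flag), suggest "To generate the `ZWESECUR` member without submitting it, run `zwe init security` with the `--security-dry-run` flag" and fix the typo. The two new reference bullets are fine.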
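Review bot: in the hunk at @@ -153,7 +156,40, the apfauth tip ends with "inform your security administrator to re-submit the `init apfauth` command with proper authorization", but the example output it shows says "Please apply this operator command manually:" followed by `SETPROG APF,ADD,DSNAME=...`; APF authorization is applied with an operator command, so name the role that actually issues the `SETPROG` commands shown rather than the security administrator, or say who applies them. Also, the example invokes `zwe init apfauth --security-dry-run -c /path/to/zowe.yaml` while the `init security` example uses `-c ./zowe.yaml` before the flag; use one form in both, and trim the two trailing blank lines inside the fence before `>> Zowe load libraries are APF authorized successfully.`. The first bullet links `./apf-authorize-load-library` without `.md` while the second uses `zwe-init-apfauth.md`; pick one link style.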
@@ -164,7 +200,9 @@ Zowe uses digital certificates for secure, encrypted network communication over Zowe supports using either file-based (PKCS12) or z/OS key ring-based (when on z/OS) keystores and truststores, and can reuse compatible stores. You can use the `zwe init certificate` command to create keystores and truststores by either generating certificates or by allowing users to import their own compatible certificates. -For more information, see [Configuring certificates](./configure-certificates). +For more information about `init certificate`, see: +* [Configuring certificates](./configure-certificates). +* [`zwe init certificate`](../appendix/zwe_server_command_reference/zwe/init/zwe-init-certificate.md) in the Reference section. ## Installing Zowe main started tasks (`zwe init stc`) From 55025cbb162aaa974207e78d4b224c98723d2cac Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 18 Nov 2024 16:41:01 +0100 Subject: [PATCH 18/27] change title of Customization of z/OS system Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index b99daa75ed..0eb5044faf 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -1,4 +1,4 @@ -# Security customization of your z/OS system +# Customizing z/OS system security As a security administrator, configure your z/OS system according to the specific features and functionalities you choose to include in your Zowe installation. Review the following article for specific configuration steps that apply to these features and fuctionalities. 
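Review bot: in the hunk at @@ -164,7 +200,9, "For more information about `init certificate`" drops the `zwe` prefix that the surrounding text and the new reference bullet use (`zwe init certificate`); also `./configure-certificates` has no `.md` suffix while the reference bullet uses `zwe-init-certificate.md`, the same inconsistency as in the apfauth hunk. Use `zwe init certificate` and one link style.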
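Review bot: in the PATCH 18/27 hunk at @@ -1,4 +1,4, the H1 becomes "Customizing z/OS system security", but the link text set in configuring-security.md by PATCH 15/27 ("see [Security customization of your z/OS system](./configure-zos-system.md)") still carries the previous title; update that link text in this patch so it matches the page title. While the intro paragraph is in the hunk's context, "fuctionalities" should be "functionalities".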
@@ -10,7 +10,7 @@ As a security administrator, configure your z/OS system according to the specifi Before performing configuration steps specific to your use case, ensure that you meet the z/OS system requirements presented in the section _Preparing for installation_. For detailed information, see [Addressing z/OS requirements](./systemrequirements-zos.md). ::: - - To work with USS, this user ID must have a valid OMVS segment. For more information about OMVS segments, see the - article _The OMVS segment in user profiles_ in the IBM documentation. For detailed information about which permissions - are - required to run Zowe core services as well as specific individual components, see - the [Security Permissions Reference Table](#security-permissions-reference-table) in this article. + components. + * **ZWESIUSR** This user runs the cross memory server (ZIS). This is a started task ID used to run the PROCLIB `ZWESISTC` that - launches the [cross memory server (ZIS)](./configure-xmem-server.md). This started task ID must have a valid OMVS - segment. + launches the [cross memory server (ZIS)](./configure-xmem-server.md). + +:::caution Important! +To work with USS, the user ID must have a valid OMVS segment. For more information about OMVS segments, see the article _The OMVS segment in user profiles_ in the IBM documentation. For detailed information about which permissions are required to run Zowe core services as well as specific individual components, see the [Security Permissions Reference Table](#security-permissions-reference-table) in this article. + +::: The security administrator also assigns permissions to the security group **ZWEADMIN**. `ZWEADMIN` is a group consisting of `ZWESVUSR` and `ZWESIUSR`. This group must have a valid OMVS segment. @@ -92,12 +92,20 @@ You can skip this section if you use Zowe without z/OSMF. Zowe can operate with To grant permissions to the user ID to access z/OSMF, issue the command(s) that corresponds to your ESM. +
+Click here for command details for RACF. + - If you use RACF, issue the following command: ``` CONNECT (userid) GROUP(IZUUSER) ``` +
+ +
+Click here for command details for ACF2. + - If you use ACF2, issue the following commands: ``` @@ -105,12 +113,18 @@ To grant permissions to the user ID to access z/OSMF, issue the command(s) that F ACF2,REBUILD(TGR) ``` +
+ +
+Click here for command details for Top Secret. + - If you use Top Secret, issue the following commands: ``` TSS ADD(userid) PROFILE(IZUUSER) TSS ADD(userid) GROUP(IZUUSRGP) ``` +
## Next step diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index e0eaece83e..372e67b9f7 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -56,7 +56,7 @@ Be sure your z/OS system meets the following prerequisites: ### Configure address space job naming -The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. +The user ID `ZWESVUSR` that is associated with the Zowe started task must have READ permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. :::note This procedure may require security administrator authorization. Consult with your security administrator. @@ -386,7 +386,7 @@ F ACF2,REBUILD(APL) ### Configure address space job naming -The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. +The user ID `ZWESVUSR` that is associated with the Zowe started task must have READ permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. :::note This procedure may require security administrator authorization. Consult with your security administrator. @@ -491,7 +491,7 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups
- * To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: + * To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command according to your ESM:
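Review bot: the hunks at @@ -56,7 and @@ -386,7 in configure-zos-system.md are word-for-word identical, which means the "Configure address space job naming" section (the `BPX.JOBNAME` READ permission for `ZWESVUSR`) exists twice in that file; rather than patching both copies, drop one so the file has a single authoritative section, in the same spirit as the later commit in this series that removes the duplicate from assign-security-permissions-to-users.md.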
@@ -536,7 +536,7 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups ```
-- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: +- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command according to your ESM:
Click here for command details for RACF. @@ -591,7 +591,7 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th ... ``` -If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. +If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. Issue the following commands according to your ESM:
Click here for command details for RACF. @@ -718,7 +718,7 @@ If you use Top Secret, issue the following commands, where `owner-acid` can be I ### Configure main Zowe server to use client certificate identity mapping -This security configuration is necessary for API ML to be able to map client certificate to a z/OS identity. A user running API Gateway must have read access to the SAF resource `IRR.RUSERMAP` in the `FACILITY` class. +This security configuration is necessary for API ML to be able to map client certificate to a z/OS identity. A user running API Gateway must have READ access to the SAF resource `IRR.RUSERMAP` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower use the following configuration steps according to your ESM:
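Review bot: in the @@ -718,7 hunk the rewritten line carries two wording slips over from the context: "map client certificate to a z/OS identity" needs an article ("map a client certificate"), and "For users upgrading from version 1.18 and lower use the following configuration steps" needs a comma after "lower". Since the line is being changed anyway, fix both here.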
@@ -728,12 +728,12 @@ If you use RACF, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify user `ZWESVUSR` has read access. +1. Verify user `ZWESVUSR` has READ access. ``` RLIST FACILITY IRR.RUSERMAP AUTHUSER ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission to READ. ``` PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) ``` @@ -752,13 +752,13 @@ If you use ACF2, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify user `ZWESVUSR` has read access. +1. Verify user `ZWESVUSR` has READ access. ``` SET RESOURCE(FAC) LIST LIKE(IRR-) ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission to READ. ``` RECKEY IRR.RUSERMAP ADD(SERVICE(READ) ROLE(&STCGRP.) ALLOW) ``` @@ -777,11 +777,11 @@ If you use TSS, verify and update permission in `FACILITY` class. **Follow these steps:** -1. Verify user `ZWESVUSR` has read access. +1. Verify user `ZWESVUSR` has READ access. ``` TSS WHOHAS IBMFAC(IRR.RUSERMAP) ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission to READ. ``` TSS PER(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ) ``` @@ -800,7 +800,7 @@ If you use RACF, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify that user `ZWESVUSR` has read access. +1. Verify that user `ZWESVUSR` has READ access. ``` RLIST FACILITY IRR.IDIDMAP.QUERY AUTHUSER ``` diff --git a/docs/user-guide/configuring-security.md b/docs/user-guide/configuring-security.md index 0302df491c..aa84dfe5d2 100644 --- a/docs/user-guide/configuring-security.md +++ b/docs/user-guide/configuring-security.md 
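Review bot: in the @@ -752,13 hunk, step 2 reads "Add user `ZWESVUSR` permission to READ" but the ACF2 command grants `ROLE(&STCGRP.)`, which reads like a ZWESECUR template variable for the started-task group rather than the user; either say the permission goes to the started-task group and tell the reader to substitute the real group name, or show the command in the user form the step describes. In the @@ -728,12 hunk the visible RACF steps end at the PERMIT; if the procedure has no `SETROPTS RACLIST(FACILITY) REFRESH` after it, the permission is not in effect for a RACLISTed FACILITY class (the section removed from assign-security-permissions-to-users.md later in this series includes that refresh step).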
@@ -112,11 +112,11 @@ Zowe contains load modules that require access to make privileged z/OS security ## Customize security of your z/OS system -Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see [Security customization of your z/OS system](./configure-zos-system.md). +Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see [Customizing z/OS system security](./configure-zos-system.md). ## Assign security permissions to users -Assign users (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group permissions required to perform specific tasks. For more information see, [Assign security permissions to users](./assign-security-permissions-to-users.md). +Assign users (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group permissions required to perform specific tasks. For more information see, [Assigning security permissions to users](./assign-security-permissions-to-users.md). ## Zowe Feature specific configuration tasks From 8495cbfc3a210bde386e260cd9e3da68894fa7b6 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Tue, 19 Nov 2024 14:28:32 +0100 Subject: [PATCH 23/27] fix link Signed-off-by: Andrew Jandacek --- docs/user-guide/zos-components-installation-checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/zos-components-installation-checklist.md b/docs/user-guide/zos-components-installation-checklist.md index ded54dccdb..bfdea575b1 100644 --- a/docs/user-guide/zos-components-installation-checklist.md +++ b/docs/user-guide/zos-components-installation-checklist.md 
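Review bot: in the @@ -112,11 hunk the link texts become "Customizing z/OS system security" and "Assigning security permissions to users"; confirm these match the H1 of configure-zos-system.md and assign-security-permissions-to-users.md after this series, otherwise link text and page title diverge again. The retained context "For more information see, [...]" has the comma on the wrong side of "see"; worth fixing while the line is touched.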
@@ -82,7 +82,7 @@ You can configure your system to enable HA. This configuration is not required t | Verification Step | Task | Results | Time Estimate | |----|-----------|----|-------------| | [Verify Zowe Application Framework installation](../user-guide/verify-zowe-runtime-install.md#verifying-zowe-application-framework-installation) | Open the Zowe Desktop from a supported browser | You should be able to open the Zowe Desktop from a supported browser. | 20 minutes| -| [Verify API Mediation installation](../user-guide/verify-zowe-runtime-install.md#verifying-api-mediation-installation) |Use a REST API client to review the value of the status variable of the API Catalog service routed through the API Gateway | See the example presented in Verify API Mediation installation | 15 minutes | +| [Verify API Mediation installation](../user-guide/verify-zowe-runtime-install.md#verifying-api-mediation-layer-installation) |Use a REST API client to review the value of the status variable of the API Catalog service routed through the API Gateway | See the example presented in Verify API Mediation installation | 15 minutes | |[Verify z/OS Services installation](../user-guide/verify-zowe-runtime-install.md#verifying-zos-services-installation) |Zowe z/OS services usually are registered with Zowe APIML Discovery| You should see JSON format data of all jobs running on the system | 15 minutes | From 7c061b77ddf3694de985b4227e919a4e451eeb01 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 21 Nov 2024 10:45:48 +0100 Subject: [PATCH 24/27] remove duplication of COnfiguring address space naming from assign security permissions Signed-off-by: Andrew Jandacek --- .../assign-security-permissions-to-users.md | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/docs/user-guide/assign-security-permissions-to-users.md b/docs/user-guide/assign-security-permissions-to-users.md index a1f0db428e..700ede0f6c 100644 
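Review bot: the @@ -82,7 hunk fixes only the anchor (#verifying-api-mediation-layer-installation); the link text "Verify API Mediation installation" and the Results cell "See the example presented in Verify API Mediation installation" still use the old heading name, so update both to "Verify API Mediation Layer installation" so readers can find the heading being referenced.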
--- a/docs/user-guide/assign-security-permissions-to-users.md +++ b/docs/user-guide/assign-security-permissions-to-users.md @@ -58,25 +58,6 @@ see [zwe init security](../appendix/zwe_server_command_reference/zwe/init/zwe-in | ZSS | CSFSERV | `Multiple` | READ | Generate symmetric keys using ICSF that is used by [Zowe Desktop cookies](./configure-zos-system.md#configure-an-icsf-cryptographic-services-environment). | The list of IDs to enable include `CSF1TRD` , `CSF1TRC` , `CSF1SKE` , `CSF1SKD`. The full list of IDs is described in the z/OS Cryptographic Services user guide for your z/OS release level: [2.2](https://www.ibm.com/docs/en/zos/2.2.0?topic=ssl-racf-csfserv-resource-requirements), [2.3](https://www.ibm.com/docs/en/zos/2.3.0?topic=ssl-racf-csfserv-resource-requirements), [2.4](https://www.ibm.com/docs/en/zos/2.4.0?topic=ssl-racf-csfserv-resource-requirements) and [2.5](https://www.ibm.com/docs/en/zos/2.5.0?topic=ssl-racf-csfserv-resource-requirements). | | | | | | | Cross memory server (ZIS) | FACILITY | `ZWES.IS` | READ | Allow Zowe ZWESLSTC processes to access the Zowe ZIS cross memory server. | This parameter permits the Zowe main server to use ZIS cross memory server. Run the command that applies to your ESM.
• [RACF](https://github.com/zowe/zowe-install-packaging/blob/79527166f34e28c205c5f60bf4b4bb7b630bc6a1/workflows/templates/ZWESECUR.vtl#L329)
• [ACF2](https://github.com/zowe/zowe-install-packaging/blob/79527166f34e28c205c5f60bf4b4bb7b630bc6a1/workflows/templates/ZWESECUR.vtl#L560)
• [Top Secret](https://github.com/zowe/zowe-install-packaging/blob/79527166f34e28c205c5f60bf4b4bb7b630bc6a1/workflows/templates/ZWESECUR.vtl#L780) | - -## Configuring address space job naming - -The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. - -1. To display who is authorized to the profile, issue the following command: -``` -RLIST FACILITY BPX.JOBNAME AUTHUSER -``` - -2. Activate the facility class, permit `BPX.JOBNAME`, and refresh facility class: -``` -SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) -PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ) -SETROPTS RACLIST(FACILITY) REFRESH -``` - -For more information, see [Setting up the UNIX-related FACILITY and SURROGAT class profiles](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxb200/fclass.htm) in the "z/OS UNIX System Services" documentation. - ## Granting users permission to access z/OSMF Each TSO user ID that logs on to Zowe and uses Zowe services that use z/OSMF requires permission to access these z/OSMF services. It is necessary that every user ID be added to the group with the appropriate z/OSMF privileges, `IZUUSER` or `IZUADMIN` (default). From 81677bbfb951b3698c126a7747383837146269f7 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 21 Nov 2024 11:05:58 +0100 Subject: [PATCH 25/27] reformat init commands and remove items that are not applicable Signed-off-by: Andrew Jandacek --- docs/user-guide/zwe-init-subcommand-overview.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/user-guide/zwe-init-subcommand-overview.md b/docs/user-guide/zwe-init-subcommand-overview.md index 9cf0faa2f8..075a006b77 100644 --- a/docs/user-guide/zwe-init-subcommand-overview.md +++ b/docs/user-guide/zwe-init-subcommand-overview.md 
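Review bot: the @@ -58,25 hunk removes the RACF-only "Configuring address space job naming" section together with the `SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)` / `PERMIT BPX.JOBNAME` / `SETROPTS RACLIST(FACILITY) REFRESH` sequence and the IBM "Setting up the UNIX-related FACILITY and SURROGAT class profiles" link; make sure the surviving copy in configure-zos-system.md keeps the refresh step and that reference, since without the refresh the PERMIT does not take effect. The ZIS table row above links ZWESECUR.vtl at a pinned commit (79527166), so those RACF, ACF2 and Top Secret command links will not track later changes to the template.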
@@ -7,13 +7,12 @@ Some of the following `zwe init` subcommands require elevated permissions. See t ::: - [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) -- [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) + - [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) - [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) - [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) - [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) - [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) -- [(Deprecated) Creating VSAM caching service datasets (`zwe init vsam`)](#deprecated-creating-vsam-caching-service-datasets-zwe-init-vsam) -- [Next steps](#next-steps) + ## Initializing Zowe custom data sets (`zwe init mvs`) From 62b388cb882ba413d99b16282baba97c0bf66cf3 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 21 Nov 2024 11:32:20 +0100 Subject: [PATCH 26/27] fix link Signed-off-by: Andrew Jandacek --- docs/getting-started/zowe-high-availability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/zowe-high-availability.md b/docs/getting-started/zowe-high-availability.md index dbc37749d0..adac3adfab 100644 --- a/docs/getting-started/zowe-high-availability.md +++ b/docs/getting-started/zowe-high-availability.md 
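Review bot: the @@ -7,13 hunk removes the "(Deprecated) Creating VSAM caching service datasets (`zwe init vsam`)" and "Next steps" entries from the table of contents only (the commit touches one file, 2 insertions and 3 deletions), so if those sections still exist in the body the TOC is now incomplete rather than the sections gone; either remove the sections in the same change or keep the entries. The indentation change that nests "Procedure to initialize Zowe custom data sets" under the `zwe init mvs` entry is fine.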
@@ -30,7 +30,7 @@ If you are running the Caching Service on z/OS, there are three storage methods - Part of the Caching service - Does not need separate processes - Highly performant -- [VSAM (*deprecated*)](../user-guide/configure-caching-service-ha.md#vsam) +- [VSAM (*deprecated*)](../user-guide/configure-caching-service-ha.md#vsam-deprecated) - Familiar to z/OS engineers - Slow - [Redis](../extend/extend-apiml/api-mediation-redis.md#redis-configuration) From 2342ac8abf267f537fbb78ef99f3d1aa5c0ad50a Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 21 Nov 2024 14:09:48 +0100 Subject: [PATCH 27/27] remove initialize-security-configuration.md. COntent has been moved to parent topic configuring-security Signed-off-by: Andrew Jandacek --- sidebars.js | 1 - 1 file changed, 1 deletion(-) diff --git a/sidebars.js b/sidebars.js index aaad3e4a69..b11c847785 100644 --- a/sidebars.js +++ b/sidebars.js @@ -207,7 +207,6 @@ module.exports = { label: "Configuring security", link: { type: "doc", id: "user-guide/configuring-security" }, items: [ - "user-guide/initialize-security-configuration", "user-guide/apf-authorize-load-library", "user-guide/configure-zos-system", "user-guide/assign-security-permissions-to-users",
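Review bot: the sidebars.js @@ -207,7 hunk only drops "user-guide/initialize-security-configuration" from the sidebar; the commit message says the content moved to configuring-security, but the page itself is not deleted here (1 file changed, 1 deletion), so it remains a built, orphaned document and any inbound links to it are not redirected. Delete the file in the same change or add a redirect, and grep the docs for remaining links to initialize-security-configuration. The zowe-high-availability.md @@ -30,7 anchor fix (#vsam-deprecated) matches the heading name pattern used in the other commits.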