From 0d38ae64257fc62c480496803ecce1fd7cf2908d Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 21 Nov 2024 14:09:48 +0100 Subject: [PATCH 1/2] remove initialize-security-configuration.md. Content has been moved to parent topic configuring-security Signed-off-by: Andrew Jandacek From ac47dee901cfd22ec7372fe03c8ae5f46a45c888 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 22 Nov 2024 17:02:57 +0100 Subject: [PATCH 2/2] apply security doc reorg to v2.18 Signed-off-by: Andrew Jandacek --- .../user-guide/apf-authorize-load-library.md | 6 +- .../user-guide/configure-zos-system.md | 947 +++++++++++------- .../user-guide/configure-zowe-runtime.md | 8 +- .../user-guide/configuring-overview.md | 4 +- .../user-guide/configuring-security.md | 101 +- .../user-guide/initialize-zos-system.md | 2 +- .../user-guide/systemrequirements-zos.md | 4 + .../user-guide/verify-zowe-runtime-install.md | 39 +- .../zos-components-installation-checklist.md | 4 +- .../zwe-init-subcommand-overview.md | 74 +- .../version-v2.18.x-sidebars.json | 1 - 11 files changed, 772 insertions(+), 418 deletions(-) diff --git a/versioned_docs/version-v2.18.x/user-guide/apf-authorize-load-library.md b/versioned_docs/version-v2.18.x/user-guide/apf-authorize-load-library.md index f95c51b891..317be16aaf 100644 --- a/versioned_docs/version-v2.18.x/user-guide/apf-authorize-load-library.md +++ b/versioned_docs/version-v2.18.x/user-guide/apf-authorize-load-library.md 
@@ -27,10 +27,8 @@ APF authorize IBMUSER.ZWEV2.CUST.ZWESAPL #> ``` :::note -If you do not have permissions to update your security configurations, use `security-dry-run`. We recommend you inform your security administrator to review your job content. -::: - -Specify `--security-dry-run` to have the command echo the commands that need to be run without executing the command. +If you do not have permissions to update your security configurations, append the flag `--security-dry-run` to have the command echo the commands that need to be run without executing the command. We recommend you inform your security administrator to review your job content. +::: ``` SETPROG APF,ADD,DSNAME=IBMUSER.ZWEV2.SZWEAUTH,SMS diff --git a/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md b/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md index 9709b347b7..c08ef3f344 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md +++ b/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md 
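Review bot: the merged `:::note` in the apf-authorize-load-library.md hunk removes the only sentence that introduced the `SETPROG APF,ADD,DSNAME=IBMUSER.ZWEV2.SZWEAUTH,SMS` code block, so that block now follows the `:::` closer with no lead-in. Keep a short introducing sentence outside the admonition, for example `With --security-dry-run the command echoes output similar to the following:`, so the fenced example is not orphaned. Correcting the flag spelling from `security-dry-run` to `--security-dry-run` is a good fix.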
@@ -1,51 +1,55 @@ -# Addressing z/OS requirements for Zowe +# Customizing z/OS system security -As a security administrator it is necessary to configure the z/OS system for Zowe. Review the following article to learn about z/OS prerequisites, and z/OS configuration requirements for specific settings. +As a security administrator, configure your z/OS system according to the specific features and functionalities you choose to include in your Zowe installation. Review the following article for specific configuration steps that apply to these features and fuctionalities. :::info Required role: security administrator ::: -## z/OS prerequisites -Be sure your z/OS system meets the following prerequisites: - -- z/OS version is in active support, such as Version 2.3, Version 2.4, Version 2.5 and Version 3.1 +:::note +Before performing configuration steps specific to your use case, ensure that you meet the z/OS system requirements presented in the section _Preparing for installation_. For detailed information, see [Addressing z/OS requirements](./systemrequirements-zos.md). +::: + + Review the following table to determine which configuration steps are required based on your Zowe use case. + +| Purpose | Applicable Zowe Component(s) | Configuration step | +| --- | --- | --- | +| Set the names for the different z/OS UNIX address spaces for the Zowe runtime components.
**Important:** This configuration step is required. | All components | [Configure address space job naming](#configure-address-space-job-naming) | +| To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | Application Framework | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | +| To allow users to log on to the Zowe desktop through impersonation. | Application Framework | [Configure security environment switching](#configure-security-environment-switching) | +| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | All components | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | +| Required to manually create the user ID and groups in your z/OS environment. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md) | All components | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | +| Required to configure the started task ZWESLSTC to run under the correct user ID and group. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| All components | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id). | +| Required to configure the cross memory server for SAF to guard against access by non-privileged clients. Tasks are performed as part of [Zowe runtime configuration](./configure-zowe-runtime.md).| Application Framework | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | +| Required for API Mediation Layer to map a client certificate to a z/OS identity. 
| API ML | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | +| Required for API ML to map the association between a z/OS user ID and a distributed user identity. | API ML | [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | +| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | Application Framework
API ML | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | +| Required for API Mediation Layer to issue SMF records. | API ML | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | +| To use multi-factor authentication (MFA) | All components | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | +| To use Single Sign-On (SSO) | All components | [Single Sign-On (SSO)](#single-sign-on-sso) | +| To use OIDC Authentication with API Mediation Layer | API ML | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | - :::note - z/OS V2.2 reached end of support on 30 September, 2020. For more information, see the z/OS v2.2 lifecycle details [https://www.ibm.com/support/lifecycle/details?q45=Z497063S01245B61](https://www.ibm.com/support/lifecycle/details?q45=Z497063S01245B61). - ::: +### Configure address space job naming -- zFS volume has at least 833 mb of free space for Zowe server components, their keystore, instance configuration files and logs, and third-party plug-ins. +The user ID `ZWESVUSR` that is associated with the Zowe started task must have READ permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. -- (Optional, recommended) z/OS OpenSSH V2.2.0 or later - - Some features of Zowe require SSH, such as the Desktop's SSH terminal. Install and manage Zowe via SSH, as an alternative to OMVS over TN3270. +:::note +This procedure may require security administrator authorization. Consult with your security administrator. +::: -- (Optional, recommended) Parallel Sysplex. - - To deploy Zowe for high availability, a Parallel Sysplex environment is recommended. For more information, see [Configuring Sysplex for high availability](configure-sysplex.md). 
+To display who is authorized to the profile, issue the following command: +``` +RLIST FACILITY BPX.JOBNAME AUTHUSER +``` - ## Settings specific configuration requirements - -Configuration of your z/OS system is dependent on the specific Zowe features and functionalities you would like to employ with your Zowe installation. Review the following table to determine which configuration steps are required based on your Zowe use case. - -| Purpose | Configuration step | -| --- | --- | -| Set the names for the different z/OS UNIX address spaces for the Zowe runtime components.
**Important:** This configuration step is required. | [Configure address space job naming](#configure-address-space-job-naming) | -| To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | -| To allow users to log on to the Zowe desktop through impersonation. | [Configure security environment switching](#configure-security-environment-switching) | -| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | -| Required if you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment. | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | -| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the started task ZWESLSTC to run under the correct user ID and group. | [Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID](#configure-zweslstc-to-run-zowe-high-availability-instances-under-zwesvusr-user-id) | -| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the cross memory server for SAF to guard against access by non-privileged clients. | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | -| Required for API Mediation Layer to map a client certificate to a z/OS identity. | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | -| Required for API ML to map the association between a z/OS user ID and a distributed user identity. 
| [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | -| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | -| Required for API Mediation Layer to issue SMF records. | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | -| To use multi-factor authentication (MFA) | [Multi-Factor Authentication (MFA)](#multi-factor-authentication-mfa) | -| To use Single Sign-On (SSO) | [Single Sign-On (SSO)](#single-sign-on-sso) | -| To use OIDC Authentication with API Mediation Layer | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | +Additionally, you need to activate facility class, permit `BPX.JOBNAME`, and refresh facility class: +``` +SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) +PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ) +SETROPTS RACLIST(FACILITY) REFRESH +``` +For more information, see [Setting up the UNIX-related FACILITY and SURROGAT class profiles](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxb200/fclass.htm) in the "z/OS UNIX System Services" documentation. ### Configure an ICSF cryptographic services environment 
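Review bot: duplicate section in configure-zos-system.md: the @@ -1,51 hunk adds a new `### Configure address space job naming` section directly under the table, but the original section with the same heading is kept further down the file (it is visible as context at the end of the @@ -138,153 hunk, where only its `READ` formatting is changed), so the page would carry the same section twice and the table link `#configure-address-space-job-naming` would resolve to whichever heading id the renderer assigns first. Remove the later copy or drop the new one. Also fix the typo `fuctionalities` in the new intro sentence and the stray leading space before `Review the following table to determine ...`.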
@@ -66,62 +70,78 @@ Define or check the following configurations depending on whether ICSF is alread - Create CKDS, PKDS, TKDS VSAM data sets. - Define and activate the CSFSERV class: - - If you use RACF, issue the following commands: - ``` - RDEFINE CSFSERV profile-name UACC(NONE) - ``` - ``` - PERMIT profile-name CLASS(CSFSERV) ID(tcpip-stackname) ACCESS(READ) - ``` - ``` - PERMIT profile-name CLASS(CSFSERV) ID(userid-list) ... [for - userids IKED, NSSD, and Policy Agent] - ``` - ``` - SETROPTS CLASSACT(CSFSERV) - ``` - ``` - SETROPTS RACLIST(CSFSERV) REFRESH - ``` - - If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): - ``` - SET CONTROL(GSO) - ``` - ``` - INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) - ``` - ``` - F ACF2,REFRESH(CLASMAP) - ``` - ``` - SET RESOURCE(CSF) - ``` - ``` - RECKEY profile-prefix ADD(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW) - ``` - ``` - RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW) - ``` - (repeat for userids IKED, NSSD, and Policy Agent) +
+Click here for command details for RACF. - ``` - F ACF2,REBUILD(CSF) - ``` - - If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): - ``` - TSS ADDTO(owner-acid) RESCLASS(CSFSERV) - ``` - ``` - TSS ADD(owner-acid) CSFSERV(profile-prefix.) - ``` - ``` - TSS PERMIT(tcpip-stackname) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) - ``` - ``` - TSS PERMIT(user-acid) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) - ``` - (repeat for user-acids IKED, NSSD, and Policy Agent) +If you use RACF, issue the following commands: +``` +RDEFINE CSFSERV profile-name UACC(NONE) +``` +``` +PERMIT profile-name CLASS(CSFSERV) ID(tcpip-stackname) ACCESS(READ) +``` +``` +PERMIT profile-name CLASS(CSFSERV) ID(userid-list) ... [for +userids IKED, NSSD, and Policy Agent] +``` +``` +SETROPTS CLASSACT(CSFSERV) +``` +``` +SETROPTS RACLIST(CSFSERV) REFRESH +``` + +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): +``` +SET CONTROL(GSO) +``` +``` +INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) +``` +``` +F ACF2,REFRESH(CLASMAP) +``` +``` +SET RESOURCE(CSF) +``` +``` +RECKEY profile-prefix ADD(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW) +``` +``` +RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW) +``` +(repeat for userids IKED, NSSD, and Policy Agent) + +``` +F ACF2,REBUILD(CSF) +``` + +
+ +
+Click here for command details for Top Secret + +If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): +``` +TSS ADDTO(owner-acid) RESCLASS(CSFSERV) +``` +``` +TSS ADD(owner-acid) CSFSERV(profile-prefix.) +``` +``` +TSS PERMIT(tcpip-stackname) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) +``` +``` +TSS PERMIT(user-acid) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) +``` +(repeat for user-acids IKED, NSSD, and Policy Agent) +
:::note Notes - Determine whether you want SAF authorization checks against `CSFSERV` and set `CSF.CSFSERV.AUTH.CSFRNG.DISABLE` accordingly. @@ -138,153 +158,210 @@ To enable impersonation, you must grant the user ID `ZWESVUSR` associated with t You can issue the following commands first to check whether you already have the impersonation profiles defined as part of another server configuration, such as the FTPD daemon. Review the output to confirm that the two impersonation profiles exist and the user `ZWESVUSR` who runs the Zowe server started task has UPDATE access to both profiles. -- If you use RACF, issue the following commands: - ``` - RLIST FACILITY BPX.SERVER AUTHUSER - ``` - ``` - RLIST FACILITY BPX.DAEMON AUTHUSER - ``` -- If you use Top Secret, issue the following commands: - ``` - TSS WHOHAS IBMFAC(BPX.SERVER) - ``` - ``` - TSS WHOHAS IBMFAC(BPX.DAEMON) - ``` -- If you use ACF2, issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST BPX - ``` +
+Click here for command details for RACF. + +If you use RACF, issue the following commands: +``` +RLIST FACILITY BPX.SERVER AUTHUSER +``` +``` +RLIST FACILITY BPX.DAEMON AUTHUSER +``` + +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, issue the following commands: +``` +TSS WHOHAS IBMFAC(BPX.SERVER) +``` +``` +TSS WHOHAS IBMFAC(BPX.DAEMON) +``` + +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +LIST BPX +``` + +
If the user `ZWESVUSR` who runs the Zowe server started task does not have UPDATE access to both profiles follow the instructions below. -- If you use RACF, complete the following steps: +
+Click here for procedure details for RACF. + +If you use RACF, complete the following steps: - 1. Activate and RACLIST the FACILITY class. This may have already been done on the z/OS environment if another z/OS server has been previously configured to take advantage of the ability to change its security environment, such as the FTPD daemon that is included with z/OS Communications Server TCP/IP services. - ``` - SETROPTS GENERIC(FACILITY) - SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) - ``` - 2. Define the impersonation profiles. This may have already been done on behalf of another server such as the FTPD daemon. - ``` - RDEFINE FACILITY BPX.SERVER UACC(NONE) - ``` - ``` - RDEFINE FACILITY BPX.DAEMON UACC(NONE) - ``` - 3. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. - ``` - PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) - ``` - ``` - PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - - /* Activate these changes */ - - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` - 4. Issue the following commands to check whether permission has been successfully granted: - ``` - RLIST FACILITY BPX.SERVER AUTHUSER - ``` - ``` - RLIST FACILITY BPX.DAEMON AUTHUSER - ``` -- If you use Top Secret, complete the following steps: +1. Activate and RACLIST the FACILITY class. This may have already been done on the z/OS environment if another z/OS server has been previously configured to take advantage of the ability to change its security environment, such as the FTPD daemon that is included with z/OS Communications Server TCP/IP services. + +``` +SETROPTS GENERIC(FACILITY) +SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) +``` +2. Define the impersonation profiles. 
This may have already been done on behalf of another server such as the FTPD daemon. +``` +RDEFINE FACILITY BPX.SERVER UACC(NONE) +``` +``` +RDEFINE FACILITY BPX.DAEMON UACC(NONE) +``` +3. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. +``` +PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) +``` +``` +PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) +``` +where: + +* `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. + +/* Activate these changes */ + +``` +SETROPTS RACLIST(FACILITY) REFRESH +``` +4. Issue the following commands to check whether permission has been successfully granted: + +``` +RLIST FACILITY BPX.SERVER AUTHUSER +``` +``` +RLIST FACILITY BPX.DAEMON AUTHUSER +``` + +
+ +
+Click here for procedure details for Top Secret. + +If you use Top Secret, complete the following steps: - 1. Define the BPX Resource and access for ``. - ``` - TSS ADD(`owner-acid`) IBMFAC(BPX.) - ``` - ``` - TSS PERMIT() IBMFAC(BPX.SERVER) ACCESS(UPDATE) - ``` - ``` - TSS PERMIT() IBMFAC(BPX.DAEMON) ACCESS(UPDATE) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - 2. Issue the following commands and review the output to check whether permission has been successfully granted: - ``` - TSS WHOHAS IBMFAC(BPX.SERVER) - ``` - ``` - TSS WHOHAS IBMFAC(BPX.DAEMON) - ``` -- If you use ACF2, complete the following steps: - 1. Define the BPX Resource and access for ``. - ``` - SET RESOURCE(FAC) - ``` - ``` - RECKEY BPX ADD(SERVER ROLE() SERVICE(UPDATE) ALLOW) - ``` - ``` - RECKEY BPX ADD(DAEMON ROLE() SERVICE(UPDATE) ALLOW) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - ``` - F ACF2,REBUILD(FAC) - ``` - 2. Issue the following commands and review the output to check whether permission has been successfully granted: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST BPX - ``` +1. Define the BPX Resource and access for ``. +``` +TSS ADD(`owner-acid`) IBMFAC(BPX.) +``` +``` +TSS PERMIT() IBMFAC(BPX.SERVER) ACCESS(UPDATE) +``` +``` +TSS PERMIT() IBMFAC(BPX.DAEMON) ACCESS(UPDATE) +``` +where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. + +2. Issue the following commands and review the output to check whether permission has been successfully granted: +``` +TSS WHOHAS IBMFAC(BPX.SERVER) +``` +``` +TSS WHOHAS IBMFAC(BPX.DAEMON) +``` + +
+ +
+Click here for procedure details for ACF2. + +If you use ACF2, complete the following steps: + +1. Define the BPX Resource and access for ``. +``` +SET RESOURCE(FAC) +``` +``` +RECKEY BPX ADD(SERVER ROLE() SERVICE(UPDATE) ALLOW) +``` +``` +RECKEY BPX ADD(DAEMON ROLE() SERVICE(UPDATE) ALLOW) +``` +where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. +``` +F ACF2,REBUILD(FAC) +``` + +2. Issue the following commands and review the output to check whether permission has been successfully granted: +``` +SET RESOURCE(FAC) +``` +``` +LIST BPX +``` + +
+ You must also grant READ access to the OMVSAPPL profile in the APPL class to the Zowe STC user as well as **all other Zowe users** using various Zowe features. Skip the following steps when the OMVSAPPL profile is not defined in your environment. -- If you use RACF, complete the following steps: +
+Click here for procedure details for RACF. - 1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. - ``` - RLIST APPL OMVSAPPL AUTHUSER - ``` +If you use RACF, complete the following steps: - 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - PERMIT OMVSAPPL CLASS(APPL) ID() ACCESS(READ) - SETROPTS RACLIST(APPL) REFRESH - ``` +1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. +``` +RLIST APPL OMVSAPPL AUTHUSER +``` -- If you use Top Secret, complete the following steps: +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +PERMIT OMVSAPPL CLASS(APPL) ID() ACCESS(READ) +SETROPTS RACLIST(APPL) REFRESH +``` - 1. Check if you already have the required access as part of the environment configuration. Skip the following steps if access is already granted. - ``` - TSS WHOHAS APPL(OMVSAPPL) - ``` +
- 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - TSS PERMIT() APPL(OMVSAPPL) - ``` +
+Click here for procedure details for Top Secret. -- If you use ACF2, complete the following steps: +If you use Top Secret, complete the following steps: - 1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. - ``` - SET RESOURCE(APL) - LIST OMVSAAPL - ``` +1. Check if you already have the required access as part of the environment configuration. Skip the following steps if access is already granted. +``` +TSS WHOHAS APPL(OMVSAPPL) +``` - 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - SET RESOURCE(APL) - RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) - F ACF2,REBUILD(APL) - ``` +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +TSS PERMIT() APPL(OMVSAPPL) +``` + +
+ +
+Click here for procedure details for ACF2. + +If you use ACF2, complete the following steps: + +1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. +``` +SET RESOURCE(APL) +LIST OMVSAAPL +``` + +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +SET RESOURCE(APL) +RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) +F ACF2,REBUILD(APL) +``` + +
### Configure address space job naming -The user ID `ZWESVUSR` that is associated with the Zowe started task must have `READ` permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. +The user ID `ZWESVUSR` that is associated with the Zowe started task must have READ permission for the `BPX.JOBNAME` profile in the `FACILITY` class. This is to allow setting of the names for the different z/OS UNIX address spaces for the Zowe runtime components. :::note This procedure may require security administrator authorization. Consult with your security administrator. @@ -352,82 +429,132 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th If you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment, the commands are described below for reference. -- To create the `ZWEADMIN` group, issue the following command: +- To create the `ZWEADMIN` group, issue the following command according to your ESM: - **RACF:** - ``` - ADDGROUP ZWEADMIN OMVS(AUTOGID) - - DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') - ``` - **TSS:** +
+ Click here for command details for RACF. + + **RACF:** + ``` + ADDGROUP ZWEADMIN OMVS(AUTOGID) - + DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') + ``` +
+ +
+ Click here for command details for Top Secret. + + **TSS:** ``` TSS CREATE() TYPE(GROUP) + NAME('ZOWE ADMINISTRATORS') + DEPT() TSS ADD() GID() ``` - **ACF2:** + +
+ +
+ Click here for command details for ACF2. + + **ACF2:** ``` SET PROFILE(GROUP) DIV(OMVS) INSERT AUTOGID F ACF2,REBUILD(GRP),CLASS(P) + ``` -- To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: +
- **RACF:** - ``` - ADDUSER - - NOPASSWORD - - DFLTGRP() - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE SERVER') - - DATA('ZOWE MAIN SERVER') - ``` - **TSS:** - ``` - TSS CREATE() TYPE(USER) PROTECTED + - NAME('ZOWE MAIN SERVER') + - DEPT() - TSS ADD() GROUP() + - DFLTGRP() + - HOME(/tmp) OMVSPGM(/bin/sh) UID() - ``` - **ACF2:** - ``` - SET LID - INSERT STC GROUP() - SET PROFILE(USER) DIV(OMVS) - INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) - F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) - ``` - -- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: - **RACF:** - ``` - ADDUSER - - NOPASSWORD - - DFLTGRP() - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE XMEM SERVER') - - DATA('ZOWE XMEM CROSS MEMORY SERVER') - ``` - **TSS:** - ``` - TSS CREATE() TYPE(USER) PROTECTED + + * To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command according to your ESM: + +
+ + Click here for command details for RACF. + + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE SERVER') - + DATA('ZOWE MAIN SERVER') + ``` +
+ +
+ Click here for command details for Top Secret. + + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + + NAME('ZOWE MAIN SERVER') + + DEPT() + TSS ADD() GROUP() + + DFLTGRP() + + HOME(/tmp) OMVSPGM(/bin/sh) UID() + ``` + +
+ +
+ Click here for command details for ACF2. + + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` +
+ +- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command according to your ESM: + +
+ Click here for command details for RACF. + + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE XMEM SERVER') - + DATA('ZOWE XMEM CROSS MEMORY SERVER') + ``` + +
+ +
+ Click here for command details for Top Secret. + + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + NAME('ZOWE ZIS CROSS MEMORY SERVER') + DEPT() - TSS ADD() GROUP() + + TSS ADD() GROUP() + DFLTGRP() + HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZISUID.) - ``` - **ACF2:** - ``` - SET LID - INSERT STC GROUP() - SET PROFILE(USER) DIV(OMVS) - INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) - F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) - ``` + ``` +
+ +
+ Click here for command details for ACF2. + + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` + +
### Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID @@ -439,27 +566,41 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th ... ``` -If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. +If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. Issue the following commands according to your ESM: -- If you use RACF, issue the following commands: - ``` - RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) - SETROPTS REFRESH RACLIST(STARTED) - ``` +
+Click here for command details for RACF. -- If you use ACF2, issue the following commands: +If you use RACF, issue the following commands: +``` +RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) +SETROPTS REFRESH RACLIST(STARTED) +``` +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands: - ``` - SET CONTROL(GSO) - INSERT STC.ZWESLSTC LOGONID(ZWESVUSR) GROUP(ZWEADMIN) STCID(ZWESLSTC) - F ACF2,REFRESH(STC) - ``` +``` +SET CONTROL(GSO) +INSERT STC.ZWESLSTC LOGONID(ZWESVUSR) GROUP(ZWEADMIN) STCID(ZWESLSTC) +F ACF2,REFRESH(STC) +``` -- If you use Top Secret, issue the following commands: +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, issue the following commands: + +``` +TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) +``` - ``` - TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) - ``` +
### Configure the cross memory server for SAF @@ -474,11 +615,14 @@ If you have run `ZWESECUR` you do not need to perform the steps described in thi If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the cross memory server for SAF. -Activate the FACILITY class, define a `ZWES.IS` profile, and grant READ access to the user ID `ZWESVUSR`. This is the user ID that the main Zowe started task runs under. +Activate the FACILITY class, define a `ZWES.IS` profile, and grant READ access to the user ID `ZWESVUSR`. This is the user ID that the main Zowe started task runs under. -To do this, issue the following commands that are also included in the `ZWESECUR` JCL member. The commands assume that you run the Zowe server under the `ZWESVUSR` user. +To perform these steps, issue the following commands that are also included in the `ZWESECUR` JCL member. The commands assume that you run the Zowe server under the `ZWESVUSR` user. + +
+Click here for command details for RACF. -- If you use RACF, issue the following commands: +If you use RACF, issue the following commands: - To see the current class settings, use: ``` @@ -510,7 +654,12 @@ To do this, issue the following commands that are also included in the `ZWESECUR ``` This shows the user IDs who have access to the `ZWES.IS` class, which should include Zowe's started task user ID with READ access. -- If you use ACF2, issue the following commands: +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands: ``` SET RESOURCE(FAC) @@ -522,7 +671,12 @@ To do this, issue the following commands that are also included in the `ZWESECUR F ACF2,REBUILD(FAC) ``` -- If you use Top Secret, issue the following commands, where `owner-acid` can be IZUSVR or a different ACID: +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, issue the following commands, where `owner-acid` can be IZUSVR or a different ACID: ``` TSS ADD(`owner-acid`) IBMFAC(ZWES.) @@ -530,6 +684,7 @@ To do this, issue the following commands that are also included in the `ZWESECUR ``` TSS PERMIT(ZWESVUSR) IBMFAC(ZWES.IS) ACCESS(READ) ``` +
:::note Notes - The cross memory server treats "no decision" style SAF return codes as failures. If there is no covering profile for the `ZWES.IS` resource in the FACILITY class, the request will be denied. @@ -538,21 +693,22 @@ To do this, issue the following commands that are also included in the `ZWESECUR ### Configure main Zowe server to use client certificate identity mapping -This security configuration is necessary for API ML to be able to map client certificate to a z/OS identity. A user running API Gateway must have read access to the SAF resource `IRR.RUSERMAP` in the `FACILITY` class. -To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower use the following configuration steps. +This security configuration is necessary for API ML to be able to map client certificate to a z/OS identity. A user running API Gateway must have READ access to the SAF resource `IRR.RUSERMAP` in the `FACILITY` class. +To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower use the following configuration steps according to your ESM: -#### Using RACF +
+Click here for procedure details for RACF. If you use RACF, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify user `ZWESVUSR` has read access. +1. Verify user `ZWESVUSR` has READ access. ``` RLIST FACILITY IRR.RUSERMAP AUTHUSER ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission to READ. ``` PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) ``` @@ -562,19 +718,22 @@ If you use RACF, verify and update permission in the `FACILITY` class. SETROPTS RACLIST(FACILITY) REFRESH ``` -#### Using ACF2 +
+ +
+Click here for procedure details for ACF2. If you use ACF2, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify user `ZWESVUSR` has read access. +1. Verify user `ZWESVUSR` has READ access. ``` SET RESOURCE(FAC) LIST LIKE(IRR-) ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission to READ. ``` RECKEY IRR.RUSERMAP ADD(SERVICE(READ) ROLE(&STCGRP.) ALLOW) ``` @@ -584,33 +743,39 @@ If you use ACF2, verify and update permission in the `FACILITY` class. F ACF2,REBUILD(FAC) ``` -#### Using TSS +
+ +
+Click here for procedure details for Top Secret. If you use TSS, verify and update permission in `FACILITY` class. **Follow these steps:** -1. Verify user `ZWESVUSR` has read access. +1. Verify user `ZWESVUSR` has READ access. ``` TSS WHOHAS IBMFAC(IRR.RUSERMAP) ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission to READ. ``` TSS PER(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ) ``` +
+ ### Configure main Zowe server to use distributed identity mapping -This security configuration is necessary for API ML to be able to map the association between a z/OS user ID and a distributed user identity. A user running the API Gateway must have read access to the SAF resource `IRR.IDIDMAP.QUERY` in the `FACILITY` class. -To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.28 and lower, use the following configuration steps. +This security configuration is necessary for API ML to map the association between a z/OS user ID and a distributed user identity. A user running the API Gateway must have READ access to the SAF resource `IRR.IDIDMAP.QUERY` in the `FACILITY` class. +To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.28 and lower, use the following configuration steps according to your ESM: -#### Using RACF +
+Click here for procedure details for RACF. If you use RACF, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify that user `ZWESVUSR` has read access. +1. Verify that user `ZWESVUSR` has READ access. ``` RLIST FACILITY IRR.IDIDMAP.QUERY AUTHUSER ``` @@ -622,7 +787,7 @@ If you use RACF, verify and update permission in the `FACILITY` class. ``` RDEFINE FACILITY IRR.IDIDMAP.QUERY ``` -4. Add user `ZWESVUSR` permission to read. +4. Add user `ZWESVUSR` permission to with READ access. ``` PERMIT IRR.IDIDMAP.QUERY CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) ``` @@ -632,19 +797,22 @@ If you use RACF, verify and update permission in the `FACILITY` class. SETROPTS RACLIST(FACILITY) REFRESH ``` -#### Using ACF2 +
+ +
+Click here for procedure details for ACF2. If you use ACF2, verify and update permission in the `FACILITY` class. **Follow these steps:** -1. Verify that user `ZWESVUSR` has read access. +1. Verify that user `ZWESVUSR` has READ access. ``` SET RESOURCE(FAC) LIST LIKE(IRR-) ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission with READ access. ``` RECKEY IRR.IDIDMAP.QUERY ADD(SERVICE(READ) ROLE(&STCGRP.) ALLOW) ``` @@ -653,95 +821,139 @@ If you use ACF2, verify and update permission in the `FACILITY` class. ``` F ACF2,REBUILD(FAC) ``` +
-#### Using TSS +
+Click here for procedure details for Top Secret. If you use TSS, verify and update permission in `FACILITY` class. **Follow these steps:** -1. Verify that user `ZWESVUSR` has read access. +1. Verify that user `ZWESVUSR` has READ access. ``` TSS WHOHAS IBMFAC(IRR.IDIDMAP.QUERY) ``` -2. Add user `ZWESVUSR` permission to read. +2. Add user `ZWESVUSR` permission with READ access. ``` TSS PER(ZWESVUSR) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ) ``` +
+ ### Configure signed SAF Identity tokens (IDT) -This section provides a brief description of how to configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation layer ([Implement a new SAF IDT provider](../extend/extend-apiml/implement-new-saf-provider.md)) +This section provides a brief description of how to configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API ML. See [Implement a new SAF IDT provider](../extend/extend-apiml/implement-new-saf-provider.md). -Follow these general steps: +**Follow these steps:** -1. Create PKCS#11 token -2. Generate a secret key for the PKCS#11 token (you can use the sample program ZWESECKG in the SZWESAMP dataset) -3. Define a SAF resource profile under the IDTDATA SAF resource class +1. Create a PKCS#11 token. +2. Generate a secret key for the PKCS#11 token (you can use the sample program ZWESECKG in the SZWESAMP dataset). +3. Define a SAF resource profile under the IDTDATA SAF resource class. Details with examples can be found in documentation of external security products: -* **RACF** - **_Signed and Unsigned Identity Tokens_** and **_IDT Configuration_** subsections in _z/OS Security Server RACROUTE Macro Reference_ book, [link](https://www.ibm.com/docs/en/zos/2.4.0?topic=reference-activating-using-idta-parameter-in-racroute-requestverify). -* **Top Secret** - _**Maintain Identity Token (IDT) Records**_ subsection in _Administrating_ chapter, [link](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/maintaining-special-security-records/maintain-identity-token-(idt)-records.html). -* **ACF2** - _**IDTDATA Profile Records**_ subsection in _Administrating_ chapter, [link](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/profile-records/idtdata-profile-records.html). 
+ +* **RACF** +See **_Signed and Unsigned Identity Tokens_** and **_IDT Configuration_** subsections in _z/OS Security Server RACROUTE Macro Reference_ in the article [Activating and using the IDTA parameter in RACROUTE REQUEST=VERIFY](https://www.ibm.com/docs/en/zos/2.4.0?topic=reference-activating-using-idta-parameter-in-racroute-requestverify). + +* **ACF2** +See **_IDTDATA Profile Records_** subsection in _Administrating_ chapter, in the article [IDTDATA Profile Records](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/profile-records/idtdata-profile-records.html). + +* **Top Secret** +See **_Maintain Identity Token (IDT) Records_** subsection in _Administrating_ chapter, in the article [Maintain Identity Token (IDT) Records](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/maintaining-special-security-records/maintain-identity-token-(idt)-records.html). A part of the Signed SAF Identity token configuration is a nontrivial step that has to generate a secret key for the PKCS#11 token. The secret key is generated in ICSF by calling the PKCS#11 Generate Secret Key (CSFPGSK) or Token Record Create (CSFPTRC) callable services. An example of the CSFPGSK callable service can be found in the SZWESAMP dataset as the ZWESECKG job. ### Configure the main Zowe server to issue SMF records -This security configuration is necessary for API ML to be able to issue SMF records. A user running the API Gateway must have _read_ access to the RACF general resource `IRR.RAUDITX` in the `FACILITY` class. +This security configuration is necessary for API ML to be able to issue SMF records. A user running the API Gateway must have READ access to the RACF general resource `IRR.RAUDITX` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. 
For users upgrading from version 1.18 and lower, use the configuration steps that correspond to the ESM. -To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has `READ` access to this profile. +* To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has READ access to this profile. -- If you use RACF, issue the following command: +
+ Click here for command details for RACF. + + If you use RACF, issue the following command: ``` RLIST FACILITY IRR.RAUDITX AUTHUSER ``` -- If you use Top Secret, issue the following command: +
+ +
+ Click here for command details for ACF2. + + If you use ACF2, issue the following commands: + ``` + SET RESOURCE(FAC) + ``` + ``` + LIST LIKE(IRR-) + ``` + +
+ +
+ Click here for command details for Top Secret. + + If you use Top Secret, issue the following command: ``` TSS WHOHAS IBMFAC(IRR.RAUDITX) ``` -- If you use ACF2, issue the following commands: + +
+ +* If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM: + +
+ Click here for procedure details for RACF. + + If you use RACF, update permission in the `FACILITY` class. + + **Follow these steps:** + + 1. Add user `ZWESVUSR` permission to `READ`. + ``` + PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) + ``` + 2. Activate changes. + ``` + SETROPTS RACLIST(FACILITY) REFRESH + ``` + +
+ +
+ Click here for command details for ACF2. + + If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: ``` SET RESOURCE(FAC) ``` ``` - LIST LIKE(IRR-) + RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) + ``` + ``` + F ACF2,REBUILD(FAC) ``` -If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have `READ` access to this profile, follow the procedure that corresponds to your ESM: - -- If you use RACF, update permission in the `FACILITY` class. - - **Follow these steps:** - - 1. Add user `ZWESVUSR` permission to `READ`. - ``` - PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) - ``` - 2. Activate changes. - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` - -- If you use Top Secret, add user `ZWESVUSR` permission to `READ`. Issue the following command: - ``` - TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) - ``` - -- If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) - ``` - ``` - F ACF2,REBUILD(FAC) - ``` - +
+ +
+ Click here for command details for Top Secret. + + If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: + ``` + TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) + ``` + +
+ + + For more information about SMF records, see [SMF records](../user-guide/api-mediation/api-mediation-smf.md) in the Using Zowe API Mediation Layer documentation. + ### Multi-Factor Authentication (MFA) Multi-factor authentication is supported for several components, such as the Desktop and API Mediation Layer. @@ -753,8 +965,6 @@ Multi-factor authentication is provided by third-party products which Zowe is co :::note Notes * To support the multi-factor authentication, it is necessary to apply z/OSMF APAR [PH39582](https://www.ibm.com/support/pages/apar/PH39582). -* For information on using MFA in Zowe, see [Multi-Factor Authentication](mvd-configuration.md#multi-factor-authentication-configuration). - * MFA must work with Single-Sign-On (SSO). Make sure that [SSO](#single-sign-on-sso) is configured before you use MFA in Zowe. ::: @@ -768,5 +978,4 @@ Zowe has an SSO scheme with the goal that each time you use multiple Zowe compon ### API Mediation Layer OIDC Authentication -Zowe requires ACF2 APAR LU01316 to be applied when using the ACF2 security manager. - +Zowe requires ACF2 APAR LU01316 to be applied when using the ACF2 security manager. \ No newline at end of file diff --git a/versioned_docs/version-v2.18.x/user-guide/configure-zowe-runtime.md b/versioned_docs/version-v2.18.x/user-guide/configure-zowe-runtime.md index bc95048b0c..565f3d31bb 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configure-zowe-runtime.md +++ b/versioned_docs/version-v2.18.x/user-guide/configure-zowe-runtime.md 
@@ -10,14 +10,14 @@ Use one of the following options to initialize Zowe z/OS runtime: * Initialize Zowe maunually using zwe init command group * Configure Zowe with z/OSMF workflows -## Initialize Zowe maunually using zwe init command group +## Initialize Zowe manually using zwe init command group After your installation of Zowe runtime, you can run the `zwe init` command to perform the following configurations: * Initialize Zowe with copies of data sets provided with Zowe -* Create user IDs and security manager settings -* Provide APF authorize load libraries -* Configure Zowe to use TLS certificates +* Create user IDs and security manager settings (Security Admin) +* Provide APF authorize load libraries (Security Admin) +* Configure Zowe to use TLS certificates (Security Admin) * Configure VSAM files to run the Zowe caching service used for high availability (HA) * Configure the system to launch the Zowe started task diff --git a/versioned_docs/version-v2.18.x/user-guide/configuring-overview.md b/versioned_docs/version-v2.18.x/user-guide/configuring-overview.md index d2f4ab568c..44654c5947 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configuring-overview.md +++ b/versioned_docs/version-v2.18.x/user-guide/configuring-overview.md 
@@ -23,12 +23,12 @@ To cofigure Zowe runtime, choose from the following options: * **Option 1: Configure Zowe manually using the `zwe init` command group** To run the `zwe init` command, it is necessary to create a Zowe configuration file. For more information about this file, see the [Runtime directory](./installandconfig.md#runtime-directory) which details all of the started tasks in the article _Preparing for installation_. -Once your configuration file is prepared, see [Configuring Zowe with zwe init](./initialize-zos-system.md), for more information about using the `zwe init` command group. + Once your configuration file is prepared, see [Configuring Zowe with zwe init](./initialize-zos-system.md), for more information about using the `zwe init` command group. * **Option 2: Configure Zowe with z/OSMF workflows** You can execute the Zowe configuration workflow either from a PSWI during deployment, or later from a created software instance in z/OSMF. Alternatively, you can execute the configuration workflow z/OSMF during the workflow registration process. -For more information, see [Configure Zowe with z/OSMF Workflows](./configure-zowe-zosmf-workflow.md). + For more information, see [Configure Zowe with z/OSMF Workflows](./configure-zowe-zosmf-workflow.md). ## Configuring the z/OS system for Zowe diff --git a/versioned_docs/version-v2.18.x/user-guide/configuring-security.md b/versioned_docs/version-v2.18.x/user-guide/configuring-security.md index 8f9adc9c77..3a289f64d0 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configuring-security.md +++ b/versioned_docs/version-v2.18.x/user-guide/configuring-security.md 
@@ -2,7 +2,12 @@ During the initial installation of Zowe server-side components, it is necessary for your organization's security administrator to perform a range of tasks that require elevated security permissions. As a security administrator, follow the procedures outlined in this article to configure Zowe and your z/OS system to run Zowe with z/OS. -:::info Required roles: system programmer, security administrator +:::info Required role: security administrator (elevated permissions required) +::: + +:::note +For initial tasks to be performed by the security administrator before Zowe server-side installation, see [Addressing security requirements](./address-security-requirements.md). + ::: ## Validate and re-run `zwe init` commands @@ -11,24 +16,104 @@ During installation, the system programmer customizes values in the zowe.yaml fi ## Initialize Zowe security configurations +This security configuration step is required for first time setup of Zowe and may require security authorization. If Zowe has already been launched on a z/OS system from a previous release of Zowe v2, and the `zwe init security` subcommand successfully ran when initializing the z/OS subsystem, you can skip this step unless told otherwise in the release documentation. + Choose from the following methods to initialize Zowe security configurations: -* Configuring with `zwe init security` -* Configuring with `ZWESECUR` JCL +
+Click here to configure with the `zwe init security` command. + +**Configure with `zwe init security` command** + +The `zwe init security` command reads data from `zowe.yaml` and constructs a JCL member using `ZWESECUR` as a template which is then submitted. This is a convenience step to assist with driving Zowe configuration through a pipeline or when you prefer to use USS commands rather than directly edit and customize JCL members. + +:::note +If you do not have permissions to update your security configurations, use the `security-dry-run` described in the following tip. We recommend you inform your security administrator to review the `ZWESECUR` job content. +::: + +:::tip + +To avoid having to run the `init security` command, you can specify the parameter `--security-dry-run`. This parameter enables you to construct a JCL member containing the security commmands without running the member. This is useful for previewing commands and can also be used to copy and paste commands into a TSO command prompt for step by step manual execution. + +**Example:** + +``` +#>zwe init security -c ./zowe.yaml --security-dry-run +------------------------------------------------------------------------------- +>> Run Zowe security configurations +Modify ZWESECUR +- IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) is prepared +Dry-run mode, security setup is NOT performed on the system. +Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually. +>> Zowe security configurations are applied successfully. +#> +``` +::: + +
+ + + +
+Click here to configure with `ZWESECUR` JCL. + + +**Configure with `ZWESECUR` JCL** -For more information about both of these methods, see [Initialize Zowe security configurations](./initialize-security-configuration.md). +An alternative to using `zwe init security` is to prepare a JCL member to configure the z/OS system, and edit `ZWESECUR` to make changes. + +The JCL allows you to vary which security manager you use by setting the _PRODUCT_ variable to be one of the following ESMs: +* `RACF` +* `ACF2` +* `TSS`. + +**Example:** +``` +// SET PRODUCT=RACF * RACF, ACF2, or TSS +``` + +If `ZWESECUR` encounters an error or a step that has already been performed, it continues to the end, so it can be run repeatedly in a scenario such as a pipeline automating the configuration of a z/OS environment for Zowe installation. + +:::info Important +It is expected that your security administrator will be required to review, edit where necessary, and either execute `ZWESECUR` as a single job, or execute individual TSO commands to complete the security configuration of a z/OS system in preparation for installing and running Zowe. +::: + +The following video shows how to locate the `ZWESECUR` JCL member and execute it. + + + +
+ + +:::tip + +If an error occured in performing security configuration, these configurations can be undone. +
+Click here for details about undoing security configurations. + + +To undo all of the z/OS security configuration steps performed by the JCL member `ZWESECUR`, use the reverse member `ZWENOSEC`. This member contains steps that reverse steps performed by `ZWESECUR`. This is useful in the following situations: + +- You are configuring z/OS systems as part of a build pipeline that you want to undo, and redo configuration and installation of Zowe using automation. +- You configured a z/OS system for Zowe that you no longer want to use, and you prefer to delete the Zowe user IDs and undo the security configuration settings rather than leave them enabled. + +If you run `ZWENOSEC` on a z/OS system, it is necessary to rerun `ZWESECUR` to reinitialize the z/OS security configuration. Zowe cannot be run until `ZWESECUR` is rerun. + +
+ +::: ## Perform APF authorization of load libraries Zowe contains load modules that require access to make privileged z/OS security manager calls. These load modules are held in two load libraries which must be APF authorized. For more information about how to issue the `zwe init apfauth` command to perform APF authority commands, see [Performing APF authorization of load libraries](./apf-authorize-load-library.md). -## Configure the z/OS system for Zowe +## Customize security of your z/OS system -Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see [Configuring the z/OS system for Zowe](./configure-zos-system.md). +Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see [Customizing z/OS system security](./configure-zos-system.md). ## Assign security permissions to users -Assign users (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group permissions required to perform specific tasks. For more information see, [Assign security permissions to users](./assign-security-permissions-to-users.md). +Assign users (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group permissions required to perform specific tasks. For more information see, [Assigning security permissions to users](./assign-security-permissions-to-users.md). ## Zowe Feature specific configuration tasks 
@@ -48,7 +133,7 @@ Depending on the specific Zowe server-side components that your organization is ## Next step -After these aforementioned security configuration steps are completed, the next step is to [install Zowe main started tasks](./zwe-init-subcommand-overview.md#installing-zowe-main-started-tasks-zwe-init-stc). +After Zowe z/OS runtime is initialized, and you complete other procedures in the Configuring security section, the next step is [Configuring certificates](./configure-certificates.md). \ No newline at end of file diff --git a/versioned_docs/version-v2.18.x/user-guide/initialize-zos-system.md b/versioned_docs/version-v2.18.x/user-guide/initialize-zos-system.md index 02006b7959..587b848eea 100644 --- a/versioned_docs/version-v2.18.x/user-guide/initialize-zos-system.md +++ b/versioned_docs/version-v2.18.x/user-guide/initialize-zos-system.md 
@@ -23,7 +23,7 @@ Configures the VSAM files needed to run the Zowe caching service used for high a Configures the system to launch the Zowe started task. :::info Recommendation: -We recommend you to run these sub commands one by one to clearly see the output of each step. To successfully run `zwe init security`, `zwe init apfauth`, and `zwe init certificate`, it is likely that your organization requires elevated permissions. We recommend you consult with your security administrator to run these commands. For more information about tasks for the security administrator, see the section [Configuring security](./configuring-security.md) in this configuration documentation. +We recommend you to run these sub commands one by one to clearly see the output of each step. To successfully run `zwe init security`, `zwe init apfauth`, and `zwe init certificate`, it is likely that your organization requires elevated permissions. We recommend you consult with your security administrator to run these commands. For more information about tasks for the security administrator, and details about the `zwe init security` command, see the section [Configuring security](./configuring-security.md) in this configuration documentation ::: :::tip diff --git a/versioned_docs/version-v2.18.x/user-guide/systemrequirements-zos.md b/versioned_docs/version-v2.18.x/user-guide/systemrequirements-zos.md index 86ade0b307..7a2d8fe15f 100644 --- a/versioned_docs/version-v2.18.x/user-guide/systemrequirements-zos.md +++ b/versioned_docs/version-v2.18.x/user-guide/systemrequirements-zos.md 
@@ -107,3 +107,7 @@ Zowe consumption reference data were measured with the default Zowe configuratio - For production use of Zowe, we recommend configuring z/OSMF to leverage Zowe functionalities that require z/OSMF. For more information, see [Configuring z/OSMF](systemrequirements-zosmf.md). - For non-production use of Zowe (such as development, proof-of-concept, demo), you can customize the configuration of z/OSMF to create **_z/OS MF Lite_** to simplify your setup of z/OSMF. z/OS MF Lite only supports selected REST services (JES, DataSet/File, TSO and Workflow), resulting in considerable improvements in startup time as well as a reduction in steps to set up z/OSMF. For information about how to set up z/OSMF Lite, see [Configuring z/OSMF Lite (non-production environment)](systemrequirements-zosmf-lite.md). ::: + +:::note +For specific z/OS security configuration options that apply to the specific Zowe server-side components in your configuration, see [Customizing z/OS system security](./configure-zos-system.md). +::: \ No newline at end of file diff --git a/versioned_docs/version-v2.18.x/user-guide/verify-zowe-runtime-install.md b/versioned_docs/version-v2.18.x/user-guide/verify-zowe-runtime-install.md index 8af891f364..8c98e29208 100644 --- a/versioned_docs/version-v2.18.x/user-guide/verify-zowe-runtime-install.md +++ b/versioned_docs/version-v2.18.x/user-guide/verify-zowe-runtime-install.md 
@@ -1,9 +1,9 @@ # Verifying Zowe installation on z/OS -After the Zowe™ started task `ZWESLSTC` is running, follow the instructions in the following sections to verify that the components are functional. +After the Zowe™ started task `ZWESLSTC` is running, follow the procedures applicable to your installation to verify that the components are functional. - [Verifying Zowe Application Framework installation](#verifying-zowe-application-framework-installation) -- [Verifying API Mediation installation](#verifying-api-mediation-installation) +- [Verifying API Mediation Layer installation](#verifying-api-mediation-layer-installation) - [Verifying z/OS Services installation](#verifying-zos-services-installation) :::note 
@@ -23,17 +23,19 @@ If the Zowe Application Framework is installed correctly, you can open the Zowe From a supported browser, open the Zowe Desktop at `https://myhost:httpsPort` -where, +where: -- _myHost_ is the host on which you installed the Zowe Application Server. -- _httpsPort_ is the port number value `components.app-server.port` in `zowe.yaml`. For more information, see [Configure component app-server](../appendix/zowe-yaml-configuration#configure-component-app-server). +- **_myHost_** +is the host on which you installed the Zowe Application Server. +- **_httpsPort_** +is the port number value `components.app-server.port` in `zowe.yaml`. For more information, see [Configure component app-server](../appendix/zowe-yaml-configuration#configure-component-app-server). For example, if the Zowe Application Server runs on host _myhost_ and the port number that is assigned to `components.app-server.port` is 12345, you specify `https://myhost:12345`. The web desktop uses page direct to the actual initial page which is `https://myhost:12345/ZLUX/plugins/org.zowe.zlux.bootstrap/web/index.html`. If the redirect fails, try the full URL. If the desktop appears but you are unable to log on, check [Cannot log into the Zowe desktop](../troubleshoot/app-framework/app-troubleshoot.md#cannot-log-in-to-the-zowe-desktop) for troubleshooting tips. -## Verifying API Mediation installation +## Verifying API Mediation Layer installation Use your preferred REST API client to review the value of the status variable of the API Catalog service that is routed through the API Gateway using the following URL: 
@@ -41,29 +43,33 @@ Use your preferred REST API client to review the value of the status variable of https://myhost:httpsPort/apicatalog/api/v1/application/health ``` -where, +where: -- _myHost_ is the host on which you installed the Zowe API Mediation Layer. -- _httpsPort_ is the port number value `zowe.externalPort` in `zowe.yaml`. For more information, see [Domain and port to access Zowe](../appendix/zowe-yaml-configuration#domain-and-port-to-access-zowe). +- **_myHost_** +is the host on which you installed the Zowe API Mediation Layer. +- **_httpsPort_** +is the port number value `zowe.externalPort` in `zowe.yaml`. For more information, see [Domain and port to access Zowe](../appendix/zowe-yaml-configuration#domain-and-port-to-access-zowe). **Example:** -The following example illustrates how to use the **curl** utility to invoke API Mediation Layer endpoint and the **grep** utility to parse out the response status variable value. The `curl` command is a powerful tool used for making HTTP requests from the command line. It allows you to send and receive data from various protocols, including HTTP, HTTPS, FTP, and more. +The following example illustrates how to use the **curl** utility to invoke an API Mediation Layer endpoint and the **grep** utility to parse out the response status variable value. The `curl` command is a powerful tool used for making HTTP requests from the command line. It allows you to send and receive data from various protocols, including HTTP, HTTPS, FTP, and more. ``` $ curl -v -k --silent https://myhost:httpsPort/apicatalog/api/v1/application/health 2>&1 | awk '/"status":"UP"/' | awk -F\" '{print$4;}' UP ``` -- `-v`: The `-v` option stands for "verbose." When you include this option, curl provides more detailed information during the request and response process. It displays additional information such as the request headers, response headers, and other debugging details. +- **`-v`** +The `-v` option stands for "verbose." 
When you include this option, curl provides more detailed information during the request and response process. It displays additional information such as the request headers, response headers, and other debugging details. -- `-k`: The `-k` option stands for "insecure" or "insecure SSL." When you include this option, curl allows insecure connections and bypasses SSL certificate verification. It is useful when making requests to HTTPS URLs with self-signed certificates or when dealing with SSL certificate issues. However, it's important to note that using `-k` removes security checks and may expose you to potential security risks. Exercise caution when using this option, especially in production environments. +- **`-k`** +The `-k` option stands for "insecure" or "insecure SSL." When you include this option, curl allows insecure connections and bypasses SSL certificate verification. It is useful when making requests to HTTPS URLs with self-signed certificates or when dealing with SSL certificate issues. However, it is important to note that using `-k` removes security checks and may expose you to potential security risks. Exercise caution when using this option, especially in production environments. -The response `UP` confirms that API Mediation Layer is installed and is running properly. For more instructions about `curl` command, please see the [tutorial](https://curl.se/docs/manual.html). +The response `UP` confirms that API Mediation Layer is installed and is running properly. For more instructions about `curl` command, see the [tutorial](https://curl.se/docs/manual.html). ## Verifying z/OS Services installation -Zowe z/OS services usually are registered with Zowe APIML Discovery and exposed with certain service url like `//api/v1`. +Zowe z/OS services usually are registered with Zowe API ML Discovery and exposed with a certain service url like `//api/v1`. Here we give an example of verifying `jobs-api` shipped with Zowe. 
Please be aware that `jobs-api` is not enabled by default if you created your Zowe configuration file from `example-zowe.yaml`. To enable `jobs-api`, you need to set `components.jobs-api.enabled` to be `true` and restart Zowe. You can verify the installation of `jobs-api` service from an internet browser by entering the following case-sensitive URL: @@ -71,8 +77,9 @@ Here we give an example of verifying `jobs-api` shipped with Zowe. Please be awa https://hostName:gatewayPort/jobs/api/v1/jobs?prefix=* ``` -where, +where: -`gatewayPort` is the port number that is assigned to `zowe.externalPort` in the `zowe.yaml` file used to launch Zowe. For more information, see [Domain and port to access Zowe](../appendix/zowe-yaml-configuration#domain-and-port-to-access-zowe). +* **`gatewayPort`** +is the port number that is assigned to `zowe.externalPort` in the `zowe.yaml` file used to launch Zowe. For more information, see [Domain and port to access Zowe](../appendix/zowe-yaml-configuration#domain-and-port-to-access-zowe). The above link should prompt you to login. After you input correct user name and password of your target z/OS system, you should see JSON format data of all jobs running on the system. diff --git a/versioned_docs/version-v2.18.x/user-guide/zos-components-installation-checklist.md b/versioned_docs/version-v2.18.x/user-guide/zos-components-installation-checklist.md index 2e3840d970..fb137690f5 100644 --- a/versioned_docs/version-v2.18.x/user-guide/zos-components-installation-checklist.md +++ b/versioned_docs/version-v2.18.x/user-guide/zos-components-installation-checklist.md 
@@ -33,7 +33,7 @@ Configure Zowe and your z/OS system to run Zowe with z/OS. | Task | Results | Time Estimate | |--------------------|----|------| |[Review Configuring security](./configuring-security.md) | Knowledge about which tasks need to be performed by the security administrator. | 10 minutes| -[Initialize Zowe security configurations](./initialize-security-configuration) | The JCL member to configure the z/OS system is created. | 10 minutes | +[Initialize Zowe security configurations](./configuring-security.md) | The JCL member to configure the z/OS system is created. | 10 minutes | [Perform APF authorization of load libraries](./apf-authorize-load-library.md) | APF authorization is granted to load libraries. | 10 minutes | [Address z/OS requirements for Zowe](./configure-zos-system.md) | Your z/OS and security product are configured. | 2 hours | [Assign security permissions to users](./assign-security-permissions-to-users.md) | Zowe user is created and is assigned all required permissions. | 30 minutes | 
@@ -82,7 +82,7 @@ You can configure your system to enable HA. This configuration is not required t | Verification Step | Task | Results | Time Estimate | |----|-----------|----|-------------| | [Verify Zowe Application Framework installation](../user-guide/verify-zowe-runtime-install.md#verifying-zowe-application-framework-installation) | Open the Zowe Desktop from a supported browser | You should be able to open the Zowe Desktop from a supported browser. | 20 minutes| -| [Verify API Mediation installation](../user-guide/verify-zowe-runtime-install.md#verifying-api-mediation-installation) |Use a REST API client to review the value of the status variable of the API Catalog service routed through the API Gateway | See the example presented in Verify API Mediation installation | 15 minutes | +| [Verify API Mediation installation](../user-guide/verify-zowe-runtime-install.md#verifying-api-mediation-layer-installation) |Use a REST API client to review the value of the status variable of the API Catalog service routed through the API Gateway | See the example presented in Verify API Mediation installation | 15 minutes | |[Verify z/OS Services installation](../user-guide/verify-zowe-runtime-install.md#verifying-zos-services-installation) |Zowe z/OS services usually are registered with Zowe APIML Discovery| You should see JSON format data of all jobs running on the system | 15 minutes | diff --git a/versioned_docs/version-v2.18.x/user-guide/zwe-init-subcommand-overview.md b/versioned_docs/version-v2.18.x/user-guide/zwe-init-subcommand-overview.md index 7ded39da9f..62a303484c 100644 --- a/versioned_docs/version-v2.18.x/user-guide/zwe-init-subcommand-overview.md +++ b/versioned_docs/version-v2.18.x/user-guide/zwe-init-subcommand-overview.md 
@@ -6,12 +6,12 @@ Review this article to learn about the individual subcommands executed in `zwe i Some of the following `zwe init` subcommands require elevated permissions. See the required roles associated with each of these commands. ::: -* [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) -* [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) -* [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) -* [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) -* [Creating VSAM caching service datasets (`zwe init vsam`)](#creating-vsam-caching-service-datasets-zwe-init-vsam) -* [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) +- [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) + - [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) +- [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) +- [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) +- [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) +- [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) ## Initializing Zowe custom data sets (`zwe init mvs`) 
@@ -29,7 +29,7 @@ The contents of these data sets represent the original files that were provided For modification and execution, it is necessary to create custom data sets by using the `zwe init mvs` command. For detailed information about this command, see the [`zwe init mvs` command reference](../appendix/zwe_server_command_reference/zwe/init/zwe-init-mvs). -The `zowe.yaml` section that contains the parameters for the data set names is: +The folowing `zowe.yaml` section contains the parameters for the data set names: ```yaml zowe: @@ -84,7 +84,7 @@ Copy components/launcher/bin/zowe_launcher to USER.ZWEV2.SZWEAUTH(ZWELNCH) Successful execution of `zwe init mvs` has the following results: -* In the `zowe.yaml` file, three custom data sets are created that have matching values with the follwoing libraries: +* In the `zowe.yaml` file, three custom data sets are created that have matching values with the following libraries: * `zowe.setup.dataset.parmlib` * `zowe.setup.dataset.jcllib` * `zowe.setup.dataset.authPluginLib`. 
@@ -109,7 +109,31 @@ If Zowe has already been launched on a z/OS system from a previous release of Zo The JCL member `.SZWESAMP(ZWESECUR)` is provided to assist with the security configuration. Before submitting the `ZWESECUR` JCL member, customize this member to match site security rules. For script driven scenarios, you can run the command `zwe init security` which uses `ZWESECUR` as a template to create a customized member in `.CUST.JCLLIB`. This member contains the commands required to perform the security configuration. -For more information about `zwe init security`, see [Initializing Zowe security configurations](./initialize-security-configuration). +For more information about `zwe init security`, see: + +* _Configure with `zwe init security` command_ in [Configuring security](./configuring-security.md). +* [`zwe init security`](../appendix/zwe_server_command_reference/zwe/init/zwe-init-security.md) in the Reference section. + +:::tip + +To avoid having to run the `init security` command, you can specify the flag `--security-dry-run`. This flag enables you to construct a JCL member containing the security commmands without running the member. This is useful for previewing commands and can also be used to copy and paste commands into a TSO command prompt for step by step manual execution. + +**Example:** + +``` +#>zwe init security -c ./zowe.yaml --security-dry-run +------------------------------------------------------------------------------- +>> Run Zowe security configurations +Modify ZWESECUR +- IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) is prepared +Dry-run mode, security setup is NOT performed on the system. +Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually. +>> Zowe security configurations are applied successfully. +#> +``` +For production environments, inform your security administrator to re-submit the `init security` command with proper authorization. + +::: ## Performing APF authorization of load libraries (`zwe init apfauth`) 
@@ -126,7 +150,33 @@ Specifies the user custom load library, containing the ZWELNCH, ZWESIS01 and ZWE * **zowe.setup.dataset.authPluginLib** References the load library for ZIS plugins. -For more information about `zwe init apfauth` see [Performing APF authorization of load libraries](./apf-authorize-load-library). +For more information about `zwe init apfauth` see: +* [Performing APF authorization of load libraries](./apf-authorize-load-library). +* [`zwe init apfauth`](../appendix/zwe_server_command_reference/zwe/init/zwe-init-apfauth.md) in the Reference section. + +:::tip + +To avoid having to run the `init apfauth` command, you can specify the flag `--security-dry-run` as in the following example. + +**Example:** + +``` +zwe init apfauth --security-dry-run -c /path/to/zowe.yaml +------------------------------------------------------------------------------- +>> APF authorize load libraries +APF authorize IBMUSER.ZWEV2.SZWEAUTH +- Dry-run mode, security setup is NOT performed on the system. + Please apply this operator command manually: + SETPROG APF,ADD,DSNAME=IBMUSER.ZWEV2.SZWEAUTH,SMS +APF authorize IBMUSER.ZWEV2.CUST.ZWESAPL +- Dry-run mode, security setup is NOT performed on the system. + Please apply this operator command manually: + SETPROG APF,ADD,DSNAME=IBMUSER.ZWEV2.CUST.ZWESAPL,SMS +>> Zowe load libraries are APF authorized successfully. +``` +For production environments, inform your security administrator to re-submit the `init apfauth` command with proper authorization. + +::: ## Configuring Zowe to use TLS certificates (`zwe init certificate`) 
@@ -137,7 +187,9 @@ Zowe uses digital certificates for secure, encrypted network communication over Zowe supports using either file-based (PKCS12) or z/OS key ring-based (when on z/OS) keystores and truststores, and can reuse compatible stores. You can use the `zwe init certificate` command to create keystores and truststores by either generating certificates or by allowing users to import their own compatible certificates. -For more information, see [Configuring certificates](./configure-certificates). +For more information about `init certificate`, see: +* [Configuring certificates](./configure-certificates). +* [`zwe init certificate`](../appendix/zwe_server_command_reference/zwe/init/zwe-init-certificate.md) in the Reference section. ## Creating VSAM caching service datasets (`zwe init vsam`) diff --git a/versioned_sidebars/version-v2.18.x-sidebars.json b/versioned_sidebars/version-v2.18.x-sidebars.json index fef86e4c45..8c7df5d498 100644 --- a/versioned_sidebars/version-v2.18.x-sidebars.json +++ b/versioned_sidebars/version-v2.18.x-sidebars.json @@ -233,7 +233,6 @@ "id": "user-guide/configuring-security" }, "items": [ - "user-guide/initialize-security-configuration", "user-guide/apf-authorize-load-library", "user-guide/configure-zos-system", "user-guide/assign-security-permissions-to-users"
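Review bot: in the verify-zowe-runtime-install.md hunk at @@ -23, the placeholder is now rendered as **_myHost_** while the unchanged example sentence in the same hunk still reads `on host _myhost_`; align the casing so the two refer to the same name. Since this section is being touched, the context line `The web desktop uses page direct to the actual initial page` would also read better as `The web desktop redirects to the actual initial page`.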
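Review bot: the rewritten sentence in the @@ -41 hunk of verify-zowe-runtime-install.md still says the example uses the **grep** utility, but the command below it pipes through `awk` twice and never calls grep; make the prose and the command agree. In the same hunk the `+` line `exposed with a certain service url like \`//api/v1\`` appears to have lost an angle-bracketed placeholder in front of the slashes (Markdown treats `<...>` as HTML), so restore it inside the backticks or escape it. Finally, because the `-k` bullet correctly states that the option disables certificate verification, one sentence noting that `-k` can be dropped once the Zowe certificate's issuing CA is trusted by the client would keep this verification step from teaching readers to skip TLS checks.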
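Review bot: the @@ -71 hunk in verify-zowe-runtime-install.md introduces a `*` bullet for **`gatewayPort`**, while the two lists rewritten earlier in the same file (`**_myHost_**`, `**_httpsPort_**`) use `-`; use one list marker throughout the page.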
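Review bot: in the zos-components-installation-checklist.md hunk at @@ -33, the `Initialize Zowe security configurations` row now links to the same page as the `Review Configuring security` row directly above it, so both rows land the reader at the top of configuring-security.md; point this row at the section on the `zwe init security` command within that page (the one the zwe-init-subcommand-overview.md change calls _Configure with `zwe init security` command_) so it still leads to the JCL-member task it describes. The rows after the first also lack the leading `|` that the header and first row have; unchanged here, but cheap to fix while the table is being edited.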
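Review bot: in the @@ -82 hunk of zos-components-installation-checklist.md only the anchor was changed to `#verifying-api-mediation-layer-installation`; the link text and the Results cell still say `Verify API Mediation installation`, so rename both to `Verify API Mediation Layer installation` to match the renamed heading. The following unchanged row still says `Zowe APIML Discovery`, which the verify page's hunk rewrote as `API ML`; update it for consistency.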
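Review bot: the @@ -6 hunk in zwe-init-subcommand-overview.md drops the `Creating VSAM caching service datasets (zwe init vsam)` entry from the list of subcommands, yet the `## Creating VSAM caching service datasets (\`zwe init vsam\`)` heading is still in the file (it appears as unchanged context in the @@ -137 hunk), so the in-page list is now incomplete; restore the entry unless the section itself is being removed.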
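Review bot: the rewritten line in the @@ -29 hunk of zwe-init-subcommand-overview.md introduces a typo, `The folowing \`zowe.yaml\` section contains`; it should read `following`.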
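Review bot: the tip added in the @@ -109 hunk opens with `To avoid having to run the \`init security\` command, you can specify the flag \`--security-dry-run\``, but the example that follows runs `zwe init security -c ./zowe.yaml --security-dry-run`; what the flag avoids is applying the security setup, not running the subcommand. Suggest: `To generate the security JCL member without applying it, run \`zwe init security\` with \`--security-dry-run\`.` The same paragraph has `commmands` (three m's). The closing sentence asks the administrator to `re-submit the \`init security\` command`, while the dry-run output itself says `Please submit IBMUSER.ZWEV2.CUST.JCLLIB(ZW134428) manually`; state that the administrator reviews and submits the generated member (or reruns the command with the required authorization) so the two instructions do not conflict.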
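Review bot: the tip in the @@ -126 hunk has the same wording problem: `To avoid having to run the \`init apfauth\` command` contradicts the example, which runs `zwe init apfauth --security-dry-run`; reword to say the flag prints the `SETPROG APF,ADD` operator commands for review instead of issuing them. Two consistency points: this example has no `#>` prompt while the @@ -109 example shows one, and the `For more information about \`zwe init apfauth\` see:` line is not followed by a blank line before the list as it is in the @@ -109 hunk.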
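Review bot: the @@ -137 hunk writes `For more information about \`init certificate\`` while the parallel sentences added at @@ -109 and @@ -126 use the full `zwe init security` and `zwe init apfauth` forms; use `zwe init certificate` here, and add the blank line before the list as in the @@ -109 hunk.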
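Review bot: the version-v2.18.x-sidebars.json hunk removes `user-guide/initialize-security-configuration`, which unpublishes that path for v2.18.x; this patch updates the links in the checklist and the subcommand overview, so check the rest of the versioned docs for remaining references to `initialize-security-configuration` and consider a redirect from the old path to `configuring-security` so bookmarked links keep working.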