From 143dc24e91442005bfc29fc75b3c1a7169cba291 Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Wed, 9 Oct 2024 15:56:51 -0400 Subject: [PATCH 1/4] Updated advanced configuration for app framework page for v3 Signed-off-by: 1000TurquoisePogs --- docs/user-guide/mvd-configuration.md | 333 +++++++-------------------- docs/user-guide/mvd-using.md | 7 + 2 files changed, 92 insertions(+), 248 deletions(-) diff --git a/docs/user-guide/mvd-configuration.md b/docs/user-guide/mvd-configuration.md index b68b0f4414..b756015616 100644 --- a/docs/user-guide/mvd-configuration.md +++ b/docs/user-guide/mvd-configuration.md @@ -1,4 +1,4 @@ -# Configuring Zowe Application Framework +# Advanced Application Framework Configuration The Zowe Application ("App") Framework is configured in the Zowe configuration file. Configuration can be used to change things such as verbosity of logs, the way in which the App server communicates with the Mediation Layer, how ZSS operates, whether to use HTTPS or AT-TLS, what language the logs should be set, and many more attributes. 
@@ -6,24 +6,6 @@ When you install Zowe™, the App Framework is configured as a Mediation Lay You can modify the Zowe App Server and Zowe System Services (ZSS) configuration, as needed, or configure connections for the Terminal app plugins. -## Accessing the App Server - -When the server is enabled and given a port within [the configuration file](#configuration-file), the App server will print a message ZWED0031I in the log output. At that time, it is ready to accept network communication. When using the API Mediation Layer (recommended), app-server URLs should be reached from the Gateway, and you should additionally wait for the message ZWEAM000I for the Gateway to be ready. - -When Zowe is ready, the app-server can be found at `https://:/zlux/ui/v1` - -(Not recommended): If the API Mediation Layer is not used, or you need to contact the App server directly, the ZWED0031I message states which port it is accessible from, though generally it will be the same value as specified within `components.app-server.port`. In that case, the server would be available at `https://:/` - -### Accessing the Desktop - -The `app-server` should be accessed through the `gateway` when both are present. When both are ready, the Desktop can be accessed from the API Mediation Layer Gateway, such as - -`https://:/zlux/ui/v1/`, which redirects to `https://:/zlux/ui/v1/ZLUX/plugins/org.zowe.zlux.bootstrap/web/index.html`. - -Although you access the App server via the Gateway port, the App server still needs a port assigned to it which is the value of the *components.app-server.port* variable in the Zowe configuration file. - -(Not recommended): If the mediation layer is not used, the Desktop is accessible from the App server directly at `/ZLUX/plugins/org.zowe.zlux.bootstrap/web/index.html`. - ## Accessing ZSS The `zss` server should be accessed through the `gateway` when both are present. When both are ready, ZSS can be accessed from the API Mediation Layer Gateway, such as 
@@ -38,16 +20,12 @@ If the mediation layer is not used, ZSS directly at `https://.port` can be used to set the port for any Zowe server. By default, the following is used but can be overridden: -Both `app-server` and `zss` server components use HTTPS by default, and the `port` parameters `components.app-server.port` and `components.zss.port` control which port they are accessible from. However, each have advanced configuration options to control their HTTPS behavior. +```yaml +components: + app-server: + port: 7556 + zss: + port: 7557 +``` -The `app-server` component configuration can be used to customize its HTTPS connection such as which certificate and ciphers to use, and these parameters are to be set within `components.app-server.node.https` as defined within the [json-schema file](https://github.com/zowe/zlux-app-server/blob/v2.x/staging/schemas/app-server-config.json#L15) +### IP configuration -The `zss` component configuration can be used to customize its HTTPS connection such as which certificate and ciphers to use, and these parameters are to be set within `components.zss.agent.https` as defined within the [json-schema file](https://github.com/zowe/zss/blob/v2.x/staging/schemas/zss-config.json#L81) +By default, all Zowe servers listen on the IP address `0.0.0.0`. This can be customized. +The Zowe YAML property `zowe.network.server.tls.listenAddresses` can be used to instruct both `app-server` and `zss` of which IP to listen on. This property can be nested within each component if it is desired to customize them individually. Alternatively, TCPIP port rules can be used to control the assignment of `0.0.0.0` into a particular alternative IP address. +[You can read more about this in the network requirements page](./address-network-requirements.md). +### AT-TLS -### HTTP +You can instruct Zowe servers to expect TLS using the property `zowe.network.server.tls.attls: true`. This is for setting AT-TLS for all the Zowe servers. 
For more granular control, you can set the following: + +```yaml +components: + app-server: + zowe: + network: + server: + tls: + attls: true + client: + tls: + attls: true +``` -The `app-server` can be configured for HTTP via the `components.app-server.node.http` section of the Zowe configuration file, as specified within the `app-server` [json-schema file](https://github.com/zowe/zlux-app-server/blob/v2.x/staging/schemas/app-server-config.json#L73). +Which would instruct only the `app-server` Component to expect AT-TLS for both inbound and outbound traffic. The same configuration can be done for `zss`, though `zowe.network.server.tls.attls: true` is a simplified way to instruct both servers to expect AT-TLS altogether. [You can read more about this in the Zowe AT-TLS configuration page](./at-tls-configuration.md) -The `zss` server can be configured for HTTP via the `components.zss.agent.http` section of the Zowe configuration file, as specified within the `zss` [json-schema file](https://github.com/zowe/zss/blob/v2.x/staging/schemas/zss-config.json#L99). Note that `components.zss.tls` must be set to false for HTTP to take effect, and that `components.zss.agent.http.attls` must be set to true for AT-TLS to be recognized correctly. +#### AT-TLS Rule Suggestions +The `app-server` and `zss` Components of Zowe are servers that may accept incoming connections from each other, other Zowe servers, and clients outside z/OS such as browsers either directly or indirectly such as when APIML is used. + +Due to this, both Inbound and Outbound direction AT-TLS rules are needed for these servers. +The Inbound rules can be filtered by the listening ports of the servers, but Outbound rules may need to be set by either jobnames or destination ports. + + + +The ports and jobnames can be found in the [Addressing network requirements](./address-network-requirements.md) documentation. 
+ +The Outbound rules can have HandshakeRole of Client, but when APIML is enabled, it is required that `app-server` and `zss` include their server certificates as client certificates using the `CertificateLabel` property of a `TTLSConnectionAdvancedParms` rule. [You can read more about this in the APIML AT-TLS documentation](api-mediation/configuration-at-tls#for-communication-between-api-gateway-and-other-core-services) + +The Inbound rules can have a HandshakeRole of Server or ServerWithClientAuth. + + + +### Native TLS + +The configuration object `zowe.network.server.tls` and `zowe.network.client.tls` can be set to control all Zowe components, or just `app-server` or `zss` but nesting the object within them. This object can control ciphers by listing IANA cipher names, minimum and maximum TLS levels, and for some servers even curves can be customized via a list. + +An example for configuration is given below, but the specification for all options is found [within the Zowe YAML schema](https://github.com/zowe/zowe-install-packaging/blob/fdcdb2618080cf87031c070aed7e90503699ab5f/schemas/zowe-yaml-schema.json#L939) + +```yaml +zowe: + network: + server: + tls: # This sets all servers to default only to use TLSv1.3, with only specific ciphers + minTls: "TLSv1.3" + maxTls: "TLSv1.3" + ciphers: + - "TLS_AES_128_GCM_SHA256" + - "TLS_AES_256_GCM_SHA384" +components: + app-server: + zowe: + network: + client: + tls: # This customizes the app-server specifically to have a different minimum TLS for client requests + minTls: "TLSv1.2" +``` ## Configuration Directories 
@@ -178,29 +218,8 @@ If the directory or file specified cannot be created, the server will run (but i ## ZSS configuration -Running ZSS requires a Zowe configuration file configuration that is similar to the one used for the Zowe App Server (by structure and property names). The attributes that are needed for ZSS (*components.zss*) at minimum, are: *port*, *crossMemoryServerName*. +ZSS provides APIs that any server or client can use. By default, the Zowe Desktop includes Apps which rely upon ZSS APIs, and therefore it's recommended that whenever the `app-server` is enabled in the Zowe YAML, that `zss` is also enabled. -By default, ZSS is configured to use HTTPS with the same certificate information and port specification as the other Zowe services. If you are looking to use AT-TLS instead, then you must set either *zowe.network.server.tls.attls* or *component.zss.zowe.network.tls.attls* to true. - -(Recommended) Example of default ZSS with native TLS: -``` -zss: - enabled: true - port: 7557 - crossMemoryServerName: ZWESIS_STD -``` - -(Not recommended) Example with AT-TLS: -``` -zss: - enabled: true - port: 7557 - crossMemoryServerName: ZWESIS_STD - zowe: - network: - tls: - attls: true -``` ### ZSS 64 or 31 bit modes 
@@ -255,165 +274,6 @@ It is possible that a user specified in this file is also in a group specified i If a user authenticates to ZSS and their user or group is not found in this file, then the default value of 1 hour is used. If this file is missing, Zowe will print a message about it missing, but it does not harm Zowe as the default value of 1 hour would be used for all direct authentications to ZSS. -## Using AT-TLS in the App Framework - -By default, both ZSS and the App server use HTTPS regardless of platform. However, some may wish to use AT-TLS on z/OS as an alternative way to provide HTTPS. -In order to do this, the servers must run in HTTP mode instead, and utilize AT-TLS for HTTPS. **The servers should never use HTTP without AT-TLS, it would be insecure**. -If you want to use AT-TLS, you must have a basic knowledge of your security product and you must have Policy Agent configured. For more information on [AT-TLS](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.halx001/transtls.htm) and [Policy Agent](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.halz002/pbn_pol_agnt.htm), see the [z/OS Knowledge Center](https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2/en/homepage.html). - -There are a few requirements to working with AT-TLS: -* You must have the authority to alter security definitions related to certificate management, and you must be authorized to work with and update the Policy Agent. -* AT-TLS needs a TLS rule and keyring. The next section will cover that information. - -**Note:** Bracketed values below (including the brackets) are variables. Replace them with values relevant to your organization. Always use the same value when substituting a variable that occurs multiple times. - -### Creating AT-TLS certificates and keyring using RACF -In the following commands and examples you will create a root CA certificate and a server certificate signed by it. 
These will be placed within a keyring which is owned by the user that runs the Zowe server. -**Note: These actions can be done for various Zowe servers, but in these examples we set up ZSS for AT-TLS. You can subsitute ZSS for another server if desired.** - - -Key variables: - -| Variable | Value | -| --------- | ------ | -| `[ca_common_name]` | | -| `[ca_label]` | | -| `[server_userid]` | | -| `[server_common_name]` | | -| `[server_label]` | | -| `[ring_name]` | | -| `[output_dataset_name]` | | - -**Note**: -- `[server_userid]` must be the server user ID, such as the STC user. -- `[server_common_name]` must be the z/OS hostname that runs Zowe - -1. Enter the following RACF command to generate a CA certificate: - ``` - RACDCERT CERTAUTH GENCERT + - SUBJECTSDN(CN('[ca_common_name]') + - OU('[organizational_unit]') + - O('[organization_name]') + - L('[locality]') SP('[state_or_province]') C('[country]')) + - KEYUSAGE(CERTSIGN) + - WITHLABEL('[ca_label]') + - NOTAFTER(DATE([yyyy/mm/dd])) + - SIZE(2048) - ``` -2. Enter the follow RACF command to generate a server certificate signed by the CA certificate: - ``` - RACDCERT ID('[server_userid]') GENCERT + - SUBJECTSDN(CN('[common_name]') + - OU('[organizational_unit]') + - O('[organization_name]') + - L('[locality]') SP('[state_or_province]') C('[country]')) + - KEYUSAGE(HANDSHAKE) + - WITHLABEL('[server_label]') + - NOTAFTER(DATE([yyyy/mm/dd])) + - SIZE(2048) + - SIGNWITH(CERTAUTH LABEL('[ca_label]')) - ``` - -3. Enter the following RACF commands to create a key ring and connect the certificates to the key ring: - ``` - RACDCERT ID([server_userid]) ADDRING([ring_name]) - RACDCERT ID([server_userid]) CONNECT(ID([server_userid]) + - LABEL('[server_label]') RING([ring_name]) DEFAULT) - RACDCERT ID([server_userid]) CONNECT(CERTAUTH + - LABEL('[ca_label]') RING([ring_name])) - ``` - -4. 
Enter the following RACF command to refresh the DIGTRING and DIGTCERT classes to activate your changes: - ``` - SETROPTS RACLIST(DIGTRING,DIGTCERT) REFRESH - ``` - -5. Enter the following RACF commands to verify your changes: - ``` - RACDCERT ID([server_userid]) LISTRING([ring_name]) - RACDCERT ID([server_userid]) LISTCHAIN(LABEL(‘[server_label])’) - ``` - -6. Enter the following RACF commands to allow the ZSS server to use the certificates. Only issue the RDEFINE commands if the profiles do not yet exist. - ``` - RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE) - RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) - PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(READ) + - ID([server_userid]) - PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) + - ID([server_userid]) - SETROPTS RACLIST(FACILITY) REFRESH - ``` - -**Note**: These sample commands use the FACILTY class to manage certificate related authorizations. You can also use the RDATALIB class, which offers granular control over the authorizations. - -7. 
Enter the following RACF command to export the CA certificate to a dataset so it can be imported by the Zowe server: - ``` - RACDCERT CERTAUTH EXPORT(LABEL('[ca_label]')) + - DSN('[output_dataset_name]') FORMAT(CERTB64) - ``` - -### Defining the AT-TLS rule -To define the AT-TLS rule, use the sample below to specify values in your AT-TLS Policy Agent Configuration file: - -``` -TTLSRule ATTLS1~ZSS -{ - LocalAddr All - RemoteAddr All - LocalPortRange [zss_port] - Jobname * - Userid * - Direction Inbound - Priority 255 - TTLSGroupActionRef gAct1~ZSS - TTLSEnvironmentActionRef eAct1~ZSS - TTLSConnectionActionRef cAct1~ZSS -} -TTLSGroupAction gAct1~ZSS -{ - TTLSEnabled On - Trace 1 -} -TTLSEnvironmentAction eAct1~ZSS -{ - HandshakeRole Server - EnvironmentUserInstance 0 - TTLSKeyringParmsRef key~ZSS - Trace 1 -} -TTLSConnectionAction cAct1~ZSS -{ - HandshakeRole Server - TTLSCipherParmsRef cipherZSS - TTLSConnectionAdvancedParmsRef cAdv1~ZSS - Trace 1 -} -TTLSConnectionAdvancedParms cAdv1~ZSS -{ - SSLv3 Off - TLSv1 Off - TLSv1.1 Off - TLSv1.2 On - CertificateLabel [personal_label] -} -TTLSKeyringParms key~ZSS -{ - Keyring [ring_name] -} -TTLSCipherParms cipher~ZSS -{ - V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -} -``` - ## Using multiple ZIS instances When you install Zowe, it is ready to be used for 1 instance of each component. However, ZIS can have a one-to-many relationship with the Zowe webservers, and so you may wish to have more than one copy of ZIS for testing or to handle different groups of ZIS plugins. 
@@ -567,13 +427,14 @@ SAF profiles cannot contain more than 246 characters. If the path section of an For information on endpoint URLs, see [Using dataservices with RBAC](../extend/extend-desktop/mvd-dataservices.md#using-dataservices-with-rbac) -## Multi-factor authentication configuration +## Customizing Security Plugins -[Multi-factor authentication](https://www.ibm.com/support/knowledgecenter/SSNR6Z_2.0.0/com.ibm.mfa.v2r0.azfu100/azf_server.htm) is an optional feature for Zowe. +By default, the `app-server` handles security questions by utilizing either the API Mediation Layer, or ZSS, depending on which is present. If the API Mediation Layer is present, it is used to establish an SSO session which ZSS also respects. When RBAC is enabled, ZSS is queried for authorization questions. -The Zowe App Framework, Desktop, and all apps present in the SMP/E or convenience builds support [out-of-band MFA](https://www.ibm.com/support/knowledgecenter/SSNR6Z_2.0.0/com.ibm.mfa.v2r0.azfu100/azf_oobconcepts.htm) by entering an MFA assigned token or passcode into password field of the Desktop login screen, or by accessing the app-server `/auth` REST API endpoint. - -For a list of compatible MFA products, see [Known compatible MFA products](../getting-started/zowe-security-authentication.md#multi-factor-authentication-mfa). +This behavior is performed by an `app-server` security plugin named `sso-auth`. +Security plugins can be installed as part of Zowe extensions, and `app-server` can be customized to prefer them via the Zowe YAML. +Different security plugins could be used to operate in different environments, with different security systems, or with different session characteristics. +For more information, [read the extender's guide on security plugins](../extend/extend-desktop/mvd-authentication-api) ### Session duration and expiration 
@@ -581,38 +442,14 @@ After successful authentication, a Zowe Desktop session is created by authentica The duration of the session is determined by the plugin used. Some plugins are capable of renewing the session prior to expiration, while others may have a fixed session length. -Zowe is bundled with a few of these plugins: - -* **sso-auth**: Uses either ZSS or the API Mediation Layer for authentication, and ZSS for RBAC authorization. This plugin also supports resetting or changing your password via a ZSS API. Whether ZSS or API Mediation Layer or both are used for authentication depends upon SSO settings. Starting with Zowe 1.28.0, SSO is enabled by default such that only API Mediation Layer is called at authentication time. By default, the Mediation Layer calls z/OSMF to answer the authentication request. The session created mirrors the z/OSMF session. - -* **trivial-auth**: This plugin is used for development and testing, as it always returns true for any function. It could be used if there were specific services you did not need authentication for, while you wanted authentication elsewhere. +The session duration and expiration behavior of the default security plugin, `sso-auth`, is determined by API Medation Layer configuration if present, and otherwise upon ZSS configuration. +If API Medation Layer is enabled, by default it will use z/OSMF as the session provider and the session duration will be based upon z/OSMF settings. [You can read more about API Mediation Layer providers here](authentication-providers-for-apiml.md). +If the API Mediation Layer is not enabled, you can [use or customize ZSS's default session duration of one hour](#customizing-zss-session-duration). When a session expires, the credentials used for the initial login are likely to be invalid for re-use, since MFA credentials are often one-time-use or time-based. 
In the Desktop, Apps that you opened prior to expiration will remain open so that your work can resume after entering new credentials. -### Configuration - -When you use the default Zowe SMP/E or convenience build configuration, you do not need to change Zowe to get started with MFA. - -To configure Zowe for MFA with a configuration other than the default, take the following steps: - -1. Choose an App Server security plugin that is compatible with MFA. The [sso-auth](#session-duration-and-expiration) plugin is compatible. -2. Locate the App Server's configuration file in `zowe.yaml`. -3. Edit the configuration file to modify the section `components.app-server.dataserviceAuthentication`. - -4. Set `defaultAuthentication` to the same category as the plugin of choice, as seen in its pluginDefinition.json file. For example: - * **sso-auth**: "saf" - * **trivial-auth**: "fallback" - -The following is an example configuration for `sso-auth`, as seen in a default installation of Zowe: -``` -components: - app-server: - dataserviceAuthentication: - defaultAuthentication: saf -``` - ## Administering the servers and plugins using an API The App Server has a REST API to retrieve and edit both the App Server and ZSS server configuration values, and list, add, update, and delete plugins. Most of the features require RBAC to be enabled and for your user to have RBAC access to utilize these endpoints. For more information see documentation on how to [use RBAC](https://docs.zowe.org/stable/user-guide/mvd-configuration.html#controlling-access-to-dataservices) 
@@ -622,13 +459,13 @@ The API returns the following information in a JSON response: | API | Description | | --------------------------------------------------------- | ------------------------------------------------------------ | | /server (GET) | Returns a list of accessible server endpoints for the Zowe App Server. | -| /server/config (GET) | Returns the Zowe App Server configuration which follows [this specification](https://github.com/zowe/zlux-app-server/blob/v2.x/master/schemas/app-server-config.json). | +| /server/config (GET) | Returns the Zowe App Server configuration which follows [this specification](https://github.com/zowe/zlux-app-server/blob/v3.x/master/schemas/app-server-config.json). | | /server/log (GET) | Returns the contents of the Zowe App Server log file. | | /server/loglevels (GET) | Returns the verbosity levels set in the Zowe App Server logger. | | /server/environment (GET) | Returns Zowe App Server environment information, such as the operating system version, node server version, and process ID. | | /server/reload (GET) | Reloads the Zowe App Server. Only available in cluster mode. | | /server/agent (GET) | Returns a list of accessible server endpoints for the ZSS server. | -| /server/agent/config (GET) | Returns the ZSS server configuration which follows [this specification](https://github.com/zowe/zss/blob/v2.x/staging/schemas/zss-config.json). | +| /server/agent/config (GET) | Returns the ZSS server configuration which follows [this specification](https://github.com/zowe/zss/blob/v3.x/staging/schemas/zss-config.json). | | /server/agent/log (GET) | Returns the contents of the ZSS log file. | | /server/agent/loglevels (GET) | Returns the verbosity levels of the ZSS logger. | | /server/agent/environment (GET) | Returns ZSS environment information. | diff --git a/docs/user-guide/mvd-using.md b/docs/user-guide/mvd-using.md index 0fa07c67a1..1e51ac88d1 100644 --- a/docs/user-guide/mvd-using.md +++ b/docs/user-guide/mvd-using.md 
@@ -2,6 +2,13 @@ You can use the Zowe™ Application Framework to create application plugins for the Zowe Desktop. For more information, see [Extending the Zowe Application Framework](../extend/extend-desktop/mvd-extendingzlux.md). +## Enabling Server Components for the Desktop + +The Zowe Desktop requires the `app-server` Component of Zowe to be enabled. +This is set by default, but can be controlled by the Zowe YAML property `components.app-server.enabled` which should be set to `true`. + +When this server is running, it will print the message `ZWED0031I` when fully ready. + ## Navigating the Zowe Desktop From the Zowe Desktop, you can access Zowe applications. From cc28f66e17f6849e95205d899d7cc6939dc02110 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 10 Oct 2024 12:10:23 +0200 Subject: [PATCH 2/4] add not Signed-off-by: Andrew Jandacek --- docs/user-guide/mvd-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/mvd-configuration.md b/docs/user-guide/mvd-configuration.md index b756015616..900198fde0 100644 --- a/docs/user-guide/mvd-configuration.md +++ b/docs/user-guide/mvd-configuration.md @@ -19,7 +19,7 @@ If the mediation layer is not used, ZSS directly at `https:// The app-server uses the Zowe server configuration file for customizing server behavior. For a full list of parameters, requirements, and descriptions, see [the json-schema document for the app-server](https://github.com/zowe/zlux/blob/v3.x/staging/schemas/zlux-config-schema.json) which describes attributes that can be specified within the configuration file section `components.app-server` ### zss configuration From f6f3a0e610aab896f7222b2963f10be51d79c9d6 Mon Sep 17 00:00:00 2001 From: 1000TurquoisePogs Date: Thu, 10 Oct 2024 17:11:35 +0200 Subject: [PATCH 3/4] Resolved one of a few broken links Signed-off-by: 1000TurquoisePogs --- docs/user-guide/mvd-configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/user-guide/mvd-configuration.md b/docs/user-guide/mvd-configuration.md index 900198fde0..85712c2b1d 100644 --- a/docs/user-guide/mvd-configuration.md +++ b/docs/user-guide/mvd-configuration.md @@ -19,8 +19,8 @@ If the mediation layer is not used, ZSS directly at `https:// -The app-server uses the Zowe server configuration file for customizing server behavior. For a full list of parameters, requirements, and descriptions, see [the json-schema document for the app-server](https://github.com/zowe/zlux/blob/v3.x/staging/schemas/zlux-config-schema.json) which describes attributes that can be specified within the configuration file section `components.app-server` + +The app-server uses the Zowe server configuration file for customizing server behavior. For a full list of parameters, requirements, and descriptions, see [the json-schema document for the app-server](https://github.com/zowe/zlux-app-server/blob/v3.x/staging/schemas/app-server-config.json) which describes attributes that can be specified within the configuration file section `components.app-server` ### zss configuration From 225f7d4c4b1dddf42f792efc1ec0f84e964699cc Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 11 Oct 2024 15:56:57 +0200 Subject: [PATCH 4/4] remove links to mvd-congiration.md#multi-factor-authentication after this section was removed Signed-off-by: Andrew Jandacek --- docs/getting-started/zowe-security-authentication.md | 2 -- docs/user-guide/address-authentication-requirements.md | 2 -- .../api-mediation/using-multi-factor-authentication.md | 2 +- docs/user-guide/configure-zos-system.md | 2 -- 4 files changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/getting-started/zowe-security-authentication.md b/docs/getting-started/zowe-security-authentication.md index 05e0eb23a9..9da8b749db 100644 --- a/docs/getting-started/zowe-security-authentication.md +++ b/docs/getting-started/zowe-security-authentication.md 
@@ -40,8 +40,6 @@ Multi-factor authentication is provided by third-party products which Zowe is co Additionally, Zowe API ML can be configured to accept OIDC/OAuth2 user authentication tokens. In this particular case, MFA support is built into the OIDC provider system. It does not rely on the mainframe MFA technology, but is equally secure. -For details about multi-factor authentication, see [the MFA documentation here](../user-guide/mvd-configuration.md#multi-factor-authentication-configuration). - ## Advanced Authentication Mainframe (AAM) To add a dynamic element to the authentication, you can configure the Advanced Authentication Mainframe to enable multi-factor authentication. For more information about AAM, see the [Advanced Authentication Mainframe documentation](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-advanced-authentication-mainframe/2-0.html). diff --git a/docs/user-guide/address-authentication-requirements.md b/docs/user-guide/address-authentication-requirements.md index 48b2ba06f1..d103010a6a 100644 --- a/docs/user-guide/address-authentication-requirements.md +++ b/docs/user-guide/address-authentication-requirements.md @@ -15,8 +15,6 @@ Multi-factor authentication is provided by third-party products with which Zowe To support the multi-factor authentication, it is necessary to apply z/OSMF APAR [PH39582](https://www.ibm.com/support/pages/apar/PH39582). -For information about using MFA in Zowe Application Framework, see [Application Framework Multi-Factor Authentication](mvd-configuration.md#multi-factor-authentication-configuration). - :::important Multi-factor authentication requires configuration with Single-Sign-On (SSO). Ensure that SSO is configured before you use MFA in Zowe. diff --git a/docs/user-guide/api-mediation/using-multi-factor-authentication.md b/docs/user-guide/api-mediation/using-multi-factor-authentication.md index 021216d115..0b11516171 100644 
--- a/docs/user-guide/api-mediation/using-multi-factor-authentication.md +++ b/docs/user-guide/api-mediation/using-multi-factor-authentication.md @@ -25,7 +25,7 @@ Update the z/OSMF configuration with the following parameter: `allowBasicAuthLookup="false"` After applying this change, each authentication call results in generating a new JWT. -For more information, see [Configuring z/OSMF](../systemrequirements-zosmf.md) to properly work with API ML, and [Multi-factor authentication configuration](../mvd-configuration.md#multi-factor-authentication-configuration) in Configuring Zowe Application Framework. +For more information, see [Configuring z/OSMF](../systemrequirements-zosmf.md) to properly work with API ML. ### No Notification when Additional Input is Required diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index fcb1444021..64ca26a40e 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -703,8 +703,6 @@ Multi-factor authentication is provided by third-party products which Zowe is co :::note Notes * To support the multi-factor authentication, it is necessary to apply z/OSMF APAR [PH39582](https://www.ibm.com/support/pages/apar/PH39582). -* For information on using MFA in Zowe, see [Multi-Factor Authentication](mvd-configuration.md#multi-factor-authentication-configuration). - * MFA must work with Single-Sign-On (SSO). Make sure that [SSO](#single-sign-on-sso) is configured before you use MFA in Zowe. :::
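Review bot: in PATCH 1/4, the new "### AT-TLS" section of mvd-configuration.md shows `attls: true` without the warning that this patch deletes further down ("The servers should never use HTTP without AT-TLS, it would be insecure"). The deleted text also explained that the servers run in HTTP mode and rely on AT-TLS for HTTPS. Please restate that next to the `attls: true` example, and say that the Inbound and Outbound rules from "AT-TLS Rule Suggestions" must be in place for the listening ports before the flag is set. Two smaller points in the same hunk: "but nesting the object within them" should read "by nesting", and the link `api-mediation/configuration-at-tls#for-communication-between-api-gateway-and-other-core-services` has no `./` prefix or `.md` suffix, unlike `./at-tls-configuration.md` a few lines above it.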
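Review bot: in PATCH 1/4, the "## ZSS configuration" hunk (@@ -178,29 +218,8 @@) removes the only statement on this page that `port` and `crossMemoryServerName` are the minimum attributes ZSS needs, along with the `crossMemoryServerName: ZWESIS_STD` example. The replacement paragraph only says to enable `zss` alongside `app-server`. Consider keeping one sentence that names `components.zss.crossMemoryServerName`, or link to the zss schema for it.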
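Review bot: in PATCH 1/4, the hunk that deletes "## Using AT-TLS in the App Framework" (@@ -255,165 +274,6 @@) also removes the RACF keyring procedure, the `IRR.DIGTCERT.LIST` and `IRR.DIGTCERT.LISTRING` permits for the server user ID, and the sample `TTLSRule` that turned SSLv3, TLSv1 and TLSv1.1 off. The new "AT-TLS Rule Suggestions" text mentions `HandshakeRole` and `CertificateLabel` but gives no protocol floor or keyring guidance. Before merging, please confirm that `./at-tls-configuration.md` carries an equivalent sample rule and keyring setup. If it does not, keep a trimmed version here.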
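Review bot: in PATCH 1/4, the new "## Customizing Security Plugins" section says `app-server` "can be customized to prefer them via the Zowe YAML" but never names the property, and the next hunk deletes the only example that did (`components.app-server.dataserviceAuthentication.defaultAuthentication`). Please name the key in this section or confirm the extender's guide documents it. The link `../extend/extend-desktop/mvd-authentication-api` is also missing the `.md` suffix that the neighbouring `../extend/extend-desktop/mvd-dataservices.md#using-dataservices-with-rbac` link uses.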
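Review bot: in PATCH 1/4, the "### Session duration and expiration" hunk (@@ -581,38 +442,14 @@) misspells "API Medation Layer" twice in the added lines. It should be "API Mediation Layer". The hunk also deletes the description of `trivial-auth` ("always returns true for any function"). If that plugin is still bundled, keep a sentence saying it is for development and testing only. The unchanged context line still talks about MFA credentials being one-time-use, but the MFA heading and introduction above it are gone, so a short lead-in explaining why MFA comes up here would help.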
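Review bot: in PATCH 1/4, the new "## Enabling Server Components for the Desktop" section in mvd-using.md has a plural heading but only covers `components.app-server.enabled`. The same patch says in mvd-configuration.md that `zss` should be enabled whenever `app-server` is, so mention `components.zss.enabled` here too. The "Accessing the Desktop" text deleted from mvd-configuration.md also told readers to go through the Gateway and to wait for `ZWEAM000I`. This section keeps only `ZWED0031I`, so either carry the Gateway guidance over or link to where it now lives.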
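Review bot: in PATCH 3/4, the corrected schema link points at `zlux-app-server/blob/v3.x/staging/schemas/app-server-config.json`, while the API table updated in PATCH 1/4 links the same file at `zlux-app-server/blob/v3.x/master/schemas/app-server-config.json`. Pick one branch for both so the two references cannot drift apart. The Native TLS section pins the Zowe YAML schema to a commit hash, which is a third convention worth aligning.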
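Review bot: in PATCH 4/4, the three deleted sentences and the trimmed sentence in using-multi-factor-authentication.md were the only pointers from these pages to how MFA behaves in the Desktop, and they are removed rather than retargeted. PATCH 1/4 keeps `mvd-configuration.md#session-duration-and-expiration`, which still explains that MFA credentials cannot be reused after a session expires, so consider pointing the links there instead. In configure-zos-system.md, deleting the middle bullet leaves its trailing blank context line between the two remaining bullets. Check that the `:::note` list still renders as one list.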