From 704172255f3f8beb8d0b2cdc2f2d74b41c3756dc Mon Sep 17 00:00:00 2001 From: AbhishekJamhoriya Date: Tue, 21 Sep 2021 23:44:22 +0530 Subject: [PATCH 1/6] Fixed bug 1809 --- docs/user-guide/install-ha-sysplex.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/install-ha-sysplex.md b/docs/user-guide/install-ha-sysplex.md index 3e23816c9c..b6a7b30cba 100644 --- a/docs/user-guide/install-ha-sysplex.md +++ b/docs/user-guide/install-ha-sysplex.md @@ -49,7 +49,7 @@ Before you start the installation, review the information on hardware and softwa ## Stage 2: Install the Zowe runtime -1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](systemrequirements.md). +1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](install-ha-sysplex.md). 1. Choose the method of installing Zowe high availability instances on a Sysplex. From 4d2f59152adf7a38e209ce1f38876ae26e970e46 Mon Sep 17 00:00:00 2001 From: AbhishekJamhoriya Date: Thu, 23 Sep 2021 13:17:18 +0530 Subject: [PATCH 2/6] Updating bug 1809 --- docs/user-guide/install-ha-sysplex.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/install-ha-sysplex.md b/docs/user-guide/install-ha-sysplex.md index b6a7b30cba..3887ca3b77 100644 --- a/docs/user-guide/install-ha-sysplex.md +++ b/docs/user-guide/install-ha-sysplex.md 
@@ -49,7 +49,7 @@ Before you start the installation, review the information on hardware and softwa ## Stage 2: Install the Zowe runtime -1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](install-ha-sysplex.md). +1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](configure-sysplex.md#sysplex-environment-requirements). 1. Choose the method of installing Zowe high availability instances on a Sysplex. From 5db219a9737df4d429f65785f0a0d8732f0a2e2c Mon Sep 17 00:00:00 2001 From: AbhishekJamhoriya Date: Mon, 27 Sep 2021 04:33:27 +0530 Subject: [PATCH 3/6] Updated bug 1809 --- docs/user-guide/install-ha-sysplex.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/install-ha-sysplex.md b/docs/user-guide/install-ha-sysplex.md index 3887ca3b77..0d3c578238 100644 --- a/docs/user-guide/install-ha-sysplex.md +++ b/docs/user-guide/install-ha-sysplex.md @@ -21,7 +21,7 @@ Review the installation diagram and the high-level instructions in this topic to Plan and prepare for the installation - Configure system requirements + Configure system requirements Download Zowe SMP/E build Install the Zowe SMP/E build using JCLs From dfa63fea36e74eacbf1ad58debc05b26353d2cf7 Mon Sep 17 00:00:00 2001 From: AbhishekJamhoriya Date: Mon, 27 Sep 2021 19:16:04 +0530 Subject: [PATCH 4/6] Fixed bug #1848(Incorrect basePath for CLI profile to APIML) --- docs/user-guide/cli-usingcli.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/cli-usingcli.md b/docs/user-guide/cli-usingcli.md index dbefff865e..5abb5e8081 100755 --- a/docs/user-guide/cli-usingcli.md +++ b/docs/user-guide/cli-usingcli.md 
@@ -236,13 +236,13 @@ To access services through API ML using the token in your base profile, specify The following example illustrates a complete path for a z/OSMF instance registered to API ML. The format of base path can vary based on how API ML is configured at your site: ``` -https://myapilayerhost:port/api/v1/zosmf +https://myapilayerhost:port/ibmzosmf/api/v1 ``` To access that API ML instance, create a service profile (or issue a command) with the `--base-path` value of `api/v1`. Your service profile uses the token and credentials stored in your default base profile. ``` -zowe profiles create zosmf myprofile123 --base-path api/v1 --disable-defaults +zowe profiles create zosmf myprofile123 --base-path ibmzosmf/api/v1 --disable-defaults ``` Commands issued with this profile are routed through the layer to access an appropriate z/OSMF instance. From 892d934e4a40c49da2ac565b4e5086e904c9d3d8 Mon Sep 17 00:00:00 2001 From: AbhishekJamhoriya Date: Sun, 3 Oct 2021 06:11:01 +0530 Subject: [PATCH 5/6] fixed bug #1620 (Update docs to not reference SYS1 PDS members) --- docs/user-guide/scripted-configure-server.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/scripted-configure-server.md b/docs/user-guide/scripted-configure-server.md index 21adbd4c2e..a68003c13e 100644 --- a/docs/user-guide/scripted-configure-server.md +++ b/docs/user-guide/scripted-configure-server.md 
@@ -53,9 +53,9 @@ The script `/scripts/utils/zowe-install-xmem.sh -d **Example:** - Executing the command `zowe-install-xmem.sh -d MYUSERID.ZWE -a SYS1.PARMLIB -r USER.PROCLIB` copies: + Executing the command `zowe-install-xmem.sh -d MYUSERID.ZWE -a USER.PARMLIB -r USER.PROCLIB` copies: - - the PARMLIB member `MYUSERID.ZWE.SZWESAMP(ZWESIP00)` to `SYS1.PARMLIB(ZWESIP00)` + - the PARMLIB member `MYUSERID.ZWE.SZWESAMP(ZWESIP00)` to `USER.PARMLIB(ZWESIP00)` - the PROCLIB member `MYUSERID.ZWE.SZWESAMP(ZWESISTC)` to `USER.PROCLIB(ZWESISTC)` and `MYUSERID.ZWESAMP(ZWESASTC)` to `USER.PROCLIB(ZWESASTC)` The script `zowe-install-xmem.sh` moves and modifies files, but does not perform the steps needed to APF-authorize the PDSE containing the load module `ZWESIS00` and does not enable it to run in key(4) non-swappable. The steps required to do this are described in [Installing and configuring the Zowe cross memory server: APF authorize](configure-xmem-server.md#apf-authorize) and [Installing and configuring the Zowe cross memory server: Key 4 non-swappable](configure-xmem-server.md#key-4-non-swappable). From 419673b611a5d45552ba035f1956054f456d1fd3 Mon Sep 17 00:00:00 2001 From: AbhishekJamhoriya Date: Sun, 2 Jan 2022 02:15:48 +0530 Subject: [PATCH 6/6] TroubleShooting Keeping ZSS secure with TLS --- docs/user-guide/mvd-configuration.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/user-guide/mvd-configuration.md b/docs/user-guide/mvd-configuration.md index 8e49700bb2..ec4f18a1fb 100644 --- a/docs/user-guide/mvd-configuration.md +++ b/docs/user-guide/mvd-configuration.md 
@@ -452,6 +452,24 @@ The following steps assume you have installed a Zowe runtime instance (which inc `ZIS status - Ok (name='ZWESIS_MYSRV ', cmsRC=0, description='Ok', clientVersion=2)` + +## Keeping ZSS secure with TLS + +ZSS log shows message +``` + ** WARNING: Connection is insecure! TLS needed but not found on socket. ** +``` + +ZSS is a webserver that performs certain system calls for data management and even security. It is important to have a configuration that keeps the network traffic for ZSS secure at all times. When TLS is not active on ZSS, at startup and periodically the warning will be shown. If there is no need for ZSS communication to a client outside the z/OS system, it is possible to make ZSS accessible only internal to z/OS, but if TLS is not activated, the warning will remain. + +There are two ways to ensure ZSS has TLS. +The default, when the environment variable ZOWE_ZSS_SERVER_TLS=true is set. This will use the Zowe keystore for TLS certificate management. + +AT-TLS, as described here: https://docs.zowe.org/stable/user-guide/mvd-configuration/#configuring-zss-for-https +Note that AT-TLS and ZOWE_ZSS_SERVER_TLS=true are mutually exclusive, but perform the same task of making ZSS use HTTPS. + +When TLS is enabled, it is fine to have ZSS be externally accessible, but it is still recommended to access it via the API Mediation Layer Gateway for additional benefits such as high availability. When using containers, the Gateway may be external to z/OS, requiring ZSS to be externally accessible. + ## Controlling access to applications You can control which applications are accessible (visible) to all Zowe desktop users, and which are accessible only to individual users. For example, you can make an application that is under development only visible to the team working on it.
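Review bot: In [PATCH 1/6], the added line in Stage 2 step 1 of docs/user-guide/install-ha-sysplex.md points the "Zowe high availability requirements (host)" link at `install-ha-sysplex.md`, which is the file being edited, so the link leads back to the same page instead of to the requirements. [PATCH 2/6] then retargets the same line to `configure-sysplex.md#sysplex-environment-requirements`. Squashing the two commits would keep the self-link out of the history, and the subject line could name the link being fixed rather than only the bug number.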
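Review bot: In [PATCH 3/6] (hunk at line 21 of docs/user-guide/install-ha-sysplex.md), the removed and added "Configure system requirements" lines read identically as shown, and the subject "Updated bug 1809" does not say what differs. If the change is to markup or a link target on that line, say so in the commit message so the change can be reviewed without diffing the raw file.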
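Review bot: In [PATCH 4/6] (docs/user-guide/cli-usingcli.md), the unchanged sentence between the two edited code blocks still tells the reader to use "the `--base-path` value of `api/v1`", while the example URL and the `zowe profiles create` command now both use `ibmzosmf/api/v1`. Update that sentence to `ibmzosmf/api/v1` in the same hunk so the prose and the command agree; a reader who copies the value from the sentence gets a base path that no longer matches the example URL above it.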
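Review bot: In [PATCH 5/6] (docs/user-guide/scripted-configure-server.md), the PROCLIB bullet left as context still gives the source of `ZWESASTC` as `MYUSERID.ZWESAMP(ZWESASTC)`, whereas the command passes `-d MYUSERID.ZWE` and the other two members are copied from `MYUSERID.ZWE.SZWESAMP`. Since this hunk is already correcting data set names in the example, fix that one as well if it is a typo for `MYUSERID.ZWE.SZWESAMP(ZWESASTC)`.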
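Review bot: In [PATCH 6/6] (new section "Keeping ZSS secure with TLS" in docs/user-guide/mvd-configuration.md), the paragraph that starts "There are two ways to ensure ZSS has TLS." runs the two options together as loose lines, and the AT-TLS option links by absolute URL to `https://docs.zowe.org/stable/user-guide/mvd-configuration/#configuring-zss-for-https`, which is an anchor in the file being edited. Make the two options a list, put `ZOWE_ZSS_SERVER_TLS=true` in backticks and say where the variable is set, and use the relative anchor `#configuring-zss-for-https` so the link follows the docs version being read. The opening "ZSS log shows message" is a fragment and the fence before the warning text is indented by one space; a full sentence such as "The ZSS log shows the following message:" and an unindented fence would match the rest of the page. The text also says ZSS can be made accessible only internally to z/OS without saying how, so either link to that configuration or drop the remark.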