Troubleshooting tip Keeping ZSS secure with TLS #1883 #1946
Open: wants to merge 6 commits into base: master
4 changes: 2 additions & 2 deletions docs/user-guide/cli-usingcli.md
@@ -236,13 +236,13 @@ To access services through API ML using the token in your base profile, specify
The following example illustrates a complete path for a z/OSMF instance registered to API ML. The format of base path can vary based on how API ML is configured at your site:

```
https://myapilayerhost:port/api/v1/zosmf
https://myapilayerhost:port/ibmzosmf/api/v1
```

To access that API ML instance, create a service profile (or issue a command) with the `--base-path` value of `api/v1`. Your service profile uses the token and credentials stored in your default base profile.

```
zowe profiles create zosmf myprofile123 --base-path api/v1 --disable-defaults
zowe profiles create zosmf myprofile123 --base-path ibmzosmf/api/v1 --disable-defaults
```

Commands issued with this profile are routed through the layer to access an appropriate z/OSMF instance.
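Review bot: the unchanged sentence beginning "To access that API ML instance" still tells the reader to use a `--base-path` value of `api/v1`, while the example URL and the `zowe profiles create` command in this hunk now use `ibmzosmf/api/v1`; update that sentence to `ibmzosmf/api/v1` so the prose and the command agree, otherwise a reader who copies the value from the text will be routed to the old path.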
@@ -21,7 +21,7 @@ Review the installation diagram and the high-level instructions in this topic to
</figure>
<map name="home_map1" id="home_map1">
<area href="https://docs.zowe.org/stable/user-guide/installandconfig" target="_blank" alt="Plan and prepare for the installation" title="Plan and prepare for the installation" shape="rect" coords="326, 63, 474, 105" />
<area href="https://docs.zowe.org/stable/user-guide/systemrequirements-zos/" target="_blank" alt="Configure system requirements" title="Configure system requirements" shape="rect" coords="318, 183, 467, 224" />
<area href="https://docs.zowe.org/stable/user-guide/configure-sysplex/#sysplex-environment-requirements" target="_blank" alt="Configure system requirements" title="Configure system requirements" shape="rect" coords="318, 183, 467, 224" />

<area href="https://www.zowe.org/download.html" target="_blank" alt="Download Zowe SMP/E build" title="Download the Zowe SMP/E build from zowe.org" shape="rect" coords="111,327,304,374" />
<area href="https://docs.zowe.org/stable/user-guide/install-zowe-smpe" target="_blank" alt="Install the Zowe SMP/E build using JCLs" title="Install the Zowe SMP/E build using JCLs" shape="rect" coords="20,546,167,610" />
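Review bot: the `<area>` now targets `configure-sysplex/#sysplex-environment-requirements`, but its `alt` and `title` attributes still read "Configure system requirements"; rename them to match the new destination (for example "Sysplex environment requirements") so the image-map label describes where the click actually goes, and confirm that the `#sysplex-environment-requirements` fragment exists in the published configure-sysplex page, since a missing fragment fails silently and just opens the top of the page.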
@@ -49,7 +49,7 @@ Before you start the installation, review the information on hardware and softwa

## Stage 2: Install the Zowe runtime

1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](systemrequirements.md).
1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](configure-sysplex.md#sysplex-environment-requirements).

1. Choose the method of installing Zowe high availability instances on a Sysplex.

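Review bot: the link text "Zowe high availability requirements (host)" no longer matches its target, which is now the "Sysplex environment requirements" section of configure-sysplex.md; rename the link text to the heading it points at, and check that the `#sysplex-environment-requirements` anchor is generated from that heading (the docs toolchain lowercases and hyphenates headings, so the heading must be exactly "Sysplex environment requirements" for the fragment to resolve).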
@@ -452,6 +452,24 @@ The following steps assume you have installed a Zowe runtime instance (which inc

`ZIS status - Ok (name='ZWESIS_MYSRV ', cmsRC=0, description='Ok', clientVersion=2)`


## Keeping ZSS secure with TLS

ZSS log shows message
```
** WARNING: Connection is insecure! TLS needed but not found on socket. **
```

ZSS is a webserver that performs certain system calls for data management and even security. It is important to have a configuration that keeps the network traffic for ZSS secure at all times. When TLS is not active on ZSS, at startup and periodically the warning will be shown. If there is no need for ZSS communication to a client outside the z/OS system, it is possible to make ZSS accessible only internal to z/OS, but if TLS is not activated, the warning will remain.

There are two ways to ensure ZSS has TLS.
The default, when the environment variable ZOWE_ZSS_SERVER_TLS=true is set. This will use the Zowe keystore for TLS certificate management.

AT-TLS, as described here: https://docs.zowe.org/stable/user-guide/mvd-configuration/#configuring-zss-for-https
Note that AT-TLS and ZOWE_ZSS_SERVER_TLS=true are mutually exclusive, but perform the same task of making ZSS use HTTPS.
Contributor:
I would rephrase this to say, "AT-TLS must be disabled if TLS is enabled, and vice versa" instead of "mutually exclusive" just for clarity.


When TLS is enabled, it is fine to have ZSS be externally accessible, but it is still recommended to access it via the API Mediation Layer Gateway for additional benefits such as high availability. When using containers, the Gateway may be external to z/OS, requiring ZSS to be externally accessible.

## Controlling access to applications

You can control which applications are accessible (visible) to all Zowe desktop users, and which are accessible only to individual users. For example, you can make an application that is under development only visible to the team working on it.
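Review bot: the AT-TLS sentence links to the absolute URL https://docs.zowe.org/stable/user-guide/mvd-configuration/#configuring-zss-for-https, which is this same file; use an in-page anchor such as `[Configuring ZSS for HTTPS](#configuring-zss-for-https)` so the link resolves in branch previews and in versioned builds instead of always jumping to `stable`. In the same block, "There are two ways to ensure ZSS has TLS." is followed by "The default, when the environment variable ZOWE_ZSS_SERVER_TLS=true is set." which is a fragment, not a sentence, and leaves it unclear whether the variable is set by default or merely the preferred option; a numbered list of the two options (`ZOWE_ZSS_SERVER_TLS=true`, which uses the Zowe keystore, and AT-TLS) with the variable in backticks would read better, and "mutually exclusive" should become the wording the contributor suggested, "AT-TLS must be disabled if `ZOWE_ZSS_SERVER_TLS=true` is set, and vice versa". Since the tip opens with the `** WARNING: Connection is insecure! ...` message, it should also close by saying how to confirm the fix: the warning no longer appears at ZSS startup once either option is active, which follows from the text's own statement that the warning remains for as long as TLS is not activated.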
@@ -53,9 +53,9 @@ The script `<RUNTIME_DIR>/scripts/utils/zowe-install-xmem.sh -d <dataSetPrefix>

**Example:**

Executing the command `zowe-install-xmem.sh -d MYUSERID.ZWE -a SYS1.PARMLIB -r USER.PROCLIB` copies:
Executing the command `zowe-install-xmem.sh -d MYUSERID.ZWE -a USER.PARMLIB -r USER.PROCLIB` copies:

- the PARMLIB member `MYUSERID.ZWE.SZWESAMP(ZWESIP00)` to `SYS1.PARMLIB(ZWESIP00)`
- the PARMLIB member `MYUSERID.ZWE.SZWESAMP(ZWESIP00)` to `USER.PARMLIB(ZWESIP00)`
- the PROCLIB member `MYUSERID.ZWE.SZWESAMP(ZWESISTC)` to `USER.PROCLIB(ZWESISTC)` and `MYUSERID.ZWESAMP(ZWESASTC)` to `USER.PROCLIB(ZWESASTC)`

The script `zowe-install-xmem.sh` moves and modifies files, but does not perform the steps needed to APF-authorize the PDSE containing the load module `ZWESIS00` and does not enable it to run in key(4) non-swappable. The steps required to do this are described in [Installing and configuring the Zowe cross memory server: APF authorize](configure-xmem-server.md#apf-authorize) and [Installing and configuring the Zowe cross memory server: Key 4 non-swappable](configure-xmem-server.md#key-4-non-swappable).
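Review bot: while the example is being changed from `SYS1.PARMLIB` to `USER.PARMLIB`, the unchanged PROCLIB bullet still names the second source member as `MYUSERID.ZWESAMP(ZWESASTC)`, which does not match the `MYUSERID.ZWE.SZWESAMP(...)` dataset used for the other two members in the same example and implied by the `-d MYUSERID.ZWE` prefix; it looks like a typo for `MYUSERID.ZWE.SZWESAMP(ZWESASTC)` and is worth fixing in the same pass so the example stays copy-pasteable.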