Configuring Zowe via JCL
One option to configure Zowe is by directly customizing JCLs. The Zowe Runtime Dataset SZWESAMP contains JCL samples that have templates referencing Zowe YAML parameters. These samples should not be submitted without modification. Samples that are submitted without modification will end unsuccessfully with a JCL ERROR status.
Edit and submit the job SZWESAMP(ZWEGENER) to validate the contents of your zowe.yaml before resolving the JCL templates and placing the resulting JCL into a separate data set created by the job ZWEGENER. The location is specified in zowe.setup.dataset.jcllib.
When the JCL is prepared, you can submit the jobs listed below to perform the corresponding instance configuration actions. In addition to core JCL samples, you can also customize JCL samples for various keyring setup options according to your security manager.
- For sample JCLs corresponding to core tasks, see the table Core Tasks.
- For sample JCLs corresponding to keyring tasks, see the section Keyring Tasks later in this article.
- For JCL samples if you are using VSAM as your storage solution for the Caching service, see the table corresponding to (Deprecated) Caching Service VSAM Task.
Core Tasks
Task | Description | Sample JCL |
---|---|---|
Create Instance Datasets | Purpose: Create datasets for Zowe's PARMLIB content and non-ZFS extension content for a given Zowe Instance. Action: 1) Allocate the PDSE FB80 dataset with at least 15 tracks named from Zowe parameter zowe.setup.dataset.parmlib. 2) Allocate the PDSE FB80 dataset with at least 30 tracks named from Zowe parameter zowe.setup.dataset.authPluginLib. 3) Copy the member ZWESIP00 from zowe.setup.dataset.prefix.SZWESAMP into zowe.setup.dataset.parmlib. | ZWEIMVS |
APF Authorize privileged content | Purpose: The majority of Zowe is unprivileged code running in Key 8. Zowe relies on a single component called ZIS to own all of the privileged code logic. The load library for the ZIS component and its extension library must be set as APF authorized and run in Key 4 to use ZIS and components that depend upon it. Action: 1) APF authorize the datasets defined at zowe.setup.dataset.authLoadlib and zowe.setup.dataset.authPluginLib. 2) Define PPT entries for the members ZWESIS01 and ZWESAUX as Key 4, NOSWAP in the SCHEDxx member of the system PARMLIB. | ZWEIAPF |
Grant SAF permissions | Purpose: The STC accounts for Zowe need permissions for operating servers, and users need permissions for interacting with the servers. Action: Set SAF permissions for accounts. | RACF: ZWEIRAC TSS: ZWEITSS ACF2: ZWEIACF |
(z/OS v2.4 ONLY) Create Zowe SAF Resource Class | On z/OS v2.4, the SAF resource class for Zowe is not included, and must be created. This step is not needed on z/OS v2.5 and later versions. | RACF: ZWEIRACZ TSS: ZWEITSSZ ACF2: ZWEIACFZ |
Copy STC JCL to PROCLIB | Purpose: The job ZWESLSTC runs Zowe's webservers. The job ZWESISTC runs the APF authorized cross-memory server. The job ZWESASTC is started by ZWESISTC on an as-needed basis. Action: Copy the members ZWESLSTC, ZWESISTC, and ZWESASTC into your desired PROCLIB. If the job names are customized, also modify their YAML values in zowe.setup.security.stcs. | ZWEISTC |
Keyring Tasks
Certificate requirements
Ensure that your Zowe keyring has the following elements:
- Private key & certificate pair: The Zowe Servers will use this certificate. Ensure that the certificate either does not have the Extended Key Usage attribute, or alternatively, that the certificate does have Extended Key Usage with both Server Authorization and Client Authorization values. For more information about extended key usage, see Extended key usage heading in the article Configuring certificates.
- Certificate Authorities: Every intermediate and root Certificate Authority (CA) that Zowe interacts with must be within the keyring, unless the zowe.yaml value zowe.verifyCertificates is set to DISABLED. CAs that must be within the keyring include z/OSMF's CAs if using z/OSMF, and Zowe's own certificate's CAs, as Zowe servers must be able to verify each other.
There are four options for setting up keyrings: Three scenarios presented in the following table include JCL samples where a keyring is created for you. If you already have a keyring, you can configure Zowe to use this keyring by configuring zowe.yaml values within zowe.certificate according to the following example:
```yaml
zowe:
  certificate:
    keystore:
      type: JCERACFKS
      file: "safkeyring://<STC Account Name>/<Ring Name>"
      alias: "<Name of your certificate>"
      password: "password" # Literally "password". Keyrings do not use passwords, so this is a placeholder.
    truststore:
      type: JCERACFKS
      file: "safkeyring://<STC Account Name>/<Ring Name>"
      password: "password" # Literally "password". Keyrings do not use passwords, so this is a placeholder.
```
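The certificate requirements and keyring settings above can be checked before the servers are started. The following is an added example, not part of Zowe or its documentation: the function and sample names are hypothetical, `serverAuth` and `clientAuth` are the standard short names for the Server Authorization and Client Authorization usages, the input is an already-parsed `zowe:` mapping, and the account, ring and alias values are constructed.

```python
import re

# Form shown on the page: safkeyring://<STC Account Name>/<Ring Name>
SAF_URI = re.compile(r"^safkeyring://([^/<>\s]+)/([^/<>\s]+)$")
REQUIRED_EKU = {"serverAuth", "clientAuth"}  # Server and Client Authorization


def lint_keyring_config(zowe, eku):
    """Return findings for the `zowe:` mapping of a parsed zowe.yaml.

    eku: set of EKU names on the server certificate, or None when the
    certificate carries no Extended Key Usage extension at all.
    """
    findings = []
    cert = zowe.get("certificate", {})
    for name in ("keystore", "truststore"):
        store = cert.get(name, {})
        if store.get("type") != "JCERACFKS":
            continue  # only the keyring type shown on the page is checked
        if not SAF_URI.match(store.get("file", "")):
            findings.append(f"{name}.file is not safkeyring://<owner>/<ring>")
    alias = cert.get("keystore", {}).get("alias", "")
    if not alias or "<" in alias:
        findings.append("keystore.alias is missing or still a placeholder")
    # No EKU at all is acceptable; a present EKU must carry both usages.
    if eku is not None and not REQUIRED_EKU <= set(eku):
        missing = ", ".join(sorted(REQUIRED_EKU - set(eku)))
        findings.append(f"certificate EKU is present but lacks: {missing}")
    if str(zowe.get("verifyCertificates", "")).upper() == "DISABLED":
        findings.append("verifyCertificates is DISABLED: peer certificates "
                        "are not validated against the keyring CAs")
    return findings


def sample(file, alias, verify):
    """Build a constructed `zowe:` mapping (sample data, not a real system)."""
    store = {"type": "JCERACFKS", "file": file, "password": "password"}
    return {"verifyCertificates": verify,
            "certificate": {"keystore": dict(store, alias=alias),
                            "truststore": store}}


GOOD = sample("safkeyring://ZWESVUSR/ZoweKeyring", "localhost", "STRICT")
BAD = sample("safkeyring://<STC Account Name>/<Ring Name>",
             "<Name of your certificate>", "DISABLED")

if __name__ == "__main__":
    for label, cfg, eku in (("good", GOOD, None), ("bad", BAD, {"serverAuth"})):
        print(label, lint_keyring_config(cfg, eku))
```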
If you would like Zowe to create a keyring instead, use one of the following options:
Keyring Setup Type | Description | Sample JCL |
---|---|---|
1 | Zowe will create a keyring and populate it with a newly generated certificate and certificate authority. The certificate would be seen as "self-signed" by clients unless the CA is imported into the clients. | RACF: ZWEIKRR1 TSS: ZWEIKRT1 ACF2: ZWEIKRA1 |
2 | Zowe will create a keyring and populate it by connecting pre-existing certificates and CAs that you specify. | RACF: ZWEIKRR2 TSS: ZWEIKRT2 ACF2: ZWEIKRA2 |
3 | Zowe will create a keyring and populate it by importing PKCS12 content from a dataset that you specify. | RACF: ZWEIKRR3 TSS: ZWEIKRT3 ACF2: ZWEIKRA3 |
(Deprecated) Caching Service VSAM Task
The Caching Service is a server of Zowe that improves the high availability and fault tolerance of Zowe. It is enabled by default and uses Infinispan for its backing storage by default.
Using VSAM instead of Infinispan is deprecated, but still possible.
To set up a VSAM dataset for the Caching Service, use the following sample JCL:
Task | Description | Sample JCL |
---|---|---|
Create VSAM Dataset for Caching Service | Action: Create an RLS or NONRLS dataset for the caching service, and set the name into the YAML value components.caching-service.storage.vsam.name | ZWECSVSM |
You can also use JCL samples for removing Zowe configuration:
Action | Sample JCL |
---|---|
Remove Instance Datasets | ZWERMVS |
Remove SAF Permissions | ZWENOSEC |
Remove Keyring | ACF2: ZWENOKRA RACF: ZWENOKRR TSS: ZWENOKRT |
Remove Caching Service VSAM Dataset | ZWECSRVS |