Skip to main content
Version: v3.0.x LTS

Configuring Zowe via JCL

Configuring Zowe via JCL

One option to configure Zowe is by directly customizing JCLs. The Zowe Runtime Dataset SZWESAMP contains JCL samples that have templates referencing Zowe YAML parameters. These samples should not be submitted without modification. Samples that are submitted without modification will end unsuccessfully with a JCL ERROR status.

Edit and submit the job SZWESAMP(ZWEGENER) to validate the contents of your zowe.yaml before resolving the JCL templates and placing the resulting JCL into a separate data set created by the job ZWEGENER. The location is specified in zowe.setup.dataset.jcllib.

When the JCL is prepared, the following jobs can be submitted to perform the following instance configuration actions. In addition to core JCL samples, you can also customize JCL samples for various keyring setup options according to your security manager.

  • For sample JCLs corresponding to core tasks, see the table Core Tasks.
  • For sample JCLs corresponding to keyring tasks, see the section Keyring Tasks later in this article.
  • For JCL samples if you are using VSAM as your storage solution for the Caching service, see the table corresponding to (Optional) Caching Service VSAM Task.

Core Tasks

TaskDescriptionSample JCL
Create Instance Datasets
Purpose:
Create datasets for Zowe's PARMLIB content and non-ZFS extension content for a given Zowe Instance
Action:
1) Allocate the PDSE FB80 dataset with at least 15 tracks named from Zowe parameter zowe.setup.dataset.parmlib
2) Allocate the PDSE FB80 dataset with at least 30 tracks named from Zowe parameter zowe.setup.dataset.authPluginLib
3) Copy the member ZWESIP00 from zowe.setup.dataset.prefix.SZWESAMP into zowe.setup.dataset.parmlib
ZWEIMVS
APF Authorize privileged content
Purpose:
The majority of Zowe is unprivileged code running in Key 8. Zowe relies on a single component called ZIS to own all of the privileged code logic. The load library for the ZIS component and its extension library must be set as APF authorized and run in Key 4 to use ZIS and components that depend upon it.
Action:
1) APF authorize the datasets defined at zowe.setup.dataset.authLoadlib and zowe.setup.dataset.authPluginLib.
2) Define PPT entries for the members ZWESIS01 and ZWESAUX as Key 4, NOSWAP in the SCHEDxx member of the system PARMLIB.
ZWEIAPF
Grant SAF premissions
Purpose:
The STC accounts for Zowe need permissions for operating servers, and users need permissions for interacting with the servers.
Action:
Set SAF permissions for accounts
RACF: ZWEIRAC
TSS: ZWEITSS
ACF2: ZWEIACF
(z/OS v2.4 ONLY) Create Zowe SAF Resource ClassOn z/OS v2.4, the SAF resource class for Zowe is not included, and must be created. This step is not needed on z/OS v2.5 and later versions.RACF: ZWEIRACZ
TSS: ZWEITSSZ
ACF2: ZWEIACFZ
Copy STC JCL to PROCLIB
Purpose:
The job ZWESLSTC runs Zowe's webservers. The job ZWESISTC runs the APF authorized cross-memory server. The job ZWESASTC is started by ZWESISTC on an as-needed basis.
Action:
Copy the members ZWESLSTC, ZWESISTC, and ZWESASTC into your desired PROCLIB. If the job names are customized, also modify the YAML values of them in zowe.setup.security.stcs.
ZWEISTC

Keyring Tasks

Certificate requirements
Ensure that your Zowe keyring has the following elements:

  • Private key & certificate pair
    The Zowe Servers will use this certificate. Ensure that the certificate either does not have the Extended Key Usage attribute, or alternatively, that the certificate does have Extended Key Usage with both Server Authorization and Client Authorization values. For more information about extended key usage, see Extended key usage heading in the article Configuring certificates.

  • Certificate Authorities
    Every intermediate and root Certificate Authority (CA) that Zowe interacts with must be within the Keyring, unless the zowe.yaml value zowe.verifyCertificates is set to DISABLED. CAs that must be within the keyring include z/OSMF's CAs if using z/OSMF, and Zowe's own certificate's CAs as Zowe servers must be able to verify each other.

There are four options for setting up keyrings: Three scenarios presented in the following table include JCL samples where a keyring is created for you. If you already have a keyring, you can configure Zowe to use this keyring by configuring zowe.yaml values within zowe.certificate according to the following example:

zowe:
certificate:
keystore:
type: JCERACFKS
file: "safkeyring://<STC Account Name>/<Ring Name>"
alias: "<Name of your certificate>"
password: "password" #literally "password". keyrings do not use passwords, so this is a placeholder.
truststore:
type: JCERACFKS
file: "safkeyring://<STC Account Name>/<Ring Name>"
password: "password" #literally "password". keyrings do not use passwords, so this is a placeholder.

If you would like Zowe to create a keyring, choose from the following three options:

Keyring Setup OptionsDescriptionSample JCL
Option 1Zowe creates a keyring and populates it with a newly generated certificate and certificate authority. The certificate is seen as "self-signed" by clients unless the import of the CA to clients is performed.RACF : ZWEIKRR1
TSS: ZWEIKRT1
ACF2: ZWEIKRA1
Option 2Zowe creates a keyring and populates it by connecting pre-existing certificates and CAs that you specify.RACF : ZWEIKRR2
TSS: ZWEIKRT2
ACF2: ZWEIKRA2
Option 3Zowe creates a keyring and populates it by importing PKCS12 content from a data set that you specify.RACF: ZWEIKRR3
TSS: ZWEIKRT3
ACF2: ZWEIKRA3

(Optional) Caching Service VSAM Task

If you plan to use the Zowe Caching service component, such as for high availability and fault tolerance reasons, it is required to choose a form of database for the service to use. Among the choices is for it to use a VSAM dataset of your choice.

TaskDescriptionSample JCL
Create VSAM Dataset for Caching ServiceAction: Create a RLS or NONRLS dataset for the caching service, and set the name into the YAML value components.caching-service.storage.vsam.nameZWECSVSM

You can also use JCL samples for removing Zowe configuration:

ActionSample JCL
Remove Instance DatasetsZWERMVS
Remove SAF PermissionsZWENOSEC
Remove KeyringACF2:
ZWENOKRA
RACF:
ZWENOKRR
TSS:
ZWENOKRT
Remove Caching Service VSAM DatasetZWECSRVS