Version 3.3.0 (September 2025)

Welcome to the Zowe Version 3.3.0 release!

See New features and enhancements for a full list of changes to the functionality. See Bug fixes for a list of issues addressed in this release.

Download v3.3.0 build: Want to try new features as soon as possible? You can download the v3.3.0 build from Zowe.org.

New features and enhancements

Zowe Version 3.3.0 contains the enhancements that are described in the following topics:

Server Install

• A new utility certificate-analyser.jar has been added to the folder zowe/bin/utils. This tool will eventually be used to verify correct certificates for use by Zowe, as well as correct connectivity to servers Zowe communicates with such as z/OSMF. In a future release, the tool is intended to be used by Zowe under specific circumstances to verify whether the network setup is correct. (#4354)
• Enhanced the ZWEGENER job to support Configuration Manager path elements of type PARMLIB that can contain one or multiple members with different names within the same PARMLIB dataset. The new format is PARMLIB(DATA.SET(member)). This is an alternative format to the older format. (#4332)
• Updated the zowe-yaml-schema.json and defaults.yaml to support a new configuration parameter zowe.sysMessageTrim and set a default value. This parameter is used to trim syslog messages and print only from the sys-message-id. (#4294)
• zwe install and zwe init commands can alternatively use ZWEGENER to create and submit JCL during Zowe's install and configuration, rather than using USS commands and utilities. --dry-run can be used to generate JCL without submitting it, allowing users to review the JCL and optionally submit it themselves. This is a technical preview feature. (#4282, #4107, #4429, #4427)
• A new parameter zowe.setup.jcl.header can now be used to specify Job Card information in the JCL generated by ZWEGENER. (#4423)
• Support has been added for API Mediation Layer (API ML) in modulith mode, allowing it to run as a single JVM process. This feature is provided as a technical preview. (#4254)

Zowe Application Framework

Zlux Server Framework

• The App-server no longer prints codes ZWED0036I, 54I, 55I, 62I-68I. These codes are now only shown in bootstrap or install debug logs, to clean up the job log. (#608)

Zlux App-Server

• App-server now handles when the components.apiml.enabled option is set to true as an alternative to enabling gateway, discovery, and caching-service components. (#345)

Zowe Common C

• Added a new function copyConfigurationAndDeleteKey to Configuration Manager for making revisions to configurations. (#524)
• Configuration Manager path elements of type PARMLIB can now contain one or multiple members with different names within the same PARMLIB dataset. The new format is PARMLIB(DATA.SET(member)). This is an alternative format to the older format wherein the member name was specified in a separate argument. The old format was to specify PARMLIB(DATA.SET) and then specify the member name. See https://docs.zowe.org/stable/user-guide/configmgr-using for more information. (#522)

ZSS

• Added a utility zis-test that determines whether ZIS is running and accessible by Zowe before starting ZSS. This utility is located within the bin/utils folder of the Zowe runtime directory and can be used by extenders or during troubleshooting to check the ZIS status as needed. (#764)
• The bind-test utility is now available in Zowe. This utility is located within the bin/utils folder of the Zowe runtime directory and can be used by extenders or during troubleshooting to validate the network and network permissions as needed. (#764)
• ZSS now handles when the components.apiml.enabled option is set to true as an alternative to enabling gateway, discovery, and caching-service components. (#787)

Basic TN3270 Display Emulator

• The Logical Unit name is now displayed in the TN3270 window title, making it easier for users to identify the session they are working with. (#101)

Zowe API Mediation Layer

• You can now deploy API ML as a single service. For more information about single-service deployment using modulith architecture, see Enabling Single-Service deployment of API Mediation Layer(#3973)
• Added the configuration property apiml.security.forwardHeader.trustedProxies to specify the regular expression pattern used to identify trusted proxies from which X-Forwarded-* headers are accepted and forwarded. Mitigates CVE-2025-41235. (#4171)
• Zowe now supports an independent response time route setting. (#3981)
• Added a check of the certificate signing algorithm in the Certificate Analyzer tool. (#4121)
• Made certificate validation improvements. (#4017)
• Added the Onboarding Python Enabler. (#4068)
• Users are now allowed to configure the connect and read timeout for the Eureka HTTP client. (#4045)

Zowe CLI

Zowe CLI (Core)

• Replaced logic in ApimlAuthHandler.processLogin with a call to a new common function, AuthOrder.putNewAuthsFirstOnDisk. There are no changes to the external API and no changes to the functionality. (#2568)
• Added a search-exact-name option to the zowe zos-files search data-set command to search the contents of one data set or PDS. (#2529)
• Added a new configuration property named authOrder with which a user can specify a desired choice of authentication. (#1794)
• Updated Node.js types for technical currency. (#2511)
• Added the --establish-connection-timeout option to the z/OSMF Connection Options. This allows users to specify a maximum limit for how long the REST client should attempt to establish a connection to the server, and returns an error if the request takes too long. (#2490)
• Added the --completion-timeout option to the z/OSMF Connection Options. This allows users to specify a maximum limit for how long a REST request should take, and returns an error if the request takes too long. (#2490)
• Updated help examples to replace short option aliases (for example, -h) with full option names (for example, --help) for improved clarity and consistency in documentation. (#2484)
• Added the ability to search data sets with regex patterns by passing --regex into the search command. (#2432)
• Added the --overwrite flag to the zowe files copy ds command to allow for overwriting all members of a target data set with source data set members. (#2450)
• Added the ability to see secure properties when running zowe config list when the ZOWE_SHOW_SECURE_ARGS environment variable is set to true. (#2259)
• Added the --data-set-type flag to create sequential data set command to allow for creating extended and large formatted sequential data sets. (#2141)
• Added the --recordRange flag to the zowe jobs download output command to allow users to select a specific range of records to output from a spool file. (#2411)

Zowe CLI Imperative Framework

• Added the following AuthOrder functions: getPropNmFor, putNewAuthsFirstInSess, putNewAuthsFirstOnDisk, formNewAuthOrderArray, authArrayToCfgVal, authCfgValToArray. No external behavior is changed by this addition to/refactoring of the Zowe SDK logic. (#2568)
• When no credentials are available, added prompt for the credentials related to the first entry in the authOrder property instead of arbitrarily prompting for user and password. (#2568)
• Reordered authOrder information in error messages to be easier for a user to follow the effect of the authOrder. (#2568)
• Added --verbose option to the zowe plugins install command to make debugging easier. (#2562)
• Added spawnWithInheritedStdio method to ExecUtils which inherits output instead of piping it. (#2562)
• Updated the Zowe Client REST APIs to obey the choice of authentication specified by a user. (#2491)
• Updated the Logger class to support the winston library, and introduced migration tools to switch from log4js to winston. For more information on how to migrate your logger instance to use the winston library, refer to the "Configuring logging" page on the Zowe CLI wiki. (#2488)
• Added a request timeout to the Imperative REST client. (#2490)
• Added the ZOWE_REQUEST_COMPLETION_TIMEOUT environment variable to the EnvironmentalVariableSettings class to allow extenders to determine how long to wait for a request to complete before timing out. (#2490)
• Added a connection timeout to the Imperative REST Client, with a default of 60 seconds. (#2486)
• Added the ZOWE_SOCKET_CONNECT_TIMEOUT environment variable to the EnvironmentalVariableSettings class to allow extenders to determine how long to wait for a socket connection before timing out. (#2486)
• Updated help examples to replace short option aliases (for example, -h) with full option names (for example, --help) for improved clarity and consistency in documentation. (#2484)
• Exposed the private buildPrefix function as a replacement of moment.format(...). (#2478)

CICS Plug-in for Zowe CLI

• Added the ability to define bundles. (#72)
• Added notices file into package. (#267)

Zowe Explorer

Zowe Explorer (Core)

• See the Zowe Explorer changelog for updates included in this release.

Zowe Explorer API

• See the Zowe Explorer API changelog for updates included in this release.

Zowe Explorer for IBM z/OS FTP

• See the Zowe® Explorer for IBM® z/OS® FTP changelog for updates included in this release.

Zowe Explorer ESLint Plug-in

• See the Zowe Explorer ESLint Plug-in changelog for updates included in this release.

Bug fixes

Zowe Version 3.3.0 contains the bug fixes that are described in the following topics:

Server Install

• YAML lookup for HA instances within haInstances is now case insensitive and works regardless of whether the letters of the HA instance names are in uppercase or lowercase. (#4370)
• ZWEGENER now aborts with an error message if zowe.setup.dataset.prefix or zowe.setup.dataset.jcllib are undefined or identical, preventing potential runtime errors. (#4337)

Zowe Application Framework

Zlux Server Framework

• Introduced a workaround for API Catalog issuing a double-TLS request when the API Catalog was under AT-TLS by changing eureka registration content to match the state of API Catalog. (#610)

Zowe Common C

• Fixed a memory leak in the safeFree64Internal function for 64 bit programs. (#540)

ZSS

• Fixed an issue wherein if AT-TLS was enabled for ZSS and ZSS was unable to communicate with the APIML Gateway, the JWK initialization logic entered a continuous loop and consumed a large amount of CPU resources. (#772)
• ZSS now is compatible with z/OS 3.2. (#781)

Zowe API Mediation Layer

• The Gateway now returns empty auth keys from z/OSMF when apiml.security.auth.zosmf.jwtAutoconfiguration is set to jwt. (#4092)
• Updated start.sh settings for the Caching service. (#4226)
• Fixed API ML startup message not appearing in modulith mode. (#4216)
• Fixed SAF auth check in non-modulith. (#4212)
• Fixed configuration values for the Eureka server and client that caused an overload and making Eureka unresponsive. (#4223)
• Fixed modulith OpenAPI documentation to show the correct logout endpoint. (#4191)
• Disabled infinispan diagnostics by default. (#4157)
• Fixed obtaining public keys if there is unsupported type of key. (#4154)
• Generated git properties file before release build. (#4173)
• Released build without cache. (#4179)
• Removed duplicate log messages. (#4147)
• Fixed detection of connection issue. (#4142)
• Set memory limit for javap. (#4141)
• Applied Config change for Gateway Endlessly Spamming Issue. (#4095)
• Added HSTS header when AT-TLS enabled for V3. (#4052)
• Fixed SSL configuration for non-strict hostname verification mode in Jetty HTTP Client. (#4073)
• Fixed SSO issue in the API Catalog. (#4070)

Zowe CLI

Zowe CLI (Core)

• Added a warning to users using a TSO command. It now warns them that a logon procedure is not being used when a non default logon procedure and --ssm option is used. (#2528)
• Fixed an issue where inconsistent formatting for an example in the zowe zos-files create data-set-sequential command caused the example to be improperly displayed in the Zowe web help. Now, the full example command is shown in the code block when displayed through the web help. (#2557)
• Updated the brace-expansion dependency for technical currency. (#2523)
• Added update to avoid prompting for a password when a token is available for authentication. (#2500)
• Updated the zowe auth login apiml command to place its retrieved token into the specified (or default) base profile instead of creating a new base profile. The update also places a directive to use token authentication for the default zosmf profile if that profile is configured to connect to API-ML. (#2181, #1650)
• Updated the Daemon binary version for technical currency. (#2479)
• Fixed a bug that resulted in daemon commands running slower with every additional command. (#2470)
• Fixed the --show-inputs-only option on commands with chained command handlers, such as zowe zos-files copy data-set-cross-lpar. (#2446)
• When using the copy command, if a target partitioned data set has a smaller record length than a source partitioned data set, the operation for subsequent members no longer stops. The user can now view the affected members in a local file. (#2349)
• Fixed a bug where users were not warned when copying partitioned data sets with identical member names. Now, the user is prompted to confirm before continuing the copy operation to avoid potential data loss. (#2349)
• Fixed a bug where the zowe zos-files copy data-set command would overwrite the contents of the target data set without user confirmation. A --safe-replace option was added which prompts the user to confirm before overwriting the contents of the target data set. (#2369)

Zowe CLI Imperative Framework

• Added a validity check in the ProfileInfo class mergeArgsForProfile method to ensure the base profile exists before merging its values. This prevents Zowe Explorer UI loading errors when a non-existent base profile is referenced. (#2575)
• Fixed invalid value for npm log level when --verbose option is true on the zowe plugins install command. (#2571)
• Updated the web help generator logic to fix links with special characters. (#2553, #2308)
• Resolved an issue where streaming uploads of special characters could result in data corruption at chunk boundaries. (#2556)
• Fixed an issue with the zowe config commands to ensure correct user input handling. (#2519)
• Updated the brace-expansion dependency for technical currency. (#2523)
• Fixed an issue where Imperative integration tests can fail due to a missing glob dependency. (#2511)
• Fixed an issue where downstream dependencies using log4js have their log output redirected after creating an instance of the ProfileInfo class. (#2488)
• Added checks to the AbstractRestClient abstract class to ensure the hostname parameter does not contain a protocol. (#2486)

DB2 Plug-in for Zowe CLI

• Updated the form-data dependency for technical currency. (#185)
• Updated the ibm_db dependency to fix an issue with offline installation. (#183)
• Updated the tar-fs dependency for technical currency. (#178)

Zowe Explorer

Zowe Explorer (Core)

• See the Zowe Explorer changelog for updates included in this release.

Zowe Explorer API

• See the Zowe Explorer API changelog for updates included in this release.

Zowe Explorer for IBM z/OS FTP

• See the Zowe® Explorer for IBM® z/OS® FTP changelog for updates included in this release.

Zowe Explorer ESLint Plug-in

• See the Zowe Explorer ESLint Plug-in changelog for updates included in this release.

Vulnerabilities fixed

Zowe discloses fixed vulnerabilities in a timely manner giving you sufficient time to plan your upgrades. Zowe does not disclose the vulnerabilities fixed in the latest release as we respect the need for at least 45 days to decide when and how you upgrade Zowe. When a new release is published, Zowe publishes the vulnerabilities fixed in the previous release. For more information about the Zowe security policy, see the Security page on the Zowe website.

The following security issues were fixed by the Zowe security group in version 3.2:

• BDSA-2025-0723
• CVE-2025-0736