The following information contains procedures and tips for meeting z/OSMF requirements. For complete information, go to IBM Knowledge Center and read the following documents.
z/OS requirements for z/OSMF configuration
Ensure that the z/OS system meets the following requirements:
|Requirements||Description||Resources in IBM Knowledge Center|
|AXR (System REXX)||z/OS uses AXR (System REXX) component to perform Incident Log tasks. The component enables REXX executable files to run outside of conventional TSO and batch environments.||System REXX|
|Common Event Adapter (CEA) server||The CEA server, which is a co-requisite of the Common Information Model (CIM) server, enables the ability for z/OSMF to deliver z/OS events to C-language clients.||Customizing for CEA|
|Common Information Model (CIM) server||z/OSMF uses the CIM server to perform capacity-provisioning and workload-management tasks. Start the CIM server before you start z/OSMF (the IZU* started tasks).||Reviewing your CIM server setup|
|CONSOLE and CONSPROF commands||The CONSOLE and CONSPROF commands must exist in the authorized command table.||Customizing the CONSOLE and CONSPROF commands|
|Java level||IBM® 64-bit SDK for z/OS®, Java Technology Edition V8 or later is required.||Software prerequisites for z/OSMF|
|TSO region size||To prevent exceeds maximum region size errors, verify that the TSO maximum region size is a minimum of 65536 KB for the z/OS system.||N/A|
|User IDs||User IDs require a TSO segment (access) and an OMVS segment. During workflow processing and REST API requests, z/OSMF might start one or more TSO address spaces under the following job names: userid; substr(userid, 1, 6) CN (Console).||N/A|
Follow these steps:
From the console, issue the following command to verify the version of z/OS:
Part of the output contains the release, for example,
RELEASE z/OS 02.02.00.
z/OSMF is a base element of z/OS V2.2 and V2.3, so it is already installed. But it might not be configured and running on every z/OS V2.2 and V2.3 system.
In short, to configure an instance of z/OSMF, run the IBM-supplied jobs IZUSEC and IZUMKFS, and then start the z/OSMF server. The z/OSMF configuration process occurs in three stages, and in the following order:
Stage 1 - Security setup
Stage 2 - Configuration
Stage 3 - Server initialization
This stage sequence is critical to a successful configuration. For complete information about how to configure z/OSMF, see Configuring z/OSMF for the first time if you use z/OS V2.2 or Setting up z/OSMF for the first time if V2.3.
Note: In z/OS V2.3, the base element z/OSMF is started by default at system initial program load (IPL). Therefore, z/OSMF is available for use as soon as you set up the system. If you prefer not to start z/OSMF automatically, disable the autostart function by checking for
START commands for the z/OSMF started procedures in the COMMNDxx parmlib member.
The z/OS Operator Consoles task is new in Version 2.3. Applications that depend on access to the operator console such as Zowe™ CLI's RestConsoles API require Version 2.3.
Verify that the z/OSMF server and angel processes are running. From the command line, issue the following command:
If jobs IZUANG1 and IZUSVR1 are not active, issue the following command to start the angel process:
After you see the message ""CWWKB0056I INITIALIZATION COMPLETE FOR ANGEL"", issue the following command to start the server:
The server might take a few minutes to initialize. The z/OSMF server is available when the message ""CWWKF0011I: The server zosmfServer is ready to run a smarter planet."" is displayed.
Issue the following command to find the startup messages in the SDSF log of the z/OSMF server:
You could see a message similar to the following message, which indicates the port number:
IZUG349I: The z/OSMF STANDALONE Server home page can be accessed at https://mvs.hursley.ibm.com:443/zosmf after the z/OSMF server is started on your system.
In this example, the port number is 443. You will need this port number later.
Point your browser at the nominated z/OSMF STANDALONE Server home page and you should see its Welcome Page where you can log in.
Note: If your implementation uses an external security manager other than RACF (for example, Top Secret for z/OS or ACF2 for z/OS), you provide equivalent commands for your environment. For more information, see the following product documentation:
z/OSMF REST services for the Zowe CLI
The Zowe CLI uses z/OSMF Representational State Transfer (REST) APIs to work with system resources and extract system data. Ensure that the following REST services are configured and available.
|z/OSMF REST services||Requirements||Resources in IBM knowledge Center|
|Cloud provisioning services||Cloud provisioning services are required for the Zowe CLI CICS and Db2 command groups. Endpoints begin with ||Cloud provisioning services|
|TSO/E address space services||TSO/E address space services are required to issue TSO commands in the Zowe CLI. Endpoints begin with ||TSO/E address space services|
|z/OS console services||z/OS console services are required to issue console commands in the Zowe CLI. Endpoints begin with ||z/OS console services|
|z/OS data set and file REST interface||z/OS data set and file REST interface is required to work with mainframe data sets and UNIX System Services files in the Zowe CLI. Endpoints begin with ||z/OS data set and file REST interface|
|z/OS jobs REST interface||z/OS jobs REST interface is required to use the zos-jobs command group in the Zowe CLI. Endpoints begin with ||z/OS jobs REST interface|
|z/OSMF workflow services||z/OSMF workflow services is required to create and manage z/OSMF workflows on a z/OS system. Endpoints begin with ||z/OSMF workflow services|
Zowe uses symbolic links to the z/OSMF
ltpa.keys files. Zowe reuses SAF, SSL, and LTPA configurations; therefore, they must be valid and complete.
For more information, see Using the z/OSMF REST services in IBM z/OSMF documentation.
To verify that z/OSMF REST services are configured correctly in your environment, enter the REST endpoint into your browser. For example:
- Browsing z/OSMF endpoints requests your user ID and password for defaultRealm; these are your TSO user credentials.
- The browser returns the status code 200 and a list of all jobs on the z/OS system. The list is in raw JSON format.
Configuration of z/OSMF to properly work with API ML
There is an issue observed in z/OSMF which leads to a stuck JSON web token(JWT). It manifests as the endpoint
/zosmf/services/authenticate issuing a JWT with success RC that is not valid for API calls, resulting in 401 response status code. This is a persistent condition.
To get the token unstuck, perform a logout with the LTPA token from the login request. This causes logins to start serving unique JWTs again.
Until this issue is properly fixed in z/OSMF, we propose a possible temporary workaround. Update z/OSMF configuration with
allowBasicAuthLookup="false". After applying this change, each authentication call results in generating a new JWT.