27 commits
6cdbfed
initial draft
MarkAckert Jan 21, 2026
720a121
checkpoint doc changes for certs
MarkAckert Jan 23, 2026
03b8dc5
Merge branch 'docs-staging' into user/markackert/cert-scenarios
MarkAckert Jan 23, 2026
fd0f267
Fix typos in certificates configuration documentation
Martin-Zeithaml Jan 26, 2026
d3280b6
Fix typos in generate-certificates.md
Martin-Zeithaml Jan 26, 2026
d776cbc
Correct formatting in certificates configuration guide
Martin-Zeithaml Jan 26, 2026
24a1a50
code review updates
MarkAckert Jan 28, 2026
2c2c66d
better glossary info, code review feedback
MarkAckert Jan 28, 2026
c9a5355
fix review steps after configuring certs
MarkAckert Jan 28, 2026
fc12b3e
remove generate certificates article, and rewire markdown links
MarkAckert Jan 29, 2026
6831adb
re-structure off-platform article a little bit
MarkAckert Jan 29, 2026
4e44d4e
few more touches for clarity
MarkAckert Jan 29, 2026
30d8bde
fix some broken links
MarkAckert Jan 30, 2026
ab6aee3
Make a quick note that keyrings and AT-TLS go together in the glossary
MarkAckert Jan 30, 2026
1c8fed6
Update docs/appendix/zowe-security-glossary.md
MarkAckert Feb 2, 2026
9ccf429
Apply suggestions from code review
MarkAckert Feb 2, 2026
a37317a
key ring format
MarkAckert Feb 2, 2026
dcc5568
code review comments, fix broken links
MarkAckert Feb 2, 2026
143ce6b
Update docs/user-guide/configuring-at-tls-for-zowe-server-single-serv…
MarkAckert Feb 2, 2026
871324a
Update docs/user-guide/certificates-trust-off-platform.md
MarkAckert Feb 2, 2026
cbb4337
Update docs/user-guide/certificates-trust-off-platform.md
MarkAckert Feb 2, 2026
31b9289
Update docs/user-guide/certificates-trust-off-platform.md
MarkAckert Feb 2, 2026
e1c4ec0
add admonition
MarkAckert Feb 2, 2026
2a0f1c4
changes from code review comments
MarkAckert Feb 2, 2026
cd1f5fe
one more suggested change
MarkAckert Feb 2, 2026
db102ac
Keyring to key ring
Martin-Zeithaml Feb 3, 2026
0800dcf
Typos
Martin-Zeithaml Feb 3, 2026
21 changes: 6 additions & 15 deletions docs/appendix/zowe-security-glossary.md
Expand Up @@ -74,6 +74,7 @@ If you do not yet have certificates, Zowe can create self-signed certificates fo
- [Extended key usage](#extended-key-usage)
- [Hostname validity](#hostname-validity)
- [z/OSMF access](#zosmf-access)

### Extended key usage
Zowe server certificates must either not have the `Extended Key Usage` (EKU) attribute, or have both the `TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)` and `TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)` values present within.

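Review bot: the EKU paragraph carried as context in this hunk states what the certificate must contain but not why both values are required; a one-sentence rationale next to "TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)" and "TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)" (the standard serverAuth and clientAuth EKU identifiers) would stop administrators from stripping the client value when they harden a certificate and then hitting a failure they cannot trace back to this page. Minor wording: "values present within" reads better as "values present". The added blank line before "### Extended key usage" is the right fix for the heading rendering.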
Expand All @@ -88,29 +89,19 @@ The z/OSMF certificate is verified according to Zowe [Certificate verification s


## Certificate setup types
Whether importing or letting Zowe generate certificates, the setup for Zowe certificate automation and the configuration to use an existing keystore and truststore depends upon the content format: file-based (`PKCS12`) or z/OS key ring-based.
Whether importing or letting Zowe generate certificates, the setup for Zowe certificate automation and the configuration to use an existing keystore and truststore depends upon the content format: file-based (`PKCS12`) or z/OS key ring-based. If you are bringing your own previously defined certificates and keyrings to Zowe, you can configure `zowe.certificate` with this information directly and bypass `zwe init certificate` completely.

- [File-based (PKCS12) certificate setup](#file-based-pkcs12-certificate-setup)
- [z/OS key ring-based certificate setup](#zos-key-ring-based-certificate-setup)

### File-based (PKCS12) certificate setup

Zowe is able to use PKCS12 certificates that are stored in USS. Zowe uses a `keystore` directory to contain its certificates primarily in PKCS12 (`.p12`, `.pfx`) file format, but also in PEM (`.pem`) format. The truststore is in the `truststore` directory that holds the public keys and CA chain of servers which Zowe communicates with (for example z/OSMF).
Configuring PKCS12 certificates is covered under [Certificate Configuration](../user-guide/configure-certificates.md) and [Reviewing Certificate Configuration](../user-guide/certificates-finalize-configuration.md).

### z/OS key ring-based certificate setup

Zowe is able to work with certificates held in a **z/OS Key ring**.

The JCL member `.SZWESAMP(ZWEKRING)` contains security commands to create a SAF keyring. By default, this key ring is named `ZoweKeyring`. You can use the security commands in this JCL member to generate a Zowe certificate authority (CA) and sign the server certificate with this CA. The JCL contains commands for all three z/OS security managers: RACF, TopSecret, and ACF2.

There are two ways to configure and submit `ZWEKRING`:

- Copy the JCL `ZWEKRING` member and customize its values.
- Customize the `zowe.setup.certificate` section in `zowe.yaml` and use the `zwe init certificate` command.

You can also use the `zwe init certificate` command to prepare a customized JCL member using `ZWEKRING` as a template.
Zowe is able to work with certificates held in a **z/OS key ring**.

A number of key ring scenarios are supported:

- Creation of a local certificate authority (CA) which is used to sign a locally generated certificate. Both the CA and the certificate are placed in the `ZoweKeyring`.
- Import of an existing certificate already held in z/OS to the `ZoweKeyring` for use by Zowe.
- Creation of a locally generated certificate and signed by an existing certificate authority. The certificate is placed in the key ring.
If you are not bringing your own certificate and keyring, and instead would like Zowe to create these for you, then you should follow the instructions under [Zowe Assisted Certificate Setup](../user-guide/certificates-configuration-questionnaire.md).
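Review bot: deleting the ZWEKRING paragraph removes the only sentence that introduced the default key ring name ("By default, this key ring is named `ZoweKeyring`"), yet the scenario list kept below still says the CA and certificate "are placed in the `ZoweKeyring`"; either keep that one sentence or link to the article where the name is now defined, otherwise the reader meets `ZoweKeyring` with no definition. Terminology in the two added sentences is also inconsistent with the rest of the section: the intro now says "certificates and keyrings" and the closing sentence "certificate and keyring", while the headings and body in this same hunk were just changed to "key ring". Minor: the third scenario bullet reads better as "Creation of a locally generated certificate signed by an existing certificate authority."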
12 changes: 6 additions & 6 deletions docs/user-guide/certificates-configuration-questionnaire.md
@@ -1,6 +1,6 @@
# Zowe certificates configuration questionnaire

To properly configure Zowe to use certificates for server-side component installation, review the certificate setup options presented in this article.
To properly configure Zowe with certificates for server-side component installation, review the certificate setup options presented in this article.
Understanding these options makes it possible to select the best certificate configuration scenario that fits your Zowe deployment use case.

:::info Required roles: system programmer, security administrator
Expand Down Expand Up @@ -42,19 +42,19 @@ If you plan to use Zowe generated self-signed certificates and your target envir
Decide if you want to store the certificate in a z/OS keyring or to a file based keystore/truststore.

:::tip
While using a keystore/truststore pair is possible to store your certificates, we recommend that you use z/OS keyrings for production deployments.
While using a keystore/truststore pair is possible to store your certificates, we recommend that you use z/OS key rings for production deployments.
:::

**Question 4:** Do you plan to use an existing certificate from another keyring or from a dataset?
If you have an existing certificate, you can import or connect this certificate to the planned z/OS keyring based storage.

Before you import your certificates, check to make sure that the certificate format, type, and properties correspond to the required protection and acceptability depending on the planned deployment environment (DEV, TEST, PROD).
For example, use Zowe generated self-signed certificates only with development or testing environments and not with production environments.
Before you import your certificates, check to make sure that the certificate format, type, and properties meet your security requirements depending on the planned deployment environment (DEV, TEST, PROD). For example, Zowe generated self-signed certificates may be acceptable with development or testing environments, but not with production environments.

Required certificate properties are covered in [the Zowe Security Glossary](../appendix/zowe-security-glossary.md#zowe-certificate-requirements).

For more information, see [Import and configure an existing certificate](./import-certificates.md).
## Next steps

After you select your applicable certificate configuration scenario and review the certificate configurate sample in the article [Certificate configuration scenarios](./certificate-configuration-scenarios.md), you can continue to [Configure Zowe Certificates](./configure-certificates.md).
After you select your applicable certificate configuration scenario, you can proceed to [Certificate configuration scenarios](./certificates-configuration-scenarios.md).

:::tip
If you encounter issues when configuring your certificate, see [Troubleshooting the certificate configuration](../troubleshoot/troubleshoot-zos-certificate.md), to find resolution of errors.
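Review bot: the "Next steps" link target changes from `./certificate-configuration-scenarios.md` to `./certificates-configuration-scenarios.md`; please confirm the file exists under the new name in this branch, since the commit history for this PR includes several broken-link fixes and a wrong filename here would silently break the only forward path out of the questionnaire. The tip now says "z/OS key rings", but the surrounding context lines in this hunk still say "z/OS keyring", "another keyring" and "z/OS keyring based storage"; since the PR standardises on "key ring" elsewhere, these three should follow. Two small things: "may be acceptable with development or testing environments" reads better as "in", and the "For more information, see [Import and configure an existing certificate]" line runs straight into "## Next steps" with no blank line, which some Markdown renderers need before a heading.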