Refactor certificate documentation - bring your own key ring

docs/appendix/zowe-security-glossary.md

@@ -74,6 +74,7 @@ If you do not yet have certificates, Zowe can create self-signed certificates fo
 - [Extended key usage](#extended-key-usage)
 - [Hostname validity](#hostname-validity)
 - [z/OSMF access](#zosmf-access)
+
 ### Extended key usage
 Zowe server certificates must either not have the `Extended Key Usage` (EKU) attribute, or have both the `TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)` and `TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)` values present within.
 
@@ -88,29 +89,21 @@ The z/OSMF certificate is verified according to Zowe [Certificate verification s
 
 
 ## Certificate setup types
-Whether importing or letting Zowe generate certificates, the setup for Zowe certificate automation and the configuration to use an existing keystore and truststore depends upon the content format: file-based (`PKCS12`) or z/OS key ring-based.
+Zowe requires certificates in one of two formats: file-based (`PKCS12`) or z/OS key ring-based. If you are bringing your own previously defined certificates to Zowe, you can configure `zowe.certificate` with this information directly. Key rings are required for Zowe AT-TLS configurations. If you are not bringing your own certificates, [Zowe can assist](../user-guide/certificates-configuration-scenarios.md) with certificate generation.
 
 - [File-based (PKCS12) certificate setup](#file-based-pkcs12-certificate-setup)
 - [z/OS key ring-based certificate setup](#zos-key-ring-based-certificate-setup)
+
 ### File-based (PKCS12) certificate setup
 
 Zowe is able to use PKCS12 certificates that are stored in USS. Zowe uses a `keystore` directory to contain its certificates primarily in PKCS12 (`.p12`, `.pfx`) file format, but also in PEM (`.pem`) format. The truststore is in the `truststore` directory that holds the public keys and CA chain of servers which Zowe communicates with (for example z/OSMF).
 
-### z/OS key ring-based certificate setup
-
-Zowe is able to work with certificates held in a **z/OS Key ring**.
+Generating PKCS12 certificates is covered in [Certificate configuration scenarios](../user-guide/certificates-configuration-scenarios.md) Scenario 1 and Scenario 2.
+Configuring PKCS12 certificates is covered in [Finalize certificate configuration](../user-guide/certificates-finalize-configuration.md).
 
-The JCL member `.SZWESAMP(ZWEKRING)` contains security commands to create a SAF keyring. By default, this key ring is named `ZoweKeyring`. You can use the security commands in this JCL member to generate a Zowe certificate authority (CA) and sign the server certificate with this CA. The JCL contains commands for all three z/OS security managers: RACF, TopSecret, and ACF2.
-
-There are two ways to configure and submit `ZWEKRING`:
-
-- Copy the JCL `ZWEKRING` member and customize its values.
-- Customize the `zowe.setup.certificate` section in `zowe.yaml` and use the `zwe init certificate` command.
-
-  You can also use the `zwe init certificate` command to prepare a customized JCL member using `ZWEKRING` as a template.
+### z/OS key ring-based certificate setup
 
-A number of key ring scenarios are supported:
+Zowe is able to work with certificates held in a **z/OS key ring**.
 
-- Creation of a local certificate authority (CA) which is used to sign a locally generated certificate. Both the CA and the certificate are placed in the `ZoweKeyring`.
-- Import of an existing certificate already held in z/OS to the `ZoweKeyring` for use by Zowe.
-- Creation of a locally generated certificate and signed by an existing certificate authority. The certificate is placed in the key ring.
+Generating key rings with certificates is covered in [Certificate configuration scenarios](../user-guide/certificates-configuration-scenarios.md), Scenarios 3-5.
+Configuring key rings with certificates is covered in [Finalize certificate configuration](../user-guide/certificates-finalize-configuration.md).

docs/extend/extend-apiml/certificate-management-in-zowe-apiml.md

@@ -63,8 +63,8 @@ There are two ways to set up certificates on a z/OS machine:
 - [Certificates in SAF keyring](#api-ml-saf-keyring)
 
 For detailed instructions about how to set up certificates during installation, see the following articles:
-* [Use PKCS12 certificates](../../user-guide/use-certificates.md#use-pkcs12-certificates)
-* [Use JCERACFS certificates](../../user-guide/use-certificates.md#use-jceracfks-certificates) in a keyring 
+* [Use PKCS12 certificates](../../user-guide/certificates-configuration-scenarios.md#scenario-overview)
+* [Use JCERACFS certificates](../../user-guide/certificates-configuration-scenarios.md#scenario-overview) in a keyring 
 
 Follow the procedure in the applicable section in this article during installation.
 

docs/getting-started/zowe-certificates-overview.md

@@ -39,8 +39,6 @@ X.509 Digital certificates are primarly used to implement the following function
 Zowe uses digital certificates as a foundational element for both communication and for identity security.
 Additionally, Zowe provides a client identity validation functionality based on the ownership of the provided x.509 client certificate and the mainframe security authentication mechanism.
 
-For more information about how Zowe leverages certificates, see [Zowe certificate usage](../user-guide/use-certificates.md).
-
 To review the various Zowe certificate configuration options, see the [Zowe certificate configuration overview](../user-guide/configure-certificates.md).
 
 ## Public key infrastructure

docs/getting-started/zowe-security-overview.md

@@ -49,8 +49,7 @@ Review digital certificates terminology in the [Zowe security glossary](../appen
 Zowe uses digital certificates to secure the communication channel between Zowe components as well as between Zowe clients and Zowe services. Digital client certificates can also be used to validate that the identity of a client-user (the service user) is known to the mainframe security facility.   
 
 **Next Steps:**
-- For more information about the mechanics of digital certificate, see [Using certificates](../user-guide/use-certificates.md).
-- To learn more about the various options for Zowe certificate configuration, see [Zowe certificate configuration overview](../user-guide/configure-certificates.md) under the _Use_ tab.
+- To learn more about the various options for Zowe certificate configuration, see [Zowe certificate configuration overview](../user-guide/configure-certificates.md).
 
 ## User Authentication
 Zowe always authenticates the users accessing its interfaces and services. 
@@ -82,8 +81,6 @@ For more information about the SAF resource check, see [Configuring SAF resource
 ## Additional resources
 For more information about getting started with certificates including determining your certificate configuration use case, importing certificates, generating certificates and using certificates, see the following resources:  
 
-- [Certificate configuration scenarios](../user-guide/certificate-configuration-scenarios.md)
-- [Generating a certificate](../user-guide/generate-certificates.md)
-- [Importing and configuring a certificate](../user-guide/import-certificates.md)
+- [Certificate configuration scenarios](../user-guide/certificates-configuration-scenarios.md)
 - [Configuring certificates](../user-guide/configure-certificates.md)
 

docs/troubleshoot/known-issues-with-apiml.md

@@ -201,6 +201,6 @@ Request a new certificate that contains a valid z/OSMF host name in the subject
 
 ### Re-create the Zowe keystore
 
-Re-create the Zowe keystore by deleting it and re-creating it. For more information, see [Importing a file-based PKCS12 certificate](../user-guide/import-certificates.md#importing-an-existing-pkcs12-certificate).  The Zowe keystore directory is the value of the `KEYSTORE_DIRECTORY` variable in the `zowe.yaml` file that is used to launch Zowe.
+Recreate the Zowe keystore by deleting it and recreating it. For more information, see [Scenario 2: Importing a file-based PKCS12 certificate](../user-guide/certificates-configuration-scenarios.md#scenario-2-use-a-file-based-pkcs12-keystore-and-import-a-certificate-generated-by-another-ca).  The Zowe keystore directory is the value of the `KEYSTORE_DIRECTORY` variable in the `zowe.yaml` file that is used to launch Zowe.
 
 

docs/user-guide/api-mediation/configuration-client-certificates.md

@@ -105,7 +105,7 @@ The following steps are only required if the ZSS hostname or default Zowe user n
   :::
 
    * **components.gateway.apiml.security.x509.externalMapperUser**  
-   To authenticate to the mapping API, a JWT is sent with the request. The token represents the user that is configured with this property. The user authorization is required to use the `IRR.RUSERMAP` resource within the `FACILITY` class. The default value is `ZWESVUSR`. Permissions are set up during installation with the `ZWESECUR` JCL or workflow.
+   To authenticate to the mapping API, a JWT is sent with the request. The token represents the user that is configured with this property. The user authorization is required to use the `IRR.RUSERMAP` resource within the `FACILITY` class. The default value is: `ZWESVUSR`. Permissions are set up during installation with the `ZWESECUR` JCL or workflow.
 
    If you customized the `ZWESECUR` JCL or workflow (the customization of zowe runtime user: `// SET ZOWEUSER=ZWESVUSR * userid for Zowe started task`) and changed the default USERID, create the `components.gateway.apiml.security.x509.externalMapperUser` property and set the value by adding a new line as in the following example: