Recommend split keyring for new configurations

[pablocarle]

• Tests for the changes have been added (for bug fixes / features)
• Necessary documentation (if appropriate) have been added / updated
• DCO signoffs have been added to all commits, including this PR

PR type

• Bugfix

Changes proposed in this PR

Split keyrings into two:

1. Contains the private key and full chain of the CA used to sign Zowe's certificate.
2. Contains the trusted certificates (Zowe server chain, z/OSMF certificate, other trusted certificates such as southbound services')

The reason behind it lies in AT-TLS configurations.
Currently, AT-TLS configuration uses keyring to set up handshakes between services; the problem lies in that some connections may be using the PERSONAL certificate from the keyring to authenticate without knowing it, since AT-TLS will pick up certificates marked as DEFAULT.
The chosen way to deal with this is to split the configuration in AT-TLS to have a keyring that contains the private key and another one that only has trusted certificates acting as a truststore.'

This PR aims at updating the recommendations for new installations, since it's not known at the beginning if the installation will use AT-TLS or not.

Documentation is being updated for the AT-TLS article, targeting the 3.4.0 release.

Does this PR introduce a breaking change?

• No

Does this PR add or change a YAML parameter?

• No

Is there a related doc issue or Pull Request?

Doc issue/PR number:

Other information

[github-actions]

build 9484 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20721429621

[github-actions]

Test workflow 7997 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9484-20260105161658.pax
Running on machine: zzow09
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20721634685

[arxioly]

Strange that there is nothing about intemediate z/OSMF's certificate at all...

[pablocarle]

Should we add something? any suggestion?

[arxioly]

If you think it make sence, then we could add something similar like for Zowe's:

   RACDCERT CONNECT(CERTAUTH +
            LABEL('&ITRMZFCA.') +
            RING(&ZOWETRST.) USAGE(CERTAUTH)) +
            ID(&ZOWEUSER.)

and add new parameter ITRMZFCA in SET section.

[github-actions]

build 9490 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20753544215

[github-actions]

Test workflow 8003 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9490-20260106155149.pax
Running on machine: zzow10
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20753724786

[Martin-Zeithaml]

This sample is kept due to the SMP/E installation. It is deprecated, but updates are of course possible.
Those changes must be reflected in split versions of this sample:

• Keyring ACF2
  • ZWEIKRA1
  • ZWEIKRA2
  • ZWEIKRA3
• Keyring RACF
  • ZWEIKRR1
  • ZWEIKRR2
  • ZWEIKRR3
• Keyring Top Secret
  • ZWEIKRT1
  • ZWEIKRT2
  • ZWEIKRT3

[pablocarle]

Thank you, I'll bring the updates there

[github-actions]

build 9493 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20779633839

[github-actions]

Test workflow 8006 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9493-20260107111958.pax
Running on machine: zzow10
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20779766819

[github-actions]

build 9496 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20815909315

[pablocarle]

Based on discussion in z/OS squad call, I made changes to files/SZWESAMP/ZWEIKRA1 as a sample, to discuss if these are appropriate changes, once decided I can port to other files
@Martin-Zeithaml @MarkAckert
cc @1000TurquoisePogs @arxioly

[github-actions]

Test workflow 8009 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9496-20260108115950.pax
Running on machine: zzow09
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20816080985

[Martin-Zeithaml]

I am not sure about this:

2 //       SET IFTRSTST=0              
3 //IF1    IF (&IFTRSTST = 1) THEN     
  IEFC653I SUBSTITUTION JCL - (0 = 1)  
4 //IEFBR15  EXEC PGM=IEFBR15          
5 //       ELSE                        
6 //IEFBR14  EXEC PGM=IEFBR14          
7 //       ENDIF                                           

This JCL ended with ABEND806-04, which means an attempt to call IEFBR15 (which does not exist).

Based on the doc, only predefined operands could be used (RC, ABEND, ABENDCC, RUN).

[arxioly]

The problem might be in empty lines w/o *.

[pablocarle]

How can I try out these JCLs?

[MarkAckert]

Running zwe init generate will give you the rendered JCL in your zowe.setup.dataset.jcllib dataset.