
Recommend split keyring for new configurations#4645

Draft
pablocarle wants to merge 4 commits intov3.x/stagingfrom
reboot/keyring-default

Conversation

@pablocarle
Contributor

  • Tests for the changes have been added (for bug fixes / features)
  • Necessary documentation (if appropriate) have been added / updated
  • DCO signoffs have been added to all commits, including this PR

PR type

  • Bugfix

Changes proposed in this PR

Split keyrings into two:

  1. Contains the private key and full chain of the CA used to sign Zowe's certificate.
  2. Contains the trusted certificates (Zowe server chain, z/OSMF certificate, other trusted certificates such as southbound services')

The reason behind it lies in AT-TLS configurations.
Currently, AT-TLS configuration uses keyring to set up handshakes between services; the problem lies in that some connections may be using the PERSONAL certificate from the keyring to authenticate without knowing it, since AT-TLS will pick up certificates marked as DEFAULT.
The chosen way to deal with this is to split the configuration in AT-TLS to have a keyring that contains the private key and another one that only has trusted certificates acting as a truststore.

This PR aims at updating the recommendations for new installations, since it's not known at the beginning if the installation will use AT-TLS or not.

Documentation is being updated for the AT-TLS article, targeting the 3.4.0 release.

Does this PR introduce a breaking change?

  • No

Does this PR add or change a YAML parameter?

  • No

Is there a related doc issue or Pull Request?

Doc issue/PR number:

Other information

Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
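The RACF side of the split described above, as an added example that is not code from this PR or from the Zowe project. It builds the two rings the description calls for: one ring with the PERSONAL certificate (private key) plus its signing chain, and a second ring that holds CERTAUTH entries only, so there is no PERSONAL entry for AT-TLS to pick up as DEFAULT. The user ID ZWESVUSR, the certificate labels localhost, localca and ZOSMFCA, the job card, and the use of RDATALIB (rather than FACILITY) for ring authorization are assumptions for illustration; the ring names ZOWERING and ZOWETRST stand in for the &ZOWERING./&ZOWETRST. symbolics the sample members use.

```jcl
//ZWEKRSPL JOB (ACCT),'SPLIT KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not from the PR. Adjust job card, user ID,
//* ring names and labels to the site before running.
//*
//SPLIT    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Key ring: the server's private key and the full chain of  */
  /*    the CA that signed it. Only this ring carries a DEFAULT.   */
  RACDCERT ADDRING(ZOWERING) ID(ZWESVUSR)
  RACDCERT CONNECT(ID(ZWESVUSR) LABEL('localhost') +
           RING(ZOWERING) USAGE(PERSONAL) DEFAULT) +
           ID(ZWESVUSR)
  RACDCERT CONNECT(CERTAUTH LABEL('localca') +
           RING(ZOWERING) USAGE(CERTAUTH)) +
           ID(ZWESVUSR)

  /* 2. Truststore ring: CERTAUTH entries only. No PERSONAL entry  */
  /*    means no DEFAULT, so AT-TLS cannot authenticate with it.   */
  RACDCERT ADDRING(ZOWETRST) ID(ZWESVUSR)
  RACDCERT CONNECT(CERTAUTH LABEL('localca') +
           RING(ZOWETRST) USAGE(CERTAUTH)) +
           ID(ZWESVUSR)
  RACDCERT CONNECT(CERTAUTH LABEL('ZOSMFCA') +
           RING(ZOWETRST) USAGE(CERTAUTH)) +
           ID(ZWESVUSR)

  /* 3. Check: LISTRING prints a DEFAULT column per entry. ZOWERING */
  /*    should show exactly one YES (localhost); ZOWETRST none.     */
  RACDCERT LISTRING(ZOWERING) ID(ZWESVUSR)
  RACDCERT LISTRING(ZOWETRST) ID(ZWESVUSR)

  /* 4. Ring-scoped read access for the server user (RDATALIB       */
  /*    profile <owner>.<ring>.LST; READ is enough for own certs).  */
  RDEFINE RDATALIB ZWESVUSR.ZOWERING.LST UACC(NONE)
  RDEFINE RDATALIB ZWESVUSR.ZOWETRST.LST UACC(NONE)
  PERMIT ZWESVUSR.ZOWERING.LST CLASS(RDATALIB) ID(ZWESVUSR) ACCESS(READ)
  PERMIT ZWESVUSR.ZOWETRST.LST CLASS(RDATALIB) ID(ZWESVUSR) ACCESS(READ)
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB) REFRESH
/*
```

Point the AT-TLS environment's TTLSKeyringParms Keyring at ZOWERING for the server's own identity; the truststore ring is what the description says should be referenced where only trusted CAs are needed. The page does not name the truststore-side policy statement, so that part of the AT-TLS policy is not shown here. The LISTRING step is the check worth keeping in a runbook: if ZOWETRST ever shows a DEFAULT of YES, a PERSONAL certificate has been connected to the wrong ring.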
@github-actions

github-actions bot commented Jan 5, 2026

build 9484 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20721429621

@github-actions

github-actions bot commented Jan 5, 2026

Test workflow 7997 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9484-20260105161658.pax
Running on machine: zzow09
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20721634685

Comment on lines 353 to 358
/* Connect the z/OSMF root CA signed by a recognized certificate ... */
/* authority (CA) with the keyring ................................. */
RACDCERT CONNECT(CERTAUTH +
LABEL('&ROOTZFCA.') +
RING(&ZOWERING.) USAGE(CERTAUTH)) +
RING(&ZOWETRST.) USAGE(CERTAUTH)) +
ID(&ZOWEUSER.)
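Review bot: the comment header on the first two lines of this hunk still says the z/OSMF root CA is connected "with the keyring", while the CONNECT now targets RING(&ZOWETRST.); change the comment to say the truststore ring so a reader of the sample does not assume the CA also lands in &ZOWERING.. Since only the root CA is connected here, any intermediate CA in the z/OSMF chain needs its own CONNECT into &ZOWETRST. as well, otherwise chain validation against z/OSMF will not complete.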
Contributor

Strange that there is nothing about the intermediate z/OSMF certificate at all...

Contributor Author

Should we add something? Any suggestions?

Contributor

If you think it makes sense, then we could add something similar to Zowe's:

   RACDCERT CONNECT(CERTAUTH +
            LABEL('&ITRMZFCA.') +
            RING(&ZOWETRST.) USAGE(CERTAUTH)) +
            ID(&ZOWEUSER.)

and add new parameter ITRMZFCA in SET section.

Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
@github-actions

github-actions bot commented Jan 6, 2026

build 9490 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20753544215

@github-actions

github-actions bot commented Jan 6, 2026

Test workflow 8003 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9490-20260106155149.pax
Running on machine: zzow10
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20753724786

//*********************************************************************
//* ATTENTION!
//*
//* This sample is DEPRECATED.
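Review bot: the banner says the sample is deprecated but does not tell the reader which members replace it; since this copy is kept for SMP/E and still receives updates, name the split members (ZWEIKRA1-3, ZWEIKRR1-3, ZWEIKRT1-3) in the banner so that anyone editing it knows the same change must be mirrored there.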
Contributor

This sample is kept due to the SMP/E installation. It is deprecated, but updates are of course possible.
Those changes must be reflected in split versions of this sample:

  • Keyring ACF2
    • ZWEIKRA1
    • ZWEIKRA2
    • ZWEIKRA3
  • Keyring RACF
    • ZWEIKRR1
    • ZWEIKRR2
    • ZWEIKRR3
  • Keyring Top Secret
    • ZWEIKRT1
    • ZWEIKRT2
    • ZWEIKRT3

Contributor Author

Thank you, I'll bring the updates there

@github-actions

github-actions bot commented Jan 7, 2026

build 9493 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20779633839

@github-actions

github-actions bot commented Jan 7, 2026

Test workflow 8006 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9493-20260107111958.pax
Running on machine: zzow10
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20779766819

Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
@github-actions

github-actions bot commented Jan 8, 2026

build 9496 SUCCEEDED.
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20815909315

@pablocarle
Contributor Author

Based on discussion in the z/OS squad call, I made changes to files/SZWESAMP/ZWEIKRA1 as a sample, to discuss whether these are appropriate changes; once decided, I can port them to the other files.
@Martin-Zeithaml @MarkAckert
cc @1000TurquoisePogs @arxioly

@github-actions

github-actions bot commented Jan 8, 2026

Test workflow 8009 is started.
Running install test: Convenience Pax
The zowe artifact being used by this test workflow: libs-snapshot-local/org/zowe/3.4.0-PR-4645/zowe-3.4.0-pr-4645-9496-20260108115950.pax
Running on machine: zzow09
Result: SUCCESS
Link to workflow run: https://github.com/zowe/zowe-install-packaging/actions/runs/20816080985

//* If truststore is selected, create keyring for it
//* If truststore is selected, connect z/OSMF certificate to it,
//* otherwise, connect to keyring
//IFTRST IF (&IFTRSTST EQ 1) THEN
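Review bot: `//IFTRST IF (&IFTRSTST EQ 1) THEN` tests a SET symbolic, but a JCL IF/THEN/ELSE/ENDIF relational expression can only test the step keywords RC, ABEND, ABENDCC and RUN; after substitution the statement reads `IF (0 EQ 1)`, and the test listing posted in this thread shows the THEN branch running anyway (ABEND806 calling IEFBR15). Resolve the truststore-versus-keyring choice when the member is rendered by `zwe init generate`, or put the truststore steps in a separate member, instead of a run-time IF.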
Contributor

I am not sure about this:

2 //       SET IFTRSTST=0              
3 //IF1    IF (&IFTRSTST = 1) THEN     
  IEFC653I SUBSTITUTION JCL - (0 = 1)  
4 //IEFBR15  EXEC PGM=IEFBR15          
5 //       ELSE                        
6 //IEFBR14  EXEC PGM=IEFBR14          
7 //       ENDIF                                           

This JCL ended with ABEND806-04, which means an attempt to call IEFBR15 (which does not exist).

Based on the doc, only predefined operands could be used (RC, ABEND, ABENDCC, RUN).

Contributor

The problem might be in empty lines without *.

Contributor Author

How can I try out these JCLs?

Member

Running zwe init generate will give you the rendered JCL in your zowe.setup.dataset.jcllib dataset.
