Skip to content

Recommend split keyring for new configurations #4645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
pablocarle wants to merge 4 commits into
base: v3.x/staging
Choose a base branch
from
Draft

Recommend split keyring for new configurations #4645

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
59f05c5
recommend split keyring for new installation / configuration
Jan 5, 2026
ca68d85
pr review 1
Jan 6, 2026
e53b7c8
Merge branch 'v3.x/staging' into reboot/keyring-default
pablocarle Jan 7, 2026
64b7a28
proposal for changes in init certificate steps, new schema property
Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 78 additions & 2 deletions files/SZWESAMP/ZWEIKRA1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@
//* * IFROZFCA to 1 to connect z/OSMF certificate authority to
//* * Zowe keyring. Otherwise set to 0.
// SET IFROZFCA=0
//* * If you enable splitting of keyring and truststore keyring
//* * set to 1 and define the property
//* * zowe.setup.certificate.keyring.truststore.name in zowe.yaml
// SET IFTRSTST=0
//*******************************************************************
//*
//* * You do NOT need to set USERNAME when running ZWEGENER.
Expand All @@ -97,7 +101,7 @@
//ACF2 DD DATA,DLM=$$,SYMBOLS=JCLONLY
ACF
//
* Create the keyring .............................................. */
* Create Zowe keyring ............................................. */
SET PROFILE(USER) DIVISION(KEYRING)
INSERT {zowe.setup.security.users.zowe}.ZOWERING +
RINGNAME({zowe.setup.certificate.keyring.name})
Expand Down Expand Up @@ -155,6 +159,7 @@ ACF
*
* Option 1 - Default Option - END ................................. */
$$

//*
//IFZWCA IF (&IFZOWECA EQ 1) THEN
//RUNZWCA EXEC PGM=IKJEFT01,REGION=0M
Expand All @@ -176,14 +181,70 @@ ACF
$$
//IFZWCAED ENDIF
//*

//* If truststore is selected, create keyring for it
//* If truststore is selected, connect z/OSMF certificate to it,
//* otherwise, connect to keyring
//IFTRST IF (&IFTRSTST EQ 1) THEN
Copy link
Contributor

@Martin-Zeithaml Martin-Zeithaml Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure about this:

2 //       SET IFTRSTST=0              
3 //IF1    IF (&IFTRSTST = 1) THEN     
  IEFC653I SUBSTITUTION JCL - (0 = 1)  
4 //IEFBR15  EXEC PGM=IEFBR15          
5 //       ELSE                        
6 //IEFBR14  EXEC PGM=IEFBR14          
7 //       ENDIF

This JCL ended with ABEND806-04, which means an attempt to call IEFBR15 (which does not exist).

Based on the doc, only predefined operands could be used (RC, ABEND, ABENDCC, RUN).

Copy link
Contributor

@arxioly arxioly Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem might be in empty lines w/o *.

Copy link
Contributor Author

@pablocarle pablocarle Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can I try out these JCLs?

Copy link
Member

@MarkAckert MarkAckert Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running zwe init generate will give you the rendered JCL in your zowe.setup.dataset.jcllib dataset.

//RUNACF2 EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD DDNAME=ACF2
//ACF2 DD DATA,DLM=$$,SYMBOLS=JCLONLY
ACF
//
* Create Zowe truststore keyring .................................. */
SET PROFILE(USER) DIVISION(KEYRING)
INSERT {zowe.setup.security.users.zowe}.ZOWETRST +
RINGNAME({zowe.setup.certificate.keyring.truststore.name})

* Connect all CAs of the Zowe certificate's signing chain with the */
* keyring ......................................................... */
SET PROFILE(USER) DIVISION(CERTDATA)
CONNECT CERTDATA(CERTAUTH.&ITRMZWCA.) -
RINGNAME({zowe.setup.certificate.keyring.truststore.name}) -
KEYRING({zowe.setup.security.users.zowe}.ZOWETRST) USAGE(CERTAUTH)
*
CONNECT CERTDATA(CERTAUTH.&ROOTZWCA.) -
RINGNAME({zowe.setup.certificate.keyring.truststore.name}) -
KEYRING({zowe.setup.security.users.zowe}.ZOWETRST) USAGE(CERTAUTH)

* Connect the z/OSMF root CA signed by a recognized certificate ...*/
* authority (CA) with the keyring ................................. */
SET PROFILE(USER) DIVISION(CERTDATA)
CONNECT -
CERTDATA(CERTAUTH.&ROOTZFCA.) -
RINGNAME({zowe.setup.certificate.keyring.truststore.name}) -
KEYRING({zowe.setup.security.users.zowe}.ZOWETRST) -
USAGE(CERTAUTH)

F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)
$$
//IFTRSTEL ELSE
//RUNZFCA EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD DDNAME=ACF2
//ACF2 DD DATA,DLM=$$,SYMBOLS=JCLONLY
ACF
//
* Connect the z/OSMF root CA signed by a recognized certificate ...*/
* authority (CA) with the keyring ................................. */
SET PROFILE(USER) DIVISION(CERTDATA)
CONNECT -
CERTDATA(CERTAUTH.&ROOTZFCA.) -
RINGNAME({zowe.setup.certificate.keyring.name}) -
KEYRING({zowe.setup.security.users.zowe}.ZOWERING) -
USAGE(CERTAUTH)
$$
//IFTRSTED ENDIF

//IFZFCA IF (&IFROZFCA EQ 1) THEN
//RUNZFCA EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD DDNAME=ACF2
//ACF2 DD DATA,DLM=$$,SYMBOLS=JCLONLY
ACF
//
* Connect the z/OSMF root CA signed by a recognized certificate ... */
* Connect the z/OSMF root CA signed by a recognized certificate ...*/
* authority (CA) with the keyring ................................. */
SET PROFILE(USER) DIVISION(CERTDATA)
CONNECT -
Expand All @@ -193,6 +254,7 @@ ACF
USAGE(CERTAUTH)
$$
//IFZFCAED ENDIF

//*
//COMACF2 EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
Expand Down Expand Up @@ -221,3 +283,17 @@ ACF
* Common part - END ............................................... */
$$
//*

//* If truststore is selected, list it
//IFTRST IF (&IFTRSTST EQ 1) THEN
//COMACF2 EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD DDNAME=ACF2
//ACF2 DD DATA,DLM=$$,SYMBOLS=JCLONLY
ACF
//
* List the keyring ................................................ */
SET PROFILE(USER) DIVISION(KEYRING)
LIST {zowe.setup.security.users.zowe}.ZOWETRST
//IFTRSTED ENDIF
//*
Loading
Loading