Db2 Tools for z/OS


Zowe and UMS certificate - for sandbox system

By Jørn Thyssen posted Fri November 29, 2024 03:01 PM


In a previous blog post, I provided detailed instructions for creating a temporary, but valid, certificate for z/OSMF.

Both Zowe and Unified Management Server (UMS) also require TLS certificates. The best practice is to request a certificate signed by your certificate authority or PKI team, with a subject alternative name (SAN) that covers every host name clients will use to reach Zowe and UMS. For testing and installation on a sandbox system, however, you can simplify the setup by reusing the site certificate generated for z/OSMF, provided that Zowe and UMS are reached through the same host name(s) that certificate was issued for. Keep in mind that sharing one certificate and private key across z/OSMF, Zowe and UMS is acceptable for a sandbox but not for production, where a compromise of one service would expose the key used by all three.

Reusing the z/OSMF certificate also keeps the trust setup simple: z/OSMF, Zowe and UMS all present certificates issued by the same sandbox root CA, so each of them only needs to trust that one CA to talk to the others over TLS, without any additional configuration.

Setting Up a Keyring for Zowe and UMS

Follow these instructions to create a keyring for Zowe and UMS and connect the certificates to it. These steps assume that you have already completed Steps 1 and 2 from the "Temporary Solution: Creating a Site Certificate" section in the previous blog post.

1: Create the keyring (keyring names are case sensitive, so use exactly the same spelling later in zowe.yaml)

RACDCERT ID(ZWESVUSR) ADDRING(ZoweKeyring)

2: Connect the sandbox Root CA to the keyring

RACDCERT CONNECT(CERTAUTH LABEL('SANDBOX ROOT CA') +       
   RING(ZoweKeyring) USAGE(CERTAUTH)) ID(ZWESVUSR)         

3: Connect the sandbox TLS certificate to the keyring

RACDCERT CONNECT(SITE LABEL('SITE SANDBOX') +                    
   RING(ZoweKeyring) USAGE(PERSONAL) DEFAULT) ID(ZWESVUSR)       

Because SITE SANDBOX is a SITE certificate rather than one owned by ZWESVUSR, ZWESVUSR must be explicitly allowed to use its private key: in addition to READ access to IRR.DIGTCERT.LISTRING in the FACILITY class (needed to read its own keyring at all), it needs CONTROL access to IRR.DIGTCERT.GENCERT (with RDATALIB, CONTROL access to the ZWESVUSR.ZoweKeyring.LST profile serves the same purpose). Without that authority Zowe can list the ring but TLS handshakes fail because the private key is not available to it.

4: Optional: if UMS will connect to other downstream services over TLS (for example Db2 for z/OS), connect the root CA(s) that issued those services' certificates to the keyring, so that UMS can validate them

RACDCERT CONNECT(CERTAUTH LABEL('<label for downstream service root CA>') +      
   RING(ZoweKeyring) USAGE(CERTAUTH)) ID(ZWESVUSR)         

Repeat this for every relevant root CA: Db2 for z/OS, IMS services, Db2 SQL Tuning Service, Db2 Analytics Accelerator Administration Services, and so on.
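The four steps above as a single batch job, followed by the two RACDCERT listings I use to verify the result. This is an added worked example, not code from the original post. It assumes the sandbox root CA (label SANDBOX ROOT CA) and site certificate (label SITE SANDBOX) from the previous post already exist, that ZWESVUSR is the Zowe started-task user, that the FACILITY profiles IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.GENCERT are already defined, and that the DIGTCERT and DIGTRING classes are RACLISTed; the job name, accounting information and job classes are placeholders for your own.

```jcl
//ZWEKEYR  JOB (ACCT),'ZOWE UMS KEYRING',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example, not from the original post: builds the Zowe/UMS
//* keyring in one batch TSO step and then lists it for verification.
//* Assumes the sandbox root CA 'SANDBOX ROOT CA' and the site
//* certificate 'SITE SANDBOX' from the previous post already exist,
//* that ZWESVUSR is the Zowe started-task user, and that the
//* FACILITY profiles IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.GENCERT
//* are defined. For each downstream root CA (Db2 for z/OS, IMS, ...)
//* add one more CONNECT with USAGE(CERTAUTH) to SYSTSIN, for example
//*   RACDCERT CONNECT(CERTAUTH LABEL('DB2 ROOT CA') +
//*      RING(ZoweKeyring) USAGE(CERTAUTH)) ID(ZWESVUSR)
//* where 'DB2 ROOT CA' stands for the label used on your system.
//*--------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(ZWESVUSR) ADDRING(ZoweKeyring)
  RACDCERT CONNECT(CERTAUTH LABEL('SANDBOX ROOT CA') +
     RING(ZoweKeyring) USAGE(CERTAUTH)) ID(ZWESVUSR)
  RACDCERT CONNECT(SITE LABEL('SITE SANDBOX') +
     RING(ZoweKeyring) USAGE(PERSONAL) DEFAULT) ID(ZWESVUSR)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(ZWESVUSR) +
     ACCESS(READ)
  PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(ZWESVUSR) +
     ACCESS(CONTROL)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT ID(ZWESVUSR) LISTRING(ZoweKeyring)
  RACDCERT SITE LIST(LABEL('SITE SANDBOX'))
/*
//
```

In the LISTRING output, SITE SANDBOX should appear with usage PERSONAL and DEFAULT set to YES, and SANDBOX ROOT CA with usage CERTAUTH. In the LIST output, check that the certificate's validity period has not expired and that its subject alternative names include the host names clients will use for Zowe and UMS; a name mismatch shows up later as a browser or zowe CLI certificate error, not as a RACF failure. If Zowe starts but TLS handshakes fail, the CONTROL access on IRR.DIGTCERT.GENCERT is the first thing to re-check, because a SITE certificate's private key is not usable by the ring owner without it.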

With the setup above you can use the following values in the zowe.setup.certificate section in your zowe.yaml configuration file:

    certificate:
      type: "JCERACFKS"
      keyring:
        name: "ZoweKeyring"
        label: "SITE SANDBOX"
        caLabel: "SANDBOX ROOT CA"

When you run the zwe init certificate command, add the --security-dry-run option so that zwe does not submit the generated keyring JCL: the keyring and certificates above already exist and must not be recreated.

#IBMChampion #db2z/os #Db2Tools #Zowe
