From 527763db99626188c9964c5264c813e7df4e3a41 Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Wed, 6 Nov 2024 15:20:51 +0100 Subject: [PATCH 01/32] fix commands and add note Signed-off-by: Andrea Tabone --- .../configuration-extender-passtickets.md | 15 +++++++++------ .../configuration-extender-passtickets.md | 15 +++++++++------ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index b9783ab2ec..0f89aae563 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -29,7 +29,7 @@ Since the Zowe 2.17 release, it is no longer necessary to disable replay protect This section applies to users who do not already have PassTickets enabled in the system, or users who need to define a PassTicket for a new APPLID. If you already have an APPLID that you intend to use to define your API service, skip to the section [Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service](#configuring-security-to-allow-zowe-api-gateway-to-generate-passtickets-for-an-api-service). :::tip -To validate if a PassTicket is already defined, list the APPL and PKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the zoweuser can be determined. +To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the zoweuser can be determined. - **Validating an existing PassTicket for ACF2** 
@@ -74,6 +74,7 @@ To validate if a PassTicket is already defined, list the APPL and PKTDATA with a TSS WHOHAS PTKTDATA() TSS WHOHAS PTKTDATA(IRRPTAUTH..) ``` + If APPL and PTKTDATA are not defined yet, follow the instruction to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. - **`.`** A wildcard symbol that lists all resources @@ -98,7 +99,7 @@ To validate if a PassTicket is already defined, list the APPL and PKTDATA with a RLIST PTKTDATA IRRPTAUTH..* ALL ``` - Ensure that you validate PKTDATA access for APPL. + Ensure that you validate PTKTDATA access for APPL. - **`*`** A wildcard symbol that resturns all resources @@ -164,7 +165,7 @@ You configured Zowe to use PassTickets for single sign on using ACF2. Click here for command details about configuring Zowe to use PassTickets using Top Secret. -Before you begin this procedure, verify that the `PTKTDATA` class and ownership for the PassTicket resource (`IRRPTAUT`) have not already been defined as described in the previous tip. +Before you begin this procedure, verify that the `PTKTDATA` class and ownership for the PassTicket resource (`IRRPTAUTH`) have not already been defined as described in the previous tip. 1. Update the resource descriptor table (RDT) to define the `PTKTDATA` class by entering the following commands: @@ -181,11 +182,13 @@ Before you begin this procedure, verify that the `PTKTDATA` class and ownership Include `RESCODE(n)` in the range of 101 to 13F to make `PTKTDATA` a prefixed resource class. ::: -2. Assign ownership for the PassTicket resource (`IRRPTAUT`). Execute the following commands: +2. Assign ownership for the PassTicket resource (`IRRPTAUTH`). Execute the following commands: ``` - TSS ADDTO(department) PTKTDATA(IRRPTAUT) + TSS ADDTO() PTKTDATA(IRRPTAUTH) ``` - +- **`department`** + Specifies the department for Zowe. The default department is `TSODEPT1`. + 3. Define PassTicket for application ID _applid_: ```tss 
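Review bot: In the `@@ -181,11 +182,13` hunk the new `department` bullet starts at column 0 directly after step 2's closing fence, so it is parsed as a separate top-level list that splits the numbered procedure instead of belonging to step 2. Indent the bullet and its description to the level of the fence under step 2. Also, the command as it reads here is `TSS ADDTO() PTKTDATA(IRRPTAUTH)`, with nothing between the parentheses where the removed line had `department`; make sure the placeholder that the new bullet documents is still visible in the rendered command.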
diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index 1fec5ba946..57127f13a5 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -29,7 +29,7 @@ Since the Zowe 2.17 release, it is no longer necessary to disable replay protect This section applies to users who do not already have PassTickets enabled in the system, or users who need to define a PassTicket for a new APPLID. If you already have an APPLID that you intend to use to define your API service, skip to the section [Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service](#configuring-security-to-allow-zowe-api-gateway-to-generate-passtickets-for-an-api-service). :::tip -To validate if a PassTicket is already defined, list the APPL and PKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the zoweuser can be determined. +To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the zoweuser can be determined. - **Validating an existing PassTicket for ACF2** 
@@ -74,6 +74,7 @@ To validate if a PassTicket is already defined, list the APPL and PKTDATA with a TSS WHOHAS PTKTDATA() TSS WHOHAS PTKTDATA(IRRPTAUTH..) ``` + If APPL and PTKTDATA are not defined yet, follow the instruction to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. - **`.`** A wildcard symbol that lists all resources @@ -98,7 +99,7 @@ To validate if a PassTicket is already defined, list the APPL and PKTDATA with a RLIST PTKTDATA IRRPTAUTH..* ALL ``` - Ensure that you validate PKTDATA access for APPL. + Ensure that you validate PTKTDATA access for APPL. - **`*`** A wildcard symbol that resturns all resources @@ -164,7 +165,7 @@ You configured Zowe to use PassTickets for single sign on using ACF2. Click here for command details about configuring Zowe to use PassTickets using Top Secret. -Before you begin this procedure, verify that the `PTKTDATA` class and ownership for the PassTicket resource (`IRRPTAUT`) have not already been defined as described in the previous tip. +Before you begin this procedure, verify that the `PTKTDATA` class and ownership for the PassTicket resource (`IRRPTAUTH`) have not already been defined as described in the previous tip. 1. Update the resource descriptor table (RDT) to define the `PTKTDATA` class by entering the following commands: @@ -181,11 +182,13 @@ Before you begin this procedure, verify that the `PTKTDATA` class and ownership Include `RESCODE(n)` in the range of 101 to 13F to make `PTKTDATA` a prefixed resource class. ::: -2. Assign ownership for the PassTicket resource (`IRRPTAUT`). Execute the following commands: +2. Assign ownership for the PassTicket resource (`IRRPTAUTH`). Execute the following commands: ``` - TSS ADDTO(department) PTKTDATA(IRRPTAUT) + TSS ADDTO() PTKTDATA(IRRPTAUTH) ``` - +- **`department`** + Specifies the department for Zowe. The default department is `TSODEPT1`. + 3. Define PassTicket for application ID _applid_: ```tss 
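Review bot: In the `@@ -98,7 +99,7` hunk, the context line directly under the corrected sentence still reads "A wildcard symbol that resturns all resources"; since this patch is a typo pass over the same block, change `resturns` to `returns` in both copies of the file. In the `@@ -74,6 +74,7` hunk, the added sentence says "follow the instruction to create them"; "follow the instructions" reads better.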
From 5130f516b04145b462af1c7ee0cd93ddfb8939a9 Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Thu, 7 Nov 2024 13:40:13 +0100 Subject: [PATCH 02/32] add missing commands for ACF2 and TSS Signed-off-by: Andrea Tabone --- docs/user-guide/configure-zos-system.md | 91 ++++++++++++++---- .../user-guide/configure-zos-system.md | 92 ++++++++++++++----- 2 files changed, 142 insertions(+), 41 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 64ca26a40e..e787b36ab7 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md 
@@ -353,31 +353,82 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th If you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment, the commands are described below for reference. - To create the `ZWEADMIN` group, issue the following command: - ``` - ADDGROUP ZWEADMIN OMVS(AUTOGID) - - DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') - ``` + **RACF:** + ``` + ADDGROUP ZWEADMIN OMVS(AUTOGID) - + DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') + ``` + **TSS:** + ``` + TSS CREATE() TYPE(GROUP) + + NAME('ZOWE ADMINISTRATORS') + + DEPT() + TSS ADD() GID() + ``` + **ACF2:** + ``` + SET PROFILE(GROUP) DIV(OMVS) + INSERT AUTOGID + F ACF2,REBUILD(GRP),CLASS(P) + ``` - To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: - ``` - ADDUSER ZWESVUSR - - NOPASSWORD - - DFLTGRP(ZWEADMIN) - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE SERVER') - - DATA('ZOWE MAIN SERVER') - ``` + + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE SERVER') - + DATA('ZOWE MAIN SERVER') + ``` + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + + NAME('ZOWE MAIN SERVER') + + DEPT() + TSS ADD() GROUP() + + DFLTGRP() + + HOME(/tmp) OMVSPGM(/bin/sh) UID() + ``` + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` - To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: - ``` - ADDUSER ZWESIUSR - - NOPASSWORD - - DFLTGRP(ZWEADMIN) - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE XMEM SERVER') - - DATA('ZOWE XMEM CROSS MEMORY SERVER') - ``` + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE XMEM SERVER') - + DATA('ZOWE XMEM CROSS MEMORY SERVER') + ``` + **TSS:** + 
``` + TSS CREATE() TYPE(USER) PROTECTED + + NAME('ZOWE ZIS CROSS MEMORY SERVER') + + DEPT() + TSS ADD() GROUP() + + DFLTGRP() + + HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZISUID.) + ``` + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` ### Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID diff --git a/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md b/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md index 420692b9e6..9709b347b7 100644 --- a/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md +++ b/versioned_docs/version-v2.18.x/user-guide/configure-zos-system.md 
@@ -353,31 +353,81 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th If you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment, the commands are described below for reference. - To create the `ZWEADMIN` group, issue the following command: - ``` - ADDGROUP ZWEADMIN OMVS(AUTOGID) - - DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') - ``` + + **RACF:** + ``` + ADDGROUP ZWEADMIN OMVS(AUTOGID) - + DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') + ``` + **TSS:** + ``` + TSS CREATE() TYPE(GROUP) + + NAME('ZOWE ADMINISTRATORS') + + DEPT() + TSS ADD() GID() + ``` + **ACF2:** + ``` + SET PROFILE(GROUP) DIV(OMVS) + INSERT AUTOGID + F ACF2,REBUILD(GRP),CLASS(P) - To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: - ``` - ADDUSER ZWESVUSR - - NOPASSWORD - - DFLTGRP(ZWEADMIN) - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE SERVER') - - DATA('ZOWE MAIN SERVER') - ``` -- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: - ``` - ADDUSER ZWESIUSR - - NOPASSWORD - - DFLTGRP(ZWEADMIN) - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE XMEM SERVER') - - DATA('ZOWE XMEM CROSS MEMORY SERVER') - ``` + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE SERVER') - + DATA('ZOWE MAIN SERVER') + ``` + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + + NAME('ZOWE MAIN SERVER') + + DEPT() + TSS ADD() GROUP() + + DFLTGRP() + + HOME(/tmp) OMVSPGM(/bin/sh) UID() + ``` + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` +- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) 
PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE XMEM SERVER') - + DATA('ZOWE XMEM CROSS MEMORY SERVER') + ``` + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + + NAME('ZOWE ZIS CROSS MEMORY SERVER') + + DEPT() + TSS ADD() GROUP() + + DFLTGRP() + + HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZISUID.) + ``` + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` ### Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID From 2c291944f5f10a40063b4cc5cd48d25d17a00389 Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Thu, 7 Nov 2024 14:50:02 +0100 Subject: [PATCH 03/32] add missing commands for ACF2 and TSS for passticket verification Signed-off-by: Andrea Tabone --- .../configuration-extender-passtickets.md | 18 ++++++++++++++++-- .../configuration-extender-passtickets.md | 18 ++++++++++++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 0f89aae563..147e00eae4 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -355,9 +355,23 @@ Grant the Zowe started task user ID permission to generate PassTickets for users In your ESM command line interface or other security environment, execute the following commands: +**RACF:** ```racf - RLIST APPL ALL - RLIST PTKTDATA IRRPTAUTH..* ALL + RLIST APPL ALL + RLIST PTKTDATA IRRPTAUTH..* ALL +``` +**TSS:** +```tss +TSS WHOHAS APPL() +TSS WHOHAS PTKTDATA(IRRPTAUTH.) +``` + +**ACF2:** +```acf2 +SET RESOURCE(SAF) +LIST LIKE(-) +SET RESOURCE(PTK) +LIST LIKE(IRRPTAUTH-) ``` * **`applid`** 
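Review bot: In [PATCH 02/32], the `versioned_docs/version-v2.18.x` hunk (`@@ -353,31 +353,81`) never closes the ACF2 fence for the `ZWEADMIN` group: after `F ACF2,REBUILD(GRP),CLASS(P)` the next line is the context bullet "To create the `ZWESVUSR` user ID", whereas the `docs/` hunk (`@@ -353,31 +353,82`) adds a closing fence at that point. As written, the following bullet and its `**RACF:**` label render as code; add the missing closing fence line. In both copies the TSS block for `ZWESIUSR` ends with `UID(&ZISUID.)`, which looks like a JCL symbol carried over from a job, while the `ZWESVUSR` TSS block ends with `UID()`; use the same placeholder style in both. The unchanged bullet also calls `ZWESIUSR` a group although every added command under it creates a user (`ADDUSER`, `TYPE(USER)`, `SET LID`), which is worth correcting while this block is being rewritten.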
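Review bot: In the `@@ -355,9 +355,23` hunk the Top Secret check is written `TSS WHOHAS PTKTDATA(IRRPTAUTH.)`, while the validation tip earlier in the same file uses `TSS WHOHAS PTKTDATA(IRRPTAUTH..)` and the RACF line in this hunk uses `IRRPTAUTH..*`. Use one form of the resource name for the same lookup, so an administrator comparing the two sections is not left guessing whether the trailing qualifier matters. The RACF commands are also indented inside their fence while the TSS and ACF2 commands start at column 0; align the three blocks.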
diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index 57127f13a5..51112bd52d 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -355,9 +355,23 @@ Grant the Zowe started task user ID permission to generate PassTickets for users In your ESM command line interface or other security environment, execute the following commands: +**RACF:** ```racf - RLIST APPL ALL - RLIST PTKTDATA IRRPTAUTH..* ALL + RLIST APPL ALL + RLIST PTKTDATA IRRPTAUTH..* ALL +``` +**TSS:** +```tss +TSS WHOHAS APPL() +TSS WHOHAS PTKTDATA(IRRPTAUTH.) +``` + +**ACF2:** +```acf2 +SET RESOURCE(SAF) +LIST LIKE(-) +SET RESOURCE(PTK) +LIST LIKE(IRRPTAUTH-) ``` * **`applid`** From 76d99f8a482661ac70a45a5cabf4c94fb967588f Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Thu, 7 Nov 2024 16:40:55 +0100 Subject: [PATCH 04/32] address pr review pt.1 Signed-off-by: Andrea Tabone --- .../api-mediation/configuration-extender-passtickets.md | 4 ++-- .../api-mediation/configuration-extender-passtickets.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 147e00eae4..2fec6f99f6 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md 
@@ -29,7 +29,7 @@ Since the Zowe 2.17 release, it is no longer necessary to disable replay protect This section applies to users who do not already have PassTickets enabled in the system, or users who need to define a PassTicket for a new APPLID. If you already have an APPLID that you intend to use to define your API service, skip to the section [Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service](#configuring-security-to-allow-zowe-api-gateway-to-generate-passtickets-for-an-api-service). :::tip -To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the zoweuser can be determined. +To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the ZWESVUSR can be determined. - **Validating an existing PassTicket for ACF2** @@ -187,7 +187,7 @@ Before you begin this procedure, verify that the `PTKTDATA` class and ownership TSS ADDTO() PTKTDATA(IRRPTAUTH) ``` - **`department`** - Specifies the department for Zowe. The default department is `TSODEPT1`. + Specifies the department for `PTKTDATA(IRRPTAUTH`. The default department is `TSODEPT1`. 3. Define PassTicket for application ID _applid_: diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index 51112bd52d..a5fca2d9ad 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md 
+++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -29,7 +29,7 @@ Since the Zowe 2.17 release, it is no longer necessary to disable replay protect This section applies to users who do not already have PassTickets enabled in the system, or users who need to define a PassTicket for a new APPLID. If you already have an APPLID that you intend to use to define your API service, skip to the section [Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service](#configuring-security-to-allow-zowe-api-gateway-to-generate-passtickets-for-an-api-service). :::tip -To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the zoweuser can be determined. +To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the ZWESVUSR can be determined. - **Validating an existing PassTicket for ACF2** @@ -187,7 +187,7 @@ Before you begin this procedure, verify that the `PTKTDATA` class and ownership TSS ADDTO() PTKTDATA(IRRPTAUTH) ``` - **`department`** - Specifies the department for Zowe. The default department is `TSODEPT1`. + Specifies the department for `PTKTDATA(IRRPTAUTH`. The default department is `TSODEPT1`. 3. Define PassTicket for application ID _applid_: From 71e2ffe2ce0a1beb3770d14b16ccbdb32cedcd64 Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Fri, 8 Nov 2024 14:19:51 +0100 Subject: [PATCH 05/32] address pr review pt.2 
Signed-off-by: Andrea Tabone --- .../configuration-extender-passtickets.md | 29 +++++++++++----- .../configuration-extender-passtickets.md | 34 +++++++++++++------ 2 files changed, 44 insertions(+), 19 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 2fec6f99f6..d19e1ae135 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -39,19 +39,26 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with In your ESM command line interface or other security environment, execute the following commands: - ```acf2 - SET RESOURCE(SAF) - LIST LIKE(-) + 1. Issue a SHOW CLASMAP command in TSO ACF to verify whether or not the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the SHOW CLASMAP listing, run the following commands: - SET RESOURCE(SAF) - LIST LIKE(-) + ```acf2 + SET CONTROL(GSO) + INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL) + F ACF2,REFRESH(CLASMAP) + ``` + 2. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + ``` + SET RESOURCE(APL) + LIST LIKE(-) + ``` + 3. Verify whether PTKTDATA is defined, by executing the following commands: + ``` SET PROFILE(PTKTDATA) DIVISION(SSIGNON) LIST LIKE(-) - SET RESOURCE(PTK) LIST LIKE(IRRPTAUTH-) - ``` + ``` - **`-`** A wildcard symbol that lists all resources 
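Review bot: Step 1 of the ACF2 validation tip (`@@ -39,19 +39,26`) now tells the reader to run `SET CONTROL(GSO)`, `INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL)` and `F ACF2,REFRESH(CLASMAP)`, which changes the GSO, inside a tip whose stated purpose is only to check whether a PassTicket is already defined. Move the CLASMAP insert to the ACF2 enabling procedure, or at least label it as a configuration change, and keep the tip to `SHOW CLASMAP` plus the `LIST` commands. Step 2 opens with "Replace 'APL' with the type code listed in the SHOW CLASMAP output" and never says what the commands under it do; add a short statement of purpose before the substitution instruction.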
@@ -122,7 +129,13 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. -1. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. +1. Issue a SHOW CLASMAP command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + ``` + SET RESOURCE(APL) + RECKEY ADD(UID() ALLOW) + F ACF2,REBUILD(APL) + ``` +2. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. ```acf2 SET PROFILE(PTKTDATA) DIV(SSIGNON) diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index a5fca2d9ad..7a23b3ebcf 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md 
@@ -38,20 +38,26 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with Click here for command details about validating an existing PassTicket for ACF2. In your ESM command line interface or other security environment, execute the following commands: - - ```acf2 - SET RESOURCE(SAF) - LIST LIKE(-) - - SET RESOURCE(SAF) + 1. Issue a SHOW CLASMAP command in TSO ACF to verify whether or not the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the SHOW CLASMAP listing, run the following commands: + + ```acf2 + SET CONTROL(GSO) + INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL) + F ACF2,REFRESH(CLASMAP) + ``` + + 2. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + ``` + SET RESOURCE(APL) LIST LIKE(-) - + ``` + 3. Verify whether PTKTDATA is defined, by executing the following commands: + ``` SET PROFILE(PTKTDATA) DIVISION(SSIGNON) LIST LIKE(-) - SET RESOURCE(PTK) LIST LIKE(IRRPTAUTH-) - ``` + ``` - **`-`** A wildcard symbol that lists all resources @@ -122,8 +128,14 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. -1. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. - +1. Issue a SHOW CLASMAP command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + ``` + SET RESOURCE(APL) + RECKEY ADD(UID() ALLOW) + F ACF2,REBUILD(APL) + ``` +2. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. + ```acf2 SET PROFILE(PTKTDATA) DIV(SSIGNON) INSERT SSKEY() 
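Review bot: In [PATCH 04/32], the `@@ -187,7 +187,7` hunk changes the `department` description to "Specifies the department for `PTKTDATA(IRRPTAUTH`.", which is missing the closing parenthesis inside the code span; it should read `PTKTDATA(IRRPTAUTH)`. The same line is added to both the `docs/` and the `versioned_docs/version-v2.18.x` copy. In the `@@ -29,7 +29,7` hunk, "the access of the ZWESVUSR" would read better as "the access of `ZWESVUSR`", formatted as code like the other user IDs on the page.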
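Review bot: The new step 1 of the ACF2 enabling procedure (`@@ -122,7 +129,13` in `docs/`, `@@ -128,8 +128,14` in the versioned copy) reads "in TSO ACF to to identity the 3 character type code": drop the doubled "to" and change "identity" to "identify". The step also never says what its commands are for; one sentence stating what the `RECKEY ADD(UID() ALLOW)` rule under `SET RESOURCE(APL)` grants would let the reader review the grant before issuing it. Because this step is inserted as 1 and the old step 1 becomes 2, the following "2. Complete the PassTicket setup" and "3. Enable the started task user ID" steps need renumbering in the same patch.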
From 64d1c660d91fb5f991e610d914bf37f6167c849c Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Fri, 8 Nov 2024 14:24:02 +0100 Subject: [PATCH 06/32] fix indentation Signed-off-by: Andrea Tabone --- .../configuration-extender-passtickets.md | 8 ++++---- .../configuration-extender-passtickets.md | 20 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index d19e1ae135..7d77174323 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -130,7 +130,7 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. 1. Issue a SHOW CLASMAP command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: - ``` + ```acf2 SET RESOURCE(APL) RECKEY ADD(UID() ALLOW) F ACF2,REBUILD(APL) @@ -138,9 +138,9 @@ Follow these steps to enable PassTicket Support specific to your ESM. 2. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. ```acf2 - SET PROFILE(PTKTDATA) DIV(SSIGNON) - INSERT SSKEY() - F ACF2,REBUILD(PTK),CLASS(P) + SET PROFILE(PTKTDATA) DIV(SSIGNON) + INSERT SSKEY() + F ACF2,REBUILD(PTK),CLASS(P) ``` * **`applid`** diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index 7a23b3ebcf..f5f54f8aa2 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md 
+++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -47,12 +47,12 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with ``` 2. Replace 'APL' with the type code listed in the SHOW CLASMAP output: - ``` + ```acf2 SET RESOURCE(APL) LIST LIKE(-) ``` 3. Verify whether PTKTDATA is defined, by executing the following commands: - ``` + ```acf2 SET PROFILE(PTKTDATA) DIVISION(SSIGNON) LIST LIKE(-) SET RESOURCE(PTK) @@ -129,17 +129,17 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. 1. Issue a SHOW CLASMAP command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: - ``` - SET RESOURCE(APL) - RECKEY ADD(UID() ALLOW) - F ACF2,REBUILD(APL) - ``` + ```acf2 + SET RESOURCE(APL) + RECKEY ADD(UID() ALLOW) + F ACF2,REBUILD(APL) + ``` 2. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. ```acf2 - SET PROFILE(PTKTDATA) DIV(SSIGNON) - INSERT SSKEY() - F ACF2,REBUILD(PTK),CLASS(P) + SET PROFILE(PTKTDATA) DIV(SSIGNON) + INSERT SSKEY() + F ACF2,REBUILD(PTK),CLASS(P) ``` * **`applid`** From 2bc69af2399d68319aa40bc762526fe412ec5bcb Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 8 Nov 2024 15:54:23 +0100 Subject: [PATCH 07/32] language refactor configuration-extender-passtickets Signed-off-by: Andrew Jandacek --- .../configuration-extender-passtickets.md | 38 +++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 7d77174323..52aaf08126 100644 
--- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -35,11 +35,11 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with
- Click here for command details about validating an existing PassTicket for ACF2. + Click here for procedure details about validating an existing PassTicket for ACF2. - In your ESM command line interface or other security environment, execute the following commands: + In your ESM command line interface or other security environment, perform the following steps: - 1. Issue a SHOW CLASMAP command in TSO ACF to verify whether or not the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the SHOW CLASMAP listing, run the following commands: + 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify if the APPL resource is defined in the GSO. Note the 3 character type code associated with APPL. If APPL does not appear in the SHOW CLASMAP listing, run the following commands: ```acf2 SET CONTROL(GSO) @@ -52,7 +52,7 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with SET RESOURCE(APL) LIST LIKE(-) ``` - 3. Verify whether PTKTDATA is defined, by executing the following commands: + 3. Verify if PTKTDATA is defined, by executing the following commands: ``` SET PROFILE(PTKTDATA) DIVISION(SSIGNON) LIST LIKE(-) 
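Review bot: In the `@@ -52,7 +52,7` hunk, step 3's code block still opens with a bare fence, while [PATCH 06/32] tagged the same fences `acf2` in the `versioned_docs/version-v2.18.x` copy only; tag the step 2 and step 3 fences in `docs/` as well so the two copies highlight the same way. In the reworded step 3, "Verify if PTKTDATA is defined, by executing the following commands" does not need the comma. In the `@@ -35,11 +35,11` hunk, step 1 formats the first `SHOW CLASMAP` as code but leaves the second mention in the same step as plain text.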
@@ -74,14 +74,14 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with Click here for command details about validating an existing PassTicket for Top Secret. - In your ESM command line interface or other security environment, execute the following commands: + 1. In your ESM command line interface or other security environment, execute the following commands: ```tss TSS WHOHAS APPL() TSS WHOHAS PTKTDATA() TSS WHOHAS PTKTDATA(IRRPTAUTH..) ``` - If APPL and PTKTDATA are not defined yet, follow the instruction to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. + 2. If APPL and PTKTDATA are not yet defined, follow the steps to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. - **`.`** A wildcard symbol that lists all resources @@ -129,13 +129,14 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. -1. Issue a SHOW CLASMAP command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: +1. Issue the `SHOW CLASMAP` command in TSO ACF to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + ```acf2 SET RESOURCE(APL) RECKEY ADD(UID() ALLOW) F ACF2,REBUILD(APL) ``` -2. In your ESM command line interface or other security environment, define the application session key by entering the following commands, if the session key is not already defined. +2. In your ESM command line interface or other security environment, define the application session key by entering the following commands if the session key is not already defined. ```acf2 SET PROFILE(PTKTDATA) DIV(SSIGNON) 
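Review bot: The reworded step 1 in the `@@ -129,13 +129,14` hunk still says "in TSO ACF to identity the 3 character type code"; "identity" should be "identify". This patch changes only `docs/user-guide/api-mediation/configuration-extender-passtickets.md` (1 file in the diffstat), so the wording fixes here and the step renumbering in the later hunks do not reach the `versioned_docs/version-v2.18.x` copy that the earlier patches in this series updated alongside it; apply the same edits there, or say in the commit message why the 2.18 copy is left as is.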
@@ -149,7 +150,7 @@ Specifies the application ID used for PassTicket validation to authenticate conn * **`key-description`** Specifies the secured sign-on hexadecimal application key of 16 hexadecimal digits (8-byte or 64-bit key). Each application key must be the same on all systems in the configuration and the values must be kept secret and secured. -2. Complete the PassTicket setup by entering the following commands: +3. Complete the PassTicket setup by entering the following commands: ```acf2 F ACF2,REBUILD(PTK),CLASS(P) @@ -157,7 +158,7 @@ Specifies the application ID used for PassTicket validation to authenticate conn The PassTicket record is now active in the system. -3. Enable the started task user ID to generate PassTickets for the application by entering commands similar to the following: +4. Enable the started task user ID to generate PassTickets for the application by entering commands similar to the following: ``` SET RESOURCE(PTK) @@ -366,19 +367,33 @@ Grant the Zowe started task user ID permission to generate PassTickets for users ### Verifying your PassTicket Application -In your ESM command line interface or other security environment, execute the following commands: +In your ESM command line interface or other security environment, execute the commands that correspond to your ESM: + +
+Click here for command details for RACF **RACF:** ```racf RLIST APPL ALL RLIST PTKTDATA IRRPTAUTH..* ALL ``` + +
+ +
+Click here for command details for Top Secret. + **TSS:** ```tss TSS WHOHAS APPL() TSS WHOHAS PTKTDATA(IRRPTAUTH.) ``` +
+ +
+Click here for command details for ACF2. + **ACF2:** ```acf2 SET RESOURCE(SAF) @@ -386,6 +401,7 @@ LIST LIKE(-) SET RESOURCE(PTK) LIST LIKE(IRRPTAUTH-) ``` +
* **`applid`** Specifies the application ID used for PassTicket validation to authenticate connections to the server From dce055c1ea627a0a8ad203c5475543d92f6bb2af Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 8 Nov 2024 15:59:20 +0100 Subject: [PATCH 08/32] fix ESM formatting Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 93 ++++++++++++++----------- 1 file changed, 53 insertions(+), 40 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index e787b36ab7..f7be103420 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -66,47 +66,60 @@ Define or check the following configurations depending on whether ICSF is alread - Create CKDS, PKDS, TKDS VSAM data sets. - Define and activate the CSFSERV class: - - If you use RACF, issue the following commands: - ``` - RDEFINE CSFSERV profile-name UACC(NONE) - ``` - ``` - PERMIT profile-name CLASS(CSFSERV) ID(tcpip-stackname) ACCESS(READ) - ``` - ``` - PERMIT profile-name CLASS(CSFSERV) ID(userid-list) ... [for - userids IKED, NSSD, and Policy Agent] - ``` - ``` - SETROPTS CLASSACT(CSFSERV) - ``` - ``` - SETROPTS RACLIST(CSFSERV) REFRESH - ``` - - If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): - ``` - SET CONTROL(GSO) - ``` - ``` - INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) - ``` - ``` - F ACF2,REFRESH(CLASMAP) - ``` - ``` - SET RESOURCE(CSF) - ``` - ``` - RECKEY profile-prefix ADD(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW) - ``` - ``` - RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW) - ``` - (repeat for userids IKED, NSSD, and Policy Agent) +
+Click here for command details for RACF. + +If you use RACF, issue the following commands: +``` +RDEFINE CSFSERV profile-name UACC(NONE) +``` +``` +PERMIT profile-name CLASS(CSFSERV) ID(tcpip-stackname) ACCESS(READ) +``` +``` +PERMIT profile-name CLASS(CSFSERV) ID(userid-list) ... [for +userids IKED, NSSD, and Policy Agent] +``` +``` +SETROPTS CLASSACT(CSFSERV) +``` +``` +SETROPTS RACLIST(CSFSERV) REFRESH +``` + +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands (note that `profile-prefix` and `profile-suffix` are user-defined): +``` +SET CONTROL(GSO) +``` +``` +INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) +``` +``` +F ACF2,REFRESH(CLASMAP) +``` +``` +SET RESOURCE(CSF) +``` +``` +RECKEY profile-prefix ADD(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW) +``` +``` +RECKEY profile-prefix ADD(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW) +``` +(repeat for userids IKED, NSSD, and Policy Agent) + +``` +F ACF2,REBUILD(CSF) +``` + +
+ - ``` - F ACF2,REBUILD(CSF) - ``` - If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): ``` TSS ADDTO(owner-acid) RESCLASS(CSFSERV) From 8c41e981e0b8f24a7b4e0fb73dcbd59c1d5efef7 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 8 Nov 2024 17:29:05 +0100 Subject: [PATCH 09/32] add collapsible content for ESMs Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 258 ++++++++++++++---------- 1 file changed, 150 insertions(+), 108 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index f7be103420..707e480943 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -119,22 +119,25 @@ F ACF2,REBUILD(CSF)
+
+Click here for command details for Top Secret - - If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): - ``` - TSS ADDTO(owner-acid) RESCLASS(CSFSERV) - ``` - ``` - TSS ADD(owner-acid) CSFSERV(profile-prefix.) - ``` - ``` - TSS PERMIT(tcpip-stackname) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) - ``` - ``` - TSS PERMIT(user-acid) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) - ``` - (repeat for user-acids IKED, NSSD, and Policy Agent) +If you use Top Secret, issue the following command (note that `profile-prefix` and `profile-suffix` are user defined): +``` +TSS ADDTO(owner-acid) RESCLASS(CSFSERV) +``` +``` +TSS ADD(owner-acid) CSFSERV(profile-prefix.) +``` +``` +TSS PERMIT(tcpip-stackname) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) +``` +``` +TSS PERMIT(user-acid) CSFSERV(profile-prefix.profile-suffix) ACCESS(READ) +``` +(repeat for user-acids IKED, NSSD, and Policy Agent) +
:::note Notes - Determine whether you want SAF authorization checks against `CSFSERV` and set `CSF.CSFSERV.AUTH.CSFRNG.DISABLE` accordingly. @@ -151,107 +154,146 @@ To enable impersonation, you must grant the user ID `ZWESVUSR` associated with t You can issue the following commands first to check whether you already have the impersonation profiles defined as part of another server configuration, such as the FTPD daemon. Review the output to confirm that the two impersonation profiles exist and the user `ZWESVUSR` who runs the Zowe server started task has UPDATE access to both profiles. -- If you use RACF, issue the following commands: - ``` - RLIST FACILITY BPX.SERVER AUTHUSER - ``` - ``` - RLIST FACILITY BPX.DAEMON AUTHUSER - ``` -- If you use Top Secret, issue the following commands: - ``` - TSS WHOHAS IBMFAC(BPX.SERVER) - ``` - ``` - TSS WHOHAS IBMFAC(BPX.DAEMON) - ``` -- If you use ACF2, issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST BPX - ``` +
+Click here for command details for RACF. + +If you use RACF, issue the following commands: +``` +RLIST FACILITY BPX.SERVER AUTHUSER +``` +``` +RLIST FACILITY BPX.DAEMON AUTHUSER +``` + +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, issue the following commands: +``` +TSS WHOHAS IBMFAC(BPX.SERVER) +``` +``` +TSS WHOHAS IBMFAC(BPX.DAEMON) +``` + +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +LIST BPX +``` + +
If the user `ZWESVUSR` who runs the Zowe server started task does not have UPDATE access to both profiles follow the instructions below. -- If you use RACF, complete the following steps: +
+Click here for procedure details for RACF. + +If you use RACF, complete the following steps: - 1. Activate and RACLIST the FACILITY class. This may have already been done on the z/OS environment if another z/OS server has been previously configured to take advantage of the ability to change its security environment, such as the FTPD daemon that is included with z/OS Communications Server TCP/IP services. - ``` - SETROPTS GENERIC(FACILITY) - SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) - ``` - 2. Define the impersonation profiles. This may have already been done on behalf of another server such as the FTPD daemon. - ``` - RDEFINE FACILITY BPX.SERVER UACC(NONE) - ``` - ``` - RDEFINE FACILITY BPX.DAEMON UACC(NONE) - ``` - 3. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. - ``` - PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) - ``` - ``` - PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. +1. Activate and RACLIST the FACILITY class. This may have already been done on the z/OS environment if another z/OS server has been previously configured to take advantage of the ability to change its security environment, such as the FTPD daemon that is included with z/OS Communications Server TCP/IP services. + +``` +SETROPTS GENERIC(FACILITY) +SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) +``` +1. Define the impersonation profiles. This may have already been done on behalf of another server such as the FTPD daemon. +``` +RDEFINE FACILITY BPX.SERVER UACC(NONE) +``` +``` +RDEFINE FACILITY BPX.DAEMON UACC(NONE) +``` +1. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. 
+``` +PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) +``` +``` +PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) +``` +where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - /* Activate these changes */ +/* Activate these changes */ - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` - 4. Issue the following commands to check whether permission has been successfully granted: - ``` - RLIST FACILITY BPX.SERVER AUTHUSER - ``` - ``` - RLIST FACILITY BPX.DAEMON AUTHUSER - ``` -- If you use Top Secret, complete the following steps: +``` +SETROPTS RACLIST(FACILITY) REFRESH +``` + 1. Issue the following commands to check whether permission has been successfully granted: +``` +RLIST FACILITY BPX.SERVER AUTHUSER +``` +``` +RLIST FACILITY BPX.DAEMON AUTHUSER +``` + +
+ +
+Click here for procedure details for Top Secret. + +If you use Top Secret, complete the following steps: - 1. Define the BPX Resource and access for ``. - ``` - TSS ADD(`owner-acid`) IBMFAC(BPX.) - ``` - ``` - TSS PERMIT() IBMFAC(BPX.SERVER) ACCESS(UPDATE) - ``` - ``` - TSS PERMIT() IBMFAC(BPX.DAEMON) ACCESS(UPDATE) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - 2. Issue the following commands and review the output to check whether permission has been successfully granted: - ``` - TSS WHOHAS IBMFAC(BPX.SERVER) - ``` - ``` - TSS WHOHAS IBMFAC(BPX.DAEMON) - ``` -- If you use ACF2, complete the following steps: - 1. Define the BPX Resource and access for ``. - ``` - SET RESOURCE(FAC) - ``` - ``` - RECKEY BPX ADD(SERVER ROLE() SERVICE(UPDATE) ALLOW) - ``` - ``` - RECKEY BPX ADD(DAEMON ROLE() SERVICE(UPDATE) ALLOW) - ``` - where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. - ``` - F ACF2,REBUILD(FAC) - ``` - 2. Issue the following commands and review the output to check whether permission has been successfully granted: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST BPX - ``` +1. Define the BPX Resource and access for ``. +``` +TSS ADD(`owner-acid`) IBMFAC(BPX.) +``` +``` +TSS PERMIT() IBMFAC(BPX.SERVER) ACCESS(UPDATE) +``` +``` +TSS PERMIT() IBMFAC(BPX.DAEMON) ACCESS(UPDATE) +``` +where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. + +2. Issue the following commands and review the output to check whether permission has been successfully granted: +``` +TSS WHOHAS IBMFAC(BPX.SERVER) +``` +``` +TSS WHOHAS IBMFAC(BPX.DAEMON) +``` + +
+ +
+Click here for procedure details for ACF2. + +If you use ACF2, complete the following steps: + +1. Define the BPX Resource and access for ``. +``` +SET RESOURCE(FAC) +``` +``` +RECKEY BPX ADD(SERVER ROLE() SERVICE(UPDATE) ALLOW) +``` +``` +RECKEY BPX ADD(DAEMON ROLE() SERVICE(UPDATE) ALLOW) +``` +where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. +``` +F ACF2,REBUILD(FAC) +``` + +2. Issue the following commands and review the output to check whether permission has been successfully granted: +``` +SET RESOURCE(FAC) +``` +``` +LIST BPX +``` + +
+ You must also grant READ access to the OMVSAPPL profile in the APPL class to the Zowe STC user as well as **all other Zowe users** using various Zowe features. Skip the following steps when the OMVSAPPL profile is not defined in your environment. From cebbd790390f576eff5ba270f8e02c1672a631a1 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 11 Nov 2024 10:04:54 +0100 Subject: [PATCH 10/32] Update docs/user-guide/api-mediation/configuration-extender-passtickets.md Co-authored-by: Elena Kubantseva Signed-off-by: Andrew Jandacek --- .../api-mediation/configuration-extender-passtickets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 52aaf08126..62add62025 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -201,7 +201,7 @@ Before you begin this procedure, verify that the `PTKTDATA` class and ownership TSS ADDTO() PTKTDATA(IRRPTAUTH) ``` - **`department`** - Specifies the department for `PTKTDATA(IRRPTAUTH`. The default department is `TSODEPT1`. + Specifies the department for `PTKTDATA(IRRPTAUTH)`. The default department is `TSODEPT1`. 3. Define PassTicket for application ID _applid_: From 3c5de6fb8998c1d74a8fce7d2693a0476e648c03 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 11 Nov 2024 10:26:02 +0100 Subject: [PATCH 11/32] Update versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md Co-authored-by: Elena Kubantseva Signed-off-by: Andrew Jandacek --- .../api-mediation/configuration-extender-passtickets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index f5f54f8aa2..d88714b851 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -38,7 +38,7 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with Click here for command details about validating an existing PassTicket for ACF2. In your ESM command line interface or other security environment, execute the following commands: - 1. Issue a SHOW CLASMAP command in TSO ACF to verify whether or not the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the SHOW CLASMAP listing, run the following commands: + 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify whether or not the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: ```acf2 SET CONTROL(GSO) From 97054542c91b24d342e3c19f43076cc4529e4a34 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 11 Nov 2024 10:46:26 +0100 Subject: [PATCH 12/32] add collapsible content Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 330 +++++++++++++++++------- 1 file changed, 237 insertions(+), 93 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 707e480943..c8b9448042 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md 
@@ -206,28 +206,31 @@ If you use RACF, complete the following steps: SETROPTS GENERIC(FACILITY) SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) ``` -1. Define the impersonation profiles. This may have already been done on behalf of another server such as the FTPD daemon. +2. Define the impersonation profiles. This may have already been done on behalf of another server such as the FTPD daemon. ``` RDEFINE FACILITY BPX.SERVER UACC(NONE) ``` ``` RDEFINE FACILITY BPX.DAEMON UACC(NONE) ``` -1. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. +3. Having activated and RACLIST the FACILITY class, the user ID `ZWESVUSR` who runs the Zowe server started task must be given update access to the BPX.SERVER and BPX.DAEMON profiles in the FACILITY class. ``` PERMIT BPX.SERVER CLASS(FACILITY) ID() ACCESS(UPDATE) ``` ``` PERMIT BPX.DAEMON CLASS(FACILITY) ID() ACCESS(UPDATE) ``` -where `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. +where: + +* `` is `ZWESVUSR` unless a different user ID is being used for the z/OS environment. /* Activate these changes */ ``` SETROPTS RACLIST(FACILITY) REFRESH ``` - 1. Issue the following commands to check whether permission has been successfully granted: +4. Issue the following commands to check whether permission has been successfully granted: + ``` RLIST FACILITY BPX.SERVER AUTHUSER ``` @@ -297,45 +300,60 @@ LIST BPX You must also grant READ access to the OMVSAPPL profile in the APPL class to the Zowe STC user as well as **all other Zowe users** using various Zowe features. Skip the following steps when the OMVSAPPL profile is not defined in your environment. -- If you use RACF, complete the following steps: +
+Click here for procedure details for RACF. - 1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. - ``` - RLIST APPL OMVSAPPL AUTHUSER - ``` +If you use RACF, complete the following steps: - 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - PERMIT OMVSAPPL CLASS(APPL) ID() ACCESS(READ) - SETROPTS RACLIST(APPL) REFRESH - ``` +1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. +``` +RLIST APPL OMVSAPPL AUTHUSER +``` -- If you use Top Secret, complete the following steps: +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +PERMIT OMVSAPPL CLASS(APPL) ID() ACCESS(READ) +SETROPTS RACLIST(APPL) REFRESH +``` - 1. Check if you already have the required access as part of the environment configuration. Skip the following steps if access is already granted. - ``` - TSS WHOHAS APPL(OMVSAPPL) - ``` +
- 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - TSS PERMIT() APPL(OMVSAPPL) - ``` +
+Click here for procedure details for Top Secret. -- If you use ACF2, complete the following steps: +If you use Top Secret, complete the following steps: - 1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. - ``` - SET RESOURCE(APL) - LIST OMVSAAPL - ``` +1. Check if you already have the required access as part of the environment configuration. Skip the following steps if access is already granted. +``` +TSS WHOHAS APPL(OMVSAPPL) +``` - 2. Issue the following commands and review the output to check if permission has been successfully granted: - ``` - SET RESOURCE(APL) - RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) - F ACF2,REBUILD(APL) - ``` +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +TSS PERMIT() APPL(OMVSAPPL) +``` + +
+ +
+Click here for procedure details for ACF2. + +If you use ACF2, complete the following steps: + +1. Check if you already have the required access defined as part of the environment configuration. Skip the following steps if access is already granted. +``` +SET RESOURCE(APL) +LIST OMVSAAPL +``` + +2. Issue the following commands and review the output to check if permission has been successfully granted: +``` +SET RESOURCE(APL) +RECKEY OMVSAPPL ADD(SERVICE(READ) ROLE() ALLOW) +F ACF2,REBUILD(APL) +``` + +
### Configure address space job naming @@ -407,13 +425,21 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th If you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment, the commands are described below for reference. -- To create the `ZWEADMIN` group, issue the following command: +- To create the `ZWEADMIN` group, issue the following command according to your ESM: + +
+Click here for command details for RACF. **RACF:** ``` ADDGROUP ZWEADMIN OMVS(AUTOGID) - DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') ``` +
+ +
+Click here for command details for Top Secret. + **TSS:** ``` TSS CREATE() TYPE(GROUP) + @@ -421,16 +447,29 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups DEPT() TSS ADD() GID() ``` + +
+ +
+Click here for command details for ACF2. + **ACF2:** ``` SET PROFILE(GROUP) DIV(OMVS) INSERT AUTOGID F ACF2,REBUILD(GRP),CLASS(P) ``` -- To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: + +
+ + To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: + +
+ +Click here for command details for RACF. **RACF:** - ``` + ``` ADDUSER - NOPASSWORD - DFLTGRP() - @@ -438,6 +477,11 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups NAME('ZOWE SERVER') - DATA('ZOWE MAIN SERVER') ``` +
+ +
+Click here for command details for Top Secret. + **TSS:** ``` TSS CREATE() TYPE(USER) PROTECTED + @@ -447,6 +491,12 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups DFLTGRP() + HOME(/tmp) OMVSPGM(/bin/sh) UID() ``` + +
+ +
+Click here for command details for ACF2. + **ACF2:** ``` SET LID @@ -455,9 +505,13 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) ``` +
- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: +
+Click here for command details for RACF. + **RACF:** ``` ADDUSER - @@ -467,6 +521,12 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups NAME('ZOWE XMEM SERVER') - DATA('ZOWE XMEM CROSS MEMORY SERVER') ``` + +
+ +
+Click here for command details for Top Secret. + **TSS:** ``` TSS CREATE() TYPE(USER) PROTECTED + @@ -476,6 +536,11 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups DFLTGRP() + HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZISUID.) ``` +
+ +
+Click here for command details for ACF2. + **ACF2:** ``` SET LID @@ -483,7 +548,9 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups SET PROFILE(USER) DIV(OMVS) INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) - ``` + ``` + +
### Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID @@ -495,13 +562,20 @@ If you have run `ZWESECUR`, you do not need to perform the steps described in th ... ``` -If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. +If you have not run `ZWESECUR` and are configuring your z/OS environment manually, the following steps describe how to configure the started task `ZWESLSTC` to run under the correct user ID and group. + +
+Click here for command details for RACF. - If you use RACF, issue the following commands: ``` RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) SETROPTS REFRESH RACLIST(STARTED) ``` +
+ +
+Click here for command details for ACF2. - If you use ACF2, issue the following commands: @@ -511,12 +585,19 @@ If you have not run `ZWESECUR` and are configuring your z/OS environment manuall F ACF2,REFRESH(STC) ``` +
+ +
+Click here for command details for Top Secret. + - If you use Top Secret, issue the following commands: ``` TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) ``` +
+ ### Configure the cross memory server for SAF Zowe has a cross memory server that runs as an APF-authorized program with key 4 storage. Client processes accessing the cross memory server's services must have READ access to a security profile `ZWES.IS` in the `FACILITY` class. This authorization step is used to guard against access by non-priviledged clients. @@ -534,7 +615,10 @@ Activate the FACILITY class, define a `ZWES.IS` profile, and grant READ access t To do this, issue the following commands that are also included in the `ZWESECUR` JCL member. The commands assume that you run the Zowe server under the `ZWESVUSR` user. -- If you use RACF, issue the following commands: +
+Click here for command details for RACF. + +If you use RACF, issue the following commands: - To see the current class settings, use: ``` @@ -566,7 +650,12 @@ To do this, issue the following commands that are also included in the `ZWESECUR ``` This shows the user IDs who have access to the `ZWES.IS` class, which should include Zowe's started task user ID with READ access. -- If you use ACF2, issue the following commands: +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands: ``` SET RESOURCE(FAC) @@ -578,7 +667,12 @@ To do this, issue the following commands that are also included in the `ZWESECUR F ACF2,REBUILD(FAC) ``` -- If you use Top Secret, issue the following commands, where `owner-acid` can be IZUSVR or a different ACID: +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, issue the following commands, where `owner-acid` can be IZUSVR or a different ACID: ``` TSS ADD(`owner-acid`) IBMFAC(ZWES.) @@ -586,6 +680,7 @@ To do this, issue the following commands that are also included in the `ZWESECUR ``` TSS PERMIT(ZWESVUSR) IBMFAC(ZWES.IS) ACCESS(READ) ``` +
:::note Notes - The cross memory server treats "no decision" style SAF return codes as failures. If there is no covering profile for the `ZWES.IS` resource in the FACILITY class, the request will be denied. @@ -597,7 +692,8 @@ To do this, issue the following commands that are also included in the `ZWESECUR This security configuration is necessary for API ML to be able to map client certificate to a z/OS identity. A user running API Gateway must have read access to the SAF resource `IRR.RUSERMAP` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower use the following configuration steps. -#### Using RACF +
+Click here for procedure details for RACF. If you use RACF, verify and update permission in the `FACILITY` class. @@ -618,7 +714,10 @@ If you use RACF, verify and update permission in the `FACILITY` class. SETROPTS RACLIST(FACILITY) REFRESH ``` -#### Using ACF2 +
+ +
+Click here for procedure details for ACF2. If you use ACF2, verify and update permission in the `FACILITY` class. @@ -640,7 +739,10 @@ If you use ACF2, verify and update permission in the `FACILITY` class. F ACF2,REBUILD(FAC) ``` -#### Using TSS +
+ +
+Click here for procedure details for Top Secret. If you use TSS, verify and update permission in `FACILITY` class. @@ -655,12 +757,15 @@ If you use TSS, verify and update permission in `FACILITY` class. TSS PER(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ) ``` +
+ ### Configure main Zowe server to use distributed identity mapping This security configuration is necessary for API ML to be able to map the association between a z/OS user ID and a distributed user identity. A user running the API Gateway must have read access to the SAF resource `IRR.IDIDMAP.QUERY` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.28 and lower, use the following configuration steps. -#### Using RACF +
+Click here for procedure details for RACF. If you use RACF, verify and update permission in the `FACILITY` class. @@ -688,7 +793,10 @@ If you use RACF, verify and update permission in the `FACILITY` class. SETROPTS RACLIST(FACILITY) REFRESH ``` -#### Using ACF2 +
+ +
+Click here for procedure details for ACF2. If you use ACF2, verify and update permission in the `FACILITY` class. @@ -709,8 +817,10 @@ If you use ACF2, verify and update permission in the `FACILITY` class. ``` F ACF2,REBUILD(FAC) ``` +
-#### Using TSS +
+Click here for procedure details for Top Secret. If you use TSS, verify and update permission in `FACILITY` class. @@ -726,20 +836,22 @@ If you use TSS, verify and update permission in `FACILITY` class. TSS PER(ZWESVUSR) IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ) ``` +
+ ### Configure signed SAF Identity tokens (IDT) This section provides a brief description of how to configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation layer ([Implement a new SAF IDT provider](../extend/extend-apiml/implement-new-saf-provider.md)) -Follow these general steps: +**Follow these steps:** 1. Create PKCS#11 token 2. Generate a secret key for the PKCS#11 token (you can use the sample program ZWESECKG in the SZWESAMP dataset) 3. Define a SAF resource profile under the IDTDATA SAF resource class Details with examples can be found in documentation of external security products: -* **RACF** - **_Signed and Unsigned Identity Tokens_** and **_IDT Configuration_** subsections in _z/OS Security Server RACROUTE Macro Reference_ book, [link](https://www.ibm.com/docs/en/zos/2.4.0?topic=reference-activating-using-idta-parameter-in-racroute-requestverify). -* **Top Secret** - _**Maintain Identity Token (IDT) Records**_ subsection in _Administrating_ chapter, [link](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/maintaining-special-security-records/maintain-identity-token-(idt)-records.html). -* **ACF2** - _**IDTDATA Profile Records**_ subsection in _Administrating_ chapter, [link](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/profile-records/idtdata-profile-records.html). +* **RACF** - **_Signed and Unsigned Identity Tokens_** and **_IDT Configuration_** subsections in _z/OS Security Server RACROUTE Macro Reference_ in the article [Activating and using the IDTA parameter in RACROUTE REQUEST=VERIFY](https://www.ibm.com/docs/en/zos/2.4.0?topic=reference-activating-using-idta-parameter-in-racroute-requestverify). 
+* **Top Secret** - _**Maintain Identity Token (IDT) Records**_ subsection in _Administrating_ chapter, in the article [Maintain Identity Token (IDT) Records](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/maintaining-special-security-records/maintain-identity-token-(idt)-records.html). +* **ACF2** - _**IDTDATA Profile Records**_ subsection in _Administrating_ chapter, in the article [IDTDATA Profile Records](https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/profile-records/idtdata-profile-records.html). A part of the Signed SAF Identity token configuration is a nontrivial step that has to generate a secret key for the PKCS#11 token. The secret key is generated in ICSF by calling the PKCS#11 Generate Secret Key (CSFPGSK) or Token Record Create (CSFPTRC) callable services. An example of the CSFPGSK callable service can be found in the SZWESAMP dataset as the ZWESECKG job. @@ -750,54 +862,86 @@ To set up this security configuration, submit the `ZWESECUR` JCL member. For use To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has READ access to this profile. -- If you use RACF, issue the following command: - ``` - RLIST FACILITY IRR.RAUDITX AUTHUSER - ``` -- If you use Top Secret, issue the following command: - ``` - TSS WHOHAS IBMFAC(IRR.RAUDITX) - ``` -- If you use ACF2, issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - LIST LIKE(IRR-) - ``` +
+Click here for command details for RACF. + +If you use RACF, issue the following command: +``` +RLIST FACILITY IRR.RAUDITX AUTHUSER +``` +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, issue the following command: +``` +TSS WHOHAS IBMFAC(IRR.RAUDITX) +``` + +
+ +
+Click here for command details for ACF2. + +If you use ACF2, issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +LIST LIKE(IRR-) +``` + +
If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM: -- If you use RACF, update permission in the `FACILITY` class. +
+Click here for procedure details for RACF. - **Follow these steps:** +If you use RACF, update permission in the `FACILITY` class. - 1. Add user `ZWESVUSR` permission to `READ`. - ``` - PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) - ``` - 2. Activate changes. - ``` - SETROPTS RACLIST(FACILITY) REFRESH - ``` +**Follow these steps:** -- If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: - ``` - TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) - ``` +1. Add user `ZWESVUSR` permission to `READ`. +``` +PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) +``` +2. Activate changes. +``` +SETROPTS RACLIST(FACILITY) REFRESH +``` + +
+ +
+Click here for command details for Top Secret. + +If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: +``` +TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) +``` + +
+ +
+Click here for command details for ACF2. + +If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: +``` +SET RESOURCE(FAC) +``` +``` +RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) +``` +``` +F ACF2,REBUILD(FAC) +``` + +
-- If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: - ``` - SET RESOURCE(FAC) - ``` - ``` - RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) - ``` - ``` - F ACF2,REBUILD(FAC) - ``` - For more information about SMF records, see [SMF records](../user-guide/api-mediation/api-mediation-smf.md) in the Using Zowe API Mediation Layer documentation. + ### Multi-Factor Authentication (MFA) Multi-factor authentication is supported for several components, such as the Desktop and API Mediation Layer. From 5ed0fa90b7141df88e4fd3be0259ef796ecc059d Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Mon, 11 Nov 2024 11:33:18 +0100 Subject: [PATCH 13/32] formatting Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 30 ++++++++++++------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index c8b9448042..58ad29188d 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -567,34 +567,34 @@ If you have not run `ZWESECUR` and are configuring your z/OS environment manuall
Click here for command details for RACF. -- If you use RACF, issue the following commands: - ``` - RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) - SETROPTS REFRESH RACLIST(STARTED) - ``` +If you use RACF, issue the following commands: +``` +RDEFINE STARTED ZWESLSTC.* UACC(NONE) STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES)) +SETROPTS REFRESH RACLIST(STARTED) +```
Click here for command details for ACF2. -- If you use ACF2, issue the following commands: +If you use ACF2, issue the following commands: - ``` - SET CONTROL(GSO) - INSERT STC.ZWESLSTC LOGONID(ZWESVUSR) GROUP(ZWEADMIN) STCID(ZWESLSTC) - F ACF2,REFRESH(STC) - ``` +``` +SET CONTROL(GSO) +INSERT STC.ZWESLSTC LOGONID(ZWESVUSR) GROUP(ZWEADMIN) STCID(ZWESLSTC) +F ACF2,REFRESH(STC) +```
Click here for command details for Top Secret. -- If you use Top Secret, issue the following commands: +If you use Top Secret, issue the following commands: - ``` - TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) - ``` +``` +TSS ADDTO(STC) PROCNAME(ZWESLSTC) ACID(ZWESVUSR) +```
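Review bot: the three command blocks re-added in the `@@ -567,34 +567,34 @@` hunk (RACF, ACF2, Top Secret) are still bare fences, while the PassTickets page touched in the same series tags its blocks as `acf2` and `tss`; tag these the same way so that both pages render consistently. The layout also differs inside the hunk: the RACF sentence is followed directly by its fence, while the ACF2 and Top Secret sentences have a blank line before theirs. Pick one layout for all three.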
From 432180bd7e7d3683067e4645ab2ff3c341392164 Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Tue, 12 Nov 2024 10:58:54 +0100 Subject: [PATCH 14/32] address PR comments Signed-off-by: Andrea Tabone --- .../configuration-extender-passtickets.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index d88714b851..2e1a6a2cf8 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -38,7 +38,7 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with Click here for command details about validating an existing PassTicket for ACF2. In your ESM command line interface or other security environment, execute the following commands: - 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify whether or not the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: + 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify whether the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: ```acf2 SET CONTROL(GSO) @@ -46,7 +46,7 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with F ACF2,REFRESH(CLASMAP) ``` - 2. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + 2. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: ```acf2 SET RESOURCE(APL) LIST LIKE(-) 
@@ -128,7 +128,7 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. -1. Issue a SHOW CLASMAP command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: +1. Issue a `SHOW CLASMAP` command in TSO ACF to to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: ```acf2 SET RESOURCE(APL) RECKEY ADD(UID() ALLOW) @@ -199,7 +199,7 @@ Before you begin this procedure, verify that the `PTKTDATA` class and ownership TSS ADDTO() PTKTDATA(IRRPTAUTH) ``` - **`department`** - Specifies the department for `PTKTDATA(IRRPTAUTH`. The default department is `TSODEPT1`. + Specifies the department for `PTKTDATA(IRRPTAUTH)`. The default department is `TSODEPT1`. 3. Define PassTicket for application ID _applid_: @@ -379,8 +379,10 @@ TSS WHOHAS PTKTDATA(IRRPTAUTH.) ``` **ACF2:** + +Replace 'APL' with the type code listed in the `SHOW CLASMAP` output ```acf2 -SET RESOURCE(SAF) +SET RESOURCE(APL) LIST LIKE(-) SET RESOURCE(PTK) LIST LIKE(IRRPTAUTH-) From bf7142099f383b4e022ee83a5761aa0a9d07d7a4 Mon Sep 17 00:00:00 2001 From: Andrea Tabone Date: Tue, 12 Nov 2024 11:27:58 +0100 Subject: [PATCH 15/32] address PR comments Signed-off-by: Andrea Tabone --- .../configuration-extender-passtickets.md | 10 ++++++---- .../configuration-extender-passtickets.md | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 62add62025..964b87f410 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md 
@@ -39,7 +39,7 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with In your ESM command line interface or other security environment, perform the following steps: - 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify if the APPL resource is defined in the GSO. Note the 3 character type code associated with APPL. If APPL does not appear in the SHOW CLASMAP listing, run the following commands: + 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify if the APPL resource is defined in the GSO. Note the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: ```acf2 SET CONTROL(GSO) @@ -47,7 +47,7 @@ To validate if a PassTicket is already defined, list the APPL and PTKTDATA with F ACF2,REFRESH(CLASMAP) ``` - 2. Replace 'APL' with the type code listed in the SHOW CLASMAP output: + 2. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: ``` SET RESOURCE(APL) LIST LIKE(-) @@ -129,7 +129,7 @@ Follow these steps to enable PassTicket Support specific to your ESM. Click here for command details about configuring Zowe to use PassTickets using ACF2. -1. Issue the `SHOW CLASMAP` command in TSO ACF to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the SHOW CLASMAP output: +1. Issue the `SHOW CLASMAP` command in TSO ACF to identity the 3 character type code associated with APPL. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: ```acf2 SET RESOURCE(APL) @@ -395,8 +395,10 @@ TSS WHOHAS PTKTDATA(IRRPTAUTH.) Click here for command details for ACF2. **ACF2:** + +Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: ```acf2 -SET RESOURCE(SAF) +SET RESOURCE(APL) LIST LIKE(-) SET RESOURCE(PTK) LIST LIKE(IRRPTAUTH-) 
diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index 2e1a6a2cf8..ad729c7bbf 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -380,7 +380,7 @@ TSS WHOHAS PTKTDATA(IRRPTAUTH.) **ACF2:** -Replace 'APL' with the type code listed in the `SHOW CLASMAP` output +Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: ```acf2 SET RESOURCE(APL) LIST LIKE(-) From d4c91a44197619880c0d0c5e154b08e5ef348899 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Wed, 13 Nov 2024 12:12:57 +0100 Subject: [PATCH 16/32] Update configuration-extender-passtickets.md --- .../api-mediation/configuration-extender-passtickets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 964b87f410..c42166b5d7 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -14,7 +14,7 @@ The API Gateway uses the PassTicket to access that API service. The API Gateway ## Configuring Zowe to use PassTickets -Configuring Zowe to use PassTickets involves two processes: +Configuring Zowe to use PassTickets involves two processes: - Enabling the use of PassTickets in your External Security Manager (ESM) - Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service From 459bfa264dc140d82032591811da8e50aa68f7d7 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Wed, 13 Nov 2024 12:28:51 +0100 Subject: [PATCH 17/32] text commit 
Signed-off-by: Andrew Jandacek --- .../api-mediation/configuration-extender-passtickets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index c42166b5d7..74070acb51 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -4,7 +4,7 @@ One option to enable single sign-on (SSO) to your extending REST API services is :::info Required Role: security administrator ::: - + ## Overview of PassTickets API clients can use various supported methods to access an API service such as a Zowe JWT token or a client certificate even if the API service itself does not support the JWT token or a client certificate. An intermediary for support of JWT or a client certificate can be through the use of PassTickets. From 588b0ab9ad5df47899e5427c0e2f6a5b52912e1b Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Wed, 13 Nov 2024 13:03:50 +0100 Subject: [PATCH 18/32] fix formatting Signed-off-by: Andrew Jandacek --- docs/user-guide/configure-zos-system.md | 284 ++++++++++++------------ 1 file changed, 142 insertions(+), 142 deletions(-) diff --git a/docs/user-guide/configure-zos-system.md b/docs/user-guide/configure-zos-system.md index 58ad29188d..3bcd4a2e92 100644 --- a/docs/user-guide/configure-zos-system.md +++ b/docs/user-guide/configure-zos-system.md @@ -427,20 +427,20 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups - To create the `ZWEADMIN` group, issue the following command according to your ESM: -
-Click here for command details for RACF. +
+ Click here for command details for RACF. - **RACF:** - ``` - ADDGROUP ZWEADMIN OMVS(AUTOGID) - - DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') - ``` -
+ **RACF:** + ``` + ADDGROUP ZWEADMIN OMVS(AUTOGID) - + DATA('STARTED TASK GROUP WITH OMVS SEGEMENT') + ``` +
-
-Click here for command details for Top Secret. +
+ Click here for command details for Top Secret. - **TSS:** + **TSS:** ``` TSS CREATE() TYPE(GROUP) + NAME('ZOWE ADMINISTRATORS') + @@ -448,109 +448,109 @@ If you have not run `ZWESECUR` and are manually creating the user ID and groups TSS ADD() GID() ``` -
+
-
-Click here for command details for ACF2. +
+ Click here for command details for ACF2. - **ACF2:** + **ACF2:** ``` SET PROFILE(GROUP) DIV(OMVS) INSERT AUTOGID F ACF2,REBUILD(GRP),CLASS(P) ``` -
+
- To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: + * To create the `ZWESVUSR` user ID for the main Zowe started task, issue the following command: -
+
-Click here for command details for RACF. + Click here for command details for RACF. - **RACF:** - ``` - ADDUSER - - NOPASSWORD - - DFLTGRP() - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE SERVER') - - DATA('ZOWE MAIN SERVER') - ``` -
+ **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE SERVER') - + DATA('ZOWE MAIN SERVER') + ``` +
-
-Click here for command details for Top Secret. +
+ Click here for command details for Top Secret. - **TSS:** - ``` - TSS CREATE() TYPE(USER) PROTECTED + - NAME('ZOWE MAIN SERVER') + - DEPT() - TSS ADD() GROUP() + - DFLTGRP() + - HOME(/tmp) OMVSPGM(/bin/sh) UID() - ``` + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + + NAME('ZOWE MAIN SERVER') + + DEPT() + TSS ADD() GROUP() + + DFLTGRP() + + HOME(/tmp) OMVSPGM(/bin/sh) UID() + ``` -
+
-
-Click here for command details for ACF2. +
+ Click here for command details for ACF2. - **ACF2:** - ``` - SET LID - INSERT STC GROUP() - SET PROFILE(USER) DIV(OMVS) - INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) - F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) - ``` -
+ **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` +
- To create the `ZWESIUSR` group for the Zowe cross memory server started task, issue the following command: -
-Click here for command details for RACF. +
+ Click here for command details for RACF. - **RACF:** - ``` - ADDUSER - - NOPASSWORD - - DFLTGRP() - - OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - - NAME('ZOWE XMEM SERVER') - - DATA('ZOWE XMEM CROSS MEMORY SERVER') - ``` + **RACF:** + ``` + ADDUSER - + NOPASSWORD - + DFLTGRP() - + OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) - + NAME('ZOWE XMEM SERVER') - + DATA('ZOWE XMEM CROSS MEMORY SERVER') + ``` -
+
-
-Click here for command details for Top Secret. +
+ Click here for command details for Top Secret. - **TSS:** - ``` - TSS CREATE() TYPE(USER) PROTECTED + + **TSS:** + ``` + TSS CREATE() TYPE(USER) PROTECTED + NAME('ZOWE ZIS CROSS MEMORY SERVER') + DEPT() - TSS ADD() GROUP() + + TSS ADD() GROUP() + DFLTGRP() + HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZISUID.) - ``` -
+ ``` +
-
-Click here for command details for ACF2. +
+ Click here for command details for ACF2. - **ACF2:** - ``` - SET LID - INSERT STC GROUP() - SET PROFILE(USER) DIV(OMVS) - INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) - F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) - ``` + **ACF2:** + ``` + SET LID + INSERT STC GROUP() + SET PROFILE(USER) DIV(OMVS) + INSERT AUTOUID HOME(/tmp) OMVSPGM(/bin/sh) + F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS) + ``` -
+
### Configure ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID @@ -860,85 +860,85 @@ A part of the Signed SAF Identity token configuration is a nontrivial step that This security configuration is necessary for API ML to be able to issue SMF records. A user running the API Gateway must have READ access to the RACF general resource `IRR.RAUDITX` in the `FACILITY` class. To set up this security configuration, submit the `ZWESECUR` JCL member. For users upgrading from version 1.18 and lower, use the configuration steps that correspond to the ESM. -To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has READ access to this profile. +* To check whether you already have the auditing profile defined, issue the following command and review the output to confirm that the profile exists and that the user `ZWESVUSR` who runs the `ZWESLSTC` started task has READ access to this profile. -
-Click here for command details for RACF. +
+ Click here for command details for RACF. -If you use RACF, issue the following command: -``` -RLIST FACILITY IRR.RAUDITX AUTHUSER -``` -
+ If you use RACF, issue the following command: + ``` + RLIST FACILITY IRR.RAUDITX AUTHUSER + ``` +
-
-Click here for command details for Top Secret. +
+ Click here for command details for Top Secret. -If you use Top Secret, issue the following command: -``` -TSS WHOHAS IBMFAC(IRR.RAUDITX) -``` + If you use Top Secret, issue the following command: + ``` + TSS WHOHAS IBMFAC(IRR.RAUDITX) + ``` -
+
-
-Click here for command details for ACF2. +
+ Click here for command details for ACF2. -If you use ACF2, issue the following commands: -``` -SET RESOURCE(FAC) -``` -``` -LIST LIKE(IRR-) -``` + If you use ACF2, issue the following commands: + ``` + SET RESOURCE(FAC) + ``` + ``` + LIST LIKE(IRR-) + ``` -
+
-If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM: +* If the user `ZWESVUSR` who runs the `ZWESLSTC` started task does not have READ access to this profile, follow the procedure that corresponds to your ESM: -
-Click here for procedure details for RACF. +
+ Click here for procedure details for RACF. -If you use RACF, update permission in the `FACILITY` class. + If you use RACF, update permission in the `FACILITY` class. -**Follow these steps:** + **Follow these steps:** -1. Add user `ZWESVUSR` permission to `READ`. -``` -PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) -``` -2. Activate changes. -``` -SETROPTS RACLIST(FACILITY) REFRESH -``` + 1. Add user `ZWESVUSR` permission to `READ`. + ``` + PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR) + ``` + 2. Activate changes. + ``` + SETROPTS RACLIST(FACILITY) REFRESH + ``` -
+
-
-Click here for command details for Top Secret. +
+ Click here for command details for Top Secret. -If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: -``` -TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) -``` + If you use Top Secret, add user `ZWESVUSR` permission to READ. Issue the following command: + ``` + TSS PER(ZWESVUSR) IBMFAC(IRR.RAUDITX) ACCESS(READ) + ``` -
+
-
-Click here for command details for ACF2. +
+ Click here for command details for ACF2. -If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: -``` -SET RESOURCE(FAC) -``` -``` -RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) -``` -``` -F ACF2,REBUILD(FAC) -``` + If you use ACF2, add user `ZWESVUSR` permission to `READ`. Issue the following commands: + ``` + SET RESOURCE(FAC) + ``` + ``` + RECKEY IRR ADD(RAUDITX ROLE(&STCGRP.) SERVICE(READ) ALLOW) + ``` + ``` + F ACF2,REBUILD(FAC) + ``` -
+
For more information about SMF records, see [SMF records](../user-guide/api-mediation/api-mediation-smf.md) in the Using Zowe API Mediation Layer documentation. From ddf8fd7999e2c9e49f6763ed7ef65ad92b1b67ac Mon Sep 17 00:00:00 2001 From: anaxceron Date: Wed, 13 Nov 2024 15:33:54 -0500 Subject: [PATCH 19/32] adding powershell troubleshoot doc Signed-off-by: anaxceron --- .../cli/PowerShell_developer_setting.png | Bin 0 -> 20834 bytes docs/troubleshoot/cli/known-cli.md | 29 ++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 docs/images/troubleshoot/cli/PowerShell_developer_setting.png 
diff --git a/docs/images/troubleshoot/cli/PowerShell_developer_setting.png b/docs/images/troubleshoot/cli/PowerShell_developer_setting.png new file mode 100644 index 0000000000000000000000000000000000000000..e25f909823276ea3a792a439fee994934a3338ff GIT binary patch literal 20834
diff --git a/docs/troubleshoot/cli/known-cli.md b/docs/troubleshoot/cli/known-cli.md index 705dfc7a37..aaa651b249 100644 --- a/docs/troubleshoot/cli/known-cli.md +++ b/docs/troubleshoot/cli/known-cli.md @@ -211,3 +211,32 @@ When the `zowe zos-files search data-sets` command is issued with the `--mainfra **Solution:** Issue the `zowe files search ds` command without the `--mainframe-search` option. This returns results that include data sets in binary format. + +## Error message with PowerShell scripts + +**Valid on Windows** + +**Symptom:** + +PowerShell users on Windows can encounter an error when they try to run Zowe CLI with certain execution policies in place. + +Example of an error message: + +``` +PS C:\> zowe +zowe : File C:\Users\user\AppData\Roaming\npm\zowe.ps1 cannot be loaded because running scripts is disabled on this +system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170. +At line:1 char:1 ++ zowe ++ ~~~~ + + CategoryInfo : SecurityError: (:) [], PSSecurityException + + FullyQualifiedErrorId : UnauthorizedAccess +``` + +**Solutions:** + +- Update developer settings in Windows to enable running local scripts without signing: + +![PowerShell setting](../../images/troubleshoot/cli/PowerShell_developer_setting.png) + +- Run PowerShell as an administrator and use the `Set-ExecutionPolicy` command to change the execution policy to a less-restrictive setting, for example: `Set-ExecutionPolicy RemoteSigned -scope CurrentUser`. From a6af5cd3000cc08be5f8d702d77fac5ae1bfc6c0 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 14 Nov 2024 17:06:37 +0100 Subject: [PATCH 20/32] fix formatting Signed-off-by: Andrew Jandacek --- .../configuration-extender-passtickets.md | 116 +++++++++--------- 1 file changed, 58 insertions(+), 58 deletions(-) 
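Review bot: the administrator step in the second Solutions bullet of the docs/troubleshoot/cli/known-cli.md hunk is not needed for the command it gives. `Set-ExecutionPolicy RemoteSigned -scope CurrentUser` writes a per-user setting and runs in a normal, non-elevated session, so "Run PowerShell as an administrator" should be dropped, or kept only if the text is changed to a machine-wide scope. It would also help to have the reader run `Get-ExecutionPolicy -List` first to see which scope is blocking `zowe.ps1`, and to state that a policy set through Group Policy takes precedence, in which case neither solution has any effect.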
diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 74070acb51..81079afe31 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -16,8 +16,8 @@ The API Gateway uses the PassTicket to access that API service. The API Gateway Configuring Zowe to use PassTickets involves two processes: -- Enabling the use of PassTickets in your External Security Manager (ESM) -- Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service +1. Enabling the use of PassTickets in your External Security Manager (ESM) +2. Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service ### Enabling the use of PassTickets in your External Security Manager (ESM) @@ -31,93 +31,93 @@ This section applies to users who do not already have PassTickets enabled in the :::tip To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the ZWESVUSR can be determined. -- **Validating an existing PassTicket for ACF2** +**Validating an existing PassTicket for ACF2** -
+
- Click here for procedure details about validating an existing PassTicket for ACF2. +Click here for procedure details about validating an existing PassTicket for ACF2. - In your ESM command line interface or other security environment, perform the following steps: +In your ESM command line interface or other security environment, perform the following steps: - 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify if the APPL resource is defined in the GSO. Note the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: +1. Issue a `SHOW CLASMAP` command in TSO ACF to verify if the APPL resource is defined in the GSO. Note the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: - ```acf2 - SET CONTROL(GSO) - INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL) - F ACF2,REFRESH(CLASMAP) - ``` + ```acf2 + SET CONTROL(GSO) + INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL) + F ACF2,REFRESH(CLASMAP) + ``` - 2. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: - ``` - SET RESOURCE(APL) - LIST LIKE(-) - ``` - 3. Verify if PTKTDATA is defined, by executing the following commands: - ``` - SET PROFILE(PTKTDATA) DIVISION(SSIGNON) - LIST LIKE(-) - SET RESOURCE(PTK) - LIST LIKE(IRRPTAUTH-) - ``` +2. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: + ``` + SET RESOURCE(APL) + LIST LIKE(-) + ``` +3. 
Verify if PTKTDATA is defined, by executing the following commands: + ``` + SET PROFILE(PTKTDATA) DIVISION(SSIGNON) + LIST LIKE(-) + SET RESOURCE(PTK) + LIST LIKE(IRRPTAUTH-) + ``` - - **`-`** - A wildcard symbol that lists all resources +- **`-`** + A wildcard symbol that lists all resources - - **`-`** - Lists everything related to specified applid in a resource (in this case, SAF), or specified in a profile (in this case, PTKTDATA) +- **`-`** + Lists everything related to specified applid in a resource (in this case, SAF), or specified in a profile (in this case, PTKTDATA) -
+
-- **Validating an existing PassTicket for Top Secret** +**Validating an existing PassTicket for Top Secret** -
+
- Click here for command details about validating an existing PassTicket for Top Secret. +Click here for command details about validating an existing PassTicket for Top Secret. - 1. In your ESM command line interface or other security environment, execute the following commands: +1. In your ESM command line interface or other security environment, execute the following commands: ```tss - TSS WHOHAS APPL() - TSS WHOHAS PTKTDATA() - TSS WHOHAS PTKTDATA(IRRPTAUTH..) + TSS WHOHAS APPL() + TSS WHOHAS PTKTDATA() + TSS WHOHAS PTKTDATA(IRRPTAUTH..) ``` - 2. If APPL and PTKTDATA are not yet defined, follow the steps to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. +2. If APPL and PTKTDATA are not yet defined, follow the steps to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. - - **`.`** - A wildcard symbol that lists all resources +- **`.`** + A wildcard symbol that lists all resources - - **`IRRPTAUTH..`** - Returns everything about the specified applid for IRRPTAUTH +- **`IRRPTAUTH..`** + Returns everything about the specified applid for IRRPTAUTH -
+
-- **Validating an existing PassTicket for RACF** +**Validating an existing PassTicket for RACF** -
+
- Click here for command details about validating an existing PassTicket for RACF. +Click here for command details about validating an existing PassTicket for RACF. - In your ESM command line interface or other security environment, execute the following commands: +In your ESM command line interface or other security environment, execute the following commands: ```racf - RLIST APPL * ALL - RLIST APPL ALL - RLIST PTKTDATA SSIGNON ALL - RLIST PTKTDATA IRRPTAUTH..* ALL + RLIST APPL * ALL + RLIST APPL ALL + RLIST PTKTDATA SSIGNON ALL + RLIST PTKTDATA IRRPTAUTH..* ALL ``` - Ensure that you validate PTKTDATA access for APPL. +Ensure that you validate PTKTDATA access for APPL. - - **`*`** - A wildcard symbol that resturns all resources +- **`*`** + A wildcard symbol that resturns all resources - - **`RLIST PTKTDATA SSIGNON ALL`** - Validates all applid for PTKDATA class +- **`RLIST PTKTDATA SSIGNON ALL`** + Validates all applid for PTKDATA class - - **`RLIST PTKTDATA IRRPTAUTH..* ALL`** - Validates all applid permissions for PTKDATA class +- **`RLIST PTKTDATA IRRPTAUTH..* ALL`** + Validates all applid permissions for PTKDATA class -
+
::: From 0629b281a790f0ee88acaf90c8f21753171184d8 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 14 Nov 2024 17:12:05 +0100 Subject: [PATCH 21/32] fix formatting Signed-off-by: Andrew Jandacek --- .../api-mediation/configuration-extender-passtickets.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 81079afe31..9cdd045356 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -369,6 +369,8 @@ Grant the Zowe started task user ID permission to generate PassTickets for users In your ESM command line interface or other security environment, execute the commands that correspond to your ESM: +#### Verifying PassTickets using RACF +
Click here for command details for RACF @@ -380,6 +382,8 @@ In your ESM command line interface or other security environment, execute the co
+#### Verifying PassTickets using Top Secret +
Click here for command details for Top Secret. @@ -391,6 +395,8 @@ TSS WHOHAS PTKTDATA(IRRPTAUTH.)
+#### Verifying PassTickets using ACF2 +
Click here for command details for ACF2. @@ -403,13 +409,14 @@ LIST LIKE(-) SET RESOURCE(PTK) LIST LIKE(IRRPTAUTH-) ``` -
* **`applid`** Specifies the application ID used for PassTicket validation to authenticate connections to the server Successful execution of this validation command shows your application and the specific access of the application. + + **Output example:** ``` CLASS NAME From a008030165ff6150278e3304acd9c975a12c5fd9 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 14 Nov 2024 17:35:46 +0100 Subject: [PATCH 22/32] fix order of ESMs in verifying section Signed-off-by: Andrew Jandacek --- .../configuration-extender-passtickets.md | 42 ++--- .../configuration-extender-passtickets.md | 154 ++++++++++-------- 2 files changed, 109 insertions(+), 87 deletions(-) diff --git a/docs/user-guide/api-mediation/configuration-extender-passtickets.md b/docs/user-guide/api-mediation/configuration-extender-passtickets.md index 9cdd045356..05646518bf 100644 --- a/docs/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/docs/user-guide/api-mediation/configuration-extender-passtickets.md @@ -369,17 +369,26 @@ Grant the Zowe started task user ID permission to generate PassTickets for users In your ESM command line interface or other security environment, execute the commands that correspond to your ESM: -#### Verifying PassTickets using RACF +#### Verifying PassTickets using ACF2
-Click here for command details for RACF +Click here for command details for ACF2. -**RACF:** -```racf - RLIST APPL ALL - RLIST PTKTDATA IRRPTAUTH..* ALL +**ACF2:** + +Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: +```acf2 +SET RESOURCE(APL) +LIST LIKE(-) +SET RESOURCE(PTK) +LIST LIKE(IRRPTAUTH-) ``` +* **`applid`** +Specifies the application ID used for PassTicket validation to authenticate connections to the server + +Successful execution of this validation command shows your application and the specific access of the application. +
#### Verifying PassTickets using Top Secret @@ -395,26 +404,17 @@ TSS WHOHAS PTKTDATA(IRRPTAUTH.) -#### Verifying PassTickets using ACF2 +#### Verifying PassTickets using RACF
-Click here for command details for ACF2. - -**ACF2:** +Click here for command details for RACF -Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: -```acf2 -SET RESOURCE(APL) -LIST LIKE(-) -SET RESOURCE(PTK) -LIST LIKE(IRRPTAUTH-) +**RACF:** +```racf + RLIST APPL ALL + RLIST PTKTDATA IRRPTAUTH..* ALL ``` -* **`applid`** -Specifies the application ID used for PassTicket validation to authenticate connections to the server - -Successful execution of this validation command shows your application and the specific access of the application. -
**Output example:** diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index ad729c7bbf..18037b35e4 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -31,92 +31,92 @@ This section applies to users who do not already have PassTickets enabled in the :::tip To validate if a PassTicket is already defined, list the APPL and PTKTDATA with a command corresponding to your ESM. Output indicates if a PassTicket is already defined. No results after issuing an ESM command indicates that a PassTicket is not defined. If a PassTicket is defined, the access of the ZWESVUSR can be determined. -- **Validating an existing PassTicket for ACF2** +**Validating an existing PassTicket for ACF2** -
+
- Click here for command details about validating an existing PassTicket for ACF2. +Click here for command details about validating an existing PassTicket for ACF2. - In your ESM command line interface or other security environment, execute the following commands: - 1. Issue a `SHOW CLASMAP` command in TSO ACF to verify whether the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: +In your ESM command line interface or other security environment, execute the following commands: +1. Issue a `SHOW CLASMAP` command in TSO ACF to verify whether the APPL resource is defined in the GSO. Take note of the 3 character type code associated with APPL. If APPL does not appear in the `SHOW CLASMAP` listing, run the following commands: - ```acf2 - SET CONTROL(GSO) - INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL) - F ACF2,REFRESH(CLASMAP) - ``` + ```acf2 + SET CONTROL(GSO) + INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL) + F ACF2,REFRESH(CLASMAP) + ``` - 2. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: - ```acf2 - SET RESOURCE(APL) - LIST LIKE(-) - ``` - 3. Verify whether PTKTDATA is defined, by executing the following commands: - ```acf2 - SET PROFILE(PTKTDATA) DIVISION(SSIGNON) - LIST LIKE(-) - SET RESOURCE(PTK) - LIST LIKE(IRRPTAUTH-) - ``` +2. Replace 'APL' with the type code listed in the `SHOW CLASMAP` output: + ```acf2 + SET RESOURCE(APL) + LIST LIKE(-) + ``` +3. 
Verify whether PTKTDATA is defined, by executing the following commands: + ```acf2 + SET PROFILE(PTKTDATA) DIVISION(SSIGNON) + LIST LIKE(-) + SET RESOURCE(PTK) + LIST LIKE(IRRPTAUTH-) + ``` - - **`-`** - A wildcard symbol that lists all resources +- **`-`** + A wildcard symbol that lists all resources - - **`-`** - Lists everything related to specified applid in a resource (in this case, SAF), or specified in a profile (in this case, PTKTDATA) +- **`-`** + Lists everything related to specified applid in a resource (in this case, SAF), or specified in a profile (in this case, PTKTDATA) -
+
-- **Validating an existing PassTicket for Top Secret** +**Validating an existing PassTicket for Top Secret** -
+
- Click here for command details about validating an existing PassTicket for Top Secret. +Click here for command details about validating an existing PassTicket for Top Secret. - In your ESM command line interface or other security environment, execute the following commands: +In your ESM command line interface or other security environment, execute the following commands: ```tss - TSS WHOHAS APPL() - TSS WHOHAS PTKTDATA() - TSS WHOHAS PTKTDATA(IRRPTAUTH..) + TSS WHOHAS APPL() + TSS WHOHAS PTKTDATA() + TSS WHOHAS PTKTDATA(IRRPTAUTH..) ``` If APPL and PTKTDATA are not defined yet, follow the instruction to create them as described in the [Enabling PassTickets with Top Secret](#enabling-passtickets-with-top-secret) section. - - **`.`** - A wildcard symbol that lists all resources +- **`.`** + A wildcard symbol that lists all resources - - **`IRRPTAUTH..`** - Returns everything about the specified applid for IRRPTAUTH +- **`IRRPTAUTH..`** + Returns everything about the specified applid for IRRPTAUTH -
+
-- **Validating an existing PassTicket for RACF** +**Validating an existing PassTicket for RACF** -
+
- Click here for command details about validating an existing PassTicket for RACF. +Click here for command details about validating an existing PassTicket for RACF. - In your ESM command line interface or other security environment, execute the following commands: +In your ESM command line interface or other security environment, execute the following commands: ```racf - RLIST APPL * ALL - RLIST APPL ALL - RLIST PTKTDATA SSIGNON ALL - RLIST PTKTDATA IRRPTAUTH..* ALL + RLIST APPL * ALL + RLIST APPL ALL + RLIST PTKTDATA SSIGNON ALL + RLIST PTKTDATA IRRPTAUTH..* ALL ``` - Ensure that you validate PTKTDATA access for APPL. +Ensure that you validate PTKTDATA access for APPL. - - **`*`** - A wildcard symbol that resturns all resources +- **`*`** + A wildcard symbol that resturns all resources - - **`RLIST PTKTDATA SSIGNON ALL`** - Validates all applid for PTKDATA class +- **`RLIST PTKTDATA SSIGNON ALL`** + Validates all applid for PTKDATA class - - **`RLIST PTKTDATA IRRPTAUTH..* ALL`** - Validates all applid permissions for PTKDATA class +- **`RLIST PTKTDATA IRRPTAUTH..* ALL`** + Validates all applid permissions for PTKDATA class -
+
::: @@ -365,18 +365,12 @@ Grant the Zowe started task user ID permission to generate PassTickets for users ### Verifying your PassTicket Application -In your ESM command line interface or other security environment, execute the following commands: +In your ESM command line interface or other security environment, execute the commands that correspond to your ESM: -**RACF:** -```racf - RLIST APPL ALL - RLIST PTKTDATA IRRPTAUTH..* ALL -``` -**TSS:** -```tss -TSS WHOHAS APPL() -TSS WHOHAS PTKTDATA(IRRPTAUTH.) -``` +#### Verifyinging PassTickets using ACF2 + +
+Click here for command details for ACF2. **ACF2:** @@ -391,6 +385,34 @@ LIST LIKE(IRRPTAUTH-) * **`applid`** Specifies the application ID used for PassTicket validation to authenticate connections to the server +
+ +#### Verifyinging PassTickets using Top Secret + +
+Click here for command details for Top Secret. + +**TSS:** +```tss +TSS WHOHAS APPL() +TSS WHOHAS PTKTDATA(IRRPTAUTH.) +``` + +
+ +#### Verifyinging PassTickets using RACF + +
+Click here for command details for RACF. + +**RACF:** +```racf + RLIST APPL ALL + RLIST PTKTDATA IRRPTAUTH..* ALL +``` + +
+ Successful execution of this validation command shows your application and the specific access of the application. **Output example:** From 6890cac6872706cab1f136fbb9af207b3bf01d97 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Thu, 14 Nov 2024 17:43:53 +0100 Subject: [PATCH 23/32] minor numeration fix Signed-off-by: Andrew Jandacek --- .../api-mediation/configuration-extender-passtickets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md index 18037b35e4..20952c5e44 100644 --- a/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md +++ b/versioned_docs/version-v2.18.x/user-guide/api-mediation/configuration-extender-passtickets.md @@ -16,8 +16,8 @@ The API Gateway uses the PassTicket to access that API service. The API Gateway Configuring Zowe to use PassTickets involves two processes: -- Enabling the use of PassTickets in your External Security Manager (ESM) -- Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service +1. Enabling the use of PassTickets in your External Security Manager (ESM) +2. Configuring security to allow the Zowe API Gateway to generate PassTickets for an API service ### Enabling the use of PassTickets in your External Security Manager (ESM) From 186d047725a376dfdec114ed98eaa1cfd8f0f6a4 Mon Sep 17 00:00:00 2001 
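Review bot: the three headings added in the versioned_docs/version-v2.18.x hunk of "fix order of ESMs in verifying section" are misspelled as `#### Verifyinging PassTickets using ACF2`, `... using Top Secret` and `... using RACF`. They should read `Verifying`, as in the docs/ copy, otherwise the generated heading anchors carry the typo. The two copies also differ on where "Successful execution of this validation command shows your application and the specific access of the application." ends up: in docs/ it now sits with the `applid` bullet inside the ACF2 block, while in v2.18.x it stays after the RACF block, directly before "Output example". Keeping it after the last ESM block in both copies lets Top Secret and RACF readers see it as well. The re-indented bullets in this series still contain `resturns` and `PTKDATA` (for `PTKTDATA`), which can be corrected while those lines are being touched.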
From: anaxceron Date: Thu, 14 Nov 2024 16:12:25 -0500 Subject: [PATCH 24/32] initial draft https://github.com/openmainframeproject/foundation/releases/download/zowe_conformant_zowe_v3_20240910/Zowe.Support.Provider.-.Test.Evaluation.Guide.Table.pdf --- docs/whats-new/release-notes/v3_0_0.md | 2 -- .../whats-new/zowe-compatibility-statement.md | 25 +++++++++++++++++++ sidebars.js | 1 + 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 docs/whats-new/zowe-compatibility-statement.md diff --git a/docs/whats-new/release-notes/v3_0_0.md b/docs/whats-new/release-notes/v3_0_0.md index a081b1d56b..6c98afa05d 100644 --- a/docs/whats-new/release-notes/v3_0_0.md +++ b/docs/whats-new/release-notes/v3_0_0.md @@ -233,8 +233,6 @@ For a complete list of enhancements and bug fixes, see the following changelogs: - [IBM z/OS FTP Plug-in Zowe CLI](https://github.com/zowe/zowe-cli-ftp-plugin/blob/master/CHANGELOG.md) - [IBM MQ Plug-in Zowe CLI](https://github.com/zowe/zowe-cli-mq-plugin/blob/master/CHANGELOG.md) - - ## Conformance and release compatibility ### Backward compatibility diff --git a/docs/whats-new/zowe-compatibility-statement.md b/docs/whats-new/zowe-compatibility-statement.md new file mode 100644 index 0000000000..bcaa7943b1 --- /dev/null +++ b/docs/whats-new/zowe-compatibility-statement.md 
@@ -0,0 +1,25 @@ +# Zowe conformance and release compatibility + +## Backward compatibility + +Zowe V2 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V3 and therefore may not be operable. In general, plug-ins/extensions which leverage V3 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. + +**Recommendation:** All V2 extenders test with Zowe V3, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. + +## Forward compatibility + +Zowe V3 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V2 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V2 functions are at minimum risk. + +**Recommendation:** All V3 extenders test with Zowe V2 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. + +## Conformance compatibility + +Zowe V2 conformant extensions/plug-ins are likely to require changes to meet Zowe V3 conformance criteria. All extensions (regardless of V2 conformance status) must apply for V3 conformance and satisfy all required V3 testing criteria. You can find the V3 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/releases/download/zowe_conformant_zowe_v3_20240910/Zowe.Support.Provider.-.Test.Evaluation.Guide.Table.pdf). + +:::tip Recommendation +All extenders interested in earning V3 conformance review the V3 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V3 conformance. +::: + +## Need help? 
+ +For assistance with reviewing or completing the Zowe Conformance Zowe V3 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the `#zowe-onboarding` channel. \ No newline at end of file diff --git a/sidebars.js b/sidebars.js index a59ee2b523..6b1b598ad6 100644 --- a/sidebars.js +++ b/sidebars.js @@ -41,6 +41,7 @@ module.exports = { "whats-new/release-notes/v2_0_0", ], }, + "whats-new/zowe-compatibility-statement", ], "getting-started": [ { From 39be38ca1b822f7130db2cb13e882732b5ca0cc8 Mon Sep 17 00:00:00 2001 From: ac892247 Date: Fri, 15 Nov 2024 09:52:19 +0100 Subject: [PATCH 25/32] validate oidc method in zaas client Signed-off-by: ac892247 --- docs/extend/extend-apiml/zaas-client.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/extend/extend-apiml/zaas-client.md b/docs/extend/extend-apiml/zaas-client.md index 29c3f3c216..2fca121a59 100644 --- a/docs/extend/extend-apiml/zaas-client.md +++ b/docs/extend/extend-apiml/zaas-client.md @@ -33,6 +33,7 @@ public interface ZaasClient { String login(String authorizationHeader) throws ZaasClientException; ZaasToken query(String token) throws ZaasClientException; ZaasToken query(HttpServletRequest request) throws ZaasClientException; + ZaasOidcValidationResult validateOidc(String token) throws ZaasClientException; String passTicket(String jwtToken, String applicationId) throws ZaasClientException, ZaasConfigurationException; void logout(String token) throws ZaasClientException, ZaasConfigurationException; } 
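Review bot: the `validateOidc(String token)` line added to the interface listing, and the section written for it in the next hunk, do not say how a caller learns that a token is invalid: through a field of `ZaasOidcValidationResult`, or through a `ZaasClientException`. Please list the fields of the result and the failures that throw, so that callers do not read "no exception" as "token is valid". The sentence "you receive the `ZaasOidcValidationResult` Object in JSON format" mirrors the wording used for `query`, but the signature returns a Java object. The truststore sentence should also name the `ConfigProperties` settings it relies on rather than "add a security layer".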
@@ -88,6 +89,21 @@ cookie or in an Authorization header. You then receive the `ZaasToken` Object in ZaasToken query(HttpServletRequest request) throws ZaasClientException; ``` +### Validate the OIDC token (`validateOidc`) + +Use the `validateOidc` method to get the validity information about the OIDC token. + +Call the `validateOidc` method from your API in the following format: + +```java +ZaasOidcValidationResult validateOidc(String token) throws ZaasClientException; +``` + +In return, you receive the `ZaasOidcValidationResult` Object in JSON format. + +This method automatically uses the truststore file to add a security layer, which you configured in the `ConfigProperties` class. + + ### Invalidate a JWT token (`logout`) The `logout` method is used to invalidate the JWT token. The token must be provided in the Cookie header and must follow the format accepted by the API ML. From b7bd20d50a6d56ec2e9c678005b902c0799a8a19 Mon Sep 17 00:00:00 2001 From: ac892247 Date: Fri, 15 Nov 2024 10:02:52 +0100 Subject: [PATCH 26/32] update status code Signed-off-by: ac892247 --- docs/extend/extend-apiml/api-mediation-oidc-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/extend/extend-apiml/api-mediation-oidc-authentication.md b/docs/extend/extend-apiml/api-mediation-oidc-authentication.md index dec5a517fb..465157b7b9 100644 --- a/docs/extend/extend-apiml/api-mediation-oidc-authentication.md +++ b/docs/extend/extend-apiml/api-mediation-oidc-authentication.md 
@@ -259,7 +259,7 @@ Use the following curl command to make a REST request with the OIDC token to the curl --location 'https://"$HOSTNAME:$PORT"/gateway/api/v1/auth/oidc-token/validate --data '{"token": "$OIDC_TOKEN","serviceId": "$SERVICE_ID"}' ``` -An HTTP `200` code is returned if the validation passes. Failure to validate returns an HTTP `40x` error. +An HTTP `204` code is returned if the validation passes. Failure to validate returns an HTTP `40x` error. ::: :::note Azure Entra ID OIDC notes: From 1750859a5aad8d4b3d37a7c8d3f2326f8a8439f0 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 15 Nov 2024 12:43:38 +0100 Subject: [PATCH 27/32] create collapsible content for Gradle and Maven commands Signed-off-by: Andrew Jandacek --- docs/extend/extend-apiml/zaas-client.md | 92 ++++++++++++++----------- 1 file changed, 51 insertions(+), 41 deletions(-) diff --git a/docs/extend/extend-apiml/zaas-client.md b/docs/extend/extend-apiml/zaas-client.md index 2fca121a59..2b5448e670 100644 --- a/docs/extend/extend-apiml/zaas-client.md +++ b/docs/extend/extend-apiml/zaas-client.md @@ -140,65 +140,75 @@ To use this library, use the procedure described in this section. 1. Add `zaas-client` as a dependency in your project. You will need to specify the version of the `zaas-client` you want. `zaas-client` versioning following the semantic versioning format of `major.minor.patch`. For example, `1.22.0`. +
+ Click here for procedural details using Gradle. + **Gradle:** - 1. Create a `gradle.properties` file in the root of your project if one does not already exist. + 1. Create a `gradle.properties` file in the root of your project if one does not already exist. - 2. In the `gradle.properties` file, set the URL of the specific Artifactory containing the _SpringEnabler_ artifact. + 2. In the `gradle.properties` file, set the URL of the specific Artifactory containing the _SpringEnabler_ artifact. - ``` - # Repository URL for getting the enabler-java artifact - artifactoryMavenRepo=https://zowe.jfrog.io/zowe/libs-release/ - ``` + ``` + # Repository URL for getting the enabler-java artifact + artifactoryMavenRepo=https://zowe.jfrog.io/zowe/libs-release/ + ``` - 3. Add the following _Gradle_ code block to the `repositories` section of your `build.gradle` file: + 3. Add the following _Gradle_ code block to the `repositories` section of your `build.gradle` file: - ```gradle - repositories { - ... + ```gradle + repositories { + ... - maven { + maven { url artifactoryMavenRepo - } } - ``` + } + ``` - 4. Add the following _Gradle_ dependency: + 4. Add the following _Gradle_ dependency: - ```groovy - dependencies { - compile 'org.zowe.apiml.sdk:zaas-client:{{version}}' - } - ``` + ```groovy + dependencies { + compile 'org.zowe.apiml.sdk:zaas-client:{{version}}' + } + ``` + +
+ +
+ Click here for procedural details using Maven. **Maven:** - 1. Add the following _XML_ tags within the newly created `pom.xml` file: - - ```xml - - - libs-release - libs-release - https://zowe.jfrog.io/zowe/libs-release/ - - false - - - - ``` + 1. Add the following _XML_ tags within the newly created `pom.xml` file: + + ```xml + + + libs-release + libs-release + https://zowe.jfrog.io/zowe/libs-release/ + + false + + + + ``` **Tip:** If you want to use snapshot version, replace libs-release with libs-snapshot in the repository url and change snapshots->enabled to true. - 2. Then add the following _Maven_ dependency: + 2. Then add the following _Maven_ dependency: - ```xml - - org.zowe.apiml.sdk - zaas-client - {{version}} - - ``` + ```xml + + org.zowe.apiml.sdk + zaas-client + {{version}} + + ``` + +
2. In your application, create your Java class which will be used to create an instance of `ZaasClient`, which enables you to use its method to login, query, and to issue a PassTicket. From cbba4cb69543ee11899f68328706c96f3a49a58d Mon Sep 17 00:00:00 2001 From: ac892247 Date: Fri, 15 Nov 2024 13:26:45 +0100 Subject: [PATCH 28/32] same status code for v2 Signed-off-by: ac892247 --- .../extend/extend-apiml/api-mediation-oidc-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versioned_docs/version-v2.18.x/extend/extend-apiml/api-mediation-oidc-authentication.md b/versioned_docs/version-v2.18.x/extend/extend-apiml/api-mediation-oidc-authentication.md index 22e4f5ab71..bb6bd63d1b 100644 --- a/versioned_docs/version-v2.18.x/extend/extend-apiml/api-mediation-oidc-authentication.md +++ b/versioned_docs/version-v2.18.x/extend/extend-apiml/api-mediation-oidc-authentication.md @@ -242,7 +242,7 @@ Use the following curl command to make a REST request with the OIDC token to the curl --location 'https://"$HOSTNAME:$PORT"/gateway/api/v1/auth/oidc-token/validate --data '{"token": "$OIDC_TOKEN","serviceId": "$SERVICE_ID"}' ``` -An HTTP `200` code is returned if the validation passes. Failure to validate returns an HTTP `40x` error. +An HTTP `204` code is returned if the validation passes. Failure to validate returns an HTTP `40x` error. ::: :::note Azure Entra ID OIDC notes: From 3a8bf87726b7e88e0a54af63e37e9537e1b96d7d Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 15 Nov 2024 14:43:43 +0100 Subject: [PATCH 29/32] minor language clarification Signed-off-by: Andrew Jandacek --- .../whats-new/zowe-compatibility-statement.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/docs/whats-new/zowe-compatibility-statement.md b/docs/whats-new/zowe-compatibility-statement.md index bcaa7943b1..27ca8cd0cb 100644 --- a/docs/whats-new/zowe-compatibility-statement.md 
+++ b/docs/whats-new/zowe-compatibility-statement.md 
@@ -4,20 +4,29 @@ Zowe V2 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V3 and therefore may not be operable. In general, plug-ins/extensions which leverage V3 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. -**Recommendation:** All V2 extenders test with Zowe V3, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +:::tip Recommendation for backward compatibility + +We recommend that all V2 extenders test with Zowe V3, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. Testing limitations should be clearly documented. + +::: ## Forward compatibility Zowe V3 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V2 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V2 functions are at minimum risk. -**Recommendation:** All V3 extenders test with Zowe V2 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +:::tip Recommendation for forward compatibility + +We recommend that all V3 extenders test with Zowe V2 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. Testing limitations should be clearly documented. + +::: ## Conformance compatibility -Zowe V2 conformant extensions/plug-ins are likely to require changes to meet Zowe V3 conformance criteria. All extensions (regardless of V2 conformance status) must apply for V3 conformance and satisfy all required V3 testing criteria. 
You can find the V3 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/releases/download/zowe_conformant_zowe_v3_20240910/Zowe.Support.Provider.-.Test.Evaluation.Guide.Table.pdf). +Zowe V2 conformant extensions/plug-ins are likely to require changes to meet Zowe V3 conformance criteria. All extensions (regardless of V2 conformance status) must apply for V3 conformance and satisfy all required V3 testing criteria. For more information about V3 Conformance Criteria, see the [Zowe Support Provider Conformance Guide](https://github.com/openmainframeproject/foundation/releases/download/zowe_conformant_zowe_v3_20240910/Zowe.Support.Provider.-.Test.Evaluation.Guide.Table.pdf). + +:::tip Recommendation for V3 conformance -:::tip Recommendation -All extenders interested in earning V3 conformance review the V3 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V3 conformance. +We recommend that all extenders interested in earning V3 conformance review the V3 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V3 conformance. ::: ## Need help? From 53bbd1dcb06f1ba5baca8caf95d8f2318c516517 Mon Sep 17 00:00:00 2001 From: Andrew Jandacek Date: Fri, 15 Nov 2024 16:46:59 +0100 Subject: [PATCH 30/32] remove consumer header in V3 OH Signed-off-by: Andrew Jandacek --- docs/whats-new/zowe-v3-office-hours.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/whats-new/zowe-v3-office-hours.md b/docs/whats-new/zowe-v3-office-hours.md index 221719ee40..146e698bd2 100644 --- a/docs/whats-new/zowe-v3-office-hours.md +++ b/docs/whats-new/zowe-v3-office-hours.md 
@@ -6,7 +6,6 @@ Zowe squads go over their upcoming projects and answer your questions about Zowe Missed a session? Catch up here. Office hours are recorded and made available with videos posted to the [Open Mainframe Project](https://www.youtube.com/@OpenMainframeProject) YouTube channel. -## Consumer focused Office Hours | Date | Topic | Link to the meeting | Link to the recording | Links to the materials | | ------------------------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |--------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From f2ef92ca2f7a63c9eef75e9dfc9b34b42c0c4e2a Mon Sep 17 00:00:00 2001 From: anaxceron Date: Fri, 15 Nov 2024 14:05:48 -0500 Subject: [PATCH 31/32] reworked draft per squad feedback 
Signed-off-by: anaxceron --- docs/whats-new/release-notes/v3_0_0.md | 22 -------------- ....md => zowe-compatibility-statement-v3.md} | 10 +++++-- sidebars.js | 2 +- .../zowe-compatibility-statement-v2.md | 29 +++++++++++++++++++ .../zowe-compatibility-statement-v2.md | 29 +++++++++++++++++++ .../zowe-compatibility-statement-v2.md | 29 +++++++++++++++++++ .../zowe-compatibility-statement-v2.md | 29 +++++++++++++++++++ .../version-v2.15.x-sidebars.json | 1 + .../version-v2.16.x-sidebars.json | 1 + .../version-v2.17.x-sidebars.json | 1 + .../version-v2.18.x-sidebars.json | 1 + 11 files changed, 128 insertions(+), 26 deletions(-) rename docs/whats-new/{zowe-compatibility-statement.md => zowe-compatibility-statement-v3.md} (74%) create mode 100644 versioned_docs/version-v2.15.x/whats-new/zowe-compatibility-statement-v2.md create mode 100644 versioned_docs/version-v2.16.x/whats-new/zowe-compatibility-statement-v2.md create mode 100644 versioned_docs/version-v2.17.x/whats-new/zowe-compatibility-statement-v2.md create mode 100644 versioned_docs/version-v2.18.x/whats-new/zowe-compatibility-statement-v2.md diff --git a/docs/whats-new/release-notes/v3_0_0.md b/docs/whats-new/release-notes/v3_0_0.md index 6c98afa05d..c9c21ac365 100644 --- a/docs/whats-new/release-notes/v3_0_0.md +++ b/docs/whats-new/release-notes/v3_0_0.md 
@@ -232,25 +232,3 @@ For a complete list of enhancements and bug fixes, see the following changelogs: - [IBM Db2 Databse Plug-in Zowe CLI](https://github.com/zowe/zowe-cli-db2-plugin/blob/master/CHANGELOG.md) - [IBM z/OS FTP Plug-in Zowe CLI](https://github.com/zowe/zowe-cli-ftp-plugin/blob/master/CHANGELOG.md) - [IBM MQ Plug-in Zowe CLI](https://github.com/zowe/zowe-cli-mq-plugin/blob/master/CHANGELOG.md) - -## Conformance and release compatibility - -### Backward compatibility - -Zowe V2 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V3 and therefore may not be operable. In general, plug-ins/extensions which leverage V3 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. - -**Recommendation:** All V2 extenders test with Zowe V3, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. - -### Forward compatibility - -Zowe V3 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V2 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V2 functions are at minimum risk. - -**Recommendation:** All V3 extenders test with Zowe V2 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. - -### Conformance compatibility - -Zowe V2 conformant extensions/plug-ins are likely to require changes to meet Zowe V3 conformance criteria. All extensions (regardless of V2 conformance status) must apply for V3 conformance and satisfy all required V3 testing criteria. You can find the V3 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/files/8489757/Zowe.Conformance.Program.-.Test.Evaluation.Guide.Table.pdf). 
- -**Recommendation:** All extenders interested in earning V3 conformance review the V3 conformance criteria, determine if technical changes are necessary, make appropriate modifications and prepare to apply for V3 conformance. - -**Need help?** For assistance with reviewing or completing the Zowe Conformance Zowe V3 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the `#zowe-onboarding` channel. diff --git a/docs/whats-new/zowe-compatibility-statement.md b/docs/whats-new/zowe-compatibility-statement-v3.md similarity index 74% rename from docs/whats-new/zowe-compatibility-statement.md rename to docs/whats-new/zowe-compatibility-statement-v3.md index bcaa7943b1..87e5b86c78 100644 --- a/docs/whats-new/zowe-compatibility-statement.md +++ b/docs/whats-new/zowe-compatibility-statement-v3.md 
@@ -4,13 +4,17 @@ Zowe V2 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V3 and therefore may not be operable. In general, plug-ins/extensions which leverage V3 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. -**Recommendation:** All V2 extenders test with Zowe V3, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +:::tip Recommendation +All V2 extenders test with Zowe V3, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: ## Forward compatibility Zowe V3 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V2 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V2 functions are at minimum risk. -**Recommendation:** All V3 extenders test with Zowe V2 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +:::tip Recommendation +All V3 extenders test with Zowe V2 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: ## Conformance compatibility 
@@ -22,4 +26,4 @@ All extenders interested in earning V3 conformance review the V3 conformance cri ## Need help? -For assistance with reviewing or completing the Zowe Conformance Zowe V3 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the `#zowe-onboarding` channel. \ No newline at end of file +For assistance with reviewing or completing the Zowe Conformance Zowe V3 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the **#zowe-onboarding** channel. diff --git a/sidebars.js b/sidebars.js index 6b1b598ad6..aaad3e4a69 100644 --- a/sidebars.js +++ b/sidebars.js @@ -41,7 +41,6 @@ module.exports = { "whats-new/release-notes/v2_0_0", ], }, - "whats-new/zowe-compatibility-statement", ], "getting-started": [ { @@ -106,6 +105,7 @@ module.exports = { }, ], }, + "whats-new/zowe-compatibility-statement-v3", "getting-started/cli-getting-started", ], "setup": [ diff --git a/versioned_docs/version-v2.15.x/whats-new/zowe-compatibility-statement-v2.md b/versioned_docs/version-v2.15.x/whats-new/zowe-compatibility-statement-v2.md new file mode 100644 index 0000000000..29a848f747 --- /dev/null +++ b/versioned_docs/version-v2.15.x/whats-new/zowe-compatibility-statement-v2.md 
@@ -0,0 +1,29 @@ +# Zowe conformance and release compatibility + +## Backward compatibility + +Zowe V1 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V2 and therefore may not be operable. In general, plug-ins/extensions which leverage V2 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. + +:::tip Recommendation +All V1 extenders test with Zowe V2, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Forward compatibility + +Zowe V2 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V1 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V1 functions are at minimum risk. + +:::tip Recommendation +All V2 extenders test with Zowe V1 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Conformance compatibility + +Zowe V1 conformant extensions/plug-ins are likely to require changes to meet Zowe V2 conformance criteria. All extensions (regardless of V1 conformance status) must apply for V2 conformance and satisfy all required V2 testing criteria. You can find the V2 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/files/8489757/Zowe.Conformance.Program.-.Test.Evaluation.Guide.Table.pdf). + +:::tip Recommendation +All extenders interested in earning V2 conformance review the V2 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V2 conformance. +::: + +## Need help? 
+ +For assistance with reviewing or completing the Zowe Conformance Zowe V2 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the **#zowe-onboarding** channel. diff --git a/versioned_docs/version-v2.16.x/whats-new/zowe-compatibility-statement-v2.md b/versioned_docs/version-v2.16.x/whats-new/zowe-compatibility-statement-v2.md new file mode 100644 index 0000000000..29a848f747 --- /dev/null +++ b/versioned_docs/version-v2.16.x/whats-new/zowe-compatibility-statement-v2.md 
@@ -0,0 +1,29 @@ +# Zowe conformance and release compatibility + +## Backward compatibility + +Zowe V1 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V2 and therefore may not be operable. In general, plug-ins/extensions which leverage V2 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. + +:::tip Recommendation +All V1 extenders test with Zowe V2, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Forward compatibility + +Zowe V2 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V1 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V1 functions are at minimum risk. + +:::tip Recommendation +All V2 extenders test with Zowe V1 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Conformance compatibility + +Zowe V1 conformant extensions/plug-ins are likely to require changes to meet Zowe V2 conformance criteria. All extensions (regardless of V1 conformance status) must apply for V2 conformance and satisfy all required V2 testing criteria. You can find the V2 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/files/8489757/Zowe.Conformance.Program.-.Test.Evaluation.Guide.Table.pdf). + +:::tip Recommendation +All extenders interested in earning V2 conformance review the V2 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V2 conformance. +::: + +## Need help? 
+ +For assistance with reviewing or completing the Zowe Conformance Zowe V2 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the **#zowe-onboarding** channel. diff --git a/versioned_docs/version-v2.17.x/whats-new/zowe-compatibility-statement-v2.md b/versioned_docs/version-v2.17.x/whats-new/zowe-compatibility-statement-v2.md new file mode 100644 index 0000000000..29a848f747 --- /dev/null +++ b/versioned_docs/version-v2.17.x/whats-new/zowe-compatibility-statement-v2.md 
@@ -0,0 +1,29 @@ +# Zowe conformance and release compatibility + +## Backward compatibility + +Zowe V1 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V2 and therefore may not be operable. In general, plug-ins/extensions which leverage V2 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. + +:::tip Recommendation +All V1 extenders test with Zowe V2, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Forward compatibility + +Zowe V2 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V1 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V1 functions are at minimum risk. + +:::tip Recommendation +All V2 extenders test with Zowe V1 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Conformance compatibility + +Zowe V1 conformant extensions/plug-ins are likely to require changes to meet Zowe V2 conformance criteria. All extensions (regardless of V1 conformance status) must apply for V2 conformance and satisfy all required V2 testing criteria. You can find the V2 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/files/8489757/Zowe.Conformance.Program.-.Test.Evaluation.Guide.Table.pdf). + +:::tip Recommendation +All extenders interested in earning V2 conformance review the V2 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V2 conformance. +::: + +## Need help? 
+ +For assistance with reviewing or completing the Zowe Conformance Zowe V2 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the **#zowe-onboarding** channel. diff --git a/versioned_docs/version-v2.18.x/whats-new/zowe-compatibility-statement-v2.md b/versioned_docs/version-v2.18.x/whats-new/zowe-compatibility-statement-v2.md new file mode 100644 index 0000000000..29a848f747 --- /dev/null +++ b/versioned_docs/version-v2.18.x/whats-new/zowe-compatibility-statement-v2.md 
@@ -0,0 +1,29 @@ +# Zowe conformance and release compatibility + +## Backward compatibility + +Zowe V1 conformant extensions/plug-ins are not guaranteed to be compatible with Zowe V2 and therefore may not be operable. In general, plug-ins/extensions which leverage V2 APIs that have known breaking changes are at high risk of incompatibility and unpredictable results. + +:::tip Recommendation +All V1 extenders test with Zowe V2, identify any issues, and disclose results to consumers to clearly indicate backward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Forward compatibility + +Zowe V2 conformant (planning to earn conformance) extensions/plug-ins are not guaranteed to be compatible with Zowe V1 LTS. In general, plug-ins/extensions with no known dependency on any newly introduced Zowe V1 functions are at minimum risk. + +:::tip Recommendation +All V2 extenders test with Zowe V1 LTS, identify any issues, and disclose results to consumers to clearly indicate forward compatibility status in the extension documentation. If unable to test, clearly document as such. +::: + +## Conformance compatibility + +Zowe V1 conformant extensions/plug-ins are likely to require changes to meet Zowe V2 conformance criteria. All extensions (regardless of V1 conformance status) must apply for V2 conformance and satisfy all required V2 testing criteria. You can find the V2 Conformance Criteria [here](https://github.com/openmainframeproject/foundation/files/8489757/Zowe.Conformance.Program.-.Test.Evaluation.Guide.Table.pdf). + +:::tip Recommendation +All extenders interested in earning V2 conformance review the V2 conformance criteria, determine if technical changes are necessary, make appropriate modifications, and prepare to apply for V2 conformance. +::: + +## Need help? 
+ +For assistance with reviewing or completing the Zowe Conformance Zowe V2 application, reach out to members of the Zowe Onboarding Squad on Slack at https://slack.openmainframeproject.org in the **#zowe-onboarding** channel. diff --git a/versioned_sidebars/version-v2.15.x-sidebars.json b/versioned_sidebars/version-v2.15.x-sidebars.json index 6dba58eaa8..7e32875c2f 100644 --- a/versioned_sidebars/version-v2.15.x-sidebars.json +++ b/versioned_sidebars/version-v2.15.x-sidebars.json @@ -108,6 +108,7 @@ "className": "ToCitemcolor", "id": "extend/migrate-extensions" }, + "whats-new/zowe-compatibility-statement-v2", { "type": "doc", "label": "Zowe learning resources", diff --git a/versioned_sidebars/version-v2.16.x-sidebars.json b/versioned_sidebars/version-v2.16.x-sidebars.json index cdff456095..dc6ee7d552 100644 --- a/versioned_sidebars/version-v2.16.x-sidebars.json +++ b/versioned_sidebars/version-v2.16.x-sidebars.json @@ -109,6 +109,7 @@ "className": "ToCitemcolor", "id": "extend/migrate-extensions" }, + "whats-new/zowe-compatibility-statement-v2", { "type": "doc", "label": "Zowe learning resources", diff --git a/versioned_sidebars/version-v2.17.x-sidebars.json b/versioned_sidebars/version-v2.17.x-sidebars.json index 2996581ea8..9aa06a6076 100644 --- a/versioned_sidebars/version-v2.17.x-sidebars.json +++ b/versioned_sidebars/version-v2.17.x-sidebars.json @@ -112,6 +112,7 @@ "className": "ToCitemcolor", "id": "extend/migrate-extensions" }, + "whats-new/zowe-compatibility-statement-v2", { "type": "doc", "label": "Zowe learning resources", diff --git a/versioned_sidebars/version-v2.18.x-sidebars.json b/versioned_sidebars/version-v2.18.x-sidebars.json index 268a0626df..fef86e4c45 100644 --- a/versioned_sidebars/version-v2.18.x-sidebars.json +++ b/versioned_sidebars/version-v2.18.x-sidebars.json 
@@ -113,6 +113,7 @@ "className": "ToCitemcolor", "id": "extend/migrate-extensions" }, + "whats-new/zowe-compatibility-statement-v2", { "type": "doc", "label": "Zowe learning resources", From 621ce6b902a494c5649621c967b3a034ebada95d Mon Sep 17 00:00:00 2001 From: anaxceron Date: Fri, 15 Nov 2024 14:58:46 -0500 Subject: [PATCH 32/32] fixing broken link Signed-off-by: anaxceron --- docs/whats-new/release-notes/v3_0_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/whats-new/release-notes/v3_0_0.md b/docs/whats-new/release-notes/v3_0_0.md index c9c21ac365..028ca3bafe 100644 --- a/docs/whats-new/release-notes/v3_0_0.md +++ b/docs/whats-new/release-notes/v3_0_0.md @@ -5,7 +5,7 @@ Welcome to the Version 3.0.0 release of Zowe! Version 3.0 introduced breaking changes and a number of new features. - See [Important updates](#important-updates) for a full list of changes to the functionality. -- See [Conformance and release compatibility](#conformance-and-release-compatibility) for V3 Conformance Criteria updates and compatibility with V2. +- See [Conformance and release compatibility](../zowe-compatibility-statement-v3.md) for V3 Conformance Criteria updates and compatibility with V2. **Download v3.0.0 build:** Want to try new features as soon as possible? You can download the v3.0.0 build from [Zowe.org](https://www.zowe.org/download.html).
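Review bot: In both api-mediation-oidc-authentication.md hunks (the `200` to `204` change at -259 and the v2.18.x copy in PATCH 28/32 at -242), the curl command kept as context directly above the edited sentence does not run as written. The single quote opened before `https://` is not closed at the end of the URL, so the command contains three single quotes, `$HOSTNAME:$PORT` is never expanded, and the shell is left waiting on an unterminated string. Since the edited sentence tells the reader what status to expect from that command, fix the quoting in the same change: double-quote the URL, and quote the JSON body so that `$OIDC_TOKEN` and `$SERVICE_ID` are expanded. A `204` carries no response body, so consider adding `-i` or `-w '%{http_code}'` to the example so the reader can see the status. The `40x` in the same sentence would be more useful as the specific codes the endpoint returns.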
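Review bot: In the Gradle steps of zaas-client.md (PATCH 27/32), the re-indented dependency line still reads `compile 'org.zowe.apiml.sdk:zaas-client:{{version}}'`. The `compile` configuration was removed in Gradle 7, so this snippet fails on current Gradle; as the line is being rewritten anyway, change it to `implementation`. Two smaller points in the same hunk: the **Gradle:** and **Maven:** labels now repeat what the new "Click here for procedural details using ..." summaries already say, and Maven step 1 refers to "the newly created `pom.xml` file" although no step creates one.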
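Review bot: PATCH 31/32 renames zowe-compatibility-statement.md starting from blob `bcaa7943b1`, which is the same pre-image that PATCH 29/32 edits (`index bcaa7943b1..27ca8cd0cb`), and its hunk at -4,13 removes the `**Recommendation:**` lines that PATCH 29 has already replaced. Applied in order, that hunk will not match the file. If the conflict is resolved in favour of PATCH 31, the "We recommend that ..." wording and the titled tips from PATCH 29 are dropped in favour of the verbless "All V2 extenders test with Zowe V3 ..." form. Please rebase one change on the other and settle on a single wording for the three recommendation tips.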
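Review bot: In the new zowe-compatibility-statement-v2.md (added with the same blob `29a848f747` under v2.15.x through v2.18.x), the Forward compatibility paragraph says extensions "with no known dependency on any newly introduced Zowe V1 functions are at minimum risk". This reads like a mechanical version substitution from the V3 page. For a V2 extension running on V1 LTS, the risk would come from functions that V1 lacks, so please confirm which version is meant here. The same file keeps the "[here]" link text and the tip sentences without a verb of recommendation ("All V1 extenders test with Zowe V2 ..."), both of which PATCH 29/32 rewrote on the V3 page. Carrying those fixes over would keep the two pages consistent.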
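Review bot: In the four versioned_sidebars hunks, `"whats-new/zowe-compatibility-statement-v2"` is added as a bare string between entries that are objects carrying `"type": "doc"`, a `"label"` and `"className": "ToCitemcolor"`. The new item will therefore render without that class and with the page's own title as its label. If it should match its neighbours, add it in the same object form. The sidebars.js hunks likewise move the V3 page out of the whats-new list and into the "getting-started" list while the file stays under docs/whats-new/, so it is worth confirming that this placement is intended.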