Security doc org refactor #3978
Conversation
Signed-off-by: Andrew Jandacek <[email protected]>
…ity-doc-org-refactor' of https://github.com/zowe/docs-site into janan07-security-doc-org-refactor
Loving the use of <details> to hide all the commands because they're quite similar and routine throughout the page.
I'm focusing on the table contents... the contents and how we explain them could guide what this page covers and how.
| --- | --- | --- | | ||
| Set the names for the different z/OS UNIX address spaces for the Zowe runtime components. <br/>**Important:** This configuration step is required. | All components | [Configure address space job naming](#configure-address-space-job-naming) | | ||
| To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | Application Framework | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | | ||
| To allow users to log on to the Zowe desktop through impersonation. | | [Configure security environment switching](#configure-security-environment-switching) | |
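Review bot: the impersonation row leaves the component column empty while the other rows name one; since it is about logging on to the Zowe desktop, the same component as the preceding row (Application Framework) keeps the column consistent. The first column also mixes a purpose statement ("To use Zowe desktop.") with a requirement statement ("**Important:** This configuration step is required."); stating required or optional once per row, in the same form, would make the table easier to scan.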
Application Framework
| To use Zowe desktop. This step generates random numbers for zssServer that the Zowe desktop uses. | Application Framework | [Configure an ICSF cryptographic services environment](#configure-an-icsf-cryptographic-services-environment) | | ||
| To allow users to log on to the Zowe desktop through impersonation. | | [Configure security environment switching](#configure-security-environment-switching) | | ||
| Required for TSS only. A TSS FACILITY needs to be defined and assigned to the `ZWESLSTC` started task. | | [Configure multi-user address space for TSS only](#configure-multi-user-address-space-for-tss-only) | | ||
| Required if you have not run `ZWESECUR` and are manually creating the user ID and groups in your z/OS environment. | | [Configure user IDs and groups for the Zowe started tasks](#configure-user-ids-and-groups-for-the-zowe-started-tasks) | |
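Review bot: the TSS row and the user-IDs-and-groups row both leave the component column empty. Both concern the Zowe started tasks (`ZWESLSTC` and the started-task user IDs) rather than one component, so "All components", as used for the job-naming row, would fit. Keep the ESM condition ("for TSS only") in the first column and use the second column only for the Zowe component so the two columns keep distinct meanings.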
All mention of "ZWESECUR" in this table should be rethought.
- ZWESECUR is not the recommended job to run anymore.
- It was also only ever one of what are now 4 ways to perform its actions (zwe, jcl, zosmf workflow, install wizard).
- Because the operations of ZWESECUR are instructed to be done within a prior doc page, care should be taken not to present this as something that needs to be done again.
You may wish to reword all "Required if you have not run ZWESECUR" entries to
"Required. Tasks are done within zwe, workflow, install wizard or jcl-based security setup."
Or
"Required. Tasks are done within Zowe runtime configuration"
Or to call them out in a separate table or list by saying "The following tasks are needed by Zowe, and are normally handled during Zowe runtime configuration. Read each link to learn more about the tasks performed by that configuration"
| Required if you have not run `ZWESECUR` and are configuring your z/OS environment manually. This step describes how to configure the cross memory server for SAF to guard against access by non-privileged clients. | Application Framework | [Configure the cross memory server for SAF](#configure-the-cross-memory-server-for-saf) | | ||
| Required for API Mediation Layer to map a client certificate to a z/OS identity. | API ML | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | | ||
| Required for API ML to map the association between a z/OS user ID and a distributed user identity. | API ML | [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | | ||
| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | |
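Review bot: the SAF Identity token row does not say whether the step is required or optional and leaves the component column empty, although its text names zss and API Mediation Layer; suggest a leading "Optional." in the first column and "Application Framework, API ML" in the second so the row reads like the others. The cross memory server row is another "Required if you have not run `ZWESECUR`" entry; whatever wording the other ZWESECUR rows end up with should be applied here too, since the step (guarding the cross memory server against non-privileged clients) is one the runtime security setup already performs.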
Meaning it is optional.
Our text in each box calls out "Required" a little differently for each, but maybe better to make a row of checkboxes for Required/Optional?
| Required for API Mediation Layer to map a client certificate to a z/OS identity. | API ML | [Configure main Zowe server to use client certificate identity mapping](#configure-main-zowe-server-to-use-client-certificate-identity-mapping) | | ||
| Required for API ML to map the association between a z/OS user ID and a distributed user identity. | API ML | [Configure main Zowe server to use distributed identity mapping](#configure-main-zowe-server-to-use-distributed-identity-mapping) | | ||
| To configure SAF Identity tokens on z/OS so that they can be used by Zowe components like zss or API Mediation Layer. | | [Configure signed SAF Identity tokens IDT](#configure-signed-saf-identity-tokens-idt) | | ||
| Required for API Mediation Layer to issue SMF records. | API ML | [Configure the main Zowe server to issue SMF records](api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records) | |
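Review bot: the SMF row links to another file (`api-mediation/api-mediation-smf.md#configure-the-main-zowe-server-to-issue-smf-records`) while every other row links to an in-page anchor; verify the relative path resolves from this page's directory and consider saying in the cell that the procedure lives on the API ML SMF page. "Required for API Mediation Layer to issue SMF records" also reads as if the step were mandatory; "Optional. Needed only if API ML should issue SMF records." states the condition without implying it.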
Wording could mislead here. This action is required if you want to use an optional feature.
Thus it is optional.
…nfiguring security / limit content duplication Signed-off-by: Andrew Jandacek <[email protected]>
``` | ||
RLIST FACILITY BPX.JOBNAME AUTHUSER | ||
``` | ||
|
||
2. Activate the facility class, permit `BPX.JOBNAME`, and refresh facility class: | ||
``` | ||
SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) | ||
PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ) | ||
SETROPTS RACLIST(FACILITY) REFRESH | ||
``` |
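Review bot: step 2 issues `SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)` unconditionally, although step 1 already has the reader run `RLIST FACILITY BPX.JOBNAME AUTHUSER`; since CLASSACT is a system-wide setting and the FACILITY class is usually already active and RACLISTed, the text should tell the reader to issue it only if the RLIST output shows otherwise, leaving just the `PERMIT` and the `REFRESH`. The `PERMIT` grants READ only, to `ZWESVUSR` only, which is the minimum needed for job naming; say so, and note that `ZWESVUSR` must be replaced if the site uses a different Zowe server user ID. Since the commands are RACF-only, the step also needs the ACF2 and Top Secret equivalents or a pointer to where they are given.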
There are only RACF commands here; shouldn't commands for the other ESMs also be provided?
| To use Single Sign-On (SSO) | All components | [Single Sign-On (SSO)](#single-sign-on-sso) | | ||
| To use OIDC Authentication with API Mediation Layer | API ML | [API Mediation Layer OIDC Authentication](#api-mediation-layer-oidc-authentication) | | ||
|
||
### Configure address space job naming |
This sub-article is a complete duplication of the same sub-article in docs/user-guide/assign-security-permissions-to-users.md. Is there some need for it? Can we maybe have a link to here from assign-security-permissions-to-users.md?
I'm sorry, I don't follow your point here. Can you explain which sections are duplicates?
"Configure address space job naming" in both docs/user-guide/configure-zos-system.md and docs/user-guide/assign-security-permissions-to-users.md
Thanks. Sorry. You are correct. I didn't see the duplication. I've corrected this.
- [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) | ||
- [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) | ||
- [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) | ||
- [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) | ||
- [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) | ||
- [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) | ||
- [(Deprecated) Creating VSAM caching service datasets (`zwe init vsam`)](#deprecated-creating-vsam-caching-service-datasets-zwe-init-vsam) | ||
- [Next steps](#next-steps) |
Is it a TOC or a list of commands? Because the sentence above refers to the list of subcommands: "Some of the following `zwe init` subcommands..."
If this is intended to be a TOC, I would add some indentation to follow the structure:
- [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) | |
- [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) | |
- [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) | |
- [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) | |
- [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) | |
- [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) | |
- [(Deprecated) Creating VSAM caching service datasets (`zwe init vsam`)](#deprecated-creating-vsam-caching-service-datasets-zwe-init-vsam) | |
- [Next steps](#next-steps) | |
- [Initializing Zowe custom data sets (`zwe init mvs`)](#initializing-zowe-custom-data-sets-zwe-init-mvs) | |
- [Procedure to initialize Zowe custom data sets](#procedure-to-initialize-zowe-custom-data-sets) | |
- [Initializing Zowe security configurations (`zwe init security`)](#initializing-zowe-security-configurations-zwe-init-security) | |
- [Performing APF authorization of load libraries (`zwe init apfauth`)](#performing-apf-authorization-of-load-libraries-zwe-init-apfauth) | |
- [Configuring Zowe to use TLS certificates (`zwe init certificate`)](#configuring-zowe-to-use-tls-certificates-zwe-init-certificate) | |
- [Installing Zowe main started tasks (`zwe init stc`)](#installing-zowe-main-started-tasks-zwe-init-stc) | |
- [(Deprecated) Creating VSAM caching service datasets (`zwe init vsam`)](#deprecated-creating-vsam-caching-service-datasets-zwe-init-vsam) | |
- [Next steps](#next-steps) |
I addressed this comment with the removal of the non init command section headers.
…curity permissions Signed-off-by: Andrew Jandacek <[email protected]>
…o parent topic configuring-security Signed-off-by: Andrew Jandacek <[email protected]>