Zowe: Setting up the Zowe side for a web browser

If you want to use your web browser to connect to a Zowe server, it is just like connecting to any other back end server.

  • The browser needs the CA certificate used to sign the Zowe server’s certificate.
  • The server needs the CA used to sign the browser’s certificate, in the server’s trust store.

The browser needs the CA certificate used to sign the Zowe server certificate.

If you do not have a copy of the exported certificate, you can export it with a job like

//COLINEXP JOB 1,MSGCLASS=H 
//S1 EXEC PGM=IKJEFT01,REGION=0M
//STEPLIB DD DISP=SHR,DSN=SYS1.MIGLIB
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT CERTAUTH EXPORT(LABEL('DOCZOSCA')) -
DSN('COLIN.CERT.DOC.CA.PEM')
//

This will delete the dataset, recreate it and export the certificate.

The exported certificate will look like

-----BEGIN CERTIFICATE-----                                          
MIIBtzCCAV6gAwIBAgIUb0N8Xwb/WNulhgjzRcIwVBmfAXwwCgYIKoZIzj0EAwMw
...
S9QFQcy5vKGFFAQ=
-----END CERTIFICATE-----

Copy this file to wherever it is needed.

On Linux you can use the command

openssl x509 -in cbt.ca.pem -text -noout|less

to display the contents:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = COLIN, OU = CA, CN = DOCZOSCA
        Validity
            Not Before: May 2 05:00:00 2025 GMT
            Not After : Jul 3 04:59:59 2029 GMT
        Subject: O = COLIN, OU = CA, CN = DOCZOSCA
...

Note: The base64 command does not decode the base64 content properly.
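
Before the file is imported as a trust anchor, it is worth confirming that it survived the copy intact and really is a CA certificate. The script below is an added example, not part of the original post: the function names, return codes and sample certificate names are this example's own assumptions, and the two sample certificates are constructed throwaways generated on the spot.

```shell
#!/bin/sh
# Added example: checks on a CA PEM file before importing it as a trust anchor.

# SHA-256 fingerprint of the certificate in $1, to compare with the source.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 if $1 is a parseable, unexpired CA certificate.
# Returns 1 = not a valid PEM certificate, 2 = not a CA, 3 = expired.
check_ca_pem() {
    pem=$1
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || return 2
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || return 3
    return 0
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output directory, $2 = name (hypothetical), $3 = TRUE or FALSE for CA.
make_sample() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
O = EXAMPLE
CN = $2
[ext]
basicConstraints = critical,CA:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

dir=$(mktemp -d)
make_sample "$dir" sampleca TRUE
make_sample "$dir" leaf FALSE
for f in sampleca leaf; do
    if check_ca_pem "$dir/$f.pem"; then
        echo "$f: CA certificate, SHA-256 $(ca_fingerprint "$dir/$f.pem")"
    else
        echo "$f: rejected, check $? failed"
    fi
done
rm -rf "$dir"
```

To use it on the exported file, call check_ca_pem and ca_fingerprint with the name of your PEM file (cbt.ca.pem in the command above) instead of the generated samples.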

Import this file into your browser

For example, with Chrome: open Settings, search for certificates, click on Security, then click on Manage Certificates. Click on Customised, Trusted certificates, Import. Select the file name. You may have to select All Files at the bottom to get your file included in the list.

The file should now be installed, and be listed under Trusted certificates. Click on the pen icon to display it.

The server needs the CA used to sign the browser’s certificate in the server’s trust store.

Create a VB data set on the Zowe z/OS machine. Copy the contents of the client’s CA into this data set. I used cut and paste.

//COLINADD JOB 1,MSGCLASS=H 
//* ADD ORKENY CA CERTIFICATE
//S1 EXEC PGM=IKJEFT01,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT CHECKCERT('COLIN.CERT.DOC.CA.ORK')
RACDCERT DELETE -
(LABEL('ORKCA256')) CERTAUTH
RACDCERT CERTAUTH ADD('COLIN.CERT.DOC.CA.ORK')-
WITHLABEL('ORKCA256') TRUST
RACDCERT CERTAUTH LISTCHAIN(LABEL('ORKCA256'))

RACDCERT ID(COLIN) CONNECT(RING(ZOWE) -
CERTAUTH -
LABEL('ORKCA256'))
SETROPTS RACLIST(DIGTNMAP, DIGTCRIT) REFRESH

When this is successful, you will need to shut down and restart Zowe.
