Zowe: How to save connection parameters: zowe CLI client configuration files

A Zowe client needs information to be able to invoke a service on Zowe on z/OS. Typically these are

host address
the host port
the service
the client public key .pem file
the client private key .pem file
whether to not allow self signed certificates sent from the host
the file containing the CA from the host servers.

These options can be given on the zowe cli command, or can be stored in profile files.

You can have multiple profiles, for example, tso, ssh, z/OSMF, production z/OSMF and test z/OSMF.

The above information may be different for different Zowe server instances- such as development, test and production, and for different applications within a Zowe instance.

Some configuration files are stored in the directory pointed to by the environment variable ZOWE_CLI_HOME, on Linux this defaults to ~/.zowe. These files are available where ever your working directory is. You can also have a configuration file in your working directory so is “application specific”.

Zowe supports a hierarchy of configuration files.

zowe.config.json within the current directory. If you change directory you will not use it.
zowe.config.user.json , the global user file in the ZOWE_CLI_HOME environment variable ( or it might default to ~/.zowe ). This is used for any user specific options (if any)
zowe.config.json the global file in the ZOWE_CLI_HOME environment variable ( or it might default to ~/.zowe ). This is used for project wide options.

The Zowe CLI command will start at the top of the hierarchy and go down until it finds the attributes. If it cannot find an attribute it may have a default.

Within the configuration file are different sections, for example

a base section with common parameters,
ftp, with specific parameters such as the FTP port number,
zOSMF, with with specific parameters such as the z/OSMF port number

You can edit the files manually, or use the Zowe config command to make changes.

Sigh

To specify a Certificate Authority(CA) certificate to a zowe cli command, you have to use an environment variable, for example

export NODE_EXTRA_CA_CERTS=/home/colinpaice/ssl/ssl2/doczosca.pem

You need to allow for this when writing your scripts, because different backend servers may have different CA certificates.

See here.

Getting started

Once you are familiar with Zowe and have a better idea of your Zowe configuration, you can develop the various configuration files; what information is user specific, what information is project specific, and what information is Zowe instance specific. Some files are stored in the direction in the ZOWE_CLI_HOME environment variable which defaults to ~/.zowe (on Linux).

If you may have more than one Zowe instance, you may decide NOT to use ~/.zowe, but have directories like ~/.zoweproduction and ~/.zowetest. This means you have to explicitly specify the location.

Get started by creating zowe.config.json in your working directory. See below, or use cut and paste from here, step 3. If you use an IDE such as slickedit or vscode, these have syntax assist, and can highlight errors as you type.

This is a good blog post on initial configuration. But does not cover use of certificates.

The Zowe config command

You can use the zowe config command to create and update the configuration files. The command has options including

This page has a good description of the options.

–dry-run : display the changes, but do not apply the changes
–edit and –editor name : this opens the file in the specified editor.

Create a zowe.config.json in the current directory

The command

zowe config init

will create a file zowe.config.json in the current directory.

I created a minimum (hand crafted) file to illustrate how the zowe config commands work.

{
    "$schema": "./zowe.schema.json",
    "profiles": {
        "zosmfcp": {
            "type": "zosmf",
            "properties": {
                "port": 443
            },
            "secure": []
        },
    
        "project_base": {
            "type": "base",
            "properties": {
                "host": "10.1.1.2",
                "rejectUnauthorized": true
            },
            "secure": [
                "user",
                "password"
            ]
        }
    },
    "defaults": {
        "zosmf": "zosmfcp",
        "base": "project_base"
    },
    "autoStore": true
}

Key elements of this file

“defaults”:
- zosmf : For a z/OSMF request,if --base-profile is not specified, use the referenced profile – zosmfcp.
- common parameters are defined in the base: profile -> project_base
“profiles”: There are two profiles defined
- zosmfcp with the zosmf specific parameters
- project_base with the common parameters.

When a zowe command is used, the parameter –base-profile can specify which profile to use.

Commands to display and set profile information

list the file names zowe config list –locations –root
list the file names and their contents zowe config list –locations
change a parameter in the file in the current directory
add a profile (and content) to the the file in the current directory
set a parameter in the file in the user configuration file
set a parameter in the file in the global configuration file
display profiles

My working directory is /home/colinpaice/ssl/ssl2/ .

zowe config list –locations –root

This lists the only the file names used by Zowe CLI.

/home/colinpaice/ssl/ssl2/zowe.config.json
/home/colinpaice/.zowe/zowe.config.json

zowe config list –locations

This shows the file names and their contents

/home/colinpaice/ssl/ssl2/zowe.config.json: 
  $schema:   ./zowe.schema.json
  profiles: 
    zosmf: 
      type:       zosmf
      properties: 
        port: 10443
      secure: 
        (empty array)
    project_base: 
     ...
/home/colinpaice/.zowe/zowe.config.json: 
  $schema:   ./zowe.schema.json
  profiles: 
    zosmf: 
      type:       zosmf
      properties: 
        port: 10443
      secure: 
        (empty array)
    tso: 
      type:       tso
....
   global_base: 
      type:       base
      properties: 
        host:               10.1.1.2
        rejectUnauthorized: true
        user:               (secure value)
        password:           (secure value)
      secure: 
        - user
        - password
  defaults: 
    zosmf: zosmf
    tso:   tso
    ssh:   ssh
    base:  global_base
  autoStore: true

Change a parameter in the file in the current directory

zowe config set “profiles.zosmf.properties.port “30443”

Change/Add a profile (and content) to the the file in the current directory

zowe config set “profiles.zosmf2.properties.port” “40443”

If the profile zosmf2 did not exist before, it will create it, and add the property port

{
    "$schema": "./zowe.schema.json",
    "profiles": {
         ...
        "zosmf2": {
            "properties": {
                "port": 40443
            }
        }
    },
    ...
}

Set a parameter in the file in the user configuration file

zowe config set “profiles.zosmf2.properties.port” “40443” –user-config

set a parameter in the file in the global configuration file

zowe config set “profiles.zosmf2.properties.port” “50443” –global-config

Example of using the set commands

zowe config set “profiles.zosmf2.properties.port” “50443” –global-config
zowe config set “profiles.zosmf2.properties.port” “4444” –user-config
zowe config set “profiles.zosmf2.properties.port” “1111”

file zowe.config.user.json has zosmf2.properties.port:4444
file zowe.config.json: has zosmf2.properties.port: 1111
file ~/.zowe/zowe.config.json: has zosmf2.properties.port: 50443

Using the list commands, and displaying only the above fields I have

zowe config list gives

profiles: 
  ...
  zosmf2: 
    properties: 
      port: 4444

zowe config list –locations gives

/home/colinpaice/ssl/ssl2/zowe.config.user.json: 
  profiles: 
    zosmf2: 
      properties: 
        port: 4444
  defaults: 
/home/colinpaice/ssl/ssl2/zowe.config.json:
  profiles:
    ...
    zosmf2: 
      properties: 
        port: 1111
    ... 
/home/colinpaice/.zowe/zowe.config.json: 
  $schema:   ./zowe.schema.json
  profiles: 
   ...
   zosmf2: 
      properties: 
        port: 50443

So we can see the profile /home/colinpaice/ssl/ssl2/zowe.config.user.json: provided the port value 444.

If I use –base-profile zosmf2, the port used will be 4444.

If I add

zowe config set “profiles.zosmf2.properties.ca” “MYCA”

This create property zosmf2:properties:ca:”MYCA” in file zowe.config.json.

zowe config list gives

profiles:
  zosmf2: 
    properties: 
      port: 4444
      ca:   MYCA

so we can see what is being used.

If I use zowe config list –locations I can see the definition is in /home/colinpaice/ssl/ssl2/zowe.config.json

display profiles

zowe config profiles gave

zosmf
tso
ssh
global_base
zosmf2

What are the valid options?

If you used the zowe config init command, then this generated a schema file.

For zosmf this schema has

“host”: “The z/OSMF server host name.”
“port”: “default”: 443
“user”: “Mainframe (z/OSMF) user name, which can be the same as your TSO login.”
“password”: “Mainframe (z/OSMF) password, which can be the same as your TSO password.”
“rejectUnauthorized”:”Reject self-signed certificates.”, “default”: true
“certFile”: “The file path to a certificate file to use for authentication” “certKeyFile”: “The file path to a certificate key file to use for authentication”
“basePath”: “The base path for your API mediation layer instance. Specify this option to prepend the base path to all z/OSMF resources when making REST requests. Do not specify this option if you are not using an API mediation layer.”
“protocol”: “The protocol used (HTTP or HTTPS)” “default”: “https”, “http”, “https”
“encoding”: “The encoding for download and upload of z/OS data set and USS files. The default encoding if not specified is IBM-1047.”
“responseTimeout”: “The maximum amount of time in seconds the z/OSMF Files TSO servlet should run before returning a response. Any request exceeding this amount of time will be terminated and return an error. Allowed values: 5 – 600”

The CA certificate to use is specified by an environment variable, and is not a parameter in the profiles.

Zowe: Client start here

The Zowe Command Level Interface running on the work station allows you to issue REST requests to the back end, and capture the output.

There is a Zowe plugin for VSCode IDE which allows you to z/OS files, etc from within VSCode.

Before you can use the Zowe Command Level Interface(CLI), or the Zowe extensions to VSCode you need to install code on your work station.

Follow Zowe CLI quick start.

I executed Installing Zowe CLI core from public npm, but did not install any plugins.

Displaying help

The command zowe –help-web did not work for me on Linux (known bug – caused by browser security).

Issuing commands

My z/OS servers are TLS enabled. The Zowe documentation is for configurations without TLS enabled.

I needed to use

export NODE_EXTRA_CA_CERTS=./cert.doc.ca.ec.pem
zowe zos-files list data-set "COLIN.Z*" --host 10.1.1.2 --port 10443 ...

Because the CA certificate is validated as part of the TLS handshake. If the CA sent from the server, does not match that in the NODE_EXTRA_CA_CERTS file, you will get a message

Response From Service: Error: self-signed certificate in certificate chain

You should specify the CA certificate location – but you could (for a test system) specify –reject-unauthorized false to override it.

Authenticating

If configured you can logon with certificate (and no password) or userid and password.

Certificate logon

If you have configured z/OSMF to use certificate logon, you map a certificate to a userid using the RACDCERT MAP command.

RACDCERT DELMAP(LABEL('IBMUSER1Label'))ID(IBMUSER) 
RACDCERT MAP ID(IBMUSER)  - 
   WITHLABEL('IBMUSER1Label') - 
   SDNFILTER('CN=colinpaice.O=cpwebuser.C=GB') 
RACDCERT LISTMAP ID(IBMUSER) 
SETROPTS RACLIST(DIGTNMAP, DIGTCRIT) REFRESH

You can specify the exact Distinguished Name CN=colinpaice.O=cpwebuser.C=GB You need to get the parts in the right order, and use ‘.’ between components.
You can select parts of the DN to map to a userid.
You can specify the CA which maps to a userid (so all userid signed by O=MYORGCA.C=GB) map to userid MYORGID.

If a certificate did not have a mapping I got

ICH408I USER(IZUSVR  ) GROUP(IZUADMIN) NAME(ZOSMF STARTED TASK O) 560   
  DIGITAL CERTIFICATE IS NOT DEFINED.  CERTIFICATE SERIAL NUMBER(02AF)  
  SUBJECT(CN=zzz.O=cporg.C=GB) ISSUER(CN=SSCA256.OU=CA.O=SSS.C=GB).

Userid and password logon

If z/OSMF is not configured for certificate logon, You specify a userid and password on the request. The format depends on the tool used. For example

httpie (https)

https GET https://10.1.1.2:10443/zosmf/restfiles/ds/IBMUSER.ABC –verify ./ca.pem –auth colin:passw0rd

cURL

curl –cacert ca.pem –basic –user colin:passw0rd https://10.1.1.2:10443

Issue a command!

+ NODE_EXTRA_CA_CERTS=./cert.doc.ca.ec.pem
+ zowe zos-files list data-set 'COLIN.Z*' --cert-file zzcolinpaice.pem --cert-key-file zzcolinpaice.key.pem --host 10.1.1.2 --port 10443

Saving the logon parameters.

Once you have managed to get a session to z/OSMF working, you can store the connection parameters in profiles.

See How to save connection parameters: zowe CLI client configuration files

To uninstall Zowe

The command

npm list -g --depth=0

Lists all of the installed packages. This gave me

/usr/lib
├── @zowe/cli@8.23.1
├── corepack@0.32.0
└── npm@11.3.0

To uninstall it I used

 npm uninstall -g @zowe/cli

The list command gave me

/usr/lib
├── corepack@0.32.0
└── npm@11.3.0

Zowe: Planning

See Preparing for installation in Zowe publications for detailed information on the structure of Zowe files and data sets.

Topic covered

Required products

Z/OS 2.5 or later
Java 17 IBM® Semeru Runtime Certified Edition for z/OS® version 17
Node.js version v18. or later. See here.

Optional products

z/OSMF. This is used for Authentication and REST API services.
SDSF. This is used to issue console commands, and capture the output

Disk storage

For the Zowe product. This typically is in a directory like /usr/lpp/zowe. It needs about 1300 MB, or 1600 CYL.
For each instance use Primary 118, Secondary 18 Cylinders.
For the .pax file 440 MB
Some PDSs are generated. Together they use about 20 Cyl of DASD

CPU

There is a CPU spike when Zowe is started up. It starts several address spaces running Java. Once active the CPU costs depend on how much Zowe is used, plus a steady low overhead.

TCP/IP Interfaces

A TCP/IP configuration can have multiple IP addresses. When Zowe initiates a connection to one of its components, it needs the correct IP address.

This is configured in zowe.externalDomains and can be a domain name or IP address.

Ports

The default ports in the configuration are

gateway 7554
zaas 7552
discovery 7553
caching services 7555
app server 7556
zss 7557
infinispan in memory caching, port 7600
infinispan in memory caching key exchange, port 7600

These ports can be used by clients outside of z/OS, and between the Zowe started tasks. You need to configure your network and firewalls to allow traffic on these ports.

High level directory structures

The product libraries have a name including the release, such as /usr/lpp/zowe/zowe32. The directory is used within the zowe.yaml file and shell scripts such as the bash .profile. You might want to consider an alias for the product libraries. Such as /global/zoweprod -> /usr/lpp/zowe/zowe32. To upgrade all users, just change the alias, and they will not need to change their scripts.

By default

log files are stored in /global/zowe/logs
instance specific internal information is stored in /global/zowe/workspace
extensions are stored in /global/zowe/extensions.

The /global directory, also known as the global filesystem, serves as a centralized location for storing and sharing files across multiple systems and users. There may be a different file system for /u on each system and so a Zowe instance configured in /u/… may not be visible across systems. If you may run Zowe instance on more than one machine you need to ensure the file system is available on all potential machines.

If you are going to use more than one Zowe instance, you need to plan for this. For example use the Zowe instance name as part of the directory. Perhaps use /global/zowe/logs/ZOWE1, or /u/zowec/ZOWE1/logs.

Having the system name SYS1 as part of the file path can be confusing if you will start the Zowe instance on more than one LPAR.

Where to store extensions

You may want to share the same instance of /global/zowe/extensions across all Zowe instances, or have each Zowe instances to use their own directory.

Automation and monitoring

Zowe can be configured so that important messages like Zowe has started and Zowe is stopping are written to the system log. You may need to change your automation to react to these messages. For example

+ZWEL0018I Zowe instance prepared successfully                        
+ZWEL0006I starting components                                        
+ZWEL0001I component gateway started                                  
                                            
+ZWEL0008I stopping components                                        
+ZWEL0002I component gateway stopped                                  
+ZWEL0022I Zowe Launcher stopped

See Which messages to automate?

Understanding the configuration process

z/OS system configuration

As part of the installation, one of the first steps is to run a script which extracts PDS from the Zowe files.

There are two load libraries which will need to be APF authorised.

Two started task procedures will be created. One started task is a server which can run authorised code. The other runs a Java program.
When Zowe starts up it spawns threads that run as BPXAS address spaces. The names of the spawned threads are like ZWE1AD. The prefix ZWE1 can be changed in the configuration file.

The cross memory server started task needs parameters. These can be put in the SYS1.PARMLIB concatenation, or in a Zowe PDS.
An update is needed to parmlib for PPT entries to set the storage key for Zowe.

The Zowe default dataset names have a prefix IBMUSER.ZOWEV3. You can use your own names, such as PP.ZOWEV3 (for Program Products).

Workload manager definitions

You should set up WorkLoad Manager definitions for the address spaces.
Note: If a WLM definition has discretionary, any Java work will not run on GCPs if the ZIIPS are busy, so you need care in specifying which rule applies to the address spaces.

Security definitions

You should protect the data sets produced by Zowe configuration; the sample library is not sensitive, but the load libraries are APF authorised, and these APF authorised libraries should be protected from being changed by an unauthorised user.

What global FACILITY profiles are used

BPX.DAEMON and BPX.SERVER Allow Zowe to run code on behalf of the API requester’s TSO user ID. For more information, see Security Environment Switching.
IRR.RUSERMAP is optional and allows Zowe to map an X.509 client certificate to a z/OS identity.
IRR.IDIDMAP.QUERY is optional and allows Zowe to map a distributed identity to a z/OS identity.
BPX.JOBNAME allow z/OS address spaces for unix processes to be renamed for ease of identification. For example the BPXAS address spaces running Java would be named like ZWE1GW. Without this the BPXAS address space is named based on the started task job name.
IRR.RAUDITX Optional Allows API Mediation Layer to issue SMF 83 records about activity of Personal Access Tokens. For more information about configuring the main Zowe server to issue SMF records, see Configure the main Zowe server to issue SMF records.

As part of the configuration, security definitions are created.

Some changes are global, enabling some system wide facilities. Most systems will typically have these already enabled, but if not, you may want to configure them early to give plenty of time to test them.
- Activate classes STARTED and FACILITY
- Define FACILITY BPX.DAEMON
- Define FACILITY BPX.SERVER
- Define FACILITY BPX.JOBNAME
- Define FACILITY IRR.RUSERMAP
- Define FACILITY IRR.IDIDMAP
- Define FACILITY IRR.RAUDITX
Some changes are Zowe related, such as userid for Zowe. This defaults to ZWEUSR
and group ZWEGRP.
- Add group ZWEADMIN.
- Add userid definitions for ZWESVUSR and ZWESIUSR.
- Defines started task profiles for STARTED; ZWESLSTC, ZWESISTC, and ZWESASTC* (where ZWE is configurable).
Other changes
- A data set profile IBMUSER.ZWEV3..* for the data sets that Zowe install creates.

You should consider how user’s will authenticate.
As part of the TLS session initialisation the server can request the client’s certificate and use information from the certificate to determine the userid to be used.
You can authenticate using:

Userid and password
using z/OSMF
Multi Factor authentication – such as having a widget or mobile phone
application which generates a code as a one off, time limited code as a password.

You can use AT-TLS.

How do I protect what Zowe users can do on z/OS?

Zowe is a transport mechanism like a 3270 emulator. You control what a userid can do, not what the transport mechanism can do. See here

TLS levels

The levels from the example .yaml file is

tls: 
  attls: false 
  # TLS settings only apply when attls=false 
  # Else you must use AT-TLS configuration for TLS customization. 
  minTls:  TLSv1.2 
  maxTls:  TLSv1.3

If you are not at TLS v1.3 you may want to start at TLS 1.2, and convert to TLS 1.3 at a later date.

Certificates

See a whole blog post on planning for certificates.

PPT entries

Two modules have to be defined in a SCHED member with properties KEY(4) NOSWAP.

Operations

You need to start the two started tasks. The authorised server is active and does not do much. You can start it at IPL and leave it running.

You start the Zowe main task when you want to use Zowe. This spawns several threads in BPXAS address spaces. These are called ZWE1xx – where the ZWE1 can be customised.
You use the stop z/OS command (P …) to terminate the main task.
When it shuts down, it terminates the services running in BPXAS address spaces.

Data management

Zowe does not hold any state information. The configuration files in the Zowe instance home directory should be backed up regularly, as well as the proclib and parmlib members.

Running in a sysplex

The Zowe product libraries can be shared across all LPARs in a Sysplex. You may want to consider mounting it read only.
A Zowe instance can be started on any LPAR, provided the instance home directory, and other directories it uses, are available and writable.

You can create more Zowe instances on one LPAR ( why would you?) or for availability you can create a Zowe instance on more than one LPAR.

High availability

If you have a Zowe instance running on more than one LPAR, if one instance is shutdown, you can (re)connect to a different solution, and logon.
You can also configure a Zowe HA environment, where you can reconnect to an alternate instance, without needing to logon.

Migrating to a new level of Zowe

Install the new level of Zowe into a different directory to your current system.
The process will update the Zowe PDS datasets:

…SZWEAUTH,
…SZWEEXEC,
…SZWELOAD,
…SZWESAMP

so you should back these up, or change the config file to use a different data set prefix.
To overwrite these datasets you need to explicitly set an option.

Backup the configuration files, so if you need to go back to the current level of code, you just rename the files and data sets and restart Zowe.

Before you start – what configuration path to take?

I was talking to someone about installing software on z/OS and how it could be made easier, and they said the biggest challenge is getting changes past the grey haired person in the corner office whose job is to say No. As in

No: You cannot “move quickly and break things”. You must move carefully and keep safe.
No: You cannot install untested stuff on production machines, without installing it first on test or development machines
No: You cannot install products where you have to type commands or information onto the production machines. You have to provide files of information, or a document where commands or information is reviewed and can be copied using cut-and-paste. For example people have had problems with the letter o (for Orange) and zero, and i (for India) 1’s and l (for Lima).
No: You cannot just run a script or command which changes z/OS configuration. All changes have to be reviewed. For example some changes to the security configuration affect all address spaces.
No: You cannot run something that is “one way” for example adding a column to a data base table, to sort data, or delete something without a tested process for restoring and recovering the data.
No: You cannot have the authority to issue commands, because you may issue commands outside of the documented install script, without going through change control.
No: You cannot install something until we know the impact of running it. For example, the amount of CPU, real, virtual, disk storage.

Zowe

Zowe is a project which provides a command level interface from outside of z/OS to z/OS services. This means people do not need to know about ISPF, or the operator console to be able to use z/OS. Zowe has several Java address spaces which provide the facilities.

As part of the aim to make z/OS more accessible, the Zowe installation and configuration has command scripts which can be used to define the resources needed for Zowe to run.

I feel the “recommended” processes for configuring Zowe is fit for a test or development system, not for an important system, and so I recommend using a more traditional approach, which fits in the “No:… above”

Not all the configuration changes needed are listed in the documentation, for example you should configure WLM to give the address spaces appropriate priority. You need to backup data sets and files.

The security definitions enable a global facility which can impact many subsystems. This change alone would need careful roll out to all systems.

APF definitions are made using dynamic APF command interface on the console. They are not saved across IPL, so the changes have to be made to the SYS1.PARMLIB concatenation at some point. My view is just do the parmlib definitions once.

Zowe: Start here for my blog posts

I have a lot of blog posts on Zowe. Some are ready to make available, some are works in progress. In the link below, if there is an active link it points to the published topic. If there is no link, it is a place holder.

I do not find the Zowe documentation very easy to use. The documentation expects you to go down a certain path. If you do not follow this path, there is not much to help you. I tend to search the web, get to a page, and then get lost!

The start of the official documentation for server installation is here.

What is Zowe ? This gives a back ground in modern system architecture, and how Zowe fits into this
Planning. This provides a road map of the set up you will need to do. For example the security changes may take a week to implement system wide, before customising Zowe.
Installing and configuring z/OS system definitions.
- Create the security definitions
- Set up message. Messages I have encountered setting up a Zowe instance.
Configuring a run time instance
Starting Zowe on z/OS. This starts a minimal system, and helps you check out your definitions.
Message using Zowe. End user messages I have experienced
Debugging Zowe
- What does this message mean?
Setting up a web browser to use Zowe
Configuring end user userids
Setting up logon with certificates – TBA
Which messages to automate
Using VSCODE with Zowe – TBA
Problem determination
What are good tools for working with a backend? – HTTPie.
Specifying Java ove r rides
Zowe on the client
Zowe explorer
- Zowe explorer: first baby steps to submitting jobs
JSON Web Tokens(JWT)