Skip to main content
Version: v2.0.x LTS

zwe init certificate

zwe init certificate

zwe > init > certificate

zwe init certificate [parameter [parameter]...]

Description#

This command will generate certificate used by Zowe services.

If you specify --update-config with this command, these configurations could be written back to your Zowe YAML configuration file:

  • zowe.certificate based on your zowe.setup.certificate configuration.

These Zowe YAML configurations showing with sample values are used:

zowe:  setup:    dataset:      prefix: IBMUSER.ZWE      jcllib: IBMUSER.ZWE.CUST.JCLLIB    security:      product: RACF      groups:        admin: ZWEADMIN      users:        zowe: ZWESVUSR    certificate:      type: PKCS12      dname:        caCommonName:        commonName:        orgUnit:        org:        locality:        state:        country:      validity: 3650      pkcs12:        directory: /global/zowe/keystore        lock: true        name: localhost        password: password        caAlias: local_ca        caPassword: local_ca_password        import:          keystore:          password:          alias:      keyring:        owner:        name: ZoweKeyring        label: localhost        caLabel: localca        import:          dsName:          password:        connect:          user:          label:        zOSMF:          ca:          user: IZUSVR      san:        - zos.my-company.com        - internal-lpar1.zos.my-company.com        - internal-lpar2.zos.my-company.com        - internal-lpar3.zos.my-company.com      importCertificateAuthorities:        -   externalDomains:   - zos.my-company.com  verifyCertificates: STRICTzOSMF:  host: zosmf.my-company.com  port: 443
  • zowe.setup.certificate.type is the type of certificate. Valid values are "PKCS12" (USS keystore) or "JCERACFKS" (z/OS keyring).
  • zowe.setup.certificate.dname is the distinguished name of the certificate. You can define caCommonName, commonName, orgUnit, org, locality, state, and / or country. These configurations are optional.
  • zowe.setup.certificate.validity is the validity days of the certificate. This is optional.
  • zowe.setup.certificate.san is the Subject Alternative Name(s) of the certificate if they are different from zowe.externalDomains. Please note, for `JCERACFKS`` type, with limitation of RACDCERT command, this should contain exact one hostname (domain) and one IP address.
  • zowe.setup.certificate.importCertificateAuthorities is the list of certificate authorities will be imported to Zowe PKCS12 keystore or JCERACFKS keyring. Please note, for JCERACFKS type, only maximum 2 CAs is supported. If you are using PKCS12 certificate, this should be USS files in PEM format. If you are using JCERACFKS certificate, this should be certificate labels on the z/OS system.
  • zOSMF.host and zOSMF.port is the z/OSMF service information. This is required if you are using z/OSMF as authentication service.
  • zowe.verifyCertificates indicates how Zowe should validate the certificate of services registered under Zowe APIML. Valid values are "STRICT", "NONSTRICT" or "DISABLED". If this is "STRICT", this command will try to validate the z/OSMF service certificate if z/OSMF is defined.

For PKCS12 certificate users,

  • zowe.setup.certificate.pkcs12.directory is the directory where you plan to store the PKCS12 keystore and truststore. This is required if zowe.setup.certificate.type is PKCS12.
  • zowe.setup.certificate.pkcs12.lock is a boolean configuration to tell if we should lock the PKCS12 keystore directory only for Zowe runtime user and group. Default value is true.
  • zowe.setup.security.groups.admin and zowe.setup.security.users.zowe will be the default owner of keystore directory.
  • You can also define name, password, caAlias and caPassword under zowe.setup.certificate.pkcs12 to customized keystore and truststore. These configurations are optional, but it is recommended to update them from default values.
  • Define zowe.setup.certificate.pkcs12.import.keystore if you already acquired certificate from other CA, stored them in PKCS12 format, and want to import into Zowe PKCS12 keystore.
  • zowe.setup.certificate.pkcs12.import.password is the password for keystore defined in zowe.setup.certificate.pkcs12.import.keystore.
  • zowe.setup.certificate.pkcs12.import.alias is the original certificate alias defined in zowe.setup.certificate.pkcs12.import.keystore. After imported, the certificate will be saved as alias specified in zowe.setup.certificate.pkcs12.name.

For JCERACFKS certificate (z/OS keyring) users,

  • zowe.setup.certificate.keyring.owner is the keyring owner. It's optional and default value is zowe.setup.security.users.zowe. If it's also not defined, the default value is ZWESVUSR.
  • zowe.setup.certificate.keyring.name is the keyring name will be created on z/OS. This is required if zowe.setup.certificate.type is JCERACFKS.
  • If you want to let Zowe to generate new certificate,
    • You can also customize label and caLabel under zowe.setup.certificate.keyring if you want to generate new certificate. Default value of label is localhost and default value of caLabel is localca.
  • If you want to import certificate stored in MVS data set into Zowe keyring,
    • zowe.setup.certificate.keyring.connect.dsName is required in this case. It tells Zowe the data set where the certificate stored.
    • zowe.setup.certificate.keyring.connect.password is the password when importing the certificate.
    • The certificate will be imported with label defined in zowe.setup.certificate.keyring.label.
  • If you want to connect existing certificate into Zowe keyring,
    • zowe.setup.certificate.keyring.connect.user is required and tells Zowe the owner of existing certificate. This field can have value of SITE.
    • zowe.setup.certificate.keyring.connect.label is also required and tells Zowe the label of existing certificate.
  • If zowe.verifyCertificates is not DISABLED, and z/OSMF host (zOSMF.host) is provided, Zowe will try to trust z/OSMF certificate.
    • If you are using RACF security manager, Zowe will try to automatically detect the z/OSMF CA based on certificate owner specified by zowe.setup.certificate.keyring.zOSMF.user. Default value of this field is IZUSVR. If the automatic detection failed, you will need to define zowe.setup.certificate.keyring.zOSMF.ca indicates what is the label of z/OSMF root certificate authority.
    • If you are using ACF2 or TSS (Top Secret) security manager, zowe.setup.certificate.keyring.zOSMF.ca is required to indicates what is the label of z/OSMF root certificate authority.

Examples#

zwe init certificate -v -c /path/to/zowe.yaml

Parameters#

Full nameAliasTypeRequiredHelp message
--allow-overwrite,--allow-overwrittenbooleanno
--update-configbooleanno
--ignore-security-failuresbooleanno

Inherited from parent command#

Full nameAliasTypeRequiredHelp message
--allow-overwrite,--allow-overwrittenbooleanno
--skip-security-setupbooleanno
--security-dry-runbooleanno
--ignore-security-failuresbooleanno
--update-configbooleanno
--help-hbooleanno
--debug,--verbose-vbooleanno
--trace-vvbooleanno
--silent-sbooleanno
--log-dir,--log-lstringno
--config-cstringno

Errors#

Error codeExit codeError message
ZWEL0157E157%s (%s) is not defined in Zowe YAML configuration file.
ZWEL0164E164Value of %s (%s) defined in Zowe YAML configuration file is invalid. Valid values are %s.

Inherited from parent command#

Error codeExit codeError message
100If the user pass --help or -h parameter, the zwe command always exits with 100 code.
ZWEL0101E101ZWE_zowe_runtimeDirectory is not defined.
ZWEL0102E102Invalid parameter %s.
ZWEL0103E103Invalid type of parameter %s.
ZWEL0104E104Invalid command %s.
ZWEL0105E105The Zowe YAML config file is associated to Zowe runtime "%s", which is not same as where zwe command is located.
ZWEL0106E106%s parameter is required.
ZWEL0107E107No handler defined for command %s.
ZWEL0108E108Zowe YAML config file is required.
ZWEL0109E109The Zowe YAML config file specified does not exist.
ZWEL0110E110Doesn't have write permission on %s directory.
ZWEL0111E111Command aborts with error.
ZWEL0112E112Zowe runtime environment must be prepared first with "zwe internal start prepare" command.
ZWEL0120E120This command must run on a z/OS system.
ZWEL0121E121Cannot find node. Please define NODE_HOME environment variable.
ZWEL0122E122Cannot find java. Please define JAVA_HOME environment variable.
ZWEL0123E123This function is only available in Zowe Containerization deployment.
ZWEL0131E131Cannot find key %s defined in file %s.
ZWEL0132E132No manifest file found in component %s.
ZWEL0133E133Data set %s already exists.
ZWEL0134E134Failed to find SMS status of data set %s.
ZWEL0135E135Failed to find volume of data set %s.
ZWEL0136E136Failed to APF authorize data set %s.
ZWEL0137E137z/OSMF root certificate authority is not provided (or cannot be detected) with trusting z/OSMF option enabled.
ZWEL0138E138Failed to update key %s of file %s.
ZWEL0139E139Failed to create directory %s.
ZWEL0140E140Failed to translate Zowe configuration (%s).
ZWEL0142E142Failed to refresh APIML static registrations.
ZWEL0172EComponent %s has %s defined but the file is missing.