Version: v2.18.x LTS

Configuring security

During the initial installation of Zowe server-side components, your organization's security administrator must perform a range of tasks that require elevated security permissions. As a security administrator, follow the procedures outlined in this article to configure Zowe and your z/OS system so that Zowe can run on z/OS.

Required roles: system programmer, security administrator

Validate and re-run zwe init commands

During installation, the system programmer customizes values in the zowe.yaml file. However, the zwe init security command may fail if the system programmer has insufficient permissions. Consult with your security administrator to review your ZWESECUR job content so that your security administrator can re-submit this JCL.

Initialize Zowe security configurations

Choose from the following methods to initialize Zowe security configurations:

  • Configuring with zwe init security
  • Configuring with ZWESECUR JCL

For more information about both of these methods, see Initialize Zowe security configurations.

Perform APF authorization of load libraries

Zowe contains load modules that require access to make privileged z/OS security manager calls. These load modules are held in two load libraries which must be APF authorized. For more information about how to issue the zwe init apfauth command to perform APF authority commands, see Performing APF authorization of load libraries.

Configure the z/OS system for Zowe

Review and perform z/OS configuration steps based on your settings. For a detailed table of configuration procedures and associated purposes for performing these procedures, see Configuring the z/OS system for Zowe.

Assign security permissions to users

Assign the users (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group the permissions required to perform specific tasks. For more information, see Assign security permissions to users.

Zowe feature-specific configuration tasks

Depending on the Zowe server-side components that your organization wants to use, specific security configuration settings may apply. Review the following table of Zowe server-side component features and their associated configuration tasks, and perform the tasks that apply to your use case.

| Feature of a Zowe server-side component | Configuration Task |
| --- | --- |
| If using Top Secret as your security manager. Note: No specific configuration is necessary for security managers other than Top Secret. | Configuring multi-user address space (for TSS only) |
| High Availability | Configuring ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID |
| z/OSMF authentication or onboarding of z/OSMF service | Granting users permission to access z/OSMF |
| ZSS component enabled (required for API ML certificate and identity mapping) | Configuring an ICSF cryptographic services environment and Configuring security environment switching |
| API Mediation Layer certificate mapping | Configuring main Zowe server to use client certificate identity mapping |
| API Mediation Layer identity mapping | Configuring main Zowe server to use distributed identity mapping |
| API Mediation Layer Identity Tokens (IDT) | Configuring signed SAF Identity tokens (IDT) |
| Cross memory server (ZIS) | Configuring the cross memory server for SAF and Configuring cross memory server load module and Configuring cross-memory server SAF configuration |

Next steps

After these security configuration steps are completed, and Zowe z/OS runtime is initialized, the next step is Configuring certificates. Note that configuring certificates requires security administrator authorization.

Note: For more information about security administrator tasks, see: