Skip to main content
Version: v2.10.x

Use certificates

Use certificates

Once you have generated or imported your certificates, you can now use the certificates with Zowe. Use the procedure that corresponds to the type of certificates you generated or imported:

Use PKCS12 certificatesā€‹

To use PKCS12 certificates, run the command zwe start -c ./zowe.yaml in the directory with the zowe.yaml file to start Zowe.

The details about the PKCS12 certificate used when Zowe is launched, are specified in the zowe.yaml section certificates. This section contains information about the certificate name and the location of the certificate, together with the truststore location.

The two most common scenarios for using a PKCS12 certificate are:

  • You have an existing certificate and wish to configure Zowe to use the certificate.

  • You do not have a certificate and wish to generate a new certificate.

    The zwe init certificate command supports both scenarios. The input parameters that control certificate configuration are specified in the section zowe.setup.certificates.

To troubleshoot issues during Zowe startup, see Troubleshooting startup of Zowe z/OS components.

Use JCERACFKS certificatesā€‹

The details about the JCERACFKS certificate used when Zowe is launched, are specified in the zowe.yaml section certificates. This contains information about the certificate name and its location, together with the truststore location.

The two most common scenarios for using a JCERACFKS certificate are:

  • You have been given an existing certificate and wish to configure Zowe to use it.

  • You do not have a certificate and wish to generate a new one.

    The zwe init certificate command supports both scenarios. The input parameters that control certificate configuration are specified in the section zowe.setup.certificates. See the example of connecting a JCERACFKS certificate below.

Example:

Alt text

Note: In this example, the command zwe init certificate -cĀ ./zowe.yaml --security-dry-run allows the JCL to be inspected before submission, as well as handed off to a security administrator who has privileges to submit the JCL under their user ID. Or by defult, the JCL will be submitted immediately. For details about this example, check out the playlist here.

Use multiple certificate authoritiesā€‹

If you use mutiple certificate authorites, the syntax in the zowe.yaml is shown as below.

certificate:
pem:
key: ""
certificate: ""
certificateAuthorities:
- "safkeyring:////stcusername/KeyName&ca name 1"
- "safkeyring:////stcusername/KeyName&ca name 2"

If you receive the error message, <ZWED:527259> ZOWE CRITICAL unable to get issuer certificate, check this section in your zowe.yaml file and verify that the syntax is correct.