Zowe certificates configuration questionnaire
Twitter
LinkedIn
Facebook
EmailZowe certificates configuration questionnaire
If you know that you will be using certificates in a production deployment environment, and that you will be using an external certificate authority (CA), we recommend you consult with your organization's security administrator before you start certificate configuration.
Zowe's assisted certificate setup provides scripts and automation for five different common certificate configurations, with each configuration separated into distinct scenarios. To identify which scenario best meets your site requirements, review the Configure Zowe Certificates diagram and answer the questions presented in the questionnaire at the end of this article. The five different certificate setup scenarios we support are:
- Scenario 1: Use a file-based (PKCS12) keystore with Zowe generated certificates
- Scenario 2: Use a file-based (PKCS12) keystore and import a certificate generated by another CA
- Scenario 3: Use a z/OS keyring-based keystore with Zowe generated certificates
- Scenario 4: Use a z/OS keyring-based keystore and connect an existing certificate
- Scenario 5: Use a z/OS keyring-based keystore and import a certificate stored in a data set
After completing the questionnaire, if you find that none of the certificate setup scenarios here satisfy to your site requirements, you should instead proceed by contacting your security administrator and bringing your own certificates to Zowe.
Before answering the questionnaire, it is useful to have a general understanding of the certificate configuration basics and Zowe certificates configuration overview. For more information, see the following articles:
The numerated decision blocks (yellow diamonds) in the following diagram correspond to the questions in the questionnaire. Follow this sequence of questions to determine which certificate configuration scenario best suits your certificate use case.
Certificate configuration questionnaire
Answer each question and find which scenarios are relevant for the selected option:
Question 1: What is your target deployment environment?
Depending on your target environment type (DEV/TEST or PROD), you can create your certificates (self-signed option), acquire new ones from a trusted CA, or use existing certificates.
Question 2: Do you need to use a certificate signed by the CA of the company or by an external CA?
If you plan to use Zowe generated self-signed certificates and your target environment is production, we strongly recommend that you acquire new certificates from your trusted CA.
Question 3: Do you plan to use a keyring?
Decide if you want to store the certificate in a z/OS keyring or to a file based keystore/truststore.
While using a keystore/truststore pair is possible to store your certificates, we recommend that you use z/OS key rings for production deployments.
Question 4: Do you plan to use an existing certificate from another keyring or from a dataset?
If you have an existing certificate, you can import or connect this certificate to the planned z/OS keyring based storage.
Before you import your certificates, check to make sure that the certificate format, type, and properties meet your security requirements depending on the planned deployment environment (DEV, TEST, PROD). For example, Zowe generated self-signed certificates might be acceptable with development or testing environments, but not with production environments.
Required certificate properties are covered in the Zowe Security Glossary.
Next steps
After you have completed the questionnaire and selected a certificate configuration scenario, proceed to Certificate configuration scenarios.