Install the IBM z/OS Connect Server zosConnect-3.0 feature image to an offline Red Hat OpenShift Container Platform

How to build and deploy a IBM® z/OS Connect zosConnect-3.0 API by using a zosConnect-3.0 API project and the z/OS Connect Server image to install z/OS Connect to an OCI-compliant container platform in a bastion host (airgapped, disconnected) environment.

About this task

zosConnect-3.0 Applies to zosConnect-3.0.

Containers Applies to z/OS Connect container deployments.

Image to show the end to end z/OS Connect Server image installation process in an offline (airgap) environment using docker to build the API image, (using the API project and the z/OS Connect Server image), storing the z/OS Connect API image in a private container registry and deploying to Red Hat OpenShift Container Platform.

Important: The z/OS Connect Server zosConnect-3.0 image hosts z/OS Connect API projects in z/OS/s390x, Linux®, and amd64 OCI-compliant container environments. For more information, see IBM z/OS Connect system requirements.

Throughout this topic, Docker is used as an example for image build technology and Red Hat® OpenShift® Container Platform is used as an example for the container deployment. Note, Red Hat OpenShift 4.9 is supported on Linux/s390x and amd64. The z/OS Connect Server and IBM z/OS Connect Designer zosConnect-3.0 images are supported by Open Container Initiative (OCI) compliant runtimes and other OCI-compliant container runtimes and container registries can be used.

Note: The z/OS Connect Server zosConnect-3.0 can be installed in an online or offline (bastion host airgapped) environment.

To install and deploy the z/OS Connect API image in an offline environment, complete the installation steps in Table 1 in sequence. For information about preparing to install IBM z/OS Connect in offline airgapped environments, see Preparing for offline (airgapped) installation.
Important: The private Container Registry, where your z/OS Connect API image is stored, must be accessible by the Red Hat OpenShift Container Platform cluster.
To install and deploy the z/OS Connect API image in an online environment, see Install the IBM z/OS Connect Server zosConnect-3.0 feature image to a Red Hat OpenShift Container Platform.
The z/OS Connect documentation is available in the IBM Document offline tool should you require an offline copy. For more information, see IBM z/OS Connect offline documentation.

Table 1. Offline steps to install a z/OS Connect API image with required roles
IBM z/OS Connect Server image zosConnect-3.0 installation steps
Download the z/OS Connect Server image.
Verify the z/OS Connect Server image (Optional).
Build the z/OS Connect API image.
Install the z/OS Connect Catalog.
Install the IBM z/OS Connect Operator.
Configure an image pull secret.
Configure environment variables (Optional).
Configure Transport Layer Security (TLS networking capability) (Optional).
Create a `ZosConnect` Custom Resource instance.
Invoke z/OS Connect API.

The following tasks must be completed.

Access to an OCI-compliant container platform.
In this procedure, Red Hat OpenShift Container Platform is used as an example.
1. For detailed steps about how to install Red Hat OpenShift, see Installing Red Hat OpenShift Container Platform.
2. Ensure that you have a supported version of Red Hat OpenShift installed. For more information about Red Hat OpenShift compatibility, see Supported OpenShift and Kubernetes versions.
Access to an OCI-compliant container runtime.
In this procedure, Docker is used as an example. For more information about installing Docker, see Download and Install Docker Desktop. The example commands in the following procedure use docker. If you are using Podman as your container platform, use podman instead of docker in the example commands.
Create a z/OS Connect API project. For more information, see Developing API provider with zosConnect-3.0.
zosConnect-3.0 artifacts (WAR files) can be deployed in a z/OS Connect Server container that is at the same release level or later than the release level of the z/OS Connect Designer that was used to generate the artifacts. For more information, see Developing API provider with zosConnect-3.0 and zosConnect-3.0 artifact compatibility.
Restriction: WAR files should not be deployed in a z/OS Connect Server container that is an older release level than the release level of the z/OS Connect Designer.
Configure the Container Platform cluster with Role Based Access-Control (RBAC) ready for the deployment of z/OS Connect APIs. For more information about how to configure cluster-admin and application developer roles for z/OS Connect on Red Hat OpenShift Container Platform, see Authorizing users for z/OS Connect by using role-based access control (RBAC). For more information about RBAC, see RBAC overview.
Important: RBAC must be configured on the cluster before starting the installation procedure.
Verify that the z/OS Connect Server image signature is an optional step. If you need to verify the z/OS Connect signed images, you need to install the following command-line tools:
- Gnu Privacy Guard
- OpenSSL
- skopeo
  Note: These command-line tools can usually be installed on Linux by using the package manager.
If using z/OS Connect policies to adjust how an API request is processed in z/OS Connect, see Configuring IBM z/OS Connect policies. When building the WAR file in Build IBM z/OS Connect API image as part of this procedure, you must include the policy configuration and rules file within the image.

Download a z/OS Connect Server zosConnect-3.0 feature image

Before you begin

The following tasks must be completed.

Download and install an OCI-compliant container runtime.

Note: Docker is used as an example container tool. Docker 19.0.3 or higher is supported.
Other OCI-compliant container tools, such as Podman are also supported.
To get access to the z/OS Connect Server image, you must have an IBM entitlement registry key to pull the images from the IBM Cloud Container Registry icr.io. Refer to your license document for specific instructions on obtaining the entitlement key.
Note: If you don't have the license document with the entitlement key, place a new order for the product in ShopZ where the additional documentation contains the entitlement key. As an existing customer, if you already have a license for IBM z/OS Connect Unlimited, no charge is incurred when the new order is placed.

Procedure

Start your container tool.
For example, Docker.
Log in to IBM Cloud Container Registry.
```
docker login icr.io
```
Provide your username and password login credentials. Instructions for obtaining these credentials can be found in your license documents.

Pull the z/OS Connect Server image.

docker pull icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100

Results

The IBM Cloud Container Registry image is in your local docker registry. Validate by running the following command

docker image ls

REPOSITORY                                  TAG        IMAGE ID    CREATED     SIZE
icr.io/zosconnectunlimited/ibm-zcon-server 3.0.100    6d2af17d10bd  1 days ago   979MB

Note: Image size and ID alter depending on the release.

What to do next

Optional

z/OS Connect images are signed. You must have downloaded an z/OS Connect Server image before continuing with the installation procedure. For more information on verifying image signatures, see Verify an z/OS Connect Server image signature (Optional).

If you don't need to verify your image signatures, build your z/OS Connect API image by using a z/OS Connect API project and the z/OS Connect Server image that is downloaded in this step. For more information, see Build IBM z/OS Connect API image.

Verify a z/OS Connect image signature (Optional)

Digital signatures provide a way to ensure that an image is both authentic (it originated from the expected source) and has integrity (it is what is expected). z/OS Connect images are signed and this topic describes how to verify the signatures on those images.

Before you begin

The following tasks must be completed.

The z/OS Connect public keys must exist on the same machine as the command-line tools.

Copy the following text block exactly as shown into a text editor, and save it in a file named PRD0012028key.pub.asc:

About this task

z/OS Connect images are signed. If you need to verify the image signatures, complete the following procedure.

Enabling signature verification when container images are pulled to a host system can be automated. For information on automating image signature verification, see A launch icon to indicate a link opens a new tab or window. Verifying image signing for Red Hat Container Registry.

Some of the steps in this procedure use gpg. GPG2 is the extended version of GPG and gpg2 can be used instead of gpg.

Procedure

Import the z/OS Connect public key on the machine that you prepared according to the Prerequisites section:
```
sudo gpg --import PRD0012028key.pub.asc
```
This step needs to be done only once on each machine you use for signature verification.
Calculate the fingerprints:
```
fingerprint=$(sudo gpg --fingerprint --with-colons | grep -B1 'IBM z/OS Connect Enterprise Edition Unlimited' | grep fpr | tr -d ‘fpr:’)
```
This command stores the keys' fingerprint in an environment variable that is called fingerprint, which is needed to verify the signature. When you exit your shell session, the variable is deleted. The next time that you log in to your machine, you can set it again by rerunning the command.
Log in to Skopeo.
```
sudo skopeo login icr.io
```
Create a directory for the image and use skopeo to pull it into local storage:
```
mkdir images
```
```
sudo skopeo copy docker://icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100 dir:./images -a
```
This command downloads the image as a set of files and places them in the images directory (or another directory that you choose). If the source image is a list of images for different architectures, the -a attribute copies all of the images.

Tip: One of these files is a manifest file that is named images/manifest.json, and a signature file named images/signature-1. You reference both these files in the next step (in the command to verify the signature).

Verify the signature:

sudo skopeo standalone-verify ./images/manifest.json icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100 ${fingerprint} ./images/signature-1

The confirmation output should be similar to the following where the sha256 value is a 64-byte hexadecimal string.

Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000

Results

The z/OS Connect Server image signature has been successfully verified.

Build IBM z/OS Connect API image

About this task

To build a z/OS Connect API image from your API project, you must use the container platform tool of your choice to build an image FROM the z/OS Connect Server image.

To prepare your z/OS Connect API project image for a container environment, you must use the z/OS Connect Server image. For more information, see Download z/OS Connect server image.

Procedure

Make sure that your container build environment is running.
Go to the root of your z/OS Connect API project.
Ensure that the Dockerfile within the z/OS Connect API project references your downloaded z/OS Connect Server image in the FROM instruction.
For example,
```
FROM icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100
```
Note: The tag references the specific version of the z/OS Connect Server image that is being used. Using the tag `latest` adds the risk of updating the image automatically, and a newer version is used on later builds.
Log in to the private Container Registry.

Note: This is not the IBM Cloud Container Registry, but the registry where you host your z/OS Connect API image.
For example,
```
docker login example.io
```
From the same location as the Dockerfile, build the z/OS Connect API image locally.
By using Docker, the following command is an example where,
- example.io is the Container Registry.
- zcon-employees-api is the chosen image name.
- v1.0.0 is the image tag.
The command is run from the same location as the Dockerfile.
```
docker build -t example.io/zcon-employees-api:v1.0.0 .
```
Note: The trailing period '.' in the command states to use the current directory as the build context.
This z/OS Connect API image is now stored locally in the private container. In this example, the z/OS Connect API image is stored locally in the Docker private container.
Important: The z/OS Connect API image is a multi-architecture image and defaults to an architecture that matches the system on which it is built. To build a z/OS Connect API image with a different architecture to your build system, use docker build --platform <os/arch> to specify the target platform for the build output. For example,
```
docker build --platform linux/amd64 -t example.io/zcon-employees-api:v1.0.0 .
```
For more information, see Building multi-platform images.
Push the z/OS Connect API image to the remote private Container Registry.
For example,
```
docker push example.io/zcon-employees-api:v1.0.0
```
Note: Using the tag latest adds the risk of updating the image automatically when deployed with Red Hat OpenShift.

Results

The container runtime, for example Docker, validates a successful push. The z/OS Connect API image is now hosted in the private Container Registry registry to access externally with valid login credentials.

Install the z/OS Connect Catalog in Red Hat OpenShift with bastion host

If your cluster is in a restricted environment (not connected to the internet), use a bastion host to mirror the z/OS Connect images to a target registry within the restricted environment. The z/OS Connect Catalog is then installed on the cluster, ready for installing the IBM z/OS Connect Operator in the next step.

Before you begin

Before you begin, you need:

A Red Hat OpenShift Container Platform cluster on s390x or amd64 architecture that is hosted in a restricted (air gap) environment.
Ensure that you log in as cluster-admin. If you do not have a cluster-admin role, see Authorizing users for IBM z/OS Connect by using role-based access control (RBAC).
A bastion host that is both connected to the internet and to the restricted network with access to the Red Hat OpenShift Container Platform cluster.
Install the following prerequisites on the bastion host.
- An OCI-compliant container platform. In this procedure, Red Hat OpenShift CLI (oc) (version 4.4.0 or later) is used to interface with the Red Hat OpenShift Platform cluster. For more information, see Getting started with the OpenShift CLI.
- The IBM/ibm-pak (ibm-pak). The IBM Catalog Management Plug-in for IBM Cloud Pak® (IBM/ibm-pak) is used for the deployment of IBM Cloud® Paks in a disconnected (airgapped) environment. It simplifies the process for discovering required IBM product images and uses standard tools for registry and cluster access. The IBM/ibm-pak also extends the Red Hat OpenShift CLI (oc) capability to streamline the process of delivering installation images to the IBM Cloud Pak in an airgapped environment.
  
  Follow the instructions in the README.md file at /IBM/IBM-pak to download and install IBM/ibm-pak.
  
  Confirm the IBM/ibm-pak is installed by running the following command to see the plug-in usage display on the screen.
```
oc ibm-pak --help
```
- Download and install an OCI-compliant container runtime. In this procedure, Docker is used.
  You must have a local Docker type production-grade registry available to store the IBM Cloud Pak for the z/OS Connect.

Procedure

Download the CatalogSource Container Application Software for Enterprises (CASE) bundle to your Red Hat OpenShift Container Platform cluster.
1. Check that the CASE repository URL is pointing to the default https://github.com/IBM/cloud-pak/raw/master/repo/case/ location by running the following command.
  
  CASE is a specification that defines the metadata and structure for packaging, managing, and unpacking containerized applications. In this procedure, a target registry is configured on the bastion host from the z/OS Connect CASE package by using the ibm-pak-plugin tool. The z/OS Connect images hosted in the public online IBM Cloud Container Registry (icr) are mirrored to the target registry by using IBM/ibm-pak (ibm-pak).
  
  This enables the z/OS Connect resources to be installed on the Red Hat OpenShift Container Platform cluster in an offline environment.
```
oc ibm-pak config
```
  Example output:
```
Repository Config

Name                        CASE Repo URL
----                        -------------
IBM Cloud-Pak Github Repo * https://github.com/IBM/cloud-pak/raw/master/repo/case/
```
  If the repository is not pointing to the default location (asterisk indicates default URL), then run the following command:
```
oc ibm-pak config repo 'IBM Cloud-Pak Github Repo' --enable
```
  If the URL is not displayed, then add the repository by running the following command:
```
oc ibm-pak config repo 'IBM Cloud-Pak Github Repo' --url https://github.com/IBM/cloud-pak/raw/master/repo/case/
```
2. Declare generic environment variables to configure them for the z/OS Connect Catalog.
  From a terminal session, set the following environment variables with the export command.
```
export CASE_NAME=ibm-zcon-zosconnect
export CASE_VERSION=1.0.9
export NAMESPACE=openshift-marketplace
export INVENTORY=ibmZconZosconnectOperatorSetup

export TARGET_REGISTRY_HOST=<IP_or_FQDN_of_target_registry>
export TARGET_REGISTRY_PORT=<port_number_of_target_registry>
export TARGET_REGISTRY=$TARGET_REGISTRY_HOST:$TARGET_REGISTRY_PORT

export TARGET_REGISTRY_PATH=/tmp/docker-registry
export TARGET_REGISTRY_USER=<username>
export TARGET_REGISTRY_PASSWORD=<password>
```
3. Download the z/OS Connect CASE bundle ibm-zcon-zosconnect to your Red Hat OpenShift Container Platform cluster.
```
oc ibm-pak get $CASE_NAME --version $CASE_VERSION
```
4. From a command window, log in to the Red Hat OpenShift Container Platform cluster as cluster-admin with the following command. You need to provide the Red Hat OpenShift Container Platform server URL.
```
oc login https://Mycluster_hostName:Mycluster_port
```
  Note: You need to provide cluster-admin credentials for your environment.
Optional: If you use an insecure registry, you must add the target registry to the cluster insecureRegistries list. Run the following command.
```
oc patch image.config.openshift.io/cluster --type=merge -p   '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'
```
Successful completion of the command presents the following output.
```
image.config.openshift.io/cluster patched
```
Important: Depending on the version of the Red Hat OpenShift Container Platform cluster, the nodes might be restarted to apply the patch. Wait until all nodes are READY before the next step.
Authenticate with the registry.
1. Log in to the target internal registry with your authentication credentials and run the following command.
```
docker login $TARGET_REGISTRY --username $TARGET_REGISTRY_USER --password $TARGET_REGISTRY_PASSWORD
```
  Tip: If the registry is insecure, add the following flag to the command.
```
--tls-verify=false
```
2. Export the registry authentication credentials for the source and target to the docker_auth_file file in preparation to mirror the images.
  Run the following command to export the REGISTRY_AUTH_FILE environment variable where <docker_auth_file> is the path to the file containing the authentication credentials that are generated on Docker login.
```
export REGISTRY_AUTH_FILE=<docker_auth_file>
```

Generate the mirror manifests for the z/OS Connect images by using

oc
ibm-pak

Run the following command to generate mirror manifests.

oc ibm-pak generate mirror-manifests $CASE_NAME $TARGET_REGISTRY --version $CASE_VERSION

Mirror the images from their current source location to the target registry by using oc image mirror.

oc image mirror -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping.txt --filter-by-os '.*' -a $REGISTRY_AUTH_FILE --insecure --skip-multiple-scopes --max-per-registry=1

Configure the cluster.
Now that your images are internal, the cluster needs to be updated so that if there is a request to pull an image from any of the external repositories specified by your CASE, the Red Hat OpenShift cluster knows to pull them from the internal repository instead.

Red Hat OpenShift Container Platform includes a custom resource, called ImageContentSourcePolicy that accepts a reference to a catalog of operators and automatically redirects image pull requests from a specified registry location to an alternative location.
1. View ImageContentSourcePolicy.
```
cat ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/image-content-source-policy.yaml
```
2. Apply ImageContentSourcePolicy.
```
oc apply -f  ~/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/image-content-source-policy.yaml
```

Create the CatalogSource.

Now that the images are mirrored to your airgapped environment, you can deploy the IBM Cloud Pak for z/OS Connect to that environment.

Create and configure the CatalogSource.

oc ibm-pak launch \
${CASE_NAME} \
--version ${CASE_VERSION} \
--action install-catalog \
--inventory ${INVENTORY} \
--namespace openshift-marketplace \
--args "--registry ${TARGET_REGISTRY} --recursive \
--inputDir ~/.ibm-pak/data/cases/${CASE_NAME}/${CASE_VERSION}"

Verify the CatalogSource.

cat ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml

Successful completion of the command presents the following output.

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
 name: ibm-zcon-zosconnect-catalog
 namespace: openshift-marketplace
spec:
 displayName: ibm-zcon-zosconnect-1.0.14
 publisher: IBM
 image: <image_name>
 sourceType: grpc
 updateStrategy:
  registryPoll:
   interval: 30m0s

Apply and configure the CatalogSource to the Red Hat OpenShift Container Platform cluster.
```
oc apply -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/catalog-sources.yaml
```
Successful completion of the command presents the following output.
```
catalogsource.operators.coreos.com/ibm-zcon-zosconnect-catalog configured
```

Verify the CatalogSource is successfully installed.

Now that the CatalogSource has been applied and configured to the airgapped Red Hat OpenShift Container Platform cluster, run the following commands to verify that the CatalogSource is successfully installed.

oc get catalogsource ibm-zcon-zosconnect-catalog -n openshift-marketplace

Successful completion of the command presents the following output.

 NAME                                           DISPLAY                                                 TYPE   PUBLISHER   AGE
ibm-zcon-zosconnect-catalog                    ibm-zcon-zosconnect-1.0.14                               grpc   IBM         3d2h

Verify that the ibm-zcon-zosconnect-catalog Pod is running, run the following command.

oc get pod -l=olm.catalogSource=ibm-zcon-zosconnect-catalog -n openshift-marketplace

Successful completion of the command presents the following output.

NAME READY STATUS RESTARTS AGE
ibm-zcon-zosconnect-catalog-wvpjr 1/1 Running 0 44h

Results

You successfully installed the z/OS Connect Catalog on the bastion host.

Install the IBM z/OS Connect Operator

Install the IBM z/OS Connect Operator to deploy z/OS Connect APIs in a Container Platform.

About this task

The IBM z/OS Connect Operator is an application that is deployed to the Red Hat OpenShift Container Platform, by using Red Hat OpenShift Web Console OperatorHub. Once installed, the ZosConnect Custom Resource (CR) is available on the cluster, where the z/OS Connect API deployment details are defined. The IBM z/OS Connect Operator watches for the ZosConnect CR, and uses it to create the resources needed for the deployment of a z/OS Connect API in Red Hat OpenShift Container Platform.

The IBM z/OS Connect Operator supports two installation modes that determine its scope in the cluster.

Default - The AllNamespaces installation mode supports a single IBM z/OS Connect Operator to be installed in the cluster, which watches for ZosConnect CR instances that are created in any namespace.
The OwnNamespace installation mode supports multiple IBM z/OS Connect Operators to be installed in the cluster, however it only watches for ZosConnect CR instances that are created in its own namespace.

The two installation modes depend on your workload and are mutually exclusive in a single Red Hat OpenShift Cluster.

Important: You can install only one IBM z/OS Connect Operator per namespace. Therefore, a single IBM z/OS Connect Operator can manage multiple instances of the ZosConnect CR, therefore multiple z/OS Connect API deployments.

Procedure

Log in as cluster-admin to the Red Hat OpenShift Container Platform web console. Ensure that you are using the Administrator perspective by using the left navigation.
Click Operators > OperatorHub in the left navigation.
Search for z/OS Connect and click the IBM z/OS Connect tile.
Click Install.
From the Install Operator page, complete the fields as follows:
1. Installation Mode
  
  All namespaces on the cluster (default)
  
  For the AllNamespaces install mode, the IBM z/OS Connect Operator is installed to the openshift-operators namespace and watches all namespaces on the cluster for instances of the ZosConnect CR. This means that a IBM z/OS Connect Operator can be installed only once in this mode.
  
  For the OwnNamespace install mode, the IBM z/OS Connect Operator is installed to a namespace of your choice and watches all instances of a ZosConnect CR in isolation to this namespace. This means that an IBM z/OS Connect Operator can be installed multiple times in this mode.
2. Installed Namespace Select a namespace from this list or create a new namespace.
  Note: Installed Namespace is only an option if you selected OwnNamespace for the installation mode.
3. Update Approval To automatically update the running instance of your IBM z/OS Connect Operator whenever new updates are made available to the channel, select Automatic (the default). If you want to review and approve an update manually, select Manual.
  Note:
  
  You can change the approval strategy later.
  
  Automatic Update Approval updates the IBM z/OS Connect Operator in a connected environment. Automatic updates aren't applicable for offline (airgapped) environments.
Click Install.
If you selected Manual for the Approval Strategy field, manually review and approve the install plan.
Verify the IBM z/OS Connect Operator installation.
A message is displayed on the Operators > OperatorHub page, similar to Figure 1, confirming the successful installation of the IBM z/OS Connect Operator to the Red Hat OpenShift Container Platform.
Figure 1. Successful Operator installation

Tip: To view the installation status of the IBM z/OS Connect Operator after the installation procedure is complete, navigate to Operators > Installed Operators, and select your project from the Projects drop-down. IBM z/OS Connect is listed with a status of Succeeded.
View the deployed IBM z/OS Connect Operator Pods.
To view the deployed IBM z/OS Connect Operator Pods, click View Operator to see the Operator details page. Scroll to the ClusterServiceVersion details section and click the ibm-zcon-zosconnect-controller-manager deployment that is listed under Operator Deployments.
From the Deployment details page, click the Pods tab where the IBM z/OS Connect Operator Pod is shown as Status > Running and Ready > 2/2.

Configure an image pull secret in the Container Platform

About this task

In this task, an image pull secret is created in Red Hat OpenShift Container Platform that contains the Container Registry location and credentials for the z/OS Connect API built in Build IBM z/OS Connect API image. For more information, see A launch icon to indicate a link opens a new tab or window. Using image pull secrets.

Procedure

Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure that you are in the Developer perspective by using the left navigation.
Click Secrets in the left navigation.
Select a Project to view the list of Secrets or create a Project.

Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must create a Project.
Click Create in the upper right of the Secrets page and select Image pull secret.
Enter a Secret name.
For example, zosconnect-pull-secret.

Note: The Secret name is used as a reference in Create a ZosConnect Custom Resource (CR) instance.
Enter the Registry server address for the location of the z/OS Connect API.
For example, privateregistry.example.com.
Enter the Username for the Container Registry defined in Step 6.
Enter the Password for the Container Registry defined in Step 6.
Click Create.
The Secret is added to the Secrets page and is ready for use.

Results

Click Reveal values in the Data section. Your credentials are appended to the .dockerconfigjson file.

What to do next

If your API project requires environment variables for the connection and credential details, go to Configure environment variables (Optional).

If you need to configure TLS, see Configure Transport Layer Security (TLS) in a Container Platform (Optional). For more information about TLS, see A launch icon to indicate a link opens a new tab or window. Self-Serviced End-to-end Encryption Approaches for Applications Deployed in OpenShift

If you use volumes in a container platform to mount keystores for your z/OS Connect API image to use, see Configure volumes (Optional).

Otherwise, you have completed the preparation steps and are ready to deploy your z/OS Connect API image. For more information, see Create a ZosConnect Custom Resource (CR) instance.

Configure environment variables (Optional)

Use ConfigMap and Secret Objects in a Container Platform to store the connection and credential configuration values for your z/OS Connect API image to use.

About this task

If the z/OS Connect API image built in Build IBM z/OS Connect API image contains a z/OS Connect API project with connection and credential environment variables, you must use a ConfigMap, and optionally a Secret in the Red Hat OpenShift Container Platform.

The ConfigMap and Secret Objects store the connection and credential configuration values in the Red Hat OpenShift Container Platform. These are then mapped to your z/OS Connect API image in the Create a ZosConnect Custom Resource (CR) instance.

The z/OS Connect API project connection and credential configurations are in the ../liberty/config directory.

A ConfigMap is used to store connection information. For example, a ../liberty/config/db2.xml with
```
<zosconnect_db2Connection id="db2Conn" host="${DB2_HOST}" port="${DB2_PORT}" credentialRef="commonCredentials" />
```
To create a ConfigMap, follow the ConfigMap steps in the following procedure.
A Secret is used to store credential information. For example, ../liberty/config/db2.xml with
```
<zosconnect_credential user="${DB2_USERNAME}" password="${DB2_PASSWORD}" id="commonCredentials" />
```
To create a Secret, follow the Secret steps in the following procedure.

Note: This procedure demonstrates how the connection and credential environment variables that are shown in the db2.xml examples can be added to a ConfigMap and Secret in Red Hat OpenShift.

If you require environment variables, complete the procedure in order.

Procedure

ConfigMap
1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure that you are in the Developer perspective by using the left navigation.
2. Click ConfigMaps in the left navigation.
3. Select the Project to view the list of ConfigMaps or Create a Project.
  
  Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must Create a Project.
4. Click Create ConfigMap in the upper right of the ConfigMaps page.
5. Switch Config via value to YAML view using the radio-buttons.
6. Add the ConfigMap name and your connection information to the Create ConfigMap page.
  In this example, DB2_HOST and DB2_PORT are specified as Key-Value pairs. Customize the values as appropriate.
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: <unique ConfigMap name>
  namespace: <project name>
data:
  DB2_HOST: <db2 host address> 
  DB2_PORT: '<db2 port>'
```
  Note:
  - Integer values must be represented as 'string'.
  - The ConfigMap name is used as a reference in Creating a z/OS Connect Custom Resource (CR) instance - Operand Deployment.
  - Selecting the Project in step 1.c before creating the ConfigMap will automatically complete the namespace value in the ConfigMap.
7. Click Create.
8. The ConfigMap is added to the ConfigMaps page and is ready for use.
Secret
1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure that you are in the Developer perspective by using the left navigation.
2. Click Secrets in the left navigation.
3. Select a Project to view the list of Secrets or Create a Project.
  
  Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must Create a Project.
4. Click Create in the upper right of the Secrets page and select Key/value secret.
5. Enter a Secret name.
  For example, sample-db2-cred.
  
  Note: The Secret name is used as a reference in Create a ZosConnect Custom Resource (CR) - Operand Deployment.
6. Enter the username key in the Key field.
  For example, DB2_USERNAME.
7. Enter the username credential in the Value field.
  For example, JoeSmith.
  This is the DB2_USERNAME for the DB2_HOST defined in Step 1.
8. Click Add key/value.
9. Enter the password key in the Key field.
  For example, DB2_PASSWORD.
10. Enter the password credential in the Value field.
  In this example, the DB2_PASSWORD is the Value for DB2_USERNAME JoeSmith.
  Note: The Secret values should be encrypted at rest. For more information, see Encrypting Confidential Data at Rest.
11. Click Create.
12. The Secret is added to the Secrets page and is ready for use.

What to do next

If you need to configure TLS (secure networking configuration options), see Configure Transport Layer Security (TLS) in a Container Platform (Optional). For more information, see A launch icon to indicate a link opens a new tab or window. Self-Serviced End-to-end Encryption Approaches for Applications Deployed in OpenShift.

If you use volumes in a container platform to mount keystores for your z/OS Connect API image to use, see Configure volumes (Optional).

Otherwise, the preparation steps are complete and you are ready to deploy your z/OS Connect API image. For more information, see Create a ZosConnect Custom Resource (CR) instance.

Configure Transport Layer Security (TLS) in a Container Platform (Optional)

Configuring TLS (secure networking configuration options) for a z/OS Connect API deployed to a Container Platform with the IBM z/OS Connect Operator.

Before you begin

This page outlines the secure networking (TLS) configuration options for a z/OS Connect API deployed to a Container Platform with the IBM z/OS Connect Operator.

If your z/OS Connect API requires environment variable configuration for connection and credential details, you must complete the configuration preparation steps before starting this section. For more information, see Configure environment variables (Optional).

Important: This page does not describe how to configure security (Transport Layer Security) for a z/OS Connect Server. For more information on securing z/OS Connect resources, see Securing IBM z/OS Connect resources for zosConnect-3.0.

About this task

At the end of this topic, you will understand the methods of configuring TLS for a z/OS Connect API deployed to a Container Platform. You will have completed the preparation steps required for the next topic, Create a ZosConnect Custom Resource (CR) instance.

If the platform is Red Hat OpenShift, you will know about the TLS termination types that are offered by Red Hat OpenShift Routes, and might or might not have created a certificateSecret object containing TLS certificates, in preparation for creating a secured Route in the next topic.

If the platform is native Kubernetes, you will know about the TLS configuration method that is offered by Kubernetes Ingress, and will have created a certificateSecret object containing TLS certificates, in preparation for creating a secured Ingress in the next page.

The procedure as part of this page outlines how to create the certificateSecret Secret object for Red Hat OpenShift Routes and native Kubernetes Ingress, if this is required for your chosen configuration.

Routes

In Red Hat OpenShift, a router is deployed to the cluster that functions as the ingress endpoint for external network traffic. This route exposes the service for an application so that any external device can access it. It can either be secure or unsecured, depending on the network security configuration of your application. The focus of this section is on secured routes as these require additional steps in storing TLS keys and/or certificates.

There are three types of secured routes, each defined by the TLS termination type:

Edge, which requires an insecure z/OS Connect Server.
Passthrough, which requires a secure z/OS Connect Server. For more information, see Securing IBM z/OS Connect resources.
Re-encrypt, which requires a secure z/OS Connect Server. For more information, see Securing IBM z/OS Connect resources.

Note: Where an application is referenced, this is the Pod resource on the Container Platform containing the z/OS Connect API.

Edge

With Edge termination, a TLS connection is established between the client and the router, and then terminated at the router. The connection between the router and the application is unencrypted. This is shown by TLS and clear in the diagram.

The TLS connection is created with a certificate/key pair in PEM-encoded format, where the certificate is valid for the route host. Also, a separate CA certificate in a PEM-encoded format can be used to complete the certificate chain. In Red Hat OpenShift, the router provides its own certificate/key pair and CA certificate defaults in PEM-encoded format. To provide your own values, see A launch icon to indicate a link opens a new tab or window.

Replacing the default ingress certificate and add tls.key, tls.crt and optionally ca.crt from Table 2 to the certificateSecret in the procedure. If not specified, the router defaults are used.

As the TLS connection terminates at the router, there is no method of providing trust between the router and the application with Edge. Therefore, the z/OS Connect Server must not have TLS enabled. However, the Re-encrypt termination type provides this functionality, see Reencrypt.

Image showing Edge Route end to end encryption

Table 2. Edge key/value pairs for `certificateSecret`
Key	Value	Note	Required
tls.key	TLS key in PEM-encoded format as part of certificate/key pairing.	If not specified, the Red Hat OpenShift router defaults are used.	Optional
tls.crt	TLS certificate in PEM-encoded format as part of certificate/key pairing.	If not specified, the Red Hat OpenShift router defaults are used.	Optional
ca.crt	TLS CA certificate in PEM-encoded format that completes the certificate chain.	If not specified, the Red Hat OpenShift router defaults are used.	Optional

If you are not using the router default values for tls.key, tls.crt, and optionally ca.crt, follow the steps in the procedure to configure the certificateSecret for Edge with the key/values in the Table 2. This certificateSecret is referenced in the certificateSecretRef field in step 6.f when creating the z/OS Connect Custom Resource instance. This is where the Edge route is created by the IBM z/OS Connect Operator for z/OS Connect API deployment.

Pass-through

With Passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore, no key or certificate is required on the route. The application is responsible for serving certificates for the traffic at the endpoint, therefore the z/OS Connect Server must have TLS enabled. Currently, this is the only method that can support requiring client certificates, also known as two-way authentication.

There are no additional configuration steps that are required for TLS when implementing pass-through. You have completed the preparation steps and are ready to for z/OS Connect API deployment. For more information, see Create a ZosConnect Custom Resource (CR) instance.

Reencrypt

With Re-encrypt termination, a TLS connection is established between the client and the router, and then terminated at the router. The TLS connection is then reencrypted, establishing a new TLS connection between the router and the application. This is shown by TLS1 and TLS2 in the diagram respectively.

TLS1 is created with a certificate/key pair in PEM-encoded format, where the certificate is valid for the route host. Also, a separate CA certificate in a PEM-encoded format can be used to complete the certificate chain. In Red Hat OpenShift, the router provides its own certificate/key pair and CA certificate defaults in PEM-encoded format. To provide your own values, see A launch icon to indicate a link opens a new tab or window.

Replacing the default ingress certificate and add tls.key, tls.crt and optionally ca.crt in the Table 3 to the certificateSecret in the procedure. If not specified, the router defaults are used.

TLS2 is created with a separate destination CA certificate in PEM-encoded format. This certificate belongs to the application, therefore the z/OS Connect Server must have TLS enabled. Because the router reencrypts the connection, it acts as an internal consumer and it trusts the internal certificate by the application. To provide this certificate, add destCA.crt the certificateSecret in the procedure.

Image showing Re-encrypt Route key/value pairs for SecretRef

Table 3. Re-encrypt key/value pairs for `certificateSecretRef`
Key	Value	Note	Required
tls.key	TLS key in PEM-encoded format as part of certificate/key pairing.	If not specified, the Red Hat OpenShift router defaults are used.	Optional
tls.crt	TLS certificate in PEM-encoded format as part of certificate/key pairing.	If not specified, the Red Hat OpenShift router defaults are used.	Optional
ca.crt	TLS CA certificate in PEM-encoded format that completes the certificate chain.	If not specified, the Red Hat OpenShift router defaults are used.	Optional
destCA.crt	TLS CA certificate of the application in PEM-encoded format.	This certificate is inside the z/OS Connect Server and configured in Config TLS PKCS12.	Yes

Follow the steps in the procedure to configure the certificateSecret for Re-encrypt with the key/values in the Re-encrypt key/value pairs for certificateSecretRef.

This certificateSecret is referenced in the certificateSecretRef field in step 6.f when creating the z/OS Connect Custom Resource instance.

This is where the Re-encrypt route is created by the IBM z/OS Connect Operator for z/OS Connect API deployment.

Ingress

Note: The IBM z/OS Connect Operator does not support Ingress on Red Hat OpenShift Container Platform.

Ingress resources are Kubernetes-native resources that play the same role as Red Hat OpenShift Routes. The Kubernetes Ingress definition only currently supports a single TLS port, 443, and assumes Edge TLS termination. The TLS connection is created with a certificate/key pair in PEM-encoded format, where the certificate is valid for the ingress host.

Table 4. Ingress key/value pairs for `certificateSecretRef`
Key	Value	Note	Required
tls.key	TLS key in PEM-encoded format as part of certificate/key pairing.	If not specified, the Red Hat OpenShift router defaults are used.	Yes
tls.crt	TLS certificate in PEM-encoded format as part of certificate/key pairing.	If not specified, the Red Hat OpenShift router defaults are used.	Yes

Follow the steps in the procedure to configure the certificateSecret for Ingress with the key/values in the Ingress key/value pairs certificateSecretRef. This certificateSecret is referenced in the certificateSecretRef field in step 6.f when creating the z/OS Connect Custom Resource instance.

This is where the Ingress is created by the IBM z/OS Connect Operator for z/OS Connect API deployment.

Procedure

Red Hat OpenShift Routes

Note: Use the following procedure to create the certificateSecret depending on the TLS Termination type and configuration, if required.
1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure that you are in the Developer perspective by using the left navigation.
2. Click Secrets in the left navigation.
3. Select a Project to view the list of Secrets or create a Project.
  Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must create a Project.
4. Click Create in the upper right of the Secrets page and select Key/value secret.
5. Enter a Secret name.
  Note: The Secret name is used as a reference in Operand Routes for the certificateSecretRef field.
6. Enter the Key from the table into the Key field and enter the Value from the table into the Value field. Repeat for all applicable Key/Value pairs in the table for your chosen TLS Termination Type.
7. Click Create.
Native Kubernetes Ingress
1. Install Kubernetes CLI (kubectl). For more information, see Installing the CLI.
2. Log in to your Kubernetes cluster.
3. Add tls.key and tls.crt to separate files.
4. Run the following command to create the secret in the namespace where the z/OS Connect API is to be deployed.
  Note: This namespace is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a namespace does not exist, you must create one.
```
kubectl create secret <secret-name> --namespace <your_namespace> --key /path/to/tls.key --cert /path/to/tls.crt
```

Results

The certificateSecret is added to the Secrets page and is ready for use in the Operand Routes for the certificateSecretRef field.

You have completed the preparation steps and are ready for z/OS Connect API deployment.

What to do next

If you use volumes in a container platform to mount keystores for your z/OS Connect API image to use, see Configure volumes (Optional).

If you don't use volumes in a container platform, you are ready to deploy your z/OS Connect API. For more information, see Create a ZosConnect Custom Resource (CR) instance.

Configure volumes (Optional)

Use volumes in a container platform to mount keystores for your z/OS Connect API image to use. Volumes are mounted file systems available to pods and their containers.

About this task

In this task, all artifacts that are required for SSL configuration in a z/OS Connect Server are stored in Secret objects in Red Hat OpenShift. This includes keystores, truststores, and certificate passwords. These are mounted to the z/OS Connect API pod through volumes in the Create a ZosConnect Custom Resource (CR) instance section.

The following example shows a configuration file with SSL within a z/OS Connect Server and keystore elements configured. In the procedure, CERTIFICATE_PASSWORD, clientKey.p12 and clientTrust.p12 are stored as Secret Objects in Red Hat OpenShift Container Platform.

<ssl id="sslCertificates" keyStoreRef="clientKeyStore" trustStoreRef="clientTrustStore"/>

<keyStore id="clientKeyStore" password="${CERTIFICATE_PASSWORD}" location="${server.config.dir}/resources/security/clientKey.p12" type="PKCS12"/>  
<keyStore id="clientTrustStore" password="${CERTIFICATE_PASSWORD}" location="${server.config.dir}/resources/security/clientTrust.p12" type="PKCS12"/>

Where

clientKey.p12 and clientTrust.p12 are example PKCS12 certificate files that were preconfigured in the procedure How to configure a TLS connection with PKCS12 keystores. The .p12 format is used here for illustration purposes; other certificate formats are also supported.
CERTIFICATE_PASSWORD is the password for the clientKey.p12 and clientTrust.p12 certificates.

Procedure

Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Make sure that you are in the Developer perspective by using the navigation.
Click Secrets in the navigation.
Select a Project to view the list of Secrets or Create a Project.
If a Project does not exist, you must Create a Project.
Click Create on the Secrets panel and select Key/value secret.
Enter a Secret name.
For example, keystore-secret.
Enter the keystore key in the Key field.
For example, clientKey.p12.
Enter the keystore contents in the Value field.
For example, the clientKey.p12 certificate in plain text.
Click Create.
Click Secrets in the navigation.
Click Create on the Secrets panel and select Key/value secret.
Enter a Secret name for the truststore certificate.
For example, truststore-secret
Enter the truststore key in the Key field.
For example, clientTrust.p12
Enter the truststore contents in the Value field.
For example, clientTrust.p12 certificate in plain text.
Click Create.

To create the CERTIFICATE_PASSWORD, complete the following steps:

Click Secrets in the navigation.
Click Create on the Secrets panel and select Key/value secret.
Enter a Secret name for the certificate password.
For example, certificate-password.
Enter the certificate key in the Key field.
For example, CERTIFICATE_PASSWORD.
Enter the certificate credential in the Value field.
For example, the CERTIFICATE_PASSWORD in plain text.

Results

Check the Secrets panel to view the Secret you created.

What to do next

You are ready to deploy your z/OS Connect API. For more information, see Create a ZosConnect Custom Resource (CR) instance.

If you have configured volumes in the container platform, you must also complete the Optional - Volume steps that are part of the Create a ZosConnect Custom Resource (CR) instance steps. These steps ensure that:

The CERTIFICATE_PASSWORD is mapped to the z/OS Connect API pod as an environment variable.
The clientKey.p12 and clientTrust.p12 files are mounted to the z/OS Connect API pod as volumes at the defined location.

Complete the Create a ZosConnect Custom Resource (CR) instance steps, including the Optional - Volume steps when you reach them in the following procedure.

Create a `ZosConnect` Custom Resource (CR) instance

Creating a ZosConnect Custom Resource (CR) instance to enable deployment of your z/OS Connect API project.

About this task

In this section, a z/OS Connect API is deployed to the Red Hat OpenShift Container Platform. This is done by creating an instance of the ZosConnect Custom Resource (CR) that is enabled on the Red Hat OpenShift Cluster by the IBM z/OS Connect Operator.

To create an instance of the ZosConnect CR, you must specify the configuration details for the z/OS Connect API to be deployed.

The IBM z/OS Connect Operator automatically creates the necessary resources for the z/OS Connect API to run as specified in the ZosConnect CR.

Important: A single IBM z/OS Connect Operator can manage multiple instances of the ZosConnect CR, therefore multiple z/OS Connect API deployments.

Procedure

Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure you are in the Developer perspective by using the left navigation.
From the navigation, click +Add.
Select the project that you are creating a ZosConnect CR instance for. Create a project if one doesn't exist.
In the Add page, select Operator Backed from the Developer Catalog section.
Search for ZosConnect, and then click the ZosConnect tile.
From the ZosConnect panel, click Create.

Complete the following fields on the Create ZosConnect page to define the ZosConnect Custom Resource:

Specify a Name for your ZosConnect CR instance to associate it with your API.
Optional: Specify extra Labels for your ZosConnect CR instance.
Operand License Structure

Expand the Operand License Structure section by using to the right of the page.

Accept Operand License - Click the check-box, or in later versions of Red Hat OpenShift toggle the radio button to reflect true to accept the license.

Note: Accept the license for the IBM z/OS Connect Operator to create the resources.

Operand Deployment

Expand the Operand Deployment section by using

to the right of the page and complete the fields as detailed in Table 5.

Table 5. Operand Deployment
Field	Value	Note
`Container Port`	For HTTP, `9080`. For HTTPS, `9443`.	This value maps to the available ports defined in a z/OS Connect API. Note: This value must be consistent with the `Port` and `Target Port` values in the Operand Service step.
`Image`	Enter the image for the z/OS Connect API to deploy.	You can find the steps to build a z/OS Connect API image here Build IBM z/OS Connect API image.
`Pull Policy`	Defaults to `IfNotPresent`.	The image is updated when it is not already present on the cluster. Note: For more information about this native Kubernetes feature, see Image Pull Policy.
`Pull Secret`	Name of the Secret to use to pull images from the specified repository.	For more information, see Configure an image pull secret in the Container Platform.
`Replicas`	Number of Pod replicas to be deployed to the cluster for the z/OS Connect API.	Note: This value can be scaled up or down manually after the deployment if needed. More details on Pod replication can be found here.

Optional - Environment variables

If you completed Configure environment variables (Optional), you must complete the following steps for the data within the ConfigMap and Secret objects to be mapped to the connection and credential tags in the z/OS Connect API image.

Go to the start of the page, switch the view using the Configure via: YAML view to manually edit the ZosConnect CR.
Add the values to the spec.deployment.env field in the ZosConnect CR.
Note: Do not save the yaml file. It is done automatically.

For example,
```
spec:
  deployment:
    env:
      - name: DB2_HOST
        valueFrom:
          configMapKeyRef:
            key: DB2_HOST
            name: sample-db2-conn
      - name: DB2_PORT
        valueFrom:
          configMapKeyRef:
            key: DB2_PORT
            name: sample-db2-conn
      - name: DB2_USERNAME
        valueFrom:
          secretKeyRef:
            key: DB2_USERNAME
            name: sample-db2-cred
      - name: DB2_PASSWORD
        valueFrom:
          secretKeyRef:
            key: DB2_PASSWORD
            name: sample-db2-cred
```
This adds DB2_HOST and DB2_PORT values from the sample-db2-conn ConfigMap and adds DB2_USERNAME and DB2_PASSWORD values from the sample-db2-cred Secret. These environment variables are exported inside the z/OS Connect API image at run time.
Note: Substitute the values for sample-db2-conn and sample-db2-cred to match the ConfigMap and or Secret created in Configure environment variables (Optional). If you do not require the optional Secret, remove the respective fields from the example.
Switch the view back to using the Form view using Configure via:

Optional - Volumes

If you completed Configure volumes (Optional), you must complete the following steps for the data within the Secret objects to be mapped to the keystore tags in the z/OS Connect API image.

Go to the start of the page, switch the view using the Configure via: YAML view to manually edit the ZosConnect CR.
Add an environment variable for the certificate password by using the spec.deployment.env field.
Add a volume for the keystore and truststore in the spec.deployment.volumes field.
Mount the volume for the keystore and truststore to the container at defined location by using the spec.deployment.volumeMount field.

The following example is a sample configuration for the SSL example that is shown in Configure volumes (Optional). Customize these values for your own configuration.

spec:
  deployment:
    env:
      - name: CERTIFICATE_PASSWORD
        valueFrom:
          secretKeyRef:
            name: certificate-password
            key: CERTIFICATE_PASSWORD

    volumes:
      - name: truststore
        secret:
          secretName: truststore-secret
      - name: keystore
        secret:
          secretName: keystore-secret

    volumeMounts:
      - mountPath: /opt/ibm/wlp/usr/servers/defaultServer/resources/security/clientTrust.p12
        name: truststore
        subPath: clientTrust.p12
      - mountPath: /opt/ibm/wlp/usr/servers/defaultServer/resources/security/clientKey.p12
        name: keystore
        subPath: clientKey.p12

Switch back to the Form view by selecting Configure via: and verify that the volume mounts and environment variables are correctly configured.

Each certificate (clientTrust.p12 and clientKey.p12) is referenced from its respective secrets (truststore-secret and keystore-secret) and is stored in a volume (truststore and keystore). The volume is mounted by defining its mountPath that refers to the path inside the z/OS Connect API where the volume is mounted. The subPath property ensures that only the specific certificate file is mounted rather than the entire volume and the name under volumeMount matches the corresponding volume name.

Operand Service

Expand the Operand Service section by using the

to the right of the page.

Table 6. Operand Service Config
Field	Value	Note
`Port`	The port is exposed by the container. For HTTP, `9080` For HTTPS, `9443`	This allows a Service resource to communicate with the z/OS Connect API for Routes / Ingress. Note: This must be consistent with the `Container Port` value in the Operand Deployment step.
`Target Port`	The port that the operator assigns to containers inside pods. Defaults to the value of `Operand Service Port`.
`Type`	`ClusterIP`

Note: The values for Port and Target Port must match.

Operand Route

Important:

Use the Expose toggle to set the field to true. This displays the Operand Route section and enables the IBM z/OS Connect Operator to create the Route / Ingress resources, which are required for invoking the z/OS Connect.
If you completed Configure Transport Layer Security (TLS) in a Container Platform (Optional), you must complete values for Termination and Certificate Secret Ref for the operand config to create a secured Route or Ingress.
The following table defines fields that support both Red Hat OpenShift Routes and native Kubernetes Ingress. Select the fields that apply for your chosen configuration. If you do not require transport security, all of the Operand Route fields can be left blank.

Expand the Operand Route section by using

to the right of the page.

Table 7. Operand Routes Config
Field	Value	Note
`Termination` (Route)	TLS termination policy for Route. Can be one of the `edge`, `reencrypt`, and, `passthrough`.	Define the Red Hat OpenShift Route Transport Layer Security (TLS) termination policy. Required secured Route field. For an insecure Route, do not enter a value.
`Insecure Edge Termination Policy` (Route)	HTTP traffic policy with TLS enabled for Route. Can be one of `Allow`, `Redirect` and `None`.	Defaults to `Allow`.
`Path` (Route) (Ingress)	Path to be used for Route or Ingress.	This defaults to `/`.
`Certificate Secret Ref` (Route) (Ingress)	The name of a secret that already contains TLS key, certificate, and CA to be used for the Route or Ingress. It can also contain a destination CA certificate for Route. The following keys are valid in the secret: `ca.crt`, `destCA.crt`, `tls.crt`, `tls.key`.	Optional for a secured Route field. Required for a secured Ingress field. For an insecure Route or Ingress, do not enter a value.
`Hostname` (Ingress)	Hostname to be used for the Ingress.	Required Ingress field.
`Path Type` (Ingress)	Path Type to be used for the Ingress. Can be one of `Prefix`, `Exact`, or `ImplementationSpecific`.	Required Ingress field. For more information about Ingress Path Types, see Ingress Path Types.

Click Create to create your ZosConnect CR instance.

Important: To install another z/OS Connect API to the Red Hat OpenShift cluster, repeat the procedure for step 6.

The IBM z/OS Connect Operator is designed to manage many ZosConnect Custom Resource instances, therefore many z/OS Connect API deployments. The following image shows a IBM z/OS Connect Operator managing 3 ZosConnect instances. Each ZosConnect instance is configured with a different z/OS Connect API image. These represent 3 separate z/OS Connect API deployments in Red Hat OpenShift.

Figure 2. IBM z/OS Connect Operator with 3 separate ZosConnect instances

Results

When the ZosConnect Custom Resource is created, the IBM z/OS Connect Operator creates the resources that are required for your chosen configuration, based on the fields completed in this page.

To view these resources, open the Topology page where the ZosConnect instance is created. In the example, the name of the ZosConnect Custom Resource is zosconnect-sample.

Click inside the dotted area to view the resources that are associated with the created ZosConnect Custom Resource.

Red Hat OpenShift Topology page displaying the ZosConnect instance.

The Pod containing the z/OS Connect API is created by the zosconnect-sample-deployment Deployment.

To view this Pod, click zosconnect-sample-deployment, where the Deployment details are shown. Here you can navigate to the Pods tab to view the Pod. You see that the Pod Status is Running and 1/1 replicas are Ready. In this example, only 1 Deployment>Replicas was specified for the ZosConnect Custom Resource.

Note: The Pods might take a few seconds to become ready.

Invoke z/OS Connect APIs

About this task

In this task, the z/OS Connect API is deployed to the Red Hat OpenShift Container Platform by using a Red Hat OpenShift Route configured earlier in the procedure.

Note: You must have exposed the z/OS Connect API by checking the expose flag in the ZosConnect Custom Resource.

Procedure

Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Make sure that you are using the Developer perspective by using the left navigation.
From the navigation, click Topology.
Select the project where your ZosConnect instance is created.
For example, zosconnect-sample-deployment.
Click inside the dotted line around the ZosConnect instance.
From the panel that opened to the side of the screen, make sure that you are viewing the Resources tab.
Click Red Hat OpenShift Route listed in the Resources tab to navigate to the Route > Route details page.
Click the link in the Location field to invoke the z/OS Connect API that uses the Red Hat OpenShift Route.
The Location value is the external URL path to the Pod. This is expected to return a 404 response. The z/OS Connect API operation URI values need to be appended to this value to invoke the API operations.
Optional: Append a valid URI for the deployed z/OS Connect API onto the provided Route Location value to invoke the z/OS Connect API operation.
The Red Hat OpenShift Route returns successfully.

Results

You successfully invoked a z/OS Connect API deployed to the Red Hat OpenShift Container Platform that uses a Red Hat OpenShift Route.