Install the IBM z/OS Connect Server zosConnect-3.0 feature image to a Red Hat OpenShift Container Platform

How to build and deploy an IBM® z/OS Connect zosConnect-3.0 API by using a zosConnect-3.0 API project and the z/OS Connect Server image to install z/OS Connect to an OCI-compliant container platform in an online environment.

About this task

zosConnect-3.0 Applies to zosConnect-3.0.

Containers Applies to z/OS Connect container deployments.

Image to show the end to end z/OS Connect Server image installation process in an online environment using docker to build the API image, (using the API project and the z/OS Connect Server image), storing the z/OS Connect API image in a private container registry and deploying to Red Hat OpenShift Container Platform.
Important: The z/OS Connect Server image hosts z/OS Connect API projects in z/OS/s390x, Linux®, and amd64 OCI-compliant container environments. For more information, see IBM z/OS Connect system requirements.

Throughout this topic, Docker is used as an example for image build technology and Red Hat® OpenShift® Container Platform is used as an example for the container deployment. Note, Red Hat OpenShift 4.9 is supported on Linux/s390x and amd64.

The z/OS Connect Server and IBM z/OS Connect Designer images are supported by Open Container Initiative (OCI) compliant runtimes and other OCI-compliant container runtimes and container registries can be used.

Note: The z/OS Connect Server can be installed in an online or offline (bastion host airgapped) environment.
  1. To install and deploy the z/OS Connect API image in an online environment, complete the installation steps in Table 1 in sequence.
  2. To install and deploy the z/OS Connect API image in an offline environment, see Install the IBM z/OS Connect Server zosConnect-3.0 feature image to an offline Red Hat OpenShift Container Platform.
  3. The z/OS Connect documentation is available in the IBM Document offline tool, should you require an offline copy. For more information, see A launch icon to indicate a link opens a new tab or window. IBM z/OS Connect offline documentation.

The following topic describes the steps that are required to build and deploy the IBM z/OS Connect Server API image with Red Hat OpenShift. For information on how-to build and deploy the z/OS Connect API images with Podman, see Installing and uninstalling an IBM z/OS Connect Server image with Podman.

Table 1. Steps to install a z/OS Connect API image with required roles
z/OS Connect installation steps
Download the z/OS Connect Server image.
Verify the z/OS Connect Server image (Optional).
Build the z/OS Connect API image.
Install the IBM Operator Catalog.
Install the IBM z/OS Connect Operator.
Configure an image pull secret.
Configure environment variables. (Optional)
Configure Transport Layer Security (TLS networking capability) (Optional).
Create a ZosConnect Custom Resource instance.
Invoke z/OS Connect API.

The following tasks must be completed.

  1. Access to an OCI-compliant container platform.

    In this procedure, the Red Hat OpenShift Container Platform is used as an example.

    1. For detailed steps about how to install Red Hat OpenShift, see A launch icon to indicate a link opens a new tab or window. Installing Red Hat OpenShift Container Platform.
    2. Ensure that you have a supported version of Red Hat OpenShift installed. For more information about Red Hat OpenShift compatibility, see A launch icon to indicate a link opens a new tab or window. Supported OpenShift and Kubernetes versions
  2. Access to an OCI-compliant container runtime.

    The example commands in the following procedure use docker. If you are using Podman as your container platform, use podman instead of docker in the example commands. For more information about installing Docker, see A launch icon to indicate a link opens a new tab or window. Download and Install Docker Desktop.

  3. Create a z/OS Connect API project.
    zosConnect-3.0 artifacts (WAR files) can be deployed in a z/OS Connect Server container that is at the same release level or later than the release level of the z/OS Connect Designer that was used to generate the artifacts. For more information, see Developing API provider with zosConnect-3.0 and z/OS Connect artifact compatibility.
    Restriction: WAR files should not be deployed in a z/OS Connect Server container that is an older release level than the release level of the z/OS Connect Designer.
  4. Configure the Container Platform cluster with Role Based Access-Control (RBAC) ready for the deployment of z/OS Connect APIs. For more information about how to configure cloud admin and application developer roles for z/OS Connect on Red Hat OpenShift Container Platform, see A launch icon to indicate a link opens a new tab or window. Authorizing users for z/OS Connect by using role-based access control (RBAC). For more information about RBAC, see A launch icon to indicate a link opens a new tab or window. RBAC overview.
    Important: RBAC must be configured on the cluster before starting the installation procedure.
  5. Optional: Verify that the z/OS Connect Server image signature is an optional step. If you need to verify the z/OS Connect signed images, you need to install the following command-line tools:
  6. Optional: If using z/OS Connect policies to adjust how an API request is processed in z/OS Connect, see Configuring IBM z/OS Connect policies. When building the WAR file in Build a z/OS Connect API image as part of this procedure, you must include the policy configuration and rules file within the image.

Download a z/OS Connect Server zosConnect-3.0 feature image

Before you begin

The following tasks must be completed.

  1. Download and install an OCI-compliant container runtime.

    Note: Docker is used as an example container tool. Docker 19.0.3 or higher is supported.

    Other OCI-compliant container tools, such as Podman are also supported.

  2. To get access to the z/OS Connect Server image, you must have an IBM entitlement registry key to pull the images from the IBM Cloud Container Registry icr.io. Refer to your license document for specific instructions on obtaining the entitlement key.
    Note: If you don't have the license document with the entitlement key, place a new order for the product in A launch icon to indicate a link opens a new tab or window. ShopZ where the additional documentation contains the entitlement key. As an existing customer, if you already have a license for IBM z/OS Connect Unlimited, no charge is incurred when the new order is placed.

Procedure

  1. Start your container tool.
    For example, Docker.
  2. Log in to IBM Cloud Container Registry. 
    docker login icr.io
    Provide your username and password login credentials. Instructions for obtaining these credentials can be found in your license documents.
  3. Pull the z/OS Connect Server image. 
    docker pull icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100

Results

The IBM Cloud Container Registry image is in your local docker registry. Validate by running the following command
docker image ls

REPOSITORY                                  TAG        IMAGE ID    CREATED     SIZE
icr.io/zosconnectunlimited/ibm-zcon-server 3.0.100    6d2af17d10bd  1 days ago   979MB
Note: Image size and ID alter depending on the release.

What to do next

Optional: z/OS Connect images are signed. You must have downloaded an z/OS Connect Server image to continue the installation procedure. For more information on verifying image signatures, see Verify a z/OS Connect image signature (Optional).

If you don't need to verify your image signatures, build your z/OS Connect API image by using a z/OS Connect API project and the z/OS Connect Server image that is downloaded in this step. For more information, see Build a z/OS Connect API image.

Verify a z/OS Connect image signature (Optional)

Digital signatures provide a way to ensure that an image is both authentic (it originated from the expected source) and has integrity (it is what is expected). z/OS Connect images are signed and this topic describes how to verify the signatures on those images.

Before you begin

The following tasks must be completed.

  1. The z/OS Connect public keys must exist on the same machine as the command-line tools.

    Copy the following text block exactly as shown into a text editor, and save it in a file named PRD0012028key.pub.asc:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQU0cUBEACqSHOnQ2HyQRdr0dkcYpehWGz/OSXLpOiKpmgqcvLEm2ZIGpZu
pzN5wc57XOxhz5YNodODFysewjqKntgQg1EbQ85g8BmV14iZJZ/8oVMCQGe6yt2G
efpD1+qY/QxK+JBB45Y5E6TEudNPzhhNY/9BsImPvHLSD95ikMYHVs2jCIquTXdT
UC1fyaXKU5T1qQZd1XxTX+HEaFGIInRHRWvjw2z92LNM35Ul6vJU5R8f8yVZIRAG
Y+J8/4qBRd2w23uUupNWQw6QYdW3Q3K6LVZc3K9ykJ8/zNaYBLT/dUXd3L2UYPO7
glWmO3oJynGc0kQczq/ohtCiUtKkXigYZ1feFC0nrFsVa7+Edzao5LOCYNhd9ASM
KZBL11VYvQ9pdjeWa4yd/VuTtG6l3GwN1AHXY+dLYdG3lrB0UmTNfyHZoJtIJ+yd
cmTZHhfvQ5djjCDwuNxN6NLuAKkzBzUNK3CMi7swKwym7agidMtf4G/WUAy981+P
502RGEtEDO98egA7yEXjGNB0vh7wuqyUKtugsCpGYQhuto42L8nEUogM69JK8Z9J
d2xs9PM/N8DEFdOXc73MMYnZejstoZ71t79MyEKw/3flKMADJE3x1xebnOMIj4CI
32Mnc0YHnmeADuYRtbk8omEOQAlWJrCFRUMr8+uSfvUb8QChuhKZDURRKQARAQAB
tEBJQk0gei9PUyBDb25uZWN0IEVudGVycHJpc2UgRWRpdGlvbiBVbmxpbWl0ZWQg
PHBzaXJ0QHVzLmlibS5jb20+iQI6BBMBCAAkBQJkFNHFAhsPBQsJCAcCBhUKCQgL
AgQWAgMBAh4BBQkAAAAAAAoJELBRtMIty7kNhqwP/1YQPQECXMUqno1z0OfQK+Wn
+eVQlS8cwvgarpKMv/a3tjFwggJvTaB6TRzdEcBHMSaXqY0+ljnHn7pHWtIQA3uR
FZszNWWzsRG9ahlne2NqjIwzCrvIN0BNKL3LSsJWOOptSTSjCxqeg9UmThdtXBu4
8DBCjHSsvtNa0hnSJG2tC5HQ3bnoduU1D7v9jZIP2SEg/lL6iZkKAz1HLxT9oqLL
KMpoUAVwRFN/wTFpQy83loxkU+xqXHgcq0htZWWspeqRrTSGkhtqEDcO8Bt3jSQ0
p9U7Bq9chpmEwngN5WwtvxXcrMMerlbaVJ6jLbNnJwERv+Q5N36Wl1hoNffV6Itw
LOYp4rfqO6eV5yFmC2gYLq6xMEHHM4q8nUQ1KhmwoARzwXJuRxocDl62kjq2YBOR
6H8WLZmHuE0ba0dp4JR+Wg99no2Sud4dT6Rs/ZylezyJGaFEEK7NNrl+G1JYVbms
Ynq6McZVz+Hcqow5k7PsZ4KviFb+F/DlP/lNCDlabFy+IC0gD4gjoKYbyOed+rKc
ZUd4DDxLl2KqEUiItn3aIU3epLAf9MtrGd+tugwMQPaq0v2Gep8zntuWew2TWEoy
c7C0udUwdjw1q4SwyJzYwiapwz6LCu+dlu7sf2Kxds5USYBWsrTxVzga3/BtRghK
V7Pi5/oMEPjk9O7eoOnL
=2ZDV
-----END PGP PUBLIC KEY BLOCK----

About this task

z/OS Connect images are signed. If you need to verify the image signatures, complete the following procedure.

Enabling signature verification when container images are pulled to a host system can be automated. For information on automating image signature verification, see A launch icon to indicate a link opens a new tab or window. Verifying image signing for Red Hat Container Registry.

Some of the steps in this procedure use gpg. GPG2 is the extended version of GPG and gpg2 can be used instead of gpg.

Procedure

  1. Import the z/OS Connect public key on the machine that you prepared according to the Prerequisites section: 
    sudo gpg --import PRD0012028key.pub.asc
    This step needs to be done only once on each machine you use for signature verification.
  2. Calculate the fingerprints: 
    fingerprint=$(sudo gpg --fingerprint --with-colons | grep -B1 'IBM z/OS Connect Enterprise Edition Unlimited' | grep fpr | tr -d ‘fpr:’)

    This command stores the keys' fingerprint in an environment variable that is called fingerprint, which is needed to verify the signature. When you exit your shell session, the variable is deleted. The next time that you log in to your machine, you can set it again by rerunning the command.

  3. Log in to Skopeo. 
    sudo skopeo login icr.io
  4. Create a directory for the image and use skopeo to pull it into local storage: 
    mkdir images

    sudo skopeo copy docker://icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100 dir:./images -a

    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose). If the source image is a list of images for different architectures, the -a attribute copies all of the images.

    Tip: One of these files is a manifest file that is named images/manifest.json, and a signature file named images/signature-1. You reference both these files in the next step (in the command to verify the signature).
  5. Verify the signature: 

    sudo skopeo standalone-verify ./images/manifest.json icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100 ${fingerprint} ./images/signature-1

    The confirmation output should be similar to the following where the sha256 value is a 64-byte hexadecimal string. 

    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000

Results

The z/OS Connect Server image signature has been successfully verified.

Build a z/OS Connect API image

About this task

To build a z/OS Connect API image from your API project, you must use the container platform tool of your choice to build an image FROM the z/OS Connect Server image.

To prepare your z/OS Connect API project image for a container environment, you must use the z/OS Connect Server image. For more information, see Download a z/OS Connect Server zosConnect-3.0 feature image.

Procedure

  1. Make sure that your container build environment is running.
  2. Go to the root of your z/OS Connect API project.
  3. Ensure that the Dockerfile within the z/OS Connect API project references your downloaded z/OS Connect Server image in the FROM instruction.
    For example, 
    
FROM icr.io/zosconnectunlimited/ibm-zcon-server:3.0.100
    Note: The tag references the specific version of the z/OS Connect Server image that is being used. Using the tag `latest` adds the risk of updating the image automatically, and a newer version is used on later builds.
  4. Log in to the private Container Registry.
    Note: This is not the IBM Cloud Container Registry, but the registry where you host your z/OS Connect API image.
    For example, 
    docker login example.io
  5. From the same location as the Dockerfile, build the z/OS Connect API image locally.
    By using Docker, the following command is an example where,
    • example.io is the Container Registry.
    • zcon-employees-api is the chosen image name.
    • v1.0.0 is the image tag.
    The command is run from the same location as the Dockerfile.
    docker build -t example.io/zcon-employees-api:v1.0.0 .
    Note: The trailing period '.' in the command states to use the current directory as the build context.
    This z/OS Connect API image is now stored locally in the private container. In this example, the z/OS Connect API image is stored locally in the Docker private container.
    Important: The z/OS Connect API image is a multi-architecture image and defaults to an architecture that matches the system on which it is built. To build a z/OS Connect API image with a different architecture to your build system, use docker build --platform <os/arch> to specify the target platform for the build output. For example, 

    docker build --platform linux/amd64 -t example.io/zcon-employees-api:v1.0.0 .

    For more information, see A launch icon to indicate a link opens a new tab or window. Building multi-platform images.

  6. Push the z/OS Connect API image to the remote private Container Registry.

    For example, 
    docker push example.io/zcon-employees-api:v1.0.0
    Note: Using the tag latest adds the risk of updating the image automatically when deployed with Red Hat OpenShift.

Results

The container runtime, for example Docker, validates a successful push. The z/OS Connect API image is now hosted in the private Container Registry registry to access externally with valid login credentials.

Log in to your private Container Registry to verify the successful push of the z/OS Connect API image.

Install the IBM Operator Catalog in Red Hat OpenShift

Installing the IBM Operator Catalog in Red Hat OpenShift Container Platform OperatorHub.

Before you begin

The following tasks must be completed.

About this task

Create and apply the ibm-operator-catalog CatalogSource resource to the cluster to enable the IBM Operator Catalog to include all IBM Operators, such as the IBM z/OS Connect Operator.

After you complete this task, the IBM z/OS Connect Operator is available in the OperatorHub section of the Red Hat OpenShift Container Platform.

Procedure

  1. Log in as cluster-admin to the Red Hat OpenShift Container Platform web console, and ensure that you are using the Administrator perspective by using the left navigation.
  2. Click The plus icon is located on the header at the top of the perspective. to open the import YAML page.
  3. Click Project. From the drop-down menu, make sure that Show default projects is on and select openshift-marketplace.
  4. Copy the following CatalogSource YAML file into the editor. 
    apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
 name: ibm-operator-catalog
 namespace: openshift-marketplace
spec:
 displayName: IBM Operator Catalog
 publisher: IBM
 sourceType: grpc
 image: icr.io/cpopen/ibm-operator-catalog
 updateStrategy:
   registryPoll:
       interval: 45m
  5. Click Create.
  6. Verify that the CatalogSource is successfully applied:
    1. Wait for the status field in the Details section to become READY.
    2. Ensure that the IBM z/OS Connect Operator appears in the Operators section.

Results

The IBM Operator CatalogSource is successfully applied and the z/OS Connect tile that is used in the next task is available in the Red Hat OpenShift Container Platform OperatorHub.

Install the IBM z/OS Connect Operator

Install the IBM z/OS Connect Operator to deploy z/OS Connect APIs in a Container Platform.

About this task

The IBM z/OS Connect Operator is an application that is deployed to the Red Hat OpenShift Container Platform, by using Red Hat OpenShift Web Console OperatorHub. Once installed, the ZosConnect Custom Resource (CR) is available on the cluster, where the z/OS Connect API deployment details are defined. The IBM z/OS Connect Operator watches for the ZosConnect CR, and uses it to create the resources needed for the deployment of a z/OS Connect API in Red Hat OpenShift Container Platform.

The IBM z/OS Connect Operator supports two installation modes that determine its scope in the cluster.
  • Default - The AllNamespaces installation mode supports a single IBM z/OS Connect Operator to be installed in the cluster, which watches for ZosConnect CR instances that are created in any namespace.
  • The OwnNamespace installation mode supports multiple IBM z/OS Connect Operators to be installed in the cluster, however it only watches for ZosConnect CR instances that are created in its own namespace.
The two installation modes depend on your workload and are mutually exclusive in a single Red Hat OpenShift Cluster.
Important: You can install only one IBM z/OS Connect Operator per namespace. Therefore, a single IBM z/OS Connect Operator can manage multiple instances of the ZosConnect CR, therefore multiple z/OS Connect API deployments.

Procedure

  1. Log in as cluster-admin to the Red Hat OpenShift Container Platform web console. Ensure that you are using the Administrator perspective by using the left navigation.
  2. Click Operators > OperatorHub in the left navigation.
  3. Search for z/OS Connect and click the IBM z/OS Connect tile.
  4. Click Install.
  5. From the Install Operator page, complete the fields as follows:
    1. Installation Mode
      All namespaces on the cluster (default)
      For the AllNamespaces install mode, the IBM z/OS Connect Operator is installed to the openshift-operators namespace and watches all namespaces on the cluster for instances of the ZosConnect CR. This means that a IBM z/OS Connect Operator can be installed only once in this mode.
      For the OwnNamespace install mode, the IBM z/OS Connect Operator is installed to a namespace of your choice and watches all instances of a ZosConnect CR in isolation to this namespace. This means that an IBM z/OS Connect Operator can be installed multiple times in this mode.
    2. Installed Namespace Select a namespace from this list or create a new namespace.
      Note: Installed Namespace is only an option if you selected OwnNamespace for the installation mode.
    3. Update Approval To automatically update the running instance of your IBM z/OS Connect Operator whenever new updates are made available to the channel, select Automatic (the default). If you want to review and approve an update manually, select Manual.
      Note:
      1. You can change the approval strategy later.
      2. Automatic Update Approval updates the IBM z/OS Connect Operator in a connected environment. Automatic updates aren't applicable for offline (airgapped) environments.
  6. Click Install.
  7. If you selected Manual for the Approval Strategy field, manually review and approve the install plan.
  8. Verify the IBM z/OS Connect Operator installation.
    A message is displayed on the Operators > OperatorHub page, similar to Figure 1, confirming the successful installation of the IBM z/OS Connect Operator to the Red Hat OpenShift Container Platform.
    Figure 1. Successful Operator installation
    Image displaying successful z/OS Connect Operator installation.
    Tip: To view the installation status of the IBM z/OS Connect Operator after the installation procedure is complete, navigate to Operators > Installed Operators, and select your project from the Projects drop-down. IBM z/OS Connect is listed with a status of Succeeded.
  9. View the deployed IBM z/OS Connect Operator Pods.
    To view the deployed IBM z/OS Connect Operator Pods, click View Operator to see the Operator details page. Scroll to the ClusterServiceVersion details section and click the ibm-zcon-zosconnect-controller-manager deployment that is listed under Operator Deployments.

    From the Deployment details page, click the Pods tab where the IBM z/OS Connect Operator Pod is shown as Status > Running and Ready > 2/2.

Configure an image pull secret in the Container Platform

About this task

In this task, an image pull secret is created in Red Hat OpenShift Container Platform that contains the Container Registry location and credentials for the z/OS Connect API built in Build a z/OS Connect API image. For more information, see A launch icon to indicate a link opens a new tab or window. Using image pull secrets.

Procedure

  1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure you are in the Developer perspective by using the left navigation.
  2. Click Secrets in the left navigation.
  3. Select a Project to view the list of Secrets or create a Project.
    Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must create a Project.
  4. Click Create in the upper right of the Secrets page and select Image pull secret.
  5. Enter a Secret name.
    For example, zosconnect-pull-secret.
    Note: The Secret name is used as a reference in Create a ZosConnect Custom Resource (CR) - Operand Deployment.
  6. Enter the Registry server address for the location of the z/OS Connect API.
    For example, privateregistry.example.com.
  7. Enter the Username for the Container Registry defined in Step 6.
  8. Enter the Password for the Container Registry defined in Step 6.
  9. Click Create.
  10. The Secret is added to the Secrets page and is ready for use.

Results

Click Reveal values in the Data section. Your credentials are appended to the .dockerconfigjson file.

What to do next

If your API project requires environment variables for the connection and credential details, go to Configure environment variables (Optional).

If you need to configure TLS, see Configure Transport Layer Security (TLS) in a Container Platform (Optional). For more information about TLS, see A launch icon to indicate a link opens a new tab or window. Self-Serviced End-to-end Encryption Approaches for Applications Deployed in OpenShift

If you use volumes in a container platform to mount keystores for your z/OS Connect API image to use, see Configure volumes (Optional).

Otherwise, you have completed the preparation steps and are ready to deploy your z/OS Connect API image. For more information, see Create a ZosConnect Custom Resource (CR).

Configure environment variables (Optional)

Use ConfigMap and Secret Objects in a Container Platform to store the connection and credential configuration values for your z/OS Connect API image to use.

About this task

If the z/OS Connect API image built in Build a z/OS Connect API image contains a z/OS Connect API project with connection and credential environment variables, you must use a ConfigMap, and optionally a Secret in the Red Hat OpenShift Container Platform.

The ConfigMap and Secret Objects store the connection and credential configuration values in the Red Hat OpenShift Container Platform. These are then mapped to your z/OS Connect API image in the Create a ZosConnect Custom Resource (CR) instance.

The z/OS Connect API project connection and credential configurations are in the ../liberty/config directory.

  • A ConfigMap is used to store connection information. For example, a ../liberty/config/db2.xml with 
    <zosconnect_db2Connection id="db2Conn" host="${DB2_HOST}" port="${DB2_PORT}" credentialRef="commonCredentials" />
    To create a ConfigMap, follow the ConfigMap steps in the following procedure.
  • A Secret is used to store credential information. For example, ../liberty/config/db2.xml with 
    <zosconnect_credential user="${DB2_USERNAME}" password="${DB2_PASSWORD}" id="commonCredentials" />
    To create a Secret, follow the Secret steps in the following procedure.
Note: This procedure demonstrates how the connection and credential environment variables that are shown in the db2.xml examples can be added to a ConfigMap and Secret in Red Hat OpenShift.

If you require environment variables, complete the procedure in order.

Procedure

  1. ConfigMap
    1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure you are in the Developer perspective by using the left navigation.
    2. Click ConfigMaps in the left navigation.
    3. Select the Project to view the list of ConfigMaps or Create a Project.
      Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must Create a Project.
    4. Click Create ConfigMap in the upper right of the ConfigMaps page.
    5. Switch Config via value to YAML view using the radio-buttons.
    6. Add the ConfigMap name and your connection information to the Create ConfigMap page.
      In this example, DB2_HOST and DB2_PORT are specified as Key-Value pairs. Customize the values as appropriate.
      apiVersion: v1
kind: ConfigMap
metadata:
  name: <unique ConfigMap name>
  namespace: <project name>
data:
  DB2_HOST: <db2 host address> 
  DB2_PORT: '<db2 port>'
      Note:
    7. Click Create.
    8. The ConfigMap is added to the ConfigMaps page and is ready for use.
  2. Secret
    1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console, and ensure you are in the Developer perspective by using the left navigation.
    2. Click Secrets in the left navigation.
    3. Select a Project to view the list of Secrets or Create a Project.
      Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must Create a Project.
    4. Click Create in the upper right of the Secrets page and select Key/value secret.
    5. Enter a Secret name.
      For example, sample-db2-cred.
      Note: The Secret name is used as a reference in Create a ZosConnect Custom Resource (CR) instance - Operand Deployment.
    6. Enter the username key in the Key field.
      For example, DB2_USERNAME.
    7. Enter the username credential in the Value field.
      For example, JoeSmith.
      This is the DB2_USERNAME for the DB2_HOST defined in Step 1.
    8. Click Add key/value.
    9. Enter the password key in the Key field.
      For example, DB2_PASSWORD.
    10. Enter the password credential in the Value field.
      In this example, the DB2_PASSWORD is the Value for DB2_USERNAME JoeSmith.
      Note: The Secret values should be encrypted at rest. For more information, see A launch icon to indicate a link opens a new tab or window. Encrypting Confidential Data at Rest.
    11. Click Create.
    12. The Secret is added to the Secrets page and is ready for use.

What to do next

If you need to configure TLS (secure networking configuration options), see Configure Transport Layer Security (TLS) in a Container Platform (Optional). For more information, see A launch icon to indicate a link opens a new tab or window. Self-Serviced End-to-end Encryption Approaches for Applications Deployed in OpenShift.

If you use volumes in a container platform to mount keystores for your z/OS Connect API image to use, see Configure volumes (Optional).

Otherwise, the preparation steps are complete and you are ready to deploy your z/OS Connect API image. For more information, see Create a ZosConnect Custom Resource (CR) instance .

Configure Transport Layer Security (TLS) in a Container Platform (Optional)

Configuring TLS (secure networking configuration options) for a z/OS Connect API deployed to a Container Platform with the IBM z/OS Connect Operator.

Before you begin

This page outlines the secure networking (TLS) configuration options for a z/OS Connect API deployed to a Container Platform with the IBM z/OS Connect Operator.

If your z/OS Connect API requires environment variable configuration for connection and credential details, you must complete the configuration preparation steps before starting this section. For more information, see Configure environment variables (Optional).

Important: This page does not describe how to configure security (Transport Layer Security) for a z/OS Connect Server. For more information on securing z/OS Connect resources, see Securing IBM z/OS Connect resources for zosConnect-3.0.

About this task

At the end of this topic, you will understand the methods of configuring TLS for a z/OS Connect API deployed to a Container Platform. You will have completed the preparation steps required for the next topic, Create a ZosConnect Custom Resource (CR) instance.

If the platform is Red Hat OpenShift, you will know about the TLS termination types that are offered by Red Hat OpenShift Routes, and might or might not have created a certificateSecret object containing TLS certificates, in preparation for creating a secured Route in the next topic.

If the platform is native Kubernetes, you will know about the TLS configuration method that is offered by Kubernetes Ingress, and will have created a certificateSecret object containing TLS certificates, in preparation for creating a secured Ingress in the next page.

The procedure as part of this page outlines how to create the certificateSecret Secret object for Red Hat OpenShift Routes and native Kubernetes Ingress, if this is required for your chosen configuration.

Routes

In Red Hat OpenShift, a router is deployed to the cluster that functions as the Ingress endpoint for external network traffic. This route exposes the service for an application so that any external device can access it. It can be either secure or unsecured, depending on the network security configuration of your application. The focus of this section is on secured routes as these require additional steps in storing TLS keys and/or certificates.

There are three types of security routes, each defined by the TLS termination type:
  1. Edge, which requires an insecure z/OS Connect Server.
  2. Passthrough, which requires a secure z/OS Connect Server. For more information, see Securing IBM z/OS Connect resources for zosConnect-3.0.
  3. Re-encrypt, which requires a secure z/OS Connect Server. For more information, see Securing IBM z/OS Connect resources for zosConnect-3.0.
Note: Where application is referenced, this is the Pod resource on the Container Platform containing the z/OS Connect API.
Edge

With Edge termination, a TLS connection is established between the client and the router, and then terminated at the router. The connection between the router and the application is unencrypted. This is shown by TLS and clear in the diagram.

The TLS connection is created with a certificate/key pair in PEM-encoded format, where the certificate is valid for the route host. Also, a separate CA certificate in a PEM-encoded format can be used to complete the certificate chain. In Red Hat OpenShift, the router provides its own certificate/key pair and CA certificate defaults in PEM-encoded format. To provide your own values, see A launch icon to indicate a link opens a new tab or window. Replacing the default ingress certificate and add tls.key, tls.crt and optionally ca.crt from Table 2 to the certificateSecret in the procedure. If not specified, the router defaults are used.

As the TLS connection terminates at the router, there is no method of providing trust between the router and the application with Edge. Therefore, the z/OS Connect Server must not have TLS enabled. However, the Re-encrypt termination type provides this functionality, see Re-encrypt.

Image showing Edge Route end to end encryption
Table 2. Edge key/value pairs for certificateSecret
Key Value Note Required
tls.key

TLS key in PEM-encoded format as part of certificate/key pairing.

If not specified, the Red Hat OpenShift router defaults are used. Optional
tls.crt

TLS certificate in PEM-encoded format as part of certificate/key pairing.

 If not specified, the Red Hat OpenShift router defaults are used. Optional
ca.crt

TLS CA certificate in PEM-encoded format that completes the certificate chain.

 If not specified, the Red Hat OpenShift router defaults are used. Optional
If you are not using the router default values for tls.key, tls.crt and optionally ca.crt, follow the steps in the procedure to configure the certificateSecret for Edge with the key/values in the Table 2. This certificateSecret is referenced in the certificateSecretRef field in step 6.f when creating the z/OS Connect Custom Resource instance. This is where the Edge route is created by the IBM z/OS Connect Operator for z/OS Connect API deployment.
Pass-through

With Passthrough termination, encrypted traffic is sent straight to the destination without the router providing TLS termination. Therefore, no key or certificate is required on the route. The application is responsible for serving certificates for the traffic at the endpoint, therefore TLS must be enabled on the z/OS Connect Server. This is currently the only method that can support requiring client certificates, also known as two-way authentication.

Image showing Pass-through Route end to end encryption

There are no additional configuration steps that are required for TLS when implementing pass-through. You have completed the preparation steps and are ready to for z/OS Connect API deployment. For more information, see Create a ZosConnect Custom Resource (CR) instance.

Re-encrypt

With Re-encrypt termination, a TLS connection is established between the client and the router, and then terminated at the router. The TLS connection is then re-encrypted, establishing a new TLS connection between the router and the application. This is shown by TLS1 and TLS2 in the diagram respectively.

TLS1 is created with a certificate/key pair in PEM-encoded format, where the certificate is valid for the route host. Also, a separate CA certificate in a PEM-encoded format can be used to complete the certificate chain. In Red Hat OpenShift, the router provides its own certificate/key pair and CA certificate defaults in PEM-encoded format. To provide your own values, see Replacing the default ingress certificate and add tls.key, tls.crt and optionally ca.crt in the Table 3 to the certificateSecret in the procedure. If not specified, the router defaults are used.

TLS2 is created with a separate destination CA certificate in PEM-encoded format. This certificate belongs to the application, therefore the z/OS Connect Server must have TLS enabled. Because the router re-encrypts the connection, it acts as an internal consumer and it trusts the internal certificate by the application. To provide this certificate, add destCA.crt the certificateSecret in the procedure.

Image showing Re-encrypt Route key/value pairs for SecretRef
Table 3. Re-encrypt key/value pairs for certificateSecretRef
Key Value Note Required
tls.key

TLS key in PEM-encoded format as part of certificate/key pairing.

If not specified, the Red Hat OpenShift router defaults are used. Optional
tls.crt

TLS certificate in PEM-encoded format as part of certificate/key pairing.

 If not specified, the Red Hat OpenShift router defaults are used. Optional
ca.crt

TLS CA certificate in PEM-encoded format that completes the certificate chain.

 If not specified, the Red Hat OpenShift router defaults are used. Optional
destCA.crt

TLS CA certificate of the application in PEM-encoded format.

 This certificate is inside the z/OS Connect Server and configured in Config TLS PKCS12. Yes
Follow the steps in the procedure to configure the certificateSecret for Re-encrypt with the key/values in Table 3. This certificateSecret is referenced in the certificateSecretRef field in step 6.f when creating the z/OS Connect Custom Resource instance. This is where the Re-encrypt route is created by the IBM z/OS Connect Operator for z/OS Connect API deployment.
Ingress
Note: The IBM z/OS Connect Operator does not support Ingress on Red Hat OpenShift Container Platform.
A launch icon to indicate a link opens a new tab or window. Ingress resources are Kubernetes-native resources that play the same role as Red Hat OpenShift Routes. The Kubernetes Ingress definition only currently supports a single TLS port 443, and assumes Edge TLS termination. The TLS connection is created with a certificate/key pair in PEM-encoded format, where the certificate is valid for the ingress host.
Table 4. Ingress key/value pairs for certificateSecretRef
Key Value Note Required
tls.key

TLS key in PEM-encoded format as part of certificate/key pairing.

If not specified, the Red Hat OpenShift router defaults are used. Yes
tls.crt

TLS certificate in PEM-encoded format as part of certificate/key pairing.

 If not specified, the Red Hat OpenShift router defaults are used. Yes
Follow the steps in the procedure to configure the certificateSecret for Ingress with the key/values in Table 4 certificateSecretRef. This certificateSecret is referenced in the certificateSecretRef field in step 6.f when creating the z/OS Connect Custom Resource instance. This is where the Ingress is created by the IBM z/OS Connect Operator for z/OS Connect API deployment.

Procedure

  1. Red Hat OpenShift Routes
    Note: Use the following procedure to create the certificateSecret depending on the TLS Termination type and configuration, if required.
    1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure that you are in the Developer perspective by using the left navigation.
    2. Click Secrets in the left navigation.
    3. Select a Project to view the list of Secrets or create a Project.
      Note: This Project is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a Project does not exist, you must create a Project.
    4. Click Create in the upper right of the Secrets page and select Key/value secret.
    5. Enter a Secret name.
      Note: The Secret name is used as a reference in Operand Routes for the certificateSecretRef field.
    6. Enter the Key from the table into the Key field and enter the Value from the table into the Value field. Repeat for all applicable Key/Value pairs in the table for your chosen TLS Termination Type.
    7. Click Create.
  2. Native Kubernetes Ingress
    1. Install Kubernetes CLI (kubectl). For more information, see A launch icon to indicate a link opens a new tab or window. Installing the CLI.
    2. Log in to your Kubernetes cluster.
    3. Add tls.key and tls.crt to separate files.
    4. Run the following command to create the secret in the namespace where the z/OS Connect API is to be deployed.
      Note: This namespace is the environment where your z/OS Connect APIs are deployed. Your Administrator might have created it depending on the IBM z/OS Connect Operator installModes configuration. If a namespace does not exist, you must create one.
      kubectl create secret <secret-name> --namespace <your_namespace> --key /path/to/tls.key --cert /path/to/tls.crt

Results

The certificateSecret is added to the Secrets page and is ready for use in the Operand Routes for the certificateSecretRef field.

What to do next

If you use volumes in a container platform to mount keystores for your z/OS Connect API image to use, see Configure volumes (Optional).

If you don't use volumes in a container platform, you are ready to deploy your z/OS Connect API. For more information, see Create a ZosConnect Custom Resource (CR) instance.

Configure volumes (Optional)

Use volumes in a container platform to mount keystores for your z/OS Connect API image to use. Volumes are mounted file systems available to pods and their containers.

About this task

In this task, all artifacts that are required for SSL configuration in a z/OS Connect Server are stored in Secret objects in Red Hat OpenShift. This includes keystores, truststores, and certificate passwords. These are mounted to the z/OS Connect API pod through volumes in the Create a ZosConnect Custom Resource (CR) instance section.

The following example shows a configuration file with SSL within a z/OS Connect Server and keystore elements configured. In the procedure, CERTIFICATE_PASSWORD, clientKey.p12 and clientTrust.p12 are stored as Secret Objects in Red Hat OpenShift Container Platform.

<ssl id="sslCertificates" keyStoreRef="clientKeyStore" trustStoreRef="clientTrustStore"/>

<keyStore id="clientKeyStore" password="${CERTIFICATE_PASSWORD}" location="${server.config.dir}/resources/security/clientKey.p12" type="PKCS12"/>  
<keyStore id="clientTrustStore" password="${CERTIFICATE_PASSWORD}" location="${server.config.dir}/resources/security/clientTrust.p12" type="PKCS12"/>
Where
  • clientKey.p12 and clientTrust.p12 are example PKCS12 certificate files that were preconfigured in the procedure How to configure a TLS connection with PKCS12 keystores. The .p12 format is used here for illustration purposes; other certificate formats are also supported.
  • CERTIFICATE_PASSWORD is the password for the clientKey.p12 and clientTrust.p12 certificates.

Procedure

  1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Make sure that you are in the Developer perspective by using the navigation.
  2. Click Secrets in the navigation.
  3. Select a Project to view the list of Secrets or Create a Project.
    If a Project does not exist, you must Create a Project.
  4. Click Create on the Secrets panel and select Key/value secret.
  5. Enter a Secret name.
    For example, keystore-secret.
  6. Enter the keystore key in the Key field.
    For example, clientKey.p12.
  7. Enter the keystore contents in the Value field.
    For example, the clientKey.p12 certificate in plain text.
  8. Click Create.
  9. Click Secrets in the navigation.
  10. Click Create on the Secrets panel and select Key/value secret.
  11. Enter a Secret name for the truststore certificate.
    For example, truststore-secret
  12. Enter the truststore key in the Key field.
    For example, clientTrust.p12
  13. Enter the truststore contents in the Value field.
    For example, clientTrust.p12 certificate in plain text.
  14. Click Create.

To create the CERTIFICATE_PASSWORD, complete the following steps:

  1. Click Secrets in the navigation.
  2. Click Create on the Secrets panel and select Key/value secret.
  3. Enter a Secret name for the certificate password.
    For example, certificate-password.
  4. Enter the certificate key in the Key field.
    For example, CERTIFICATE_PASSWORD.
  5. Enter the certificate credential in the Value field.
    For example, the CERTIFICATE_PASSWORD in plain text.

Results

Check the Secrets panel to view the Secret you created.

What to do next

You are ready to deploy your z/OS Connect API. For more information, see Create a ZosConnect Custom Resource (CR) instance.

If you have configured volumes in the container platform, you must also complete the Optional - Volume steps that are part of the Create a ZosConnect Custom Resource (CR) instance steps. These steps ensure that:

  • The CERTIFICATE_PASSWORD is mapped to the z/OS Connect API pod as an environment variable.
  • The clientKey.p12 and clientTrust.p12 files are mounted to the z/OS Connect API pod as volumes at the defined location.

Complete the Create a ZosConnect Custom Resource (CR) instance steps, including the Optional - Volume steps when you reach them in the following procedure.

Create a ZosConnect Custom Resource (CR) instance

Creating a ZosConnect Custom Resource (CR) instance to enable deployment of your z/OS Connect API project.

About this task

In this section, a z/OS Connect API is deployed to the Red Hat OpenShift Container Platform. This is done by creating an instance of the ZosConnect Custom Resource (CR) that is enabled on the Red Hat OpenShift Cluster by the IBM z/OS Connect Operator.

To create an instance of the ZosConnect CR, you must specify the configuration details for the z/OS Connect API to be deployed.

The IBM z/OS Connect Operator automatically creates the necessary resources for the z/OS Connect API to run as specified in the ZosConnect CR.

Important: A single IBM z/OS Connect Operator can manage multiple instances of the ZosConnect CR, therefore multiple z/OS Connect API deployments.

Procedure

  1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Ensure that you are in the Developer perspective by using the left navigation.
  2. From the navigation, click +Add.
    Select the project that you are creating a ZosConnect CR instance for. Create a project if one doesn't exist.
  3. In the Add page, select Operator Backed from the Developer Catalog section.
  4. Search for ZosConnect, and then click the ZosConnect tile.
  5. From the ZosConnect panel, click Create.
  6. Complete the following fields on the Create ZosConnect page to define the ZosConnect Custom Resource:
    1. Specify a Name for your ZosConnect CR instance to associate it with your API.
    2. Optional: Specify additional Labels for your ZosConnect CR instance.
    3. Operand License Structure

      Expand the Operand License Structure section by using A right chevron icon to the right of the page.

      Accept Operand License - Click the check-box, or in later versions of Red Hat OpenShift toggle the radio button to reflect true to accept the license.

      Note: Accept the license for the IBM z/OS Connect Operator to create the resources.
    4. Operand Deployment
      Expand the Operand Deployment section by using A right chevron icon to the right of the page and complete the fields as detailed in Table 5.
      Table 5. Operand Deployment
      Field Value Note
      Container Port For HTTP, 9080.

      For HTTPS, 9443.

      		 This value maps to the available ports defined in a z/OS Connect API.
      Note: This value must be consistent with the Port and Target Port values in the Operand Service step.
      Image Enter the image for the z/OS Connect API to deploy. You can find the steps to build a z/OS Connect API image here Build a z/OS Connect API image.
      Pull Policy Defaults to IfNotPresent. The image is updated when it is not already present on the cluster.
      Note: For more information about this native Kubernetes feature, see A launch icon to indicate a link opens a new tab or window. Image Pull Policy.
      Pull Secret Name of the Secret to use to pull images from the specified repository. For more information, see Configure an image pull secret in the Container Platform.
      Replicas Number of Pod replicas to be deployed to the cluster for the z/OS Connect API.
      Note: This value can be scaled up or down manually after the deployment if needed. More details on Pod replication can be found here.
      Volume All volumes are available to the z/OS Connect API pod. The volumes are not accessible by the z/OS Connect API pod unless mounted.
      VolumeMounts Volumes that are mounted on the z/OS Connect API pods container The name value must match the wanted volume name.
      Optional - Environment variables
      If you completed Configure environment variables (Optional), you must complete the following steps for the data within the ConfigMap and Secret objects to be mapped to the connection and credential tags in the z/OS Connect API image.
      1. Go to the start of the page, switch the view using the Configure via: YAML view to manually edit the ZosConnect CR.
      2. Add the values to the spec.deployment.env field in the ZosConnect CR.
        Note: Do not save the yaml file. It is done automatically.

        For example, 

        spec:
  deployment:
    env:
      - name: DB2_HOST
        valueFrom:
          configMapKeyRef:
            key: DB2_HOST
            name: sample-db2-conn
      - name: DB2_PORT
        valueFrom:
          configMapKeyRef:
            key: DB2_PORT
            name: sample-db2-conn
      - name: DB2_USERNAME
        valueFrom:
          secretKeyRef:
            key: DB2_USERNAME
            name: sample-db2-cred
      - name: DB2_PASSWORD
        valueFrom:
          secretKeyRef:
            key: DB2_PASSWORD
            name: sample-db2-cred
        This adds DB2_HOST and DB2_PORT values from the sample-db2-conn ConfigMap and adds DB2_USERNAME and DB2_PASSWORD values from the sample-db2-cred Secret. These environment variables are exported inside the z/OS Connect API image at run time.
        Note: Substitute the values for sample-db2-conn and sample-db2-cred to match the ConfigMap and or Secret created in Configure environment variables (Optional). If you do not require the optional Secret, remove the respective fields from the example.
      3. Switch the view back to using the Form view using Configure via:
      Optional - Volumes
      If you completed Configure volumes (Optional), you must complete the following steps for the data within the Secret objects to be mapped to the keystore tags in the z/OS Connect API image.
      1. Go to the start of the page, switch the view using the Configure via: YAML view to manually edit the ZosConnect CR.
      2. Add an environment variable for the certificate password by using the spec.deployment.env field.
      3. Add a volume for the keystore and truststore in the spec.deployment.volumes field.
      4. Mount the volume for the keystore and truststore to the container at defined location by using the spec.deployment.volumeMount field.
      5. The following example is a sample configuration for the SSL example that is shown in Configure volumes (Optional). Customize these values for your own configuration.
        spec:
  deployment:
    env:
      - name: CERTIFICATE_PASSWORD
        valueFrom:
          secretKeyRef:
            name: certificate-password
            key: CERTIFICATE_PASSWORD

    volumes:
      - name: truststore
        secret:
          secretName: truststore-secret
      - name: keystore
        secret:
          secretName: keystore-secret

    volumeMounts:
      - mountPath: /opt/ibm/wlp/usr/servers/defaultServer/resources/security/clientTrust.p12
        name: truststore
        subPath: clientTrust.p12
      - mountPath: /opt/ibm/wlp/usr/servers/defaultServer/resources/security/clientKey.p12
        name: keystore
        subPath: clientKey.p12
      6. Switch back to the Form view by selecting Configure via: and verify that the volume mounts and environment variables are correctly configured.
      Each certificate (clientTrust.p12 and clientKey.p12) is referenced from its respective secrets (truststore-secret and keystore-secret) and is stored in a volume (truststore and keystore). The volume is mounted by defining its mountPath that refers to the path inside the z/OS Connect API where the volume is mounted. The subPath property ensures that only the specific certificate file is mounted rather than the entire volume and the name under volumeMount matches the corresponding volume name.
    5. Operand Service
      Expand the Operand Service section by using the A right chevron icon to the right of the page.
      Table 6. Operand Service Config
      Field Value Note
      Port

      The port is exposed by the container.

      For HTTP, 9080

      For HTTPS, 9443

      		This allows a Service resource to communicate with the z/OS Connect API for Routes / Ingress.
      Note: This must be consistent with the Container Port value in the Operand Deployment step.
      Target Port The port that the operator assigns to containers inside pods. Defaults to the value of Operand Service Port. There are no notes for the Target Port field.
      Type ClusterIP There are no notes for the Type field.
      Note: The values for Port and Target Port must match.

    6. Operand Route
      Important:
      1. Use the Expose toggle to set the field to true. This displays the Operand Route section and enables the IBM z/OS Connect Operator to create the Route / Ingress resources, which are required for invoking the z/OS Connect.
      2. If you completed Configure Transport Layer Security (TLS) in a Container Platform (Optional), you must complete values for Termination and Certificate Secret Ref for the operand config to create a secured Route or Ingress.
      3. The following table defines fields that support both Red Hat OpenShift Routes and native Kubernetes Ingress. Select the fields that apply for your chosen configuration. If you do not require transport security, all of the Operand Route fields can be left blank.
      Expand the Operand Route section by using A right chevron icon to the right of the page.
      Table 7. Operand Routes Config
      Field Value Note
      Termination

      (Route)

      		 TLS termination policy for Route. Can be one of the edge, reencrypt, and, passthrough. Define the Red Hat OpenShift Route Transport Layer Security (TLS) termination policy. Required secured Route field.

      For an insecure Route, do not enter a value.
      Insecure Edge Termination Policy

      (Route)

      		 HTTP traffic policy with TLS enabled for Route. Can be one of Allow, Redirect and None. Defaults to Allow.
      Path

      (Route)

      (Ingress)

      		 Path to be used for Route or Ingress. This defaults to /.
      Certificate Secret Ref

      (Route)

      (Ingress)

      		 The name of a secret that already contains TLS key, certificate, and CA to be used for the Route or Ingress. It can also contain a destination CA certificate for Route. The following keys are valid in the secret: ca.crt, destCA.crt, tls.crt, tls.key.

      Optional for a secured Route field.

      Required for a secured Ingress field.

      For an insecure Route or Ingress, do not enter a value.
      Hostname

      (Ingress)

      		 Hostname to be used for the Ingress. Required Ingress field.
      Path Type

      (Ingress)

      		 Path Type to be used for the Ingress. Can be one of Prefix, Exact or ImplementationSpecific. Required Ingress field.

      For more information about Ingress Path Types, see A launch icon to indicate a link opens a new tab or window. Ingress Path Types.
  7. Click Create to create your ZosConnect CR instance.
    Important: To install another z/OS Connect API to the Red Hat OpenShift cluster, repeat the procedure for step 6.

    The IBM z/OS Connect Operator is designed to manage many ZosConnect Custom Resource instances, therefore many z/OS Connect API deployments. The following image shows a IBM z/OS Connect Operator managing 3 ZosConnect instances. Each ZosConnect instance is configured with a different z/OS Connect API image. These represent 3 separate z/OS Connect API deployments in Red Hat OpenShift.

    Figure 2. IBM z/OS Connect Operator with 3 separate ZosConnect instances
    IBM z/OS Connect Operator with 3 separate ZosConnect instances

Results

When the ZosConnect Custom Resource is created, the IBM z/OS Connect Operator creates the resources that are required for your chosen configuration based on the fields that are completed in this procedure. To view these resources, open the Topology page where the ZosConnect instance is created.

In the example shown in Figure 3, the name of the ZosConnect Custom Resource is zosconnect-sample. Click inside the dotted area of the zosconnect-sample Custom Resource to view the resources that are associated with the created ZosConnect Custom Resource.

Figure 3. Red Hat OpenShift Topology page displaying the zosconnect-sample custom resource
Red Hat OpenShift Topology page displaying the zosconnect-samplecustom resource.

The Pod containing the z/OS Connect API is created by the zosconnect-sample-deployment deployment. To view the Pod, click zosconnect-sample-deployment in the Resources tab to open the Deployment > Deployment details page. Navigate to the Pods tab to view the Pod.

In this example, the Pod Status is Running and 1/1 replicas are Ready. Only 1 Deployment>Replicas was specified for the ZosConnect Custom Resource.

Note:
  1. The Pods might take a few seconds to become ready.
  2. The Pods that are created by the IBM z/OS Connect Operator are annotated with productName, productID, and productMetric to allow the IBM License Service to recognize the z/OS Connect Pods should IBM License Service be required by other IBM products that are installed into the same cluster.

Invoke z/OS Connect APIs

About this task

In this task, the z/OS Connect API is deployed to the Red Hat OpenShift Container Platform by using a Red Hat OpenShift Route configured earlier in the procedure.

Note: You must have exposed the z/OS Connect API by checking the expose flag in the ZosConnect Custom Resource.

Procedure

  1. Log in as zcon-user to the Red Hat OpenShift Container Platform web console. Make sure that you are using the Developer perspective by using the left navigation.
  2. From the navigation, click Topology.
    Select the project where your ZosConnect instance is created.
    For example, zosconnect-sample-deployment.
  3. Click inside the dotted line around the ZosConnect instance.
    From the panel that opened to the side of the screen, make sure that you are viewing the Resources tab.
    Red Hat OpenShift Topology page displaying the ZosConnect instance.
  4. Click Red Hat OpenShift Route listed in the Resources tab to navigate to the Route > Route details page.
  5. Click the link in the Location field to invoke the z/OS Connect API that uses the Red Hat OpenShift Route.
    The Location value is the external URL path to the Pod. This is expected to return a 404 response. The z/OS Connect API operation URI values need to be appended to this value to invoke the API operations.
  6. Optional: Append a valid URI for the deployed z/OS Connect API onto the provided Route Location value to invoke the z/OS Connect API operation.
  7. The Red Hat OpenShift Route returns successfully.

Results

You successfully invoked a z/OS Connect API deployed to the Red Hat OpenShift Container Platform that uses a Red Hat OpenShift Route.