Configuring access to Integration Servers running in IBM z/OS Container Extensions (zCX)

If you use the supplied processing to build a docker image, you can choose from two methods to provide access to the running integration server. Which method you choose, depends on the level of access that you want to give to users who run IBM® App Connect Enterprise commands by using the supplied JCL.

About this task

Users need to access the zCX instance to interact with the integration server Docker container. Users who want to start, stop and delete integration servers, or maintain images, need to access the zCX instance by using the ZCX_SSH_KEY. You might prefer not to give this access to users who need only to access running integration servers and run IBM App Connect Enterprise commands. Instead, you can give those users ssh access directly into the integration server docker container without using the ZCX_SSH_KEY.

Procedure

Configure SSH access for IBM z/OS® Container Extensions (zCX) by completing one of the following steps:

  1. Optional: You can provide full access to the zCX instance by using the ZCX_SSH_KEY. Users who have this level of access can complete the following tasks:
    • Access a running integration server
    • Create, start, stop, and delete an integration server.
    • Maintain images.
    • Run IBM App Connect Enterprise commands.
    • Submit the JCL jobs BIPXPUT and BIPXGET
    To provide full access to the zCX instance by using the ZCX_SSH_KEY, complete the following steps:
    • Create an environment file ENVFILE.
    • Set the following environment variables in the environment file ENVFILE that you created:
      • ZCX_SSH_KEY
      • ZCX_SSH_PORT
      • ZCX_SSH_USER
  2. Optional: You can provide access directly into the integration server docker container without using the ZCX_SSH_KEY. Users who have this level of access can complete the following tasks:
    • Access a running integration server
    • Run IBM App Connect Enterprise commands.
    • Submit the JCL jobs BIPXPUT and BIPXGET
    To provide access directly into the integration server docker container without using the ZCX_SSH_KEY, complete the following steps:
    1. Before you create the integration server Docker image by running the JCL job BIPXBLD as described in Creating an IBM App Connect Enterprise Integration Server Docker image on IBM z/OS Container Extensions (zCX) by using the supplied JCL, you must create an SSH key pair as described in Provisioning an IBM z/OS Container Extensions (zCX) instance but with different name. For example, run the following command:
      ssh-keygen -t rsa -b 4096 -C "your_email@domain.com" -f aceserver1_rsa
      In this example, the private key is named aceserver1_rsa, and the public key is named aceserver1_rsa.pub.

      You can create separate keys for each integration server or share keys over multiple or all integration servers, depending on your access security needs. Each key pair needs its own integration server Docker image that contains the appropriate public key.

    2. Before you create the integration server Docker image by running the JCL job BIPXBLD as described in Creating an IBM App Connect Enterprise Integration Server Docker image on IBM z/OS Container Extensions (zCX) by using the supplied JCL, you must set the SERVER_ACCESS_SSH_PUBLIC_KEY environment variable. Set SERVER_ACCESS_SSH_PUBLIC_KEY to the name of the file that contains the public key. For example, /u/aceadmin/.ssh/aceserver1_rsa.pub.
    3. Before you use the image that you built in the previous step to start an integration server, as described in Starting an integration server on IBM z/OS Container Extensions (zCX) by using JCL, and Starting an integration server on IBM z/OS Container Extensions (zCX) by using IBM z/OS console commands, you must set the environment variable SERVER_ACCESS_SSH_PORT. Set SERVER_ACCESS_SSH_PORT to specify a port number to use for ssh access to the integration server Docker container. The port number must be unique over everything that runs in that zCX instance. When the integration server Docker container starts, it also starts an ssh server that listens on the port that you specified.
    4. When you run IBM App Connect Enterprise commands by submitting the JCL job BIPXISCM, BIPXPUT, or BIPXGET, as described in Running IBM App Connect Enterprise commands on IBM z/OS Container Extensions (zCX) by using JCL, do not specify ZCX_USER or ZCX_SSH_KEY in the environment variables file that is referenced by the JCL jobs.

      Set the SERVER_ACCESS_SSH_PORT environment variable to the port that you set when you started the integration server Docker container.

      Set the SERVER_ACCESS_SSH_KEY environment variable to the file that contains the private key that is associated with the public key that is built into the image. For example, /u/aceadmin/.ssh/aceserver1_rsa.

      If you set SERVER_ACCESS_SSH_PORT, only server SSH access is attempted, even if the zCX credentials are also specified. If neither are specified, the IBM App Connect Enterprise command fails.

What to do next

You can then use the supplied JCL to manage your integration servers and to run IBM App Connect Enterprise commands. For more information, see Administering IBM App Connect Enterprise on IBM z/OS Container Extensions (zCX) by using JCL.