IBM Support

Set up a Liberty collective on z/OS with SAF keyrings

How To


Summary

The example provides steps to set up a collective on z/OS with Admin Center using SAF keyrings.

Objective

The steps configure a controller and a member with SAF keyrings in a collective.
The collective is administered with Admin Center without requiring an Angel, the bbgzangl and bbgzsrv procs, or z/OS authorized services.

Environment

Liberty with Java 8, Java 11 or Java 17 for z/OS

The following image displays the controller and member certificates:
[image: controller and member certificates]
Member to Controller communication flow:
  • The member sends the personal certificate from its server identity keystore to the controller.
  • The controller verifies the certificate chain of the member's personal certificate by checking for the signer certificate in the collective trust keystore.
  • The controller confirms that the member's personal certificate is a collective certificate by checking that the member's personal certificate DN contains the value specified by the collectiveCertificate rdn attribute in the controller's server.xml.
Controller to Member communication flow:
  • The controller sends the personal certificate from its server identity keystore to the member.
  • The member verifies the certificate chain of the controller's personal certificate by checking for the signer certificate in the collective trust keystore.
  • The member confirms that the controller's personal certificate is a collective certificate by checking that the controller's personal certificate DN contains the value specified by the collectiveCertificate rdn attribute in the member's server.xml.

Controller SSH flow:

  • A pair of RSA keys is generated on server startup under ${server.config.dir}/resources/security/ssh.
  • The public key is added to the controller's ~/.ssh/authorized_keys file.
  • For operations such as start server and stop server, the controller performs SSH public key authentication to connect to the member's system. The private key is obtained from the controller's CollectiveSSH personal certificate.
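The two-stage acceptance decision in the flows above (signer present in the collective trust keystore, then the collectiveCertificate rdn present in the peer's subject DN) modelled in Python, as an added example that is not part of this IBM page and not Liberty's own code. The subject DNs are constructed from the RACDCERT commands in step 1; the function names are this example's own, and exact (case-sensitive) comparison of the RDN value is an assumption of the model, not a statement about Liberty.

```python
from __future__ import annotations
import re

# Constructed subject DNs, taken from the RACDCERT commands in step 1:
# the 'Member' certificate (1f) carries OU=Collective, 'MemberHTTPS' (1g)
# does not. HOST.NAME is the page's placeholder host name.
MEMBER_SERVER_IDENTITY_DN = 'CN=HOST.NAME, OU=Collective, O=IBM'
MEMBER_HTTPS_DN = 'CN=HOST.NAME, O=IBM, C=US'
CONFIGURED_RDN = 'OU=Collective'   # the collectiveCertificate rdn value


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a printable DN such as 'CN=HOST.NAME, OU=Collective, O=IBM'
    into (attribute, value) pairs. A comma inside a value is escaped with
    a backslash, as in RFC 4514 string form."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((attr.strip().upper(), value.replace('\\,', ',').strip()))
    return rdns


def is_collective_certificate(subject_dn: str, configured_rdn: str) -> bool:
    """True when the configured rdn is one of the RDNs of the subject DN.
    Attribute types compare case-insensitively (OU == ou); values compare
    exactly (an assumption of this model), so 'OU=collective' does not
    satisfy rdn="OU=Collective"."""
    want = parse_dn(configured_rdn)[0]
    return want in parse_dn(subject_dn)


def accept_peer_certificate(subject_dn: str, configured_rdn: str,
                            signer_in_collective_trust: bool) -> str:
    """Model of the two checks described for both directions of the flow:
    the chain must be anchored by a signer in the collective trust keystore,
    and the subject DN must carry the collectiveCertificate rdn. Returns a
    short verdict so the reason for a rejection is visible."""
    if not signer_in_collective_trust:
        return 'rejected: signer certificate not in collective trust keystore'
    if not is_collective_certificate(subject_dn, configured_rdn):
        return f'rejected: subject DN lacks {configured_rdn}'
    return 'accepted'


if __name__ == '__main__':
    for dn in (MEMBER_SERVER_IDENTITY_DN, MEMBER_HTTPS_DN):
        print(dn, '->', accept_peer_certificate(dn, CONFIGURED_RDN, True))
```

Running it shows why the SERVID keyrings in step 1 hold only the OU=Collective certificate: the HTTPS certificate, even though it chains to the same trusted signer, is rejected because its DN lacks the configured RDN.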

Steps

1. Create SAF certificates and keyrings for the controller and member

a. Create signer certificate CONTROLLER ROOT
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CONTROLLER ROOT') O('IBM') C('US')) SIZE(2048) WITHLABEL('CONTROLLER ROOT') TRUST NOTAFTER(DATE(2035/12/31))
b. Create personal certificate Controller and sign with signer certificate CONTROLLER ROOT
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('Collective')) WITHLABEL('Controller') SIGNWITH(CERTAUTH LABEL('CONTROLLER ROOT')) SIZE(2048) NOTAFTER(DATE(2030/12/30))
c. Create personal certificate CollectiveSSH and sign with signer certificate CONTROLLER ROOT
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('Collective') O('IBM') C('US')) WITHLABEL('CollectiveSSH') SIGNWITH(CERTAUTH LABEL('CONTROLLER ROOT')) SIZE(2048) NOTAFTER(DATE(2025/12/30))
d. Create personal certificate ControllerHTTPS and sign with signer certificate CONTROLLER ROOT
RACDCERT ID(CONTRLID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') C('US')) WITHLABEL('ControllerHTTPS') SIGNWITH(CERTAUTH LABEL('CONTROLLER ROOT')) SIZE(2048) NOTAFTER(DATE(2025/12/30))

e. Create signer certificate MEMBER ROOT
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('MEMBER ROOT') O('IBM') C('US')) SIZE(2048) WITHLABEL('MEMBER ROOT') TRUST NOTAFTER(DATE(2035/12/31))
f. Create personal certificate Member and sign with signer certificate MEMBER ROOT
RACDCERT ID(MEMBERID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') OU('Collective')) WITHLABEL('Member') SIGNWITH(CERTAUTH LABEL('MEMBER ROOT')) SIZE(2048) NOTAFTER(DATE(2030/12/30))
g. Create personal certificate MemberHTTPS and sign with signer certificate MEMBER ROOT
RACDCERT ID(MEMBERID) GENCERT SUBJECTSDN(CN('HOST.NAME') O('IBM') C('US')) WITHLABEL('MemberHTTPS') SIGNWITH(CERTAUTH LABEL('MEMBER ROOT')) SIZE(2048) NOTAFTER(DATE(2025/12/30))
h. Add the keyrings CONTROL.KEYRING and CONTROL.SERVID.KEYRING to the userid CONTRLID for the controller
RACDCERT ID(CONTRLID) ADDRING(CONTROL.KEYRING)
RACDCERT ID(CONTRLID) ADDRING(CONTROL.SERVID.KEYRING)
i. Add the keyrings MEMBER.KEYRING and MEMBER.SERVID.KEYRING to the userid MEMBERID for the member
RACDCERT ID(MEMBERID) ADDRING(MEMBER.KEYRING)
RACDCERT ID(MEMBERID) ADDRING(MEMBER.SERVID.KEYRING)
j. Connect the signer certificates to the CONTROL.KEYRING and CONTROL.SERVID.KEYRING
RACDCERT CONNECT(CERTAUTH LABEL('CONTROLLER ROOT') RING(CONTROL.KEYRING)) ID(CONTRLID)
RACDCERT CONNECT(CERTAUTH LABEL('MEMBER ROOT') RING(CONTROL.KEYRING)) ID(CONTRLID)
RACDCERT CONNECT(CERTAUTH LABEL('CONTROLLER ROOT') RING(CONTROL.SERVID.KEYRING)) ID(CONTRLID)
k. Connect the personal certificates to the CONTROL.KEYRING and CONTROL.SERVID.KEYRING
RACDCERT CONNECT(ID(CONTRLID) LABEL('CollectiveSSH') RING(CONTROL.KEYRING)) ID(CONTRLID)
RACDCERT CONNECT(ID(CONTRLID) LABEL('ControllerHTTPS') RING(CONTROL.KEYRING)) ID(CONTRLID)
RACDCERT CONNECT(ID(CONTRLID) LABEL('Controller') RING(CONTROL.SERVID.KEYRING)) ID(CONTRLID)
l. Connect the signer certificates to the MEMBER.KEYRING and MEMBER.SERVID.KEYRING
RACDCERT CONNECT(CERTAUTH LABEL('CONTROLLER ROOT') RING(MEMBER.KEYRING)) ID(MEMBERID)
RACDCERT CONNECT(CERTAUTH LABEL('MEMBER ROOT') RING(MEMBER.KEYRING)) ID(MEMBERID)
RACDCERT CONNECT(CERTAUTH LABEL('MEMBER ROOT') RING(MEMBER.SERVID.KEYRING)) ID(MEMBERID)
m. Connect the personal certificates to the MEMBER.KEYRING and MEMBER.SERVID.KEYRING
RACDCERT CONNECT(ID(MEMBERID) LABEL('MemberHTTPS') RING(MEMBER.KEYRING)) ID(MEMBERID)
RACDCERT CONNECT(ID(MEMBERID) LABEL('Member') RING(MEMBER.SERVID.KEYRING)) ID(MEMBERID)
n. List the certificates on the keyring CONTROL.KEYRING and CONTROL.SERVID.KEYRING for the user id CONTRLID
RACDCERT ID(CONTRLID) LISTRING(CONTROL.KEYRING) 
Digital ring information for user CONTRLID: 
Ring:                                                                 
     >CONTROL.KEYRING<                                                
Certificate Label Name             Cert Owner     USAGE      DEFAULT  
--------------------------------   ------------   --------   -------  
CONTROLLER ROOT                    CERTAUTH        CERTAUTH     NO     
MEMBER ROOT                        CERTAUTH        CERTAUTH     NO     
CollectiveSSH                      ID(CONTRLID)    PERSONAL     NO
ControllerHTTPS                    ID(CONTRLID)    PERSONAL     NO
RACDCERT ID(CONTRLID) LISTRING(CONTROL.SERVID.KEYRING) 
Digital ring information for user CONTRLID: 
Ring:                                                                 
     >CONTROL.SERVID.KEYRING<                                                
Certificate Label Name             Cert Owner     USAGE      DEFAULT  
--------------------------------   ------------   --------   -------  
CONTROLLER ROOT                    CERTAUTH        CERTAUTH     NO          
Controller                         ID(CONTRLID)    PERSONAL     NO
o. List the certificates on the keyring MEMBER.KEYRING and MEMBER.SERVID.KEYRING for the user id MEMBERID
RACDCERT ID(MEMBERID) LISTRING(MEMBER.KEYRING)
Digital ring information for user MEMBERID:
Ring:
     >MEMBER.KEYRING<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
CONTROLLER ROOT                    CERTAUTH       CERTAUTH     NO
MEMBER ROOT                        CERTAUTH       CERTAUTH     NO
MemberHTTPS                        ID(MEMBERID)   PERSONAL     NO
RACDCERT ID(MEMBERID) LISTRING(MEMBER.SERVID.KEYRING)
Digital ring information for user MEMBERID:
Ring:
     >MEMBER.SERVID.KEYRING<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
MEMBER ROOT                        CERTAUTH       CERTAUTH     NO
Member                             ID(MEMBERID)   PERSONAL     NO
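A small checker for the LISTRING output above, added here as an example (not from this IBM page and not an IBM tool): it parses the ring listings and verifies the two rules the rest of the page depends on, that each *.SERVID.KEYRING holds exactly one PERSONAL certificate and that the trust keyring holds both signer certificates. The listings embedded below are constructed: the first reproduces the controller rings from step 1n, the second is a deliberately broken variant.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RingEntry:
    label: str
    owner: str     # CERTAUTH, SITE or ID(userid)
    usage: str     # CERTAUTH, PERSONAL or SITE
    default: str   # YES or NO


# Lines of LISTRING output that carry no certificate entry.
HEADER_PREFIXES = ('RACDCERT', 'Digital ring', 'Ring:', 'Certificate Label', '---')
ENTRY_RE = re.compile(
    r'\s*(?P<label>.+?)\s{2,}(?P<owner>CERTAUTH|SITE|ID\(\w+\))'
    r'\s+(?P<usage>CERTAUTH|PERSONAL|SITE)\s+(?P<default>YES|NO)\s*$')


def parse_listring(text: str) -> dict[str, list[RingEntry]]:
    """Map each ring name (the >RING< marker line) to its entries.
    Labels may contain single spaces ('CONTROLLER ROOT'); columns are
    separated by two or more spaces, so alignment does not matter."""
    rings: dict[str, list[RingEntry]] = {}
    current = None
    for line in text.splitlines():
        ring = re.match(r'\s*>(.+?)<\s*$', line)
        if ring:
            current = ring.group(1)
            rings[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith(HEADER_PREFIXES):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            rings[current].append(RingEntry(**entry.groupdict()))
    return rings


def check_rings(rings: dict[str, list[RingEntry]], trust_ring: str,
                identity_ring: str, expected_signers: tuple[str, ...]) -> list[str]:
    """Return the rule violations found; an empty list means the rings
    match what steps 1j to 1m connect."""
    problems = []
    personal = [e.label for e in rings.get(identity_ring, []) if e.usage == 'PERSONAL']
    if len(personal) != 1:
        problems.append(f'{identity_ring}: expected exactly 1 PERSONAL certificate, found {personal}')
    signers = {e.label for e in rings.get(trust_ring, []) if e.usage == 'CERTAUTH'}
    for label in expected_signers:
        if label not in signers:
            problems.append(f'{trust_ring}: signer {label!r} is not connected')
    return problems


CONTROLLER_SIGNERS = ('CONTROLLER ROOT', 'MEMBER ROOT')

# Constructed sample: the controller listings as they appear in step 1n.
GOOD_LISTING = """\
RACDCERT ID(CONTRLID) LISTRING(CONTROL.KEYRING)
Digital ring information for user CONTRLID:
Ring:
     >CONTROL.KEYRING<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
CONTROLLER ROOT                    CERTAUTH        CERTAUTH     NO
MEMBER ROOT                        CERTAUTH        CERTAUTH     NO
CollectiveSSH                      ID(CONTRLID)    PERSONAL     NO
ControllerHTTPS                    ID(CONTRLID)    PERSONAL     NO
RACDCERT ID(CONTRLID) LISTRING(CONTROL.SERVID.KEYRING)
Digital ring information for user CONTRLID:
Ring:
     >CONTROL.SERVID.KEYRING<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
CONTROLLER ROOT                    CERTAUTH        CERTAUTH     NO
Controller                         ID(CONTRLID)    PERSONAL     NO
"""

# Constructed broken sample (headers omitted): MEMBER ROOT was never
# connected to the trust ring, and CollectiveSSH also landed in the
# server identity ring, so the JVM could send the wrong certificate.
BAD_LISTING = """\
     >CONTROL.KEYRING<
CONTROLLER ROOT                    CERTAUTH        CERTAUTH     NO
CollectiveSSH                      ID(CONTRLID)    PERSONAL     NO
ControllerHTTPS                    ID(CONTRLID)    PERSONAL     NO
     >CONTROL.SERVID.KEYRING<
CONTROLLER ROOT                    CERTAUTH        CERTAUTH     NO
Controller                         ID(CONTRLID)    PERSONAL     NO
CollectiveSSH                      ID(CONTRLID)    PERSONAL     NO
"""


def audit_controller(listing: str) -> list[str]:
    return check_rings(parse_listring(listing), 'CONTROL.KEYRING',
                       'CONTROL.SERVID.KEYRING', CONTROLLER_SIGNERS)


if __name__ == '__main__':
    print('good:', audit_controller(GOOD_LISTING) or 'no problems')
    print('bad: ', audit_controller(BAD_LISTING))
```

For the member, call check_rings with MEMBER.KEYRING, MEMBER.SERVID.KEYRING and the same two signer labels; pasting the real LISTRING output from step 1o in place of the constructed sample is all that changes.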
2. Create the controller server

a. Create the controller server myController:

server create myController
b. Once the myController directory is created, add host="*" to server.xml, and update the http and https ports to the desired values.
<httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443" />
c. Add the JAVA_HOME environment variable in server.env set to the path of where the JVM is located.
For example:
JAVA_HOME=/usr/lpp/java/J8.0_64
 
3. Create the collective controller configuration
Log in to Unix System Services with the userid CONTRLID.
The collective create command requires that the userid that runs it is the same userid that owns the keyring.
A functional userid can be set up to run the collective create command as follows (the command is shown with one option per line):
collective create myController
--safKeyring=safkeyring:///CONTROL.KEYRING
--keystorePassword=password
--safCertificateLabel=CollectiveSSH
--safKeystoreType=JCERACFKS
--safKeystoreProvider=IBMJCE
--serverIdentityKeystore=safkeyring:///CONTROL.KEYRING
--serverIdentityKeystoreAlias=ControllerHTTPS
--serverIdentityKeystorePassword=password
--collectiveTrustKeystore=safkeyring:///CONTROL.KEYRING
--collectiveTrustKeystorePassword=password
--createConfigFile=/WebSphere/Liberty/servers/myController/collective-create-include.xml

The full Java 8 command is provided:
collective create myController --safKeyring=safkeyring:///CONTROL.KEYRING --keystorePassword=password --safCertificateLabel=CollectiveSSH --safKeystoreType=JCERACFKS --safKeystoreProvider=IBMJCE --serverIdentityKeystore=safkeyring:///CONTROL.KEYRING --serverIdentityKeystoreAlias=ControllerHTTPS --serverIdentityKeystorePassword=password --collectiveTrustKeystore=safkeyring:///CONTROL.KEYRING --collectiveTrustKeystorePassword=password --createConfigFile=/WebSphere/Liberty/servers/myController/collective-create-include.xml

If the Liberty server is using Java 11 or Java 17 for z/OS, change:

--safKeystoreProvider=IBMJCE
to
--safKeystoreProvider=IBMZSecurity
The full Java 11 or Java 17 command is provided:
collective create myController --safKeyring=safkeyring:///CONTROL.KEYRING --keystorePassword=password --safCertificateLabel=CollectiveSSH --safKeystoreType=JCERACFKS --safKeystoreProvider=IBMZSecurity --serverIdentityKeystore=safkeyring:///CONTROL.KEYRING --serverIdentityKeystoreAlias=ControllerHTTPS --serverIdentityKeystorePassword=password --collectiveTrustKeystore=safkeyring:///CONTROL.KEYRING --collectiveTrustKeystorePassword=password --createConfigFile=/WebSphere/Liberty/servers/myController/collective-create-include.xml

A successful create output is provided:

Successfully set up collective controller configuration for myController.
 
Add the following lines to the server.xml to enable:
    <include location="${server.config.dir}/collective-create-include.xml" />
 
Please ensure administrative security is configured for the server.
An administrative user is required to join members to the collective.


The myController directory now contains two configuration files, collective-create-include.xml and server.xml:
/WebSphere/Liberty/servers/myController:>ls
apps
dropins
server.env
workarea
resources
collective-create-include.xml
server.xml
 
4. Update the controller's collective-create-include.xml

a. Update quickStartSecurity with an initial user and password.
<quickStartSecurity userName="adminUser" userPassword="adminPassword" />
b. Change the server identity keystore from CONTROL.KEYRING to CONTROL.SERVID.KEYRING
<keyStore id="serverIdentity" location="safkeyring:///CONTROL.SERVID.KEYRING"  password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />
c. Add the line:
<collectiveCertificate rdn="OU=Collective"></collectiveCertificate>

 
The rdn value in the collectiveCertificate tag must match the OU of the Controller personal certificate created in step 1b.
The collectiveCertificate rdn determines which certificate the controller accepts as a collective certificate from the member's server identity keystore.
An example collective-create-include.xml is provided:
<?xml version="1.0" encoding="UTF-8" ?>
<server description="myController">
    <featureManager>
        <feature>collectiveController-1.0</feature>
    </featureManager>

    <!-- Define the host name for use by the collective.
         If the host name needs to be changed, the server should be
         removed from the collective and re-joined or re-replicated. -->
    <variable name="defaultHostName" value="host.name" />

    <!-- BYO collective-wide SSH Key information. -->
    <collectiveHostAuthInfo
         safKeyring="safkeyring:///CONTROL.KEYRING"
         safCertificateLabel="CollectiveSSH"
         safKeystoreType="JCERACFKS"
         safKeystoreProvider="IBMJCE" />

    <!-- clientAuthenticationSupported set to enable bidirectional trust -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore" serverKeyAlias="ControllerHTTPS"
         trustStoreRef="defaultTrustStore"
         clientAuthenticationSupported="true" />

    <!-- inbound (HTTPS) keystore. Where the location attribute is the  safCommonKeyring value  -->
    <keyStore id="defaultKeyStore" location="safkeyring:///CONTROL.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <!-- inbound (HTTPS) truststore -->
    <keyStore id="defaultTrustStore" location="safkeyring:///CONTROL.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <!-- server identity keystore -->
    <keyStore id="serverIdentity" location="safkeyring:///CONTROL.SERVID.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <!-- collective trust keystore -->
    <keyStore id="collectiveTrust" location="safkeyring:///CONTROL.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <collectiveCertificate rdn="OU=Collective"></collectiveCertificate>
</server>

5. Update the controller's server.xml
a. Enable the adminCenter-1.0 feature with the tag:
<feature>adminCenter-1.0</feature>
b. Add the following line to server.xml to enable the collective:

<include location="${server.config.dir}/collective-create-include.xml" />
An example server.xml is provided:
 
<?xml version="1.0" encoding="UTF-8"?>
<server description="myController">

    <!-- Enable features -->
    <featureManager> 
        <feature>adminCenter-1.0</feature>
        <feature>jsp-2.3</feature>
    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="9080"
                  httpsPort="9443" />

    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>

    <include location="${server.config.dir}/collective-create-include.xml" />
</server>
6. Run the updateHost command to specify the member's JAVA_HOME directory for the controller

a. Start the controller server myController:
server start myController
b. Run the updateHost command. The hostJavaHome option is the absolute path of JAVA_HOME on the member's file system.
The controller uses this JVM to issue file system commands such as startServer and stopServer for the member server.
collective updateHost controllerHostname
--host=controllerHostname
--port=9443
--user=adminUser
--password=adminPassword
--rpcUser=zOS_ID
--rpcUserPassword=zOS_Password
--hostWritePath=/WebSphere/Liberty/servers/myController
--autoAcceptCertificates
--hostJavaHome=/usr/lpp/java/J8.0_64
collective updateHost controllerHostname --host=controllerHostname --port=9443 --user=adminUser --password=adminPassword --rpcUser=zOS_ID --rpcUserPassword=zOS_Password --hostWritePath=/WebSphere/Liberty/servers/myController --autoAcceptCertificates --hostJavaHome=/usr/lpp/java/J8.0_64

Output of a successful update:

Updating the authentication information for the host...
Auto-accepting the certificate chain for target server.
Certificate subject DN: CN=Collective, O=IBM, C=US
Host host.name authentication information successfully updated.


7. Verify that the collective controller server started correctly and is ready to receive members.
a. Open an editor on the collective controller messages log, $WLP_USER_DIR/servers/myController/logs/messages.log.
b. Look for the following message:

CWWKX9003I: CollectiveRegistration MBean is available.
8. Create the member server

a. Create the member server
server create myMember

b. Once the myMember directory is created, add host="*" to server.xml, and update the http and https ports to the desired values.
The values must be unique and differ from the values set for the controller in step 2.
 
<httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="8080"
                  httpsPort="8443" />
c. Add the JAVA_HOME environment variable in server.env set to the path of where the JVM is located.
For example:
JAVA_HOME=/usr/lpp/java/J8.0_64
10. Add the server to the collective as a member

Log in to Unix System Services with the userid that owns the member keyring (MEMBERID from step 1).
The collective join command requires that the userid that runs it is the same userid that owns the keyring.
A functional userid can be set up to run the collective join command as follows (the command is shown with one option per line):
collective join myMember
--host=controllerHostname
--port=9443
--user=adminUser
--password=adminPassword  
--keystorePassword=password
--serverIdentityKeystore="safkeyring:///MEMBER.KEYRING"
--serverIdentityKeystoreAlias="MemberHTTPS"
--collectiveTrustKeystore="safkeyring:///MEMBER.KEYRING"
--safKeystoreType=JCERACFKS
--safKeystoreProvider=IBMJCE  
--autoAcceptCertificates
--createConfigFile=/WebSphere/Liberty/servers/myMember/member-join-include.xml

The full Java 8 command is provided:
collective join myMember --host=controllerHostname --port=9443 --user=adminUser --password=adminPassword  --keystorePassword=password --serverIdentityKeystore="safkeyring:///MEMBER.KEYRING" --serverIdentityKeystoreAlias="MemberHTTPS" --collectiveTrustKeystore="safkeyring:///MEMBER.KEYRING" --safKeystoreType=JCERACFKS --safKeystoreProvider=IBMJCE --autoAcceptCertificates --createConfigFile=/WebSphere/Liberty/servers/myMember/member-join-include.xml
If the Liberty server is using Java 11 or Java 17 for z/OS, change:

--safKeystoreProvider=IBMJCE
to
--safKeystoreProvider=IBMZSecurity
The full Java 11 or Java 17 command is provided:
collective join myMember --host=controllerHostname --port=9443 --user=adminUser --password=adminPassword  --keystorePassword=password --serverIdentityKeystore="safkeyring:///MEMBER.KEYRING" --serverIdentityKeystoreAlias="MemberHTTPS" --collectiveTrustKeystore="safkeyring:///MEMBER.KEYRING" --safKeystoreType=JCERACFKS --safKeystoreProvider=IBMZSecurity --autoAcceptCertificates --createConfigFile=/WebSphere/Liberty/servers/myMember/member-join-include.xml
An example of a successful output:

Auto-accepting the certificate chain for target server.
Certificate subject DN: CN=HOST.NAME, OU=Collective, O=IBM
Single Collective SSH Key has been selected by default for collective host HOST.NAME.
Joining the collective with target controller HOST.NAME:9443...
This may take a while.
Successfully completed MBean request to the controller.
Updating authorized keys with new public key...
Successfully joined the collective for server myMember.
Add the following lines to the server.xml to enable:
    <include location="/WebSphere/Liberty/servers/myMember/member-join-include.xml" />


The myMember directory now contains two configuration files, member-join-include.xml and server.xml:
/WebSphere/Liberty/servers/myMember>ls
apps
dropins
server.env
workarea
resources
member-join-include.xml
server.xml
11. Update the member's member-join-include.xml
a. Add the lines:
<hostAuthInfo useHostCredentials="true" />
<collectiveCertificate rdn="OU=Collective"></collectiveCertificate>
b. Change the server identity keystore from MEMBER.KEYRING to MEMBER.SERVID.KEYRING
<keyStore id="serverIdentity" location="safkeyring:///MEMBER.SERVID.KEYRING" password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />
The rdn value in the collectiveCertificate tag must match the OU of the Member personal certificate created in step 1f.
The collectiveCertificate rdn determines which certificate the member accepts as a collective certificate from the controller's server identity keystore.
An example member-join-include.xml is provided:
<?xml version="1.0" encoding="UTF-8" ?>
<server description="myMember">

    <featureManager>
        <feature>collectiveMember-1.0</feature>
    </featureManager>

    <!-- Define the host name for use by the collective.
         If the host name needs to be changed, the server should be
         removed from the collective and re-joined or re-replicated. -->
    <variable name="defaultHostName" value="host.name" />

    <!-- Connection to the collective controller -->
    <collectiveMember controllerHost="1.2.3.4"
                      controllerPort="9443" />

    <!-- clientAuthenticationSupported set to enable bidirectional trust -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore" serverKeyAlias="MemberHTTPS"
         trustStoreRef="defaultTrustStore"
         clientAuthenticationSupported="true" />

    <!-- inbound (HTTPS) keystore. Where the location attribute is the  safCommonKeyring value  -->
    <keyStore id="defaultKeyStore" location="safkeyring:///MEMBER.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <!-- inbound (HTTPS) truststore -->
    <keyStore id="defaultTrustStore" location="safkeyring:///MEMBER.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <!-- server identity keystore -->
    <keyStore id="serverIdentity" location="safkeyring:///MEMBER.SERVID.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

    <!-- collective trust keystore -->
    <keyStore id="collectiveTrust" location="safkeyring:///MEMBER.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />

  <hostAuthInfo useHostCredentials="true" />
  <collectiveCertificate rdn="OU=Collective"></collectiveCertificate>

</server>
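Steps 4 and 11 each hand-edit a generated include file, and a missed edit (serverIdentity left on the shared keyring, the collectiveCertificate line forgotten, a provider that does not match the Java level) only shows up as a failed join later. The following checker, added here as an example that is not part of this IBM page and not an IBM tool, parses an include file with the standard library and reports those slips. The embedded XML is a constructed copy of the controller's collective-create-include.xml from step 4; expected_provider is the value the collective command used, IBMJCE for Java 8 and IBMZSecurity for Java 11 or 17 (that the generated keyStore provider attribute follows the CLI option is this example's assumption). It works unchanged on member-join-include.xml.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

SAF_PREFIX = 'safkeyring:///'
REQUIRED_STORES = ('defaultKeyStore', 'defaultTrustStore', 'serverIdentity', 'collectiveTrust')


def check_collective_include(xml_text: str, expected_provider: str) -> list[str]:
    """Return a list of problems found in a collective include file; an
    empty list means the file passes the checks steps 4 and 11 call for."""
    root = ET.fromstring(xml_text)
    problems: list[str] = []
    stores = {ks.get('id'): ks for ks in root.findall('keyStore')}
    for needed in REQUIRED_STORES:
        if needed not in stores:
            problems.append(f'keyStore id="{needed}" is missing')
    for ks_id, ks in stores.items():
        if not ks.get('location', '').startswith(SAF_PREFIX):
            problems.append(f'{ks_id}: location is not a safkeyring:/// URL')
        if (ks.get('fileBased'), ks.get('readOnly'), ks.get('type')) != ('false', 'true', 'JCERACFKS'):
            problems.append(f'{ks_id}: SAF keyrings need fileBased="false" readOnly="true" type="JCERACFKS"')
        if ks.get('provider') != expected_provider:
            problems.append(f'{ks_id}: provider is {ks.get("provider")!r}, expected {expected_provider!r}')
    host_auth = root.find('collectiveHostAuthInfo')   # controller only
    if host_auth is not None and host_auth.get('safKeystoreProvider') != expected_provider:
        problems.append(f'collectiveHostAuthInfo: safKeystoreProvider is not {expected_provider!r}')
    identity, trust = stores.get('serverIdentity'), stores.get('collectiveTrust')
    if identity is not None and trust is not None and identity.get('location') == trust.get('location'):
        problems.append('serverIdentity uses the same keyring as collectiveTrust; '
                        'step 4b/11b moves it to the *.SERVID.KEYRING')
    cert = root.find('collectiveCertificate')
    if cert is None or not cert.get('rdn'):
        problems.append('collectiveCertificate rdn is missing (step 4c/11a)')
    ssl = root.find('ssl')
    if ssl is None or ssl.get('clientAuthenticationSupported') != 'true':
        problems.append('ssl: clientAuthenticationSupported must be "true" for bidirectional trust')
    return problems


# Constructed copy of the controller's collective-create-include.xml after
# the edits in step 4 (comments and the XML declaration omitted).
CONTROLLER_INCLUDE = """\
<server description="myController">
    <featureManager>
        <feature>collectiveController-1.0</feature>
    </featureManager>
    <variable name="defaultHostName" value="host.name" />
    <collectiveHostAuthInfo
         safKeyring="safkeyring:///CONTROL.KEYRING"
         safCertificateLabel="CollectiveSSH"
         safKeystoreType="JCERACFKS"
         safKeystoreProvider="IBMJCE" />
    <ssl id="defaultSSLConfig"
         keyStoreRef="defaultKeyStore" serverKeyAlias="ControllerHTTPS"
         trustStoreRef="defaultTrustStore"
         clientAuthenticationSupported="true" />
    <keyStore id="defaultKeyStore" location="safkeyring:///CONTROL.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />
    <keyStore id="defaultTrustStore" location="safkeyring:///CONTROL.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />
    <keyStore id="serverIdentity" location="safkeyring:///CONTROL.SERVID.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />
    <keyStore id="collectiveTrust" location="safkeyring:///CONTROL.KEYRING"
              password="password" fileBased="false" readOnly="true" type="JCERACFKS" provider="IBMJCE" />
    <collectiveCertificate rdn="OU=Collective"></collectiveCertificate>
</server>
"""


def before_step_4b() -> str:
    """The same file as collective create generated it, before step 4b."""
    return CONTROLLER_INCLUDE.replace('CONTROL.SERVID.KEYRING', 'CONTROL.KEYRING')


if __name__ == '__main__':
    print('edited file, Java 8:   ', check_collective_include(CONTROLLER_INCLUDE, 'IBMJCE') or 'no problems')
    print('edited file, Java 17:  ', check_collective_include(CONTROLLER_INCLUDE, 'IBMZSecurity'))
    print('before step 4b, Java 8:', check_collective_include(before_step_4b(), 'IBMJCE'))
```

Point it at the real file with open(path).read() in place of the constructed string; the provider mismatch report for IBMZSecurity is the expected result when a Java 8 include is reused unchanged on a Java 11 or 17 server.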
12. Update the member's server.xml
Add the following line to server.xml to enable the collective:

<include location="${server.config.dir}/member-join-include.xml" />
An example server.xml is provided:
<server description="myMember">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.3</feature>
    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="*"
                  httpPort="8080"
                  httpsPort="8443" />

    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true"/>

   <include location="${server.config.dir}/member-join-include.xml" />

</server>
13. Verify that the member server started correctly and published its state to the collective.

Start the member:

server start myMember
a. Open an editor on the collective controller messages log, $WLP_USER_DIR/servers/myController/logs/messages.log.
b. Look for the following messages, in any order:
CWWKX8112I: The server's host information was successfully published to the collective repository.
CWWKX8114I: The server's paths were successfully published to the collective repository.
CWWKX8116I: The server STARTED state was successfully published to the collective repository.
14. Verify that SSH is working correctly by starting and stopping the myMember server and viewing its server.xml on the remote system through adminCenter
Log in to adminCenter:
http://host.name:9080/adminCenter

which redirects to:
https://host.name:9443/adminCenter

Click Explore, then Servers, then Start.
[image: Admin Center Servers view with the Start action]

Click Server Config to view the server.xml.
[image: Admin Center Server Config view]
The prior steps set up a Liberty collective without an Angel or SAF authorization, by using quickStartSecurity to define an administrative user.

<quickStartSecurity userName="adminUser" userPassword="adminPassword" />
The following link provides details on how to set up adminCenter with a SAF user registry and SAF roles.

Follow the steps in Administering Liberty on z/OS to:

- Set up the bbgzangl and bbgzsrv JCL procedure templates (PROCs)
- Create Administrator, Reader, and allAuthenticated roles in SAF and permit users to the Admin Center roles
- Enable Admin Center with SSL Keyring and SAF authorization in server.xml

Additional Information

The collective setup uses 3 personal certificates for the controller and 2 personal certificates for the member.
1. Default personal certificate for inbound communication to the httpsPort of the controller and of the member:
serverKeyAlias="ControllerHTTPS"
serverKeyAlias="MemberHTTPS"
2. Default personal certificate that the controller uses to authenticate to the member's host system over SSH, which allows the controller to start and stop the member:
safCertificateLabel="CollectiveSSH"
3. The controller's server identity keystore contains only 1 personal certificate, which is sent from the controller to the member:
<keyStore id="serverIdentity" location="safkeyring:///CONTROL.SERVID.KEYRING" ....
The member's server identity keystore likewise contains only 1 personal certificate, which is sent from the member to the controller:
<keyStore id="serverIdentity" location="safkeyring:///MEMBER.SERVID.KEYRING" ....

The server identity keystore must contain only 1 personal certificate, because the JVM can choose any personal certificate in this keystore to send outbound from the controller or member. If there are 2 or more certificates, there is no guarantee which personal certificate is used.
The certificate's DN in the server identity keystore must contain the value that is coded in the collectiveCertificate tag defined in the controller and member.
<collectiveCertificate rdn="OU=Collective"></collectiveCertificate>


Document Information

Modified date:
11 September 2024

UID

ibm17009727