Troubleshooting tip Keeping ZSS secure with TLS #1883

docs/user-guide/cli-usingcli.md

@@ -236,13 +236,13 @@ To access services through API ML using the token in your base profile, specify
 The following example illustrates a complete path for a z/OSMF instance registered to API ML. The format of base path can vary based on how API ML is configured at your site:
 
 ```
-https://myapilayerhost:port/api/v1/zosmf
+https://myapilayerhost:port/ibmzosmf/api/v1
 ```
 
 To access that API ML instance, create a service profile (or issue a command) with the `--base-path` value of `api/v1`. Your service profile uses the token and credentials stored in your default base profile.
 
 ```
-zowe profiles create zosmf myprofile123 --base-path api/v1 --disable-defaults
+zowe profiles create zosmf myprofile123 --base-path ibmzosmf/api/v1 --disable-defaults
 ```
 
 Commands issued with this profile are routed through the layer to access an appropriate z/OSMF instance.

docs/user-guide/install-ha-sysplex.md

@@ -21,7 +21,7 @@ Review the installation diagram and the high-level instructions in this topic to
 </figure>
 <map name="home_map1" id="home_map1">
   <area href="https://docs.zowe.org/stable/user-guide/installandconfig" target="_blank" alt="Plan and prepare for the installation" title="Plan and prepare for the installation" shape="rect" coords="326, 63, 474, 105" />
-  <area href="https://docs.zowe.org/stable/user-guide/systemrequirements-zos/" target="_blank" alt="Configure system requirements" title="Configure system requirements" shape="rect" coords="318, 183, 467, 224" />
+  <area href="https://docs.zowe.org/stable/user-guide/configure-sysplex/#sysplex-environment-requirements" target="_blank" alt="Configure system requirements" title="Configure system requirements" shape="rect" coords="318, 183, 467, 224" />
 
   <area href="https://www.zowe.org/download.html" target="_blank" alt="Download Zowe SMP/E build" title="Download the Zowe SMP/E build from zowe.org" shape="rect" coords="111,327,304,374" />
   <area href="https://docs.zowe.org/stable/user-guide/install-zowe-smpe" target="_blank" alt="Install the Zowe SMP/E build using JCLs" title="Install the Zowe SMP/E build using JCLs" shape="rect" coords="20,546,167,610" />
@@ -49,7 +49,7 @@ Before you start the installation, review the information on hardware and softwa
 
 ## Stage 2: Install the Zowe runtime
 
-1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](systemrequirements.md).
+1. Ensure that the software requirements are met. The prerequisites are described in [Zowe high availability requirements (host)](configure-sysplex.md#sysplex-environment-requirements).
 
 1. Choose the method of installing Zowe high availability instances on a Sysplex. 
 

docs/user-guide/mvd-configuration.md

@@ -452,6 +452,24 @@ The following steps assume you have installed a Zowe runtime instance (which inc
 
    `ZIS status - Ok (name='ZWESIS_MYSRV    ', cmsRC=0, description='Ok', clientVersion=2)`
 
+
+## Keeping ZSS secure with TLS
+
+ZSS log shows message
+```
+ ** WARNING: Connection is insecure! TLS needed but not found on socket. **
+```
+
+ZSS is a webserver that performs certain system calls for data management and even security. It is important to have a configuration that keeps the network traffic for ZSS secure at all times. When TLS is not active on ZSS, at startup and periodically the warning will be shown. If there is no need for ZSS communication to a client outside the z/OS system, it is possible to make ZSS accessible only internal to z/OS, but if TLS is not activated, the warning will remain.
+
+There are two ways to ensure ZSS has TLS.
+The default, when the environment variable ZOWE_ZSS_SERVER_TLS=true is set. This will use the Zowe keystore for TLS certificate management.
+
+AT-TLS, as described here: https://docs.zowe.org/stable/user-guide/mvd-configuration/#configuring-zss-for-https
+Note that AT-TLS and ZOWE_ZSS_SERVER_TLS=true are mutually exclusive, but perform the same task of making ZSS use HTTPS.
+
+When TLS is enabled, it is fine to have ZSS be externally accessible, but it is still recommended to access it via the API Mediation Layer Gateway for additional benefits such as high availability. When using containers, the Gateway may be external to z/OS, requiring ZSS to be externally accessible.
+
 ## Controlling access to applications
 
 You can control which applications are accessible (visible) to all Zowe desktop users, and which are accessible only to individual users. For example, you can make an application that is under development only visible to the team working on it.

docs/user-guide/scripted-configure-server.md

@@ -53,9 +53,9 @@ The script `<RUNTIME_DIR>/scripts/utils/zowe-install-xmem.sh -d <dataSetPrefix>
 
   **Example:**
 
-  Executing the command `zowe-install-xmem.sh -d MYUSERID.ZWE -a SYS1.PARMLIB -r USER.PROCLIB` copies:
+  Executing the command `zowe-install-xmem.sh -d MYUSERID.ZWE -a USER.PARMLIB -r USER.PROCLIB` copies:
 
-  - the PARMLIB member `MYUSERID.ZWE.SZWESAMP(ZWESIP00)` to `SYS1.PARMLIB(ZWESIP00)`
+  - the PARMLIB member `MYUSERID.ZWE.SZWESAMP(ZWESIP00)` to `USER.PARMLIB(ZWESIP00)`
   - the PROCLIB member `MYUSERID.ZWE.SZWESAMP(ZWESISTC)` to `USER.PROCLIB(ZWESISTC)` and `MYUSERID.ZWESAMP(ZWESASTC)` to `USER.PROCLIB(ZWESASTC)`
 
 The script `zowe-install-xmem.sh` moves and modifies files, but does not perform the steps needed to APF-authorize the PDSE containing the load module `ZWESIS00` and does not enable it to run in key(4) non-swappable.  The steps required to do this are described in [Installing and configuring the Zowe cross memory server: APF authorize](configure-xmem-server.md#apf-authorize) and [Installing and configuring the Zowe cross memory server: Key 4 non-swappable](configure-xmem-server.md#key-4-non-swappable).