updating ESM configuration with identity mapping commands #3642
Conversation
😺 Thank you for creating this PR! To publish your content to Zowe Docs, follow these required steps.
Need help? Contact the Doc Squad in the #zowe-doc Slack channel.
📁 The PR description is missing the file name(s) for the updated content. List all the files included in this PR so this information displays in our Zowe Docs GitHub Slack channel. If you have addressed this issue already, refresh this page in your browser to remove this comment.
💾 The release label is missing. Add a If you have addressed this issue already, refresh this page in your browser to remove this comment.
🔍 The review label is missing. Add a If you have addressed this issue already, refresh this page in your browser to remove this comment.
📌 The subject area label is missing. Add an If you have addressed this issue already, refresh this page in your browser to remove this comment.
- RACF : | ||
RACMAP ID(userid) MAP USERDIDFILTER(NAME('distributed-identity-user-name')) REGISTRY(NAME('distributed-identity-registry-name' )) WITHLABEL('label-name') | ||
|
||
SETROPTS RACLIST(IDIDMAP) REFRESH | ||
|
||
- ACF2 : | ||
ACF | ||
SET PROFILE(USER) DIVISION(IDMAP) | ||
INSERT userid.ZWEDNMAP IDMAPDN(distributed-identity-user-name) - | ||
IDMAPRN(distributed-identity-registry-name) IDLABEL(label-name) | ||
|
||
F ACF2,REBUILD(USR),CLASS(P),DIVISION(IDMAP) | ||
END | ||
|
||
- TSS : | ||
TSS ADD(userid) IDMAP(ZWEDNMAP) IDMAPDN('distributed-identity-user-name') - | ||
IDMAPRN('distributed-identity-registry-name') IDLABEL('label-name') | ||
|
||
TSS REFRESH |
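Review bot: the placeholder values are quoted inconsistently across the three ESM examples (RACF and TSS quote `distributed-identity-user-name`, `distributed-identity-registry-name` and `label-name`, the ACF2 INSERT does not), and the RACF `REGISTRY(NAME('distributed-identity-registry-name' ))` carries a stray space before the closing parenthesis; an administrator copying these lines can end up with a malformed or mis-quoted filter. State explicitly which tokens are placeholders to be replaced, keep quoting consistent per ESM, and say that the refresh step in each item (`SETROPTS RACLIST(IDIDMAP) REFRESH`, `F ACF2,REBUILD(USR),CLASS(P),DIVISION(IDMAP)`, `TSS REFRESH`) is required before the new mapping takes effect, so that a reader does not stop after the INSERT/ADD/RACMAP line and conclude the mapping is broken.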
See below there are items for RACF, TSS and ACF2 (also remove the CA prefix). These commands should be included in their respective item.
|
||
See the [Identity Federation cli plugin](../../user-guide/cli-idfplugin.md) documentation for details about how to use the plugin tool to set up the mapping in the ESM of your z/OS system. | ||
|
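Review bot: this sentence points the reader to the Identity Federation CLI plugin as if it were the primary method, before the manual ESM commands are introduced; reorder so the command descriptions come first and the plugin is presented as a convenience for producing the same mapping. The relative link `../../user-guide/cli-idfplugin.md` should also be checked against the actual file location, since the other references in this topic (`#esm-configuration`, `#oidc-provider`) are in-page anchors rather than relative paths.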
Please rephrase to have first the commands description and then mention the tool as a way to make it easier
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Reviewed and edited by doc squad
@@ -57,9 +57,9 @@ Ensure that the following prerequisites are met: | |||
- SAF/ESM is configured with mapping between the mainframe and distributed user identities. For details, see the section [ESM configuration](#esm-configuration) in this topic. | |||
- ZSS must be enabled and properly configured in the Zowe installation. |
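Review bot: the prerequisite `- ZSS must be enabled and properly configured in the Zowe installation.` presents ZSS as a hard requirement, but the thread notes that from Zowe 2.14 the API ML Gateway's internal mapper is an alternative, with ZSS remaining the default. State the alternative, the minimum release in which it is available, and link to the mapper documentation, so that a site running the internal mapper does not read this line as requiring ZSS as well.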
This needs to be updated: since 2.15 (verify if this is the correct one) ZSS is not mandatory, but it's the default. The alternative is to configure the API ML Gateway to use its internal mapper functionality.
It's from 2.14, enabling of internal mapper is here (default is still ZSS) https://docs.zowe.org/v2.14.x/user-guide/authenticating-with-client-certificates/#enabling-the-internal-api-ml-mapper
Signed-off-by: Pablo Hernán Carle <pablo.carle@broadcom.com>
- **`distributed-identity-user-name`** | ||
Specifies the user id for distributed-identity-registry | ||
- **`distributed-identity-registry-name`** | ||
Specifies the hostname of the registry |
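Review bot: `Specifies the user id for distributed-identity-registry` and `Specifies the hostname of the registry` leave the expected formats ambiguous. The ACF2 and TSS commands name these values `IDMAPDN` and `IDMAPRN`, which suggests a distinguished name and a registry name rather than a plain user id and a hostname, and the description does not say whether the registry value is a bare hostname or a full URL. Spell out the exact format each ESM expects and where the value comes from on the OIDC provider side, since a filter that does not match the value the provider presents simply fails to map and gives the administrator little to diagnose.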
is it just the hostname or a full URL?
Signed-off-by: ShobhaJayanna <36433611+Shobhajayanna@users.noreply.github.com>
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
@@ -55,11 +55,11 @@ Ensure that the following prerequisites are met: | |||
- Users who require access to mainframe resources using OIDC authentication have a mainframe identity managed by SAF/ESM. | |||
- Client application users have their distributed identity managed by the OIDC provider. For details, see the section [OIDC provider](#oidc-provider) in this topic. | |||
- SAF/ESM is configured with mapping between the mainframe and distributed user identities. For details, see the section [ESM configuration](#esm-configuration) in this topic. | |||
- ZSS must be enabled and properly configured in the Zowe installation. | |||
- Ensure that the API ML Gateway is configured to use the internal mapper functionality. Alternatively, enable ZSS in the Zowe installation, however using the internal mapper is the recommended method. ZSS is enabled by default. |
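Review bot: the rewritten prerequisite recommends the internal mapper but gives neither the minimum Zowe release nor a link to how to enable it, and the trailing `ZSS is enabled by default.` reads as an afterthought after ZSS has just been described as the non-recommended path. The leading "Ensure that" is also redundant under a list already headed `Ensure that the following prerequisites are met:`. Suggest: `- The API ML Gateway is configured to use the internal mapper (available in Zowe 2.14 and later; see the mapper documentation). Alternatively, enable ZSS, which is the default but not the recommended method.`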
I think this is missing either a link to the internal mapper doc or at least the minimum version of Zowe?
Ok. I'll add this: "the mapper feature is available for Zowe release 2.14 and later releases." and this link:
https://docs.zowe.org/stable/user-guide/authenticating-with-client-certificates/#enabling-the-internal-api-ml-mapper
Thank you
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com> Co-authored-by: Pablo Carle <pablocarle@users.noreply.github.com> Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Thank you for addressing my comments
Signed-off-by: Andrew Jandacek <andrew.jandacek@broadcom.com>
Describe your pull request here:
It is to update the ESM configuration with identity mapping commands.
List the file(s) included in this PR:
api-mediation-oidc-authentication.md
After creating the PR, follow the instructions in the comments.