Generate the API Key to authenticate to the Z controller
Before you begin
About this task
To authenticate an HCL Universal Orchestrator shadow task to the
controller, generate an API Key by performing the following steps:
- Export your z/OS personal certificate by using the SAF interface in a p12 format and store it in a temporary MVS data set.
- In the SEQQSAMP sample library, edit the EQQKYGEN member by defining the following
fields:
//APIKGEN JOB 'JWT GEN',CLASS=A,MSGCLASS=A,REGION=0M //* **************************************************************** */ //* SECURITY CLASSIFICATION */ //* Licensed Materials - Property of HCL. */ //* (c) Copyright HCL Technologies Ltd. 2016, 2024. */ //* Note to U.S. Government Users Restricted Rights: */ //* Use, duplication or disclosure restricted */ //* by GSA ADP Schedule. Contract with IBM Corp. */ //* **************************************************************** */ //* FUNCTION: */ //* GENERATE A SIGNED JWT TOKEN */ //* **************************************************************** */ //* NOTE: Before generating the API key, ensure the following: */ //* - A SAF certificate has been generated and */ //* connected to your security ring. */ //* Each of the following lines must end at maximum column 71.*/ //* **************************************************************** * //* CONFIGURATION SECTION * //* **************************************************************** * // EXPORT SYMLIST=(PASSWORD,P12DSN,CERTUSS,JWTUSS, // EXPDAY,PROFILE1,PROFILE2,PROFILE3) //* **************************************************************** * //* Set the following variables to reference the SAF cert as p12: */ //* P12DSN - Temporary MVS Dataset */ //* PASSWORD- P12 Export Password */ //* **************************************************************** * // SET P12DSN='YOUR.APIKEY.P12' // SET PASSWORD='*******' //* **************************************************************** * //* Set the following variables to run the JZOS environment: */ //* JZOSLIB - JZOS STEPLIB */ //* JZOSMEM - JZOS MEMBER NAME */ //* PROFILE1- first line of env.profile path */ //* PROFILE2- second line of env.profile path */ //* PROFILE3- third line of env.profile path */ //* The full path for env.profile is composed of the PROFILE1, */ //* PROFILE2, and PROFILE3 variables. */ //* **************************************************************** * // SET JZOSLIB='YOUR.DSN.JAVA' // SET JZOSMEM='JAVAMEMB' // SET PROFILE1='/first/part/uss/path' // SET PROFILE2='/second/part/uss/path' // SET PROFILE3='/third/part/uss/path' //* **************************************************************** * //* Set the following variables to generate the signed JWT: */ //* CERTUSS - Temporary uss cert path */ //* JWTUSS - JWT output path. */ //* Set to 'NONE' to see the output on the SYSOUT */ //* EXPDAY - JWT expiration in days. */ //* Set to '' for default value 365 */ //* Set to 0 for no expiration */ //* **************************************************************** * // SET CERTUSS='/your/dsn/cert.p12' // SET JWTUSS='/your/dsn/api.jwt' // SET EXPDAY='' //******************************************************************** //* STEP 1: COPY FROM MVS DATASET TO USS PATH //******************************************************************** //COPYUSS EXEC PGM=BPXBATCH //STDPARM DD *,SYMBOLS=JCLONLY SH cp "//'&P12DSN'" &CERTUSS /* //STDOUT DD SYSOUT=* //STDERR DD SYSOUT=* //******************************************************************** //* STEP 2: JWT GENERATOR //******************************************************************** //JAVAJWT EXEC PGM=&JZOSMEM, // PARM='com.hcl.tws.apikey.SAFJwtGenerator' //STEPLIB DD DISP=SHR,DSN=&JZOSLIB //SYSPRINT DD SYSOUT=* //SYSOUT DD SYSOUT=* //STDOUT DD SYSOUT=*,DCB=(RECFM=VB,LRECL=80) //STDERR DD SYSOUT=*,DCB=(RECFM=VB,LRECL=80) //STDENV DD PATH='&PROFILE1&PROFILE2&PROFILE3',PATHOPTS=ORDONLY /* //************************************************************* //MAINARGS DD *,SYMBOLS=JCLONLY &CERTUSS &PASSWORD &JWTUSS &EXPDAY /*- P12DSN
- The temporary MVS data set where you extracted the personal certificate in p12 format.
- PASSWORD
- The password used to extract the personal certificate.
- JZOSLIB
- The JZOS STEPLIB.
- JZOSMEM
- The JZOS member name.
- PROFILE1
- First line of the
env.profilefile path. - PROFILE2
- Second line of the
env.profilefile path. - PROFILE3
- Third line of the
env.profilefile path.Note: The complete path to theenv.profilefile is made up of PROFILE1, PROFILE2, and PROFILE3. - CERTUSS
- The temporary USS path where you copied the MVS data set containing your p12 certificate.
- JWTUSS
- The USS output file path where the sample will store the generated JWT. Specify NONE to have the output stored in the SYSOUT.
- EXPDAY
- The number of days before the JWT expires. Specify 0 for limitless expiration. The default value is 365.
When running the EQQKYGEN sample job, Step 1 will take as input the MVS temporary data set containing your personal p12 certificate and copy it to the temporary USS file to further process it. Step 2 will use the information included in the
env.profilefile to generate the API Key signed with your personal certificate. This is required for binding an HCL Universal Orchestrator shadow task. - Run the EQQKYGEN sample job.
The output of the sample is a file containing the API Key.
- Copy the content of the output file to the password field of the HCL Universal Orchestrator shadow task.