The PSWI step 'Run the Zowe init security' step fails due to missing ACIDs #4115

Open
gejohnston opened this issue Jan 6, 2025 · 1 comment
Labels
bug Something isn't working PSWI z/OSMF PSWI and Workflow question Further information is requested zwe

Comments

@gejohnston
Member

Describe the bug

The following PSWI step fails when run under TopSecret:

Software Management - Deployments - Deployment Checklist - Perform Workflows - Workflows - ZOWE Configuration of Zowe 3.0 - 3.3. Run the Zowe init security

To Reproduce

All PSWI steps up to the following step have completed successfully.

The PSWI step 'Run the Zowe init security' runs the following commands:

    zwe init security -c '/u/users/group/product/prod004/zwe/smpe/zowe.yaml' --allow-overwrite
    zwe init apfauth -c '/u/users/group/product/prod004/zwe/smpe/zowe.yaml'

One of the zwe init commands apparently generates a job named ZWESECUR.

The ZWESECUR job fails with the following type of errors in SYSTSPRT (there are 38 errors).

    TSS LIST(ZWEADMIN) SEGMENT(OMVS)
    TSS0314E ACID DOES NOT EXIST

    TSS CREATE(ZWEADMIN)   TYPE(GROUP) NAME('ZOWE ADMINISTRATORS') DEPT()
    TSS0364E  DEPARTMENT SPECIFICATION MISSING OR INVALID

    TSS ADD(ZWEADMIN)   GID()
    TSS0293E  INVALID VALUE FOR KEYWORD GID

    TSS ADD()          IBMFAC(ZWES.IS)
    TSS0211E  ACCESSOR-ID MISSING OR INVALID

    TSS ADD()          IBMFAC(BPX.)
    TSS0211E  ACCESSOR-ID MISSING OR INVALID

Similar errors occur for ZWESVUSR and ZWESIUSR.

Many of these ACID values were previously successfully generated into the zowe.yaml file, so data exists for 'zowe init' and its generated JCL.

    # Security related configurations. This setup is optional.
    security:
      # security product name. Can be RACF, ACF2 or TSS
      product: TSS
      # security group name
      groups:
        # Zowe admin user group
        admin: ZWEADMIN
        # Zowe STC group
        stc: ZWEADMIN
        # Zowe SysProg group
        sysProg: ZWEADMIN
      # security user name
      users:
        # Zowe runtime user name of main service
        zowe: ZWESVUSR
        # Zowe runtime user name of ZIS
        zis: ZWESIUSR
      # STC names
      stcs:
        # STC name of Zowe main service
        zowe: ZWESLSTC
        # STC name of Zowe ZIS
        zis: ZWESISTC
        # STC name of Zowe ZIS Auxiliary Server
        aux: ZWESASTC

Looking at the JESJCL spool from the failed ZWESECUR job, I see statements like the following:

          // ... When ... you are using Top Secret,
          //* provide appropriate (numeric) values to these SET commands.
       25 //         SET ADMINGID=             * Group ID for ZOWE administrators
       26 //ADMINGID EXPORT EXPSET=                            GENERATED STATEMENT
       27 //         SET   STCGID=&ADMINGID.   * Group ID for ZOWE started tasks
          IEFC653I SUBSTITUTION JCL - STCGID=
       28 //STCGID   EXPORT EXPSET=                            GENERATED STATEMENT
       29 //         SET  ZOWEUID=             * UID for ZOWE started task User
       30 //ZOWEUID  EXPORT EXPSET=                            GENERATED STATEMENT
       31 //         SET   ZISUID=             * UID for ZIS started task User
       32 //ZISUID   EXPORT EXPSET=                            GENERATED STATEMENT

        
          
          //* Top Secret ONLY -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
          //*                     12345678
       33 //         SET ADMINDEP=             * department owning admin group
       34 //ADMINDEP EXPORT EXPSET=                            GENERATED STATEMENT
       35 //         SET  STCGDEP=             * department owning STC group
       36 //STCGDEP  EXPORT EXPSET=                            GENERATED STATEMENT
       37 //         SET  STCUDEP=             * department owning STC user IDs
       38 //STCUDEP  EXPORT EXPSET=                            GENERATED STATEMENT
       39 //         SET  ZOWEDEP=             * department owning Zowe resources
       40 //ZOWEDEP  EXPORT EXPSET=                            GENERATED STATEMENT
       41 //         SET  FACACID=             * ACID owning IBMFAC
       42 //FACACID  EXPORT EXPSET=                            GENERATED STATEMENT
          //*                     12345678
          //*
          //* end Top Secret ONLY -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

The ZWESECUR job is automatically generated and run completely behind the scenes, so a user does not see the JCL before it is executed. The implication is that zwe and its JCL should be performing all of the needed steps. The PSWI step / zwe / ZWESECUR logic appears to not set values required by that very same JCL process.

Even if the user saw the JCL beforehand, I found no documentation on what steps should be manually performed to enable that JCL to run.

Expected behavior

With no further information about what is required of the user to make this step work, a user cannot continue.

Desktop (please complete the following information):

  • OS: Windows 11, z/OS 3.1, TopSecret
  • Browser: Chrome 131.0.6778.205
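
Added example (not part of the issue and not Zowe's own code): a Python check that scans JCL or JESJCL spool text for SET statements left without a value, following symbol references such as `STCGID=&ADMINGID.`, so blank Top Secret symbols are listed by name. `find_empty_symbols` is a hypothetical helper; the sample input is an excerpt of the spool lines quoted above.

```python
import re

# A JCL SET statement, with or without the statement number that a JESJCL
# listing puts in front. Comment statements (//*) are excluded.
SET_RE = re.compile(r"^\s*(?:\d+\s+)?//(?!\*)\S*\s+SET\s+(\S+)")
# A symbol reference such as &ADMINGID. (the trailing period is optional).
SYM_RE = re.compile(r"&([A-Z0-9$#@]+)\.?")

# Excerpt of the JESJCL lines quoted in the issue.
SAMPLE_SPOOL = """\
       25 //         SET ADMINGID=             * Group ID for ZOWE administrators
       26 //ADMINGID EXPORT EXPSET=                            GENERATED STATEMENT
       27 //         SET   STCGID=&ADMINGID.   * Group ID for ZOWE started tasks
          IEFC653I SUBSTITUTION JCL - STCGID=
       29 //         SET  ZOWEUID=             * UID for ZOWE started task User
       33 //         SET ADMINDEP=             * department owning admin group
       41 //         SET  FACACID=             * ACID owning IBMFAC
"""


def find_empty_symbols(jcl_text):
    """Return the names of SET symbols that resolve to an empty value."""
    values = {}
    empty = []
    for line in jcl_text.splitlines():
        match = SET_RE.match(line)
        if not match:
            continue  # comments, EXPORT statements, IEFC653I messages, ...
        # The operand field may hold several NAME=VALUE pairs separated by
        # commas (quoted values containing commas are not handled here).
        for pair in match.group(1).split(","):
            name, _, raw = pair.partition("=")
            # Substitute earlier symbols; an unknown symbol counts as empty.
            resolved = SYM_RE.sub(lambda s: values.get(s.group(1), ""), raw)
            values[name] = resolved
            if resolved == "":
                empty.append(name)
    return empty


if __name__ == "__main__":
    for symbol in find_empty_symbols(SAMPLE_SPOOL):
        print(f"SET {symbol}= has no value")
```
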
@MarkAckert MarkAckert added PSWI z/OSMF PSWI and Workflow question Further information is requested bug Something isn't working and removed question Further information is requested labels Jan 16, 2025
@muzikovam muzikovam added the zwe label Jan 22, 2025
@JoeNemo
Contributor

JoeNemo commented Jan 22, 2025

This is a universal plea for someone who knows TopSecret to chime in on this bug. Or if you are a Zowe contributor and know someone who knows, can you seek their advice?
