IBM Mainframe
Connect your IBM z/OS mainframe for COBOL program discovery, migration planning, and automated code modernization.
Overview
The IBM Mainframe connector uses the z/OS Management Facility (z/OSMF) REST API to provide agents with secure access to mainframe datasets, jobs, USS files, and console commands. Combined with the COBOL migration pipeline, it enables end-to-end modernization of legacy mainframe applications.
Architecture
Data flow: Cendra issues tool calls through the MCP Gateway, which authenticates against z/OSMF using credentials from the Secrets Vault. z/OSMF enforces RACF security rules and routes requests to the appropriate z/OS subsystem. Results flow back through the gateway and are optionally atomized into Cortex for knowledge retention.
Security model
All mainframe operations are subject to three layers of authorization: Cendriix workspace RBAC, z/OSMF access control, and RACF resource-level permissions. No credentials are exposed to agents — they are injected by the MCP Gateway at runtime and never appear in logs or tool outputs.
Setup
Prerequisites
- IBM z/OS 2.3+ with z/OSMF enabled and configured
- RACF user with appropriate permissions for z/OSMF REST services
- Network connectivity from your Cendriix workspace to the z/OSMF endpoint (HTTPS)
Connection wizard
- Navigate to Settings → Integrations → Connectors and find IBM Mainframe.
- Click Connect to open the 3-step setup wizard.
Step 1 — Connection details:
- Connection name (e.g., “Production z/OS”)
- z/OSMF base URL (e.g.,
https://zosmf.example.com:443/zosmf) - Auth method: RACF username + password, Client certificate (TLS), or PassTicket
- RACF credentials
Step 2 — Verify connection:
- Tests connectivity to your z/OSMF instance
- Displays z/OS version, z/OSMF version, and hostname
- Validates credentials and permissions
Step 3 — Configure scope:
- HLQ patterns for dataset discovery (e.g.,
PROD.COBOL.**,DEV.SRC.**) - COBOL source libraries
- Copybook libraries
- JCL libraries
- DB2 subsystem names
Authentication methods
| Method | Description | Use case |
|---|---|---|
| RACF username + password | Standard z/OS authentication | Most common; recommended for initial setup |
| Client certificate (TLS) | Mutual TLS with client cert | Higher security; no password transmission |
| PassTicket | One-time-use authentication token | Automated workflows; no stored passwords |
Credentials are encrypted at rest with AES-256-GCM and stored in the Cendriix Secrets Vault.
Available tools
| Tool | Description |
|---|---|
mainframe.datasets.list | List datasets matching HLQ patterns |
mainframe.datasets.read | Read dataset or PDS member content |
mainframe.datasets.write | Write to a dataset or PDS member |
mainframe.jobs.submit | Submit JCL for execution |
mainframe.jobs.status | Check job status and return code |
mainframe.jobs.output | Retrieve job spool output (SYSOUT) |
mainframe.uss.list | List USS directory contents |
mainframe.uss.read | Read a USS file |
mainframe.uss.write | Write a USS file |
mainframe.console.issue | Issue an MVS console command |
COBOL program discovery
Once connected, the mainframe connector can scan your COBOL libraries to build a program inventory:
- Click Scan Inventory to discover programs across configured PDS libraries.
- Each program is analyzed for:
- Lines of code (LOC)
- COBOL divisions and sections
- Paragraph count
- COPY statement references (copybook dependencies)
- CALL targets (inter-program dependencies)
- Embedded SQL statements (
EXEC SQL) - CICS commands (
EXEC CICS)
- Programs are scored by complexity: Low, Medium, or High.
The inventory feeds into the COBOL Migration pipeline for automated modernization.
Cortex integration
Mainframe source code is ingested into Cortex as specialized knowledge atoms:
| Atom kind | Description |
|---|---|
cobol_source | Program-level metadata — divisions, complexity, LOC, call graph |
cobol_copybook | Copybook references and data structure definitions |
cobol_jcl | JCL procedure and step definitions |
db2_schema | Embedded SQL table references and DDL |
These atoms power Cendra’s mainframe-aware answers and enable dependency analysis across your COBOL estate.
Security
- z/OSMF connections use HTTPS with TLS 1.2+
- Credentials never leave the Cendriix control plane
- Every mainframe API call recorded in the audit log
- Dataset access follows your existing RACF security rules
- Agents cannot access datasets outside configured HLQ patterns
API
| Method | Endpoint | Description |
|---|---|---|
POST | /connectors/mainframe/connect | Create a mainframe connection |
POST | /connectors/mainframe/verify | Test connection to z/OSMF |
GET | /connectors/mainframe/:id/programs | List discovered COBOL programs |
POST | /connectors/mainframe/:id/scan | Trigger inventory scan |
DELETE | /connectors/mainframe/:id | Remove a mainframe connection |
See also: COBOL Migration, All Connectors, Cortex