Skip to Content
ConnectorsIBM Mainframe

IBM Mainframe

Connect your IBM z/OS mainframe for COBOL program discovery, migration planning, and automated code modernization.

Overview

The IBM Mainframe connector uses the z/OS Management Facility (z/OSMF) REST API to provide agents with secure access to mainframe datasets, jobs, USS files, and console commands. Combined with the COBOL migration pipeline, it enables end-to-end modernization of legacy mainframe applications.

Architecture

Data flow: Cendra issues tool calls through the MCP Gateway, which authenticates against z/OSMF using credentials from the Secrets Vault. z/OSMF enforces RACF security rules and routes requests to the appropriate z/OS subsystem. Results flow back through the gateway and are optionally atomized into Cortex for knowledge retention.

Security model

All mainframe operations are subject to three layers of authorization: Cendriix workspace RBAC, z/OSMF access control, and RACF resource-level permissions. No credentials are exposed to agents — they are injected by the MCP Gateway at runtime and never appear in logs or tool outputs.

Setup

Prerequisites

  • IBM z/OS 2.3+ with z/OSMF enabled and configured
  • RACF user with appropriate permissions for z/OSMF REST services
  • Network connectivity from your Cendriix workspace to the z/OSMF endpoint (HTTPS)

Connection wizard

  1. Navigate to Settings → Integrations → Connectors and find IBM Mainframe.
  2. Click Connect to open the 3-step setup wizard.

Step 1 — Connection details:

  • Connection name (e.g., “Production z/OS”)
  • z/OSMF base URL (e.g., https://zosmf.example.com:443/zosmf)
  • Auth method: RACF username + password, Client certificate (TLS), or PassTicket
  • RACF credentials

Step 2 — Verify connection:

  • Tests connectivity to your z/OSMF instance
  • Displays z/OS version, z/OSMF version, and hostname
  • Validates credentials and permissions

Step 3 — Configure scope:

  • HLQ patterns for dataset discovery (e.g., PROD.COBOL.**, DEV.SRC.**)
  • COBOL source libraries
  • Copybook libraries
  • JCL libraries
  • DB2 subsystem names

Authentication methods

MethodDescriptionUse case
RACF username + passwordStandard z/OS authenticationMost common; recommended for initial setup
Client certificate (TLS)Mutual TLS with client certHigher security; no password transmission
PassTicketOne-time-use authentication tokenAutomated workflows; no stored passwords

Credentials are encrypted at rest with AES-256-GCM and stored in the Cendriix Secrets Vault.

Available tools

ToolDescription
mainframe.datasets.listList datasets matching HLQ patterns
mainframe.datasets.readRead dataset or PDS member content
mainframe.datasets.writeWrite to a dataset or PDS member
mainframe.jobs.submitSubmit JCL for execution
mainframe.jobs.statusCheck job status and return code
mainframe.jobs.outputRetrieve job spool output (SYSOUT)
mainframe.uss.listList USS directory contents
mainframe.uss.readRead a USS file
mainframe.uss.writeWrite a USS file
mainframe.console.issueIssue an MVS console command

COBOL program discovery

Once connected, the mainframe connector can scan your COBOL libraries to build a program inventory:

  1. Click Scan Inventory to discover programs across configured PDS libraries.
  2. Each program is analyzed for:
    • Lines of code (LOC)
    • COBOL divisions and sections
    • Paragraph count
    • COPY statement references (copybook dependencies)
    • CALL targets (inter-program dependencies)
    • Embedded SQL statements (EXEC SQL)
    • CICS commands (EXEC CICS)
  3. Programs are scored by complexity: Low, Medium, or High.

The inventory feeds into the COBOL Migration pipeline for automated modernization.

Cortex integration

Mainframe source code is ingested into Cortex as specialized knowledge atoms:

Atom kindDescription
cobol_sourceProgram-level metadata — divisions, complexity, LOC, call graph
cobol_copybookCopybook references and data structure definitions
cobol_jclJCL procedure and step definitions
db2_schemaEmbedded SQL table references and DDL

These atoms power Cendra’s mainframe-aware answers and enable dependency analysis across your COBOL estate.

Security

  • z/OSMF connections use HTTPS with TLS 1.2+
  • Credentials never leave the Cendriix control plane
  • Every mainframe API call recorded in the audit log
  • Dataset access follows your existing RACF security rules
  • Agents cannot access datasets outside configured HLQ patterns

API

MethodEndpointDescription
POST/connectors/mainframe/connectCreate a mainframe connection
POST/connectors/mainframe/verifyTest connection to z/OSMF
GET/connectors/mainframe/:id/programsList discovered COBOL programs
POST/connectors/mainframe/:id/scanTrigger inventory scan
DELETE/connectors/mainframe/:idRemove a mainframe connection

See also: COBOL Migration, All Connectors, Cortex

Last updated on