SSH-EXTERNALKEYS(5) SSH2 SSH-EXTERNALKEYS(5)
DESCRIPTION
This document contains general information about using
external keys with SSH Tectia Server for IBM z/OS.
USING EXTERNAL KEYS
For applications capable of using external keys, two
strings need to be specified: the provider name and the
initialization string for the provider. These strings can
be given on the command line or in a configuration file,
depending on the application. The following section
describes the different providers available in more
detail.
The provider name and/or the initialization string may be
defined in the following configuration attributes and
keywords:
In ssh-broker-config.xml:
cert-validation/key-store[@type="provider",init="initstring"]
known-hosts/key-store[@type="provider",init="initstring"]
key-stores/key-store[@type="provider",init="initstring"]
In sshd2_config:
AuthorizationEkProvider="provider:initstring"
HostKeyEkInitString="initstring"
HostKeyEkProvider="provider"
KnownHostsEkProvider="provider:initstring"
In ssh_certd_config:
HostCAEkProvider="provider:initstring"
HostCAEkProviderNoCRLs="provider:initstring"
PkiEkProvider="provider:initstring"
EXTERNAL KEY PROVIDERS
zos-saf
The zos-saf provider is used for accessing keys
stored in the IBM z/OS System Authorization Facility
(SAF).
The initialization string for the zos-saf provider
specifies the key(s) to be used and it has the
following components:
{KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...
KEYS(..) may repeat. The subattributes are:
ID - A SAF user id signifying the owner of the key
ring. If missing, the current user's id is used.
RING - Key ring name. Mandatory.
LABEL - The SAF key label. If missing, and DEFAULT
is missing, use all the keys in the key ring.
DEFAULT - Use the key that is marked as the
default key on the key ring. Do not specify
together with LABEL.
Values must be written in single quotation marks if
they contain single quotation marks or parentheses.
The initialization string specified with the
HostKeyEkInitString keyword of sshd2_config must
point to a single private key. If the key ring
contains several keys, LABEL must be used to
distinguish between the keys.
When using a trusted key provider and the SSH Tectia
Certificate Validator, specify KEYS variables
that include all the CA certificates needed, for
example:
PkiEkProvider="zos-saf"
PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA'))
KEYS(ID(SSHTEST) RING(Internal.CAs))"
The key-store[@init] attribute of ssh-broker-config.xml
and the AuthorizationEkProvider keyword of sshd2_config
can contain special strings in the key specification
that are mapped according to the following list:
%U = user name
%IU = user ID
%IG = user group ID
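As an added example, not code from SSH Tectia or this manual page, the following Python parses a zos-saf initialization string of the form {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}..., applies the %U/%IU/%IG substitutions listed above, enforces the RING/LABEL/DEFAULT rules, and checks that a string meant for HostKeyEkInitString names a single key. The function names, the sample ring and label values, and treating only LABEL or DEFAULT as a single-key selector are assumptions.

```python
import re

# Added example (not SSH Tectia code) for the zos-saf initialization string
# {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}... described on this page.
_KEYS_OPEN = re.compile(r"\s*KEYS\(")
_SUBATTR = re.compile(r"\s*(ID|RING|LABEL|DEFAULT)\b(\()?")

def _read_value(s, i):
    # Return (value, index of the closing ')'). A quoted value may contain
    # parentheses; the page gives no escape for an embedded quote, so none is read.
    quoted = s[i] == "'"
    j = s.find("'", i + 1) if quoted else s.find(")", i)
    if j < 0 or (quoted and s[j + 1:j + 2] != ")"):
        raise ValueError("unterminated value at offset %d" % i)
    return (s[i + 1:j], j + 1) if quoted else (s[i:j].strip(), j)

def parse_zos_saf_init(init, user=None, uid=None, gid=None):
    """One dict per KEYS(...) clause after %U/%IU/%IG substitution, enforcing
    the page's rules: RING is mandatory, LABEL and DEFAULT are exclusive."""
    for token, val in (("%IU", uid), ("%IG", gid), ("%U", user)):
        if val is not None:
            init = init.replace(token, str(val))
    keys, pos = [], 0
    while (m := _KEYS_OPEN.match(init, pos)):
        pos, entry = m.end(), {}
        while (m := _SUBATTR.match(init, pos)):
            name, pos = m.group(1), m.end()
            if name in entry or bool(m.group(2)) == (name == "DEFAULT"):
                raise ValueError(f"duplicate, valueless or DEFAULT(...) {name}")
            if name == "DEFAULT":                     # DEFAULT takes no value
                entry[name] = True
                continue
            entry[name], pos = _read_value(init, pos)
            pos += 1                                  # consume the ')'
        close = re.match(r"\s*\)", init[pos:])
        if close is None or "RING" not in entry or ("LABEL" in entry and "DEFAULT" in entry):
            raise ValueError("unclosed KEYS, missing RING, or LABEL with DEFAULT")
        pos += close.end()
        keys.append(entry)
    if not keys or init[pos:].strip():
        raise ValueError("expected only KEYS(...) clauses")
    return keys

def is_single_key_spec(keys):
    """Conservative check for HostKeyEkInitString: exactly one KEYS clause
    that names one key via LABEL or DEFAULT rather than a whole ring."""
    return len(keys) == 1 and ("LABEL" in keys[0] or "DEFAULT" in keys[0])
```

The check in is_single_key_spec is deliberately stricter than the page requires: a RING-only clause is accepted by the server when the ring holds one key, but the parser cannot see the ring, so it flags it.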
AUTHORS
SSH Communications Security Corp.
For more information, see http://www.ssh.com.
SEE ALSO
ssh-certd(8), ssh-broker-config(5), ssh_certd_config(5),
sshd2_config(5).