SSH-EXTERNALKEYS(5)                   SSH2                  SSH-EXTERNALKEYS(5)

DESCRIPTION
       This document contains general information about using external keys
       with Tectia Server for IBM z/OS.

USING EXTERNAL KEYS
       For applications capable of using external keys, two strings need to
       be specified: the provider name and the initialization string for the
       provider. These strings can be given on the command line or in a
       configuration file, depending on the application. The following
       section describes the available providers in more detail.

       The provider name and/or the initialization string may be defined in
       the following configuration attributes and keywords:

       In ssh-broker-config.xml:
              cert-validation/key-store[@type="provider",init="initstring"]
              known-hosts/key-store[@type="provider",init="initstring"]
              key-stores/key-store[@type="provider",init="initstring"]

       In sshd2_config:
              AuthorizationEkProvider="provider:initstring"
              HostKeyEkInitString="initstring"
              HostKeyEkProvider="provider"
              KnownHostsEkProvider="provider:initstring"

       In ssh_certd_config:
              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              PkiEkProvider="provider:initstring"

EXTERNAL KEY PROVIDERS
   zos-saf
       The zos-saf provider is used for accessing keys stored in the IBM
       z/OS System Authorization Facility (SAF).

       The initialization string for the zos-saf provider specifies the
       key(s) to be used and has the following components:

              {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...

       KEYS(..) may repeat. The subattributes are:

       ID      A SAF user id signifying the owner of the key ring. If
               missing, the current user's id is used.

       RING    Key ring name. Mandatory.

       LABEL   The SAF key label. If both LABEL and DEFAULT are missing,
               all the keys in the key ring are used.

       DEFAULT Use the key that is marked as the default key on the key
               ring. Do not specify together with LABEL.

       Values must be written in single quotation marks if they contain
       single quotation marks or parentheses.
       The initialization string specified with the HostKeyEkInitString
       keyword of sshd2_config must point to a single private key. If the
       key ring contains several keys, LABEL must be used to distinguish
       between the keys.

       When using a trusted key provider and the SSH Tectia Certificate
       Validator, specify KEYS variables that include all the CA
       certificates needed, for example:

              PkiEkProvider="zos-saf"
              PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA')) KEYS(ID(SSHTEST) RING(Internal.CAs))"

       The key-store[@init] attribute of ssh-broker-config.xml and the
       AuthorizationEkProvider keyword of sshd2_config can contain special
       strings in the key specification that are mapped according to the
       following list:

              %U  = user name
              %IU = user ID
              %IG = user group ID

AUTHORS
       Tectia Corporation

       For more information, see http://www.tectia.com.

SEE ALSO
       ssh-certd(8), ssh-broker-config(5), ssh_certd_config(5),
       sshd2_config(5).
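The following Python parser is an added example, not code from Tectia or this manual: it reads a zos-saf initialization string according to the grammar above, enforces the rules the page states (RING mandatory, LABEL and DEFAULT mutually exclusive, quoting for values with parentheses), expands the %U/%IU/%IG strings, and checks that a HostKeyEkInitString names a single key. The doubled-quote escape inside a quoted value and the function names are assumptions.

```python
import re

# Grammar from the page: {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...
# A value must be quoted with '...' if it contains quotes or parentheses; writing
# an embedded quote as '' inside a quoted value is an assumed convention.
_KEYS = re.compile(r"\s*KEYS\(")
_ATTR = re.compile(r"\s*(ID|RING|LABEL|DEFAULT)")
_END = re.compile(r"\s*\)")
_VALUE = re.compile(r"'((?:[^']|'')*)'\)|([^()']*)\)")

def parse_zos_saf_init(init, user=None, uid=None, gid=None):
    """Parse a zos-saf initialization string into one dict per KEYS(...) entry.
    %U/%IU/%IG are expanded first (the page allows them in key-store[@init]
    and AuthorizationEkProvider); a missing ID falls back to `user`."""
    for token, value in (("%IU", uid), ("%IG", gid), ("%U", user)):
        if value is not None:
            init = init.replace(token, str(value))
    specs, i = [], 0
    while init[i:].strip():
        m = _KEYS.match(init, i)
        if not m:
            raise ValueError("expected KEYS( at offset %d" % i)
        i, spec = m.end(), {}
        while not _END.match(init, i):
            m = _ATTR.match(init, i)
            if not m:
                raise ValueError("bad or unterminated KEYS() at offset %d" % i)
            name, i = m.group(1), m.end()
            if name == "DEFAULT":
                spec["DEFAULT"] = True
                continue
            m = _VALUE.match(init, i + 1) if init[i:i + 1] == "(" else None
            if not m:
                raise ValueError("bad value for %s at offset %d" % (name, i))
            spec[name] = m.group(2).strip() if m.group(1) is None else m.group(1).replace("''", "'")
            i = m.end()
        i = _END.match(init, i).end()
        if "RING" not in spec:
            raise ValueError("RING is mandatory in every KEYS() entry")
        if "LABEL" in spec and "DEFAULT" in spec:
            raise ValueError("LABEL and DEFAULT must not be specified together")
        spec.setdefault("ID", user)
        specs.append(spec)
    return specs

def host_key_init_ok(init):
    """HostKeyEkInitString must select a single private key: one KEYS() entry that
    names a LABEL (or DEFAULT); a bare RING selects every key on the ring."""
    specs = parse_zos_saf_init(init)
    return len(specs) == 1 and ("LABEL" in specs[0] or "DEFAULT" in specs[0])
```

Running the page's PkiEkInitString example through parse_zos_saf_init yields two entries, the first with RING "Trusted.CAs" and LABEL "Primary CA", the second owned by ID "SSHTEST" on RING "Internal.CAs".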