To create a user key in SAF, give the following TSO commands:

RACDCERT ID(USER) GENCERT SUBJECTSDN(CN('User') OU('RD') O('EXAMPLE')) 
  SIZE(1024) WITHLABEL('USER')
RACDCERT ID(USER) LIST

Give the following TSO command to generate the certification request:

RACDCERT ID(USER) GENREQ(LABEL('USER')) DSN('USER.CRT.REQ')

Use the PKCS#10 certification request in the dataset 'USER.CRT.REQ' to enroll the certificate. The actual steps depend on your CA setup.

After the enrollment is completed, store the received certificate to a dataset, for example 'USER.CRT'.

To connect the new certificate to a key ring, give the following TSO commands:

RACDCERT ID(USER) ADD('USER.CRT') TRUST WITHLABEL('USER')
RACDCERT ID(USER) ADDRING(USER)
RACDCERT ID(USER) CONNECT(ID(USER) LABEL('USER') RING(USER) 
  USAGE(PERSONAL))
RACDCERT ID(USER) LISTRING(USER)

For the settings to take effect, give the following TSO command:

SETROPTS RACLIST(DIGTCERT) REFRESH

Define the z/OS SAF external key provider and its initialization string with the general/key-stores/key-store element in the ssh-broker-config.xml file:

<key-stores>
 <key-store type="zos-saf" 
            init="KEYS(ID(%U) RING(%U))" />
</key-stores>

The initialization string can contain special strings in the key specification that are mapped according the following list:

Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default).

<authentication-methods>
  <auth-publickey />
...
</authentication-methods>

Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.