Tectia

Certificates Stored in SAF

To use SAF certificates for user authentication, perform the following steps. Replace the names and IDs with those appropriate to your system:

  1. To create a user key in SAF, give the following TSO commands:

    RACDCERT ID(USER) GENCERT SUBJECTSDN(CN('User') OU('RD') O('EXAMPLE')) 
      SIZE(1024) WITHLABEL('USER')
    RACDCERT ID(USER) LIST
    
  2. Give the following TSO command to generate the certification request:

    RACDCERT ID(USER) GENREQ(LABEL('USER')) DSN('USER.CRT.REQ')
    
  3. Use the PKCS#10 certification request in the dataset 'USER.CRT.REQ' to enroll the certificate. The actual steps depend on your CA setup.

  4. After the enrollment is completed, store the received certificate in a dataset, for example 'USER.CRT'.

  5. To connect the new certificate to a key ring, give the following TSO commands:

    RACDCERT ID(USER) ADD('USER.CRT') TRUST WITHLABEL('USER')
    RACDCERT ID(USER) ADDRING(USER)
    RACDCERT ID(USER) CONNECT(ID(USER) LABEL('USER') RING(USER) 
      USAGE(PERSONAL))
    RACDCERT ID(USER) LISTRING(USER)
    
  6. For the settings to take effect, give the following TSO command:

    SETROPTS RACLIST(DIGTCERT) REFRESH
    
  7. Define the z/OS SAF external key provider and its initialization string with the general/key-stores/key-store element in the ssh-broker-config.xml file:

    <key-stores>
     <key-store type="zos-saf" 
                init="KEYS(ID(%U) RING(%U))" />
    </key-stores>
    

    The initialization string can contain special strings in the key specification that are mapped according to the following list:

    • %U = user name

    • %IU = user ID

    • %IG = user group ID

  8. Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default).

    <authentication-methods>
      <auth-publickey />
    ...
    </authentication-methods>
    

    Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
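
    As an added check that is not part of the Tectia documentation, the following Python script parses a constructed ssh-broker-config.xml fragment, expands the %U, %IU and %IG tokens of a zos-saf key-store init string for a given user, and reports when auth-publickey is missing or is listed after an interactive method. The secsh-broker root element, the auth-password and auth-keyboard-interactive element names and the sample user values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's key-store and
# authentication-methods fragments; not a real configuration.
SAMPLE_CONFIG = """<secsh-broker>
  <general>
    <key-stores>
      <key-store type="zos-saf" init="KEYS(ID(%U) RING(%U))" />
    </key-stores>
  </general>
  <authentication-methods>
    <auth-publickey />
    <auth-password />
  </authentication-methods>
</secsh-broker>"""

# Methods that prompt the user (assumed element names), used only to
# verify that public-key authentication is listed before them.
INTERACTIVE = {"auth-password", "auth-keyboard-interactive"}


def expand_init(init, user_name, user_id, group_id):
    """Expand %U (user name), %IU (user ID), %IG (group ID) in an init string."""
    values = {"%U": user_name, "%IU": user_id, "%IG": group_id}

    def repl(match):
        token = match.group(0)
        if token not in values:
            raise ValueError(f"unknown substitution {token!r} in init string")
        return values[token]

    # Known tokens are tried first; any other %WORD is reported as an error.
    return re.sub(r"%IU|%IG|%U|%[A-Za-z]+", repl, init)


def check_broker_config(xml_text, user_name, user_id, group_id):
    """Return (expanded zos-saf init strings, list of findings)."""
    root = ET.fromstring(xml_text)
    findings, inits = [], []
    for ks in root.iter("key-store"):
        if ks.get("type") == "zos-saf":
            inits.append(expand_init(ks.get("init", ""), user_name, user_id, group_id))
    if not inits:
        findings.append("no key-store of type zos-saf defined")
    methods = [m.tag for am in root.iter("authentication-methods") for m in am]
    if "auth-publickey" not in methods:
        findings.append("auth-publickey missing: SAF certificates cannot be used")
    else:
        pk = methods.index("auth-publickey")
        if any(m in INTERACTIVE for m in methods[:pk]):
            findings.append("an interactive method is listed before auth-publickey")
    return inits, findings
```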

For more information on the configuration file options, see ssh-broker-config(5). For information on the format of the external key initialization string, see the section called “Key Store Configuration Examples”.