To use SAF certificates for user authentication, do the following steps. Replace the names and IDs with those appropriate to your system:
To create a user key in SAF, give the following TSO commands:
RACDCERT ID(USER) GENCERT SUBJECTSDN(CN('User') OU('RD') O('EXAMPLE')) SIZE(1024) WITHLABEL('USER')
RACDCERT ID(USER) LIST
Give the following TSO command to generate the certification request:
RACDCERT ID(USER) GENREQ(LABEL('USER')) DSN('USER.CRT.REQ')
Use the PKCS#10 certification request in the dataset 'USER.CRT.REQ' to enroll the certificate. The actual steps depend on your CA setup.
After the enrollment is completed, store the received certificate in a dataset, for example 'USER.CRT'.
To connect the new certificate to a key ring, give the following TSO commands:
RACDCERT ID(USER) ADD('USER.CRT') TRUST WITHLABEL('USER')
RACDCERT ID(USER) ADDRING(USER)
RACDCERT ID(USER) CONNECT(ID(USER) LABEL('USER') RING(USER) USAGE(PERSONAL))
RACDCERT ID(USER) LISTRING(USER)
For the settings to take effect, give the following TSO command:
SETROPTS RACLIST(DIGTCERT) REFRESH
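Before the RACDCERT ADD ... TRUST step above, it is worth confirming that the certificate the CA returned actually belongs to the request produced by GENREQ (same public key, expected subject). The following POSIX shell script is an added example, not part of this documentation or the product: it assumes the request and certificate have been transferred off the datasets as PEM text and that OpenSSL is installed, and the key pair and certificates it builds in make_sample_pair are constructed test data using the subject from the GENCERT command above.

```shell
#!/bin/sh
# Added example: check that a CA-issued certificate matches the PKCS#10 request
# it was enrolled from, before the certificate is added to SAF with TRUST.
# Assumes PEM text files (downloaded from 'USER.CRT.REQ' / 'USER.CRT') and OpenSSL.
set -e

# Compare the public key in the request with the one in the certificate and
# check the certificate subject. Returns 0 on match, 1 otherwise.
# OpenSSL prints the subject in RFC 2253 form, i.e. reversed: "O=EXAMPLE,OU=RD,CN=User".
check_cert_matches_request() {
    req="$1"; crt="$2"; want_subject="$3"
    req_pub=$(openssl req -in "$req" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$req_pub" != "$crt_pub" ]; then
        echo "public key in $crt does not match $req"; return 1
    fi
    if [ "$subject" != "$want_subject" ]; then
        echo "unexpected subject: $subject (wanted $want_subject)"; return 1
    fi
    echo "OK: $crt matches $req, subject $subject"
}

# Constructed test data standing in for the datasets: a request plus a matching
# certificate (user.*), and a certificate for a different key (other.crt) that
# simulates a CA returning the wrong certificate for the same subject.
make_sample_pair() {
    dir="$1"
    for n in user other; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$n.key" -subj "/CN=User/OU=RD/O=EXAMPLE" -out "$dir/$n.req" 2>/dev/null
        openssl x509 -req -in "$dir/$n.req" -signkey "$dir/$n.key" -days 1 -out "$dir/$n.crt" 2>/dev/null
    done
}

# Run with --demo to exercise the check on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_pair "$tmp"
    check_cert_matches_request "$tmp/user.req" "$tmp/user.crt" "O=EXAMPLE,OU=RD,CN=User"
    rm -rf "$tmp"
fi
```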
Define the z/OS SAF external key provider and its initialization string with the general/key-stores/key-store element in the ssh-broker-config.xml file:
<key-stores>
    <key-store type="zos-saf" init="KEYS(ID(%U) RING(%U))" />
</key-stores>
The initialization string can contain special strings in the key specification that are mapped according to the following list:
%U = user name
%IU = user ID
%IG = user group ID
Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default):
<authentication-methods>
    <auth-publickey />
    ...
</authentication-methods>
Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.
For more information on the configuration file options, see ssh-broker-config(5). For information on the format of the external key initialization string, see the section called “Key Store Configuration Examples”.