Note | |
---|---|
If there is at least one |
To configure the client to trust the server's SAF certificate by using SAF validation only, perform the following tasks. Replace the names and IDs with those appropriate to your system:
Get the server host certificate and store it to a data set, for example
'SERVER1.CRT'
.
To add the server certificate into SAF, give the following TSO commands:
RACDCERT ID(USER) ADD('SERVER1.CRT') TRUST WITHLABEL('SERVER1') RACDCERT ID(USER) ADDRING(SSH-HOSTKEYS) RACDCERT ID(USER) CONNECT(ID(USER) LABEL('SERVER1') RING(SSH-HOSTKEYS) USAGE(PERSONAL)) RACDCERT ID(USER) LISTRING(SSH-HOSTKEYS)
For the settings to take effect, give the following TSO command:
SETROPTS RACLIST(DIGTCERT) REFRESH
Define the z/OS SAF external key provider that contains the server host certificates
in the general/known-hosts/key-store
element:
<known-hosts> ... <key-store type="zos-saf" init="KEYS(ID(USER) RING(SSH-HOSTKEYS))" /> </known-hosts>
For more information on the configuration file options, see ssh-broker-config(5). For information on the format of the external key initialization string, see the section called “Key Store Configuration Examples”.