This section describes one way to distribute keys for secure file transfer using SSH Tectia Server for IBM z/OS in the central location and SSH Tectia Server or another Secure Shell server and client products in the remote locations.
The processing on the mainframe is non-interactive. A public-key pair with a null passphrase is used for the SSH Tectia server on the mainframe and can also be used for the SSH Tectia client users on the mainframe; key security is then handled by local file access control using the local security product. RACF is used in this example, but TSS and ACF2 are equally applicable. The Secure Shell servers on the remote hosts use public-key pairs with a null passphrase. This is the customary way of setting up any Secure Shell server.
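Because a null-passphrase private key is protected only by file access control, the one check worth automating is that the key file really is readable by its owner alone. The following POSIX shell function is an added example, not a tool from the SSH Tectia product or its documentation; the key path and the expected owning user ID are assumptions passed in by the caller. It relies only on `ls -ld` and `cut`, so it runs unchanged in z/OS UNIX System Services and on Linux or Unix remote hosts.

```shell
#!/bin/sh
# Added example (not part of the SSH Tectia documentation): verify that a
# null-passphrase private key relies on file access control as intended.
# The key path and expected owner are assumptions supplied by the caller.

# check_key_file PATH OWNER
# Returns 0 when PATH is a regular file, owned by OWNER, with no group or
# world permission bits set. Otherwise prints the reason and returns 1.
check_key_file() {
    key="$1"
    owner="$2"

    if [ ! -f "$key" ]; then
        echo "FAIL: $key is not a regular file"
        return 1
    fi

    # POSIX long listing: mode, link count, owner, group, size, date, name.
    # Word-split the line into positional parameters; only $1 and $3 are used.
    set -- $(ls -ld "$key")
    mode="$1"
    file_owner="$3"

    if [ "$file_owner" != "$owner" ]; then
        echo "FAIL: $key is owned by $file_owner, expected $owner"
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    rest=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$rest" != "------" ]; then
        echo "FAIL: $key is readable by group or others (mode $mode)"
        return 1
    fi

    echo "OK: $key is owned by $owner with mode $mode"
    return 0
}

# Usage: sh check-key.sh /path/to/hostkey SERVERUSER
if [ "$#" -eq 2 ]; then
    check_key_file "$1" "$2"
fi
```

Run it once per key file after `ssh-keygen` (or the equivalent SSH Tectia key generation step) and again from the batch job that performs the transfer, so that a later permission change or an accidental chown is caught before the key is used.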
The users on the remote machines authenticate themselves by presenting their RACF user ID and password.
In this example, it is assumed that there is a centralized organization that administers keys and passwords, referred to here as the Mainframe Security Group, and that each remote machine has a responsible administrator, the Remote Security Officer.
The method presented here attempts to be straightforward and executes several of the steps on the mainframe under the batch user accounts. Other methods might run some of the steps under an administrator account or use a Unix or Linux machine to administer the keys.
The sample tools ssh-hostkey-probe and ssh-userkeygendist2.sh are available separately. Contact SSH Technical Support at http://support.ssh.com/.