Mainframe User Keys
Administrators and other people can use passwords or public-key pairs with a passphrase-protected private key to access remote machines with SSH Tectia clients from a Telnet or Secure Shell session. They can also use public-key pairs with a null passphrase if they want to run the SSH Tectia client programs in JCL.
Mainframe batch users are accounts that represent applications or subsystems, not people. They are set up with public-key pairs with a null passphrase to enable non-interactive access through JCL to remote servers. One key pair is generated for each batch user. If the batch user has a shared home directory, the key is placed in the shared
$HOME/.ssh2 directory, otherwise it is copied to the user's home directories on all the LPARs.
ssh-keygen2 utility program is used with the
-P option, which requests a null passphrase, it can be run from the OMVS shell or in JCL. It must be run under the batch user's user ID in order for the file permissions to be set properly. For more information on the
ssh-keygen2 options, see Appendix ssh-keygen2.
The batch user accesses the remote machine using an account created and administered on the remote machine. The remote username may either be the same as the batch user's RACF user ID, or the same but in lower case, or a different username. Several batch users may use the same remote account. One batch user may use separate accounts on one remote machine for different accesses.
Each batch user's public key must be distributed to all the remote accounts it will be accessing. The way the public key is set up differs between SSH Tectia and OpenSSH. The
ssh-userkeygendist2.sh script must be told which type of server the remote machine has. The server must be running when
ssh-userkeygendist2.sh is run.
ssh-userkeygendist2.sh uses password authentication for this initial access to the remote server. The password for the remote account must be entered in a file. The filename is entered as one of the options in the
The other options needed on the
ssh-userkeygendist2.sh command line are the remote account username, the remote host DNS name or IP address, and the type of the remote Secure server (SSH Tectia Server on Unix, SSH Tectia Server for IBM z/OS on mainframe, or OpenSSH on Unix).
The Mainframe Security Group prepares for each batch user one script consisting of a sequence of
ssh-userkeygendist2.sh commands with the details of each remote account the user will access. The scripts are run in JCL under the user ID of the respective batch user.