The following example assumes that the SSHD2 user created in Running the Product Installation Jobs is used to run the server.
To use SAF certificates for authenticating the server, do the following steps. Replace the names and IDs with those appropriate to your system:
Create the server host key in SAF by giving the following TSO commands:

    RACDCERT ID(SSHD2) GENCERT SUBJECTSDN(CN('LPAR1') OU('RD') O('EXAMPLE')) SIZE(2048) WITHLABEL('LPAR1.EXAMPLE.COM')
    RACDCERT ID(SSHD2) LIST
The above command will create a 2048-bit RSA key. If you want to, for example, create a 521-bit ECC key, replace
Give the following TSO command to generate the certification request:

    RACDCERT ID(SSHD2) GENREQ(LABEL('LPAR1.EXAMPLE.COM')) DSN('SSHD2.LPAR1.CRT.REQ')
Use the PKCS#10 certification request in the data set 'SSHD2.LPAR1.CRT.REQ' to enroll the certificate. The actual steps depend on your CA setup.
After the enrollment is completed, store the received certificate to a data set, for example
To connect the new certificate to a key ring, give the following TSO commands:

    RACDCERT ID(SSHD2) ADD('SSHD2.LPAR1.CRT') TRUST WITHLABEL('LPAR1.EXAMPLE.COM')
    RACDCERT ID(SSHD2) ADDRING(SSH-HOSTKEY)
    RACDCERT ID(SSHD2) CONNECT(ID(SSHD2) LABEL('LPAR1.EXAMPLE.COM') RING(SSH-HOSTKEY) USAGE(PERSONAL))
    RACDCERT ID(SSHD2) LISTRING(SSH-HOSTKEY)
For the settings to take effect, give the following TSO command:

    SETROPTS RACLIST(DIGTCERT) REFRESH

    HostKeyEkProvider zos-saf
    HostKeyEkInitString "KEYS(ID(SSHD2) RING(SSH-HOSTKEY) LABEL('LPAR1.EXAMPLE.COM'))"
    HostKey.Cert.Required yes
HostKeyEkInitString must point to a single private key. Setting HostKey.Cert.Required to yes defines that the server must authenticate with a certificate. When the z/OS SAF provider is used, setting the option to no means that only the public key found in the SAF certificate is used. Setting the option to optional means that both the SAF certificate and the public key found in the SAF certificate are used.
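As an added example (not part of the product documentation), a small Python checker for the three server options above: it verifies that the SAF provider is selected, that HostKeyEkInitString names exactly one key, and that HostKey.Cert.Required has one of its three values. The option names and values come from the page; the KEYS(...) grammar and the sample configuration fragment are assumptions inferred from the example shown.

```python
import re

# Constructed sshd2_config fragment mirroring the options shown above (assumed layout).
SAMPLE_CONFIG = """\
HostKeyEkProvider zos-saf
HostKeyEkInitString "KEYS(ID(SSHD2) RING(SSH-HOSTKEY) LABEL('LPAR1.EXAMPLE.COM'))"
HostKey.Cert.Required yes
"""

# Meaning of HostKey.Cert.Required with the z/OS SAF provider, as described above.
CERT_REQUIRED = {
    "yes": "server authenticates with the SAF certificate",
    "no": "only the public key found in the SAF certificate is used",
    "optional": "both the SAF certificate and its public key are used",
}

def parse_config(text):
    """Map 'Option value' lines to a dict; surrounding double quotes are stripped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip().strip('"')
    return opts

def parse_keys_spec(spec):
    """Split KEYS(ID(x) RING(y) LABEL('z')) into (keyword, value) pairs.
    The grammar is inferred from the example on this page (an assumption)."""
    m = re.fullmatch(r"KEYS\((.*)\)", spec.strip())
    if not m:
        raise ValueError("HostKeyEkInitString must have the form KEYS(...)")
    return re.findall(r"(\w+)\('?([^()']+)'?\)", m.group(1))

def check_saf_hostkey(text):
    """Return a list of problems (empty when the SAF host key setup is consistent)."""
    opts = parse_config(text)
    problems = []
    if opts.get("HostKeyEkProvider") != "zos-saf":
        problems.append("HostKeyEkProvider must be zos-saf")
    try:
        fields = parse_keys_spec(opts.get("HostKeyEkInitString", ""))
    except ValueError as e:
        return problems + [str(e)]
    names = [k for k, _ in fields]
    for required in ("ID", "RING", "LABEL"):
        if required not in names:
            problems.append(f"HostKeyEkInitString lacks {required}(...)")
    if names.count("LABEL") != 1:  # the init string must point to a single private key
        problems.append("HostKeyEkInitString must name exactly one LABEL")
    if opts.get("HostKey.Cert.Required") not in CERT_REQUIRED:
        problems.append("HostKey.Cert.Required must be yes, no or optional")
    return problems
```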