Steps for setting up server authentication when keys are stored in key rings
About this task
- Step 1: Generate the host keys for the SSH server. Host keys allow a client to verify the identity of the server.
- Step 2: Distribute the public keys from the local host to the remote hosts. Clients use the ssh_known_hosts file to verify the identity of the remote host.
- Step 3: Gather the public host keys of remote hosts. Each key is verified and then added to the /etc/ssh/ssh_known_hosts file.
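The following is an added example, not part of the IBM documentation or of z/OS OpenSSH itself. It shows in Python the verify-then-add logic behind Steps 2 and 3: a one-line public host key received from a remote system is parsed, its SHA256 fingerprint is compared with a fingerprint obtained through a trusted channel, and only a matching key is appended to the ssh_known_hosts entries; a mismatching fingerprint, a malformed line, or a key blob whose embedded type disagrees with the declared type is rejected. The host names, the Ed25519 key bytes and the comment text are constructed assumptions, and the entries are kept in a list rather than written to a file.

```python
"""
Verify a remote host's public key out-of-band before adding it to ssh_known_hosts.

Added example (not from the IBM documentation). All key material, host names
and comments below are constructed for illustration.
"""
import base64
import hashlib
import struct

# Constructed 32-byte Ed25519 public key; NOT a real host's key.
SAMPLE_PUBKEY = bytes(range(32))


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def encode_ed25519_blob(pub):
    """Build the wire blob that an ssh-ed25519 public key is base64-encoded from."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pub)


def fingerprint_sha256(blob):
    """Return the OpenSSH-style 'SHA256:<base64 without padding>' fingerprint."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def sample_known_hosts_line():
    """A constructed ssh_known_hosts line: 'hosts keytype base64 [comment]'."""
    blob = encode_ed25519_blob(SAMPLE_PUBKEY)
    return ("mvs1.example.com,10.0.0.5 ssh-ed25519 "
            + base64.b64encode(blob).decode("ascii")
            + " constructed example host key")


def parse_known_hosts_line(line):
    """Split 'hosts keytype base64 [comment]' and decode the key blob.

    Returns (hosts, keytype, blob). Hashed host patterns (|1|...) are not
    handled here. The type name embedded in the blob must equal the declared
    keytype, otherwise the line is rejected.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return hosts.split(","), keytype, blob


def add_verified_host_key(known_hosts, line, expected_fp):
    """Append the key line to known_hosts only if its fingerprint matches.

    expected_fp is the fingerprint obtained through a trusted channel
    (for example, read from the remote administrator). The same key is not
    added twice; the trailing comment is dropped from the stored entry.
    """
    hosts, keytype, blob = parse_known_hosts_line(line)
    actual = fingerprint_sha256(blob)
    if actual != expected_fp:
        raise ValueError("fingerprint mismatch for %s: got %s" % (hosts, actual))
    entry = "%s %s %s" % (",".join(hosts), keytype,
                          base64.b64encode(blob).decode("ascii"))
    if entry not in known_hosts:
        known_hosts.append(entry)
    return known_hosts


if __name__ == "__main__":
    line = sample_known_hosts_line()
    trusted_fp = fingerprint_sha256(parse_known_hosts_line(line)[2])
    print(add_verified_host_key([], line, trusted_fp))
```

The example expects the one-line OpenSSH public-key format that ssh_known_hosts uses, not a certificate as it exists in a key ring. On z/OS, the resulting entries must be written to /etc/ssh/ssh_known_hosts in the IBM-1047 code set, as noted below.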
Use RACF® or a similar security product that supports key rings when storing keys in key rings. The key files must be stored in the IBM-1047 (EBCDIC) code set.
The examples provided for managing key rings and associated objects use the RACF RACDCERT command. If a different security product is used, consult that product's documentation to determine whether it provides compatible support. For more information about the RACDCERT command, the authority required to use it, and options not described in this documentation, refer to z/OS Security Server RACF Command Language Reference.
In the examples, input names given in italics are variables that you can choose. Some of these names contain hyphen characters (-) separating portions of the name; the hyphens are part of the chosen name and are not required. The names given are suggestions and are used consistently throughout the examples. If you substitute your own name in one step, that name will likely need to be used in the other command steps as well.
The examples demonstrate using a self-signed certificate. Using a certificate chain, such as one with root and intermediate certificate authority certificates, is supported. If you will be using a more advanced certificate chain than the examples demonstrate, see Validating certificates when using key rings for important considerations.