
We have been implementing Express Logon Feature (ELF) for TSO (and other APPL) access via TN3270. This uses user certificates on smart cards / badges and RACF (SAF) PassTickets to log into TSO without userid or passwords.

Since I recalled that Tectia server docs allowed for RACF certificates (though we do not use them yet) I looked at this a bit again today, specifically here:

Docs link

My question is about the keyring in step 4:

(SAF validation only) To add the user certificate into SAF, give the following TSO commands:

RACDCERT ID(USER) ADD('USER.CRT') TRUST WITHLABEL('USER')

RACDCERT ID(USER) ADDRING(USER)

RACDCERT ID(USER) CONNECT(ID(USER) LABEL('USER') RING(USER) USAGE(PERSONAL))

RACDCERT ID(USER) LISTRING(USER)

Is Tectia Server expecting (does it require) this keyring? ELF is currently working with the user's certificate simply associated / added to the user's RACF "profile". There is no keyring associated unless it is an internal RACF one, and you cannot list any keyrings for that user; however, you can see the certificate for the user when doing certain list commands, etc. There seems to be one default "slot" in RACF for this certificate that is independent of keyrings.

Can Tectia Server for z/OS utilize a user certificate from this location, or does it require the creation of keyrings for every single user and RACDCERT ADD each user's cert to this keyring so that it can be referenced?

I am assuming that Step 12 references this location:

(SAF validation only)

If only SAF validation is used, define the z/OS SAF external key provider that contains the user certificates with the AuthorizationEkProvider keyword in the /opt/tectia/etc/sshd2_config file:

AuthorizationEkProvider "zos-saf:KEYS(ID(%U) RING(%U))"

The AuthorizationEkProvider keyword can contain special strings in the key specification that are mapped according to the following list:

%U = user name
%IU = user ID
%IG = user group ID

So does RING(%U) refer to this slot, or does it literally mean user AB123 has to have a RACF keyring called AB123 as well?

I'd prefer if we can avoid using Tectia certd, and also if we can use this certificate already imported to RACF for each user.

Thanks for any info.

asked Aug 17 '15 at 23:45


miken

edited Aug 18 '15 at 00:17


You can skip certd by specifying AuthPublicKey.Cert.ValidationMethods=saf in z/OS tectia server configuration file.

This keyword 'AuthPublicKey.Cert.ValidationMethods' specifies the method used for certificate validation during user public-key authentication. Its value can be tectia or saf, or both (saf,tectia). The default is tectia.

If saf is specified, RACF/SAF is used for validating user certificates. The user certificates must exist in a trusted key ring defined by the AuthorizationEkProvider keyword. Note that when only SAF validation is used, the certificate validity period and revocation status are not checked.

We cannot simply trust the existence of a user certificate in RACF dataset. z/OS tectia server performs additional check if the certificate is defined in the ring which is dedicated for ssh access.


answered Aug 21 '15 at 13:10


shuqinLKatSupport
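As an added example (not code from the thread, Tectia or SSH Communications), a small checker for the two keywords discussed in the answer above: it reads an sshd2_config fragment, expands the %U / %IU / %IG placeholders for a given user so you can see which SAF ring the server will look in, and flags the saf-only case in which validity period and revocation are not checked. It assumes sshd2_config keywords appear one per line as either "Keyword value" or "Keyword=value"; the sample fragment and user values are constructed.

```python
import re

# Constructed sample sshd2_config fragment (not from any real system).
SAMPLE_CONFIG = """\
# Tectia Server for z/OS excerpt (constructed sample)
AuthPublicKey.Cert.ValidationMethods saf
AuthorizationEkProvider "zos-saf:KEYS(ID(%U) RING(%U))"
"""


def parse_config(text):
    """Return {keyword: value}; accepts 'Key value' and 'Key=value' (assumption)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^([\w.]+)\s*(?:=|\s)\s*(.*)$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf


def expand_key_spec(spec, user, uid, gid):
    """Substitute the %U / %IU / %IG strings from the docs quoted in the question."""
    # Replace the two-letter tokens first so %U never eats the U of %IU.
    return spec.replace("%IU", str(uid)).replace("%IG", str(gid)).replace("%U", user)


def check_cert_validation(conf):
    """Findings for the certificate validation settings; empty list means no issue found."""
    raw = conf.get("AuthPublicKey.Cert.ValidationMethods", "tectia")  # default per the answer
    methods = [m.strip().lower() for m in raw.split(",")]
    findings = []
    if "saf" in methods:
        if "AuthorizationEkProvider" not in conf:
            findings.append("ERROR: saf validation needs a trusted ring via AuthorizationEkProvider")
        if "tectia" not in methods:
            findings.append("WARN: saf-only validation skips validity period and revocation checks")
    return findings


if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONFIG)
    print(expand_key_spec(conf["AuthorizationEkProvider"], "AB123", 1001, 500))
    for finding in check_cert_validation(conf):
        print(finding)
```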

Thanks. I may have more questions when we get to that bridge, just wanted to know if these certs being added may be exploitable as-is.


answered Aug 26 '15 at 21:09


miken

In our implementation, our code must search through the certificate ring for the existence of the certificate.


answered Aug 31 '15 at 11:56


shuqinLKatSupport

Asked: Aug 17 '15 at 23:45

Seen: 8,921 times

Last updated: Aug 31 '15 at 11:56
