ACF2 equivalent for Digital Certificate authentication

Discussion of the Co:Z Co-Processing Toolkit for z/OS
rhutson
Posts: 1
Joined: Wed May 12, 2021 3:43 pm

Post by rhutson »

What are the ACF2 equivalent commands to the RACF commands in "F.4 RACF Digital Certificate authentication"?

Also, what are the pros/cons to specifying ICSF for the certificate? We have a crypto coprocessor and SSL accelerator.
dovetail
Site Admin
Posts: 1991
Joined: Thu Jul 29, 2004 12:12 pm

Re: ACF2 equivalent for Digital Certificate authentication

Post by dovetail »

We don't document the command language for other security products. You would need to refer to Broadcom documentation for translation.

Regarding storing certificate private keys in ICSF: you can put the SAF keys in RACF (ACF2) keyrings, but putting them on a card via ICSF offers better protection - the same consideration as with any private key in a key ring. When you have your keys in a keyring, then ICSF will be used by z/OS OpenSSH for key operations. The performance of this is not usually a concern, since the key operation generally occurs once per session.

I would recommend that you look at the webinar "IBM Ported Tools for z/OS: OpenSSH - Using Key Rings" found near the bottom of this page: https://dovetail.com/webinars.html

You probably want to review the preceding webinar: "IBM Ported Tools for z/OS: OpenSSH - Key Authentication" for background.

These are both very useful for understanding how key authentication and key rings work on z/OS OpenSSH.