There is a need to implement secure telnet on an LPAR that uses ACF2. Is it possible to use ACF2 to generate and store the certificate? Does the certificate need to be sent to the client to install?
When configuring SECUREPORT for Telnet, there is the option to use a USS-based keystore or a SAF-based keystore. There is also the option of generating the certificates with ACF2 or with any other third-party certificate utility.
The steps to generate and store the certificates in ACF2 are listed below. Clients will need the signing CERTAUTH certificate so they can validate the server certificate during the TLS handshake.
Step 1 - Generate the CERTAUTH and Client Certificates using ACF2
Example using a local CA:
ACF
GENCERT CERTAUTH.SIGNER SUBJSDN(.....) LABEL(MY COMPANY CA) EXPIRE(12/31/25)
GENCERT TCPTEL.CERT1 SUBJSDN(.....) LABEL(TELNET Certificate) SIGNWITH(CERTAUTH.SIGNER)
Example using an external CA:
ACF
GENCERT TCPTEL.CERT1 SUBJSDN(.....) LABEL(TELNET Certificate)
GENREQ TCPTEL.CERT1 DSN('CERTREQ.DSN')
The external CA creates a signed certificate and sends it back to the site that issued the GENREQ certificate request. The signed certificate can be FTP'd into a dataset, and the INSERT command can then be used to replace the self-signed certificate created by GENCERT and its CERTDATA record in the INFOSTG database.
ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT CERTAUTH.externalCA DSN('CERTAUTH.DSN')
INSERT TCPTEL.CERT1 DSN('SIGNDCRT.DSN')
Step 2 - Create and connect certificates to a keyring
Example (for the external CA case, connect CERTAUTH.externalCA instead of CERTAUTH.SIGNER):
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT TELNET.RING RINGNAME(TELNET_RING)
CONNECT CERTDATA(CERTAUTH.SIGNER) KEYRING(TELNET.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(TCPTEL.CERT1) KEYRING(TELNET.RING) USAGE(PERSONAL) DEFAULT
Step 3 - Configure SECUREPORT in your Telnet parameters to point to the keyring created in step 2
Example:
KEYRING SAF TELNET_RING
The server certificate is connected to a keyring called TELNET_RING and designated as the default certificate, so it is the one presented on the SECUREPORT.
Step 4 - Export the CERTAUTH certificate to a dataset, transfer the dataset by FTP in binary mode to a local file, and send the file to the clients to install in the application they use to telnet into the mainframe
Example (CERTAUTH.NAME is the CERTAUTH record created in step 1, for instance CERTAUTH.SIGNER):
EXPORT CERTAUTH.NAME DSN('EXAMPLE.CERTAUTH.NAME') FORMAT(CERTDER)
For more information on digital certificate commands in ACF2, see the Digital Certificate Support section in the ACF2 documentation.
For more information on certificate configuration for SSL/TLS applications in ACF2, see the Configure Key Rings and Certificates for TLS Applications section in the ACF2 documentation.