Setting up z/OS Ansible Core to use OpenSSH with ACF2 Keyrings

Article ID: 227610

Products

ACF2 ACF2 - z/OS ACF2 - MISC

Issue/Introduction

How to set up OpenSSH connectivity with z/OS Ansible Core using ACF2 keyrings. Since the private key needs to remain on the Ansible Control Node, a site may choose to generate the key pair on the Linux control node and send its public half to ACF2 in certificate format, rather than the opposite (generating a certificate in ACF2 and then importing the certificate to Linux). This document describes how to generate SSH keys in Linux and import them in x509 certificate format for use in an ACF2 keyring.

Resolution

1. From Linux, create the SSH keys:

ssh-keygen -t rsa -m PEM

2. Since OpenSSH cannot produce an x509 certificate from the key, use OpenSSL to wrap the key in a self-signed certificate:

openssl req -new -x509 -key id_rsa -out sshcert.PEM -outform PEM -days xxx

(where xxx is the number of days for the certificate validity)

3. Upload the sshcert.PEM x509 cert for use in ACF2:

Cut and paste its contents into a dataset including the BEGIN CERTIFICATE and END CERTIFICATE lines.

or

FTP it to a mainframe dataset with these attributes:

ASCII
WRAP
RECFM: VB
LRECL: 84

4. Issue a TSO ACF2 CHKCERT command to verify the contents of the certificate look as they should:

CHKCERT DSN('sshcert.dataset.name')

5. Add the certificate to the ACF2 database as a TRUSTed certificate:

SET P(USER) DIV(CERTDATA)
INSERT user1.cert DSN('sshcert.dataset.name') LABEL(AnsibleCert) TRUST

Note: Issue the following CHANGE command if an ACF6D075 message appears:

CHANGE user1.cert TRUST

6. Create the KEYRING to be used:

SET P(USER) DIV(KEYRING)
INSERT user1.ring RINGNAME(AnsibleRing)

7. Add the certificate to the KEYRING:

CONNECT CERTDATA(user1.cert) KEYRING(user1.ring) USAGE(PERSONAL)

8. Verify the userid has proper access to read the KEYRING. See section Validations for Key Rings in the ACF2 documentation for more information.

9. Perform a list of the KEYRING and make note of the ring owner (user1), the RINGNAME and the certificate Label, as they are needed for the authorized_keys entry:

SET P(USER) DIV(KEYRING)
LIST user1.ring

KEYRING /user1.ring LAST CHANGED BY xxxxxxxx ON xx/xx/xx-14:27

                       DEFAULT() RINGNAME(AnsibleRing)

  The following certificates are connected to this key ring:

  CERTDATA record    Label                             Usage
  -----------------  --------------------------------  --------
  user1.cert         AnsibleCert                       PERSONAL

10. Modify the mainframe user home directory .ssh/authorized_keys file with the following entry, substituting the ring owner, RINGNAME and certificate Label noted in the LIST output above:

zos-key-ring-label="RingOwner/RingName CertificateLabel"

Example:

zos-key-ring-label="user1/AnsibleRing AnsibleCert"
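The following script is an added example and is not part of the article or of the IBM method it is based on. It runs steps 1 and 2 unattended on the Linux control node, then performs two checks a practitioner would want before shipping the certificate to ACF2: that the public key inside the x509 certificate is the same one carried by id_rsa (so the certificate ACF2 will TRUST really corresponds to the private key Ansible presents), and that no line of the PEM file exceeds the 80 data bytes a RECFM VB LRECL 84 record can hold. It finishes by building the authorized_keys entry of step 10 from the ring owner, RINGNAME and Label. The empty passphrase (-N ""), the certificate subject (-subj "/CN=ansible-control-node") and the 365-day validity are assumptions chosen so the script can run without prompts; adjust them for a real control node.

```shell
#!/bin/sh
# Added example (not from the article): generate the control-node SSH key and
# its x509 wrapper, then verify the certificate before it goes to ACF2.
set -eu

# Steps 1 and 2 of the article, made non-interactive.
# Assumed: no passphrase and a fixed subject so the script runs unattended.
make_ssh_cert_bundle() {
    dir=$1      # output directory
    days=$2     # certificate validity in days (the article's "xxx")
    ssh-keygen -q -t rsa -m PEM -N "" -f "$dir/id_rsa"
    openssl req -new -x509 -key "$dir/id_rsa" -out "$dir/sshcert.PEM" \
        -outform PEM -days "$days" -subj "/CN=ansible-control-node"
}

# Check that the certificate carries the public key of the SSH key pair.
# Both sides are reduced to the SHA-256 of the DER-encoded
# SubjectPublicKeyInfo, so a mismatched or stale certificate is caught.
cert_matches_ssh_key() {
    cert=$1
    pub=$2
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    key_fp=$(ssh-keygen -e -m PKCS8 -f "$pub" \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ "$cert_fp" = "$key_fp" ]
}

# The article's dataset is RECFM VB LRECL 84: after the 4-byte record
# descriptor word, 80 data bytes remain per record. PEM base64 lines are
# normally 64 characters, but measure rather than assume.
pem_fits_record() {
    file=$1
    max=$2
    longest=$(awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$file")
    [ "$longest" -le "$max" ]
}

# Step 10: build the authorized_keys entry from the LIST output values
# (ring owner, RINGNAME, certificate Label).
ring_label_entry() {
    printf 'zos-key-ring-label="%s/%s %s"\n' "$1" "$2" "$3"
}

# Usage: only runs when ssh-keygen and openssl are installed.
if command -v ssh-keygen >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ssh_cert_bundle "$work" 365
    cert_matches_ssh_key "$work/sshcert.PEM" "$work/id_rsa.pub"
    echo "public key in sshcert.PEM matches id_rsa"
    pem_fits_record "$work/sshcert.PEM" 80
    echo "sshcert.PEM lines fit a RECFM VB LRECL 84 dataset"
    openssl x509 -in "$work/sshcert.PEM" -noout -subject -enddate
    ring_label_entry user1 AnsibleRing AnsibleCert
fi
```

The key-match check is the one worth keeping in any pipeline that regenerates keys: if id_rsa is rotated but the old sshcert.PEM is re-uploaded, CHKCERT and INSERT will still succeed on the mainframe side and the failure only shows up as a rejected SSH login.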

Additional Information

This article is based on an IBM method found at https://www.ibm.com/support/pages/node/6124929