ACF2 configuration when using OpenSSH certificates for user authentication. Rather than using a logonid and password for OpenSSH, use a certificate.
Release : 16.0
Component : ACF2 for z/OS
OpenSSH certificates for user authentication. For each z/OS ssh client user, use a certificate in place of a logonid and password. Insert the client user certificate and the CERTAUTH signing certificates into the ACF2 INFOSTG database, create a Keyring, and CONNECT the certificates to the Keyring. In the OpenSSH authorized_keys file, specify the zos-key-ring-label= option to point to the Keyring and the user certificate label. For example:
zos-key-ring-label="KeyRingOwner/KeyRingName label"
Where:
KeyRingOwner is the Keyring owner (ACF2 Keyring recordid logonid.suffix, where logonid is the ring owner)
KeyRingName is the key ring name (ACF2 KEYRING RINGNAME)
label is the OpenSSH server certificate label
The zos-key-ring-label= option specifies the key ring owner, the key ring name, and the certificate label within the key ring on the OpenSSH server that contains the user's public key. One or more blanks separate the key ring (real or virtual) name from the certificate label. Certificate labels can contain embedded blanks. The option value must be enclosed in double quotes.
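A mistyped option value leaves the user unable to authenticate with the certificate, so it is worth checking entries before deploying them. The following is an added example, not part of the original article or of any product: a small Python check that applies the syntax rules above to authorized_keys text. The owner, ring and label values in the sample are constructed, and the check assumes each entry sits on one line with no escaped quotes inside the value.

```python
import re

# The option with a double-quoted value, the form the article requires.
QUOTED = re.compile(r'zos-key-ring-label="([^"]*)"')

def parse_value(value):
    """Split 'KeyRingOwner/KeyRingName label' into (owner, ring, label)."""
    parts = value.strip().split(None, 1)   # first run of blanks ends the ring name
    if len(parts) < 2:
        raise ValueError("missing certificate label after key ring name")
    ring_spec, label = parts               # label keeps its embedded blanks
    owner, slash, ring = ring_spec.partition("/")
    if not slash or not owner or not ring:
        raise ValueError("key ring must be written as KeyRingOwner/KeyRingName")
    return owner, ring, label

def audit(text):
    """Return (line_number, parsed_tuple_or_None, problem_or_None) per entry."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if "zos-key-ring-label=" not in line or line.lstrip().startswith("#"):
            continue
        m = QUOTED.search(line)
        if m is None:
            results.append((n, None, "value is not enclosed in double quotes"))
            continue
        try:
            results.append((n, parse_value(m.group(1)), None))
        except ValueError as exc:
            results.append((n, None, str(exc)))
    return results

# Constructed sample entries, not taken from a real system.
SAMPLE = '''\
# authorized_keys test input
zos-key-ring-label="USER01/SSHRING user01 ssh cert"
zos-key-ring-label=USER01/SSHRING user01cert
zos-key-ring-label="SSHRING user01cert"
zos-key-ring-label="USER01/SSHRING"
'''

if __name__ == "__main__":
    for n, parsed, problem in audit(SAMPLE):
        print(n, parsed if parsed else "INVALID: " + problem)
```

The parsed owner, ring name and label can then be compared by hand against the Keyring and certificate labels defined in ACF2.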